As threats in cyberspace continue to grow, setting up a dedicated incident response team has become a necessity rather than an option. A business can either build an in-house CSIRT/CERT or outsource the function completely. Many companies follow a mixed approach, keeping a small internal team and bringing an experienced incident response service provider on board. Recently, LIFARS set up its own CSIRT, called LISIRT, to help our clients respond promptly when a cybersecurity incident is detected. Because a CSIRT/CERT cannot function effectively in a silo, LISIRT’s mission statement includes establishing partnerships with public and private CERTs.
In this article, we will discuss various prominent international forums and organizations for CSIRT/CERT teams. You can read more about CSIRT/CERT teams along with their roles and responsibilities here.
1. SEI CERT/CC’s International Network (Software Engineering Institute Computer Emergency Response Team/Coordination Center)
Founded in 1988, CERT/CC was created in response to the Morris worm, which infected close to 10% of the computers then connected to the Internet. Over the years, CERT/CC has built an international network of CSIRTs, including around 50 national CSIRTs. It also organizes an annual meeting at which national CSIRTs discuss the unique challenges of protecting and defending a nation, its critical infrastructure, and its economy. In addition, a CSIRT can seek authorization from SEI to use the “CERT” mark in its name. A CSIRT can display this mark on its website to show that it is part of the network of teams providing similar services.
2. FIRST (Forum of Incident Response and Security Teams)
FIRST was established in 1990, shortly after the creation of CERT/CC at SEI. Its aim is a safer Internet for all, achieved by bringing together incident response and security teams from every country across the globe. FIRST holds that effective response to cybersecurity incidents is a global task, given the borderless nature of the Internet: Computer Security Incident Response Teams (CSIRTs), Product Security Incident Response Teams (PSIRTs), and independent security researchers must work together to minimize the damage caused by security incidents.
A CSIRT/CERT that becomes a FIRST member gains a range of benefits. Apart from facilitating trusted interactions between CSIRTs/CERTs, FIRST hosts an annual conference focused on computer security incident handling. It also runs a dedicated discussion forum in which member teams share information about incidents, vulnerabilities, tools, and any other issues a CSIRT/CERT may encounter.
FIRST’s CSIRT Services Framework (v2.1) is a useful guiding document for a CSIRT/CERT seeking to establish, define, and improve its incident response operations. Recognized experts from the FIRST community developed this framework with strong support from the TF-CSIRT (Task Force on Computer Security Incident Response Teams) community and the ITU (International Telecommunication Union). It identifies five service areas for a CSIRT: Information Security Event Management, Information Security Incident Management, Vulnerability Management, Situational Awareness, and Knowledge Transfer. For each service area, the framework describes the constituent services, functions, and sub-functions.
3. GEANT’s TF-CSIRT (Task Force on Computer Security Incident Response Teams)
TF-CSIRT facilitates interaction between members of the CSIRT community in a trusted environment to improve cooperation and coordination. It promotes common standards and procedures for handling cybersecurity incidents and takes part in joint initiatives as appropriate. It works continually with organizations such as FIRST, ENISA, and other regional CSIRT groups. TF-CSIRT assists in establishing and developing new CSIRTs and in training CSIRT team members. It also maintains the Trusted Introducer (TI) service, which lists known teams and accredits and certifies CSIRTs according to their level of maturity.
LIFARS Computer Security Incident Response Team (LISIRT) is a listed member of the TF-CSIRT Trusted Introducer program. We have started our journey towards accreditation and, ultimately, certification.
4. ENISA (European Union Agency for Cybersecurity)
ENISA is the EU agency designated to achieve a high common level of cybersecurity across the European Union. On its website, it maintains a dedicated inventory of European CSIRTs, including an interactive map that visualizes the status of CSIRTs in the EU along with their membership status in the ENISA-supported CSIRTs Network, FIRST, and TF-CSIRT’s TI program. For government CERTs in Europe, there is also an informal association called the European Government CERTs group (EGC), which cooperates on matters of incident response. EGC members can belong to other regional and international organizations while contributing to ENISA deliverables. According to the information available on the EGC’s website, membership applications are currently closed; the group has thirteen CSIRT/CERT members at present.
ENISA uses a three-tier approach to CSIRT maturity: Basic, Intermediate, and Advanced. The Basic level focuses on getting the fundamentals right, the Intermediate level on how to advance, and the Advanced level on reaching the full set of objectives. For assessing a CSIRT’s maturity, it proposes two approaches: self-assessment and peer review. Although this maturity model builds on the Open CSIRT Foundation’s Security Incident Management Maturity Model (SIM3), it adds more stringent requirements for national CSIRTs with critical responsibilities.
Like the other organizations discussed so far, ENISA has published extensive resources to help CSIRTs establish, improve, and mature their operations, including a self-assessment tool for CSIRT maturity.
5. OCF (The Open CSIRT Foundation)
OCF maintains and governs SIM3 (Security Incident Management Maturity Model) and trains and certifies auditors for it. This maturity model for CSIRTs has been in use since 2009. It has 44 parameters divided over four categories: Organizational, Human, Tools, and Processes. A parameter is an attribute relevant to a CSIRT’s operations and functions, and the model scores each parameter on a scale of 0 to 4.
Over the years, multiple international forums and organizations have come to rely on SIM3. ENISA designed its three-tier approach on the basis of this model, and TF-CSIRT has used it since 2010 to certify its accredited members. FIRST may also adopt the model for its membership framework. The Japan-based Nippon CSIRT Association (NCA), with over 300 member CSIRTs, has adopted SIM3 to improve the maturity of its member teams.
Having a dedicated incident response team substantially reduces the impact and duration of successful cybersecurity incidents. While many laws and regulations across the globe now make an incident response process mandatory, a CSIRT also helps maintain chain of custody and preserve evidence for civil suits and criminal investigations. At the same time, a CSIRT working on its own has limited visibility into evolving threats. The most effective way to break this information barrier is to facilitate communication and knowledge sharing between CSIRTs across borders.
Is your CSIRT a part of an international forum or consortium that we have missed? Let us know.