Irrespective of whether or not you are familiar with incident response, you have probably seen that CSIRT and CERT are often used interchangeably. Both terms describe dedicated teams that focus on incident response; however, the terminology can be significant. This article explains what CSIRT and CERT teams are and how they differ from, or resemble, each other.
CSIRT stands for Computer Security Incident Response Team, and CERT stands for Computer Emergency Response Team. At times, organizations replace CSIRT with CIRT, which can either mean Computer Incident Response Team or Cybersecurity Incident Response Team. Based on established practices and preferred language styling, an organization may adopt any of these terms.
In 2007, the Software Engineering Institute (SEI) at CMU published a document titled “Defining Computer Security Response Teams.” This document defines a computer security incident response team as
a concrete organizational entity (i.e., one or more staff) that is assigned the responsibility for coordinating and supporting the response to a computer security event or incident.
As far as CERT is concerned, it has been a registered mark of Carnegie Mellon University since 1997. However, the university allows an organization to apply for permission to use the CERT mark in its CSIRT’s name. After the Morris worm impacted a substantial part of the Internet in 1988, DARPA led the foundation of the Computer Emergency Response Team Coordination Center (referred to as CERT-CC) at Carnegie Mellon University. CERT-CC’s primary objective was to protect the Internet by collecting and sharing information on critical security vulnerabilities. Over the years, many countries have created national-level organizations using the CERT acronym, such as US-CERT, CERT-UK, JPCERT, etc.
Differentiating Between CSIRT and CERT
At the outset, there are many overlapping areas between CSIRT and CERT. A CSIRT can be responsible for responding to security incidents faced by an organization. It prepares a comprehensive response plan, including the changes or improvements needed to defend against similar incidents in the future. While responding to a computer security incident, several non-technical aspects come into play: public relations, legal obligations, employee communication, and personnel management.
On the other hand, a CERT can be established by an industry or a country to collect and disseminate security-related information for the benefit of that industry or country. This can take the form of advisories, disclosures, white papers, and recommendations. In addition, our experts have observed that SEI encourages using the term “CSIRT” for an incident response team. SEI refers to its CERT division as CERT-CC, and all the publications coming out of SEI use the term CSIRT to refer to independent incident response teams or organizations.
Did you know that LIFARS can deploy teams virtually anywhere in the world? For mission-critical systems, LIFARS implements effective remote cyber incident response by deploying a cyber-attack response team to the local enterprise environment. Read more about the LIFARS Cyber Incident Response offering here.
Responsibilities of a CSIRT team
Roughly, the responsibilities of a CSIRT team include:
- Determining the impact, extent of damages, and nature of a security event or incident
- Finding the exact technical cause of a security event or incident
- Exploring further threats that may have arisen as a result of a security event or incident
- Recommending best possible solutions and mitigation approaches
- Coordinating the implementation of an organization’s incident response plan with other teams such as PR, HR, legal, physical security, information security, etc.
- Sharing information about an organization’s existing risks, potential threats, possible attacks, exploits, and mitigation strategies
- Coordinating with external parties such as vendors and suppliers, ISPs, industry-specific and national incident response teams, law enforcement agencies, and data protection authorities
- Maintaining a database of security events and incidents for future use, including correlation, training, and improvements
- Recommending best practices concerning security configurations, change management, protecting critical assets, encryption, and incident prevention
- Participating in an organization’s vulnerability assessment and penetration testing activities, security policies development, awareness and training, evidence collection, and monitoring/logging
- Closely monitoring news, security newsletters, relevant websites, and vendor disclosures to identify the latest technical developments, emerging threats, legal updates, and innovative defensive strategies
Roles in a CSIRT team
It is clear from the discussion so far that a CSIRT consists of individuals from different backgrounds. Based on what we learned recently while establishing a new CSIRT team, a CSIRT team requires the following individuals:
- Team Leader: In most cases, this will be your organization’s CISO or a board member with relevant experience. The primary role of a team leader is to ensure proper communication between a CSIRT team and the board so that a CSIRT team receives the required budget and attention.
- Incident Manager: Depending on the size of your organization and risk assessment results, you can have multiple incident managers. An incident manager is an executive responsible for calling meetings and maintaining accountability within an incident response team. Before any security event or incident gets escalated, an incident manager summarizes the findings of the CSIRT team and shares them with the team leader for further communication with the stakeholders.
- Lead Investigator: A lead investigator is a security analyst with proven experience in incident response. Depending on the size of your organization’s technical infrastructure and threats posed, you can have multiple lead investigators. A lead investigator may require a dedicated team of junior security analysts and investigators during the investigation of a security incident.
- Communications and Public Relations: Ideally, this individual should belong to your organization’s marketing/PR team, to answer press inquiries, deliver press statements, and draft communications/notifications to be sent to business partners, stakeholders, customers, and employees.
- Legal: This individual should be a member of your organization’s legal team, who will advise the CSIRT team on legal aspects of a security incident. A legal professional can help comply with legal obligations such as data breach notifications, disclosure of security incidents, and any legal or regulatory proceedings arising out of a security incident.
- Human Resources: Generally, this should be your organization’s head of HR. This individual is responsible for dealing with any personnel-related issues that can occur during an ongoing incident response. They can also provide valuable suggestions for communicating a security incident to employees.
Should you outsource your organization’s incident response?
To sustain and thrive in a dynamic business environment, an organization deals with many constraints while navigating its challenges. When it comes to cybersecurity, our experts have often noted that many organizations lack the technical and human resources needed to achieve the highest possible level of security. At times, you have some of the pieces to solve the puzzle, but the rest are missing. This is where service providers like LIFARS help you save the day.
A service provider specializing in incident response and digital forensics can help you implement a tried-and-tested incident response plan. Further, with their experience in monitoring, investigating, and remediating such incidents regularly, they may be able to give you an upper hand in defending against ever-evolving threats and successfully mitigating a security incident. Their PR and legal team members can further help you ensure that your legal obligations are met while reputational damage is kept to a minimum.
However, based on what we have learned while partnering with our clients to improve their cyber resiliency, we recommend that you select a service provider who can offer organization-specific services instead of generic incident response services. Their team must be available 24/7 so that there is minimal lag between detecting a security incident and starting the incident response. Before bringing a service provider on board, you should ensure that they are familiar with your industry and that appropriate legal safeguards are in place for your organization.
For help with your organization’s incident response plan, you can always get in touch with our incident response experts. Did you know that LIFARS has recently set up its own CSIRT? Stay tuned for more updates on LISIRT (LIFARS Computer Security Incident Response Team).