LISIRT – LIFARS Computer Security Incident Response Team

LISIRT is based in the United States and in Slovakia and is focusing mostly on digital forensics, incident response, threat hunting, pentesting, auditing and advisory services.

LISIRT constituency consists of organizations and companies that opted to elect LIFARS as its IR team through a retainer contract. An organization will be a temporary constituent when it contracts LIFARS to respond to an incident, either as sole responder or as part of a larger team.

LISIRT’s Mission Statement

LIFARS has set forth the following missions for LISIRT to its constituency:


1. To help prepare for cybersecurity incidents;
2. To respond promptly when a cybersecurity incident occurs by assisting our constituency with identification, containment, eradication and recovery from the incident, through the use of LIFARS professional services;
3. To inform, and where needed to help with the coordination of measures, about current cybersecurity incidents, events and threats;
4. To communicate and exchange with the relevant authorities and agencies where mandated or required by law or regulation;
5. To establish connections and partnerships with public and private CERTs.

Incident Response
1. Alerts & Warnings
2. Managed Detection and Response
3. Containment, Eradication & Recovery
4. Post-Incident Activity
5. On-Site Incident Response
6. Remote Incident Response
7. Incident Response Coordination
8. Digital Forensics & Malware Analysis
9. Bitcoin Payments

Proactive Services
1. Threat Hunting
2. Penetration Testing
3. Red Teaming
4. Secure Code Review
5. Phishing Simulations
6. Security Audits
7. Tabletop Exercises
8. Cyber Resiliency Trainings

LISIRT is now a Listed member in the TF-CSIRT Trusted Introducer (TI) and will continue its journey towards Accreditation and ultimately the Certification. LISIRT adopted the Security Incident Management Maturity Model (SIM3) to govern, document, perform and measure its functions and operations. This model is also used for the TF-CSIRT/TI Certification.

CSIRT is the abbreviation for ‘Computer Security incident response team’ and it is a dedicated or ad-hoc team in an organization with the main goal to respond to cybersecurity incidents. The terms CSIRT and CERT are usually used interchangeably but there may be slight differences in the scope of services they provide.

Historically, the term Computer Emergency Response Team (CERT) has been used first by the CERT Coordination Center (CERT-CC) at Carnegie Mellon University (CMU) in 1988 and it is now a registered trademark in many jurisdictions. The emergence of the term is tied with the outbreak of the infamous Morris Worm that paralyzed approximately 10% of the Internet and which was the first felony in the US under the 1986 Computer Fraud and Abuse Act.

During the daily work as forensic analysts, malware analysts, incident responders, threat hunters, pentesters and consultants, LISIRT often encounters interesting things. Sometimes they are important enough to share with the world. And so LIFARS TechDiary was born. In this place observations, remarks and case studies resulting from LISIRT’s engagements will be published. Follow us on Twitter.

• https://lifars.com/knowledge-center/923-words-on-ntuser-dat/
• https://lifars.com/2020/05/what-can-happen-when-you-click-on-phishing-link-containing-malicious-vbs-script/
• https://lifars.com/knowledge-center/the-spy-who-encrypted-me/
• https://lifars.com/knowledge-center/session-hijacking-case-study/
• https://lifars.com/knowledge-center/windows-shellbags-forensics-investigative-value-of-windows-shellbags/
• https://lifars.com/knowledge-center/osquery-for-cyber-incident-response/
• https://lifars.com/knowledge-center/malware-analysis-of-dridex-bitpaymer-and-doppelpaymer-campaign/