Saturday, February 21, 2015

Time to set up a CERT/CSIRT? Yes!

One clear lesson learned organizationally from fighting a Hydra named Dyre/Dyreza/Upatre is that while an entity can have clearly defined security groups and functions, unless there is a mechanism in place to bring them all together in unified communication and intelligence sharing, coordination of response can be seriously hampered.

Precious time may be lost as each group (network ops, AV ops, board of directors, executive branch, field staff) focuses the response effort based on its own skill set and operational authority.

Communications and threat intelligence may not make it to key decision-makers, general employees, or remediation responders. This can provide just enough headroom for the threat to grow, morph, and dig in.

It is mission critical that some structure be available for everyone to come together so the incident response can be coordinated and laser-focused, not just to block and remediate the incident, but to understand whether it was an opportunistic attack, collateral damage, or a probe as part of a wider and more stealthy attack campaign.

I am happy to report that efforts are now underway on the ranch to get the fencing crews, the coyote kill-squad, and the herd wranglers all talking to one another and to develop our very own CERT/CSIRT team.

To that end, I’m dropping the following linkages as a starting place for reference as the workgroup forms.

I have found these resources make an excellent starting point for gaining foundational understanding of what an effective CERT/CSIRT team looks like and the many ways it can be structured depending on the organization’s needs/limitations.

Obviously this is just the tip of the iceberg, but I have found that as my knowledge of key CERT/CSIRT concepts and terminology has grown, so has my ability to find more advanced material on particular related items of interest.

If any CERT/CSIRT team leaders or members happen to be reading GSD, I would deeply appreciate any additional resource URLs or links from you in the comments that could be valuable to those just getting started in CERT/CSIRT formation and operations.

ENISA - European Union Agency for Network and Information Security – Yes, they are from across the pond, but this is some of the very best publicly available material I have found (so far) on CERT concepts and operations.

And here are additional reading resources for CERT/CSIRT teams, ranging from basic to complex.

One crazy-big tome for Cybersecurity Operations

The SANS Institute InfoSec Reading Room (link) has lots of great material

Another training resource for CERT team members is

One course of particular note there might be the Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review

Finally, for some “perspective” I found these posts to be insightful and encouraging as this daunting task is considered.


--Claus Valca


Corey Harrell said...

Nice list of references. One reference not listed and one I found helpful building a CSIRT was the book "The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk." The content was very practical and helped on documenting the flow of the plan. The book is:

I think I posted this comment to the wrong post. The other one can be deleted.

Claus said...

@ Corey Harrell - Thank you so very much for your recommendation!

I've added it to my Amazon "to order" list.

Having workflows to share during the team-building process should help with buy-in.

It surprised me (probably shouldn't have) just how much each security/network operation team was so good at what they specialized in, but the communication was so fragmented, and it took forever (weeks) before everyone was effectively sharing information. Precious time lost!

--Claus V.