One clear lesson learned organizationally from fighting a Hydra named Dyre/Dyreza/Upatre is that while an entity can have clearly defined security groups and functions, unless there is a mechanism in place to bring them all together for unified communication and intelligence sharing, coordination of the response can be seriously hampered.
Precious time may be lost as each group (network ops, AV ops, board of directors, executive branch, field staff) focuses the response effort according to its own skill set and operational authority.
Communications and threat intelligence may not make it to key decision-makers, general employees, or remediation responders. This can provide just enough headroom for the threat to grow, morph, and dig in.
It is mission critical that some structure be available for everyone to come together so the incident response can be coordinated and laser-focused; not just to block and remediate the incident, but to understand whether it was an opportunistic attack, collateral damage, or a probe as part of a wider and more stealthy attack campaign.
I am happy to report that efforts are now underway on the ranch to get the fencing crews, the coyote kill-squad, and the herd wranglers all talking to one another and to develop our very own CERT/CSIRT team.
To that end, I’m dropping the following links as a starting reference point as the workgroup forms.
I have found these resources make an excellent starting point for gaining foundational understanding of what an effective CERT/CSIRT team looks like and the many ways it can be structured depending on the organization’s needs/limitations.
Obviously this is just the tip of the iceberg, but I have found that as my knowledge of key CERT/CSIRT concepts and terminology has grown, so has my ability to find more advanced material on particular related items of interest.
If any CERT/CSIRT team leaders or members happen to be reading GSD, I would deeply appreciate any additional resource URLs or links from you in the comments that could be valuable to those just getting started in CERT/CSIRT formation and operations.
ENISA - European Union Agency for Network and Information Security – Yes, they are from across the pond, but this is some of the very best publicly available material I have found (so far) on CERT concepts and operations.
- CERT – overview
- What's new – ENISA site changes
- Good Practice Guide for Incident Management – extensive guide to CERT/CSIRT concepts and practices
- Setting-up Guide
- CERT Running Guide Home
- Good Practice Guide on Training Methodologies
- Incident management guide
- Proactive detection of incidents
- Standards and tools for exchange and processing of actionable information
- Actionable information for security incident response
- Setting up a CERT – training resources
- Operational – training resources
- Publications – lots and lots of excellent documentation
- Training Resources – (technical, operational, setup, legal & cooperation)
- Exercise Material – practice and drilling makes perfect
- Clearinghouse for Incident Handling Tools – even more tools, tips, and guides for CERT/CSIRT teams.
And here are additional reading resources for CERT/CSIRT teams, ranging from basic to complex.
- Create a CSIRT - The CERT Division – CERT.ORG
- Forming an Incident Response Team – AUSCERT.ORG.AU
- Expectations for Computer Security Incident Response (RFC 2350) – IETF.ORG
- Avoiding the Trial-by-Fire Approach to Security Incidents –CERT.ORG (first article in PDF)
- Handbook for Computer Security Incident Response Teams (CSIRTs) – CERT.ORG
- Computer Incident Response Team (CIRT) Process – UCSanDiego CIRT page
- Security Library / Best Practices Guide (BPGL) – FIRST.org page (added to post 03/08/2015)
One crazy-big tome for Cybersecurity Operations
- Ten Strategies of a World-Class Cybersecurity Operations Center - Carson Zimmerman - The MITRE Corporation
The SANS Institute InfoSec Reading Room (link) has lots of great material
- Computer Incident Response Team (641)- (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Computer Incident Response Team Charter – GIACs - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Incident Handling for SMEs (Small to Medium Enterprises) - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- An Incident Handling Process for Small and Medium Businesses - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Creating and Managing an Incident Response Team for a Large Company - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Implementing a Computer Incident Response Team in a Smaller, Limited Resource Organizational Setting - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Building an Incident Response Program To Suit Your Business - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Incident Response and Creating the CSIRT in Corporate America - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Corporate Incident Handling Guidelines - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- Incident Management 101 Preparation & Initial Response (aka Identification) - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
- CodeRed II: Incident Handling Process and Procedures - (direct to PDF link) – SANS Institute InfoSec Reading Room whitepaper
Another training resource for CERT team members is OpenSecurityTraining.info.
One course of particular note there is the Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review.
Finally, for some “perspective” I found these posts to be insightful and encouraging as this daunting task is considered.
- Is an Alert Review Time of Less than Five Hours Enough? - TaoSecurity
- Brainwashed by The Cult of the Quick – TaoSecurity
- CSIRT Request Tracker Installation Guide - Journey Into Incident Response – the “CSIRT Request Tracker Workflow” diagram was very helpful
- Where's the IR in DFIR Training? - Journey Into Incident Response
- Why breaches happen under IR teams noses – Hexacorn blog