CERT/CSIRT

Learning outcomes

  • Describe the function of CERT/CSIRT teams
  • Describe the common structure for a CERT/CSIRT team
  • Describe the pre-planning and primary concerns of a CERT/CSIRT team
  • List the typical steps in an incident handling process

Would you like to download my PowerPoint to follow along?

  • What is CERT/CSIRT?
    • Computer Emergency Response Team (CERT)
    • Computer Security Incident Response Team (CSIRT)
    • Went from CERT to CSIRT to panic people less
    • CSIRT is usually housed/run by the SOC (Security Operations Center)
  • Types of CSIRT you might see
    • National CSIRT
      • US-CERT, run by DHS (the Cyber Security Division)
      • CERT/CC, a combination of DARPA and Carnegie Mellon
      • FIRST (Forum of Incident Response and Security Teams)
    • More local CSIRTs
      • Companies need them too
      • Every company no matter how small should have a plan
  • Security Operations Center (SOC)
    • Larger companies might have a CSIRT and a SOC.
    • Smaller companies with dedicated IT might have only a NOC (Network Operations Center) that does double duty as a SOC
    • A SOC is where detection, containment and remediation of threats will happen.
    • A SOC is created when a lot of sensitive data is being handled, or because an industry or government requirement says you need one
    • Some SOCs are 24/7, some are regular 9-5, some have on-call options; it depends entirely on the company and its needs
    • Government branches will generally have a SOC because of the threats and scale of the threats they deal with
  • How to decide who's on a CSIRT?
    • You need people from ALL parts of the company
    • C-Suite (A.K.A. authority to make the tough calls)
    • IT
    • Sales
    • Accounting and Finance
    • If you don't have someone on the team who can speak to what each group does, the tools they need, and the planning they have, things will be missed
  • Communication and Planning within a CSIRT
    • Need backup communication. If the company servers are down, relying on company email and VoIP isn't going to go well in an emergency
      • Outsourced servers, phones and email
    • Everything needs to be updated
      • Is everyone on the team still working for the company? In the same role? Are we missing any departments? Are we missing any new info or situations that have changed?
    • Everyone talks and agrees on what should be done in the event of an emergency
    • Regular meetings are needed, both for planning and because you need to trust your team. Trust that they are doing their part. That goes better when you know them
    • Checklists are the best way to plan; don't assume logical thinking in an emergency
  • Things to think about
    • What assets does the company have?
    • Threat assessment, including risk assessment of the company
    • Public statements: pre-write these and have several ready to go for different contingency plans
    • What is your backup plan?
    • What logs are you keeping? For how long? When do you go through them?
    • What information is shared, and when? (legal disclosure obligations) Think of sharing in-house, with shareholders, stakeholders and the public, and when each of those should happen
  • TEST
    • Everything will go wrong. You don't know there's an issue until you test
    • Don't aim for perfect. Aim to do better than last year
    • Schedule REGULAR tests

Suggested Activities and Discussion Topics:

  • Pick a recent cybersecurity incident from the news in the last 6 months. Name 5 things they did correctly and 5 things they could work on, according to this checklist
  • In small groups, discuss what's missing from my things to think about list. What else might a company need to consider when planning for an incident?