CSIRT Starter Kit
Many organisations are interested in having their own team to handle computer security incidents, but don't know where to start. Nowadays the problem is not that there is not enough information, rather that there is too much. This page therefore gives pointers to the first things you should read, before moving on to more comprehensive sites such as that maintained by the CERT Co-ordination Center (CERT-CC).
Such teams may be known by a range of different acronyms including CERT®, Incident Response Team (IRT) and Computer Security Incident Response Team (CSIRT), but all do similar work. In this document the term CSIRT will be used.
Why do I need a CSIRT?
- A slideshow (PDF) from CERT-POLSKA on what you and your organisation can gain
- The Incident Cost and Modelling Project (ICAMP) worked out how much security incidents cost organisations
- For more details about acronyms and other common questions, see the CERT-CC FAQ
Where do I start?
- CERT-CC have an outline plan of how to establish a CSIRT
- CERT-CC also have a report on different structures for incident response teams
Who makes up a CSIRT?
- CSIRT staff need a particular set of human and technical skills (from CERT-CC)
What do CSIRTs do?
- To call yourself a CSIRT, you must do incident handling as defined in this guide from NIST
- Many CSIRTs also provide other services, but no one does everything in this list from CERT-CC
- The complete reference for CSIRTs is the CSIRT Handbook, published by CERT-CC
What is an incident response policy?
- SecurityFocus have an article on why and how to develop an incident response policy
- Sun have a comprehensive set of four papers on Responding to Customer Security Incidents in their Blueprints series
What software tools do I need?
- A catalogue of the tools used by working CSIRTs is maintained by the European CSIRT Task Force
Is there any training for CSIRTs?
CSIRT staff need to understand system and network management using the products common in their constituency, but they also need special skills that are unique to the incident handling role of CSIRTs.
- Courses on running a CSIRT are run in Europe by the TRANSITS project and in the USA by CERT-CC
- Technical training relevant to CSIRT work is available from a number of providers listed in an appendix to the CERT-CC State of the Practice guide. Some of these providers (e.g. CERT-CC and SANS) offer formal certification.
Where can I find other CSIRTs?
CSIRTs need to work together to resolve incidents, and there is a strong community that shares experiences, technical information and working practices. Existing teams are normally very happy to help new teams: the more CSIRTs there are, the better the Internet is for all of us.
- Regular meetings are held by TF-CSIRT (Europe) and FIRST (international)
- Directories of CSIRTs are also maintained by these organisations: CSIRTs in Europe (TF-CSIRT) and FIRST members (FIRST)
- Regional Internet registries may also hold CSIRT information, such as the RIPE IRT object
Longer term plans
- To help CSIRTs to become fully professional services, a CSIRT Maturity Model is being developed.