CSIRT Starter Kit
Computer Security Incident Response Teams (CSIRTs) are responsible for receiving and reviewing incident reports and responding to them as appropriate. These services are normally performed for a defined constituency such as a corporation, institution, educational or government network, region or country, or a paid client. CSIRT services generally fall into three categories: reactive (e.g. vulnerability alerts, incident handling); proactive (e.g. intrusion detection, auditing and information dissemination); and security quality management (e.g. risk analysis, disaster recovery planning, and education and training).
Security threats are real, and every networked system can potentially be compromised in a matter of minutes, causing service downtime, data theft and the replication of viruses, worms and trojans across the Internet. Ignoring security will eventually cost an organisation time, effort and productivity, and in some cases there can be a significant financial impact or loss of reputation.
Establishing a CSIRT can prevent many problems before they happen, and also ensures that incidents are responded to quickly when they do occur. The cost of establishing and running a CSIRT is usually outweighed by the amount saved by not having to fix problems after the fact, and in some cases its services can be offered on an added-value or commercial basis.
The following should be defined when establishing a CSIRT:
- Mission Statement - what tasks should be undertaken?
- Constituency - who should be served?
- Organisation - where does the CSIRT fit in the overall organisational structure?
- Relationship - who to cooperate with, and whom to trust?
Once a basic framework has been defined, the next steps are to define incident categorisation and disclosure policies, and escalation procedures. This is usually accompanied by the implementation of incident handling systems and the training of key staff in procedures. It is also important to raise awareness of the CSIRT within its designated constituency, as well as to establish contacts with other CSIRTs.
It should be pointed out that 'CSIRT' is a commonly accepted generic term for incident handling and response teams. They were traditionally known as Computer Emergency Response Teams (CERTs) after the original CERT/CC, and many still use this designation. However, the 'CERT' acronym is trademarked by CERT/CC, which led to alternatives such as 'CSIRT' and 'IRT' being adopted. The various terms are interchangeable and do not imply differing roles, although of course the services offered can vary from team to team.
Why do I need a CSIRT?
- Incident Cost Analysis and Modeling Project (I-CAMP) - 1st Report on how much security incidents cost organisations. From CIC 1997
- Incident Cost Analysis and Modeling Project (I-CAMP II) - 2nd Report on how much security incidents cost organisations. From CIC 2000
- CSIRT FAQ - Common questions about CSIRTs. From CERT/CC
How do I start?
- Creating a CSIRT - A process for getting started. From CERT/CC
- Organizational Models for CSIRTs - Different ways of structuring incident response teams. From CERT/CC
- Staffing Your CSIRT - What basic skills are required? From CERT/CC
What do CSIRTs do?
- Computer Security Incident Handling Guide - Required criteria for incident handling. From NIST
- CSIRT Services - Types and categorisation of services that can be offered. From CERT/CC
- How to Design a Useful Incident Response Policy - Reasons for developing incident response policies. From Symantec
- Clearinghouse for Incident Handling Tools - Catalogue of tools used by CSIRTs. From ENISA
Is any training available?
It is beneficial for CSIRT staff to already have experience in system and/or network administration, but they also require specialist skills in incident handling. TF-CSIRT provides both basic and advanced training through its TRANSITS training courses, which are regularly held in Europe and other regions of the world. Other organisations such as CERT/CC and SANS also offer CSIRT training.
How can I find other CSIRTs?
CSIRTs need to collaborate to resolve incidents, as well as to share information, experiences and working practices. Established CSIRTs are often happy to assist new teams, since more teams mean a better chance of resolving problems.
The first step towards being recognised as an official CSIRT is to be listed by TF-CSIRT. This requires the support of other CSIRTs, so it is important to build relationships with at least two other established CSIRTs. Often established CSIRTs can also provide advice and mentoring to new CSIRTs. Listing gives CSIRTs automatic access to TF-CSIRT meetings and mailing lists.
After a CSIRT has been listed, it can decide whether to apply for accreditation from TF-CSIRT. This involves fulfilling certain basic criteria and regularly updating information about the team. Accreditation brings a number of benefits including access to sensitive information and closed sessions of TF-CSIRT meetings.
Some accredited CSIRTs further choose to undertake certification of their service offerings.