CSIRTs and CERTs
1. Cybersecurity
1.4. Cyber threats, events, incidents and attacks
Dealing with “negative cyber phenomena” is complicated by the fact that the scientific literature and procedural rules often use different terms, intended as synonyms, to define the same negative phenomenon.
The reasons for this terminological inconsistency are, on the one hand, the relatively short time we have been dealing with cyber threats, attacks and incidents and, on the other hand, the not always consistent translation from English, the primary language of IT.
1.4.1 Cyberthreat
A threat can most simply be defined as something capable of disrupting the normal or orderly state of affairs and interfering with the rights of other entities. It is a negative effect that may or may not come to pass; for the definition it is sufficient that the possibility of a negative state is real.
According to the Ministry of the Interior of the Czech Republic, “any phenomenon that has the potential to harm the interests and values protected by the state is considered a threat. The severity of a threat is determined by the magnitude of the possible damage and the time scale (usually expressed in probability or risk) of the possible application of that threat.”[1]
The Cybersecurity Glossary defines several terms that are directly related to cyber threats.
Threat is defined as “the potential cause of an unwanted incident that could result in damage to a system or organisation.”[2]
Directly related to this basic concept is the concept of information security threat[3], which is defined as “a potential cause of an adverse event that may result in damage to the system and its assets, such as destruction, unwanted disclosure (compromise), data modification or unavailability of services.”[4]
In addition to the two above-mentioned terms, the authors of the glossary also define active threat, passive threat and advanced persistent threat.[5]
The Oxford dictionary states that a cyberthreat is the possibility of a malicious attempt to damage or disrupt a computer network or system.[6] In this context, “system” is understood to mean a computer system.
A cyberthreat can also be defined as an act aimed at changing[7] information, applications or the system itself.
Jirovský defines four groups of basic threats and at the same time characterises the relationships between them:[8]
1. Leakage of information is a condition where protected information is leaked to an unauthorised entity.
2. Integrity violation represents damage, change or deletion of data.
3. Suppression of a service means intentionally obstructing access to information, applications, or the system.[9]
4. Unauthorised use is the use of information by an unauthorised entity or in an unauthorised manner.[10]
Classification of cyberthreats
There are a number of classifications of cyberthreats, and most often these threats are divided according to:
1. Source of threat
a) Man-made threats. In the event that a threat is caused by a person, it is appropriate to focus on the form of fault that led to the initiation of the threat. From this point of view, it is possible to distinguish threats caused:
· intentionally,
Intentionally caused cyberthreats include, for example:
o intentional deletion of data, changes to system configuration, etc.,
o physical damage to a computer system or other element of ICT,
o data and information theft,
o cyberattacks (malware, DoS, DDoS, phishing, unauthorised eavesdropping, etc.).[11]
· through negligence.
Cyberthreats caused by negligence include, for example:
o accidentally deleted data,
o physical damage to a computer system or other element of ICT (e.g. by falling, tripping over structured cabling, etc.),
o damage to data, systems or other elements due to failure to become familiar with internal acts (legal or technical),
o other user error.
b) Technical errors (e.g. software or hardware error).
c) Force majeure.
Cyberthreats caused by force majeure include, for example:
· unplanned power failure (unless it is a man-made threat from negligence),
· natural events (lightning strikes, storms, etc.) or disasters (floods, earthquakes, etc.),
· fire (unless it is a man-made threat).
2. Source of action
a) internal threats (the source of the threat is located within the organisation)
b) external threats (the source of the threat is outside the organisation)[12]
3. Target of threat
a) Attack on the CIA triad.
· Confidentiality – e.g. theft of data, access data and keys, hardware, etc.
· Integrity – errors in databases, permission settings, etc.
· Availability – e.g. DoS and DDoS attacks; physical attacks on servers and structured cabling; power outages, etc.
b) Attack on any of the elements of cybersecurity.
· People – attacks by social engineering (in the real world, but also cyberspace), phishing, malware, theft, etc.
· Technologies – all threats listed in point 1 of this classification. Typically, threats can affect:
o hardware (endpoint computer systems, servers, network controllers, IoT, etc.),
o databases,
o network and network infrastructure,
o software (operating system or other applications),
o information and data stored in computer systems.
· Processes – unauthorised testing of security or functionality of processes set up in the organisation, etc.
4. Motivation
If a threat is caused by intentional human behaviour, it is appropriate to examine its motivation when addressing the threat. Based on an analysis of the motivation for such behaviour, corrective measures can be created within the threat response process so that the same motivation has no incentive in the future.
Based on motivation, the following can be distinguished:
- threats in order to obtain financial gain,
- threats in order to gain a competitive advantage,
- threats in order to demonstrate somebody’s capabilities,
- threats for retaliation,
- threats due to non-fulfilment of obligations.[13]
5. Type of threat
- social engineering,
- botnet,
- malware,
- ransomware,
- spam/scam,
- fraudulent offers,
- phishing, pharming, spear phishing, vishing, smishing,
- hacking,
- sniffing,
- DoS, DDoS, DRDoS attacks,
- distribution of defective content,
- identity theft,
- APT (Advanced Persistent Threat),
- cyberterrorism,
- cyber extortion.
Appendix 3 of the Decree on Cybersecurity lists examples of threats. According to the decree, threats include:
1. a breach of security policy, execution of unauthorised activities, misuse of permissions by users and administrators,
2. damage or failure of hardware or software,
3. identity fraud,
4. use of software in violation of the license conditions,
5. malicious code (such as viruses, spyware, Trojans),
6. violation of physical security,
7. interruption of the provision of electronic communications services or electricity supply,
8. misuse or unauthorised modification of data,
9. loss, theft or damage to an asset,
10. non-compliance with the contractual obligation by a supplier,
11. a fault for reasons attributable to employees,
12. misuse of internal means, sabotage,
13. long-term interruption in the provision of electronic communications services, electricity supply or other important services,
14. shortage of employees with a required professional level,
15. targeted cyberattack using social engineering, use of espionage techniques,
16. misuse of removable electronic data carriers,
17. attack on electronic communication (eavesdropping, modification).
1.4.2 Cybersecurity event
Prosise and Mandia characterise a “computer security event” (which can be understood as a computer attack or computer crime) as an illegal, unauthorised or unacceptable action that involves a computer system or computer network. Such an action may be aimed, for example, at the theft of personal data, spam or other harassment, embezzlement, dissemination or possession of child pornography, etc.[14]
Jirásek et al. define a security event as: “an event that may cause or lead to a breach of information systems and technologies and the rules defined for its protection (security policy).”[15]
The definition of a security event can also be found in Article 3.5 of ISO/IEC 27001, which states that such an event is: “an identifiable state of a system, service, or network, indicating a possible breach of security policy or failure of security measures. It may also be another situation that previously has not happened that may be important from an information security perspective."
A similar definition can be found in NIST SP 800-61, Computer Security Incident Handling Guide, which defines an event as any observable occurrence in a system or network and an adverse event as: “an event with a negative consequence, such as system crashes, packet floods, unauthorised use of system privileges, unauthorised access to sensitive data or execution of malware that destroys data.”[16]
A cybersecurity event is also defined by the Act on Cybersecurity in Section 7 (1) as “an event that may cause a breach of information security in information systems or a breach of security of services or security and integrity of electronic communications networks.”
In fact, it is an event without a real negative consequence for the given communication or information system. In essence, it is only a threat, albeit one that must be real.
At the same time, these definitions are tautological in that they explain an event as an event.
We believe that it would be more appropriate, and probably more comprehensible, to label and interpret the term “cybersecurity event” as a cyberthreat, because what exists is really only a potential cause that can lead to an adverse event.
Example: An e-mail message containing malicious code (malware) is delivered to a user's internal company mailbox. However, the malware is compressed (e.g. using WinZip) and cannot be executed without further user action (extracting and running it). Such an event does not in itself constitute a breach of security, but under certain circumstances it is capable of causing one.
1.4.3 Cyber (security) incident
Jirásek et al. define a security incident as “a breach or imminent threat of a breach of security policies, security principles, or standard security rules for the operation of information and communication technology.”[17]
The ISO/IEC 27001 standard provides its own definition of an information security incident. In Article 3.6 of this standard, an information security incident is defined as: “one or more unwanted or unexpected security events in which there is a high probability of compromising an organisation and compromising information security.”
A very similar definition of a computer security incident can also be found in the NIST manual, 800-61 Computer Security Incident Handling Guide, which states that it is “a violation or imminent threat of violating security policies, acceptable use policies (system, service) or standard security practice.”[18]
A cybersecurity incident is also defined in Section 7 (2) of the Act on Cybersecurity as “a breach in the security of information in information systems or a breach in the security of service provision or a breach of security and integrity of electronic communication networks due to a cybersecurity event.”
It follows from the wording of the act that an incident can be caused by both intentional and negligent actions of a person, but also by force majeure. What is essential is that the security of the information, or of the services and information and communication systems associated with it, is actually compromised.
A cybersecurity incident thus represents a real breach of information security in information systems or a breach of the security of services or the security and integrity of electronic communication networks, i.e. a breach of an information or communication system with a negative impact.
Accidents, hardware and software errors, errors made by administrators during configuration, errors of system users, etc. are also responsible for a certain part of cybersecurity incidents.
Example: Building on the previous example, once the user extracts and runs the malicious code on the computer, a security incident has occurred.
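The event/incident distinction drawn above can be made operational in detection logic. The following Python example, added here and not part of the original text, runs a small correlator over constructed mail-gateway and endpoint log lines: a malicious attachment reaching a mailbox is recorded as an event (a real threat, no breach yet), while execution of a file extracted from that attachment is escalated to an incident linked back to the event. The log format, the source names (“mailgw”, “edr”) and every field name are assumptions and do not correspond to any real product.

```python
"""Triage of constructed log lines into cybersecurity events and incidents.

Added example illustrating the event/incident distinction in the text; it is
not code from the original. The log format, the sources ("mailgw", "edr") and
all field names are assumptions, not the output of any real product.
"""
from dataclasses import dataclass, field
import re

# Constructed sample logs in a hypothetical "<source> key=value ..." format.
SAMPLE_LOGS = """\
mailgw user=alice attachment=invoice.zip verdict=malicious action=delivered
mailgw user=bob attachment=report.zip verdict=malicious action=quarantined
edr host=alice-pc user=alice event=archive_extracted archive=invoice.zip member=invoice.exe
edr host=alice-pc user=alice event=process_start image=invoice.exe parent=explorer.exe
edr host=carol-pc user=carol event=process_start image=winword.exe parent=explorer.exe
"""

LINE_RE = re.compile(r"^(?P<source>\w+)\s+(?P<fields>\S+(?:\s+\S+)*)$")


def parse_line(line: str) -> dict:
    """Split one log line into a dict of its key=value fields plus 'source'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"source": m.group("source")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"field without '=' in line: {line!r}")
        rec[key] = value
    return rec


@dataclass
class Finding:
    kind: str        # "event" (possible breach) or "incident" (actual breach)
    user: str
    reason: str
    related: list = field(default_factory=list)  # earlier events this finding builds on


def triage(log_text: str) -> list:
    """Classify security-relevant lines as events or incidents.

    - A malicious attachment that reaches the mailbox is an event: the threat is
      real, but nothing is breached yet (the user still has to extract and run it).
    - A quarantined malicious attachment is also an event, but it can never
      escalate, because the user never receives the file.
    - Execution of a file extracted from a delivered malicious attachment is an
      incident: the security of the system has actually been breached.
    """
    findings = []
    delivered = {}   # user -> archive name of a delivered malicious attachment
    members = {}     # user -> set of file names extracted from that archive
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["source"] == "mailgw" and rec.get("verdict") == "malicious":
            findings.append(Finding("event", rec["user"],
                            f"malicious attachment {rec['attachment']} {rec['action']}"))
            if rec["action"] == "delivered":
                delivered[rec["user"]] = rec["attachment"]
        elif rec["source"] == "edr":
            user = rec["user"]
            if rec.get("event") == "archive_extracted" and delivered.get(user) == rec.get("archive"):
                members.setdefault(user, set()).add(rec["member"])
            elif rec.get("event") == "process_start" and rec.get("image") in members.get(user, set()):
                findings.append(Finding("incident", user,
                                f"{rec['image']} extracted from malicious attachment was executed",
                                related=[delivered[user]]))
    return findings


def summarise(findings) -> dict:
    """Count findings by kind, e.g. {'event': 2, 'incident': 1}."""
    counts = {"event": 0, "incident": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.kind.upper():8} user={f.user}: {f.reason}")
    print(summarise(triage(SAMPLE_LOGS)))
```

On the sample logs the correlator yields two events (the delivered attachment for alice and the quarantined one for bob) and a single incident for alice, raised only once the extracted file is actually executed; carol's ordinary process start produces nothing. The point is that the same delivered attachment stays an event until a breach indicator arrives, which is exactly the boundary the act draws between Section 7 (1) and Section 7 (2).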
1.4.4 Cyberattack
Jirásek et al. define a cyberattack as: “An attack on an IT infrastructure to cause damage and obtain sensitive or strategically important information. It is most often used in the context of politically or militarily motivated attacks."[19]
Such a definition of a cyberattack would significantly narrow the term and would not cover all the negative activities of cyberspace users[20], especially because it cumulatively requires both damage to the IT infrastructure and the acquisition of information. A cyberattack can also take the form of social engineering, where the only goal is to obtain information, or, conversely, a DoS or DDoS attack, where the only goal may be to suppress (i.e. not damage) the functionality of one or more computer systems or services.
The difference between a cybersecurity incident and a cyberattack lies primarily in the question of fault. As mentioned earlier, a cybersecurity incident can be caused by both intentional and negligent human behaviour, or force majeure. However, a cyberattack is an intentional act by a person.
Based on the above, a cyberattack[21] can therefore be defined as any intentional conduct by an attacker in cyberspace that is directed against the interests of another person.
A cyberattack can also be defined as the actions of an attacker or group of attackers that use information and communication technology to attack another information and communication infrastructure, whether to compromise the availability, confidentiality, or integrity of data.
1.4.5 Cybercrime
At the end of the discussion of cyber incidents and attacks, we consider it necessary to define, at least in general terms, the relationship between these attacks or incidents and cybercrime.
When defining the content of the concept of cybercrime, it is necessary to realise that as the possibilities of using information and communication tools grow, so does the possibility of their use (abuse) to commit crime. Therefore, there is virtually no universal, generally accepted definition that would fully capture the scope and depth of this concept.
Most generally, cybercrime can be defined as conduct directed against a computer system, computer network, data or users, or conduct in which a computer system is used as a tool to commit a crime. An indispensable criterion for applying the definition of cybercrime is that the computer network, or cyberspace, is the environment in which this activity takes place.
Cybercrime represents the broadest category of all crimes that occur in the information and communication technology environment. “Classic crime” is very often transferred to cyberspace, as crime can be committed faster and more effectively there (e.g. fraud, dissemination of child abuse material, etc.). In addition to this transfer of familiar crime, there are new attacks that are often not yet covered by law.
It should be noted that not every cyberattack must be a crime, but every cybercrime must be a cyberattack at the same time. Many cyberattacks, even due to the absence of a criminal law standard, can be subsumed under conduct that will have the nature of an administrative or civil tort, or it may not be conduct that is punishable by any legal standard (it can be, for example, only an immoral or intolerable conduct).
[1] Hrozba. [online]. [cit. 28/07/2018]. Available from: http://www.mvcr.cz/clanek/hrozba.aspx
[2] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti. [online]. 3rd updated edition. Prague: AFCEA, 2015. p. 52. Available from: https://nukib.cz/download/aktuality/container-nodeid-665/slovnikkb-cz-en-1505.pdf
[3] In this case, there is a problem with the translation of some terms from English and vice versa. If we would like to consistently translate the term information security threat, then the correct Czech equivalent is, for example, “hrozba pro bezpečnost informací; hrozba zabezpečení informací” etc.
[4] Ibidem, p. 25.
[5] Ibidem, pp. 16, 81 and 87.
[6] Cyberthreat. [online]. [cit. 06/07/2018]. Available from: https://en.oxforddictionaries.com/definition/cyberthreat
[7] The change also means the theft of information, its destruction, or frustrating its use.
[8] Cf. JIROVSKÝ, Václav. Kybernetická kriminalita nejen o hackingu, crackingu, virech a trojských koních bez tajemství. Prague: Grada Publishing, a. s., 2007. p. 21 et seq.
[9] These attacks are, for example, DoS – Denial of Service, DDoS – Distributed Denial of Service, etc. For more details, see KOLOUCH, Jan. CyberCrime. Prague: CZ.NIC, 2016, p. 295 et seq.
[10] For example, a paid system is attacked and its services used without paying for them.
[11] For individual cyberattacks, see for example: KOLOUCH, Jan. CyberCrime. Prague: CZ.NIC, 2016, p. 181 et seq.
[12] For more details, see e.g. POŽÁR, Josef. Vybrané hrozby informační bezpečnosti organizace. [online]. [cit. 06/07/2018]. Available from: https://www.cybersecurity.cz/data/pozar2.pdf
[13] Před čím chránit? – Bezpečnostní hrozby, události, incidenty. [online]. [cit. 06/07/2018]. Available from: https://www.kybez.cz/bezpecnost/pred-cim-chranit
[14] PROSISE, Chris and Kevin MANDIA. Incident Response & Computer Forensics, second edition. Emeryville: McGraw-Hill, 2003, p. 13.
See also: CASEY, Eoghan. Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Second Edition. London: Academic Press, 2004, p. 9 et seq.
[15] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti. [online]. 3rd updated edition. Prague: AFCEA, 2015. p. 28. Available from: https://nukib.cz/download/aktuality/container-nodeid-665/slovnikkb-cz-en-1505.pdf
[16] Computer Security Incident Handling Guide [online]. [cit. 13/08/2018], p. 6. Available from: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
[17] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti. [online]. 3rd updated edition. Prague: AFCEA, 2015. p. 25. Available from: https://nukib.cz/download/aktuality/container-nodeid-665/slovnikkb-cz-en-1505.pdf
[18] Computer Security Incident Handling Guide [online]. [cit. 17/02/2018], p. 6. Available from: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
[19] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti. [online]. 3rd updated edition. Prague: AFCEA, 2015. p. 71. Available from: https://nukib.cz/download/aktuality/container-nodeid-665/slovnikkb-cz-en-1505.pdf
[20] The above definition in particular lacks any motivation of the attacker other than that of... causing damage or obtaining strategically important information. An example not covered by this definition is economically motivated attacks, which are currently growing dramatically.
[21] It is necessary to distinguish the concept of cyberattack from the concept of security incident, which represents a breach of IS/IT security and the rules defined for its protection (security policy).