CSIRTs and CERTs
2. CERT/CSIRT teams
2.2. CERT and CSIRT teams
CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team). Although each of these acronyms has a slightly different meaning and, above all, a slightly different historical origin, both can today be understood as the same type of team: a team that, within a clearly defined scope of activity, is responsible for dealing with security incidents and (cyber)threats, and which, from the point of view of users or other teams, is the place to turn with a detected security incident, a request for cooperation, an exchange of information, assistance, etc.
CERT/CSIRT teams are created at the level of individual organisations that provide the operation of the Internet (ISPs – Internet Service Providers), as well as of organisations that use the Internet environment for their core business (such as IT companies, content providers and banks).
The basic duty of every CSIRT team is to respond to threats and to cooperate in resolving incidents. A CSIRT team usually addresses problems that occur within its scope of activity (e.g. its own network infrastructure), i.e. where it has a real possibility to intervene.
A CERT/CSIRT of a given network (organisation) is generally a point of contact that users can turn to with an identified security problem (or just a suspected one) that concerns the computer network or one of the services operated. A professional CERT/CSIRT team should review each report of a (potential) security incident it receives and, if possible, remedy the problem.
This is nothing revolutionary that does not already exist in practice: every major organisation, Internet provider or service provider runs a security team. The difference between a regular security team and a CERT/CSIRT team lies mainly in its involvement in the global security infrastructure, the sharing of information within this infrastructure and the observance of established formal procedures.
The existence of at least one official CERT/CSIRT team is desirable in every operated network, especially in large ones (transit, regional, university), i.e. at the level of large ISPs, but also at banks or service providers.
A significant and specific role is played by the overarching top-level teams within individual states – the so-called national and governmental teams, to which a separate subchapter is devoted.
Globally, the existing CERT/CSIRT teams can be viewed as an infrastructure that addresses Internet security problems. At work, a CERT/CSIRT team draws primarily on its experience, on pre-prepared and proven procedures and on cooperation and the exchange of information with other CERT/CSIRT teams.
The basic requirement of the community is that a CERT/CSIRT team publicly declares its contact information and rules of activity:
· who its operator is,
· who its members are,
· how and when the team can be reached,
· what services it offers,
· its scope of activity (AS number[1], networks, domains, services) in which the team is qualified to act and in what way, i.e. a definition of its powers and responsibilities. Based on this scope of activity, the team is then contacted (e.g. by those attacked) and addresses the issues (incidents) associated with it.
The concept of addressing a security incident can have different specifics depending on the team's setup and its internal policy – it can be the simple elimination of an attack (removal of the source of the problem, e.g. by disconnecting the compromised computer system from the network), tracing the attacker, fast resumption of operation of the affected service/network, etc.
Depending on the team's role in resolving security incidents, teams can be described as internal (institutional) or coordinating. An internal team usually has the possibility of direct intervention (disconnecting the source of the problem, introducing network traffic filtering, etc.). A coordinating team does not have the possibility of direct intervention; its activities focus on communication, cooperation and the mediation of information (these are usually national teams, which will be discussed below).
When addressing a specific incident, the participants try to address it directly at the source, i.e. with whoever is closest to the source or target of the incident and can intervene most effectively (the administrator of the end network or service). The ideal situation occurs when both the source and the target fall within the scope of a CSIRT team, because it is then very easy and fast to find a specific expert at the site of the problem. That expert can then address the problem effectively, and his/her reactions are predictable, because he/she has voluntarily published his/her rules of the game. This communication procedure is very flexible, because the communication does not pass through different levels; it is fast and accurate, and the reaction can be equally fast. However, if the victim cannot find a suitable counterpart (whether because one does not exist, does not publish any usable information about itself, refuses to address the problem or simply does not react), some “leverage” is needed. That can usually, to some extent, be provided by the top-level teams – national and governmental.
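As an added illustration (not part of the original text) of how a published scope of activity drives the choice of whom to contact, the following Python models the lookup: each team declares its AS numbers, networks and domains; the reporter contacts the internal team whose scope most specifically covers the incident source, and escalates to the national coordinating team when no such counterpart exists. All team names, AS numbers, prefixes and domains are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Team:
    """One CERT/CSIRT with its publicly declared scope of activity."""
    name: str
    kind: str                                      # "internal" or "coordinating"
    as_numbers: set = field(default_factory=set)   # AS numbers it is responsible for
    networks: list = field(default_factory=list)   # ipaddress networks it operates
    domains: set = field(default_factory=set)      # DNS suffixes it is responsible for

# Constructed directory of published team scopes (not real teams or prefixes).
TEAMS = [
    Team("CSIRT-ISP", "internal", {64512}, [ipaddress.ip_network("203.0.113.0/24")], {"isp.example"}),
    Team("CSIRT-UNI", "internal", {64513}, [ipaddress.ip_network("203.0.113.128/25")], {"uni.example"}),
]
NATIONAL = Team("CSIRT-NATIONAL", "coordinating")   # fallback "leverage" team, no direct intervention

def team_for(ip=None, hostname=None, asn=None):
    """Pick the team whose declared scope matches the host most specifically.

    Precedence: longest matching IP prefix, then longest matching domain
    suffix, then AS number. No match -> the national coordinating team."""
    best, best_score = None, -1
    addr = ipaddress.ip_address(ip) if ip else None
    for t in TEAMS:
        for net in t.networks:           # most specific prefix wins (UNI /25 over ISP /24)
            if addr is not None and addr in net and net.prefixlen > best_score:
                best, best_score = t, net.prefixlen
    if best:
        return best
    for t in TEAMS:
        for d in t.domains:              # exact name or a subdomain of the declared suffix
            if hostname and (hostname == d or hostname.endswith("." + d)) and len(d) > best_score:
                best, best_score = t, len(d)
    if best:
        return best
    return next((t for t in TEAMS if asn in t.as_numbers), NATIONAL)

def route_incident(source, target):
    """source/target: dicts with optional ip/hostname/asn keys from a report.
    Returns (team to contact, how): the internal team closest to the source,
    or escalation to the national team when no such counterpart exists."""
    src_team, dst_team = team_for(**source), team_for(**target)
    if src_team.kind == "internal":
        how = "single-team" if src_team is dst_team else "direct-to-source"
        return src_team.name, how
    return NATIONAL.name, "escalate"
```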
[1] AS – Autonomous System. An autonomous system is a set of IP networks and routers under common technical management, which represents a common routing policy towards the Internet.