CSIRTs and CERTs
2. CERT/CSIRT teams
2.4. CERT/CSIRT infrastructure cooperation
CERT/CSIRT teams are set up on a voluntary basis, and it is in their interest to communicate effectively with each other, exchange important information and knowledge and cooperate. They therefore associate in international organisations. Currently, the best known and most active organisations that deal with this issue and create a suitable environment for the above objectives are the international organisations GÉANT[1] and FIRST (Forum for Incident Response and Security Teams)[2].
Both of the above organisations initiate and enable regular meetings of members of the security teams, exchange of experience and participate in defining the basic rules of cooperation and communication between the world's CERT/CSIRT teams.
The European organisation GÉANT runs several activities in which the world's CERT/CSIRT teams can participate if interested:
· TF-CSIRT (Task Force for CSIRT) is a working group that allows teams to work together in the form of regular two-to-three-day meetings, which take place three times a year. (Each meeting is usually hosted by a CERT/CSIRT team.) More information can be found at: https://tf-csirt.org/.
· CSIRT Training – used to train new members of CSIRT/CERT teams, or for those who are going to establish a CERT/CSIRT team. It is usually held twice a year and the trainers are experienced members of renowned CERT/CSIRT teams and other top security experts. More information can be found at: https://tf-csirt.org/transits/.
· Trusted Introducer[3] – an office whose primary task is to build trust between different CERT/CSIRT teams and to assist in the creation of new ones. More information can be found at: https://www.trusted-introducer.org/.
In addition to the large annual conference held every year, FIRST organises a number of training sessions, creates guidelines and standards for the effective work of CERT/CSIRT teams and, of course, cooperates with the TF-CSIRT activity.
Within the global infrastructure of CERT/CSIRT teams, GÉANT and FIRST act as a kind of “guarantee” that a team claiming to be a CERT/CSIRT team really is one, and that its declared pattern of conduct is true. Every new team that wants to join the security infrastructure goes through an entry process that verifies that the team meets community standards, is transparent, and that there are no compelling reasons against accepting it. In the case of the European infrastructure (the TF-CSIRT platform), this entry process is run by the Trusted Introducer and is initiated when the new team requests to be registered in the team list and granted listed status.[4]
Among the existing teams, there must also be at least two teams (so-called sponsors) that will support a new team, and no already established team may object to its acceptance. If all goes well, information about the new team is stored in a list maintained by TI (and some of it is published), the team gets the listed status, and the community welcomes the new member.
In the case of FIRST, the entry procedure is very similar, only ending not by granting status, but by gaining membership.
Both processes have one thing in common – they are about collecting and publicising as much information as possible about a given team, describing its conduct and its approach to resolving security incidents, so that it can be checked against the requirements of the community.
In the case of the Trusted Introducer, it is possible to achieve other, more significant, statuses, namely accredited and certified statuses. The differences are as follows:
· A team with the listed status has provided basic information about itself, declared its intention to act as a CSIRT team, and been accepted by the community.
· A team with the accredited status declares the required level of its procedures to the community and is committed to adhering to the common TI policies.
· A team with the certified status has, in addition, proved its “level of maturity” within the certification process.
Being an accredited or certified team requires a continuous effort to maintain the status. Part of this effort is the obligation to keep the team's information up to date in the TI list. If a team fails to do so in the long run, it may lose its status and, in the worst case, be expelled by the community. This obligation also applies to listed teams: if they do not pass the accreditation process within three years of obtaining the listed status, they must renew it by demonstrating support from other teams (the so-called re-listing process). This mechanism ensures a high degree of timeliness of the information in the TI list and thus its credibility.
Another organisation active in the field of security is ENISA (European Network and Information Security Agency, http://www.enisa.europa.eu/). It works closely with EU Member States and the private sector and covers a range of activities, including pan-European cybersecurity exercises, the development of national cybersecurity strategies, cooperation between CERT/CSIRT teams and capacity building, addressing data protection issues, and working together to create and implement legislation in matters related to Network and Information Security (NIS).
All three organisations mentioned have one more function in common – they gather know-how from the whole community and enable its sharing (by formulating so-called best-practice documents, instructions and recommendations).
[1] The association was formed by merging TERENA (Trans-European Research and Education Networking Association) and DANTE.
[2] More information about FIRST can be found at: https://www.first.org
[3] Hereinafter also TI.
[4] Listed – listing the team in the database of all registered teams.