2. CERT/CSIRT teams

2.11. SUMMARY

ℹ️ SUMMARY / MAIN OUTPUTS FROM THE CHAPTER

  • The difference between a regular security team and a CERT/CSIRT team is mainly in the involvement in the global security infrastructure, the sharing of information within this infrastructure and the observance of established formal procedures.
  • The basic requirement of a community is that the CERT/CSIRT team publicly declares its contact information and rules of activity:

o   who is its operator,

o   who are its members,

o   the way and when it is possible to reach the team,

o   what services does it offer,

o   scope of activity (AS number[1], network, domains, services), in which the team is qualified to act and in what way, i.e. defining its powers and responsibilities. Based on the scope of activity, the team is then contacted (e.g. by those attacked) and addresses the issues (incidents) associated with it.

  • Scope of activity of the team – defines what the team is responsible for and what its role is. This, of course, depends on what team it is. It is possible to set up teams of roughly the following types:

o   internal – it serves and is responsible for a specific network (e.g. for a specific range of IP addresses, domains), usually set up by the network operator,

o   coordinating – a team whose main task is to coordinate the resolution of security incidents, it does not have to address them in a targeted manner,

o   vendor – a team dealing with the resolution of security incidents that affect a specific product (SW),

o   national, government – special cases based on the principles of the first two mentioned teams (internal and coordinating), their scope and role depend on the founder and often also on the legislation of a particular country.

  • CERT/CSIRT teams have no official hierarchy that would make one team superior to another. All teams are equal in terms of functioning, communication, cooperation and exchange of information and are not limited in these areas.
  • National CERT/CSIRT acts as a kind of last resort – the last instance where it is possible to request intercession, assistance and intervention.
  • A government CERT/CSIRT usually focuses on the area of ​​state administration and self-government and on resolving incidents that threaten the security of the state and its services. A government CERT/CSIRT can take the form of an internal team with the possibility of direct intervention in the event of a problem. Its existence is usually supported by legislation.


[1] ASAutonomous System. An autonomous system is a set of IP networks and routers under common technical management, which represents a common routing policy towards the Internet.

🗝️  KEY WORDS TO REMEMBER

  • CSIRT team
  • CERT team
  • Incident handling
  • Hierarchy of teams
  • Scope of activity

KNOWLEDGE CHECK QUESTIONS       

  • What is a CSIRT/CERT team?
  • How is a CSIRT/CERT team created and established?
  • What does the national CSIRT team focus on?
  • What does the government CSIRT team focus on?
  • What are the basic community requirements for a CERT/CSIRT team?