Tagged with CERT

What are CERTs

Computer Emergency Response Teams (CERTs) are organisations dedicated to the protection of information security and can be established at the national level, at the sectoral level (such as finance or energy) as well as within a single entity (e.g. company CERTs). Alternatively, these types of organisations are called CSIRT (Computer Security Incident Response Team) or CIRT (Computer Incident Response Team). 

Depending on the legal framework, the role of a CERT can be educational, advisory, preventive and investigative. This includes monitoring incidents at the national level, providing early warnings and information on risks and incidents in the field of information security, and promoting a security culture among citizens, in state institutions and in the private sector.

Because they are responsible for a limited number of specific information systems, special CERTs usually also have an incident management function, which means a more active role in restoring normal system operation and in incident and malware analysis.

The first organisation of this kind is the CERT Coordination Center (CERT/CC) of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, USA. As early as 1990, national organisations founded the international organisation FIRST (Forum of Incident Response and Security Teams), which currently has more than 500 members worldwide. FIRST brings together CERT teams at the state level, commercial CERTs and academic CERTs.


Role of CERTs

The task of each CERT is to monitor and analyse threats to the security of ICT systems, provide assistance in identifying threats and preventing attacks, empower actors to respond adequately to attacks, provide legal assistance in processing cyber incidents, maintain communication with relevant institutions, and more.

In order for a CERT to carry out its activities successfully, it needs to establish a catalogue of services. If the services, vision, mission and goals are clearly and precisely defined, the basic framework for the operation and development of the CERT is in place. As a rule, these services include, among other things, coordination of information, monitoring of intrusion detection systems, analysis of potential threats and attacks on the security of ICT systems, and recovery of systems from the consequences of attacks. The basic services of CERTs include proposing and implementing protection measures, reporting, analysis and technical support. They can be described in more detail in terms of their four basic processes: triage, resolution, issuing notices and giving feedback to users.

The triage process is the basic point of contact and involves accepting, collecting, sorting and forwarding the information received. When the CERT triage team receives information or a problem report, a confirmation that the message has been received is sent to the sender; the information is then sorted and prioritised, a unique identifier is added, and it is forwarded to the other processes within the implemented services.

The incident resolution process involves analysing reported security incidents or threats and responding to them. During the analysis, the cause is determined, the evidence is examined, and it is established who is involved in the incident, as well as what kind of support is needed and to what extent. What the response will be depends on the CERT's mission, goals and definition of services, but also on the priorities set.

The notification process issues notices in different formats, such as announcements, warnings, advice, short notices, guidelines and technical procedures. The primary purpose of issuing a notification is to give users information that will help them protect their systems or find traces of a potential attack, by informing them about possible, ongoing or recent threats. Additionally, methods for preventing, detecting or recovering from incidents are suggested.

The feedback process is communication with users and entities, either on request or in a regular form (e.g. in the form of a report).

The information management process covers all four of the processes mentioned above and is a very important part of the basic process. Information needs to be collected and recorded, then verified, categorised and finally stored. Some information may also be published, to provide guidance or support to stakeholders, but throughout the process the security of all information within the CERT organisation must be kept at the highest level.

In addition, the cooperation process involves all types of interactions that the CERT has with other entities. It is desirable to regularly maintain existing contacts and establish new ones with local and regional partners and clients, as well as to create adequate databases. However, information is exchanged during all four basic processes, so it is important to choose partner organisations carefully in order to preserve the integrity, confidentiality and availability of data.
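The triage and information-management steps described above (accept, record, verify, sort, add an identifier, acknowledge, forward) can be modelled in a few lines. The following is an added illustration, not code from any CERT or from this toolkit: the category names, the priority table, the identifier format and the acknowledgement wording are all assumptions, chosen only to make the flow concrete.

```python
"""Added illustration of a CERT triage intake and its information-management
steps.  Not code from any CERT or from the toolkit: category names, priority
weights, identifier format and acknowledgement wording are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed priority per incident category (1 = handle first).  The weights are
# illustrative; a real CERT derives them from its own service definitions.
PRIORITY = {
    "intrusion": 1,
    "data_leak": 1,
    "service_interruption": 2,
    "malware": 2,
    "ddos": 2,
    "unauthorised_modification": 2,
    "other": 3,
}


@dataclass
class Report:
    """A report exactly as received at the triage point of contact."""
    sender: str            # where the acknowledgement is sent back to
    category: str
    summary: str
    affected_system: str
    received_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class TriagedReport:
    identifier: str        # unique identifier added during triage
    priority: int
    acknowledgement: str   # confirmation text sent to the reporter
    report: Report


def verify(report: Report) -> List[str]:
    """Verification step of information management: list what is wrong with a
    report.  An empty list means it can be registered and forwarded."""
    problems = []
    if "@" not in report.sender:
        problems.append("sender gives no address to acknowledge to")
    if report.category not in PRIORITY:
        problems.append("unknown category %r" % report.category)
    if not report.summary.strip():
        problems.append("empty summary")
    return problems


class TriageDesk:
    """Accepts, records, verifies, sorts and forwards reports."""

    def __init__(self, team_prefix: str = "CERT-XX"):  # assumed placeholder prefix
        self.prefix = team_prefix
        self.seq = 0
        # Everything received is recorded, valid or not (collect and record first).
        self.records: List[Tuple[Report, List[str]]] = []
        # Registered reports waiting for the incident resolution process.
        self.queue: List[TriagedReport] = []

    def intake(self, report: Report) -> Optional[TriagedReport]:
        problems = verify(report)
        self.records.append((report, problems))
        if problems:
            return None                      # recorded, but not forwarded
        self.seq += 1
        identifier = "%s-%d-%04d" % (self.prefix, report.received_at.year, self.seq)
        priority = PRIORITY[report.category]
        ack = "To %s: your report was received and registered as %s." % (
            report.sender, identifier)
        triaged = TriagedReport(identifier, priority, ack, report)
        self.queue.append(triaged)
        # Sorting step: most urgent first, earliest arrival first within a priority.
        self.queue.sort(key=lambda t: (t.priority, t.report.received_at))
        return triaged

    def next_report(self) -> Optional[TriagedReport]:
        """Hand the most urgent registered report to the resolution process."""
        return self.queue.pop(0) if self.queue else None

    def rejected(self) -> List[Tuple[Report, List[str]]]:
        """Reports that were recorded but failed verification."""
        return [(r, p) for r, p in self.records if p]


if __name__ == "__main__":
    desk = TriageDesk()
    t = desk.intake(Report("ops@example.org", "data_leak", "customer list exposed", "crm"))
    print(t.acknowledgement)
```

Note that a report which fails verification is still stored in `records`: the information-management process keeps everything that arrives, and only the verified reports are forwarded to resolution.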

In addition to national CERTs, which deal comprehensively with security incidents in ICT systems at the national level, there are a large number of special CERTs around the world, focused on improving information security within one sector, one group of entities, or even a single company. Given the complexity and specificity of a particular community or group of entities (academic institutions, banks, etc.) or the confidential nature of the information managed by companies, special CERTs with their highly specialised experts are certainly the most competent point of contact for protection against cyber incidents and for establishing preventive measures.


Incident notice

For the purposes of this toolkit, we will define “incident” as any event that has a negative impact on the security of network and information systems. This can range from complex and sophisticated technical attacks to system malfunctioning caused by human error.

However, ICT systems of special importance, such as those which are part of a country's critical infrastructure (power supply, telecommunications, etc.) or used for banking services, are subject to an obligation to report incidents in their systems to the competent state bodies and authorities. For example, if the incident occurred in the banking sector, the operator of the ICT system needs to notify the country's central bank.

When there are more serious incidents and attacks, which can strongly affect national defence or national security, relevant intelligence and security services and agencies (military or civilian) should be notified as well. In addition, when an incident involves and affects personal data, the national data protection authority (Commissioner, Agency, Commission, etc.) is also to be notified.

Sometimes it is very difficult to distinguish between types of incidents, as they can occur simultaneously. Below is a list of some of the types of incidents which usually require sending an incident notice to the competent state authorities:

  • Breaking into the ICT system: an attack on a computer network and server infrastructure which, by violating protection measures, enabled access to the ICT system and unauthorised influence on its operation;
  • Data leakage: availability of protected data outside the circle of persons authorised to access the data;
  • Unauthorised modification of data;
  • Data loss;
  • Interruption in the functioning of the system or part of the system;
  • Denial of service attacks (DDoS);
  • Installation of malware within the ICT system;
  • Unauthorised data collection through unauthorised surveillance of communications or social engineering;
  • Constant attacks on certain resources;
  • Abuse of authority to access ICT system resources;
  • Other incidents.

Security act

Operators of ICT systems of special importance are usually required to have and implement a security act. The security act regulates the protection measures, principles, manner and procedures for achieving an adequate level of system security, as well as the authorisations and responsibilities related to the security and resources of the ICT system of special importance. The operator of an ICT system of special importance has to check the compliance of the measures applied in the ICT system with the security act at least once a year.

Each protection measure, e.g. making regular data backups, should be described in as much detail as possible. In addition to the description, the measure should set out the principles and procedures that will be applied during its implementation.

After describing the measures and referring to the principles and procedures, the security act should name the person responsible for each measure, who is obliged to make sure that the measure is respected in practice.


File a complaint

When you are filing a complaint with the police, it is important to gather all the necessary digital evidence and not only to copy the content of the message in question. This is often not simple, as it requires technical knowledge and patience, and few people upset by an attack have the nerves for it. If you can't deal with it, ask a friend, colleague or family member for help. They can record evidence of the attack and also manage your account on the platform where the attack is taking place. The documentation should contain material evidence of the attack and be organised so as to make searching easy. Using a spreadsheet can be convenient, as attacks can be sorted by time, location, cause, duration and type of attack, reports filed on the platform, and response. All of this is important information for lawyers, the police, further investigation and court proceedings. Try to identify the type of attack, because some forms of online threats are still unknown to the general public, and sometimes even to the police. This will help the investigators to better understand what happened and how to look for the perpetrators.

First, you should provide the relevant links or URLs in their full form, i.e. if the attack occurs on social media, you should provide the full link to the account which sent you the threat. Then, you should save a copy of the message in its complete form, including its metadata, i.e. the email headers.

Furthermore, it would be good to make a screenshot (print-screen) of the message, image or video involved in the incident. If the incident has several segments (you are facing multiple SMSs, messages received via an application on a computer or phone, etc.), you should make a screenshot of each one or possibly make a video of the entire process.

In addition, if the harassment occurs through phone communication, the report should contain call logs issued by the phone operator, because they record the time of the call and the number from which the call was made, which may make further investigation easier. You can also turn to the Computer Emergency Response Team in your country, which may provide technical support and mitigate the damage, or to the state bodies in charge of investigating cybercrime.
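The two points above (keep the message with its headers intact, and keep a searchable log of the incidents) can be done with a small script. What follows is an added example, not code from this toolkit: the email message is constructed for the illustration, the spreadsheet columns are an assumption modelled on the sorting criteria mentioned above, and the SHA-256 fingerprint is added so that a copy handed to the police or a CERT can later be checked against the original.

```python
"""Added example: preserving a saved email (raw export with headers) as evidence
and logging the incident in a CSV spreadsheet.  Not code from the toolkit; the
message below is constructed and the log columns are an assumption."""
import csv
import hashlib
import io
from email import message_from_bytes, policy

# Constructed sample message, standing in for a .eml file saved from a mail client.
RAW_MESSAGE = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])\r
\tby mx.example.org with ESMTP id abc123; Mon, 4 Mar 2024 08:15:02 +0000\r
From: "unknown" <sender@example.net>\r
To: victim@example.org\r
Subject: last warning\r
Date: Mon, 4 Mar 2024 08:14:55 +0000\r
Message-ID: <20240304081455.1@mail.example.net>\r
\r
Body text of the constructed message.\r
"""

# Assumed columns: time, location (platform), type of attack, source, message
# identifier, integrity fingerprint, whether it was reported, and the response.
EVIDENCE_COLUMNS = ["time", "platform", "type", "source", "message_id",
                    "sha256", "reported", "response"]


def fingerprint(raw: bytes) -> str:
    """SHA-256 over the unmodified bytes; any later copy can be checked against it."""
    return hashlib.sha256(raw).hexdigest()


def extract_headers(raw: bytes) -> dict:
    """Pull the metadata investigators care about out of the full message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    date = msg["Date"].datetime.isoformat() if msg["Date"] else ""
    return {
        "from": sender,
        "date": date,
        "message_id": str(msg["Message-ID"] or "").strip(),
        # The Received chain shows which servers handled the message and when.
        "received": [str(h) for h in (msg.get_all("Received") or [])],
    }


def evidence_row(raw: bytes, platform: str, kind: str,
                 reported: str = "no", response: str = "") -> dict:
    """One spreadsheet row for an incident, built from the preserved message."""
    h = extract_headers(raw)
    return {
        "time": h["date"],
        "platform": platform,
        "type": kind,
        "source": h["from"],
        "message_id": h["message_id"],
        "sha256": fingerprint(raw),
        "reported": reported,
        "response": response,
    }


def write_log(rows, fh) -> None:
    """Write the evidence log as CSV, which any spreadsheet program can sort."""
    writer = csv.DictWriter(fh, fieldnames=EVIDENCE_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)


def verify_copy(original: bytes, copy: bytes) -> bool:
    """True if a copy is byte-for-byte identical to the preserved original."""
    return fingerprint(original) == fingerprint(copy)


if __name__ == "__main__":
    row = evidence_row(RAW_MESSAGE, platform="email", kind="threat", reported="yes")
    out = io.StringIO()
    write_log([row], out)
    print(out.getvalue())
```

Keep the raw message file itself alongside the log; the row only records where it came from and its fingerprint, and `verify_copy` is what you run when you want to show that the file you hand over is the one you saved at the time.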
