The task of each CERT is to monitor and analyse threats to the security of ICT systems , provide assistance in identifying threats and preventing attacks, empower actors for adequate responses to attacks, provide legal assistance in processing cyber incidents [CYBER-CRIME] , maintain communication with relevant institutions and more.
In order for a CERT to successfully implement its activities, it is necessary to establish a catalog of services. If the services, vision, mission and goals are clearly and precisely defined, the basic framework of business and development of CERT is established. These are, as a rule, among other things, coordination of information, monitoring of intrusion detection systems, analysis of potential threats and attacks on the security of ICT systems, recovery of the system from the consequences of attacks. The basic services of CERTs include the proposal and implementation of protection measures, reporting, analysis and technical support. They can be described in more detail in the light of their four basic processes: triage, resolution, issuing notices and giving feedback to users.
The triage process is the basic point of contact and involves accepting, collecting, sorting and forwarding the information obtained. When the CERT triage team receives some information or a problem report, a confirmation is sent to the sender that the message has been received, and then the information is sorted, prioritized, a unique identifier is added, and forwarded to other processes within the implemented services.
The incident resolution process involves analysing reported security incidents or threats and responding to them. During the analysis, the cause is determined, the evidence is analysed, it is determined who is involved in the incident, as well as what kind of support and to what extent is needed. What the response will be depends on CERT's missions, goals and definitions of services, but also on the priorities set.
The notification process is a notification in different formats, such as: announcements, warnings, advice, short notices, guidelines, technical procedures. The primary purpose of issuing a notification is to provide information to users that will help them protect their systems or to find traces of a potential attack by providing information about possible, ongoing, or recent threats. Additionally, methods for preventing, detecting, or recovering from incidents are suggested.
The feedback process is communication with users and entities, either on request or in a regular form (e.g. in the form of a report).
The information management process covers all 4 mentioned phases and is a very important part of the basic process. Information needs to be collected and recorded, then verified, categorised and finally stored. Some information may also be published, to provide guidance or support to stakeholders, but throughout the process the security of all information within the CERT organisation must be at the highest level.
In addition, the cooperation process involves all types of interactions that CERT has with other entities. It is desirable to regularly maintain existing and establish new contacts with local and regional partners and clients, as well as to create adequate databases. However, information is exchanged during all four basic processes, so it is important to choose partner organisations carefully in order to preserve the integrity, confidentiality and availability of data.
In addition to national CERTs that comprehensively deal with security incidents in ICT systems at the national level, there are a large number of special CERTs around the world, focused on improving information security within one sector, group of entities, and even within just one company. Given the complexity and specificity of a particular community or group of entities (academic institutions, banks, etc.) or the confidential nature of information managed by companies, special CERTs with their highly specialised experts are certainly the most competent address for protection against cyber incidents and establishing preventive measures.