• CERT Development

    CERT Development

  • 1

CERT Development Information & Services

Effective Response

Today’s IT Security Risk

  • Well funded, organized attackers threaten your network
  • IT attacks can result in:
    • Loss of data
    • Disruption of services
    • Defacement of public Internet resources
 
  • Business results of these attacks can be:
    • Loss of revenue
    • Loss of public confidence
    • Release of sensitive data
    • Loss of intellectual property or intelligence
    • Damage to brand
CERT Development Information & Services

Traditional, Preventative Approach to IT Security

Prevent: Implement preventative security in line with best practices

Mitigrate: If an incident occurs, restore from backup and resume operation

The Problem

  • Root cause and ultimate impact of incidents remains largely unknown
  • Management left to guess as to the overall risk to the business from IT Security incidents
  • Dedicated attackers remain undetected, and their damage unknown

CERT Defined

A Computer Emergency Response Team (CERT) or Security Incident Response Team (SIRT) is a unit within an information security group that is responsible for investigating and reporting on suspected information security incidents. 

A CERT responds to reports of possible incidents from a Security Operations Center (SOC) and/or from users

A CERT is a second or third-tier response group that handles technical investigations into incidents

IT Security Cycle

  • CERT completes the IT Security and Risk Management Cycle
  • Events are proactively investigated
 
  • Results are used to dynamically adjust security efforts
  • Impact and risk can more accurately be measured

Reasons for a CERT

  • Minimize the negative impact of security incidents
  • Promote compliance with IT usage policies
  • Track and understand incidents to aid in future prevention and detection
 
  • Provide advisories to IT security and IT user base about new and potential threats
  • Quantify loss and risk from security incidents
  • Detect and deter advanced threats
IT Security Cycle
CERT Capabilities

CERT Capabilities

  • Root cause analysis, to understand where security failures occurred, so that they can be corrected
  • Generate alerts and advisories to users of IT systems
  • Notify SOC staff of new threats to aid detection efforts
  • Notify IT staff of potential security vulnerabilities
  • Provide metrics to assess loss and risk from incidents
  • Report critical findings or failures to management
CERT Capabilities

Organizational Requirements

  • SOC monitoring capability or automated detection systems to report suspected incidents to CERT
  • SOC or CERT Hotline for users to report suspected incidents
  • Preapproved access permissions and communication permissions needed for CERT to respond and report on active incidents in real time
  • Interaction models between CERT and other groups with preapproved communication methods defined

CERT Staff Requirements

  • Extremely knowledgeable in a variety of areas:
    • Networking
    • Log analysis
    • Malware analysis
    • Digital forensics
    • Penetration testing
  • Must have an investigative mindset and be very interested in technology
  • Must be extremely trustworthy with proper security clearances
Organization & Staff Requirements
CERT Engagement Tools

Tools

A variety of tools will be needed to support a CERT

  • Centralized Logging
  • Automated Detection
  • Intelligence Feed System
  • Incident Tracking System
  • Network Monitoring
  • Enterprise Forensic System

Policies and Procedures

  • Must be repeatable, remain nimble so as to enable rapid response, be forensically sound, maintain defensible evidence, and be in line with relevant standards
  • Should adopt relevant requirements from ISO 17025, ISO 27035 and organizational policies and procedures
  • Should define clear authorizations and reporting lines to ensure correct distribution of sensitive material

CERT Engagement Tools

Training

Training will be required in a number of disciplines for all team members

  • Network Fundamentals
  • Incident Handling
  • Log Analysis
  • Network Monitoring
  • Malware Analysis
  • Forensic Collection and Analysis
  • Penetration Testing
Training

Summary

  • Today’s attackers are investing in stealing your data
  • You must invest in protecting it
  • Modern IT Security must be PROACTIVE not merely PREVENTATIVE
  • Implementing a CERT to investigate anomalies on your network is the most effective way to address the current and future threats
  • Feedback from a CERT provides quantifiable data to identify and assess risks to your organization, allowing informed business decisions