Computer Emergency Response Team (CERT), is a group of information security experts within your system, organization or corporation responsible for the protection, detection and first response to cybersecurity incidents. A Computer Emergency Response Team will identify cyber threats tyour IT infrastructure and focus on resolving cyber incidents such as data breaches, denial-of-service attacks, ransomware attacks or system hacks as well as providing alerts and incident handling guidelines.
CERTs also conduct ongoing public awareness campaigns and engage their users in research aimed at improving cybersecurity of systems.
Requirements for establishing a CERT Team
Some of the main requirements in establishing a CERT team include
- Designing CERT Framework
- Understanding and Implementing Organizational Structures
- Strategy how you start it / Initial Policies / Phases
- Mission and Objectives
- Funding
- CERT locations
- Staff/Team skills
- Define Processes
Services offered by CERT Team
A good CERT Team should be able to provide following services to its users nd organisations
- Alerts and Warnings about Cyber incidents
- Incident Handling
- Incident Analysis
- Response Support
- Incident Response Coordination
- Incident Response on Site
- Vulnerability Handling
- Vulnerability Analysis
- Vulnerability Response
- Vulnerability Response Coordination
- Announcements
- Technology Watch
- Vulnerability Assessments
- Penetration Testing – Continuous
- Configuration and Maintenance of Security Tools
- Intrusion Detection
- Security Services
- Information Dissemination
- Digital Forensics
- Risk analysis
- Business Continuity and Disaster Recovery
- Security Consulting
- Awareness Building
- Education/Training Product Evaluation or Certification
Technical Excellence of CERT Team
The CERT should have the most up to date resources and cybersecurity expertise at its disposal, and in order to maintain this advantage, the advisors and experts must have access to high levels of technical excellence. Your CERT may start with being initially with a small number of good quality capabilities rather than lots of poor quality capabilities.
Tier3 provides tools and consultation based on incident categories which are fairly standard in the cybersecurity industry and are regularly used by computer emergency response teams globally. Our CERT Team tools and scripts can help SOC analysts, CERT team members to respond and contain the cyber incident quickly and efficiently while protecting artifacts for forensics and analysis.
| Category | Name | Description |
|---|---|---|
| CAT 1 | Root-level compromise | This category is used when an individual gains unauthorized root-level access (logical or physical) to the organization’s network, any of the systems, applications, data, or other resources. |
| CAT 2 | User-level access | This category is used when an individual gains unauthorized user-level access (logical or physical) to the organizations network, any of the systems, applications, data, or other resources. |
| CAT 3 | Attempted access | This category is used when an unauthorized user attempts to gain unauthorized access to the organization’s assets (local or remote) |
| CAT 4 | Denial of service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. |
| CAT 5 | Poor security practice | This category is used when misuse or unauthorized use of an organization’s information technology assets is discovered. Also, covers violation of the organizations computer security policies such as weak password, or misconfigured system. |
| CAT 6 | Scanning/probing | This category includes any activity that seeks to access or identify a company or organizations computer, open ports, protocols, services, or any combination for exploit. This activity does not directly result in a compromise or DOS. |
| CAT 7 | Malicious code | Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other malware) that infects an operating system or application. |
| CAT 8 | Unknown | This category can be used for a incident that does not currently have a determination of what is happening. An incident with this category selection cannot be closed until a specific category has been determined |
| CAT 9 | Exercises/Training | Since categories will be used for metrics, any category generated while exercising or testing should be closed with this category in order to keep these types of events separate from all the real events. |
| CAT 0 | Discard | This category should be used for falsely generated tickets, bad tickets, or any tickets that should just be discarded and not counted. |
CERT typically operates as a centralized, dedicated team within an organization that is responsible for coordinating the response to and recovery from cyber incidents, as well as monitoring and analyzing the latest cyber threats and vulnerabilities.
Some of the specific tools that handle the tasks and responsibilities of CERT in network management may include:
- Tools for identifying and responding to cyber incidents: CERT monitors the organization’s networks and systems for signs of cyber attacks and coordinates the response to such incidents. This may involve isolating affected systems, restoring systems and data, and working with other teams and stakeholders to minimize the impact of the incident. These tools include SIEM tool.
- Tools for analyzing and mitigating vulnerabilities: CERT monitors and analyzes the latest cyber threats and vulnerabilities, and provides guidance on how to mitigate or eliminate them. This may involve issuing alerts and advisories and coordinating with other organizations and agencies to develop and implement effective countermeasures.
- Tools and consultation for developing and implementing cybersecurity policies and procedures: CERT works with other teams and stakeholders to develop and implement policies and procedures for protecting against cyber threats. This may involve penetration testing or establishing standards and guidelines for secure network design and configuration, as well as developing and implementing security controls and protocols.
- Tools and consultation for providing cybersecurity training and awareness: CERT conducts training and awareness programs to help individuals and organizations understand and manage cyber risks. This may include developing and delivering educational materials and programs, as well as promoting best practices and guidelines for cybersecurity.
- Tools for SOC : SOC itself usually has specialised tooling, the most common being the SIEM (security information and event management) tool. It takes logs and data sources as input, performs some correlation and rule checking, and then outputs alerts for triaging. Licencing for SOC tooling can be expensive, typically the more enterprise-focused solutions tend to cost the most (and often require annual renewal).
Tier3 can provide additional consultation and help to your CERT Team for
● Study and suggest the types of Cyber Security labs including Digital Forensics tools for Laboratory, Security Operation center (SOC), Network Operation Center (NOC), Cyber Range tools for Capacity Development, Hardware, IOT, and Industrial Automation Control System Security lab etc.
● Propose hardware & software tools and network inventories for each lab.
For more information please feel free to contact us and talk to one of our Tier 3 Cyber security experts.
