Angel L. Hueca, Senior Computer Security Information Analyst, CERT Division
At the 2018 World Economic Forum, global leaders voiced concerns about the growing trend of cyberattacks targeting critical infrastructure and strategic industrial sectors, citing fears of a worst-case scenario that could lead to a breakdown of the systems that keep societies functioning. A painful example was the May 2017 WannaCry ransomware attack in which a worm rapidly spread through a number of computer networks, affecting more than 150 countries and more than 400,000 endpoints.
One of the largest victims of the WannaCry attack was the National Health Service in England and Scotland, where up to 70,000 computers, MRI scanners, and blood-storage refrigerators may have been affected. In this global threat environment, the need for Computer Security Incident Response Teams (CSIRTs) has become ever more critical. CSIRTs are expert teams that use their specialized knowledge and skills to detect and respond to computer security incidents. In the broader internet community, these teams form a "global network" drawn from a diverse group of organizations and sectors, such as critical infrastructure, government, industry, and academia. In this blog post, the first in a series on CSIRTs, I talk about the work of CSIRTs and their importance in the global threat landscape.
Implementing a robust incident management capability enhances the ability of national governments and organizations to understand and respond to cyber threats. The Carnegie Mellon University Software Engineering Institute (SEI) defines a National CSIRT as follows: "a computer security incident response team with National Responsibility (or National CSIRT) is a CSIRT that is designated by a country or economy to have specific responsibilities in cyber protection for the country or economy." National CSIRTs have taken a prominent role as points of contact in the coordination of, and response to, national, regional, and international computer security incidents. Previous and current administrations have set forth cybersecurity policies that enable the United States to pursue international cooperation with partner and ally nations in maintaining a globally secure and resilient Internet. In 2014 the SEI's CERT Division and the U.S. Department of State's Office of the Coordinator for Cyber Issues (S/CCI), in coordination with the Department of Homeland Security's Office of International Affairs, began developing and implementing global cybersecurity capacity building activities that support capability and capacity building for national-level CSIRTs.
The CERT Division's International Cybersecurity Initiatives (ICI) Team and S/CCI collaborate with the global national CSIRT community, regional organizations, stakeholders from government, private sector, and the technical community, as well as relevant international organizations.
S/CCI-identified partner governments work with the CERT Division's ICI team to gather information about their national CSIRT, pinpoint where further development is needed, and decide how best to use capacity building resources. The ICI team conducts workshops specific to CSIRT functions and provides guidance on developing internal workflows, policies, and standards.
We travel to different nations and train officials and staff on best practices and on what to look for when training cybersecurity teams. Working side-by-side with partnering governments, the ICI team helps identify the best path forward for cyber capacity building in line with the four strategic goals that have been outlined for national CSIRTs. As outlined in the 2011 SEI report Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0, the four strategic goals for national CSIRTs include the following:
To help CSIRTs achieve these goals, the CERT/CC contributed to the development of a list of services and functions a CSIRT can provide. In collaboration with the Forum of Incident Response and Security Teams (FIRST), a comprehensive list was created from the different perspectives of global FIRST members. The CSIRT Services Framework presents a hierarchical model that consists of the following levels:
The CSIRT Services Framework is outlined as follows:
Service areas outlined in the CSIRT Services Framework include Incident Management, Analysis, Information Assurance, Situational Awareness, Outreach and Communications, Capability Building, and Research and Development. When engaging with international stakeholders, the ICI Team works with key personnel from the host nation to determine the current capacity of the CSIRT and identify areas for improvement. An ICI team member then helps the stakeholder select the service areas best suited to the national CSIRT based on its organizational mission.
Not every service area outlined in the CSIRT Services Framework is needed by every CSIRT. Instead, the ICI team always emphasizes that CSIRTs, particularly resource-constrained teams like National CSIRTs, should select the most relevant services based on constituent needs and focus on providing high levels of service in those areas. Through proper planning and requirements identification, CSIRTs can begin detecting and mitigating cyber threats effectively as they emerge.
Looking to the Future
The World Energy Council released a 2016 report predicting that the energy sector will be a prime target for cyber-attacks. Looking to the future, it seems a safe bet that CSIRTs will continue to play a critical role in maintaining the critical infrastructure that ensures power generation, food supply chains, and medical care. The next post in this series will provide details of a recent engagement in Côte d'Ivoire and the delivery of a workshop on network analysis and Distributed Denial of Service mitigation.
Read the SEI whitepaper CSIRT Frequently Asked Questions (FAQ).
Read the FIRST CSIRT Framework.
Read the report Combatting Cyber Threats: CSIRTs and Fostering International Cooperation on Cybersecurity from the Global Commission on Internet Governance.