Incident response or incident managment
Concepts related to Incident Response
A Security Operations Center (SOC) is a team within an organization that monitors systems for security events and focus on incident response. They may use a SIEM tool.
Monitoring is an important part of Incident Response.
Log management is one important field of IT security operations. You can read more about it, SIEM and SOAR on this post.
It is important to take into account the Indicators of Attack (IoA) and Indicators of Compromise (IoC). They are for networks what signatures are for viruses.
Incident Response Standards
Standards for incident response:
- ISO/IEC 27035-1
- NIST SP 800-61
- ENISA’s Good Practice Guide for Incident Management
- CSA CIR
ISO/IEC 27035-1 is about IT incident management.
NIST SP 800-61 has the title “Computer Security Incident Handling Guide” You can read more about it on this external link.
“Good Practice Guide for Incident Management” is published by EU agency ENISA. You can read it on this external link.
“Handbook for Computer Security Incident Response” by Carnegie Mellon University SEI. It can be downloaded from this external link.
Cloud Security Alliance (CSA) Cloud Incident Response (CIR) framework on this external link.
Incident Response Certifications for Profesionals
CERT Incident Response Process Professional Certificate. You can read more on this post.
Incident Management Course
SANS course “SEC504: Hacker Tools, Techniques, and Incident Handling“. You can read more about it on this post.
Incident Management Steps
Incident Management Steps are different depending on the source.
The incident management steps featured on this post are based on:
- NIST SP 800-61
- CISSP
NIST SP 800-61 IR Steps
NIST SP 800-61 steps:
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident recovery
CISSP IR Steps
CISSP IR steps:
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons Learned
These steps are detailed in book “CISSP Official Study Guide 9th Edition”, pp. 804-809.
Computer Security Incient Response Team
The, term CSIRT, as an acronym for Computer Security Incident Response Team or Cyber Security Incident Response Team is used to design a group of experts that handles computer security incidents.
A Computer Emergency Response Team (CERT) used to define a CSIRT, more extended in the USA.
As computer threads started to appeared after the development of the internet on the late 80s, there was a need to create teams that knew how to handle computer security incidents.
A CSIRT could belong to a public institution (e.g., CISA-CERT, that belongs to American CISA) or a private organization (e.g., Amazon SIRT, that belongs to Amazon). Some CERTs have an international scope, while some other are more focused on a country.
Many countries have an official CERT, whose goal is to provide cyber security to their citizens and organizations.
The first team called CERT was CERT-CC, created in 1988. It belongs to the Carnegie Mellon University (USA).
At the beginning of the 90s, CSIRT were starting to be created in the European Union under the TERENA program.
In 1989, FIRST (Forum of Incident Response and Security Teams) was founded. It is a global association of CERTs, and some of the most important ones over the world belong to FIRST association.
You can find all CERT teams belonging to FIRST on this external link.
There is a EU CSIRT network that is coordinated by ENISA. You can read more about it on this external link.
You can find a list of CERTs related to Spain on this link. Law 40/2015 determines to which CERT do public sector organizations should address.
There is also a full list of CERTs on this link.
List of some of the existing CERTs:
| Name | Country/Org | Organization | Web |
|---|---|---|---|
| DKCERT | DK | DKCERT | Link |
| CCN-CERT | ES | Centro Critológico Nacional (CCN) For public administrations and classified and strategic companies of Spain | Link |
| INCIBE-CERT (previously CERTSI) | ES | INCIBE (CERT de Seguridad e Industria) For citizens, companies, critical entities, universities and research centers of Spain. | Link |
| ESPDEF-CERT | ES | Mando Conjunto del Ciberespacio (MCCE) For Defense of Spain. | Link |
| esCERT | ES | Universidad Politécnica de Cataluña (UPC) | Link |
| IRIS-CERT | ES | RedIRIS | Link |
| CIRCL.lu | LU | Computer Incident Response Center Luxembourg (CIRCL) | Link |
| CERT-EU | EU | European Commission | Link |
| US-CERT | US | CISA | Link |
| CERT/CC | US | Carnegie Mellon Software Engineering Institute (SEI) | Link |
CSIRT Certifications for Organizations
CSIRT certifications for organizations featured on this post:
- Carnegie-Mellon CERT
- TF-CSIRT Trusted Introducer
TF-CSIRT Trusted Introducer
TF-CSIRT is an organization within the European Union that coordinates different CSIRTs.
TF_CSIRT Trusted is a list or CSIRTs. There are different ways in which an organization can be added to this list:
- Listed
- Accredited
- Certified
TF-CSIRT Trusted Accreditation/Certification
CSIRT Certifications for Professionals
CSIRT certifications for professionals featured on this post:
- CERT Incident Response Process Professional Certificate
CERT Incident Response Process Professional Certificate
CERT Incident Response Process Professional Certificate official website
Incident Response Tools
Incident Response Tools featured on this post:
- AWS Kill Switch
AWS Kill Switch
AWS Kill Switch is an incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.
It is free and open source software (FOSS).
AWS Kill Switch code repository
Incident Response Regulations
Incident Response Regulation in Spain
There is the Real Decreto 43/2021, de 26 de enero, por el que se desarrolla el Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información. You can read it on this link.