IT Security Incident Response

Incident response or incident management

Concepts related to Incident Response

A Security Operations Center (SOC) is a team within an organization that monitors systems for security events and focuses on incident response. They may use a SIEM tool.

Monitoring is an important part of Incident Response.

Log management is one important field of IT security operations. You can read more about it, SIEM and SOAR in this post.

It is important to take into account the Indicators of Attack (IoA) and Indicators of Compromise (IoC). They are for networks what signatures are for viruses.

Incident Response Standards

Standards for incident response:

  • ISO/IEC 27035-1
  • NIST SP 800-61
  • ENISA’s Good Practice Guide for Incident Management
  • CSA CIR

ISO/IEC 27035-1 is about IT incident management.

NIST SP 800-61 has the title “Computer Security Incident Handling Guide”. You can read more about it on this external link.

“Good Practice Guide for Incident Management” is published by the EU agency ENISA. You can read it on this external link.

“Handbook for Computer Security Incident Response” is published by Carnegie Mellon University SEI. It can be downloaded from this external link.

The Cloud Security Alliance (CSA) Cloud Incident Response (CIR) framework is available on this external link.

Incident Response Certifications for Professionals

CERT Incident Response Process Professional Certificate. You can read more on this post.

Incident Management Course

SANS course “SEC504: Hacker Tools, Techniques, and Incident Handling”. You can read more about it on this post.

Incident Management Steps

The incident management steps differ depending on the source.

The incident management steps featured on this post are based on:

  • NIST SP 800-61
  • CISSP

NIST SP 800-61 IR Steps

NIST SP 800-61 steps:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident recovery

CISSP IR Steps

CISSP IR steps:

  1. Detection
  2. Response
  3. Mitigation
  4. Reporting
  5. Recovery
  6. Remediation
  7. Lessons Learned

These steps are detailed in book “CISSP Official Study Guide 9th Edition”, pp. 804-809.

Computer Security Incident Response Team

The term CSIRT, an acronym for Computer Security Incident Response Team or Cyber Security Incident Response Team, is used to designate a group of experts that handles computer security incidents.

Computer Emergency Response Team (CERT) is another term used to refer to a CSIRT, more widespread in the USA.

As computer threats started to appear after the development of the internet in the late 80s, there was a need to create teams that knew how to handle computer security incidents.

A CSIRT could belong to a public institution (e.g., CISA-CERT, which belongs to the American CISA) or a private organization (e.g., Amazon SIRT, which belongs to Amazon). Some CERTs have an international scope, while others are more focused on a country.

Many countries have an official CERT, whose goal is to provide cyber security to their citizens and organizations.

The first team called CERT was CERT-CC, created in 1988. It belongs to the Carnegie Mellon University (USA).

At the beginning of the 90s, CSIRTs started to be created in the European Union under the TERENA program.

In 1989, FIRST (Forum of Incident Response and Security Teams) was founded. It is a global association of CERTs, and some of the most important ones around the world belong to the FIRST association.

You can find all CERT teams belonging to FIRST on this link.

You can find a list of CERTs related to Spain on this link.

There is also a full list of CERTs on this link.

List of some of the existing CERTs:

Name | Country/Org | Organization | Web
DKCERT | DK | DKCERT | Link
CCN-CERT | ES | Centro Criptológico Nacional (CCN). For public administrations and classified and strategic companies of Spain. | Link
INCIBE-CERT (previously CERTSI) | ES | INCIBE (CERT de Seguridad e Industria). For citizens, companies, critical entities, universities and research centers of Spain. | Link
ESPDEF-CERT | ES | Mando Conjunto del Ciberespacio (MCCE). For Defense of Spain. | Link
esCERT | ES | Universidad Politécnica de Cataluña (UPC) | Link
IRIS-CERT | ES | RedIRIS | Link
CIRCL.lu | LU | Computer Incident Response Center Luxembourg (CIRCL) | Link
CERT-EU | EU | European Commission | Link
US-CERT | US | CISA | Link
CERT/CC | US | Carnegie Mellon Software Engineering Institute (SEI) | Link

CSIRT Certifications for Organizations

CSIRT certifications for organizations featured on this post:

  • Carnegie-Mellon CERT
  • TF-CSIRT Trusted Introducer

TF-CSIRT Trusted Introducer

TF-CSIRT is an organization within the European Union that coordinates different CSIRTs.

TF-CSIRT Trusted Introducer is a list of CSIRTs. There are different levels at which an organization can appear in this list:

  1. Listed
  2. Accredited
  3. Certified

TF-CSIRT Trusted Accreditation/Certification

CSIRT Certifications for Professionals

CSIRT certifications for professionals featured on this post:

  • CERT Incident Response Process Professional Certificate

CERT Incident Response Process Professional Certificate

CERT Incident Response Process Professional Certificate official website

Incident Response Tools

Incident Response Tools featured on this post:

  • AWS Kill Switch

AWS Kill Switch

AWS Kill Switch is an incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

It is free and open source software (FOSS).

AWS Kill Switch code repository
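As an added illustration of what such a lockdown does (example code written here, not code from the AWS Kill Switch project), the following builds an explicit Deny-all policy for a compromised IAM role and an account-wide SCP that keeps an incident-responder role exempt. The role and policy names, the responder ARN and the use of boto3 are assumptions; with the default dry run nothing is sent to AWS.

```python
"""Illustration of an IAM 'kill switch' lockdown (not the AWS Kill Switch project's code)."""
import json

LOCKDOWN_POLICY_NAME = "IRLockdownDenyAll"  # assumed inline policy name


def build_role_lockdown_policy():
    """Inline policy that denies every action. An explicit Deny wins over any Allow
    the role already has, so attaching it freezes the role without editing its
    existing policies; removing this one policy later restores the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "IRLockdownDenyAll", "Effect": "Deny",
                           "Action": "*", "Resource": "*"}]}


def build_account_lockdown_scp(responder_role_arn):
    """Service control policy for a whole member account: deny everything except
    for the incident-responder principal, so responders do not lock themselves out.
    (SCPs do not apply to the management account of the organization.)"""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "IRLockdownDenyAllExceptResponder",
                           "Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"ArnNotLike":
                                         {"aws:PrincipalArn": responder_role_arn}}}]}


def is_full_lockdown(policy):
    """Check before applying: every statement must be an explicit Deny on all
    actions and resources, otherwise it is not a kill switch."""
    stmts = policy.get("Statement", [])
    return bool(stmts) and all(
        s.get("Effect") == "Deny" and s.get("Action") == "*" and s.get("Resource") == "*"
        for s in stmts)


def lock_down_role(role_name, dry_run=True):
    """Attach the deny-all inline policy to an IAM role with boto3 (assumed
    installed and credentialed). dry_run=True only returns the policy."""
    policy = build_role_lockdown_policy()
    if not is_full_lockdown(policy):
        raise ValueError("lockdown policy is not a full deny")
    if not dry_run:
        import boto3  # imported lazily so the module loads without AWS credentials
        boto3.client("iam").put_role_policy(
            RoleName=role_name, PolicyName=LOCKDOWN_POLICY_NAME,
            PolicyDocument=json.dumps(policy))
    return policy
```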

Incident Response Regulations

Incident Response Regulation in Spain

In Spain, the applicable regulation is the Real Decreto 43/2021, de 26 de enero, por el que se desarrolla el Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información (Royal Decree 43/2021 of 26 January, developing Royal Decree-Law 12/2018 of 7 September on the security of networks and information systems). You can read it on this link.
