Introduction
Cybersecurity is an industry with a very broad scope and many domains of expertise. Even if your team has the best experts available, the most advanced equipment and a 24/7 commitment, it is still not possible to claim that the company is 100% protected from cyber-threats.
When companies want to upgrade their security levels, they normally use what is known as “penetration tests”. These are actioned by a ‘red team’ who will simulate a cyberattack and who will attempt to take down the company’s defences. This allows the company to identify and fix any weaknesses in the security systems that potential attackers may exploit.
Simultaneously, a ‘blue team’ is in charge of the daily maintenance of the security level of the company’s information systems. In this article, I will answer the following questions: who are they? What do they do? How do they react to increasingly efficient attackers?
This ‘blue team’ focuses primarily on the detection of and reaction to security issues. The daily monitoring tasks are normally carried out by the SOC (security operations centre), while specific threat responses are managed by the CSIRT (computer security incident response team) in collaboration with the CERT (Computer Emergency Response Team).
What is a SOC and how does it work?
There are two main ways to detect a security incident: technical and human. Human detection is when a user notices unusual or suspicious activity during their normal work, whereas technical detection happens through automated analysis of all the data collected about the information system and its activity, from servers, firewalls, proxies and antivirus.
Generally speaking, all equipment linked to the information system of a company transmits data about its activity to a tool named SIEM (Security Incident and Event Manager), which is the heart of SOC performance. This SIEM tool centralises and correlates the different logs, in order to identify and report possible threats based on previously established criteria (correlation rules).
These notifications are analysed and qualified by the SOC team. Notifications or incidents that are not deemed real threats are discarded, whereas verified incidents are sent to the CSIRT, which is in charge of deploying an appropriate response.
Depending on their financial and human resources, companies can choose whether to set up a SOC in-house or to outsource it, meaning that it is managed by a service provider. In the case of an outsourced SOC, the service provider needs to guarantee the level of expertise and security promised, since the company must hand over all its information system logs (extremely sensitive information) to them. In France, ANSSI (the French national cybersecurity agency) maintains a list of all the service providers who are officially qualified to deliver incident detection and response services (PDIS/PRIS).
CSIRT, the last defence barrier
Every time the SOC raises a security breach alert, the CSIRT is responsible for investigating the event, in order to discover the source of the incident through RCA (root cause analysis), and for applying the appropriate response to restore normal activity and security levels.
These investigations include email analysis, as well as forensics and processing of data logs. More often than not, the CSIRT also relies on what is known as OSINT (Open-Source Intelligence) or on cyber-threat intelligence, in order to precisely identify the source of the attack.
It may happen, for example, that a SOC detects activity from a workstation towards a C&C (command and control) server. At this point, the CSIRT will carry out a forensic analysis of the workstation in question, in order to identify any malware that has not been picked up by the antivirus. Through the CSIRT’s analysis, it will be possible to identify the source of the malicious activity, to find out where it came from, how it was installed on the system and how it manages to persist. All this information is of vital importance to restore the PC’s health without losing any data or information.
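To make the SIEM correlation described above and the C&C scenario concrete, here is an added example (not code from the original article or from any SIEM product) of a miniature correlation engine. It parses a handful of constructed auth and proxy log lines (the hosts, users, addresses and domains are invented) and applies two rules of the kind a SOC would establish: a run of failed logins followed by a success from the same source, and a workstation contacting the same external destination at near-regular intervals, which is one classic signature of a beaconing implant. The thresholds are assumptions chosen for the sample, not recommended production values.

```python
"""Miniature SIEM-style correlation over constructed log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). Format: ISO timestamp, source, key=value fields.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:05 auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:09 auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:13 auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:17 auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:25 auth src=203.0.113.7 user=alice result=SUCCESS
2024-05-01T08:01:00 auth src=198.51.100.3 user=bob result=FAIL
2024-05-01T08:00:00 proxy host=WS-042 dst=cdn-metrics.example.net
2024-05-01T08:10:00 proxy host=WS-042 dst=cdn-metrics.example.net
2024-05-01T08:20:01 proxy host=WS-042 dst=cdn-metrics.example.net
2024-05-01T08:30:00 proxy host=WS-042 dst=cdn-metrics.example.net
2024-05-01T08:40:00 proxy host=WS-042 dst=cdn-metrics.example.net
2024-05-01T08:03:17 proxy host=WS-017 dst=www.example.com
2024-05-01T08:31:02 proxy host=WS-017 dst=www.example.com
2024-05-01T08:33:40 proxy host=WS-017 dst=www.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<fields>.*)$")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_logs(text):
    """Normalise each line into a dict with a parsed timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], **fields})
    return events


def rule_bruteforce_then_success(events, threshold=5, window_s=300):
    """Alert when a (source, user) pair succeeds after >= threshold failures within window_s."""
    alerts = []
    fails = defaultdict(list)  # (src, user) -> timestamps of recent failures
    auth = sorted((e for e in events if e["source"] == "auth"), key=lambda e: e["ts"])
    for ev in auth:
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
        elif ev["result"] == "SUCCESS":
            recent = [t for t in fails[key] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                               "src": ev["src"], "user": ev["user"], "failures": len(recent)})
            fails[key].clear()  # a success resets the failure run for that pair
    return alerts


def rule_beaconing(events, min_connections=5, max_cv=0.1):
    """Alert when a host contacts one destination at near-constant intervals.

    The heuristic is the coefficient of variation (stdev / mean) of the gaps between
    connections: legitimate browsing is bursty, a periodic implant check-in is not.
    """
    alerts = []
    by_pair = defaultdict(list)  # (host, dst) -> connection timestamps
    for ev in events:
        if ev["source"] == "proxy":
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    for (host, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            alerts.append({"rule": "periodic_outbound", "severity": "medium", "host": host,
                           "dst": dst, "interval_s": round(mean), "connections": len(times)})
    return alerts


def run_correlation(text):
    """Apply every rule and return alerts ordered for SOC triage (highest severity first)."""
    events = parse_logs(text)
    alerts = rule_bruteforce_then_success(events) + rule_beaconing(events)
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    for alert in run_correlation(SAMPLE_LOGS):
        print(alert)
```

On the sample, the engine raises two alerts: a high-severity one for the five failures followed by a success from 203.0.113.7, and a medium-severity one for WS-042 reaching the same host every 600 seconds. The single failure from bob and the irregular browsing of WS-017 produce nothing, which is the filtering the article attributes to the SOC: only the qualified alerts would be handed to the CSIRT for the forensic work described above.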
Members of a CSIRT are generally highly technical profiles with knowledge of systems, networks and, of course, security. Since each team member has their own area of expertise, this kind of organisation relies heavily on collaboration between members.
Moreover, it is extremely important for members of the CSIRT to be easily reachable and well known within the company, as some response and restoration activities are very likely to be carried out by other teams in the same company, such as network, systems or support. In order for these activities to run smoothly across departments, ticketing systems are vital: they allow incident history, responses and feedback to be traced, and they provide the data management needs for activity monitoring.
Normally, the CSIRT is managed by a team leader, who reports directly to the RSSI (the French term for the CISO). This leader has extensive knowledge of the incidents in their area, a thorough understanding of KPI-based reporting, and of how these indicators relate to other incident statistics. The whole CSIRT also participates in prevention activities, through constant monitoring and vulnerability analysis.
CERT and CSIRT: what’s the difference?
On 2 November 1988, the internet witnessed the appearance of the first malware: the Morris worm. In order to face this unprecedented event, the American Defense Advanced Research Projects Agency (DARPA) created the first ever CSIRT: the CERT (Computer Emergency Response Team and Coordination Center). Today, CERT is a registered trademark of the Software Engineering Institute (SEI) of Carnegie Mellon University, in Pittsburgh (USA).
Although there are no real differences between a CERT and a CSIRT in terms of activity, a CSIRT can be authorised by the Software Engineering Institute to use the CERT name, thus joining the global CERT community, even though this community is itself independent from the SEI.
In France, the national CERT is operated by ANSSI and provides its services to the French administration. CERT-IST is a registered French association which provides services to companies in the industrial, service and tertiary sectors.