TF-CSIRT – Whats it all about?

I have recently taken a break from blogging to focus on other things, before jumping back into my Incident Response 101 blog series. I want to write a little bit about TF-CSIRT and the reasons for joining a community like this. It is a process I am slowly becoming familiar with and it definitely deserves more words written about it…

First off…. What is TF-CSIRT?

Task Force Computer Security Incident Response Teams or TF-CSIRT for short, was established by the European CERT community back in the year 2000. The idea was to create a community of incident response groups/teams, which can work together for a common goal. That goal being, spreading information/knowledge sharing, assisting each other in incidents, and any other way they can leverage such a strong community to help in the incident response world.

In order to provide access to the community, a service was created called “The Trusted Introducer Service”. This service is used to provide a directory of incident response teams which are members of TF-CSIRT. The Trusted Introducer Service acts as a clearing house to ensure that members meet the correct requirements when joining. and then offering further processes for becoming accredited or certified TF-CSIRT members.

So what are the benefits?

The main backbone of the TF-CSIRT community is the member database, where emergency contact details for each incident response team are displayed. This information can prove vital in an incident response situation. To maintain this vital community spirit TF-CSIRT hosts regular conferences and meetups for its members, these are great for getting to know other teams and sharing knowledge.

Another huge benefit of TF-CSIRT actually lies within the certification process. This process provides strict requirements based on the SIM3 audit model and essentially means that when you hit the magic certification level, you are one of the best prepared incident response teams in Europe (at least on paper). This is a standard that a lot of teams aspire towards, but unfortunately don’t make it, due to time commitments usually.

The TF-CSIRT community also works very closely with FIRST (Forum of incident response and security teams). This partnership helps deliver a yearly joint conference.

There are many other benefits from becoming a member at TF-CSIRT, and I would highly recommend it!

So how do I join?

Joining TF-CSIRT is broken up into 3 different “memberships” or processes.

Listed Member

The first processs is to become a listed member. This means you become part of the community and you will get your team listed in the TF-CSIRT database. This also means you can begin attending the European conferences and meetups that are offered.

To become a listed member, you need to fulfill some requirements:-

  1. You need to be sponsored by at least 2 other already accredited or certified teams. A good idea here, would be to look at the Trusted Introducer directory and see if you know teams that have already gone through this process. The TF-CSIRT community is becoming larger and larger within Europe, so the chances are you already know the relevant teams to get the process moving.
  2. Get PGP/GPG keys for your team to communicate with TF-CSIRT. This one is a tiny bit of hassle as there is a large debate out there about using PGP, it can be quite difficult to get PGP supported within certain organizations and ad-hoc processes may end up being needed to facilitate this requirement.

Once you have these two main requirements met, you simply fill out a form and email it to the Trusted Introducer email address and VOILA… Well not quite VOILA, there is still an internal process which is undertaken within TF-CSIRT where various members are voting about your membership. But after a period, you will find yourself a listed member!

Accredited Member

A lot of teams who aim for the certification membership, will first need to become accredited members. By becoming accredited you recieve access to the members only part of the Trusted Introducer service where you have access quite a lot of nice information about other teams within the directory which is not publically available. Many teams reach this stage aiming for certification, but for multiple reasons do not progress to that step. You should look at the accreditation step as “we are who we say we are”, an incident response team who wants more than simply being listed, but wants to show the community they mean business.

To become accredited your team must:-

  1. Already be a listed member
  2. Use RFC2350 (I will blog about this soon)
  3. Fill out a large amount of information about your team and their capabilities and service offerings

Once these requirements are met, this information is supplied to the Trusted Introducer team. This time it is not quite VOILA at all. There is a long process where the information you have provided is vetted and assessed. This assessment takes around 3 months to complete and can result in further questions being asked by the Trusted Introducer team. After it is completed and you are accepted, then you gain a shiny new status of “Accredited” within the directory!

Certified Member

Saving the best type of membership for last, a certified member is a team who has met the gold standard for incident response teams. They have adhered to the strict SIM3 model and achieved a maturity rating within this model that is set by the Trusted Introducer team, and essentially means “your team is one of the best in Europe at incident response” (on paper!).

The requirements to become certified:-

  1. Must already be an accredited member
  2. Have a positive SIM3 assessment based on current Trusted Introducer thresholds

The idea with number 2. is that the team will spend time assessing their current maturity within incident response. To do this they use the SIM3 model, something which I will be blogging about very soon! This model is used to ensure that a team has all necessary processes documented and in place, plus that there is a measurable maturity within these processes.

If the team discovers they are not quite ready after completing a SIM3 assessment, they can then spend some time improving processes and documentation to a higher standard. Another low hanging fruit is ensuring that the processes you define are signed off and audited by someone independant from your incident response team. Once you are confident you have met the correct maturity level within your documentation, you can then apply to be certified.

A SIM3 auditor will then be appointed to you, this auditor will perform an onsite workshop at your location and audit all of your documented processes. Performing interviews of certain team members, and really digging deep to ensure that processes are not just something written on paper, but are understood too.

Once this audit is passed, your status will then be changed within the directory to “Certified” and you can then go and show off to your friends! *cough* I mean constituents…

I may make the certification process sound like a long drawn out process, but in fact how else could you achieve such an important gold standard, without being audited externally and being put before a committee who decides if you are mature enough to be certified, any other process like this would also take time. However the benefits that come after being certified are huge, your constituents and management can have safer knowledge that they are being served by a certified team.

Final words…

I hope that you learned something from this blog post, I have become familiar with the whole Trusted Introducer/TF-CSIRT grouping over the last 2 years and I think it is incredibly exciting to be a part of this community. The certification process is also an incredible learning experience and will ensure that you really have everything in order to run your incident response team!

The Trusted Introducer website has far more details and interesting information about the processes, and can be found here:- https://www.trusted-introducer.org/index.html

My next blog post in this area will talk about the SIM3 model and how awesome it is for measuring the maturity of your incident response team…

Leave a Reply

Your email address will not be published. Required fields are marked *