TF-CSIRT – Whats it all about?

I have recently taken a break from blogging to focus on other things, before jumping back into my Incident Response 101 blog series. I want to write a little bit about TF-CSIRT and the reasons for joining a community like this. It is a process I am slowly becoming familiar with and it definitely deserves more words written about it…

First off…. What is TF-CSIRT?

Task Force Computer Security Incident Response Teams or TF-CSIRT for short, was established by the European CERT community back in the year 2000. The idea was to create a community of incident response groups/teams, which can work together for a common goal. That goal being, spreading information/knowledge sharing, assisting each other in incidents, and any other way they can leverage such a strong community to help in the incident response world.

In order to provide access to the community, a service was created called “The Trusted Introducer Service”. This service is used to provide a directory of incident response teams which are members of TF-CSIRT. The Trusted Introducer Service acts as a clearing house to ensure that members meet the correct requirements when joining. and then offering further processes for becoming accredited or certified TF-CSIRT members.

So what are the benefits?

The main backbone of the TF-CSIRT community is the member database, where emergency contact details for each incident response team are displayed. This information can prove vital in an incident response situation. To maintain this vital community spirit TF-CSIRT hosts regular conferences and meetups for its members, these are great for getting to know other teams and sharing knowledge.

Another huge benefit of TF-CSIRT actually lies within the certification process. This process provides strict requirements based on the SIM3 audit model and essentially means that when you hit the magic certification level, you are one of the best prepared incident response teams in Europe (at least on paper). This is a standard that a lot of teams aspire towards, but unfortunately don’t make it, due to time commitments usually.

The TF-CSIRT community also works very closely with FIRST (Forum of incident response and security teams). This partnership helps deliver a yearly joint conference.

There are many other benefits from becoming a member at TF-CSIRT, and I would highly recommend it!

So how do I join?

Joining TF-CSIRT is broken up into 3 different “memberships” or processes.

Listed Member

The first processs is to become a listed member. This means you become part of the community and you will get your team listed in the TF-CSIRT database. This also means you can begin attending the European conferences and meetups that are offered.

To become a listed member, you need to fulfill some requirements:-

  1. You need to be sponsored by at least 2 other already accredited or certified teams. A good idea here, would be to look at the Trusted Introducer directory and see if you know teams that have already gone through this process. The TF-CSIRT community is becoming larger and larger within Europe, so the chances are you already know the relevant teams to get the process moving.
  2. Get PGP/GPG keys for your team to communicate with TF-CSIRT. This one is a tiny bit of hassle as there is a large debate out there about using PGP, it can be quite difficult to get PGP supported within certain organizations and ad-hoc processes may end up being needed to facilitate this requirement.

Once you have these two main requirements met, you simply fill out a form and email it to the Trusted Introducer email address and VOILA… Well not quite VOILA, there is still an internal process which is undertaken within TF-CSIRT where various members are voting about your membership. But after a period, you will find yourself a listed member!

Accredited Member

A lot of teams who aim for the certification membership, will first need to become accredited members. By becoming accredited you recieve access to the members only part of the Trusted Introducer service where you have access quite a lot of nice information about other teams within the directory which is not publically available. Many teams reach this stage aiming for certification, but for multiple reasons do not progress to that step. You should look at the accreditation step as “we are who we say we are”, an incident response team who wants more than simply being listed, but wants to show the community they mean business.

To become accredited your team must:-

  1. Already be a listed member
  2. Use RFC2350 (I will blog about this soon)
  3. Fill out a large amount of information about your team and their capabilities and service offerings

Once these requirements are met, this information is supplied to the Trusted Introducer team. This time it is not quite VOILA at all. There is a long process where the information you have provided is vetted and assessed. This assessment takes around 3 months to complete and can result in further questions being asked by the Trusted Introducer team. After it is completed and you are accepted, then you gain a shiny new status of “Accredited” within the directory!

Certified Member

Saving the best type of membership for last, a certified member is a team who has met the gold standard for incident response teams. They have adhered to the strict SIM3 model and achieved a maturity rating within this model that is set by the Trusted Introducer team, and essentially means “your team is one of the best in Europe at incident response” (on paper!).

The requirements to become certified:-

  1. Must already be an accredited member
  2. Have a positive SIM3 assessment based on current Trusted Introducer thresholds

The idea with number 2. is that the team will spend time assessing their current maturity within incident response. To do this they use the SIM3 model, something which I will be blogging about very soon! This model is used to ensure that a team has all necessary processes documented and in place, plus that there is a measurable maturity within these processes.

If the team discovers they are not quite ready after completing a SIM3 assessment, they can then spend some time improving processes and documentation to a higher standard. Another low hanging fruit is ensuring that the processes you define are signed off and audited by someone independant from your incident response team. Once you are confident you have met the correct maturity level within your documentation, you can then apply to be certified.

A SIM3 auditor will then be appointed to you, this auditor will perform an onsite workshop at your location and audit all of your documented processes. Performing interviews of certain team members, and really digging deep to ensure that processes are not just something written on paper, but are understood too.

Once this audit is passed, your status will then be changed within the directory to “Certified” and you can then go and show off to your friends! *cough* I mean constituents…

I may make the certification process sound like a long drawn out process, but in fact how else could you achieve such an important gold standard, without being audited externally and being put before a committee who decides if you are mature enough to be certified, any other process like this would also take time. However the benefits that come after being certified are huge, your constituents and management can have safer knowledge that they are being served by a certified team.

Final words…

I hope that you learned something from this blog post, I have become familiar with the whole Trusted Introducer/TF-CSIRT grouping over the last 2 years and I think it is incredibly exciting to be a part of this community. The certification process is also an incredible learning experience and will ensure that you really have everything in order to run your incident response team!

The Trusted Introducer website has far more details and interesting information about the processes, and can be found here:- https://www.trusted-introducer.org/index.html

My next blog post in this area will talk about the SIM3 model and how awesome it is for measuring the maturity of your incident response team…

Incident Response 101 – The Why?

In the previous post we discussed the background for my knowledge within incident response. Now we will jump into the exciting stuff and talk about “The Why?”

I guess a pretty good place to start in defining the incident response process, is understanding why do we need incident response at all?

Incident response wouldn’t exist without something to actually trigger the process. To trigger the process you need an incident, and what will generate that incident?

Threats

Incidents are generated from a threat, whether this threat is a nation state attacker, a script kiddie, a pandemic, or even some sort of natural disaster. So then what is a threat, and how do we define it?

I like to start out this explanation by showing the following diagram:-

Diagram by IncibeCERT

Intent + Capability + Opportunity = Threat

Each one of these conditions needs to be met to fulfill the criteria to create a threat. To make it more understandable I use an example of whether there is a threat at home from my child trying to steal Nutella from the cupboard.

Intent

Intent is pure and simple, does my child want the Nutella? Do they have the desire and drive to get it? Without intent, I could leave Nutella all over the house and not be worried about anything happening to it.

Capability

Does my child have the capability to get the Nutella? I may have left the cupboard door open, and my child may desperately want the Nutella. But they haven’t learned to open a jar yet. So the threat is not there…

Opportunity

Did I leave the Nutella jar open on the kitchen top? So now my child has the perfect chance to get hold of it. The opportunity has been given to them, now they can combine it with their intent and capability to create the threat!

Well what can we do about this?

You may look at these three points, and think there is alot to be done to protect against each part of the “threat process”. But there isn’t… You cannot take actions to reduce the capabilities of your attackers yourself.

You also cannot influence an attackers intent against you. In some niche cases, you could argue that by “doing good things” you might reduce the intent. But this is a relatively difficult issue to measure.

So this leaves only “opportunity” where you can have some sort of impact. I say “some sort of” because an attacker will always get an opportunity. An opportunity can be something as simple as a misconfigured firewall, a vulnerability in a public facing server and many more.

But you can do your best to restrict the number of opportuntities presented to an attacker. A good example of this, is vulnerability management, when an exploit or vulnerability is released and this effects you, taking actions to patch or mitigate it can help reduce the attackers opportunity to become a threat.

But what about incident response?

You may be thinking, well wait a minute, where does incident response fit into this? Incident reponse assumes that the attacker had the opportunity to become a threat and then carried out actions against you which have resulted in an incident needing to be handled. Incident response is purely a reaction process and is driven by threats.

In some cases the lessons learned from the root cause analysis within the incident response process can also assist with reducing the attacker opportunities. An example of this… Imagine having a perimeter firewall hole, which is too wide and allows external access to a number of test servers which are not patched. The subsequent incident from an attacker compromising these servers, can lead to a report which identifies the broad firewall rule and gives advice on how to fix it. Thus reducing the next attackers opportunity to become a threat!

Closing remarks…

In the next post we will look at how we can have an understanding of the threat landscape, and how to figure out which threats might be relevant to us…

Incident Response 101 – The Background

In the previous post, I gave an introduction to my planned set of blog posts around incident response.

But…

The first question is, how have I made it to this stage in my understanding of the incident response process. Which materials, courses, books etc have lead me to develop my current knowledge level in this field. I will try to give a short description of each resource and why it is important…

All authors start with some background about them, so the audience trusts them a little more when they begin reading, “oh this guy has read alot, and is certified in xx and xx, they must know what they are talking about”.

This is a list of resources, that I turn to at least once a week in my work within incident response.

Materials:-

FIRST CSIRT Services Framework 2.0

https://www.first.org/standards/frameworks/csirts/FIRST_CSIRT_Services_Framework_v2.1.0.pdf

It took me quite some time to find this document, and it was quite a way into my journey of discovery within building a Cyber Defence Center before I found it. But once I did, it answered so many of the outstanding questions I had. This document lays it out flat, what you need to do to deliver a large selection of services within the CSIRT world. It opened up a door to a large community for me too, as I found the authors to be very interesting and the FIRST group a very welcome aid in my service architecture. I treat this book like the bible for the services I needed to build.

Just like any religious text, there is always room for intepretation and this resource is very good, but it does not answer every single question. In some areas it raises more questions, which require deeper research and more technically focused answers. But this we will touch in on later in the blog posts on this subject.

SIM3 – Security Incident Management Maturity Model

http://opencsirt.org/wp-content/uploads/2019/12/SIM3-mkXVIIIc.pdf

I started learning about the SIM3 Model whilst beginning research into joining the TF-CSIRT community (something we will look into in later blog posts). This model lays out the perfect foundation for the building blocks you need to assemble an international class incident response team. Attaining a good maturity rating within this model, enables you to join the TF-CSIRT community and know that you have a very well oiled incident response process. The SIM3 Model is written by Don Stikvoort, who has also been highly influential in the FIRST CSIRT Services Framework.

This model is the golden standard for creating an incident response service, and I will reference it alot throughout the blog posts coming up. It gives you some of the backbone structure that you need to then build upon, to create your own service.

Books:-

Intelligence-Driven Incident Response

http://shop.oreilly.com/product/0636920043614.do

I bought this book after attending the SANS FOR578 course that I mention above. I wanted a supplmental resource to aid my studies in Cyber Threat Inteligence, and this book went beyond my expectations. It really breaks down the incident response process in detail and shows where you can begin to look at it as a driver for gaining threat intelligence. This book really helped solved the problem I will later discuss, around “incident recording” language.

I recommend this book to everyone who I meet within the incident response world.

MITRE – Ten Strategies of a World-Class Cybersecurity Operations Center

https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

This book is available for free from the link above. I was lucky enough to recieve a printed copy from someone I met at the FOR578 training course. This book goes into a lot of great details on how to build a SOC and which resources you should look at to do it. Although the book was written back in 2014 and a lot has changed since then, it still holds alot of relevancy today. The section called “Strategy 4” is very useful in determining which functions should an incident response team have, and how can they be developed if needed.

Courses:-

SANS SEC401 – GSEC

https://www.sans.org/course/security-essentials-bootcamp-style

This course was the first “none vendor” focused training course I ever took, before this I was heavily focused on studying Network Security through the CCNA books. This course helped me understand that the security world was bigger than specific vendors offerings and opened up the gates to my eventual drive into cyber security and incident response. For anyone starting out in this field, this course is very useful as it is very broad and tries to get around most of the important topics in cyber security.

SANS FOR578 – Cyber Threat Intelligence

https://www.sans.org/course/cyber-threat-intelligence

If I look back at any course, or anyhing I have ever studied in general. This course holds the top honours for how much I learned. I went into this course with an understanding of how I thought cyber security worked, and then came out the other side with an entirely deeper knowledge and thought process. This course really helped me understand that data can be so powerful when absorbed from the incident response process. Providing that the data is organized into structures and frameworks to present it in a clear way. I also had the added bonus that the course was being taught by Jake Williams (@malwarejake), and his anecdotes helped to further the understanding of the materials. I would say that this course was the straw which broke the camels back and changed me from being a purely technical orientated person to being much more focused on process and structure. I do not have enough great words in my dictionary for this course!

Other resources:-

Don’t ever underestimate the value you can get from just talking to people, whether they are in the incident response field, or in other fields. A great example is the crossover between incident response and incident management in an ITIL sense. Essentially they are the same process and flow, just that incident response has the “cyber” tag.

Closing words…

This is just a list of the resources that I have used, and they are not complete, you need to find the bits you need from each of them and use it to define your own process.

I have also had the massive benefit of learning from some great people and spending time with organizations like CIRCL, Mandiant, Red Canary to name a few… I just try to absorb as much from the experts as possible…

Incident Response 101 – Intro

I have been wanting to write a set of blog posts about this for a while, possibly I will one day turn this into a book! But for now, it can live here.

Over the last year, I have given a few presentations and lectures about incident response, some of which live on our Github in the presentations folder. But they are not tied together and they aren’t “alive” like a series of blog posts could be…

I would like to share alot of the knowledge I gain whilst working within this field, and studying alongside. A lot of the words coming in the next few blog posts, will be coming from experience of delivering exactly what they say.

A problem that I have found whilst trying to understand incident response deeply, is that most incident response books, courses and sales folk seem to really focus on the deep technical parts of incident response… The forensics, the detections, the reverse engineering, the indicators of compromise etc etc. The “sexy” analysis parts, and the easy sell. What I have been missing is a comprehensive guide to the underlying process behind the whole incident response stack.

Then it struck me, most of the people working within incident response are deeply technical and do get down and dirty with the analysis stage. But they aren’t really strong when it comes to the process. A process which is made up of far more stages that just analysis. This ends up creating a vacuum, where incident response seems highly expensive and complex to the outside observer.

So I have decided to write some blog posts to the “2019 me”. So I can help others who are in my shoes, those who need to build something much more than just an analysis team. Those who need to architect the entire process from alert to end report that delivers great actionable results.