Handbook outlines functions of computer incident response team

In this series, I am reviewing the fundamentals of running a computer incident response team (CIRT), sometimes called a computer emergency response team (CERT) or a computer security incident response team (CSIRT).

Shortly after the infamous Morris Worm incident of Nov. 2, 1988, and several other attacks on the Internet of the day, security experts established the Computer Emergency Response Team Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University in Pittsburgh, Pa.

Since then, CERT/CC has provided invaluable services to the world community of Internet users and especially to system and security administrators. In addition to the archives of security alerts and incident analyses available online and via free e-mail subscriptions, CERT/CC provides free electronic textbooks of great quality.

One of these is the famous _Handbook for Computer Security Incident Response Teams (CSIRTs)_ edited by Moira West-Brown and colleagues and now in its second edition (April 2003). I strongly recommend this work to anyone concerned with establishing and managing a CIRT.
The book describes the functions of the CIRT as follows: “For a team to be considered a CSIRT, it must provide one or more of the incident handling services: incident analysis, incident response on site, incident response support, or incident response coordination.”

The book explains in detail all aspects of these functions and summarizes research on the range of services that CIRTs actually provide, whether by themselves or in cooperation with other teams in the information technology sector, in a table which I have reproduced below in a format more suited to our ASCII-based newsletter:

Reactive Services
* Alerts and warnings
* Incident handling
  – Incident analysis
  – Incident response on site
  – Incident response support
  – Incident response coordination
* Vulnerability handling
  – Vulnerability analysis
  – Vulnerability response
  – Vulnerability response coordination
* Artifact handling
  – Artifact analysis
  – Artifact response
  – Artifact response coordination

Proactive Services
* Announcements
* Technology watch
* Security audits or assessments
* Configuration & maintenance of security tools, applications and infrastructures
* Development of security tools
* Intrusion detection services
* Security-related information dissemination

Security Quality Management Services
* Risk analysis
* Business continuity and disaster recovery planning
* Security consulting
* Awareness building
* Education / training
* Product evaluation or certification

The only problematic term in this list is “artifact,” which the authors define as “any file or object found on a system that might be involved in probing or attacking systems and networks or that is being used to defeat security measures. Artifacts can include but are not limited to computer viruses, Trojan horse programs, worms, exploit scripts, and tool kits.”

The specific combination of functions that your CIRT will provide will be a function of personnel and budgetary resources and of the maturity of the team.
It is wise to focus a completely new CIRT on essential services such as incident handling and analysis as its first priority. With time and experience, the team can add functions such as coordinating with other security teams and with computer and network operations, moving into the more proactive services and the security quality management services that will lead to a long-term reduction in security incidents and to lower damages and costs from the incidents that do occur.