How Computer Emergency Response Teams & Computer Security Incident Response Teams Combat Cyber Threats

As private entities and government organizations alike have incorporated the use of computer technology into their day-to-day operations, the need to manage this technology has become evident. Companies stand to lose archives of sensitive and valuable data, public and consumer trust, and billions of dollars in profit losses and legal expenses should they neglect to address cybersecurity vulnerabilities. Today, organizations have come to recognize the need to integrate responsible approaches to data management and safe internet activity. Many government entities and some larger private enterprises utilize the services of Computer Emergency Response Team (CERT) organizations, which help develop and oversee standard policy and practice regarding Internet use, as well as steps for resolving all cybersecurity incidents.

First established at Carnegie Mellon University, the CERT Division represents a national effort to develop improved cybersecurity infrastructure. This endeavor largely entails strengthening capabilities to respond to cybersecurity incidents and preparing organizations to sustain functionality when threats affect their data systems. Professionals in CERT organizations work constantly to strengthen security on a national level and strive to connect all private and public clients to a growing collection of resources, strategies, best practices and cybersecurity expertise. Many companies look to develop in-house Computer Security Incident Response Teams (CSIRTs) in an effort to develop or strengthen their cybersecurity capabilities and prevent or minimize potential damage inflicted by cyber attacks.

While CERTs may operate on a national scale and work with a wide range of organizations, CSIRT services are specific to a single organization. Regardless of whether an organization utilizes the services of CERT groups or has the resources to establish an in-house CSIRT division, these advanced teams have become essential business personnel. These teams or groups require individuals with the ability to understand the intricacies of data infrastructure, recognize cyber threats, coordinate and enact effective responses, and prepare organizations to deal with future threats. These professionals manage these critical tasks through established, clearly defined strategies including threat response, asset response, intelligence support, and affected entity response.

Threat Response

Threat response is characterized by structured attempts to discover the nature and origin of current or past cyber threats. This critical component of CERT and CSIRT response refers to all investigative processes related to cybersecurity incidents: unauthorized attempts to log in to an organization’s internal systems, retrieving or sharing sensitive information, and other malicious activities. To enable effective threat response, CERT and CSIRT professionals must first establish protocols for acceptable data sharing and online activity for anyone who utilizes an organization’s systems. This will help all parties recognize potential threats and suspicious activity more easily. With acceptable activity clearly defined, any activity that violates these guidelines may be considered a threat, in which case all threat-related information should be shared with federal law enforcement. For both government organizations and private entities, disseminating information quickly and effectively the moment an incident occurs is key to tracking the origin of the threat and mitigating the damage it causes; with such protocols in place, the process of investigating threats is akin to computer forensics investigations. CERT and CSIRT personnel collect information related to points of vulnerability where breaches occur, and also document and store any information that serves as evidence of malicious cyber activity.

For CERTs operating on the federal level, threat response is overseen by the US Department of Justice and conducted by personnel from The FBI and other entities. In the private sector, CSIRT operatives often coordinate threat response activities with the federal government before subsequently performing investigative actions independently.

Asset Response

This tier of cybersecurity incident management is focused primarily on determining the financial impact of cyber threats on an organization, and minimizing the damage to commercial assets. Subsequent to a cyber attack, the damage incurred can have a cascading effect on other areas of the organization, as well as external stakeholders who are connected to the data infrastructure (such as consumers or partner organizations). Preventing additional damage requires a thorough understanding of the organization’s asset structure and that of its constituents. Professionals in asset response must assess both the internal and external scope of a threat in order to protect the interests of any individual or organization connected to the affected entity; this might entail developing tools and resources in immediate response to a threat or utilizing such resources as part of a strategy to prevent further incidents. Individuals responsible for asset response must also work in close coordination with their colleagues in threat response to accomplish these goals and successfully protect all assets from cyber attacks.

Intelligence Support

Through the use of cyber technology, adversarial groups—such as rival governments, cyber terrorist entities, or even domestic hacker organizations—seek to infiltrate and control U.S. data systems in order to conduct data theft or to compromise economic and social stability. Some of these adversaries may even attempt to divert U.S. intelligence efforts with false leads and other fraudulent information. In order to combat this, experts involved in the intelligence support phase may work closely with U.S. intelligence agencies to capture information on these groups. This process of gathering intelligence may be a precursor to preparing an offensive strategy aimed at hampering the capabilities of current and potential threats, thereby weakening the opposition’s ability to inflict damage on information systems. For government CERTs, the intelligence support role is characterized by efforts to fortify government agencies’ ability to protect the government and its constituents against cyber threats. In a private enterprise CSIRT organization, the role may entail working in close communication with law enforcement, customers, and the general public to quickly track the source of malicious activity (such as data theft), as well as working to implement or develop software solutions intended to disable threats that could potentially damage data systems.

CERT teams facing these challenges on the national level utilize centralized communication hubs to enable the rapid deployment of information regarding potential threats, namely the CERT Coordination Center (CERT/CC) and the National Cybersecurity and Communication Integration Center (NCCIC). These individuals work to disable the capabilities of cyber terrorists and address gaps in intelligence on potentially dangerous groups and their methods of doing harm. To counter cyber terrorism, for instance, intelligence support specialists aim to destroy propaganda and confound terrorist groups’ ability to recruit and strategize online by tracking and exposing this activity to the public. Tracking this information is also essential in order to bring legal action against individuals of such groups once they are identified and can be tried in a court of law.

Affected Entity Response

When an organization falls victim to a cybersecurity breach—particularly in instances where sensitive information is compromised—it is considered an “affected entity.” In addition to taking steps toward mitigating further risk to constituents, affected entities are responsible for communicating important information concerning the incident to stakeholders. In the context of a national or government organization, this may include communicating details to citizens and other members of the government. In the case of a private organization, affected entities often must disseminate key information to customers, members of their supply chain or others who may be affected; this is especially true when private customer information has been compromised. Central to the affected entity response protocol is the fact that the entity may be legally accountable for disclosing information regarding a breach to all affected parties, and in some cases, compensating affected parties impacted financially. Legal compliance for the affected entity could also involve disclosing certain information to authorities—such as fraudulent email solicitations intended to gather sensitive information from employees and corrupt data systems.

CERT and CSIRT professionals serving an affected entity, or those advising an affected entity in the midst of an event, should be fully aware of all actions required by law on the part of the affected organization. Due to privacy laws, a private affected entity may be entitled to voluntary disclosure of certain details regarding a cybersecurity incident. However, like government organizations, private entities may be required to adhere to certain applicable regulations and may also be bound by legal contracts to provide full disclosure to constituents. It is critical for CSIRT professionals to understand their organizations’ rights to privacy as well as all relevant legal implications in order to lead the organization in taking the most appropriate action. In the case of private entities, the federal government does not conduct these activities but will be aware of organizational actions taken, especially those necessary in accordance with laws and regulations.

Developing clear cybersecurity incident response strategies is critical to the successful management of valuable information, ensuring system functionality and rapid response in the event of a cyber threat. Under guidelines established by the CERT/CC, communities of information security professionals, government officials and other parties work daily to centralize cybersecurity standards and build better information technology protocols. This demanding field may be ideal for individuals with advanced training, experience and expertise in cybersecurity and information assurance. Professionals who have obtained a Master of Science in Cybersecurity degree are in high demand and will continue to be so as the field continues to expand, making their specialized talent and knowledge indisputably critical.

Learn More

As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.

At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Cybersecurity, have made our comprehensive curriculum available to more students than ever before.

Norwich University has been designated as a Center for Academic Excellence in Cyber Defense Education by the National Security Agency and Department of Homeland Security. Through your program, you can choose from five concentrations that are uniquely designed to provide an in-depth examination of policies, procedures, and overall structure of an information assurance program.

Recommended Readings:
Top 7 Encryption Software for Information Assurance Professionals
5 Steps for Conducting Computer Forensic Investigations
Deep Web Crime Requires New Forensic Approaches

Sources:

Organizational Models for Computer Security Incident Response Teams (CSIRTs), Carnegie Mellon Software Engineering Institute
Incident Management, United States Computer Emergency Readiness Team
Defining Incident Management Processes for CSIRTs: A Work in Progress, Carnegie Mellon Software Engineering Institute
CSIRT Frequently Asked Questions (FAQ), Carnegie Mellon Software Engineering Institute
Best Practices and Controls for Mitigating Insider Threats, Carnegie Mellon University Software Engineering Institute
Resources for Creating a CSIRT, Carnegie Mellon University Software Engineering Institute
National Cyber Incident Response Plan, U.S. Department of Homeland Security
DHS's Claire Grady Discusses Efforts to Curb Terrorist Recruitment Online At the 2017 United Nations General Assembly, U.S. Department of Homeland Security