Nettitude Blog

Nettitude ups its Incident Response game & joins FIRST

Posted by Adrian Shaw on May 30, 2017 1:05:09 PM

Having recently completed the process of joining FIRST, Nettitude’s Incident Response (IR) team were impressed with the recent release of FIRST’s updated CSIRT service framework.

For those unfamiliar with the work of FIRST, they are a non-profit corporation that facilitates co-operation between CSIRTs and provides access to best practices and tools. Crucially, they also facilitate communications between CSIRTs globally. One of the many motivations for Nettitude’s IR team joining FIRST was that we regularly uncover attacker infrastructure in foreign countries during investigations that we undertake in partnership with our clients, but experience difficulty in finding organisations in those countries who can assist with the take-down of that infrastructure. Equally, we may have the option of taking over that attacker infrastructure, but need to be aware of the laws that govern such operations in those countries. The communication and information sharing facilitated by FIRST allows us to quickly overcome these obstacles, and we share FIRST’s goal of achieving the swiftest and most effective possible resolution of incidents.

Returning to the CSIRT service framework, we regard this as the most comprehensive overview of the capabilities that are required to manage an effective CSIRT team. The framework defines a number of service areas and the functions required to meet the needs of those service areas. The service areas and services can be summarised as follows:

Service Area 1 – Incident Management

  • Incident Handling
  • Incident Analysis
  • Incident Mitigation and recovery

Service Area 2 – Analysis

  • Artefact Analysis
  • Media Analysis
  • Vulnerability / Exploitation Analysis

Service Area 3 – Information Assurance

  • Risk Assessment
  • Operating Policies Support
  • Business Continuity and Disaster Recovery Planning Support
  • Technical Security Support
  • Patch management

Service Area 4 – Situational Awareness

  • Metric Operations
  • Fusion and Correlation
  • Development and Curation of Security Intelligence

Service Area 5 – Outreach/Communications

  • Security Awareness Raising
  • Cybersecurity Policy Advisement
  • Information Sharing and Publications

Service Area 6 – Capability Development

  • Organizational Metrics
  • Training and Education
  • Conducting Exercises
  • Technical Advice
  • Lesson learned

Service Area 7 – Research and Development

  • Development of Vulnerability Discovery/Analysis/Remediation/Root Cause Analysis Methodologies
  • Development of Technologies and Processes for Gathering/Fusing/Correlating Security Intelligence
  • Development of Tools

As can be seen, there are a lot of areas covered, and the above list doesn’t cover the multiple functional areas for each service. The CSIRT service framework is comprehensive and superbly captures the range of challenges currently facing incident response teams. For Nettitude, the publication of this framework validates the huge amount of work that we have done internally to reach the level of capability described in the document. However, we recognise that for many organisations, developing that full range of capability is going to be simply beyond their current resources. Even for larger organisations, we know from our experience that reaching that range of capability is going to be extremely challenging.

Membership of FIRST provides us with the ability to share our extensive experience and capability in this area with our peers and the wider community. The tools and techniques that we develop and blog about in our labs resource can now reach a wider audience through the FIRST community, as we are already planning some presentations for this forum. Nettitude have long recognised that combatting cyber-crime can only be achieved through sharing information, tools and techniques amongst the InfoSec community. We urge every organisation that currently has a CSIRT, no matter how mature it is, to investigate the potential for joining FIRST.
