A Computer Emergency Response Team (CERT) is a group of information security experts responsible for the protection against, detection of and response to an organization’s cybersecurity incidents. A CERT may focus on resolving incidents such as data breaches and denial-of-service attacks as well as providing alerts and incident handling guidelines. CERTs also conduct ongoing public awareness campaigns and engage in research aimed at improving security systems.
The original computer security incident response team, the Computer Emergency Response Team Coordination Center (CERT/CC), was put together in late 1988 at Carnegie Mellon University in Pittsburgh, Pennsylvania.
What is the role of an emergency response team?
Regardless of whether they are called a CERT, CSIRT, IRT or any other similar name, the role of all computer emergency response teams is fairly comparable. All of these organizations are trying to accomplish the same incident response related goals of responding to computer security incidents to regain control and minimize damage, providing or assisting with effective incident response and recovery and preventing computer security incidents from reoccurring.
In general, an incident response team is responsible for protecting the organization from computer, network or cybersecurity problems that threaten an organization and its information. A universal model for incident response that has been in use for a long time is the “protect, detect and respond” model:
Protect
This refers to making sure an organization has taken the necessary measures and precautions to secure itself before any cybersecurity problems arise. This area focuses on proactive strategies rather than reactive strategies. Some of those protection strategies are:
- Create an organizational incident response plan.
- Perform risk assessments or analysis.
- Create and maintain an up-to-date asset inventory.
- Implement vulnerability scanning tools and intrusion detection systems (IDS).
- Provide security awareness training for all employees.
- Build configuration, vulnerability and patch management programs.
- Develop security plans, policies, procedures and incident response training materials.
- Detail guidelines for users on what security issues should be reported and outline a process for making a report.
- Create incident response playbooks for common incident types.
- Deploy internal and external defensive measures that are regularly updated based on current threats.
- Reevaluate the effectiveness of procedures every time an incident occurs.
Detect
Incidents cannot be responded to unless they are detected. In fact, detection of security incidents may take weeks or months for many organizations to accomplish. A common detection strategy is to implement a defensive network architecture using technology such as routers, firewalls, intrusion detection and prevention systems, network monitors and a security operations center (SOC).
Effective detection takes time and effort. It also requires a high level of understanding of how an organization’s network really operates. Common questions that need to be answered prior to developing a detection strategy include:
- What applications are always in use?
- What does normal network traffic look like?
- Which network protocols are in use?
- Which network protocols should never appear on the network?
- What are normal bandwidth utilization patterns, including volume and direction?
- What devices are supposed to be attached to the network?
- Who are the system and data owners for these attached hosts and devices?
In order to determine if a network is not working properly, is hosting unwanted applications or experiencing abnormal traffic patterns, it is necessary to be able to completely characterize how the network and systems attached to it are supposed to work. If proper operation of a system is not understood, then it is not possible to know when that system is not operating as intended.
System management requires that every part of a network be documented and baselined. This can be accomplished with:
- A software asset management (SAM) program that establishes what is supposed to be there and who owns it as well as which applications and business functions are supported by each asset. Additionally, regular checks against the asset baseline should be conducted.
- An application management and security program that includes application owners, authorized users, characterization of data transfer and other traffic that applications are responsible for.
- Change, configuration and patch management programs to know that the network is set up the way it is supposed to be.
- A bandwidth utilization baseline and routine bandwidth checks against the baseline.
- Network flow baselines and continuous monitoring to capture deviation from baseline.
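The baseline checks described above can be expressed as a small script. The following is an added example, not code from the original article or from CERT/CC: it takes a constructed asset inventory (what should be on the network and who owns it), a constructed list of protocols that should never appear, and a constructed per-host bandwidth baseline, then runs a batch of constructed flow records against them and reports the three kinds of deviation the questions above are meant to surface: unknown devices, forbidden protocols, and hosts sending well above their baseline. The 10.0.1.0/24 address range, the host names and owners, the tolerance factor and the flow records are all assumptions chosen for the example.

```python
"""Baseline-deviation checks for the 'detect' questions above.

Added example; not part of the original article. Every baseline value and
flow record below is a constructed sample, not real network data.
"""
from collections import defaultdict

# Constructed asset baseline: what is supposed to be attached and who owns it.
ASSET_BASELINE = {
    "10.0.1.10": {"name": "web-01", "owner": "web-team", "apps": ["nginx"]},
    "10.0.1.20": {"name": "db-01", "owner": "data-team", "apps": ["postgres"]},
    "10.0.1.30": {"name": "ws-alice", "owner": "alice", "apps": ["browser"]},
}

# Assumed internal address prefix; anything with this prefix must be in the inventory.
INTERNAL_PREFIX = "10.0.1."

# Protocols the (constructed) policy says should never appear on this network.
FORBIDDEN_PROTOCOLS = {"telnet", "tftp"}

# Constructed baseline of bytes sent per host per interval, and the factor above
# which a host is flagged as deviating from its normal utilization.
BANDWIDTH_BASELINE = {"10.0.1.10": 5_000_000, "10.0.1.20": 2_000_000, "10.0.1.30": 500_000}
BANDWIDTH_TOLERANCE = 2.0  # flag when observed > 2x baseline

# Constructed flow summaries: (src, dst, protocol, bytes), in the spirit of NetFlow records.
SAMPLE_FLOWS = [
    ("10.0.1.30", "10.0.1.10", "https", 200_000),
    ("10.0.1.10", "10.0.1.20", "postgres", 4_000_000),
    ("10.0.1.30", "10.0.1.20", "telnet", 1_200),        # forbidden protocol
    ("10.0.1.99", "10.0.1.20", "postgres", 300_000),    # device not in the inventory
    ("10.0.1.20", "203.0.113.5", "https", 9_000_000),   # db host sending 4.5x its baseline
]


def owner_of(host, baseline=ASSET_BASELINE):
    """Answer 'who owns this host?' from the inventory; 'unknown' if it is not listed."""
    return baseline.get(host, {}).get("owner", "unknown")


def check_flows(flows, baseline=ASSET_BASELINE, forbidden=FORBIDDEN_PROTOCOLS,
                bw_baseline=BANDWIDTH_BASELINE, tolerance=BANDWIDTH_TOLERANCE,
                internal_prefix=INTERNAL_PREFIX):
    """Compare observed flows with the baselines and return the deviations found.

    Returns a dict with three lists:
      unknown_hosts       - internal addresses that are not in the asset inventory
      forbidden_protocols - (src, dst, proto) flows using a protocol that should never appear
      bandwidth           - (host, observed_bytes, baseline_bytes) for hosts over tolerance
    """
    findings = {"unknown_hosts": set(), "forbidden_protocols": [], "bandwidth": []}
    sent = defaultdict(int)  # bytes sent per source host in this interval

    for src, dst, proto, nbytes in flows:
        # Unknown-device check: internal addresses must be in the inventory.
        for host in (src, dst):
            if host.startswith(internal_prefix) and host not in baseline:
                findings["unknown_hosts"].add(host)
        # Protocol-policy check.
        if proto in forbidden:
            findings["forbidden_protocols"].append((src, dst, proto))
        sent[src] += nbytes

    # Bandwidth check: only hosts with a baseline can deviate from it.
    for host, total in sent.items():
        expected = bw_baseline.get(host)
        if expected is not None and total > expected * tolerance:
            findings["bandwidth"].append((host, total, expected))

    findings["unknown_hosts"] = sorted(findings["unknown_hosts"])
    return findings


def report(findings):
    """Render findings as lines, naming the owner to notify for each affected host."""
    lines = []
    for host in findings["unknown_hosts"]:
        lines.append(f"UNKNOWN DEVICE {host} (owner: {owner_of(host)})")
    for src, dst, proto in findings["forbidden_protocols"]:
        lines.append(f"FORBIDDEN PROTOCOL {proto} {src} -> {dst} (owner of src: {owner_of(src)})")
    for host, total, expected in findings["bandwidth"]:
        lines.append(f"BANDWIDTH {host} sent {total} bytes vs baseline {expected} "
                     f"(owner: {owner_of(host)})")
    return lines


if __name__ == "__main__":
    for line in report(check_flows(SAMPLE_FLOWS)):
        print(line)
```

Each finding is tied back to an owner from the inventory, which is the practical point of the last question in the list: a deviation is only actionable if the team knows who to call about the affected host. Real deployments would feed this from flow exports and an inventory system rather than from inline constants, but the three comparisons are the same.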
With both the protect and detect practices, it is important to understand that all elements of these process models must be built in advance before any response activity can take place. Many organizations fail to plan for incident response or fail to implement any protection and detection strategies and therefore cannot know if their networks and systems are secure or not.
Respond
Once a computer security incident has been detected, formal incident response can commence. Responding to a computer security incident has a few steps. The first step is when the team receives a report of an incident from a constituent, such as a user, business partner or security operations center staff member. Team members then analyze the incident report to understand what is happening and create an immediate strategy to regain control and stop further damage from occurring. Lastly, the strategy is turned into a plan that is then implemented to recover from the incident and return to normal operations as quickly as possible.
The National Institute of Standards and Technology (NIST) has developed its own incident response model that has become popular with incident responders, especially within the US Federal Executive Branch. The NIST model uses the terms “contain, eradicate and recover” to describe its incident response model and process. The NIST Special Publication Computer Security Incident Handling Guide, SP 800-61, describes this incident response model in detail.
Following an Internet worm incident in November of 1988 that disabled 10 percent of the Internet, the Defense Advanced Research Projects Agency (DARPA) gave the Software Engineering Institute (SEI) of Carnegie Mellon University the responsibility of setting up a center to coordinate communications among security and computer experts during emergencies and to help prevent future computer security incidents from occurring. The Internet worm that precipitated the creation of the world’s first computer emergency response team eventually became known as the Robert Morris Worm.
The Morris Worm was named after its creator, Robert Tappan Morris, a graduate student at Cornell University, who released the worm on the campus of the Massachusetts Institute of Technology (MIT) in an apparent attempt to disguise the origin of the worm. According to its creator, the Morris Worm was not intended to be destructive, but rather was written to highlight software security flaws in Berkeley Software Distribution (BSD) variants of UNIX. Ironically, the worm itself contained a software flaw that caused it to replicate itself much faster than intended, causing machines it infected to slow or stop under the demands of the worm and contributing to the discovery of the worm.
Beyond the damage caused by the Morris Worm, there were three lasting effects from the release of the worm:
- One effect of the Morris Worm was the creation of the CERT Coordination Center at the Software Engineering Institute (SEI). The SEI, founded in 1984, is a federally funded research and development center (FFRDC) and was selected by DARPA to stand up the CERT Coordination Center because it could act as a neutral third party in coordinating efforts, particularly with software vendors, to eliminate software flaws that become security problems.
- Another effect of the Morris Worm was that Robert Tappan Morris became the first person to be tried and convicted under the Computer Fraud and Abuse Act (CFAA) of 1986. The 24-year-old computer science student received a sentence of three years’ probation, 400 hours of community service and a fine of $10,000, plus the costs of his probation, for a total of $13,326.
- The third effect of the Morris Worm, and perhaps the most far-reaching effect, is that it stimulated the thinking and research into critical infrastructure protection. The Morris Worm highlighted problems with poor software design and engineering, overlooked or ignored software flaws that become security vulnerabilities and poor security practices that remain significant problems today. Even if there was no malicious intent, the release of the Morris Worm showed that the Internet was not necessarily a place where everybody could be trusted to have the best interests of everyone else in mind.
Beyond the Morris Worm, since its creation in 1988, the CERT Coordination Center has gone on to become one of the world’s leading computer security institutes. Since the creation of CERT/CC, the Internet has grown from an estimated 60,000 computers in 1988 to more than one billion hosts advertised in the domain name system (DNS) as of January 2019.
Some of the areas where the CERT Coordination Center has demonstrated leadership include:
- Contributing to the development of over 50 incident response teams worldwide.
- Facilitating the development of incident response methods and education.
- Becoming a founding member of the Forum of Incident Response and Security Teams (FIRST).
- Creating numerous security assessment methods and tools.
- Leading in developing graduate cybersecurity education.
- Conducting insider threat research and education.
- Directing malware analysis and defense methods.
- Publishing vulnerability reports and a vulnerability database.
CERTs vs CSIRTs
The term CERT was chosen as the identifier for the Computer Emergency Response Team at the Software Engineering Institute. The SEI is a federally funded research and development center managed by Carnegie Mellon University, which trademarked and owns the “CERT” name. Today, the SEI points out that the CERT designator is no longer an acronym, but a trademarked symbol. The SEI no longer uses the name Computer Emergency Response Team to refer to the CERT Division of the SEI. The SEI now refers to its CERT division as the CERT Coordination Center or CERT/CC.
Due to Carnegie Mellon’s trademark ownership of the CERT title, it has encouraged other incident response organizations to use the term Computer Security Incident Response Team (CSIRT) instead of CERT. Therefore, all computer security incident response documentation, publications and education courses from the SEI and CERT/CC use the term CSIRT to refer to independently owned or run incident response organizations.
As a result of the trademarked CERT name, other acronyms came into common use to describe teams with similar incident response functions:
- Computer Security Incident Response Team (CSIRT).
- Incident Response Team (IRT).
- United States Computer Emergency Readiness Team (US-CERT).
- Computer Security Incident Response Capability or Center (CSIRC).
- Computer Incident Response Capability or Center (CIRC).
- Computer Incident Response Team (CIRT).
- Incident Handling Team (IHT).
- Incident Response Center or Incident Response Capability (IRC).
- Security Emergency Response Team (SERT).
- Security Incident Response Team (SIRT).
Another possible naming approach is to precede any of the above terms with an organizational designation or to add a suffix. Examples could include “Amazon SIRT” to refer to the specific incident response team at Amazon or “CERT-MX” to refer to a technical response center in Mexico.
Even though Carnegie Mellon University has enforced its ownership of the CERT term in the past, the SEI recently retired the domain cert.org and consolidated its web presence under the sei.cmu.edu domain.
An established computer security incident response team can request a license to use the CERT designator from the SEI at no cost. Obtaining a license to use the CERT designator also allows an incident response team to be listed on the SEI web site as an authorized user of the CERT designator and display an “authorized user” CERT badge on its own website.
How to become a certified incident response professional
Computer security incident response teams are typically overseen by team managers that need to make certain that their team members are appropriately trained and qualified for incident response responsibilities. Incident response professionals with proper training or certifications can help an organization meet its incident protection, detection, management and mitigation goals as well as minimize the time it takes to recover from an incident. They should be well-versed in common attack techniques and vectors as well as the tools, policies and procedures necessary to effectively respond to cybersecurity-related emergencies.
Since incident handling evolves and requires a strong knowledge of technology and procedures, regular training for incident response team members is strongly encouraged. Additionally, there are several qualification programs for computer security incident handlers. All of these certifications require taking an examination and may have minimum experience requirements prior to consideration.
One example of this is the Global Information Assurance Certification (GIAC) program formed by the SANS Institute. This program offers 30 different certifications including the GIAC Certified Incident Handler (GCIH). The process of achieving the GCIH certification covers the basic steps of the incident handling process, the detection of malicious applications and network activity, the education of common attack techniques, the analysis of system and network vulnerabilities and the continuous process improvement of discovering the root causes of incidents.
Another example is the CERT-Certified Computer Security Incident Handler Certification (CSIH) that is offered by the Software Engineering Institute (SEI), home of CERT/CC. The CSIH examination covers protection of infrastructure, event and incident detection, triage and incident analysis and sustainable incident response capabilities.
Neither of these certifications has any required training prerequisites in order to sit for the exam, although both the SANS Institute and the SEI offer a number of basic and advanced incident handling courses that, combined with the professional certification, would make a good training curriculum for an incident handler.
US-CERT (Computer Emergency Readiness Team)
US-CERT is an acronym that stands for the United States Computer Emergency Readiness Team. The use of the word “readiness” was intended to give an indication of its focus on being proactive, or “ready,” for emergencies rather than being reactive and concentrated on response. The stated mission of US-CERT says, “US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information and coordinating incident response activities.”
In September 2003, the US Department of Homeland Security (DHS) announced a partnership with the CERT Coordination Center at the Software Engineering Institute to create US-CERT as a “coordination point for prevention, detection and response to cyberattacks across the internet.”
Then, in 2017, the DHS streamlined its organizational structure, moving US-CERT, along with other operational functions, into the National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC operated as the surviving entity until November 2018. At that time, the Cybersecurity and Infrastructure Security Agency (CISA) was created as a standalone agency within the DHS and incorporated the NCCIC, including what was US-CERT, into its Cybersecurity Division.
Today, all web pages associated with the us-cert.gov domain lead to web pages branded by CISA. The URL www.us-cert.gov now goes to a CISA web page that announces the NCCIC as “the nation’s flagship cyber defense, incident response and operational integration center.”
CISA acts as the risk advisor to the United States with regard to online or virtual security threats and incidents. This is executed through the combination of research and development with threat intelligence and government policy. The organization’s capabilities include federal network monitoring and protection, infrastructure resilience and emergency communications.
Additionally, CISA provides cybersecurity knowledge and best practices to other government organizations in order to protect the nation’s resources.
Community Emergency Response Team
There is another kind of organization that commonly uses the CERT acronym. It is also an incident response organization, but it has a different focus and constituency in mind. It is the Community Emergency Response Team (CERT).
A community emergency response team program is administered by the US Department of Homeland Security (DHS) and is designed to educate and train the American public about disaster preparedness and disaster response. Some of the skills taught by this CERT organization include how to safely respond to manmade and natural disasters, organize basic disaster response, prepare for emergencies, perform search and rescue and administer first aid.