What is a Computer Security Incident Response Team (CSIRT)?
A Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporate, governmental, or educational organization; a region or country; a research network; or a paid client.
A CSIRT can be a formalized team or an ad-hoc team. A formalized team performs incident response work as its major job function. An ad-hoc team is called together during an ongoing computer security incident or to respond to an incident when the need arises.
What is a computer security incident?
Each organization will need to define what a computer security incident is for their site. Examples of general definitions for a computer security incident might be:
Examples of incidents could include activity such as
Computer security incident activity can be defined as network or host activity that potentially threatens the security of computer systems.
Why would an organization need a CSIRT?
Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen. When computer security incidents occur, it will be critical for an organization to have an effective way to respond.
The speed with which an organization can recognize, analyze, and respond to an incident will limit the damage and lower the cost of recovery. A CSIRT can be on site and able to conduct a rapid response to contain a computer security incident and recover from it. CSIRTs may also have familiarity with the compromised systems and therefore be more readily able to coordinate the recovery and propose mitigation and response strategies.
Their relationships with other CSIRTs and security organizations can facilitate the sharing of response strategies and early alerts to potential problems. Proactively, CSIRTs can work with other areas of the organization to ensure new systems are developed and deployed with "security in mind" and in conformance with any site security policies. They can help identify vulnerable areas of the organization and in some cases perform vulnerability assessments and incident detection.
They can focus attention on security, and provide awareness training to the constituency. CSIRTs can also provide expertise to do preventive and predictive analysis to help mitigate future threats.
What types of CSIRTs exist?
CSIRTs come in all shapes and sizes and serve diverse constituencies. Some CSIRTs support an entire country, for example, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC); others may provide assistance to a particular region, such as AusCERT does for the Asia-Pacific area; still others may provide support to a particular university or commercial organization. There are also corporate groups who provide CSIRT services to clients for a fee.
Some general categories of CSIRTs include, but are not limited to, the following:
Computer Security Incident Response Team
Computer Incident Response Capability
Computer Incident Response Team
Incident Response Center or Incident Response Capability
Incident Response Team
Security Emergency Response Team
Security Incident Response Team
Can "CERT" be used in a CSIRT name?
"CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. Organizations who wish to use "CERT" in their team name must contact us to request permission. For additional copyright information about the CERT Division, please see our legal information. For additional information about the CERT Coordination Center, see the CERT FAQ.
Where in an organizational structure is a CSIRT commonly found?
There is no standard hierarchical location where a CSIRT may be found in an organizational structure. Some CSIRTs are part of an existing Information Technology (IT) or Telecommunications group. Others may be part of a security group or work in conjunction with the group responsible for physical security. CSIRTs may also be located in the audit group, while others are in a separate entity. Many organizations are beginning to look at the development of a CSIRT as part of their business continuity and disaster recovery plans.
Wherever the CSIRT is located, it is vital that it has management support and receives authority to do the work required.
What does a CSIRT do? (What services does a CSIRT provide?)
A CSIRT may perform both reactive and proactive functions to help protect and secure the critical assets of an organization. There is not one standard set of functions or services that a CSIRT provides. Each team chooses their services based on the needs of their constituency. For a discussion of the wide range of services that a CSIRT can choose to provide, please see Section 2.3 of the Handbook for CSIRTs.
Whatever services a CSIRT chooses to provide, the goals of a CSIRT must be based on the business goals of its constituent or parent organizations. Protecting critical assets are key to the success of both an organization and its CSIRT. The CSIRT must enable and support the critical business processes and systems of its constituency.
A CSIRT is similar to a fire department. Just as a fire department "puts out a fire" that has been reported, a CSIRT helps organizations contain and recover from computer security breaches and threats. The process by which a CSIRT does this is called incident handling. But just as a fire department performs fire education and safety training as a proactive service, a CSIRT can also provide proactive services. These types of services may include security awareness training, intrusion detection, penetration testing, documentation, or even program development. These proactive services can help an organization not only prevent computer security incidents, but also decrease the response time involved when an incident occurs.
The incident reporting function enables a CSIRT to serves as a central point of contact for reporting local problems. This allows all incident reports and activity to be collected in one location where information can be reviewed and correlated across the parent organization or constituency. This information can then be used to determine trends and patterns of intruder activity and recommend corresponding preventative strategies for the whole constituency. This is one part of the incident analysis function. The other part of incident analysis involves taking an in-depth look at an incident report or incident activity to determine the scope, priority, and threat of the incident, along with researching possible response and mitigation strategies.
Incident response functions can take many forms. A CSIRT may send out recommendations for recovery, containment, and prevention to constituents or systems and network administrators at sites who then perform the response steps themselves. A CSIRT may also perform these steps themselves on the affected systems. The response may also involve sharing information and lessons learned with other response teams and other appropriate organizations and sites.
These incident handling functions are the reactive services that a CSIRT may provide.
Who provides the funding for a CSIRT?
CSIRTs can receive funding from their parent organization, either directly or as part of an IT department (e.g., a CSIRT formed from existing staff members of a commercial organization, a university, a government/military organization). The CSIRT could also be funded via some other mechanism—a membership subscription service (members subscribe to selected services that the CSIRT provides and pay a fee for those services), through government services, via a network service provider, perhaps through project funding, etc.
How much does it cost to create a CSIRT?
The cost to create a CSIRT will depend on the number of resources and services to be provided, the administrative costs for the area or organization, and the structure of the CSIRT.
While information about the costs of creating a CSIRT is not widely available, there are some resources that may help determine the cost of computer security incidents and response strategies. This information may be used to help determine the resources needed to prevent or recover from an incident. This information may also be used in a cost/benefit analysis to compare the cost of an incident to the cost of preventing the incident or decreasing the recovery time by implementing a CSIRT.
Developing an Effective Incident Cost Analysis Mechanism, by David A. Dittrich; SecurityFocus, June 12, 2002 http://www.securityfocus.com/infocus/1592
Incident Cost Analysis and Modeling Project
Computer Crime and Security Survey from Computer Security Institute (CSI) in partnership with the FBI
Australian Computer Crime and Security Surveys 2002-2006
How big should a CSIRT be?
Determining the size of a CSIRT can be a challenge, and unfortunately there is little empirical data that can be used to answer this question. Different CSIRTs have different staffing levels based on their resources, needs and workload. A model that works for one organization may not work for another.
The size of CSIRT staff should be based on the resources available and the services that are necessary to provide. Experience has shown that no team wants a single point of failure, so just having one person devoted to incident response may not be enough.
Who works in a CSIRT?
Our experience has shown that the best CSIRT staff members have a variety of technical skills and personality traits (including communication skills and people skills). CSIRT staff are dedicated, innovative, detail-oriented, flexible, and analytical. They are problem solvers, good communicators, and able to handle stressful situations. One of the most important traits a team member must have is integrity.
CSIRT staff roles may include
Other roles may include
What type of CSIRT training is required?
If your budget allows, you may be able to hire staff to match the skill sets needed for the services you provide. If you cannot find staff with those skills, you may need to train them yourselves.
Consider the type of training that new staff will need to learn about your
You can take advantage of third-party courses to help train your staff:
Where can an organization find more information on CSIRT policies and procedures?
Issues related to CSIRT policies and procedures are included in the Handbook for Computer Security Incident Response Teams (CSIRTs) (see Section 2.5.).
Another useful online resource for information security policies, although not specifically related to CSIRTS, is the SANS Security Policy Project page, which includes sample policies and policy templates as well as links to other websites containing information security policies.
Other collections of various types of computer policies include the following:
How does an organization start a CSIRT?
There are several components to building an effective CSIRT. The actual process for building a team will depend on the timeframes, available staff and budget resources, expertise, and the unique circumstances of each organization. The following is a high-level overview of some of these components; some are sequential and some can be handled in parallel, depending on the resources and level of support obtained from the organization:
The CERT Division offers a one-day course that focuses on providing guidance and additional insight that can help organizations plan and implement their response team. In addition, two documents that provide an overview of issues to be considered when starting a CSIRT are
Other resources that provide information about interacting with other CSIRTs, as well as guidelines for developing computer security policies and procedures, include the following:
The CERT Division also offers other training courses for those who will manage a CSIRT as well as for technical staff who want more training in analyzing and responding to computer security incidents.
What is FIRST?
FIRST is the international forum of incident response and security teams. Established in 1990, FIRST is a coalition that brings together a variety of security teams and computer security incident response teams from government, commercial, and academic organizations. Attending the yearly FIRST conferences can be a way for a new team to learn more about techniques and strategies for providing a response capability as well as to get in contact with established teams.