Collaboration in incident response


There is one novel cybersecurity aspect of the envisioned CitySCAPE project that warrants special mention: the planned collaborative threat investigation platform, which aims to greatly speed up incident discovery, handling, forensics and the disabling of attackers’ infrastructure.

The current incident-handling process has several extra steps that take time. An attacker can use this time to carry out reconnaissance of the compromised system, plant additional backdoors and malware, or execute a ransomware attack. Time is crucial in incident response: the faster the discovery and the response, the less damage a security breach can cause.

As an example, the following is a scenario that occurs frequently:

  1. A CSIRT organization becomes aware of a malicious actor’s indicators of compromise (used to detect attackers in a system) or of a critical vulnerability.
  2. Notifications are disseminated via e-mail or public advisories.
  3. A local system administrator becomes aware of a breach, informs the CSIRT and asks for help with the incident response.
  4. Co-operative incident response is initiated. Among other procedural matters, an environment for sharing logs has to be established and a way of granting access to the affected system has to be worked out.

For CitySCAPE, the planned collaborative tools will enable the system administrator to automatically synchronize the CSIRT’s prepared IDS rules into their own engine, immediately get a notification if there is a match, and then start further co-operation using the collaborative threat investigation platform and the security incident response platform. This will allow the CitySCAPE administrator to share the necessary logs and alerts with the national incident response team, where highly experienced experts can leverage their knowledge in resolving the incident and recommend measures to avoid similar incidents in the future.

This way the process is almost entirely automated, and rapid incident response can be underway within minutes instead of hours.
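The rule-sync and match step described above, as an added Python sketch that is not part of the CitySCAPE project or of this article: it merges a constructed CSIRT indicator feed (the JSON shape is an assumption, not a real CitySCAPE format) into a local rule set in an idempotent way, scans constructed log lines against it, and returns alert records of the kind an administrator would share with the response team.

```python
import json
import re
from dataclasses import dataclass

# Constructed indicator feed in a hypothetical CSIRT-shared JSON shape.
INDICATOR_FEED = json.dumps([
    {"id": "IOC-001", "type": "domain", "value": "update-check.example.net", "desc": "C2 domain"},
    {"id": "IOC-002", "type": "ipv4", "value": "203.0.113.45", "desc": "staging host"},
    {"id": "IOC-003", "type": "sha256", "value": "a" * 64, "desc": "dropper"},
])

# Constructed local log lines (DNS resolver and outbound proxy).
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z dns client=10.0.0.7 query=update-check.example.net",
    "2024-03-01T10:02:12Z proxy client=10.0.0.7 dst=203.0.113.45:443 status=200",
    "2024-03-01T10:05:40Z dns client=10.0.0.9 query=intranet.city.local",
]

@dataclass(frozen=True)
class Alert:
    indicator_id: str
    indicator_type: str
    matched_value: str
    log_line: str

def load_indicators(feed_json, known=None):
    """Merge a shared feed into the local rule set, keyed by indicator id,
    so that repeated synchronizations do not duplicate rules."""
    rules = dict(known or {})
    for ind in json.loads(feed_json):
        rules[ind["id"]] = ind
    return rules

def compile_rules(rules):
    """Turn each indicator into a bounded literal match, so an IP or
    domain only matches as a whole token and not as a prefix of a longer one."""
    compiled = []
    for ind in rules.values():
        pat = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", re.IGNORECASE)
        compiled.append((ind, pat))
    return compiled

def scan_logs(compiled, lines):
    """Return one Alert per (indicator, log line) match; these records carry
    what the CSIRT needs: which indicator fired and the raw evidence line."""
    return [Alert(ind["id"], ind["type"], ind["value"], line)
            for line in lines for ind, pat in compiled if pat.search(line)]

if __name__ == "__main__":
    for alert in scan_logs(compile_rules(load_indicators(INDICATOR_FEED)), SAMPLE_LOGS):
        print(alert)
```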

It is to this aspect that CERT-EE will be contributing within the project, under action 9.3 – Awareness raising and liaison with response teams. By soliciting and gathering feedback from other national CSIRTs, we hope to create a framework that could see even wider adoption than just the CitySCAPE project.

As a last point, while the defence of the system is the priority in any case, the effect of crippling the attacker’s infrastructure should not be underestimated either: this may disrupt their further actions and even yield knowledge of the attacker’s identity. It requires tight co-operation between national CSIRTs, since attackers very rarely use infrastructure located in the victim’s jurisdiction, so cross-border takedowns are needed. However, due to time zone differences, and because the other party has to verify the information provided, a takedown can take time. Taking this into consideration, it is important to acquire the information as soon as possible, so that the takedown notice can be served post haste.