By Vincent J., Cybersecurity Consultant Squad
Introduction
Cybersecurity is a vast field populated by specialized personnel. Despite their skills, commitment, and the availability of ever-increasing resources, it is impossible to guarantee 100% that an organization is fully protected against cyber threats.
When a company wants to assess its security level, it often commissions penetration tests. These are conducted by the "red team," a team of attackers who simulate real attacks on the company's IT system with the aim of detecting and exploiting as many vulnerabilities as possible, which are then corrected.
Opposite them, another team is responsible for the day-to-day defense of the company's IT systems: the "blue team." Who are they? What do they do? How are they organized to deal with increasingly sophisticated malicious actors?
The "blue team" has two main areas of focus: detecting and responding to security incidents. It is commonly accepted that detection is handled by the SOC, while response is managed by the CSIRT, possibly in collaboration with one or more CERTs.

Role and Functioning of the SOC
There are two main channels for detecting security incidents: the human channel and the technical channel. Detection via the human channel occurs when a user voluntarily reports their findings about a suspicious event. The technical channel provides alerts through automated analysis of various event logs collected within the information system (servers, firewalls, proxies, antivirus software, etc.).
Generally speaking, each piece of equipment on the IS transmits its logs to a collector, which then forwards them to the SOC's main tool: the SIEM (Security Information and Event Management). The SIEM's role is to centralize, aggregate, and correlate the various logs in order to generate alerts based on predefined detection rules.
These alerts are then analyzed and enriched by the SOC team. False positives are discarded and confirmed incidents are forwarded to the CSIRT, which will take the appropriate action.
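The collection, normalization and correlation steps described above, as an added example that is not part of the original article: two constructed log feeds (a firewall and a proxy) are mapped onto one schema, then two simple detection rules run over them, a threat-intelligence match and a beaconing check based on regular contact intervals. The log formats, the indicator and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample events (not from the article). Timestamps are epoch seconds.
# Firewall lines: "<ts> fw src=<ip> dst=<ip> action=<allow|deny>"
# Proxy lines:    "<ts> proxy client=<ip> host=<name> status=<code>"
SAMPLE_LOGS = [
    "1700000000 fw src=10.0.1.20 dst=203.0.113.45 action=allow",
    "1700000060 fw src=10.0.1.20 dst=203.0.113.45 action=allow",
    "1700000121 fw src=10.0.1.20 dst=203.0.113.45 action=allow",
    "1700000180 fw src=10.0.1.20 dst=203.0.113.45 action=allow",
    "1700000010 proxy client=10.0.1.31 host=updates.example.net status=200",
    "1700000400 proxy client=10.0.1.31 host=updates.example.net status=200",
    "1700000030 fw src=10.0.1.31 dst=198.51.100.7 action=deny",
]
# Constructed threat-intel indicator (documentation range, not a real C&C address).
THREAT_INTEL = {"203.0.113.45"}

FW_RE = re.compile(r"^(\d+) fw src=(\S+) dst=(\S+) action=(\w+)$")
PROXY_RE = re.compile(r"^(\d+) proxy client=(\S+) host=(\S+) status=(\d+)$")

def normalize(line):
    """Map both feeds onto one schema (ts, src, dst, source, allowed); drop unknown lines."""
    m = FW_RE.match(line)
    if m:
        return {"ts": int(m[1]), "src": m[2], "dst": m[3], "source": "fw", "allowed": m[4] == "allow"}
    m = PROXY_RE.match(line)
    if m:
        return {"ts": int(m[1]), "src": m[2], "dst": m[3], "source": "proxy", "allowed": True}
    return None

def correlate(lines, min_hits=4, max_jitter=5):
    """Run two detection rules over the normalized events; return deduplicated alerts."""
    events = [e for e in map(normalize, lines) if e]
    alerts = set()
    # Rule 1: any allowed flow to a destination listed in threat intelligence.
    for e in events:
        if e["allowed"] and e["dst"] in THREAT_INTEL:
            alerts.add(("ti_match", e["src"], e["dst"]))
    # Rule 2: beaconing, i.e. repeated contacts at near-constant intervals (low jitter).
    by_pair = defaultdict(list)
    for e in events:
        if e["allowed"]:
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    for (src, dst), ts in by_pair.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_hits, 2) and pstdev(gaps) <= max_jitter:
            alerts.add(("beaconing", src, dst))
    return sorted(alerts)
```

On the sample feed, only the workstation 10.0.1.20 trips both rules; the proxy traffic to the update host is too infrequent to qualify and the denied flow is ignored, which is the kind of triage the analysts then confirm or discard.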
Depending on the financial and human resources available, a company may opt for an internal or outsourced SOC, i.e., one that is managed by a service provider. In the case of an outsourced SOC, the company will need to be confident in its service provider. This is because it will need to provide the service provider with all of its IT logs, and therefore potentially sensitive information. ANSSI maintains a list of service providers qualified in security incident detection and response (PDIS/PRIS).
The CSIRT, the last line of defense
Upon receiving a security alert from the SOC, the CSIRT is responsible for investigating the security incident. The objective is twofold: to identify the source of the incident through a root cause analysis (RCA) and to apply the necessary corrections to restore security.
Their investigations range from analyzing email headers to forensics and log analysis. They also commonly use OSINT (Open-Source Intelligence) or Cyber-Threat Intelligence to pinpoint the source of attacks.
For example, the SOC may detect connections from a workstation to a C&C server. The CSIRT will then perform a forensic analysis on the workstation in question to identify malware that has not been detected by the antivirus software. Extracting and reverse engineering the malware will show that it is indeed the source of the detected connections. The analysis will also determine how it got onto the workstation, how it installed itself, and how it persists. All this information is useful in the remediation process to restore the computer to its user without any loss of data.
CSIRT members generally have a technical background with expertise in networks, systems, and, of course, security. Each team member has their own specialty, so overall effectiveness depends on everyone working together.
On the other hand, it is often the case that remedial actions must be carried out by other teams within the company (network, systems, workstations, etc.). It is therefore essential that the CSIRT is known and visible to everyone in order to facilitate the exchange of information.
A ticketing tool is essential for keeping track of the incidents that have occurred within the scope and the actions taken on them, and for drafting the feedback reports presented to management.
The CSIRT is generally headed by a leader who reports directly to the CISO. They have comprehensive knowledge of the incidents that have occurred within the scope and detailed knowledge of major incidents, and their communications are based on KPIs and other incident statistics.
The CSIRT also participates in risk and threat prevention activities by monitoring and analyzing vulnerabilities.
CERT and CSIRT: what's the difference?
On November 2, 1988, the Internet witnessed the appearance of the first computer worm: Morris. In response to this unprecedented incident, DARPA (Defense Advanced Research Projects Agency - USA) created the first CSIRT: CERT/CC (Computer Emergency Response Team / Coordination Center). Today, CERT/CC belongs to the SEI (Software Engineering Institute) at Carnegie Mellon University in Pittsburgh, Pennsylvania (USA). "CERT" is a registered trademark in the United States owned by this university.
When a CSIRT obtains authorization from the SEI to use the CERT trademark, it becomes a CERT and joins the global CERT community. It should be noted that each CERT is independent of the SEI. There is therefore no fundamental difference between the two names in terms of their activities.
In France, CERT-FR is operated by ANSSI and provides services to French government agencies. CERT-IST is a French association that offers its services to companies in the industrial, service, and tertiary sectors.
