Monthly Archives: March 2018

CERTs, CSIRTs and SOCs, ten years after the definitions

Nowadays it is hard to give strong definitions of the differences between Security Operation Centers (SOC), Computer Emergency Response Teams (CERT) and Computer Security Incident Response Teams (CSIRT), since the terms are widely used in many organisations for teams that accomplish very close and similar tasks. Robin Ruefle (2007), in her paper titled "Defining Computer Security Incident Response Teams" (available here), gave us a good starting point. She also admits (at the end of the paper) that there is no strong difference between the common terms CSIRT, CERT, CSIRC, CIRT and IHT. Her conclusion made me think about how this topic has evolved over the past 10 years.

Despite her excellent work on defining (let me call them) CSIRTs, I would like to give you more details on how those teams have evolved over the past decade, based on my personal experience in the field. After being involved in building several CERTs, organising CSIRTs and evaluating SOCs, I started to spot strong and weak similarities between those teams. Today I'd like to share those strong and weak similarities with you, without talking about "differences", since there is no real evidence of differences at all.

Each team is asked to deal with cybersecurity incidents, but each team has specific aims and responds to an incident in a specific way. Every team needs to understand what happened after a cybersecurity incident, and this is the strong common point that every team takes care of: deeply understanding what happened. No team is better than another, or more dedicated than another, in understanding what really happened during an incident; every team has full autonomy to figure out what happened through inspection and analytical skills. The weak similarities come after the initial understanding (analysis) phase. CSIR Teams and SOC Teams usually study the incident looking for a response, while a CERT usually tries to forecast incidents. The definition of "response" highlights the weak similarities between CSIRT and SOC.

A CSIRT usually (but not necessarily) looks at the incident from a "business" perspective, taking care of (but not limited to): communication countermeasures, policy creation, insurance calls, business impact analysis, technical skill sets and of course technical mitigations. For example, a CSIRT would work with the marketing area to evaluate a communication strategy after a successful incident hits the company, or it could call the insurers to evaluate whether they will cover some of the damage, or it could interact with the HR area to define missing skill sets in the organisation. Of course it is able to interact with defensive technologies, but that is only one of its tasks.

A SOC usually (but not necessarily) looks at the incident from a more "technical" perspective, taking care of (but not limited to): incident forensics, log analysis, vendor calls, patch distribution, vulnerability management and software/hardware tuning. For example, after an incident hits an organisation, its SOC would try to block it, involving all its resources to stop the threat by acting on perimeter devices or running commands directly on users' machines. The SOC deeply understands SIEM technology and is able to improve it; it is also able to use and interact with defensive teams and/or technologies such as sandboxes, proxies and WAFs. The SOC team holds strong network-oriented capabilities.

CERTs usually take care of incidents following community sharing procedures such as (but not limited to): feeds, bulletins and Indicators of Compromise (IoCs), and applying effective governance actions to local IT/SOC teams, enabling them to mitigate the incident as fast as possible. CERT members work a lot with global incidents, understanding new threats and tracking the movements of known threats. They usually work with Threat Intelligence Platforms and with high-level dashboards to better understand the evolution of threats and to forecast new attacks.

CERTs and SOCs are usually focused on prevention, such as (but not limited to): what are the best rules to apply? What are the procedures in case of an incident? They are really focused on using threat intelligence in order to spot attacks and to block incidents. On the other hand, CERTs and CSIRTs are mostly focused on guidelines and business impact analysis, while SOCs and CSIRTs really need to follow incident response procedures in order to apply their technical skills to mitigate the attack. The following image tries to highlight the main (but not the only) keywords that you would probably deal with if you work in a SOC, a CERT or a CSIRT.

The main ideas (but not the only ones) behind the three teams could be summed up in the following terms: Mitigation (belongs to the SOC), Response (belongs to the CSIRT) and Alerting/Prevention (belongs to the CERT). I'd like to point out that mitigation and response are quite different concepts. Mitigation holds a technical view of the resolution; response holds a more business-oriented view. While mitigating an incident means to "take it down", restoring the attacked system to the state it was in before the incident, incident response can include more sophisticated actions, which could involve the board of directors in the decision process as well.

Similar teams with strongly different attitudes need different professional profiles. Usually (but again not necessarily) SOC teams need more technical profiles, including hard skills such as vendor certifications and network-oriented and forensic attitudes. CSIRT teams need mixed profiles, oriented to technical skills but also with a business view: risk evaluation, guideline building and communication skills. CERTs need a wide landscape view of threats, and for that reason they need to know threat intelligence and prevention tools and to be part of strong IoC-sharing communities. Developer skills are not mandatory in those teams, but if "quick and dirty" scripting skills are in place, the entire team benefits from them. Automation and integration are widely needed in such teams, and a scripting profile would build those integrations.

As mentioned at the beginning of this post, it is hard, almost impossible, to give hard definitions of the evolution of "CSIRTs", but it is possible to observe strong and weak similarities in order to better understand which team is most suitable for each organisation. If you belong to a "CSIRT", a "SOC" or a "CERT" and you feel like you are doing a little bit of each team according to my post, well, it is OK! In ten years things have changed a lot from the original definitions, and it is quite normal to be involved in hybrid teams.


IN BRIEF: The Government of Egypt has announced that it is setting up a specialized digital forensic lab for Intellectual Property as part of its enforcement schemes of combating software piracy.


The new lab, the first of its kind in the MENA region, is mainly designed to resolve business software and internet-based piracy cases. It reliably recovers data from digital devices and uncovers new fraud techniques.

The latest measures aim to enhance investigative capabilities and to ease digital forensic evidence acquisition, analysis and reporting.

The cutting-edge techniques and latest technologies employed in the lab provide a road-map for judges, prosecutors and lawyers. The procedures practised there enable them to distinguish counterfeit products from genuine ones and to manage the intellectual property and digital piracy issues at hand.

The Information Technology Industry Development Agency (ITIDA), which develops the IT industry in Egypt, hosts the lab at its premises. The agency is the executive IT arm of the Egyptian ICT ministry for enforcing IPR related to software products and databases.

“Over the last couple of years, ITIDA’s IPR office has undertaken comprehensive actions to increase IP enforcement with all the stakeholders like the economic courts; i.e., judges and prosecutors, police officers, and copyright owners," said Dr. Mohamed Hegazy, Egypt’s IPR Office Manager.

Aiming at developing the necessary skills, the fully dedicated IPR office has delivered extensive training and capacity-building programs in legal, technical and practical aspects during 2017 to more than 900 police officers, 97 journalists from the National Broadcasting Authority, 125 employees from different software companies, in addition to 473 judges and prosecutors in the economic courts.

UPDATES: I took part in the recently concluded Intelligence Strategies & Crime Prevention for Law Enforcers meeting held in South Africa. Among other things, I emphasised search warrants, chain of custody, documenting everything during a forensic investigation, and proper handling of digital evidence.
Digital evidence, by its very nature, is fragile and can be altered, damaged or destroyed by improper handling or examination; this may render it unusable or lead to an inaccurate conclusion.
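As an added illustration, not part of the original post and not the Egyptian lab's own tooling, the following Python example shows the usual technical control behind chain of custody: hash the evidence at acquisition, have every receiver re-hash and log the result at each handover, and locate the exact step where integrity broke. The evidence bytes, case id and handler names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stands in for the bytes of an acquired disk or file image.
EVIDENCE_IMAGE = b"CONSTRUCTED SAMPLE: contents of a seized USB stick, sector 0..7\n" * 8


def sha256_hex(data: bytes) -> str:
    """Fingerprint the evidence; any single-bit change yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(data: bytes, case_id: str, handler: str, description: str) -> dict:
    """Create the custody record at acquisition time. The digest stored here is the
    reference that every later handover and examination is checked against."""
    digest = sha256_hex(data)
    return {
        "case_id": case_id,
        "description": description,
        "size": len(data),
        "sha256": digest,
        "custody": [
            {"action": "acquired", "by": handler, "at": _now(),
             "sha256": digest, "verified": True}
        ],
    }


def verify(record: dict, data: bytes) -> bool:
    """True only if the bytes in hand still match the acquisition-time reference."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def log_transfer(record: dict, data: bytes, from_handler: str, to_handler: str) -> bool:
    """Record a handover. The receiver re-hashes what they were given and the result
    (match or mismatch) is written into the log, so a break in integrity is tied to
    a specific step instead of being discovered at trial."""
    digest = sha256_hex(data)
    ok = digest == record["sha256"] and len(data) == record["size"]
    record["custody"].append({
        "action": "transferred",
        "from": from_handler,
        "to": to_handler,
        "at": _now(),
        "sha256": digest,
        "verified": ok,
    })
    return ok


def chain_intact(record: dict) -> bool:
    """Every custody entry must carry the reference digest and a successful check."""
    return all(entry["verified"] and entry["sha256"] == record["sha256"]
               for entry in record["custody"])


def first_break(record: dict):
    """Index of the first custody entry whose check failed, or None if none did."""
    for i, entry in enumerate(record["custody"]):
        if not entry["verified"]:
            return i
    return None


if __name__ == "__main__":
    rec = acquire(EVIDENCE_IMAGE, "CASE-0001", "examiner_a",
                  "USB stick image (constructed sample)")

    # Clean handover: receiver re-hashes, digest matches, chain stays intact.
    log_transfer(rec, EVIDENCE_IMAGE, "examiner_a", "examiner_b")

    # Improper handling: one byte of the image is altered before the next handover.
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[100] ^= 0x01
    log_transfer(rec, bytes(tampered), "examiner_b", "examiner_c")

    print(json.dumps(rec, indent=2))
    print("chain intact:", chain_intact(rec), "first break at entry:", first_break(rec))
```

The record itself should be stored where the handlers cannot silently rewrite it (a write-once log or a signed copy held by the case officer); the hashes only prove that the bytes are unchanged, not who changed them, which is why the handler names and timestamps are logged alongside each check.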

“We are committed to sustaining our success in combating IP infringement and expanding IP rights. The launch of this lab enables us to achieve our targets. Only in 2017, we have delivered technical expertise reports of 96 cases to the economic courts, registered 203 computer software programs and issued 267 licenses for the first time,” Hegazy added.

According to the latest BSA-IDC Global Software Piracy Study (2016), the Egyptian piracy rate reached 61%, a ratio lower than in most competing countries and leading global outsourcing locations, including Morocco (65 percent), the Philippines (67 percent) and Vietnam (78 percent).

The Cabinet is preparing a draft data protection and privacy law. It has already agreed on a cybercrime law, which awaits Parliament's approval to be enacted, according to Egypt's state media.

Egypt is currently undergoing an unprecedented phase of development in all fields, which is largely attributed to sound policies, monetary reforms, and global partnerships.

With the sustained momentum that Egypt is gaining in the area of tech innovation and startups ecosystem maturity, the Egyptian government represented by the Ministry of ICT has put its free and open software strategy into action in 2016.

The newly adopted policy represents a paradigm shift in intellectual property rules as it provides an alternate software-licensing model while developing a healthy eco-system for software production and innovation.

How to evaluate and select the best encryption services

Encryption is necessary after all, so the only discussion about this technology and these services should be about choosing a solution.

When it comes to truly protecting data, encryption is a no-brainer. In fact, some industry regulations require businesses and associations to encrypt specific information. Health care is a good example, but organizations in all sectors have a responsibility to protect their customer and client information, whether it's personally identifiable information or an email between colleagues.

The Myth of “Staying One Step Ahead of the Hackers”


The assumption that software security can stay ahead of the hackers is not true because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, hackers will be one step ahead because the software security industry can’t predict what new threats the hackers will unleash.


IN BRIEF: Networks in some ministries of the German government were hacked, leading to the theft of certain information, while some media outlets have accused Russia of the cyber attack. Germany's economy minister, meanwhile, says they are not certain that Russia was involved in the attack. Russia, for its part, has denied involvement in the attack.

Major powers with cyber capabilities have been accusing each other whenever cyber attacks occur on their territory. Russia, China and North Korea have been accused most often by European countries and the United States.

NOTICE: The ICT Commission of Tanzania has held its first meeting dedicated to discussing cyber security matters in the country, where many issues were examined, the main goal being to ensure that we achieve a cyber-secure nation.

Germany has recently suffered a cyber attack on two of its ministries so far, which has led to certain information from those ministries ending up in the hands of cyber criminals.

German members of parliament have blamed the government for not telling them about the cyber attacks, while the digital affairs committee of the German parliament sat in an emergency session to review information on the hack, which came to light at the end of February 2018.

One of the members of the digital committee, Anke Domscheit-Berg of the left-wing party Die Linke, said that the German government should have known about the cyber attacks earlier and contained them.

The German news agency DPA quoted unnamed security sources as saying that the Russian group APT28 hacked the communication systems of Germany's foreign and interior ministries and succeeded in stealing information.

The agency says the attacks were discovered in December last year and may have been going on for a whole year.

Thomas de Maiziere
German Minister of the Interior
Following that report, the interior ministry confirmed that federal government computers had been hacked, saying that the attacks affected matters unrelated to government secrets and that they had been contained.

However, the ministry's spokesperson could not give further details on the matter, saying it is under investigation and that security measures continue to be taken.

But according to German media, the intrusion was allowed to continue until 28 February 2018 so that investigators could gather information about its scope, its targets and the perpetrators themselves.

"If it is confirmed to be true, this would be a form of war against Germany," said the head of the German parliament's digital affairs committee, Dieter Janacek of the environmentalist party Die Grüne, according to the newspaper Berliner Zeitung.
Janacek described the attacks as extremely serious, and called on the government to bring all the information it has to parliament.

The first cyber security meetings organised by the ICT Commission in Tanzania

Asked whether the attacks had been carried out by a Russian-backed group, a member of parliament from Chancellor Angela Merkel's CDU/CSU alliance defended the government's strategy of withholding information. Stephan Mayer of the CSU said that "a full and thorough investigation" was needed, "but not one conducted in public." The MP added that "casting suspicion on others cannot help that investigation".

The APT28 group, sometimes called Fancy Bear, which is linked to the intelligence service of the Russian military, has previously been named in connection with cyber attacks against the German parliament in 2015 and also against NATO offices and Eastern European governments.

Brigitte Zypries
Minister of Energy and Economic Affairs
Germany's minister of energy and economic affairs, Hon. Brigitte Zypries, has already spoken about this attack, stating that there is no evidence proving that Russia was involved.

Russia, for its part, has also denied involvement in the attack.