
The successful creation and operation of CERTs / CSIRTs depends on many factors. Many mistakes can be made, especially in the early phases, that are difficult or impossible to correct later. This page collects good practice material that aims to help EU Member States, and other stakeholders, to establish and operate CERTs / CSIRTs smoothly. The material has been created in cooperation with experts in this field who have many years of hands-on experience in the related areas. All of it has been tested in practice.

Contact us if you'd like to find out more!

  • How to set up a CERT?

A step-by-step explanation of how to plan, kick off and establish your own CERT. We even provide you with an easy-to-use project plan! More...

  • How to run a CERT?

A basic collection of good practice on how to operate a CERT, especially in the crucial first year. More...

  • Exercises for CERTs

An easy-to-use collection of exercises for CERTs in various areas. More...

  • Baseline capabilities of national / governmental CERTs

Recommendations for a basic set of capabilities for CERTs with responsibilities for CIIP (critical information infrastructure protection) and international cooperation. More...

  • How do CERTs manage security incidents?

Good practices, practical information and guidelines for the management of network and information security incidents with an emphasis on incident handling. More...

  • How to improve detection of network security incidents?

This report lists 30 external sources and 12 categories of internal tools and mechanisms, together with recommendations, that can be used to improve the detection of network security incidents. More...

  • Legal aspects of information exchange between CERTs

A study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe. More...

  • Common tools for CERTs

An overview of tools in use by the European CERT community (TF-CSIRT). More...

  • Supporting the fight against cybercrime

A study aiming to improve the capability of CERTs, with a focus on national/governmental CERTs (n/g CERTs), to address the network and information security (NIS) aspects of cybercrime. More...

Refer to http://www.enisa.europa.eu/activities/cert/support


Exercise 7: Network Forensics
Main Objective: To familiarise students with standard network monitoring tools, their output, and their application to the analysis of network security events. As a result, students will be able to interpret the security context of collected network data, enabling the post-mortem analysis of security incidents.

Targeted Audience: Technical CERT staff

Total Duration: Roughly 6 hours, 30 minutes

Time Schedule:
  • Introduction to the exercise: 15 min.
  • Part 1: PCAP trace analysis – server-side attack
      Task 1: Introductory scenario – fake web server vulnerability exploitation, step by step: 60 min.
      Task 2: Dabber scenario: 60 min.
  • Part 2: PCAP trace analysis – client-side attack
      Task 1: Drive-by download without fast flux: 60 min.
      Task 2: Drive-by download with fast flux: 60 min.
  • Part 3: Netflow analysis
      Task 1: DDoS analysis, step by step: 60 min.
      Task 2: DDoS analysis, do it yourself (DIY): 60 min.
  • Summary of the exercise: 15 min.

Frequency: This exercise should be carried out whenever a new CERT team is being set up or new team members responsible for advanced incident handling join the team. It should be extended regularly to cover new types of attacks.

General Description

The exercise should be performed as a hands-on class. Give a short introduction to the field of network forensics, then hand out a set of packet traces of security incidents for analysis. Each trace involves a different security scenario, which is presented to the students. For each scenario the goal is to identify the security information relevant to that incident: which host or application was attacked, and from where. It is recommended that the traces include not just malicious traffic but benign traffic as well, so as to mirror real-life conditions. The data should be provided both as packet traces in pcap format and as netflow samples; the pcap traces should include full packet payload captures, since several scenarios (for example the drive-by downloads) cannot be analysed from headers alone. The students should be allowed access to the Internet and encouraged to use search engines to support their analysis. This handbook contains six example attack scenarios, one per task; you are encouraged to create your own.
Because of the technical nature of this exercise, it is advisable that you, as the trainer, have extensive experience with analysing packet and flow traces. The examples in the handbook are detailed so as to help you as much as possible.

Students require access to the LiveDVD, which contains all the tools and logs necessary for carrying out the exercise. The tools needed for each scenario are listed in the handbook sections devoted to the scenarios.
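The description above expects students to turn a raw pcap trace into a picture of who talked to whom and where the attack sits among the benign traffic. As an added example that is not part of the ENISA handbook or its LiveDVD, the following Python script does that first step with the standard library only: it walks a classic pcap file, dissects Ethernet/IPv4/TCP headers, groups frames into client/server conversations and flags the clients that opened unusually many connections to one service (the pattern behind a scan, a brute-force run or repeated exploitation attempts in the server-side scenarios). The capture is constructed in memory by build_pcap with hypothetical addresses from the RFC 5737 documentation ranges; no real incident data is involved.

```python
"""Pure-standard-library pcap dissection for post-mortem trace analysis.

Added example, not from the ENISA handbook. The sample capture is constructed
in memory by build_pcap(); addresses are hypothetical (RFC 5737 ranges).
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4        # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1   # same file written by a big-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_pcap(frames):
    """Serialise (src, dst, sport, dport, tcp_flags) tuples as a little-endian
    classic pcap file of Ethernet/IPv4/TCP frames (checksums left at zero)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, (src, dst, sport, dport, flags) in enumerate(frames):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64,
                         IPPROTO_TCP, 0, _ip_bytes(src), _ip_bytes(dst))
        eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)   # MAC addresses zeroed
        frame = eth + ip + tcp
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Return (ts, src, dst, sport, dport, flags) for every IPv4/TCP frame.
    Only classic pcap over Ethernet is handled; pcapng is rejected."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                       # not IPv4, or truncated by the snaplen
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4           # IPv4 header length, options included
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 14:
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        packets.append((ts_sec + ts_usec / 1e6,
                        ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                        sport, dport, tcp[13]))
    return packets


def conversations(packets):
    """Group frames into (client, server, server_port) -> {'packets', 'syns'}.
    The sender of a bare SYN is the client; server replies are matched by
    swapping the addresses, so both directions count towards one conversation."""
    convs = {}
    for _ts, src, dst, sport, dport, flags in packets:
        is_syn = bool(flags & TCP_SYN) and not flags & TCP_ACK
        if not is_syn and (dst, src, sport) in convs:
            key = (dst, src, sport)        # server -> client direction
        else:
            key = (src, dst, dport)        # client -> server direction
        entry = convs.setdefault(key, {"packets": 0, "syns": 0})
        entry["packets"] += 1
        entry["syns"] += is_syn
    return convs


def suspect_clients(convs, min_syns=5):
    """Clients that opened at least min_syns connections to one service: in a
    mixed trace this is where to start looking for a scan or repeated
    exploitation attempts against a listening daemon."""
    return sorted(k for k, v in convs.items() if v["syns"] >= min_syns)


def _handshake(client, server, sport, dport):
    return [(client, server, sport, dport, TCP_SYN),
            (server, client, dport, sport, TCP_SYN | TCP_ACK),
            (client, server, sport, dport, TCP_ACK)]


# Constructed sample: two benign web sessions plus one host that repeatedly
# connects to TCP/445 on an internal server (hypothetical addresses).
SAMPLE_FRAMES = (
    _handshake("192.0.2.10", "198.51.100.80", 51000, 80)
    + _handshake("192.0.2.11", "198.51.100.80", 51001, 443)
    + [f for n in range(6) for f in _handshake("203.0.113.7", "198.51.100.25", 40000 + n, 445)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    convs = conversations(parse_pcap(SAMPLE_PCAP))
    for (client, server, port), stats in sorted(convs.items()):
        print(f"{client:>14} -> {server}:{port:<5} packets={stats['packets']:3} syns={stats['syns']}")
    print("suspect:", suspect_clients(convs))
```

Two caveats for use on real traces: recent Wireshark versions save pcapng by default, which this parser deliberately rejects, so export as classic pcap or capture with tcpdump; and the script never looks past the TCP header, whereas the drive-by and Dabber scenarios need the payload (follow the stream in Wireshark or tshark once this summary has told you which conversation to follow).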
