Cybersecurity Emergency Response Teams (CERT), also known as Computer Security Incident Response Teams (CSIRT), are the first responders in the event of a cyberattack.

This team supports businesses, critical infrastructure and government agencies. While some organizations are large enough to have their own CERT (such as banks, for example), most companies use commercial CERT.

What is a CERT for (its missions)?

The primary mission of a CERT is to contain computer security incidents, minimize their impact on the organization’s operations and reputation, and facilitate post-crisis remediation and reconstruction.

How does a CERT work?

CERT can be operated by private organizations or government agencies. They are made up of IT professionals who have been trained in incident response and analysis, risk assessment, forensic investigation and other areas of cybersecurity.

When an intrusion is suspected, the CERT team is activated and comes to take note of the situation: available tools, signs of compromise, attack indicators, perimeter to be defended and potential impacts, procedures and organization…

The team interacts with the information systems department and the SOC when it exists to make the best use of the available security resources.

During the crisis, the team may need to recommend or deploy specific tools, for example an agile SecOps platform such as SEKOIA.IO XDR to provide circumstantial supervision if the victim’s own means are unusable.

After the crisis, the CERT may be called upon to propose recommendations for the architecture of the security system to prevent an aftershock, improve the posture of the victim, increase awareness, etc. For example, CERT may recommend strengthening risk management by acquiring means of monitoring vulnerabilities or knowledge of threats with an intelligence flow such as SEKOIA.IO CTI.

How to choose a CERT provider?

The main quality of a commercial CERT is its responsiveness and expertise. Such a team must indeed be able to react effectively from the first moments of its mission. For this, the skills and experience of the team are vital. To enable them to deploy their full potential. However, they must be able to rely on fluid, easy-to-access tools designed for incident response.

For example, SEKOIA.IO XDR has leveraged over a decade of incident response experience to deliver the best-in-class analyst experience. Designed by and for operational security professionals, the platform provides all the necessary functionalities, federated in a user-friendly interface focused on uses.

Note on the “CERT” trademark

CERT” is a registered trademark of the Software Engineering Institute of Carneggie Melon University (USA), which holds the rights to it and regulates its use for all countries. Any CSIRT is not by default authorized to use this mark, although the use, in particular in France and in Europe, tends to erase the distinction between these two terms. The use made “CERT” the generic term, as Frigo was a brand of refrigerator or Kleenex a brand of tissues, despite Carneggie Melon’s efforts to the contrary.

How to operate an internal CERT?

Everything we said about commercial CERT remains valid for an in-house CERT. However, an internal team must also respect in its design and its procedures the organizational principles of the structure, company or not, which hosts them.

In particular, it is common for regulatory obligations to lead to the imposition of architectural choices, or even to direct towards solutions qualified or certified by official bodies. For example, the European directive NIS 2 proposes to reinforce the capacities of capitalization and sharing of information on the threats, which can direct towards a platform such as SEKOIA.IO TIP.

Discover the definition of: