
Incident response by Luc, head of CERT-Intrinsec


This interview with Luc Roudé, the CERT-Intrinsec manager, was conducted by GSMag, in order to present the missions and challenges of a CERT. 

 

GSMag: Can you tell us about your CERT and its activities?

Luc: The main missions of Intrinsec's CERT are to carry out incident response and digital investigation operations, to maintain a monitoring activity on critical vulnerabilities and major events, and to support its clients on issues of anticipation, treatment and strengthening against computer threats.
Within Intrinsec itself, the CERT operates within a Managed Security Services structure that includes a SOC and a Cyber Threat Intelligence cell. We act as Level 3 of the SOC and provide our technical and security expertise to the CTI analysts.

 

GSMag: How is the incident response handled?

We have several approaches, the simplest being a direct telephone line to the CERT allowing anyone experiencing a security incident to contact us. Once the event is resolved, we systematically conduct a post-mortem and provide the client with the tools to avoid similar scenarios. Where possible, we also offer suggestions tailored to their specific context to initiate a process of continuous improvement.

For existing clients, we integrate into their security incident management process. This may involve preliminary measures to prepare the environment for incident response operations. We are also able to integrate with existing systems, for example by positioning ourselves as an escalation point for an existing SOC, or by setting up a flow of technical indicators consumed by IPS or IDS equipment operated by the customer.
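The "flow of technical indicators consumed by IPS or IDS equipment" mentioned above is usually a feed of IP addresses and domains that has to be turned into signatures the customer's sensor understands. The block below is an added example, not code from the interview or from Intrinsec: it converts a small constructed indicator list (MISP-style attribute types) into Suricata rules, validating each value before emitting a rule and reporting what it skipped. The indicator values, the local SID range and the message prefix are assumptions made for the example.

```python
"""Convert a constructed indicator feed into Suricata rules (added example)."""
import ipaddress
import re

# Constructed sample feed: (attribute type, value, description).
# The types mirror MISP attribute names; the values are illustrative only.
SAMPLE_INDICATORS = [
    ("ip-dst", "203.0.113.45", "C2 beacon"),
    ("domain", "update-check.example.net", "Dropper staging host"),
    ("ip-dst", "not.an.ip", "Malformed entry that must be skipped"),
    ("url", "http://example.org/x", "Type this converter does not handle"),
]

# Assumed local SID range; SIDs >= 1,000,000 are conventionally reserved
# for locally written rules so they never collide with vendor rulesets.
SID_BASE = 9_000_000
MSG_PREFIX = "CERT IOC"

# Conservative hostname check: labels of letters, digits and hyphens, at
# least one dot, and a TLD of letters only.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
                       re.IGNORECASE)


def _safe_msg(text: str) -> str:
    """Strip characters that would break or terminate a Suricata option string."""
    return re.sub(r'[";\\]', "", text)


def indicator_to_rule(kind: str, value: str, desc: str, sid: int):
    """Return one Suricata rule for a supported, well-formed indicator, else None."""
    msg = _safe_msg(f"{MSG_PREFIX} {desc} ({value})")
    if kind in ("ip-dst", "ip-src"):
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        if kind == "ip-dst":
            # Any traffic from the monitored network towards the indicator.
            return (f'alert ip $HOME_NET any -> {ip} any '
                    f'(msg:"{msg}"; classtype:trojan-activity; sid:{sid}; rev:1;)')
        return (f'alert ip {ip} any -> $HOME_NET any '
                f'(msg:"{msg}"; classtype:trojan-activity; sid:{sid}; rev:1;)')
    if kind in ("domain", "hostname"):
        if not DOMAIN_RE.match(value):
            return None
        # Match the name in DNS queries; nocase because DNS is case-insensitive.
        return (f'alert dns $HOME_NET any -> any any '
                f'(msg:"{msg}"; dns.query; content:"{value.lower()}"; nocase; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return None


def indicators_to_rules(indicators, sid_base=SID_BASE):
    """Convert a feed into (rules, skipped); SIDs are allocated sequentially."""
    rules, skipped = [], []
    sid = sid_base
    for kind, value, desc in indicators:
        rule = indicator_to_rule(kind, value, desc, sid)
        if rule is None:
            skipped.append((kind, value))
            continue
        rules.append(rule)
        sid += 1
    return rules, skipped


if __name__ == "__main__":
    emitted, dropped = indicators_to_rules(SAMPLE_INDICATORS)
    print("\n".join(emitted))
    for kind, value in dropped:
        print(f"# skipped unsupported or malformed indicator: {kind}={value}")
```

Two things matter in practice: every value is validated before it reaches a rule (a feed entry like `not.an.ip` must be dropped, not written into a signature that fails to load and takes the rest of the file with it), and the SID counter is kept outside any vendor range so the generated file can be reloaded without collisions.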

 

GSMag: How do you collaborate with other CERTs in France, Europe and beyond?

We have fairly informal communication channels with the internal and private CERTs operating in France. We also exchange information within discussion groups with international entities. This mainly involves sharing information on new threats: the latest malware discoveries, associated technical indicators, techniques used by certain attacker groups…

Regarding information sharing with other private CERTs, we put aside the fact that we are competitors as much as possible to focus on our common mission: to put as many obstacles as possible in the way of cybercriminals.

 

GSMag: What about other actors and entities orchestrating security, such as SOCs?


Within Intrinsec, the CERT supports the SOC in several aspects. The most classic is its positioning at Level 3, to handle incidents escalated by analysts at Levels 1 and 2. In our regular operations, we upload all the artifacts we can extract from the malware analyzed during our incident response operations to a shared indicators platform (MISP). The CERT also aims to bridge the gap between attackers and defenders in the context of Purple Team missions. As the objective of these operations is to test defenses against credible attack scenarios, the CERT can provide feedback on offensive techniques observed "in the field" and offer its technical expertise in support of the SOC to develop methods for detecting these tactics. Finally, the CERT contributes technical expertise to the CTI cell. CTI analysts are trained more on geopolitical aspects; if they find unknown files associated closely or remotely with one of our clients, we support them in analyzing the file.

 

GSMag: What, in your opinion, are the keys to an efficient incident response?

An incident response operation can generally be divided into six steps: Preparation, Identification, Containment, Eradication, Return to Normal and Lessons Learned. And it cannot be stressed enough: the key is preparation. From a purely organizational perspective, first and foremost, by asking ourselves a few questions: What types of attackers are likely to harm us? What attack scenarios can we envision for these profiles? What measures do we have to prevent, detect and respond to these scenarios?

Next, it is necessary to choose the means to implement in order to answer these questions. In this context, I regularly cite the model presented in an article published by SANS in 2015, The Sliding Scale of Cyber Security [1]. It presents different categories of resources, the most important being those focused on the IT architecture. An incident response carried out within a well-managed infrastructure is much more likely to be quick and effective. An up-to-date architecture diagram, a consistent flow matrix, a classification of critical business assets… all this information is essential for identifying the points to inspect as a priority and for planning appropriate defense actions.

[1] https://www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240

 

GSMag: What advice can you give to organizations to strengthen their level of security?

It is essential to involve senior management and to bear the costs incurred. Developing a coherent information security strategy requires engaging in projects with diverse groups and undertaking actions that may not initially appear to have immediate relevance to the business, or may even introduce operational constraints. In this context, having the support of management allows for a strong message regarding the importance of information security and ensures the allocation of the resources necessary for the successful execution of a continuous improvement initiative.

 

You can find the rest of the interview in issue #41 of the magazine Global Security Mag.