Background on eCSIRT.net
Today's foundation of the distributed network of CSIRTs existing in Europe can be described as follows:
- Established communication:
Based on Internet-based email only. Telephone and telefax might be used to confirm specific information or to discuss potential approaches.
- No backup for Internet-based email.
- Established communication security:
Based on PGP encryption and digital signatures. Keys are authenticated on an ad-hoc basis through CSIRT-to-CSIRT communication.
- No key infrastructure.
- Established informal knowledge-transfer:
If events are of enough interest or seem to be important, they might be shared with other teams.
- No guidelines or requirements on what should be shared with whom.
- Supported integration of new entities:
New CSIRTs are presented to the community by means of the European CSIRT Directory (TI, http://www.ti.terena.nl). No efforts are made to formally introduce new teams, although each team is welcome to sign up for accreditation under the TI framework.
- No formal integration of new CSIRTs.
- Successful cooperation on case by case basis:
CSIRTs involved in the same incidents will share information on a case by case basis and on the need-to-know principle.
- No predetermined rules for cooperation on a routine basis.
- Limited availability of statistical or trend analysis outside the CSIRT community:
While value added information is available to single and cooperating teams, it is rarely made available outside the CSIRT community.
- No availability of early warning information.
- No established way of providing sanitized information to the public.
The eCSIRT.net project aims to address - directly and indirectly - the recognized limitations and missing benefits of an established CSIRT infrastructure. By concentrating on CSIRT-to-CSIRT communication and cooperation, an overall improvement for all participating CSIRTs can be achieved in various respects. The innovation is not only related to specific new technology but to new solutions to existing problems and new operational practices:
- Improved communication:
By applying newly established protocols - namely IODEF and IDMEF - communication will be formalized and integrated into the internal workflows, enabling semi-automated handling of new incoming reports and facilitating complete and timely reporting to other CSIRTs. One side effect will be that a common language for CSIRTs will be established to describe events and data of common interest. While the protocols implement a technical, syntax-oriented solution, the integration into workflows demands a semantic solution, so that the same set of exchanged data is not interpreted differently by the CSIRTs involved.
- Backup for Internet-based communication especially in regard to alerts:
While all incidents and attacks are important to the impacted users and organizations, 24 by 7 (round the clock) helpdesks and service offerings are still rare. But global attacks like Nimda or Code Red, or vulnerabilities like the SNMP weaknesses, require immediate attention and at least the timely dissemination of heads-up and alert messages. As past experience makes clear that the network itself will be impacted, a backup for Internet-based communication is mandatory to allow CSIRT-to-CSIRT communication during crises.
- Established formal agreements regarding knowledge-transfer:
Guidelines and recommendations as well as a common understanding, what MUST be shared, what SHOULD be shared, what CANNOT be shared (due to legal constraints) and who will get access under what conditions will not only make it much easier to exchange information. It will also help to remove the need to decide on a case by case basis and therefore greatly improve the working conditions as well.
- Formal integration of new entities:
As new CSIRTs would like to participate in the European CSIRT network, these new teams will need to follow the same rules as everyone else. This requires some formal steps and is supported by a Code of Conduct. This code will augment the European CSIRT directory efforts.
- Established cooperation routinely on all cases:
CSIRTs will share as much information as possible within the boundaries of the agreed terms and code of conduct. Because the conditions are agreed in advance, the way incidents are handled by the CSIRTs improves. Based on the more complete understanding and background information available regarding incidents, the actions taken by CSIRTs and the recommendations given will be more precise and tailored to the needs of the constituents.
- Established cooperation towards early warning information:
The recent large scale incidents have shown that the time frame between the first indicators of a new problem and its large scale exploitation is becoming smaller and smaller. There is simply not enough time to wait until the next business day to address problems such as Nimda, Code Red or even the SNMP vulnerability. To address this, the solution will need to include CSIRTs outside Europe as early warning indicators, because otherwise information might not reach European teams early enough to provide sufficient lead time. This is especially true outside business hours. In addition, automated reporting based on sensors available to CSIRTs can be integrated to provide additional data points for informed decisions.
- Sanitized insights into the CSIRT community through public statistical and trend analysis:
While there is a clear need for confidentiality and privacy related to incidents, silence about incidents, attacks and their impact on organizations as well as on society at large is not helpful. Based on the common language established for the improved exchange of incident and attack related data, all events are already labeled in a standardized way. Thereby the presentation of statistical analysis is made possible without additional effort, whereas today any analysis would first require transforming all data into a common language. The availability of statistical and trend analysis is important for the teams, as they will gain arguments to support their position and services. In addition they will gain insights into their own work which allow them to adjust it to new trends. Without real insights available outside the CSIRT community, the threats cannot be evaluated or addressed on the policy level.
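As an added illustration (not part of the eCSIRT.net text or its deliverables) of what the "common language" described above buys in practice, the following Python sketch builds an incident report as an IODEF document, parses it on the receiving side with a mandatory-field check, strips contact and address data before publication, and counts the reports into impact statistics without any per-team translation step. It assumes the IODEF v1 element names and namespace as later standardised in RFC 5070 (the project itself worked against the earlier draft), and the three reports are constructed sample data.

```python
"""Minimal IODEF-style incident exchange: build, parse, sanitize, aggregate.

Added example; not eCSIRT.net code. Element names follow IODEF v1
(RFC 5070) as an assumption; all reports below are constructed samples.
"""
import xml.etree.ElementTree as ET
from collections import Counter

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)
_NS = {"iodef": IODEF_NS}
_Q = "{%s}" % IODEF_NS  # Clark-notation prefix for building elements


def build_report(incident_id, team, report_time, impact_type, severity, target_ip):
    """Return one IODEF-Document (bytes) describing a single incident.

    A team emits this instead of a free-text mail, so the receiving team's
    workflow can parse it without anyone re-typing the facts."""
    doc = ET.Element(_Q + "IODEF-Document", {"version": "1.00"})
    inc = ET.SubElement(doc, _Q + "Incident", {"purpose": "reporting"})
    ET.SubElement(inc, _Q + "IncidentID", {"name": team}).text = incident_id
    ET.SubElement(inc, _Q + "ReportTime").text = report_time
    assessment = ET.SubElement(inc, _Q + "Assessment")
    ET.SubElement(assessment, _Q + "Impact", {"type": impact_type, "severity": severity})
    contact = ET.SubElement(inc, _Q + "Contact", {"role": "creator", "type": "organization"})
    ET.SubElement(contact, _Q + "ContactName").text = team
    flow = ET.SubElement(ET.SubElement(inc, _Q + "EventData"), _Q + "Flow")
    node = ET.SubElement(ET.SubElement(flow, _Q + "System", {"category": "target"}), _Q + "Node")
    ET.SubElement(node, _Q + "Address", {"category": "ipv4-addr"}).text = target_ip
    return ET.tostring(doc, encoding="utf-8")


def parse_report(xml_bytes):
    """Extract the fields a receiving CSIRT's workflow needs.

    Raises ValueError when mandatory elements are missing, so a malformed
    report is rejected at the door rather than silently mis-filed."""
    root = ET.fromstring(xml_bytes)
    inc = root.find("iodef:Incident", _NS)
    if inc is None:
        raise ValueError("no Incident element")
    iid = inc.find("iodef:IncidentID", _NS)
    impact = inc.find("iodef:Assessment/iodef:Impact", _NS)
    if iid is None or impact is None:
        raise ValueError("IncidentID and Assessment/Impact are mandatory")
    addr = inc.find("iodef:EventData/iodef:Flow/iodef:System/iodef:Node/iodef:Address", _NS)
    return {
        "id": iid.text,
        "reporter": iid.get("name"),
        "time": inc.findtext("iodef:ReportTime", default="", namespaces=_NS),
        "impact": impact.get("type"),
        "severity": impact.get("severity"),
        "target": addr.text if addr is not None else None,
    }


def sanitize_for_publication(xml_bytes):
    """Return the report with contact details and target addresses removed.

    What survives are exactly the standardized labels (impact type, severity,
    time) that public statistics and trend analysis are built from."""
    root = ET.fromstring(xml_bytes)
    for inc in list(root.iter(_Q + "Incident")):
        for contact in list(inc.findall(_Q + "Contact")):
            inc.remove(contact)
    for node in list(root.iter(_Q + "Node")):
        for addr in list(node.findall(_Q + "Address")):
            node.remove(addr)
    return ET.tostring(root, encoding="utf-8")


def impact_statistics(reports):
    """Count incidents per Impact type across reports from several teams.

    Because every team labels with the same vocabulary, the statistic is one
    Counter over the exchanged documents; no normalisation of free-text
    categories is needed."""
    return Counter(parse_report(r)["impact"] for r in reports)


# Constructed sample reports from two hypothetical teams (not real incidents).
SAMPLE_REPORTS = [
    build_report("2003-0001", "CSIRT-A", "2003-01-25T06:30:00Z", "dos", "high", "192.0.2.10"),
    build_report("2003-0002", "CSIRT-B", "2003-01-25T07:10:00Z", "dos", "high", "198.51.100.7"),
    build_report("2003-0003", "CSIRT-A", "2003-01-26T11:00:00Z", "recon", "low", "192.0.2.44"),
]

if __name__ == "__main__":
    print(parse_report(SAMPLE_REPORTS[0]))
    print(parse_report(sanitize_for_publication(SAMPLE_REPORTS[0])))
    print(dict(impact_statistics(SAMPLE_REPORTS)))
```

The sanitizing step is deliberately a separate function from parsing: a team keeps the full document for its own handling and hands only the stripped form to whoever produces public statistics, which is the division of information the text describes.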
As the strength of CSIRTs lies in the close relationship between the CSIRT and its constituency, the eCSIRT.net project does not intervene in this regard. Only information that stems from the cooperation within the European CSIRT network and is specifically created to support take-up by other CSIRTs, or that constitutes a "product" like the public statistics and trend analysis, will be made available. Everything else will benefit the CSIRTs participating in this project - and others adopting our approach - by improving their operation and ultimately their service to their constituents. This approach will also address the recognized need to provide local support in terms of language, laws and culture.
As the take-up of new solutions and techniques is always a limiting factor for availability and dissemination, the eCSIRT.net project aims to prepare comprehensive guides and information material that will help other CSIRTs to adopt the common framework and the established procedures and to apply the techniques used. This material will also explain the process and lead interested CSIRTs through it to become an integral part of the European CSIRT network.
To summarize, the innovations of the eCSIRT.net approach include:
- Enhancing performance of CSIRTs
- Enhancing cooperation amongst CSIRTs
- Facilitating information dissemination amongst CSIRTs
- Facilitating availability of early warning information to CSIRTs
- Facilitating availability of value added information, analysis and assessment in terms of statistics, best practices to avoid incidents, in and outside CSIRTs
- Establishing the basis for adoption of new technologies as new best practice