
Ebook: Next Generation CERTs

Emerging alongside the widespread adoption of networked information technologies, cybersecurity incidents represent a significant threat to our common well-being. The institutional construct of a Computer-Emergency Response Team (CERT) began to evolve thirty years ago as a response to security incidents in the nascent Internet.
This book, Next Generation CERTs, presents papers arising from the NATO Advanced Research Workshop “New Generation CERT: from Response to Readiness - Strategy and Guidelines”, held in Chiavari, Italy, from 28 to 30 March 2017. The workshop enabled 38 leading experts from NATO member and affiliate states to discuss the limitations of current CERTs and to identify the improvements that are likely to shape the CERTs of the future. After the workshop, participants were invited to submit the papers included here.
The book is divided into 3 main sections: state of the art; next generation CERTs; and the experience of CERTs. A number of approaches are covered – technical, tactical, strategic – which could be applied to both civilian and military environments.
Providing an insight into the likely future development of CERTs, the book will be of interest to all those involved in the field of cybersecurity.
For millennia, we humans have collectively and instinctively responded to complex incidents that threaten our common well-being, from earthquakes, wildfires, and floods to large electrical blackouts, food-supply contaminations, and product-safety recalls. Responding to and preparing for such calamities, we have evolved collective capabilities and institutions at varied levels: local, regional, sector, national, international, and global. With the widespread adoption of networked information technologies, cybersecurity incidents have emerged as yet another threat to our common well-being. Thirty years ago, the institutional construct of a Computer Emergency Response Team (CERT) evolved from responses to actual incidents in the nascent Internet.
As the Chief Scientist for the CERT Division of the Software Engineering Institute at Carnegie Mellon University, I’m honored and humbled to preface this volume compiled by my esteemed colleagues, A. Armando, M. Henauer and A. Rigoni. These papers provide insights on the evolution of CERTs as long-lived yet agile institutions. Such agility is more urgently needed than ever as we observe the fast emerging and evolving threats that exploit social media, on-line human frailties, the scale of the Internet of Things, and artificial intelligence tools.
As the essence of shared national security interests, NATO serves a critical long-standing role for ensuring peace and stability in Europe and beyond. In that spirit, A. Armando, M. Henauer and A. Rigoni held a NATO-sponsored workshop on March 28–30, 2017, on “New Generation CERT: from Response to Readiness – Strategy and Guidelines” at the School of Telecommunications of the Italian Armed Forces in Italy that convened cybersecurity experts from NATO member and affiliate states. I was delighted to participate in the vigorous discussions that provided the material for this volume.
Trust, sharing, change, verify, preparedness, mission, dynamic, readiness, monitoring, exercise.
These ten words are my key impressions from the nine chapters. In Chapter 1.1, by A. Rigoni, et al., trust is fundamental to the concept of a CERT – assisting in an emergency, when organizations are vulnerable to active threats. In Chapter 1.2, by M. Maybury, sharing information is the lifeblood of a CERT; without sharing, a CERT is nothing. In Chapter 2.1, by K. Wrona, et al., change in the threats, technologies, and organizational needs drives the evolution of our concepts of CERTs. In Chapter 2.2, by L. Russo, et al., verify with red teams – an imperative to realistically validate protections, procedures, and functional CERT capabilities. In Chapter 3.1, by S. Bordi, dynamic evolution defines each and every CERT, especially as the security operations center matures and integrates with CERT capabilities. In Chapter 3.2, by L. Ballarno et al., readiness defines the persistent state of staff in a CERT – ready to effectively respond to any computer emergency, even one not previously experienced. In Chapter 3.3, by F. Casano et al., exercise is the essence of a “fit” and ready-to-respond CERT – organizations require no less. I hope you enjoy these chapters on the continued evolution of CERTs and see how the ideas herein will shape that evolution for NATO states and affiliates.
Gregory SHANNON
Carnegie Mellon University Pittsburgh, USA
The goal of this chapter is to outline the main characteristics of a CERT based on its type, primary mission, authority on incident response, and capabilities required to achieve the strategic objectives. In particular, different organizational models are thoroughly investigated, outlining the different layouts through which services and capabilities can be offered to the Constituency.
In an increasingly interconnected world, it is essential for all entities to have a common strategy involving each cybersecurity operations center, in order to increase the overall system’s resilience.
The sharing of cybersecurity information is the first step to tackle when defining this common strategy, both at the sectoral and at the regional level. It is of particular relevance because it allows for the creation of a cybersecurity information-sharing ecosystem. Industries, universities, governments, private stakeholders and critical infrastructure providers are the main actors involved in this network. In general, the characterization of threats follows the information exchange (threat sharing) and is based on three fundamental aspects: cyber adversary tactics, techniques and procedures (TTPs).
In order to be effective, the common strategy should be principled, preventative, proactive and partnership-focused: it should not be abstract, but should follow a pragmatic approach by seeking to invest in affordable and effective solutions. In the near future, human intervention will no longer be necessary for the protection of computers: computers themselves will be responsible for acknowledging and sharing incidents, analytics and exercises, in order to increase their cyber resilience.
This chapter discusses the changes that the traditional Computer Emergency Response Capability (CERT) will have to adopt in order to continue to provide value and support to future NATO operations. As ICT solutions become increasingly federated, cooperation between future CERTs will need to be an integral part of the operational model for any large organization or business, especially if it is considered part of critical infrastructure. Tighter integration with ICT operations and business operations in general, ensuring that cyber-attacks are detected and effectively and efficiently mitigated as a regular day-to-day activity, will continue to make CERTs relevant and highly necessary for any organization. While the name might change or disappear, the functions provided are more important than ever, and no future ICT system should operate without them.
A business-aligned and adaptive Cyber Defence capability, enabled by clear knowledge of the internal context and by Cyber Threat Intelligence, is the target to move towards in order to counter the new, challenging and dynamic cyber threats. In an asymmetric scenario such as cyber security, trusted and skilled people, who carry out the processes and use the technologies, are the key factor in developing, implementing and handling cyber defence activities and projects. The definition of a Cyber Defence maturity model allows the effectiveness and the efficiency of this new approach to be measured.
The main differences between a SOC and a CERT concern their objectives, approaches, methods, organizational structures and related activities. The growing cyber threat scenario requires a change of perspective in how the organization manages its tasks. An organization should evaluate the possibility of changing the attribution of responsibilities for some services in order to evolve from a SOC to a new CERT structure.
The chapter discusses the broad use of Wargaming. It starts by describing the role of Board War Gaming in military environments, considering the effect it had on historical events, such as how the US Navy’s inter-war wargaming underpinned the eventual success against the Japanese Empire in World War II. The subject is further developed by describing how Wargaming is exploited nowadays, featuring Locked Shields, the world’s largest and most advanced international technical live-fire cyber defense exercise organized by NATO, as a use case, and analyzing Capture the Flag (CTF) contests overall along with cyber ranges. The focus is on the importance that such competitions have in today’s world: gaining awareness of security flaws through “battles”, specialized training, and the fact that they constitute a new, totally hands-on approach to learning.