CSIRT Description for IstroCSIRT According to RFC 2350
------------------------------------------------------

1. About this document

1.1 Date of Last Update

This is version 1.0, published 2021/10/11.

1.2 Distribution List for Notifications

There is no distribution list for notifications.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available at https://www.istrosec.com/service/csirt-services/. Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with the PGP key of IstroCSIRT. See section 2.8 for more details. The signatures are also on our Web site, under: https://www.istrosec.com/#contact.

1.5 Document Identification

Title: "RFC 2350 IstroCSIRT"
Version: 1.0
Document Date: 2021/10/11
Expiration: This document is valid until superseded by a later version.

2. Contact Information

2.1 Name of the Team

IstroSec Computer Security Incident Response Team
Short name: IstroCSIRT

2.2 Address

IstroSec s.r.o.
Černyševského 10
851 01 Bratislava
Slovakia

2.3 Time Zone

GMT +02:00

2.4 Telephone Number

+421917699002

2.5 Facsimile Number

None available.

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

This is a mail alias that relays mail to the human(s) on duty for the IstroCSIRT.

This is an address for general inquiries on IstroSec.

2.8 Public Keys and Other Encryption Information

The IstroCSIRT has a PGP key whose KeyID is 5F11 C277 5692 0C70 and whose fingerprint is 0x7B32BC0318E646CA6E9169A25F11C27756920C70. The key and its signatures can be found at the usual large public keyservers.

2.9 Team Members

The Head of IstroCSIRT is Lukas Hlavicka, the CTO of IstroSec s.r.o. Information on the team members is available at https://www.istrosec.com/#team.

Management, liaison and supervision are provided by the primary representative Henrich Slezak, Head of GRC and CISO of IstroSec s.r.o., and by Peter Fischer, Head of Managed Defense.

2.10 Other Information

General information about IstroSec s.r.o., as well as various security resources, can be found at https://www.istrosec.com.

2.11 Points of Customer Contact

The preferred method for contacting the IstroCSIRT is via e-mail (see section 2.7); e-mail sent to this address will be taken care of by a human within a day. If it is not possible (or not advisable for security reasons) to use e-mail, the IstroCSIRT can be reached by telephone during regular office hours. Telephone messages are checked less often than e-mail.

The IstroCSIRT's hours of operation are generally restricted to business hours (08:00-18:00 Monday to Friday, except holidays).

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

IstroCSIRT's vision is to be an international leader in research, development and cyber security services and to deliver strong, innovative and effective solutions to tackle cybersecurity challenges.

IstroCSIRT's goal is to offer quality professional services to our customers at a reasonable price and to continuously increase our customers' security resilience.

3.2 Constituency

The constituency of IstroCSIRT consists of institutions of any type, size or industry which have signed an agreement with the host company IstroSec s.r.o., as well as the customer base of IstroSec s.r.o. products. Our customers are SMEs, corporations, Fortune 500 companies and governmental entities across all industries which take cyber security very seriously.

3.3 Sponsorship and/or Affiliation

The IstroCSIRT is sponsored by its host company IstroSec s.r.o. It maintains affiliations with various CSIRTs throughout Slovakia and the EU on an as-needed basis.

3.4 Authority

The IstroCSIRT operates with authority delegated by its customers who have signed a contract, agreement or other type of legal document.

4. Policies

4.1 Types of Incidents and Level of Support

The IstroCSIRT addresses all types of computer security incidents which occur, or threaten to occur, in our customers' infrastructure. The level of support given by IstroCSIRT will vary depending on the type of contract, service or subscription. Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

4.2 Co-operation, Interaction and Disclosure of Information

IstroCSIRT highly regards the importance of operational cooperation and information sharing between CERTs and other security teams. While respecting the confidentiality requirements of our clients, we support information sharing on current threats and our recommendations on security controls via our website, where we publish blogs, reports, case studies and whitepapers on different cybersecurity issues. We respect the principles of responsible disclosure of vulnerabilities.

4.3 Communication and Authentication

IstroCSIRT protects sensitive information in accordance with relevant regulations and policies within Slovakia and the EU. In particular, IstroCSIRT respects the sensitivity markings allocated by originators of information. This is achieved by PGP, TLP or other agreed means and communication protocols, depending on the sensitivity level and context.

In view of the types of information that the IstroCSIRT will likely be dealing with, end-to-end encryption for phone calls will be used wherever possible. If not available, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the IstroCSIRT, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable degree of trust. Within IstroCSIRT's constituency, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

5. Services

5.1 Reactive Security

5.1.1 Incident Response and Incident Response Coordination

IstroSec uses the NIST methodology, adapted for response to advanced cyber-attacks. Incident response follows a 4-step process:

- Preparation for incident response
- Detection and analysis of the incident
- Containment, eradication and recovery
- Systemic post-incident activity

5.1.2 Digital Forensics

- Obtaining digital evidence
- Analysis of digital evidence
- Creating a report/briefing or expert's report for judicial proceedings
- Court expert witness services

5.1.3 Malware Analysis

- Identify the type of malware
- Identify whether the malware is custom crafted or a run-of-the-mill one
- Extract the malware configuration, if possible
- Identify malware functionalities
- Attribute malicious code to a threat actor or campaign
- Identify options to disrupt the malware process (relevant in the case of advanced malware with advanced defense mechanisms which cannot be detected or removed by commercial EDRs or AV)
- Create special-purpose "malware antibodies" in case standard EDRs or antimalware are not able to detect or react to the malware

5.2 Proactive Activities

IstroSec performs the following proactive services:

- Threat profiling for the organization
- Technology watch and alert (active threats and relevant security vulnerabilities)
- Offensive security services
- Defensive intelligence
- Technical security assessments
- Incident response preparedness
- Threat hunting
- Security monitoring
- Security controls implementation
- Trainings, exercises and attack simulations
- Auditing and advisory services
- Research and development

Detailed descriptions of the above services are available on our website: https://www.istrosec.com/#services

6. Incident Reporting Forms

The online reporting form can be found at https://www.istrosec.com/incident/.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, IstroCSIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.