When it takes more than conventional security measures to respond to a cyberattack, the Computer Security Incident Response Team (CSIRT) is called in. But what tasks exactly do the IT security specialists from the “IT fire brigade” perform?
Text: Andreas Heer, Image: Adobe Stock,
Today, all eyes are on Antoine Neuenschwander. As one of the IT security specialists in the CSIRT team at Swisscom, he is currently the acting Incident Handler. In other words, he looks into security-related incidents that cannot be dealt with in the scope of the Security Operation Center’s (SOC) normal tasks. Neuenschwander is sitting at his computer with two monitors in front of him, typing commands into one of the numerous windows open on his screen. “The CSIRT’s work is quite a mixed bag,” he says. “Every day is different. You never know what you’re going to come across.”
Neuenschwander has spent the last ten years working in IT security and belongs to a rare breed of specialists currently in high demand in the face of ever-increasing digitalisation. In his expert opinion, the shortage can mainly be attributed to the highly demanding nature of his job: “In addition to having a curiosity to get to the bottom of things, it takes a lot of expertise, good analytical skills and soft skills that help you handle colleagues and customers.” Security specialists also have to keep calm in stressful situations and make prudent decisions. In that sense, it is not unlike an actual fire brigade.
Neuenschwander is currently looking into a brute force attack on SSH ports. This type of attack attempts to crack weak passwords to gain remote access to the infrastructure. Once a server has been hacked in this way, it can be plundered for valuable company data, or other types of attacks can be launched, such as DDoS (distributed denial of service) attacks, in order to overload and put systems out of commission. “Poorly secured systems that can be accessed via the internet are some of the most common security problems we see in our daily work,” says Neuenschwander as he discusses his experience working with various companies.
In this case, Neuenschwander was notified about the incident by the SOC. But he also looks for patterns on his own to find possible signs of cyberattacks. The security specialist uses this sort of threat hunting to find out if the internal infrastructure has also been affected by an undetected wave of attacks. Defensive measures can then be taken at an early stage – ideally before cybercriminals get what they want.
When investigating attacks, it is important to have a grasp on cybercriminals’ various TTPs – tactics, techniques and procedures. “That way we can react much more quickly in the event of a new attack that employs similar methods,” says the security expert. “In turn, our customers benefit from this experience.”
It also helps that Neuenschwander has experience keeping Swisscom’s own infrastructure secure. “After all, Swisscom has had an IT security team since 1995,” he adds. “We have quite a bit of experience and reached a certain degree of maturity.”
But not every incident report involves a malware cyberattack. The CSIRT is increasingly receiving reports of emails sent by the “boss” urgently requesting payments – and they do not contain any suspicious links and look impressively realistic: “Business email compromise is a common social engineering tactic used by cybercriminals to skim away cash,” says Neuenschwander. In other words, the human factor also plays a role in cybersecurity and is part of Neuenschwander’s daily work.
The Security Operation Center (SOC) is the navigation bridge of sorts when it comes to dealing with cyberattacks. It monitors the infrastructure according to standardised processes and coordinates defensive measures in response to incidents. When handling these alerts, the security specialists decide whether an incident can be dealt with directly by the SOC or whether to escalate it and bring in the CSIRT.
The specialists belonging to the Computer Security Incident Response Team (CSIRT) handle the defence and threat removal tasks requiring a more in-depth analysis. These also include forensic tasks and threat hunting, or, in other words, actively monitoring security incidents. The CSIRT also helps the affected companies communicate with their customers and partners about the incident. Essentially, the CSIRT plays a complementary role to the SOC.
The following whitepaper discusses how you can develop a cyber defence strategy for your own company with an SOC and CSIRT.
More on the topic