GFCE Cybersecurity Knowledge Modules

KM3 - Cyber diplomacy and international cooperation
Module objectives
1. Risks for international peace and cyber-stability
3 Topics
1.1 Cyber-attacks and geopolitics
1.2 Cyber as part of hybrid warfare
1.3 Cyber-armament
2. Towards an international agreement
4 Topics
2.1. Framework for responsible state behaviour in cyberspace
2.2. Applicability of international law
2.3. Norms, confidence building measures, and capacity building
2.4 Broader context
3. International cooperation
4 Topics
3.1. The United Nations
3.2. Other multilateral forums
3.3. Regional efforts
3.4. Multistakeholder efforts
4. Cyber diplomacy
5. Main takeaways
6. Assignment
1 Quiz
KM3 Quiz
KM4 - Cyber Incident Management
Module objectives
1. Introduction
2. Types of Cyber Incident Response Teams
5 Topics
2.1. National Computer Security Incident Response Team
2.2. Product Security Incident Response Team
2.3. Sector CSIRTs
2.4. Security Operation Centre
2.5. Commercial CSIRT
3. What needs to be considered when establishing a National CSIRT?
2 Topics
3.1. CIRT framework
3.2. How to set up CSIRT and SOC
4. How to assess cyber incident readiness
3 Topics
4.1. Security Incident Management Maturity Model (SIM3)
4.2. Security Operation Centre Capability and Maturity Model (SOC-CMM)
4.3. CSIRT Maturity – Self-assessment Tool
5. Which services do the CSIRTs offer?
2 Topics
5.1. FIRST CSIRT services framework
5.2. ITU-T Recommendation X.1060 service categories
6. Who does the CSIRT serve?
7. Which Tools does a CSIRT need?
8. Policies, frameworks, and guidelines
9. Resourcing and funding a CSIRT
1 Topic
9.1. What does a CSIRT Budget look like?
10. CSIRT capabilities
3 Topics
10.1. Training and certification
10.2. Auditing
10.3. Cyber drills
13. Main takeaways
14. Assignment
1 Quiz
KM4 Quiz
2 of 5
Previous Lesson
Next Lesson

2. Types of Cyber Incident Response Teams

GFCE Cybersecurity Knowledge Modules 2. Types of Cyber Incident Response Teams

With the significant increase in computer security incidents which have social, economic and political implications, most African countries are considering various mechanisms to minimise and mitigate the impact of incidents including the setting up or improvement of the coordination teams responsible for incident handling and response.

Figure: Interactive map of some major cyberattacks with political backgrounds and consequences (Source: DiploFoundation)

Case study: Cybersecurity Incidents  in Africa during the COVID-19 Pandemic

Interpol’s African Cyberthreat Assessment Report, October 2021, identified that the most prominent threats in the region were online scams, digital extortion, business email compromise (BEC), ransomware, and botnets.

Experts in Kenya maintained that COVID-19 has triggered ‘an epidemic of cybercrimes,’ with a 37.3 per cent increase in cyberattacks in the period between April and June 2021, compared to January and March 2021.

The cyberattacks, including phishing, malware distribution, and attacks associated with remote working vulnerabilities have seen a substantial increase, as reported in the Africa Cybersecurity Report – Kenya, 2019/2020.  These include remote access, risks associated with reduced monitoring, and exploitation of new teleworking infrastructure.

There are various types of teams that monitor, warn, coordinate response and recovery efforts, and facilitate collaboration between government entities, individual organisations, manufacturers, service and utility sectors,  the academia and the international community on cybersecurity issues.

These teams are referred to with acronyms that include Computer Emergency Response Team (CERT), Computer Security Incident Response Team (CSIRT), Incident Response Team (IRT), Computer Incident Response Team (CIRT), Security Emergency Response Team (SERT), Security Operations Centre (SOC), National Computer Security Center (NCSC), Information Sharing and Analysis Center (ISAC) and more recently Cyber Defence Centres (CDC).

Subject to the mandate and the type of constituency, African stakeholders may use any of these terms to refer to the team managing cybersecurity incident management. National CSIRTs for example are often named using the CSIRT/CIRT/CERT abbreviation for example CERT-MU, EG-CERT. Teams servicing a sector include a shortened form of the sector and the two-letter country code for example, EG-FinCIRT.  The name of the company or organisation or a shortened version would be included if the team provides services to the company, for example Siemens CSIRT.The term CSIRT normally used to refer to a CIRT, CERT or SIRT.  An organisation using this term must provide an incident handling (response) service.  A SOC is used to refer to a team that monitors the operations for the security of networks and data centres.  It is important to note that the CERT is a worldwide registered trademark of the CERT Coordination Center (CERT/CC) which falls under the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) in the USA. Organisations who wish to use “CERT” in their team name must contact SEI-CMU to request permission (this policy may be amended in the future).

Resource – Definitions

Request for Comments (RFC) 2350 defines a CSIRT as a team that coordinates and supports the response to security incidents that involve sites within a defined constituency. In order to be considered a CSIRT, a team must provide a (secure) channel for receiving reports about suspected incidents.

The Forum for Incident Response Teams (FIRST) definition for a Computer Security Incident Response Team (CSIRT) is an organisational unit (which may be virtual) or a capability that provides services and support to a defined constituency for preventing, detecting, handling, and responding to computer security incidents, in accordance with its mission”. A specific set of individuals and/or organisations with common characteristics that a CSIRT provides services to is known as a constituency.

The International Telecommunications Union ITU-T Recommendation X.1060 defines cyber defence centre (CDC) as an entity within an organisation that offers security services to manage the cybersecurity risks of its business activities.

The SEI-CMU defines a Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Services are offered for defined constituency.

FIRST defines an Information Sharing and Analysis Center (ISAC) as  a cooperation platform for security teams in the same sector or with a shared goal, which can offer many of the services a CSIRT can offer, but does not do incident handling.

A Security Operations Center (SOC) provides centralised real-time monitoring of an organisation’s networks and systems, coordinated incident response and handling.

Lesson Content
0% Complete 0/5 Steps
Previous Lesson
Back to Course
Next Lesson

New post

Your email address will not be published. Required fields are marked *

Post a comment
Skip to content