CSIRT services
The services that AMRES CSIRT provides to its users may be divided into:
Reactive Services
Reactive services comprise a reaction to a certain event or to a request, such as a reaction to the spreading of viruses, to reports of spam messages being sent, or to log data or scanning detected by IDS (Intrusion Detection System) devices or network traffic monitoring systems.
Incident Management
The service includes receiving, sorting, categorizing, analysing and responding to incident reports. The reactions that may follow are:
- protection of systems and networks which could be compromised
- finding solutions and strategies for avoiding incidents
- checking other parts of the network to prevent possible spreading of the incident
- traffic filtering
- system recovery and installation of necessary software patches
- creation of certain procedures
This service includes the following activities that AMRES CSIRT performs:
- Incident analysis - collecting and reviewing all available information and evidence related to the incident. The purpose of the analysis is to identify the scope of the incident, the type of incident and the possible responses to it. Within this activity, CSIRT will try to reconstruct and document all events that led to the safety incident. Through the analysis, AMRES CSIRT will also try to trace the incident to its origin and to identify the programs, devices and persons responsible for the reported incident.
- Reaction to incident - AMRES CSIRT will provide technical aid and assistance to all users who are endangered or attacked during an incident, in order to ensure the functioning of all systems as soon as possible. Assistance to users is provided via phone or email.
- Coordination between participants in incident - AMRES CSIRT will also coordinate between its users and external institutions or persons (Internet service providers, for example) who are involved in the incident in any way. Coordination includes collecting contact data, informing all participants in the incident, collecting certain statistics or information, etc.
Alarming
This is the service of spreading information about a certain safety problem (attack, virus, worm, spam messages, etc.), and it includes a recommended procedure for reacting to the problem. An alarm is sent in order to inform CSIRT users and to provide recommendations about the protection or recovery of their endangered systems. The source of an alarm may be the CSIRT service itself or an AMRES user. Users will be alarmed via email or by phone, depending on how serious the incident is.
Malware Control
Malware is any file or object in the system which may be involved in scanning or attacking systems and networks or in disabling safety systems. Malware includes computer viruses, Trojans, worms, scripts and programs for abusing system vulnerabilities, and similar programs and tools.
This service includes receiving information about malware, detecting it, and analysing its use in case of attack, scanning or other malicious acts. Within this service, AMRES CSIRT has the following tasks:
- Detection of malware in the network within the limits of its responsibility
- Identification of detected malware, threat analysis, strategy development and assistance provided to users for its control and removal
- Monitoring the detection and identification of malware at the global level and informing users via the CSIRT web pages
- Recommendations about the use of certain software for malware detection and removal
Proactive Services
Proactive services should improve the safety of ICT infrastructure before any incident takes place. The main aim of these services is to prevent safety incidents, i.e. to reduce their number and their impact.
Technology Watch
Within this service, AMRES CSIRT has the following tasks:
- Gathering information from various global and regional safety organizations and other CSIRT teams, and passing on information that would be significant for AMRES users
- Gathering information published by the manufacturers of the computer operating systems, software and network devices most frequently used by AMRES users, related to the safety of those systems
- Gathering information about the development of new safety technologies, anti-virus software, firewall systems, IDS/IPS systems (Intrusion Detection System / Intrusion Prevention System), etc.
Notification
This service includes notifications about security incidents, warnings about possible system vulnerabilities, and safety recommendations. These notifications should inform users about the implementation of new safety solutions or rules and their impact, about established vulnerabilities of the systems they use, and about new attacks detected within the AMRES network.
AMRES CSIRT will notify users via a mailing list which includes all AMRES users.
Creation of Safety Recommendations and Documents
This service includes the creation of recommendations for the safe configuration and maintenance of the ICT infrastructure, network devices, servers and services of CSIRT users. Based on the created safety recommendations, the AMRES CSIRT team will configure network devices, servers and services in AMRES service centers. AMRES CSIRT will publish these recommendations on the website and will offer advisory assistance to its users during their implementation.
Consultations
AMRES CSIRT will provide its users with advisory assistance related to ICT safety. These services may include recommendations or identification of the need to purchase, install or provide new systems, network devices or applications. This service also includes the provision of guidelines and assistance during the elaboration of the safety rules of AMRES user organizations.
Education
AMRES CSIRT will provide an education service to its users in the field of ICT security through the organization of seminars (Serbian version only). Prospective users of this service are primarily the technical contacts of AMRES users. Education and raising the awareness of end users in terms of ICT security will be implemented through CSIRT documents (Serbian version only).