TR-35 What resources do you need to set up a CERT Team

Overview

Setting up a new CERT team requires you to gather some resources in order to start working in good conditions.

Human resources

This is probably the most important part: you need a team of people able to work together, because you will have to investigate cases that require a vast range of competencies that cannot be covered by one single person.

Hardware

Infrastructure

It is always better to have your own infrastructure, which means some powerful servers with a lot of RAM and fast disks for the investigations.

Forensic

Make sure you always have free and clean USB keys; you will use them a lot.

  • disk acquisition => Tableau & write blocker

Software

RT/RTIR + full text indexing

Being able to keep track of incoming messages, incidents and linked investigations is critical for a CERT team. Proven software to support this task is Best Practical’s RT with the RTIR extension. Also, as this is the place where most if not all critical information about incidents and constituents is stored, this component needs special security attention. Finally, extending RT/RTIR with full-text indexing and search can be very helpful.

Components

Installation

Expect some time for the installation of the components, since they require the installation of many dependencies and sub-components.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 April 29, 2015 (TLP:WHITE)