CSIRT COORDINATION AND
COLLABORATION OVERVIEW
BY M. S. MANGGALANNY
AGENDA
• OUR DISCUSSION WILL COVER:
• THE BASICS OF CSIRT,
• WHY COORDINATION IS IMPORTANT,
• THE BENEFITS OF COLLABORATION,
• THE CHALLENGES IN COORDINATION EFFORTS,
• AND TIPS ON OVERCOMING THOSE CHALLENGES.
MOST AFFECTED SECTORS
• GOVERNMENT
  • WEB DEFACEMENT
  • MALWARE ATTACK
  • DDOS
  • PHISHING
• DIGITAL ECONOMY
  • MALWARE ATTACK
  • PHISHING
  • CREDENTIAL LEAKAGE
• FINANCIAL
  • MALWARE ATTACK
  • PHISHING
• EDUCATION
  • WEB DEFACEMENT
  • MALWARE ATTACK
• INDUSTRY
  • MALWARE ATTACK
  • PHISHING
WHY IS A CSIRT NEEDED?
Even the best information security infrastructure cannot guarantee security; any kind of attack could happen at any time.
If an incident happens, the organization needs to respond immediately and effectively to minimize damage and reduce recovery cost.
To prevent recurrence by managing security, sharing information to keep knowledge current, and collaborating with others.
To focus on security vulnerabilities in order to provide early warning, awareness, alerts, protection and mitigation, and to ensure security compliance.
BUT, THE REAL REASON IS
• REQUIRED BY LAWS, REGULATIONS, POLICIES, STANDARDS, AUDITS, INTERNATIONAL AGREEMENTS/TREATIES
• BUSINESS COMPLIANCE, MARKET/USER DEMAND, BEST PRACTICES AND COMPETITIVE ADVANTAGE
• A POINT OF CONTACT RESPONSIBLE FOR IMMEDIATE ACTION AND FOR COORDINATION AMONG THE PARTIES INVOLVED
• AN EXPERT GROUP THAT PROVIDES RECOMMENDATIONS AND DISCUSSES SECURITY ISSUES AND UPDATES
• WHEN REALITY BITES, AN INCIDENT WILL COST YOU!
THE IMPORTANT ROLE OF CSIRT
• COMPUTER SECURITY INCIDENT RESPONSE TODAY HAS BECOME AN EMBEDDED COMPONENT OF
INFORMATION TECHNOLOGY (IT) PROGRAMS
• CYBERSECURITY-RELATED ATTACKS HAVE BECOME NOT ONLY MORE NUMEROUS AND DIVERSE BUT
ALSO MORE DAMAGING AND DISRUPTIVE
• NEW TYPES OF SECURITY-RELATED INCIDENTS EMERGE FREQUENTLY; COLLABORATION IS A NECESSITY
• PREVENTIVE ACTIVITIES BASED ON THE RESULTS OF RISK ASSESSMENTS CAN LOWER THE NUMBER OF
INCIDENTS, BUT NOT ALL INCIDENTS CAN BE PREVENTED
• AN INCIDENT RESPONSE CAPABILITY IS THEREFORE NECESSARY FOR RAPIDLY DETECTING INCIDENTS,
MINIMIZING LOSS AND DESTRUCTION, MITIGATING THE WEAKNESSES THAT WERE EXPLOITED, AND
RESTORING IT SERVICE
CSIRT BY DEFINITION
• AN ORGANIZATION OR CAPABILITY THAT PROVIDES SERVICES AND SUPPORT TO A
DEFINED CONSTITUENCY FOR PREVENTING, HANDLING AND RESPONDING TO
COMPUTER/CYBER SECURITY INCIDENTS
• THERE IS NO FIXED HIERARCHICAL POSITION FOR A CSIRT WITHIN THE ORGANIZATIONAL
STRUCTURE; IT DEPENDS ON ITS FUNCTION, THE AUTHORITY IT IS GIVEN, AND ITS CONSTITUENCY
• EVERY TEAM IS UNIQUE: DIFFERENT MISSION, AUTHORITY, AND ROLES WITHIN THE
MANAGEMENT PROCESS OR SERVICE
• ACKNOWLEDGEMENT (MUTUAL RECOGNITION) RELIES ON PERSONAL ENGAGEMENT, OR ON STATE-TO-STATE
RELATIONS, BETWEEN CSIRTS, THEIR COUNTERPARTS AND PARTNERS
TYPICAL CSIRT ACTIVITY
• PROVIDES A SINGLE POINT OF CONTACT FOR LOCAL PROBLEMS
• IDENTIFIES AND ANALYZES THREATS, INCIDENTS AND EVENTS, AND ASSESSES THEIR IMPACT
• RESEARCH, SOLUTIONS, MITIGATION, STRATEGY, PLANNING, TRAINING
• SHARES EXPERIENCES, RESPONSE INFORMATION, LESSONS LEARNED, ETC.
• AWARENESS, CAPACITY BUILDING, NETWORKING (WITHIN THE COMMUNITY)
• RESPONSE, DAMAGE CONTROL, RECOVERY/REMEDIATION, RISK MINIMIZATION AND
MANAGEMENT, PREVENTION OF RECURRENCE, DEFENSE, AND RESILIENCE
CSIRT CAPABILITY
• CSIRT WITH OPERATIONAL CAPABILITY:
  • HAS DIRECT AUTHORITY OVER THE CONSTITUENCY AND ITS ASSETS
  • PROVIDES INCIDENT-RELATED SERVICES (PROACTIVE AND REACTIVE)
• CSIRT WITH COORDINATION CAPABILITY:
  • HAS NO DIRECT AUTHORITY OVER THE CONSTITUENCY AND ITS ASSETS
  • ACTS AS A COORDINATION CENTER FOR OTHER OPERATIONAL CSIRTS
  • PROVIDES LIMITED NON-INCIDENT-RELATED SERVICES (SECURITY ASSURANCE)
Proactive Services [Incident Related]
• Technology Watch, Review
• Security Audit, Assessment
• Configuration and Maintenance of Security Tools, Applications, Infrastructures
• Development of Security Tools
• Intrusion Detection Services (Early Warning)
• Security-Related Information Dissemination
• Incident Response Plan, Incident Preparedness
Reactive Services [Incident Related]
• Alerts and Warnings
• Incident Handling
  • Analysis
  • Response on Site
  • Response Support
  • Response Coordination
• Vulnerability Handling
  • Analysis
  • Response
  • Response Coordination
• Artifact Handling
  • Analysis
  • Response
  • Response Coordination
Security Quality Management Services
• Asset Valuation, Risk Analysis and Management
• Business Continuity (BCP), Disaster Recovery (DRP)
• Security Consulting
• Awareness Building
• Education/Training, Cyber Exercise/Drill
• Product Evaluation, Certification
• Cyber Hygiene, Resilience
VARIOUS KINDS OF CSIRT BY STRUCTURE
• Internal CSIRT: provides incident handling services to its parent organization, e.g. a Bank CSIRT or Gov-CSIRT
• National CSIRT: provides incident handling services to a country, maintaining national security and interests, i.e. conducting Critical Infrastructure Protection (CIP), e.g. CISA (US); note that ENISA (EU) is an EU agency that supports the member states' national CSIRTs rather than a national CSIRT itself
• Coordination Center (CC): coordinates and facilitates the handling of incidents across various CSIRTs at the national level (e.g. inter-sector CSIRTs) and at the regional level, e.g. JPCERT/CC, MyCERT
VARIOUS KINDS OF CSIRT BY FUNCTION
• Vendor Teams: handle reports of vulnerabilities in their own software or hardware products (solutions), e.g. a social media security team, an application-specific security team, etc.
• Incident Response Providers: offer incident handling services commercially, e.g. managed security services
• Intelligence Analysis: synthesizes data from various sources to determine trends and patterns in incident activity (R&D), e.g. Security Operations Centers (SOCs), in-depth cyber threat and attack analysis
REGIONAL FORUM / ORGANIZATION FOR
COORDINATION AND COLLABORATION
• FIRST, the Forum of Incident Response and Security Teams (global community): CSIRT teams, security teams, technology vendors, experts and academia
• EU CSIRTs Network and ANSAC, the ASEAN Network Security Action Council: European national CSIRTs, European CIP/CIIP agencies, ASEAN national CSIRTs
• APCERT, the Asia Pacific CERT, and OIC-CERT, the CERT of the Organization of Islamic Cooperation: Asia Pacific national CSIRTs, CSIRTs from OIC member states, organizational members, experts and academia
SECTORS OF CONSTITUENCY
(diagram of constituency sectors) National CSIRT; Sector CSIRT/CC; Government CSIRT/CC; Industry CSIRT; Academic CSIRT; Private CSIRT, Managed Services/CC and CIIPs
NATIONAL CSIRT
• A TEAM WITH NATIONWIDE RESPONSIBILITIES THAT SERVES AS THE COUNTRY'S AND/OR ECONOMY'S REPRESENTATIVE
• ACTS AS THE TRUSTED SINGLE POINT OF CONTACT (SPOC) AND THE FOCAL POINT FOR NATIONWIDE
INCIDENT COORDINATION, ANALYSIS, AND RESPONSE
• A RESOURCE FOR THE GOVERNMENT AND/OR KEY CRITICAL INFRASTRUCTURE; COLLABORATES WITH
COUNTERPARTS AND PARTNERS, E.G. VENDORS
• MANAGES NATIONWIDE GOALS/TASKS/PROGRAMS: DEVELOPING THE NATIONAL CYBER SECURITY STRATEGY,
PROVIDING EDUCATION AND AWARENESS, SERVING CONSTITUENCIES (E.G. BY SECTOR) INCLUDING
OTHER CSIRTS
• ASSISTS THE ESTABLISHMENT OF OTHER CSIRTS (E.G. BY SECTOR)
• 24/7 INCIDENT REPORTING CALL CENTER, MONITORING, ALERTS, EARLY WARNING
• ASSISTS LAW ENFORCEMENT AGENCIES IN THE CYBERCRIME INVESTIGATION PROCESS
SECTOR CSIRT/CC
• A TEAM WITH PER-SECTOR OR CRITICAL INFRASTRUCTURE (CI) RESPONSIBILITIES THAT SERVES AS THE SECTOR'S OR CI'S REPRESENTATIVE
• ACTS AS THE TRUSTED SINGLE POINT OF CONTACT (SPOC) AND THE FOCAL POINT FOR PER-SECTOR OR CI
INCIDENT COORDINATION, ANALYSIS, AND RESPONSE
• A RESOURCE FOR THE RESPECTIVE SECTOR OR CI; COLLABORATES WITH COUNTERPARTS AND
PARTNERS, E.G. VENDORS
• MANAGES PER-SECTOR OR CI GOALS/TASKS/PROGRAMS: DEVELOPING THE SECTOR OR CI CYBER
SECURITY STRATEGY, PROVIDING EDUCATION AND AWARENESS, SERVING CONSTITUENCIES (E.G. BY
INDUSTRY) INCLUDING OTHER INDUSTRY- OR ORGANIZATION-LEVEL CSIRTS
• ASSISTS THE ESTABLISHMENT OF OTHER CSIRTS (E.G. BY INDUSTRY OR ORGANIZATION)
• 24/7 INCIDENT REPORTING CALL CENTER, MONITORING, ALERTS, EARLY WARNING
• ASSISTS LAW ENFORCEMENT AGENCIES IN THE CYBERCRIME INVESTIGATION PROCESS
ROLE OF COORDINATION AND COLLABORATION
• COORDINATION IN A CSIRT REFERS TO THE PROCESS OF BRINGING TOGETHER
VARIOUS STAKEHOLDERS, BOTH INTERNAL AND EXTERNAL, TO EFFECTIVELY
MANAGE AND RESOLVE CYBERSECURITY INCIDENTS AND TO IMPROVE THE
LEVEL OF CYBERSECURITY RESILIENCE.
• COLLABORATION IN A CSIRT INVOLVES WORKING TOGETHER WITH OTHER
TEAMS, SECTORS, INDUSTRY, ORGANIZATIONS, OR EVEN NATIONAL CSIRTS TO
EXCHANGE INFORMATION, SHARE RESOURCES, KNOWLEDGE, EXPERIENCE
AND EXPERTISE, AND TO ACT COLLECTIVELY.
• COORDINATION AND COLLABORATION WITHIN A CSIRT ARE CRUCIAL FOR
EFFECTIVE INCIDENT RESPONSE AND IMPROVING CYBERSECURITY.
RELATION MAPS
(diagram: the CSIRT and its relations to each of the following)
• CONSTITUENCY REPRESENTATIVES
• PHYSICAL SECURITY
• HUMAN RESOURCES (HRD)
• LEGAL COUNSEL / LAW ENFORCEMENT AGENCY (LEA)
• ANALYST / INVESTIGATOR (SOC)
• LIAISONS AND PR
• COMMUNICATION CHANNEL
• OPERATION CENTER
• MANAGEMENT
WHY IS COLLABORATION IMPORTANT?
Maximizes Resources
Effective coordination
ensures that all available
but limited resources are
being used efficiently,
minimizing time, effort and
cost.
Increases Effectiveness
CSIRTs can perform better,
faster, and more thoroughly
when they work together to
address a common goal
and share expertise.
Risk Reduction
Well-coordinated CSIRT
activities reduce the risk of
duplication of efforts,
conflicting actions, and
knowledge gaps, which
can result in ineffective
security postures.
1 Shared Learning
CSIRT collaboration creates
opportunities to share knowledge,
skills, and expertise, helping each
member learn from one another's
experiences.
2 Expand Resources
Collaboration allows CSIRTs to
access a range of additional
resources that may not be available
to them individually, providing
greater capability to respond to
potential threats.
3 Improve Response Capability
With a collaborative approach,
CSIRTs have more diverse opinions,
strategies, and solutions to respond
to incidents and improve their
capabilities.
COORDINATION CHALLENGES
1 Communication Barriers
Language, culture, time zones, and
limited communication channels
can cause difficulties in information
flow and understanding.
2 Non-standardized Processes
Different CSIRTs may have diverse
processes for handling incidents,
which can cause confusion and
disrupt coordination efforts.
3 Limited Resources
Resource constraints can hamper cooperation efforts and limit the ability to share
knowledge.
TO OVERCOME THE CHALLENGES
Standardize Procedures
By implementing common
standardized procedures,
such as a shared framework
and incident classification
scheme, CSIRTs can agree
upon a common language
and procedures that
facilitate cooperation.
Establish Communication
Protocol
CSIRTs should agree on
established, secure
communication channels
(with fallbacks) that protect
the information being
shared, and on a clear
terminology and language,
to enable effective action.
Establish Trust
Building trust can be
facilitated through regular
communication, offline real
human networking, mutual
respect and transparency.
Regular readiness drills and
exercises also improve trust.
REFERENCES
• "WHAT IS: COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)" [ARTICLE]
• NATIONAL CYBER SECURITY COUNCIL (NL): "STARTING A COLLECTIVE CSIRT GUIDE" [PDF]
• CARNEGIE MELLON UNIVERSITY: "THE SECTOR CSIRT FRAMEWORK: DEVELOPING SECTOR-BASED INCIDENT RESPONSE CAPABILITIES" [PDF]
THANK YOU!
• CSIRT.ID
• INDONESIA CYBER SECURITY INDEPENDENT RESILIENCE TEAM
• EMAIL : INFO@CSIRT.ID ; AUTHOR : PATAKA@CSIRT.ID

CSIRT-Coordination-and-Collaboration-Overview.pptx