Infosecurity Europe
2-4 June 2026
ExCeL London

Cybersecurity Structures 101: What Are CERTs and CSIRTs

Cybersecurity professionals regularly adopt new acronyms, which can make the industry difficult to keep track of.

However, one of the longest-standing acronyms in the industry, and also one of the most important, is CERT.

The term ‘Computer Emergency Response Team,’ sometimes known as ‘Computer Emergency Readiness Team,’ was first used in 1988 by the CERT Coordination Center (CERT-CC) at Carnegie Mellon University (CMU).

A CERT is a specialised group of cybersecurity experts responsible for preventing, detecting, analysing and responding to cybersecurity incidents that threaten an organisation, government or a broader community.

Today, CERT is registered as a trade and service mark licensed by CMU’s Software Engineering Institute (SEI) in multiple countries worldwide. 

Understanding the Different Types of CERTs

There are several types of CERTs:

  • National CERTs run by government agencies but with a nationwide mission (e.g. US-CERT in the US, CERT-FR in France, ngCERT in Nigeria, Saudi-CERT in Saudi Arabia)
  • Government-focused CERTs (e.g. govCERT in Austria, GOV-CERT in Russia)
  • Intergovernmental CERTs (e.g. CERT-EU)
  • Industry-specific CERTs (e.g. Austrian Energy CERT)
  • CERTs run by cybersecurity companies (e.g. Orange-CERT-CC for Orange Cyberdefense, CERT-GIB for Group-IB)

Sometimes, national cybersecurity agencies assume the missions of a CERT even though there is no distinctive national CERT. This is the case with the Canadian Centre for Cyber Security, the National Cyber Security Centre of Finland (NCSC-FI) and the UK’s National Cyber Security Centre (NCSC-UK).

The Difference Between CERTs and CSIRTs

In parallel to the emergence of CERTs, another term has emerged: Computer Security Incident Response Team (CSIRT). While some argue that CSIRTs are CERTs that haven’t obtained an official license from Carnegie Mellon University, others claim that a CSIRT’s mission is a little different from that of a CERT.

Both CERTs and CSIRTs help organisations deal with cybersecurity threats, and the terms are often used interchangeably; however, there are key differences in the scope of their mandates.

  • CERTs are proactive and have a broader remit, serving communities or nation states. They work to prevent incidents before they happen by sharing threat intelligence, offering training and helping organisations improve their security posture. They also coordinate with other organisations to respond to cybersecurity incidents.
  • CSIRTs are reactive and typically have a narrow focus on one organisation. They step in when an incident occurs, investigating what happened, containing the damage and helping with recovery. They will also help with the development and maintenance of incident response plans.


Insights from FIRST’s Special Interest Group

In 2022, members of the Forum of Incident Response and Security Teams’ (FIRST) CSIRT Special Interest Group defined the following team types that provide information security incident management capabilities:

  • Computer Security Incident Response Teams (CSIRTs)
  • Information Sharing and Analysis Centers (ISACs)
  • Product Security Incident Response Teams (PSIRTs)
  • Security Operations Centers (SOCs)

Today, FIRST lists 818 security teams across the world, including over 600 CSIRTs.

The Forum’s definition of CSIRTs includes CERTs as well as Computer Incident Response Teams (CIRTs), Computer Incident Response Centers (CIRCs) and Computer Security Incident Response Capabilities (CSIRCs).

Most of the national CERTs and CSIRTs are FIRST members.

According to the FIRST definition, a “properly deployed CSIRT” has a clear mandate, a governance model, a tailored services framework, technologies and processes to provide, measure and continuously improve defined services to raise its maturity.

The Forum also outlined the features a CSIRT must offer and the optional capabilities it can include.

According to FIRST, the key features of a CSIRT that must be offered include:

  • Information security incident report acceptance
  • Information security incident analysis
  • Information security incident coordination
  • Mitigation and recovery

Some of the additional features a CSIRT can offer include, but are not limited to, event analysis, monitoring and detection as well as vulnerability discovery, disclosure, analysis and remediation.

Conclusion

CERTs and CSIRTs perform similar cybersecurity functions, like incident response and threat mitigation, but they sometimes differ in scope and formal recognition.

All CERTs are CSIRTs, as the term CERT is a trademarked designation from Carnegie Mellon University, while CSIRT serves as a broader, unlicensed category.

While CERTs often operate at a larger scale, some CSIRTs match their reach, making the distinction more about branding than capability.

