CSIRT Description for RAPID RESPONSE TEAM (RR TEAM)
-------------------------------------------------

1. About this document

1.1 Date of Last Update

   This is version 1.1, published 2021/08/10.

1.2 Distribution List for Notifications

   RR TEAM pushes notifications to subscribers of our mailing list.
   Subscription requests for this list shall be sent to .

1.3 Locations where this Document May Be Found

   The current version of this CSIRT description document is available
   from the RR TEAM website; its URL is https://rr.team/rfc2350.txt
   Please make sure you are using the latest version.

1.4 Authenticating this Document

   This document has been signed with RR TEAM's PGP key. The signatures
   are also on our Web site, under: https://rr.team/rfc2350.txt.gpg

1.5 Document Identification

   Title:         CSIRT Description for RAPID RESPONSE TEAM (RR TEAM)
   Version:       1.1
   Document Date: August 10, 2021
   Expiration:    This document is valid until superseded by a later version.
   TLP:           White

2. Contact Information

2.1 Name of the Team

   Full Name:  RAPID RESPONSE TEAM
   Short Name: RR TEAM

2.2 Address

   Postal address:
   VS DATA / RR TEAM
   Swietojanska 55/16
   81-391 Gdynia
   Poland

2.3 Time Zone

   Central European Summer Time (CEST; UTC+0200)
   Central European Time (CET; UTC+0100)
   24/7/365 coverage via emergency lines

2.4 Telephone Number

   +48 570 006 005 (24/7/365 emergency line)

2.5 Facsimile Number

   +48 58 661 46 28 (this is *not* a secure fax)

2.6 Other Telecommunication

   Signal: +48 570 006 005

2.7 Electronic Mail Address

   . This is a mail alias that relays mail to the human(s) on duty for
   RR TEAM.

2.8 Public Keys and Other Encryption Information

   RR TEAM has a PGP key.

   PGP/GPG Key Fingerprint: 4895 D408 9525 A91F D075 2581 E88F 390D DE74 4AD5
   Key available for download: https://rr.team/key.asc

   Please include a public key in all messages, or use a key that can be
   downloaded and verified from well-known public PGP key servers. RR TEAM
   members can read email encrypted with the above key.
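   One way to carry out the check that sections 1.4 and 2.8 describe,
   shown here as an added example that is not part of the RR TEAM
   document: a POSIX shell function that imports the downloaded public key
   into a throwaway GnuPG home directory, refuses to continue unless that
   key carries the fingerprint printed in section 2.8, and only then
   verifies the detached signature on the downloaded copy of rfc2350.txt.
   Checking the fingerprint first matters because a key fetched from a web
   site or a keyserver proves nothing on its own; the fingerprint in this
   document is the value the download is compared against. The function
   name, its arguments, the local file names and the curl invocations in
   the comments are assumptions; the fingerprint and URLs are the ones
   published above.

```shell
#!/bin/sh
# Added example, not part of the RR TEAM document. Verifies a downloaded
# copy of rfc2350.txt against its detached PGP signature, but only after
# confirming that the key used matches the fingerprint from section 2.8.
# Everything happens in a throwaway GNUPGHOME so the caller's keyring and
# trust database are never touched.
#
# Usage: verify_signed_document KEYFILE FINGERPRINT DOCUMENT SIGNATURE
#   KEYFILE     ASCII-armored public key (e.g. a download of https://rr.team/key.asc)
#   FINGERPRINT expected primary-key fingerprint; spaces are allowed
#   DOCUMENT    the signed file (e.g. rfc2350.txt)
#   SIGNATURE   the detached signature (e.g. rfc2350.txt.gpg)
# Exit status: 0 = fingerprint matches and signature is valid,
#              1 = fingerprint mismatch, or no valid signature by that key,
#              2 = gpg could not import the key file.
verify_signed_document() {
    key_file=$1 doc=$3 sig=$4
    # Normalise the published fingerprint: drop spaces, upper-case the hex.
    expected_fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    tmp_home=$(mktemp -d) || return 2
    chmod 700 "$tmp_home"

    if ! gpg --homedir "$tmp_home" --batch --quiet --import "$key_file" >/dev/null 2>&1; then
        echo "verify: could not import key from $key_file" >&2
        rm -rf "$tmp_home"; return 2
    fi

    # Step 1: the imported key must carry exactly the expected fingerprint.
    # --with-colons output has one "fpr" record per (sub)key, field 10 is the hex.
    if ! gpg --homedir "$tmp_home" --batch --with-colons --with-fingerprint --list-keys 2>/dev/null \
            | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$expected_fpr"; then
        echo "verify: key in $key_file does not match expected fingerprint $expected_fpr" >&2
        rm -rf "$tmp_home"; return 1
    fi

    # Step 2: verify the detached signature and read gpg's machine-readable
    # status lines. A VALIDSIG record carries the signing-key fingerprint as
    # its first field and the primary-key fingerprint as its last; either may
    # be the published one, so accept both. A tampered document or a
    # signature by some other key produces no VALIDSIG at all.
    status=$(gpg --homedir "$tmp_home" --batch --status-fd 1 \
                 --verify "$sig" "$doc" 2>/dev/null || true)
    gpgconf --homedir "$tmp_home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp_home"

    if printf '%s\n' "$status" | awk -v f="$expected_fpr" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
            END { exit !ok }'; then
        return 0
    fi
    echo "verify: no valid signature by $expected_fpr on $doc" >&2
    return 1
}

# Example invocation against the published files (assumed local names; fetch first):
#   curl -sSfO https://rr.team/key.asc
#   curl -sSfO https://rr.team/rfc2350.txt
#   curl -sSfO https://rr.team/rfc2350.txt.gpg
#   verify_signed_document key.asc \
#       '4895 D408 9525 A91F D075 2581 E88F 390D DE74 4AD5' \
#       rfc2350.txt rfc2350.txt.gpg && echo "document authenticated"
```

   The fingerprint comparison deliberately comes before the signature
   check: gpg will happily report a "good signature" from any key in the
   keyring, so without the first step a substituted key file would pass.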
   Individuals may use the above key if they cannot find a key for a
   specific RR TEAM member.

2.9 Team Members

   The full list of RR TEAM members is not publicly available. Team
   members will identify themselves to the reporting party with their
   full name in official communication regarding a cybersecurity
   incident.

2.10 Other Information

   General information about RR TEAM is available on the website
   https://rr.team.

2.11 Points of Customer Contact

   The preferred method for contacting RR TEAM is via e-mail at ;
   e-mail sent to this address will "biff" the responsible human, or be
   automatically forwarded to the appropriate backup person, immediately.
   If you require urgent assistance, put "urgent" in your subject line.

   If it is not possible (or not advisable for security reasons) to use
   e-mail, RR TEAM can be reached by telephone or by other means,
   including Signal. Text messages are checked as often as e-mail. Use of
   fax and WhatsApp for reporting cybersecurity incidents should be
   avoided as much as possible.

   RR TEAM hours of operation are generally restricted to regular
   business hours (0900-1700 Monday to Friday, except holidays). Outside
   these hours RR TEAM operates in case of emergency: one team member is
   on duty 24/7/365.

3. Charter

3.1 Mission Statement

   RR TEAM is a private Computer Security Incident Response Team (CSIRT).
   The team's key objective is to support organizations in handling
   cybersecurity incidents efficiently and effectively.

3.2 Constituency

   The RR TEAM constituency consists of the organizations that have
   signed an agreement (retainer or ad hoc) to use RR TEAM cybersecurity
   incident response services.

3.3 Sponsorship and/or Affiliation

   RR TEAM is a special VS DATA project: a private, self-funded entity.

3.4 Authority

   RR TEAM handles and coordinates cybersecurity incidents on behalf of
   its customers and is bound by contractual terms.

4. Policies

4.1 Types of Incidents and Level of Support

   RR TEAM handles various types of cybersecurity incidents.
   The level of support provided by RR TEAM varies depending on the
   severity and type of issue, and on other circumstances relevant to the
   particular cybersecurity incident. Clients of Incident Response
   Retainer (IRR) services have a guaranteed service level agreement
   (SLA). Other organizations may establish ad hoc cooperation after an
   incident occurs; in such cases the level of support depends on the
   availability of RR TEAM resources at the time. Ransomware incidents
   are handled by a dedicated Ransomware Expert Team (RET) within
   RR TEAM.

4.2 Co-operation, Interaction and Disclosure of Information

   All incoming information is handled confidentially by RR TEAM,
   regardless of its priority. Information being considered for release
   will not be released without the permission of the site in question,
   especially embarrassing information. Embarrassing information includes
   the statement that a cybersecurity incident has occurred, and
   information about its extent or severity.

   Competent authorities will receive full cooperation from RR TEAM,
   including any information they require to pursue an investigation, in
   accordance with applicable laws and relevant regulations.

   RR TEAM will not interact directly with the press concerning
   cybersecurity incidents, except to point them toward information
   already released to the general public. The above does not affect the
   ability of members of RR TEAM to grant interviews on general computer
   security topics; in fact, they are encouraged to do so, as a public
   service to the community.

   Other sites and CSIRTs, when they are partners in the investigation of
   a cybersecurity incident, will in some cases be trusted with
   confidential information. This will happen only if the foreign site's
   bona fides can be verified, and the information transmitted will be
   limited to that which is likely to be helpful in resolving the
   incident, after the client's approval. Such information sharing is
   most likely to happen in the case of sites well known to RR TEAM.
4.3 Communication and Authentication

   RR TEAM uses PGP encryption. Unencrypted e-mail will not be considered
   particularly secure, but will be sufficient for the transmission of
   low-sensitivity data. Network file transfers will be considered
   similar to e-mail for these purposes: sensitive data should be
   encrypted for transmission. If it is necessary to send highly
   sensitive data by text message, Signal will be used. In view of the
   types of information that RR TEAM will likely be dealing with,
   telephones will not be considered sufficiently secure.

5. Services

5.1 Incident Response

   RR TEAM will assist in handling cybersecurity incidents. In
   particular, RR TEAM provides assistance and/or advice with respect to
   the following aspects of cybersecurity incident management:

5.1.1 Incident Triage

   - Investigation of whether a cybersecurity incident has occurred.
   - Determination of the extent of the cybersecurity incident and its
     impact, according to functional impact, information impact and
     recoverability.
   - Determination of the initial cause of the cybersecurity incident.
   - Determination of the networks, systems and users affected by the
     cybersecurity incident.
   - Determination of data breaches.
   - Preserving digital evidence for further proceedings (e.g. forensics,
     criminal prosecution).
   - Analysis of digital evidence for cybersecurity incident handling
     purposes (e.g. initial analysis).
   - Analyzing and reversing malware.
   - Documenting the cybersecurity incident.

5.1.2 Incident Coordination

   - Evaluating whether certain actions are likely to reap results in
     proportion to their cost and risk, in particular those actions aimed
     at an eventual prosecution or disciplinary action: collection of
     evidence after the fact, observation of a cybersecurity incident in
     progress, setting traps for intruders, etc.
   - Supervision, guidance and advice of non-RR TEAM professionals
     involved, if applicable.
   - Facilitating contact with competent authorities, if necessary.
   - Reporting to other CSIRTs and competent authorities, if applicable.
   - Composing announcements to users and/or the public, if applicable.
   - Composing shared situational awareness, if necessary.
   - Facilitation of vendor support and resolving critical resource
     issues, if necessary.
   - Facilitation of contact with other sites which may be involved.
   - Advice on containment and/or mitigation strategy.
   - Prioritizing remediation.

5.1.3 Incident Resolution

   - Containment of the cybersecurity incident.
   - Removing the vulnerability.
   - Examination of the infected networks and systems.
   - Cleaning up the infected networks and systems, if they cannot be
     reinstalled.
   - Securing the systems from the effects of the cybersecurity incident.
   - Hardening the networks.
   - Repairing the databases, if applicable.
   - Restoration of the networks and systems.

5.2 Proactive Activities

   RR TEAM coordinates and maintains the following services, to the
   extent possible depending on its resources:

   - Threat Intelligence sharing.
   - Intrusion Detection.
   - Tools development.
   - Audits and Pentests.
   - Consulting.
   - Training.

   Detailed descriptions of the above are available upon e-mail request,
   as per section 2.7 above.

   To make use of RR TEAM cybersecurity incident response services,
   please send e-mail as per section 2.11 above. Please remember that the
   amount of assistance available will vary according to the parameters
   described in section 4.1.

6. Incident Reporting Forms

   There are no special forms required to report a cybersecurity incident
   to RR TEAM.

7. Disclaimers

   While every precaution will be taken in the preparation of
   information, notifications and alerts, RR TEAM assumes no
   responsibility for errors or omissions, or for damages resulting from
   the use of the information contained within. Information provided by
   RR TEAM is "as is", for informational purposes only.