RFC-2350 CSIRT Description for DFN-CERT

1. Document Information

1.1 Date of Last Update

This version was published at 2024-01-26.

1.2 Distribution List for Notifications

None.

1.3 Locations where this Document May Be Found

The current version of this document can be found at: https://www.dfn-cert.de/summary/rfc-2350-csirt-description-for-dfn-cert/

1.4 Document Authenticity

This document can be retrieved from our webserver using TLS/SSL.

2. Contact Information

This section describes how to contact DFN-CERT.

2.1 Name of the Team

DFN-CERT

2.2 Adress

DFN-CERT Services GmbH
Incident Response Team
Nagelsweg 41
D-20097 Hamburg
Germany

2.3 Time Zone

CET/CEST,
Central European Time or Central European Summer Time,
UTC+0100/UTC+0200

2.4 Telephone Number

+49 40/808 077-590

2.5 Facsimile Number

+49 40/808 077-556

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

cert@dfn-cert.de

2.8 Public Keys and Encryption Information

Our X.509 certificate may be obtained at:

dfn-cert_x509.pem

Our current PGP-Key may be obtained at:

dfn-cert.asc

The DFN-CERT PGP key for 2024 has the following fingerprint: 9F2B E7BE 5003 577A 0540 BEA2 1AAE 2B99 1D47 DE6F

2.9 Team Members

Team lead is Christine Kahl:

https://www.dfn-cert.de/unternehmen/bereiche/

2.10 Other Information

General information about DFN-CERT may be found at:

https://www.dfn-cert.de/summary/dfn-cert/ (English)
https://www.dfn-cert.de/ (German)

The DFN.Security-Portal is available at:

https://portal.security.dfn.de/ (German)

2.11 Points of Customer Contact

DFN-CERT prefers to receive incident reports via e-mail. Please use our cryptographic keys above to ensure integrity and confidentiality.

We welcome automatic transfer of bulk data based on established international standards and formats. To negotiate a compatible working solution please contact the team directly before sending data automatically. This will help us to avoid any problems or issues in our tool chain, and ensures, that the data can be used in the best way possible.

2.12 Business Hours

DFN-CERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Thursday, 09:00-16:00 on Friday) except public holidays.

2.13 Emergency Procedure

Team is not reachable outside business hours. Answering machine collects calls outside business hours.

3. Charter

Within this section our mandate is described.

3.1 Mission Statement

DFN-CERT's mission is to coordinate and investigate security incident response for IT-security problems at the level of the German Research Network (DFN).

3.2 Constituency

Our constituency constists of the institutions that participate in the DFN.

DFN-CERT is responsible for the following autonomous systems:

28, 288, 553, 680, 1275, 1754, 2123, 2124, 2857, 5475, 5501, 5520, 8365, 8531, 9020, 12643, 12816, 13040, 16108, 20588, 20633, 28714, 29484, 34520, 34878, 41289, 41969, 42873, 43066, 47610, 50595, 56357, 58069, 60344, 60824, 199578, 200943, 205046, 207592, 215797.

3.3 Sponsorship and/or Affiliation

DFN-CERT is the Computer Security Incident Response Team (CSIRT) for the German National Research and Educational Network (Deutsches Forschungsnetz).

Funding is provided by the DFN association (Verein zur Förderung eines Deutschen Forschungsnetzes - DFN-Verein).

DFN-CERT is a founding member of the German CERT alliance (CERT-Verbund), it is an accredited and certified TI (Trusted Introducer) team, and DFN-CERT is a full member of FIRST (Forum of Incident Response and Security Teams).

Founding member of EDUCV.

3.4 Authority

We coordinate security incidents on behalf of our constituency and at our constituents request.

4. Policies

This section describes our policies.

4.1 Types of Incidents and Level of Support

DFN-CERT addresses all kinds of security incidents which occur, or threaten to occur, within its constituency.

The level of support depends on the type and severity of the given security incident, the amount of affected institutions within our constituency, and our resources at the time.

We expect end users to contact their local systems or network administrators or their computer center.

4.2 Co-operation, Interaction and Disclosure of Information

DFN-CERT will exchange all necessary information with other CSIRTs as well as with other affected parties if they are involved in the incident or incident response process.

All information concerning one or more incidents passed on to other incident response teams, which include details about persons, organizations, IP-addresses, domain-names as well as other information revealing the identity of persons or organizations is anonymized unless explicitly stated otherwise by the persons or organizations in question. No information at all about any incident or vulnerability is given to other persons. German law enforcement personnel requesting information in the course of a criminal investigation is given the requested information within the limits of the court order and the criminal investigation, if they present a valid court order from a German court.

4.3 Communication and Authentication

All e-mail postings containing official statements on behalf of the team or team members should be signed using X.509 or PGP. All e-mail containing confidential information should be encrypted and signed using X.509 or PGP. Information received in encrypted form should not be stored permanently in unencrypted form.

For sensitive information we prefer to use encrypted e-mail. For other communication phone, facsimile, postal service, or unencrypted e-mail may be used.

DFN-CERT supports the Traffic Light Protocol (TLP)

4.4 Reaction Time

Usually our first response is timely at the same working day, if not we will respond the following working day.

Our contact information, the business hours and emergency procedure can be found in chapter 2.

5. Services

This section describes the services DFN-CERT offers.

5.1 Incident Response

DFN-CERT coordinates all activities related to incident response within its constituency. We provide support, help, and advice with respect to the following aspects of incident management:

5.1.1. Incident Triage

Check if the incident or the incident report is authentic. - Determine which constituents are affected by the incident.

5.1.2. Incident Coordination

Investigate the initial cause of the incident.
Contact other affected sites, if necessary.
Composing announcements to users, if applicable.
Notify other CSIRTs, if appropriate.
Maintain current database of sites, networks, domains, and security contacts.

5.1.3. Incident Resolution

Assure that security incidents are handled properly by the affected organisations.
Ask for feedback.
If necessary propose appropriate steps within the backbone network.

5.2 Proactive Activities

Advisory service
Maintain a database of networks, sites and security contacts
Mailing lists for security information
Regular tutorials on security topics
Network scans
Automated warning service
Regular talks on security topics

5.3 Reactive Activities

Automated warning service for all sites within the constituency to distribute bulk alerts from various sources.
Honeypot systems
Darknet monitoring

6. Incident Reporting Forms

We do not have an incident reporting form. Please report security incidents via encrypted e-mail to cert@dfn-cert.de.

Incident reports should contain the following information:

Incident date and time (including time zone)
Source IPs, ports, and protocols
Destination IPs, ports, and protocols

Preferable the report includes a log file in a common format.

7. Disclaimers

This document is provided 'as is' without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Use of this document is at the user's sole risk. All users expressly agree to this condition of use.

If you notice any mistakes within this document please send a message to us by e-mail. We will try to resolve such issues as soon as possible.