CERT-XMCO Profile (rfc2350)

Established according to RFC-2350.

1. Document Information

This document contains a description of CERT-XMCO in according to RFC 2350. It provides basic information about the CERT-XMCO team, and the ways it can be contacted. It also describes its responsibilities and the services offered.

1.1 Date of Last Update

Version 1.1, created on 2018-12-20.

1.2 Distribution List for Notifications

There is no distribution list for notifications.

This document is kept up-to-date at the location specified in 1.3.

Updates are also reported to the Trusted Introducer publicly accessible directory (see https://www.trusted-introducer.org/directory).

Should you have any questions regarding updates, please contact the CERT-XMCO email address.

1.3 Locations where this Document may be Found

The current and latest version of this document is available from CERT-XMCO’s website. Its URL is:

https://www.xmco.fr/CERT-XMCO_rfc_2350.html

Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with the CERT-XMCO’s PGP key. The signature is available from CERT-XMCO’s website. Its URL is:

https://www.xmco.fr/CERT-XMCO_rfc_2350.html.asc

See section 2.8 for more details.

1.5 Document Identification

Title: CERT-XMCO profile (RFC-2350)
Version: 1.1
Document Date: 2018-12-20
Expiration: this document is valid until superseded by a later version.

2. Contact Information

This section describes how to contact CERT-XMCO.

2.1 Name of the Team

Full name: CERT-XMCO
Short name: CERT-XMCO

CERT-XMCO is XMCO’s commercial CERT/CSIRT team (Computer Emergency Response Team / Computer Security Incident Response Team).

2.2 Address

CERT-XMCO
18 rue Bayard, 75008 Paris
France

2.3 Time Zone

GMT+1 (with Daylight Saving Time or Summer Time, which starts on the last Sunday in March and ends on the last Sunday in October)
also known as CET / CEST

2.4 Telephone Number

+33 (0)1 79 35 29 51
+33 (0)7 83 12 52 91

2.5 Facsimile Number

None available.

2.6 Other Telecommunication

Twitter: @certxmco

2.7 Electronic Mail Address

If you need to notify us about an information security incident or a cyber-threat targeting or involving your company or XMCO, please contact us at cert@xmco.fr. This is a mail alias that relays mail to CERT-XMCO’s analysts on duty.

2.8 Public Keys and Encryption Information

PGP/GnuPG is supported to secure communication.

Consequently, the CERT-XMCO has a PGP key (bound to the cert@xmco.fr mail address), whose KeyID is 0x17587ED8 and whose Fingerprint is 9266 2FB7 9428 AE8D 7051 1A2C 8B7D 2EA7 1758 7ED8.

The current CERT-XMCO team-key can be found at https://www.xmco.fr/CERT-XMCO_0x17587ED8.asc. The key can also be retrieved from the usual public key servers, such as http://pgp.mit.edu/.

This key shall be used whenever information must be sent to CERT-XMCO in a secure manner.

Please use this key when you want/need to encrypt messages that you send to CERT-XMCO.
When due, CERT-XMCO will sign messages using the same key.
When due, sign your messages using your own key please. It helps when that key is verifiable (for instance, using the public keyservers).

2.9 Team Members

CERT-XMCO’s team leader is Charles DAGOUAT.

The team consists of XMCO’s IT security analysts.

2.10 Other Information

General information regarding CERT-XMCO can be found at the following URL:

CERT-XMCO is listed by the Trusted Introducer for CERTs in Europe, see:

https://www.trusted-introducer.org/directory/teams/cert-xmco.html.

2.11 Points of Customer Contact

The preferred method to contact CERT-XMCO team is to send an email to the cert@xmco.fr address, which is monitored during hours of operation.

Urgent cases can be reported by phone during regular office hours on +33 (0)1 47 34 30 38.

You can also reach the CERT-XMCO by phone if it is not possible (or not advisable for security reasons) to use email.

Days/Hours of Operation: 09:00 to 18:00 local time, Monday to Friday (except public holidays in France).
Out of office hours operations in case of emergency.

3. Charter

This section describes CERT-XMCO’s mandate.

3.1 Mission Statement

CERT-XMCO is a private CSIRT team delivering Security services, mainly in France.

Its purpose is two-folded:

First, to assist its customer community in implementing proactive measures to reduce the risks of computer security incidents.
And second, to assist its customer community in responding to such incidents whenever they occur.

CERT-XMCO’s mission is to support its customer community to protect themselves against both intentional and opportunistic attacks that would hamper the integrity of their IT assets and harm their interests. The scope of CERT-XMCO’s activities cover prevention, detection, response and recovery. CERT-XMCO is in charge of digital forensics and incident response (DFIR) activities.

CERT-XMCO will operate according to the following key values:

CERT-XMCO strives to act according to the highest standards of ethics, integrity, honesty and professionalism.
CERT-XMCO is committed to deliver a high-quality service to its constituency.
CERT-XMCO will ensure to respond to security incidents as efficiently as possible.
CERT-XMCO will ease the exchange of good practices between constituents and with peers, on a need-to-know basis.

3.2 Constituency

CERT-XMCO’s primary constituency is composed of all the elements of XMCO’s Information System: its users, its systems, its applications and its networks.

However, notwithstanding the above, CERT-XMCO’s services are also delivered to a secondary constituency. As a commercial CSIRT, the CERT-XMCO also provides services to its Customers Community, who subscribed a Service Level Agreement support contract.

Current customers which are located in France and other countries are found among:

Private sector organisations
Public sector bodies
Commercial bodies

3.3 Sponsorship and/or Affiliation

CERT-XMCO is part of XMCO: https://www.xmco.fr.

CERT-XMCO maintains contact with various national and international CSIRT and CERT teams (mainly throughout France), on an as-needed basis.

3.4 Authority

CERT-XMCO coordinates security incidents on behalf of its constituency, and only at its constituents’ request.

Consequently, CERT-XMCO operates under the auspices of, and with authority delegated by its constituents.

CERT-XMCO primarily acts as an advisor regarding local security teams, and is expected to make operational recommendations. Therefore, CERT-XMCO may not have any specific authority to require specific actions. The implementation of such recommendations is not a responsibility of CERT-XMCO, but solely of those to whom the recommendations were made.

Generally, CERT-XMCO expects to work co-operatively with its constituents’ system administrators and users.

4. Policies

This section describes CERT-XMCO’s policies.

4.1 Types of Incidents and Level of Support

CERT-XMCO addresses all types of computer security incidents (cyber-attacks) which occur, or threaten to occur, in its constituency (see 3.2).

The level of support given by CERT-XMCO will vary depending on the type and severity of the incident or issue, its potential or assessed impact, the type of constituent, the size of the user community affected, and CERT-XMCO’s resources at the time. Depending on the security incident’s type, CERT-XMCO will gradually roll out its services which include incident response and digital forensics. In all cases, some response will be made within two working days.

Incidents will be prioritized according to their apparent severity and extent.

All incidents are considered normal priority unless they are labelled EMERGENCY. CERT-XMCO itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to CERT-XMCO as EMERGENCY, but it is up to CERT-XMCO to decide whether to uphold that status.

CERT-XMCO is committed to keep its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited. This communication will be in the form of: email alerts, or phone calls under certain circumstances.

Note that no direct support will be given to end users. They are expected to contact their Security Operation Center (SOC) or internal CSIRT for assistance. The CERT-XMCO will support the latter people.

4.2 Co-operation, Interaction and Disclosure of Information

CERT-XMCO considers the paramount importance of operational coordination and information sharing between CERTs, CSIRTs, SOCs and similar bodies, and also with other organizations, which may aid to deliver its services or which provide benefits to CERT-XMCO’s constituency.

Consequently, CERT-XMCO exchanges all necessary information with affected parties, as well as with other CSIRTs, on a need-to-know basis. However, neither personal nor overhead data are exchanged unless explicitly authorized. Moreover, CERT-XMCO will protect the privacy of its customers/constituents, and therefore (under normal circumstances) pass on information in an anonymised way only (unless other contractual agreements apply).

All incoming information is handled confidentially by CERT-XMCO, regardless of its priority.

All sensible data (such as personal data, system configurations, known vulnerabilities with their locations) are stored in a secure environment, and are encrypted if they must be transmitted over unsecured environment as stated below.

CERT-XMCO supports the Information Sharing Traffic Light Protocol version 1.1 (ISTLP, see https://www.trusted-introducer.org/ISTLPv11.pdf). Information that comes in with the tags WHITE, GREEN, AMBER or RED will be handled appropriately.

CERT-XMCO operates within the current French legal framework.

4.3 Communication and Authentication

CERT-XMCO protects sensitive information in accordance with relevant regulations and policies within France and the EU.

CERT-XMCO respects the sensitivity markings allocated by originators of information communicated to CERT-XMCO (“originator control”).

CERT-XMCO also recognises and supports the ISTLP version 1.1.

Communication security (which includes both encryption and authentication) is achieved using PGP primarily or any other agreed means, depending on the sensitivity level and context.

In particular, in CERT-XMCO’s context of operations, the following communication security levels may be encountered:

Telephones will be considered sufficiently secure to be used (even unencrypted), in view of the types of information that CERT-XMCO deals with.
Unencrypted email will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data.
If it is necessary to send highly sensitive data by email, encryption (preferably PGP) will be used (See 2.8). Network file transfers will be considered to be similar to email for these purposes: sensitive data should be encrypted for transmission.

5. Services

This section describes CERT-XMCO’s services.

These services are primarily delivered to CERT-XMCO’s customers.

5.1 Announcements

CERT-XMCO provides information on the threat landscape, published vulnerabilities, new attack tools or artifacts and security measures needed to protect its constituency’s Information System.

5.2 Alerts and Warnings

CERT-XMCO disseminates information on cyberattacks, disruptions, security vulnerabilities, intrusion alerts, malware, and provides recommendations to tackle the issue within its constituency.

Alerts and warnings may be passed on to other CERTs, CSIRTs, SOCs and similar bodies if deemed necessary or useful to them on a need-to-know basis.

CERT-XMCO is not responsible for the implementation of its recommendations. Incident resolution is usually left to the responsible administrators within the constituency. However, CERT-XMCO will offer support and advice on request.

5.3 Pre-emptive Security Controls

CERT-XMCO performs pre-emptive security controls to detect potential breaches or vulnerabilities and misconfigurations that may be leveraged in cyberattacks. The security controls also check the compliance level of various systems and applications with the security policies.

This service is primarily delivered to CERT-XMCO’s customers.

5.4 Digital Forensics and Incident Response (Triage, Coordination and Resolution)

CERT-XMCO performs incident response for its constituency (as defined in 3.2).

CERT-XMCO handles both the triage and coordination aspects. Incident resolution is left to the responsible administrators within the constituency. However, CERT-XMCO will offer support and advice on request.

CERT-XMCO will assist IT Security team in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

Incident Triage:
- by investigating whether indeed an incident occurred
- by determining the extent of the incident
Incident Coordination:
- by determining the initial cause of the incident (vulnerability exploited)
- by performing Digital Forensics whenever necessary (including hard drive and memory forensics)
- by facilitating contact with Security Contacts and/or appropriate law enforcement officials, if necessary
- by making reports to other CSIRTs (if applicable)
Incident Resolution
- by fixing the vulnerability
- by securing the system from the effects of the incident
- by evaluating whether certain actions are likely to reap results in proportion to their cost and risk
- by collecting evidence where criminal prosecution, or disciplinary action, is contemplated
- by collecting statistics concerning incidents which occur within or involve its constituency

CERT-XMCO’s incident response service tries to cover at best all the ‘6 steps’: preparation, identification, containment, eradication, recovery and lessons to be learned.

Please remember that the amount of assistance available from CERT-XMCO will vary according to the parameters described in section 4.1.

5.5 Development of Security Tools

CERT-XMCO internally develops security tools for its own use, to support its activities and to improve its services.

Even though these security tools are used to provide benefits to CERT-XMCO’s constituency, they are not to be shared/used neither by members of its constituency or by members of the larger CERT, CSIRT and SOC communities.

6. Incident Reporting Forms

No local form has been developed to report incidents to CERT-XMCO.

In case of emergency or crisis, please provide at least the following information:

contact details and organizational information (contact name, organization name and address);
email address, telephone number;
IP address(es), FQDN(s), and any other relevant technical element with associated observation;
if any, scanning results or extract from the log showing the problem;
in case you wish to forward any emails, please include all email headers, body and any attachments if possible and as permitted by the regulations, policies and legislation under which you operate.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT-XMCO assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.