T4iTech Blog: Insights and News

Mitigation of criminal activity with CERT/CSIRT teams help

Written by Hleb Skuratau | May 20, 2025 3:15:35 PM

Why CERT/CSIRT Teams Are Critical in Combating Cyber Threats

CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team) teams are pivotal players in the global cybersecurity ecosystem. They act as coordination hubs between organizations, governments, and international entities, enabling rapid incident response and threat intelligence sharing. Effective collaboration with these teams not only safeguards individual organizations but also strengthens the resilience of entire industries and regions.


Step 1: Selecting the Right CERT/CSIRT

The first rule is to contact a team aligned with your organization’s geographical location or industry sector. 

Examples:

  • Banks: Sector-specific teams like CERT-Finance (EU) or FS-ISAC (Financial Services ISAC).
  • Telecoms: Industry-focused CSIRTs (e.g., telecom CERTs).
  • Small Businesses: Regional or national CERTs (e.g., CERT Polska in Poland, US-CERT (now operated as part of CISA) in the United States, SingCERT in Singapore).
  • Government/Energy: CERT.GOV.PL (Polish GovCERT) for public administration and critical infrastructure.

Why It Matters

Sectoral teams understand sector-specific threats (e.g., ransomware targeting healthcare, phishing against banks), while regional teams navigate local regulations and infrastructure.


Step 2: Finding Contacts via Trusted Sources

Use authoritative directories rather than search results or contact details received in unsolicited messages to identify legitimate teams; the FIRST (Forum of Incident Response and Security Teams) member directory and the Trusted Introducer listing of European teams are the usual starting points. Verify the team's official domain and published PGP key before sending a report, since the report will contain sensitive details about your incident.


Step 3: Preparing an Incident Report

Key Elements to Include:

  • Incident Details: Timestamp, attack type (e.g., DDoS, ransomware), affected assets.
  • Indicators of Compromise (IoC): Malicious IPs, file hashes, domains, malware signatures.
  • Context: Attack objectives, mitigation steps already taken.

Example Report:

“On 27.05.2024 at 14:00 UTC, a credential-phishing campaign was detected using the domain bank-clients[.]support. IoCs: hosting IP 203.0.113.42, file invoice.exe (SHA256: a1b2c3...).”

The IP address in a real report must be the attacker-side public address (the one above is a placeholder from the RFC 5737 documentation range). An internal RFC 1918 address such as 192.168.1.100 only identifies a host in your own network and is useless to an external team. Likewise, send the full 64-character SHA-256 hash: a truncated hash cannot be matched against any feed.

Pro Tip: Granular details accelerate analysis and increase the likelihood of IoCs being added to shared threat feeds.
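The checks described in Step 3 can be automated before a report leaves the organization. The following Python script is an added example written for this article; it is not code from the original post or from any CERT/CSIRT. The indicator values in it are constructed placeholders (the RFC 5737 documentation range stands in for an attacker's public address, because a real one must not be invented here, and the SHA-256 of the empty string stands in for a file hash). The script validates each IoC (full-length SHA-256, a routable attacker IP rather than an internal RFC 1918 address, a well-formed domain or URL), defangs them with the same hxxps/[.] convention the template in the Materials section uses, and renders the report text, listing unfit indicators as excluded with the reason instead of silently dropping them.

```python
"""Validate and defang IoCs, then render the text of a CERT/CSIRT incident report.
Added example for this article; all indicator values below are constructed placeholders."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# Hostname: dot-separated labels of 1-63 chars, at most 253 chars in total, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def defang(value: str) -> str:
    """http(s):// -> hxxp(s):// and '.' -> '[.]' so mail and ticket clients do not auto-link the IoC."""
    m = re.match(r"^(https?)://(.*)$", value, re.IGNORECASE)
    if m:
        scheme = "hxxps" if m.group(1).lower() == "https" else "hxxp"
        return f"{scheme}://{m.group(2).replace('.', '[.]')}"
    return value.replace(".", "[.]")


def refang(value: str) -> str:
    """Inverse of defang(), so an IoC that arrives already defanged can still be validated."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


def classify_ip(ip: str) -> str:
    """'internal' (RFC 1918), 'documentation' (RFC 5737), 'public' (globally routable) or 'non-routable'.
    Raises ValueError when the text is not an IP address at all."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "internal"
    if any(addr in net for net in RFC5737):
        return "documentation"
    return "public" if addr.is_global else "non-routable"


@dataclass
class Indicator:
    kind: str   # "domain", "url", "ip" or "sha256"
    value: str  # may already be defanged


def validate(ind: Indicator) -> list[str]:
    """Return the reasons an IoC is not fit for an external team; an empty list means it is."""
    v = refang(ind.value.strip())
    problems: list[str] = []
    if ind.kind == "sha256":
        if not SHA256_RE.match(v):
            problems.append(f"{v!r} is not a full 64-hex-character SHA-256; a truncated hash cannot be matched by feeds")
    elif ind.kind == "ip":
        try:
            cls = classify_ip(v)
        except ValueError:
            problems.append(f"{v!r} is not an IP address")
        else:
            if cls == "internal":
                problems.append(f"{v} is an RFC 1918 address: it names a host in your own network, not the attacker")
            elif cls == "non-routable":
                problems.append(f"{v} is not globally routable and cannot be acted on")
    elif ind.kind == "domain":
        if not DOMAIN_RE.match(v):
            problems.append(f"{v!r} is not a well-formed domain name")
    elif ind.kind == "url":
        if not re.match(r"^https?://[^\s/]+", v, re.IGNORECASE):
            problems.append(f"{v!r} is not an http(s) URL")
    else:
        problems.append(f"unknown indicator kind {ind.kind!r}")
    return problems


def build_report(incident: dict[str, str], indicators: list[Indicator]) -> str:
    """Render Step 3's key elements; unfit IoCs are listed as EXCLUDED with the reason."""
    lines = [
        f"Incident type: {incident['type']}",
        f"First observed: {incident['first_observed']}",
        f"Affected assets: {incident['assets']}",
        f"Mitigation already taken: {incident['mitigation']}",
        "Indicators of compromise (defanged):",
    ]
    for ind in indicators:
        problems = validate(ind)
        if problems:
            lines.append(f"  - EXCLUDED {ind.kind}: " + "; ".join(problems))
        else:
            lines.append(f"  - {ind.kind}: {defang(refang(ind.value.strip()))}")
    return "\n".join(lines)


# Constructed sample input, not a real incident. 192.168.1.100 reproduces the common mistake of
# reporting an internal address; 203.0.113.42 (RFC 5737) stands in for the attacker's host.
SAMPLE_INCIDENT = {
    "type": "credential phishing",
    "first_observed": "2024-05-27 14:00 UTC",
    "assets": "online-banking customers",
    "mitigation": "domain blocked at the web proxy, users warned",
}
SAMPLE_IOCS = [
    Indicator("url", "https://bank-clients.support/login"),
    Indicator("domain", "bank-clients.support"),
    Indicator("ip", "192.168.1.100"),
    Indicator("ip", "203[.]0[.]113[.]42"),
    Indicator("sha256", "a1b2c3"),  # truncated, as in the article's example
    Indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),  # SHA-256 of ""
]

if __name__ == "__main__":
    print(build_report(SAMPLE_INCIDENT, SAMPLE_IOCS))
```

Running the script prints the report with the two bad indicators (the internal IP and the truncated hash) marked EXCLUDED and the others defanged; the same `validate()` and `defang()` functions can sit in front of whatever form or mail template the team actually uses.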


Step 4: Submitting the Report and CERT/CSIRT Response

After submitting via a dedicated portal or contact form:

  1. The team validates the incident and checks the indicators against what it already knows.
  2. If the indicators are confirmed and relevant beyond the reporting organization, they are shared with partner communities (e.g., through MISP sharing groups or public feeds such as AlienVault OTX).
  3. Affected entities are alerted via trusted channels (ISACs, closed communities).

Outcomes:

  • Shared IoCs are consumed by defenders' tooling: blocked at firewalls, web proxies and EDR, and matched against historical logs in the SIEM to surface earlier contact with the same infrastructure.
  • The attack is contained not just within your network but across the ecosystem.



Step 5: Cross-Team Intelligence Sharing

CERT/CSIRTs operate as a trusted network:

  • Share IoCs, TTPs (Tactics, Techniques, Procedures) and the MITRE ATT&CK techniques they map to, so recipients can hunt for the behaviour rather than only for the specific indicators, which attackers rotate quickly.
  • Leverage case-management and enrichment platforms (e.g., TheHive for incident case handling, Cortex for automated analysis of observables) so intake, analysis and response are tracked and repeatable.
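Sharing at the scale described in Step 5 works because teams exchange indicators and the techniques they map to in a machine-readable form; STIX 2.1 is the vendor-neutral standard that MISP and most threat-intelligence platforms import. The script below is an added example written for this article, not code from the original post or from any CERT/CSIRT or platform. It packages constructed placeholder IoCs (the RFC 5737 address and the bank-clients.support name from this article's examples, and the SHA-256 of the empty string as a file hash) as STIX 2.1 indicator objects, links each to an ATT&CK technique through an "indicates" relationship (T1566.002, Phishing: Spearphishing Link, assumed here as the technique for the illustrative phishing case), and emits a bundle ready for import, with a sanity check that every relationship resolves inside the bundle.

```python
"""Package IoCs plus the observed ATT&CK technique as a STIX 2.1 bundle for sharing.
Added example for this article; indicator values are constructed placeholders."""
from __future__ import annotations

import json
import re
import uuid
from datetime import datetime, timezone

# '<type>--<UUIDv4>' (version nibble 4, variant nibble 8-b), the form every STIX 2.1 id takes.
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def stix_now() -> str:
    """RFC 3339 UTC timestamp with millisecond precision and a trailing Z, as STIX requires."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_id(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"


def stix_pattern(kind: str, value: str) -> str:
    """Map a plain IoC to a STIX Patterning comparison expression; quotes and backslashes are escaped."""
    v = value.replace("\\", "\\\\").replace("'", "\\'")
    paths = {"domain": "domain-name:value", "ipv4": "ipv4-addr:value",
             "url": "url:value", "sha256": "file:hashes.'SHA-256'"}
    if kind not in paths:
        raise ValueError(f"unsupported indicator kind: {kind}")
    return f"[{paths[kind]} = '{v}']"


def make_indicator(kind: str, value: str, description: str, ts: str) -> dict:
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": f"{kind}: {value}", "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(kind, value), "pattern_type": "stix",
    }


def make_attack_pattern(technique_id: str, name: str, ts: str) -> dict:
    """ATT&CK techniques travel as attack-pattern objects carrying a 'mitre-attack' external reference."""
    return {
        "type": "attack-pattern", "spec_version": "2.1", "id": stix_id("attack-pattern"),
        "created": ts, "modified": ts, "name": name,
        "external_references": [{
            "source_name": "mitre-attack", "external_id": technique_id,
            "url": f"https://attack.mitre.org/techniques/{technique_id.replace('.', '/')}/",
        }],
    }


def make_relationship(source: dict, target: dict, ts: str) -> dict:
    """indicator --indicates--> attack-pattern: this IoC is evidence of that technique."""
    return {
        "type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
        "created": ts, "modified": ts, "relationship_type": "indicates",
        "source_ref": source["id"], "target_ref": target["id"],
    }


def build_bundle(iocs: list[tuple[str, str, str]], technique_id: str, technique_name: str) -> dict:
    ts = stix_now()
    technique = make_attack_pattern(technique_id, technique_name, ts)
    objects = [technique]
    for kind, value, description in iocs:
        indicator = make_indicator(kind, value, description, ts)
        objects += [indicator, make_relationship(indicator, technique, ts)]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def check_bundle(bundle: dict) -> bool:
    """Sanity check before sending: well-formed ids and every relationship resolves within the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    if not all(STIX_ID_RE.match(i) for i in ids | {bundle["id"]}):
        return False
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return all(r["source_ref"] in ids and r["target_ref"] in ids for r in rels)


# Constructed placeholders (RFC 5737 address, the article's example domain, SHA-256 of ""), not real infrastructure.
SAMPLE_IOCS = [
    ("domain", "bank-clients.support", "phishing site impersonating the bank"),
    ("ipv4", "203.0.113.42", "host serving the phishing page"),
    ("url", "https://bank-clients.support/login", "credential-harvesting form"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "invoice.exe offered after login"),
]

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_IOCS, "T1566.002", "Phishing: Spearphishing Link")
    assert check_bundle(bundle)
    print(json.dumps(bundle, indent=2))
```

The indicators carry the raw (not defanged) values on purpose: STIX is consumed by machines, and a defanged pattern would never match. Defang only the human-readable report text, not the feed payload.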

Case Study:

A German bank identified malware in its payment system. After reporting to CERT-Finance, the IoCs were distributed to threat feeds. Within hours, similar attacks targeting French and Italian banks were preemptively blocked.

Conclusion

Engaging with CERT/CSIRTs isn’t just compliance—it’s a strategic contribution to collective cyber resilience. Even a small organization’s report can prevent large-scale attacks. In cybersecurity, there’s no competition—only shared adversaries and shared defense.

P.S. Join industry-specific ISACs (Information Sharing and Analysis Centers) to amplify your threat intelligence capabilities.

Materials:

An example of the text to enter in the form once you have encountered scam activity:

Url: http://incydent.cert.pl/domena#!/lang=pl


Incident Report: Fraudulent Website Targeting Users with Scam Activities

Dear CERT/CSIRT Team,

We are writing to report a fraudulent website engaged in scam activities which we believe poses a significant risk to users. Below are the details of the incident and the relevant indicators of compromise (IoCs) for your investigation.

1. Incident Overview

  • Type of Activity: Scam / Phishing
  • Targeted Audience: General public (e.g., fake lottery, investment fraud, or impersonation of legitimate services)
  • Website URL: hxxps://scam-example[.]com (replace with the actual URL; keep the hxxps and [.] defanging so nobody clicks it by accident)
  • Domain Registration Date: [If known, e.g., 2024-05-01]
  • First Observed: [Date/Time of Detection, e.g., 2024-05-27 14:30 UTC]

2. Indicators of Compromise (IoC)

  • Malicious Domain: scam-example[.]com
  • IP Address: 192.0.2.1 (hosting the fraudulent site)
  • TLS/SSL Certificate: Issuer: "Let's Fake Encrypt" | SHA-1 fingerprint: [Insert if available]
  • Associated Phishing Emails: Sender: noreply@scam-example[.]com; Subject: "You’ve Won $1,000,000! Claim Now!"; Attachments/Links: hxxps://scam-example[.]com/claim

3. Additional Context

  • Behavior Observed: The site mimics a legitimate lottery platform and requests personal data (ID, credit card) under false pretenses. It uses urgency tactics ("Act within 10 minutes!") to pressure users.
  • Victim Reports: [Optional: include anonymized examples, e.g., "3 employees received phishing emails linking to this site."]
  • Mitigation Steps Taken: Blocked the domain/IP internally. Alerted employees/users via internal channels.

4. Supporting Evidence

  • Screenshots: Attached (e.g., scam website, phishing email).
  • Network Logs: [Attach HAR files, packet captures, or firewall logs if available.]
  • WHOIS/RDAP Data: [Include if retrieved.]

5. Requested Action

We kindly ask your team to:

  • Investigate the domain/IP for malicious activity.
  • Add the IoCs to shared threat intelligence feeds (e.g., MISP, PhishTank).
  • Notify relevant stakeholders (e.g., hosting provider, registrar) for takedown.

Confidentiality: This report is intended for authorized use only. Please confirm receipt and provide a tracking ID for future reference.

Thank you for your prompt attention to this matter.

Best regards,
[Your Full Name]
[Your Position]
[Organization Name]
[Contact Email/Phone]