---
name: computer-emergency-response-team
description: Manage computer emergency response team (CERT) operations including incident response planning, threat hunting, digital forensics, malware analysis, and incident reporting. Use when responding to cybersecurity incidents, conducting threat hunts, performing forensics, or improving incident response capabilities. Triggers on phrases like "CERT", "CSIRT", "computer emergency response team", "incident response", "threat hunting", "digital forensics", "malware analysis", "incident reporting", "breach response", "forensic analysis", "malware", "ransomware", "phishing response", "incident classification", "containment", "eradication", "recovery", "lessons learned".
---

# Computer Emergency Response Team (CERT)

Manage CERT operations including incident response planning, threat hunting, digital forensics, and incident reporting.

## Workflow

### 1. Incident Response Plan

```
INCIDENT RESPONSE LIFECYCLE (NIST SP 800-61)
═══════════════════════════════════════

Phase 1: PREPARATION
═══════════════════════════════════════

  → IR team roster and contact tree
  → Communication plan (internal, external, legal)
  → Tool inventory (forensics, analysis, containment)
  → Runbooks for common scenarios
  → Training and tabletop exercises (quarterly)
  → Retained forensic firm contact

Phase 2: DETECTION & ANALYSIS
═══════════════════════════════════════

  Sources:
    → SIEM alerts (Splunk, Sentinel)
    → EDR alerts (CrowdStrike, SentinelOne)
    → User reports (phishing, suspicious activity)
    → External threat intelligence
    → Vulnerability scanning
    → Honeypots/deception technology

  Triage:
    → Validate alert (false positive vs real)
    → Classify incident type
    → Assign severity
    → Assign incident handler
    → Begin investigation

Phase 3: CONTAINMENT, ERADICATION & RECOVERY
═══════════════════════════════════════

  Containment (short-term):
    → Preserve evidence first: capture volatile memory, then a forensic disk image
    → Isolate affected systems at the network layer (EDR isolation, VLAN); do not power off
    → Disable compromised accounts and revoke their active sessions and tokens
    → Block malicious IPs/domains

  Containment (long-term):
    → Deploy temporary firewall rules
    → Patch vulnerabilities
    → Reset credentials
    → Monitor for lateral movement

  Eradication:
    → Remove malware/backdoors
    → Patch exploited vulnerabilities
    → Harden systems
    → Rebuild compromised systems from known-good images (preferred over cleaning in place)

  Recovery:
    → Restore from clean backup
    → Verify system integrity
    → Monitor for reinfection (30 days)
    → Return to normal operations
    → Document recovery steps

Phase 4: POST-INCIDENT ACTIVITY
═══════════════════════════════════════

  → Lessons learned meeting (within 1 week)
  → Root cause analysis (RCA)
  → Update runbooks and playbooks
  → Implement preventive controls
  → Report to management and regulators (if required)
```

### 2. Incident Classification

```
INCIDENT CLASSIFICATION
═══════════════════════════════════════

Severity Levels:
═══════════════════════════════════════

Level  Description                        Response   Escalation          Examples
───────────────────────────────────────────────────────────────────────────────────────────────
SEV1   Critical: active breach, data      15 min     CISO + CEO,         Ransomware, data exfiltration,
       exfiltration, ransomware                      security team       APT activity, C-level account
                                                                         compromise

SEV2   High: confirmed compromise,        1 hour     CISO, IR lead       Phishing with credential theft,
       malware on critical systems                                       malware on a server, insider threat

SEV3   Medium: suspicious activity,       4 hours    IR lead             Suspicious login, sustained brute
       potential vulnerability                                           force, exploitable vulnerability

SEV4   Low: informational,                24 hours   IR analyst          Isolated failed logins, port scan
       policy violation                                                  detected, benign alert

Response time = time to acknowledge and assign a handler, not time to resolve.
Severity is reassessed as facts change; a SEV3 suspicious login becomes SEV2
once credential theft is confirmed.
```

### 3. Threat Hunting

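The credential-dumping hunt listed as Hypothesis 1 in this section, worked in Python as an added example that is not part of this skill file. It runs over constructed Sysmon Event ID 10 (ProcessAccess) style records, applies the validation step (check against known-good behaviour) via an allowlist, scores each hit by access mask, tool name, call-trace libraries and rarity across hosts, and extracts indicators for the response step. The allowlist, the rarity threshold and every sample record are assumptions to tune per environment.

```python
"""Hunt for credential dumping via LSASS process access (ATT&CK T1003.001).

Input is a list of Sysmon Event ID 10 (ProcessAccess) style records. The
SAMPLE_EVENTS below are constructed, not captured telemetry, and the allowlist
and rarity threshold are assumptions to be tuned per environment.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Process access rights (winnt.h) that allow reading or manipulating LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
DUMP_CAPABLE_MASK = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Assumption: system binaries that routinely open LSASS on this estate. Keep it
# narrow; a wide allowlist is how a renamed tool dropped into System32 slips through.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Indicators tied to the hypothesis: tool names, and the libraries that carry
# MiniDumpWriteDump (procdump and "rundll32 comsvcs.dll MiniDump" both end up there).
TOOL_NAME_FRAGMENTS = ("mimikatz", "procdump", "rundll32")
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")

SAMPLE_EVENTS = [  # constructed Sysmon EID 10 records, not real telemetry
    {"host": "ws01", "ts": "2024-05-01T09:00:01Z", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1FFFFF,
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4"},
    {"host": "ws01", "ts": "2024-05-01T09:00:05Z", "source": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010,
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4"},
    {"host": "ws05", "ts": "2024-05-01T09:01:00Z", "source": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1000,   # QUERY_LIMITED_INFORMATION only
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4"},
    {"host": "ws05", "ts": "2024-05-01T09:02:00Z", "source": r"C:\Program Files\Google\Chrome\chrome.exe",
     "target": r"C:\Windows\System32\svchost.exe", "access": 0x1010,  # not LSASS, ignored
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4"},
    {"host": "ws02", "ts": "2024-05-01T10:12:33Z", "source": r"C:\Users\alice\AppData\Local\Temp\mimikatz.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010,
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4|UNKNOWN(00000000004011B0)"},
    {"host": "ws03", "ts": "2024-05-01T10:20:07Z", "source": r"C:\Windows\Temp\pd.exe",  # renamed procdump
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1FFFFF,
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4|C:\Windows\System32\dbgcore.dll+1a2b3"},
    {"host": "ws04", "ts": "2024-05-01T11:02:45Z", "source": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1FFFFF,
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4|C:\Windows\System32\comsvcs.dll+4c1e0"},
    {"host": "ws06", "ts": "2024-05-01T11:30:00Z", "source": r"C:\Tools\agent.exe",  # unknown, needs validation
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010,
     "calltrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2f4"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt_lsass_access(events, expected=EXPECTED_SOURCES, rare_host_threshold=1):
    """Return findings for non-allowlisted processes that opened lsass.exe with
    rights sufficient to read its memory. Each finding lists the reasons it was
    raised so the analyst can validate it (step 4 of the hunting process)."""
    lsass = [e for e in events if _basename(e["target"]) == "lsass.exe"]

    # Rarity: on how many hosts did each source image open LSASS? A binary that
    # does so on a single host is worth a look even without a name match.
    hosts_by_source = defaultdict(set)
    for e in lsass:
        hosts_by_source[e["source"].lower()].add(e["host"])

    findings = []
    for e in lsass:
        src = e["source"].lower()
        if src in expected:
            continue                        # known-good behaviour
        if not e["access"] & DUMP_CAPABLE_MASK:
            continue                        # cannot read LSASS memory with this mask
        reasons = [f"opened lsass.exe with access 0x{e['access']:x}"]
        severity = "medium"
        name = _basename(src)
        if any(t in name for t in TOOL_NAME_FRAGMENTS):
            reasons.append(f"source image name matches dumping tool: {name}")
            severity = "high"
        libs = [lib for lib in DUMP_LIBRARIES if lib in e.get("calltrace", "").lower()]
        if libs:
            reasons.append("minidump library in call trace: " + ", ".join(libs))
            severity = "high"
        n_hosts = len(hosts_by_source[src])
        if n_hosts <= rare_host_threshold:
            reasons.append(f"source image seen opening lsass on only {n_hosts} host(s)")
        findings.append({"host": e["host"], "ts": e["ts"], "source": e["source"],
                         "severity": severity, "reasons": reasons})
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["ts"]))


def extract_indicators(findings):
    """Step 5: pull IOCs out of validated findings for containment and sharing."""
    return {"hosts": sorted({f["host"] for f in findings}),
            "source_images": sorted({f["source"] for f in findings})}


if __name__ == "__main__":
    hits = hunt_lsass_access(SAMPLE_EVENTS)
    for h in hits:
        print(h["severity"].upper(), h["host"], h["source"], "|", "; ".join(h["reasons"]))
    print(extract_indicators(hits))
```

On the sample data this raises the renamed procdump (no name match, but dbgcore.dll in the call trace and PROCESS_ALL_ACCESS) and the comsvcs.dll MiniDump via rundll32 as high, and the unknown agent.exe as medium for the analyst to validate; csrss.exe with full access is skipped as known good, and Taskmgr.exe is skipped because 0x1000 carries no memory-read right.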
```
THREAT HUNTING METHODOLOGY
═══════════════════════════════════════

Hunting Process:
═══════════════════════════════════════

  1. Hypothesis generation:
     → Based on threat intelligence
     → Based on adversary TTPs (MITRE ATT&CK)
     → Based on internal data analysis

  2. Data collection:
     → EDR telemetry (process, file, network)
     → Authentication logs (Active Directory, Okta)
     → Network flows (NetFlow, Zeek)
     → Cloud logs (CloudTrail, Azure AD)
     → Email logs (Exchange, M365)

  3. Analysis:
     → Statistical analysis (anomalies)
     → Correlation across data sources
     → Timeline reconstruction
     → Indicator extraction

  4. Validation:
     → Check against known good behavior
     → Investigate false positives
     → Confirm malicious activity

  5. Response:
     → Escalate to incident response
     → Contain threat
     → Share IOCs with security team

HUNTING HYPOTHESES (Examples):
═══════════════════════════════════════

Hypothesis 1: Credential dumping (ATT&CK T1003.001)
  → Query: EDR process-access telemetry (e.g. Sysmon Event ID 10) → handles opened on lsass.exe with memory-read access
  → Indicators: mimikatz, procdump, rundll32 with comsvcs.dll MiniDump