CERT (Computer Emergency Response Team) India is a national nodal agency that’s been around since 2004 and responsible for responding to cyber security incidents as they occur.
India has faced an increasing level of cyber attacks over the last few years.
In fact, according to an article by Business Standard, India is among the top 3 most affected nations with respect to cyber attacks.
On 28-Apr-2022 the CERT-In team has released a set of guidelines to further strengthen incident response measures implemented by public and private sector organisations. Organisations and government bodies would require to comply with these within 60 days.
With this post, we intend to break down these guidelines and provide a practical approach towards complying with them.
Who does it apply to?
We’ll refer to these as “entities” in the remaining post.
What is the CERT-In 70B directive?
First up, let’s look at what those guidelines call out.
Entities would be required to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. Entities having ICT infrastructure spanning multiple geographies may also use accurate and standard time source other than NPL and NIC, however it is to be ensured that their time source shall not deviate from NPL and NIC.
Incident Reporting Timeline
Entities shall mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. The incidents can be reported to CERT-In via email, phone or fax. The format for reporting incidents is available at the CERT-In website here.
The type of incidents that need to be reported include targeted scanning / probing of critical systems or networks, compromise of critical systems or networks, defacement or intrusion into a website, data breach, data leak, attacks or suspicious attacks on cloud infrastructure, among others. The complete list can be found in the Annexure I of the directive here.
Entities would be required to securely retain logs of their information systems for a rolling period of 180 days within the Indian jurisdiction. These logs would need to be provided to CERT-In along with the incident being reported or when directed by CERT-In.
Maintain User Information for Infrastructure Providers
Data Centres, Virtual Private Server (VPS) providers, Virtual Private Network (VPN) providers and Cloud Service providers would require to maintain information on subscribers and customers for a period of 5 years or longer as mandated by law after cancellation or withdraw of service.
KYC Information for Virtual Assets, Exchanges and Wallets
Organisations falling in this category would need to maintain all KYC (know your customer) and records of financial transactions for a period of 5 years.
Further details of the directive can be found here.
Complying with the CERT-In 70B Directive
Now that we’ve discussed what the directive is all about, let’s look at how organisations can go about addressing its requirements in a practical manner.
The below project outline would help achieve this piece by piece.
Step 1 – Identify & Prioritise Event Sources
Before dealing with cyber incidents, organisations need to comprehensively define what their adversaries are; how to detect and respond to them in the most efficient manner. Logs or system / application events are key to this detection process. Looking at Annexure I of the CERT-In directive, one can easily identify the systems or applications that need to be prioritised from a threat detection perspective. Some of these sources are listed as under:
- Active Directories
- End User Systems
- Public Cloud Activity
One of our articles on logging best practices provides further insights from a public cloud perspective. However, the same underlying thought process can be applied to other environments.
- Ensure application logs are not left out from the list
- Update source NTP settings in the identified sources point to NIC or NPL as directed by CERT-In
Compliance Tip: Ensure log retention is set to 180 days as per the CERT-In directive.
Step 3 – Threat Detection
Step 4 – The Process
- How do we prioritise alerts?
- Who should action on them and how quickly?
- What is our incident management strategy?
- Do we need to contact regulatory authorities?
Compliance Tip: Ensure timelines for incident reporting is defined as 6 hours as per the CERT-In directive