CSIRT Inter

Document Information

This document contains the description of CSIRT Inter according to RFC 2350.

1.1 Date of last update

June 29, 2021

1.2 Distribution list for notifications

There is no distribution list for notifications of new versions of this document.

1.3 Locations where this document can be found

The current version of this document can be found at (bancointer.com.br/seguranca/csirt/rfc2350)

For validation purposes, a GPG-signed ASCII version of this document is located at marketing.bancointer.com.br/arquivos/seguranca/rfc2350

The key used for signing is the CSIRT Inter key as listed in section 2.8.

2. Contact Information

2.1 Team name

Name in English:
CSIRT - Computer Emergency Response Team in Banco Inter

Name in Portuguese:
CSIRT – Grupo de Resposta a Incidentes de Segurança no Banco Inter

2.2 Address

CSIRT Inter

Av. Barbacena, 1219, Santo Agostinho
Belo Horizonte | MG | CEP 30190-131 |
Brazil

2.3 Time Zone

CSIRT Inter is located in Belo Horizonte, Minas Gerais, Brazil, UTC-0300.

2.4 Phone number

Not applicable.

2.5 Fax number

Not applicable.

2.6 Other telecommunications

Not applicable.

2.7 Email address

Incident reports should be sent to: csirt@bancointer.com.br

2.8 Public keys and cryptographic information

The CSIRT Inter PGP key has annual validity and the year key is generated in June. The main information can be found at:

marketing.bancointer.com.br/arquivos/seguranca/pgp

2.9 Team members

No public information is provided about CSIRT Inter members

2.10 Other information

For more information on how to contact CSIRT Inter, see:

bancointer.com.br/seguranca/csirt

CSIRT Inter is a member of CERT.br details at:

https://www.cert.br/csirts/brasil/

2.11 Customer contact points

To contact CSIRT regarding security incidents related to Brazilian networks, send an email to csirt@bancointer.com.br.

CSIRT operates Monday through Friday, from 09:00 to 18:00, UTC-0300.

3. Charter

3.1 Mission statement

CSIRT Inter's mission is to act in the detection, analysis, response and prevention of security incidents, in addition to contributing to the national cybersecurity effort within the scope of the National CSIRT Network.

3.2 Constituency

CSIRT Inter provides incident analysis and coordination for any information security incident that uses Internet resources allocated to Banco Inter

CSIRT Inter will always try to coordinate with more specific Brazilian CSIRTs and security teams. If none are available, it will do its best to locate the autonomous system owner.

Educational material is made available to the general public at: bancointer.com.br/seguranca/

3.3 Sponsorship and/or affiliation

Banco Inter, an institution authorized to operate by the Central Bank of Brazil, has the responsibility to comply with its regulations. CSIRT Inter has the responsibility to respond to the Institution's Incident Action and Response Plan, according to CMN Resolution No. 4,893

Reference

CMN RESOLUTION No. 4,893, OF FEBRUARY 26, 2021

3.4 Authority

CSIRT Inter has no authority over its constituency, all activities are based on collaborative relationships with other entities.

4. Policies

4.1 Types of incidents and level of support

CSIRT Inter provides a focal point for incident notification in the country, providing the necessary coordination and support to organizations involved in incidents, including:

• Support in the analysis of compromised systems and their recovery process;
• Establish collaborative relationships with other entities, such as other CSIRTs, universities, Internet service and access providers, and telecommunications companies;
• Maintain public statistics of incidents handled and spam complaints received.

4.2 Cooperation, interaction and information disclosure

CSIRT Inter treats all information as confidential by default, but will use shared information to help resolve security incidents. Information may be distributed to other teams/organizations as needed. Information will be made anonymous whenever possible.

CSIRT Inter adheres to the traffic light information sharing protocol according to FIRST definitions and usage guidelines: https://www.first.org/tlp/. Information labeled with WHITE, GREEN, AMBER, or RED tags will be treated appropriately.

4.3 Communication and authentication

For normal communication that does not contain confidential information, CERT.br uses conventional methods such as unencrypted email. See sections 2.7 and 2.8. For confidential information, the use of PGP encryption is strongly encouraged. If it is necessary to authenticate a person before communicating, this can be done through other methods such as call-back, mail-back or even a face-to-face meeting if necessary.

5. Services

5.1 Incident response

CSIRT Inter will advise other teams in handling the technical and organizational aspects of incidents.

5.1.1. Incident triage

CSIRT Inter will help validate the incident, as well as evaluate and prioritize it.

5.1.2. Incident coordination

CSIRT Inter encourages all teams to directly contact the most specific CSIRT or security team possible.

CSIRT Inter will then:

• Determine if all involved organizations have been contacted and if any additional contact needs to be made;
• Facilitate contact with other parties who may help resolve the incident;
• If any help is needed, it will contact the involved organizations to help them take appropriate action.

The most valuable service we can offer is to act as an information center, which knows where to send the correct incident reports to help and facilitate the resolution of security incidents.

Due to staffing levels, we cannot guarantee that we can respond to all incident reports received. If the report has already been sent to the best possible contacts, CSIRT Inter will record the incident for statistical purposes, but may not send a response. If you have not received any feedback on a report and need some action from the CSIRT Inter team, contact us again, clearly stating the type of help needed.

Automatically generated reports and data feeds will be handled as automatically as possible.

5.1.3. Incident resolution

Since CSIRT Inter is a coordinating team, this means we have no authority to enforce takedown requests, shutdowns, or any other specific action. To the best of our ability, we will:

• Advise local security teams and system administrators on appropriate actions;
• Identify any new type of incident that requires disclosure of best practices for preventing future incidents;

5.2 Proactive activities

CSIRT Inter has several activities that aim to help our audience prevent and better deal with computer security incidents:

• Provide formal training in incident management;
• Observe current trends in technology;
• Aggregate, validate and redistribute data feeds;
• Transfer relevant knowledge to the public, through best practice documents, presentations and training;
• Provide forums for community building and information exchange within the constituency;
• Collect contact information from local security teams.

6. Incident report forms

No forms are available. See section 2.7.

7. Disclaimers

While all care is taken in preparing information and notifications, CSIRT Inter is not responsible for errors, omissions or damages arising from the use of the information provided.