Incident Response – with CERT-Bund and MIRT
CERT-Bund and Mobile Incident Response Teams provide local BSI support
When a serious IT security incident occurs, the BSI is there: A Mobile Incident Response Team (MIRT) provides on-site support to the federal administration and operators of critical infrastructure (KRITIS) and also helps with incident handling.
When an IT security incident threatens to cause data loss and reputational damage, speed is of the essence. In such cases, most organisations need prompt professional support. Here, the BSI acts in its role as the central clearinghouse for IT security incidents for the federal administration, operators of critical infrastructure and the world of business. If a given incident is particularly serious, the BSI can put together a team of experts from CERT-Bund to provide direct on-site support. MIRT, the mobile arm of CERT-Bund, is then deployed. This team can draw on a wide range of skills and equipment to provide expert local assistance to those affected. The first and most important goal is to help the affected organisation keep its mission-critical processes running or to restore them as soon as possible.
Timeline of a typical MIRT deployment
An organisation affected by ransomware contacts the BSI via the National IT Situation Centre because data has become encrypted on its core systems. Following an initial situation analysis, the company is provided with important information to help it handle the incident. The incident is a particularly sensitive one, however, so the BSI coordinates a MIRT deployment: a team of BSI experts is sent out, while other specialists based back at the BSI provide analysis and insights from their respective areas of expertise. After an initial assessment and impact estimate, the MIRT carries out a technical analysis and advises the affected organisation on how best to manage the incident. This may include, for example, reviewing log data, securing technical evidence and working with the organisation to draw up a strategy for containing and resolving the incident. After completing its analysis, the BSI team draws up a set of recommendations designed to prevent further attacks. The actual implementation of these recommendations can then be reviewed and initiated by the organisation's own IT managers.
Dialogue and insights
The work of the experts in the Mobile Incident Response Teams is key when it comes to building expertise in detecting and responding to IT security incidents. The close cooperation between the BSI’s experts and IT security experts at companies and other organisations—coupled with extensive debriefings on attacks—enables the BSI to maintain an accurate assessment of the current threat situation. This assessment is incorporated into longer-term security recommendations and plays a key role in the efficient prevention of IT security incidents, as well as in ensuring accelerated response times in worst-case scenarios. The work of the Mobile Incident Response Teams is an important pillar of the responsive duties performed by the BSI. With the National IT Situation Centre, CERT-Bund and the Cyber Response Centre, the BSI is well-positioned to meet any challenge, from threat monitoring right through to MIRT deployment.