-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CTIR Gov RFC2350 1. Document Information 1.1 Date of Last Update Is version 1.0, published September 2, 2021. 1.2 Distribution List for Notifications There is no distribution list for notifications of new versions of this document. 1.3 Locations Where This Document May Be Found The current version of this document can be found at https://www.ctir.gov.br/sobre/rfc2350/ For validation purposes, a GPG signed ASCII version of this document is located at https://www.ctir.gov.br/sobre/rfc2350/rfc2350-ctirgov.txt The key used for signing is the CTIR Gov key as listed under 2.8. 2. Contact Information 2.1 Name of the Team CTIR Gov - Cyber Incident Prevention, Handling and Response Center of Brazilian Government. 2.2 Address CTIR Gov Palácio do Planalto - Anexo III - Ala A - sala 107 CEP: 70150-900 - Praça dos Três Poderes - Brasília, DF - Brazil. 2.3 Time Zone America/Sao_Paulo (GMT-0300). 2.4 Telephne Number Not applicable. CTIR Gov does not accept incident reports via telephone. 2.5 Facsimile Number Not applicable. 2.6 Other Telecommunication iNOC-DBA: 266031*800 (see https://inoc.nic.br/). 2.7 Electronic Mail Address Incident reports should be sent to ctir@ctir.gov.br. 2.8 Public Keys and Other Encryption Information The CTIR Gov has a PGP key, whose fingerprint is 9798 2E5B 6EC7 B6ED B98E 60F4 9409 D6F7 6438 EEFF and can be found at: https://www.ctir.gov.br/arquivos/certificados/ctir-site.asc 2.9 Team Members No public information is provided about CTIR Gov members. 2.10 Other Information For additional information about how to contact CTIR Gov, see: https://www.ctir.gov.br/contact/ 2.11 Points of Customer Contact The preferred method for contacting the CTIR Gov is via e-mail at . CTIR Gov is full operate from Monday through Friday, from 09:00h to 19:00h, GMT-0300. 3. Charter 3.1 Mission Statement The Brazilian Government Cyber Incident Prevention, Treatment and Response Center (CTIR Gov) coordinates responses to cyber security incidents related to networks belonging to the Brazilian Federal Public Administration. 3.2 Constituency Networks belonging to the Brazilian Federal Public Administration. 3.3 Sponsorship and/or Affiliation CTIR Gov was formally created in 2006, by initiative of the Brazilian Government through Institutional Security Office (GSI). GSI is the executive cabinet office of the federal government of Brazil that is responsible for national security and defense policy. The activities performed by CTIR Gov are in accordance to the Information Security Department of GSI attributions, as defined in the Presidential Decree 10748 [1], from 2021: I - to coordinate the activities of the cyber incident prevention, treatment and response teams of the members of the Federal Cyber Incident Management Network related to the prevention, treatment and response to cyber incidents; II - to connect with the Government CSIRT teams for prevention, treatment and response referred to in item I using a dedicated computing platform to coordinate them; III - to create, update and publish the cyber incident management plan for agencies and entities of the Federal Public Administration; IV - to establish a working relationship with related agencies from other countries; V - to seek international cooperation, with an emphasis on sharing information about cyber threats, vulnerability and incidents; VI - to share alerts, recommendations and statistics related to cyber incidents to members of the Federal Cyber Incident Management Network; and VII - to keep updated the website of the CTIR Gov with alerts, recommendations and statistics about cyber incidents. Reference (in Portuguese): [1] http://www.planalto.gov.br/ccivil_03/_Ato2019-2022/2021/Decreto/D10748.htm 3.4 Authority CTIR Gov has no authority over its constituency, all activities are based on collaborative relationships with other entities. 4. Policies 4.1 Types of incidents and level of support CTIR Gov provides a single point for Brazilian Government incident notification, providing the coordination for organizations involved in incidents, including: Support in the analysis of compromised systems and in their recovery process; Establish collaborative relationships with other entities, such as other CSIRTs, universities, Internet service and access providers and telecommunication companies; Maintain public statistics of incidents handled; CTIR Gov is also committed to keeping its constituency informed of new trends and threats through alerts, recommendations and mailing list. 4.2 Co-operation, interaction and disclosure of information CTIR Gov treats all information as confidential by default, but will use the information shared to help solve security incidents. Information might be distributed forward to other teams/organizations on a need-to-know basis. Information will be anonymised whenever it is feasible. CTIR Gov adheres to the Information Sharing Traffic Light Protocol according to the FIRST Standard Definitions and Usage Guidance: https://www.first.org/tlp/. Information that is labelled with the tags WHITE, GREEN, AMBER, or RED will be handled appropriately (see: https://www.ctir.gov.br/sobre/#TLP). 4.3 Communication and authentication For normal communication not containing sensitive information CTIR Gov uses conventional methods like unencrypted e-mail. Please refer to sections 2.7 and 2.8. For sensitive information, the use of PGP encryption is strongly encouraged (see section 2.8). If it is necessary to authenticate a person before communicating, this can be done either through other methods like call-back, mail-back or even face-to-face meeting if necessary. 5. Services 5.1 Incident response CTIR Gov will provide assistance to other teams in handling the technical and organizational aspects of incidents related to networks belonging to the Brazilian Federal Public Administration. 5.1.1 Incident triage CTIR Gov will help to validate the incident, as well as to assess it, does the correlation and prioritise it. 5.1.2 Incident coordination CTIR Gov encourages all teams to directly contact the most specific CSIRT or security team as possible, and to maintain CTIR Gov in the copy of the communication. CTIR Gov will then: * Determine if all involved organizations where contacted and if any additional contact needs to be made; * Facilitate contact to other parties which can help resolve the incident; * If any help is needed, it will contact the involved organizations to help them to take the appropriate steps; and * The most valuable service we can provide is to act as an coordinator, which knows where to send the right incident reports to in order to help and facilitate the resolution of security incidents. Due to staffing levels we can not guarantee we can reply to all incident reports received. If the report was already sent to the best possible contacts, CTIR Gov will record the incident for statistical purposes, but it might not send any reply. If you haven't received any feedback to a report and need any action by CTIR Gov staff, please contact us again, clearly stating the type of help needed. 5.1.3 Incident resolution As CTIR Gov is a coordinating team, this means we do not have any authority to enforce the request of takedowns, shutdowns or any other specific action. To the best of our ability we will: * Advise local security teams and system administrator on appropriate actions; * Identify any new type of incident that could require the dissemination of best practices for prevention of future incidents; and * Collect and publicly disclose statistics on incidents and trends, as way to create situational awareness in our constituency. 5.2 Proactive activities CTIR Gov has several activities which aim to help our constituency to prevent as well as better handle computer security incidents: * Raise security awareness in its constituency; * Observe current trends in technology; * Aggregate, validate and redistribute data-feeds; * Transfer relevant knowledge to the constituency, through alerts, recommendations and mailing list; and * Collect contact information of local security teams. 6. Incident reporting forms There are no forms available. Please refer to section 2.7. 7. Disclaimers While every precaution is taken in the preparation of information and notifications, CTIR Gov assumes no responsibility for errors or omissions, or for damages resulting from the use of the information provided. -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEK77LSew61P5cTZ/5vQ8v8CIb/3gFAmTRWmoACgkQvQ8v8CIb /3hb2w//aQKUIFhD7wA5J0TzC4eSXlCtzZbEo1OoC/cmCQ1Shk1f6UV4Yc8XquaA JGM01fQ+pBUaT6JgyhW42J4wxKOzdq9pZ8vjLKuvjWS+FvMR/PzXq5Qfohq4Kr0g JOpuxPS6ZPD6QFnMDhzkztbtjw2XW/Lpd8vKeViYCnfXf0U9oU2WYhZMRwlnTLtN ybidanNqAhhRG5edxqLlBAE6VZT7gfl9/K+jis3zTkIOSLw+wHT/QZiquPLDJ4vn wv0Wj716dZdGEPAmgGn9RjcDpiiRHELK8hLeubbN9a7HwpjlnP98M8X1l4ryvvm/ 7RVOnCAIuJmtxyjRNJ3ZNAkTk1gxu1w2lyLCjJyACbjVgqiH7JnNLA3tQ3SbLiYg /HfASQOln0GPBppeF7yZHBZqu5397JZ+UP98KQ8fHaTAyCwxLoUr3ZF5FkvgQ+fh cVX0mupAGInGNDVhb81/q7V4iY7pvYWum0iuq8m/PD9wtuvfTeAmcilX3X3QF7WL on/iE30/EWKJHSLy27aA6n6ap3hkfuv/wDzPE30YmqmmanYZumScRf2/PFzo9+hC 4dULb18jj6Y25WP5xM1Lwakq+wA5iQm3rnylIYW5g3XjNJ4Aai794etu/RcEXM93 tqyn3zbMHxR56vTLzqaDnVDap6wWdxvKhoc/lbzVN0ABahYJpgc= =kfOt -----END PGP SIGNATURE-----