Contents
- Interaction with RuCERT
- Special consideration for successful export from the KUMA hierarchical structure to RuCERT
- Exporting data to RuCERT
- Supplementing incident data on request
- Sending files to RuCERT
- Sending incidents involving personal information leaks to RuCERT
- Communication with RuCERT experts
- Supported categories and types of RuCERT incidents
- Notifications about the incident status change in RuCERT
Interaction with RuCERT
In KUMA, you can interact with the National Computer Incident Response & Coordination Center (hereinafter RuCERT) in the following ways:
- Export incidents to RuCERT.
- Supplement the exported incident with data when requested by RuCERT.
- Send files to RuCERT.
- Exchange messages with RuCERT experts.
- View the changes made by RuCERT to the exported incidents settings.
Data in KUMA and RuCERT is synchronized every 5-10 minutes.
Conditions for RuCERT interaction
To interact with RuCERT, the following conditions must be met:
- The application license includes the GosSOPKA module.
- RuCERT integration is configured.
- The Can interact with RuCERT check box is selected in the settings of the users whose responsibilities include interaction with RuCERT.
RuCERT interaction workflow
In KUMA, the process of sending incidents to RuCERT to be processed consists of the following stages:
- Creating an incident and checking it for compliance with RuCERT requirements
You can create an incident or receive it from a child KUMA node. Before sending data to RuCERT, make sure that the incident category and type are among those that RuCERT accepts (see the table of supported categories and types below).
- Exporting the incident to RuCERT
If the incident is successfully exported to RuCERT, its Export to RuCERT setting is set to Exported. In the lower part of the incident window, a chat with RuCERT experts becomes available.
At RuCERT, the incident received from you is assigned a registration number and status. This information is displayed in the incident window in the RuCERT integration section and in automatic chat messages.
If all the necessary data has been provided to RuCERT, the incident is assigned the Under examination status. The settings of an incident with this status can still be edited in KUMA, but the updated information is not sent from KUMA to RuCERT. You can view the difference between the incident data in KUMA and in RuCERT.
- Supplementing incident data
If RuCERT experts do not have enough information to process an incident, they can assign it the More information required status. In KUMA, this status is displayed in the incident window in the RuCERT integration section. Users are notified about the status change.
You can attach a file to the incidents with this status.
When the data is supplemented, the incident is re-exported to RuCERT and the previously provided information is updated. Incidents received from child nodes cannot be modified from the parent KUMA node; they must be edited by employees of the child KUMA nodes.
If the incident is successfully supplemented with data, it is assigned the Under examination status.
- Completing incident processing
After the RuCERT experts process the incident, the RuCERT status is changed to Decision made. In KUMA, this status is displayed in the incident window in the RuCERT integration section.
Upon receiving this status, the incident is automatically closed in KUMA. Interaction with RuCERT on this incident by means of KUMA becomes impossible.
Special consideration for successful export from the KUMA hierarchical structure to RuCERT
If multiple KUMA nodes combined into a hierarchical structure are deployed in your organization, you can export incidents received from child KUMA nodes to RuCERT from the parent KUMA node. For this purpose, the following conditions must be met:
- Integration with RuCERT is configured in the parent and child KUMA nodes. The URL and Token settings in the Settings → RuCERT section are required for the parent node but are not required for the child node.
- RuCERT integration is enabled in both nodes.
In this case, interaction with RuCERT is performed only at the level of the node exporting the incident to RuCERT.
Settings of the incident received from a child KUMA node cannot be changed from a parent KUMA node. If there is not enough data for performing RuCERT export, the incident must be changed at the child KUMA node, and then exported to RuCERT from the parent KUMA node.
Exporting data to RuCERT
Incidents that were closed in KUMA cannot be exported to RuCERT if the Description field was empty at the time of closing.
To export an incident to RuCERT:
- In the Incidents section of the KUMA web interface, open the incident you want to export.
- Click the Export to RuCERT button in the lower part of the window.
- If you have not specified the category and type of incident, specify this information in the window that opens and click the Export to RuCERT button.
This opens the export settings window.
- Specify the settings on the Basic tab of the Export to RuCERT window:
- Category and Type—specify the type and category of the incident. Only incidents of specific categories and types can be exported to RuCERT.
- TLP (required)—assign a Traffic Light Protocol marker to the incident to define how information about it may be shared. The default value is RED. Available values:
- WHITE—disclosure is not restricted.
- GREEN—disclosure is only for the community.
- AMBER—disclosure is only for organizations.
- RED—disclosure is only for a specific group of people.
- Affected system name (required)—specify the name of the information resource where the incident occurred. You can enter up to 500,000 characters in the field.
- Affected system category (required)—specify the critical information infrastructure (CII) category of your organization. If your organization does not have a CII category, select Information resource is not a CII object.
- Affected system function (required)—specify the scope of activity of your organization. The value specified in RuCERT integration settings is used by default.
- Location (required)—select the location of your organization from the drop-down list.
- Affected system has Internet connection—select this check box if the assets related to this incident have an Internet connection. By default, this check box is cleared.
If this check box is selected, the Technical details tab is available. This tab displays information about the assets related to the incident. See below for more details.
- Product info (required)—this table becomes available if you selected Notification about a detected vulnerability as the incident category.
You can use the Add new element button to add a row to the table. In the Name column, specify the name of the application (for example, MS Office). In the Version column, specify the application version (for example, 2.4).
- Vulnerability ID—if necessary, specify the identifier of the detected vulnerability (for example, CVE-2020-1231). This field becomes available if you selected Notification about a detected vulnerability as the incident category.
- Product category—if necessary, specify the category of the vulnerable product (for example, Microsoft operating systems and their components). This field becomes available if you selected Notification about a detected vulnerability as the incident category.
- If required, define the settings on the Advanced tab of the Export to RuCERT window.
The available settings on the tab depend on the selected category and type of incident:
- Detection tool—specify the name of the product that was used to register the incident (for example, KUMA 1.5).
- Assistance required—select this check box if you need help from GosSOPKA employees.
- Incident end time—specify the date and time when the CII object was restored to normal operation after the computer incident, when the computer attack ended, or when the vulnerability was fixed.
- Availability impact—assess the degree of impact that the incident had on system availability:
- High
- Low
- None
- Integrity impact—assess the degree of impact that the incident had on system integrity:
- High
- Low
- None
- Confidentiality impact—assess the degree of impact that the incident had on data confidentiality:
- High
- Low
- None
- Custom impact—specify other significant impacts from the incident.
- City—indicate the city where your organization is located.
- If assets are attached to the incident, you can specify their settings on the Technical details tab.
This tab is active only if you select the Affected system has Internet connection check box.
Information previously entered on the Technical details tab can only be changed or supplemented in your personal GosSOPKA dashboard. This applies even when RuCERT experts request additional information and the exported incident becomes editable in KUMA.
The categories of the listed assets must match the category of the affected CII object in your system.
- Click Export.
- Confirm the export.
Information about the incident is submitted to RuCERT, and the Export to RuCERT incident setting is changed to Exported. At RuCERT, the incident received from you is assigned a registration number and status. This information is displayed in the incident window in the RuCERT integration section.
It is possible to change the data in the exported incident only if the RuCERT experts requested additional information from you. If no additional information was requested, but you need to update the exported incident, you should do it in your GosSOPKA dashboard.
After the incident is successfully exported, the Compare KUMA incident to RuCERT data button is displayed at the bottom of the screen. When you click this button, a window opens, where the differences in the incident data between KUMA and RuCERT are highlighted.
Supplementing incident data on request
If RuCERT experts need additional information about the incident, they may request it from you. In this case, the incident status changes to More information required in the RuCERT integration section of the incident window. The following KUMA users receive email notifications about the status change: the user to whom the incident is assigned and the user who exported the incident to RuCERT.
If an incident is assigned the "More information required" status in RuCERT, the following actions are available for this incident in KUMA:
- Upload files to RuCERT.
- Re-export the incident data to RuCERT with updates or additions to the previously provided information. This action completes supplementing the incident data.
Sending files to RuCERT
If an incident is assigned the More information required status in RuCERT, you can attach a file to it. The file will be available both in RuCERT and in the KUMA web interface.
In a hierarchical KUMA deployment, files can be uploaded to RuCERT only from the parent KUMA node. Log entries about the file upload are, however, visible in the child KUMA nodes.
Messages about files uploaded to RuCERT by KUMA users are added to the incident change log. Messages about files added by RuCERT are not added to the log.
To attach a file to an incident:
- In the Incidents section of the KUMA web interface, open the incident you want to attach a file to. The incident must have the More information required status in RuCERT.
- In the RuCERT integration section of the incident window, select the File tab and click the Send file to RuCERT button.
The file selection window opens.
- Select the required file no larger than 50 MB and confirm your selection.
The file is attached to the incident and available for both RuCERT experts and KUMA users.
Data in KUMA and RuCERT is synchronized every 5-10 minutes.
Sending incidents involving personal information leaks to RuCERT
KUMA 2.1.x does not have a separate section with incident parameters for submitting information about personal information leaks to RuCERT. Since such incidents do occur and a need exists to submit information to RuCERT, use the following solution.
To submit incidents involving personal information leaks:
- In the KUMA web interface, in the Incidents section, when creating an incident involving a personal information leak, in the Category field, select Notification about a computer incident.
- In the Type field, select one of the options that involves submission of information about personal information leak:
- Malware infection
- Compromised user account
- Unauthorized disclosure of information
- Successful exploitation of a vulnerability
- Event is not related to a computer attack
- In the Description field, enter the following text: The incident involves a leak of personal information. Please set the status to "More information required".
- Click Save.
- Export the incident to RuCERT.
After RuCERT employees set the status to "More information required" and return the incident for further editing, in your RuCERT account, you can provide additional information about the incident in the "Details of the personal information leak" section.
Communication with RuCERT experts
After the incident is successfully exported to RuCERT, a chat with RuCERT experts becomes available at the bottom of the screen. You can exchange messages from the moment the incident is successfully exported until it is closed in RuCERT.
The chat window with the message history and the field for entering new messages is available on the Chat tab in the RuCERT integration section of the incident window.
Data in KUMA and RuCERT is synchronized every 5-10 minutes.
Supported categories and types of RuCERT incidents
The table below lists the categories and types of incidents that can be exported to RuCERT:
Incident category | Incident type
Notification about a computer incident | Involvement of a controlled resource in malicious software infrastructure
Notification about a computer incident | Slowed operation of the resource due to a DDoS attack
Notification about a computer incident | Malware infection
Notification about a computer incident | Network traffic interception
Notification about a computer incident | Use of a controlled resource for phishing
Notification about a computer incident | Compromised user account
Notification about a computer incident | Unauthorized data modification
Notification about a computer incident | Unauthorized disclosure of information
Notification about a computer incident | Publication of illegal information on the resource
Notification about a computer incident | Distribution of spam messages from the controlled resource
Notification about a computer incident | Successful exploitation of a vulnerability
Notification about a computer attack | DDoS attack
Notification about a computer attack | Unsuccessful authorization attempts
Notification about a computer attack | Malware injection attempts
Notification about a computer attack | Attempts to exploit a vulnerability
Notification about a computer attack | Publication of fraudulent information
Notification about a computer attack | Network scanning
Notification about a computer attack | Social engineering
Notification about a detected vulnerability | Vulnerable resource
Notifications about the incident status change in RuCERT
In the event of certain changes in the status or data of an incident at RuCERT, KUMA users receive the following notifications by email:
- Notification about receiving a message from RuCERT.
- Additional data request notification.
- Notification about the incident status change in RuCERT.
- Notification about automatic closure of an incident.
The following users receive notifications:
- The user to whom the incident was assigned.
- The user who exported the incident to RuCERT.