In many organizations, a computer security incident response team (CSIRT) has become essential for dealing with the growing number and increasing sophistication of cyber threats. A security operations center (SOC) is a dedicated group with the tools to defend networks, servers, and other IT infrastructure. A CSIRT, by contrast, is a cross-functional team that bands together to respond to security incidents. Some members may be full-time, while others are only called in as needed.
Unlike a SOC, an incident response team provides a comprehensive response that reaches beyond the technical actions taken to remediate an incident. It includes recommending changes to systems or organizational practices to protect against future incidents. It also includes nontechnical responsibilities, such as managing internal communications, status reporting, assisting counsel, and handling personnel issues when an incident results from insider actions.
Ten Best Practices for Creating Your Incident Response Team
Creating an effective incident response team involves different processes and talent than establishing a SOC. In this blog, we review ten best practices, drawing on current techniques and technologies.
1. Build a friendly team.
Part of building an effective CSIRT is educating your entire organization about its critical, cross-functional nature. Every team member needs to understand the value of complementary skills and roles. This helps eliminate friction between, for example, technical members in the SOC and nontechnical CSIRT members.
2. Recruit an effective advocate or executive sponsor.
This should be someone at the CISO or executive level who can effectively communicate the impact of an incident to other executives, as well as to board members. This person is also responsible for ensuring that the incident response team receives appropriate attention and a workable budget, and that it retains the authority to act swiftly during a crisis.
3. Define key roles and recruit from across the organization.
The cross-functional team members should include:
- An Incident Manager who can work across the organization, call meetings, and hold team members accountable for their action items. This person rolls up findings before incidents are communicated to the company.
- A Lead Investigator, such as a security analyst or dedicated SOC incident responder, who takes charge of investigating a security incident.
- A Communications and Public Relations specialist who handles everything from fielding press inquiries to communicating with employees and monitoring social media.
- A Lead Legal/Privacy expert, such as your general counsel or a deputy member of the legal team, who advises on issues such as whether a breach must be disclosed and how to deal with the potential legal consequences of a security incident.
4. Create a deep bench based on realistic IT budgets.
Since security incidents can occur at any time, you will need CSIRT staff geographically dispersed to ensure someone is available 24/7. If you can’t “follow the sun,” the next-best option is to implement shifts made up of people who are trained and qualified to lead an incident. You should also build redundancy through cross-training, so that each CSIRT role has a trained backup.
However, few IT organizations have the budget to staff to this ideal level. So, as part of this best practice, plan for real-world staffing limitations before an incident occurs. Job shadowing is a low-cost way to build that backup depth.
5. Insulate team members from distractions.
Security incidents can be intense, and the effort required for breach response can stretch on for years. CSIRT members may burn out from responding to an ongoing deluge of audits, legal needs, HR requests, daily fires to put out, and so on. So, while your incident response team needs to be “friendly,” it should also practice distraction avoidance. This requires isolation from unplanned external requests, as well as an established process for work intake.
6. Make incident response a shared responsibility.
When building the team structure, never put team members in a position where they simply throw an incident over the wall, whether from the SOC to the CSIRT or vice versa.
7. Clearly establish roles and responsibilities as nonlinear.
The SOC and CSIRT need to work in parallel, co-owning problems. They require feedback loops for observations, ongoing investigative support, and technical recommendations. This extends the work of the incident response team beyond simply responding to incidents: it involves learning why incidents occur, then cascading that information through the organization to help prevent similar incidents in the future.
8. Ensure your CSIRT makes IR both “proximal and distal”.
A comprehensive incident response involves more than responding to an incident and mitigating its outcomes. Your team needs to respond technically, but it also needs to step back and examine common causes and responses in order to make the most effective recommendations.
For example, if your SOC sees an uptick in crypto-ransomware, the expected response is to take affected systems offline and ensure that no additional systems are infected; this is the proximal response. Root cause analysis might show that the compromise began when an employee opened an emailed Excel file that triggered an embedded macro. The CSIRT’s distinct contribution might be to educate the organization, and to recommend a technically enforced policy change that prevents employees from allowing Excel macros to run. Explaining the risk, deploying a solution, and socializing it throughout the company could take months; this is the distal response. Here, the convenience of macro automation is far outweighed by the security risk to the organization and its employees.
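The “technically enforced policy change” above can be expressed as an Office policy setting rather than a user preference. The following PowerShell is an added example, not code from the original post or from Exabeam: it writes the Office 2016/365 (version key 16.0) Excel policy values under HKCU\Software\Policies, which users cannot override from the Trust Center, and reports the before and after state. The `VBAWarnings` value 4 means “disable all macros without notification” (the default of 2 only warns, and users can click through); `blockcontentexecutionfrominternet` blocks macros in files carrying the mark-of-the-web. In production you would push the same values through Group Policy; writing them locally is assumed here only so the effect is easy to observe on a test machine.

```powershell
# Added example: enforce a "macros disabled, no user override" policy for Excel.
# Assumes Office 16.0 (Office 2016/2019/365). Policy values written under
# HKCU:\Software\Policies take precedence over the user's Trust Center choices.

$ExcelPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'

function Get-ExcelMacroPolicy {
    # Returns the current policy values (or $null when no policy is set),
    # so the weak "warn and let the user decide" state can be compared
    # against the enforced state.
    if (-not (Test-Path $ExcelPolicy)) {
        return [pscustomobject]@{ VBAWarnings = $null; BlockInternetMacros = $null }
    }
    $p = Get-ItemProperty -Path $ExcelPolicy
    [pscustomobject]@{
        VBAWarnings         = $p.VBAWarnings
        BlockInternetMacros = $p.blockcontentexecutionfrominternet
    }
}

function Set-ExcelMacroPolicy {
    # Creates the policy key if needed and sets:
    #   VBAWarnings = 4  -> disable all macros without notification
    #   blockcontentexecutionfrominternet = 1 -> block macros in files from the internet
    New-Item -Path $ExcelPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExcelPolicy -Name 'VBAWarnings' -Type DWord -Value 4
    Set-ItemProperty -Path $ExcelPolicy -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

'Before:'; Get-ExcelMacroPolicy | Format-List
Set-ExcelMacroPolicy
'After:';  Get-ExcelMacroPolicy | Format-List
```

Note that value 4 also blocks macros you may legitimately depend on; the less blunt value 3 (“disable all except digitally signed macros”) lets you keep a signed, approved set while still closing the click-to-enable path that the ransomware example relies on.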
9. Make your IR team not only friendly but also diverse.
Recruit people who hold different pieces of institutional knowledge. In the crypto-ransomware example above, for instance, email was the delivery mechanism, as it is for many current attacks. Knowing this, a good source of CSIRT talent is the messaging team, the people who run your email infrastructure. Involving technically diverse teams and recruiting from them over time will dramatically improve your IR.
10. Use analytics and automation to be both repeatable and friendly.
By executing your IR plan and holding regular drills against various scenarios, you can estimate how long it takes to respond to incidents and learn what can go wrong in the heat of battle. This includes using the latest tools, such as machine learning and artificial intelligence models, and techniques such as Exabeam’s user and asset state tracking, which natively ties together every IP address, host, and user to support real-time risk scoring and response.
Using these capabilities, together with those in the Exabeam IR platform, gives your CSIRT repeatability. It lets you define a preapproved set of actions, or playbooks, for dealing with an attack or other incident. And since CSIRT actions are cross-functional, playbooks should cover every aspect of the response, from locking down an impacted system, to inbox cleanup, to rapid communication with impacted stakeholders. This makes the response much friendlier, and removes the “scary” aspect of automated responses.