A Practical Guide to Building a Cyber Incident Response Team

While there are a number of threat and risk management solutions that help your team deal with low-level security events by automating responses, high-level threats (sophisticated and stealthy attacks) including advanced persistent threats (APTs) require a cyber incident response team — equipped and ready to act, fast.

This team could be:

• A standing team within a security operations center (SOC)
• One that comes together from key players within the IT and security function of a small to medium sized organization
• An external team that parachutes in when called upon

Regardless of where the team comes from, your incident response plan must define your incident response team and their roles/responsibilities. A well-detailed incident response plan that includes defined roles within your team can save more than a few headaches (not to mention millions of dollars, data, and a PR disaster) should when security incidents occur. This post covers the basics of cybersecurity incident response and how to build an incident response team.

What Is a Cyber Incident Response Plan?

The term “cyber incident response” refers to an organized approach to handling (responding to) cybersecurity incidents. Incident response (IR) should be executed in a way that mitigates damage, reduces recovery time, and minimizes costs. The set of instructions an organization uses to guide their incident response team when a security event (i.e. a security breach) occurs is the Incident Response Plan.

A documented IR plan helps organizations respond quickly by streamlining decisions, outlining processes, and defining appropriate use of the technologies available.

There are six phases, as defined by SANS, of incident response that you should plan for:

1. Preparation—preparing the security staff to handle potential incidents. This includes training, equipping, and practicing.
2. Identification—detecting and deciding if an incident fulfills the conditions to be considered a security incident by the organization, and its severity.
3. Containment—containing the incident by isolating compromised systems to prevent future damage.
4. Eradication—detecting the cause of the incident and eliminating the threats from affected systems.
5. Recovery—restoring affected systems and making sure no threat remains.
6. Lessons learned—analyzing the incident logs, updating the response plan, and completing the incident documentation.

Your IR plan should include the following sections:

• Plan overview
• Roles and responsibilities
• List of incidents that require action
• Overview of the security posture and the network infrastructure
• Procedures for detection, investigation, and containment
• Eradication plan and capabilities
• Recovery plan (how long will it take you to restore from backups?)
• Protocol for breach notifications
• An updated call list
• Follow up-tasks

The details of the plan should go in depth on the following areas:

• Incident response team details
  Response team members consist of employees and/or third-party members. It is crucial that all members of the incident response team are mentioned in detail in the IR plan, including their roles and responsibilities in case of an incident, and the training undertaken for that matter. It is especially important to separate the roles of incident handlers from the responsibilities of the resource managers.
• System and network information
  These include network and data flow diagrams and the hardware inventory. It’s important to know how an adversary could potentially move through your network from a particularly compromised host or system.
• Procedures for incident handling and reporting
  This section should include a model to complete an incident intake report with a detailed description of the incident and the compromised files.
• Lessons learned
  Two questions that should be asked following an incident are how to prevent similar incidents from occurring again and what about the incident response plan could be improved. Ask what worked and what didn’t, how the staff responded, and what parts of the plan need an update.
• Reporting to third parties and authorities
  Should include policies about when and how to report to the authorities, third parties, vendors, and users. Most incident reporting is governed by regulation standards.

How To Build An Effective Cyber Incident Response Team

Who’s who within an incident response plan.

These are the core functions of an IR team with their basic responsibilities. However, nothing is written in stone, so the actual responsibilities vary greatly from one organization to the other.

• Team leader—coordinates all incident response team activities.
• Communications—manages communications across the organization and with third parties. Should be trained in or supported by public relations.
• Lead Investigator—gathers and analyzes technical evidence, determines the cause of the attack, and directs other analysts and IT components to implement system and service recovery.
• Analysts/Researchers—support the investigator providing the threat intelligence and context for an incident. Cyber forensic analysts may be necessary to perform deep autopsies on compromised systems.
• Legal representation—it is essential to have HR and legal guidance to address potential criminal charges derived from the incident.

A team may consist of internally sourced members, partially or fully outsourced members on an as-needed basis. Third parties may, for example, provide experts that do more in depth forensics or help handle public/customer communications.

Where should the team be located?

CSIRT members are often distributed geographically to ensure the most time-zone coverage. This ensures that someone can be on guard and available at any time of the day. Redundancy is a must, with designated delegates when team members are unavailable. Small organizations usually benefit from outsourcing incident response functions to cover after hours or holiday periods but these usually require retainers to guarantee response time.

What is the role of Automation in Cybersecurity Incident Response?

With the lack of experienced professionals to fill these roles, automation is topping the list of initiatives in security operations, especially the new DevSecOps discipline coming to the cloud scene. Automation plays a crucial role in enabling these teams to continue providing secure quality work, without compromising on quality. The latest trends in automated incident response are implemented using playbooks which are code-less workflows that execute many of the repetitive tasks automatically once kicked off.

For many response scenarios though, there is no substitute for an experienced human analyst as not everything can be fully automated. Incident response can vary greatly from one incident to another and you’ll often have to make decisions with limited information.

Wrap Up

An effective CIRST can help respond quickly to security incidents, mitigating the damage caused to the organization. Thus, defining and building your CIRST is an important step that cannot be taken lightly.

Depending on the size and needs of your organization, a mix of in-house staff with third-party cybersecurity experts can be an option. Other companies outsource their managed security services to an MDR provider, giving them 24×7 peace of mind and allowing their IT team to focus their time elsewhere.

However you choose to assemble your IR team, you now know the core roles and responsibilities they should cover, as well as some best practices to develop a solid incident response policy.