How to develop an efficient Incident Response Team
Relying on an Incident Response Team (IRT) is the best way to defend against cyber attacks and to manage and handle a cyber security incident when it occurs. It is not only a matter of compliance with regulations that require the adoption of appropriate and proportionate technical and organisational measures to manage risks, to prevent and minimise the impact of incidents on the security of network and information systems, and to ensure service continuity for organisations.
But how can we organise such a strategic structure for corporate security and make it fully operational? It is necessary to identify the roles, responsibilities and procedures that, within the framework of company policies, the available budget and the organisation's business objectives, can intervene to prevent and manage security incidents.
Defining Incident Response Team
An IRT is an organisational entity, normally formalised in the corporate organisation chart, consisting of two or more staff members who are assigned the responsibility of coordinating and supporting the response to an IT security incident or event. The objective of an IRT (also called a CSIRT, Computer Security Incident Response Team) is the maximum reduction and control of damage resulting from security incidents, providing effective guidance for response and recovery activities and for the prevention of future incidents.
The activities of the IRT are varied and very heterogeneous: this depends both on the multitude of different critical issues it may have to deal with and on the different levels of management required. Although there are many ready-made frameworks and models to regulate the work of an IRT, they can all be traced back to six main pillars: preparedness, identification, containment, eradication, recovery and post-mortem, with the last step being an in-depth analysis of how the incident was handled.
Composition and roles of an Incident Response Team (IRT)
An Incident Response Team brings together several distinct figures: Management, Technical lead, Legal support, Communications, Interface to the security committee and Security Officer. Each of these figures is involved according to a role-responsibility matrix (depicted below), which distinguishes five responsibilities:
- Owner, who makes the decisions and owns the process;
- Helper, who helps with the process;
- Advisor, who advises on the process;
- Implementer, who carries out the work;
- Updater, who updates the status and actions of the other team members.
[Figure: role-responsibility matrix of the Incident Response Team]
What an IRT does: the tasks of an Incident Response Team
Key responsibilities of an Incident Response Team include:
- the creation and management of an incident response plan;
- incident investigation and analysis;
- management of internal communications and updates during or immediately after incidents;
- incident communication to employees, shareholders, customers and the press;
- implementation of incident remediation;
- post-incident recommendations for changes to technology, policy, governance and training.
For the Incident Response Team to operate effectively, all the activities listed above must be covered by dedicated procedures. These procedures must be communicated to the personnel involved, be accessible when needed, be summarised for quick reference, and be referred to in the company's Incident Management process, which is issued and maintained within the company's process framework and, if necessary, certified according to current regulations.
Incident Response Teams may vary their focus depending on the sector to which the organization belongs. For instance, law enforcement IRTs may focus on the prosecution of cybercrime incidents, collecting and analyzing computer forensic data from affected or involved systems. Government or private IRTs may be involved in security awareness training and general incident management activities, but they never conduct forensic activities, which are handled by ad hoc investigators and professionals.
Differences between IRT, CERT, and SOC
In order not to confuse the role of IRTs with that of Computer Emergency Response Teams (CERTs) and that of Security Operations Centers (SOCs), please note that:
- a CERT collects and disseminates security information;
- an IRT responds to incidents;
- the SOC is where the network, servers, applications, and endpoint computers are monitored and defended.
An explanatory diagram is shown here: [Figure: relationship between SOC, CERT and IRT]
SOCs, CERTs and IRTs work in a cyclic, seamless manner, and even moments of (relative) calm require the Incident Response Team to be ready to catch even the slightest alert in order to act in time. To do this, continuous study and updating of policies, tools and skills is essential, so that each critical issue is approached in the right way and business continuity for the affected infrastructure is guaranteed as far as possible.