Author: Tim Coakley
At its core the CSIRT (Cybersecurity Incident Response Team) comprises one or more individuals who will respond to a cyber security incident. The team members are typically internal employees of an organization, but they can also include external third-party security providers who specialize in providing contractual incident response services.
Team members are generally specialists in technical roles, so it is not surprising that staff are drawn from technical cyber security, IT departments, or engineering teams. In addition to the technical staff, there may also be personnel who specialize in stakeholder management and those who have detailed knowledge of the organization. There will also be additional supporting members including, but not limited to, corporate communications, legal, data protection and human resources, whose involvement depends very much on each incident.
Within large or mature organizations, incident response capabilities will often be full-time roles dedicated to working on incidents or preparing for future incidents. In smaller or less mature organizations, it is common for incident response teams to be composed of part-time staff who are called upon when needed. In some situations, there may be a hybrid setup where a large organization has no in-house incident response capability and the function is entirely outsourced to a managed security services provider (MSP).
Note: Financial budgets play a large part in all aspects of cybersecurity, so the size, capability, and availability of a CSIRT team vary. These are balanced against how much budget is available, the perceived risks to the business, the likelihood of a CSIRT team being required and the estimated frequency of incidents.
Where does a CSIRT reside? That depends on the organization. Localized organizations will naturally opt for all team members to be present together, physically sitting alongside colleagues close to other business units. Global organizations will opt for a hub-and-spoke model, where a central CSIRT team is present and regional security representatives are placed in key areas around the world. In more recent times, there has been a huge shift towards hybrid/remote working, and it is even more common now for CSIRT members to be working and coordinating virtually, the opposite of the traditional office roles we may have been used to in the past.
Is a CSIRT necessary? Each organization will be concerned about particular risks to its business data, people, and operations. Because of these risks, some CSIRT capability is needed. It is common for organizations to create CSIRT teams after a security incident has already impacted the business and the lessons learned through that experience have taught leaders the value of having this incident response capability. Surprisingly, however, there are organizations that still do not have any CSIRT, and this could be due to maturity, low risk, no budget or all of the above. Finally, it is important to note that some organizations must have a CSIRT. This could be the case for a variety of reasons, spanning industry regulations to cyber security insurance mandates that must be met for a policy to remain valid.
The structure of an incident response team will vary. Viewed from the bottom up, a team may consist of, but is certainly not limited to:
- Security analysts
- Subject matter experts
These members will feed into a security incident response lead, who coordinates between these investigative roles. The security incident response lead will liaise upwards with the security incident manager, who in turn communicates with other team leads from legal, data protection or communications teams, to name a few. The security incident manager is also often the one who will brief executives and C-level staff and handle any escalation activities that may require approval.
Outside of the immediate team, there will also be other interested groups, such as local or national law enforcement, outsourced providers and even vendor-specific support.
Important Note: Some of these team roles may be performed by the same person.
Communication is key
The escalation and communication process is critical. Without it, valuable time, effort, and resources may be wasted, which in turn could worsen the impact of a security incident. It is important that each team member understands their own role, knows what to do and where to send information and reports, and uses approved communication methods.
Security incident reports should be collated and distributed to all the stakeholders that need the information. It is equally important to limit the incident response communication chain to only those who need the information.
Communications channels should be approved prior to an incident, not during. This is especially true when an organization is required to release information publicly or to the press.
An organization will determine when its CSIRT should operate; coverage can be limited to working days only, excluding evenings and weekends. Many global organizations that have 24x7 operations will equally have 24x7 CSIRT coverage. Out-of-hours availability will require having an employee on standby in the event of an incident.
Preparation prior to any incident occurring is perhaps the single most important step, and the level of detail required varies. Examples of security incident preparedness include, but are not limited to, creating template forms and procedural documents that walk team members through certain actions, and maintaining up-to-date contact information for key stakeholders.
Training and continual development
IT training and development is very important, as the pace of technological change means incident responders need to keep up to date with the latest developments. This type of training helps them face a variety of technical situations that an untrained person could find overwhelming under high pressure.
Key incident response team members will also require specific cybersecurity training so that they have up-to-date knowledge of current security tools, technology and incident response processes. This type of training could include blue team defender training, as an example.
Finally, incident responders learn and gain experience during each security incident. The lessons learned after each incident tell the team what went well or not so well, helping them to prepare better for the next incident. It is equally important to share some of this knowledge with the wider organization, so that others can learn from it and gain a better awareness of why the CSIRT is such an important organizational security function.