First Responders Course - Session 2 - Incident Response Teams [2004]



The second session of a two-day course for potential first responders across a large financial services client.



  1. Phil Huggins, February 2004
  2. Client Relationship; Team Services; Team Roles; Team Types; External Teams; Team Management: Preparation, Initial Incident Team Meeting, Ongoing Management Tasks
  3. Client Relationship
     • Incident Response teams are customer service teams. Adversarial relationships with business units only lead to poor incident performance.
     • Incidents are very high stress events for business managers. If their expectations differ from the team's, they will become adversarial.
     • Set performance targets, let business units know what they are, and measure them.
     • Establish a protocol for team members when interacting with business unit staff.
  4. Team Services
     • What capabilities is the team going to offer the business units?
     • Extra services such as: Auditing; Specific Platform Skills; Forensic Acquisition; Forensic Analysis; Post-Incident Support
  5. Team Roles
     • Team Manager and Logistics Officer: Administration and personnel management. Usually reports to the CSO. Logistics and administrative support.
     • Team Leader: Coordinator of an individual incident. Able to make operational decisions in most cases.
     • Senior Analyst: Experienced specialist incident responders. Able to work independently of the team leader for extended periods.
     • Analyst: The incident responders. Not necessarily a dedicated resource. Strong technical skills (at least a power user).
     • Equipment Maintainer: Maintains the availability of all Incident Response equipment. Responsible for acquiring new equipment as required during an incident.
  6. Team Types
     • There are always more tasks than people to do them.
     • Internal Distributed CSIRT: A loose collection of pre-identified system administrators who can be re-tasked at short notice to perform incident response duties. Only works in organisations that are able to easily and successfully make and break teams on the fly. Requires significant buy-in from business line managers; the incident team may need to overcome 'tunnel vision', as they are closer to the systems day to day.
     • Internal Dedicated CSIRT: A dedicated team that provides nothing but security support to the business. Generally better trained and with higher availability. Can provide a more independent viewpoint on an incident. Necessary for more formal organisations where crossing group boundaries is difficult and fraught.
  7. Team Placement
     • Corporate: Efficient use of resources, available corporate-wide. Slower response times, political implications.
     • IT: Easy access to system staff as required.
     • Business Unit: Specialised, fast response, minimises downtime. Even when only high-risk business units are served it becomes costly.
     • Hybrid: Centralised function for awareness, training and shared resources. Local teams to provide speed of response and specialist skills.
  8. External Teams
     • Public CSIRTs: CERT/CC, JANET CERT, FIRST. Good first points of contact if the incident involves systems owned by their constituents.
     • Commercial CERT Teams: Expensive. Good source of specialist knowledge / equipment.
  9. Preparation
     • Location: Where has the incident occurred?
     • Situation: What has happened? Find out as much as possible. How did the incident come to light?
     • Intelligence: Get as much detailed information as possible to enable you to make decisions and brief your team.
     • Mission: What is the aim of this incident response?
     • Execution: How are you going to achieve your aim? Follow the company standard incident response procedures. Have an outline plan of action.
     • Administration: What do you need to achieve your mission? Contact details of key people, etc.
     • Operations including Security: What are the constraints? Need-to-know basis. Do not make it company-wide gossip. Who else should be informed: legal, HR, PR, senior management.
     • Logistics: Do you need any specific items of kit or software to achieve your aim?
  10. Initial Incident Team Meeting
     • When first establishing an Incident Response team, the Team Leader and Team Manager need information.
     • The initial team meeting will either collate the information you need to plan the response, or identify who is going to gather and analyse that information for you.
  11. Initial Incident Team Meeting (continued)
     • Who are the key players? Sponsor, stakeholders, external suppliers.
     • What are the constraints?
     • Roles? Explain what everyone will contribute and their responsibilities. Make it clear that teamwork is vital for success.
     • Do the company incident response procedures detail who to call upon? If not, identify the skills, knowledge and experience required.
     • Identify who is required and for how long. Are they available full-time or part-time?
  12. Ongoing Management Tasks
     • Keep the team focused; deal with distractions.
     • Keep your team informed of progress and what is happening.
     • Remember: the incident could well be fast moving, and this could impact the members of the team, who may never have worked as a team in such conditions.