First Responders Course - Session 2 - Incident Response Teams
Phil Huggins, February 2004
- Client Relationship
- Team Services
- Team Roles
- Team Types
- External Teams
- Team Management
  - Preparation
  - Initial Incident Team Meeting
  - Ongoing Management Tasks
Client Relationship
- Incident Response teams are customer service teams.
- Adversarial relationships with business units only lead to poor incident performance.
- Incidents are very high stress events for business managers. If their expectations are different from the team's then they will become adversarial.
- Set performance targets, let business units know what they are and measure them.
- Establish a protocol for team members when interacting with business unit staff.
Team Services
- What capabilities is the team going to offer the business units?
- Extra services such as:
  - Auditing
  - Specific Platform Skills
  - Forensic Acquisition
  - Forensic Analysis
  - Post-Incident Support
Team Roles
- Team Manager and Logistics Officer
  - Administration and personnel management. Usually reports to the CSO.
  - Logistics and administrative support.
- Team Leader
  - Coordinator of an individual incident.
  - Able to make operational decisions in most cases.
- Senior Analyst
  - Experienced specialist incident responders.
  - Able to work independently of the team leader for extended periods.
- Analyst
  - The incident responders.
  - Not necessarily a dedicated resource.
  - Strong technical skills (at least a power user).
- Equipment Maintainer
  - Maintains the availability of all Incident Response equipment.
  - Responsible for acquiring new equipment as required during an incident.
Team Types
- There are always more tasks than people to do them.
- Internal Distributed CSIRT
  - A loose collection of pre-identified system administrators who can be re-tasked at short notice to perform incident response duties.
  - Only works in organisations that are able to easily and successfully make and break teams on the fly.
  - Requires significant buy-in from business line managers; the incident team may need to overcome 'tunnel vision' as they are closer to the systems day to day.
- Internal Dedicated CSIRT
  - A dedicated team to provide nothing but security support to the business.
  - Generally better trained and with a higher availability.
  - Can provide a more independent viewpoint on an incident.
  - Necessary for more formal organisations where crossing group boundaries is difficult and fraught.
Team Types (continued)
- Corporate
  - Efficient use of resources, available corporate wide.
  - Slower response times, political implications.
- IT
  - Easy access to system staff as required.
- Business Unit
  - Specialised, fast response, minimises downtime.
  - Even when only high risk business units are served it becomes costly.
- Hybrid
  - Centralised function for awareness, training and shared resources.
  - Local teams to provide speed of response and specialist skills.
External Teams
- Public CSIRTs
  - CERT/CC
  - JANET CERT
  - FIRST
  - Good first points of contact if the incident involves systems owned by their constituents.
- Commercial CERT Teams
  - Expensive.
  - Good source of specialist knowledge / equipment.
Preparation
- Location: Where has the incident occurred?
- Situation: What has happened? Find out as much as possible. How did the incident come to light?
- Intelligence: Get as much detailed information as possible to enable you to make decisions and brief your team.
- Mission: What is the aim of this incident response?
- Execution: How are you going to achieve your aim? Follow the company standard incident response procedures. Have an outline plan of action.
- Administration: What do you need to achieve your mission? Contact details of key people etc.
- Operations including Security: What are the constraints? Need to know basis. Do not make it company wide gossip. Who else should be informed: legal, HR, PR, senior management.
- Logistics: Do you need any specific items of kit or software to achieve your aim?
Initial Incident Team Meeting
- When first establishing an Incident Response team the Team Leader and Team Manager need information.
- The initial team meeting will either:
  - collate the information you need to plan the response, or
  - identify who is going to gather and analyse that information for you.
Initial Incident Team Meeting (continued)
- Who are the key players? Sponsor, stakeholders, external suppliers.
- What are the constraints?
- Roles? Explain what everyone will contribute and their responsibilities. Make it clear that teamwork is vital for success.
- Do the company incident response procedures detail who to call upon? If not, identify the skills, knowledge and experience required.
- Identify who is required and for how long. Are they available full-time or part-time?
Ongoing Management Tasks
- Keep the team focused, deal with distractions.
- Keep your team informed of progress and what is happening.
- Remember: the incident could well be fast moving and this could impact the members of the team, who may never have worked as a team in such conditions.