
First Responders Course - Session 2 - Incident Response Teams [2004]


The second session from a two day for potential first responders across a large financial services client.


  1. Phil Huggins, February 2004
  2. Agenda
     • Client Relationship
     • Team Services
     • Team Roles
     • Team Types
     • External Teams
     • Team Management: Preparation, Initial Incident Team Meeting, Ongoing Management Tasks
  3. Client Relationship
     • Incident Response teams are customer service teams. Adversarial relationships with business units only lead to poor incident performance.
     • Incidents are very high stress events for business managers. If their expectations are different from the team's, they will become adversarial.
     • Set performance targets, let business units know what they are, and measure them.
     • Establish a protocol for team members when interacting with business unit staff.
  4. Team Services
     • What capabilities is the team going to offer the business units?
     • Extra services such as: Auditing, Specific Platform Skills, Forensic Acquisition, Forensic Analysis, Post-Incident Support.
  5. Team Roles
     • Team Manager and Logistics Officer: administration and personnel management. Usually reports to the CSO. Logistics and administrative support.
     • Team Leader: coordinator of an individual incident. Able to make operational decisions in most cases.
     • Senior Analyst: experienced specialist incident responders. Able to work independently of the team leader for extended periods.
     • Analyst: the incident responders. Not necessarily a dedicated resource. Strong technical skills (at least a power user).
     • Equipment Maintainer: maintains the availability of all Incident Response equipment. Responsible for acquiring new equipment as required during an incident.
  6. Team Types
     • Always more tasks than people to do them.
     • Internal Distributed CSIRT: a loose collection of pre-identified system administrators who can be re-tasked at short notice to perform incident response duties. Only works in organisations that are able to easily and successfully make and break teams on the fly. Requires significant buy-in from business line managers; the incident team may need to overcome 'tunnel vision' as they are closer to the systems day to day.
     • Internal Dedicated CSIRT: a dedicated team to provide nothing but security support to the business. Generally better trained and with higher availability. Can provide a more independent viewpoint on an incident. Necessary for more formal organisations where crossing group boundaries is difficult and fraught.
  7. Team Placement
     • Corporate: efficient use of resources, available corporate-wide; slower response times, political implications.
     • IT: easy access to system staff as required.
     • Business Unit: specialised, fast response, minimises downtime; even when only high-risk business units are served it becomes costly.
     • Hybrid: centralised function for awareness, training and shared resources; local teams to provide speed of response and specialist skills.
  8. External Teams
     • Public CSIRTs: CERT/CC, JANET CERT, FIRST. Good first points of contact if the incident involves systems owned by their constituents.
     • Commercial CERT Teams: expensive; good source of specialist knowledge and equipment.
  9. Preparation
     • Location: where has the incident occurred?
     • Situation: what has happened? Find out as much as possible. How did the incident come to light?
     • Intelligence: get as much detailed information as possible to enable you to make decisions and brief your team.
     • Mission: what is the aim of this incident response?
     • Execution: how are you going to achieve your aim? Follow the company standard incident response procedures. Have an outline plan of action.
     • Administration: what do you need to achieve your mission? Contact details of key people, etc.
     • Operations including Security: what are the constraints? Need-to-know basis; do not make it company-wide gossip. Who else should be informed: legal, HR, PR, senior management.
     • Logistics: do you need any specific items of kit or software to achieve your aim?
  10. Initial Incident Team Meeting
     • When first establishing an Incident Response team, the Team Leader and Team Manager need information.
     • The initial team meeting will either collate the information you need to plan the response, or identify who is going to gather and analyse that information for you.
  11. Initial Incident Team Meeting (continued)
     • Who are the key players? Sponsor, stakeholders, external suppliers.
     • What are the constraints?
     • Roles: explain what everyone will contribute and their responsibilities. Make it clear that teamwork is vital for success.
     • Do the company incident response procedures detail who to call upon? If not, identify the skills, knowledge and experience required.
     • Identify who is required and for how long. Are they available full-time or part-time?
  12. Ongoing Management Tasks
     • Keep the team focused; deal with distractions.
     • Keep your team informed of progress and what is happening.
     • Remember: the incident could well be fast-moving, and this could impact the members of the team, who may never have worked as a team in such conditions.