As the cyber-threat landscape evolves and data breaches escalate, incident response becomes more important than ever for any business. Consequently, to overcome any common challenges in security and to prevent, as much as possible, the often disastrous consequences of an intrusion, companies of all sizes are enlisting the help of team professionals specialized in rapid response when IT problems occur.

A computer security incident response team (CSIRT) is a body of people tasked with the difficult feat to address, timely and efficiently, all incidents that affect the organization. They are responsible for safeguarding the confidentiality, integrity and availability (CIA) of the business’ assets (computer systems or networks) and data. Expert services can be provided by in-house CSIRTs or outsourced to external service providers (MSSPs). In smaller organizations, an ad-hoc team can also be convened to provide response to an incident when the need arises.

A CSIRT’s main objective is to minimize the impact of any incidents. In order to do that, the team must include professionals with different expertise, from security analysts and incident handlers to network and system administrators, vulnerability handlers, trainers and management-level employees. The team must also involve other sections of the company, from human resources and legal to public relations and customer support. This is because resolving an incident doesn’t just mean stopping an intrusion, isolating the affected systems, recovering data and applying countermeasures. It also means responding to managers, keeping communication open with customers and the public, as well as requesting disciplinary actions if applicable.

A CSIRT might be part of an organization’s security operation center (SOC), a group responsible for the overall IT security of an organization including policies, compliance, governance and security of systems and applications. It can also coexist, providing the SOC with incident response (IR) capabilities in case of an incident.

As the number of computer security incidents continues to grow, more and more organizations are relying on IR teams who work independently from the SOC to provide effective response times and that make use of technologies, like SIEM products, to detect abnormal activity. No matter what type of CSIRT an organization decides to employ, the set of functions or services that a CSIRT provides is key to supporting critical business processes and systems. To be working in a 24/7 SOC environment position involves critical duties and responsibilities that must continue to be performed during crisis situations and contingency operations. And then it is obvious that particular attention needs to be given to choosing the right people to fulfil the necessary roles.

What Roles & Functions Should a CSIRT Perform?

According to The State of Incident Response 2017 survey, CSIRTs perform many different incident handling functions, from assessing the organization’s IR program to “perform[ing] collaborative, interactive investigations to scale the incident response function effectively within a security operations center.” The study also found there are a variety of staff members with IR roles. “When asked about their involvement with incident response, 31.8% of respondents stated that their duties were dedicated to the SOC or IR. However, 62.9% reported that they had some responsibility for incident response or the security operations center, or that they had oversight of IR and/or the SOC.”

Some CSIRT members will run internal IR exercises with the purpose to make improvements in accuracy, response time and reduction of attacks that surface. Others will be placed in positions assigned to analyst roles conducting deep incident analyses, as needed, to ensure the continuity of critical business functions. Other CSIRT members will be told to perform comprehensive IR services that will include the monitoring of an IT environment, assessing threats and providing intelligence against potential breaches or system weaknesses.

No matter what job roles make up the CSIRT team, members need to communicate with each other to work in synergy and “understand the functionality and use of various tools to facilitate the review and interpretation of incident data (compressed file formats and tools, archiving tools such as UNIX tar or WinZIP, uuencode/decode, etc.).”

What Technical Skills Are Needed When Staffing Your CSIRT?

The CSIRT comprises of professionals with different technical, communication and administrative expertise. In addition to their expertise, education and certifications, a set of skills that CSIRT staff members should have include basic knowledge of incident-handling services.

It is obvious that all CSIRT members need to have a knack for
incident response and solid technical skills to include acquaintance of the tools for managing risks when used in the organization to discover potential weak points. They also need to be well versed in understanding attack vectors, as well as vulnerabilities, severity of flaws, malicious codes, access control issues, and physical security requirements regarding CIA (confidentiality, integrity, availability) of data or resources to ensure they are available. Furthermore, to quickly identify and respond to incidents, all professionals in a CSIRT need to be well versed in network technologies, their applications, communication protocols and security issues.

What’s more, professionals must recognize intrusion techniques and apply analytical skills to analyze data, logs, inappropriate traffic and network behavior as well as possible motives for attack. The patterns they can identify and the information they can collect, evaluate and put in perspective could be invaluable in stopping further attacks and discovering the culprits. Specific technical skills, however, are not the only requirements in the personal experience baggage of CSIRT professionals.

What Soft Skills Are Needed When Staffing Your CSIRT?

As important are a number of other abilities and soft skills that are often just as important, which employers should look for in their candidates.

  • Communication skills. This is one of the main personal skills needed by all members of the team. Whether it is to communicate with other team members while in emergency mode, or to communicate calmly and effectively with clients, the public and executives, the ability to convey information clearly and at the appropriate level are essential in a CSIRT professional. Written communication is also important, as members need to be able to write effective policies, communicate clearly with stakeholders via emails and notices, as well as document incidents thoroughly.
  • Listening skills. The ability to pause and listen to the concerns and requests of clients as well as management is paramount when working during the resolution of an emergency. A CSIRT member who doesn’t take the time to listen to fellow team members or customers, diminishes his or her ability to resolve the incident in a more effective way.
  • Tact and diplomacy. Any time professionals are asked to deal with an emergency, they might find themselves in situation where they are hard pressed for information or deal with anxious, angry customers and/or managers. The ability to calmly handle all situations with tact and diplomacy can go a long way in keeping the organization focused on what needs to be done to minimize the impact of an incident, as well as to prevent the release of information that shouldn’t be public domain.
  • Teamwork. This is obvious. In an intricate group of professionals with different technical skills, experience and roles, it is important that all members are able to work well in a group, accept differences of approach, understand each other’s roles and be able to support each other’s functions without reserve. They also need to be able to interact with other sections of the organizations and non-technical staff, as well as recognize and accept leaders in their work group.
  • Trustworthiness and discretion. Members of a CSIRT are often made privy to highly sensitive information and need to preserve the information there are given. Members need to be able to strike the right balance between what is legitimate to divulge to stakeholders and what information should be well guarded from unnecessary disclosure.
  • Problem solving. This is one of the most important skills. Not all incidents are created equal, and professionals need to be able to adapt to changing situations, new scenarios and a variety of attacks in order to respond as quickly as possible. Strong problem solving skills and creativity support the technical abilities of team members and allow them to face and resolve even the most unexpected situations.
  • Ability to cope with stress. Although all jobs require the ability to keep calm and collected in difficult times, this is particularly important when dealing with incident response. A highly-skilled professional who crumbles under pressure is a weakness that no CSIRT team can afford.
  • Organizational skills. In an emergency, the ability to organize the work, prioritize it and apply time management skills is one of the most important traits. Juggling between the actual technical response to the attack or vulnerability while informing stakeholders, documenting findings and actions, and keeping the rest of the organization’s systems running, if possible, requires both types of skills to perform a certain job or task.

Ethical Hacking Training – Resources (InfoSec)

What Experience Are Employers Looking for When Staffing A CSIRT?

Employers tend to look for staff with the following experience:

  • Security-related experience detecting and collecting threat intelligence
  • Demonstrated problem-solving skills
  • Ability to conduct preventive and predictive analysis to help mitigate future threats

So, how does one become a dedicated a CSIRT member? Many organizations will hire staff who have earned a certificate by taking IR courses or have acquired a certification.

Companies will also look for professionals with expertise in
SIEMs. SIEM stands for security information and event management and it is a software for managing and investigating intruder alerts. A SIEM tool, therefore, is considered the core piece of software in a SOC. It can be utilized for automatic security management (incident response) to find suspicious or malicious activity by analyzing alerts by source, destination and type. Yet, a SIEM needs to be run by people who possess good skills to perform such an evaluation.

There’s also the option for companies to train existing team members. Additional training and certifications for staff can help them respond and resolve network security issues very quickly. Those that lack a certain set of skills and technical expertise may find InfoSec Institute’s hands-on
Incident Response course valuable to know what it takes to properly detect, contain and mitigate security incidents.

New CSIRT technical staff may consider the
GIAC Certified Incident Handler (GCIH) certification to ensure they have mastered the skills necessary for this role, including how to identify common attack techniques, vectors and tools used in defending against and/or responding to threats when they occur.

Certificate programs are also available. A CERT Incident Response Process Professional Certificate, available through the Software Engineering Institute (SEI) operated by Carnegie Mellon University, for example offers training courses (both Fundamental and Advanced Incident Handling) that can prepare learners for the next steps in their careers. The courses will neither give official academic credentials nor award academic credit toward a degree; nonetheless, they can add to the professional knowledge bank of any CSIRT member. This certification is intended for computer security incident response team (CSIRT) technical staff with one to three months of experience, and is designed to provide an understanding of incident handling practices and functions. However, SEI CERT also provides a Certified Computer Security Incident Handler (CSIH) certification. This program is recommended for those with one or more years of experience in incident handling and/or equivalent security-related experience.

Conclusion

The presence of a CSIRT in an organization can help enhance security and ensure business continuity. It’s members gain insight into threats against the organization, provide quick and efficient incident recovery, control and minimize any damage, and prevent future incidents.

Time and again, businesses fail to understand how security incidents happen in the first place. With online crime continuing to surge in 2018, CSIRTs are becoming essential. Given the frequency and complexity of today’s cyber attacks, IR is a critical function for organizations. There are resources available to gain a better understanding of the structure and functions of existing teams: For example, the
NIST Special Publication 800-61 Revision 2 of the Computer Security Incident Handling Guide or the
CMU/SEI-2003-HB-002 Handbook for Computer Security Incident Response Teams (CSIRTs) describes the tools, procedures and roles necessary to implement the team. However, creating ad-hoc teams requires finding the right mix of people, processes and technologies (CSIRT/SOC/SIEM). In other words, it’s all about striking the right balance between workforce talent and the right security tools. In particular, it is important to employ professionals who possess the special skills (technical and personal) and knowledge that will help them support the long-term resiliency of companies’ IT infrastructures.

References

Admin. (2016, January 24). Common Cyber Security Mistakes Made by Organizations. Retrieved from
http://infosecnewswire.com/common-cyber-security-mistakes-made-by-organizations/

Agarwal, V. & Redmond, M. C. (n.d.). The Important Role of a Cyber Security Incident Response Program. Retrieved from
http://www.disaster-resource.com/index.php?option=com_content&view=article&id=2535:the-important-role-of-a-cyber-security-incident-response-program&catid=6:information-technology

Carnegie Mellon University. (n.d.). CSIRT Frequently Asked Questions (FAQ). Retrieved from
https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm?

Carnegie Mellon University. (n.d.). What Skills Are Needed When Staffing Your CSIRT? Retrieved from
https://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm?

Carnegie Mellon University. (2017). What Skills Are Needed When Staffing Your CSIRT? (Whitepaper. REV-03.18.2016.0). Retrieved from
https://resources.sei.cmu.edu/asset_files/WhitePaper/2017_019_001_485684.pdf

CyberSponse, Inc. (2017, April 26). The Difference Between CERTs and CSIRTs? What are They? Retrieved from
https://cybersponse.com/the-difference-between-certs-and-csirts-what-are-they

Demisto, Inc. (2017). The State of Incident Response 2017. Retrieved from
https://go.demisto.com/hubfs/Resources/Reports/State%20of%20Incident%20Response%202017/The%20State%20of%20Incident%20Response%202017.pdf

Horne, B. (2014, October 15). On Computer Security Incident Response Teams. IEEE Computer Society Research. Volume: 12, Issue: 5, Sept.-Oct. Page(s): 13 – 15. DOI:
10.1109/MSP.2014.96

Incident Response Consortium. (2017, May 11). SOC vs CSIRT… What is the Difference? Retrieved from
https://www.incidentresponse.com/soc-vs-csirt-what-is-the-difference/

Killcrece, G. (2013, July 2). Incident Management. Retrieved from
https://www.us-cert.gov/bsi/articles/best-practices/incident-management/incident-management

Mertens, X. (2017). Pro & Con of Outsourcing your SOC. Retrieved from
https://isc.sans.edu/forums/diary/Pro+Con+of+Outsourcing+your+SOC/22253/

Williamson, L. (2017, September 22). When it comes to cyberattacks, it’s not enough to have the best technology. HR needs to take an active hand in staff training. Retrieved from
https://www.hrmonline.com.au/technology/prevent-security-breach/