Incident response

DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know

October 28, 2020 by Greg Belding


Not a month goes by without the new media reporting that another city or municipality has fallen victim to a cyberattack, and oftentimes this attack comes in the form of ransomware. To help federal and non-federal entities with this ever-present risk, the DHS Cyber Hunt and Incident Response Teams Act of 2019, also known as HIRT, was passed. This law builds on DHS’s previous cybersecurity initiatives to strengthen DHS’s cybersecurity posture. 

This article will detail the HIRT act. We will give an overview of what the HIRT Act is and the benefits that HIRT offers, as well as how HIRT fits into DHS’s efforts to prepare for large-scale cyberattacks. 

What is HIRT?

The DHS Cyber Hunt and Incident Response Teams Act (HIRT) is a step towards a stronger cybersecurity posture for federal and non-federal entities and critical infrastructure (CI). This is achieved in part by coordinating with federal, state and local governments, as well as with owners, operators and vendors of control systems. Collaboration initiatives include efforts involving Computer Emergency Response Teams, or CERTS, in the private sector. HIRT operates under the National Cybersecurity and Communications Integration Center (NCCIC).

HIRT buttresses cybersecurity efforts contained in the Homeland Security Act of 2002 with the most dramatic change that it offers — permanently operating cyber hunting and incident response teams capable of aiding in the event of a large-scale cyberattack. This is especially important during debilitating ransomware attacks upon entities that do not have the resources or capability to pay the ransom or effectively respond to or mitigate the cyberattack.

The benefits of HIRT

HIRT offers distinct benefits over and above the Homeland Security Act of 2002 that make HIRT a more responsive and effective approach to cybersecurity and a solid step in the right direction in terms of security. Think of it as the team member that ties DHS’s cybersecurity and readiness together into something better.

Incident response

The most substantive benefit that HIRT offers organizations (in fact, HIRT is named after this benefit) is urgent investigation and resolution of cyber incidents in the form of a Hunt and Incident response team for free. This team forms DHS’s front-line response force for cyberattacks and offers proactive hunting for malicious cyber incidents.

The HIRT team begins a typical investigation by a notification of a cyberattack. The team performs a preliminary diagnosis to uncover the extent of the compromise. Based upon the organization’s request, the team can meet with the organization to identify compromised systems, review network topology, image drive for deeper analysis and collect other necessary data on an as-needed basis for complete analysis and investigation. After analysis, the team can provide mitigation strategies, help to restore service and offer recommendations for improving overall security of the organization’s network and control systems.

Advanced Analytical Laboratory

Available to the HIRT team is the use of the Advanced Analytical Laboratory, or AAL. This key service offering allows for advanced analysis of malware faced by control system environments. AAL offers on-site assistance, forensics analysis, remote analysis and recovery efforts.

Vulnerability coordination

To ensure timely ICS vulnerability mitigation in order to avert the likelihood of cyberattack success against US critical infrastructure, NCCIC offers vulnerability coordination. HIRT uses a five-step vulnerability coordination process:

  1. Detection and collection
  2. Analysis
  3. Mitigation coordination
  4. Application of mitigation
  5. Disclosure

Site assistance and evaluation for ICS and CI

To strengthen US ICS and CI control system security postures, NCCIC offers site assistance and evaluations. Other offerings provided by NCCIS are incident handling and vulnerability coordination by using on-site analysis, assessment and mitigation techniques to counter cyber intrusions and exploits.

Cybersecurity Evaluation Tool

Another useful offering provided by HIRT is the Cybersecurity Evaluation Tool, or CSET. CSET is a desktop tool that allows users to create a self-assessment of their network security and ICS security practices. This data is held against industry and government guidelines, standards and recommended practices. The CSET report gives the organization a prioritized list of improvements for its respective network and ICS security practices as well as the steps needed to reach the recommended level of security.

How HIRT fits into DHS cybersecurity

NCCIC was created in 2009 to streamline and coordinate the nation’s response to cyber threats and HIRT was rolled out to advance these responsibilities. Before HIRT was created, NCCIC did not offer teams to organizations facing cyberattacks and lacked the ability to report on the effectiveness of its cyber risk mitigation capabilities. 

HIRT addresses both of these weaknesses by serving as an on-demand cyber hunting and incident response team as well as providing enhanced data gathering capabilities and metrics to measure and report on its effectiveness in cyber-risk mitigation. In effect, HIRT gives DHS stronger cybersecurity capabilities which are more measurable.


Cybersecurity is not a new focus for DHS; however, the application of their cybersecurity savvy was hampered to an extent by the original NCCIC, which did not translate into the advanced cybersecurity capabilities the age required. In response, HIRT was enacted into law, providing cyber hunt and incident response teams to federal and non-federal organizations that suffer large scale cyberattacks. 

HIRT is not a magic bullet in the war against cyberattacks, but it is a substantial jump in the direction of a stronger DHS cybersecurity posture.



What Is The DHS Cyber Hunt And Incident Response Teams Act?, Triaxiom Security

NCCIC ICS, National Cybersecurity and Communications Integration Center

Senate Report 116-27 – DHS Cyber Hunt and Incident Response Teams Act of 2019,

Posted: October 28, 2020
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.