CSIRT – What to do:
- A CSIRT may perform both reactive and proactive functions to help protect and secure the critical assets of an organization.
- There is not one standard set of functions or services that a CSIRT provides.
- The team chooses their services based on the needs of their constituency.
- Whatever services a CSIRT chooses to provide, the goals of a CSIRT must be based on the business goals of its constituent or parent organizations.
- Protecting critical assets is key to the success of both an organization and its CSIRT.
- The CSIRT must enable and support the critical business processes and systems of its constituency.
- A CSIRT is similar to a fire department: just as a fire department “puts out a fire” that has been reported, a CSIRT helps organizations contain and recover from computer security breaches and threats. The process by which a CSIRT does this is called incident handling. But just as a fire department performs fire education and safety training as a proactive service, a CSIRT can also provide proactive services. These types of services may include security awareness training, intrusion detection, penetration testing, documentation, or even program development. These proactive services can help an organization not only prevent computer security incidents but also decrease the response time involved when an incident occurs.
Where to Begin:
- Creating an incident response policy and plan.
- Developing procedures for performing incident handling and reporting.
- Setting guidelines for communicating with outside parties regarding incidents.
- Selecting a team structure and defining responsibilities for each team member.
- Establishing relationships and lines of communication between the incident response team and other groups, both internal and external.
- Determining what services the incident response team should provide.
- Staffing and training the incident response team.
- Setting priorities for incident handling.
- Establishing effective methods of collecting, analyzing and reporting incident data.
- One of the benefits of having an incident response capability is that it supports responding to incidents systematically (following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response helps to minimize loss or theft of information and disruption of services caused by incidents. Another benefit of incident response is the ability to use information gained during incident handling to better prepare for handling information security incidents.
- An incident response plan includes the following elements:
  - Strategies and goals.
  - Senior management approval.
  - Organizational approach to incident response.
  - How the incident response team will communicate with the rest of the organization and with other organizations.
  - Metrics for measuring the incident response capability and its effectiveness.
  - Roadmap for maturing the incident response capability.
  - How the program fits into the overall organization.
- When an incident is analyzed and prioritized, we need to notify the appropriate individuals so that all who need to be involved will play their roles. Incident response policies should include provisions concerning incident reporting—at a minimum, what must be reported to whom and at what times (e.g., initial notification, regular status updates).
- Individuals typically notified: CIO, Head of information security, Local information security officer, Other incident response teams within the organization, System owner, Human resources (for cases involving employees, such as harassment through email), Legal department & Law enforcement.
- Plan and prepare several appropriate communication methods to provide status updates to certain parties.
Handling incidents effectively:
- Acquire tools and resources that may be of value during incident handling.
- Try to prevent incidents from occurring by ensuring that networks, systems, and applications are sufficiently secure.
- Identify precursors and indicators through alerts generated by several types of security software.
- Establish mechanisms for outside parties to report incidents.
- Profile networks and systems and learn their normal patterns, so that abnormal behavior is recognized more easily.
- Create a log retention policy.
- Perform event correlation.
- Keep all host clocks synchronized.
- Build and update the knowledge base of useful information – The knowledge base should include general information, such as data on precursors and indicators of previous incidents.
- Start recording all information as soon as the team suspects that an incident has occurred.
- Safeguard incident data.
- Prioritize handling of the incidents based on the relevant factors.
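The precursor/indicator, clock-synchronization and event-correlation points above, worked through as an added example that is not part of the original notes. The log lines, host names, addresses and the detection rule are constructed; one host logs in a different time zone, and `correlate()` only finds the cross-host pattern because `parse_line()` first normalizes every timestamp to UTC.

```python
"""Event correlation across hosts with normalized clocks.
Added example, not from the original notes; all log lines, host names,
addresses and the detection rule below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs from a firewall (fw01, logging in UTC) and a web
# server (web01, whose clock is set to UTC-05:00). Without normalizing to
# one time zone, web01's events would appear five hours away from fw01's
# and the correlation below would miss them.
SAMPLE_LOGS = [
    "2024-03-04T10:00:02+00:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-04T10:00:05+00:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-04T05:00:09-05:00 web01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T05:00:11-05:00 web01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T05:00:14-05:00 web01 sshd: Accepted password for root from 203.0.113.7",
    "2024-03-04T10:30:00+00:00 fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=445",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SRC_RE = re.compile(r"(?:src=|from )(?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Split a log line into a dict; the timestamp is converted to UTC so
    events from differently zoned (or skewed) hosts can be compared."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    src = SRC_RE.search(m["msg"])
    return {"ts": ts, "host": m["host"], "msg": m["msg"],
            "src": src["ip"] if src else None}


def is_precursor(ev):
    # blocked connections and failed logins are the precursors this rule uses
    return "DENY" in ev["msg"] or "Failed password" in ev["msg"]


def is_success(ev):
    return "Accepted password" in ev["msg"]


def correlate(lines, window=timedelta(minutes=5), min_precursors=2):
    """Flag a source address when a successful login follows at least
    `min_precursors` precursor events from the same source within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["src"]:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])          # order is only meaningful after UTC normalization
        precursors = [e for e in events if is_precursor(e)]
        for s in filter(is_success, events):
            prior = [p for p in precursors if s["ts"] - window <= p["ts"] <= s["ts"]]
            if len(prior) >= min_precursors:
                findings.append({
                    "src": src,
                    "hosts": sorted({e["host"] for e in prior + [s]}),
                    "precursors": len(prior),
                    "first_seen": prior[0]["ts"].isoformat(),
                    "success_at": s["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```

Running it reports one finding for 203.0.113.7 spanning both hosts (four precursors, then an accepted login 12 seconds after the first firewall deny); the single deny from 198.51.100.9 stays below the threshold. The rule, window and threshold are the kind of data the knowledge base of previous precursors and indicators should feed, and the retention policy decides how far back the correlation can look.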
Incident information sharing:
- Plan incident coordination with external parties before incidents occur.
- Consult with the legal department before initiating any coordination efforts.
- Perform incident information sharing throughout the incident response lifecycle.
- Attempt to automate as much of the information sharing process as possible.
- Balance the benefits of information sharing with the drawbacks of sharing sensitive information.
- Share as much of the appropriate incident information as possible with other organizations. Organizations should consider which types of tech
Tips and implementation points:
- Institutionalize the team and define its SLA.
- Define the team members who act as points of contact (POC) for outside and inside parties.
- Hold a roundtable with IT once every two weeks or once a month.
- Invest in the team's growing knowledge, skills and responsibilities.
- Hold a weekly team review.
- Team member critical skills: sysadmin background, programming, intrusion detection, teamwork.
- Build a containment strategy for incident handling.
- Distribute events for treatment according to categories determined by their level of risk and impact (according to predefined definitions).
- Define how relevant information is distributed within the organization.
- Build response guides for incidents by type, importance and category, with the appropriate action scenarios for each.
- Establish a local site for knowledge sharing, regular updates, training and more.
- Define evidence gathering processes and procedures.
- Delegate various powers to information security trustees who will be defined as critical focal points in the organization.
- Maintain an incident handling checklist.
- Branding, branding, branding: collaborate with influential technical people, HR, the legal bureau and more.
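The prioritization point under "Handling incidents effectively" and the categorization, distribution and response-guide points in this list, worked through as one added example that is not part of the original notes. The rating scales, weights, category thresholds, acknowledgement SLAs and response-guide names are constructed assumptions; the factor names loosely follow the functional impact, information impact and recoverability criteria of NIST SP 800-61, which the notes do not spell out, and the notification targets are taken from the list of individuals typically notified above.

```python
"""Triage incidents into predefined categories from impact and risk factors.
Added example, not from the original notes; scales, weights, thresholds,
SLA values and guide names below are constructed assumptions."""
from dataclasses import dataclass

# Constructed rating scales (0 = none ... 3 = high), loosely modelled on the
# functional impact / information impact / recoverability factors in
# NIST SP 800-61. The notes only say "relevant factors"; these are assumed.
FUNCTIONAL_IMPACT = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION_IMPACT = {"none": 0, "privacy_breach": 2,
                      "proprietary_breach": 2, "integrity_loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}
ASSET_CRITICALITY = {"standard": 1, "important": 2, "critical": 3}

# Predefined categories: (min_score, category, who to notify, response guide,
# acknowledgement SLA in minutes). Constructed; names of the people notified
# come from the notification list in the notes.
CATEGORIES = [
    (12, "P1-critical", ["CIO", "head_of_security", "legal"], "guide-critical-breach", 15),
    (8,  "P2-high",     ["head_of_security", "system_owner"], "guide-high", 60),
    (4,  "P3-medium",   ["local_iso", "system_owner"],        "guide-medium", 240),
    (0,  "P4-low",      ["local_iso"],                        "guide-low", 1440),
]


@dataclass
class Incident:
    ident: str
    functional: str
    information: str
    recoverability: str
    criticality: str
    involves_employee: bool = False   # HR is added to the notification list when True


def score(inc):
    """Risk score: functional impact is weighted by how critical the affected
    asset is, so the same outage weighs more on a critical system."""
    base = FUNCTIONAL_IMPACT[inc.functional] * ASSET_CRITICALITY[inc.criticality]
    return base + INFORMATION_IMPACT[inc.information] + RECOVERABILITY[inc.recoverability]


def triage(inc):
    """Map an incident to its category, notification list, response guide and SLA."""
    s = score(inc)
    for min_score, category, notify, guide, ack_minutes in CATEGORIES:
        if s >= min_score:
            notify = list(notify)
            if inc.involves_employee and "hr" not in notify:
                notify.append("hr")
            return {"ident": inc.ident, "score": s, "category": category,
                    "notify": notify, "guide": guide, "ack_minutes": ack_minutes}
    raise ValueError(f"no category for score {s}")


def triage_queue(incidents):
    """Order the work queue: highest score first, ticket id as a stable tie-break."""
    return sorted((triage(i) for i in incidents), key=lambda r: (-r["score"], r["ident"]))


# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "high", "none", "regular", "critical"),
    Incident("INC-2", "low", "privacy_breach", "extended", "important", involves_employee=True),
    Incident("INC-3", "medium", "integrity_loss", "not_recoverable", "critical"),
    Incident("INC-4", "none", "none", "regular", "standard"),
]

if __name__ == "__main__":
    for row in triage_queue(SAMPLE_INCIDENTS):
        print(row)
```

With these definitions INC-3 (integrity loss on a critical, non-recoverable system) scores 12 and lands in P1 with a 15-minute acknowledgement SLA, while INC-2 adds HR to the notification list because an employee is involved. Keeping the scales and categories as data rather than code is what lets the predefined definitions be reviewed at the periodic IT roundtable without touching the triage logic.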