When there’s an emergency in the physical world, first responders, like paramedics, police and firefighters, play a vital role in urgent triage. In the digital realm, incident responders do the exact same thing for security breaches and cyber incidents. They can be the difference between a thwarted cyber attack and mass data theft.
Despite the necessity of cyber security incident response teams (“CSIRT”), 77% of security and IT professionals recently stated they do not have a cyber security incident response plan applied consistently across the enterprise. In many instances, a lack of understanding, resources and technical expertise is preventing organisations from responding to cyber incidents in those first crucial hours – if not minutes.
When thinking about data breaches, organisations should consider ‘when, not if’. Putting together a CSIRT is critical. To help you understand more about security incident responders and how to compile your own team, read on below.
Who is a security incident responder?
A security incident responder is a member of an organisation’s CSIRT – a team of people who handle responses to cyber security incidents. Despite the name’s focus on cyber security, the team is not just made up of IT staff. Key participants also include members of the HR, legal and communications departments, as outlined below:
- Team leader: Oversees and manages all incident response activities.
- Communications: Responsible for communications about the incident internally and with third parties, such as customers and the press. This function has multiple facets: HR representatives, public relations personnel and customer relations staff.
- Lead investigator: Like a forensic detective, this person analyses evidence from the attack to determine the cause. They then share this information with other members of the team for management and remediation.
- Analysts: Support the investigator in understanding the incident, remediation and minimising further damage.
- Legal: Support with any potential regulatory and legal issues arising from the event, such as whether a mandatory personal data breach notification is required if customers or employees are impacted.
- Finance: Assist by releasing funds and resources as needed to respond to an incident.
In small and medium-sized businesses, the core team is typically made up of internal employees, who take on incident response duties on top of their usual day-to-day roles. Many companies also outsource elements of incident response, calling upon an external team to help with preparation and parachute in as a situation arises.
What do security incident responders do?
The CSIRT's role is to prevent, respond to, and mitigate security incidents in a coordinated and planned manner. They are tasked with minimising the impact of an event and getting operations back to business-as-usual as soon as possible.
As part of their duties, they are also responsible for creating incident response plans (“Plan”), policies and protocols, and raising awareness within the organisation of how to respond effectively to an incident. Below is a step-by-step example of how the CSIRT operates.
- Planning: The Plan should set out roles and responsibilities, details about who is in the team, and authority level requirements for invoking the Plan and mobilising the CSIRT. The Plan should be supported by documents setting out strategies for responding to specific threats, as well as how to contain and recover from them generally and on specific systems.
- Activation: Should a security event occur, the team leader will quickly notify each member of the team so that they can commence their responsibilities, in line with the Plan.
- Assessment: The lead investigator and cyber security analysts will assess the event to identify the cause, what information (if any) has been impacted and what response is needed.
- Triage: Following this, the team will work together to minimise harm caused by the event. This will likely include isolating the impacted systems to avert further disclosure of sensitive data. At this point, the HR and communications team may need to communicate the incident to employees, and ask them to take specific steps to prevent further damage.
- Recovery: When the incident is under control, the team can move to reconnect or recover systems and get the organisation back up and running. This could mean restoring from backups, rebuilding systems from the ground up, patching, changing authentication details, tightening controls and running enhanced monitoring on compromised systems in the immediate aftermath.
- Notification: Depending on the severity of data loss, the legal and communications representatives will work together to notify regulatory bodies and individuals affected by the breach.
- Review: Once the incident is over, the team should set time aside to learn from the event: what did they do well and/or badly? How could a similar breach be prevented in future? Does the Plan need more detail so they can respond better next time?
How to create an incident team
While the size and structure of your CSIRT will depend on your company’s needs, expertise, resources and staff availability, there are some fundamental principles that apply to creating one.
- Choose based on expertise: Incident response requires in-depth, technical knowledge, so at least some of your team members should come from an IT/security background. Where your company lacks the breadth and depth of technical skills, the National Institute of Standards and Technology advises outsourcing some of your CSIRT, as “outsourcers may possess deeper knowledge of intrusion detection, forensics, vulnerabilities, exploits, and other aspects of security than employees of the organization.”
- Allocate roles and responsibilities: You will need to create a cross-functional team, which covers the core functions of a CSIRT. Each member should be given defined responsibilities, so they know what is expected of them. Where possible, try and disperse your team geographically, to enable 24/7 coverage.
- Coordinate with third parties: It is very rare that an incident response team does not rely on an external party in some form. Be it an outsourced security specialist or legal advice, your team should know whom to contact and whom they can lean on for support.
- Empower your team: When choosing employees to be on the team, you should ensure that at least one member – preferably the team leader – has the authorisation to make decisions without needing approval from someone higher up the ranks. This is a must for a fast response.
- Assign back-ups: To further ensure your team can respond to an incident at any time, we advise assigning a back-up for each member of the team. This will also ensure that nothing falls through the gaps if someone is ill or on holiday.
- Build morale: The team may not usually work together on a day-to-day basis, so it’s important for each member to understand everyone else’s roles, and feel comfortable communicating and collaborating.
- Plan, plan, plan: Once you have the who, it’s time to think about the how. Planning is key. To help you formulate an incident response strategy, we’ve compiled this helpful guide – all about creating and managing incident response.
- Training: Incident response is a high-alert activity. It’s essential your team feels prepared and confident before an event. Otherwise, they risk feeling overwhelmed. You should therefore conduct regular training to exercise your Plan, breach notification processes, escalation procedures and communications plans. As a starting point, the National Cyber Security Centre (“NCSC”) has published various incident response exercise resources in their Exercise in a Box. You can also work with third parties, who can create bespoke incident response exercises for you based on agreed scenarios and objectives.
Ultimately, an averted breach is not a stroke of luck. It’s the result of careful planning and coordination. To feel confident about your cyber security posture, the combination of a well-defined, practiced incident response plan and CSIRT is an invaluable tool.