How To Form An Effective IR Team
Cyber security incidents can be very stressful, with uncertainty regarding cause, remediation, and extent of the impact. However, firms often must respond to an attack immediately with whatever information is available, or run the risk of greater loss. This stress intensifies when firms do not know what to do or who to call, leaving them seemingly helpless and more susceptible to loss.
To better prepare for cyber emergencies, firms must invest in a team of responders who are equipped with technical knowledge to act quickly and reliably. The incident response team is responsible for mitigating the effects of an incident in an organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue.
Structures and Forms
An incident response team can take on varying structures, including both internal and external parties whose scope of responsibilities differs depending on the nature of an incident. The team can be composed of a company’s own dedicated Security Operations Center (SOC), an internal division consisting of IT and security personnel, or an external partner committed to activating as needed to provide an advanced level of digital forensics and crisis management expertise.
Depending on the selected structure, an incident response team may be referred to by different names such as Computer Security Incident Response Team (CSIRT), Computer Security Incident Response Capability/Center (CSIRC), Computer Incident Response Capability/Center (CIRC), Computer Incident Response Team (CIRT), Incident Handling Team (IHT), Incident Response Center or Incident Response Capability (IRC), Incident Response Team (IRT), Security Emergency Response Team (SERT), or Security Incident Response Team (SIRT). Likewise, the team may have varying scope that may cover security, crisis management, or resiliency.
Roles and Responsibilities
Regardless of the source and size of the incident response team, companies must have a stable central team consisting of an IT or cybersecurity designee who acts as the leader in managing and coordinating cyber incidents and conducts initial response measures. Having a core team will help secure critical business assets and data as well as prioritize incident management in a repeatable, quality-driven manner. This team must have an understanding of overall business processes in the organization as well as have full visibility over the network infrastructure. Furthermore, this core team must have unique skill sets to cover these essential roles and responsibilities:
Senior/Executive Management, who will effectively lead and manage all activities, providing all critical decisions and directives;
Incident Response Lead, who will head the overall incident response process, ensuring important information and evidence are properly documented, analyzed, reported and escalated to the appropriate channels;
Department Leads, who will lead actions outside forensics investigations including timely dissemination of communications, media relations, HR and employee coordination (especially if an employee is discovered to be part of the incident), and legal representation and guidance on any liability issues that may ensue;
Technical Lead/Recovery Manager, who will be on top of securing affected assets and ensuring these materials can be recovered;
Security Analysts and Researchers, who will conduct regular monitoring of technical activities to identify risks; they will also provide threat intelligence and security reports to help the lead investigator understand the entire context and scope of the incident, and be aware of other potential intrusions.
Skills & experience
The nature of your business and relative need for incident response will determine the required level of skill and experience for your in-house incident response team. Particular skills your team may need include digital forensics capabilities, malware analysis and reverse engineering, data analysis, as well as soft skills like effective communication, collaboration, and documentation. Nevertheless, there are some practices that must be observed to ensure a highly effective and reliable team.
The core team must have auxiliaries or deputies, especially when members are unavailable, to ensure all functions remain operational and can provide the required support. Additionally, the team must be armed with the right set of tools and training to identify gaps in the team’s performance and enhance its members’ capabilities. Having advanced tools and training will improve detection, response, and recovery times as well as provide other creative approaches to accurately assess and remediate cyber incidents. This training will also keep the team informed of the latest risk and security trends, preparing it well to counter new threat actors and attack strategies.
No matter how the incident response team is formed, as long as the core team is kept intact, staffed with competent members, and run according to best practices, you can be assured that your incident response team is well equipped to handle security challenges, provide support and services, and maintain business operations.