Building A Strong Incident Response Team

Breaches happen to major organisations on a regular basis. While it isn’t realistic for organisations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact. However, you can only respond effectively if you are properly prepared.

A successful incident response effort must involve the right mix of people, processes and technology. It must also be a continuous effort that never stops. Organisations should be constantly analysing attacker behaviors to both thwart attacks in real-time and feed threat intelligence back into the overall response strategy to better prevent future incidents.

Strong response teams

The first step in planning for incident response should be the creation of appropriate security incident response teams.

These should include both an operational computer security incident response team (CSIRT) and a multidisciplinary threat management group. CSIRTs typically include technical professionals including 1) security analysts who figure out what happened, extract relevant indicators, and determine necessary remediation, and 2) security engineers who monitor the network for incidents and keep detection and log collection systems running, up-to-date with intelligence, and automated where possible.

The wider threat management group consists of leaders from throughout the organisation. At a minimum, it should include representation from the information security group, IT, operations team, legal, public relations and human resources. Some organisations will also choose to supplement both their CSIRT and threat management group with third-party consultants during an incident if needed. 

Effective processes

CSIRT team members should be seasoned IT professionals who come to the job with much of the expertise that they need. However, incident response related skills can always be developed, and they need to be kept fresh. It’s important to provide CSIRT team members with access to opportunities for continuing education, and to assess CSIRT readiness through regularly scheduled exercises.

The most mature organisations not only have a CSIRT in place, but also have meaningful operational metrics they can use to measure whether the CSIRT is able to respond to incidents effectively. The time and effort required to identify, respond to and resolve each incident are important components of the overall cost of the incident to the organisation.

It is also critical for incident response teams to have defined rules of engagement. For example, is your CSIRT permitted to interact with malicious hosts for the purpose of intelligence gathering? And in the event of an incident, can the CSIRT autonomously decide to pull infected systems off the network? These types of policies need to be clearly defined in advance so that unnecessary roadblocks do not get in the way of fast incident remediation.

Critical communications

Management team

While many security teams may not want to report bad news to the executive management team, sharing information with these individuals can be extremely valuable in strengthening management support for incident response efforts. Additionally, C-level executives are often targeted by phishing and other online scams, so it is critical for them to be aware of the various attacks facing their organisation.

General public

One of the most significant negative consequences associated with security breaches is the impact they can have on the victim’s reputation. In the event of a material exposure of customer data, it may be necessary for the organisation to disclose facts about the breach to the general public. Having a pre-defined plan in place for exactly how and what to communicate is the key to success in this arena.

Industry peers

A thorough incident investigation should result in intelligence surrounding Indicators of Compromise (IoCs) for a specific attack. Putting this intelligence to work internally can enable continuous response and help detect subsequent attacks by the same adversary. Sharing it amongst industry peers can create tremendous value when it comes to our collective ability to fend off future attacks.

Key technologies

The specific incident response tools needed within your organisation will vary based on your resources and business needs, but you should consider implementing 1) Syslog collection with a SIEM, 2) NetFlow collection, and 3) collection of full packet captures.

These technologies provide incident responders with a record of activity that enables real-time threat detection and may also contain key pieces of evidence and indicators that can be used to detect future breaches.

One other incredibly important tool that every incident response team needs is regular system and server backups. They provide a way to rapidly roll back the environment to a state prior to the compromise, and often they can capture evidence of the attack as well.

A properly equipped and trained incident response team should be able to contain breaches more rapidly, reduce their impact on the organisation, and continuously apply its findings to protect the organisation against future attacks. Creating and maintaining a strong incident response plan should be a top priority for all organisations.

Tom Cross is director of security research at Lancope