2. Client Relationship
Team Services
Team Roles
Team Types
External Teams
Team Management Preparation
Initial Incident Team Meeting
Ongoing Management Tasks
3. Incident Response teams are customer service teams.
Adversarial relationships with business units only lead to poor incident performance.
Incidents are very high stress events for business managers. If their expectations differ from the team's, they will become adversarial.
Set performance targets, let business units know what they are, and measure them.
Establish a protocol for team members when interacting with business unit staff.
4. What capabilities is the team going to offer the business units?
Extra services such as:
Auditing
Specific Platform Skills
Forensic Acquisition
Forensic Analysis
Post-Incident Support
5. Team Manager and Logistics Officer
Administration and personnel management.
Usually reports to the CSO.
Logistics and administrative support.
Team Leader
Coordinator of an individual incident.
Able to make operational decisions in most cases.
Senior Analyst
Experienced specialist incident responders.
Able to work independently of the team leader for extended periods.
Analyst
The incident responders.
Not necessarily a dedicated resource.
Strong technical skills (at least a power user).
Equipment Maintainer
Maintains the availability of all Incident Response equipment.
Responsible for acquiring new equipment as required during an incident.
6. Always more tasks than people to do them.
Internal Distributed CSIRT
A loose collection of pre-identified system administrators who can be re-tasked at short notice to perform incident response duties.
Only works in organisations that are able to easily and successfully make and break teams on the fly.
Requires significant buy-in from business line managers; the incident team may need to overcome 'tunnel vision' as they are closer to the systems day to day.
Internal Dedicated CSIRT
A dedicated team that provides nothing but security support to the business.
Generally better trained and with higher availability. Can provide a more independent viewpoint on an incident.
Necessary for more formal organisations where crossing group boundaries is difficult and fraught.
7. Corporate
Efficient use of resources, available corporate-wide.
Slower response times, political implications.
IT
Easy access to system staff as required.
Business Unit
Specialised, fast response, minimises downtime.
Even when only high risk business units are served it becomes costly.
Hybrid
Centralised function for awareness, training and shared resources.
Local teams to provide speed of response and specialist skills.
8. Public CSIRT
CERT/CC
JANET CERT
FIRST
Good first points of contact if the incident involves systems owned by constituents.
Commercial CERT Teams
Expensive.
Good source of specialist knowledge / equipment.
9. Location
Where has the incident occurred?
Situation
What has happened? Find out as much as possible. How did the incident come to light?
Intelligence
Get as much detailed information as possible to enable you to make decisions and brief your team.
Mission
What is the aim of this incident response?
Execution
How are you going to achieve your aim? Follow the company standard incident response procedures.
Have an outline plan of action.
Administration
What do you need to achieve your mission? Contact details of key people, etc.
Operations including Security
What are the constraints?
Need-to-know basis. Do not make it company-wide gossip.
Who else should be informed: legal, HR, PR, senior management.
Logistics
Do you need any specific items of kit or software to achieve your aim?
10. When first establishing an Incident Response team, the Team Leader and Team Manager need information.
The initial team meeting will either:
collate the information you need to plan the response, or
identify who is going to gather and analyse that information for you.
11. Who are the key players?
Sponsor, stakeholders, external suppliers.
What are the constraints?
Roles?
Explain what everyone will contribute and their responsibilities.
Make it clear that teamwork is vital for success.
Do the company incident response procedures detail who to call upon?
If not, identify the skills, knowledge and experience required.
Identify who is required and for how long.
Are they available full-time or part-time?
12. Keep the team focused; deal with distractions.
Keep your team informed of progress and what is happening.
Remember: the incident could well be fast moving, and this could impact the members of the team, who may never have worked as a team in such conditions.