MD1 Incident Response Operations: Incident response teams Flashcards
Incident response teams
A successful response to security incidents doesn’t happen in isolation. It requires a team of both security and non-security professionals working together with defined roles.
Computer security incident response teams (CSIRTs)
CSIRTs are a specialized group of security professionals trained in incident management and response.
The goal of CSIRTs is to effectively and efficiently manage incidents, provide services and resources for response and recovery, and prevent future incidents from occurring.
Security is a shared responsibility, which is why CSIRTs must work cross-functionally with other departments to share relevant information. For example, if an incident resulted in the breach of sensitive data, like financial documents or PII, then the legal team must be consulted. Some regulatory compliance measures may require organizations to publicly disclose a security incident within a certain timeframe. This means that CSIRTs must collaborate with the organization's public relations team to coordinate efforts for public disclosure.
How exactly does a CSIRT function?
ROLES IN CSIRTs
First, there's the SECURITY ANALYST. The analyst's job is to investigate security alerts to determine if an incident has occurred. If an incident has been detected, the analyst will determine the criticality rating of the incident. Some incidents can be easily remediated by the security analyst and don't require escalation. But if the incident is highly critical, it gets escalated to the TECHNICAL LEAD, who provides technical leadership by guiding security incidents through their lifecycle.
During this time, the INCIDENT COORDINATOR tracks and manages the activities of the CSIRT and other teams involved in the response effort. Their job is to ensure that incident response processes are followed and that teams are regularly updated on the incident status. Not all CSIRTs are the same. Depending on the organization, a CSIRT can also be referred to as an Incident Handling Team (IHT) or a Security Incident Response Team (SIRT). Depending on an organization's structure, some teams can also have a broader or more specialized focus. For example, some teams may be solely dedicated to crisis management and others may be incorporated into a SOC. Roles can have different names too. For example, a technical lead can also be known as an Ops lead.