Module 1 - Intro to Incident Response and Team Roles Flashcards
Upon the completion of this module students will be able to:
- Characterize the roles of help desk technicians and first responders
- Evaluate the different roles in an incident response plan and how incident responders fill those roles
- Critique the key elements of staffing and teaming models for incident response
- Analyze volatile data
Goal of Incident Response Team
- Quickly respond to an incident
- Protect top 2 assets for organization (people & information)
Defining an Incident
Each organization needs to define an incident for itself, based on:
- Impact
- Scope
- Risk
Components of Plan
- defining an incident
- separation of duties
- integrated approach
- incident response plans
- contain contact lists
- communication plan
- rules and regulations, address legal issues
- escalation procedures
- address documentation
- be tested and realistic
- be endorsed by management
Advisory Groups in IR
- Should be in place to avoid “group think” from taking over
Purpose:
- Ask questions
- Identify technical challenges
- Address management concerns
Contact Lists (groups to include)
Internal: team members, management, stakeholders
External: ISP, Tech/Support Maintenance for hardware/software, Law Enforcement
Rules and Regulations
FISMA requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT).
Releases of Personally Identifiable Information (PII) must be reported:
- To US-CERT and Privacy Officers
- To government agencies in certain states
- Within a certain amount of time
IR Team Models
- Central Incident Response Team (only 1 team handles all)
- Distributed Incident Response Teams (regionalized or segregated)
- Coordinating Team (advising team)
IR Staffing Models
- Employees
- Partially Outsourced
- Fully Outsourced
Questions for Staffing a Team
- type of team
- type of services
- how big
- where located
- what groups
- cost
CSIRT Team Roles
- manager or team lead
- assistant managers, supervisors, or group leaders
- hotline, help desk, or triage staff
- incident handlers
- vulnerability handlers
- artifact analysis staff
- platform specialists
- trainers
- technology watch
CSIRT Secondary Roles
Other roles may include:
- support staff
- technical writers
- network or system administrators, CSIRT infrastructure staff
- programmers or developers (to build CSIRT tools)
- web developers and maintainers
- media relations
- legal or paralegal staff or liaison
- law enforcement staff or liaison
- auditors or quality assurance staff
- marketing staff
IR Plan must be evaluated
- After tests
- After incidents (not during)
-> Documentation and education
Focal Points in developing Team
Preparing - practice (policies/procedures, training)
Handling
Follow-up