Preparation: Incident Response Teams Flashcards
IR Teams
Incident response teams are responsible for handling incidents when they occur. This lesson will cover the need for these specialist teams, who should be included in them, and how they should operate.
Why do we Need Them?
A dedicated incident response team is crucial for responding properly to confirmed incidents and reducing their impact on the business, working to ensure continuity and to limit the costs that result from a successful attack. By bringing together people with all the skills that are needed, this specialist team can be activated when an incident occurs, minimizing the time during which damage can be caused. Larger organizations tend to opt for full-time staff that focus purely on preparation, testing, and incident response, whilst smaller organizations may have team members who hold other roles but can step up when an incident is discovered.
Incident Response Team Members
Incident response teams are made up of skilled individuals from a wide range of departments, not just security analysts! In this section, we’ll cover everyone that should be included in an IR team.
Incident Commander
This is the name given to the individual who is in charge of dealing with the incident, typically a dedicated Incident Response Manager. It is their job to coordinate response efforts and ensure communication is maintained between all relevant parties throughout. They will be the point of contact for all departments, and will typically provide periodic updates to management and the C-suite.
Security Analysts
The most obvious individuals that should be included in the team are Security Analysts: individuals with a deep technical understanding of networks and of how to triage and investigate security alerts generated by platforms such as IDPS or SIEM. These analysts will provide first-hand analysis of incidents and collect information such as the systems affected, the time, and the specific activity that is happening.
Forensic Analysts
Arguably the most technically knowledgeable analysts are those with skills in digital forensics and incident response (also known as DFIR). It is their job to take a deeper dive into the incident and to retrieve and preserve digital evidence so that it can be used in court if there is a legal prosecution as a result of the incident.
Threat Intelligence Analysts
As you know from the Threat Intelligence domain, work in this field can help to provide context around an incident, such as working to identify the actor(s) behind the attack, performing further exposure checks using IOCs and artifacts collected by forensic analysts, and relaying intelligence to other organizations so they can prepare for similar attacks to the one currently being dealt with.
As mentioned previously, it’s not just cybersecurity professionals that should be included in this team. Below is a list of other individuals that should be included.
Management/C-Suite
Having members of the company’s management board such as Chief Information Security Officer (CISO), Chief Operations Officer (COO), and Chief Technology Officer (CTO) is important so that responders have the resources they need to both prevent and respond to incidents properly.
Human Resources (HR)
If an employee is the cause of an incident, individuals from the HR department will need to be involved, as they will coordinate the organization’s response to discipline the employee, whether that’s to take legal action, fire them, or give them a warning.
Public Relations
If an incident affects the public, employees, or customers (such as a data breach) then by law this needs to be announced as soon as possible. The PR department will handle how the news should be announced, what information to include, and who needs to be notified. They will also likely communicate with stakeholders to inform them of any important events.
Legal
Members of this department will provide legal advice, and will support forensic analysts, HR, and public relations to ensure that everything that happens is legal and that the organization has completed any tasks it is required to do by law, such as notifying affected persons and ensuring digital evidence is forensically sound.