What do you normally do when you find an infected machine on the network? If you don’t have a good answer to that question, then building your incident response team could be one of the most beneficial things you do as a company.
A CSIRT (Cyber Security Incident Response Team) is a group of network, security, and system administrators within your company who work together in the event of a security issue. In this blog, I want to go over some key points that you should keep in mind when putting this group together, and lay out how it should operate.
Who should be part of your CSIRT?
When choosing the members of your CSIRT, keep in mind that you want members with a wide variety of knowledge and experience. You wouldn’t want all network engineers trying to troubleshoot CryptoWall running rampant on the Windows PCs on your network – you would want a System Administrator to do that. The team should contain a mix of Security Admins, Network Engineers, and System Administrators. You should also have a clear escalation chain, so that the correct parties are involved and no time is wasted. This leads me straight into my next point.
When should you escalate up your CSIRT?
Since every network and organization operates differently, this is something you will need to discuss with your team; figure out the most efficient and effective points at which to get more people involved. We usually give the first level of our CSIRT 30 minutes to 1 hour before we require them to escalate the issue up the chain. From there it’s a matter of continued escalation if no root cause or remediation is found. Remember, at the time of an incident there can be a lot of panic going around, so it is important to have clear roles set up so everyone knows exactly what to do and there are no open questions.
Keeping your CSIRT Qualified
As with all fields of technology, incident response is rapidly changing and new tactics are constantly being used to infiltrate your network, which is why it’s very important to keep your team properly trained to handle these kinds of attacks.
As you have seen in the recent data breaches, establishing a CSIRT within your organization is becoming more and more important. You don’t want to wait for an incident to occur before you find out that you should have put this in place. Do it today and plan for the future! If you have any questions on this, feel free to contact us or look into taking one of our Malware Incident Response classes coming to a city near you.