Incident Response: Drafting the Team
What are the Key Skills for Your Organization?
Although the malware solutions were able to tell them which systems were currently infected, they had no way of telling which systems had been compromised, or whether the malware had been removed or instead rolled over to something that was not being detected.
Using the information available, Weber and his team took a step back from data analysis and developed a Perl-based tool that detected specific registry keys and would work on live systems. Using this tool, the client's security team was able to distribute it to, and reach, all of their systems. This allowed them to systematically (over the course of several days) identify approximately 10 systems out of over 30,000 that needed to be added to the scope of the incident.
"Without team effort and initiative, we would not have been able to provide much value beyond the initial data analysis efforts," says Weber, currently a senior security analyst with InGuardians, Inc., a consultancy based in Washington D.C.
This example illustrates that even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen. When computer security incidents occur, an organization must have an effective team to respond. "The effort with which an organization can recognize, analyze and respond to an incident will limit the damage and lower the cost of recovery," Weber says.
Types of Incidents
An incident can be defined as any real or suspected adverse event in relation to the security of computer systems or computer networks. Types of incidents that organizations face frequently include:
- Attempts to gain unauthorized access to a system or its data;
- Unwanted disruption or denial of service;
- Unauthorized use of a system for the processing or storage of data;
- Changes to system hardware, firmware or software characteristics without the owner's knowledge, instruction or consent.
"Managing incidents is much more than just response to incidents; it is the proactive ability to continuously protect ourselves," says Georgia Killcrece, a current member and prior team lead of the computer security incident response team at Carnegie Mellon University.
Organizations, therefore, need a team of competent staff with certain skills and technical expertise to stay ahead of the curve.
Putting Together the Incident Response Team
Team sizes vary based on the type of organization, but there are usually 2-3 full-time technical personnel in mid-to-large organizations. The team also includes a group of individuals from varied functional areas such as legal, marketing, public relations, customer service and IT security. These members participate in incident management and handling services on a part-time basis.
"What is the legal and regulatory impact of an incident? How will the company position itself to respond to customers and media? How will the notification process be handled? These are all areas which need to unify in incident management and response," says one senior IT executive at a large, regional bank (he requested his identity not be disclosed).
His incident response team at the bank represents professionals from each of these functional areas, plus two dedicated IT security technicians who work full-time in monitoring, analyzing and preventing attacks. The entire team of eight reports to him. Among the skills needed for the incident response team:
- Leadership -- You need an individual who understands what the team's priorities are and establishes a solid incident response and management plan with defined roles and responsibilities for each staff member. "The team needs a champion with a plan for every crisis situation," says Weber. "What you don't need is a leader who doesn't have technical understanding of issues, lacks in good communication and cannot make decisions in a crisis."
- Fraud investigators -- They can gather information quickly and determine the relevance of the data provided, including answers to questions such as: Who is involved? What has happened? Where did the attack originate? "With each type of attack, they should understand the associated risks and effects, the severity and the mitigation, prevention or recovery methods," says the banking/security leader.
- Application and network security professionals -- For each application they should understand the purpose of the application or service, how it works, common usage, secure configurations and the common types of threats. In addition, they should understand the different types of malicious code attacks that occur and how these can affect their systems and networks.
- Communications and public relations pros -- Their participation is critical because when an incident occurs, they need to know the details to be able to communicate effectively to media and their customers on what's happening. "They should be able to effectively determine what is happening, what facts are important, and how the matter needs to be communicated and reported to different parties involved," says Killcrece.
Additionally, teams may draw upon other experts within the organization, such as marketing, HR, legal, privacy officers, technical writers, etc., who can provide advice and guidance in developing appropriate responses when the need arises.
Demand in the Job Marketplace
Recent attacks on Google have drawn both the government and the private sector closer in resolving incidents, and the job markets are becoming more intertwined as the two sectors look for similar skill sets, says Evan Lesser, co-founder and director of ClearanceJobs.com, a site that matches U.S. job seekers with security clearances and government contractors and agencies.
Companies are increasingly looking for professionals who can configure IDS and firewalls and can analyze log files and data to identify what information is important, missing, or might be misleading or incorrect. "These are people on the front lines of defense and are greatly in demand in the present and future," Lesser says.
Credentials such as an academic degree in computer science or information assurance, and certifications offered by training organizations such as SANS Institute, MIS Training Institute and ISC2, are preferred.
Some hiring managers favor candidates with a prior law enforcement background. These individuals are highly motivated and know exactly how to handle such situations.
"Incidents happen and they can be very valuable experiences," says Killcrece. "The success factor lies in protecting the systems and ensuring that an organization responds correctly and reasonably to an incident given the right mix of people."