A computer security incident response team, or CSIRT, plays a critical role in an organisation’s approach to managing and mitigating cyber incidents.
In this blog post, we discuss the benefits of CSIRTs, as well as key issues to consider to ensure a fast and effective response in the event of a cyber-attack.
What is a CSIRT?
A CSIRT is a group of experts that responds to, manages and mitigates security incidents. A CSIRT may also be referred to as a computer incident response team (CIRT) or an incident response team (IRT).
Because an effective and comprehensive response to an incident should address both technical and non-technical aspects, a CSIRT usually includes security, IT and digital forensics specialists, but can also include HR, PR or legal personnel.
What are the responsibilities of a CSIRT?
A CSIRT’s responsibilities include activities such as investigating, analysing and remediating incidents and managing internal and external communications in the event of an incident. However, they can also include more strategic duties such as developing and maintaining an incident response plan (IRP) and assessing potential changes in technology, training and other aspects after a security incident. The team may share some of these responsibilities with other organisations.
Another important role for CSIRTs is running trials of an organisation’s incident response approach based around real-world scenarios. These could be large-scale or focused on specific aspects.
What experience and skills are required in a successful CSIRT team?
To be truly effective, a CSIRT should bring together a wide range of specialists with complementary skills. The nature of your organisation and incident response function will define the specific skills and experience required by your CSIRT. However, the expertise within a CSIRT will usually range from the manager, who puts together the incident response plan, to the incident handlers, who advise and support those managing the response, to the specialist technical staff, who review and analyse the technology. Expertise within a CSIRT should include:
Incident response knowledge and experience: Incident response knowledge and experience are of course critical to a successful CSIRT team. The specialists involved should have a proven track record of working on many different types of incidents.
Ongoing learning and development: A CSIRT should always remain up to date with emerging cyber security threats and trends to effectively plan for different types of incidents.
Communication skills: Effective incident response should involve good communication, both within and from an organisation. Whether that is ensuring technical specialists are sharing information effectively or updating clients and stakeholders in the event of a cyberattack, good communication skills are essential.
Organisational skills: Cyber incidents have the potential to create complex, fast-moving situations in which organisational skills are vital. A CSIRT needs the ability to act quickly and effectively and balance many different tasks within a short timeframe.
How to build a CSIRT team
There are a number of approaches to establishing your CSIRT team:
- Created from within your organisation: One approach is to conduct all incident response activities through the use of internal resources alone. However, this requires extensive resources that may be out of reach for all but the largest organisations.
- Combining internal resources and external support: A more hybrid strategy involves some of your employees supporting part of your incident response plan, while arranging for a third party to manage other activities.
- Fully outsourced incident response: In this approach, a specialist or a number of specialists are fully responsible for all aspects of your incident response requirements.
Why outsourcing could be more effective
Outsourcing your CSIRT offers a number of advantages. It removes the complexity and costs of setting up, training and overseeing your own internal CSIRT. Additionally, it helps ensure that you have effective and highly experienced round-the-clock support. A partnership with an external provider can also help to highlight other related incident response issues that your organisation may have overlooked.
Outsourcing can also be beneficial when you need to set up a team quickly or if you have a high-profile infrastructure which could be put at significant risk by an attack. Costs can also be more manageable with an outsourced option, as you can pay one fee to cover all support rather than having to cover employees’ salary and benefits.
How Kroll can help
Kroll is a leading provider of end-to-end cyber security, digital forensics and breach response services—responding to over 3,200 security events every year. Our experienced CSIRT professionals are skilled at investigating cyber-attacks and mitigating their adverse effects. Kroll is well-placed to help you respond effectively to many types of incidents and enhance your organisation’s incident response procedures, with experts on hand 24/7 to provide assistance across the incident lifecycle.