A Computer Security Incident Response Team (CSIRT) is a group of IT professionals that provides an organization with services and support surrounding the prevention, management and coordination of potential cybersecurity-related emergencies. The overarching goals of a CSIRT include responding to computer security incidents to regain control and minimize damage, providing or assisting with effective incident response and recovery and inhibiting computer security incidents from reoccurring.
A central assumption of this definition is that a CSIRT is an organized entity with defined mission, structure and roles and responsibilities. This assumption excludes any ad hoc or informal incident response activity that does not have a defined constituency and documented roles and responsibilities. This assumption is driven by the belief that without a formalized incident response capability, it is not possible to deliver effective incident response.
The Forum of Incident Response and Security Teams (FIRST), an international confederation of CSIRTs that cooperate on handling computer security incidents, has released the “FIRST CSIRT Framework.” This is a detailed CSIRT services framework that builds upon and expands the CERT/CC CSIRT services list that has been in use since the late 1980s. It also outlines seven service areas that CSIRTs might want to consider offering their constituents, including incident management, incident analysis, information assurance, situational awareness, and research and development.
CSIRT processes and key responsibilities
Individual CSIRTs are personalized and unique. Every CSIRT has three attributes that differentiate it from other incident response teams: its mission statement, its list of services and its constituency.
The mission of a CSIRT is a statement of purpose, or its reason for existing. A CSIRT's mission defines its area of responsibility and serves to set expectations with its constituency.
An example of a CSIRT mission statement may be:
“It is the mission of XYZ CSIRT to protect XYZ Corp. by creating and maintaining the capability of detecting, responding and resolving computer and information security incidents.”
The delivery of CSIRT services to its constituency is how the CSIRT mission is carried out. There are many services that a CSIRT may offer, but there are fundamental services that a CSIRT must offer in order to be considered a formal incident response organization. At its most basic level, a CSIRT must be able to do the following:
- Receive an incident report from a constituent: In order to receive an incident report from the CSIRT constituency, the constituency needs to know that the CSIRT exists, what it does, how its services are accessed and the service and quality levels it can expect. This requires that the CSIRT has developed a definition of its mission and services, has announced itself to its constituency and has published guidance on how incident services are requested. This includes publishing the incident response policy, processes, procedures, forms and resources necessary to inform and enable the constituency to file an incident report.
- Analyze an incident report to validate and understand the incident: Once an incident report has been received, the CSIRT must analyze the report to validate that an incident, or another type of activity that falls under the CSIRT mission, has occurred. The team must then determine whether it understands the report and the incident well enough to create an initial response strategy that fulfills the goal of regaining control and minimizing damage. Part of being able to analyze an incident report and respond efficiently is having a sufficient number of appropriately trained staff who can perform a variety of tasks. Each member of the CSIRT staff should have written plans, policies and procedures that document the roles and responsibilities of the CSIRT technical staff and management.
- Provide incident response support: The third basic incident response service is to provide support for the constituent making the report. Depending upon how the CSIRT is organized and the service levels offered, a CSIRT may provide incident response support in one of several ways:
- On-site incident response services delivered directly to the constituent.
- Incident response services delivered virtually, over email or the phone.
- Coordinated incident response services that combine and allocate the efforts of multiple incident response teams across multiple constituents.
In some situations, an organization’s CSIRT simply develops and oversees the incident response strategies and services rather than implementing them. Other groups or departments, such as network engineers, information technology professionals or system and data owners, carry out the response strategy, with the CSIRT managing the effort and ensuring that it is effective.
Lastly, a CSIRT must have a clearly defined constituency. A constituency is the CSIRT’s customer base, or the recipients of its incident response services. The constituency is assumed to be unique to a given CSIRT and is often the parent organization.
How to build a CSIRT
Developing effective incident response means an organization is able to detect and respond to a computer or information security incident in a way that limits the damage done and keeps the cost of recovery as low as possible. An organization should take a multi-layered approach to protecting business operations, and building a CSIRT is one strategy that supports this.
Strategies that support the creation of an effective incident response team include:
- Deciding what types of technical backgrounds, roles and responsibilities are required on the CSIRT.
- Assigning a team leader to oversee CSIRT efforts and communicate incidents and progress to the executive staff.
- Determining the best-suited CSIRT organizational model and the required operating hours for the company.
- Creating security plans, policies and procedures for a variety of potential threats and incidents.
- Providing team members with routine cybersecurity education and awareness training.
- Conducting system risk assessments.
- Identifying critical incident response assets, including information, business processes, technology and people.
- Having a well-documented asset management program.
- Implementing a configuration management program that ensures all software is patched and updates are tested and applied in a timely manner.
- Implementing a defensive network architecture using routers, firewalls, intrusion detection and prevention systems, network monitors and security operations.
There are a number of organizational models that a CSIRT can follow. Considerations for how a CSIRT may be structured include the need for 24/7 coverage, the availability of trained employees, full- or part-time team members and cost.
In a centralized CSIRT, a single incident response team serves the entire organization and all incident response resources are contained within the dedicated unit. This kind of CSIRT is good for small organizations or organizations with limited geographic scope.
In a distributed CSIRT, several independent incident response teams exist. The distribution of CSIRT resources may depend upon the wide geographic scope of the organization or the location of major facilities. Other attributes that may influence the distribution of CSIRT resources include a company organized by business unit or simply the distribution of employees and information assets. Most distributed CSIRT models also require CSIRT coordination.
A coordinating CSIRT is a CSIRT that manages other, often subordinate, CSIRTs. This CSIRT model coordinates incident response activities, information flow and workflow among the distributed teams. A coordinating CSIRT may not provide any independent incident response services itself, but focuses on the efficient and effective use of the resources in the distributed teams as its value-add. CERT/CC is an example of a coordinating CSIRT that orchestrates activities among national, governmental and regional CSIRTs.
A hybrid CSIRT is one that combines some of the attributes of centralized and distributed CSIRTs. Often, the central CSIRT component is full-time and the distributed component is composed of subject matter experts that may not be attached to the incident response activity except as needed during computer security incident response. In this model, when the central CSIRT component detects an incident, it analyzes the incident and determines what kind of specialized help it needs. The appropriate experts can then be called up to assist in response activities.
It must be noted that even though the hybrid CSIRT relies upon subject matter experts who are not full-time CSIRT members, the hybrid CSIRT is very much a formal incident response organization. The hybrid CSIRT's distributed units of experts are designated as incident response professionals with defined roles and responsibilities, receive formal incident response training and may be required to obtain and maintain certification as incident handlers.
There is another hybrid CSIRT model that has come about recently, driven largely by the increase in the number of security operations centers (SOCs). In this hybrid model, the SOC is responsible for receiving all alerts, alarms or user security reports that may be indicative of an incident. As the SOC clears the volume of alerts at tiers 1 and 2, some indicators of compromise rise up through the SOC levels and require additional analysis to determine whether they represent a computer security incident. For those alerts and indicators that are in fact security incidents, the CSIRT is activated. In this model, the SOC acts as a front end for the CSIRT, performing incident detection and passing confirmed incidents to the CSIRT.
The last CSIRT model is the outsourced CSIRT. There are a number of reasons to outsource CSIRT activities; cost and the time needed to build an internal CSIRT are the predominant ones. Other factors include the ability to find and train enough incident responders, or the need to provide 24/7 service, which also puts a strain on finding sufficient numbers of trained incident responders.
Variations to the outsourced CSIRT model include staffing an internal CSIRT with contractors rather than employees or outsourcing specialized services that may be only occasionally needed, like digital forensics.
Since incidents cannot always be predicted, it is important to have a dispersed but well-managed CSIRT. Most CSIRTs are structured to have enough staff to maintain 24/7 monitoring. This is done by dividing operating hours into three shifts, each with a designated shift lead. Additionally, larger companies will separate employees not only by time but also by geographic location. Smaller companies may want to accomplish this by outsourcing CSIRT processes for after-hours coverage.
Because of this distributed nature, emphasis should be placed on management. Shift leads should communicate with each other to determine what was, or was not, resolved during their shift. This should then be relayed to the overall CSIRT team leader or executive staff representative so as to maintain transparency to the rest of the organization.
SOC vs CSIRT vs CERT
Three types of incident response teams with overlapping responsibilities are the security operations center (SOC), the computer security incident response team (CSIRT) and the computer emergency readiness team (CERT).
The most distinct of the three is the SOC, as this is a dedicated facility in charge of monitoring and defending technology and hardware. A SOC acts as a command and control center for an organization, region or country. It protects networks, servers, applications and endpoints.
The concept of the CERT derived from the need to search the internet for vulnerabilities and share that information with parties that might be affected. The primary objective of an organization’s CERT is to collect as much information from as many sources as possible surrounding network or information security threats and disseminate that information to the actual incident responders. CERT is also a trademarked term that can refer to documentation, education and certification in incident response.
With this in mind, a CSIRT is the team of incident handlers. Additionally, a CSIRT is built to be more cross-functional and aid all departments with all types of incidents. This could include handling legal issues, communicating with press or working with human resources on behalf of the organization as a whole.
More broadly, a cybersecurity center may include the capabilities of CSIRTs, CERTs, SOCs, product security incident response teams (PSIRTs), threat intelligence centers, threat hunting teams and other cybersecurity functions.