The second session from a two day for potential first responders across a large financial services client.

1. Phil Huggins
February 2004

2.  Client Relationship
 Team Services
 Team Roles
 TeamTypes
 ExternalTeams
 Team Management Preparation
 Initial IncidentTeam Meeting
 Ongoing ManagementTasks

3.  Incident Response teams are customer service
teams.
 Adversarial relationships with business units only
leads to poor incident performance.
 Incidents are very high stress events for business
managers. If their expectations are different from
the team then they will become adversarial.
 Set performance targets, let business units know what
they are and measure them.
 Establish a protocol for team members when interacting
with business unit staff.

4.  What capabilities is the team going to offer
the business units ?
 Extra services such as:
 Auditing
 Specific Platform Skills
 Forensic Acquisition
 Forensic Analysis
 Post-Incident Support

5.  Team Manager and LogisticsOfficer
 Administration and personnel management.
 Usually reports to CSO.
 Logistics and administrative support.
 Team Leader
 Coordinator of an individual incident.
 Able to make operational decisions in most cases.
 SeniorAnalyst
 Experienced specialist incident responders.
 Able to work independently of team leader for extended periods.
 Analyst
 The incident responders
 Not necessarily a dedicated resource
 Strong technical skills (At least a power user)
 Equipment Maintainer
 Maintains the availability of all Incident Response equipment.
 Responsible for acquiring new equipment as required during an incident.

6.  Always more tasks than people to do them.
 Internal Distributed CSIRT
 A loose collection of pre-identified system administrators who can be re-
tasked at short notice to perform incident response duties.
 Only works in organisations that are able to easily and successfully make and
break teams on the fly.
 Requires significant buy in from business line managers, incident team may
need to overcome ‘tunnel vision’ as are closer to the systems day to day.
 Internal Dedicated CSIRT
 A dedicated team to provide nothing but security support to the business.
 Generally better trained and with a higher availability. Can provide a more
independent viewpoint on an incident.
 Necessary for more formal organisations where crossing group boundaries is
difficult and fraught.

7.  Corporate
 Efficient use of resources, available corporate wide
 Slower response times, political implications
 IT
 Easy access to system staff as required
 Business Unit
 Specialised, fast response, minimises downtime
 Even when only high risk business units are served it becomes costly
 Hybrid
 Centralise function for awareness, training and shared resources
 Local teams to provide speed of response and specialist skills

8.  Public CSIRT
 CERT/CC
 JANET CERT
 FIRST
 Good first points of contact if incident involves systems
owned by constituents.
 Commercial CERTTeams
 Expensive
 Good source of specialist knowledge / equipment

9.  Location
 Where has the incident occurred?
 Situation
 What has happened? Find out as much as possible. How did the incident come to light?
 Intelligence
 Get as much detailed information as possible to enable you to make decisions and brief
your team
 Mission
 What is the aim of this incident response?
 Execution
 How are you going to achieve your aim? Follow the company standard incident
response procedures
 Have an outline plan of action.
 Administration
 What do you need to achieve your mission? Contact details of key people etc
 Operations including Security
 What are the constraints?
 Need to know basis. Do not make it company wide gossip
 Who else should be informed – legal, HR, PR, senior management
 Logistics
 Do you need any specific items of kit or software to achieve your aim

10.  When first establishing an Incident Response
team theTeam Leader andTeam Manager
need information.
 The initial team meeting will either:
 collate the information you need to plan the
response
 identify who is going to gather and analyse that
information for you

11.  Who are the key players?
 Sponsor, stakeholders, external suppliers
 What are the constraints?
 Roles ?
 Explain what everyone will contribute and their responsibilities
 Make it clear that teamwork is vital for success
 Do the company incident response procedures detail who to
call upon?
 If not, identify skills, knowledge and experience required
 Identify who is required and for how long
 Are they available full-time or part-time?

12.  Keep the team focused, deal with
distractions
 Keep your team informed of progress and
what is happening
 Remember: the incident could well be fast
moving and this could impact the members
of the team, who may never have worked as
a team in such conditions