
The Computer Security Incident Response Team

The Computer Security Incident Response Team (CSIRT)

Chapter 5

The purpose of the CSIRT

The Computer Security Incident Response Team (CSIRT) must respond to notifications of emergencies by assessing the type of information at risk, determining what has occurred, and preventing these occurrences from happening again. The incident response team works round the clock to ensure that operations are restored to normal (Whitman & Mattord, 2021). The IR team may comprise a team of active professionals or on-call experts whose expertise is utilized only when an incident is reported within the organization.

The Eight Steps When Building the CSIRT

Step 1: Obtain management support and buy-in.

A CSIRT is typically created by assigning additional duties to existing employees within the organization, who then execute these responsibilities on an as-needed basis. Therefore, the management team should avoid assigning CSIRT roles to members who already face frequent demands from their primary job responsibilities.

Step 2: Determine the CSIRT strategic plan.

The organization should then develop a CSIRT plan that covers components such as the time frame for executing it, training and testing requirements, proper funding of CSIRT operations, and the procedures to be adopted for updating and modifying CSIRT documents and activities (Willumsen et al., 2019). The organization’s management should also determine whether the team will follow a distributed, central, or coordinating CSIRT model. Beyond this, the factors to consider in selecting a staffing model include the employees’ expertise, availability, and morale, and whether they will serve part-time or full-time (Willumsen et al., 2019).

Step 3: Gather relevant information.

In this step, the IRPT collects a large amount of information about incident response needs within the organization. This information is essential because it is used in crafting the CSIRT, ensuring that the right skills are brought together to counter any situation that arises.

Step 4: Design the CSIRT’s vision.

Developing the vision of CSIRT involves various components, including but not limited to the identification of the organization’s constituency; the definition of CSIRT’s mission, goals, and objectives; selection of the services that CSIRT would provide to the constituency; identification of the required resources and the determination of the funding sources (Willumsen et al., 2019).

Step 5: Communicate the CSIRT’s vision and operational plan.

The vision of the CSIRT and its operational plan can be communicated through the enumeration of highlights and success stories. This involves presenting issues and concerns to the champion within the organization in advance. Based on these issues, the champion is better placed to advise the management team on the additional resources, support, and activities required to make the CSIRT operation succeed.

Step 6: Begin CSIRT implementation.

The implementation process begins with the recruitment of CSIRT staff, the purchase of the required equipment and network infrastructure, and the definition of policies and procedures. This would then be followed by the coordination of the additional IT members, the definition of the incident tracking system, and the preparation of reporting guidelines and forms (Willumsen et al., 2019).

Step 7: Announce the operational CSIRT.

This stage consists of informing the entire organization that the CSIRT is operational and accessible. The announcement should cover components such as the mission and goals, leadership and staff members, operating hours, and services and functions.

Step 8: Evaluate the CSIRT’s effectiveness.

Finally, the effectiveness of CSIRT is assessed by utilizing two mechanisms: IR plan tests and the CSIRT performance metrics. The performance metrics serve as the measures of evaluating the suitability and comprehensiveness of the IR plan.

Advantages and Disadvantages of Outsourcing the IR Process

Some advantages of outsourcing the IR process are that it guarantees 24/7 monitoring, timely notification of potential problems, and no additional training costs. On the other hand, the disadvantages of outsourcing this process are a potential loss of control over the response to incidents, the loss of services when the contract expires, and increased access to classified data by service providers (Whitman & Mattord, 2021).

The Exceptional Circumstances of CSIRT Interaction with the Security Operations Center

The CSIRT interacts with the security operations center (SOC) in the sense that when a member of the SOC detects an incident, they are obligated to contact the appropriate CSIRT representative, who then initiates the response process.

Chapter 6

Definition of Terms

Incident classification

This is the process of documenting the incident’s categories and severity based on predefined standards.

Incident candidates

This refers to an incident that could lead to a potential attack.

Cyber kill chain

This is the process of identifying and stopping adversary activity by intercepting the attackers’ actions at the stages of their attack.

Footprinting

This is an ethical hacking strategy that involves gathering data about a specific targeted computer system and identifying avenues of penetrating it.

Fingerprinting

This is a more invasive form of online hacking that consists of building a profile of a system based on its hardware, software, and any other add-on capabilities.

Security Operations Center

This refers to an in-house or outsourced IT team that is obligated to monitor the organization’s entire IT infrastructure by detecting cyber-security threats in real time and addressing them within the shortest possible time.

Types of Adverse Events that Indicate an Actual Incident Established by Pipkin

The types of adverse events that indicate an actual incident include the presence of unfamiliar files, unusual utilization of computing resources, the unusual crashing of the system, and regular hanging of the PC.

Detection Strategies for Common Incidents

Some common incident detection strategies are monitoring, alerting, and reporting. The monitoring strategy entails utilizing firewalls and intrusion prevention systems to assess the security of the environment. Alerting entails classifying the incident by creating an incident ticket, documenting initial findings, and assigning the proper documentation (Whitman & Mattord, 2021). Reporting involves enumerating the findings through escalation.

General Detection Strategies that Provide Insight into the Organization’s Operations

Signature-based intrusion detection and anomaly-based intrusion detection are some examples of general detection strategies that provide insight into the organization’s operations.
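As an added illustration (not part of the original essay or the cited texts), the following Python snippet runs both general detection strategies over a handful of constructed log lines and ties them to the Pipkin-style indicators named above: a signature rule for a known-bad file location, an anomaly rule for unusual CPU utilization against a baseline, and a file-inventory check for unfamiliar files, with the results classified by category and severity. The log format, signature, known-path inventory, and severity mapping are all assumptions made for the example.

```python
import re
import statistics

# Constructed sample log lines ("<time> <host> <event> <detail>"); not from the page.
SAMPLE_LOGS = [
    "09:00 web01 cpu 12",
    "09:05 web01 cpu 15",
    "09:10 web01 cpu 11",
    "09:15 web01 cpu 14",
    "09:20 web01 cpu 13",
    "09:25 web01 cpu 97",
    "09:30 web01 file_created /var/www/uploads/report.pdf",
    "09:31 web01 file_created /tmp/.cache/unknown_bin",
]

# Signature-based detection: known-bad patterns expressed as regexes (constructed example rule).
SIGNATURES = {
    "hidden_dir_under_tmp": re.compile(r"file_created /tmp/\.\S+"),
}

# Constructed baseline inventory of expected file locations for the "unfamiliar files" indicator.
KNOWN_PATHS = {"/var/www/uploads/report.pdf"}

def signature_detect(lines):
    """Return (line, signature_name) for every line that matches a known-bad pattern."""
    return [(line, name) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]

def anomaly_detect(lines, baseline_n=5, z=3.0):
    """Flag CPU samples more than z standard deviations above the first baseline_n samples."""
    cpu = [int(l.split()[-1]) for l in lines if l.split()[2] == "cpu"]
    base = cpu[:baseline_n]
    mean, sd = statistics.mean(base), statistics.pstdev(base)
    return [v for v in cpu[baseline_n:] if sd > 0 and (v - mean) / sd > z]

def unfamiliar_files(lines, known=KNOWN_PATHS):
    """Pipkin-style indicator: files created outside the known inventory."""
    created = {l.split()[-1] for l in lines if l.split()[2] == "file_created"}
    return sorted(created - known)

def classify(lines):
    """Incident classification: (category, severity) pairs built from the detector results."""
    findings = [("signature:" + name, "high") for _, name in signature_detect(lines)]
    findings += [(f"anomaly:cpu={v}", "medium") for v in anomaly_detect(lines)]
    findings += [("unfamiliar_file:" + p, "medium") for p in unfamiliar_files(lines)]
    return findings

if __name__ == "__main__":
    for category, severity in classify(SAMPLE_LOGS):
        print(f"{severity:6} {category}")
```

The signature rule fires only on what it was written to match, while the anomaly rule catches the CPU spike without any prior knowledge of its cause; this is why the two strategies are typically used together.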

References

Whitman, M. E., & Mattord, H. J. (2021). Principles of incident response and disaster recovery. Cengage Learning.

Willumsen, P., Oehmen, J., Stingl, V., & Geraldi, J. (2019). Value creation through project risk management. International Journal of Project Management, 37(5), 731-749.


Question

The Computer Security Incident Response Team

Describe the purpose of the CSIRT.
Name and explain briefly the 8 steps when building the CSIRT
Name the Advantages and Disadvantages of outsourcing the IR Process
Identify the special circumstances of CSIRT interaction with the security operations center (SOC) when outsourcing incident response operations.

Chapter 6:

Define the following terms:
Incident classification
Incident candidates
Cyber kill chain
Footprinting
Fingerprinting
Security Operations Center

2. Name the five types of adverse events that are definite indicators of an actual incident established by Pipkin.

3. Explain some detection strategies for common incidents.

4. Name some general detection strategies that provide insight into the operations of the organization.