The IR framework

Responding to a data breach, ransomware attack, or another security incident should never be an ad hoc process. Undefined processes or procedures will leave an organization unable to both identify the extent of the incident and be able to stop the bleeding in sufficient time to limit the damage. Further, attempting to craft plans during an incident may, in fact, destroy critical evidence or—worse—create more problems.

Having a solid understanding of the IR process is just the first step to building this capability within an organization. What organizations need is a framework that puts processes to work utilizing the organization’s available resources. An IR framework describes the components of a functional IR capability within an organization. This framework is made up of elements such as personnel, policies, procedures, and implementation. It is through these elements that an organization builds its capability to respond to incidents.

The IR charter

The first step to building this capability is the decision by senior leadership that the risk to the organization is too significant not to address the possibility of a potential security incident. Once that point is reached, a senior member of the organization will serve as a project sponsor and craft an IR charter. This charter outlines key elements that will drive the creation of a computer security IR team (CSIRT).

Information

While there are several titles for IR teams, the term CERT, short for computer emergency response team, is often associated with the US-CERT through the United States Department of Homeland Security (US DHS) or the CERT Coordination Center (CERT/CC), through the Carnegie Mellon Software Engineering Institute (SEI). For our purposes, we will use the more generic CSIRT.

The IR charter should be a written document that addresses the following:

• Obtaining senior leadership support: In order to be a viable part of the organization, the CSIRT requires the support of the senior leadership within the organization. In a private-sector institution, it may be difficult to obtain the necessary support and funding, as the CSIRT itself does not provide value in the same way marketing or sales does. What should be understood is that the CSIRT acts as an insurance policy in the event the worst happens. In this manner, a CSIRT can justify its existence by reducing the impact of incidents and thereby reducing costs associated with a security breach or other malicious activity.
• Defining a constituency: A constituency clearly defines which organizational elements and domains the CSIRT has responsibility for. Some organizations have several divisions or subsidiaries that, for whatever reason, may not be part of the CSIRT’s responsibility. The constituency can be defined either as a domain such as local.example.com or an organization name such as ACME Inc. and associated subsidiary organizations.
• Creating a mission statement: Mission creep or the gradual expansion of the CSIRT’s responsibilities can occur without a clear definition of what the defined purpose of the CSIRT is. In order to counter this, a clearly defined mission statement should be included with the written information security plan. For example, the mission of the ACME Inc. CSIRT is to provide timely analysis and actions for security incidents that impact the confidentiality, integrity, and availability of ACME Inc. information systems and personnel.
• Determining service delivery: Along with a mission statement, a clearly defined list of services can also counter the risk of mission creep of the CSIRT. Services are usually divided into two separate categories—proactive and reactive services, as outlined here:
  • Proactive services: These include providing training for non-CSIRT staff, providing summaries on emerging security threats, testing and deployment of security tools such as endpoint detection and response (EDR) tools, and assisting security operations by crafting intrusion detection systems/intrusion prevention systems (IDS/IPS) alerting rules.
  • Reactive services: These primarily revolve around responding to incidents as they occur. For the most part, reactive services address the entire IR process. This includes the acquisition and examination of evidence, assisting in containment, eradication, and recovery efforts, and—finally—documenting the incident.

Another critical benefit of an expressly stated charter is to socialize the CSIRT with the entire organization. This is done to remove any rumors or innuendo about the purpose of the team. Employees of the organization may hear terms such as digital investigations or IR team and believe the organization is preparing secret police specifically designed to ferret out employee misconduct. To counter this, a short statement that includes the mission statement of the CSIRT can be made available to all employees. The CSIRT can also provide periodic updates to senior leadership on incidents handled to demonstrate the purpose of the team.

CSIRT team

Once the IR charter is completed, the next stage is to start staffing the CSIRT. Larger organizations with sufficient resources may be able to task personnel with IR duties full-time. Often, though, organizations will have to utilize personnel who have other duties outside IR. Personnel who comprise the internal CSIRT can be divided into three categories: core team, technical support, and organizational support. Everyone within the CSIRT fulfills a specific task. Building this capability into an organization takes more than just assigning personnel and creating a policy-and-procedure document. As with any major project initiative, there is a good deal of effort required in creating a functional CSIRT.

For each of the CSIRT categories, there are specific roles and responsibilities. This wide range of personnel is designed to provide guidance and support through a wide range of incidents, ranging from minor to catastrophic.

CSIRT core team

The CSIRT core team consists of personnel who have IR duties as their full-time job or assume IR activities when needed. In many instances, the core team is often made up of personnel assigned to the information security team. Other organizations can leverage personnel with expertise in IR activities. Here are some of the roles that can be incorporated into the core team:

• IR coordinator: This is a critical component of any CSIRT. Without clear leadership, the response to a potential incident may be disorganized or, with multiple individuals vying for control during an incident, a chaotic situation that can make the incident worse. In many instances, the IR coordinator is often the chief security officer (CSO), the chief information security officer (CISO), or the information security officer (ISO) as that individual often has overall responsibility for the security of the organization’s information. Other organizations may name a single individual who serves as the IR coordinator. The IR coordinator is responsible for the management of the CSIRT prior to, during, and after an incident. In terms of preparation, the IR coordinator will ensure that any plans or policies concerning the CSIRT are reviewed periodically and updated as needed. In addition, the IR coordinator is responsible for ensuring that the CSIRT team is appropriately trained and also oversees testing and training for CSIRT personnel.

During an incident, the IR coordinator is responsible for ensuring the proper response and remediation of an incident and guides the team through the entire IR process. One of the most important of these tasks during an incident is the coordination of the CSIRT with senior leadership. With the stakes of a data breach being high, senior leadership such as the chief executive officer (CEO) will want to be kept up-to-date in terms of critical information concerning an incident. It is the responsibility of the IR coordinator to ensure that senior leadership is fully informed of the activities associated with an incident, using clear and concise language. One stumbling block is that senior leaders within an organization may not have the acumen to understand the technical aspects of an incident, so it is important to speak in a language they will understand.

Finally, at the conclusion of an incident, the IR coordinator is responsible for ensuring that the incident is properly documented and that reports of the CSIRT activity are delivered to the appropriate internal and external stakeholders. In addition, a full debrief of all CSIRT activities is conducted, and lessons learned are incorporated into the CSIRT plan.

• CSIRT senior analyst(s): CSIRT senior analysts are personnel with extensive training and experience in IR and associated skills such as digital forensics or network data examination. They often have several years of experience conducting IR activities as either a consultant or as part of an enterprise CSIRT.

During the preparation phase of the IR process, they are involved in ensuring that they have the necessary skills and training to address their specific role in the CSIRT. They are also often directed to assist in the IR plan review and modification. Finally, senior analysts will often take part in training junior members of the team.

Once an incident has been identified, senior analysts will engage with other CSIRT members to acquire and analyze evidence, direct containment activities, and assist other personnel with remediation.

At the conclusion of an incident, senior analysts will ensure that both they and other personnel appropriately document the incident. This will include the preparation of reports to internal and external stakeholders. They will also ensure that any evidence is appropriately archived or destroyed, depending on the IR plan.

• CSIRT analyst(s): CSIRT analysts are personnel with CSIRT responsibilities that have less exposure or experience in IR activities. Oftentimes, they have only 1 or 2 years of experience in responding to incidents. As a result, they can perform a variety of activities, with some of those under the direction of senior analysts.

In terms of preparation-phase activities, analysts will develop their skills via training and exercises. They may also take part in reviews and updates to the IR plan. During an incident, they will be tasked with gathering evidence from potentially compromised hosts, network devices, or various log sources. Analysts will also take part in the analysis of evidence and assist other team members in remediation activities.

• Security operations center (SOC) analyst: Larger enterprises may have an in-house or contracted 24/7 SOC monitoring capability. Analysts assigned to the SOC will often serve as the point person when it comes to incident detection and alerting. As a result, having a SOC analyst as part of the team allows them to be trained in incident identification and response techniques and serve as an almost immediate response to a potential security incident.
• IT security engineer/analyst(s): Depending on the size of the organization, there may be personnel specifically tasked with the deployment, maintenance, and monitoring of security-related software such as anti-virus or hardware such as firewalls or SIEM systems. Having direct access to these devices is critical when an incident has been identified. The personnel assigned these duties will often have a direct role in the entire IR process.

The IT security engineer or analyst will be responsible for the preparation component of the IR process. They will be the primary resource to ensure that security applications and devices are properly configured to alert to possible incidents and to ensure that the devices properly log events so that a reconstruction of events can take place.

During an incident, they will be tasked with monitoring security systems for other indicators of malicious behavior. They will also assist other CSIRT personnel with obtaining evidence from security devices. Finally, after an incident, this personnel will be tasked with configuring security devices to monitor suspected behavior, to ensure that remediation activities have eradicated malicious activity on impacted systems.

Technical support personnel

Technical support personnel are those individuals within the organization who do not have CSIRT activities as part of their day-to-day operations, but rather have expertise or access to systems and processes that may be affected by an incident. For example, the CSIRT may need to engage a server administrator to assist the core team with acquiring evidence from servers such as memory captures, acquiring virtual systems, or offloading log files. Once completed, the server administrator’s role is completed and they may have no further involvement in the incident. Here are some of the personnel that can be of assistance to the CSIRT during an incident:

• Network architect/administrator: Often, incidents involve the network infrastructure. This includes attacks on routers, switches, and other network hardware and software. The network architect or administrator is vital for insight into what is normal and abnormal behavior for these devices, as well as for identifying anomalous network traffic. In incidents where the network infrastructure is involved, these support personnel can assist with obtaining network evidence such as access logs or packet captures.
• Server administrator: Threat actors often target systems within the network where critical or sensitive data is stored. These high-value targets often include domain controllers, file servers, or database servers. Server administrators can aid in acquiring log files from these systems. If the server administrator(s) are also responsible for the maintenance of the Active Directory structure, they may be able to assist with identifying new user accounts or changes to existing user or administrator accounts.
• Application support: Web applications are a prime target for threat actors. Flaws in coding that allow attacks such as Structured Query Language (SQL) injection or security misconfigurations are responsible for some security breaches. As a result, having application support personnel as part of the CSIRT facilitates the finding of information directly related to application attacks. These individuals will often be able to identify code changes or confirm vulnerabilities discovered during an investigation into a potential attack against an application.
• Desktop support: Desktop support personnel are often involved in maintaining controls such as data loss prevention and anti-virus on desktop systems. In the event of an incident, they can assist in providing the CSIRT with log files and other evidence. They may also be responsible for cleaning up infected systems during the remediation phase of an incident.
• Help desk: Depending on the organization, help desk personnel are the proverbial canary in the coal mine when it comes to identifying an incident. They are often the first individuals contacted when a user experiences the first signs of a malware infection or other malicious activity. Thus, help desk personnel should be involved in the training of CSIRT responses and their role in incident identification and escalation procedures. They may also assist with identifying additional affected personnel in the event of a widespread incident.

Organizational support personnel

Outside of the technical realm, other organizational members should also be included within the CSIRT. Organizational personnel can assist with a variety of non-technical issues that fall outside those that are addressed by the CSIRT core and technical support personnel. These include navigating the internal and external legal environment, assisting with customer communications, or supporting CSIRT personnel while on-site.

Here are some of the organizational support personnel that should be included in a CSIRT plan:

• Legal: Data breaches and other incidents carry a variety of legal issues along with them. Many countries now have breach notification laws where organizations are required to notify customers that their information was put at risk. Other compliance requirements such as the Health Insurance and Portability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) require the impacted organization to contact various external bodies and notify them of a suspected breach. Including legal representation early in the IR process will ensure that these notifications and any other legal requirements are addressed in a timely fashion. In the event that a breach has been caused by an internal source such as an employee or contractor, the impacted organization may want to recoup losses through civil action. Including legal representation early in the process will allow a more informed decision as to which legal process should be followed.
• Human resources (HR): A good deal of incidents that occur in organizations are perpetrated by employees or contractors. The investigation of actions such as fraud, all the way to massive data theft, may have to be investigated by the CSIRT. In the event that the target of the investigation is an employee or contractor, the HR department can assist with ensuring that the CSIRT’s actions are in compliance with applicable labor laws and company policies. If an employee or contractor is to be terminated, the CSIRT can coordinate with HR personnel so that all proper documentation concerning the incident is complete, to reduce the potential of a wrongful termination suit.
• Marketing/communications: If external clients or customers may be adversely impacted by an incident such as a DoS attack or data breach, the marketing or communications department can assist in crafting the appropriate message to assuage fears and ensure that those external entities are receiving the best information possible. When looking back at past data breaches where organizations attempted to keep the details to themselves and customers were not informed, there was a backlash against those organizations. Having a solid communications plan that is put into action early will go a long way in soothing any potentially adverse reactions from customers or clients.
• Facilities: The CSIRT may need access to areas after hours or for a prolonged time. The facilities department can assist the CSIRT in obtaining the necessary access in a timely manner. Facilities also may have access to additional meeting spaces for the CSIRT to utilize in the event of a prolonged incident that requires a dedicated workspace and infrastructure.
• Corporate security: The CSIRT may be called in to deal with the theft of network resources or other technology from the organization. Laptop and digital media theft are very common. Corporate security will often have access to surveillance footage from entrances and exits. They may also maintain access badges and visitor logs for the CSIRT to track the movement of employees and other personnel within the facility. This can allow a reconstruction of events leading up to a theft or other circumstances that led up to an incident.

External resources

Many industries have professional organizations where practitioners, regardless of their employer, can come together to share information. CSIRT personnel may also be tasked with interfacing with law enforcement and government agencies at times, especially if they are targeted as part of a larger attack perpetrated against a number of similar organizations. Having relationships with external organizations and agencies can assist the CSIRT with intelligence sharing and resources in the event of an incident. These resources include the following:

• High Technology Crime Investigation Association (HTCIA): The HTCIA is an international group of professionals and students with a focus on high-tech crime. Resources include everything from digital forensic techniques to wider enterprise-level information that could aid CSIRT personnel with new techniques and methods. For more information, visit the official website at https://htcia.org/.
• InfraGard: For those CSIRT and information security practitioners in the US, the Federal Bureau of Investigation (FBI) has created a private-public partnership geared toward networking and information sharing. This partnership allows CSIRT members to share information about trends or discuss past investigations. You can find more information at the following website: https://www.infragard.org/.
• Law enforcement: Law enforcement has seen explosive growth in cyber-related criminal activity. In response, a great many law enforcement organizations have increased their capacity to investigate cybercrime. CSIRT leadership should cultivate a relationship with agencies that have cybercrime investigative capabilities. Law enforcement agencies can provide insight into specific threats or crimes being committed and provide CSIRTs with any specific information that concerns them.
• Vendors: External vendors can be leveraged in the event of an incident, and what they can provide is often dependent on the specific line of business (LOB) the organization has engaged them in. For example, an organization’s IPS/IDS solution provider could assist with crafting custom alerting and blocking rules to assist in the detection and containment of malicious activity. Vendors with threat intelligence (TI) capability can also provide guidance on malicious activity indicators. Finally, some organizations will need to engage vendors who have an IR specialty such as reverse engineering malware when those skills fall outside an organization’s capability.

Depending on the size of the organization, it is easy to see how the CSIRT can involve several people. It is critical to putting together the entire CSIRT that each member is aware of their roles and responsibilities. Each member should also be asked for specific guidance on which expertise can be leveraged during the entire IR process. This becomes more important in the next part of the IR framework, which is the creation of an IR plan.