Forming a Computer Security Incident Response Team (CSIRT) is a complex affair. It normally involves a certain combination of staff, processes and technologies.
If the goal is handling DDoS related incidents, you probably need network engineers, a good relationship with your ISP and special hardware. If the enemy is phishing campaigns, your focus probably revolves around emailing.
However the essentials are the same in most situations, no matter what the mission of your CSIRT is. This publication attempts to provide a list of must-have technologies for all forming incident response teams out there.
Incident Response Coordination
Various tools for managing security incidents through their lifecycles.
Incident Tracking
The very first thing to document, share and track incidents is a dedicated ticketing tool, which is
- Not accessible to anyone outside the CSIRT (because tickets may contain sensitive data)
- Access can be granted to outsiders if needed
Recommended, purpose built tools: RTIR, CyberSponse, Syncurity
Non-specific tools: ServiceNow, Remedy, JIRA
On-call Tool
Pager tool to distribute new incidents amongst the team members
Recommended: PagerDuty, OpsGenie
War Room
A dedicated meeting room to gather around when major incidents are handled together
- Must have a door (i.e. privacy!)
- The room must be available at all times
- Must have good wireless reception (Wifi and phone)
Finally, a reusable sign that says something like: “Do not enter, all meeting room reservations are cancelled”. Don’t forget to stash some adhesive for attaching this onto the door.
Information Exchange
Because the CSIRT cannot act on its own, it has to interact with a lot of people inside and outside of the organisation. A seamless communication is key for effective incident handling.
Gear and Gadgets
Because your incident handlers also have a private life and they might be on the go.
- Lightweight laptop
- Laptop bag
- 3G/4G dongle (mobile Internet)
- Token for the company VPN
- Mobile phone with loud ringtone and long battery life
- Comfy headset
- Chargers
Phone
Incident reporters should be able to report incidents over the phone:
- Simple phone number assigned to the CSIRT
- Line should be forwarded to the appropriate incident analyst being on-call
As incident handling require a lot of coordination:
- Dedicated conference bridge
Team Chat
Eases information flow between members of the incident response team
- An effective chat tool archives chat logs and makes them searchable
- Messages are delivered even if the analyst is offline
- Supports modern chat bots such as Hubot (Recommended plugins)
- Team members can easily share files between each other
Recommended: Slack, HipChat, Kato
Distribution Lists
A private email distribution list with the members of the CSIRT subscribed.
- The list should facilitate communication inside the team
A public email distribution list should also be created.
- The email address of the list should be publicised inside the company
- Security incidents can be reported here
- Automated tools may dump their alerts to this list
- Incoming Emails should automatically generate tickets
Call Tree
The following list of contact details should be available for each member of the team:
- CSIRT members
- CSIRT contact person with the Business
- HR team
- Legal team
- PR team
This also comes handy:
- Company phone book
- Organisation chart
Contact details of third-parties:
- Software Vendors (e.g. your anti-virus support)
- Hardware Vendors (e.g. your IDS/IPS vendor)
- ISP
Abuse E-Mail Addresses
RFC2142 defines certain email addresses that every domain must maintain. Because external reporters might use these addresses to report incidents, the best course of action is to forward all emails to the CSIRT distribution list.
- abuse@yourcompany.com
- noc@yourcompany.com
- security@yourcompany.com
E-Mail Templates
The CSIRT may need to communicate in a semi-formal manner with the employees or external security reporters.
The CSIRT might warn the end-users of an ongoing email campaign, or let an independent security researcher know that they are working on the report. Pre-written email templates can help to respond in an timely and appropriate manner. The templates should be:
- Short and get to the point
- Translated to the local languages of your organisation
Finally templates intended for emails to third-parties should be pre-approved by your legal and PR departments.
https://www.youtube.com/watch?v=H-oH-TELcLE
Press Release Templates
Engage your PR team to formulate press release templates. Consider common incident scenarios such as:
- Small scale data breaches
- General data breaches affecting PII/credit card data
- High-profile data breaches (if you business critical data is affected)
- Unavailability of critical public facing services
Bear in mind that this type of communication with the public is usually handled by your PR team and the CSIRT is only consulted (what was affected, how long, what has been done etc.). Here are a few real-life statements.
Bonus point for leaving the “We take security seriously” nonsense out.
Email Encryption
Encrypts and/or signs emails with external incident reporters. It provides secrecy as well as authenticity when dealing with third-parties.
- Encryption software should be pre-installed
- Individuals should have a valid PGP key
- The CSIRT distribution list should also have a PGP key
- The CSIRT PGP key should be publicised on the Internet
Recommended: Enigmail
Asset Lists
Assists the CSIRT to find the involved systems in a security incident.
Software and Hardware Inventory
Helps identify systems affected in a security incident
- List of applications at your company
- List of associated servers, databases and network devices
- Network diagrams
Software Baselines
They help identify whether an asset was tampered with by comparing the asset’s configuration to the company baseline
- Linux and Windows gold images
- Internal OS configuration / hardening guidelines
- Standard JunOS, Cisco iOS configuration baselines
- Ansible playbooks, Puppet manifests, Chef recipes
Sharing Stuff
Secure File Storage
Provides a simple platform to share ad-hoc files with insiders our outsiders of the organisation
- Files should only be accessible to the CSIRT members by default
- Should be able to generate unique download links
- Unique download links should be accessible from the Internet as well
Recommended: Box.com, ownCloud Enterprise, SpiderOak Enterprise, DropBox for Business, tresorit
Password Safe
The CSIRT should have its own password safe to store sensitive stuff such as password or PGP private keys
- Should support two-factor authentication
- The safe should support multiple users at the same time
Recommended: Top 10 List of Enterprise Password Managers
An Actual Safe
A fireproof safe to store sensitive paper-based documents in addition to hard drives, USB drives and laptops waiting for forensics analysis.
Secure Courier
A postal service should be pre-arranged for sending in laptops for forensics analysis.
Conclusion
There is one thing in common between the tools and technologies listed above. They all connect incident analysts and reporters together, and foster a seamless information flow between them. It might not come as a surprise as incident handling is all about engaging the right people at the right time when things go pear shaped.
What are your favourite tools and why? Scroll down to the comments and feel free to share them!
Credits
Thanks for JP Bourget and disqus_cllpPuP4AB for the feedback
