Skip to main content
War Room

Checklist for Incident Response Teams

Forming a Computer Security Incident Response Team (CSIRT) is a complex affair. It normally involves a certain combination of staff, processes and technologies.

If the goal is handling DDoS related incidents, you probably need network engineers, a good relationship with your ISP and special hardware. If the enemy is phishing campaigns, your focus probably revolves around emailing.

However the essentials are the same in most situations, no matter what the mission of your CSIRT is. This publication attempts to provide a list of must-have technologies for all forming incident response teams out there.

Incident Response Coordination

Various tools for managing security incidents through their lifecycles.

Incident Tracking

The very first thing to document, share and track incidents is a dedicated ticketing tool, which is

  • Not accessible to anyone outside the CSIRT (because tickets may contain sensitive data)
  • Access can be granted to outsiders if needed

Recommended, purpose built tools: RTIR, CyberSponse, Syncurity

Non-specific tools: ServiceNow, RemedyJIRA

On-call Tool

Pager tool to distribute new incidents amongst the team members

Recommended: PagerDuty, OpsGenie

War Room

A dedicated meeting room to gather around when major incidents are handled together

  • Must have a door (i.e. privacy!)
  • The room must be available at all times
  • Must have good wireless reception (Wifi and phone)

Finally, a reusable sign that says something like: “Do not enter, all meeting room reservations are cancelled”. Don’t forget to stash some adhesive for attaching this onto the door.

War Room

Information Exchange

Because the CSIRT cannot act on its own, it has to interact with a lot of people inside and outside of the organisation. A seamless communication is key for effective incident handling.

Gear and Gadgets

Because your incident handlers also have a private life and they might be on the go.

  • Lightweight laptop
  • Laptop bag
  • 3G/4G dongle (mobile Internet)
  • Token for the company VPN
  • Mobile phone with loud ringtone and long battery life
  • Comfy headset
  • Chargers

Phone

Incident reporters should be able to report incidents over the phone:

  • Simple phone number assigned to the CSIRT
  • Line should be forwarded to the appropriate incident analyst being on-call

As incident handling require a lot of coordination:

  • Dedicated conference bridge

Team Chat

Eases information flow between members of the incident response team

  • An effective chat tool archives chat logs and makes them searchable
  • Messages are delivered even if the analyst is offline
  • Supports modern chat bots such as Hubot (Recommended plugins)
  • Team members can easily share files between each other

Recommended: Slack, HipChat, Kato

Distribution Lists

A private email distribution list with the members of the CSIRT subscribed.

  • The list should facilitate communication inside the team

A public email distribution list should also be created.

  • The email address of the list should be publicised inside the company
  • Security incidents can be reported here
  • Automated tools may dump their alerts to this list
  • Incoming Emails should automatically generate tickets

Dog on the Phone

Call Tree

The following list of contact details should be available for each member of the team:

  • CSIRT members
  • CSIRT contact person with the Business
  • HR team
  • Legal team
  • PR team

This also comes handy:

  • Company phone book
  • Organisation chart

Contact details of third-parties:

  • Software Vendors (e.g. your anti-virus support)
  • Hardware Vendors (e.g. your IDS/IPS vendor)
  • ISP

Abuse E-Mail Addresses

RFC2142 defines certain email addresses that every domain must maintain. Because external reporters might use these addresses to report incidents, the best course of action is to forward all emails to the CSIRT distribution list.

  • abuse@yourcompany.com
  • noc@yourcompany.com
  • security@yourcompany.com

E-Mail Templates

The CSIRT may need to communicate in a semi-formal manner with the employees or external security reporters.

The CSIRT might warn the end-users of an ongoing email campaign, or let an independent security researcher know that they are working on the report. Pre-written email templates can help to respond in an timely and appropriate manner. The templates should be:

  • Short and get to the point
  • Translated to the local languages of your organisation

Finally templates intended for emails to third-parties should be pre-approved by your legal and PR departments.

Press Release Templates

Engage your PR team to formulate press release templates. Consider common incident scenarios such as:

  • Small scale data breaches
  • General data breaches affecting PII/credit card data
  • High-profile data breaches (if you business critical data is affected)
  • Unavailability of critical public facing services

Bear in mind that this type of communication with the public is usually handled by your PR team and the CSIRT is only consulted (what was affected, how long, what has been done etc.). Here are a few real-life statements.

Bonus point for leaving the “We take security seriously” nonsense out.

Email Encryption

Encrypts and/or signs emails with external incident reporters. It provides secrecy as well as authenticity when dealing with third-parties.

  • Encryption software should be pre-installed
  • Individuals should have a valid PGP key
  • The CSIRT distribution list should also have a PGP key
  • The CSIRT PGP key should be publicised on the Internet

Recommended: Enigmail

xkcd on PGP

Asset Lists

Assists the CSIRT to find the involved systems in a security incident.

Software and Hardware Inventory

Helps identify systems affected in a security incident

  • List of applications at your company
  • List of associated servers, databases and network devices
  • Network diagrams

Software Baselines

They help identify whether an asset was tampered with by comparing the asset’s configuration to the company baseline

  • Linux and Windows gold images
  • Internal OS configuration / hardening guidelines
  • Standard JunOS, Cisco iOS configuration baselines
  • Ansible playbooks, Puppet manifests, Chef recipes

Sharing Stuff

Secure File Storage

Provides a simple platform to share ad-hoc files with insiders our outsiders of the organisation

  • Files should only be accessible to the CSIRT members by default
  • Should be able to generate unique download links
  • Unique download links should be accessible from the Internet as well

Recommended: Box.com, ownCloud Enterprise, SpiderOak Enterprise, DropBox for Business, tresorit

Fort Knox

Password Safe

The CSIRT should have its own password safe to store sensitive stuff such as password or PGP private keys

  • Should support two-factor authentication
  • The safe should support multiple users at the same time

Recommended: Top 10 List of Enterprise Password Managers

An Actual Safe

A fireproof safe to store sensitive paper-based documents in addition to hard drives, USB drives and laptops waiting for forensics analysis.

Secure Courier

A postal service should be pre-arranged for sending in laptops for forensics analysis.

Conclusion

There is one thing in common between the tools and technologies listed above. They all connect incident analysts and reporters together, and foster a seamless information flow between them. It might not come as a surprise as incident handling is all about engaging the right people at the right time when things go pear shaped.

What are your favourite tools and why? Scroll down to the comments and feel free to share them!

Credits

Thanks for JP Bourget and disqus_cllpPuP4AB for the feedback

Share on LinkedInShare on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on RedditFlattr the authorEmail this to someone
Share This Post!

Gabor

Founder of CryptoAUSTRALIA, privacy and info security enthusiast