Computer Security Incident Response Team (CSIRT)

Definition

Computer Security Incident Response Team (CSIRT)

a team that reacts to security incidents

A CSIRT is commonly also known as a:

• Computer Incident Response Team (CIRT)
• Incident Handling Team (IHT)
• Incident Response Team (IRT)
• Security Emergency Response Team (SERT)
• Security Incident Response Team (SIRT)

Classification

As illustrated in the preceding figure, Computer Security Incident Response Team is part of the following inheritance hierarchy:

• Type: Concrete
• Superclass: Engineering Team
• Subclasses:
  • Internal CSIRT
    a CSIRT providing security incident handling services for a parent organization
  • Coordination Center CSIRT
    a CSIRT that coordinates and facilitates the handling of security incidents across multiple CSIRTs
  • Analysis Center CSIRT
    a CSIRT that analyzes data from multiple sources to determine and report security incident trends and patterns
  • Vendor CSIRT
    a CSIRT that provides alerts regarding security vulnerabilities with its products
  • Managed Security Service Provider (MSSP)
    a CSIRT that commercially provides incident handling services to organizations

Responsibilities

The typical team-specific responsibilities of a CSIRT are to:

• Minimize and control the harm due to security incidents.
• Provide (and/or assist with) an effective response to security incidents.
• Help the organization recover from any harm due to security incidents.
• Provide a stable staff, the membership of which has security incident handling expertise.
• Provide a single point of contact for reporting security incidents.

A CSIRT team typically inherits the general team responsibilities from the team method component.

Roles

A CSIRT typically consists of persons playing the following roles:

• Security Analyst, who leads the team and performs security incident preparation, triage, and response.
• Incident Handler, who performs security incident detection, notification, triage, analysis, response, and reporting.
• Domain Experts, who provide expertise in platforms, attacker tools and techniques, media relations, law and law enforcement, etc.
• Technical Writer, who documents security incidents and actions taken to react to them.

Tasks

A CSIRT typically performs the following team-specific tasks in an iterative, incremental, parallel, and time-boxed manner:

• Security Engineering:
  • Security Incident Preparation,
    during which plans and conventions for reacting to security incidents are developed
  • Security Incident Detection,
    during which the occurrence of security incidents is detected
  • Security Incident Notification,
    during which stakeholders are notified of the occurrence of security incidents
  • Security Incident Triage,
    during which security incidents are prioritized, categorized, and assigned
  • Security Incident Analysis,
    during which security incidents are analyzed in order to determine the:
    • Events comprizing the security incident
    • Vulnerabilities exploited by the attacker
    • Negative impact (e.g., harm) caused by the security incident
    • Recovery or mitigation steps that should be taken
  • Security Incident Response,
    during which actions are coordinated to provide an appropriate and timely response to the security incident including the:
    • Technical Response
    • Management Response
    • Legal Response with the organization’s legal team and law enforcement agencies
  • Security Incident Reporting,
    during which one or more security incidents are reported to stakeholders
  • Security Incident Documentation,
    during which one or more security incidents are documented

A CSIRT typically inherits the common team tasks from the team method component.

Work Products

A CSIRT typically produces the following work products:

• Security Incident Management Plan
• Security Incident Policies
  (e.g., incident reporting policy, incident handling policy, external communications policy, media relations policy, information disclosure policy)
• Security Incident Procedures
  (e.g., incident tracking, notification, and evidence gathering, securing, and preserving)
• Security Incident Report
• Security Incident Alert

Guidelines

• Although effective security engineering can lower the rate of successful attacks, it cannot prevent all probes and unsuccessful attacks. When security incidents occur, it is critical that organizations have an effective response.
• This team collaborates closely with the:
  • Disaster recovery team when the disaster is due to a successful security attack.
  • Security team to ensure that security incidents do not reoccur.
  • Training team to provide security incident awareness training.
• A security team is largely proactive, whereas a CSIRT is largely reactive.
• In practice:
  • A single team may combine the responsibilities of the security team and the CSIRT.
  • There may be a large degree of overlap in membership between the security team and the CSIRT.
• A CSIRT typically inherits the common team guidelines from the team method component.