How to Build a Computer Security Incident Response Team (CSIRT)

An effective Computer Security Incident Response Team can mean the difference between safety and vulnerability in today’s cybersecurity landscape. The CSIRT ensures your organization is prepared for cyber incidents and can react quickly to minimize the damage. This article will go over precisely what a CSIRT is, what the roles on the team are, how to assemble a CSIRT and what the CSIRT’s responsibilities are.

What Is a CSIRT?

Every organization should have some kind of CSIRT — Computer Security Incident Response Team. This group is responsible for identifying and resolving cyberattacks. An effective CSIRT team is more important today than ever before.

Businesses are facing increasing rates of cyber attacks that will only continue to grow more numerous and more varied. A well-prepared CSIRT could mean the difference between successfully stopping a cyber attack or losing data, time and money recovering from one.

CSIRT Tasks and Objectives

The primary objective of the Computer Security Incident Response Team at any organization is to detect and respond to cyber incidents. Several tasks and responsibilities fall under this umbrella.

The job of any CSIRT team is creating the incident response plan  — or IRP. This is the ultimate handbook the CSIRT lives by. It includes all the necessary details on how your business and your CSIRT will react in a cyber incident. The IRP also outlines how to prepare ahead of time and any relevant policies, such as protocols for handling employees’ personal information. Critical information — such as the contact info for local law enforcement — should also be included in the IRP for quick reference.

The goal of an IRP is to minimize the negative impact of any cyber attack and potentially even stop a hacker in their tracks. Take a look at this IRP from Carnegie Mellon University for a good example of what a typical IRP looks like.

In addition to creating the IRP, the CSIRT is responsible for reviewing and updating your organization’s cybersecurity measures and policies. The CSIRT oversees the threat monitoring and alert system and ensures it is up to date on new and emerging issues. Similarly, running security audits regularly is also a task the CSIRT should handle.

The CSIRT is also responsible for running regular incident response training. The main training event is roleplay cyber incident sessions, which involve everyone on the CSIRT acting out exactly what they would do in a realistic mock cyber attack. This helps everyone practice and memorize their responsibilities and learn the best responses in certain situations.

Incident response training can also extend beyond the CSIRT members. For example, CSIRT personnel could run an anti-phishing course for employees, teaching them how to spot the signs of phishing and avoid falling victim to an attack. Training like this helps prevent cyber incidents — a top priority for the CSIRT.

CSIRT Members and Responsibilities

How should your organization go about putting together a CSIRT? It is a relatively straightforward process of finding the right group of people and making sure everyone understands their roles and responsibilities. Organizations of different sizes may combine or assign additional positions, but there are a few people who should be on every CSIRT.

Executive Sponsor

The first step in building a CSIRT is finding an executive sponsor. This person is one of the executives or a board member — often the CISO or CSO. They will act as the team leader, oversee CSIRT activities and ensure the team has the resources and budget needed to operate effectively. The executive sponsor is the face of the CSIRT within the company.

During cyber attacks, the executive sponsor is also the lead decision maker. For example, if the lead investigator rules that a server needs to be taken offline, the executive sponsor gets the final say in that decision. One crucial choice for the executive sponsor to consider is their organization’s response to ransomware — whether or not to pay ransoms will fall on the executive sponsor.

Incident Manager and Lead Investigator

Additionally, every CSIRT needs an incident manager and lead investigator. Ideally, these two roles are filled by people in the company with cybersecurity knowledge or hands-on experience.

The incident manager is primarily a communications-oriented role. This person is effectively the second-in-command to the executive sponsor. They make sure everyone is performing their responsibilities effectively, arrange CSIRT meetings and collect the findings of security investigations.

One of the incident manager’s most important jobs is ensuring all actions taken during a cyber attack are documented clearly and accurately. This documentation can be crucial for analyzing the CSIRT’s response and may also be necessary for law enforcement review or legal purposes. The incident manager should be aware of what everyone else on the CSIRT is doing before, during and after a cyber incident.

The lead investigator is the technical complement to the incident manager. This person is the lead cyber detective, someone with proven knowledge of cybersecurity. It is especially helpful for the lead investigator to have experience with digital forensics. The lead investigator oversees the investigation into how a cyber attack occurred, what the damage was and the potential motive.

As the primary technical expert of the CSIRT, the lead investigator is critical during an active cyber attack. They may work with other security and IT personnel, as well. Their priority is to work out exactly what the attacker is attempting to do and — if possible — stop them or minimize the damage. Afterward, the lead investigator will work with IT personnel and analysts to determine the exact extent of the damage done to the organization’s systems, devices and data.

PR and Communications Advisor

Every CSIRT team should also have a PR or communications advisor. This could be someone from your communications, marketing or HR department. Their job is to oversee interactions with the press, law enforcement and the public relating to any cyber attacks.

If a significant cyber incident does occur, the PR advisor will have the skills and communications knowledge to deter public panic and ensure your organization’s reputation stays intact. Don’t underestimate the importance of your PR advisor. As cyber expert Bruce Schneier points out, “The thing about incident response is it is not cyber, it’s crisis management.”

Like in natural disasters or internal crises, a sound and strategic PR response can make a crucial difference for your business, especially regarding public reactions. The PR advisor is someone with a level head and the tact to deliver truthful information about cyber incidents without inciting fear in the process. During and after cyber incidents, the PR advisor may write press releases, speak to local press, communicate with law enforcement and oversee any posts or comments on the organization’s social media pages.

Legal and HR Advisors

Many CSIRT teams also have a legal advisor. The legal consultant’s job is to determine when and how your company must disclose information regarding cyber incidents to the general public, law enforcement or shareholders. As a result, they may work closely with the PR or communications advisor. In a worst-case scenario, the legal advisor also manages any lawsuits resulting from a cyber incident.

It can be helpful to have an HR advisor on the CSIRT, as well. If a cyber incident involves an insider, the HR advisor will be responsible for navigating the situation. Additionally, the HR advisor can field any employee concerns resulting from a cyber incident. An HR advisor isn’t strictly necessary, but they can help act as a liaison between the CSIRT and the rest of an organization’s employees.

The CSIRT in Action

To illustrate how the various roles in the CSIRT work together, here is a walkthrough of a mock cyber incident. The CSIRT is initially called into action when the member on-call or a member of the security monitoring team sends out an emergency notification of a cyber attack. The entire CSIRT team should meet as soon as possible.

During a Cyber Attack

The lead investigator is particularly crucial to have on the scene right away. They will begin working with IT personnel to stop the cyber attack or start recovering data. For instance, they may pinpoint the compromised account being used to access the organization’s systems and lock that account out.

Constant communication is crucial for the incident manager. They will be the information hub during the cyber incident, aware of exactly what is going on and every step being taken to stop the cyber attack. The incident manager is responsible for relaying information between key parties during a cyber attack and ensuring they keep track of what is occurring. For example, they may update the executive sponsor and PR advisor regularly.

While the executive sponsor may not have hands-on cybersecurity experience, they should be available and focused during cyber incidents, whether they are in the office or not. If they must make a critical decision — such as choosing whether or not to pay a ransom — the executive sponsor needs to be available to make that call.

The legal advisor doesn’t necessarily have to be on-site in the office during a cyber incident, but they should be in contact with the incident manager and PR advisor. The incident manager should provide the legal advisor with details about the incident at hand so they can determine what information the PR advisor needs to release to the public. As soon as possible, the PR advisor should contact law enforcement to report a cyber attack, including details of any damage done and the type of attack.

After a Cyber Attack

Once the lead investigator and their IT team have gotten the cyber incident under control and conclude it is over, everyone moves into the post-incident phase. A cyber attack may end with the organization “losing” to the attacker by way of losing data or money. On the other hand, the lead investigator’s team may succeed in cutting off an attacker before they can do much damage. Either way, the critical part is the cyber attack is no longer underway.

At this stage, the lead investigator’s team begins analyzing the organization’s systems to determine the extent of the damage caused by the attack. They may be able to recover some damaged data or systems. They will also analyze the attack itself, determining the attacker’s motive and how they initially gained access to the organization’s systems. Most importantly, the lead investigator’s team will make sure the organization’s systems are secured again.

The PR advisor may post a press release or speak to the local press about the cyber incident. Suppose they do not know the full extent of the cyber attack or the data compromised. In that case, the PR advisor may simply report there was a cyber incident and release further details as they become available.

The incident manager should start compiling an organized, detailed report of the cyber attack at this stage. They may also begin working more closely with law enforcement to report exactly what happened, as well as any known information about the attacker. After the attack, the incident manager’s records of the attack will be used to do a full debrief with the CSIRT and identify ways for the team to improve.

Outsourcing CSIRT Services

Outsourcing isn’t ideal for everyone, but there are cases where you may want to consider it — one is location. Ideally, you want to have at least one person on the CSIRT awake and on-call 24/7, including holidays, after hours and weekends. This can be challenging for groups operating entirely in one location or time zone. In this instance, you may benefit from outsourcing roles on your CSIRT team to representatives in other countries or time zones.

Another case for outsourcing is threat monitoring. Some companies specialize in providing proactive network monitoring services that actively watch for suspicious activity on your network around the clock. Larger organizations may be able to provide their own threat monitoring, but outsourcing this service can be helpful and convenient for smaller companies.

CSIRT for Smaller Organizations

You may have gotten this far and realized your business is not big enough to support a full-time CSIRT reasonably. That’s okay! Smaller groups can still put together an effective CSIRT. In fact, you may not realistically need a large team of security personnel on full-time CSIRT duty.

You could assemble a group of existing employees who form the CSIRT in addition to their traditional roles. Alternatively, you could have a dedicated CSIRT leader or a condensed team of two or three people.

Either strategy can work well. Which one is best generally depends on where the cybersecurity knowledge lies in your company. If you have one person with significant experience and expertise in cybersecurity, they may be able to handle most of your CSIRT tasks independently.

Security and Preparedness with CSIRT

A Computer Security Incident Response Team is the key to detecting and resolving cyber incidents successfully. No matter the size of your organization, you can assemble a CSIRT to help protect against the increasing cyber threats facing businesses today.