Building the IR Team and Options for Team Composition
5 hours 19 minutes
Lesson 1.5: Building the IR Team and Options for Team Composition.
In this lesson, we will look at the following objectives. First, we'll discuss the typical skill sets and positions on an IR team.
Second, we will understand how a SOC and an IR team work together.
Third, we'll identify ways to divide and delegate work, and I'll also introduce you to the RACI model if you're not familiar with it,
and fourth, identify various organizational structures and how IR may fit into the larger enterprise.
So let's jump in. The CERT team can range from one person to many people, and it may be on premise, or it could be virtual, or a combination, especially with COVID-19. We have all seen now the benefits of having virtual workers,
and those organizations that had the large SOCs with multiple people and screens on the walls certainly looked cool, and it probably worked well to be able to bounce ideas off of each other, but it did not work well with COVID-19. So as a result, we're seeing a lot of organizations distribute that workforce across the country
and allow people to work from home, which required a quick change in strategy:
new technologies, new infrastructure, new architecture. However, those companies that already had a remote workforce doing incident response have seen tremendous growth, because they were easily able to pick up where other organizations were not able to.
So just a consideration. The other benefit, of course, to work-from-home incident response teams is the reduction in having to worry about
problems at the work site. So if a work site gets shut down because of an active shooter, a hazardous material spill, or some other reason that forces your IR team to leave, you don't have to worry about that. Of course, with work from home, you don't worry about commutes or anything happening to people on their way to and from work,
and it also broadens your ability to recruit. You're not stuck recruiting only from your physical location; you really can recruit from anywhere.
Of course, there are downsides too, not as many, in my opinion, but if you are an organization that has classified information, for example, you may very well have to have a contingent of incident responders that either have to work on site or can come in on site to look at something in a classified environment.
You also want to look at how the IR team fits in the overall organization. I'll show you some samples of this, but it can sit in a number of areas, and there's not necessarily a right or wrong answer to this. But I'll give you some food for thought.
Perhaps the incident response team is 24x7. Or maybe it's just Monday through Friday, 8 to 5. So you have to look at: what's the risk? What budget do you have? How many people do you need and can you sustain? Or do you even need to sustain 24x7 incident response capabilities?
And it could be a joint effort between in-house resources
and contractors, consultants, or managed security service providers, or MSSPs, which we will talk about more as we go along in this course.
When we look at the skill sets for CERT members, these are typically what we see. Malware reverse engineering: that's more on the advanced side, but certainly something that we would like to see on a CERT. Threat intelligence: maybe a separate group, or you might have somebody within the CERT assigned to threat intelligence activities.
Network forensics is important.
I see a lot of individuals that are very well versed in
digital forensics from a host-based standpoint; network forensics is a little bit more of a special skill set, and not quite so many people that I have seen have that.
Threat hunting: we'll talk about threat hunting in a little bit, but that's certainly something that we like to see if we can afford to have that. Scripting and coding: while not required, it's great if you've got incident responders that understand PowerShell and Python and can write scripts as part of their
incident response capabilities and procedures. And then, of course, digital forensics is a must-have. You have to be able to look at
hosts and memory, whether it's Windows or Linux or Mac systems, servers and applications and databases. So you certainly need incident response capabilities with digital forensics. I want to introduce you to this concept that I mentioned earlier called RACI, and RACI stands for
responsible, accountable, consulted, and informed.
So who is responsible for activities? Who is accountable, ultimately, that they get done? Who needs to be consulted on this activity? And then who just simply needs to be informed, more of a situational awareness type of thing?
On the screen, you see an example that I put together, with the roles on the left-hand side, and then we have different activities, so you'll see vulnerability management, incident detection and response, and then recovery.
So what you do is you take the role and you go across and you say: who is responsible for this? Who's accountable? Who is informed? Who needs to be consulted? And you can go through here and see, for example, the second line down: the CISO is accountable for vulnerability scanning.
They also need to be consulted about IT asset management and high-value assets.
Patching and mitigations they need to be informed about, but they're not accountable for that. That's IT. They're not consulted; IT handles that, but they do need to be made aware of what's going on. And you can go across to incident detection: they're accountable for all of that. Recovery: they need to be consulted on it.
So it's a really great way to keep people in their swim lanes and to show visually who's responsible for what. So it's great for areas of responsibility and showing this kind of information.
Now I want to talk about the security operations center, or SOC, and incident response, and how they may align to each other and play together.
It's not advisable to have the CERT sit completely within the SOC.
Otherwise, monitoring may stop during an incident. So if you think about it, you have people watching screens and looking at alerts and events, and if they're also the incident responders, as soon as they see something, they may stop looking and jump over to the response. That's obviously not what you want to have happen, because you may start missing things.
Cross training, though, and rotational assignments are highly encouraged. You want to give people different skill sets and a taste of what all the people do in the organization, because that just makes them better. It also leads to higher engagement and retention of employees.
SOC and CERT acting as peers or having some overlap is best practice. So either they're on the same tier as peers, or there is a little bit of overlap, and that may be:
there are levels of SOC analysts, and then once it's actually declared to be an incident, it flips over to the IR team,
or however you structure that. But just keep that in mind. And then if you only have one CERT member, which is certainly common, then focus on updating plans and contract agreements. What I mean by this is, if you have only one person responsible for incident response in the organization,
clearly that's not enough. If you think back to the circle chart with all the skills, there's no way you're going to find one person that can do all of that.
So have this person, the one CERT member you have, probably doing some of the easier investigations, but also have them focus on having a really good incident response plan
and contracts, meaning: who will you reach out to? Who do you have on retainer if something happens? And then this CERT member really becomes that liaison and trusted adviser to the organization during some sort of an incident.
Here's an example of how the CERT may be located within an organization. So on this chart, you see you've got the chief information security officer. Under the CISO you have governance, risk, and compliance, or GRC; you have security operations; and then you have DevSecOps. And again, these are just examples.
Under security operations,
there are threat hunters, SOC, CERT, and vulnerability management. This is a really common structure that we see, and it allows everybody to be on the same level: great cross-communication. You have to be worried about a little bit of silos, but that's the security operations manager's job to break those down.
But it helps to have people in these areas of responsibility as well, because they all have different functions and roles.
Here's another example. Here's a CIO; under the CIO, there's the CISO. This CISO is more of a policy and governance CISO, not an operational one. And under the CISO is the contract for that MSSP, the managed security services provider we talked about,
but then you've got a director of infrastructure and operations, probably balancing both IT and cybersecurity.
And within that director's purview is the SOC, the CERT, and data and analytics, just for an example, and the CERT would report up into the IT organization, not necessarily the CISO.
Here's another one where you have IT completely abstracted out of this one. You've got the chief risk officer; under that is the CISO. So we see the CISO reporting to all sorts of people: the CIO, the CEO, directly to the board, the chief risk officer, the CFO.
It's just a little bit all over the place. But in this one, it's going to the chief risk officer,
and then you see, under the CISO, there's the application security manager, threat intelligence and incident response, network security, and cloud security. This would be a pretty large organization to have a team broken up like this. Within the threat intel and IR manager's organization would be the CERT, the SIEM, threat intel, and
the threat hunting team.
So these are just some samples. There is no right or wrong answer. It really depends on the organization. And sometimes it depends on the person.
Sometimes you see a CIO, for example, that has a really good knowledge of security. Sometimes you have a CIO that's not knowledgeable about security and, in fact, doesn't really want anything to do with the security organization, so that could be problematic.
When I was a CISO and got promoted to CIO, they actually moved the security
organization up under me. So the CISO reported into me, because I came from that world; I understood how important security was.
But in the past, the CIO and CISO were peers, because the CIO may not have thought security was quite as important. And I'm not saying that about where I came from, but I have seen in the past where CIOs say, "Yeah, we've got bigger things to do. We need to focus on IT operations.
We don't have time for all the security stuff," and that can obviously
be a detriment to the organization. That's why I said it really depends on people sometimes, too.
So let's look at a quiz question here. True or false: the CISO should always report to the CEO.
The answer for this one is false. As I mentioned before, there's no right answer. The CISO could report to a number of different organizations; I would say most commonly we do see it report up to the CIO. But when you see the word "always," you've got to be careful there. So this is definitely false.
Second quiz question. In order to have a true IR capability, what is the minimum number of personnel necessary?
A. At least five. B. At least 10. Or C. At least one.
And on this one, the right answer is you just need one. That's maybe not a quote-unquote team,
but you can have just one person being responsible for the CERT. And if you remember, I mentioned, if that's the case, they should be more focused on planning, keeping things up to date, and managing those contracts for other people that can come in and help if there is an incident.
So another one here. What does RACI stand for? A. Responsible, accountable, consulted, and informed.
B. Reasonable, actionable, continued, and interesting.
Or C. Reasonable, actionable, constrained, and invited.
Well, if you answered A, you got it correct. This is who's responsible, who's accountable, who's consulted, and who just needs to be informed. I can't stress enough how important it is to have a structure like this. RACI works great for project management, for all sorts of things, but especially in incident response, so consider using it in your organization.
In summary, we covered a couple of things in this lesson: what are the typical skill sets and positions on an IR team;
ways to divide and delegate work based on RACI, and we learned how it works and why it's important; how a SOC and an IR team can work together; and some various organizational structures and how IR may fit into the larger enterprise.