Part 2 - CIRC Team Composition


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson discusses the composition of the cyber incident response team (CIRC), which consists of:
· Team leader
· IR team member
· Incident manager
· Local IT
· Forensics
· Admin

Included in this team are dispatchers, who work the incident response hotline and respond to calls accordingly. Best practices for the entire team include:
· Awareness
· What do we do now that we know?
· React
· Review policies and procedures

Video Transcription
Moving on from this slide, we have another visual here that lays out that CIRC Team Composition. Depending on your organization, it may or may not vary from this, but at the center of that, you're going to have that team leader. Then you'll have that incident manager, your forensics person, local IT support, IT administrators maybe if your system spans many geographical regions, and then your incident response team members.

Also included in this incident response team is going to be a dispatcher. Dispatchers are going to essentially man and answer the response hotline. They may or may not be an actual part of that team, but if you have a ticketing system similar to maybe ArcSight, they might be the person who receives that initial call and puts a ticket in the system that says, "Hey, we've had some type of incident." Essentially their responsibilities are to receive distress calls from clients or employees, and they provide general information about the various incident response services. They'll fill out the reports, they'll essentially assign a tracking number so you can keep track of that incident, and they'll connect clients with the appropriate incident response team personnel for further assistance. Then technically this function is going to be conducted around the clock, as many organizations have 24/7 uptime, especially if they're large global organizations.

Another aspect we're looking at in this incident response totality is the awareness of something occurring. That's going to be the first level of the incident response: that something happened, and that we may or may not know what happened, but we want to know how do we know that this occurred.

Then we're looking for these indicators. Indicators may come in various forms. It could be something from IDS, so maybe you've got a ping or something that someone has tried to do something to your network and you need to go and investigate that to get exactly what that was. Maybe you've had someone who was cruising along the Internet or they've opened up some type of file on their email, and all of a sudden you have this virus scanner alert pop up and say that your system is either infected and/or that your virus scanner has quarantined something, and that would warrant some type of incident response.

The next indication you might have is a violation of acceptable use policies. If you're monitoring traffic on your network and you're seeing folks go to certain websites that they're not supposed to, or you see them using a computer for other than its intended purpose, that might be something that you want to investigate and figure out further what exactly happened, why they're doing what they're doing.

You may also have firewall notifications that something's happening, or someone's trying to get into your network, or something's trying to escape your network that shouldn't.

You could also have self-reporting. Maybe a user has opened up that email attachment and they've noticed that they're now infected with ransomware, or maybe they've lost their laptop or their mobile device that's connected to your network, and they're calling the dispatcher to report that.

Then lastly, hopefully this doesn't occur, but it has in fact happened to several organizations, is that you get a report in the news that you've been hacked and you don't know about it, or you're having to now respond to this reported hack in the news, so you're definitely behind the power curve.

Moving on after the awareness stage, we essentially have to question that now that we know something happened, how do we know? We're going to identify what happened: the who, what, when, where, how. Then we ask ourselves the question, is this actually an incident? Oftentimes events may happen and they may not rise to the level of something being an incident. Does the event violate any principle of that CIA triad about confidentiality, integrity, or availability of data on your network? Hopefully, those things will be laid out in your incident response policy. But if not, it's important to ask those questions.

Then, once you determine that it is an incident, that it does violate some principle of that CIA triad, you have to ask yourself how serious of a problem is that incident. If it's phishing with no data loss, it may just warrant essentially blocking that sender's email address, or if it's a DDoS attack that shuts down your network, you're obviously going to have to spin up a lot more of your incident response personnel to essentially deal with that, and you'll probably call in your ISP provider to essentially have some assistance in blocking that large amount of traffic that's coming into your network. Then obviously, once you're starting to respond to these incidents, it's important to follow your organizational procedures and policies as required.

After we've figured out that plan of action, the next thing that we're going to have to do is to react to that incident. In reacting to that incident, we've broken that down into a simple, easy-to-remember process. The first step, that R, is to review the policies and procedures; we keep hammering on that policy and procedures. That just shows the necessity and the importance of having good policies and procedures in place. After you've done that, we're going to evaluate the situation. Determine again what we talked about: who, what, when, where, why, how of the situation. The next step is to avoid panic. Oftentimes, when something happens, such as a very serious incident, a lot of people want to panic and make rash decisions. Avoiding panic, thinking through the process, logically coming up with a good solution is a very important step. Collecting information is obviously going to help us come up with that solution to the problems. Just like G.I. Joe said, knowing is half the battle; the more information that you can collect and the more information that you know about an incident will help tailor that response to the incident.

Lastly, after you've collected that information and you have an understanding of the exact situation that's occurring, you'll want to take the appropriate action. But obviously, if you don't follow the aforementioned steps in reviewing your policies and procedures, knowing and understanding the situation, not panicking, and collecting information about the incident, it's very difficult to come up with the appropriate action to take. It's very important to follow that REACT principle in that step action that's outlined.

Looking at the REACT principle a little more in depth, let me talk about the first process, which is reviewing the policies and procedures. Anytime that there's an incident, you want to locate the policy that addresses incident response. Then you want to look at the incident response procedures. In those different procedures, it should state what is and what is not allowed. It should give a playbook of who to call and who not to call, especially if you've got a large enterprise. Maybe if you're in the United States and you've got someone in Mongolia, or if you've got someone in China, there may be other individuals that you're going to have to call in as part of that incident response plan of reaction. Knowing who to call, knowing what policies and procedures to access, are very important. Then the question is, what if you don't have any incident response policies and procedures? What do you do at that point in time? Who do you call who can make some type of decision in order to start beginning to work this incident and remediate it?