Video Activity

Part 4 - The Different Types of Incident Response Teams

Video Transcript

So the types of incident Response team's of the next topic we're gonna talk about. So the first type of incident response team is going to be the Central Incident Response Team, and with the Central Incident Response Team is going to be a single team will respond to handle incidents throughout the organization, and that model is going to be very effective for small organizations and for organizations that don't have a very large geographic footprint. The next type of team that you might see is a distributed incident response team, and this type of team is good for an organization that will have multiple incident response teams. And each of those teams will be responsible for a logical or physical segment of the organization.

So the model was going to be very effective for large organizations. Essentially, that had one team for division or for organizations with major computing. Resource is a different locations, so you might have one team, her geographic location or one team for major city. Nevertheless, the team should be part of a single and cohesive coordinated entities so that the incident response process is going to be consistent across the organization and that information is shared with each of the teams, and this is gonna be important because with multiple teams they may see different components of the same incident are they want to handle incidents in the same manner. So it's just going to be that consistency across all of your incident. Response Team's the next time the team, but you're going to see is going to be a coordinating team. And with the coordinating team on Incident Response Team will provide advice to other teams not really having the authority over those teams.

So an example that is going to be a department wide team that may assist some other agencies, team or some other team within the organization. And that model could be thought up is essentially a C sir, so you might see one or two of these across an organization. Or you might see kind of a hybrid, depending on what type of organization that you're dealing. So the next topic is going to be the incident response team staffing. So the first part of the organization team is going to be its employees. The nature they're gonna be the people that essentially perform all the incident response work, and they may have limited technical administrative support from contractors. Then you're going to have essentially those that are partially outsourced. So organization outsources portions of the incident response works. So although the incident response duties could be divided among the organization and one arm or outsources, in many ways, a few arrangements have been become commonplace.

So the most prevalent arrangement is for the organization to outsource 24 hours a day, seven days a week, monitoring of intrusion detection sensors, firewalls and other security devices to offset manage security service providers. So the M S S P identifies and analyze a suspicious activity, and they're going to report each detective incident to the organization's incident response team that after Theis M. S S P essentially reports that information, the team will then be able to go in the side and categorize what type of instant that they have going back to that. That earlier discussion about policy of how grave the incident might be in what type of response is needed Then some organizations perform basic incident response work in house and can call on contractors to assist with handling of incidents, particularly those that are more serious or wide spreads essentially have two diametrically opposed types of teams, one that is essentially taking care of the monitor and 24 hours a day, and then where you might actually monitor yourself and then call in some some expertise to help deal with that incident.

The next incident response team that your type team you're going to see is going to be a fully outsourced team, and the organization completely will outsource its incident. Response work, typically to an on site contractor on this model, was most likely the use when the organization needs a full time on site incident response team that does not necessarily have enough personnel or qualified personnel available. It is assumed that the organization will have employees supervising and overseeing the outsourcing incident Response team considerations. Does your organization need 24 7 availability? So most organizations need insert response staff to be available 24 7 Most organizations today are spread out globally.

Are they're going to have neat on 24 hour up time on their server, So this typically means that the incident handlers could be contacted by phone, but it can also mean them on site presence is required. So real time availability is the best for incident response because longer than an incident last. But more potential there is for damage and loss. So real time contact is needed when working with other organizations, for example, tracing an attack back to its source. So the quicker you can get to the incident, the more likely it is that you could minimize the damage. So 24 7 is something that you're probably going to see drink free. So full time and part time team members.

Organizations with limited funding, staffing or incident response needs may have only a part time incident response team members and these members might be serving as more of a virtual incident response team, and in this case, the response team could be thought of as a kind of volunteer fire department, said one emergency occurs, the team members or contact rapidly, and those who assist our can assist do so likely. It's possible that these individuals have other jobs or other duties that may take them away from incident Response. We're doing something completely separate. Could be the 30 people, but it's not no, but an existing groups such as the IT help desk can act as the first PFC for incident report and then the help desk members could be trained to perform the initial investigation and data gathering and then alert the incident Response team that pierced that.

Ah serious incident has occurred. Another consideration. Eyes going to be employee morale, so incident response work is very stressful. Often these employees are gonna be on call on this combination of the stressful work, and being on parole essentially is going to make incident response. Team members become overly stressed. Many organizations will struggle to find individuals who are willing, able on experience on skilled to participate in 24 hours. So incident response team considerations continued. You may have segregated rolls, particularly due to cost. So coughs is a major factors we discussed earlier, especially if employees are required to be on site 24 7 So organizations may fail to include incident response, specific costs in their budgets, such a sufficient funding for training and maintaining skills.

And because Incident Response Team's work with so many facets of I t. It's much members, we're gonna have to have a much broader knowledge of I T and other staff members, so they must understand how to use the tools of incident response, such as digital forensic software, which we're going to get into a little later. Other costs that may be overlooked our physical security for the team's work areas and communications mechanisms. So if you have an organization that wants to have an incident Response team, they may not understand that they need to have her say, maybe a Faraday Cage area for someone to conduct forensic investigations. So another consideration is going to be staff experience.

Incident handling require specialized knowledge and experience in several technical areas. So the breath and depth of knowledge requires requirements are gonna vary based on the severe e of the organization's risk. So outsourcers may possess deeper knowledge of intrusion, detection and forensics, vulnerabilities, exploits and other aspects of security that employees within the organization might be ableto provide. And also MSs Peace may be able to correlate events among customers so that they can identify new threats quicker and the individual that individual customers good. However, technical staff members within the organization will usually have a better knowledge of the organizations operating environment than per se, maybe an outsider, which can be identified, beneficial and identifying false positives associated with the organization, specific behavior and the criticality of the response required.

Course link:
Incident Response and Advanced Forensics
Need some incident response training on your path to becoming a network engineer or cyber defense analyst? This course will introduce you to incident response and prepare you to conduct forensic collections. Learn how to develop protection plans, dive into insider and malware threats, and commence incident recovery.
Instructed by
Max Alexander

I serve as the Chief Technology Officer and Director of Cybersecurity for Aveshka Inc. where I consult with federal and commercial clients in cyber and information security issues ranging from digital forensics, incident response, data loss prevention, risk management, COOP, disaster recovery, and insider threat.