Cyberattacks are increasingly common, and a growing number of organizations develop a Computer Security Incident Response Team (CSIRT) to respond to any attacks they face. These teams are tasked with responding to any incidents, and ensuring they regain control of systems as quickly as possible, while minimizing the damage caused and preventing similar attacks from reoccurring.
The Forum of Incident Response and Security Teams (FIRST) is an international body for these teams, and provides a framework that outlines what it believes are best practice guidelines for things such as incident analysis and management.
This framework outlines the kind of roles teams should contain, and how activities are coordinated. It even outlines the kind of support offered to the organization, including hours of operation and other basic service level agreements.
It perhaps goes without saying that the nature of your CSIRT will depend to a large extent on the nature of your organization. Do you have the skills in-house to staff your team appropriately? Are you able to maintain sufficient awareness of the ongoing threats your organization faces? Is your CSIRT able to perform exercises that test and hone their capabilities in the event of a cyberattack? Indeed, is the importance of such a team on the radar of the executive team?
The role of CSIRT teams have evolved over the years, and have become a standard feature of the cyber defense capabilities of many organizations. Does the same apply on a national level? New research from Cornell University explores how the field of incident response can help nations effectively defeat cyberwarfare, not least due to their ability to help teams transcend the political arena that can so often bog down progress.
I’ve written previously about the growing use of cyberwarfare to attack key infrastructure within a nation, whether that’s a country’s digital infrastructure, it’s cyber-physical systems, or even the very institutions of democracy themselves. The paper highlights how despite many of these attacks emanating from state-sponsored groups, there is still a requirement for security teams in the United States and Europe to cooperate with their counterparts in Russia and other hostile nations.
The researchers highlight how important it is for such groups to try and establish domains in which they can build a degree of mutual trust. They believe there is sufficient common ground in terms of keeping key infrastructure running to allow effective cooperation between state security teams, even when state-sponsored groups operate in the shadows.
Whereas CSIRT teams can often function within an organization, the international nature of things such as the internet require an international response. Incident response was a field that began life in the 1980s after a worm infected thousands of computers connected to the burgeoning internet.
The nascent nature of the web at that time meant that international cooperation was initially stunted, but the formation of groups such as FIRST in the 1990s began to see progress being made to formalize and guide effective responses to complex cyberattacks. The Cornell team believes this kind of cooperation can even occur between nations that are so often at loggerheads with one another. Indeed, they argue that without such cooperation, infrastructure such as the internet simply would not exist.
“It’s one thing to come up with a new algorithm or a new technique for, say, intrusion detection, but actually making it work and operate requires people to implement and maintain it on an ongoing basis,” they say. “It’s nice to think some innovative technology will fix everything. But in practice, people have to keep things up to date, particularly when you’re dealing with an intelligent adversary. You have to stay ahead of that.”
Successful incident response
The first point of any successful incident response should be a plan, which should contain key personnel, the procedure for escalating up the organization, processes to cover the full lifecycle of the incident, and basic legal and/or regulatory requirements.
A crucial task of the team is to accurately and efficiently triage any incidents so that the appropriate intervention is implemented. This triaging will be vital to ensure that the right personnel and other resources are deployed, and will probably consider factors such as the sensitivity of any data loss, the integrity of systems, and the impact on business output. These should enable the scale of the problem to be gauged.
Many teams utilize a severity matrix to allow teams to quickly gauge the seriousness of the situation, ranging from critical to low. They also categorize incidents to allow for an appropriate response, regardless of whether the attack is based around phishing or denial of service, malicious code or a data breach.
Incident response plans are a crucial part of any cybersecurity process, and the connected nature of so much of our work means that these will often involve people outside of your organization. Indeed, as the Cornell study reminds us, this can even include people you might ostensibly regard as your rivals.
There is often a mutual advantage in maintaining not only key infrastructure, but the reputation and trust of the services offered, so even rivals can have a strong incentive to work together to ensure cyberattacks don’t damage their operation. If you would like to learn more about building an incident response team, the UK’s National Cyber Security Centre has a good resource to get you started.