Forming a Computer Security Incident Response Team (CSIRT) is a complex affair. It normally involves a certain combination of staff, processes and technologies.

If the goal is handling DDoS related incidents, you probably need network engineers, a good relationship with your ISP and special hardware. If the enemy is phishing campaigns, your focus probably revolves around emailing.

However the essentials are the same in most situations, no matter what the mission of your CSIRT is. This publication attempts to provide a list of must-have technologies for all forming incident response teams out there.

Incident Response Coordination

Various tools for managing security incidents through their lifecycles.

Incident Tracking

The very first thing to document, share and track incidents is a dedicated ticketing tool, which is

Not accessible to anyone outside the CSIRT (because tickets may contain sensitive data)

Access can be granted to outsiders if needed

Recommended, purpose built tools: RTIR, CyberSponse, Syncurity

Non-specific tools: ServiceNow, Remedy, JIRA

On-call Tool

Pager tool to distribute new incidents amongst the team members

Recommended: PagerDuty, OpsGenie

War Room

A dedicated meeting room to gather around when major incidents are handled together

Must have a door (i.e. privacy!)

The room must be available at all times

Must have good wireless reception (Wifi and phone)

Finally, a reusable sign that says something like: “Do not enter, all meeting room reservations are cancelled”. Don’t forget to stash some adhesive for attaching this onto the door.

Information Exchange

Because the CSIRT cannot act on its own, it has to interact with a lot of people inside and outside of the organisation. A seamless communication is key for effective incident handling.

Gear and Gadgets

Because your incident handlers also have a private life and they might be on the go.

Lightweight laptop

Laptop bag

3G/4G dongle (mobile Internet)

Token for the company VPN

Mobile phone with loud ringtone and long battery life

Comfy headset

Chargers

Phone

Incident reporters should be able to report incidents over the phone:

Simple phone number assigned to the CSIRT

Line should be forwarded to the appropriate incident analyst being on-call

As incident handling require a lot of coordination:

Dedicated conference bridge

Team Chat

Eases information flow between members of the incident response team

An effective chat tool archives chat logs and makes them searchable

Messages are delivered even if the analyst is offline

Supports modern chat bots such as Hubot (Recommended plugins)

Team members can easily share files between each other

Recommended: Slack, HipChat, Kato

Distribution Lists

A private email distribution list with the members of the CSIRT subscribed.

The list should facilitate communication inside the team

A public email distribution list should also be created.

The email address of the list should be publicised inside the company

Security incidents can be reported here

Automated tools may dump their alerts to this list

Incoming Emails should automatically generate tickets

Call Tree

The following list of contact details should be available for each member of the team:

CSIRT members

CSIRT contact person with the Business

HR team

Legal team

PR team

This also comes handy:

Company phone book

Organisation chart

Contact details of third-parties:

Software Vendors (e.g. your anti-virus support)

Hardware Vendors (e.g. your IDS/IPS vendor)

ISP

Abuse E-Mail Addresses

RFC2142 defines certain email addresses that every domain must maintain. Because external reporters might use these addresses to report incidents, the best course of action is to forward all emails to the CSIRT distribution list.

abuse @yourcompany.com

@yourcompany.com noc @yourcompany.com

@yourcompany.com security@yourcompany.com

E-Mail Templates

The CSIRT may need to communicate in a semi-formal manner with the employees or external security reporters.

The CSIRT might warn the end-users of an ongoing email campaign, or let an independent security researcher know that they are working on the report. Pre-written email templates can help to respond in an timely and appropriate manner. The templates should be:

Short and get to the point

Translated to the local languages of your organisation

Finally templates intended for emails to third-parties should be pre-approved by your legal and PR departments.

Press Release Templates

Engage your PR team to formulate press release templates. Consider common incident scenarios such as:

Small scale data breaches

General data breaches affecting PII/credit card data

High-profile data breaches (if you business critical data is affected)

Unavailability of critical public facing services

Bear in mind that this type of communication with the public is usually handled by your PR team and the CSIRT is only consulted (what was affected, how long, what has been done etc.). Here are a few real-life statements.

Bonus point for leaving the “We take security seriously” nonsense out.

Email Encryption

Encrypts and/or signs emails with external incident reporters. It provides secrecy as well as authenticity when dealing with third-parties.

Encryption software should be pre-installed

Individuals should have a valid PGP key

The CSIRT distribution list should also have a PGP key

The CSIRT PGP key should be publicised on the Internet

Recommended: Enigmail

Asset Lists

Assists the CSIRT to find the involved systems in a security incident.

Software and Hardware Inventory

Helps identify systems affected in a security incident

List of applications at your company

List of associated servers, databases and network devices

Network diagrams

Software Baselines

They help identify whether an asset was tampered with by comparing the asset’s configuration to the company baseline

Linux and Windows gold images

Internal OS configuration / hardening guidelines

Standard JunOS, Cisco iOS configuration baselines

Ansible playbooks, Puppet manifests, Chef recipes

Sharing Stuff

Secure File Storage

Provides a simple platform to share ad-hoc files with insiders our outsiders of the organisation

Files should only be accessible to the CSIRT members by default

Should be able to generate unique download links

Unique download links should be accessible from the Internet as well

Recommended: Box.com, ownCloud Enterprise, SpiderOak Enterprise, DropBox for Business, tresorit

Password Safe

The CSIRT should have its own password safe to store sensitive stuff such as password or PGP private keys

Should support two-factor authentication

The safe should support multiple users at the same time

Recommended: Top 10 List of Enterprise Password Managers

An Actual Safe

A fireproof safe to store sensitive paper-based documents in addition to hard drives, USB drives and laptops waiting for forensics analysis.

Secure Courier

A postal service should be pre-arranged for sending in laptops for forensics analysis.

Conclusion

There is one thing in common between the tools and technologies listed above. They all connect incident analysts and reporters together, and foster a seamless information flow between them. It might not come as a surprise as incident handling is all about engaging the right people at the right time when things go pear shaped.

What are your favourite tools and why? Scroll down to the comments and feel free to share them!

Credits

Thanks for JP Bourget and disqus_cllpPuP4AB for the feedback