Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours.
A cyber incident response team (CIRT) is a team of experts that assesses, documents, and responds to cyber incidents so that organizational systems can recover quickly and implement the necessary controls to avoid future incidents. CIRT personnel include, for example, forensic analysts, malicious code analysts, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. The team members may or may not be full-time but need to be available to respond in the time period required. The size and specialties of the team are based on known and anticipated threats. The team is typically pre-equipped with the software and hardware (e.g., forensic tools) necessary for rapid identification, quarantine, mitigation, and recovery and is familiar with how to preserve evidence and maintain chain of custody for law enforcement or counterintelligence uses. For some organizations, the CIRT can be implemented as a cross organizational entity or as part of the Security Operations Center (SOC).
[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP 800-101] provide guidance on integrating forensic techniques into incident response. [NIST SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184] provides guidance on cybersecurity event recovery.
The CIRT’s primary function is to handle information security incident management and response for the environments the SOC oversees. The primary goals of the CIRT are triage and initial response to an incident. They also communicate with all the proper people to ensure understanding of an incident and the response actions, including collection of forensic evidence, have been conveyed.
If and when an incident is detected by the organization’s SOC, the IR team is responsible for handling the incident and communicating what has happened to the appropriate people within the organization, as well to the authorities (as needed).
The deployment of a team does not necessarily mean they are “physically deployed.” Deployment may simply mean connecting to a remote system in a manner that is equivalent to being on the system’s keyboard. Remote access can provide just as much capability as local access in many cases.
Some situations require physical access. For instance, if the company has a physically isolated environment located at a remote location, a team must be physically present at the remote facility to perform the duties required.
You are the lead for an IR team within your organization. Your manager is the SOC lead, and she reports to the chief information officer (CIO). As the SOC is alerted and/or identifies incidents within the organization’s environments, you lead and deploy teams to resolve the issues, including incidents involving cloud-based systems. You use a custom dashboard that was created for your team members to view and manage incidents, perform response actions, and record actions and notes for each case. You also have your team create an after action report for all incidents to which they respond; this information is used to determine if a given incident requires additional action and reporting [a].
One day, you receive a message from the SOC that your website has become corrupted. Within minutes, you have a team on the system inspecting logs, analyzing applications, preserving key information, and looking for evidence of tampering/attack [b]. Your team runs through a procedure set for this specific incident type based on a handbook the organization has created and maintains [c]. It is found that a cyberattack caused the corruption, but the corruption caused a crash, which prevented the attack from continuing. Your team takes note of all actions they perform, and at the end of the incident analysis, you send a message to the website lead to inform them of the issue, case number, and notes created by the team. The website lead has their team rebuild the system and validate that the attack no longer works. At the end of the incident, the CISO and CIO are informed of the issue.
Potential Assessment Considerations
- Does the organization have a response capability that has remote access to the organization’s systems and system components within 24 hours in place of physical access [a,b]?