Keep Calm and Be Prepared: Know Your CSIRT

Picture this: A phone call wakes you, the CTO, at 6am on a Saturday morning. It’s a reporter from a large newspaper asking about your data breach. You have no idea what the reporter is talking about and you hang up the phone. You then start searching the internet to see if there’s any truth to this story and notice that it’s being reported all over  the web, Twitter, Facebook, etc. You’ve been compromised – Now what?!

In this blog post we’re going to talk a little about the response team you need to put together ahead of time, so that you’re not starting from scratch when you’ve been breached. Some roles in the Computer Security Incident Response Team (CSIRT) are common sense but others aren’t, and these are the ones I want to focus on in this post.

It’s not hard to know who’s in your Security, Networking, Windows, Linux, etc. teams, and selecting the right people for the CSIRT shouldn’t be all that difficult. But, these aren’t the only people you need. Let’s review some other roles you need in the CSIRT:

Compliance/Risk Management

During a breach your compliance team will obviously be heavily involved with the CSIRT. They must have full knowledge of the breach and what’s being done to address it so that they can answer the auditor’s questions at the next audit, which won’t be fun! The same goes for your risk management team. They will need to determine if there are any additional risks to the enterprise during and after the breach has been eradicated. This team will work directly with the security team to locate the risks across your environment and help to mitigate it.

Remote Sites

It’s very easy to forget about your remote sites if you’re a large company headquartered with multiple smaller sites, but you mustn’t leave them in the dark. Eventually the threat or the media are going to find their way to them, and you need to have people assigned as remote site liaisons to the CSIRT to relay information and updates about their location. You also need technical people from these remote locations in the CSIRT to handle any local technical issues.

Forensics

If you’re a large company with an in-house forensics team, you probably have the right resources to handle the forensics aspects of breach. If you don’t or you’re a small to medium size company, you should find the right expert vendor ahead of time. Doing the leg work upfront, such as finalizing financial and legal terms, will to save you a ton of valuable time (and money), when you need it.

Datacenter Team

Another area that’s often overlooked is your datacenter team. There’s a very good chance you have remote datacenters located in far flung places for business continuity purposes. But how do you manage the resources at these centers? It’s very possible that these systems are hosted by a third-party MSPs and the people working on your remote systems aren’t employees of your company. In the event of a breach, you probably won’t get the response or level of urgency from people who don’t have skin in the game.

If possible, you should establish a set of procedures for each remote datacenter, and assign a manager responsible in the event of a breach. Another good idea is to have regular fire drills for these resources so that they are fully trained on what they’ll need to do in the event of a breach. Many MSPs have high turnover so creating a runbook and assigning a manager will help expedite a few of these tasks if/when the time comes.

Non-Technical Leadership

The Technical personnel are key to the CSIRT, but there are also non-technical teams that you really need to have on your side in the event of a breach. These are customer-facing teams that will manage the reputation and integrity of your business during and after a breach. Here are a few that you should start working with now:

• Finance
  • Depending on what’s breached the financial team will play a very large role in the CSIRT especially if credit cards have been stolen. The finance team will need to liaise with the credit card companies and payment providers.
• Marketing/Public Relations
  • The marketing department needs to be on the same page with the CSIRT in order to determine how to communicate – externally and internally – about the breach. The marketing team will likely have to handle some very difficult questions from customers, reporters, etc. They need to be prepared, and they need to make sure that what they are saying about the breach is approved by executive management first. The marketing will also need to be on the lookout for what’s being said about the company during the breach, and they’ll be assisting you with analyzing the impact to the business’s reputation after a breach.
• Legal
  • This team goes without saying. Make sure they are involved from the get-go and counsel you about what is appropriate from a legal perspective. There will most likely be lawsuits afterward the breach and this is something they will need to be ready for too.
• Call centers
  • Just like the marketing team, this team is going to be taking direct questions from the public and they need to be trained on exactly what to say. Setting up a separate hotline to handle customer inquiries is a good idea, and team members should stick to a pre-approved script.
• Law Enforcement
  • Last, but not least, you need to involve law enforcement in the event of a breach. It’s a good idea to develop relationships with the FBI and local police department ahead of time, to allow a quicker response when dealing with a breach.

These are a few teams that you should consider including in your CSIRT. This by no means a definitive list and there are probably many other relevant teams that are unique to your company. The key thing is defining and educating these teams ahead of time. What you don’t want is to have to pull these teams together after a breach has already occurred. Make sure you have your CSIRT established and processes well documented before you actually need them.