An incident response team, also known as an IR team, is a group of experts who are responsible for responding to an information security incident, such as a data breach or ransomware attack. The IR team handles the full scope of the incident including preparation, response and recovery.
The core goal of the incident response team is to respond in a quick and efficient manner to regain control of the situation and minimize the resulting damage. Incident response- teams, also known as IR teams, are made up of information security specialists as well as non-security personnel.
In this blog post, you will learn:
- What is an incident response team?
- What does an incident response team do?
- What is an incident response team pool?
- The key departments to include in an IRT pool
- Real-world examples of IRT teams
- Helpful tips for incident response team members
What Is an Incident Response Team?
A cybersecurity incident response team responds to security incidents such as data breaches, cyber attacks and system failures. This multi-disciplinary team is crucial for protecting the company beyond just IT. In the event of an incident, the team's first priority is to contain and mitigate the damage. They will then work with experts to establish what happened and how to prevent it from occurring again in the future: both from a technical perspective and an organizational perspective.
The cyber incident response team is made up of the IR team lead and some of the members in a broader IR team pool. The IR team lead is the primary point person in an incident response situation. They will decide which members of the IR team pool need to be involved and are responsible for coordinating the activities of the incident response team.
The incident response team pool is a group of individuals who may be called upon to help respond to a cybersecurity incident. The pool is made up of personnel from various departments, including IT, security, human resources, and legal, among others.
Several common examples of IRTs that are designed to manage specific incidents are as follows:
- A Computer Security Incident Response Team (CSIRT) or Computer Emergency Response (or Readiness) Team (CERT) is responsible for preventing, detecting and responding to IT- or cyber-based incident response security events or incidents. CSIRT, CERT and CIRT are often used interchangeably in the field.
- A Security Operations Center (SOC) is typically responsible for an organization’s overarching cybersecurity. So while this does include prevention and incident response (IR), it often extends beyond stand-alone incidents to include compliance and risk management.
Let’s move on to understand the roles and responsibilities of IR teams.
What Does an Incident Response Team Do?
A cybersecurity incident response team assembles in the event of a security incident. They are charged with following an outlined incident response plan to appropriately respond to the incident.
The incident response team’s primary goal is to reduce harm to the organization overall, help meet legal obligations, and help get the organization back to business as usual, as quickly as possible.
The specific tasks performed during each phase of the response will vary depending on the nature of the incident. The roles of an incident response team can vary depending on the nature and severity of the incident at hand. These roles are crucial in coordinating an effective response and minimizing the impact of the incident.
Some typical roles that may be included in an incident response team are:
- Incident Commander: Responsible for overall incident coordination and decision-making.
- Triage Analyst: Assesses the incident severity, prioritizes response efforts and identifies critical areas requiring immediate attention.
- Forensic Investigator: Conducts detailed investigations to determine the root cause of the incident and gathers evidence for further analysis.
- Communications Specialist: Handles both internal and external communications, ensuring stakeholders are informed about the security incident and its progress.
- Remediation Expert: Develops and implements strategies to mitigate the impact of the incident, including containment and recovery of affected systems.
- Legal Advisor: Provides guidance on legal and compliance aspects, ensuring that the incident response efforts align with relevant regulations and requirements.
- Public Relations Representative: Manages the public image and perception during and after a cyber incident, working to maintain trust and credibility.
By having a well-defined and diverse incident response team in place, organizations can effectively respond to incidents and minimize the potential damage they may cause.
Cybersecurity vs Incident Response. What are the differences and why do they matter? We explain in this informative blog.
What Is an Incident Response Team Pool?
The incident response team pool includes personnel from a range of departments, some obvious and some less so. All members of the pool are trained on the IR Plan so they are ready to join IR teams on short notice for specific incidents as necessary. The team typically includes security professionals with expertise in various areas, such as forensics, network security and malware analysis. It will also include non-security personnel, for example, legal counsel or public relations staff.
An incident response team's activities can be divided into several phases:
The current Center for Internet Security (CIS) Critical Security Controls describes six main phases:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
The National Institute of Standards and Technology (NIST) Incident Response Handling Guide and Cybersecurity Framework generally follow the same process but are organized into four main phases:
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
Depending on the nature of a specific incident, different members of the IR team pool may be involved in an IR team for a particular incident at various stages of the process. For example, IT personnel will be heavily involved throughout, whereas public relations representatives will be more involved in the recovery stage.
How robust is your IR plan? Take a look and best practices when it comes to building an incident response plan.
What Are the Key Departments to Include in an IRT Pool?
Each department’s representative in the IR team pool should be chosen carefully. A good guide is to select members who know about at least one of the most important systems used by the department in case the system is impacted by a security incident. For example, knowledge of the general ledger, expense reimbursement and connections to external banks might be necessary for the finance department representative.
In addition, each incident response pool member should identify a delegate who will also become trained on the IR plan as a contingency plan in case the pool member is absent or for assistance during a significant incident.
The IR team pool should include:
- Information Security
- Legal
- IT
- Human Resources
- Finance
- Compliance / Risk Management
- Physical Security /Security Analysis
- Communications/PR
- Business Units
- Same departments in other geographic areas, if applicable
Additionally, external parties that may be involved include:
- Outside counsel
- Forensics firms
- Public Relations/Communications
Examples Of Incident Response Teams Who Coordinate With Other IR Teams Around The World
Many large organizations have designated incident response team members. Indeed, the Forum of Incident Response and Security Teams lists 627 companies from various industries, including the following (with some examples):
- Banking and Finance: Bank of America Partnerships Team and Deutsche Bank Cyber Threat Response Team
- Technology: Hewlett Packard Enterprise (HPE) PSRT, Comcast Cybersecurity Operations Center and CrowdStrike Security Incident Response Team
- Manufacturing: HP Inc. PSRT, Lenovo PSIRT, Sony PSIRT and Panasonic PSIRT
- E-commerce: Amazon Security Incident Response Team and Alibaba Security Response Center
- Consumer Goods: KraftCERT, Diageo CSIRT and PepsiCo Global Threat Assessment and Response Management
- Healthcare: Amgen
- Aviation: Lufthansa Group CERT and Airbus CERT
Incident response teams are not limited to businesses; states, provinces and countries often have IR teams at the ready. The Australian Cyber Security Centre, the Canadian Centre for Cyber Security, Computer Emergency Response Team of Ukraine , the National CERT Ghana, and the National Cyber Security Center or Hungary are a few examples of government-led incident response teams that operate at the national level to protect critical infrastructure, coordinate cybersecurity efforts and respond to cyber incidents within their respective regions.
Need buy-in from your Board of Directors? Here’s how to get started.
Helpful Tips for Incident Response Team Members
With many cybersecurity incident response team members lacking a background in information security, the role can feel like an overwhelming responsibility. However, each member is selected for a reason and can utilize their background knowledge about the company and their department, along with some critical thinking to contribute constructively to an incident response situation.
Here are some key tips to bear in mind:
- Keep a copy of the Incident Response Plan and checklists off-site. Depending on the incident, you may not be going into the office (systems are all down), accessing your email (it had to be disabled), or any company file storage (your cloud storage service provider was attacked). Don’t skip this simple step and wind up scrambling to figure out what to do in an incident when every minute counts.
- Keep a hard copy of IR Team Pool members’ contact information. When ransomware incidents seize an organization’s entire IT infrastructure, laptops and VoIP system, how will you call your IR Team Lead? How will the IR Team Lead contact HR? Don’t end up searching for colleagues on LinkedIn when every minute counts. Consider exchanging personal phone numbers and email addresses for this purpose.
- Know your sensitive information, most important systems and greatest harm. Revisit the lists in your IR Plan to spot potential issues or concerns. Don’t overlook important issues by trying to re-create company priorities off the top of your head.
- Consider your department’s needs compared to the organization’s overall needs. IR Team members will have many questions during an IR, and the answers are necessary for the Team members to do their jobs as employees and as IR Team members. Members should consider their requests in the context of the overall needs and priorities of the organization. Prioritizing as a group helps team members understand why their requests might take a back seat to others and keeps everyone focused on the overall top priorities. Hint: Prioritize based on the most important data, systems or harm laid out in the IR Plan.
- Use a checklist, not the IR Plan document in the event of an incident: If an IR Team member hasn’t received training, the first step should be contacting the IR Team Lead, not starting to read page 1 of the IR Plan. The IR Plan document should be used for training and practice, or as a reference guide during an incident. Make sure team members have their own easy-to-use checklists that identify their own specific tasks or concerns they should remember to address during a response effort.
- Ask; don’t assume. While it’s natural to go with gut instinct, it’s important that every line of inquiry is based on evidence. Spend time thinking through possible actions. Consult other members of the IR Team who you may not think would have helpful information. Using all of the IR Team resources can help avoid wasting valuable time. Some people operate better under pressure and may be extremely helpful even if their department isn’t impacted by an incident.
- Understand the consequences. When dealing with the aftermath of a cyber attack, you can find answers far quicker if you continue to seek information from the forensic team so you can determine harm that could be caused to the organization (e.g., leaked data, lost customers).
As with any team situation, sharing resources and strong collaboration and communication skills will go a long way in ensuring success.
Why Choose ZeroDay Law?
Cybersecurity is more important than ever, and ZeroDay Law has the expertise to protect your organization. We’ll help you plan for and respond to cybersecurity incidents quickly and effectively, so you can get back to business as usual. Cybersecurity attacks, legal obligations and technical threats are growing in prevalence and are not slowing down. As a best practice, ensuring your business has an IR plan in place, that it meets your legal obligations, and that it is reviewed and revised periodically is critical.
Unlike other law firms, we’re experts in matters related to cybersecurity and privacy, with a unique focus on incident response planning. We have a proven track record of success in a range of incident types, including large data breaches.
Our team of experts will work with you to create a custom plan that fits your needs and helps you stay prepared for any potential incident. You'll have peace of mind knowing that your business is safe and secure, no matter what surprises are in store.
Contact us today to learn more about how ZeroDay Law can help protect your business.