What makes a Good Incident Response Team?

Effective incident response ensures that your organisation counters cyber-attacks. However, there is more to incident response than just countering an attack; incident response requires an in-depth knowledge of how people, processes and technology work within a specific crisis.   

In the blog post below, we will highlight:  

• What makes an incident response team.  
• What the roles and responsibilities of an incident response team are.  
• How to train an incident response team.  
• How Sapphire provides incident response expertise.  

What is a Cyber Incident?  

Before delving into the details of incident response teams, we must first define what a cyber incident is.   

‘The NCSC defines a cyber incident as a breach of a system’s security policy to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).’  

However, there are a few different types of cyber incidents that organisations can be hit with, such as:  

• Attackers are attempting to gain access to an organisation’s system or data.  
• Attackers using an organisation’s plans to process or store data.  
• Someone is making unauthorised changes to a system’s software or hardware.  
• Disruption or denying service to an organisation (ransomware).  

What is an Incident Response Team?  

A cybersecurity incident response team (also known as CSIRT) is a team of cybersecurity experts available to deal with an incident occurring in an organisation. The team can be either internal or external, this depends on the nature of the incident and whether the team is equipped to deal with it effectively.  

Although many teams aren’t fully dedicated to incident response as a full-time job, it is helpful to have this internally or externally to create a set of strategic assets in advance, including a Readiness Review and Forensic Guidelines.  

In our blog post ‘The Importance of Incident Response’, we suggested that:  

‘IR teams are charged with preventing, managing, and responding to any cyber breaches or attacks. The team also extends to researching threats, developing and updating effective IRPs, and educating staff on cybersecurity best practices.’  

For more information about the importance of incident response strategies, please read our blog post here.  

What are the roles and responsibilities of an Incident Response Team?  

As an incident response team must respond to an incident whenever they happen, the roles and responsibilities of the team can vary. This also means that a CSIRT requires several different roles to coordinate incidents effectively.   

The roles can fall under a wide variety of headings such as:  

• Government and law enforcement roles. 
• Executive management roles.  
• Incident manager.  
• Technical lead or manager. 
• Crisis management roles.  
• Investigators and analysts, also known as cyber security specialists.  
• IT and infrastructure specialists.  
• Legal, PR, HR, customer services and more.  

What roles are critical during an Incident?  

Depending on the type and scale of the incident, different team members can be critical to ensuring the attack is dealt with efficiently and effectively.  

Although one individual can take up multiple roles, this is dependant on team structure. Some critical roles necessary during any cyber incident are.  

• Team leaders: help to coordinate incident response team activities and communicates actions to stakeholders and other employees.  
• Communicators: help aid the communication of incidents across the organisation and necessary third parties. Usually, these communicators are trained or at least supported by public relations experts.  
• Investigators: employees gather technical evidence and work to determine the cause of an attack as well as helping to direct other analysts to help recover systems.  
• Analysts: an analyst’s responsibility is to support the investigator to provide context to the incident via deep autopsies on compromised systems.  
• Legal Representatives: HR or legal department help address any criminal charges is essential following up from a cyber response to an incident.  

What hours of coverage do I need for my Incident Response team?  

Ensuring that team members are always available in case of an incident is vital to ensuring that the incident is dealt with quickly. This means that providing ‘deputies’ for these roles is essential for all functions in the incident response team. This is not just for one position, but for multiple roles in the team too.  

However, the hour of coverage depends on your sector and what requirements your organisation requires. The best way to decide on this is to balance your organisation’s risk as well as budget. There are a few questions that organisations can ask themselves to determine this:  

NCSC (National Cyber Security Centre) suggests that:  

‘When determining your coverage, an organisation should consider the following:  

How would you handle an incident that starts in the day and cannot be left overnight?  

Might incidents be detected out of hours that cannot wait until the next working day?  

What coverage is required? Weekdays only, extended business hours, or 24/7?  

What is the risk? Do you need official on-call support, or does the cost of this outweigh the risk?  

Is the use of suppliers appropriate? Is a ‘follow the sun’ Type model possible?’  

What are the benefits of an Incident Response team?  

Depending on needs, there can be varying benefits for different organisations. However, there are some universal benefits too: 

Creating team awareness  

Ensuring that your organisation is aware of both the latest cybersecurity news and incident reports is essential. By creating general awareness, the executive team will be mindful of the roles they play in case of an incident and improve their knowledge of said incidents.  

Executive-level awareness  

Although creating team awareness is essential to developing an effective incident response strategy, ensure that your organisation has executive-level understanding. This is because executives are required to make urgent decisions regarding incident responses.   

As a result, appointing deputies is a good idea if crucial staff are unavailable at the time of an incident.  

Improving the strategy  

To create an effective incident response strategy, the team must know any gaps based on real-life scenarios. By running exercises based on the types of scenarios that could occur, incident response teams can ensure that all the team know their roles and responsibilities in the event of an incident.  

One of the best ways to do this is by facilitating exercises by an external specialist. This provides a fresh set of eyes and impartial advice when it comes to developing and improving an incident response strategy.  

Trained team  

Suppose your team is trained appropriately for an incident. In that case, an organisation can see improvement in the readiness for a cyber incident and in general awareness of potential incidents.   

Sapphire’s Incident Response service  

With 25 years of experience working on incident response, Sapphire’s Managed Incident Response Service has a set of strategic assets in advance, ensuring that organisations have Readiness Review and Forensic Guidelines in place before an incident even occurs.   

We provide:

INCIDENT RESPONSE​

• 20 hours of Incident Response, delivered by Check Point Global Incident Response Team​.

FORENSIC READINESS GUIDE​

• A first responders guide & readiness pack​.

INCIDENT READINESS CHECK​

• An examination of perimeter security controls, internal systems and operating systems, remote access, cloud and data security and websites​.

POST INCIDENT REVIEW​

• Review of the incident once resolved to identify how to be better prepared to provide effective controls should the incident happen again​.