
Module 1

CSIRT Fundamentals
[Presenter Name]
[Date]
Copyright
Copyright © by Forum of Incident Response and Security Teams, Inc.

FIRST.Org is the name under which Forum of Incident Response and Security Teams, Inc. conducts business.

This training material is licensed under Creative Commons Attribution-Non-Commercial-Share-Alike 4.0 (CC BY-NC-SA 4.0).

FIRST.Org makes no representation, express or implied, with regard to the accuracy of the information contained in this material and cannot accept any legal responsibility or liability for any errors or omissions that may be made.

All trademarks are property of their respective owners.

Permissions beyond the scope of this license may be available at [email protected]

Module 1, CSIRT Fundamentals, Version 1.1, © FIRST Inc.


What This Course Is About

Welcome! Our goals are to improve the future of security and share our ideas, projects, and successes.

During this course, you will learn to:
• Improve your Computer Security Incident Response Team (CSIRT) processes and procedures
• Deliver prompt and effective resolutions to computer security incidents
• Discuss incidents and discern causes of problems



Agenda

By the end of this module, you will be able to:
• Define incident management and establish the need for an incident handling team
• Step through potential CSIRT requirements and define how a CSIRT functions
• Define the range, levels of services, and organizational components of a CSIRT
• Set expectations for meeting the needs of constituencies and stakeholders
• Define expectations for a newly created CSIRT and categorize roles and responsibilities
• Set expectations for funding, staffing, and training
• Clarify hardware and software requirements
• Explain how to develop security configurations, including for physical security
• Practice assessing needs for a CSIRT



Section 1:
Why CSIRTs
Are Needed



What Is an Incident?

• Incident: Unplanned interruption of, or reduction in the quality of, an IT service
• Computer security incident: Compromise or violation of security, i.e. a breach of:
— Confidentiality
— Integrity
— Availability



What Is Incident Management?

• Incident Management (IM): Process to handle the life cycle of an incident
— Detect and identify
— Triage and analyze
— Resolve, including preventing reoccurrence

Goal: Recover quickly to normal operations



CSIRT: Dedicated IM Team

CSIRT: Computer Security Incident Response Team

• Supports a defined constituency
• Provides services and support throughout incident life cycles
• Requires multitasking and organizational skills
• Custom implementation:
— Structure and staffing
— Services provided
— Policies and procedures
• PSIRTs (Product Security Incident Response Teams) focus on product fixes



Consider a Separate CSIRT Department

Questions to ask to determine whether a specialized CSIRT is needed outside of the IT department:
• What needs does the constituency have?
• What are the critical assets that must be protected?
• What types of incidents are frequently reported?
• What computer security problems exist?
• What type of response is needed?
• What assistance and expertise is needed?
• What is the current advanced warning/vulnerability notification setup?
• Which processes are required?
• Who will perform what role?
• Is anyone currently performing that role?



CSIRT Constituency Makeup Varies

[Diagram: examples of how CSIRTs map to constituencies, from one CSIRT serving a single constituency to one CSIRT serving several constituencies]


Learning Check

What are some advantages and disadvantages of a CSIRT serving more than one constituency?

Training Module 1, CSIRT Fundamentals, Version 1, © 2016 FIRST
Questions



Section 2:
CSIRT Business
Plan



Scope of Responsibility and Services

Work with management or the executive sponsor to define and document:
• Span of constituency
• Range of appliances and applications
• Incident management services
— Onsite incident response
— Incident response support
— Incident response coordination
Positioning a CSIRT Organizationally

A CSIRT must be appropriately positioned within the organization's business structure
• Within the Chief Security Officer's (CSO's) direct chain of command
• Accountability, visibility, and clout


CSIRTs Require Various Roles

[Org chart, example 1: the CSO* at the top; below the CSO, a CSIRT Manager alongside other staff; below the CSIRT Manager, several CSIRT Engineers]

* Organization's Chief Security Officer

[Org chart, example 2: a VP of Operations at the top, with the CSO* and other IT managers below; under the CSO, a CSIRT Manager alongside other managers; under the CSIRT Manager, Security Engineers, a CSIRT Team Lead, and three shift leads (1st Shift Lead (US), 2nd Shift Lead (India), 3rd Shift Lead (Aus.)), each with CSIRT Engineers and other staff]
CSIRT Mission Statement

Sets ground rules for how the CSIRT will operate:
• Services provided
• Policies
• Quality
Each CSIRT Defines Services Provided

• Reactive services
    Constituency-observed anomalies
    Automatically-generated alerts and warnings
    Subsequent incident management
• Proactive services
    Analysis of constituency practices
    Actions to improve the security posture
    Communications such as security bulletins and best practices guidelines
• Quality management services
    Risk analysis and management
    Disaster recovery and business continuity
    Constituency education and training

Creating a Business Plan

• All CSIRTs need funding to exist and operate effectively
• The funding process is:
1. Create a budget
2. Create a business plan
3. Present your budget and plan


1. Create a Budget

• Lay out a multi-year budget, differentiating between operational costs and investment costs
• Don't overcommit and don't pad your budget
• Be as succinct as possible and upfront about all tangibles and intangibles
• Include budget for additional hardware and software
• Include budget for ongoing training


2. Create a Business Plan

• See examples and coaching sites for business plans
• Your Executive Sponsor should be able to assist you
• The business plan should reflect the CSIRT's goals for the organization and how those goals work in conjunction with the budget
• Speak to return on investment (ROI)


3. Present Your Budget and Plan

• Conduct research so that you are able to defend your budget and the necessity of every item
• Present the plan first to your Executive Sponsor to receive feedback from a supportive source
• Then present it to others who have to approve your plans and your funding


Consider CSIRT Workplace and Infrastructure During Planning

Physical location of staff for 24x7 operation: consider the best level of privacy and protection for:
• People's conversations, notes, and files
• Equipment such as laptops, servers, and data-storage devices
• Other facilities:
— A secured center for operations
— A separate, secured data center
— Safe storage of non-electronic data


Consider CSIRT Workplace and Infrastructure During Planning

Physical location of staff for 24x7 operation: consider the best level of privacy and protection

• Staff require appropriate computer systems and software and typical equipment: phone, fax, email
• LAN, firewall, IDS, VPN
• Disk storage and backup and archival system
• File system for non-electronic data
• Additional software

FIRST guidance: https://www.first.org/membership/site-visit-v2.5.pdf


Learning Check

What are some examples of a return on investment (ROI) that a CSIRT can provide?

Questions



Section 3:
CSIRT
Architecture and
Staffing



Architecture for an Effective CSIRT

1. Operational Framework
— Clearly-defined mission
— Clearly-defined constituency
— Organizational home
— Formal relationships with other teams
2. Services and Policies
— Capabilities and limitations
— Information-flow process
— Information-gathering process


Architecture for an Effective CSIRT

3. Quality Assurance
— Frequent measurement and checking of quality
— Collection of constituency feedback
4. Adaptability and Flexibility
— Future emerging threats
— Information leading to a more effective CSIRT
— Legal expertise and support
5. Internal Management Support


CSIRT Staff Require Strong Technical Skills

Security
• Basic security principles
• Generic risks and threats
• Encryption methods and implementations
— Hashing
— Symmetric and asymmetric encryption
Internet infrastructure
• Network security appliances
• Network applications
• Network infrastructure
• Common network protocols
Intranet infrastructure
• Internal topology


CSIRT Staff Require Excellent Soft Skills

Essential CSIRT skills:
• Follow procedures and protocols
• Make common-sense, logical decisions
• Multitask with excellent organizational skills
• Communicate effectively, both orally and in writing
• Handle stressful situations with ease
• Deal with people with diplomacy and patience


Learning Check

How would you balance your CSIRT's resources between reactive services and proactive services?

Questions


