Developing a private Cyber Security Incident Response Team (CSIRT)

The Nigeria National Cybersecurity Policy and Strategy has not only mandated the sectoral development of Cyber Security Incident Response Teams (CSIRTs); it has also given room for private organizations to develop an internal CSIRT or an external CSIRT.
An internal CSIRT is developed as a response-oriented internal team ready to respond to a cybersecurity incident in its own organization, while an external CSIRT is designed and developed as a service-oriented cybersecurity incident responder for other organizations.
First, let's understand what exactly a Cyber Security Incident Response Team (CSIRT) is. It is also known as a Computer Incident Response Team (CIRT). A CSIRT is a team of professionals trained to respond to cybersecurity incidents, which can come in the form of a data breach, a cyber-attack, or any other computer-related security incident.
We should understand that a Cyber Security Incident Response Team (CSIRT) is completely different from a Computer Emergency Response Team (CERT). While a CERT is established for the sole purpose of managing and disseminating computer security-related information to the public to promote security awareness and vigilance, a CSIRT is established to respond to and mitigate cybersecurity incidents.
Now let's look at the comprehensive objectives of a CSIRT. The most important objective of the CSIRT is to develop, update and implement an Incident Response Plan (IRP). An IRP is the documented approach a CSIRT will use to respond to a cyber-attack or security incident. The IRP is usually detailed and comprehensive enough to direct the activities of the CSIRT: it contains every step the CSIRT should take for every documented security incident scenario. For every potential security incident, the IRP must state how to prepare for the incident, how to identify it, how to contain it, how to eradicate it, how to recover from it, and what lessons are to be learned from it.
After the Incident Response Plan (IRP) is designed and implemented, the next step for the CSIRT is to set up a monitoring appliance. The monitoring appliance assists in inspecting the packets moving through the network and the behaviour of system users; it detects and reacts to anomalous user and system behaviour within the network. Some CSIRTs outsource the monitoring of IT infrastructure to Managed Security Service Providers (MSSPs) or firms engaged in incident detection and response if the organization does not have the capacity or capability to run a 24/7 network surveillance team.
The CSIRT is also responsible for investigating any computer security incident. Where a cyber-attack is carried out in a unique way, the CSIRT will deploy some members of its team to investigate the security incident using computer forensic examination skills. Even when the cybersecurity incident is a well-known form of attack, the CSIRT still needs to investigate it to determine the type of attack, which tells the CSIRT which part of the incident response plan should be implemented. Some CSIRTs, however, outsource the computer incident investigation to an experienced forensic company for optimal results.
Remediating a security incident is solely the responsibility of the CSIRT. Incident remediation is the act of containing the security breach and decontaminating infected systems. Once a CSIRT is notified of a security incident, it will first implement a containment strategy to prevent and mitigate the spread of the breach to other systems on the network. It will then decontaminate the identified infected systems and finally cross-check the systems not yet identified as infected, to be sure that those systems are safe.
That said, a CSIRT has other functions and responsibilities. However, some organizations prefer to develop their own Computer Emergency Response Team (CERT) to help manage a security incident with the public.
Public Relations (PR) is a function that either the CSIRT or a specially developed CERT can be responsible for. It helps the company manage how information about the attack is disseminated to the public. Another function is Internal Communication (IC), which manages how employees communicate with each other until the regular communication channel is restored. Finally, there is the legal responsibility of the company, which covers all legal matters: the legal team is responsible for managing all aspects of data privacy infringement, government fines, lawsuits, and other legal matters that may arise because of the security incident.
While the functions of the CSIRT are important, it is also relevant to know the type of professionals that will be required when forming a private Cyber Security Incident Response Team (CSIRT), whether as an organization or as a service provider.
So a CSIRT must have the following professionals as members of the team: Forensic Analysts, who carry out forensic investigation; Ethical Hackers and Cyber Security Analysts or Engineers, who are engaged in incident remediation; Public Relations Officers, who assist in disseminating information to the public; Lawyers, who assist with legal matters; and an Incident Manager or Handler, who manages the security incident. Where the CSIRT is separate from the CERT, the Incident Response Manager will head the CSIRT and the Chief Information Security Officer (CISO) will head the CERT. However, if the functions of both teams are integrated into the CSIRT, it will be headed by the CISO and assisted by the Incident Response Manager.