Day 2 - Preparation: Building a Response Team
Last Updated: 2008-10-08 13:30:04 UTC
by Marcus Sachs (Version: 2)
For the second day of Cyber Security Awareness Month we will look at how to build a response team. If you are part of a response team and have any anecdotes you can share, please send them to us via our contact page. Here are some questions that frame what we are looking for:
- What does your team look like in terms of skill sets?
- How did you recruit and staff it?
- Does it answer to the CIO side of your organization? If not, then where is it?
- Do you outsource your team?
- How do you train them?
- What does your budget look like?
We will update this diary with your comments and thoughts throughout the day, so start sending them in.
A reader wanting to remain anonymous sent us this:
I run an IR team for a large global manufacturer. We have six full-time handlers and another ten or so guys that split duty between investigation/analysis work and traditional security operations. We have a mix of:
- former sysadmins/network admins with a wide breadth of experience
- ex-military infosec analysts
- greyhat penetration testers/reverse engineers
- coders / perl/python/ruby monkeys
We have folks that are good at identifying anomalous activity, good at understanding how different enterprise apps communicate and log, good at obtaining information from hosts, good at staring at pcaps, log analysis, scripting, malware analysis, etc.
Most are in a salary range of a high-end sysadmin. We have a semi-formal training program to get new folks ramped up on tools and the network / infrastructure we are defending, and expect them to learn the basic "PICERL" process with time, since it seems to be better caught than taught. We report to a security operations manager, who reports to the CISO, who reports to the CIO, etc.
I find locating tried-and-true handlers is difficult - we end up having to take folks with a security slant and turn them into handlers. Love to hear suggestions on what kind of experience/backgrounds have been more successful in recruits from other managers.
Marcus H. Sachs
SANS Internet Storm Center