Incident response and management requires continual growth. Your team will not become proficient overnight, and acquiring knowledge, expertise and maturity takes time, effort, training and a lot of practice. It’s also not a single milestone that you reach and then rest on your laurels. As attackers continue to apply innovative techniques and use new tools, it’s necessary to lay out a development plan to keep up with the ever-evolving threat landscape.
Create an Incident Response Development Plan
Building an incident response team can be a challenging task. Keeping the team relevant and up-to-date and making sure it gradually improves and becomes more mature can be even more difficult. The vast majority of services covered in the FIRST CSIRT Services Framework and the expectations around incident response in RFC2350 make it clear that you can not do it all at once. So which aspects of your team should you focus on first?
One of the common pitfalls in maturing an incident response team is only focusing on tooling. Naturally, this is an essential aspect of the job, but having a tool set under your belt with no standing guidance on how best to use it to provide repeatable results is a recipe for failure. After all, your constituency and stakeholders expect you to deliver a reliable, qualitative and somewhat predictable service, and that cannot be achieved with ad-hoc solutions only.
Additionally, when you respond to an incident, you’ll often have to work with other teams inside and outside your organization. This collaboration will only be effective if communication channels and trusted relationships were previously established and embedded in your processes and approach. To address all this with a properly developed security maturity model, you need to come up with a plan and focus on four key elements:
- The organizational structure of your team and how it fits into the organization
- A human development plan that includes pathways for team expansion
- Improving processes for a more structured method of working
- Acquiring essential incident response tools
As you develop your plan, it’s essential that you have a sustainable team with a clear mandate. Most of this should already be addressed in your team charter and will follow from management buy-in, sponsorship and a balanced budget. Other focal points for your plan will depend on the expectations of your stakeholders and will likely be influenced by compliance and regulatory requirements as well. Make sure your responsibilities, roles and constituencies are clearly defined in the early stages before you move on to frameworks.
Utilize Proven Frameworks to Measure Your Progress
There are a number of frameworks that can help you produce your security maturity model and give you guidance on where you need to invest energy and resources first.
NIST Cyber Security Framework
The NIST Cyber Security Framework (CSF) is based on existing standards and practices and allows you to better manage and reduce cybersecurity risks. The framework describes a set of actions, desired outcomes and applicable references. The actions are built around five functions that you will recognize from incident response methodology: identify, protect, detect, respond and recover.
These functions have categories to address objectives (for example, physical, personnel, asset management) and sub-categories, which are outcome-driven. Your organization can select the categories and sub-categories that align most with your business needs, collect them in a profile and determine what works best for your “Current” profile and the situation you eventually want to grow into, the “To Be” profile. Essentially, these profiles can be seen as a road map to identify areas for improvement within your organization.
Another component of the framework is the tiers, which represent the degree to which your organization implements the elements of your framework. This is characterized over a range, from partial to adoptive. According to NIST, tiers should not be seen as maturity levels, but you can use the concept of profiles to define the level you’d like to work toward and then use tiers as a check on the actual implementations.
Global CSIRT Maturity Framework
The Global CSIRT Maturity Framework is an approach from the GFCE for stimulating the development and maturity enhancements of national CSIRTs. Although it’s aimed toward national CSIRTs, the methodology and concepts can also be applied to other CSIRTs or incident response teams.
The framework relies on two building blocks: the Security Incident Management Maturity Model (SIM3) and a three-tier CSIRT maturity approach by ENISA.
The Security Incident Management Maturity Model (SIM3) is a maturity model that has been in use since 2009 and has been applied by teams all over the world. This includes the Nippon CSIRT Association (NCA) for improving the maturity of their members, TF-CSIRT as the basis for the highest tier of their membership and ENISA as the starting point for maturity of the national CSIRTs team.
SIM3 is built on three basic elements:
- The parameters are the items for which maturity is being measured. A parameter represents an attribute that’s relevant to the operations or functions of a CSIRT.
- Each parameter belongs to one of four categories or quadrants: organization, human, tools and processes.
- A parameter is measured by level of maturity.
The quadrants can help you focus on the key parameters needed for improvement in a natural way. The maturity levels of these parameters express how well implemented they are. The levels include:
- 0 — It does not exist, or we are not aware of it.
- 1 — Implicit. It is known or considered but not written down. Seen as “tribal knowledge.”
- 2 — Explicit, Internal. Written down but not formalized.
- 3 — Explicit. Written and formalized on authority of the team lead.
- 4 — Explicit. Audited on authority of governance levels above the team lead. Indicated by a control process.
The ENISA CSIRT maturity assessment model, on the other hand, applies a three-tiered approach:
- The Basic level guarantees that the team has a mandate, authority, a service description and a basic process for handling incidents. This level requires that the activities on all parameters are started, but the primary focus is on organizational parameters.
- An Intermediate level further pushes the organizational parameters and requires work on the human, tooling and process parameters. This includes internal processes and training of staff members. Almost all of the parameters require explicit documentation, either for internal use or publication. This is also the level required for teams to participate in joint activities.
- The highest level, Advanced, means that the team pushed the remaining parameters for human, tooling and process and is able to coordinate incident handling and further support joint activities.
Implement and Track Your Security Maturity
If you’re measuring maturity via the SIM3 model, then you can advance by first raising awareness around a certain parameter (improve from 0 to 1), writing the procedure or process (1 to 2), making it part of the standard approved operating model (2 to 3) and introducing a review and control mechanism (3 to 4).
SIM3 supports three ways of reporting: a list of all parameters, a radar diagram of the parameters or a simplified chart per quadrant. The radar diagram is most suited if you want to have a visual representation of the areas where your team needs to improve or has improved.
Who should do the reporting and measuring? You can start with a self-assessment and determine which areas need immediate improvement. In the next iteration, you could request a peer review and proceed with a certified auditor of SIM3 to help with the improvement process.
By using the frameworks covered above, you should be able to start improving your organization’s incident response functions and your security team’s readiness as a whole. Remember, the key points to tackle are as follows:
- Start with RFC2350 for a basic approach
- Develop an organizational framework that is specific to your business
- Describe your services and the expected service levels to outline the steps toward improvement
- Have a clear hiring process and development program for staff
- Set up escalation and feedback processes to ensure continual growth