Building an Incident Response Team: 4 Specialties

Michael Patterson : Advanced NetFlow Traffic Analysis
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Are you tasked with building an Incident response team for your company or organization? Have you thought about what their responsibilities will be, how they will be engaged and who the key members will be?

Tasks of the Incident Response Team
Considering these questions, most people tasked with such a project agree that the incident response team (IRT) is responsible for receiving, reviewing and responding to computer security incidents. Issues can include, but are not limited to:

  • attempts (either failed or successful) to gain unauthorized access to a system or its data
  • unwanted disruption or denial of service
  • unauthorized use of a system for the processing or storage of data
  • changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

Computer security incident activity can be defined as network or host activity that potentially threatens the security of computer systems.

4 Specialties
Whether the IRT is a formal dedicated team or an ad-hoc group of individuals, certain skill sets are generally required to fulfill this role. Here are 4 specialties that are often required:

  1. A good ongoing understanding of the types of threats that exist. This usually requires membership in news groups as well as a passion for understanding and combatting the intentions of malware.
  2. An understanding of the applications that exist on the corporate network, how they generally behave and what their normal traffic patterns look like. A solid aptitude with a packet analyzer, or more often today an IPFIX / NetFlow analyzer, is paramount.
  3. The ability to use tools such as WinPrefetchView with proficiency to identify malware on the suspect computer.
  4. Good personality traits, including communication and people skills. Uncovering and tracing malware often brings together many people with different personalities. Those whose machines are infected can become defensive, and management can become very demanding. The ability to stay cool under pressure is a must.
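
As an added illustration of specialty 2 (knowing what normal traffic looks like so that deviations stand out), the script below is an example written for this post, not code from the original article or from Plixer's products. It builds a per-host baseline of hourly byte volume and destination ports from a window of flow records, then flags hosts in a later window whose volume exceeds the baseline or that talk to ports never seen before. The flow records, IP addresses and thresholds are all constructed for the example.

```python
"""Baseline-and-deviation check over NetFlow/IPFIX-style flow records (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (hour, src_ip, dst_ip, dst_port, bytes).
# Three hours of "normal" traffic form the baseline window.
BASELINE_FLOWS = [
    (0, "10.0.0.5", "10.0.1.20", 443, 120_000),
    (0, "10.0.0.5", "10.0.1.21", 53, 2_000),
    (1, "10.0.0.5", "10.0.1.20", 443, 130_000),
    (1, "10.0.0.5", "10.0.1.21", 53, 2_500),
    (2, "10.0.0.5", "10.0.1.20", 443, 110_000),
    (2, "10.0.0.5", "10.0.1.21", 53, 1_800),
    (0, "10.0.0.7", "10.0.1.20", 443, 50_000),
    (1, "10.0.0.7", "10.0.1.20", 443, 55_000),
    (2, "10.0.0.7", "10.0.1.20", 443, 45_000),
]

# Current hour (constructed): 10.0.0.5 sends far more than usual to an external
# host on a port that never appeared in the baseline; 10.0.0.7 behaves normally.
CURRENT_FLOWS = [
    (3, "10.0.0.5", "203.0.113.9", 8443, 900_000),
    (3, "10.0.0.5", "10.0.1.20", 443, 125_000),
    (3, "10.0.0.7", "10.0.1.20", 443, 52_000),
]


def hourly_bytes_per_host(flows):
    """Sum bytes per (src_ip, hour) and return {src_ip: [hourly totals...]}."""
    totals = defaultdict(int)
    for hour, src, _dst, _port, nbytes in flows:
        totals[(src, hour)] += nbytes
    per_host = defaultdict(list)
    for (src, hour), total in sorted(totals.items()):
        per_host[src].append(total)
    return per_host


def ports_per_host(flows):
    """Set of destination ports each source host was seen talking to."""
    ports = defaultdict(set)
    for _hour, src, _dst, port, _nbytes in flows:
        ports[src].add(port)
    return ports


def build_baseline(flows):
    """Per-host mean and population std dev of hourly bytes, plus the ports seen."""
    per_host = hourly_bytes_per_host(flows)
    ports = ports_per_host(flows)
    return {
        src: {"mean": mean(totals), "std": pstdev(totals), "ports": ports[src]}
        for src, totals in per_host.items()
    }


def find_deviations(baseline, flows, sigma=3.0, min_ratio=2.0):
    """Return (src_ip, reason) findings for hosts that deviate from their baseline.

    The volume threshold is the larger of mean + sigma*std and mean*min_ratio, so a
    short, very steady baseline (tiny std) does not turn every small bump into an alert.
    """
    findings = []
    current_totals = hourly_bytes_per_host(flows)
    current_ports = ports_per_host(flows)
    for src, totals in current_totals.items():
        base = baseline.get(src)
        if base is None:
            findings.append((src, "no baseline: source host not seen before"))
            continue
        threshold = max(base["mean"] + sigma * base["std"], base["mean"] * min_ratio)
        for total in totals:
            if total > threshold:
                findings.append((src, f"volume {total} exceeds baseline threshold {threshold:.0f}"))
        new_ports = current_ports[src] - base["ports"]
        if new_ports:
            findings.append((src, f"new destination ports {sorted(new_ports)}"))
    return findings


if __name__ == "__main__":
    for src, reason in find_deviations(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS):
        print(f"{src}: {reason}")
```

Running it reports 10.0.0.5 twice (volume and a new port 8443) and says nothing about 10.0.0.7. In a real deployment the baseline would come from the flow analyzer's history rather than a hard-coded list, and the findings would feed the IRT's triage queue rather than stdout; the point is that the analyst has to know what "normal" means for each host before a deviation is recognisable.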

Getting Started
Are you ready to get started? Do you already have key members of your future team in mind? Great! First and foremost, make sure you have management support and buy-in. This is the most critical first step, because your new incident response team will need funding for staffing, training and product purchases. For example, a good incident response system can be a considerable investment and will be the go-to solution for almost all malware that takes advantage of the corporate network.

Incident Response System
The incident response system is part of the overall Incident Response Plan (IRP) for cyber attacks. That guide is the topic of another post, but in short it is an orderly and effective process that lays out the steps and goals when trying to mitigate computer-related intellectual property theft. A good incident response system is a critical component of the IRP and is absolutely paramount if you are serious about addressing the 4 key focuses of cyber attack incident response.
