To properly prepare for and address incidents across the organization, a centralized incident response team should be formed. This team is responsible for analyzing security breaches and taking any necessary responsive measures. At its core, an IR team should consist of:

• Incident Response Manager: The incident response manager oversees and prioritizes actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the company.
• Security Analysts: The manager is supported by a team of security analysts that work directly with the affected network to research the time, location, and details of an incident. There are two types of analysts:
  • Triage Analysts: Filter out false positives and watch for potential intrusions.
  • Forensic Analysts: Recover key artifacts and maintain integrity of evidence to ensure a forensically sound investigation.
• Threat Researchers: Threat researchers complement security analysts by providing threat intelligence and context for an incident. They are constantly combing the internet and identifying intelligence that may have been reported externally. Combining this information with company records of previous incidents, they build and maintain a database of internal intelligence.

Get Cross-Functional Support

The incident response team should not be exclusively responsible for addressing security threats. All business representatives and employees must fully understand and advocate for the incident response plan in order to ensure that emergency procedures run smoothly. Each area of the company has unique responsibilities during an incident:

• Management: Management buy-in is necessary for provision of resources, funding, staff, and time commitment for incident response planning and execution.
• Human Resources: HR is called upon when an employee is discovered to be involved with an incident.
• Audit and Risk Management Specialists: These specialists help to develop threat metrics and vulnerability assessments while encouraging best practices across the organization.
• General Council: An attorney ensures that any evidence collected maintains its forensic value in the event that the company chooses to take legal action. They can also provide advice regarding liability issues when an incident affects customers, vendors, and/or the general public.
• Public Relations: PR will communicate with team leaders, ensuring an accurate account of any issues is communicated to stockholders and the press.

Pro Tip: Communication Within and Across Teams is Critical

Communication during an incident should be conducted in a manner with protects the confidentiality of the information that is being disseminated. The incident response manager should be the central point of all communication and only those with a valid need-to-know should be included in communications regarding key incident details, indicators of compromise, adversary tactics, and procedures. Securing this communication so that Mr. Threat Actor is unable to snoop your messages is extremely vital to avoid tipping them off that an ongoing investigation is occurring. Any indication that ‘you’re onto them’ may lead to swift changes by the attackers to further mask their activity.

Read more in our Field Guide to Incident Response Series

1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
2. The Do’s and Don’ts of Incident Response
3. Building Your Incident Response Team: Key Roles and Responsibilities
4. Creating an Incident Response Classification Framework
5. The Five Steps of Incident Response
6. 3 Tips to Make Incident Response More Effective
7. Using Existing Tools to Facilitate Incident Response
8. Learning From a Security Incident: A Post-Mortem Checklist