Picture yourself knee deep in an incident, racing to contain an adversary that is actively moving laterally within your network. You have people tasked, based on skill set, who will enable you to achieve this goal as quickly as possible. Some may be looking at network data, some at host/log data, some at malware found, and others building detection for what has already been learned. Response actions seem to be going well until you get word that a second, unrelated intrusion has been detected. My question is, would you be able to shift people based on your team members' individual skill sets and be confident that the second intrusion was being responded to appropriately, or even confident that they would be able to handle it at all?
I’ve talked to a few people, and have even seen myself, how the way an overall team is structured can severely limit your capabilities. I attended an IANS symposium last week on incident response and brought this topic up to the group. Some people agreed with what I was saying while others seemed to be dead set against the idea. I understand that there are reasons for these types of roles within your overall team, such as providing defined positions for hiring purposes and creating clear structure (often for management). Here are my reasons why I think that it can hinder not only your overall capabilities, but your team’s morale as well.
1. The more teams within teams you have, the more rigid you become.
If you look at my example above, there are several areas within a single response where skills are needed. If multiple response activities are running concurrently and the only people available to respond have skills in writing detection, this is a problem. Your only option at that point may be to expand the scope of some of your analysts to include the second intrusion, and run the risk of missing critical pieces of information or burning them out completely.
2. Overall team communication will likely decrease.
People who have a common focus or interest usually communicate well with each other. If you break those people apart into new groups with an even narrower focus, then wrap unique processes and goals around each of those new groups, people will naturally focus on those and will not be attuned to what others are doing to support the overall mission. If people perceive that they no longer need to collaborate to accomplish their tasks or goals, then overall communication will suffer.
3. Career progression
I wrote a post not long ago where I described how I thought a CIRT should be structured. One of the positions I described was an incident handler. Here’s how I described that position:
The incident handler is your subject matter expert. He/she should be a highly technical person that is also cognizant of risk and business impact. The IH needs to understand the threats that your company faces and be able to direct efforts based on these threats and data being relayed by others performing analysis. The IH should have the ability and freedom to say “contain this device based on these facts” (of course, good or bad, business needs can always trump these decisions). All aspects of response should flow through this person so that they can delegate duties appropriately. The IH should also be the go to person for any information/explanation related to the response efforts.
If I’m a new analyst and I’m only allowed to focus on a single area within IR, will I ever gain the experience to do what’s described above? I emphatically say no. If I’m a junior analyst I may get a little discouraged by this fact, and unfortunately I will not have had the opportunity to gain the additional skills and knowledge that would let me easily move to a different silo within the defined team structure.
Additionally, if I have an incident handler who decides to quit and go somewhere else (yes, it does happen), have I put myself in the best position to easily promote someone from within my team? I would argue that you would most likely have to hire someone external in order to fill all of the requirements needed for that position.
4. Handling response activities
The other issue I see with this approach is for the incident handler. If all of the work and new capabilities being developed are within these separately defined structures, it may leave the person who most needs to know blind in certain areas, especially if overall team communication has dropped. It may also be difficult for the IH to assign individual tasks, as he/she is likely not fully aware of individual talents across the entire team.
I feel that you can often break down these silos without losing focus on critical areas by tasking senior and mid-level people with projects that they can lead. Allowing them to define, develop and work with others on the team to accomplish these tasks or goals will help increase communication and likely motivation. Speaking from experience, it’s great when you can dive into something completely new and interesting while having an experienced person there to guide the overall project. It’s also extremely beneficial when you know what others are working on and can bounce questions off them because it has piqued your interest, which doesn’t typically happen in silos.
I know that companies have reasons for creating these focus areas, and my blog post will likely not change any of this. At a minimum, though, I think we need to be able to cross-train across these silos. I’m not just talking about introducing people to a new area they may not be familiar with, but a method by which they can continue to grow and progress. I will argue that you will lose minimal momentum on current projects if you allow a set number of hours a week to grow your people. You will likely keep them happier if they are learning something completely new to them, and your overall capabilities will increase over time. I hear time and time again that companies have a difficult time hiring qualified people; this is one way to grow well-rounded responders within an organization, and it may allow you to promote talent from within vs. always needing to bring in an experienced person from the outside when the need arises.