CYBR 171: Incident Response and CSIRT Notes

Course Context and Incident Response

  • CYBR 171 T1 2026: Ngā whakapūtanga o Te Haumaru rorohiko (Cybersecurity Fundamentals) Week 12, School of Engineering and Computer Science (Te Kura Mātai Pūkaha, Pūrorohiko).

  • Material based on Chapter 1, Incident Response, of Digital Forensics and Incident Response, Gerard Johansen, Packt Publishing (2017).

  • Organizations must have a plan in place beforehand: during an attack there is no time to develop a strategy while also managing users and managers.

  • Objectives include limiting attack damage and facilitating recovery.

The Incident Response Process

  • #1 Preparation: Establishing plans, staffing, training, forensic hardware/software acquisition, and exercises to avoid making incidents worse (e.g., the Morris worm).

  • #2 Detection: Distinguishing system events from computer security incidents (policy violations like ransomware) using firewalls, logs, and Intrusion Detection Systems (IDS).

  • #3 Analysis: Collecting evidence (memory, logs, network) with tools like Wireshark or EnCase, and performing root cause analysis from compromise to detection.

  • #4 Containment: Blocking actions like lateral movement, command-and-control traffic, or data exfiltration without causing unnecessary system shutdowns.

  • #5 Eradication and Recovery: Removing threat actors (reinstalling OS, resetting passwords), restoring data from backups, patching vulnerabilities, and auditing permissions.

  • #6 Post-incident: Stakeholder post-mortem review to identify what worked and update the incident response process.
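The Detection step above is about telling routine system events apart from security incidents by correlating log data. The following is an added example, not code from the course notes or from Johansen's book: it parses constructed sshd-style log lines and applies one assumed rule (five or more failed logins from a single source against a host within a 60-second window, followed by a successful login) to flag a candidate incident while leaving a user's ordinary typo-then-success as a plain event. The log format, host names, addresses and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified sshd/syslog style (not real data).
# It contains: a user who mistypes twice then logs in (normal event), a
# password-guessing run from 203.0.113.9 that ends in a success (incident),
# a routine key-based login, and one unrelated cron line.
SAMPLE_LOG = """\
2026-05-18T09:00:01 web01 sshd: Failed password for alice from 10.0.0.5
2026-05-18T09:00:03 web01 sshd: Failed password for alice from 10.0.0.5
2026-05-18T09:00:04 web01 sshd: Accepted password for alice from 10.0.0.5
2026-05-18T09:10:00 web01 sshd: Failed password for root from 203.0.113.9
2026-05-18T09:10:02 web01 sshd: Failed password for admin from 203.0.113.9
2026-05-18T09:10:04 web01 sshd: Failed password for admin from 203.0.113.9
2026-05-18T09:10:06 web01 sshd: Failed password for ubuntu from 203.0.113.9
2026-05-18T09:10:08 web01 sshd: Failed password for ubuntu from 203.0.113.9
2026-05-18T09:10:09 web01 sshd: Accepted password for ubuntu from 203.0.113.9
2026-05-18T09:30:00 db01 sshd: Accepted publickey for deploy from 10.0.0.7
2026-05-18T09:31:00 db01 cron: (root) CMD (/usr/bin/backup)
"""

# Assumed line layout: "<iso timestamp> <host> sshd: <Failed|Accepted> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed detection rule parameters (tune to the environment in practice).
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse(lines):
    """Turn raw lines into auth records. Lines the pattern does not match are
    counted and skipped: they are ordinary system events not correlated here."""
    records, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, skipped


def detect_incidents(records):
    """Sliding-window correlation per (host, source): a success preceded by
    FAIL_THRESHOLD or more failures inside WINDOW is flagged as an incident."""
    incidents = []
    recent_failures = defaultdict(list)  # (host, src) -> failure timestamps
    for rec in records:
        key = (rec["host"], rec["src"])
        # Keep only failures that still fall inside the window ending now.
        window = [t for t in recent_failures[key] if rec["ts"] - t <= WINDOW]
        if rec["outcome"] == "Failed":
            window.append(rec["ts"])
            recent_failures[key] = window
            continue
        # A success: decide whether the run of failures before it is suspicious.
        if len(window) >= FAIL_THRESHOLD:
            incidents.append({
                "type": "brute_force_success",
                "ts": rec["ts"].isoformat(),
                "host": rec["host"],
                "src": rec["src"],
                "user": rec["user"],
                "failures": len(window),
            })
        recent_failures[key] = []  # a success resets the counter for that pair
    return incidents


def triage(log_text):
    """Summarise a log: how many auth events, how many other lines, and which
    records crossed the line from event to candidate incident."""
    records, skipped = parse(log_text.splitlines())
    return {
        "events": len(records),
        "skipped": skipped,
        "incidents": detect_incidents(records),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['events']} auth events, {result['skipped']} other lines")
    for inc in result["incidents"]:
        print("INCIDENT:", inc)
```

On the constructed log, alice's two failures stay an ordinary event because they never reach the threshold, while the run from 203.0.113.9 is reported as one incident with five preceding failures. The point of the windowed counter is that the same raw records (failed logins) are events or an incident depending on context, which is exactly the judgement the Detection step asks the CSIRT to automate where it can.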

Computer Security Incident Response Team (CSIRT)

  • CSIRT is a generic term; CERT is often associated with CERT NZ.

  • Core Team: Incident response coordinator, CSIRT senior analyst, security operations analyst (SOC), and IT security engineer.

  • Technical Support: Network/server admins, application/desktop support, and help desk.

  • Organisational Support: Legal, HR, Marketing/communications, Facilities, and Corporate security.

  • External Resources: NZ Police (high tech crime), CERT NZ, InternetNZ, and NZITF (New Zealand Internet Task Force).

Plans, Playbooks, and Escalation

  • Incident Response Plan: Defines the Incident response charter (mission statement), services, roles, and 24/7 contact lists.

  • Playbooks: Instructional sets for specific scenarios (e.g., social engineering) to simplify actions under pressure.

  • Escalation Procedure: Clearly defined hierarchy identifying who flags incidents to minimize staff burnout and decision paralysis.

Maintaining Capability

  • Tabletop Exercises: Facilitator-led classroom simulations to test plans and identify gaps, run on a no-fault basis.

  • Socialisation: Publishing mission statements and reports to make clear that the team's focus is on security, not on policing employee misconduct.

  • Reviews: Regular training courses and annual updates to the overarching incident plan.