Airbus Protect explains: What is a CSIRT?
Check out our 101 guide to computer security incident response teams. What do they do? And why should they be part of any organisation’s cyber-security strategy?
But first, what is a CSIRT?
Computer security incident response teams handle live cyber-security incidents affecting organisations. They aim to react to threats and minimise their impact. They’re also responsible for creating processes that help organisations prepare for an attack. You can think of the CSIRT as the cyber-security version of the ‘A Team’.
Large organisations often have their own in-house team. Others procure the services of a third-party specialist partner like Airbus Protect. Our CSIRT is often deployed to work on cyber-security incidents throughout Europe. Our clients include governments, critical infrastructure operators, the Airbus ecosystem, the public sector and private organisations in all sectors.
A CSIRT is typically managed by a team leader, who bears ultimate responsibility for following proper protocol. Within a CSIRT, there’s also a range of highly trained incident responders – technical experts who can eradicate problems swiftly. Regardless of their role, all members of a CSIRT share the following qualities – speed, efficiency under pressure and an analytical mindset.
I’m an incident responder. This means I’m responsible for identifying, containing, and mitigating cyber-security incidents for Airbus Protect’s CSIRT customers. This might include responding to security breaches, investigating cyber-attacks to establish a timeline of malicious actions, or finding the modus operandi of threat actors. Each incident responder has a different set of skills, such as reverse-engineering malware or conducting forensics in cloud-based or mobile environments.
Julien Houry, incident responder, Airbus Protect
Disaster has struck! What does a CSIRT do?
Every cyber-security crisis is unique. But regardless of the incident, CSIRT teams have a robust set of protocols they must follow. The basic pillars of their process are to:
- Diagnose the incident, establishing the root cause using advanced investigation techniques
- Eradicate the problem while maintaining the digital chain of evidence
- Reconstruct the system and deliver it in working order
- Investigate further, providing a detailed report with recommendations for how to secure systems and support data recovery
Let’s dive into more detail on what’s involved in each of these pillars.
Incident qualification: Understanding the nature of an incident, as well as its scope and impact, is usually the CSIRT’s first priority. Working quickly is essential, as it enables the CSIRT to kickstart its response. Identifying which systems are compromised and how also helps teams to understand attackers’ motives (more on this below).
Incident handling: The next port of call is creating an action plan for resolving the incident. To do this, a CSIRT draws on its deep internal pool of knowledge. After all, it isn’t their first rodeo.
Incident containment: The first step to eradicating an incident is preventing any further damage. Incident containment is all about stopping the spread to more systems, networks and assets.
Incident eradication: This is arguably the most critical part of the process! After an incident is contained, the CSIRT moves fast to remove malicious code from a system and kick out any cybercriminals who’ve gained access.
Digital forensics investigation: Digital forensics analysts are the CSI of the CSIRT world. By establishing and maintaining a digital chain of evidence, they help us understand emerging cyber threats and develop new, better ways to respond.
Incident remediation and prevention: The CSIRT team isn’t just here to bring the chaos under control. They also want to prevent it from happening again. That means developing detailed recommendations to help organisations improve their cyber-security posture.
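The ‘digital chain of evidence’ mentioned under eradication and forensics above rests on a simple discipline: hash every collected artefact at the moment of collection, record who collected it and when, and re-hash later to prove nothing has changed. The script below is an added illustration of that idea, not Airbus Protect’s own tooling; the case id, collector name and artefact contents are constructed for the demo.

```python
"""Evidence-integrity manifest: hash collected artefacts, record who collected
them and when, then verify later that nothing was altered or lost.
Added example, not Airbus Protect code; all names and contents are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images (memory dumps) fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Record a hash, size and collection timestamp for every artefact."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artefacts": [
            {
                "name": os.path.basename(p),
                "sha256": sha256_of_file(p),
                "size": os.path.getsize(p),
            }
            for p in sorted(paths)
        ],
    }


def verify_manifest(manifest: dict, directory: str) -> dict:
    """Re-hash each artefact; return {name: 'ok' | 'modified' | 'missing'}."""
    result = {}
    for entry in manifest["artefacts"]:
        full = os.path.join(directory, entry["name"])
        if not os.path.exists(full):
            result[entry["name"]] = "missing"
        elif sha256_of_file(full) != entry["sha256"]:
            result[entry["name"]] = "modified"
        else:
            result[entry["name"]] = "ok"
    return result


def demo() -> dict:
    """Constructed scenario: collect two artefacts, then alter one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        mem = os.path.join(d, "memory.dmp")
        log = os.path.join(d, "auth.log")
        with open(mem, "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for a memory image
        with open(log, "w") as f:
            f.write("Jan 01 00:00:01 host sshd[1]: Accepted password for user\n")  # constructed log line

        manifest = build_manifest([mem, log], collector="responder-1", case_id="CASE-0001")
        before = verify_manifest(manifest, d)

        # Simulate what happens when evidence is handled carelessly after collection.
        with open(log, "a") as f:
            f.write("tampered\n")
        os.remove(mem)
        after = verify_manifest(manifest, d)

        return {
            "before": before,
            "after": after,
            "artefact_count": len(manifest["artefacts"]),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored separately from the artefacts (and ideally signed or written to a system the responders alone control), otherwise whoever can alter the evidence can also alter the record of its hashes.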
A digital forensics analyst focuses on identifying, soundly recovering and analysing data from devices – ranging from laptops to games consoles. Their analysis focuses on events that have already taken place and can include investigating various types of crime, not just cyber-related offending. In my previous role, I could be working on a child protection case one day, and then trying to find if the person that stole your property has listed it on Gumtree the next.
Emma Mullins, first line cybersecurity analyst, Airbus Protect
How can engaging a CSIRT help your organisation?
Too often, when organisations are hit with a cyber-attack, they (understandably) panic. Your reflex response might be simply to unplug everything. Wrong. You’ll destroy the digital chain of evidence. And you’ll likely lose a huge quantity of important organisational data. Incident responders are trained to work under this kind of pressure, so you don’t have to.
Today, any organisation with an IT system is a target for cybercriminals. So, in theory, anyone could need the services of a CSIRT. That’s why it’s a good idea to talk to a partner before an incident happens. Usually, you’ll need administrative and financial approval before calling in a CSIRT. In other words, a contract will need to be signed. The first hours of an incident aren’t a good time to be drawing up and reviewing an agreement through endless emails, calls and meetings. You’ll be in a much better position to negotiate if you’re not simultaneously trying to handle a crisis!
I’m very proud of the work that we do in the CSIRT. Throughout my career, I’ve contributed to many assignments that successfully take the worst people off the streets by using digital forensics. One standout project involved using vehicle forensics to pull digital data from vehicles. Another was an internal security breach within a business, caused by an employee stealing customer data. We secured a search warrant to set up a wiretap, then installed a few tools onto the network to gather evidence that later supported their arrest.
Theodore Wiggins, CSIRT and pentesting technical lead for Germany, Airbus Protect