I have a three day course on SIRT starting tomorrow. I went ahead and created my own braindump of the SIRT process breakdown, on what's critical to an organization-wide SIRT team. Some of this I've had in my notes for a while; the rest is stuff that's off the top of my head.
At the top of the hierarchy is "Response Program". That breaks down into roughly six components, depending on how you slice it. Those are, in no specific order: Training & Awareness, Evidence Retention & Documentation, Management & Committee, Response, Detect, Escalate & Communicate. Let's break it down further:
Training & Awareness. Three components: Training of the staff so they understand their part in these six components. Communication Campaigns in order to keep these individuals up to speed on changes and training, or simply to keep awareness high. Finally, Drills on a consistent basis. These drills may be paper-based, table top, or live-fire.
Evidence Retention & Documentation. This includes a process for keeping Chain of Custody (and its verification) as well as other Evidence Handling procedures such as storage or destruction. Finally, any documentation that must exist to satisfy any regulations, laws, audits, etc. that need to be completed. Indeed, an audit of such procedures should be done on a regular basis to verify conformance with the procedure as well as best practice.
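As an added illustration of what "verification" of a chain of custody can mean in practice (this is my own example, not part of any standard or the course material), here is a hash-chained custody log: each record carries the SHA-256 of the evidence item and of the previous record, so a later edit, a deleted record, or a swapped evidence file shows up on verification. The custodian names, timestamps and evidence bytes are constructed sample values.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(ledger, evidence_sha256, custodian, action, timestamp):
    """Append a custody record; its hash covers the previous record's hash, so
    editing or deleting an earlier record breaks every later link."""
    prev_hash = ledger[-1]["entry_hash"] if ledger else "0" * 64
    entry = {"seq": len(ledger), "evidence_sha256": evidence_sha256,
             "custodian": custodian, "action": action,
             "timestamp": timestamp, "prev_hash": prev_hash}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    ledger.append(entry)
    return entry


def verify_custody(ledger, evidence_bytes):
    """Return a list of findings; an empty list means the log and the evidence check out."""
    findings = []
    on_hand = sha256_hex(evidence_bytes)
    prev_hash = "0" * 64
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i:
            findings.append(f"entry {i}: sequence gap")
        if entry["prev_hash"] != prev_hash:
            findings.append(f"entry {i}: broken link to previous entry")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            findings.append(f"entry {i}: record altered after it was recorded")
        if entry["evidence_sha256"] != on_hand:
            findings.append(f"entry {i}: evidence hash does not match the item on hand")
        prev_hash = entry["entry_hash"]
    return findings


def demo():
    # Constructed sample evidence and custody events, not from any real case.
    evidence = b"constructed disk image placeholder"
    ledger, digest = [], sha256_hex(evidence)
    add_custody_entry(ledger, digest, "analyst-a", "acquired", "2024-01-01T10:00:00Z")
    add_custody_entry(ledger, digest, "analyst-b", "received for analysis", "2024-01-01T12:00:00Z")
    clean = verify_custody(ledger, evidence)
    ledger[0]["custodian"] = "someone-else"   # tamper with a past record
    return clean, verify_custody(ledger, evidence)
```

In a real program the log would live on write-once storage and each record would be signed by the custodian rather than merely hashed; the hash chain alone only proves internal consistency.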
Management and/or Committee. The designation of an organization-wide membership responsible for three items: providing the overall leadership and direction of the SIRT capabilities; governance or oversight to ensure such capabilities are mature, capable, practiced and ready when necessary; and finally the ability to grant the authority necessary for a SIRT to do what is needed in the face of both certain and uncertain times.
Response. I see response as containing three key components (as outlined in NIST 800-61): containing a threat, eradicating the threat (and mitigating the vulnerabilities to prevent it in the future), and recovery to normal operations along with further monitoring controls to confirm the threat has indeed been eradicated.
Detect. I keep the Detect component separate from the Response component; this is probably personal preference, but I believe it allows for more accountability and focus on making sure all detection capabilities are in place. Detect focuses on processes targeted at the Identification, Validation, and Escalation of an event into an incident.
Escalate & Communicate. Three key areas: Triage/escalation protocols, contact lists, and definition of roles.
I'll add and subtract from these thoughts in follow-up posts after I complete the course.