Computer Incident Response and Forensics Team Management

The following is an excerpt from the book Computer Incident Response and Forensics Team Management, written by Leighton R. Johnson III and published by Syngress. This section from chapter four explains the personal skills team members need to successfully handle a security incident.


These skills can become paramount for each team member to have as incidents are investigated, events happen, and breaches are found and disclosed to management, customers, and clients.

  • Common sense to make efficient and acceptable decisions whenever there is no clear ruling available and under stress or severe time constraints. This one skill can be the most important in a crisis situation - "clearheaded" thinking and even decisive decision-making. The SIRT member who is technically competent and has excellent communication skills can solidify the reputation of the team and strengthen the respect with which a team is held (both by the customer and by others with whom the team interacts). On the other hand, the interactions of a SIRT member who is a technical expert but who possesses poor communication skills or no "common sense" can result in miscommunications and/or actions that can severely damage a team's reputation and standing in the community, especially when those communications are misinterpreted or mishandled.
  • Strong, effective oral and written communication skills (in native language and English) to interact with clients and other teams. All communications need to be conducted so that there is no misunderstanding or misinterpretation of the needs of the responders. The SIRT member needs to be effective in his/her communications to ensure that they obtain and supply the information necessary to be helpful. They need to be good listeners, understanding what is said (or not said) to enable them to gain details about an incident that is being reported. The SIRT member needs to remain in control of these communications to most effectively determine what is happening, what facts are important, and what assistance is necessary.
  • Diplomacy when dealing with other parties, especially the media, senior management, and customers. Each response effort will involve outside personnel and management, and each interchange with them needs to be handled in a proper and secure manner. Diplomacy and tact are essential when dealing with outside parties. The SIRT member needs these skills to be able to anticipate potential points of contention, respond appropriately, maintain good relations, and avoid offending others.
  • The dedicated ability to follow policies and procedures. Every response team has corporate policies and procedures defined for their efforts, investigations, and reporting mechanisms. Each of these documents needs to be followed during the response effort. To ensure a consistent and reliable incident response service, the SIRT member must be prepared to accept and follow the rules and guidelines, even if these policies, procedures, guidelines, and rules are not fully documented and regardless of whether the team member personally agrees with them. On the other hand, if the SIRT member feels that change is required and if they want to approach management with suggested changes, they should be permitted to propose changes.
  • Always willing to continue education - learn new ways to handle and contain incidents. One of the hallmarks of a good investigator is the willingness to learn new techniques, tactics, and investigative procedures. The incredibly diverse ways of attack available today demand constant learning of response methods and attack mechanisms to stay current.
  • Extremely strong ability to cope with stress and work under pressure. Any incident response has several focus points which require direct and immediate attention. The identification of the incident, the containment of the harm from the incident, and the quick removal or eradication of the cause of the incident are all "pressure-packed" actions to be accomplished by the response team and its members as expeditiously as possible. The SIRT member, in particular, needs the ability to remain calm in tense situations, ranging from an excessive workload to an aggressive caller to an incident where human life or a critical infrastructure component could be at risk. The SIRT's reputation, and the team member's personal reputation, will be enhanced or will suffer depending on how such situations are handled.
  • Must be a team player - no "lone wolf" personnel. In a response setting, SIRT members don't usually have the time for individual actions. These efforts are conducted by a team of incident responders who have varying degrees of expertise in different areas, so no one responder needs or should have all of the knowledge needed to completely handle any single incident. The SIRT members need to be aware of their responsibilities, contribute to the goals of the team, and work together to share information, workload, and experiences. Each team member must be flexible and willing to adapt to change, as well as having team skills for interacting with other parties, both internal to the team and external to the organization.
  • Integrity and trustworthiness of the member to keep a team's reputation and standing, especially in the face of possible criticism. The team leader must have full trust in, and understanding of, the team member's capabilities and expertise to ensure the integrity and trust of the team is maintained. Often, in response efforts, data becomes available to the SIRT member which is newsworthy. In this case, the team member must be trustworthy, discreet, and able to handle information in confidence according to the SIRT rules and guidelines, any customer agreements or regulations, and/or any organizational policies and procedures. The SIRT member may find himself in a position where he knows about information and could comment on a topic, but doing so could acknowledge or disclose information that was provided in confidence or that could affect an ongoing investigation or response effort. So the SIRT member must remain aware of his responsibilities and not be caught "off guard" into making unauthorized disclosures of his own.
  • A willingness to admit to one's own mistakes or knowledge limitations about a topic and then go out and research it. However difficult it may be to admit a limitation, the SIRT member must recognize his or her limitation and actively seek support from team members, other experts, or SIRT management. Continual learning, examination, and growth in knowledge and understanding of techniques are areas each team member should actively pursue and update throughout their career.
  • Problem-solving skills to address new situations and efficiently handle incidents as they happen. New techniques for attacks, new methods for response, and new technologies are always arriving within the organization and need to be added to the repertoire of the team members' skills. SIRT members can become overwhelmed with the volumes of data related to incidents and other tasks that need to be handled if they don't have good problem-solving skills. Problem-solving skills also include an ability for the SIRT members to "think outside the box" or look at issues from multiple perspectives to identify relevant information or data.
  • Time management skills and abilities, in order to concentrate on priority work. Focusing on the task at hand during the response and subsequent investigation is vitally important to the proper and quick resolution of any incident. Effective time management is important for the SIRT member because they will often be confronted with a multitude of tasks, ranging from analyzing, coordinating, and responding to incidents to performing duties such as prioritizing their workload, attending and/or preparing for meetings, completing time sheets, collecting statistics, conducting research, giving briefings and presentations, traveling to conferences, and possibly providing onsite technical support.
  • Ability to consistently deliver briefings and possibly even court testimony. Expert witness testimony is always possible in any incident resolution effort, so each team member must have skills in properly explaining their efforts and making them straightforward for potential external parties, such as court officers, lawyers, and juries. The SIRT member needs skills to present a technical briefing, a management or sponsor presentation, a panel discussion at a conference or seminar, or some other form of public-speaking engagement as required by the SIRT or management.

The SIRT member's presentation skills will probably include providing expert testimony in legal or other proceedings on behalf of the SIRT or a customer.

All of these skills, abilities, and knowledge areas work best when the team members are blended together to form a cohesive unit for incident response. Not many people are going to have all of these at one time, but this is where the team concept comes into play: the skills and expertise reside in the team as a whole rather than in individuals. Our response efforts are too varied to try to gather all of these skill-sets into one or two individuals.

SP 800-61, the NIST Guide for Incident Response, also provides some guidance on ensuring team members stay active and engaged while participating in team activities and events as follows:

"It is important to counteract staff burnout by providing opportunities for learning and growth. Suggestions for building and maintaining skills are as follows:

  • Budget enough funding to maintain, enhance, and expand proficiency in technical areas and security disciplines, as well as less technical topics such as the legal aspects of incident response. Consider sending each full-time team member to at least two technical conferences per year and each part-time team member to at least one.
  • Ensure the availability of books, magazines, and other technical references that promote deeper technical knowledge.
  • Give team members opportunities to perform other tasks, such as creating educational materials, conducting security awareness workshops, writing software tools to assist system administrators in detecting incidents, and conducting research.
  • Consider rotating staff members in and out of the incident response team.
  • Maintain sufficient staffing so that team members can have uninterrupted time off work (e.g., vacations).
  • Create a mentoring program to enable senior technical staff to help less experienced staff learn incident handling.
  • Participate in exchanges in which team members temporarily trade places with others (e.g., network administrators) to gain new technical skills.
  • Occasionally bring in outside experts (e.g., contractors) with deep technical knowledge in needed areas, as funding permits.
  • Develop incident handling scenarios and have the team members discuss how they would handle them.
  • Conduct simulated incident handling exercises for the team. Exercises are particularly important because they not only improve the performance of the incident handlers, but also identify issues with policies and procedures, and with communication."

About the author:
Leighton Johnson is the CTO and Senior Security Engineer for Information Security and Forensics Management Team (ISFMT), a provider of computer security, forensics consulting & certification training. He has over 38 years' experience in Computer Security, Software Development and Communications Equipment Operations & Maintenance. Primary focus areas have included computer security, information operations & assurance, software system development life cycle focused on modeling & simulation systems, systems engineering and integration activities, anti-terrorism/cyber terrorism, database administration, and business process & data modeling. He just completed service as the AT/COOP task lead for a DOD Field Agency, based in Alexandria, VA. He recently was the CIO for a 450-person directorate within Lockheed Martin IS&GS covering 9 locations within the Eastern and Midwestern parts of the U.S. He previously served as Security Operations Program Manager for a US DOD Field Agency, based in Arlington, VA. He is a member of the CSA CloudSIRT working group developing the model for response collaboration among cloud providers, responders and users; the CSA Security-as-a-Service working group developing the definitions for SECaaS requirements and models; as well as a member of the IEEE Education working groups on Cloud and on Computer Software Security. He recently served as a member of the IS Alliance - NIST joint working group on VOIP SCAP security. He has taught Digital and Network Forensics courses at Georgia Regents University.
He holds CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CIFI (Certified Information Forensics Investigator), CSSLP (Certified Secure Software Lifecycle Professional), CAP (Certified Authorization Professional), CRISC (Certified in Risk & Information Systems Control), CMAS (Certified Master Antiterrorism Specialist), CAS-CTR (Certified Antiterrorism Specialist - Cyber Terrorism Response) and MBCI (Certified Member Business Continuity Institute) credentials.

This was last published in May 2014