Thoughts on Cyber Incident Response Teams


I just finished attending Tracer FIRE 6 and found it to be an amazing experience. It’s essentially free and a fantastic opportunity to skill-up and meet others.

I found it very interesting that the Tracer FIRE speakers cited an older blog about Cyber Incident Response Teams (CIRT).

See Handler Diaries blog here:

After a couple of years of working for an Incident Response team, I’ve found the following roles and model are quite effective. This assumes that all members of your Incident Response team are technically minded, but also strong communicators.


(Entry Level | Tier-1)

This is where you put the least experienced member of the team (perhaps an intern) to review events and alerts from your SIEM, Web Proxy, Anti-Virus, Intrusion Detection Systems, etc. This person is young in this career and is hungry to learn!


(Mid-Level | Tier 2)

Put your rising-star here. This person might not be a Reverse Engineer, Malware Analyst, or supremely technical yet, but he/she is ready for more responsibility. The Threat Analyst/Incident Coordinator typically handles the more difficult things that Tier-1 comes across.

This person works closely with the SOC Manager to ensure tedious things like tickets, alerts, emails, etc. are up-to-date and with the Senior Threat Analyst to escalate a select few items for advanced analysis.


(Senior-Level | Tier 3)

This is your high-dollar analyst where single cases can take days, weeks, or months to resolve. Once the case is complete, the Senior Threat Analyst should present their findings to the CSIRT manager for additional actions (if appropriate). Since the Senior Threat Analyst should handle only the deep-dive stuff, make sure their time is respected, and case volume is light.



The buck stops here. The CSIRT Manager is the decision maker for the Cyber Security Incident Response Team (CSIRT). This person’s job is to keep the team organized, equipped, and without distractions. For most organizations, this is what a Senior Threat Analyst’s next promotion to pseudo-management (half-technical, half-management) looks like. The CSIRT Manager must be wise enough to fight the political battles and make sure administrative things are taken care of (time off, work tasks, staff evaluations, etc.). Having a highly technical person in this role will earn the respect of the team and allows this person to be a practical resource who can pick up work whenever the team is behind.

Internal & External SME/POC

(Network, server, & other admins | insider vendor contacts for each of your tools)

I agree with the Handler Diaries blog post for this specific role/contact. You need a few good people from your IT organization to help you get things done. Additionally, you will benefit from having vendor insiders to get direct information from without poring through documentation, websites, or formal support.
