EH-Net

Ethical Hacking Discussions and Related Certifications => Incident Response => Topic started by: snortymcsnort on October 14, 2009, 11:06:49 AM



Title: Mock exercises for CSIRT
Post by: snortymcsnort on October 14, 2009, 11:06:49 AM
Hi, I am looking for ideas to revitalize my CSIRT team.  One of the best suggestions I have heard of was having an incident drill so the team members can practice their functions.  Does anyone have an example of a drill they have run?

Thanks


Title: Re: Mock exercises for CSIRT
Post by: unsupported on October 14, 2009, 01:30:05 PM
There are a few ways to accomplish this.  You can do a live read through any one of Ed Skoudis' scenarios (as outlined here on EH-Net) minus the entertaining themes (Brady Bunch, Simpsons, Matrix, etc.).  Ed has given permission and suggestion to do this in the SEC504 course.

You can also hire or have a skilled team member perform a penetration test to see how the team reacts/notices the test or just ignores it.  You should probably only do this with a seasoned group who has worked together for a while so everyone is not tripping over themselves.


Title: Re: Mock exercises for CSIRT
Post by: dalepearson on October 14, 2009, 03:20:39 PM
It is good practice to regularly carry out a CSIRT drill.
I would suggest thinking about a real-world scenario that could impact your organisation, and then go through the stages as you would in real life, but in a drill scenario.

So bringing the teams together, brainstorming, etc.
If you're a global organisation, follow the sun so each region has a part to play, and cease the drill when a full rotation has been completed.

Then review the process, improvements, etc.


Title: Re: Mock exercises for CSIRT
Post by: timmedin on October 14, 2009, 10:44:23 PM
NIST has some scenarios in Appendix B of 800-61 Computer Security Incident Handling Guide (http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf). While there aren't any super technical things to be done, it does provide good food for thought.


Title: Re: Mock exercises for CSIRT
Post by: snortymcsnort on October 15, 2009, 09:46:03 AM
Thanks for the replies!  These are all good ideas.


Title: Re: Mock exercises for CSIRT
Post by: brima99 on October 18, 2009, 02:42:17 AM
A bit late, but check out these:

http://www.enisa.europa.eu/act/cert/support/exercise

Soon we'll also publish Live DVDs.

Cheers,
Marco


Title: Re: Mock exercises for CSIRT
Post by: snortymcsnort on October 19, 2009, 02:16:12 PM
Thanks Marco.  There are a lot of good materials on the site.  Looking forward to the Live DVDs.


Title: Re: Mock exercises for CSIRT
Post by: snortymcsnort on January 06, 2010, 10:45:57 AM
ENISA has the ISO images for their live DVDs available now: http://www.enisa.europa.eu/act/cert/support/exercise
They have some really good exercises here and I am looking forward to using them in our training.


Title: Re: Mock exercises for CSIRT
Post by: UNIX on January 08, 2010, 12:33:47 AM
Sounds interesting, will have a look at it too. Thanks for notifying.