
Mock exercises for CSIRT


snortymcsnort

Newbie

Posts: 17

Joined: Fri May 30, 2008 12:00 pm

Post Wed Oct 14, 2009 11:06 am

Mock exercises for CSIRT

Hi, I am looking for ideas to revitalize my CSIRT team.  One of the best suggestions I have heard of was having an incident drill so the team members can practice their functions.  Does anyone have an example of a drill they have run?

Thanks

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Wed Oct 14, 2009 1:30 pm

Re: Mock exercises for CSIRT

There are a few ways to accomplish this.  You can do a live read through any one of Ed Skoudis' scenarios (as outlined here on EH-Net) minus the entertaining themes (Brady Bunch, Simpsons, Matrix, etc).  Ed has given permission and suggestion to do this in the SEC504 course.

You can also hire or have a skilled team member perform a penetration test to see how the team reacts/notices the test or just ignores it.  You should probably only do this with a seasoned group who has worked together for a while so everyone is not tripping over themselves.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Wed Oct 14, 2009 3:20 pm

Re: Mock exercises for CSIRT

It is good practice to regularly carry out a CSIRT drill.
I would suggest thinking about a real world scenario that could impact your organisation, and then go through the stages as you would in real life, but in a drill scenario.

So bringing the teams together, brainstorming etc.
If you're a global organisation, follow the sun so each region has a part to play, and cease the drill when a full rotation has been completed.

Then review the process, improvements, etc.

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Oct 14, 2009 10:44 pm

Re: Mock exercises for CSIRT

NIST has some scenarios in Appendix B of 800-61 Computer Security Incident Handling Guide. While there aren't any super technical things to be done, it does provide good food for thought.
twitter.com/timmedin | http://blog.securitywhole.com

snortymcsnort

Newbie

Posts: 17

Joined: Fri May 30, 2008 12:00 pm

Post Thu Oct 15, 2009 9:46 am

Re: Mock exercises for CSIRT

Thanks for the replies!  These are all good ideas.

brima99

Newbie

Posts: 1

Joined: Sun Oct 18, 2009 2:36 am

Post Sun Oct 18, 2009 2:42 am

Re: Mock exercises for CSIRT

A bit late, but check out these:

http://www.enisa.europa.eu/act/cert/support/exercise

Soon we'll also publish Live DVDs

Cheers,
Marco

snortymcsnort

Newbie

Posts: 17

Joined: Fri May 30, 2008 12:00 pm

Post Mon Oct 19, 2009 2:16 pm

Re: Mock exercises for CSIRT

Thanks Marco.  There are a lot of good materials on the site.  Looking forward to the Live DVDs.

snortymcsnort

Newbie

Posts: 17

Joined: Fri May 30, 2008 12:00 pm

Post Wed Jan 06, 2010 11:45 am

Re: Mock exercises for CSIRT

ENISA has the ISO images for their live DVDs available now: http://www.enisa.europa.eu/act/cert/support/exercise
They have some really good exercises here and I am looking forward to using them in our training.

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Jan 08, 2010 1:33 am

Re: Mock exercises for CSIRT

Sounds interesting, will have a look at it too. Thanks for notifying.
