Training the Team


One of the major advantages of a virtual team is that members stay current on technology through their normal operations jobs. A full-time team, if there aren't sufficient incidents (or the incidents do not impact certain systems or applications), can become out of touch as new technology is deployed within the company. No incident response team member can possibly know a system as well as the people responsible for maintaining it on a daily basis.

If the focus of the team members is on daily operations, however, they might not consider that many things change during an incident. For example, a systems administrator will think nothing of logging in as root to investigate a malfunctioning server. If the server has been compromised, however, logging on directly can destroy evidence or trigger logic bombs installed by the attacker. An interactive login writes new login records, appends to the shell history, and runs the shell's startup files; if the attacker has modified those startup files, the administrator executes the attacker's code with root privileges simply by logging in, and the timestamps and logs an investigator would rely on are altered before any evidence has been collected.

The team will, as a minimum, require periodic training in evidence-handling procedures. This is perhaps the most dramatic difference between normal operations and incident response. Team members must be aware of the proper steps to take when securing digital evidence. If a team member is also the administrator for the affected systems, the problem is even greater: he or she must be reminded that his or her responsibilities change the moment an incident is formally declared. It might even be preferable to have another team member collect the evidence, both as a check on the procedure and to prevent the appearance of impropriety or a conflict of interest.

If the team consists of full-time members, they must constantly strive to remain current and technically competent. Some teams do this by having team members conduct training or by issuing technical advisories. Although this might be a good method for maintaining proficiency, it is even more vital that the members be accurate. Issuing a technical advisory to operational units that contains errors will quickly undermine the credibility of the team and its members. Technical inaccuracy during training and awareness sessions will do the same.

Unfortunately, there are no easy answers to these issues. However, some practices have proven valuable in other organizations. As covered in Chapter 4, "Forming and Managing an Incident Response Team," attendance at technical conferences, bringing in outside speakers and resources, making technical journals and books available, and having staff engage in operations with other incident response teams are well-established types of training. However, as you organize for incident response, you might find that these types of training are insufficient for the variety of training needs that exist. Thus, the following types of training might also be appropriate:

  • Establish a mentoring program. Senior staff can assist in training (both formally and informally) junior, less experienced team members. Senior full-time staff can also mentor virtual members.

  • Encourage self-study and ensure that appropriate technical references are available. Individuals should subscribe to free trade magazines. The company should consider subscribing to periodicals that are not free. An incident response library, including technical references, legal documents, and information about the specific processes (such as forensics), can be invaluable during an incident.

  • Full-time team members, especially if they are on call all the time, should be given some time off from incident handling. This is not the same as vacation (they will probably get called while on vacation anyway), but it gives them some time away from the pressures of incident response to explore appropriate technical issues. This might include Internet research, testing new tools, or simply doing research and hands-on familiarization with new technologies.

  • Have team members periodically review the post-mortem reports that have been written. As mentioned in Chapter 3, "A Methodology for Incident Response," these provide one of the best ways to convey lessons learned to team members, especially newer ones.

  • Involve team members in incident simulations. The next section of this chapter discusses this idea in detail.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
