Responsibilities of a CSIRT include:
• Reporting: receiving reports of suspected incidents and reporting as appropriate to senior management
• Detection: investigation to determine if an incident occurred
• Triage: immediate action to address urgent needs
• Response: coordination of effort to address all aspects in a manner appropriate to severity and time demands
• Post-mortem: declaring the incident over and arranging to review the case to improve future response
• Education: preventing harm by advising on good security practices and disseminating lessons learned from past incidents
The proactive role of a CSIRT in preventing attacks is increasing in importance, reports Robin Ruefle’s team [RUE14]. Teams study current data to predict future attack trends as a way to determine where to invest preventive resources.