Monday, March 19, 2007

Incident Response Teams

Over the weekend I went out and picked up a new game, Ghost Recon, for my computer (that's right, I said my computer, not an Xbox). The objective, like in many other first-person shooter games where you lead teams, is to save the day by completing your missions without getting your team killed.
In one scenario I was approaching an abandoned 18-wheeler trailer after sniping a bad guy by shooting his exposed kneecaps, and bang! My world came to a crashing halt. I'd been sniped and killed with a head shot. The game fades to black and white and you can hear your digital teammates calling your name as your vision blurs. Kind of cool, but it made me think of a few things.

I always push for the formation of incident response TEAMS when I can. In many cases a team will work much better than a single person. I recommend that, at a minimum, all response efforts involve two people. One person should handle the mainline incident response effort (investigation, live analysis, etc.) and the other person should handle the backline response: the documentation, dealing with management, and basically taking the administrative load of the incident off of the mainline responder. (If you have a bigger team than this, then of course the split would vary.) One of the core rules I learned early on was CYA (we all know what it means now). If I had had someone watching my back after I shot the bad guy in Ghost Recon, I probably wouldn't have been shot. When responding to incidents, try not to go it alone, or else you may end up as a casualty of the incident response world.

This brings me to my second point...
In the Ghost Recon scenario above, I didn't manage my team properly when I got shot. I had three other team members with me. One was a heavy weapons expert, another was an assault team member, and the last was a sniper. Had I been smart about this, I would have placed my sniper on overwatch somewhere, put the heavy weapons guy behind some cover with a good field of view, and had the assault team member move with me to the truck. Obviously I did none of that and wound up dead.

Incident Response Teams are often groups of individuals with many specific skill sets, and it is the responsibility of the team leader to utilize the skill sets of the team's members for maximum efficiency. If you have a Windows expert and a *nix expert on your team, it doesn't make much sense to send the Windows guy out as the lead incident handler when you have an incident on a Red Hat box. Identify the areas of expertise in your teams before you send them out to respond, and utilize their specialties when it makes sense to. Get your people trained, and cross-train them for redundancy, but make sure you feed their expertise as well. For example, all of my guys could shoot a gun, but they all had specialty weapons. Remember to never go out to an incident without the proper team and tools for the job.

When I load up Ghost Recon again, I'll remember to manage my team and utilize their skills, and I bet you I won't get dead at the same spot ;)