WEBVTT

0:00:03.760000 --> 0:00:07.540000
 IR teams, same role, different names.

0:00:07.540000 --> 0:00:12.080000
 So in the previous video, we got an
 understanding of the various types

0:00:12.080000 --> 0:00:19.720000
 or models of IR teams, more specifically
 with regards to their structure

0:00:19.720000 --> 0:00:21.500000
 and how they work.

0:00:21.500000 --> 0:00:27.180000
 But one of those important aspects of
 incident response that often goes

0:00:27.180000 --> 0:00:34.460000
 unexplained is the different names
 by which IR teams are referred to.

0:00:34.460000 --> 0:00:37.220000
 And you may already be
 familiar with this.

0:00:37.220000 --> 0:00:40.740000
 Indeed, we did cover it
 in the previous course.

0:00:40.740000 --> 0:00:44.180000
 Of course, we only covered some
 of the more common names.

0:00:44.180000 --> 0:00:50.140000
 And really, we were distinguishing between
 the CSIRT and standard incident

0:00:50.140000 --> 0:00:54.780000
 response team. But this video is quite
 important because, again, this

0:00:54.780000 --> 0:00:58.340000
 may have been a question or something
 that, you know, is at the back of

0:00:58.340000 --> 0:01:02.000000
 your mind if you are getting
 into incident response.

0:01:02.000000 --> 0:01:08.120000
 And that is, why do I keep on hearing,
 you know, names like CERT or CERT

0:01:08.120000 --> 0:01:11.120000
 with an S, IRT, et cetera.

0:01:11.120000 --> 0:01:13.420000
 And the answer to that is fairly obvious.


0:01:13.420000 --> 0:01:17.900000
 So, you know, incident response teams
 are often referred to by different

0:01:17.900000 --> 0:01:23.260000
 names, which can sometimes cause, you know,
 obviously confusion or misunderstanding.

0:01:23.260000 --> 0:01:27.600000
 And this is especially the case for
 those new, for those who are new to

0:01:27.600000 --> 0:01:28.700000
 the field, right?

0:01:28.700000 --> 0:01:33.620000
 Now, regardless of whether it's called
 a CERT, CSIRT or CIRT or simply

0:01:33.620000 --> 0:01:38.540000
 an incident response team, IRT,
 the purpose remains the same.

0:01:38.540000 --> 0:01:40.920000
 And that's one of the core things
 that I wanted to point out.

0:01:40.920000 --> 0:01:45.640000
 And again, we've already covered the
 purpose, but just in case we, you

0:01:45.640000 --> 0:01:46.980000
 know, we need to go through it again.

0:01:46.980000 --> 0:01:51.500000
 And that is to detect, respond to, and
 recover from security incidents.

0:01:51.500000 --> 0:01:56.360000
 Now, you may be asking, well, do the
 names have something to do with the

0:01:56.360000 --> 0:02:00.360000
 type of, or the scope of incident
 response performed?

0:02:00.360000 --> 0:02:05.640000
 And you may be onto something there
 because that indeed is the case in

0:02:05.640000 --> 0:02:07.020000
 certain instances.

0:02:07.020000 --> 0:02:10.520000
 So, in the next or, you know, in the
 following slides, we'll be exploring

0:02:10.520000 --> 0:02:15.040000
 the most commonly used names for incident
 response teams, how they differ,

0:02:15.040000 --> 0:02:20.100000
 why these differences exist, if any,
 and how naming conventions like,

0:02:20.100000 --> 0:02:27.100000
 you know, CERT, CSIRT often reflect an
 organization's structure, maturity,

0:02:27.100000 --> 0:02:28.560000
 or focus, right?

0:02:28.560000 --> 0:02:33.380000
 So, you know, sort of adding onto that,
 different organizations and industries

0:02:33.380000 --> 0:02:37.800000
 use various names, or different names
 for the incident response teams.

0:02:37.800000 --> 0:02:41.440000
 These are often based on their structure,
 function, or focus area, as

0:02:41.440000 --> 0:02:46.860000
 we, you know, and one important thing
 that you need to be aware of, and

0:02:46.860000 --> 0:02:49.660000
 you, you know, you'll typically see
 it, whether you're browsing online

0:02:49.660000 --> 0:02:54.180000
 or engaging in discussions, is that
 these names are typically, commonly,

0:02:54.180000 --> 0:02:56.640000
 I should say, used interchangeably.

0:02:56.640000 --> 0:03:04.160000
 But, you know, to be more functional,
 or to be more specific, they signal,

0:03:04.160000 --> 0:03:12.520000
 or they technically refer to a team
 being organized in a certain way,

0:03:12.520000 --> 0:03:16.280000
 or have, you know, referring to specific
 roles or responsibilities.

0:03:16.280000 --> 0:03:21.080000
 In essence, you know, generally speaking,
 or in general conversation,

0:03:21.080000 --> 0:03:24.000000
 you'll see these terms
 used interchangeably.

0:03:24.000000 --> 0:03:30.160000
 But, you know, when we're speaking technically,
 these team names may be

0:03:30.160000 --> 0:03:35.700000
 referring to a slight difference in
 the, as it's listed here, the roles

0:03:35.700000 --> 0:03:40.900000
 or responsibilities of, you know,
 they're in a specific IR team.

0:03:40.900000 --> 0:03:45.580000
 So, I've sort of summarized some of
 the more common ones, or, you know,

0:03:45.580000 --> 0:03:48.620000
 the ones you're likely to run into, in a
 table, and then I'll sort of outline

0:03:48.620000 --> 0:03:52.720000
 some important, some of
 the important ones.

0:03:52.720000 --> 0:03:56.320000
 So, first and foremost, the most common
 nowadays, as of recording this

0:03:56.320000 --> 0:04:07.680000
 video, is the CSIRT, right?

0:04:07.680000 --> 0:04:08.640000
 So, I'm going to talk about the most
 commonly used, modern term

0:04:08.640000 --> 0:04:13.420000
 in cyber security and
 enterprise environments

0:04:13.420000 --> 0:04:18.240000
 when referring

0:04:18.240000 --> 0:04:20.580000
 to an incident response team.

0:04:20.580000 --> 0:04:22.980000
 And I've just added some
 notes or differences.

0:04:22.980000 --> 0:04:28.160000
 In this case, this particular team name
 emphasizes both the word security

0:04:28.160000 --> 0:04:33.140000
 and incident response, which is preferred
 for formal IR teams that are

0:04:33.140000 --> 0:04:36.200000
 focused on prevention, detection,
 and response.

0:04:36.200000 --> 0:04:43.140000
 This is part of the standard term, you
 know, in industry best practices.

0:04:43.140000 --> 0:04:46.200000
 So, I'm specifically referring
 to NIST and ISO.

0:04:46.200000 --> 0:04:52.280000
 So, you'll typically see, you know,
 in NIST documents and standards, an

0:04:52.280000 --> 0:04:54.840000
 IR team referred to as a CSIRT.

0:04:54.840000 --> 0:04:57.140000
 You then have the CIRT, right?

0:04:57.140000 --> 0:05:00.860000
 CIRT, which is the computer
 incident response team.

0:05:00.860000 --> 0:05:08.180000
 Now, in comparison to the CSIRT, the
 CIRT is an older or simplified term,

0:05:08.180000 --> 0:05:12.200000
 and it's still used by some organizations,
 you know, as just a matter

0:05:12.200000 --> 0:05:15.920000
 of legacy. And the fact that when they
 started, the team was formally

0:05:15.920000 --> 0:05:18.640000
 called a CIRT, and
 now we have the CSIRT.

0:05:18.640000 --> 0:05:29.500000
 But moving on to the notes: technically, the
 focus is on incident response without

0:05:29.500000 --> 0:05:32.980000
 explicitly highlighting
 security operations.

0:05:32.980000 --> 0:05:37.280000
 And this is used where the team is primarily
 reactive rather than proactive.

0:05:37.280000 --> 0:05:41.860000
 Now, of course, those are just notes.
 What I've said there is not

0:05:41.860000 --> 0:05:42.580000
 written in stone.

0:05:42.580000 --> 0:05:47.280000
 I'm sort of juxtaposing each of these
 so that you have an understanding

0:05:47.280000 --> 0:05:52.460000
 of where you're likely to find,
 you know, a CSIRT or a CIRT.

0:05:52.460000 --> 0:05:55.620000
 And really, you can see there's
 no real difference.

0:05:55.620000 --> 0:05:59.040000
 It's just that one in this case
 is older than the other.

0:05:59.040000 --> 0:06:02.660000
 You then have the SIRT, which is actually
 quite common, which is, when

0:06:02.660000 --> 0:06:07.420000
 I say SIRT, S-I-R-T, this stands for
 security incident response team.

0:06:07.420000 --> 0:06:11.060000
 Now, the usage context here is that,
 you know, flexible general term used

0:06:11.060000 --> 0:06:12.760000
 across different industries.

0:06:12.760000 --> 0:06:18.160000
 And in terms of the notes and differences,
 the SIRT emphasizes response

0:06:18.160000 --> 0:06:20.920000
 to any security incident.

0:06:20.920000 --> 0:06:25.700000
 What that means is regardless of whether
 it's related to, whether it's,

0:06:25.700000 --> 0:06:28.760000
 you know, IT related
 or physical security.

0:06:28.760000 --> 0:06:34.100000
 So this is, this name is used where
 IR responsibilities cover a broader

0:06:34.100000 --> 0:06:36.720000
 scope beyond just IT systems.

0:06:36.720000 --> 0:06:38.320000
 So it's more general.

0:06:38.320000 --> 0:06:44.960000
 You then have the CERT or C-E-R-T, which
 is quite common or commonly known.

0:06:44.960000 --> 0:06:46.880000
 In fact, some of you may know about this.


0:06:46.880000 --> 0:06:50.060000
 This is the computer emergency
 response team.

0:06:50.060000 --> 0:06:54.600000
 This term or this name was originally
 coined and I should say trademarked

0:06:54.600000 --> 0:06:56.060000
 by Carnegie Mellon.

0:06:56.060000 --> 0:06:58.720000
 So CERT/CC, as it were.

0:06:58.720000 --> 0:07:04.340000
 And it is used globally for national,
 regional and sector-based IR teams.

0:07:04.340000 --> 0:07:07.880000
 So you may have heard of CERT before
 and I'll sort of explain it now.

0:07:07.880000 --> 0:07:13.120000
 So CERT is often used in government,
 military or large sector-wide teams.

0:07:13.120000 --> 0:07:18.400000
 For example, US-CERT, so that's the United
 States emergency response team,

0:07:18.400000 --> 0:07:20.060000
 computer emergency response team.

0:07:20.060000 --> 0:07:23.220000
 You also have CERT-EU,
 CERT/CC and so forth.

0:07:23.220000 --> 0:07:26.720000
 In fact, your country probably uses
 the same nomenclature here or the

0:07:26.720000 --> 0:07:32.940000
 same name for the, you know, sector-wide
 or government IR teams.

0:07:32.940000 --> 0:07:38.500000
 What this means is that it implies a focus
 on large-scale incident coordination

0:07:38.500000 --> 0:07:43.440000
 or emergency response,
 not just enterprise IR.

0:07:43.440000 --> 0:07:44.980000
 So that's the CERT.

0:07:44.980000 --> 0:07:48.040000
 And then of course we have the standard
 IR-T, right, which is just incident

0:07:48.040000 --> 0:07:52.600000
 response team. And as you can see in
 the usage context column, it's a

0:07:52.600000 --> 0:07:54.760000
 generic catch-all term.

0:07:54.760000 --> 0:07:59.360000
 Notes and differences, it's typically
 used in smaller organizations or

0:07:59.360000 --> 0:08:01.020000
 non-technical environments.

0:08:01.020000 --> 0:08:06.840000
 Really, you'll see IRT, you know, organizations
 referring to their team,

0:08:06.840000 --> 0:08:10.940000
 the incident response team, you know,
 as an IRT, where there's nothing,

0:08:10.940000 --> 0:08:14.520000
 this is not always the case, but you
 know, there's no real formalization

0:08:14.520000 --> 0:08:17.620000
 of the team and, you know,
 so on and so forth.

0:08:17.620000 --> 0:08:23.880000
 In any case, you can see it's really
 preferred or used in non-technical

0:08:23.880000 --> 0:08:28.860000
 environments where simplicity is preferred
 and it refers to any team responsible

0:08:28.860000 --> 0:08:34.440000
 for handling security incidents, security
 related or not, for handling

0:08:34.440000 --> 0:08:37.740000
 incidents, security related
 or not, I should say.

0:08:37.740000 --> 0:08:42.400000
 So that brings us to sort of a key question
 that, again, you might have,

0:08:42.400000 --> 0:08:48.860000
 and that is how do IR team names influence
 the roles and structure of

0:08:48.860000 --> 0:08:51.060000
 an IR team, which is a very
 important question.

0:08:51.060000 --> 0:08:55.820000
 So while the core mission of all incident
 response teams is the same,

0:08:55.820000 --> 0:08:59.820000
 that being detect, respond and recover
 from security incidents, the name

0:08:59.820000 --> 0:09:05.560000
 used for the team often reflects A, its
 scope, B, the structure and C,

0:09:05.560000 --> 0:09:08.380000
 the responsibilities within
 the organization.

0:09:08.380000 --> 0:09:11.800000
 So let's start off with CSIRT, right?

0:09:11.800000 --> 0:09:16.160000
 CSIRT, I'm using an example here that
 is the computer security incident

0:09:16.160000 --> 0:09:20.380000
 response team, its enterprise or
 internal security focus, right?

0:09:20.380000 --> 0:09:24.240000
 So a CSIRT is typically an internal
 dedicated security team responsible

0:09:24.240000 --> 0:09:28.880000
 for managing and responding to cybersecurity
 incidents within a single

0:09:28.880000 --> 0:09:33.420000
 organization. Their responsibilities are
 usually technical and operational,

0:09:33.420000 --> 0:09:38.580000
 for example, threat detection and monitoring,
 incident handling and forensics,

0:09:38.580000 --> 0:09:42.300000
 coordinating containment and recovery,
 improving security controls and

0:09:42.300000 --> 0:09:46.540000
 playbooks. Key point here is
 a CSIRT operates typically.

0:09:46.540000 --> 0:09:50.900000
 This is typically the case as part
 of a security operations center or

0:09:50.900000 --> 0:09:52.940000
 reports directly to the CISO.

0:09:52.940000 --> 0:09:56.920000
 So they can operate within a SOC or they
 can sort of be a separate department

0:09:56.920000 --> 0:10:02.080000
 or team, but in the end, they all report
 to security operations chief

0:10:02.080000 --> 0:10:05.100000
 or in this particular case, the CISO.

0:10:05.100000 --> 0:10:09.400000
 So hopefully that gives you an idea as
 to where you're likely to encounter,

0:10:09.400000 --> 0:10:13.980000
 you know, or where you're likely to find
 the IR team being called a CSIRT.

0:10:13.980000 --> 0:10:21.680000
 So this is again the most popular term
 or team name used today to refer

0:10:21.680000 --> 0:10:25.260000
 to an incident response team, a formalized
 incident response team within

0:10:25.260000 --> 0:10:26.980000
 an organization.

0:10:26.980000 --> 0:10:30.600000
 You then have the CERT, which
 we already explained in the

0:10:30.600000 --> 0:10:34.960000
 table, but this is your computer emergency
 response team, you know, national

0:10:34.960000 --> 0:10:37.400000
 sectorwide or public facing focus.

0:10:37.400000 --> 0:10:43.520000
 So a CERT, C-E-R-T, often operates at
 a national or industry sector level.

0:10:43.520000 --> 0:10:44.880000
 And I gave you those examples previously.


0:10:44.880000 --> 0:10:49.060000
 So you have US-CERT, CERT-EU and CERT/CC.

0:10:49.060000 --> 0:10:52.780000
 Their role extends beyond internal
 incident handling.

0:10:52.780000 --> 0:10:56.440000
 So they also provide national
 level threat intelligence.

0:10:56.440000 --> 0:11:01.220000
 They're actually quite famous for this,
 especially US-CERT: coordination

0:11:01.220000 --> 0:11:05.920000
 between multiple organizations, advisories,
 alerts and best practices,

0:11:05.920000 --> 0:11:09.000000
 and across sectors.

0:11:09.000000 --> 0:11:11.960000
 So think government finance
 critical infrastructure.

0:11:11.960000 --> 0:11:15.840000
 The key point here is that CERT teams
 don't directly manage incidents

0:11:15.840000 --> 0:11:17.580000
 inside individual companies.

0:11:17.580000 --> 0:11:23.040000
 They guide, coordinate and support response
 efforts across multiple organizations.

0:11:23.040000 --> 0:11:27.440000
 So whenever you as an organization have
 a breach, let's say in the United

0:11:27.440000 --> 0:11:32.220000
 States, you typically make a disclosure
 to US-CERT, as an example, I'm

0:11:32.220000 --> 0:11:35.520000
 just sort of giving you an
 idea as to what a CERT is.

0:11:35.520000 --> 0:11:40.700000
 So you, you know, you don't confuse
 CIRT, as in C-I-R-T, and CERT, as in

0:11:40.700000 --> 0:11:44.760000
 C-E-R-T. You can see that they're not
 really doing any incident response

0:11:44.760000 --> 0:11:51.120000
 as the point here suggests they don't
 directly manage incidents inside

0:11:51.120000 --> 0:11:52.540000
 individual companies.

0:11:52.540000 --> 0:11:56.040000
 They guide, coordinate and support the
 response efforts across multiple

0:11:56.040000 --> 0:12:00.420000
 organizations when and if required
 or, you know, called upon.

0:12:00.420000 --> 0:12:03.980000
 You then have another example,
 in this case, the SIRT, right?

0:12:03.980000 --> 0:12:08.680000
 So S-I-R-T, this is the Security Incident
 Response Team and, you know,

0:12:08.680000 --> 0:12:11.140000
 broader security scope beyond IT.

0:12:11.140000 --> 0:12:16.700000
 So some organizations use SIRT, S-I-R-T,
 when the team is responsible for

0:12:16.700000 --> 0:12:21.220000
 responding not only to cybersecurity incidents,
 but also to physical security

0:12:21.220000 --> 0:12:25.480000
 incidents, insider threats, which
 are not computer related.

0:12:25.480000 --> 0:12:28.360000
 They, you know, are linked
 but not related.

0:12:28.360000 --> 0:12:32.980000
 Fraud investigations, corporate
 security breaches, etc.

0:12:32.980000 --> 0:12:37.200000
 And this name indicates a broader
 cross-functional team often involving

0:12:37.200000 --> 0:12:42.200000
 departments like HR, legal and
 physical security teams.

0:12:42.200000 --> 0:12:47.200000
 So again, hopefully this clarifies,
 you know, the differences between

0:12:47.200000 --> 0:12:50.340000
 these team names as it were.

0:12:50.340000 --> 0:12:56.840000
 And, you know, you can actually see
 that for, you know, for CSIRT,

0:12:56.840000 --> 0:13:00.620000
 C-S-I-R-T, and CIRT, C-I-R-T, there's
 not really a difference.

0:13:00.620000 --> 0:13:02.280000
 They are used interchangeably.

0:13:02.280000 --> 0:13:06.280000
 The more specific ones are the ones
 that actually are quite different

0:13:06.280000 --> 0:13:11.520000
 based on what their responsibilities
 are, are going to be ones like CERT,

0:13:11.520000 --> 0:13:16.720000
 C-E-R-T. That's really the only one that
 is actually, you know, that actually

0:13:16.720000 --> 0:13:20.520000
 tells you that, you know, you're probably
 dealing with national, sector-wide

0:13:20.520000 --> 0:13:24.840000
 or, you know, public facing, you
 know, you're dealing with a public

0:13:24.840000 --> 0:13:28.380000
 facing or sector-wide incident
 response team.

0:13:28.380000 --> 0:13:33.200000
 So with that being said, that brings
 us to the end of this video.

0:13:33.200000 --> 0:13:37.020000
 And I think by this point, we, you know,
 you should have a good idea of

0:13:37.020000 --> 0:13:42.220000
 the various types or models of IR teams
 and now, of course, their names.

0:13:42.220000 --> 0:13:47.600000
 And we can sort of move on now to the incident
 response process or lifecycle,

0:13:47.600000 --> 0:13:52.180000
 take a look at some of the popular commonly
 used incident response frameworks.

0:13:52.180000 --> 0:13:57.340000
 And then we'll also touch on the roles
 and responsibilities within an

0:13:57.340000 --> 0:14:01.060000
 IR team. But with that being said, that's
 going to be it for this video.

0:14:01.060000 --> 0:14:03.200000
 And I will be seeing you
 in the next video.

