A Computer Security Incident Response Team (CSIRT) is a group of experts that handles computer security events or incidents.
Computer security events include:
Verified or suspected breaches
Violations of security policy
Unauthorized use
Denial of service
Unauthorized changes to hardware or software
The CSIRT is responsible for:
Incident Containment
Preservation of Evidence
Forensic Analysis
Recommendations for Recovery
Lessons Learned
During the incident containment phase, the CSIRT will identify all machines involved in the incident and isolate those machines from the environment.
The investigator(s) will capture live memory and hard drive images of any machines involved in the incident and maintain chain of custody documents for all evidence.
All evidence will be secured in a locked area when not under review.
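As an added example, not part of the original page, the Python script below shows one way to implement the evidence-preservation step just described: the acquired image is hashed at acquisition, every custody transfer is recorded in a hash-chained log, and a later check confirms that neither the image nor the log has changed. The evidence id, custodian names and image file name are constructed placeholders.

```python
"""Chain-of-custody log with integrity verification for acquired evidence."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a (possibly large) disk or memory image in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only chain of custody for one evidence item.

    Every entry records who did what and when, the evidence hash at that
    moment, and the hash of the previous entry, so both the evidence and the
    log itself are tamper-evident.
    """

    def __init__(self, evidence_id, path, acquired_by):
        self.evidence_id = evidence_id
        self.path = Path(path)
        self.entries = []
        # The acquisition hash is the reference every later check compares against.
        self.acquisition_hash = sha256_file(self.path)
        self.record("acquired", acquired_by)

    def record(self, action, custodian, note=""):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "note": note,
            "evidence_sha256": sha256_file(self.path),
            "prev_entry_hash": prev_hash,
        }
        canonical = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means evidence and log are intact."""
        problems = []
        if sha256_file(self.path) != self.acquisition_hash:
            problems.append("evidence file no longer matches acquisition hash")
        prev_hash = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["entry_hash"] != expected or entry["prev_entry_hash"] != prev_hash:
                problems.append(f"log entry {entry['seq']} has been altered or reordered")
            if entry["evidence_sha256"] != self.acquisition_hash:
                problems.append(f"evidence hash changed by entry {entry['seq']}")
            prev_hash = entry["entry_hash"]
        return problems


def demo():
    """Constructed walk-through: acquire, transfer, tamper with log, tamper with image."""
    workdir = Path(tempfile.mkdtemp())
    image = workdir / "host01-memory.raw"               # constructed sample image
    image.write_bytes(b"\x00" * 4096 + b"sample memory capture")
    log = CustodyLog("EV-0001", image, "analyst-a")      # placeholder identifiers
    log.record("transferred", "analyst-b", "moved to locked evidence cabinet")
    intact = log.verify()
    log.entries[1]["note"] = "edited after the fact"     # simulate log tampering
    log_tampered = log.verify()
    image.write_bytes(b"tampered")                       # simulate image modification
    image_tampered = log.verify()
    return intact, log_tampered, image_tampered


if __name__ == "__main__":
    for label, problems in zip(("intact", "log tampered", "image tampered"), demo()):
        print(f"{label}: {problems or 'no problems'}")
```

The entry hash chain means an entry cannot be edited or removed without breaking every later link; the same property is what a signed or write-once evidence register provides in a production setting.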
Forensic examination will help determine the method of attack and any potential loss of data. The results of the examination will be provided together with recommendations for recovery and for remediation of future incidents.
A lessons-learned session is held with the client to discuss and document updates to processes and procedures.