Resources to Support Training Programs for CSIRTs

Upload: hugh-jenkins

Post on 28-Dec-2015


Problem

• There is a long trend which shows CSIRTs are having a problem training their staff
• A recent survey* by Jeff Yuetter had two interesting results
  – Staff expertise or availability is a very challenging problem to 49% of teams (51 responded)
  – 54% of the teams do not have a formal training or mentoring program in place (56 responded)
• Similar findings were reported by
  – CERT/CC in 2009
  – CERT/CC in 2003

* Updated version of CSIRT State of the Practice independently carried out by Jeff in Fall 2011

Causes

• We assume that there will be multiple causes for this issue. We will primarily focus on:
  – Lack of identified resources to compose a comprehensive training plan
  – Lack of knowledge on how to prepare and execute a training plan
• Thus, we believe the major issues are related to building and executing Training Plans

Major Steps to Creating a Training Plan

• (1) Identify all of the topics required
• (2) Create a check-list that summarizes all the training topics
• (3) Identify the resources
• (4) Develop a procedure for evaluation and correction (to include assessment materials)

A Relook at Causes

• We assume that there will be multiple causes for this issue. We will primarily focus on:
  – Lack of identified resources to compose a comprehensive training plan
    • This is step (3) in Creating a Training Plan
  – Lack of knowledge on how to prepare and execute a training plan
    • This is part of step (4) in Creating a Training Plan
• This means the major issues are related to executing Training Plans

What has been done

• What about steps (1) and (2)?
• The (U.S.) National Initiative for Cybersecurity Education (NICE) has a framework
  – http://csrc.nist.gov/nice/framework/
  – NICE addresses steps (1) and (2)

What Can We do

• We are proposing that a pilot could focus on Incident Responders. In NICE this is
  – Protect and Defend: Incident Response: Tasks and KSAs (pgs 70-73)
    • http://csrc.nist.gov/nice/framework/documents/NICE-Cybersecurity-Workforce-Framework-printable.pdf
• We could identify and document the resources for the tasks and KSAs [step (3)]

The Pilot

• Pilot: An attempt to address step (3)
• Identify resources for NICE specialty areas tasks/KSAs
  – Focus on specialty area - Incident Responders
    • Protect and Defend: Incident Response: Tasks and KSAs (pgs 70-73)
• We believe this material is part of the missing information needed by CSIRT managers to develop a training plan

Pilot

• Work with 6 to 7 domain experts within a community to identify resources to match against Tasks and KSAs
  – This would also identify gaps
• We could either host the material on our website or assist with the community hosting it on theirs
  – Initially we think a wiki format might be best

Benefits

• If we can identify what resources will be required to meet specific Tasks and KSAs at various levels, it will also assist with
  – Management of professional development for staff
  – Better inform Human Resources in recruiting
  – Inform new recruits what the expectations are for role/position within a team

Long Term

• It is not sufficient to just have resources and a plan

• Assessments of the resources (4) will be required before we have a complete solution for CSIRTs

OVERVIEW OF NICE

NICE Framework -1

• Generic Outline
  – Framework Category
    • Specialty Area
      – Tasks
      – KSAs (Knowledge, Skills, and Abilities)
• Example
  – Protect and Defend
    • Incident Response
      – 16 Tasks
      – 26 KSAs

NICE Framework - Categories

• There are seven framework categories
  – Securely Provision (SP)
  – Operate and Maintain (OM)
  – Protect and Defend (PD)
  – Investigate (IN)
  – Operate and Collect (OC)
  – Analyze (AN)
  – Support (S)

NICE Framework - Specialty Areas

There are a total of 31 Specialty Areas

• SP: Information Assurance Compliance
• SP: Software Engineering
• SP: Enterprise Architecture
• SP: Technology Demonstration
• SP: Systems Requirements Planning
• SP: Test and Evaluation
• SP: Systems Development
• OM: Data Administration
• OM: Info Systems Security Management
• OM: Knowledge Management
• OM: Customer Service and Technical Support
• OM: Network Services
• OM: System Administration
• OM: System Security Analysis
• PD: Computer Network Defense
• PD: Incident Response
• PD: Computer Network Defense Infrastructure Support
• PD: Security Program Management
• PD: Vulnerability Assessment and Management
• IN: Digital Forensics
• IN: Investigation
• OC: Collection Operations
• OC: Cyber Operations Planning
• OC: Cyber Operations
• AN: Cyber Threat Analysis
• AN: Exploitation Analysis
• AN: All Source Intelligence
• AN: Targets
• S: Legal Advice and Advocacy
• S: Strategic Planning and Policy Development
• S: Education and Training

Similar Initiatives

• Matrix: NICE specific specialty areas to training/classes

• Training Plans: Interview teams to create generic training plans for the CSIRT community

Initiative: Matrix

• We would like to create a Matrix that would identify by NICE framework specialty areas what training courses or college classes (language unspecific) meet the Tasks and/or KSAs

• An example of a similar project done by SANS can be found at (pg 2): www.sans.org/critical-security-controls/winter-2012-poster.pdf

Initiative: Matrix cont.

• For a pilot we will be working with the FIRST Education and Training Committee
  – We are looking for a few more experts to join the effort
• Our initial area of focus will be the Protect and Defend framework category
  – We would further subdivide each specialty area into Junior / Intermediate / Senior
• Instead of freely available resources we will take a different look to address step (3)
  – Training Classes
  – College Classes (to include freely available online)

Initiative: Training Plans

• Use the resource from the 2 previous Pilots
• Interview CSIRTs with existing training plans
• Develop templates and resources to assist CSIRT managers in creating and managing training within their organization