Resources to Support Training Programs for CSIRTs
Jan 12, 2016
Problem
• There is a long trend which shows CSIRTs are having a problem training their staff
• A recent survey* by Jeff Yuetter had two interesting results
  – Staff expertise or availability is a very challenging problem to 49% of teams (51 responded)
  – 54% of the teams do not have a formal training or mentoring program in place (56 responded)
• Similar findings were reported by
  – CERT/CC in 2009
  – CERT/CC in 2003
* updated version of CSIRT State of the Practice independently carried out by Jeff in Fall 2011
Causes
• We assume that there will be multiple causes for this issue. We will primarily focus on:
  – Lack of identified resources to compose a comprehensive training plan
  – Lack of knowledge on how to prepare and execute a training plan
• Thus, we believe the major issues are related to building and executing Training Plans
Major Steps to Creating a Training Plan
• (1) Identify all of the topics required
• (2) Create a check-list that summarizes all the training topics
• (3) Identify the resources
• (4) Develop a procedure for evaluation and correction (to include assessment materials)
A Relook at Causes
• We assume that there will be multiple causes for this issue. We will primarily focus on:
  – Lack of identified resources to compose a comprehensive training plan
    • This is step (3) in Creating a Training Plan
  – Lack of knowledge on how to prepare and execute a training plan
    • This is part of step (4) in Creating a Training Plan
• This means the major issues are related to executing Training Plans
What has been done
• What about steps (1) and (2)?
• The (U.S.) National Initiative for Cybersecurity Education (NICE) has a framework
  – http://csrc.nist.gov/nice/framework/
  – NICE addresses steps (1) and (2)
What Can We Do
• We are proposing that a pilot could focus on Incident Responders. In NICE this is
  – Protect and Defend: Incident Response: Tasks and KSAs (pgs 70-73)
  • http://csrc.nist.gov/nice/framework/documents/NICE-Cybersecurity-Workforce-Framework-printable.pdf
• We could identify and document the resources for the tasks and KSAs [step (3)]
The Pilot
• Pilot: An attempt to address step (3)
• Identify resources for NICE specialty area tasks/KSAs
  – Focus on specialty area: Incident Responders
  • Protect and Defend: Incident Response: Tasks and KSAs (pgs 70-73)
• We believe this material is part of the missing information needed by CSIRT managers to develop a training plan
Pilot
• Work with 6 to 7 domain experts within a community to identify resources to match against Tasks and KSAs
  – This would also identify gaps
• We could either host the material on our website or assist with the community hosting it on theirs
  – Initially we think a wiki format might be best
Benefits
• If we can identify what resources will be required to meet specific Tasks and KSAs at various levels, it will also assist with
  – Management of professional development for staff
  – Better informing Human Resources in recruiting
  – Informing new recruits what the expectations are for a role/position within a team
Long Term
• It is not sufficient to just have resources and a plan
• Assessments of the resources [step (4)] will be required before we have a complete solution for CSIRTs
OVERVIEW OF NICE
NICE Framework - 1
• Generic Outline
  – Framework Category
    • Specialty Area
      – Tasks
      – KSAs (Knowledge, Skills, and Abilities)
• Example
  – Protect and Defend
    • Incident Response
      – 16 Tasks
      – 26 KSAs
NICE Framework - Categories
• There are seven framework categories
  – Securely Provision (SP)
  – Operate and Maintain (OM)
  – Protect and Defend (PD)
  – Investigate (IN)
  – Operate and Collect (OC)
  – Analyze (AN)
  – Support (S)
NICE Framework - Specialty Areas
There are a total of 31 Specialty Areas, listed here by framework category:
• SP: Information Assurance Compliance
• SP: Software Engineering
• SP: Enterprise Architecture
• SP: Technology Demonstration
• SP: Systems Requirements Planning
• SP: Test and Evaluation
• SP: Systems Development
• OM: Data Administration
• OM: Info Systems Security Management
• OM: Knowledge Management
• OM: Customer Service and Technical Support
• OM: Network Services
• OM: System Administration
• OM: System Security Analysis
• PD: Computer Network Defense
• PD: Incident Response
• PD: Computer Network Defense Infrastructure Support
• PD: Security Program Management
• PD: Vulnerability Assessment and Management
• IN: Digital Forensics
• IN: Investigation
• OC: Collection Operations
• OC: Cyber Operations Planning
• OC: Cyber Operations
• AN: Cyber Threat Analysis
• AN: Exploitation Analysis
• AN: All Source Intelligence
• AN: Targets
• S: Legal Advice and Advocacy
• S: Strategic Planning and Policy Development
• S: Education and Training
Similar Initiatives
• Matrix: NICE specific specialty areas to training/classes
• Training Plans: Interview teams to create generic training plans for the CSIRT community
Initiative: Matrix
• We would like to create a Matrix that would identify, by NICE framework specialty area, which training courses or college classes (language unspecific) meet the Tasks and/or KSAs
• An example of a similar project done by SANS can be found at (pg 2): www.sans.org/critical-security-controls/winter-2012-poster.pdf
Initiative: Matrix cont.
• For a pilot we will be working with the FIRST Education and Training Committee
  – We are looking for a few more experts to join the effort
• Our initial area of focus will be the Protect and Defend framework category
  – We would further subdivide each specialty area into Junior / Intermediate / Senior
• Instead of freely available resources we will take a different look to address step (3)
  – Training Classes
  – College Classes (to include freely available online)
Initiative: Training Plans
• Use the resources from the 2 previous Pilots
• Interview CSIRTs with existing training plans
• Develop templates and resources to assist CSIRT managers in creating and managing training within their organization