Resources to Support Training Programs for CSIRTs

Problem There is a long trend which shows CSIRTs are having a problem training their staff A recent survey* by Jeff Yuetter had two interesting results – Staff expertise or availability is a very challenging problem to 49% of teams (51 responded) – 54% of the teams do not have a formal training or mentoring program in place (56 responded) Similar findings were reported by – CERT/CC in 2009 – CERT/CC in 2003 * update d version of CSIRT State of the Practice independently carried out by Jeff in Fall 2011

Causes We assume that there will be multiple causes for this issue. We will primarily focus on: – Lack of identified resources to compose a comprehensive training plan – Lack of knowledge on how to prepare and execute a training plan Thus, we believe the major issues are related to building and executing Training Plans

Major Steps to Creating a Training Plan (1) Identify all of the topics required (2) Create a check-list that summarizes all the training topics (3) Identify the resources (4) Develop a procedure for evaluation and correction (to include assessment materials)

A Relook at Causes We assume that there will be multiple causes for this issue. We will primarily focus on: – Lack of identified resources to compose a comprehensive training plan This is step (3) in Creating a Training Plan – Lack of knowledge on how to prepare and execute a training plan This is part of step (4) in Creating a Training Plan This means the major issues are related to executing Training Plans

What has been done What about steps (1) and (2)? The (U.S.) National Initiative for Cybersecurity Education (NICE) has a framework – – Nice addresses steps (1) and (2)

What Can We do We are proposing that a pilot could focus on Incident Responders. In NICE this is – Protect and Defend: Incident Response: Tasks and KSAs (pgs 70-73) Cybersecurity-Workforce-Framework-printable.pdf Cybersecurity-Workforce-Framework-printable.pdf We could identify and document the resources for the tasks and KSAs [step (3)]

The Pilot Pilot: An attempt to address step (3) Identify resources for NICE specialty areas tasks/KSAs – Focus on specialty area - Incident Responders Protect and Defend: Incident Response: Tasks and KSAs (pgs 70-73) We believe this material is part of the missing information needed by CSIRT managers to develop a training plan

Pilot Work with 6 to 7 domain experts within a community to identify resources to match against Tasks and KSAs – This would also identify gaps We could either host the material on our website or assist with the community hosting it on theirs – Initially we think a wiki format might be best

Benefits If we can identify what resources will be required to meet specific Tasks and KSAs at various levels, it will also assist with – Management of professional development for staff – Better inform Human Resources in recruiting – Inform new recruits what the expectations are for role/position within a team

Long Term It is not sufficient to just have resources and a plan Assessments of the resources(4) will be required before we have a complete solution for CSIRTs

OVERVIEW OF NICE

NICE Framework -1 Generic Outline – Framework Category Specialty Area – Tasks – KSAs (Knowledge, Skills, and Abilities) Example – Protect and Defend Incident Response – 16 Tasks – 26 KSAs

NICE Framework - Categories There are seven framework categories – Securely Provision (SP) – Operate and Maintain (OM) – Protect and Defend (PD) – Investigate (IN) – Operate and Collect (OC) – Analyze (AN) – Support (S)

NICE Framework - Specialty Areas There are a total of 31 Specialty Areas SP: Information Assurance CompliancePD: Computer network Defense Infrastructure Support SP: Software EngineeringPD: Security Program Management SP: Enterprise ArchitecturePD: Vulnerability Assessment and Management SP: Technology DemonstrationIN: Digital Forensics SP: Systems Requirements PlanningIN: Investigation SP: Test and EvaluationOC: Collection Operations SP: Systems DevelopmentOC: Cyber Operations Planning OM: Data AdministrationOC: Cyber Operations OM: Info Systems Security ManagementAN: Cyber Threat Analysis OM: Knowledge ManagementAN: Exploitation Analysis OM: Customer Service and Technical SupportAN: All Source Intelligence OM: Network ServicesAN: Targets OM: System AdministrationS: Legal Advice and Advocacy OM: System Security AnalysisS: Strategic Planning and Policy Development PD: Computer Network DefenseS: Education and Training PD: Incident Response

Similar Initiatives

Matrix: NICE specific specialty areas to training/classes Training Plans: Interview teams to create generic training plans for the CSIRT community

Initiative: Matrix We would like to create a Matrix that would identify by NICE framework specialty areas what training courses or college classes (language unspecific) meet the Tasks and/or KSAs An example of a similar project done by SANS can be found at (pg 2): security-controls/winter-2012-poster.pdfwww.sans.org/critical- security-controls/winter-2012-poster.pdf

Initiative: Matrix cont. For a pilot we will be working with the FIRST Education and Training Committee – We are looking for a few more experts to join the effort Our initial area of focus will be the Protect and Defend framework category – We would further subdivide each specialty area into Junior / Intermediate / Senior Instead of freely available resources we will take a different look to address step (3) – Training Classes – College Classes (to include freely available online)

Initiative: Training Plans Use the resource from the 2 previous Pilots Interview CSIRTs with existing training plans Develop templates and resources to assist CSIRT managers in creating and managing training within their organization