CSIRT: The last line of defence for digital resilience  

The Computer Security Incident Response Team (CSIRT) plays a pivotal role in managing critical security incidents and strengthening digital resilience. But how does a CSIRT function, and is it truly only deployed during cyberattacks? 

December 2025. Text: Theophane Ngne Djoua. Image: Swisscom.

In a world where connectivity is ubiquitous and cyberattacks are becoming increasingly sophisticated – amplified by the use of Artificial Intelligence – merely implementing preventive measures is no longer sufficient. Today, even the largest organizations are at risk. The question is no longer if an attack will occur, but when – and how well prepared you are. 

This is precisely where the CSIRT (Computer Security Incident Response Team) comes into play. Often referred to as the “IT fire department”, it is a central building block of a company's digital resilience. Working closely with the SOC (Security Operations Center), the CSIRT forms the last human and technical line of defence, mobilized during the most critical security incidents. 

What does a CSIRT do? 

The CSIRT is a specialized team for handling IT security incidents. While the SOC acts as a control centre, monitoring infrastructure around the clock, detecting threats, and neutralizing them automatically, the CSIRT intervenes when attacks overcome standard defences or require in-depth analysis and expert intervention. 

How does an incident begin? 

An incident usually starts with an alert from the SOC, which uses platforms like SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation and Response) to collect, correlate, and analyse suspicious signals. The goal is to filter billions of log entries from various systems and identify unusual or malicious activities. If, for example, a complex attack is detected – such as malware in a suspicious document – the SOC escalates the incident to the CSIRT specialists. 

The six phases of incident response 

The CSIRT's work follows a globally recognized standard process based on a SANS Institute model, ensuring structured and rigorous crisis management: 

  1. Preparation: Define roles and processes, provide tools (forensics, isolation), and raise employee awareness. 
  2. Identification: Confirm the incident, assess scope and criticality; handover from SOC to CSIRT. 
  3. Containment: Rapid isolation of affected systems (network separation, account suspension, segmentation) to limit spread and damage. 
  4. Eradication: Removal of the root cause (malware, backdoors, compromised accounts). 
  5. Recovery: Restoration of systems after threat elimination and integrity verification. 
  6. Lessons Learned: Post-incident analysis to optimize processes and strengthen the security strategy. 

Analysis and trace investigation 

Upon receiving an incident, the CSIRT analyst must act quickly to limit damage – isolate compromised devices, suspend affected accounts, etc. But the work doesn't end there: it's crucial to identify Indicators of Compromise (IoCs) to uncover the attacker's trail and ensure no backdoors remain. This involves analysing logs, network data, and suspicious files. Knowledge of attackers' TTPs (Tactics, Techniques and Procedures) provides a framework for the investigation and facilitates the detection of complex incidents. Every incident is a puzzle that must be solved under time pressure – with the utmost precision. 
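To make the log-analysis step concrete, here is an added Python example (not Swisscom's code or tooling): it scans a few constructed log lines for candidate indicators, matches them against a constructed IoC watchlist, and groups the hits per host so the analyst can see which systems fall into the containment scope. All hostnames, indicators and the log format are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed IoC watchlist (placeholder values, not real indicators):
# a fake SHA-256, a .test domain and an IP from the documentation range.
IOC_WATCHLIST = {
    "sha256": {"deadbeef" * 8},
    "domain": {"updates.example-malicious.test"},
    "ip": {"203.0.113.45"},
}

# Regexes that pull candidate indicators out of free-text log lines.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
HOST_RX = re.compile(r"\bhost=([\w-]+)")

# Constructed key=value log lines, as an EDR/SIEM export might look.
LOG_LINES = [
    "2025-12-01T08:02:11Z host=ws-042 event=process sha256=" + "deadbeef" * 8
    + " proc=winword.exe child=powershell.exe",
    "2025-12-01T08:02:13Z host=ws-042 event=dns query=updates.example-malicious.test",
    "2025-12-01T08:02:14Z host=ws-042 event=netconn dst=203.0.113.45:443",
    "2025-12-01T08:05:40Z host=srv-db-01 event=netconn dst=203.0.113.45:443",
    "2025-12-01T08:06:02Z host=ws-017 event=dns query=www.example.com",
]


def extract_indicators(line):
    """Return {kind: set(values)} of candidate indicators found in one line."""
    lowered = line.lower()
    return {kind: set(rx.findall(lowered)) for kind, rx in PATTERNS.items()}


def scan_logs(lines, watchlist=IOC_WATCHLIST):
    """Match every line against the watchlist; return {host: {(kind, value)}}."""
    hits = defaultdict(set)
    for line in lines:
        m = HOST_RX.search(line)
        host = m.group(1) if m else "unknown"
        for kind, values in extract_indicators(line).items():
            for value in values & watchlist.get(kind, set()):
                hits[host].add((kind, value))
    return dict(hits)


def containment_scope(hits):
    """Hosts to isolate first: most distinct IoC hits first, then by name."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    found = scan_logs(LOG_LINES)
    for host in containment_scope(found):
        print(host, sorted(found[host]))
```

Hosts with no watchlist hits (ws-017 above) stay out of the result, so the output is the shortlist for the containment phase rather than the full log volume.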

Collaboration and continuous improvement 

The CSIRT works closely with the SOC: the SOC processes alerts and hands over critical incidents to the CSIRT. Additionally, the CSIRT trains SOC analysts, develops new detection use cases, and automates repetitive incident workflows using modern technologies such as EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and SOAR. 

Proactive cyberdefence instead of reactive measures 

The experience gained from such incidents strengthens detection and response capabilities, helps anticipate new attack patterns, and continuously optimizes tools, processes, and training. Proactive prevention and continuous improvement are crucial – as is teamwork. 

The CSIRT: also for prevention 

The role of a CSIRT analyst requires technical expertise, versatility, and rapid responsiveness. A CSIRT not only provides support in containing attacks, restoring systems, and strengthening the security architecture – discreetly and professionally – but also offers preventive services such as assistance with: 

  • Tabletop Exercises (simulations of security incidents); 
  • Compromise Assessments (verification of existing or past compromises). 

These measures raise management awareness, test incident response processes, and uncover hidden threats. They are aimed at SMEs as well as large enterprises and increase the ability to react quickly and effectively to incidents. Because in today's threat landscape, no one is safe from cyberattacks. 

In case of doubt or a confirmed incident: Don't wait if you need support! Contact our CSIRT – available 24/7. We will help you contain the attack, restore security, and guide you through all necessary steps. 

About the author 

Theophane Ngne Djoua is a DFIR Analyst (Digital Forensic and Incident Response) in the CSIRT for B2B customers at Swisscom. 
