Incident responders have a daunting responsibility. They must comprehensively understand the hardware, software, operating systems, networks, access permissions, etc. deployed in their employer’s IT ecosystem — plus the technologies and processes used to protect them and potential attack methods used to exploit them. With the vastness of most organizations’ ecosystems, ephemerality of many assets, and in-flux nature of today’s working environment, incident responders must possess a plethora of technical skills to master their craft. However, technical mastery is far from the only requirement to achieve excellence in this challenging role.
When an incident occurs, incident response (IR) teams must determine:
- What systems, assets, data, networks, etc. are used in the organization’s daily operation?
- How are systems and software configured?
- Who's accessing them? Has unauthorized access occurred?
- What security controls were in place and how were they defeated?
- What known vulnerabilities may have contributed to the event/incident?
- What are the attack paths that could have allowed an attacker to penetrate the environment?
- What damage did they cause? Are any backdoors still open?
- What technical controls can be used to eradicate the threat and reduce vulnerabilities and risks for the future?
These tasks already require an enormous amount of information and skill — but good incident responders can’t simply produce technical details and call it a day. IR serves the business — they help identify and eradicate cyber threats, which allows the business to resume normal operations as soon as possible — and must therefore connect what is happening or has happened to business outcomes. It’s therefore incumbent upon IR staff to understand business goals and needs, and tie technical details to them.
IR is a high burnout job, possibly in part because incident responders aren’t always equipped with the right skills. Below are the top six key skills for incident response staff to have or invest in for future excellence.
Essential Business Skills
1. Communication: As cybersecurity has grown from a technical role to a strategic one, the industry has seen the importance of effective communication on individual careers and business outcomes. Incident responders have the added pressure of needing to communicate when circumstances are at their worst — when the organization is victim of a cyberattack.
For a standout career in IR, approach communication skills just like technical skills. Take courses, read books, listen to podcasts, ask for advice, and practice becoming a better communicator.
Learn how to communicate with different types of people and understand the right level of detail to communicate. Ensure your communication — both written and verbal — relays accurate information. Learn to distinguish facts from fears when discussing an incident and its potential impacts. Be proficient at adapting communication details and styles for internal versus external audiences appropriately. Make certain you have the most up-to-date information at the time you are presenting it. And last but not least, learn how to maintain a level of diplomacy in high-stress situations.
2. Collaboration: IR staff must work with team members — security, IT, and business, internal and external — to share workloads and information. They must complement each other’s skill sets and step in where and when necessary. This requires the capacity to navigate potentially conflicting goals (e.g., IT’s need for availability versus cybersecurity’s need for confidentiality) and work together toward an outcome that serves the business (i.e., not grinding the business to a halt while investigating an incident) while ensuring thoroughness.
3. Problem Solving and Persistence: Without the ability and desire to persistently solve problems and think creatively about incidents and the attackers who commit them, an incident responder is unlikely to become top of their field. As such, problem solving and persistence should be applied to the recommendations above as well as serve as a standalone category.
Essential Technical Skills
4. Investigation/Analysis: Needless to say, incident responders must be highly skilled at investigating and analyzing incidents. Important questions they need to be able to answer using their business savvy and technical mastery include: What has been compromised? How? What tactics, techniques, and procedures (TTPs) were used? What is the potential damage to affected assets and the business?
They need to understand, have baselines for, and be able to remediate problematic network protocols, applications, and services, plus, security issues, host-level issues (OS, configurations, system privileges), and patching processes. Additionally, file/log analysis, understanding of how malicious code works, and drawing correlation between known and unknown TTPs to accurately assess the severity of an incident are of utmost importance.
Investigation and analyses must be fact-finding missions, not assumption-based assertions. So, incident responders must have the technical proficiency, analytical skills, and the right technologies that will help accurately and comprehensively identify evidence.
Further, the following may prove useful during investigations:
- Malware analysis and reverse engineering: IR teams must understand how malware works and may benefit from competency with malware detection tools, SCA tools, and intrusion detection systems.
- Programming: Becoming fluent in the major programming languages will allow incident responders to move quickly and efficiently find the “needles in the haystack,” and reduce reliance on outside teams during a major incident.
- Pen testing techniques: Looking at assets and the attack methods used to compromise them from an attacker’s perspective will provide a deeper understanding of how and why an attack was perpetrated.
5. Forensics: While some organizations employ or contract with dedicated forensic experts, incident responders will benefit greatly from some ability to find artifacts, identify intruder techniques, and determine the root causes of an incident. Questions like Which downstream systems/users have been impacted? Who is involved? What assets are involved? How did the attack happen? Will a system vulnerability allow it to happen again? What was the timeline of the attack? will help IR teams determine the effect and scope of a cyberattack.
6. Monitoring: Be a master of monitoring — systems, usage, and behavior — before an incident begins. Incident responders must determine, understand, and constantly adjust baselines (i.e., “normal”) to identify abnormalities and investigate incidents. Failure to continuously monitor for security control gaps and vulnerabilities prior to an incident could turn catastrophic during an incident. Therefore, IR teams should work with IT and security staff to deploy the right tools and ensure they are functioning as intended at all times.
Want to learn how Axonius can help accelerate incident response investigations? Watch the video now.