One of our most popular blog posts covers the skills and qualifications required to be a successful penetration tester, so we decided to follow up with a similar post outlining the skills and qualifications incident response professionals need.
It’s a commonly known fact that cyber security is a growing industry and organizations are always looking for new talent. Incident response (IR) positions are in high demand, but they tend to be harder to fill than some other cyber security positions. When we’re hiring for incident response professionals, we’re looking for someone familiar with common IR processes, some level of computer forensic skills, and experience in cloud security and analytics.
Learn the Incident Response Life Cycle
This should go without saying, but if you’re interested in becoming an IR analyst or handler you need to be very familiar with the IR life cycle. You shouldn’t plan to just do the forensics and dump a technical report on someone’s desk.
When we assist our clients with an IR engagement, we not only help with the forensics to determine initial attack vector, we’re also there to help provide guidance on containment, eradication, and recovery of that incident. Good incident response professionals translate findings from their forensic investigation into recommendations for the next steps of the IR life cycle.
Our incident response team helps clients resolve issues 24×7 in their network and cloud environments, including AWS, Office 365, and Azure.
Know Your Forensic Artifacts
The term “forensic artifacts” is vague, but essentially it refers to all of the small digital “breadcrumbs” left behind any time anyone does something on a system or network. You’ll be analyzing a wide range of systems and artifact types, like RAM, network traffic, and many different log sources. If you’re looking for an IR job in-house within a specific company, learn as much as you can during the interview process, or as you’re researching the company, about their operating systems, logging capabilities, and other potential sources of evidence specific to their network.
If you’re planning to be a consultant, whether for a security company or as an independent contractor, you should develop an understanding of where to find logs and other artifacts on different operating systems. You should be familiar enough with general network devices to be able to ask for logs that may be stored on them. Be prepared to be flexible. The logs and resources you have access to, and the tools you can use, can vary widely from customer to customer. No one is a master of all operating systems or applications, but every incident response professional should be familiar with the common artifacts, like the Master File Table (MFT) and event logs.
Understand Your Attacker’s Favorite Tactics
If you’ve never done a technical interview for an incident response position before, I can promise you, you’ll get at least one, if not more, questions related to common attack tactics. These questions tend to be somewhat broad. For example, you might be asked about common methods of lateral movement in a Windows environment or how an attacker might steal passwords from a device.
This kind of knowledge helps responders focus their investigation more effectively. Keeping up with current attacks and threat actor methods can also help you generate recommendations for containment and recovery actions. One way to do this is by reading blogs like this one. You can also find blog posts from hundreds of other vendors every day on the Security Bloggers Network, or sign up for their RSS feed.
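The two sections above come together in practice when a responder pulls Windows Security event logs (one of the artifact sources mentioned earlier) and looks for the lateral-movement pattern an interviewer would ask about: one account, from one source address, logging on to many hosts over the network in a short window. The script below is an added example written for this post, not code from the original article or its authors. It operates on a constructed sample set of event records whose field names mirror the real 4624 event (Logon Type, account, source IP), and it flags an account once its network logons fan out across `min_hosts` distinct machines within `window`; the threshold values and the `find_fan_out` helper are assumptions for the example, not an established standard.

```python
"""Triage helper: flag accounts whose successful network logons
(Windows Security Event ID 4624, Logon Type 3) fan out to many hosts
within a short time window, a common first sign of lateral movement.

The records below are constructed for this example. Each tuple is
(timestamp, destination host, EventID, LogonType, account, source IP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "FS01",  4624, 3, "CORP\\jdoe",       "10.0.1.25"),
    ("2024-03-01T09:00:41", "HR02",  4624, 3, "CORP\\jdoe",       "10.0.1.25"),
    ("2024-03-01T09:01:12", "DC01",  4624, 3, "CORP\\jdoe",       "10.0.1.25"),
    ("2024-03-01T09:01:50", "WEB03", 4624, 3, "CORP\\jdoe",       "10.0.1.25"),
    ("2024-03-01T09:02:07", "SQL01", 4624, 3, "CORP\\jdoe",       "10.0.1.25"),
    ("2024-03-01T09:05:00", "FS01",  4624, 3, "CORP\\svc_backup", "10.0.2.10"),
    ("2024-03-01T10:15:00", "FS01",  4624, 2, "CORP\\asmith",     "-"),          # interactive logon, ignored
    ("2024-03-01T11:00:00", "HR02",  4625, 3, "CORP\\asmith",     "10.0.1.77"),  # failed logon, ignored here
]


def parse_event(record):
    """Turn one raw tuple into a dict with a real datetime for sorting."""
    ts, host, event_id, logon_type, account, src_ip = record
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account,
        "src_ip": src_ip,
    }


def network_logons(records):
    """Keep only successful network logons (4624 / type 3).

    Interactive logons (type 2) and failures (4625) matter for other
    questions, such as brute-force triage, and are left out of this check.
    """
    return [
        e for e in map(parse_event, records)
        if e["event_id"] == 4624 and e["logon_type"] == 3
    ]


def find_fan_out(records, window=timedelta(minutes=5), min_hosts=4):
    """Return {account: finding} for every (account, source IP) pair whose
    network logons reach at least `min_hosts` distinct hosts inside `window`.

    A sliding window starting at each logon is enough here; the event
    list per actor is small after filtering to type-3 successes.
    """
    by_actor = defaultdict(list)
    for e in network_logons(records):
        by_actor[(e["account"], e["src_ip"])].append(e)

    findings = {}
    for (account, src_ip), events in by_actor.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):
            hosts = set()
            last = start
            for e in events[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["host"])
                last = e
            if len(hosts) >= min_hosts:
                findings[account] = {
                    "src_ip": src_ip,
                    "hosts": sorted(hosts),
                    "first": start["time"].isoformat(),
                    "last": last["time"].isoformat(),
                }
                break  # one finding per actor is enough for a timeline lead
    return findings


if __name__ == "__main__":
    for account, f in find_fan_out(SAMPLE_EVENTS).items():
        print(f"{account} from {f['src_ip']} reached {len(f['hosts'])} hosts "
              f"between {f['first']} and {f['last']}: {', '.join(f['hosts'])}")
```

The output is a starting point for the timeline, not a verdict: the next step is to check whether the flagged account should be reaching those hosts at all (a backup or scanning service account often will), then pivot to the source host's own artifacts for the process that initiated the connections. On real data, the tuples would come from exported event log records rather than the constructed list above.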
Become a Google Ninja
There is no possible way to know every attack method or evidence source. This is especially true for consultants, who have customers with extremely diverse networks. You should be a self-starter when it comes to researching threat actors, attack techniques, or familiarizing yourself with new software or log sources. Everyone (even senior incident handlers) is forced to check with all-knowing Google on some investigations. If you’re not already a search engine expert, make it a priority to beef up your search skills.
Develop Your Communication Skills
Communication skills are lower on this list, but they are just as important as (and in some cases, more important than) some of the skills above. Incident response professionals, especially consultants, step in to help after something has gone horribly wrong. People are stressed out and emotions tend to be running high, so incident response professionals, especially team leads, need to be the calm in the storm for the customer.
You also need to be able to translate the technical details into action items for the organization and provide clear guidance throughout the process. If you’re not comfortable directly engaging with customers, make sure to communicate that to your IR team. Don’t expect to use that excuse to get out of helping with the final report, though.
Get Your Certifications
As with any technical position, certifications help you stand out, but they don’t guarantee you the job. It’s more important for a candidate to be able to articulate answers to the technical questions than it is for them to have every IR-related certification available. The certifications that stand out the most to us are AWS Certified Cloud Practitioner and the SANS IR and Forensics certifications, but other tool-specific certifications like EnCase are also beneficial.
The number of position openings for incident response professionals will likely continue to grow along with the cyber security industry. So, if you’re looking to make a career move to become an incident response professional, remember to keep these things in mind:
- Become familiar with the incident response life cycle
- Develop your computer forensic skills
- Brush up on your cloud analytic skills
- If you’re applying for a position with a specific company, get to know the operating systems they use and their logging capabilities
- Do your research on threat actors and attack techniques
- Get certified!