Cyber Incident Responder
The NICE Workforce Framework defines the Cyber Defense Incident Responder role as someone who:
"Investigates, analyzes, and responds to cyber incidents within the network environment or enclave."
This role may also be referred to as an 'Incident Responder', a 'Cyber Incident Responder', an 'Incident Response Analyst' or an 'Incident Response Consultant'.
What is Incident Response?
Cybersecurity incidents occur when an organisation's IT policies are violated. Incidents can be caused by an external attacker exploiting vulnerabilities in systems remotely, an unwitting employee opening a malicious email attachment or a disgruntled insider destroying data on their last day of employment.
Incident response teams are responsible for dealing with cybersecurity incidents. They operate across the entire Incident Response Life Cycle (defined in NIST's Computer Security Incident Handling Guide):
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
Some incident responders will operate across all parts of the lifecycle, whilst others will choose to specialise in certain areas. Some activities, particularly containment, eradication and recovery, will require close working with other teams (such as the IT department).
What does an incident responder do?
Although some large organisations, such as financial institutions, may have internal incident response teams, most victims of significant cyber incidents will call in a third-party provider who specialises in incident response. An incident responder will be responsible for the process outlined above.
First, incident responders will seek to understand the attack, using logging and tools such as Endpoint Detection and Response (EDR) agents to determine which systems may have been compromised. Responders must combine observations with analysis and cyber threat intelligence to better understand the nature of the attack. For example, is this a cybercrime group using ransomware to extort a victim, or is it more likely an advanced persistent threat (APT) conducting espionage?
Once the attack is understood, responders will work with the victim organisation to develop a strategy for containing the attackers so that they can't do further damage (for example, by isolating parts of the network). Once the attack is contained, all traces of the attacker must be eradicated (for example, by deleting any malicious files and resetting compromised credentials) before finally working to recover the systems back to full operational capability.
Finally, incident responders will be involved in post-incident reporting and lessons learned. Typically this process will capture the extent of the attack, the remediation activities performed, how to avoid similar compromises in the future, and any lessons learned about the incident response processes used.
Typical Incident Responder Job Requirements
Different cyber incident response roles will have different focuses. For example, some positions may focus on endpoint (also known as host-based) response whilst others specialise in network detection and response. However, some key skills and areas of knowledge that may be required are:
- Knowledge and understanding of the incident response lifecycle.
- Understanding of logging sources and how to apply detection criteria to them.
- Awareness of cyber threats and the threat actors that perpetrate them.
- Knowledge of different operating systems (Mac, Linux, Windows).
- Experience working with the different layers of the TCP/IP protocol stack.
- Awareness of the MITRE ATT&CK framework and the use of cyber threat intelligence.
- Experience using a SIEM (Security Information and Event Management) platform (such as Splunk or the Elastic Stack).
- Host or network-based forensics skills.
- Proficiency with one or more scripting languages (such as Python or PowerShell).
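The detection and analysis phase described above, and the skills of applying detection criteria to logging sources and scripting in Python, come together in small triage tools like the one below. This is an added illustration written for this page, not code from the NICE framework, NIST or any employer: it parses constructed OpenSSH-style authentication log lines (the sample data, hostnames and IP addresses are made up), applies a simple brute-force detection rule (a chosen threshold of five failed logins from one source within five minutes), notes whether a later successful login from the same source followed, and tags the finding with the corresponding MITRE ATT&CK technique so it can be handed to the rest of the response team.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log. Not real data:
# hostnames, usernames and addresses are invented for this example.
SAMPLE_LOG = """\
Jan 12 03:14:01 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.42 port 51022 ssh2
Jan 12 03:14:03 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.42 port 51023 ssh2
Jan 12 03:14:05 web01 sshd[2031]: Failed password for root from 203.0.113.42 port 51024 ssh2
Jan 12 03:14:08 web01 sshd[2031]: Failed password for root from 203.0.113.42 port 51025 ssh2
Jan 12 03:14:11 web01 sshd[2031]: Failed password for root from 203.0.113.42 port 51026 ssh2
Jan 12 03:14:15 web01 sshd[2040]: Accepted password for root from 203.0.113.42 port 51027 ssh2
Jan 12 03:20:44 web01 sshd[2101]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 03:21:02 web01 sshd[2102]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Assumed log layout: syslog timestamp, host, sshd[pid], then an OpenSSH auth message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text, year=2024):
    """Turn raw log text into a list of authentication events (dicts).

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    Lines that are not login outcomes (session opened, disconnects, ...) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Detection criterion: >= threshold failed logins from one source within window.

    A later successful login from the same source raises the severity, because
    it means the password guessing may have worked and the account needs
    containment (credential reset, session termination) rather than just monitoring.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        # Slide a time window over the failures from this source.
        for i in range(len(failures)):
            window_end = failures[i]["ts"] + window
            burst = [f for f in failures[i:] if f["ts"] <= window_end]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            success = next((e for e in evs if e["outcome"] == "Accepted" and e["ts"] > last_fail), None)
            findings.append({
                "src": src,
                "host": burst[0]["host"],
                "failures": len(burst),
                "first_seen": burst[0]["ts"],
                "users": sorted({f["user"] for f in burst}),
                "followed_by_success": success is not None,
                "success_user": success["user"] if success else None,
                "attack_technique": "T1110 Brute Force",   # MITRE ATT&CK technique ID
                "severity": "high" if success else "medium",
            })
            break  # one finding per source is enough for initial triage
    return findings


def triage_report(findings):
    """Render findings as one line each, ready to paste into an incident ticket."""
    lines = []
    for f in findings:
        lines.append(
            f"[{f['severity'].upper()}] {f['attack_technique']}: {f['failures']} failed logins "
            f"from {f['src']} against {f['host']} (users: {', '.join(f['users'])}), "
            f"first seen {f['first_seen']:%Y-%m-%d %H:%M:%S}, "
            + (f"followed by successful login as {f['success_user']}" if f["followed_by_success"]
               else "no subsequent success seen")
        )
    return lines


if __name__ == "__main__":
    for line in triage_report(detect_brute_force(parse_auth_log(SAMPLE_LOG))):
        print(line)
```

Run as-is, the script reports a single high-severity finding for the 203.0.113.42 source, because five failures were followed by an accepted login as root; the lone failure from 198.51.100.7 stays below the threshold. In a real engagement the same shape of rule would be expressed as a SIEM query, with the threshold and window tuned to the environment, and a "followed by success" hit is the cue to move from analysis into containment.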
Incident Response Certifications
There is no single certification required to work in incident response; however, the following may be relevant.
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Network Forensic Analyst (GNFA)
- CREST Practitioner Intrusion Analyst
- CREST Registered Intrusion Analyst
Incident Response Employers
There are several different types of organisations that employ incident response professionals:
- Dedicated incident response companies that offer incident response (IR) as a primary service.
- More general Managed Service Providers who offer IR to their clients alongside their other services.
- Large companies with their own dedicated in-house IR teams.
How to become an Incident Responder
There are many routes to becoming an incident responder, and people may transition from another role such as a Security Operations Centre (SOC) analyst, systems administrator or network engineer. The following list breaks down some of the core competencies you will need to develop if you wish to pursue a career in incident response.
- Computer operating system foundations - for Windows and ideally at least one of macOS and Linux.
- Computer networking foundations - understanding of TCP/IP and experience using tools such as Wireshark to analyse network traffic.
- Learn how to automate basic tasks with Python or another scripting language.
- Develop an understanding of the cyber threat landscape, cyber threat intelligence and the MITRE ATT&CK Framework.
- Get familiar working with a SIEM, such as the Elastic Stack or Splunk.
- Consider specialising further in host-based or network-based forensics.