As part of our ongoing series highlighting various roles in the cybersecurity industry, this article shines a light on the incident response professional. There are many misconceptions surrounding the role, so let's examine a few frequently asked questions.
How in-demand is this particular role? Why?
Year after year, the story is the same: cybersecurity jobs are among the most in-demand roles in the country. But recent data from Cyberseek, a cybersecurity workforce analytics platform developed in partnership with NIST, Lightcast and CompTIA, demonstrates a significant skills gap.
For the 12-month period ending in September 2022, 769,736 job openings for cybersecurity positions or jobs requiring cybersecurity skills were listed. Employer demand for people with cybersecurity skills increased 2.4 times faster than the overall rate across the U.S. economy.
For incident responders, in particular, a recent search on Indeed lists over 7,600 available jobs.
Were there any recent events in the last few years that made this role more in demand?
A recent IBM X-Force study reported a nearly 25% increase in the number of cybersecurity incidents its IR team engaged on between 2020 and 2021. Check Point Software Technologies' research likewise indicates a 50% increase in overall weekly network attacks in 2021 compared to 2020. Accordingly, the demand for more cybersecurity professionals has grown.
The cybersecurity industry must respond to more prevalent and advanced cyberattacks. However, there are clearly not enough well-trained and skilled security professionals to fill the gap and help with the response.
As a result, many IR teams are forced to take on multiple battlefronts. Not only that, but organizations may also lack the necessary resources to mitigate and recover from attacks. The IBM study reports 68% of incident responders surveyed often had to respond to two or more cybersecurity incidents simultaneously.
What are the basic qualifications needed?
Like any role in cybersecurity, both hard skills and soft skills are required.
For hard skills, incident responders should:
- Have at least a basic understanding of Internet-based application security
- Be familiar with forensics software
- Be comfortable with backup/archiving processes
- Be able to read and write code in the languages encountered during investigations: Python for scripting and automating analysis, SQL for querying logs and databases, and application languages such as Java, PHP and C++ for reviewing suspect code
- Have solid proficiency in computer operating systems such as Linux, UNIX and Windows.
Incident responders should have the following soft skills:
- Quick thinking and confident in making high-pressure decisions
- Willing to adapt during emergency situations
- Excellent problem-solving skills, with the ability to also think logically and rationally
- Strong communication skills.
According to CISA, the core competencies of an incident responder include:
- Business continuity
- Computer forensics
- Computer network defense
- Incident management
- Information systems/network security
- Infrastructure design
- System administration
- Threat analysis
- Vulnerability assessment.
What degrees and/or certifications do incident responders need?
Incident responder jobs typically do not require a bachelor’s degree or post-secondary education. Especially considering the skills gap, there’s a good chance that someone can land a role without significant experience or certifications. Still, technical degrees in computer science or cybersecurity will open the door to many more career options.
It is also likely that a management position will require a post-secondary degree in Information Security or Assurance.
A few common certifications that future incident responders may wish to consider:
- Certified Reverse Engineering Analyst
- Certified Ethical Hacker (CEH)
- GIAC Certified Intrusion Analyst (GCIA)
- Certified Computer Forensics Examiner
- Certified Penetration Tester
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Forensics Analyst (GCFA)
- Certified Computer Examiner.
What are the primary responsibilities of this role?
The role of today's incident responder is not all that different from that of first responders like police officers or firefighters: both are the human first line of defense, containing major threats and attacks and limiting the damage they cause. Before and after major incidents, they must also drive changes that prevent the next attack or reduce its impact.
Here are some typical IR duties:
- Discover errors or vulnerabilities within networks or systems, consistently looking for suspicious activity
- Develop and deploy procedures on how threats are handled and how to relay critical information to key stakeholders
- Collaborate with other security team members
- Run vulnerability assessments, penetration tests, risk analyses and security audits
- Provide robust incident reports to team members, management and key stakeholders.
According to CISA, core tasks for an incident responder include examples such as:
- Collect intrusion artifacts (e.g., source code, malware, trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0278)
- Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents. (T0041)
- Coordinate incident response functions. (T0510)
- Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat conditions and determine which security issues may have an impact on the enterprise. (T0503)
- Perform cyber defense trend analysis and reporting. (T0164)
- Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems. (T0170)
- Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. (T0214)
- Write and publish after-action reviews. (T0395)
- Write and publish cyber defense techniques, guidance and reports on incident findings to appropriate constituencies. (T0246)
Who does this role typically report to?
Incident responders will typically report to a team leader or lead investigator. While the IT or security team usually leads the incident response effort, the incident response team should be in frequent communication with key stakeholders from each major business unit — especially HR and legal teams.
What is a typical day like?
Depending on the organization, the typical day of an IR professional will vary. Some incident responders, particularly in entry-level roles, experience a workday that resembles a cybersecurity help desk. These roles provide valuable exposure to tools and investigations, and they prepare people for more advanced roles and a lucrative cybersecurity career. Other incident responders will be deep in the trenches of detecting, managing and remediating threats. How hectic or relaxed the job is also depends on how proactive the employer is about its cybersecurity posture.
Unless there is a critical threat or attack, an incident responder’s day will typically focus on “pre-boom” tasks, such as:
- Seeking vulnerabilities in code, networks, hosts and other types of infrastructure
- Researching threat actors and their tactics, techniques and procedures
- Reviewing threat intelligence and other industry news
- Tuning detections: measuring true-positive and false-positive rates per alert rule and deduplicating alerts that fire repeatedly for the same activity
- Configuring tools and correlating behaviors
- Performing trend analyses and report writing
- Closing out long-term investigations and review of related forensics.
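As an added example (not code from the original article), the following Python script performs two of the pre-boom tasks listed above over a constructed alert feed: it collapses alerts that fire repeatedly for the same rule, host and indicator within a short window, and it computes a per-rule true-positive rate from the analyst dispositions already recorded. The pipe-delimited format, the field names and the rule names are assumptions made for illustration, not any product's schema.

```python
"""Alert deduplication and per-rule positivity rates over a constructed feed.

Added example, not from the original article. Record layout
(ts|rule|host|indicator|disposition) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts. disposition is the analyst verdict: TP (true
# positive), FP (false positive) or empty when the alert is not yet triaged.
SAMPLE_ALERTS = """\
2023-03-01T08:00:00|Suspicious PowerShell|host-12|encodedcommand|TP
2023-03-01T08:00:05|Suspicious PowerShell|host-12|encodedcommand|TP
2023-03-01T08:02:00|Suspicious PowerShell|host-12|encodedcommand|TP
2023-03-01T09:30:00|Suspicious PowerShell|host-07|encodedcommand|FP
2023-03-01T10:00:00|DNS to newly seen domain|host-03|update.example-cdn.net|FP
2023-03-01T10:00:01|DNS to newly seen domain|host-03|update.example-cdn.net|FP
2023-03-01T11:15:00|DNS to newly seen domain|host-09|bad.example.test|TP
2023-03-01T12:00:00|Port scan|host-01|10.0.0.5|FP
2023-03-01T12:30:00|Port scan|host-01|10.0.0.5|
"""


def parse_alerts(text):
    """Parse pipe-delimited alert lines into dicts, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, host, indicator, disposition = line.split("|")
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "rule": rule,
            "host": host,
            "indicator": indicator,
            "disposition": disposition or None,
        })
    return alerts


def dedupe_alerts(alerts, window=timedelta(minutes=5)):
    """Collapse alerts with the same (rule, host, indicator) that fire within
    `window` of the last kept alert for that key. Each kept alert carries a
    'count' of the raw alerts it represents."""
    kept = []
    last_kept = {}  # key -> index into kept
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"], a["indicator"])
        idx = last_kept.get(key)
        if idx is not None and a["ts"] - kept[idx]["ts"] <= window:
            kept[idx]["count"] += 1
            continue
        kept.append(dict(a, count=1))
        last_kept[key] = len(kept) - 1
    return kept


def positivity_by_rule(alerts):
    """Per-rule true-positive rate over triaged alerts only.
    Returns {rule: (true_positives, triaged_total, rate)}; rate is None when
    nothing for that rule has been triaged yet, so it is not reported as 0%."""
    tp = defaultdict(int)
    triaged = defaultdict(int)
    for a in alerts:
        if a["disposition"] is None:
            continue
        triaged[a["rule"]] += 1
        if a["disposition"] == "TP":
            tp[a["rule"]] += 1
    rules = {a["rule"] for a in alerts}
    return {
        r: (tp[r], triaged[r], (tp[r] / triaged[r]) if triaged[r] else None)
        for r in rules
    }


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_ALERTS)
    unique = dedupe_alerts(raw)
    print(f"{len(raw)} raw alerts -> {len(unique)} after deduplication")
    # Rate the rules on deduplicated alerts so one noisy host does not
    # dominate the statistics for a rule.
    for rule, (t, n, rate) in sorted(positivity_by_rule(unique).items()):
        shown = "untriaged" if rate is None else f"{rate:.0%}"
        print(f"{rule:26s} TP {t}/{n} triaged ({shown})")
```

Two design points worth noting: the positivity rate is computed on the deduplicated alerts so that a single host firing the same rule hundreds of times does not inflate or deflate the rule's score, and the deduplication window is a tuning knob (too wide and a genuinely new occurrence is hidden behind an old one; too narrow and the dashboard stays noisy).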
However, in the event of an obvious attack, panicked call or glaring red flags on the dashboard, life for the incident responder can go from chill to all-systems-go in a heartbeat.
During an incident, the IR professional must be ready to classify the event, spot indicators of compromise, potentially begin forensic collection while meeting chain-of-custody requirements, review logs and devices, and even keep an eye on anything surfacing in the public domain. Pulling cables and disabling systems is not uncommon, but a responder should weigh the containment benefit against the loss of volatile evidence (memory contents, running processes, live network connections) that powering a system off causes; isolating a host from the network usually preserves more than shutting it down.
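As an added example (not code from the original article), the Python script below ties together two of the incident-time tasks just described and the "forensically sound collection" task from the CISA list above: it sweeps a log extract for indicators of compromise, then records what was collected, by whom, when, and the SHA-256 of the evidence so anyone can re-verify it later. The log lines, the indicator list and the custody-record fields are constructed for illustration and are not any organization's template; on a real engagement the same hashing step is applied to the original log file or disk image before any analysis begins.

```python
"""IOC sweep over a log extract plus a chain-of-custody record.

Added example, not from the original article. Log lines, indicators and the
custody-record layout are constructed for illustration.
"""
import hashlib
import re
from datetime import datetime, timezone

# Constructed indicators of compromise: one C2 IP, one domain, one file hash.
IOCS = {
    "ip": {"203.0.113.42"},
    "domain": {"update.bad-example.test"},
    "sha256": {"0123456789abcdef" * 4},
}

# Constructed proxy/EDR/firewall extract: "<ts> <source> <host> <details>".
SAMPLE_LOG = """\
2023-03-01T13:02:11Z proxy host-12 GET http://update.bad-example.test/a.gif 200
2023-03-01T13:02:15Z edr host-12 process=powershell.exe sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2023-03-01T13:03:40Z fw host-12 connect dst=203.0.113.42:443 action=allow
2023-03-01T13:05:00Z proxy host-03 GET https://www.example.com/ 200
2023-03-01T13:06:10Z fw host-03 connect dst=198.51.100.7:443 action=allow
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sweep(log_text: str, iocs=IOCS):
    """Return one hit per (line, type, value) where a known IOC appears.
    The host is taken from the third space-separated field of the line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        host = fields[2] if len(fields) > 2 else None
        lowered = line.lower()
        found = (
            [("ip", v) for v in IP_RE.findall(line) if v in iocs["ip"]]
            + [("sha256", v) for v in SHA256_RE.findall(lowered) if v in iocs["sha256"]]
            + [("domain", v) for v in DOMAIN_RE.findall(lowered) if v in iocs["domain"]]
        )
        for kind, value in found:
            hits.append({"line": lineno, "host": host, "type": kind, "value": value})
    return hits


def custody_record(evidence: bytes, source: str, collector: str, hits):
    """Chain-of-custody record: who collected what, when (UTC), its size and
    hash, and the affected hosts derived from the sweep results."""
    return {
        "source": source,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(evidence),
        "sha256": sha256_hex(evidence),
        "affected_hosts": sorted({h["host"] for h in hits if h["host"]}),
        "hits": hits,
    }


def verify(evidence: bytes, record) -> bool:
    """Re-check evidence against the recorded size and hash, e.g. before
    handing it to another analyst or to legal."""
    return (len(evidence) == record["size_bytes"]
            and sha256_hex(evidence) == record["sha256"])


if __name__ == "__main__":
    evidence = SAMPLE_LOG.encode()
    hits = sweep(SAMPLE_LOG)
    record = custody_record(evidence, "proxy/edr/fw extract", "analyst-1", hits)
    for h in hits:
        print(f"line {h['line']} {h['host']}: {h['type']} {h['value']}")
    print("affected hosts:", record["affected_hosts"])
    print("evidence sha256:", record["sha256"])
    print("verifies unchanged:", verify(evidence, record))
    print("verifies after tampering:", verify(evidence + b"x", record))
```

The hash is computed over the raw bytes exactly as collected, and the verification step rejects any change, including a single appended byte; that is what makes the later analysis defensible, since any report can be traced back to evidence whose integrity is demonstrable.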
Above all, an incident responder must keep a level head. Being able to leap into action as soon as possible while keeping up with pre-boom tasks during lull periods are both essential parts of an IR professional’s toolbox.