How incident responders fight infotech fires
When systems fail, or hackers strike, incident responders represent an organisation's first line of defence. They are equivalent to firefighters when networks or systems are in peril. They need to work rapidly to resolve issues and take the necessary actions to prevent further problems.
First, they need a comprehensive understanding of the entire tech ecosystem, including hardware, software, operating systems, networks and access permissions.
In addition to the tech stack used by the organisation, incident responders must understand the technologies and processes used to secure systems and the potential attack methods used to exploit the organisation.
The ephemeral nature of many assets, along with the vastness and constantly evolving nature of corporate environments, mandates that incident responders must possess a plethora of technical skills to master their craft. Yet technical mastery is far from the only requirement to achieve excellence in this challenging role.
When an incident occurs, incident response (IR) teams must determine:
- What systems, assets, data and networks are used in the organisation's daily operation?
- How are systems and software configured?
- Which staff are accessing them? Has access been authorised?
- What security controls were in place, and how were they defeated?
- What vulnerabilities may have contributed to the event or incident?
- What attack paths could have allowed an attacker to penetrate the environment?
- What damage did they cause? Are any backdoors still open?
- What controls can be used to eradicate the threat and reduce vulnerabilities and risks for the future?
All these tasks require an enormous amount of information and skill, yet good incident responders need to do more than produce technical details. Since IR serves the business, they help to identify and eradicate cyber threats.
When a security event is identified, their activities allow the business to resume normal operations as soon as possible, so they must connect what is happening, or has happened, to business outcomes. Clearly, it is essential for IR staff to understand business goals and needs and ensure they align with technical needs.
Not surprisingly, IR is a high burnout job, possibly in part because incident responders aren't always equipped with the right skills. Below are the top six critical skills for incident response staff to have or invest in for future excellence.
Essential business skills
1. Communication: As cybersecurity has grown from a technical role to a strategic one, the industry recognises the importance of effective communication on individual careers and business outcomes. Incident responders have the added pressure of needing to communicate when circumstances are at their worst: when a cyberattack strikes.
IR must approach communication skills just like technical skills. Take courses, read books, listen to podcasts, seek advice and practise becoming a better communicator.
Learn how to communicate with different types of people and understand the right level of detail to communicate. Ensure that communication, both written and verbal, relays accurate information. When discussing an incident and its potential impacts, learn to distinguish facts from fears.
Be proficient at appropriately adapting communication details and styles for internal versus external audiences. Make sure to have the most up-to-date information when presenting it. Finally, learn how to maintain a level of diplomacy in high-stress situations.
2. Collaboration: IR staff must work with team members in security, IT and business, internal and external, to share workloads and information. They must complement each other's skillsets and work effectively where and when necessary. They need to navigate potentially conflicting goals and work together towards an outcome that serves the business.
3. Problem-solving and persistence: The ability and desire to solve problems persistently and think creatively about incidents and the attackers who commit them. Problem solving and persistence should be applied to the recommendations above as well as serving in a standalone category.
Key technical skills
Investigation/analysis: Incident responders must be highly skilled at investigating and analysing incidents. They need to answer important questions using their business savvy and technical mastery. These include: What has been compromised? How? What tactics, techniques and procedures (TTPs) were used? What is the potential damage to affected assets and the business?
They need to understand, have baselines for, and the ability to remediate problematic network protocols, applications and services, plus security issues, host-level issues (OS, configurations, system privileges), and patching processes. Also of utmost importance is file/log analysis, understanding how malicious code works and drawing a correlation between known and unknown TTPs to accurately assess the severity of an incident.
Investigation and analyses must be fact-finding missions, not assumption-based assertions. So incident responders must have the technical proficiency, analytical skills, and the right technologies that will help accurately and comprehensively identify evidence.
The following skills are key:
Malware analysis and reverse engineering: IR teams must understand how malware works and may benefit from competency with malware detection tools, SCA tools, and intrusion detection systems.
Programming: Fluency in the major programming languages allows incident responders to move quickly and efficiently, find 'needles in the haystack' and reduce reliance on outside teams during a major incident.
Pen testing techniques: Looking at assets and the attack methods used to compromise them from an attacker's perspective will provide a deeper understanding of how and why an attack was perpetrated.
Forensics: Some organisations employ or contract with forensic experts, yet incident responders will benefit from some ability to find artifacts, identify intruder techniques and determine the root causes of an incident.
Questions like: Which downstream systems/users have been impacted? Who is involved? What assets are involved? How did the attack happen? Will a system vulnerability allow it to happen again? What was the timeline of the attack? These will help IR teams determine the effect and scope of a cyberattack.
Monitoring: Be a master of monitoring, including systems, usage and behaviour, before an incident begins. Incident responders must determine, understand and constantly adjust baselines (i.e., 'normal') to identify abnormalities and investigate incidents.
Failure to monitor continuously for security control gaps and vulnerabilities could turn catastrophic during an incident. Therefore, IR teams should work with IT and security staff to deploy the right tools and ensure they always function as intended.
IR is a critical business function. As companies continue their digital transformations, the role of IR increases correspondingly in importance. Professionals with the right blend of technical and soft skills will only become substantial assets to their organisations and achieve continued excellence and professional success throughout their careers.
Article by Axonius senior product marketing manager, Katie Teitler.