• Incident responder careers: What’s it like to work in incident response?

  • 2021/09/02
  • Duration: 6 min
  • Podcast



  • Summary

As the well-known saying goes, it’s not a matter of if you will be breached, but when. Cybercriminals are relentless in their pursuit to break into your organization’s systems, so to protect themselves, organizations must be at least equally persistent with their defenses. When a breach occurs, it’s the job of incident responders to mitigate the security violation and restore defenses as quickly as possible.

Incident responders are sometimes referred to as digital forensics incident responders, or DFIR. The National Institute of Standards and Technology (NIST) defines digital forensics as the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. (For more on this job title, see Digital forensics careers: Public vs. private sector.) In practice, though, there are nuanced differences between an incident responder and someone who works in DFIR. While a DFIR specialist may be narrowly focused on the intricacies of a specific attack (similar to, but not the same as, a malware analyst who reverse-engineers attacks), an incident responder is sometimes referred to as a cybersecurity first responder: the first line of defense an organization relies on to mitigate an attack in real time and ensure a quick recovery.

“Every incident is slightly different,” says Keatron Evans, a senior instructor at Infosec and managing consultant at KM Cyber Security, LLC. “I feel like I learn something every time. It’s a very exciting career to be in.”

What does an incident responder do?

NIST defines incident response as the mitigation of violations of security policies and recommended practices. Incident responders are first on the scene to assess what happened and then apply mitigation strategies that are both effective and efficient. Cyber incidents are costly, and the quicker the bleeding can be stopped, the better.

On a more strategic level, incident responders are also responsible for designing and implementing an incident response plan. These plans will often look different from one organization to the next, but their goal is the same: to identify, remediate and recover from cyber incidents. The NIST Computer Security Incident Handling Guide recommends an incident response plan that covers four primary subject areas:

  • Preparation, which includes the identification of preventative measures
  • Detection and analysis, which includes areas such as indicators, required documentation and notification
  • Containment, eradication and recovery, which includes choosing a containment strategy, gathering evidence and identifying attacking hosts
  • Post-incident activity, which includes lessons learned and evidence retention policies

Some incident responders work for a large company as part of an incident response team led by an incident manager. Others, like Evans, work as part of a consulting firm that provides incident response services, or they may work independently. As a consultant, Evans says he’s “worked with incident responders within an organization when they realize which skills they have on their team and which skills they don’t. They know to reach out and get [a team like his consultancy] involved.”

What does it take to be an incident responder?

Core to being a good incident responder are two skills common to many security positions: strong communication and problem-solving. “We think about incident response as more of a technical thing, and it is, but there’s a whole soft management side to it where you have to communicate details of the incident to the right people, at the right time,” Evans says. Communication and staying calm are key, Evans explains. One real-life example is the LinkedIn data breach from a few years ago, when the company first announced that 7 million records had been hacked. Then they had to come back out and say it was actually 117 million records.

“The technical side is binary. Your techniq...

