
What Does it Take to be a Modern Incident Responder?

July 07, 2014

There is a shortage of qualified incident responders out there, and the time to ramp up and become capable continues to get longer and longer. In fact, the hiring process for bringing people into this role can take months or even years to find the right candidate.

In the past, incident response was largely a forensic process, and most incident response consulting engagements were performed by forensic shops. But as technology and malware have evolved, traditional disk forensics plays a smaller and smaller role in incident response.

From my perspective, there are seven primary buckets of skills in addition to more intangible soft skills that are important when conducting incident response. They are as follows, and I will explain each one of them:

  • File System Forensics
  • Memory Forensics
  • Network Forensics
  • Malware Analysis
  • General Information Security and Tools Awareness
  • Program development: security gap assessments, policies, procedures, playbooks, training, tabletop testing
  • eDiscovery (yes, I said that)
  • Soft Skills 

Now for more detail… For starters, file system forensics will always play a part in incident response. When you need to dig into an affected machine and determine what exactly happened, how a system was infected and what may have been taken, file system forensics is a first step.

But these days, infections, and malware outbreaks in particular, move at a rapid pace. It is not uncommon to see tens of thousands of machines affected within hours. In such cases, file system forensics is painfully slow and, to a large extent, irrelevant. So, moving at the speed of incident response requires a firm understanding of memory forensics and the ability to rapidly analyze volatile data for dynamic indicators of compromise.

More specifically, much of today's malware is dynamic or polymorphic, memory resident only, or both. Each instance on each machine is unique to that machine, and the instances often share no static forensic artifacts at all: a different file name, size, hash, path and persistence mechanism, and different command and control servers (mostly because the malware implements a domain generation algorithm (DGA) and rotates through freshly generated names). What the instances still share is behavior, such as the way they inject into a process or the pattern of their beaconing, and that is what a responder has to pivot to once the static indicators stop matching.

Moreover, just as memory forensics is vital to incident response, network forensics is equally important. They are two halves of the same whole. Some of the best artifacts are only available from the network, largely because memory resident malware leaves few or no traces on disk. A side comment on this pursuit: network analysis these days is being complicated by most malware using encryption (such as SSL/TLS) for its communication. So, implementing SSL/TLS decryption at the network edge is recommended, with two caveats a practitioner should keep in mind: interception needs a legal and privacy review before it is switched on, and even without decryption the connection metadata (destinations, DNS lookups, timing and beacon intervals, certificate details) still yields a great deal of evidence.
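The two preceding points, that DGA-driven malware shares no hash, name or C2 domain across hosts and that the network still gives it away, are easy to see in code. The following is an added example, not code from the original post or from Optiv: the DGA is a made-up stand-in (not any real family's algorithm), the DNS log lines are constructed sample data, and the detection thresholds are illustrative assumptions to be tuned against a real baseline of benign traffic.

```python
"""Added example (not from the original post or Optiv): why per-host static
IOCs fail against DGA malware and how DNS telemetry still exposes it.

toy_dga()          - hypothetical DGA, illustration only (not a real family)
looks_generated()  - lexical scorer for algorithmically generated names
suspicious_hosts() - NXDOMAIN-burst detection over constructed resolver logs
"""
import hashlib
import math
from collections import defaultdict

# Consonant-only alphabet; many real DGAs use a restricted character set.
ALPHABET = "bcdfghjklmnpqrstvwxz"
TLDS = ("com", "net", "info")
VOWELS = set("aeiou")


def toy_dga(seed_day, count=8, label_len=14):
    """Hypothetical DGA keyed on an ISO date string such as "2014-07-07".

    Every infected host computes the same list for a given day, so the
    operator only registers one of them; a blocklist built from today's
    callbacks says nothing about tomorrow's.  The SHA-256 derivation is an
    arbitrary choice for this example.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day}:{i}".encode()).hexdigest()
        label = "".join(
            ALPHABET[int(digest[2 * j:2 * j + 2], 16) % len(ALPHABET)]
            for j in range(label_len)
        )
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """'www.example.com' -> 'example'.  Simplified: ignores multi-part TLDs."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(fqdn, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Lexical heuristic for generated names.  Thresholds are assumptions;
    tune them on your own benign baseline or CDN hostnames will page you."""
    label = second_level_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def suspicious_hosts(log_lines, min_nxdomain=3):
    """Flag clients that resolve several generated-looking names that do not
    exist.  A DGA implant tries many candidates before hitting the one the
    operator registered, so the NXDOMAIN burst is the signal, and it looks
    the same on every host regardless of the binary's hash or file name.

    Constructed line format: <timestamp> <client-ip> <query-name> <rcode>
    """
    nx_by_client = defaultdict(set)
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            nx_by_client[client].add(qname)
    return {c: sorted(names) for c, names in nx_by_client.items()
            if len(names) >= min_nxdomain}


# Constructed sample resolver log: 10.0.0.5 is the infected host.
SAMPLE_DNS_LOG = [
    "2014-07-07T10:00:01 10.0.0.5 xkqzvbtrpwmdlf.com NXDOMAIN",
    "2014-07-07T10:00:01 10.0.0.5 gphtwzrnkqxv.net NXDOMAIN",
    "2014-07-07T10:00:02 10.0.0.5 qrstvwxzbcdfg.info NXDOMAIN",
    "2014-07-07T10:00:02 10.0.0.5 mnpqrstvwxzb.com NXDOMAIN",
    "2014-07-07T10:00:03 10.0.0.5 bcdfghjklmnp.net NOERROR",
    "2014-07-07T10:00:05 10.0.0.9 www.google.com NOERROR",
    "2014-07-07T10:00:06 10.0.0.9 mail.yahoo.com NOERROR",
    "2014-07-07T10:00:07 10.0.0.9 en.wikipedia.org NOERROR",
    "2014-07-07T10:00:08 10.0.0.9 typo.exmaple.com NXDOMAIN",
]

if __name__ == "__main__":
    print("Today's candidate C2 domains:   ", toy_dga("2014-07-07"))
    print("Tomorrow's (no overlap):        ", toy_dga("2014-07-08"))
    print("Hosts to pull memory from first:", suspicious_hosts(SAMPLE_DNS_LOG))
```

The output of `suspicious_hosts` is the list of machines whose memory should be captured first: the names they asked for are the dynamic indicators the post refers to, and the one successful resolution (`bcdfghjklmnp.net` here) is the live C2 to watch on the wire, whether or not the session itself is encrypted.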

Next, because malware is so ubiquitous, the ability to perform at least some level of malware analysis is critical. The ability to perform full reverse engineering is preferable, but a firm understanding of behavioral analysis (what a sample does when it runs: the files it drops, the persistence it sets, the connections it makes) is the minimum.

Moving into a more general requirement, when we go into incident response scenarios, affected parties all have a unique environment and toolset. As such, having a firm understanding of most of the common information security and investigative tools is key.

Moving into the fluffier side of incident response, most customers are now looking for a plan. A plan includes taking stock of their current incident management posture (via a gap analysis) as well as the ability to put together a plan for them. A comprehensive plan involves all aspects of program development - security gap assessments, policies, procedures, playbooks, training and tabletop testing.

Increasing in fluffiness, while eDiscovery is an investigative pursuit all its own, it is also an integral part of incident response. This is particularly true when you need to find evidence that sensitive information was accessed or exfiltrated, or when you are trying to identify the targeted data that is at risk.

Finally, it is time to discuss the most important of all skills. Soft skills might not be the first thing that comes to mind when you consider the highly technical nature of incident response. But, they are absolutely critical for being able to survive it.

It is not uncommon to walk into a war room with 30 people staring at you, looking for leadership and often pointing fingers at each other and sometimes at you. It is imperative to be able to deal with difficult and stressful situations and be able to think critically at the same time. 

All things considered, one needs to be a digital renaissance man to be successful as an incident responder. In fact, a successful incident responder must be a multifaceted security ninja and therapist all at the same time. If you fit the job description, we are hiring.
