What Does it Take to be a Modern Incident Responder?
July 07, 2014
There is a shortage of qualified incident responders out there, and the time to ramp up and become capable continues to get longer and longer. In fact, the hiring process for bringing people into this role can take months or even years to find the right candidate.
In the past, the process of incident response was largely a forensic process, and most incident response consulting engagements were performed by forensic shops. But, as technology and malware have evolved, traditional forensics plays an increasingly smaller role in incident response.
From my perspective, there are seven primary buckets of skills in addition to more intangible soft skills that are important when conducting incident response. They are as follows, and I will explain each one of them:
- File System Forensics
- Memory Forensics
- Network Forensics
- Malware Analysis
- General Information Security and Tools Awareness
- Program development: security gap assessments, policies, procedures, playbooks, training, tabletop testing
- eDiscovery (yes, I said that)
- Soft Skills
Now for more detail… For starters, file system forensics will always play a part in incident response. When you need to dig into an affected machine and determine what exactly happened, how a system was infected and what may have been taken, file system forensics is a first step.
But these days infections, particularly malware outbreaks, spread at a rapid pace. In fact, it is not uncommon to see tens of thousands of machines affected within hours. In such cases, file system forensics is painfully slow and, to a large extent, irrelevant. So, moving at the speed of incident response requires a firm understanding of memory forensics and the ability to rapidly analyze volatile data for dynamic indicators of compromise.
More specifically, much of the malware these days is dynamic/polymorphic and/or memory-resident only. Each instance of the malware on each machine is unique to that machine, and there are often no forensic artifacts in common with the instances on other machines. They will often have a different name, size, hash, path and persistence mechanism, and communicate with different command and control servers (largely because the malware implements a domain generation algorithm (DGA)).
Moreover, just as memory forensics is vital to incident response, network forensics is equally important. They are two halves of the same whole. Some of the best artifacts are only available from the network, often because memory-resident malware leaves few if any traces elsewhere. A side comment on this pursuit, however, is that network analysis these days is complicated by most malware using encryption (such as SSL) for its communication. So, implementing SSL decryption is recommended.
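The two paragraphs above make the point that per-host artifacts (name, hash, path) diverge across infected machines and that DGA-generated command and control domains diverge too, yet the network still yields usable indicators. The following is an added example, not code from the original post: it scores DNS query log lines for DGA-like registrable labels using length, character entropy and vowel ratio, the kind of behavioral indicator that survives per-host variation. The log lines, the single-label-TLD assumption and the thresholds are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (timestamp host domain); not real data.
DNS_LOG = """\
2014-07-07T10:01:02 host-a17 www.example.com
2014-07-07T10:01:05 host-a17 mail.google.com
2014-07-07T10:01:09 host-a17 xk3f9q2zpw7vbdh.net
2014-07-07T10:02:11 host-b03 stackoverflow.com
2014-07-07T10:02:14 host-b03 bqn7dxr4pkw2mtf.org
2014-07-07T10:03:20 host-c44 cnn.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'example' for www.example.com.
    Assumes single-label TLDs; a real tool would consult a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(domain: str, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25) -> bool:
    """Flag long, high-entropy, vowel-poor labels. Thresholds are constructed
    starting points, not tuned values; calibrate against your own DNS baseline."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def scan_dns_log(log: str) -> dict:
    """Map each host to the DGA-like domains it queried, skipping malformed lines."""
    hits = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _ts, host, domain = fields
        if is_dga_like(domain):
            hits.setdefault(host, []).append(domain)
    return hits
```

Grouping hits by host also gives the responder a starting list of machines to pull memory from, since the queried domains differ per host but the behavior does not.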
Next, because malware is so ubiquitous, the ability to perform at least some level of malware analysis is critical. The ability to perform full reverse engineering is preferable, but at least having a firm understanding of behavioral analysis is required.
Moving into a more general requirement, when we go into incident response scenarios, each affected party has its own environment and toolset. As such, having a firm understanding of most of the common information security and investigative tools is key.
Moving into the fluffier side of incident response, most customers are now looking for a plan. That starts with taking stock of their current incident management posture (via a gap analysis) and then putting together a plan for them. A comprehensive plan involves all aspects of program development: security gap assessments, policies, procedures, playbooks, training and tabletop testing.
Increasing in fluffiness, while eDiscovery is an investigative pursuit all its own, it is also an integral part of incident response. This is particularly true when you need to identify evidence of sensitive information being exploited or trying to identify targeted data that is at risk.
Finally, it is time to discuss the most important of all skills. Soft skills might not be the first thing that comes to mind when you consider the highly technical nature of incident response. But, they are absolutely critical for being able to survive it.
It is not uncommon to walk into a war room with 30 people staring at you, looking for leadership and often pointing fingers at each other and sometimes at you. It is imperative to be able to deal with difficult and stressful situations and be able to think critically at the same time.
All things considered, one needs to be a digital renaissance man to be successful as an incident responder. In fact, a successful incident responder must be a multifaceted security ninja and therapist all at the same time. If you fit the job description, we are hiring.