How to become a computer security incident responder


Computer security incident responders can be found in large corporations and small businesses alike. They are needed in government entities and non-profits. They can be an integral part of an in-house security team or an independent consultant. Regardless of the organization, the incident responder, first and foremost, provides the first line of defense after an attack is suspected or has been detected.

Just as police and firefighters respond to immediate physical threats, the incident responder answers the call from computer defensive systems and wields the digital tools of a computer forensic analyst. They respond quickly to neutralize the immediate threat, bring order and control to the situation, and document the crisis for attribution and possible legal prosecution.

Like their physical security counterparts, incident responders often work irregular hours during a security incident and immediately afterward while providing investigative services. Individuals seeking a career in this specialty should expect to work for long and unpredictable periods on occasion, compensated by flex-time rules afterward.

Steps to becoming a computer security incident responder

As with most cybersecurity careers, there are multiple paths leading to the same position. Some general rules, however, apply universally. The job of an incident responder is rarely, if ever, an entry-level position.
At a minimum, employers will want a candidate to have worked several years as part of a security team in an organization similar to theirs. Familiarity and experience with security principles, as well as with defensive strategies, tactics, and methods, are the entry point. Formal education requirements vary widely from employer to employer. For employers that generally value professional certifications, the same will apply to this role.

It is important to note that government entities and government contractors will often require computer security incident responders to obtain a security clearance.

1. Education
While not always required, the suggested education for someone seeking employment as a computer security incident responder is one of the following college degrees: a BS in computer science, a BS in cybersecurity, or a BS in information technology. A master's degree in one of these disciplines will further enhance career opportunities.

2. Career path
Common career paths include two to three years working as a computer security specialist, security administrator, network administrator, or system administrator. Depending on the specific needs of an employer and the vertical in which it operates, other work experience, such as time as a forensic examiner or even offensive security experience, may be expected.
3. Professional certifications
A host of professional certifications exist that demonstrate the skills and knowledge necessary for success as an incident responder. Each employer will likely value these certifications differently. They include:

- CERT-Certified Computer Security Incident Handler (CERT-CSIH) (the SEI has since retired this program)
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Cisco Certified Network Associate (CCNA)
- Certified Computer Examiner (CCE)
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Intrusion Analyst (GCIA)
- Certified Computer Forensics Examiner (CCFE)
- Certified Penetration Tester (CPT)
- Certified Reverse Engineering Analyst (CREA)

4. Experience
Work as an incident responder generally requires prior experience in computer investigations or computer forensics. Experience with computer forensic tools is desirable. Work experience that demonstrates an ability to write concise, easy-to-read technical reports is a common requirement.

What is a computer security incident responder?

The computer security incident responder is the key role within an organization's Computer Security Incident Response Team (CSIRT). The role is akin to that of any first responder: in the case of the CSIRT, they are the first to respond to a cybersecurity incident.

These incidents may or may not be actual cybersecurity breaches. Making that determination is a primary function of the team. A host of detection tools monitor traffic and behavior patterns related to digital systems and assets. When an anomaly is detected and reported by these tools, it is the job of the incident responder to quickly make an initial determination regarding the potential threat, conduct an investigation to support or revise that initial determination, and work to identify and mitigate any actual threat that may exist.
The role of an incident responder is reactive in nature and can be very fast-paced during a security event. The urgency to identify and appropriately respond to what can sometimes be a flood of automated alerts demands a person capable of working calmly in a high-pressure environment. After the initial attack has been identified and contained, it is the job of the incident responder to provide investigative services. These services deliver the details that security and development teams need to implement controls that will prevent a similar attack in the future.

Computer security incident responder skills and experience

The specific skills required by any given employer will depend largely on the operating systems in use, the systems architecture, and other factors unique to that employer. Generally, the ability to demonstrate skills related to computer investigations and forensics will be needed. Familiarity with industry-standard forensic tools is important.

Communication skills, both verbal (in the midst of a high-pressure event) and written, are critical. Written communication skills must include an ability to translate highly technical details into easily understood reports. Management teams and even law enforcement rely on reports from incident responders to gain a clear and accurate understanding of the situation.

Skills related to understanding legacy as well as cutting-edge attack vectors are essential. Other desirable skills include:

- Windows, UNIX and Linux operating systems
- Ability to code in C, C++, C#, Java, assembly, PHP, and Perl
- TCP/IP-based network communications
- Computer hardware and software systems
- Operating system installation, patching, and configuration
- Backup and archiving technologies
- Web application security
- eDiscovery tools (NUIX, Relativity, Clearwell, and others)
- Forensic software applications (e.g. EnCase, FTK, Cellebrite, XRY, and more)
- Enterprise system monitoring tools and SIEMs
- Cloud computing

What do computer security incident responders do?
Often working within the security operations center (SOC), the primary responsibility of an incident responder is to rapidly investigate and document cybersecurity incidents within an organization. Once a possible incident has been identified through either automated or manual means, the incident responder is tasked with investigating the event and mitigating potential damage. As a member of the CSIRT, the incident responder works closely with the enterprise's security organization to categorize and classify attack methods and intended payloads in support of an effort to build in protection against similar incidents.

Often called a CSIRT engineer or intrusion analyst, the incident responder uses various computer forensic tools to examine and analyze a myriad of digital anomalies that could lead to the discovery of an attempted breach or the presence of an advanced persistent threat within the organization's systems. They work as part of a cybersecurity investigative team.

An incident responder will often be called upon to write reports that document their findings from cybersecurity investigations. These reports must reflect a technical understanding of the incident and yet use language that can be digested by management or other non-technical readers. These reports can, on occasion, be used as evidence in the legal prosecution of attackers, and an incident responder may be called upon to testify in court. For that reason, evidence handling matters from the first minutes of a response: disk and memory images should be acquired in a forensically sound manner, hashed, and tracked with a documented chain of custody, since evidence collected carelessly may be inadmissible.
Computer security incident responder job description

The following are common tasks expected of an incident responder:

- Respond immediately to possible security breaches
- Be proficient with various computer forensic tools
- Obtain and maintain a security clearance
- Perform well in high-stress environments
- Stay abreast of cutting-edge attack vectors
- Actively monitor systems and networks for intrusions
- Identify security flaws and vulnerabilities
- Perform security audits, network forensics, and penetration testing
- Perform malware analysis and reverse engineering
- Develop a set of response procedures for security problems
- Establish internal and external protocols for communication during security incidents
- Produce detailed incident reports and technical briefs for management, administrators, and end-users
- Liaise with other cybersecurity and risk assessment professionals

Outlook for computer security incident responders

The demand for incident responders is expected to grow significantly in the foreseeable future. According to IDC, cybersecurity will be among the 20 most in-demand IT roles for the next decade. Incident response is one of the fastest-growing career segments within cybersecurity.

While some cybersecurity duties can be automated with new technology, the tasks of an incident responder are not in this class. All indications are that individuals with the proper experience and skill set can expect to be employable for many years to come.

How much do computer security incident responders make?

The average annual salary for the computer security incident responders researched for this guide is $80,000. This amount will vary depending on location, required duties, education, professional certifications, and industry. An experienced security professional in the San Francisco Bay Area can expect to command a salary in the neighborhood of $120,000.

Incident responders often enjoy flex time. As an example, during a security event, an incident responder might need to work two back-to-back 18-hour shifts to deal with the situation. They might then have the rest of the week off. For large corporations, telecommuting and remote work locations are often offered to enhance the benefits package for incident responders.


