Guide to Careers in Cyber Incident Response
The central objective of cybersecurity operations is to defend digital infrastructures against unwanted intrusions and thus prevent the potential loss of valuable data, breaches in privacy, and/or systemic computer network failures. However, a comprehensive approach to cybersecurity accepts the reality that incursions and attacks of various types and varying levels of severity are likely to take place. Thus, large organizations, corporate entities, government agencies, and other organizations with significant cybersecurity concerns plan for hacks and other types of cyberattacks and commonly have designated personnel and/or consultants who are trained to counter cyber breaches, reduce their overall impact, and mitigate potential damage and disruption.
This function falls under the general heading of cyber incident response, a cybersecurity specialization that combines knowledge of computer systems, network security protocols, malware, and common attack vectors with investigative computer forensics skills and an ability to respond quickly and effectively to unexpected cyber events.
Employment Opportunities in Cyber Incident Response
Organizations that maintain and rely on large, networked, digital systems that perform vital functions and/or contain sensitive/valuable information are generally aware that they are subject to potential cyber incursions and thus employ specially trained professionals who are responsible for responding to unexpected cyber incidents. Smaller companies may also have personnel on staff who have incident response training, and there are private cybersecurity firms who employ incident response specialists and provide incident response services to various types of clients, large and small.
Incident response personnel and capabilities are most commonly found in areas of the private and public sector in which the risk and potential cost of cyber breaches are high, and the systems at risk provide critical services and/or contain sensitive information. This includes banks and financial institutions, many parts of the healthcare system, branches of the military, defense contractors, large retail and manufacturing companies, technology and media companies, and public and private utilities. Even in sectors of the economy that are less prone to cyberattacks and in smaller enterprises that have less at stake in the event of cyber incursion, there is often demand for cybersecurity and IT professionals who have some incident response training.
There are a number of different names for jobs associated with cyber incident response, the most common of which are listed below:
- Incident Handler
- Incident Responder
- Incident Response Analyst
- Incident Response Engineer
- Incident Response Coordinator
- Intrusion Analyst
- Computer Network Defense Incident Responder
- Computer Security Incident Response Team Engineer
- Cyber Defense Incident Responder
Knowledge, Skills, and Abilities (KSAs) for Cyber Incident Response Professionals
As is the case with most areas within cybersecurity, cyber incident response requires foundational training and proficiencies in the various components of computer networks (hardware, software, databases, routers, etc.), the ability to code and analyze common computer languages, and familiarity with information security architectures and protocols. In addition, cyber incident responders are typically trained to quickly recognize and identify system and network anomalies that indicate security breaches, deploy both short- and long-term mitigation measures, document and preserve evidence of cyberattacks for follow-up investigations, and coordinate and/or participate in data and systems recovery efforts.
Thus, there are many technical skills, tools, and areas of cybersecurity knowledge that incident response professionals rely on in order identify and respond to cyber incidents. For example, there are specific software packages that are commonly used in cyber incident response, including but not limited to Dynatrace, InsightIDR, IBM’s Security ORadar, AT&T’s AlienVault USM, and DERDACK Enterprise Alert.
There are also methodologies and modes of thinking that are associated with incident response. For example, incident response professionals are often encouraged to think like a hacker in order to sharpen their instinctive response to cyber incidents and better understand the motivation and purpose of cyberattacks.
The NICE Workforce Framework, a comprehensive breakdown of the many jobs and employment areas within cybersecurity, list dozens of KSAs for Cyber Defense Incident Responder, the Framework’s current classification for cybersecurity incident response professionals. The lists below provide an overview of some of the key KSAs that are commonly valued by clients and employers.
General Technical Knowledge
- Common networking and routing protocols
- Computer network security architecture
- Database systems and SQL
- Data communications systems
- Human-computer interface concepts
- Object-oriented computer programming
- Physical components of computers and computer systems
- Technical specifications of computer and telephone networks
Cyber Incident Response Knowledge and Skills
- Ability to respond in real-time to cyber incidents and implement immediate remediation measures
- Analysis methods for network traffic logs, firewall logs, and intrusion detection system logs
- Business continuity, disaster recovery, and continuity of operations plans
- Common system and application security threats and vulnerabilities
- Cyberattack modes and classifications
- Cyberattack stages (reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, and covering tracks)
- Cyber defense incident triage protocols and the ability to implement cyber incident plans
- Forensic methodologies for collect and preserving intrusion artifacts, such as source code, malware, and images
- Host and network access control mechanisms
- Incident categories, incident responses, and timelines for responses
- Intrusion detection methodologies and techniques for detecting host and network-based intrusions
- Malware analysis concepts and methods
- Network traffic monitoring and analysis methods
- System administration, network, and operating system hardening techniques
- Ability to explain incident details using both technical and non-technical language
- Ability to write and publish post-incident reports
- Advanced problem solving and critical thinking skills
- Knowledge of law enforcement investigative procedures and an ability act as a liaison with law enforcement officials
- Knowledge of relevant laws and statutes relating to computer security and privacy
- Team leadership skills and the ability to coordinate the response actions of individuals and teams within an organization
Training and Credentials in Cyber Incident Response
Cyber incident response requires knowledge of an organization’s data security systems, the different modes and stages of cyberattacks and how to counteract them, and how to gather data on intrusions in order to mount stronger cyber defenses. Many of the specialized skills required for work in cyber incident response can be cultivated on the job by professionals who have training in computer science, cybersecurity, and information technology systems. Students and professionals who are interested in cyber incident response may want to explore programs that provide formal training in digital forensics, malware investigation and triage, and incident monitoring.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cyber Incident Response
There are cybersecurity degree programs at the bachelor’s degree level that are designed to provide students with a solid grounding in essential cybersecurity knowledge and skills, including computer programming proficiencies and an understanding of the principles and practices of computer and network systems security. Additionally, some bachelor’s programs offer advanced and/or elective courses in computer/digital forensics which can be helpful for students who are interested in pursuing a career in cyber incident response.
At the graduate level, there are many schools that offer master’s degree programs in cybersecurity and digital forensics. These programs provide advanced training that has applications throughout the field of cybersecurity, including in cyber incident response. Some of these master’s programs include one or more courses that address cyber incident response proficiencies and there are master’s programs that offer designated specializations in cyber incident response and investigations. The three or four courses that commonly comprise a specialization in cyber incident response may also be offered in the form of a graduate certificate program for eligible students who have completed their undergraduate studies and who are not interested in completing a full master’s program.
Professional Credentials and Certifications in Cyber Incident Response
Another way to acquire cyber incident response skills is through non-credit courses and intensive bootcamps offered by private industry groups and member organizations. There are numerous cybersecurity credentials available through industry certification programs, some of which focus specifically on cyber incident response. Most cybersecurity certification organizations offer exam-preparation modules and training courses in various cybersecurity specializations.
The list below provides an overview of some of the certifications that are available in the area of cyber incident response:
- Certified Computer Security Incident Handler (CSIH), offered by the Software Engineering Institute (SEI)
- Certified Incident Handler (ECIH), offered by the International Council of Electronic Commerce Consultants (EC-Council)
- Certified Incident Handling Engineer (CIHE), offered by Mile2
- Certified Incident Responder (eCIR), offered by eLearnSecurity
- CREST Certified Incident Manager (CCIM), offered by the Council for Registered Ethical Security Testers
- GIAC Certified Incident Handler (GCIH), offered by the Sans Institute’s Global Information Assurance Certification (GIAC) program
Examples of Jobs in Cyber Incident Response
Drawing on research into actual cybersecurity job listings, the examples detailed in the section below provide an overview of the types of employment that are available in field of cyber incident response.
Associate Incident Response Consultant
- Primary Responsibilities: Assist in network forensics, log analysis, and malware triage operations in support of incident response investigations.
- Education: Bachelor’s degree preferred.
- Credentials: None specified.
- Experience: One or more years of experience working in information technology, computer programming, or a related technical field.
- Technical Proficiencies: Knowledge of Windows disk and memory forensics; static and dynamic malware; scripting with Perl, Python, or Ruby; network protocols; Unix/Linux/Mac/Windows operating systems; and security testing platforms such as Hack the Box, TryHackMe, and Overthewire.
- Other Attributes: Strong technical acumen; time management skills; client communication skills; and technical writing skills.
Cyber Incident Response Senior Consultant
- Primary Responsibilities: Conduct computer and network forensic investigations related to various forms of malware, computer intrusion, theft of information, denial of service, and data breaches in order to assist clients in addressing security issues.
- Education: Bachelor’s degree in computer science, cybersecurity, management information systems, or another related technical field.
- Credentials: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), EnCase Certified Examiner (EnCE), or GIAC Certified Incident Handler (GCIH) credential preferred.
- Experience: Five or more years in information systems security, incident handling and response, exploit analysis, cyber intelligence gathering, vulnerability management, and/or digital forensics.
- Technical Proficiencies: Experience with Linux/Unix operating systems; digital forensics investigation tools (X-ways Forensics, Forensic Explorer, EnCase Forensic, EnCase Enterprise, AccessData FTK, Volatility, SANS SIFT, Carbon Black, and/or Internet Evidence Finder/Axiom); malware analysis; and network, host, and user activity data.
- Other Attributes: Personal interest in computing, security, and digital communications; and strong written and verbal communication skills.
Network Incident Response Engineer
- Primary Responsibilities: Manages all aspects of incident response and resolution, including documentation and customer interface; and independently administers incident monitoring for communications systems, database content, network management platforms, and shared logging applications.
- Education: Bachelor’s degree with a major in engineering or technology preferred.
- Credentials: None specified.
- Experience: Three or more years of relevant work experience working with information technology and communication systems.
- Technical Proficiencies: Experience working with SQL server and web tool projects related to the database systems; network-related technologies and network hardware; and advanced computer network and communication systems and platforms.
- Other Attributes: Strong critical thinking, technical writing, and client communication skills.
Incident Response Manager
- Primary Responsibilities: Develop and manage incident response plans across an environment that includes cloud, datacenters, and disparate and geographically distinct business units; engage with and assist a team of incident responders in cybersecurity exercises associated with managing cyber incidents at various impact severity levels; and review and develop recommendations for current FBI incident response policy based on Department of Justice guidance, agency regulations, federal and state laws, and industry best practices.
- Education: Bachelor’s degree.
- Credentials: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), GIAC Certified Incident Handler (GCIH), or similar industry credential preferred.
- Experience: None specified.
- Technical Proficiencies: Experience working with a broad range of cybersecurity tools, enterprise IT architectures, and penetration testing tools and platforms.
- Other Attributes: Able to operate with minimal managerial assistance; communicate with technical staff, law enforcement agencies, and individuals at all levels of an organization; and provide leadership to technical personnel and non-technical staff.