Incident Analyst L3

Three primary traits are required for the Incident Responder. The individual in this role conducts the highest-level incident analysis, is responsible for incident tracking and handling, and conducts in-depth threat research on the incident while developing and executing remediation plans. In this role they also conduct forensic analysis such as drive imaging, litigation support and other high-level incident analysis and research. Along with traditional forensics, they may also conduct malware analysis and will coordinate closely with individuals in Security Tool Engineering and Intelligence. This role is considered the last line of defense and is often proactively hunting the adversary.

Responsibilities: This position requires deep forensic analysis of events and indicators that have been escalated by the Incident Analysts. The Incident Responder utilizes many tools, among them command-line interface (CLI) tools and custom programs, to perform deep forensic analysis that aids in finding threats and suspicious activities in the environment. The team is also responsible for contributing to the threat intelligence community on a regular basis. When a threat is identified, the Incident Responder is required to work with asset owners and stakeholders, Security Operations, and management leadership teams to develop and execute high-level remediation plans, author incident response reports, and implement lessons learned. This position is also required to work with law enforcement authorities as necessary. The Incident Responder may be required to assist during non-core business hours in the event of an emergency.

Skills required: The Incident Responder must have the ability to lead, motivate, and develop people while managing workflows, projects, and personnel. The position requires a detailed technical understanding of security incidents and alerts. The Incident Responder will be required to recreate attacker maneuvers and must be skilled in all aspects of the attacker/incident lifecycle. Reverse engineering and penetration testing skills will be required to diagnose a threat and fully comprehend its holistic impact. They are considered the most highly skilled security personnel within the organization.

Qualifications: A bachelor's degree (or equivalent), a strong understanding of security principles and concepts, and team leadership experience. Multiple security certifications are a must. Examples of typical certifications for the Incident Responder include SANS GCIH, GREM, GCFA, GPEN, GWAPT, CEH, and CISSP.

Experience: Individuals with a minimum of four (4) years of penetration testing or reverse engineering experience may be considered qualified. Incident analysis and response experience of at least four (4) years should also be sought. A qualified candidate will also have more than eight (8) years of overall security experience. The role requires an in-depth understanding of security issues across platforms and the ability to communicate clearly in both technical and non-technical settings. The ideal candidate is familiar with the SOC/CIRC workflow and has likely held Event Analyst and Incident Analyst roles previously in his/her career. Knowledge of Microsoft Windows, Unix systems, security tools, networking, and applications is required. Experience with the following is also necessary:

  • CLI tools such as Netcat, Nmap, hping, Hydra, etc.
  • Vendor DPI and SIEM solution experience (NetWitness, Solera, enVision, ArcSight, Q1, Nitro, Splunk)
  • Security penetration testing packages such as Core Impact, Canvas, Metasploit, Qualys, or Kali
  • Forensic software such as EnCase or FTK
  • High-level programming languages (e.g., Perl, Python, Java, C, C++)
  • Web application development (e.g., .NET, ASP, PHP, J2EE, JSP)

As designated above, this role should have the ability to program in various languages to deliver the security capabilities required during an incident. Managerial experience is preferred, as the Incident Responder will have to lead the shift and/or the investigation. The Incident Responder is the technical liaison to the other business units during an incident or breach.

Technical Interview: This senior role will require an extensive technical and non-technical interview to determine that the qualified candidate not only can technically perform the job, but also can maneuver the non-technical challenges often present in the business environment. The candidate should meet with other Incident Responders as well as the SOC/CIRC Manager during the interview. Potential interview scenarios may include a piece of malware being submitted to the candidate to reverse engineer and provide a written explanation of; this would be a timed scenario in which time management and written skills are tested. Another scenario would likely be PCAP analysis, where the candidate is required to decipher what the traffic is doing and verbally describe his/her analysis to the team. A third exercise consists of providing a simple web form and/or application that the candidate must be able to exploit to gain command of the host. The candidate should also be asked to walk through their previous roles leading incident investigation and response and their involvement in SOC/CIRCs. Candidates in this role frequently contribute back to the community through articles, conference appearances, blogs, and patents, which should be reviewed and discussed.