August 12, 2017
How to Become an Incident Responder
To become one, in my humble opinion, takes a positive attitude and a passion for knowing both defensive and offensive cybersecurity. It is not a 9-to-5 job where you sit in the office every day and wait for an attack to happen. It is an operational and proactive profession where you either detect breaches to reduce downtime or prevent zero-day attacks.
Knowing every tool in the arsenal does not by itself make you an effective incident responder, but it definitely helps with detection and threat hunting. Even if you have several SIEMs (security information and event management systems) and a million-dollar EPP (endpoint protection platform) plus EDR (endpoint detection and response), you are not bulletproof. There is no cyber threat intelligence feed yet that reliably covers APTs (advanced persistent threats), even though most providers have sources on the dark web.
There are too many tools to mention here; it is more important to understand threat modelling so that you can come up with the right solution.
But then again, I keep going back to basics: attitude and passion are the keys to becoming a true Blue Team member.
Motivation and Skillset
Mindset is very important from day zero: in operations, time matters, because this is not a typical routine clerical job. Every day in cybersecurity there is something new to learn.
If your background is in Red Team work, that is useful for identifying possible attacks along the "kill chain", and you will be able to defend your turf against APTs. If you are a programmer, malware analysis and reverse engineering will come easily when you analyze phishing attacks, exploits, and ransomware.
A former network engineer will also find it easier to analyze network traffic for DDoS, lateral movement, and other suspicious activity from both outside and inside threats. And if you are a system administrator on Windows, Unix, or Linux, then forensics will be easy for you to handle.
What it is Not...
When companies form a CERT (computer emergency response team) or DFIR (digital forensics and incident response) team, some prefer members from different backgrounds and then run tabletop exercises so that everyone is ready and efficient when a real attack occurs.
IR is not 24x7 monitoring; that is the SOC's (security operations center) job. The two are distinct, so to speak. There is some overlap with the SOC, but only on the basic tasks; what remains for IR is more advanced work that demands broader knowledge and understanding of different cyber threats.
When I am asked what skills or tools are needed to become an incident responder, I stick to what I mentioned in my previous Cyberblog (Is SOC an IR or IR is SOC?): networking, systems administration, and scripting/programming are the recipe for becoming a successful cybersecurity professional.