Why and How to Become an Incident Responder
An incident responder is the cyber firefighter of an organization. The job is often advertised as Computer Security Incident Response Team (CSIRT) Engineer or Intrusion Analyst. The main function of this person is to react immediately to any security incident or threat within the organization. An incident responder relies heavily on the forensics tools used in the industry so that they can identify the root causes of incidents and learn from them, in order to avoid the same problems in the future and raise the level of security of the entire organization. You should expect to spend some of your time educating colleagues on better security practices and some of it helping to prevent potential upcoming threats.
Always keep in mind that your main goal is to prevent cyber-attacks or, when they do happen, to limit their effect on the systems immediately. The following list covers the most common responsibilities you should expect to take on while working as an Incident Responder.
- It is your responsibility to keep checking and monitoring the organization’s networks and systems to spot any intrusion and prevent it.
- You have to look for and define all the security flaws and holes within these systems and networks.
- One of your main roles is to conduct several security audits on the systems, perform penetration testing tasks, network forensics, and risk assessment and analysis.
- You will have to conduct many tasks related to malware analysis and reverse engineering.
- It is one of your main responsibilities to define, and then follow, a course of action for responding to any security problem that arises in the system.
- You should also define and make use of protocols for communication within the organization and for dealings with law enforcement when a security incident occurs.
- You should design and set a development plan which targets evaluations of security gaps inside the organization in terms of policies and procedures. Your development plan should also include scheduled training and tabletop testing.
- You have to explain in a detailed technical report what happened and why the incident occurred in the first place. You then submit that report to your administrator, upper management, or end users.
- You should always build relations with other entities that are responsible for conducting cyber threat analyses.
I want to point out that you may work as an independent consultant if you choose to become an incident responder. On the other hand, if you choose to take this job in a large-scale organization, then you may become part of a CSIRT, and you will typically report your findings and analyses to the CSIRT Manager.
It is also worth mentioning that the fields of incident response and forensics are gradually merging, yet we preferred to create a separate job page for the Forensics Specialist job position.
You could begin your cybersecurity career with an entry-level job that provides the information and experience you will need for the career ahead of you. Some of these jobs are listed below.
- Security Administrator
- Network Administrator
- System Administrator
After proving yourself successful in one of these jobs, you can consider moving into the Incident Responder position. Alternatively, you can reach the same position from prior experience as a Forensics Expert.
During your time as an Incident Responder, try to gain as much experience as possible in dealing with stress and security problems. After that, you may consider becoming a CSIRT Manager or even the Director of Incident Response.
Many job postings attach one more word to the Incident Responder title. Most of the time, the title and its associated responsibilities are exactly the same as those of a regular Incident Responder. However, for a job like Computer Network Defense Incident Responder, the candidate should expect to deal more with networking issues when an incident occurs. Common variants of the title include:
- Computer Security Incident Response Team (CSIRT) Engineer
- Cyber Incident Responder
- Incident Response Engineer
- Cyber Security Incident Responder
- Computer Network Defense (CND) Incident Responder
It is common for the required qualifications in job postings such as Intrusion Detection Specialist, Network Intrusion Analyst and Forensics Intrusion Analyst to be nearly the same.
Due to the high specialization of this job, there are no clear salary figures for it on the BLS or PayScale. This should not be surprising, since even the working hours are unusual. You may work for 2 consecutive days, 48 hours in the workplace, in order to deal with a specific security incident, and then find yourself taking the rest of the week off after those two days. However, imagine the amount of stress associated with those two days!
Searching for the term “Incident Response” on Indeed, we found two popular salary ranges: the first between $50,000 and $70,000, and the second from $70,000 to $90,000. Furthermore, when searching for the term “Incident Response Analyst” instead, the two popular ranges went up dramatically, to $70,000 to $90,000 and $90,000 to $110,000. Finally, it comes as no surprise that a CSIRT Manager or Leader is paid more than all of these figures: they should expect a range between $100,000 and $150,000 on average.
I would say that a bachelor’s degree in Computer Science or any equivalent field such as Math, Electrical Engineering, Cyber Security, etc. would work quite well. However, employers usually do not require a specific degree from candidates for this job. In addition, you can consider a master’s degree in Information Assurance or Information Security with a focus on incident response. This should give your incident response career a great push, whether towards becoming a CSIRT manager or towards a higher salary as a CSIRT member. If you are still in academia, I could also recommend considering a university which offers an incident response management track. This would give you the best opportunities.
Most employers require candidates to have spent 2 to 3 years in the security field, preferably in incident response specifically. On the other hand, if you are considering a senior-level job such as Senior Incident Responder or Senior Intrusion Analyst, you should have at least 5 years of experience in the respective fields.
The main thing employers expect from you is to understand their systems inside out and to be able to identify all the potential security flaws. They will also look carefully for advanced forensics skills, especially when it comes to a target-rich environment in a large-scale organization such as Google. The following list gives an overview of the main technical skills you should have before considering this job.
- A perfect candidate has to be experienced in both Windows and Unix-like systems (such as Linux).
- Programming languages such as C, C++, C#, Java, assembly, PHP, and Perl should be well understood by a candidate.
- You should be comfortable when dealing with computer networking and communications especially those based on TCP/IP protocols.
- You should have a solid knowledge of both the hardware aspect and software aspect of computers.
- You should be able to install different operating systems on the organization’s various machines and systems and then apply and configure any needed patches on them.
- You should be experienced with technologies used for backing up information and archiving.
- You have to be knowledgeable of main security concepts and practices when it comes to web-based applications used by the organization.
- You should be aware of eDiscovery tools such as NUIX, Relativity, Clearwell, etc.
- You should also be comfortable using the different software applications designed for forensics purposes, such as EnCase, FTK, Helix, Cellebrite, XRY, etc.
- You should be confident using enterprise tools for system monitoring and Security Information and Event Management (SIEM) platforms; both are really useful and desirable for an incident responder to function well in the position.
- You should have knowledge of the main concepts and practices of cloud computing.
First things first, if you are a procrastinator, now is the time to work on overcoming this trait before applying for this job. Employers will love to see that their candidate is a really flexible person who is willing to adapt to any change and who can work under extended stress. Remember that you never know when a security incident is going to happen. You should not be the type of person who easily panics when faced with hard or unpleasant situations.
Moreover, an Incident Responder is expected to be a creative thinker with great problem-solving and analytical skills. You should also work on your ability to convey technical concepts and approaches, either orally or through technical reports, to your management or to colleagues who may have a less technical background than you. You will face these situations a lot in your corporate life generally. So, finally, your oral and written communication skills are really important for becoming the perfect Incident Responder in an organization.
There are several certifications that you should consider obtaining by the time you become an Incident Responder. The following list covers most of the certifications that we think would help you a lot along the way in your Incident Response job functions. Nevertheless, it is always advisable to check with potential employers or other senior-level employees which certifications they require and which ones they value most.
- CCE: Certified Computer Examiner
- CEH: Certified Ethical Hacker
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- GCIH: GIAC Certified Incident Handler
- GCIA: GIAC Certified Intrusion Analyst
- CCFE: Certified Computer Forensics Examiner
- CPT: Certified Penetration Tester
- CREA: Certified Reverse Engineering Analyst