Incident Response: 5 Critical Skills
Recent Breaches Require Pros to Add New Skills
For Reid, incident response is all about hiring the right people with the right skills. "The majority of my team is made up of people with a broad IT background," he says. "I look for people who can understand the priority and sensitivity of responding to events in a large-scale environment and know what the risks and tradeoffs are in handling an event."
Cisco's experience isn't unique. Consider some of the recent incidents we all have witnessed:
- RSA's SecurID breach;
- Loss of personally identifiable information at Sony;
- Alleged trading fraud at Switzerland-based UBS;
- Frequent attacks by hacktivist groups such as Anonymous and LulzSec.
These and other breaches have forced many regulated organizations to re-examine their incident response plans and personnel. The result: As in Cisco's case, incident response professionals not only need strong technical expertise, but also a slew of softer skills to help organizations repair the damage and recover from these events.
The New Rules
Traditionally, incident response has been viewed as the capability to respond effectively to security threats. It has been a highly technical, hands-on role filled by professionals from network operations, system administration and security engineering. Their focus has largely been understanding common attack techniques in order to detect, handle and respond to various types of incidents, along with the policies that govern incident handling.
However, with increased regulation such as breach notification requirements, combined with advanced threats and malware, this role has expanded into specific areas such as investigations, application development and forensics.
"Incident response has evolved into a more holistic, analytical function, as compared to a compartmentalized operations approach," says Marcus Ranum, CSO at Tenable Network Security, an IT security consulting company based in Maryland. "Often responders can take control of the situation if they have the right expertise in forensics, critical thinking and malware analysis."
In these new roles, new skills are required. "Communication and coordination skills are becoming crucial for incident responders, as different parts of the organization are increasingly involved in breach prevention and mitigation," says Robin Ruefle, a senior analyst from Carnegie Mellon University's Computer Emergency Response Team. "Often the gaps are found in responders' failure to work together to escalate the issue or collaborate with the right person to move things forward."
5 Critical Skills
So, what are the must-have skills for today's incident response professionals? Here are the top five selected by information security leaders:
- Collaboration: This is significant because when an incident occurs, the responders need to know how to work with the right people to stop the attack. Often, responders must work beyond their organization with ISPs and other points of contact within the industry to arrive at a solution, Ruefle says. "The key skill is to have points of contact outside of the immediate team in incident response and know how and where to collaborate."
Also, assisting with breach notification is quickly becoming an important step in incident handling, requiring responders to work with breach notification teams to get appropriate information from different groups. They also must help determine exactly what happened, and provide effective response to customers, stakeholders and federal authorities in case the breach involves compromise of personal information.
"Coordinating response and effectively disseminating information on the incident by getting input from legal, public relations and business owners today is paramount for good incident handlers," Ruefle adds. Pros need to frequently test response plans and breach scenarios to ensure they are building on their collaboration skills by preparing contact lists and defining communication parameters: who will be talking to whom, how, and for what purpose.
- Database Analysis: All too often, incident handling is "looking for the needle in the haystack," Reid says. Take, for example, a user's machine that is suddenly compromised and begins accessing sales, stock and financial data from different parts of the network. Here, the incident response team is alerted by a changing pattern in the timeline of user activity and must recognize that an unauthorized user has gained access to the system. They immediately need to analyze large databases, log audit trails and search through hundreds of thousands of terabytes to correlate and trend different data sets. The answers they are after are the type of activity, frequency of occurrence, impact of damage and technologies used, so they can understand the reason behind the attack and how best to mitigate it.
"Prevention of these attacks depends on how quickly and efficiently the incident response team sifts through the data and narrows their search parameters to go after the bad guys," Reid says. He adds that it is hard to find people with these skills, but recommends that pros have a strong IT background and learn technologies such as flat files and clusters for effective data analysis.
- Digital Forensics: This skill is in demand because many existing and emerging regulations now require organizations to protect sensitive information and quantify how much information was exposed during the course of a breach. In addition, the move to cloud and mobile has further strengthened the market for forensic pros, as the need to access data on demand and work with data in a virtual environment requires them to conduct live investigation and analysis. Forensics is applied to determine the cause, scope and impact of incidents, stop unwanted activity, limit damage, preserve evidence and prevent recurrence of events.
"Incident handlers need to have forensics capabilities to facilitate faster and more effective responses to incidents," Ranum says.
In the case of unauthorized data access, for example, responders typically need to use their forensics skills to recover lost data from systems, analyze log entries and correlate them across multiple systems to understand specific user activity. These skills were always in demand, Ranum says, "but new types of malware intrusions and analysis are further pushing the need for forensics skills in this field." To build on this skill, practitioners need to enroll in forensics training and education offered by academic institutions and certification organizations, like SANS Institute, that offer hands-on programs focused on understanding chain of custody and how an investigation is conducted using appropriate tools and analysis techniques.
- Malware Analysis: The global consumerization of applications and mobile devices has led to an increase in malicious software attacks targeting smart phones, tablets and company infrastructure. Because of this increase in application threats and the likelihood that such incidents affect many users and systems within a short time, understanding how to analyze malware effectively has become a critical skill for responders, Ruefle says.
Incident handlers, therefore, must know how to perform surface analysis to understand a piece of malware, its properties and all basic facts from a high-level perspective. Further, incident handlers who are familiar with the organization's implementations and configurations of malware detection tools, such as anti-virus and intrusion prevention software, should be in a position to analyze supporting data and identify the characteristics of threats and the necessary mitigation strategies. Ruefle recommends that pros use CERT's resources, including research papers, seminars and problem-solving kits, to develop this skill further.
- User Behavior: "Detecting and monitoring the growing insider threat is a complicated challenge," says Julie McNelley, a senior analyst from Aite Group, a financial research and consulting firm. However, organizations can prevent these attacks by equipping incident response teams with the skills and knowledge to monitor and track data leakage and understand user behavior. This encompasses a whole range of activities, from looking at which external websites people access to whether someone can download data to a USB drive or retrieve information from print tabs or screen checks. McNelley says a number of data protection technologies are available, which organizations should leverage and make part of their incident response capabilities in order to get automated alerts when users access information they are not authorized to see.
In addition, she suggests that individuals in incident response develop skills in behavior analytics to recognize patterns of suspicious behavior and the kinds of anomalous actions users take in their roles. "Incident response should know when data protection policies are not followed to lock down systems and control damage," McNelley says. Pros need to learn network behavior analysis and identity-based monitoring technologies to understand and monitor user behavior effectively.
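Both the Database Analysis item (a compromised workstation suddenly reaching into sales, stock and financial data) and the User Behavior item (spotting users acting outside their normal role) come down to the same exercise: parse access logs, build a baseline of what each user normally touches, and flag departures from it. The script below is an added example written for this page, not code from Cisco, CERT or Aite Group. It assumes a simplified log format of the form `<ISO timestamp> user=... host=... resource=/category/file action=...`; every log line in it is constructed, and the ten-minute window and three-category threshold are illustrative tuning values, not figures from the article.

```python
"""Log correlation for incident triage.

Added example (not from the article, Cisco or CERT). It assumes a
simplified, constructed access-log format:
    <ISO timestamp> user=<name> host=<name> resource=</category/file> action=<verb>
Every sample line below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+)$"
)

# Constructed "known-good" history: alice works with sales data, bob with HR data.
BASELINE_LOG = """
2024-03-01T09:02:11 user=alice host=ws-17 resource=/sales/pipeline.xlsx action=read
2024-03-01T10:15:40 user=alice host=ws-17 resource=/sales/q1-forecast.csv action=read
2024-03-01T09:30:05 user=bob host=ws-22 resource=/hr/payroll.csv action=read
2024-03-02T11:05:19 user=bob host=ws-22 resource=/hr/benefits.pdf action=read
"""

# Constructed observation window: alice's workstation suddenly reaches into
# stock and finance data within minutes; bob reads a finance file late at night.
OBSERVED_LOG = """
2024-03-10T14:00:02 user=alice host=ws-17 resource=/sales/pipeline.xlsx action=read
2024-03-10T14:03:45 user=alice host=ws-17 resource=/stock/inventory.db action=read
2024-03-10T14:07:10 user=alice host=ws-17 resource=/finance/ledger.csv action=read
2024-03-10T14:08:30 user=alice host=ws-17 resource=/finance/ledger.csv action=copy
2024-03-10T15:20:00 user=bob host=ws-22 resource=/hr/payroll.csv action=read
2024-03-10T22:45:12 user=bob host=ws-22 resource=/finance/ledger.csv action=read
"""


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["category"] = e["resource"].split("/")[1]  # '/sales/x' -> 'sales'
        events.append(e)
    return events


def build_baseline(events):
    """Per-user set of data categories touched during the known-good period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["category"])
    return baseline


def find_anomalies(events, baseline, window=timedelta(minutes=10), min_categories=3):
    """Two detections: (1) a user touching a category absent from their baseline;
    (2) a single host touching >= min_categories distinct categories within `window`."""
    findings = []
    for e in events:
        if e["category"] not in baseline.get(e["user"], set()):
            findings.append(("outside_baseline", e["user"], e["host"], e["resource"], e["ts"]))

    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            # slide the window's left edge forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            cats = {x["category"] for x in evs[start:end + 1]}
            if len(cats) >= min_categories:
                findings.append(("burst", host, sorted(cats), evs[start]["ts"], evs[end]["ts"]))
                break  # one finding per host is enough for triage
    return findings


def summarize(findings):
    """Count findings by type, the figure a responder reports first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[0]] += 1
    return dict(counts)


def triage(baseline_text=BASELINE_LOG, observed_text=OBSERVED_LOG):
    """Run both detections over the observation window against the baseline."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_anomalies(parse_log(observed_text), baseline)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
    print(summarize(triage()))
```

Run as-is, it reports four out-of-baseline accesses (alice touching stock and finance, bob touching finance) and one burst on ws-17, the workstation that swept across sales, stock and finance data within seven minutes. The baseline is deliberately per user rather than per host, because the insider case McNelley describes is a legitimate account acting outside its role, while the burst check is per host because Reid's case is a single compromised machine; on real logs the two signals overlapping on the same user and host is what moves an alert to the top of the queue.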
For Gavin Reid at Cisco, improving the incident response team's skills doesn't reduce the number of unexpected phone calls. But it does improve his confidence in addressing those calls.
"Incident response skills often come with a premium," Reid says. "It's very hard to find experts in this field, but being the yes-man with all answers and having passion in technology goes a long way."