6 Critical Skills Required for Incident Response Team Members
Whether an organization possesses the personnel and budget to create an internal Incident Response Team, or determines that outsourcing is a more viable option, vetting the team candidates for requisite experience is critical. Unfortunately, many companies use the wrong selection criteria.
NOTE TO SENIOR LEADERSHIP: “related to the boss,” “really cool title,” and “may file lawsuit if not selected” are not valid reasons for team selection no matter what your MBA adviser told you.
The composition of the Incident Response Team will be highly diverse and represent specialized capabilities in both technical and non-technical disciplines. The non-technical disciplines – such as legal counsel, human resources and public relations – play critical roles in the process. However, they are ancillary and fall outside the scope and intent of this writing.
Although there is no such thing as a “perfect” Incident Response Team member, it is critical that those candidates being considered for team placement have a familiarity and understanding of these six technical areas for the remediation and eradication actions to be successful.
#1) Technological Investigations
The candidate must have experience with investigations involving technology, not just investigations in separate disciplines. While candidates may possess superior investigative skills, lacking expertise in technology places them at a significant disadvantage.
#2) Computer Forensics
The ability to examine and analyze forensic images secured from networks (live acquisition) or independent devices (“dead box”) is critical to developing actionable leads and answering investigative questions.
#3) Network Traffic Analysis
A knowledge of information flows with a network is vital when distinguishing normal behaviors from potential anomalies. Additionally, a working knowledge of traffic analysis software will enhance the process by facilitating efficient and effective automation.
#4) Relevant Industry Applications
Every industry uses certain related software to manage every aspect of its operation. While vendors may change from organization to organization, the applications share commonality that will allow experienced investigators to quickly understand the functionality if they are familiar with industry applications.
#5) Enterprise IT Architecture
Understanding enterprise architecture and general network topology provides a level of insight that allows investigators to identify many behavioral anomalies of standard network devices. If an investigator can identify anomalies against known and acceptable device behaviors, the remediation process can be greatly enhanced.
#6) Malicious Code Analysis
Understanding functionality of a malicious code can very often reveal its purpose – as well as the motivation and intent of the attacker. Possessing this capability also removes the need to outsource this function to third-parties, which in many cases is neither desired nor feasible.
None of these skills are difficult to acquire if an individual has the proper mindset, motivation, and desire to expand his or her body of knowledge. Once these skills are acquired, proper mentoring, guidance, and continual learning will allow the team members’ level of subject matter expertise to increase exponentially.
If senior leadership is committed to making the right hiring decisions and potential candidates are committed to dedicating the energy to make themselves viable, the potential and possibilities for an effective Incident Response Team are endless.
If not, I happen to know a guy named Bob – the son of the CEO’s second cousin – who will be happy to show up for an interview … and probably sue you and your company if you choose not to hire him.