Cybersecurity is a vast field with many specialty areas and focuses. It can be hard to understand the differences between roles, and even harder to narrow down which one is right for you. In this post, we demystify the role of an incident responder and discover what goes on behind those firewalls. Let’s look at what goes on in a day in their life and what steps you can take to join the ranks of these cyber firefighters.

Note: Throughout this blog post series, we refer to certain cybersecurity skill sets as "roles." We’ve done this to ensure we cover all security roles and align with the functions of the Cybersecurity Framework and  NICE Framework. Each organization may define these roles and responsibilities differently, and there can be many variations of specific title names. 

An incident responder takes action in urgent situations to mitigate any immediate and potential cyber attacks. Using set approaches, and an intimate knowledge of the system, they can deduce what’s out of place, close up any holes, and ensure information stays secure.

There are a few core defensive security roles you’ll find within an organization that ensure data is kept safe. Roles like SOC analyst, threat hunter, and penetration and vulnerability tester tend toward more project-based, day-to-day sorts of things. Incident responders are a little different.

“You have to be ready to go at any time, because incidents always happen, regardless of vacations or holidays,” explains Colin Jackson, Pluralsight Senior Security Engineer. When you get that first indication that your system is getting hacked, or something malicious is going on, “you immediately need to spin up and respond.” Incident responders are the firefighters of an organization, jumping in at a moment's notice to put out those spot security fires.

Cyber security incident response can be stressful, but it’s also exciting. 

“When I'm not handling an incident, I do have projects that I'm working on. We're building out security tools, security engineering. But as soon as an incident happens we jump right in. My whole team is activated, day or night, twenty-four-seven,” says Colin.

That’s not to say high-severity incidents happen all the time. Frequency varies from organization to organization. Those holding more personal identifiable information (PII), health records, or financial data will present a greater target, so it’s important that security teams have best practices in place to minimize impacts.

Not every incident presents a ‘jump out of bed in the middle of the night’ situation, but an incident responder needs to be ready when that Bat-Signal shines. Just ask anyone who had to deal with the Log4J vulnerability at the end of 2021.

From the moment a cyber attack is reported, the cyber security incident response clock starts ticking. Depending on the severity and nature of the attack, resolution and reporting might be required within a set time. So, work has to begin immediately. The first step is to note the time that the report was made (that ticking clock isn’t just a figure of speech). The incident responder will begin taking notes and screenshots—documenting everything so a timeline can be built out.

They’ll go into the initial system—the first indication of compromise. In a scenario where a malicious email has been reported, or suspicious emails are being sent from an internal address, they’ll go through the email log and see when these emails were sent out—where did they go, which account were they sent from, and what IPs were detected?

Then it’s time to start peeling back the onion. A login had to have occurred in order for a malicious actor to get access. When did the compromised account log in to send the emails? Retrace those steps, recreate the crime scene, and follow the clues to figure it out. 

Cyber security incident response might require connecting with other teams, such as an email admin to double check security logs and look for things like: Where did they log in? What type of computer was it from? And most importantly, what did they do? Were other systems affected? 

Once the initial severity has been determined, they’ll know what predefined security protocols need to be followed, including who needs to be alerted. After analysis, and ensuring all the evidence has been noted down (no one likes an evidence stomper), they get started on eradication. They’ll put that fire out, secure what needs to be secured, and ensure outside actors are locked back out.

Next, they’ll need to notify anyone who needs to be notified. Depending on the organization (and the nature of the attack), this might include managers, executives, or customers.

Once incident responders feel things have been resolved, and they've informed all the right people, it’s time for the incident responders to write the post-mortem. They’ll talk about what happened, and most importantly, lessons learned. What could have prevented this? What can be added to prevent this from happening in the future? Document it out and inform people as needed. 

“That's why I think of it like a firefight,” says Colin. “Because it kind of is.”

As with many IT careers, there isn’t one true way to get into cyber security incident response. There are common paths that IT professionals can take, but an important first step to pursuing any cybersecurity role is to establish foundational knowledge. You’ll need a basic understanding of computers, networking, protocols, and programming. Getting your head in the clouds with some fundamental cloud computing knowledge will help, as will taking every opportunity you can to get hands-on with the learning experience.

But what about other skills that can help you succeed in cyber security incident response?

Good communication skills, particularly when dealing with stressful situations, are critical for cyber security jobs. You’ll find yourself constantly asking other teams to check on something for you. You may even need to wake people up in the middle of the night. It’s critical that you can be clear and concise—ask for exactly what you need—to resolve the situation promptly.

Cyber security incident response requires gathering evidence, creating documentation, and writing post-mortem reports. Often post-mortems get written up to provide a summary that can be shared internally. You’ll want to have caught all the details needed when dealing with the incident, and know how to present the important facts. What happened? Why did it happen? How did we resolve it? And how can we prevent it from happening again? 

If you can boil it down to those things, you're doing pretty well.

This one sounds obvious, but in order to spot what’s out of place, you’ll first need to know where everything belongs. Organizations will be set up with different infrastructures, but having general knowledge of networking, and keeping up to date on systems, will help you stay on top of things when you need to jump into action.

The most important thing you can do in cyber security incident response is stay calm. Think of a building on fire; people are running around screaming or in shock. If the firefighters show up and also start running around, screaming, and waving their axes around, that’s not helping anything. A measured approach to any situation is always going to be the best solution.

Are you ready to step up to cyber security incident response? Measure your Incident Response Skills IQ and check out our incident responder role-based learning path. Colin also recommends Incident Detection and Response: The Big Picture for more insights into what the role entails.

There are great community resources available if you’re interested in dipping your toes into the broader world of cybersecurity, too. Bleeping Computer can help you keep on top of any cyber security incidents in the wild that you should be looking out for, and there are books detailing security case studies, if you’re looking for more real-world examples.

And if you want to learn more from Colin, check out his course Protective Technology with Pi-hole. You’ll learn how to set up a Pi-Hole in your home or business and block unwanted advertisements and tracking data about your internet-connected devices.