So I have one year under my belt and I don't feel like I'm drinking from a fire hose anymore, just a regular hose (on full blast). I have gotten to the point where I want to move from just learning basics and start to focus on things, maybe one certain thing that an incident handler should know; I'm just not sure where to start. My day-to-day mostly has to do with network analysis, which has been great for leveling up my network skills, and very little endpoint. I don't know any scripting but have become good at finding PowerShell scripts and tailoring them for my environment. I know this is a loaded question and a lot of people will say it's too hard a question to answer, but any input to help me focus my time would be appreciated, thanks.
Not sure what your current skills are, but from my time in IR here are the things that I would recommend, a mix of hard and soft skills:
1. Work on learning PowerShell or Perl scripting to make creating automation tools easier
2. Get familiar with Wireshark and packet captures, if not already
3. Find good intel feeds and work on getting the company to take a more proactive rather than reactive stance
4. Foster relationships with other teams so that when that major event happens you have contacts to immediately pull together
5. Any tools that you don't manage, but have access to: work with the admins to learn as much as you can about the tool and the information you can get from it. I had a great ArcSight admin at my last job who taught me a lot of the basics of the tool, and the more I used it the better I was able to get the information I needed. Eventually, I got elevated permissions to the tool that allowed me to do even more.
Find an area of IR that you really like, or that sounds interesting, start studying up on it, and start networking with others that are in that area of IR. Things like pen testing, forensics, etc.
Hope this helps a little, and good luck in your IR journey.
I have been trying to stay in Wireshark most days, if for no other reason than to see what traffic is supposed to look like and get comfortable with it. I have touched on forensics a little bit and that did seem to be the most interesting so far. Your reply did help, thanks for taking the time; I know it's a big question.
Forensics looks glamorous on TV, not so much in real life. You HAVE to have keen attention to detail; be able to perform the same steps over and over, in a repeatable, predictable fashion; and know how to document what you find without putting your opinion in it. Unless you clearly state "It is the investigator's opinion that such and such happened..."
It can be a fun position, just know the best people in it really love details and being able to provide facts.
OK, so maybe not forensics, lol. It did look interesting, but I don't know how well I would do in a very detail-oriented position. Not that I'm sloppy, but it is not my best quality.
Don't get me wrong, I think IR people should definitely learn forensics at a basic level so they can be careful enough when performing the initial response not to accidentally destroy or alter evidence.
You should try different aspects of information security to find out what you like. I like it all, and that is why a CISO position suits me well. I would also learn some system administration stuff too. Knowing how something is supposed to work can help you determine why it didn't work as expected, or was violated by someone who got it to perform in an unexpected manner.
The key is to find what YOU like to do.