Puneet Khandelwal, a senior incident response analyst at Gradient Cyber, a cybersecurity consulting start-up, fills us in on the role incident responders play in protecting an organization's sensitive data. Read on to learn about the everyday responsibilities of an incident responder, the challenges they face, the six steps of incident response for any attack, and how organizations can address the widening skills gap in the industry.
I began my journey in cybersecurity as a security analyst. This role involved monitoring the day-to-day network traffic of our clients, researching new attack methodologies and vectors, and writing reports and bulletins for the clients. My role has now shifted to incident response and forensics.
Let's say an employee gets a phishing email and they click on a malicious Excel file, Word document, or link. Then malware is downloaded onto the system, infecting the machine, and eventually the whole organization. When this happens, it's the incident response (IR) team that gets called in. They will do a thorough investigation of all the systems, try to identify the first machine that got infected, and pinpoint the root cause of the infection. They will also find out when the infection actually occurred, how serious it is, and whether it is ongoing. Once this is done, they will analyze the best ways to contain the infection.
After finding the root cause, the responders try to eradicate the malware or the malicious files from the system. There are multiple tools and solutions available on the market that enable incident responders to do this effectively.
IR teams also work on forensics, wherein we collect digital evidence of everything that occurred.
There are two hurdles we commonly face.
There are two approaches to cybersecurity: proactive and reactive. Most cybersecurity techniques are reactive. Only after an incident happens do you react: conduct an investigation, perform forensics, identify what is wrong, what is missing, and so on. With the proactive approach, you try to stop an attack before it happens.
ML and AI are based on identifying behavioral patterns in the network, and help with proactive security. The ML algorithms depend on a large set of test or training data. Attackers will try to circumvent the ML measures you have put in place. So you have to do continuous testing to evaluate the performance of your anomaly detection engine.
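The continuous-testing loop described above, as an added example that is not part of the interview or of any Gradient Cyber tooling: a per-host baseline anomaly detector for connection counts, scored against labelled test data at several thresholds. The host names, training counts and labels are all constructed; the "low and slow" test row shows the kind of activity that sits under a threshold and is why the engine has to be re-evaluated rather than tuned once.

```python
"""Baseline anomaly detector for per-host connection counts, plus the
evaluation loop used to re-check it. Example code written for this page;
every host, count and label below is constructed, not from a real network."""
import statistics
from dataclasses import dataclass

# Constructed training data: connections per hour from each internal host
# during a quiet baseline window (the "training data" the engine learns from).
TRAINING = {
    "ws-01": [12, 15, 11, 14, 13, 16, 12, 15, 14, 13],
    "ws-02": [40, 38, 45, 42, 41, 39, 44, 43, 40, 42],
    "db-01": [5, 6, 5, 4, 6, 5, 5, 6, 4, 5],
}

# Constructed labelled test set: (host, connections this hour, is_malicious).
# The labels stand in for what an in-house lab would supply.
TEST = [
    ("ws-01", 14, False),
    ("ws-01", 90, True),    # obvious burst, easy to catch
    ("ws-02", 41, False),
    ("ws-02", 120, True),
    ("db-01", 5, False),
    ("db-01", 30, True),
    ("ws-02", 60, False),   # legitimate backup job: a false-positive risk
    ("ws-01", 17, True),    # "low and slow" activity that stays near baseline
]


@dataclass
class Baseline:
    mean: float
    stdev: float


def build_baselines(training):
    """Per-host mean and population standard deviation of the training window."""
    return {host: Baseline(statistics.mean(v), statistics.pstdev(v))
            for host, v in training.items()}


def zscore(baseline, value):
    """How many standard deviations the observation sits above the baseline."""
    if baseline.stdev == 0:
        return float("inf") if value != baseline.mean else 0.0
    return (value - baseline.mean) / baseline.stdev


def is_anomalous(baselines, host, value, threshold):
    """Flag when the observation exceeds `threshold` standard deviations."""
    baseline = baselines.get(host)
    if baseline is None:
        return True  # never-seen host: surface it for review
    return zscore(baseline, value) > threshold


def evaluate(baselines, test, threshold):
    """Score the engine on labelled data.
    Returns (precision, recall, false_positive_rate)."""
    tp = fp = fn = tn = 0
    for host, value, malicious in test:
        flagged = is_anomalous(baselines, host, value, threshold)
        if flagged and malicious:
            tp += 1
        elif flagged and not malicious:
            fp += 1
        elif not flagged and malicious:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return precision, recall, fpr


def sweep(baselines, test, thresholds=(2, 3, 5, 10)):
    """Re-run the evaluation at several thresholds; this is the step that
    gets repeated whenever new labelled traffic arrives."""
    return {t: evaluate(baselines, test, t) for t in thresholds}


if __name__ == "__main__":
    baselines = build_baselines(TRAINING)
    for t, (p, r, f) in sweep(baselines, TEST).items():
        print(f"threshold={t:>2}  precision={p:.2f}  recall={r:.2f}  fpr={f:.2f}")
```

Lowering the threshold catches the near-baseline row but also flags the backup job; raising it clears the false positive but misses the quiet host. Neither setting is right forever, which is the point of keeping the labelled set current and re-running the sweep.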
Yes, we create rules. We research different methodologies criminals use to carry out attacks. MITRE ATT&CK, for example, is a framework that helps us understand the behavior of attackers. It has a comprehensive list of the techniques and sub-techniques used by cybercriminals. We also have our in-house lab, which we use to identify patterns in case we do not find the code on the internet. We create rules for several types of attacks this way. We also write rules for east-west traffic (the internal traffic of an organization) as well as for internet traffic. We also write rules for our IDS systems.
Say you're an employee who has returned from the holidays and opens your system to see that all files are encrypted, and you are unable to access any of them. Then you see a text file on the desktop. It is a ransom note. You will contact your supervisor, who will reach out to your in-house security team. If your in-house security team says it does not have the capability to deal with this, you will call seasoned incident responders. Small companies usually don't have specialized incident response teams. Bigger companies that can afford them have in-house SOC teams.
An incident response plan is carried out in six stages:
A SIEM solution can be used from the identification stage through to the recovery stage.
For any organization, false positives are always a concern. An analyst's job is to identify anomalies in network traffic. Even if they do have an automated alert system in the background, based on some pattern, they will need to identify whether the alert is worth investigating or is a false positive. Ninety percent of the time, it is a false positive. False positives never go away. But organizations can aim to reduce them by 30-40% using a SIEM solution so that a person who normally spends six hours can now spend only three hours on them.
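The two points above, rule-writing for east-west traffic and reducing the false positives an analyst has to wade through, as one added example that is not code from the interview or from Gradient Cyber: a single detection rule run over constructed flow records, with the tuning allowlist that removes a known noisy source. The addresses, timestamps, the 10.0.0.0/8 internal range, the authorised scanner address and the ATT&CK mapping on the rule are all assumptions made for the example.

```python
"""Signature-style rule for east-west (internal) traffic, run over constructed
flow records, with the tuning allowlist that cuts false positives.
Example code written for this page; the log lines and addresses are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow log: timestamp, src, dst, dst_port. Not from a real network.
FLOWS = """\
2021-06-01T09:00:01 10.0.1.5 10.0.2.10 445
2021-06-01T09:00:02 10.0.1.5 10.0.2.11 445
2021-06-01T09:00:03 10.0.1.5 10.0.2.12 445
2021-06-01T09:00:04 10.0.1.5 10.0.2.13 445
2021-06-01T09:00:05 10.0.1.5 10.0.2.14 445
2021-06-01T09:00:10 10.0.9.9 10.0.2.10 445
2021-06-01T09:00:11 10.0.9.9 10.0.2.11 445
2021-06-01T09:00:12 10.0.9.9 10.0.2.12 445
2021-06-01T09:00:13 10.0.9.9 10.0.2.13 445
2021-06-01T09:00:14 10.0.9.9 10.0.2.14 445
2021-06-01T09:00:20 10.0.1.7 10.0.2.10 445
2021-06-01T09:00:21 10.0.1.7 93.184.216.34 443
2021-06-01T09:30:00 10.0.1.5 10.0.2.20 445
"""

# Assumed internal address space; east-west means both ends are inside it.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed tuning list: the authorised vulnerability scanner that would
# otherwise trip the rule on every scheduled run.
ALLOWLIST = frozenset({"10.0.9.9"})

# One rule: a source touching many distinct internal hosts on SMB in a short
# window. The ATT&CK technique shown is the mapping assumed for this example.
RULE = {
    "name": "Internal SMB fan-out",
    "technique": "T1046 Network Service Discovery",
    "port": 445,
    "min_distinct_dsts": 5,
    "window_seconds": 60,
}


def parse_flows(text):
    """Turn the whitespace-separated log into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def run_rule(records, rule, allowlist=frozenset()):
    """Return alerts as (src, first_seen, distinct_destination_count).
    Only east-west flows on the rule's port count; allowlisted sources are tuned out."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port != rule["port"] or not (is_internal(src) and is_internal(dst)):
            continue
        if src in allowlist:
            continue
        by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        # Sliding window: from each event, count distinct destinations reached
        # within window_seconds. One alert per source is enough for triage.
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:]
                    if (t - start).total_seconds() <= rule["window_seconds"]}
            if len(dsts) >= rule["min_distinct_dsts"]:
                alerts.append((src, start.isoformat(), len(dsts)))
                break
    return alerts


def false_positive_reduction(records, rule, allowlist):
    """Percentage of alerts the tuning list removes for this rule on this data."""
    before = len(run_rule(records, rule))
    after = len(run_rule(records, rule, allowlist))
    return 0.0 if before == 0 else 100.0 * (before - after) / before


if __name__ == "__main__":
    records = parse_flows(FLOWS)
    for src, seen, n in run_rule(records, RULE, ALLOWLIST):
        print(f"[{RULE['name']} / {RULE['technique']}] {src} reached {n} hosts from {seen}")
    print(f"tuning removed {false_positive_reduction(records, RULE, ALLOWLIST):.0f}% of alerts")
```

Untuned, the rule fires on both 10.0.1.5 and the scanner; with the allowlist only 10.0.1.5 remains, and the later 09:30 connection from that host falls outside the window and does not add to the count. The reduction figure is what you would track over time to see whether tuning is actually buying back analyst hours.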
There is a need for proper training. We interview a lot of people here, and I've seen people who say they have three to four years of experience and have completed certification courses. But when you ask them to perform tasks as part of the recruitment process, they are unable to execute them. For one cybersecurity position, you get 700-1000 applications. But skilled people are limited in number. The practical knowledge most professionals possess is insufficient. To pick up practical knowledge, I would recommend they do online challenges. There are multiple websites where they can advance their skills and learn multiple tools.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.