Incident Response
Role overview
Incident Response is the preparation for, handling of and follow-up of cyber security incidents, with the aim of minimising damage to the organisation and preventing recurrence.
In this role, you will:
- The shape of Cyber Incident Response work depends on the organisation and the scale of the threat it faces; there may be several or many apparent incidents every day that need handling. Once a response is in progress, the responder needs to understand what is happening, so that damage is minimised and the attack is stopped. Incident Response then analyses the causes and proposes changes to stop the same kind of thing happening again.
- Throughout this, Cyber Incident Response works closely with colleagues in the cyber security team and with colleagues in other departments. It is essential to remain calm and to ensure clear, timely communication with everyone who needs to know what is going on. Finally, it is vital that every significant event and action is logged, so that lessons can be learnt and the response to the next incident is even more effective.
- In some roles, Cyber Incident Response may configure and maintain system and network monitoring software and hardware. Quieter days may involve drafting or agreeing policies and procedures for handling incidents, or planning and carrying out exercises to test them.
Typical role level expectations
At this role level, you might:
- respond to alerts from monitoring/detection systems within defined SLAs
- following procedures, respond to and/or escalate cyber security incidents
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- maintain logs of all actions taken
Typical role level expectations
At this role level, you might:
- respond to alerts from monitoring/detection systems within defined SLAs
- use configured tools and scripts to identify potential cyber security breaches
- following procedures, analyse, respond to and/or escalate cyber security incidents
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- contribute to the development of incident response capabilities, policies and procedures
- maintain logs of all actions taken
Typical role level expectations
At this role level, you might:
- analyse the source, nature and impact of breaches to support threat intelligence
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- analyse unexpected network or system events, assess their impact, and devise and implement actions to stop them
- manage the sharing of important information quickly and accurately
- contribute to incident management policies, and to investigation procedures and processes
Skills
Skill | Associate | Lead | Principal |
---|---|---|---|
Incident management, incident investigation and response | Practitioner | Practitioner | Expert |
Information risk assessment and risk management | Practitioner | Practitioner | Practitioner |
Intrusion detection and analysis | Working | Practitioner | Expert |
Threat intelligence and threat assessment | Working | Practitioner | Practitioner |
Applied security capability | Awareness | Working | Working |
Protective security | Awareness | Awareness | Awareness |
Threat Understanding | Awareness | Awareness | Awareness |
Accreditation link
https://www.ukcybersecuritycouncil.org.uk/media/y25hlfbu/contextualisation-incident-response-v2.pdf
Core Learning
Entry Level | Associate | Lead | Principal |
---|---|---|---|
Certificate in Digital Forensics Fundamentals | CREST Registered Intrusion Analyst (CRIA); Certificate in Digital Forensics Fundamentals | CREST Certified Host Intrusion Core Analyst (CCHIA); EC-Council Certified Incident Handler | CREST Certified Incident Manager (CCIM) |
CREST Practitioner Intrusion Analyst (CPIA) | EC-Council Computer Hacking Forensic Investigator | EC-Council Computer Hacking Forensic Investigator | |