Incident Response
Role overview
Incident Response is the preparation for, handling of and follow-up to cyber security incidents, so as to minimise the damage to an organisation and prevent recurrence.
The shape of Cyber Incident Response depends on the organisation and the scale of the threat it faces; there may be several or many apparent incidents every day which need handling. Once a response is in progress, the responders need to understand what is happening, so that damage is minimised and the attack is stopped. Incident Response then analyses the causes and proposes changes to stop the same kind of incident happening again.
Throughout this, Cyber Incident Response works closely with colleagues in the cyber security team, and with colleagues in other departments too. It is essential to remain calm, ensuring clear and timely communication with everyone who needs to know what is going on. Finally, it is vital that every significant event and action is logged, so that lessons can be learnt and the response to the next incident is even more effective.
In some roles, Cyber Incident Response may configure and maintain system and network monitoring software and hardware. Quieter days may involve drafting or agreeing policies and procedures for handling incidents, or planning and carrying out exercises to test these.
Role levels
Typical role expectations
At this role level, you might:
- respond to alerts from monitoring/detection systems within defined SLAs
- following procedures, respond to and/or escalate cyber security incidents
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- maintain logs of all actions taken
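Two of the expectations above, responding to alerts within defined SLAs and keeping a log of every action taken, lend themselves to a small tool. The following is an added example, not code from the original page or from any organisation it describes: it checks an alert's acknowledgement time against a constructed severity-based SLA table, and keeps a hash-chained action log so that a later reviewer can detect if an entry has been altered or dropped. The SLA values, actor names and actions are assumptions made up for the example.

```python
"""Added example: SLA check for alert acknowledgement plus a tamper-evident
incident action log. Not from the original page; all values are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def minutes(n):
    """Helper so callers can express durations without importing timedelta."""
    return timedelta(minutes=n)


# Constructed SLA table (assumption): maximum time to acknowledge an alert.
ACK_SLA = {
    "critical": minutes(15),
    "high": minutes(60),
    "medium": minutes(240),
    "low": minutes(24 * 60),
}

# A fixed reference time so the example is reproducible offline.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def ack_within_sla(severity, raised_at, acked_at, sla=ACK_SLA):
    """Return (met, overrun): whether the acknowledgement met the SLA for this
    severity, and by how much it overran (zero when met)."""
    limit = sla[severity.lower()]
    elapsed = acked_at - raised_at
    return elapsed <= limit, max(elapsed - limit, timedelta(0))


GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body):
    """SHA-256 over a canonical JSON encoding of the entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class ActionLog:
    """Append-only log where each entry commits to the hash of the one before it,
    so editing, reordering or deleting an entry breaks the chain on verify()."""
    entries: list = field(default_factory=list)

    def record(self, actor, action, at=None):
        at = at or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "actor": actor,
            "action": action,
            "prev": prev,
        }
        body["hash"] = _digest({k: v for k, v in body.items() if k != "hash"})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return the index of the first entry that fails the chain check,
        or -1 if every entry is intact and in order."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def build_sample_log():
    """Constructed incident timeline used to demonstrate the log."""
    log = ActionLog()
    log.record("analyst1", "acknowledged alert A-1", T0 + minutes(5))
    log.record("analyst1", "isolated host WS-17 from network", T0 + minutes(20))
    log.record("lead1", "escalated to incident manager", T0 + minutes(25))
    return log


if __name__ == "__main__":
    met, over = ack_within_sla("critical", T0, T0 + minutes(5))
    print("critical alert acked within SLA:", met, "overrun:", over)
    log = build_sample_log()
    print("log intact:", log.verify() == -1)
    log.entries[1]["action"] = "no action taken"  # simulate a later edit
    print("first bad entry after tampering:", log.verify())
```

The log is only tamper-evident, not tamper-proof: anyone who can rewrite every later entry can rebuild the chain, so in practice the head hash would be written out to a system the responder cannot modify (a ticketing record, a signed message to the incident channel) at the end of each shift.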
Typical role expectations
At this role level, you might:
- respond to alerts from monitoring/detection systems within defined SLAs
- use configured tools and scripts to identify potential cyber security breaches
- following procedures, analyse, respond to and/or escalate cyber security incidents
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- contribute to the development of incident response capabilities, policies and procedures
- maintain logs of all actions taken
Typical role expectations
At this role level, you might:
- analyse the source, nature and impact of breaches to support threat intelligence
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- analyse unexpected network or system events, assess their impact, and devise and implement actions to stop them
- manage the sharing of important information quickly and accurately
- contribute to incident management policies, and to investigation procedures and processes
Skills
Skill | Associate | Lead | Principal |
---|---|---|---|
Incident management, incident investigation and response | Practitioner | Practitioner | Expert |
Information risk assessment and risk management | Practitioner | Practitioner | Practitioner |
Intrusion detection and analysis | Working | Practitioner | Expert |
Threat intelligence and threat assessment | Working | Practitioner | Practitioner |
Applied security capability | Awareness | Working | Working |
Protective security | Awareness | Awareness | Awareness |
Threat Understanding | Awareness | Awareness | Awareness |
Core learning
Entry level
Certificate in Digital Forensics Fundamentals
CREST Practitioner Intrusion Analyst (CPIA)
EC-Council Certified SOC Analyst
Associate level
CREST Registered Intrusion Analyst (CRIA)
EC-Council Computer Hacking Forensic Investigator
CompTIA Cybersecurity Analyst (CySA+)
Lead level
CREST Certified Host Intrusion Core Analyst (CCHIA)
EC-Council Certified Incident Handler
BCS Certificate in Information Security Management Principles
Principal level
CREST Certified Incident Manager (CCIM)
Certified ISO 27001 Practitioner
CompTIA Advanced Security Practitioner (CASP+)
Accreditation
UK Cyber Security Council: Standard of Professional Competence and Commitment: Incident Response