A firefighter would be working in the Cyber Security Incident Response Team (CSIRT). Any company with an online presence makes it a vulnerable global target to cyber threats with a challenging cyber-attack landscape pursued by an intelligent and evolving enemy.

Incident response (IR) is a structured methodology for handling security incidents, breaches, and cyber threats. A well-defined incident response plan allows you to effectively identify, minimize the damage, and reduce the cost of a cyber attack, while finding and fixing the cause to prevent future attacks.

During a cybersecurity incident, security teams will face many unknowns and a frenzy of activity. In such a hectic environment, they may fail to follow proper incident response procedures to effectively limit the damage. This is important because a security incident can be a high-pressure situation, and your IR team must immediately focus on the critical tasks at hand. Clear thinking and swiftly taking pre-planned incident response steps during a security incident can prevent many unnecessary business impacts and reputational damage.

Links with the CyberEPQ Modules

• 6. Intrusion Detection and Analysis, Incident Investigation and Analysis
• 9. Information Security Identity and Access Management
• 11. Risk Assessment and Management and Information Security Governance and Management

What does a Firefighter do?

A Fire-fighter is expected to detect and respond to cyber security incidents. As a firefighter you will continually grow your skills and experience. When not responding to incidents, you may be working to build in-house incident response capabilities, which may include; building and developing cyber response tools, authoring and adapting runbooks/playbooks, assessing the incident response maturity, and assisting in table-top cyber scenario exercises.

A firefighters main roles may include running thorough investigations of external cyber threats throughout the incident response (IR) cycle to protect customers, employees and brand. A firefighter may be expected to cross information from different security controls and collaborate with relevant teams and third parties to run analysis which reach accurate findings.

You can help your team perform a complete, rapid and effective response to a cyber security incident by having a comprehensive incident response (IR) plan in place. In addition, completing an incident response plan checklist and developing and deploying an IR policy will help before you have fully developed your IR plan.

The first priority is to prepare in advance by putting a concrete IR plan in place. Your organization should establish and battle-test a plan before a significant attack or data breach occurs. It should address the following response phases as defined by NIST Computer Security Incident Handling Guide (SP 800-61).

• Preparation: Planning in advance how to handle and prevent security incidents
• Detection and Analysis: Encompasses everything from monitoring potential attack vectors, to looking for signs of an incident, to prioritization
• Containment, Eradication, and Recovery: Developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery
• Post-Incident Activity: Reviewing lessons learned and having a plan for evidence retention

What are companies looking for?

• Highly analytical people with the right mindset to think as a cyber criminal and the ability to understand data flows, access mechanisms and infer conclusions, could be more important than knowledge.
• Team player – IR is a team effort by definition
• Work well in fast changing environment with interfaces to both internal and external teams.
• Independent and self-motivated to overcome new challenges,
• Highly verbal and written English communications skills.
• Hands on - Coming across new systems is an everyday task which requires dynamic and adaptive person
• Flexible and multitasking, able to cope with changes in assignments.
• Discipline, diligence and accuracy.
• Integrity – dealing with sensitive cyber security incidents requires facing both good and bad points when operating in an IR team.

UK Earning Potential

Upwards of £35,000 depending on geography, experience and definition *

* source: Indeed March 2020

References

Luke Voigt, Sept 2018, Incident Response Steps: 6 Tips for Responding to Security Incidents, viewed 11 March 2020

Learn more about the Seven Personae of Cyber