Cyber Work with Infosec: How to become an incident responder
In this episode of Cyber Work with Infosec, Chris Sienko interviewed Keatron Evans, Infosec instructor, managing consultant at KM Cyber Security, LLC and subject-matter expert.
Keatron discussed a wide range of issues related to becoming an incident responder (IR), including what piqued his interest in security, whether the milestones he faced still exist today, the day-to-day activities of an IR, what projects or activities an IR should be interested in, what certifications an IR should pursue, and more.
When did you become interested in computer security?
Keatron became interested in computer security through a series of milestones that unfolded progressively over time. Beginning as a PC technician, he eventually moved into networking, earned the Novell Certified NetWare Engineer (CNE) certification and worked mainly on the application and infrastructure side of things.
Later, at a conference, he learned about a compromised MIT lab and was handed a makeshift whitepaper on how the attack happened. This is the point where he was bitten by the information security bug. He started picking networking jobs that had a security aspect to them and eventually got a job in Wheaton, Illinois. During this time, Keatron brushed shoulders with Infosec founder Jack Koziol and the rest is history.
Are your milestones still presently applicable?
Keatron’s milestones are still applicable today, although he did take a slightly unconventional path. He started with foundational knowledge and skills; today, many opt for less foundational mastery but earn high-level professional certifications. This leaves a gap in the foundational knowledge that a security expert is expected to have, even though that expectation is unspoken.
Today, you can learn foundational knowledge and skills in parallel to security. The most important thing to remember is the old adage: “Luck is where preparation meets opportunity.” Keatron recommends over-preparing; this will help you to seize an opportunity when it presents itself.
What are the day-to-day activities of an incident response expert?
According to Keatron, this ranges from the management aspect of IR to handling the technical side when the response team is not as technically minded. He can perform his work from home most days, but sometimes he has to travel to other cities to support a 24/7 IR operation.
What projects or activities should an incident responder be interested in?
Keatron recommends problem-solving, even over certification skills. Problem-solving skills are key for this role.
Communication and interaction with people are his second recommendation, and for good reason. This is the soft side of IR skills that many still have not mastered. You need to know who to communicate with, when to communicate and even how to calm people down. Most organizations have not experienced a major attack, so calming people down is vital. It’s important that everyone keeps a cool head.
What certifications should you pursue?
According to Keatron, EC-Council’s Certified Ethical Hacker and GIAC’s Certified Incident Handler are your go-to certifications for IR.
His path began with penetration testing and ethical hacking, because knowing the attacker’s mindset gives you a better idea of how attackers will act when you are working in IR. From there, Keatron moved into more forensics-based certifications.
Do most companies have an in-house incident response professional, or is it more contract work?
Keatron mainly works on a contract basis, but there are some who work in-house in a dedicated role for a company. He says that it is smart to start working in-house for a company because often, when expertise is needed that the in-house team does not have, outside experts like him will be called in to help. Those new to IR will find that they can learn much from these outside experts.
What are some common mistakes incident response aspirants make and how can you avoid them?
When many enter an organization, they do not properly examine the current IR policies and procedures used by the organization and often find that their previous procedures violate the organization’s policies. Instead, aspiring IRs should put their knowledge and skills within the organization’s current framework and work with it.
Another common mistake is that new IRs do not conduct environment discovery of the organization. This includes points of ingress, points of egress and the number of devices in the environment. This is vital knowledge that even some organizations do not have, so if you find yourself in this situation, add some value by performing discovery.
What one action can you take today that moves you one step closer to incident response?
Hacking and penetration testing are the foundation for IR and forensics. With this said, start looking at BackTrack forums and other hacking-related forums. There are free hacking tutorials online that can be very helpful too.
Keatron also recommends getting Kali, running it in a virtual environment, taking one machine, learning all you can about one vulnerability and then moving on to others. It is helpful to get to know what the process of discovery, enumeration, vulnerability mapping and exploitation looks like. Lastly, he recommends learning how to perform an exploit against a server and client-side phishing until they become second nature.
All these recommendations will allow you to better understand the mindset of adversaries.
How do you expect incident response will change in the years to come?
Keatron sees cloud computing as the future of incident response, which means the days of onsite IR are numbered. He has seen four to five incidents in the last few months where his clients had compromised servers they did not want to shut down, so Keatron sent them emails with links to download an agent that allowed him to use the cloud to analyze images of their compromised servers. This took minutes, nothing like the hours of onsite work it took in the old days.
At the East Tennessee Security Summit in 2012, Keatron predicted that the cloud would be the pivot point for attackers, and this proved true.
Lastly, since attackers are very adept at covering their tracks on hard drives, analyzing memory dumps will be used more and more in the future.
Any final tips?
Keatron recommends that no matter what you are doing for preparation or learning, even simply trying to make a command work, don’t give up. Your organization will notice your tenacity, and this will end up being a feather in your cap, because constant learning and striving to stay ahead of attackers is what they are looking for in an IR.
Chris Sienko interviewed Keatron Evans in this podcast about how to become an incident responder. The podcast revealed much of the mindset and thought processes that this celebrated subject-matter expert has gone through and that have brought him to the pinnacle of IR professionals.
For more information or to watch this podcast yourself, you can watch it here.