Hey, so I’m not sure who needs to hear this, but there’s a debate in cybersecurity as to whether incident response can even *be* an entry-level job. I won’t even wade into that, but at a minimum, to do traditionally defined DFIR / incident response you need some fundamentals. (thread)
An “entry-level” incident responder already has strong high-level knowledge of security concepts like how hackers work, common attack and lateral-movement vectors, and ways systems can be infected / exploited.
They should also have moderate knowledge of disk, memory, and network forensics. Being able to analyze evidence and figure out if and how a computer was infected is an important part of our jobs.
Of course, this means good foundational knowledge of how computers and orgs work. From how the internet, packets, and networks work, to how operating systems, system administration, ops, scripts, and programs work. That’s needed to understand and analyze how incidents happened.
After *all that* comes the incident response and handling skills - IR methodology, investigation processes, time-lining, report writing, and presenting findings. Those are crucial, but the tech and experiential fundamentals glue them all together.
I *personally* think it’s totally possible to create a training pipeline that takes someone off the street and gets them to this end state. But first, both employers and candidates have to realize there *is* a substantial pipeline with a lot of requisite skills and ops exposure.
I’m not trying to turn this into a “can you / can’t you” debate on entry level DFIR. However, I see more candidates and orgs trying to put people into IR roles without the tools they need. We should do much better at getting people the training and experience they deserve. (FIN)
More from @hacks4pancakes

8 Oct
SOC alert triage analysts, learn to threat hunt...
A lot of people are up in my DMs upset about this because they think I’m overselling ML. I’m really cynical about ML. However, machine-aided automation has definitely reduced the manual work in security ops in the past 15 years. The job I did back then would be almost unrecognizable.
Good security teams and vendors have made a definite push to automate simple and repetitive tasks and rightly so. This goes for detection and triage. Playbooks, automated workflows, smarter SIEMs, better event correlation and statistics in bigger indexed data sets.
6 Oct
I totally agree with the fury about home security companies not considering DV as a threat in their advertisements, but let’s be honest - they already designed systems that can be configured to push a notification when a specific person enters or leaves the home, so...
Much like car anti-theft tracking systems, home security installs have always been usable by DV perpetrators because of poor consideration of account separation and individual protection, and I hardly ever see anyone talking about either one.
Always, always consider DV in your physical or digital security system design. If you build it, they will come. Privileged security tools are often wonderful human monitoring appliances.
4 Aug
Grab a bag of M&Ms. Put them in a bowl. Let’s pretend that green ones are infected people. Pull out all green ones but a couple.

Close your eyes and start pulling out M&Ms. Check the colors. The more you check, the more clear it becomes that there are a low number of green M&Ms.
Now, add a bunch of green M&Ms back. Start pulling M&Ms out blindly again. You will notice that now a lot of the M&Ms you grab are green. It’s obvious that there are a lot of green M&Ms in comparison to other colors. The ratio has clearly changed.
Checking *more* M&Ms has not changed the fact that if there are more green M&Ms, you pull more out randomly from the bowl.

The *percentage you identify* of green M&Ms to other colors has to do with how many were in the bowl, not how many times you checked another M&M.
21 Jul
I think the most numbing part of the last year is that I’ve kept making really unpleasant predictions, and very smart authority figures I respect continually reassured me I was wrong. The pandemic. Lockdowns ending too early. Vegas. Disney. The protests. I haven’t been wrong yet.
After the election, my dad shrugged quietly and told me, “science and reason will always exist in my house”.

For the indefinite future, I can only see my dad masked, outside, and briefly anymore, for his own safety.
This isn’t an “I told you so”. I wanted to be wrong about everything.
Wear a mask.
Distance.
Take care of your neighbors.
Be informed and care about your nation.
Vote.
16 Jul
STORYTIME: I once worked an IR case which ended up being an org substantially compromised by an advanced adversary when an employee was spear phished on his *personal* email using pretext surrounding his previous job at another company. He was logged in on his work PC.
The org that paid a boatload for IR and had to do lots of cleanup was never the intended target. They were just an unintended victim whose system was exploited through webmail as part of a campaign against an unrelated company.
The adversary still did extensive recon, password theft, and moved laterally through their network because they likely didn’t know where they were at first, and once they figured out where they were, likely decided it was a windfall to have a foothold somewhere else. Opportunism.
8 Jul
Here’s a scary thing about dealing with the Chinese or Russian gov as a state adversary:
If you talk to any one of us who has spent our career dealing with them, we will give you a slightly different picture and think our findings and experiences are the scariest.
It’s because their plans are so big and so long term. We aren’t used to that kind of long game as a culture. We each see vignettes. They impact us profoundly. Mere parts of the model. We are talking about plans that cross every sector and span decades.
Until you start to wrap your head around the scale, you’re dealing with tactics, not strategy or logistics.