Hey, so I want to talk about something that riles up or disheartens a lot of junior cybersecurity people and raises questions about gatekeeping, my perspective, and why I don't think it's as catastrophic as it looks from the outside. It has to do with the experience required to do IR.
There is an unwritten set of rules that is constantly bandied about by senior DFIR people, and they go something like this:

"To do IR, you need 1-2 years of experience in cybersecurity (usually SOC)"

&

"To lead IR engagements you need 1-2 years of experience in DFIR"
OK, so is this gatekeepy? If you make it a static part of your hiring process, probably. Is it a bad guideline? No, and that's not so bad.

Let's talk about what Digital Forensics and Incident Response (DFIR) entails.
DFIR is really two disparate job roles in one. The digital forensics portion is analytic and methodological investigation. Incident response is crisis management.

Let's talk about the digital forensics part. That part a college or course or apprenticeship can mostly teach.
I can take somebody almost off the street with good computer fundamentals and put them to work doing routine forensics processes. In fact, that helps me a ton as a senior person and educates the junior person as they watch the case unfold.
Sure, there is nuance and a variety of tools, but a large portion of routine forensics can be processized pretty well. So, there's a lot of opportunity for junior people to get involved in DFIR that way. The investigative and IR elements, however, are different.
So why do we say we'd like to see junior IR people do some time in a NOC / SOC / TOC (like many of us) before they move into that role? Well, because incident response (I'm not talking event triage, but actual incident response) has a lot of variety and scope. Cases are unique.
So a couple of years of experience in just seeing a big, constant array of events, false positives, escalated incidents and their outcomes, and security tools can be a great boon to leaving static workflows and orchestration and thinking through odd scenarios and requirements.
Now, let's talk about the one regarding doing a year or two as a junior incident responder before handling big incidents solo.

Again, this isn't hard and fast, but it's a solid plan!

First, incident response is a puzzle. At the start, you only see a few pieces of a big picture.
Experience in security monitoring and IR at a junior level helps you see the big picture using fewer pieces to begin with, because you've seen so many before. In IR, I often have to make snap judgement calls about risk and human safety based on very little evidence and info.
I'm able to make those snap decisions solo simply because I have Seen A Lot of Crap. I am also able to identify my own biases well because I've run into them and learned the hard way many times before in my career. This is simply a skill that will grow with you over time.
Also, IR - particularly consultant IR - is crisis management. I'm having to make these decisions based on the evidence and corroboration I have, and present my recommendations scientifically and with confidence to often panicking, litigious, or angry stakeholders. It's stressful.
So, that confidence and experience just comes with time. It's not something that can really be taught academically. It's like police detective work.

But that's okay. Because it's part of the journey, and your employer and mentors should present it as such.
Just because you aren't leading IR engagements doesn't mean you aren't making immensely helpful contributions by doing the routine forensics tasks, or note-taking, or handling evidence collection. If you pay attention to the case and decision making, it's also very educational.
And just because you're a SOC analyst and handling the ticket mill-triage farm for a couple years, that doesn't mean you aren't gaining DFIR skills right now! You are, every day - every time you learn to recognize a new false positive, or learn a new security tool, or escalate.
You should be constantly learning to achieve that next level, and if your workplace, manager, and mentors are not facilitating that education and pipeline, and discussing it with them doesn't help, it might eventually be time to leave.
I know this is a frustrating thread for a lot of junior people out there, but:
- You are contributing by helping and growing!
- There is a path ahead for you into senior DFIR
- I did ~2 years in a SOC and ~2 years in IR before I led engagements on my own, like many, many others.
- Remember what I said about seeing the puzzle with only a few pieces. Every single thing you learn in cybersecurity and being a part of triage or incident response will help you be better at identifying the big picture with only a little evidence and context. Constant exposure.

Thread by Lesley Carhart (@hacks4pancakes)