The cybersecurity skills gap continues to haunt IT leaders. Troublingly, incident response -- the boots-on-the-ground discipline within infosec -- has not gone unaffected. Training and tooling up incident response teams is critical for enterprises, which need to have a plan of action for not if but when a breach occurs.
"I consider this particular area of security to be the most challenging by far, but it is also the most fulfilling," said Nick Mitropoulos, global security operations and engineering manager at professional services firm Alvarez & Marsal.
Mitropoulos, who has more than 14 years of experience in incident handling, authored GCIH GIAC Certified Incident Handler All-in-One Exam Guide to help security practitioners better understand the tools, processes and techniques of incident response. The book serves as a roadmap for incident detection, response and remediation and includes resources, practice questions and an exam index to help candidates confidently prepare for the certification exam.
Here, Mitropoulos details his experience obtaining the Global Information Assurance Certification (GIAC) Certified Incident Handler (GCIH) advanced cybersecurity certification and offers additional insights on the incident response career path.
Editor's note: This transcript has been edited for length and clarity.
What knowledge is measured in the GIAC GCIH certification process?
Nick Mitropoulos: The primary objective of the certification is to ensure individuals have enough knowledge and context around advanced threats. This includes how network and application attacks take place, as well as how attackers leverage open source intelligence and other information to gain valuable knowledge about a target.
The certification covers specific sets of commands used to check if systems are under attack and to determine what actions an attacker took in those systems. Incident response tooling is also presented throughout the book to help readers understand how attackers leverage those tools -- and how defenders can respond to those types of attacks.
How does this certification add value to a candidate's current or prospective employer?
Mitropoulos: Hiring or retaining an individual with GIAC Certified Incident Handler certification means the employer is getting someone who is well versed in how attackers infiltrate businesses. Some exam questions require candidates to perform practical tasks. In completing those labs, candidates demonstrate they know exactly what to do and in what order to perform proactive incident response. The value to an employer comes from the candidate's combination of a proven theoretical background with practical skills.
How much professional experience should someone have before pursuing this certification?
Mitropoulos: There is no set amount of professional experience needed to be adequately prepared for the exam. However, it is beneficial to have a solid networking background or some security exposure. 'Newbies,' as we call them, will just find it more difficult. They will need to cover the basics before they start preparing for the exam, including common networking protocols and attack vectors.
What study habits helped you obtain your GIAC GCIH certification?
Mitropoulos: The first element required is patience. With an exam of this magnitude, I wouldn't rush someone to take it until they're feeling adequately prepared. Time management is also crucial. Putting a plan of action in place regarding when an individual would like to take an exam is beneficial. Also, determine how to prepare -- whether that's using the labs throughout this book or a subscription to an online program, such as a cyber range or Hack The Box -- to add more experience.
Whichever resources they choose to study with, I would highly recommend that exam-takers create a solid index, such as the one included in the appendix of GCIH GIAC Certified Incident Handler All-in-One Exam Guide. The exam is open book. However, to be adequately prepared, people need to have an index of all the different materials they're using. The benefit is it saves them from wasting time searching through reference materials. When the time comes and they need to reference a particular term, they know exactly which book mentions it on which page.
Which exam topics or domains do you find most challenging for test-takers?
Mitropoulos: It heavily depends on the skill set and experience of each candidate. Many people with heavy networking or network security analysis experience often find web application attacks quite difficult to understand. I would highlight Chapter 9, which relates to web application attacks, as a place of focus for them to acquire enough knowledge. Other candidates struggle with types of malware and how malware infects a machine, in which case going over Chapters 10 and 11 in detail would be more beneficial.
What soft skills do all the best incident handlers have?
Mitropoulos: The ability to work well under pressure is a predominant skill needed to offer effective incident response services. The ability to interact with different types of audiences, including stakeholders, is also key. There can be significant pressure to perform responses in tight windows of opportunity. Especially in cases with more severe incidents, we have management breathing down our necks; potential -- or multiple -- clients might be in play in the incident. It's necessary to work in tandem with leadership from our side and with internal teams to respond and assist affected clients. There may be between 10 and 20 people responding to large-scale incidents, who all need to be ready to move at the drop of a hat.
Incident response is a constantly evolving area of expertise. Incident responders need to have an inquisitive nature and a willingness to learn -- the best ones constantly seek to learn new information, technologies and tools. People can learn, evolve and gain experience by shadowing a colleague, learning from a client team, taking a course, pursuing a certification or reading a book like this one.
Why should someone pursue a career in incident response?
Mitropoulos: There is nothing more difficult in security than working as an incident handler. This difficulty makes it quite unique, which is appealing to people in security. I've never seen a person doing this job -- not a single person in my life -- who has been doing it for the money. Everyone does it for a higher calling. They feel a need to help others; they want to help organizations get through a difficult time.
I've seen some of the most brilliant incident handlers develop customized tools and release them to the community on GitHub. There's an innate need to lend a hand to others and give back to the security community. Many participate in conferences or share what they've seen in the field. That spreading of knowledge is amazing.
What broader security considerations or trends do incident response teams need to keep top of mind today?
Mitropoulos: With the coronavirus, we've seen an uptick in trying to attack the remote operation of networks. Instead of attacking the infrastructure within an environment, like an office, adversaries attack specific software. For example, conferencing or remote access software are primary targets.
At the same time, they're also trying to leverage social engineering attacks. Vishing and smishing have increased in combination with traditional phishing emails. Such attacks may say, 'Click on this link to get information about COVID deployments around the world,' or 'Download this attachment, which details how COVID has propagated within an area of interest or within a set time frame.'
The timely element of the coronavirus's spread is repeatedly used by attackers to fool victims into giving up network credentials or providing other types of information that would give them an advantage on how to attack a particular organization.
About the author
Nick Mitropoulos is the global security operations and engineering manager at Alvarez & Marsal. He has more than 14 years of experience in security training, cybersecurity, incident handling, vulnerability management, security operations, threat intelligence and data loss prevention. He has worked for a variety of organizations, including the Greek Ministry of Education, AT&T, F5 Networks, JPMorgan Chase, KPMG and Deloitte and has provided critical advice to many clients regarding various aspects of their security. He is SC/NATO security cleared, a certified (ISC)² and EC-Council instructor, a Cisco champion and a senior IEEE member, as well as a GIAC advisory board member. He has an MSc, with distinction, in advanced security and digital forensics from Edinburgh Napier University. He holds more than 25 security certifications, including GCIH, GPEN, GWAPT, GISF, Security+, SSCP, CBE, CMO, CCNA Cyber Ops, CCNA Security, CCNA Routing & Switching, CCDA, CEH, CEI, Palo Alto ACE, Qualys Certified Specialist in AssetView and ThreatPROTECT, Cloud Agent, PCI Compliance, Policy Compliance, Vulnerability Management, Web Application Scanning, and Splunk Certified User.