Between traditional hackers and AI cybercriminals, cyber incidents are inevitable. It’s critical that businesses have a cyber incident response plan to manage breaches.

Cyber incident response management involves not only identifying and containing security breaches when they occur. It also means working to prevent breaches, develop response plans, and, in the event of an incident, prevent similar events from recurring.

Building an effective cyber response management plan requires skilled cybersecurity professionals across a variety of roles to create a unified cybersecurity team — incident response analysts, incident response engineers, and security analysts all have roles to play. Additionally, businesses need a consistent cybersecurity framework for detecting, containing, and mitigating a wide range of cybersecurity risks to keep their data and finances secure.

What Are the Key Aspects of a Cyber Incident Response Plan?

Cyber incident response plans include important steps to contain, limit, and mitigate threats. Cybersecurity expert Ramesh Nagappan explains how incident response plans should operate:

Ramesh Nagappan has been a cybersecurity practitioner for more than 25 years, working in database encryption, data protection, identity assurance, and cyber incident response. He’s taught at Harvard Extension School for more than 10 years.

“There should be a rapid response,” Nagappan says, to immediately stop the attack. “But there must also be a step-by-step plan. A ‘run-book’ that explains how to handle a response and who is involved, otherwise it will be a panic.”

IBM provides a helpful framework for incident response:

  • Preparation: Create a plan with clearly defined roles so cybersecurity, legal, and PR teams will know how to respond when an incident occurs. Document who will do what, create backups and failsafes, and keep legal and compliance in the loop.
  • Detection and Analysis: Skilled cybersecurity professionals are needed to correctly identify a range of security incidents. Once a clear pattern has emerged that signifies a cybersecurity incident, teams need to move quickly to correctly analyze and categorize the threat to determine a response. Detecting a threat could involve looking at traffic logs, network traffic, and application design.
  • Containment: Once a threat has been discovered and identified, security teams need to contain the threat to prevent data exfiltration and hijacking. It’s also critical to cordon off legitimate customers from illegitimate site traffic. 
  • Eradication: Once the threat has been contained, it needs to be eradicated from the system to prevent further infection.
  • Recovery: After a threat has been contained and eradicated, cybersecurity teams need to assess the damage. This includes recovering corrupt files, data, or documents following a cybersecurity event.
  • Post-Incident Review: Cyber incidents should be used as learning opportunities to introduce new safety controls. After an incident, IT teams should update the necessary systems or protocols to prevent a similar event from happening again and notify affected departments of the change.

What Is the Purpose of Cyber Threat Modeling?

Cyber threat modeling helps organizations proactively identify, assess, prioritize, and mitigate potential threats or vulnerabilities. 

“Threat modeling includes proactively strengthening defenses in anticipation of known threats, prioritizing security controls, and identifying the minimum security requirements needed,” Nagappan explains.

According to Nagappan, threat models should perform four key cybersecurity tasks:

  1. Identify threats
  2. Show how an attacker might exploit a weakness
  3. Rate all potential threats from highest impact to lowest impact (risk score)
  4. Create a document showing the current security posture (threats mitigated, risks accepted, assumptions made), share it with compliance, and perform due diligence

What Are Examples of Cyber Incident Response Team Roles?

Cyber incident response team roles include incident response analysts, incident response engineers, and security analysts. Each team member has specific skills and responsibilities to help properly identify, contain, and mitigate cyber incident attacks. 

With multiple differentiated roles on a cybersecurity team, CISOs and other cybersecurity leaders ensure that they have the depth of skill to address various attacks. A diverse team also makes it easier to give each person a clearly defined role in the event of a cyber incident — a key element of any successful incident response plan. 

Cyber incident response analyst

A cyber incident response analyst responds to known data breaches or data thefts. They conduct periodic reviews of security systems, run drills, and maintain security hygiene.

“These are the people who do detection and response and prepare the organization in terms of readiness,” Nagappan says. “They ask and answer questions like: ‘What are the potential indications of a compromised system? What led to the compromise? What kind of controls were absent?’”

To succeed in this role, analysts need a solid grasp of operating systems like Windows, Linux, and macOS, in addition to an understanding of cloud platforms such as AWS and Google Cloud. They also need to understand network protocols and know how to identify and analyze malware, recover lost or damaged files, and more.

Incident response engineer

An incident response engineer builds the eradication and recovery protocols around security breaches.

“Say a major website is compromised, but some legitimate customers are now listing service because of an attack,” Nagappan says. “The incident response engineers isolate the illegitimate traffic, but keep the legitimate customers on the site.”

While this role is critical in providing a rapid response to an incident, Nagappan says it’s just as important that incident response engineers develop proactive strategies, too.

“Incident response engineers need to do proactive security thinking. They shouldn’t stop at, ‘okay, I have the remediation, I have the short-term fix for the problem,’” he says. “They need to refactor the application or environment and enforce preventative controls.”

According to Boston-based cybersecurity company Cynet, primary skills for this role include familiarity with operating systems and cloud platforms, knowledge of network protocols and analysis tools, and an understanding of malware analysis and forensics.

Security analyst

A security analyst is an “all-around” cybersecurity professional who conducts security design and analysis. Like anyone involved in risk assessment, security analysts need to identify the security requirements for a particular application and make threat models and response plans.

A security analyst should have a strong understanding of their business domain, including the security requirements needed for data protection, access control, and compliance. 

Security analysts commonly use SIEM platforms, endpoint detection tools (like CrowdStrike), network analyzers, and ticketing systems, such as JIRA. They need to understand operating systems, networking, and scripting to excel in this position.

Harvard Extension School Cybersecurity Alumni Stories

“My journey at Harvard Extension School went beyond achieving a milestone; it acted as a catalyst for advancing my career.”
Erick McKitterick
Master of Liberal Arts (ALM) in the field of Cybersecurity, ’24; Graduate Certificate in Cybersecurity, ’23
Cybersecurity leader and advisor

“My courses at Harvard instilled in me the confidence to differentiate myself — and they undeniably did; I found myself working in the cybersecurity field even before completing my certificate!”
Frank Vounasis
Master of Liberal Arts (ALM) in the field of Systems Engineering, ’25; Graduate Certificate in Cybersecurity, ’23
Cybersecurity Risk Management

“I appreciated courses that gave a broader view of the cybersecurity landscape, including threats, governance, and industry standards. They helped me understand not just the technical side, but also the policies, protocols, and stakeholders that shape the field.”
Taharka Beamon
Graduate Certificate in Cybersecurity, ’20
Security Operations Director, Reed Exhibitions (RX)

What Are Some Trends in Cyber Incident Response Management?

As threat technology evolves, so do cyber incident response trends. One trend that has been altering how organizations think about cybersecurity is “shift left security.” Instead of adding security controls onto software at the end of the development process, developers consider security approaches as they’re building the software. This methodology shifts security thinking earlier in the software timeline, or to the “left” when thinking of a project timeline.

Applying steganography in cyber incident response

Steganography is a tool to conceal data. While not an official cybersecurity protocol, steganography acts like a watermark to protect and identify certain kinds of data. It’s one method of protecting sensitive information.

Text, image, video, and audio content can be concealed using steganography. The concealed data is hidden inside another type of digital content and is usually encrypted.

“Say you are using an LLM as a chatbot. How do you verify that this is AI, not human?” Nagappan says. “You put in steganography, like a watermark.”

Organizations that want to ensure users and clients know certain digital communications are legitimate can use steganography as a watermark to show the text is authoritative. However, bad actors can also use steganography to sneak information into harmless-seeming digital assets. Cybersecurity professionals need to understand how to use steganography as a verification tool — and how to guard against cybercriminals deploying steganography as a threat. 
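To make the watermark idea concrete, here is an added example (not code from the article or from Nagappan) of a keyed text watermark: an HMAC tag over the visible text is hidden as zero-width characters, and the verifier recomputes the tag from what it can see. The shared secret, the zero-width encoding, and the tag length are assumptions of this example.

```python
import hashlib
import hmac

# Assumed encoding for this example: two invisible code points carry the bits.
ZW0 = "\u200b"  # zero-width space encodes bit 0
ZW1 = "\u200c"  # zero-width non-joiner encodes bit 1
TAG_BYTES = 8   # truncated HMAC-SHA256 tag carried inside the cover text


def _tag(secret: bytes, visible: str) -> bytes:
    # Tag covers only the visible text, so the verifier can recompute it after stripping.
    return hmac.new(secret, visible.encode("utf-8"), hashlib.sha256).digest()[:TAG_BYTES]


def _bits_to_zw(data: bytes) -> str:
    # Most-significant bit first, one zero-width character per bit.
    return "".join(ZW1 if (byte >> (7 - i)) & 1 else ZW0 for byte in data for i in range(8))


def embed_watermark(secret: bytes, message: str) -> str:
    """Interleave one tag bit after each visible character; append any remainder."""
    if ZW0 in message or ZW1 in message:
        raise ValueError("message already contains watermark characters")
    marks = _bits_to_zw(_tag(secret, message))
    out = []
    for idx, ch in enumerate(message):
        out.append(ch)
        if idx < len(marks):
            out.append(marks[idx])
    out.append(marks[len(message):])  # empty unless the message is shorter than the tag
    return "".join(out)


def strip_watermark(text: str):
    """Return (visible_text, recovered_tag_bytes); incomplete trailing bits are dropped."""
    visible = "".join(ch for ch in text if ch not in (ZW0, ZW1))
    bits = [1 if ch == ZW1 else 0 for ch in text if ch in (ZW0, ZW1)]
    recovered = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        recovered.append(byte)
    return visible, bytes(recovered)


def verify_watermark(secret: bytes, text: str) -> bool:
    """True only if a full tag is present and matches the visible text under this secret."""
    visible, recovered = strip_watermark(text)
    if len(recovered) != TAG_BYTES:
        return False
    return hmac.compare_digest(recovered, _tag(secret, visible))
```

Zero-width marks survive copy and paste but are removed by text normalization, so a missing mark proves nothing; only a present, valid tag supports the claim that the text came from the keyed system.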

Using social media in cyber incident response

Social media presents another channel for cyber incidents, and using social media tends to expose organizations to a greater number of bad actors. Add AI to the mix, and social media presents a complex arena for cybersecurity professionals.

“Social media is an evolving threat,” Nagappan says. “How do we know that a social media profile is representing a human or an agentic AI system?”

Organizations need to be prepared to deal with the threats social media presents, and this is where identity assurance comes in. For cybersecurity professionals, prevention is the best medicine when it comes to social media interactions.

“A human can be verified through biometrics, ID cards, knowledge — but organizations can’t do that,” Nagappan says. “Organizations need to be more vigilant about who they’re connecting with.” 

Connecting with other organizations’ social media profiles or personas can be dangerous. Cybersecurity professionals should be wary of social media profiles they can’t verify as legitimate.

Navigating complex regulations

Not only do cybersecurity professionals need to adapt to a constantly shifting threat landscape, but they also need to quickly adhere to new regulations and requirements. New technology can often create a flurry of new regulations — something that cybersecurity professionals are likely to see with AI.

Right now, that means understanding how to use AI, defend against AI, and remediate AI threats. 

Nagappan emphasizes the need to stay on top of how the industry is evolving.

“AI is built on training data,” he says. “If the model is trained with biased or illegitimate information, that could present an AI-generated attack vector.”

In practice, that could look like deep-fake audio or video content that tricks a customer, or AI-written code that fools a developer or software engineer. Learning to identify AI biases is one way to quickly pinpoint malicious AI adversaries. 

There are currently few regulations around AI. And while regulations can help guide practitioners toward best practices, security protocols evolve based on incidents or potential incidents. Cybersecurity professionals need to be prepared long before any regulations go into effect.

Is It Difficult to Get Into Cybersecurity and Incident Response?

Starting a career in cybersecurity or specializing in incident response will take technical training. Additionally, the best cybersecurity professionals possess three key traits: 

  1. Natural curiosity
  2. Critical thinking and creative problem-solving skills
  3. Ability to quickly understand and apply new technical concepts

Cybersecurity students should focus on developing a well-rounded understanding of data infrastructure and software development. They should also understand the software development lifecycle, the roles and responsibilities involved, and how the development cycle is evolving with AI.

Nagappan says current students should focus on building AI-related skills.

“They should know how to do AI-augmented threat modeling — which just means using AI to find potential indicators of compromise — and adversarial machine learning, which shows how AI models can be poisoned with false information and inaccurate data.”

There are various paths toward a fulfilling career in cybersecurity. Interested students could consider specializing in one of these cybersecurity fields:

  • Architecture and policy
  • Data loss prevention
  • Governance, risk, and compliance
  • Identity and access management
  • Penetration testing
  • DevOps security
  • Secure software development

Explore a Cybersecurity Program at Harvard Today

“It’s important to contribute to the community and make connections,” Nagappan says. “At Harvard, there’s a cybersecurity interest group people can join, and there are Cloud security communities for Amazon, Microsoft, and Google. The OWASP community can also help people build connections and better understand the threat landscape.”

Ready to continue building your cybersecurity skills and develop a professional network? Visit the Cybersecurity Master’s Degree Program or the Cybersecurity Graduate Certificate pages to learn more.