eLearnSecurity Blog

The #1 Difference Between Good & Great IR Professionals

What makes the difference between a “good” cyber Incident Response professional and a “great” one? Here’s what we think.


With cyber crooks getting smarter in the ways they target new victims, security defenders need to adapt and stay up to date. For this reason, good IR professionals have extensive knowledge of the tools and techniques required to respond to security incidents.

However, this alone misses critical elements of doing cyber Incident Response in 2019.

Indeed, according to Carbon Black Inc., 59% of IR professionals say their organization only follows a reactive approach to Incident Response.

To better prepare for potential cyberattacks early, it’s crucial to adopt a PROACTIVE approach to Incident Response. What this means is shifting from a reactive “if they come, we will respond” or even active “when they come, we will respond” to a proactive mindset “before they come, we will be ready”.

Part of becoming proactive is focusing on the preparation phase of Incident Response, so that you are ready for any and all types of attacks that might happen next. To do this, great IR professionals need an extra set of skills, which include (but are not limited to):

  • Intrusion detection by analyzing traffic: How to detect attacks in the IEEE 802.x Link and IP layers, how to analyze common application protocols for suspicious behavior, how to effectively leverage open-source IDS solutions to detect real-world attacks, etc.

  • Intrusion detection by analyzing flows: How visualizing flows can be leveraged to detect intrusions, lateral movement, malware beacons, etc.

  • Security Information & Event Management (SIEM) fundamentals: How to make the best out of open source SIEM solutions like ELK stack, Splunk, Osquery, etc.

  • Logging: Track security-related information on computer systems, including formats, manipulations, custom parsing, etc.

  • SMTP, DNS & HTTP(S) analytics: How common protocol analytics can increase network visibility in order to detect abnormal and probably malicious actions, how to extract actionable intrusion-related information by performing SMTP, DNS, HTTP and HTTPS analytics, etc.

  • Endpoint analytics: How logs/events, correlation strategies, regex usages and SIEM queries can help detect adversaries on your endpoints, how tactical threat intelligence and adversary simulation software can help upgrade endpoint adversary detection capabilities, etc.

  • Creating a baseline & detecting deviations: How base-lining an environment can result in easier, more efficient and more effective intrusion detection, etc.


There’s no laying back and waiting for an intrusion to happen in the Incident Response field. The key to staying secure is being proactive! This means adapting your company’s security strategy to focus on detection and prediction of what’s coming before anything happens.

Here are a few ways companies can prepare for and prevent malicious intrusions, and stay secure in the process:

  • Risk assessments help identify inherent business risks and provide measures, processes and controls to reduce the impact of those risks on business operations.

  • Penetration tests evaluate the overall security of an IT infrastructure by safely trying to exploit vulnerabilities.

  • Host security refers to securing the operating system, file system, and the resources of the host from unauthorized access, modification or destruction. Doing a good job at host security on all of your hosts is one of the most important ways to prevent break-ins.

  • Network security is the set of preventative measures that protect the networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure. In other words, it creates a secure platform for computers, users, and programs to perform their functions.

  • Malware prevention tools provide a vital layer of protection for your computer or network. Good ones can also recognize (and warn against) even previously unknown malware threats, based on technical features (such as attempting to “hide” on a computer) that are characteristic of malware.

  • User awareness and employee training is the first and most important line of protection. Companies focus so much on protecting hardware and software against cyber threats that they forget about securing humans (often the weak link) and providing adequate training for people not usually involved in cyber security.

Learn more about how to prepare for and prevent cyber incidents.

Good incident response professionals know the right strategies, tools, and techniques to respond to cyber incidents. Great ones know how to prevent them from happening in the first place.

Want to learn the basics all the way up to advanced incident response skills? Our newly-launched IHRP training course will help you become a better security defender. Take a sneak peek by requesting your free trial.

And to help you jumpstart your blue teamer’s career, we’re offering you a FREE UPGRADE to the higher Edition when you enroll in IHRP before April 30.
