Communication and planning
Communication and Planning is the most important part of your day-to-day job in cyber security.
There are many roles across the cybersecurity industry, filled by people with different backgrounds.
People work in security operations centers, as developers who build security software, and as crisis handlers with deep experience in several fields such as law, physical security, and administration.
The other groups that work closely with cyber security professionals are the infrastructure and network teams.
Given this background, a cyber security professional may need to communicate with any of the people mentioned above, and with the customer, day to day, depending on how a situation develops.
Follow the process and protocol defined in your organization when communicating a specific situation or observation.
Check and re-check your communication before you send it; the keyword is “due diligence”.
If you need to answer a technical question, work it through in your lab or collaborate with your team members and superiors before sending your response; people who work on specific products or technical environments in particular need to follow this.
Please find more information on listening skills.
If you need an interactive session on this subject please let us know in the comments.
Lesson 1: How to Handle a Cyber Security Incident
Let us discuss this based on scenarios you might face in day-to-day threat hunting or troubleshooting.
Scenario 1: You might get a question as simple as “Why is my laptop slow?” or “I suspect I clicked a wrong link, and since then my laptop has been behaving weirdly.” This question is often asked by users of personal laptops, or it might come from an office user whose office-issued laptop is managed by your organization’s IT team, which decides what software and configuration it should have.
What approach should you take here in terms of planning and communication?
The answer to this problem could be as simple as an underlying hardware issue, such as the laptop not having sufficient hardware for the applications and operating system it runs. It could be as complex as a tricky configuration issue, or the more worrisome case where the laptop is infected with malware, a virus, or a Trojan.
Remember that most security incidents start with people complaining about performance issues or weird behavior noticed while using a laptop or application. It could also be nothing, and the user simply misunderstood what they saw.
So, coming back to the question: how do you attack this problem?
The answer in one line is “Follow a standard troubleshooting process”. What could this process be?
- Identify the value of the asset for which the incident is being reported. If the asset is critical to the organization, or contains critical personal or business data for the user, first check whether a backup is in place; if not, take a backup before proceeding.
- Talk to the end user and try to understand what the user is describing, gathering the information over a phone call or by email.
- Check whether the user’s complaint is a commonly known issue whose answer can easily be found through a Google search or in your organization’s own FAQ.
- If you are not able to find an answer, move on to deeper troubleshooting, which requires more knowledge and expertise. The three steps above are usually handled by an L1 professional in the incident management process. If the L1 cannot identify the answer to the problem, they should escalate it to the next-level professional, who can take it from there, and inform the user that the issue has been escalated to the next level of the troubleshooting process for deeper analysis and resolution.
More complex scenarios
If you are working for a company, or planning to be employed as a cyber security professional, what scenarios might you work on day to day?
It depends on the specialization you are associated with.
Below are some specializations in which you might be a team member:
- Vulnerability scanning and reporting.
- Managing a SIEM solution.
- Managing and monitoring network devices for traffic and configuration management.
- Testing web applications for security issues and documenting them.
- Preparing compliance reports with the help of other teams such as IT infrastructure and security.
- Configuration management to improve the security of Windows servers and network devices.
- Member of the security operations center, handling L1, L2, and L3 security incidents.