In this series, we’re going to go over different career paths in Cybersecurity.
Each one allows for many options and the ability to go deep within that domain.
From a broader view, there’s Blue Team and Red Team, Defense and Offense. But the umbrella of Cybersecurity is much more nuanced than that.
That’s what we’ll be covering in this series.
Detection and Response
In this issue, we’re going to do a deep dive on Detection & Response and Incident Response.
This is the area I focus on myself today. With 8 years of experience in the Security Operations area, I have gained some insights into these domains.
We can think of Security Operations as covering any of the following:
Detection & Response
Forensics
Incident Response
Threat Hunting
Let’s discuss Detection & Response. The day-to-day of Detection and Response can vary, as our scope is wide, but in a nutshell it can consist of the following:
Ingesting logs
Normalizing those logs
Writing rules to alert on various threat activity
Responding to activity from those written rules
Analyzing logs to tell a story of what events took place
For more on normalizing logs, see this post by Monad.
The goal is to minimize the threats the company faces and detect as early as possible.
But as mentioned, the day-to-day will look different depending on a lot of factors, such as the company, Security org dynamics, and whether an MDR (Managed Detection & Response) provider is used.
Detection & Response can be done for endpoints (laptops), network, email, or cloud environments.
Some of the skills necessary for this field are: workflow automation, familiarity with attack frameworks and how to use them, data analysis, and managing ambiguity.
From here you can make a career out of specializing in SIEM (Security Information and Event Management), for example Splunk, SumoLogic, ELK, Gravwell, etc. This means ingesting logs for the Security team’s usage and then using them to form queries and detections to alert on said threats.
Detection Engineers build, test, and deploy systems that validate security controls and detect suspicious behaviors. The goal is to protect the “Crown Jewels” and prevent or detect incidents in the company.
Getting started as a Detection Engineer involves mapping and classifying systems (and data) by importance. Then, with this understanding, detections are created that flag varying degrees of behaviors. This can be done at the SIEM level, at the EDR level, or at the Network IDS level.
For more on Detection Engineering, see this previous post.
At the end of the day you can’t detect what you can’t see. So it all starts with the data.
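As an added illustration of the workflow described above (ingest, normalize, write a rule, respond, analyze) and of scaling detections by asset importance, here is a miniature pipeline in Python. This is example code written for this post, not the author's tooling or any SIEM product's; the log lines, hostnames, asset inventory, rule threshold and window are all constructed for the example.

```python
"""Toy Detection & Response pipeline (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# --- Ingest: constructed sample logs in two formats (not real data) ---
RAW_LOGS = [
    "Jan 10 09:00:01 web01 sshd[201]: Failed password for root from 203.0.113.9 port 4000 ssh2",
    "Jan 10 09:00:12 web01 sshd[202]: Failed password for invalid user admin from 203.0.113.9 port 4001 ssh2",
    "Jan 10 09:00:40 web01 sshd[203]: Failed password for root from 203.0.113.9 port 4002 ssh2",
    "Jan 10 09:02:00 web01 sshd[204]: Failed password for alice from 192.0.2.5 port 5000 ssh2",
    "2024-01-10T09:05:00Z dc01 EventID=4625 TargetUserName=Administrator IpAddress=198.51.100.7",
    "2024-01-10T09:05:20Z dc01 EventID=4625 TargetUserName=Administrator IpAddress=198.51.100.7",
    "2024-01-10T09:05:45Z dc01 EventID=4625 TargetUserName=svc_backup IpAddress=198.51.100.7",
    "2024-01-10T09:06:00Z dc01 EventID=4624 TargetUserName=Administrator IpAddress=198.51.100.7",
    "some unrelated line the parsers do not understand",
]

# --- Classification: systems mapped by importance (assumed inventory) ---
ASSET_TIER = {"dc01": "crown_jewel", "web01": "standard"}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
SYSLOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def normalize(line):
    """Map one raw line onto a common schema; return None for unparsed lines."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                "user": m["user"], "src_ip": m["src"],
                "action": "login_failure", "source": "sshd"}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        action = {"4625": "login_failure", "4624": "login_success"}.get(m["eid"], "other")
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "action": action, "source": "windows_security"}
    return None  # a real pipeline would count these so parser gaps are visible


def normalize_all(lines):
    """Normalize every line that parses and order the result by time."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def rule_failed_login_burst(events, threshold=3, window_seconds=60):
    """Rule: >= threshold login failures from one source IP against one host
    within window_seconds. Severity is raised when the target is a crown jewel."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "login_failure":
            by_key[(e["host"], e["src_ip"])].append(e["ts"])
    alerts = []
    for (host, src), times in by_key.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):  # widest burst that starts at each failure
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= threshold:
            tier = ASSET_TIER.get(host, "unknown")
            alerts.append({"rule": "failed_login_burst", "host": host, "src_ip": src,
                           "count": best, "asset_tier": tier,
                           "severity": "high" if tier == "crown_jewel" else "medium"})
    return alerts


def timeline(events, host, src_ip):
    """Analysis step: the ordered story of what one source did to one host."""
    return [f"{e['ts'].isoformat()} {e['action']} user={e['user']} via {e['source']}"
            for e in events if e["host"] == host and e["src_ip"] == src_ip]


def run_pipeline(lines):
    """Ingest -> normalize -> detect; returns (events, alerts) for the responder."""
    events = normalize_all(lines)
    return events, rule_failed_login_burst(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    for alert in alerts:
        print(alert)
        for entry in timeline(events, alert["host"], alert["src_ip"]):
            print("   ", entry)
```

On the constructed data the rule fires twice: a medium alert for the burst against web01 and a high alert for the burst against the domain controller, and the timeline for dc01 shows three failures followed by a success, which is the kind of story the analysis step exists to surface.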
Another area you can pivot to from Detection & Response (or vice versa) can be Incident Response (IR), which we’ll discuss next.
Incident Response
Incident response is sometimes used interchangeably with the terms SOC or Security Operations.
You can think of this area of Cybersecurity as paramedic work, often working in adverse circumstances but needing to execute the task at hand.
When you read about a breach and all the work that was done in recovering from it, the Incident Response team was behind the scenes coordinating the efforts to remediate. This last piece of the job is traffic control: being able to coordinate the moving parts and keep order in an otherwise stressful situation.
Some of the skills necessary for this field are: calm under pressure, effective writing skills, good cross-collaboration skills, and security tools knowledge.
Being able to write up reports and post-mortem actions effectively, and to direct traffic on what needs to be done during an incident, is what this role requires.
Someone could make an entire career in Incident Response as it is always in demand and is a sought after skill set.

As these domains are closely related, people often pivot between Detection & Response and Incident Response roles over the course of their cybersecurity careers, in either direction.
A lot of the time, in practice, these can be the same team. In my experience, they have been the same team.
At a large company, say Google, these would be separate teams.
For more details on the Incident Handling lifecycle, see the SANS definition of PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned):
https://www.sans.org/media/score/504-incident-response-cycle.pdf
What I Read This Week
Drivers on macOS: a good deep dive on macOS internals.
Good to know with the rise in macOS malware and infostealers.
Dissecting JA4H for Sliver C2 detections
Using JA4H fingerprints to uncover additional Sliver C2 servers
From Detection to Enforcement: Migrating from IMDSv1 to IMDSv2. Everyone loves a good migration.
Challenges and Steps to take for an IMDSv2 migration
Conclusion
Hope this was helpful in understanding the career paths and domains of Detection & Response and Incident Response.
As discussed, both Detection & Response and Incident Response play crucial roles in cybersecurity.
They are both high-demand areas of Cybersecurity, and either of these paths will continue to show growth. They provide the critical defense mechanisms that organizations rely on to secure their “Crown Jewels”.
While the roles vary, they share common ground in terms of goals: reducing risk, detecting threats, and responding to incidents effectively.
Stay tuned for the next part of this series, where we will dive into another career path of Cybersecurity.