Leading from the Frontlines: Developing Strong Incident Commanders

The cybersecurity incident commander role is a difficult one. In addition to having a good grasp of technical roles and tasks, the incident commander needs to understand the skills, talents, and personalities of those under their leadership. Even more, the incident commander should be able to use all of these aspects of their team members advantageously for the benefit of the incident response team.

What Is an Incident Commander?

The incident commander (IC) is the person in charge of a cyber incident. That includes understanding the scope of the attack (realizing as soon as a bad actor accesses the server, for example), determining actions to take or to not take against an attacker, and managing the team throughout the incident and recovery.

The IC receives communication about what actions each person is taking and what they find, so they are aware of all information and can consolidate it. ICs determine when to take a passive or active stance, how to get rid of the threats, and when to transition to hardening and prevention.

They don’t always get on a machine and do things with their hands, but they will keep notes, analyze and direct next steps, and write the report. 

The team lead and/or SOC lead is trained to manage the incident. Some others train so they can step in if the lead is out or if needed simultaneously.

Understanding Strengths and Weaknesses

An effective incident commander will understand both their own and their incident response team members’ strengths and weaknesses. That is crucial to leadership for several reasons:

1. Optimal Resource Deployment

Recognizing each team member's strengths enables ICs to assign tasks that align with their expertise, ensuring that the response effort is efficient and effective. Placing analysts in the most effective position during an incident is crucial to ensure that all artifacts are found and correctly identified. 

2. Team Cohesion in High-Stress Situations

By understanding the capabilities of each team member, ICs can foster a cohesive team environment even under intense pressure. This facilitates smooth collaboration and communication during critical moments.

3. Tailored Strategic Planning

Awareness of team capabilities allows for strategic planning that leverages strengths and mitigates weaknesses. ICs can develop response strategies that capitalize on the team's expertise while addressing any skill gaps.

4. Personal and Team Development

Incident commanders who acknowledge their own strengths and weaknesses can actively seek personal development and support in areas where they may lack expertise. Similarly, they can provide guidance and training to team members, enhancing the overall proficiency of the response team.

5. Informed Decision Making

Understanding the strengths and weaknesses of the team helps ICs make informed decisions during a cybersecurity incident. They can delegate tasks effectively, anticipate challenges, and implement appropriate mitigation measures.

6. Conflict Resolution and Incident Management

Awareness of team dynamics enables ICs to anticipate potential conflicts and manage them swiftly during incident response operations. This ensures that the team remains focused on resolving the cybersecurity incident efficiently.

7. Boosting Team Morale and Retention

When team members feel valued for their expertise and supported in their areas of development, they are more likely to remain engaged and satisfied with their roles. This, in turn, fosters a positive work environment and promotes retention within the cybersecurity incident response team.

Communication Is Key

Effective communication is paramount for an incident commander. Despite potential challenges like misplaced team members or overlooked needs, success hinges on clear communication.  

It's essential to treat all analysts equally, regardless of their role. A common flaw in incident response is assuming that answers found are incorrect, often due to subconscious dismissal of junior analysts or the commander's overconfidence in their understanding of the situation. Consistently acknowledging and deliberating on all reported artifacts, even those likely to be incorrect, is key to effectively managing an incident.

A good practice for an IC is to continuously reevaluate their understanding and the attack’s nature, asking questions like, “What were they after?” and “Do the pieces fit together?”

A proficient incident commander understands their team and maintains constant communication to grasp the incident's full scope. Even if analysis slows, communication remains the most effective tactic for faster incident resolution.

How Cyber Range Solutions Can Help

Training in team-based, live-fire cyber attack simulations on a cyber range can greatly benefit an incident commander in several ways:

1. Hands-On Experience

Cyber attack simulations provide hands-on experience in dealing with real-world cyber threats in a controlled environment. This allows the incident commander to develop practical skills and insights into various attack scenarios.

2. Team Collaboration

Working in team-based simulations fosters collaboration and communication among team members. The IC learns how to effectively coordinate and delegate tasks to optimize team performance during a cyber incident.

3. Decision-Making Skills

Simulations present the incident commander with complex, real-world scenarios where quick and informed decisions are necessary. Through practice, they enhance their ability to analyze situations, prioritize actions, and make effective decisions under pressure.

4. Understanding Attack Tactics

By participating in Cloud Range’s cyber attack simulations, which are all aligned with the MITRE ATT&CK Framework, the IC gains a deeper understanding of different attack tactics, techniques, and procedures (TTPs) used by adversaries. This knowledge helps them anticipate and respond to cyber threats more effectively in real-world situations.

5. Testing Response Plans

Simulations provide an opportunity to test and refine incident response plans in a realistic setting. The incident commander can identify strengths and weaknesses in the response plan and make necessary adjustments to improve its effectiveness.

6. Building Confidence

Training in simulated cyber attack scenarios with the whole incident response team builds the IC’s confidence in their ability to handle real-world incidents. They gain experience and proficiency in managing cyber threats, which translates to greater confidence when facing actual incidents.

7. Continuous Improvement

Cyber attack simulations promote a culture of continuous learning and improvement within the incident response team. The incident commander can debrief with team members after each simulation to identify areas for improvement and implement corrective measures.

Prepare Your Incident Commanders

Cloud Range’s Incident Commander Training is a cutting-edge program designed to equip cybersecurity professionals with the leadership skills crucial for managing cybersecurity incidents. This first-of-its-kind training, offered at no cost for a limited time, fills a critical gap in existing tools and focuses specifically on the Incident Commander role. 

Aligned with FEMA and NIMS guidelines, the training emphasizes soft skills essential for orchestrating SOC teams during cybersecurity incidents. Participants gain hands-on experience through real-world scenarios, learning to assign tasks, communicate effectively, and lead teams to swift resolution.

Upon completion of the first course, trainees receive a badge and can advance to full certification by participating in Cloud Range's live-fire cyber attack exercises. This comprehensive training ensures ICs are equipped to manage incidents, improve team performance, and navigate complex cybersecurity challenges effectively.