Roles

Cards (12)

  • SOC Analyst
    • A SOC analyst is a person who deals with the various events and alerts that occur in the SOC. There are usually different levels (tiers) of analysts. Ultimately, analysts are usually among the first members who get involved in dealing with an incident.
  • SOC Lead
    • The SOC lead, also called the SOC Manager or Head of SOC, is responsible for dividing the tasks in the SOC and deciding whether to escalate an alert to the level of an incident. Usually, the SOC manager understands the technical information required to perform an investigation, which helps them divide the different tasks during an incident.
  • Forensic Analyst
    • A forensic analyst is a person who performs an investigation to better understand what happened during an incident. This is often digital forensics, where artefacts such as the memory or hard drive of a device must be reviewed.
  • Malware Analyst
    • A malware analyst is a forensic analyst who focuses on understanding how the malware works. These analysts often have significant technical capabilities to debug and decompile malware to understand how it works. These analysts often help to uncover Indicators of Compromise (IoCs) that are signatures of the malware that can be used to identify the malware in the environment.
  • Threat Hunter
    • A threat hunter is a person who actively tries to uncover new threats in the environment. The goal of threat hunting is to try to create new alert rules based on information available in logs and other sources. With these rules in place, an alert would be generated that could help the team discover an attacker who attempted to use the same technique.
  • First Responder
    • In certain cases, it isn't actually the SOC that is first alerted to an incident. Often, a cyber incident could have started as a business incident. For example, a product team discovers that their application has slowed down and isn't responding as it should. In these cases, that team becomes the First Responders to the incident. There are some key steps that first responders should take to ensure that they don't compromise information that will be required to better understand the cyber incident.
  • Security Engineer
    • While security engineers are not directly involved with the SOC, they can often be involved in incidents. Security engineers are responsible for the security of their division, application, or system. In the event that there is an incident in their area, they will often be relied upon as a subject matter expert to aid in the investigation. Furthermore, security engineers will often work closely with the SOC to ensure that the SOC is receiving log information from their division.
  • Information Security Officer
    • Similar to a security engineer, an information security officer (ISO) is responsible for the security of their division. However, unlike security engineers, this role is usually more management-focused than technical. ISOs are also often involved in incidents as subject matter experts and are responsible for acting as the bridge between the Incident Response team and their division team, which will have to implement the actions provided by the Incident Manager.
  • Incident Manager
    • An incident manager is a person who is trained in performing the management duties for Incident Response and Management. Incident Managers have to be exceptional at note-taking and well organised to ensure that everything during an incident is properly documented and that the processes are followed.
  • Product Owner
    • A product owner is usually the person who takes the lead during the development of a solution. In the past, with the waterfall method, products were only released after they were fully completed. Today, however, using Agile processes, products are released and continuously updated. As such, since a version of the product is already live while the team is still performing development, incidents can already occur. In the event of an incident, the product owner is often called in as a subject matter expert to help with the investigation.
  • Subject Matter Expert
    • The blue team cannot be expected to be experts in every single technology or system. As such, Subject Matter Experts (SMEs) are often relied upon based on the specific incident at hand. For example, if, in the incident, Active Directory has been compromised, one of the Domain Admins could be called in as an SME. SMEs are often relied on to provide more information that allows the blue team to better understand the incident scope and what potential actions can be taken against the threat actors.
  • Crisis Manager
    • A crisis manager is the lead for the crisis management team (CMT). This is usually an executive such as the CIO or COO. This person is responsible for ensuring that the CMT functions as it should and can deal with the crisis.
  • Executive
    • In the event that an incident is sufficiently severe, executives of a company will be involved in the CMT. This includes the CEO, COO, CIO, CTO, and CISO.