The National Cyber Security Strategy sets a strategic objective of making the UK more resilient to cyber attacks. Such attacks can vary in terms of persistence, sophistication and impact. In order to assist organisations with their response to a potential compromise, there is a twin track approach for the provision of certified Cyber Incident Response services.
A broad-based scheme focused on maintaining an appropriate standard for incident response, managed by an industry professional body, delivered by industry and endorsed by NCSC and CPNI. This scheme is currently administered by CREST and is known as the CREST Certified Incident Response Scheme (CSIR).
A small focused Government run Cyber Incident Response (CIR) scheme certified by NCSC and CPNI Industry partners deliver services that are focused on responding to sophisticated targeted cyber attacks against networks of national significance.
From August 2015, the UK Government will require that companies providing Cyber Incident Response services within the terms of the NCSC/CPNI CIR scheme, have at least one qualified CREST Certified Incident Manager on their team. The CIR scheme is certified by NCSC and CPNI to deliver a focused service dealing with sophisticated, targeted attacks on networks of national significance.
The Cyber Security Incident Manager
An Incident Manager will determine the path an investigation should take based on considerable real world incident handling experience and the pertinent information currently available. As greater information becomes available, it is their responsibility to continuously re-evaluate the situation and make any necessary changes from minor course corrections to a total change in direction if that is required. To stay in control of a rapidly changing situation requires strong leadership and interpersonal skills as well as sufficient technical capabilities to understand reports and findings being presented back from other team members. It is also the responsibility of the Incident Manager to determine what additional skills need to be brought in to the team to ensure the response programme runs effectively and efficiently. The Incident Manager will be the key point of contact with the client organisation and possibly third parties such as regulators, government or media organisations – as such they will need the ability to stay calm and focussed while distilling the key facts of the engagement to explain both to board level and technical customer within the client organisation.
An Incident Manager will be responsible for leading and presenting all elements of the Incident Response project lifecycle including identification, containment and eradication. They will need to be aware of any relevant legal and regulatory matters.
An Incident Manager’s role is expected to be fulfilled by highly experienced personnel who have spent considerable time working on incident response engagements. It is likely that many will have previously (or may still be) practitioners in one of the technical disciplines associated within incident response, however this is not a mandatory prerequisite. It is, however, essential that those in this role have sufficiently strong and broad technical skills to be able to play a key part in understanding the details of the incident in order to make accurate, informed decisions at both the strategic and technical team lead levels.
The CREST Certified Incident Manager (CC IM) Examination
The (CC IM) examination tests a candidates’ knowledge across a range of areas wider than traditional intrusion analysis including conventional incident response technical tasks and also a wide range of general technology areas to ensure they are competent to assess and handle a range of potential incident scenarios. The detail in these areas is high level but broad with “an awareness of” being a good description of the level of detail required. The Syllabus for the CC IM examination is available from the link below and specifically, Appendix G focuses in detail on the core response manager skills that will be assessed. The level of detail required here is greater as this is assumed to be the core domain of knowledge for an incident manager. Particular emphasis is placed on the following skill sets:
- Client management
- Containment techniques
- Project management and time management
- Evidence handling
- Recovery and remediation
- On-going technical prevention
- Judgement making and critical reasoning
- Written skills
- Third Parties
- Reporting Agencies
- Threat intelligence, Contextualisation Attribution and Motivation
- Industry Best Practice
- Risk Analysis
- Attack & compromise lifecycle
- Legal and Jurisdictional Issues
- Technical vulnerability root cause identification
- Physical threats
- Insider attacks
The CC IM examination is delivered in Pearson Vue centres. It is divided into two parts (IM1 and IM2). Part One must be taken before Part Two and overall results will be released once both examination Parts have been taken.
- IM 1 will comprise multiple-choice questions and one compulsory long form question
- IM 2 will comprise two long form questions and a scenario-based question.
Candidates are required to meet or exceed a two-thirds pass mark in both sections independently in order to pass the exam overall. A candidate’s overall result will be released once both parts of the examination have been taken (ie. there will be no result given after taking part 1).
You can download the following documents from the links below:
The Certified Incident Manager examination costs £1,600 + VAT
Recommended Preparation Material
The following material and media has been cited as helpful preparation for this examination by previous candidates:
Useful Information for Candidates
Details of the Logistics and Timings of CREST examinations can be found in the Examination Preparation page for your country of choice
CREST’s Policy for Candidates requiring special arrangements including additional time to accommodate a medical condition (including examinations delivered via Pearson Vue)
Terms and Conditions for CREST Examinations (includes hard disk drive wiping policy)