As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your “go bag” because you cannot remote in to the breached system. It’s all part of the game.

Seasoned incident responders can handle this jab: “Why would you want a job like this? Are you crazy?” The truth is, some thrive in it. Ask around, and you’ll find that incidents responders:

  • Are driven by a sense of duty to protect something important.
  • Appreciate (and even seek) challenges and problems.
  • Even if stressed, find a way to enjoy the chaos.
  • Love the constant change, which offers an opportunity to keep growing professionally.

But what is a day in the life of a cybersecurity incident responder really like – and what happens when the alarms start flashing?

How the average day can start

The Cybersecurity and Infrastructure Security Agency (CISA) gives a good run-down of the types of tasks to expect in this line of work, along with some core competencies. The U.S. Department of Defense also has a more detailed view.

Keep in mind: An internal incident responder (e.g., in-house) versus an external one (e.g., consulting firm) may have differing “pre-boom” activities. But when the incident hits, many tasks are similar.

What are some pre-boom tasks? Here’s a quick list:

  • Seeking vulnerabilities in code, networks, hosts and other types of infrastructure.
  • Researching threat actors and their tactics, techniques and procedures.
  • Reviewing threat intelligence and other industry news.
  • Analyzing alerts and alarms for positivity rates or performing deduplication.
  • Configuring tools and correlating behaviors.
  • Performing trend analyses and report writing.
  • Closing out long-term investigations and review of related forensics.

Of course, this is just a short list. If you are on the consultant side, you may be participating in business development activities to build your book of business through incident response retainers. These are all relevant activities in the incident response lifecycle.

The average day goes sideways

Whether you are an internal or external responder, everything changes with that panicked call or red alert on the dashboard. Enjoy your coffee because life is about to get real.

The National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide, outlines the incident response lifecycle with associated tasks. The four phases are:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activities

With the first hours of the incident being the most stressful, the initial two phases play a crucial role in what happens next. Depending on your level and rank, you may be collecting artifacts, triaging severity, initiating communication fan-outs, seeking ways to stop propagation or outright system disconnections, getting ready to brief leadership or even teeing up negotiations with threat actors.

This is the zero to 100 in a heartbeat moment. But at this point, things are just getting started.

Preparation shapes how the crisis unfolds

Firstly, an incident responder needs to be able to classify the event, spot indicators of compromise, potentially begin forensics and chain of custody requirements, review logs and devices, and even keep an eye out for what is going on in the public sphere. You may even need to start pulling cables! If you are not in crisis mode, you should be ready to enter it.

The following types of preparedness activities can reduce harm to the network, as well as to the emotionally torqued-up responders:

  • A clear understanding of your estate and assets.
  • Well-defined roles and responsibilities.
  • Recovery point/time objectives established.
  • Tested and validated backup and restore procedures.
  • Agreements in place with third-party vendors and suppliers, including a strong understanding of who is responsible for what; the “shared responsibility” thing is real.

Also, be mindful of emotional and psychological impacts. Even the type of incident you face can really ramp up emotions. For example, ransomware incidents prey not only on the emotions of the victims but exacerbate the stress levels of responders.

This is why preparation is so important. If many of the items above are documented and can be easily referenced, valuable time is saved, uncertainty is reduced and emotions can be better kept in check.

Life during response

In the heat of battle, responders may start hitting 12-hour days or more. And while you want your A-Team running the show, be mindful that after so many hours of battle and bloodshot eyes, coordination and performance deteriorate. During this time, responders could be:

  • Gathering evidence
  • Performing attribution analysis
  • Carrying out complex searches
  • Conducting damage assessments
  • Maintaining service availability

This still leaves one of the most difficult tasks: managing stakeholder expectations while fulfilling that sense of responsibility to their team or client.

Responders cannot simply shut off their “human” side – nor should they – which makes the first three days so difficult. Jitters and high emotions are to be expected, empathy is important and rest is essential. In addition, it is not uncommon for cybersecurity incident responders to require additional leave or mental health support after a rough go.

All the more reason why proactive planning matters so much.

What to keep in mind

Whether you want to jump into the cybersecurity life for the first time or are a seasoned professional, here are a few reminders:

  • You will always be learning. Attackers are smart, and they evolve; so must you.
  • You can be a specialist (e.g., focus on malware analysis) but appreciate the need to be a bit of a generalist (e.g., know a bit about networking, monitoring, architecture and the essentials of risk management, business continuity and disaster recovery).
  • Your life will go through peaks and valleys, so keep an eye on your health and well-being.

A successful response goes beyond technical ability. Because incident response resembles more of a feast/fast cycle, it can eventually lead to burnout. This differs from other types of cybersecurity roles, which may have a more constant pace.

For all incident responders: enjoy peacetime. Business managers and leaders should support in-house groups to use the time between incidents for preparation, remediation and training. On the external side, keep those utilization numbers in check if your firm uses the more traditional consulting billing model; that model does not work here.

There is an important consideration that goes across the board, too: take remediation seriously. Few actions can be more demoralizing than giving it all to put out the fire, only to find out – further down the line – that the faulty wires responsible for the blaze have not been replaced.

In closing, incident responders are your digital fire brigade. Those in the emergency services business know the toll that irregular hours and high-pressure situations can take. Perhaps those in the cybersecurity business can learn something from their operating model.

This Cybersecurity Awareness Month give a shout-out to a #CyberResponder going above and beyond to keep us secure: https://celebrate-cyber-responders

Watch the IBM Security Incident Response team’s on-demand webinar where X-Force incident responders discuss what it takes to defend the digital front line.

Author’s Note: A special thank you to Meg West for her added insights for this piece.

More from Incident Response

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today