As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your “go bag” because you cannot remote in to the breached system. It’s all part of the game.
Seasoned incident responders can handle this jab: “Why would you want a job like this? Are you crazy?” The truth is, some thrive in it. Ask around, and you’ll find that incident responders:
- Are driven by a sense of duty to protect something important.
- Appreciate (and even seek) challenges and problems.
- Even if stressed, find a way to enjoy the chaos.
- Love the constant change, which offers an opportunity to keep growing professionally.
But what is a day in the life of a cybersecurity incident responder really like – and what happens when the alarms start flashing?
How the average day can start
The Cybersecurity and Infrastructure Security Agency (CISA) gives a good run-down of the types of tasks to expect in this line of work, along with some core competencies. The U.S. Department of Defense also has a more detailed view.
Keep in mind: An internal incident responder (e.g., in-house) versus an external one (e.g., consulting firm) may have differing “pre-boom” activities. But when the incident hits, many tasks are similar.
What are some pre-boom tasks? Here’s a quick list:
- Seeking vulnerabilities in code, networks, hosts and other types of infrastructure.
- Researching threat actors and their tactics, techniques and procedures.
- Reviewing threat intelligence and other industry news.
- Analyzing alerts and alarms for true- and false-positive rates, or deduplicating them.
- Configuring tools and correlating behaviors.
- Performing trend analyses and report writing.
- Closing out long-term investigations and reviewing the related forensics.
Of course, this is just a short list. If you are on the consultant side, you may be participating in business development activities to build your book of business through incident response retainers. These are all relevant activities in the incident response lifecycle.
The average day goes sideways
Whether you are an internal or external responder, everything changes with that panicked call or red alert on the dashboard. Enjoy your coffee because life is about to get real.
The National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide, outlines the incident response lifecycle with associated tasks. The four phases are:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
With the first hours of the incident being the most stressful, the Detection and Analysis phase and the Containment, Eradication, and Recovery phase play a crucial role in what happens next. Depending on your level and rank, you may be collecting artifacts, triaging severity, initiating communication fan-outs, seeking ways to stop propagation (up to and including outright system disconnections), getting ready to brief leadership or even teeing up negotiations with threat actors.
This is the zero to 100 in a heartbeat moment. But at this point, things are just getting started.
Preparation shapes how the crisis unfolds
First, an incident responder needs to be able to classify the event, spot indicators of compromise, potentially begin forensics while meeting chain-of-custody requirements, review logs and devices, and even keep an eye on what is happening in the public sphere. You may even need to start pulling cables! If you are not in crisis mode, you should be ready to enter it.
The following types of preparedness activities can reduce harm to the network, as well as to the emotionally torqued-up responders:
- A clear understanding of your estate and assets.
- Well-defined roles and responsibilities.
- Recovery point and recovery time objectives (RPO/RTO) established.
- Tested and validated backup and restore procedures.
- Agreements in place with third-party vendors and suppliers, including a strong understanding of who is responsible for what; the “shared responsibility” model is real, and the gaps in it show up during an incident.
Also, be mindful of emotional and psychological impacts. Even the type of incident you face can really ramp up emotions. For example, ransomware incidents not only prey on the emotions of the victims but also exacerbate the stress levels of responders.
This is why preparation is so important. If many of the items above are documented and can be easily referenced, valuable time is saved, uncertainty is reduced and emotions can be better kept in check.
Life during response
In the heat of battle, responders may start hitting 12-hour days or more. And while you want your A-Team running the show, be mindful that after so many hours of battle and bloodshot eyes, coordination and performance deteriorate. During this time, responders could be:
- Gathering evidence
- Performing attribution analysis
- Carrying out complex searches
- Conducting damage assessments
- Maintaining service availability
This still leaves one of the most difficult tasks: managing stakeholder expectations while fulfilling that sense of responsibility to their team or client.
Responders cannot simply shut off their “human” side – nor should they – which makes the first three days so difficult. Jitters and high emotions are to be expected, empathy is important and rest is essential. In addition, it is not uncommon for cybersecurity incident responders to require additional leave or mental health support after a rough go.
All the more reason why proactive planning matters so much.
What to keep in mind
Whether you want to jump into the cybersecurity life for the first time or are a seasoned professional, here are a few reminders:
- You will always be learning. Attackers are smart, and they evolve; so must you.
- You can be a specialist (e.g., focus on malware analysis) but appreciate the need to be a bit of a generalist (e.g., know a bit about networking, monitoring, architecture and the essentials of risk management, business continuity and disaster recovery).
- Your life will go through peaks and valleys, so keep an eye on your health and well-being.
A successful response goes beyond technical ability. Because incident response follows a feast-or-famine cycle, it can eventually lead to burnout. This differs from other types of cybersecurity roles, which may have a more constant pace.
For all incident responders: enjoy peacetime. Business managers and leaders should support in-house groups to use the time between incidents for preparation, remediation and training. On the external side, keep those utilization numbers in check if your firm uses the more traditional consulting billing model; that model does not work here.
There is an important consideration that goes across the board, too: take remediation seriously. Few actions can be more demoralizing than giving it all to put out the fire, only to find out – further down the line – that the faulty wires responsible for the blaze have not been replaced.
In closing, incident responders are your digital fire brigade. Those in the emergency services business know the toll that irregular hours and high-pressure situations can take. Perhaps those in the cybersecurity business can learn something from their operating model.
This Cybersecurity Awareness Month give a shout-out to a #CyberResponder going above and beyond to keep us secure: https://celebrate-cyber-responders
Watch the IBM Security Incident Response team’s on-demand webinar where X-Force incident responders discuss what it takes to defend the digital front line.
Author’s Note: A special thank you to Meg West for her added insights for this piece.