As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your “go bag” because you cannot remote in to the breached system. It’s all part of the game.

Seasoned incident responders can handle this jab: “Why would you want a job like this? Are you crazy?” The truth is, some thrive in it. Ask around, and you’ll find that incident responders:

  • Are driven by a sense of duty to protect something important.
  • Appreciate (and even seek) challenges and problems.
  • Even if stressed, find a way to enjoy the chaos.
  • Love the constant change, which offers an opportunity to keep growing professionally.

But what is a day in the life of a cybersecurity incident responder really like – and what happens when the alarms start flashing?

How the average day can start

The Cybersecurity and Infrastructure Security Agency (CISA) gives a good run-down of the types of tasks to expect in this line of work, along with some core competencies. The U.S. Department of Defense also has a more detailed view.

Keep in mind: An internal (in-house) incident responder and an external one (e.g., at a consulting firm) may have different “pre-boom” activities. But once the incident hits, many of the tasks are the same.

What are some pre-boom tasks? Here’s a quick list:

  • Seeking vulnerabilities in code, networks, hosts and other types of infrastructure.
  • Researching threat actors and their tactics, techniques and procedures.
  • Reviewing threat intelligence and other industry news.
  • Analyzing alerts and alarms for true- and false-positive rates, or deduplicating them.
  • Configuring tools and correlating behaviors.
  • Performing trend analyses and report writing.
  • Closing out long-term investigations and reviewing the related forensics.

Of course, this is just a short list. If you are on the consultant side, you may be participating in business development activities to build your book of business through incident response retainers. These are all relevant activities in the incident response lifecycle.

The average day goes sideways

Whether you are an internal or external responder, everything changes with that panicked call or red alert on the dashboard. Enjoy your coffee because life is about to get real.

The National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide, outlines the incident response lifecycle with associated tasks. The four phases are:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

With the first hours of the incident being the most stressful, the first two phases play a crucial role in what happens next. Depending on your level and rank, you may be collecting artifacts, triaging severity, initiating communication fan-outs, seeking ways to stop propagation (up to and including disconnecting systems outright), getting ready to brief leadership or even teeing up negotiations with threat actors.

This is the zero to 100 in a heartbeat moment. But at this point, things are just getting started.

Preparation shapes how the crisis unfolds

First, an incident responder needs to be able to classify the event, spot indicators of compromise, begin forensic collection under chain-of-custody requirements where needed, review logs and devices, and keep an eye on what is being said in the public sphere. You may even need to start pulling cables! If you are not in crisis mode, you should be ready to enter it.

The following types of preparedness activities can reduce harm to the network, as well as to the emotionally torqued-up responders:

  • A clear understanding of your estate and assets.
  • Well-defined roles and responsibilities.
  • Recovery point/time objectives established.
  • Tested and validated backup and restore procedures.
  • Agreements in place with third-party vendors and suppliers, including a strong understanding of who is responsible for what; the “shared responsibility” thing is real.

Also, be mindful of emotional and psychological impacts. Even the type of incident you face can really ramp up emotions. For example, ransomware incidents prey not only on the emotions of the victims but exacerbate the stress levels of responders.

This is why preparation is so important. If many of the items above are documented and can be easily referenced, valuable time is saved, uncertainty is reduced and emotions can be better kept in check.

Life during response

In the heat of battle, responders may start hitting 12-hour days or more. And while you want your A-Team running the show, be mindful that after so many hours of battle and bloodshot eyes, coordination and performance deteriorate. During this time, responders could be:

  • Gathering evidence
  • Performing attribution analysis
  • Carrying out complex searches
  • Conducting damage assessments
  • Maintaining service availability

This still leaves one of the most difficult tasks: managing stakeholder expectations while fulfilling that sense of responsibility to their team or client.

Responders cannot simply shut off their “human” side – nor should they – which makes the first three days so difficult. Jitters and high emotions are to be expected, empathy is important and rest is essential. In addition, it is not uncommon for cybersecurity incident responders to require additional leave or mental health support after a rough go.

All the more reason why proactive planning matters so much.

What to keep in mind

Whether you want to jump into the cybersecurity life for the first time or are a seasoned professional, here are a few reminders:

  • You will always be learning. Attackers are smart, and they evolve; so must you.
  • You can be a specialist (e.g., focus on malware analysis) but appreciate the need to be a bit of a generalist (e.g., know a bit about networking, monitoring, architecture and the essentials of risk management, business continuity and disaster recovery).
  • Your life will go through peaks and valleys, so keep an eye on your health and well-being.

A successful response goes beyond technical ability. Because incident response resembles more of a feast/fast cycle, it can eventually lead to burnout. This differs from other types of cybersecurity roles, which may have a more constant pace.

For all incident responders: enjoy peacetime. Business managers and leaders should support in-house groups to use the time between incidents for preparation, remediation and training. On the external side, keep those utilization numbers in check if your firm uses the more traditional consulting billing model; that model does not work here.

There is an important consideration that goes across the board, too: take remediation seriously. Few actions can be more demoralizing than giving it all to put out the fire, only to find out – further down the line – that the faulty wires responsible for the blaze have not been replaced.

In closing, incident responders are your digital fire brigade. Those in the emergency services business know the toll that irregular hours and high-pressure situations can take. Perhaps those in the cybersecurity business can learn something from their operating model.

This Cybersecurity Awareness Month, give a shout-out to a #CyberResponder going above and beyond to keep us secure: https://celebrate-cyber-responders

Watch the IBM Security Incident Response team’s on-demand webinar where X-Force incident responders discuss what it takes to defend the digital front line.

Author’s Note: A special thank you to Meg West for her added insights for this piece.
