December 30, 2022 By Mark Stone 4 min read

Working in cyber incident response can certainly make life interesting. Experiences typically run the gamut from exciting, dull, fun, repetitive and challenging.

IBM Security commissioned a study from Morning Consult that surveyed over 1,100 cybersecurity incident responders across ten countries. Unsurprisingly, over two-thirds of respondents experienced daily stress or anxiety due to the pressures of responding to a cyber incident. Despite the challenges, responders are willing to take on the IR role because of their exemplary sense of duty.

But perhaps one of the underrated perks of working in incident response is the ability to tell outrageous true stories. We spoke with three incident responders about some of the most exciting experiences they’ve had working in the field.

Shadow IT: Ransomware gone wild

Michael Clark, Director of Threat Research at Sysdig, was on an IR engagement in which a workstation was connected to both a cable modem and the internal network.

“We traced through countless machines back to a lab system no one knew about,” Clark said. “It was dual-homed (two network cards), one connected to the corporate network, the other to a cable modem on the Internet.”

Clark also responded to an incident where malware was spreading using a Windows vulnerability, and the client couldn’t patch their systems quickly.

“We had to deploy EDR to isolate infected systems while also not bringing down the whole network until they could green-light a patch,” he said.

The network was compromised with worm-like ransomware, so it would constantly traverse the network looking for new systems to compromise.

“What made this one interesting was the vulnerability exploited couldn’t be easily patched, and it affected the Active Directory infrastructure,” he said. “A new gold image had to be made and tested first because if you brought up a clean server without the patch, it would just be compromised again. So we had to keep as much isolated as we could with the network still operational while the new image was made. It was a bit of a balancing act.”

Punked by a third-party

Eric Florence is a cybersecurity consultant for and a former incident responder. Years ago, he dealt with an incident where someone had changed an executive’s desktop wallpaper to an NSFW image.

“We deleted the photo, changed his credentials and made certain that no malware had been installed,” he said. “The computer was clean. Weeks later, same thing, new photo. After the second day of playing this time-wasting game, I did some digging.”

He found no evidence of disgruntled IT employees, and their credentials would be invalid even if he had. There was also no evidence of malware accessing the network remotely.

“After the third time this happened, we set up a camera in his office. A couple of weeks later, we got something. The person who cleaned the office must have found his credentials written down on a scrap of paper and was doing this as a prank periodically. They lost their job, and I had to explain the importance of never writing down passwords, but it fell on deaf ears. How does this keep happening?”

Surgical strike: Rescuing a healthcare client from HIPAA fines

Tom Kirkham, founder and CEO of IronTech Security and author of Hack The Rich, has been a part of several incident response teams and shared several stories with us. One of them was undoubtedly the most outrageous on this list.

But first, Kirkham relayed an incident in an oral surgeon’s office. This lateral movement ransomware attack required his team to bring in not just their vendor partners but their response teams as well.

“It was vicious, and I was just sitting there watching it all unfold in the EDR Control Panel in real-time,” he said. “It was just hammering our EDR, and hitting every computer in the office a hundred times per second trying to propagate and even encrypt files. This particular ransomware was known for delivering multiple payloads, but we were reasonably certain that the BIOS or boot sectors weren’t compromised.”

The attack lasted about three or four hours, and the teams were concerned that the EDR would crash.

“The EDR stayed up and gave one of our vendor partners time to write custom code to kill the attack. We had to shut the surgeon’s office down that afternoon, but it definitely saved them HIPAA fines. We had to wipe all the machines, which took us several weeks to overcome. Without that depth of defense expertise, they could have been compromised. We were able to orchestrate the actions of vendors that quite frankly were competitors.”

Saving the most outrageous for last

Life for incident responders can be thrilling, but it should never actually get you killed. While Kirkham is very much alive and well, he must live his life continuously looking over his shoulder.

“The reason I’m so passionate about cybersecurity and incident response is because of a data breach that put me on an ISIS kill list,” he said.

After talking to the FBI and doing his own research, Kirkham figures the hack came from a simple badge swipe. At a trade show conference in the late 90s, SUN Microsystems was demonstrating an unreleased product. He had to have special permission and found himself in a specific database. Somehow, bad actors obtained that database and filtered out all U.S. citizens.

“They had my name, address, and everything. I had an FBI agent visit me, and he tells me I’m in big trouble — but not with the FBI. It kind of bothers you a little bit when it happens to you. I never was concerned about somebody flying over here from the Middle East to kill me, but they used it as a recruiting tool for those already here who are sympathetic (to their cause). It was a big recruiting tool for them. They had the added benefit of all these thousands of people tying up the FBI, who had to speak to everyone on this list; that’s not a five-minute conversation. So they create chaos, which fits right into their objectives. It scares a lot of people like my family and me.”

The outrageousness of your incident response stories will undoubtedly vary. Hopefully, they will never reach the level that Kirkham experienced. It’s clear that working as an incident responder can be exciting, amusing and even dangerous — but it’s bound to leave you with a tale or two.

Want to learn more about what it’s like to work incidents live? Hear directly from IBM Security X-Force incident responders in the webinar, “Tales from the Digital Frontlines” – available on demand.

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today