Working in cyber incident response can certainly make life interesting. Experiences typically run the gamut from exciting, dull, fun, repetitive and challenging.

IBM Security commissioned a study from Morning Consult that surveyed over 1,100 cybersecurity incident responders across ten countries. Unsurprisingly, over two-thirds of respondents experienced daily stress or anxiety due to the pressures of responding to a cyber incident. Despite the challenges, responders are willing to take on the IR role because of their exemplary sense of duty.

But perhaps one of the underrated perks of working in incident response is the ability to tell outrageous true stories. We spoke with three incident responders about some of the most exciting experiences they’ve had working in the field.

Shadow IT: Ransomware Gone Wild

Michael Clark, Director of Threat Research at Sysdig, was on an IR engagement in which a workstation was connected to both a cable modem and the internal network.

“We traced through countless machines back to a lab system no one knew about,” Clark said. “It was dual-homed (two network cards), one connected to the corporate network, the other to a cable modem on the Internet.”

Clark also responded to an incident where malware was spreading using a Windows vulnerability, and the client couldn’t patch their systems quickly.

“We had to deploy EDR to isolate infected systems while also not bringing down the whole network until they could green-light a patch,” he said.

The network was compromised with worm-like ransomware, so it would constantly traverse the network looking for new systems to compromise.

“What made this one interesting was the vulnerability exploited couldn’t be easily patched, and it affected the Active Directory infrastructure,” he said. “A new gold image had to be made and tested first because if you brought up a clean server without the patch, it would just be compromised again. So we had to keep as much isolated as we could with the network still operational while the new image was made. It was a bit of a balancing act.”

Punked by a Third-Party

Eric Florence is a cybersecurity consultant for and a former incident responder. Years ago, he dealt with an incident where someone had changed an executive’s desktop wallpaper to an NSFW image.

“We deleted the photo, changed his credentials and made certain that no malware had been installed,” he said. “The computer was clean. Weeks later, same thing, new photo. After the second day of playing this time-wasting game, I did some digging.”

He found no evidence of disgruntled IT employees, and their credentials would be invalid even if he had. There was also no evidence of malware accessing the network remotely.

“After the third time this happened, we set up a camera in his office. A couple of weeks later, we got something. The person who cleaned the office must have found his credentials written down on a scrap of paper and was doing this as a prank periodically. They lost their job, and I had to explain the importance of never writing down passwords, but it fell on deaf ears. How does this keep happening?”

Surgical Strike: Rescuing a Healthcare Client From HIPAA Fines

Tom Kirkham, founder and CEO of IronTech Security and author of Hack The Rich, has been a part of several incident response teams and shared several stories with us. One of them was undoubtedly the most outrageous on this list.

But first, Kirkham relayed an incident in an oral surgeon’s office. This lateral movement ransomware attack required his team to bring in not just their vendor partners but their response teams as well.

“It was vicious, and I was just sitting there watching it all unfold in the EDR Control Panel in real-time,” he said. “It was just hammering our EDR, and hitting every computer in the office a hundred times per second trying to propagate and even encrypt files. This particular ransomware was known for delivering multiple payloads, but we were reasonably certain that the BIOS or boot sectors weren’t compromised.”

The attack lasted about three or four hours, and the teams were concerned that the EDR would crash.

“The EDR stayed up and gave one of our vendor partners time to write custom code to kill the attack. We had to shut the surgeon’s office down that afternoon, but it definitely saved them HIPAA fines. We had to wipe all the machines, which took us several weeks to overcome. Without that depth of defense expertise, they could have been compromised. We were able to orchestrate the actions of vendors that quite frankly were competitors.”

Saving the Most Outrageous for Last

Life for incident responders can be thrilling, but it should never actually get you killed. While Kirkham is very much alive and well, he must live his life continuously looking over his shoulder.

“The reason I’m so passionate about cybersecurity and incident response is because of a data breach that put me on an ISIS kill list,” he said.

After talking to the FBI and doing his own research, Kirkham figures the hack came from a simple badge swipe. At a trade show conference in the late 90s, SUN Microsystems was demonstrating an unreleased product. He had to have special permission and found himself in a specific database. Somehow, bad actors obtained that database and filtered out all U.S. citizens.

“They had my name, address, and everything. I had an FBI agent visit me, and he tells me I’m in big trouble — but not with the FBI. It kind of bothers you a little bit when it happens to you. I never was concerned about somebody flying over here from the Middle East to kill me, but they used it as a recruiting tool for those already here who are sympathetic (to their cause). It was a big recruiting tool for them. They had the added benefit of all these thousands of people tying up the FBI, who had to speak to everyone on this list; that’s not a five-minute conversation. So they create chaos, which fits right into their objectives. It scares a lot of people like my family and me.”

The outrageousness of your incident response stories will undoubtedly vary. Hopefully, they will never reach the level that Kirkham experienced. It’s clear that working as an incident responder can be exciting, amusing and even dangerous — but it’s bound to leave you with a tale or two.

Want to learn more about what it’s like to work incidents live? Hear directly from IBM Security X-Force incident responders in the webinar, “Tales from the Digital Frontlines” – available on demand.

More from Incident Response

Expert Insights on the X-Force Threat Intelligence Index

5 min read - Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves. Moving Left of Boom: Early Backdoor Detection Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment…

5 min read

How Morris Worm Command and Control Changed Cybersecurity

4 min read - A successful cyberattack requires more than just gaining entry into a victim’s network. To truly reap the rewards, attackers must maintain a persistent presence within the system. After establishing communication with other compromised network devices, actors can stealthily extract valuable data. The key to all this is a well-developed Command and Control (C2 or C&C) infrastructure. The number of C2 servers used for launching cyberattacks increased by 30% in 2022. More than 17,000 of these servers were detected last year,…

4 min read

The Important Role of SOAR in Cybersecurity

4 min read - Understaffed security teams need all the help they can get, and they are finding that help through SOAR. SOAR — security orchestration, automation and response — is defined by Gartner as the “technologies that enable organizations to collect inputs monitored by the security operations team.” Gartner identifies a SOAR platform’s three prime functionalities: Threat and vulnerability management, security operations automation and incident response. The number of threats coming across the network and endpoints each day overwhelms most organizations. Adding SOAR…

4 min read

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read