Working in cyber incident response can certainly make life interesting. Experiences typically run the gamut from exciting, dull, fun, repetitive and challenging.

IBM Security commissioned a study from Morning Consult that surveyed over 1,100 cybersecurity incident responders across ten countries. Unsurprisingly, over two-thirds of respondents experienced daily stress or anxiety due to the pressures of responding to a cyber incident. Despite the challenges, responders are willing to take on the IR role because of their exemplary sense of duty.

But perhaps one of the underrated perks of working in incident response is the ability to tell outrageous true stories. We spoke with three incident responders about some of the most exciting experiences they’ve had working in the field.

Shadow IT: Ransomware Gone Wild

Michael Clark, Director of Threat Research at Sysdig, was on an IR engagement in which a workstation was connected to both a cable modem and the internal network.

“We traced through countless machines back to a lab system no one knew about,” Clark said. “It was dual-homed (two network cards), one connected to the corporate network, the other to a cable modem on the Internet.”

Clark also responded to an incident where malware was spreading using a Windows vulnerability, and the client couldn’t patch their systems quickly.

“We had to deploy EDR to isolate infected systems while also not bringing down the whole network until they could green-light a patch,” he said.

The network was compromised with worm-like ransomware, so it would constantly traverse the network looking for new systems to compromise.

“What made this one interesting was the vulnerability exploited couldn’t be easily patched, and it affected the Active Directory infrastructure,” he said. “A new gold image had to be made and tested first because if you brought up a clean server without the patch, it would just be compromised again. So we had to keep as much isolated as we could with the network still operational while the new image was made. It was a bit of a balancing act.”

Punked by a Third-Party

Eric Florence is a cybersecurity consultant for securitytech.org and a former incident responder. Years ago, he dealt with an incident where someone had changed an executive’s desktop wallpaper to an NSFW image.

“We deleted the photo, changed his credentials and made certain that no malware had been installed,” he said. “The computer was clean. Weeks later, same thing, new photo. After the second day of playing this time-wasting game, I did some digging.”

He found no evidence of disgruntled IT employees, and their credentials would be invalid even if he had. There was also no evidence of malware accessing the network remotely.

“After the third time this happened, we set up a camera in his office. A couple of weeks later, we got something. The person who cleaned the office must have found his credentials written down on a scrap of paper and was doing this as a prank periodically. They lost their job, and I had to explain the importance of never writing down passwords, but it fell on deaf ears. How does this keep happening?”

Surgical Strike: Rescuing a Healthcare Client From HIPAA Fines

Tom Kirkham, founder and CEO of IronTech Security and author of Hack The Rich, has been a part of several incident response teams and shared several stories with us. One of them was undoubtedly the most outrageous on this list.

But first, Kirkham relayed an incident in an oral surgeon’s office. This lateral movement ransomware attack required his team to bring in not just their vendor partners but their response teams as well.

“It was vicious, and I was just sitting there watching it all unfold in the EDR Control Panel in real-time,” he said. “It was just hammering our EDR, and hitting every computer in the office a hundred times per second trying to propagate and even encrypt files. This particular ransomware was known for delivering multiple payloads, but we were reasonably certain that the BIOS or boot sectors weren’t compromised.”

The attack lasted about three or four hours, and the teams were concerned that the EDR would crash.

“The EDR stayed up and gave one of our vendor partners time to write custom code to kill the attack. We had to shut the surgeon’s office down that afternoon, but it definitely saved them HIPAA fines. We had to wipe all the machines, which took us several weeks to overcome. Without that depth of defense expertise, they could have been compromised. We were able to orchestrate the actions of vendors that quite frankly were competitors.”

Saving the Most Outrageous for Last

Life for incident responders can be thrilling, but it should never actually get you killed. While Kirkham is very much alive and well, he must live his life continuously looking over his shoulder.

“The reason I’m so passionate about cybersecurity and incident response is because of a data breach that put me on an ISIS kill list,” he said.

After talking to the FBI and doing his own research, Kirkham figures the hack came from a simple badge swipe. At a trade show conference in the late 90s, SUN Microsystems was demonstrating an unreleased product. He had to have special permission and found himself in a specific database. Somehow, bad actors obtained that database and filtered out all U.S. citizens.

“They had my name, address, and everything. I had an FBI agent visit me, and he tells me I’m in big trouble — but not with the FBI. It kind of bothers you a little bit when it happens to you. I never was concerned about somebody flying over here from the Middle East to kill me, but they used it as a recruiting tool for those already here who are sympathetic (to their cause). It was a big recruiting tool for them. They had the added benefit of all these thousands of people tying up the FBI, who had to speak to everyone on this list; that’s not a five-minute conversation. So they create chaos, which fits right into their objectives. It scares a lot of people like my family and me.”

The outrageousness of your incident response stories will undoubtedly vary. Hopefully, they will never reach the level that Kirkham experienced. It’s clear that working as an incident responder can be exciting, amusing and even dangerous — but it’s bound to leave you with a tale or two.

Want to learn more about what it’s like to work incidents live? Hear directly from IBM Security X-Force incident responders in the webinar, “Tales from the Digital Frontlines” – available on demand.

More from Incident Response

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

People, Process and Technology: The Incident Response Trifecta

Let's say you are the CISO or IT security lead of your organization, and your incident response program needs an uplift. After making a compelling business case to management for investment, your budget has been approved and expanded. With your newfound wealth, you focus on acquiring technology that will improve your monitoring, detection and analysis of data traffic. Has the incident program really improved by the technology acquisition, or is the uplift merely cosmetic? If no other changes have been…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…