Light Dark
December 30, 2022 By Mark Stone 4 min read
Incident Response
Risk Management

Working in cyber incident response can certainly make life interesting. Experiences typically run the gamut from exciting, dull, fun, repetitive and challenging.

IBM Security commissioned a study from Morning Consult that surveyed over 1,100 cybersecurity incident responders across ten countries. Unsurprisingly, over two-thirds of respondents experienced daily stress or anxiety due to the pressures of responding to a cyber incident. Despite the challenges, responders are willing to take on the IR role because of their exemplary sense of duty.

But perhaps one of the underrated perks of working in incident response is the ability to tell outrageous true stories. We spoke with three incident responders about some of the most exciting experiences they’ve had working in the field.

Shadow IT: Ransomware gone wild

Michael Clark, Director of Threat Research at Sysdig, was on an IR engagement in which a workstation was connected to both a cable modem and the internal network.

“We traced through countless machines back to a lab system no one knew about,” Clark said. “It was dual-homed (two network cards), one connected to the corporate network, the other to a cable modem on the Internet.”

Clark also responded to an incident where malware was spreading using a Windows vulnerability, and the client couldn’t patch their systems quickly.

“We had to deploy EDR to isolate infected systems while also not bringing down the whole network until they could green-light a patch,” he said.

The network was compromised with worm-like ransomware, so it would constantly traverse the network looking for new systems to compromise.

“What made this one interesting was the vulnerability exploited couldn’t be easily patched, and it affected the Active Directory infrastructure,” he said. “A new gold image had to be made and tested first because if you brought up a clean server without the patch, it would just be compromised again. So we had to keep as much isolated as we could with the network still operational while the new image was made. It was a bit of a balancing act.”

Punked by a third-party

Eric Florence is a cybersecurity consultant for securitytech.org and a former incident responder. Years ago, he dealt with an incident where someone had changed an executive’s desktop wallpaper to an NSFW image.

“We deleted the photo, changed his credentials and made certain that no malware had been installed,” he said. “The computer was clean. Weeks later, same thing, new photo. After the second day of playing this time-wasting game, I did some digging.”

He found no evidence of disgruntled IT employees, and their credentials would be invalid even if he had. There was also no evidence of malware accessing the network remotely.

“After the third time this happened, we set up a camera in his office. A couple of weeks later, we got something. The person who cleaned the office must have found his credentials written down on a scrap of paper and was doing this as a prank periodically. They lost their job, and I had to explain the importance of never writing down passwords, but it fell on deaf ears. How does this keep happening?”

Surgical strike: Rescuing a healthcare client from HIPAA fines

Tom Kirkham, founder and CEO of IronTech Security and author of Hack The Rich, has been a part of several incident response teams and shared several stories with us. One of them was undoubtedly the most outrageous on this list.

But first, Kirkham relayed an incident in an oral surgeon’s office. This lateral movement ransomware attack required his team to bring in not just their vendor partners but their response teams as well.

“It was vicious, and I was just sitting there watching it all unfold in the EDR Control Panel in real-time,” he said. “It was just hammering our EDR, and hitting every computer in the office a hundred times per second trying to propagate and even encrypt files. This particular ransomware was known for delivering multiple payloads, but we were reasonably certain that the BIOS or boot sectors weren’t compromised.”

The attack lasted about three or four hours, and the teams were concerned that the EDR would crash.

“The EDR stayed up and gave one of our vendor partners time to write custom code to kill the attack. We had to shut the surgeon’s office down that afternoon, but it definitely saved them HIPAA fines. We had to wipe all the machines, which took us several weeks to overcome. Without that depth of defense expertise, they could have been compromised. We were able to orchestrate the actions of vendors that quite frankly were competitors.”

Saving the most outrageous for last

Life for incident responders can be thrilling, but it should never actually get you killed. While Kirkham is very much alive and well, he must live his life continuously looking over his shoulder.

“The reason I’m so passionate about cybersecurity and incident response is because of a data breach that put me on an ISIS kill list,” he said.

After talking to the FBI and doing his own research, Kirkham figures the hack came from a simple badge swipe. At a trade show conference in the late 90s, SUN Microsystems was demonstrating an unreleased product. He had to have special permission and found himself in a specific database. Somehow, bad actors obtained that database and filtered out all U.S. citizens.

“They had my name, address, and everything. I had an FBI agent visit me, and he tells me I’m in big trouble — but not with the FBI. It kind of bothers you a little bit when it happens to you. I never was concerned about somebody flying over here from the Middle East to kill me, but they used it as a recruiting tool for those already here who are sympathetic (to their cause). It was a big recruiting tool for them. They had the added benefit of all these thousands of people tying up the FBI, who had to speak to everyone on this list; that’s not a five-minute conversation. So they create chaos, which fits right into their objectives. It scares a lot of people like my family and me.”

The outrageousness of your incident response stories will undoubtedly vary. Hopefully, they will never reach the level that Kirkham experienced. It’s clear that working as an incident responder can be exciting, amusing and even dangerous — but it’s bound to leave you with a tale or two.

Want to learn more about what it’s like to work incidents live? Hear directly from IBM Security X-Force incident responders in the webinar, “Tales from the Digital Frontlines” – available on demand.

 |  |  |  |  |  |  |  | 
Mark Stone

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature