Outrageous Stories From Three Cyber Incident Responders
Working in cyber incident response can certainly make life interesting. Experiences run the gamut from exciting and challenging to dull and repetitive.
IBM Security commissioned a study from Morning Consult that surveyed over 1,100 cybersecurity incident responders across ten countries. Unsurprisingly, over two-thirds of respondents experienced daily stress or anxiety due to the pressures of responding to a cyber incident. Despite the challenges, responders are willing to take on the IR role because of their exemplary sense of duty.
But perhaps one of the underrated perks of working in incident response is the ability to tell outrageous true stories. We spoke with three incident responders about some of the most exciting experiences they’ve had working in the field.
Michael Clark, Director of Threat Research at Sysdig, was on an IR engagement in which a workstation was connected to both a cable modem and the internal network.
“We traced through countless machines back to a lab system no one knew about,” Clark said. “It was dual-homed (two network cards), one connected to the corporate network, the other to a cable modem on the Internet.”
Clark also responded to an incident where malware was spreading using a Windows vulnerability, and the client couldn’t patch their systems quickly.
“We had to deploy EDR to isolate infected systems while also not bringing down the whole network until they could green-light a patch,” he said.
The network was compromised with worm-like ransomware: it self-propagated, constantly scanning the network for new systems to compromise.
“What made this one interesting was the vulnerability exploited couldn’t be easily patched, and it affected the Active Directory infrastructure,” he said. “A new gold image had to be made and tested first because if you brought up a clean server without the patch, it would just be compromised again. So we had to keep as much isolated as we could with the network still operational while the new image was made. It was a bit of a balancing act.”
Eric Florence is a cybersecurity consultant for securitytech.org and a former incident responder. Years ago, he dealt with an incident where someone had changed an executive’s desktop wallpaper to an NSFW image.
“We deleted the photo, changed his credentials and made certain that no malware had been installed,” he said. “The computer was clean. Weeks later, same thing, new photo. After the second day of playing this time-wasting game, I did some digging.”
He found no evidence of disgruntled IT employees, and even if he had, their credentials would have been invalid. There was also no evidence of malware accessing the network remotely.
“After the third time this happened, we set up a camera in his office. A couple of weeks later, we got something. The person who cleaned the office must have found his credentials written down on a scrap of paper and was doing this as a prank periodically. They lost their job, and I had to explain the importance of never writing down passwords, but it fell on deaf ears. How does this keep happening?”
Tom Kirkham, founder and CEO of IronTech Security and author of Hack The Rich, has been a part of several incident response teams and shared several stories with us. One of them was undoubtedly the most outrageous on this list.
But first, Kirkham relayed an incident in an oral surgeon’s office. This ransomware attack, which spread laterally across the office network, required his team to bring in not just their vendor partners but those partners’ response teams as well.
“It was vicious, and I was just sitting there watching it all unfold in the EDR Control Panel in real-time,” he said. “It was just hammering our EDR, and hitting every computer in the office a hundred times per second trying to propagate and even encrypt files. This particular ransomware was known for delivering multiple payloads, but we were reasonably certain that the BIOS or boot sectors weren’t compromised.”
The attack lasted about three or four hours, and the teams were concerned that the EDR would crash.
“The EDR stayed up and gave one of our vendor partners time to write custom code to kill the attack. We had to shut the surgeon’s office down that afternoon, but it definitely saved them HIPAA fines. We had to wipe all the machines, which took us several weeks to overcome. Without that depth of defense expertise, they could have been compromised. We were able to orchestrate the actions of vendors that quite frankly were competitors.”
Life for incident responders can be thrilling, but it should never actually get you killed. While Kirkham is very much alive and well, he must live his life continuously looking over his shoulder.
“The reason I’m so passionate about cybersecurity and incident response is because of a data breach that put me on an ISIS kill list,” he said.
After talking to the FBI and doing his own research, Kirkham figures the hack came from a simple badge swipe. At a trade show conference in the late 90s, Sun Microsystems was demonstrating an unreleased product. He had to have special permission to see it, which landed him in a specific attendee database. Somehow, bad actors obtained that database and filtered it down to U.S. citizens.
“They had my name, address, and everything. I had an FBI agent visit me, and he tells me I’m in big trouble — but not with the FBI. It kind of bothers you a little bit when it happens to you. I never was concerned about somebody flying over here from the Middle East to kill me, but they used it as a recruiting tool for those already here who are sympathetic (to their cause). It was a big recruiting tool for them. They had the added benefit of all these thousands of people tying up the FBI, who had to speak to everyone on this list; that’s not a five-minute conversation. So they create chaos, which fits right into their objectives. It scares a lot of people like my family and me.”
The outrageousness of your incident response stories will undoubtedly vary. Hopefully, they will never reach the level that Kirkham experienced. It’s clear that working as an incident responder can be exciting, amusing and even dangerous — but it’s bound to leave you with a tale or two.
Want to learn more about what it’s like to work incidents live? Hear directly from IBM Security X-Force incident responders in the webinar, “Tales from the Digital Frontlines” – available on demand.
Mark Stone is a Hubspot-certified content marketing writer specializing in technology, business, and entertainment. He is a regular contributor to Forbes Bra…
Outrageous Stories From Three Cyber Incident Responders – Security Intelligence

