The day was proving to be an exciting one for team Havoc, the company’s cyber Red Team, as the L2 report he had just read showed that four of the core company servers were vulnerable to a very common exploit. Glacier, the Red Team leader, was evaluating the report and figuring out how he was going to communicate this to the Global IT leaders. It was important not just to inform IT of the vulnerability, but to present recommended solution sets that were reasonable and that would allow IT to remediate the vulnerabilities. Glacier was on his second read-through of the report when he noticed a section that mentioned end-user data on the systems being encrypted.
“Hey Hammerhead, come over here.” Hammerhead is the team’s best Wintel expert.
“What’s up?”
“Take a look at these systems and check out what is happening with the data on the shared drive. I’m thinking we’ve already been hacked and have a serious issue here. What do you think?”
“Oh man, Glacier, it looks like we have an active ransomware attack, maybe using something like CryptoWall.”
Glacier immediately contacts NightShade, the Cyber Incident Response Team (CIRT) coordinator and asks her to get the team assembled.
While the above scenario does happen more often than we would like it to, thankfully it is not an everyday occurrence. Most days consist of conducting risk assessments on malware and zero-day events, investigating abnormal system behavior, and investigating employee or corporate security reports of suspicious activity. Each of these events has to be analyzed and assessed quickly, all the while knowing that each of the actions decided upon will be second-guessed by armchair quarterbacks across corporate IT leadership. Let’s say the Incident Response (IR) team makes a decision to patch systems based on its initial intelligence gathering and risk analysis. If any of these systems have a production failure due to the patch, pushback from IT immediately begins and an argument over the need and criticality of the patch ensues. Even when the actions taken, such as having corporate executives change their passwords, are less impactful to productivity than leaving a building due to a fire alarm, second-guessing by business leaders is inevitable. Even though the IR team’s decisions are rooted in cyber intelligence followed by an appropriate risk analysis, they are frequently told they are overreacting.
The business and IT leaders who do this second-guessing often ask that in the future such decisions be made by group consensus. This thinking shows a complete lack of understanding of how fast cyber-attacks can move. For example, when the Blaster worm came out as a zero-day event, it took down Fortune 500 companies around the globe in less than 15 minutes. The other issue with this type of reasoning is that these business and IT resources, while highly intelligent, have limited knowledge of cyber security and of what it takes to prevent or quickly remediate data breaches. This fact has been made obvious by the long line of large data breaches, all in companies that had limited cyber security resources or that did not listen to the ones they did have.
The same business and IT leaders who are second-guessing cyber security professionals most likely read the first paragraph of this paper thinking it silly and bizarre for cyber security IR teams to use nicknames. Experienced IR professionals understand that hackers and fraudsters are highly intelligent and capable of conducting social engineering research to find the names of IR members, so they can track those names on chats and systems in an effort to disrupt response capabilities. In the past, law enforcement professionals have had the bad guys call police stations pretending to be a hospital where an officer’s wife or husband had just arrived after a car accident. It is very possible that cyber attackers would try some of the same tactics to disrupt IR response capabilities. Many IR teams have only one UNIX or one Wintel resource, and having that person pulled away would cause a large negative impact to team operations. So, not only should IR teams use nicknames, but these nicknames should also be treated as restricted data.
So, after that interlude, let’s get back to a day in the life of a senior IR professional. As with most jobs, coffee is the beginning of the day. While drinking their coffee, the IR professional reviews a variety of cyber intelligence sources to determine potential impact to the current employer. On some days this leads into the intelligence gathering and risk analysis work discussed above; on other days it leads to a check through emails to make sure that the Level 1 (L1) or Level 2 (L2) Security Operations Center (SOC) did not have any urgent findings for immediate handling. If there are no urgent needs in email, then a variety of L1 and L2 SOC reports are reviewed and analyzed, and items of interest are followed up on as needed. Being a student of Stephen Covey’s 7 Habits and the Corporate Athlete methods, lunch is something light and is followed by a walk or quick workout. After lunch, the senior IR professional performs a quick check-in with each of the team members to see what items they are working on and to make sure that morale is high. This is followed by another quick email review to make sure nothing urgent has come in from Corporate Security, the company’s See Something – Say Something campaign, or either of the SOCs. Assuming nothing needing attention has come in, the IR professional brings up the SIEM dashboard to conduct a quality check of the work being done by the L1 and L2. This often leads to some phone calls or a meeting with their team leaders to reinforce Standard Operating Procedure (SOP) items that are not being correctly followed. The end of the day usually consists of going through all the emails that have had to sit while the daily tasks were completed.