The Balancing Act of an Incident Responder
… the people and see the effect that an incident had on them. You walk in there and everybody’s just defeated. And every time, it doesn’t matter how many I do, I just get that initial drop of the gut when I see that.
CF: After organizations have gone through something like this, are you seeing improvements in their cybersecurity to prevent this from happening again?
RM: For the most part, yes. Usually there’s a reason somebody got in. A company can do just about everything right and people can still get in. Now that’s always the problem with the way it is right now. We’re in a red team upswing, which is where the attackers kind of have the advantage on everybody, and it goes back and forth to where sometimes the attackers have the advantage and sometimes the businesses have been able to keep up and take over the advantage a little bit.
CF: How’s 2020 going compared to 2019?
RM: 2020 started off very heavy and that’s coming from not just me, but other people that I talked to within the industry. Pretty much everybody I know was calling at the beginning of 2020. So that’s kind of how you’re looking at this year.
CF: So what are you expecting as the year moves forward?
RM: In general, I think the first six to seven months at least are going to be fairly tough. There’s a lot out there right now, and there’s a lot of evolving going on with the attacking tools and things that are available to groups wanting to do this.
CF: What would be your advice for someone just starting out as an incident responder?
RM: Starting out, learn how networks work. Until you can go in and understand how a network works, there’s really only so much you can do because you’ve got to be able to dig in and find the full scope of a breach.
CF: Are you in the middle of an incident right now and then do you have another one coming up? What’s your day-to-day situation like?
RM: I don’t have one going on right now. Coming up I usually have about five hours’ notice before I have to leave. Fortunately, this is really like running a fire department. You know we do our day-to-day operations, which is hopefully preventing breaches because we have clients that pay us to have the best of tools and the best of the team to prevent them. But every once in a while we get a call from our security partner or from a client or prospective client and they have to have a response same day or next day, and we don’t know if we’re going to be working there one week or three months, depending on the organization size, to bring order to everything over there.
CF: Do you feel like progress is being made? Is there reason for optimism?
RM: I think when users are your No. 1 vulnerability, people are getting smarter about it. It’s not perfect … but as a whole we start to see people realizing what phishing emails are, what a malicious link looks like and how to look at an email and say, “Hey, I don’t think this is right,” and do that education and growth. That’s where it will start to change towards the better.