Where Incident Response Is Like An Episode Of House
I’ve decided that cyber incident response is very much like the TV show House, MD.
Let’s take a recent example: the episode begins when the customer calls us and tells us the symptoms, and indeed they sound terrible.
Half their environment has been potentially hacked, but they’re not sure, but it sure seems as if it was. But they think this is an over-reaction. But you should come tomorrow. After we finish the Statement of Work, which will take three days.
Can you come tomorrow?
We review the customer situation and, weh-heh-hay! It seems interesting. That is, there is something about this that can likely be answered by our investigation. And the symptoms, remember, they sound awful.
The caring one on our team says, “It’s Russia,” but we know … it’s never Russia.
So we show up and gather with everyone who might be able to give us a patient history, and we gather all the information, and of course, because they have no visibility other than what we bring with us, and a decade or two of technical debt, we need to ask more than they think, and stick our nosy noses into more hidey holes than they ever expected. And as we go, we keep asking questions, until we come up with a diagnosis that fits the limited facts that we have.
But here is where we screw the pooch, and make an incredibly stupid mistake. We’ve followed some paths that lead to a brick wall, and all of a sudden, everything looks worse. The husband of one of the customer team-family punches me in the face, after the wife tells me I am stupid and I say at least I’m not fat and stupid. Maybe that was a little out of line. Anyway, I messed up.
But then, suddenly, as we find things, different people who know the customer start to get all secretive. We push, push, push into their secretive face, knowing something, and we fade to black.
After the commercial, after we’ve postulated and diagnosed, we start to treat to prove or disprove.
At which point, something else happens and it turns out they’ve been lying to us since the beginning – half the people we’ve spoken with withheld information (some, because they wanted to see if we would uncover it, some because they didn’t think it was “important” and some because they don’t care), and as it turns out, they do have the ability to give us access to the evidence that will get us the answer, but no one wanted to tell us, because they didn’t think it was relevant.
Of course, throughout the episode, there’s always, interwoven, a number of people who are wild characters, liars, assholes, and colorful friends, who second-guess us, and ask aloud whether they really shouldn’t call someone better – after all, how many years of experience at this do you have, anyway?
And when the correct diagnosis comes, the very thing that will solve the problem can also kill the customer, so we’d better be right.
In the meantime, we’ve also exposed something truly unpleasant about the customer that the customer never told his/her spouse/significant other/CEO. This is usually revealed in act three, right before the big finish (and usually involves Legal), and the spouse/significant other/CEO decides to stay with the customer, or maybe to throw the customer’s main security person under the bus and out with the bathwater.
And throughout, I get to be a cantankerous asshole, who seems too irreverent for his own good, who is disrespectful of the process and all of the politics, who calls the ugly baby, “Your seriously hideously ugly baby,” and blames for his being so blunt his chronic pain, and his chronic pain medication.
It’s a wonderful job.