Incident response is like running a fire department.

Edward Gately, Senior News Editor

March 4, 2020


Ransomware attacks throw organizations into chaos, and incident responders like Rob Morrow are thrust right into the middle of it to help regain control while navigating among terrified staff as an outsider.

Morrow is a network security engineer/incident response at Beyond Computer Services, an Atlanta-based provider of managed IT services. He didn’t start out in IT, but found his calling after an organization he worked for experienced a cyberattack. His diverse background has allowed him to look at both IT and incident response through a unique lens — that of a victim.

In a recent blog, Morrow chronicled his recent experience responding to a ransomware attack. The following is an excerpt:



“I walk into the office of said undisclosed location, at which point I only had an address and point of contact. I still had no idea of what was waiting for me once I was able to settle in. I get the usual ‘oh … who is that and why is he here’ looks I have come to love and hate. I know what I have in store from a personal standpoint, yet I still have very limited knowledge of what I am actually there for. I make the rounds and introductions, and start to realize the depth of the hell that I have just walked (voluntarily) into. While a lot in my position would say ‘oh, it is just another ransomware attack,’ I have the problem that will lead to my eventual burnout and downfall, the dreaded empathy. I feel for these people, they have been working night and day trying to make sense of what happened, and finally the hopelessness set in and I got the phone call. This of course means I am already behind the proverbial 8-ball. This is never a good place to be. I understand the embarrassment that comes with an attack, the feeling of what did we do wrong, what could we have done differently, etc. The questions are endless. Now not only do I get to fight the battle of containment, I have to fight the battle of people hating me right out the gate because they feel I am there to pass blame or say what they did wrong. This is the part of the job I always dread.”

Addressing the incident, which involves containing the network and recovering data, requires gaining the trust of overworked and demoralized staff members, and in this case, communicating with two CIOs who didn’t get along.

“[I] have to get these two to understand that the betterment of the company comes first and nothing else matters at this point until it is rebuilt,” Morrow wrote in his blog. “Sounds easy right? Not so much, these two were not having it and trying to sabotage each other at every turn. Option B, keep them separate, have them delegate projects listed by priority, cross reference lists, build my own and try to keep them happy in the process. This includes finishing bits and pieces of what they want interspersed within what needed to be done. OK, challenge accepted, I like to multitask. Not the way I wanted to do things, but when does leaving backdoors for access ever go as first planned. It works so between getting work done, I now have to answer to both separately, have separate meetings and alternating phone calls. Plus, help fix a problem with a third-party program that tested my development skills. For those that don’t know me I am in no way a developer, but Google and GitHub are my friends.”

Chris Noles, president of Beyond Computer Solutions, said his company services businesses in an industry that is being widely compromised because they do wire transfers. Morrow’s role is just one part of the overall incident response and restoration process.



“Rob is involved in a very strategic part of it in terms of making sure that our external team is meshing quite well with their internal IT or lack of IT in some cases,” he said. “On the business side of things, we have to work carefully with the cyber response investigation team. We have a partner that actually provides that service and usually these types of responses are done under some type of cyber insurance that’s paying for us to do the remediation work, and so, while I can’t speak 100% to how that whole process wraps up, I can let you know that once we’ve engaged and we feel like we’ve restored the data and we’ve neutralized the threat, it then goes back to their investigation team to work with legal to wrap things up, and that’s usually just maybe two weeks post-incident response.”

It takes an average of 500-1,000 hours to contain a breach, Noles said. A business that has been compromised doesn’t always recover without significant losses. There are legal fees, compliance violations, they may have to report the breach, which hurts their reputation, and key employees may be terminated, usually the CIO, said Noles.

“Obviously, there is a lot less drama when organizations take proactive measures to prevent a breach by partnering with the right MSSP,” he said.

In a Q&A with Channel Futures, Morrow talks about life as an incident responder, which includes being ready at all times to respond to an attack, and navigating uncomfortable environments to stop cybercriminals in their tracks.

Channel Futures: Are you busier than ever? Are the types of incidents you’re responding to evolving?

Rob Morrow: It’s ever-evolving. On this one I was able to find a variant that hadn’t been seen in the wild before, so it changes from incident to incident.

CF: Is the incident you describe in your blog just a typical day for you?

RM: I’m a network engineer. I do this when we get the opportunity … [but] you can’t do too many or you will burn out quickly.

CF: Do you always know how to respond to these incidents or are there new mysteries to solve in each one?

RM: Every one is different. I mean, you’re walking into a network or an environment you’ve never seen before, so you’ve got a very short time to learn exactly what’s going on, where things are, how their system works, and because of that, even if what they were hit with was the same, it changes the scope; that changes the project on every response.

CF: It’s not just about responding to the incident, but working with the people in these organizations. Does that task vary from organization to organization? Sounds like a delicate balancing act.

RM: I come from a very different background. I’ve been a mechanic, I’ve been a chef and I’ve been in the service industry. I was also a paralegal, and the reason I got into this was I worked for a company that was hacked. I kind of fell in love with the work as we worked through that one and decided to go this route as a career. So being able to look at it from the perspective of, I’ve been in that situation, just really allows me to both empathize with the client and want to help them. And with that I mean … you have to learn to read people and you get better with it with time.

CF: What would you describe as your best and worst experiences as an incident responder?

RM: The best experience is when you start to see the light at the end of the tunnel in every response. Usually that’s once things are starting to stand back up, then you’re getting them back on their feet and they’re starting to feel comfortable again, and feel like they can move forward. Worst experience, it’s gut-wrenching to walk into these places and just see the people and see the effect that an incident had on them. You walk in there and everybody’s just defeated. And every time, it doesn’t matter how many I do, I just get that initial drop of the gut when I see that.

CF: After organizations have gone through something like this, are you seeing improvements in their cybersecurity to prevent this from happening again?

RM: For the most part, yes. Usually there’s a reason somebody got in. A company can do just about everything right and people can still get in. Now that’s always the problem with the way it is right now. We’re in a red team upswing, which is where the attackers kind of have the advantage on everybody, and it goes back and forth to where sometimes the attackers have the advantage and sometimes the businesses have been able to keep up and take over the advantage a little bit.

CF: How’s 2020 going compared to 2019?

RM: 2020 started off very heavy and that’s coming from not just me, but other people that I talked to within the industry. Pretty much everybody I know was calling at the beginning of 2020. So that’s kind of how you’re looking at this year.

CF: So what are you expecting as the year moves forward?

RM: In general, I think the first six to seven months at least are going to be fairly tough. There’s a lot out there right now, and there’s a lot of evolving going on with the attacking tools and things that are available to groups wanting to do this.

CF: What would be your advice for someone just starting out as an incident responder?

RM: Starting out, learn how networks work. Until you can go in and understand how a network works, there’s really only so much you can do because you’ve got to be able to dig in and find the full scope of a breach.

CF: Are you in the middle of an incident right now and then do you have another one coming up? What’s your day-to-day situation like?

RM: I don’t have one going on right now. Coming up I usually have about five hours’ notice before I have to leave. Fortunately, this is really like running a fire department. You know we do our day-to-day operations, which is hopefully preventing breaches because we have clients that pay us to have the best of tools and the best of the team to prevent them. But every once in a while we get a call from our security partner or from a client or prospective client and they have to have a response same day or next day, and we don’t know if we’re going to be working there one week or three months, depending on the organization size, to bring order to everything over there.

CF: Do you feel like progress is being made? Is there reason for optimism?

RM: I think when users are your No. 1 vulnerability, people are getting smarter about it. It’s not perfect … but as a whole we start to see people realizing what phishing emails are, what a malicious link looks like and how to look at an email and say, “Hey, I don’t think this is right,” and do that education and growth. There’s where it will start to change towards the better.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
