Shutterstock
The Balancing Act of an Incident Responder
Ransomware attacks throw organizations into chaos, and incident responders like Rob Morrow are thrust right into the middle of it to help regain control while navigating among terrified staff as an outsider.
Morrow is a network security engineer/incident response at Beyond Computer Services, an Atlanta-based provider of managed IT services. He didn’t start out in IT, but found his calling after an organization he worked for experienced a cyberattack. His diverse background has allowed him to look at both IT and incident response through a unique lens — that of a victim.
In a recent blog, Morrow chronicled his recent experience responding to a ransonware attack. The following is an excerpt:
Beyond Computer Solutions’ Rob Morrow
“I walk into the office of said undisclosed location, at which point I only had an address and point of contact. I still had no idea of what was waiting for me once I was able to settle in. I get the usual “oh … who is that and why is he here” looks I have come to love and hate. I know what I have in store from a personal standpoint, yet I still have very limited knowledge of what I am actually there for. I make the rounds and introductions, and start to realize the depth of the hell that I have just walked (voluntarily) into. While a lot in my position would say ‘oh, it is just another ransomware attack,’ I have the problem that will lead to my eventual burnout and downfall, the dreaded empathy. I feel for these people, they have been working night and day trying to make sense of what happened, and finally the hopelessness set in and I got the phone call. This of course means I am already behind the proverbial 8-ball. This is never a good place to be. I understand the embarrassment that comes with an attack, the feeling of what did we do wrong, what could we have done differently, etc. The questions are endless. Now not only do I get to fight the battle of containment, I have to fight the battle of people hating me right out the gate because they feel I am there to pass blame or say what they did wrong. This is the part of the job I always dread.”
Addressing the incident, which involves containing the network and recovering data, requires gaining the trust of overworked and demoralized staff members, and in this case, communicating with two CIOs who didn’t get along.
“[I] have to get these two to understand that the betterment of the company comes first and nothing else matters at this point until it is rebuilt,” Morrow wrote in his blog. “Sounds easy right? Not so much, these two were not having it and trying to sabotage each other at every turn. Option B, keep them separate, have them delegate projects listed by priority, cross reference lists, build my own and try to keep them happy in the process. This includes finishing bits and pieces of what they want interspersed within what needed to be done. OK, challenge accepted, I like to multitask. Not the way I wanted to do things, but when does leaving backdoors for access ever go as first planned. It works so between getting work done, I now have to answer to both separately, have separate meetings and alternating phone calls. Plus, help fix a problem with a third-party program that tested my development skills. For those that don’t know me I am in no way a developer, but Google and GitHub are my friends.”
Chris Noles, president of Beyond Computer Solutions, said his company services businesses in an industry that is being widely compromised because …
