When you choose, or feel called, to be a defender, there are certain realities you accept as part of that mission: the constant change, the potential sleepless nights, and a sense that you’re constantly under siege. We know and accept these stresses because the good we provide outweighs all of that to us. But there are some realities that we encounter, and that we can act against, that contribute more than any ransomware response could.

USB devices pose several risks, tied to a wider range of threats than most people ever consider. It is important that these common, yet potentially dangerous, items are not forgotten in your security program. Regularly monitoring them, not just for connections or uploads to them but for their general activity, is an opportunity that is missed too often. That is the first part of success here: knowing the full picture and the vectors of the threat landscape, then accounting for them in your defense strategy. Going beyond simple awareness, scanning and monitoring for activity from the device are next-step tactics that too often go unknown.

The discovery of illegal activity, specifically activity of the nature described here, is a possibility you have to be aware of in the world as a defender. Not every discovery you make fits nicely into standard buckets or procedures that can be easily automated so you can just set them and forget them. No, some items, the nefarious ones, require an understanding of the law and the handling of a sensitive investigation without compromising the investigation or alerting the perpetrator too soon that they’ve been discovered.

All security programs should have an established working relationship with law enforcement. It requires human contact and human interaction. Not all events are the same, so being able to contact law enforcement, share your intelligence, and then take actions as prescribed by them, even if it means not overtly acting right away, requires understanding, coordination, and a moral sense of right and wrong.

It’s easy to sound the alarm as soon as any threat or malicious activity is discovered. But you always need to consider the context and details specific to every single event. All your experiences provide insight, context, and guidance in every new incident a security practitioner encounters. It requires taking that extra step, sometimes confirming the unthinkable, before acting. You must be aware of all risks, practically at all times. That includes the risk of being wrong about an initial analysis. Defenders must possess the wherewithal to confirm what they see, verify its accuracy, and know exactly what action to take next, given the totality of the circumstances.

Our ability to prevent cyber incidents for the companies we protect is very rewarding. It fills you with a sense of purpose, of pride. But there is no greater sense of purpose than being able to act and make an impact on those grander, unthinkable issues. It takes fortitude and resilience: to see something abhorrent, yet know to act rationally and follow the proper steps that allow for the greatest impact; to know when an event needs to be taken out of the usual procedural loop and acted upon with deference and sensitivity.