The call everyone had been waiting for came in: the shuffleboard table had arrived and was ready to be brought upstairs and assembled. The team had been hard at work all morning in the open-style office space, with conference rooms and private offices along the perimeter. The Security Operations Center (SOC), with its computers, many monitors, and open layout, was behind a PIN-activated door. The team wanted something fun to do in the office when they took a break from defending networks.
My office-mates for the week were casually dressed in jeans and either t-shirts or button-downs, and they were sweating while laughing and strategizing about how to get a 20-foot shuffleboard table up two flights of stairs and into the office. About five minutes later, the shuffleboard table parts were placed in the open space in the office, and the team was back downstairs figuring out how to dispose of the wood and other protective covering that came with it. They were calm and happy, the consistent mood throughout the week even when larger puzzles arose. The next morning, the table was fully assembled and tests were underway to level out the slope.
What does a shuffleboard table have to do with my trip to Alexandria and the team I visited?
The shuffleboard assembly showed me a lot about how some of the best problem solvers work together to get the job done. The team quickly, quietly, and efficiently solves problems every day, and they have a lot of fun doing so. They work well together: they collaborate, eat, smoke, and joke together. One way they mark their success: you never hear about the incident they solved, it is just solved, much like the way they built the shuffleboard table. One minute, there were many parts in a box that needed to be carried up the stairs and assembled. A day later, there was a shuffleboard table set up and the packaging had been recycled. Most of the time, however, this teamwork is put toward solving some of the largest, most complicated cybersecurity breaches and problems. Everyone on the team has a distinct role, and they rely on each other to solve problems creatively. These are the crime fighters you don't see or hear. So, how do they do it?
They divide and conquer. The team is broken up into three smaller teams—there's an analytic response team, an incident response team, and a threat intelligence team. Their knowledge and collaboration enable quicker threat detection and response and a deep, unparalleled understanding of the threat landscape, user behavior, and attacker behavior.
What are these three different teams and how are they not duplicative?
The Analytic Response team is a group of people who work in the security operations center and continuously keep an organization's environment safe. The combination of people and technology of Analytic Response act as “detectors” in the environment. With this team monitoring, detecting, and responding to what's going on in your environment, when an incident comes up, you gain an understanding of what is happening and how serious it is. There are three tiers of analysts in the SOC, and each has a different role in detecting and responding. They make it possible to detect and respond to threats in hours instead of months. These people eat, sleep, and breathe problem solving and do so calmly and with ease. Many of these analysts have been coding and participating in hacking events since they were young and have a lot of experience spotting anomalies.
The Incident Response team is another subset of this larger IDR ecosystem. This group helps customers put proactive strategies in place so that they have an incident response program before anything goes wrong. They are also the boots on the ground if there's an issue; as the team lead put it, “we're the people you don't want to see at your organization.” When the Incident Response team is called in unexpectedly, it's because there's a cyber-incident that needs to be resolved immediately. They examine and make sense of the virtual crime scene.
The Threat Intelligence team analyzes information on threats and generates intelligence that feeds both analytic and incident response and gives all of the teams situational awareness of emerging and evolving threats. Our leader of the threat intelligence practice is a former Marine Corps network warfare analyst. Threat intelligence helps defenders understand threats and their implications and speeds decision making in the most urgent situations.
The three teams that make up Rapid7's broader IDR Services all support each other and deliver better outcomes for the customer. They may seem like three distinct teams, but they come together to solve problems quickly and build a shared body of knowledge that all of them can use. The analytic response team is made more efficient by threat intelligence, and the incident response team helps customers through major incidents while drawing on the work of both other teams to solve the problem. They are an integrated, fun, quirky team that calmly and easily solves problems… and they also find time for shuffleboard!
Learn more about Analytic Response here.