Defender Spotlight Mandy Cunningham

Interview with Mandy Cunningham, Seasoned Incident Responder


Profile photo of Mandy Cunningham

Interviewer: Can you tell us about a favorite incident that you responded to?

Mandy: Sure! The wind turbine incident stands out to me. Picture this: I’m five months pregnant with twins. I get called out to fly halfway across the country, drive 6 hours from the airport to this remote wind turbine in the middle of a massive field in the dead of winter. It had been compromised by a foreign adversary that was seeking knowledge in how to kinetically cause damage. It was quite the adventure just getting there, but once we arrived, they jokingly asked if I wanted to climb to the top while we waited for the forensics to complete. It was a joke, but I totally would have gone up to the top.


Interviewer: Have you ever had an incident go according to plan?

Mandy: I don’t think I’ve ever experienced an incident where everything went exactly according to plan. I think that’s part of Incident Response I enjoy the most: you have to problem solve on the fly, work together as a team and use any resources at your disposal.


Interviewer: How do you communicate with stakeholders and affected parties throughout the incident response process?

Mandy: Communication is key during an incident. We use bridges, calls, and escalation paths to keep everyone informed and coordinated. It’s important to have leadership control the conversation to the rest of the business while letting the analysts focus on their work.


Interviewer: What has not worked well when communicating during an incident?

Mandy: My one pet peeve is when everyone is working on the same thing. The same splunk search, the same host. When you don’t communicate who has what task, everyone wants to work on the cool thing. While there may be an email or a host compromised that hasn’t made it on our radar yet.


Interviewer: Are there common issues you see during the remediation phase?

Mandy: App owners not wanting to bring their application down because it may cause a business impact, or not wanting to fix a vulnerability in cert lib packages as it hasn’t been tested on 30 year old software.


Interviewer: What advice would you offer to other incident responders based on your experience?

Mandy: Practice, practice, practice. Do forensics on your home machine, set up a lab environment, and find what works best for you. Also, having a mentor who’s been through the trenches can be invaluable. And from a tool perspective, evaluate what works for your business – whether it’s open-source tools, I love KAPE, or commercial solutions.

Interviewer: What else would you like to see in the community to help?

Mandy: Alignment on naming actors. We have numbers, storms, action figures, It’s hard to know who’s talking about what.


Interviewer: What would you like to see infosec vendors do?

Mandy: Think about response in the cloud. A lot of vendors focus on endpoint detection and response. Current cloud security focuses on vulnerabilities.


In the constantly-evolving landscape of cybersecurity, incident responders like Mandy play a vital role in defending against threats and mitigating the impact of security incidents. Through their experience, expertise, and dedication, they continue to navigate the complex challenges of incident response, ensuring the resilience and security of organizations in the face of evolving threats. We thank Mandy for participating and furthering the knowledge of the Incident Response community!

Related Blogs