@sroberts advanced persistent incident responder

Imposter Syndrome in DFIR

Impostor syndrome can be defined as a collection of feelings of inadequacy that persist even in face of information that indicates that the opposite is true. It is experienced internally as chronic self-doubt, and feelings of intellectual fraudulence.

Imposter Syndrome ~ The CalTech Counseling Center

There isn’t an easy way to start a post like this and there doesn’t need to be. Imposter Syndrome is something most people don’t know a lot about (I’d never heard the idea until I started working at ) but it’s something everyone is intimately familiar with.

Which one is the boogie man?

Imposter Syndrome is like the boogie man: open the closet, turn on the lights, look around, and you see that nothing is there. You feel better. Exposing it, taking a good hard look, and considering the thing is what nullifies it. But it never goes away entirely. It’s just temporarily gone, and you’ll have to expose it again.

While everyone experiences imposter syndrome, it manifests itself in unique and individualized ways. So with that in mind, and knowing that openness and honesty are the keys (both to help myself and others), this is my take on the symptoms of imposter syndrome I have experienced as a Digital Forensics & Incident Response professional:

The “Blinky Lights” Inferiority

“What if they make a box that does what I do? Like the Terminator but for SOC work.”

Early in my career I read an article about the then-upcoming Windows XP SP2 release and its focus on security (built-in firewall, DEP/NX, Security Center, etc.). This was a formative time in my career and this was a major advancement that I misunderstood entirely.

A Blink Light Box

My first thought was simple: “I may as well give up on security, they’re just going to make hacking impossible with this release.”

I was naive and mistaken but this fear has never gone away completely. I thought the same thing years later when I first saw a FireEye appliance. What if they fix all the bugs? What if someone builds a box that does what I do? What if machine learning actually becomes a real thing and it’s better than I am?

Reality is much different. I sometimes feel like an imposter because someday someone will build a box that does what I do better than I can. Someday won’t be today and tomorrow isn’t looking promising either. This is the easiest inferiority to look at and dismiss as silly, but that doesn’t make it less potent from time to time.

The Offensive Inferiority

“Red team bros just constantly say how easy it is to get around what I spent months building.”

There’s a joke I love that goes like this (with my own small modification):

How do you tell if someone is a vegan, a crossfitter, or red team bro? Give them two minutes and they’ll tell you.

Hang out with offensive types (pentesters, exploit developers, etc) and you’ll hear stories that can basically get boiled down to “Defense is garbage, defenders are useless, we always win, I’m super awesome.” It’s never said that way (otherwise get new friends) but as a DFIR, this feels like being called an idiot all night.

Hacker Bragging Origins

To be clear: This is my hang up. This is not my offensive friends’ fault. We all tell stories focused on our successes, not our failures. It’s tough when you never hear a pentester talk about the time they failed for a week straight to compromise a target. Instead you hear about the epic success when they got their shell. You never hear a vulnerability researcher describe the weeks in IDA (or Vivisect) getting frustrated. But you do hear about when they launched their exploit and saw calc.exe pop up.

A defensive team can succeed 999 out of 1000 times and the thing everyone cares about is the 1 in 1000 where they failed. In the same way, offensive teams never discuss the 999 times they failed, only the final time when they succeed. This leads to the feeling among DFIR folks that thinking they can stop APT:EquationShark (or even the local red team bros) is in vain — that they’re imposters. I would argue defense succeeds often; we just rarely acknowledge it.

The Jack of All Trades Inferiority

“I’m a worse RE than our RE and a worse 4n6 than our 4n6icator and a worse developer than our developer and a worse ops than our ops.”

Shifting to an individual perspective, incident handlers are not T-Shaped People. While most people have one skill they’re an 8 of 10 on, and lots of skills they’re a 3 of 10 in, most DFIR types are a 5 out of 10 in four or five skills and 3s on the rest.

Because of this we Fake the Funk, assuming we should know more and trying to avoid admitting we don’t. This lack of self-honesty to preserve face has caused me to waste talented coworkers’ time & skill, waste valuable learning experiences, and it has kept me from focusing on the tasks I do better than anyone.

It’s easy to feel like an imposter when the rest of your team seems deeply skilled, even if it’s their area of expertise. I’m not as good at working with malware as an RE, but I’m much better at reversing than most forensics engineers, and I know more about intelligence too. It’s a unique set of skills to see the big picture that has a unique and important place on a team.

The “80/20” Inferiority

“About 80% of the time I just sit around being a mediocre software developer or systems engineer.”

I structured this in the order of my imposter syndrome issues. I’m less concerned that RSA is going to release a @SRoberts Replacement Box than the Pentester Bros frustrate me by bragging about their conquests (and ignoring their defeats). The toughest? DFIR types live for emergencies in the way ER doctors live for injuries. What do you do when everything is healthy?

80/20 Rule

No organization is without incidents, but the fact is that (even though there’s always something to do) there are also non-emergency times where as an incident handler it’s easy to feel like a 3rd wheel, unnecessary, an imposter. I spend a lot of that time building new systems, either as an ops engineer or a developer. This ties into the Jack of All Trades issue, but I know I’m not nearly as good a developer as our real developers. Nor am I as good an ops engineer as our real ops engineers. It’s easy to feel somewhat ancillary until the next emergency.

The “Human Being” Inferiority

Don’t think everyone feels like an imposter sometimes? I remember reading a note by a noteworthy colleague that no one would ever expect to feel like an imposter, writing a brutally honest account of feeling like others were going to find out she was a fraud. The text was a moment of pure humility on the author’s part. It didn’t say woe is me, but it was instead expressing a sense that she was handling this but wanted others to know it was normal and they could handle it too.

So What’s the Solution?

  • Acknowledge Imposter Syndrome is real. It’s not unique, you aren’t alone.
  • Stop faking it until you make it. Reach out to experts and either rely on them or learn from them.
  • Use it as motivation. Feel like you’re weak in RE? Take some time to read Practical Malware Analysis. Imposter Syndrome isn’t an excuse.
  • Share your experience handling your own Imposter Syndrome with others.

In The End

I often don’t feel like I’m prepared to be a part of this profession I’ve chosen. I feel like I should know more, read more, write more, and be a whole lot better at RE, forensics, coding, etc. I’m pretty sure all that is normal.

No one gets away from Imposter Syndrome entirely. It’s a human condition, but we can seek to understand it, to control it, and not let it control us. I think a willingness to confront this, with ourselves and our teams, can make everyone stronger.