When the SOC Goes to Deadwood: A Night to Remember
Melissa is a content strategist with a 20-year background in writing instruction and editorial work across B2B and B2C industries. She joined the security world five years ago as a BHIS penetration-test report editor, helping her team to sharpen the structure and impact of every client report. Lately, she’s been digging into the stories behind BHIS’s tools, analysts, and culture—capturing narratives of how cybersecurity really works behind the scenes.D
When people imagine a cybersecurity incident response, they usually picture a dark operations room filled with monitors and blinking dashboards. What they don’t picture is a historic hotel in Deadwood, South Dakota … or a company conference dinner abruptly turning into a 14-hour overnight incident response.
But that’s exactly what happened during BHIS’s annual Wild West Hackin’ Fest fall conference, when most of the Black Hills Information Security (BHIS) Security Operations Center found themselves in the same place at the same time—a rare moment for a largely remote team.
I sat down with SOC Operations Lead Hayden Covington to talk about that night: a live ransomware incident that unfolded in a conference room meant for planning and team sessions, not containment calls. What followed was exhausting, surreal, occasionally funny, and a very real test of how the BHIS SOC performs when the margin for error disappears.
A Quick Step Back
In Inside the BHIS SOC, Hayden described how BHIS runs its Security Operations Center differently: no rigid escalation tiers, no ticket handoffs, and no alert-only relationship with customers. Analysts own investigations end to end, collaborate in real time, and stay on calls through active incidents because context matters.
Deadwood wasn’t just a good story from Hayden’s logbook. It was a stress test of BHIS’s team model—played out live, overnight, with a customer’s environment actively under attack.
“A Dark Comedy”
Melissa: You mentioned there was a story from Deadwood—a dark comedy, you called it.
Hayden: [Laughs] Yeah, that’s a good way to put it. It was during the conference, and most of the SOC was already together. That almost never happens—we’re usually remote.
The BHIS SOC plans coverage even during our own conferences. We set up a watch schedule where people sign up for blocks of time so that we always have someone who’s working and available for anything that might happen.
Around six in the evening, Tom had just rotated into the backroom, and I had just sat down for dinner with some of the other team members—and an alert came in.
Melissa: Of course it did.
Hayden: Of course it did. Tom had been reviewing alerts when one stood out. Someone stepped out of the room and said, “Hey … you should probably go talk to Tom.” And immediately I’m like, Oh no. Oh gosh.
The Wrong Bell at Dinnertime
Hayden: I went back there, and Tom very quickly and concisely relayed, “Hey, we’ve been seeing these alerts for this customer, and we saw that they started deleting VSS shadows.”
This is a precursor to ransomware.
So we observed it together and, sure enough, agreed that it was very, very bad. … Tom had already started communicating to the customer when all of our risk-based alerts started triggering for a number of different users, which is indicative of something pretty substantial.
Melissa: So it was going quickly from weird to bad to worse to holy smokes.
Hayden: Yeah, cooked. Right away, we got with our guy (Patterson) who heads up the IR [Incident Response] side of BHIS, and we all got on a big conference call because we knew we weren’t dealing with a single compromised endpoint anymore.
Dinner plans were dropped. Laptops came out. The room shifted from conference chatter to incident response.
What was Actually Happening
Melissa: What was in play right then, and was the catalyst for it obvious?
Hayden: What we know in hindsight is that there had been some suboptimal configurations: the customer had safelisted items that inadvertently reduced their protection, and this had allowed their EDR to just observe and allow all of these malicious executions.
Melissa: But you guys were on the watch. Tom was on the watch. And you caught it, right?
Hayden: Yeah, but this wasn’t theoretical. Files were already being damaged. We had this incredible alignment of everyone at hand and ready to do their thing—just in time. But at the time, we were handling an active attack.
I mean, we had the whole SOC in the backroom on the call with Patterson, and our elastic engineer was there, too. I was like, “Can you remove every exclusion in our alerts we have for this customer?” And he was on it—so fast—connecting to the back end of our elastic to automate all of this stuff that none of us would have known how to do. So it was amazing that he was right there.
Patterson was hooked into their EDR platform and wiping things off the face of the earth as they came in. At one point, John (Strand) is back there adding his feedback and suggestions. I remember he said something like, “I don’t think any customer would have been so lucky as to have their whole SOC in one room when they got hit with an attack like this.”
Melissa: What was particularly dangerous about what was happening?
Hayden: The malware was creating scheduled tasks, decoding binaries, establishing command-and-control, and preparing the environment for lateral movement. It wasn’t loud, and it wasn’t crashing systems, but it was methodical. It was purposeful.
What made it especially dangerous was the customer’s endpoint configuration. Large portions of their EDR had been effectively neutralized by exclusions—some of them fairly broad.
The ransomware wasn’t encrypting entire files; it was encrypting just enough of each file to make it unusable, then moving on. It was like ripping out random pages from every book in a library. The books still exist … but they’re useless.
Melissa: How and why could that have happened?
Hayden: So at some point, there had been an intentional exclusion added that was probably to keep volume down or maybe to effect a quick fix to something that wasn’t working. But an exclusion setting that would effectively disable their EDR in one instance was now behaving as though it had been told, “If it runs here, let it run.”
Because of that, the attacker had room to operate.
Melissa: So you were in the customer’s environment at the same time as the attacker. Who was in there? Who was the attacker, and how did you guys save the day?
Hayden: We actually did identify the strain of malware, but as to the specific actor—they remain nameless, so to speak. Regardless, had it reached backups, the outcome of all this would have been very different. But … What made our response unusually effective was a special stroke of, maybe some luck, as John said, but it was really proximity and this rapport we have as a team.
Pretty much the entire SOC was in that room. Everyone but maybe two or three people. And poor Patterson, who at this point is inextricably involved, was one of the two or three people who happened to be remote for this, but he still worked seamlessly with us.
Detection engineers removed alert exclusions on the fly. Analysts tracked new indicators as they appeared. Incident response worked containment directly inside the customer’s environment. No one had to explain context. Everyone already had it.
We identified SMB traffic associated with ransomware staging, mapped out internal communication paths, and began feeding indicators of compromise (IOC) to both the customer and BHIS’s incident response team in real time.
Melissa: And it never reached the backups.
Hayden: Right. That was the line. If backups had been hit, we’d be having a very different conversation.
They weren’t.
Such a Long Night
The call started around 6:00 p.m. It didn’t end until roughly 8:30 the next morning.
People rotated out strategically so coverage could continue the next day. Others stayed because they were already deep in the incident.
Hayden: People want to help—and that’s a good thing—but incidents like this need focus. At a certain point, if you’re not actively part of the SOC response, you can’t be in the room.
The team locked things down: fewer voices, clearer ownership, faster decisions. The incident became manageable—not because it was small but because it was controlled.
As the night wore on, the room narrowed.
Fried, but Ever Focused
Hayden: At the end, it was myself, Tom, Ethan, our incident response lead Patterson—working remotely—and Phil, one of our SOC client partners.
Phil had the customer’s EDR access and the MFA token we needed, so every time we got logged out, we had to wake him up. Eventually he just stayed in a chair behind us.
Around 3:00 a.m., exhaustion started to set in.
Hayden: I asked Ethan if he’d heard what I just said. He goes, “Hayden, you didn’t say anything.” I realized I’d only thought it.
After that, he kept turning to me and saying, “What did you say?” just to mess with me.
Then my Garmin watch buzzed and told me I’d slept for one minute and was “not prepared for the day.” That felt unnecessary.
And Then … the Dawn
By morning, the ransomware had been stopped before it could reach backups. Recovery guidance was underway. The customer avoided a ransom payment, and the worst-case scenario never materialized.
And then came company headshots.
Hayden: My slot was around 10:00 a.m. I messaged the photographer and said, “I’m not letting you take my picture. I will look like a ghost. Please keep the old one.”
Melissa: And that’s the Deadwood SOC story.
Hayden: That’s it. [Laughs] I think there’s picture somewhere of Ethan, Tom, and me, sitting with our laptops sharing a small counter, with Phil asleep in a chair behind us, having somehow procured himself an electric blanket—unforgettable. And I love this story because it’s such a great illustration of what the BHIS SOC is built for: escalation tempered with ownership, collaboration over queues, and calm decision-making when the stakes are very real.
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Pay-Forward-What-You-Can Training
Available live/virtual and on-demand
