Digital forensics and incident response: Is it the career for you?
From fraud to extortion to intellectual property theft, new cybercrimes are being committed daily. Digital forensics and incident response (DFIR) professionals help piece together those crimes so that organizations can better protect themselves — and the bad guys get prosecuted.
This episode of the Cyber Work podcast is a rebroadcast of a webinar featuring Cindy Murphy, President at Gillware Digital Forensics. In this podcast, you’ll get the inside scoop on what it’s like to be a DFIR professional from someone with more than 25 years in the field and learn practical information on how to kickstart a career in DFIR.
Chris Sienko: Hello and welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader, and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry. Today’s episode is the audio component of a webinar we recorded in November titled “Digital forensics and incident response: Is it the career for you?”. For those of you who are fans of cybersecurity and cyber crime procedurals, a career in digital forensics and incident response, or DFIR, might seem like the best combination since chocolate and peanut butter, but are you on the right track to pursue this career track? Join Cindy Murphy, President of Gillware Forensics, and Jeff Peters, Product Marketing Manager of Training at Infosec, as they discuss how to get started in digital forensics and incident response, different careers related to DFIR, the types of work done by DFIR professionals, lessons from Cindy’s career in law enforcement and at Gillware, plus we took DFIR questions from live viewers. Now I’ll turn you over to Cindy Murphy and Jeff Peters, along with our moderator Camille DuPuis, for our webinar entitled “Digital forensics and incident response: Is it the career for you?”.
Camille DuPuis: All right, let’s go ahead and get started. So, hello everyone. Thank you for joining us on today’s webinar: “Digital forensics and incident response. Is it the career for you?”. My name is Camille DuPuis. And I will be moderating today’s webinar. So we will go ahead now and move onto the good part, which is introducing our speakers. So first I’d like to pass it off to my colleague, Jeff Peters. He is the product marketing manager here at Infosec.
Jeff Peters: Hello everyone, and thanks for joining us. I’m really excited to have with us today Cindy Murphy, the president at Gillware Digital Forensics. Cindy Murphy is, as I mentioned, the president of Gillware Digital Forensics, which is an incident response, cyber risk management, and digital forensics firm, based here in Madison, Wisconsin along with Infosec. She is a prominent figure in the digital forensics industry with over 20 years of experience. She began her career in the military, and then law enforcement where she first established the Madison Police Department’s Digital Forensics Unit. She has instructed thousands of digital forensics professionals across the globe, and continues to lead the Gillware team as it investigates incidents such as ransomware attacks, business email compromise, intellectual property theft, insider threats, and more. I’m so very excited to get her insight now, and all of that, and what it is like to be a digital forensics professional. Thanks for joining us today, Cindy.
Cindy Murphy: Thank you, nice to be here.
Jeff: Yeah, so what you can expect from today’s webinar we’re gonna talk just a little bit about what digital forensics and incident response is in general. Then we’ll get some advice from Cindy on how you can get started as a DFIR professional, and how she got started in there. We’ll talk about a few of the different career paths, some of the skills and job tasks that you could do as a digital forensics and incident response professional. And then I think the bulk of the webinar we’d really like to use to kind of go through some of those like case studies, or examples of actual incidents, or jobs that you would actually be doing as entry level, or mid-level, or senior person in the field, and get some good stories around that. Then we’ll save some time for Q and A, and, also, if you have any questions throughout the webinar feel free to drop them in the question panel, and we’ll be sure to keep this pretty informal, and ask Cindy along the way. So, yeah, to get started maybe we should talk a little bit about what is DFIR? I have a little bit of knowledge about it through some of the courses that we teach here at Infosec, but I guess how would you explain what it is that you do, Cindy, to someone?
Cindy: Well, there are all sorts of technical explanations, but I think one of the best ways to explain it is to say that if you want a career where you’re never ever gonna be bored this might be a good career to look at. It is ever-changing, ever-growing, and ever-expanding. So what we do is investigate incidents that happen on computer networks, or individual computers. We look at data to try to recreate what happened, or to try to figure out the root cause of an incident, and to try to help an individual, or a company, or an organization better secure their networks. Really that can include endless sorts of things. You have to have a little bit of knowledge about all sorts of different subjects. And there’s a lot of specialization in the field. I mean, we’re talking about everything from cell phones, and SIM cards, and flash memory, to 2,000, 3,000, 50,000 machine networks. So there’s a lot of ground in this industry to cover. There’s really aside from the technical portions of this work there’s a lot of people work. In other words, teaching people about social engineering, and how to harden the human network against these attacks, teaching people smart computing habits. It’s a great field, super interesting, and as broad or as narrow as you need it to be.
Jeff: Yeah, I guess, when I think about it as an outsider I always picture you guys as like a little digital Sherlock Holmes type character. I don’t know if you think that that’s accurate? Is that like a?
Cindy: Yeah, I mean, there’s a little bit of digital Sherlock Holmes, and a little bit of mad scientist, computer scientist, right? There’s a lot because computer’s operating systems, technology are always changing. We often have to figure things out as we go, and that takes a great deal of problem-solving, puzzle working, so not only the investigative side of things, but from a sleuth standpoint, but also from a scientific standpoint what made that happen? How do I prove that that’s what made that happen? So it’s a little bit detective, and a little bit scientist.
Jeff: Yeah, so we have someone asking a question. Would you classify DFIR as a blue team?
Cindy: I would say blue team is part of DFIR. We have digital forensics. We have incident response. We have the red teams that look for and attack systems. We’ve got purple teams. Everybody is trying to wrap their minds around this, so we have malware analysis that would fit in. We have all of those incident response pen tester roles, proactive response roles. Yeah, I would say those fit in. Network security is part of digital forensics, and incident response because we have to have those knowledge bases in the jobs that are in the sector.
Jeff: Before we get too far down the road into the actual job duties maybe we could sort of set the stage with how you got started. I guess was it a career that you always wanted to pursue, or something you kind of fell into? How did you get involved?
Cindy: Well, funny you should say. I literally fell into this career. My path is maybe a little different than other people's might be. I started in the military at 18 years old as a military police officer. Policing is what I wanted to do with my life. I felt a call to serve. I’m also a very active person, and like to help people, and like to figure things out. So I got into policing, and started my digital forensics career in 1998 after being injured on duty, and being assigned on light duty to help an older detective, John Malkay is his name, who was working on one of the first computer crimes ever investigated by Madison Police. Someone had stolen physical signatures out of historical books at the State Historical Library, and they were selling those on bulletin boards, and newsgroups on the Internet, which was a very different place in the 1990s than it is now. So that was the first investigation I worked on. At that point there were no standardized methods for doing drive imaging. There were no standardized methods for doing the investigations on that host machine to prove things. It was at the ground level. It turned out that there was a computer system from MIT involved in this and so one of my very first contacts in this investigation was with Owen Casey, who was at the time working at MIT, and, obviously, he and I have developed a long-term friendship past that. We really didn’t figure out again until 2012 that one of my first investigations, and his first investigations were connected to each other, but we had parallel paths as a result. So lots of lucky pieces, but really I literally fell into it.
Jeff: Yeah, I mean, I imagine it’s changed quite a bit since stealing signatures to now. I mean, probably a huge question, but is there anything you think is like the biggest change, or has had the biggest impact on professionals?
Cindy: Well, I think Moore’s law, right? The size of the hard drives getting huger and huger over time. And the amount of data that we’re dealing with over time has just increased exponentially. Around that same time, 1998, my father gave me a one gigabyte hard drive for Christmas. This is the amount of change we’ve gone through since the ’90s, and said, “That’s the largest drive you’ll probably ever need.” My dad was not a stupid man, and he was very computer savvy. He was a professor at the University of Iowa, and was spending his time processing on data cards, and reel-to-reel tape in the blue room at the University of Iowa, so that’s where I spent my formative years, but I don’t think we understood in the mid to late ’90s how things were going to look in 2020. How things were going to look in 2019. Whether it’s cell phones, and the fact that computing power has become ubiquitous around us, and in people’s pockets everywhere they go, or whether we’re talking about just the amount of data collection that happens on any individual, all of those things have to do with the amount of data in the world. So I think that’s probably the biggest change.
Jeff: Yeah, if we can maybe shift gears a little, and talk about some of the potential careers. Obviously, you mentioned it’s a pretty wide field. There’s tons of different stuff that you could do. I guess in my mind I’ve kind of broken it down into public sector versus private sector, and then maybe people who are doing more forensics first responding to different types of incidents. I don’t know if you’d break it down in a similar way. How would you describe the different types of roles?
Cindy: Yeah, I think this is a good broad breakdown. Public sector forensics is where I cut my teeth in the industry, and maybe actually a harder place to get into in terms of starting a forensics career. Most police departments still operate on a seniority level, so if you go into your career saying, hey, I want to become a computer forensic examiner for a police department. I want to fight child exploitation in that way you’re likely gonna have to become a police officer first. And then you’re gonna likely have to work in the field as a police officer for several years before you’re eligible to promote to a position where you’re doing crime scene forensics, or detective work, or promote into a digital forensics position. The structural setup of law enforcement agencies is such that it makes it somewhat hard to break into that world unless you’re wanting to be a cop, too. Now that has started to change. There are regional crime labs, and individual police departments that hire civilians, specifically, to do digital forensics work, so that is slowly changing. I wish it would change faster. And, of course, at the state and federal levels you may find direct entry civilian digital forensics work as well. But, yeah, this is usually doing cell phone forensics, and computer forensics, so looking at individual machines, or sets of machines, devices like SIM cards, and SD cards. You name it, really it could be anything, for evidence of a criminal activity. In the private sector we do much the same work. We’re supporting investigations into data theft, civil litigation work. There’s a lot of financial crimes that get prosecuted civilly rather than in the criminal courts. We also do data breach investigations, look at insider threats, malware investigations, cyber security incidents, and those sorts of things. We also support law enforcement. 
At Gillware here we do a certain amount of forensics still for law enforcement when law enforcement doesn’t have the resources, or there’s some technical issue that they’re unable to get around with the equipment, and software they have. If they need some custom work done either repairing a device, or some complex problem they will come to a private company such as ours. And then incident response would be support of those incident response issues, the cyber security incidents. You can see these sort of cross back and forth into each other. And I guess we also have those proactive sorts of roles, proactive services the folks who are doing the network security surveys ahead of time, the folks who are doing pen testing, and making sure networks are safe, as safe as possible before an incident happens. So that maybe fits into there as well. There are no real borders between these jobs, which is probably good, because my digital forensics experience works really well when we’re looking at incident response cases. Those skills that I learned about looking at registries, looking at linked files, looking at whatever the forensic artifact is all apply really well to incident response, but if there were that wall between those jobs there would be a lot less flexibility there.
Jeff: Yeah, I wonder if you could maybe like walk us through a particular case, or a typical case like what is the process? You mentioned like investigating stuff on computers, and mobile devices where do you start with that? And what’s the goal? And then is it like a whole team of people doing it, or is it one person that kind of handles one particular case, or is it broken down by the kind of activity that you’re doing?
Cindy: Sure, well, I think that’s gonna depend on the organization you’re working for. Here at Gillware we’re very collaborative, and we try to leverage the skills that our employees have to work in teams on problems. If we talk about a typical incident response kind of case. I’ll take one of the most common, ransomware. Somebody has a ransomware attack they’ve been affected by whatever the variant is. They will typically either come to us directly, or through their insurance provider, or through whatever the referral is, but the first thing we’re gonna do is have what we call a scoping call to try to figure out the scope of that incident. If we look at the incident response process this is part of preparing and identifying, right? We’re preparing for our investigation, but we’re trying to identify the scope of the incident, and we find out as much as we can. What is that network topography? How many machines are on that network? How many of those were affected? We’re trying to identify all of the virtual, and physical servers involved, all of the workstations that are involved, and get a picture of what that looks like from that standpoint, and then we’re going to try to figure out what do they know about what happened? Has there been a progressive spam campaign ahead of this? Are we dealing with potentially Emotet or Trickbot that has dropped a word document with PowerShell scripts, and then that was the precipitating event to the ransomware event. We sit down, we have that call to identify those sorts of factors. Who is gonna be our main point of contact from a technical standpoint? Who is gonna be our main contact from an administrative standpoint? And what are their goals? What’s most important to them to get back, and, also, what are their responsibilities? Are they in a field, or a sector where data is protected? Are they healthcare? Are they storing PII or payment information? And do they have a regulatory requirement to report? 
In those cases we’re gonna need to know more about, we’re gonna have to do a deeper investigation to see whether data was exfiltrated, whether it left that network. So we’re going to have to do forensic examinations on a number of workstations, and servers, and then environment. And so once we have that scoping call taken care of we then work on identifying what we need to collect immediately, and how we’re going to do that. At the same time we’re working on trying to contain, and recover from the incident. So there’s a lot going on in those first 24 hours or so. And it may include engaging with a ransomer. To start again that process of negotiating a ransom doesn’t necessarily mean we’re gonna pay it, but we want to get the information we can from that incident about what’s involved in that side. So lots going on. Once we get that data in then we’re looking for specific samples of malware in that system, both from the standpoint of that initial infection vector we’re looking for how their systems were breached, and we’re also looking for that executable file that was the ransomer. We want to know if it is capable of data exfiltration, or if something ahead of time was capable of data exfiltration. Then we just work it through. You have to remind yourself it’s the old proverb how do you eat an elephant? One spoonful at a time, right? You take this huge problem, and you break it down into the smallest, most important parts, and you tackle them one at a time. Obviously, this is easier with a team of people who specialize in different areas. We have folks who are really good at looking at malware. Folks who are really good at encryption problems. Folks who are really good at if we get a decrypter, and it doesn’t work right modifying that decrypter, so that it will work right. And we have folks who are really good at the part about containment and eradication. Are we gonna deploy Carbon Black or Sophos, or another tool on that network? 
Do they already have one deployed? Do they even know what all their endpoints are? You’d be surprised at how often they don’t. So there’s like I said a lot going on. Those blue team, red team, purple team, pen testing experiences can all be brought to bear to give us a good broad perspective on efficiently, and effectively responding to the problem.
Jeff: Yeah, I mean it sounds like it’s a lot of different pieces along that process. Is there any particular spot, or type of work that you enjoy doing the most when it comes to that, or anything that you enjoy doing the least?
Cindy: It’s a question of that word enjoyment, right? I enjoy doing the things I know the best, which is host machine forensics, right? Like figuring out what and when. What the breach was when it happened. And then what the bad guys did when they were in the machines. How they moved laterally across from machine to machine, but I also enjoy being out of my comfort zone, right? So working with and learning from the folks who are doing that containment, and eradication side of things is really rewarding for me. In law enforcement 31 years of first try not to change anything, right? Make sure you’re not changing that original evidence. When we get into incident response cases we’re going to be making changes, right? We have to in order to secure the network that we can’t totally bring down while we’re doing the investigation. All of it for me is enjoyable. I really, really enjoy looking at the malware itself, trying to decompile it, unpack it, look at what’s going on underneath the surface. While I’m not a programmer it’s really interesting for me to look at what’s there, and to try to figure out what’s happening. Obviously, there are great tools that help us do that. Some of them free. There’s all sorts of sandboxes out there that will pull things apart, and give you more information about them, but I like it all. That’s why I’m still doing it all this time later.
Jeff: Yeah, well, that’s always good. Yeah, I think maybe we should talk a little bit about how people can get started. You mentioned you have a pretty strong team. I imagine you’re hiring people. So people who are listening whether they’re here live, or watch or listen on demand later, is there anything in particular that you look for? I guess you could start with like the education standpoint when it comes to digital forensics do you prefer people, do you think you get a lot of value out of going to school, and getting a degree, or do you look for certifications? Anything along those lines?
Cindy: So I think all of the educational options are good ones. When you’re in a digital forensics position where you’re likely to be in court doing straight machine forensics, or doing civil litigation work in the private sector, or in law enforcement having formal training certification, and formal education is really helpful for building your curriculum vitae your CV, and showing the court your background, and expertise in an area. It looks better to a jury, to a judge, to attorneys to have that formalized education, but that doesn’t mean that’s the end all be all, right? I ended up learning very experientially to start with in my formative years, and then moved to a more formalized training through National Crime Center, what was then EnCase and FTK through those vendor supported training programs, through the SANS Institute. And then decided, hey, I keep learning these same things over and over again. I kind of want to go beyond that, and decided to do my master’s degree in Forensic Computing, and Cyber Crime through University College in Dublin. All of that was focused on building my credentials as an individual, but also building my knowledge about what I was doing as I was doing it. Informal training, though, can’t be underestimated either. Those people who come in as a candidate who have some formalized education, but are also running their own personal sandbox, they’ve set up their own network, they might be running a honeypot, or they might be experimenting with some scripting. They’ve got hobbies they’re in the tech area. Those people are really interesting to us because it shows that not only are they going to school to do this, but they’re also interested in it outside of their formal education. So I think a mix of those things is really good. While I have a law enforcement background I realize that many hackers are not criminals, right? They’re just curious human beings who are exploring technology deeply, and figuring out how to do things. 
Probably if I weren’t in law enforcement I would have been considered a hacker growing up. So that’s not a negative thing, but it is something where people have to be able to fit those tendencies into some rules and restrictions, and boundaries, right? Because you can’t either in the private sector, or the public sector just do what you want, right? There has to be some structure wrapped around all of it, but I think both formal, and informal education are important. Do you want to just move onto skills?
Jeff: Sure, well, one question I had was a lot of the people that we talk to, or when you see surveys about like say with student professionals there seems to be a lot of confusion, I guess, uncertainty about career paths. As you mentioned there’s just so many things even within digital forensics you can do. So I didn’t know if you had any advice for people who are listening, or maybe they’re interested in the field, but they’re not sure which of the dozen sub roles is for them?
Cindy: Yeah, I mean, I think, trying to balance yourself between good general knowledge, and some specific subset of interest, some specialization is a positive thing. You don’t want to walk into a job interview and say, hey, I’m an expert at cell phone forensics, and I want to do a job that is primarily incident response. You can be an expert at cell phone forensics, and that’s really great experience, but I also am gonna want you to know a lot about incident response, see what I mean? So make sure you get that good broad coverage in your educational background, but also pursue the things that interest you, and you’re gonna find that somebody needs that area of expertise.
Jeff: Yeah, so when you talk about like certain skills is there any like particular tools that people should know that are generally used a lot in the field, or any particular skills or processes, or kind of anything that, hey, if you’re in this field you should really be able to talk about this at least at the surface level?
Cindy: Oh, see, now you and I are gonna go in really different directions on this. I want people who have hard skills and soft skills. I want people who are able to talk to other people, and explain difficult concepts in simple ways. I want people who are good at writing, who have good grammar, and who write clearly and concisely, and can express technical things in simple words on paper. And I want people who can present to non-technical people what they’ve learned about the technology. I want people who are curious, people who are passionate about what they do, and people who are flexible. Flexible enough to say I don’t know that, but I’m gonna learn it. I haven’t done that before, but I want to, right? And so, yes, there are tools that are used all of the time in this field, but if you’ve used one forensic suite you should be flexible enough to take those skills, and figure out how to use another, right? Not to say that you’re gonna become an expert at it, but if you’ve been using EnCase, and you walk into an organization where they primarily use something else whether it’s Magnet, or whether it’s X-Ways, or Forensic Explorer, I’m hoping that you’re going to have enough technical savvy, and intuitive knowledge of user interfaces to figure out the software. I’m more interested in your problem-solving behind that. When you use that software what are you looking at? What are you tearing apart? And what are you digging deeper into if you see what I mean? So, yeah, you need to learn the basics. You can learn the basics of imaging through FTK Imager. The next time you use a different tool to do your imaging those concepts should be there. I’m gonna have my original evidence. I’m gonna have a target device. I need to know how to set up the path with both of those, and then make the software work, and then I need to know to go back, and verify my image, and what that means conceptually, but those concepts are supported by the different kinds of software that we use.
I don’t want someone who knows EnCase so well that they don’t have enough flexibility to go and use a different tool if you know what I mean?
Jeff: Yeah, yeah.
Cindy: So rather than teaching the tools I would like to see people with a broad level of knowledge that whatever tool they have access to they’re gonna use that to figure out what they need to know. And I guess another thing is I like people who read. People don’t read enough these days. I mean, we could go back to RTFM. I won’t say the acronym out loud, but reading and having a voracious appetite for reading means that you’re going to be able to figure things out. So we find a lot of people that end up short cutting. They want to be hand-fed an answer in 40 characters or less, and that’s not always possible, especially when we’re looking at some of the more complex systems and concepts involved in these fields.
Jeff: Yeah, we did some research earlier this year, and we found that I think it was 92% of all the infosec professionals we surveyed said they’re learning new skills every single month. I guess I hear that from a lot of people I talk to. That’s really what they’re looking for more when hiring those people who are curious and want to learn, and they’re willing to kind of continually learn all those new things.
Cindy: Yeah, and I mean the goal should be for anybody who's teaching in this field to teach people how to learn. Like teach people how to do basic science. Like how to test things, and change one variable at a time, and rerun your test and see what changed, and figure things out. So if you’re a person who knows how to learn new things you’re going to be successful in this field.
Jeff: Yeah, we have another question that came in from, looks like, Cynthia. She asked, is there any demand for digital forensics professionals right now? I mean, I assume the answer is probably lots, but I don’t know maybe you could put that in context of like over your career is there more demand now or less?
Cindy: There is huge demand for digital forensics, incident response, and network security folks, not only in the private sector, but in the public sector. There’s a huge shortage of people with these skillsets. With the technical skillset and those soft skills. Those two things together are super important, but if we just take my company, Gillware has been around for 3-1/2 years roughly. And in that first year it was me doing the forensics, and Nathan Little came onboard to do forensics as well. These days we are hiring literally three to six people per month, and we need more. We need more good candidates at all levels. I’m talking about people who want to get into this job at the entry level as interns or co-ops, people who have a tiny bit of experience, and want to get in as a beginning forensics, or incident response person. People who have that experience, and want to do it at a higher level and run their own cases, run their own scoping calls, and work at the director level, and, also, people who want to support this work. Folks who can answer phones and speak intelligently to the questions that our customers are asking, or prospective customers are asking. And people who have the skills to do the marketing work in this area. So people who have the skills to organize the evidence, right? We need all of those functions. And we’re also looking for people who have general IT skills to help us after an incident help our customers get back to where they need to be in a secure way. Our proactive services side is also looking for people. We are growing as fast as we can. In this field I don’t think it’s too controversial for me to say that among incident response and forensics companies we aren’t competitors with each other for getting work. There’s more work out there than any of us can handle on our own. We’re competitors in terms of getting people. So you will see a lot of cybersecurity companies trying to poach each other's people.
That wouldn’t necessarily be the case if we had enough folks coming in with the skills and educational backgrounds that we need. So, yeah, there’s a huge demand.
Jeff: Yeah, I wanted to ask you a little bit about some of the like entry level stuff because that seems to be, I guess, a little bit of pushback the stuff you hear when you go on forums a lot of people they know there’s a lot of opportunity in cybersecurity, and they want to break in, but maybe they have a little bit of difficulty kind of like seeing the path in. So maybe talk to them a little bit about experience is there anything in particular that someone can do to like start getting that experience? I know you mentioned setting up honeypots and things, but if someone wanted to sort of stand out from the crowd so that way they apply for an entry level job is there anything in particular you look for along those lines?
Cindy: Yeah, I mean, there are, and I think there is a disconnect here, right? We keep talking about all of these jobs, but people say, hey, I put my application out there, and nobody picks me. I think part of this is, again, those soft skills. If you want to stand out in this crowd, take the time to send a thank you card after you get an interview and you’ll probably get hired. That’s my tip for people, okay? I don’t know how many people are currently, or will be, listening to this, but if you want to stand out, work on those people skills, like connect with the people that you’re trying to apply with, because that will make you stand out in the crowd. Send a physical card. Send an email follow-up. Take the time to pick up the phone and call back afterwards. And keep your name and your resume at the top of that pile. Have a resume that doesn’t look like everybody else’s resume, right? And really focus on bringing out your quirks, and your humanity, in that resume. It’s really effective because if we’re looking through resumes, your resume, honestly, the first time around is probably gonna get five minutes or less time in review. People are gonna look, and if you have exactly the same experience as everybody else in that pile, if there’s something that makes you stick out, whether it’s volunteering in your local school to help people who need to have malware cleaned off their computers, or whether it’s, I’m trying to think of some, whether it’s volunteering to help secure a network, or whether it’s an internship at a police department in the forensics lab, those sorts of things, you have to be a little bit creative, and put yourself out there. I think you also have to express that willingness to do anything. People misinterpret sometimes those entry level positions as, I’m applying for this position. This is the position I want.
If we’ve already made a selection for that position, and you haven’t said, hey, I will literally do anything in your company to get my foot in the door, the person who says that is probably gonna get hired before you. Just because there’s a job description out there, or you’ve applied for a particular position make sure you make it clear that you’re really basically willing to do other job roles in order to get your foot through the door.
Jeff: Yeah, we got about 10 or 15 minutes left here. Maybe we could share just a couple more examples of types of cases or interesting things that you work on. I know we talked a little bit about ransomware. One interesting thing that kind of piqued my attention was in your bio you talked about business email compromise. I know that’s extremely common. I’m just curious how that relates to forensics, and incident response, and anything you do around that?
Cindy: Sure, well, and it also relates to ransomware. As people know, phishing, whether it’s spear phishing or the regular variety, is just absolutely rampant. Many of those phishing attempts either come with a weaponized attachment, or with a link to go provide your credentials. Those credentials, when harvested, can then be used to get into somebody’s account and then set up forwarding rules, or to add new users, and at that point generally an attacker will sit in an email system and just monitor. And then at an auspicious time jump into a conversation and redirect funds, or use that information to move further into a network, and out of the email system. We often see that those business email compromise cases come hand-in-hand with a subsequent ransomware attack. So it’s just a chain in the monetization of that compromise. Oftentimes, when those business email compromise cases come in it will be, hey, I work for such and such a company. We had a wire transfer fraud for $1.3 million, and we need to know where it came from because while it says it came from this email address we’re not seeing it in the inbox and the outbox. We can’t find this email. What happened? So we’ll see upon further investigation that they had a relationship with a vendor. Somebody found out about this relationship with a vendor because it was probably announced on a website someplace, so they developed an email address one letter off, or something similar to that, and just cold emailed in, and started into a conversation and said, hey, we’ve changed our bank account information due to fraudulent activity. Here is the new routing number and bank account number, so the next time you pay the invoice send it here. Then nobody catches that it came from the wrong email address.
It gets forwarded to the finance folks who think they’re taking an instruction from someone above them, and they dutifully change the bank account number and the routing information, and the next time that invoice gets paid it gets paid to someone who it shouldn’t go to. A couple months later when the legitimate company says, hey, this invoice went unpaid, we need to collect, and they go, no, we paid that, then people figure out something happened, right? So there’s kind of a man in the middle attack there, but it’s a very common sort of attack. We also get straight-up data theft investigations. We have hired a new employee. The employee came to us from a different company, and we just received a letter telling us that we have to hold all data associated with this person because they took data with them when they left their previous company, or alternatively, we believe when this guy left, or this gal left, they took with them our proprietary information. So in that case there’s a traditional forensics role there. We’re looking around the time the person left. Did they insert a USB device into that computer? Are there link files showing what they accessed? Did any of that material end up on the new employer’s network? Was there a cloud account involved? Those sorts of things. It’s pretty general, but it gives you an idea. We also get occasionally the spy versus spy sort of case. I am a reporter for a national level news outlet, and I believe that someone has been intercepting my emails. They know where I’m at, where I’m gonna be. They know confidential information that’s provided to me by a source. And so we will look at computers. Sometimes we’re looking to see if there’s been spyware involved. Sometimes it has to do with a firmware compromise, or something like that. We also will look at a very low level at flash memory. What’s going on underneath the flash translation layer?
Can we recover data from flash memory even if our forensics tools show us that it’s all zeros? And the answer is yes, yes, you can, which is really part of the reason I left law enforcement to come to the private sector. That realization that there’s a lot possible that I was unaware of, so it was the lure of something new to learn.
Jeff: Yeah, it looks like we’re getting pretty close to the end here, so if you guys have any other questions feel free to throw them in the chat. I know we got a few coming in that Camille’s monitoring. Before we get to questions I just wanted to mention that anyone who’s watching today gets a free week of training with Infosec Skills. There’s a couple ways you can train with Infosec. We have Infosec Flex boot camps with different digital forensics, computer and mobile forensics, and incident response boot camps. Then we also have a new product that we launched this year, Infosec Skills, which I think is really great for people trying to really explore forensics because you can go in and there’s more than 500 courses. And you can just kind of play around, and try to get a sense of what you like if you’re one of those people who maybe is a bit uncertain on what career is for you. So if you go to infosecinstitute.com/skills you can sign up, free week, and then it’s 34 bucks a month after that if you want to keep going after your free week is up, but with that I will pass it over to Camille. She’s monitoring the questions, and we’ll close out with that.
Camille: All right, thanks, Jeff. And thank you, Cindy, so much for being on the webinar with us today. It’s really been interesting, and just to kind of hear about your job transition, and kind of where you came from, has really been interesting, and I think inspiring. Coming from that, a lot of the questions are still regarding employment in the cybersecurity field. So, again, I know you said it’s changed quite a bit, but I think people are still kind of looking here. Looking at some of the questions about getting into the field, in terms of digital forensics and incident response, what are those technical certifications, if you’re familiar with any, that would pop out to you on a resume, or just those technical skills? I know we kind of discussed this earlier, but if you have any more insight there that would be great.
Cindy: Sure, so I think that any certification you have is not a negative thing. I think that depending on the job function you’re going for you may find that there are requirements to have particular certifications. If your resume comes across my desk, and you are certified, if you’ve got your EnCE, I know you’re gonna have basic skills in using EnCase to do forensics. If you’re certified with FTK, I’ll know you’ve got basic skills with that tool. It tells me something if you’ve done your CISSP. Those things do help you to stand out. If you have a particular job that you absolutely want to go after, and they have a requirement, that makes sense to get that particular thing. That being said, after 20 plus years in forensics and incident response, and 30 years in law enforcement, I understand that there are some people with zero certifications that are extremely good at this work, and there are people who have alphabet soup behind their name who spend all of their time working on their certifications, and none of their time actually practicing the work. Certifying for this work and doing this work are two very different things. While I will place a certain amount of weight on the fact that somebody’s taken the time and the effort to do a certification, and to get re-certified, and I know that it shows they have a basic level of knowledge and/or skills in a particular area, it’s never gonna be the total differentiating factor for me. Those differentiating factors for me as an employer looking at bringing people on have to do more with the combination of the technical knowledge and skills, and the people knowledge and skills. Are you good on the phone? Can you explain things that are hard in a way that’s easy to understand? Do you write well, or am I gonna have to worry about every report that goes out the door? Is it gonna take a lot more time in peer review of reports?
So, again, if you’re super good at the very technical stuff, and you aren’t able to express yourself well in writing, or verbally, it makes it harder to make the decision to hire somebody, but if you have a combination of those skills, and some certifications that’s certainly gonna be a good solid candidate.
Camille: Sure, thanks Cindy. I think that’s some really nice advice, and I think that’s something that’s starting to be a little bit more recognized in the industry, those soft skills, right? So I think that that’s important. I know we have an industry friend who says she translates geek speak. I think that that’s kind of a fun way of saying it, but, also, really important for those that are looking for jobs, and looking to get into the industry.
Cindy: Sure, if I can just hop in, and say one last thing while we have a little time. Some people say, but you can’t teach me that. You can’t teach me to be comfortable speaking, or to say things more simply, or to express myself better in writing. I’m either good at it or I’m not. I’m here to tell you those are things you can learn as well. So for people who know they’re strong in the technical areas, but have some concerns about those soft skills, those are definitely things you can learn.
Camille: Sure, thank you, Cindy, that’s good advice, and I think that answers several of the questions kind of in the question panel. So thank you everyone who participated, and asked questions today. So this is kind of wrapping up our session here. So, once more, thank you Cindy and Jeff for a really fascinating presentation today. And, also, to everyone for joining the webinar, and those asking questions, and participating in that way, too. So as we wrap up here I just wanted to let you know that you can watch for the recording of the webinar coming in your email soon. And if you’d like more information right away about Infosec you can head over to our website, infosecinstitute.com, or you can call to speak with a rep if you’re interested in a course or anything. And we’d appreciate if you’d share your thoughts, and experiences by filling out a real quick survey that will appear just as I close the webinar here. These answers can help us to better understand what folks are looking for in a webinar, and make future webinars even better. So to end here if you have any other questions you can email [email protected], and we will get back to you. Otherwise, have a great rest of your day. Thanks again to Cindy Murphy from Gillware for joining us.
Chris Sienko: I hope you enjoyed today’s webinar. Just as a reminder, many of our podcasts contain video components, which can be found on our YouTube page. Just go to YouTube.com and search Cyber Work with Infosec to catch our collection of tutorials, interviews, and other webinars. And as ever, search Cyber Work with Infosec in your podcast app of choice for more episodes. Thanks again to Cindy Murphy and Jeff Peters. Thank you all for listening. We’ll speak to you next week.
Cyber Work listeners get a free month of Infosec Skills.
Use code “cyberwork” to get access to 500+ IT and security courses today.
About Cyber Work
Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.