What does a military forensics and incident response expert do?
Digital forensics is an interesting field, but one that also can be a bit murky. It's handled in different ways in the private sector, military scenarios or government applications. (Spoiler: If you perform investigations on extremists and terror groups, be prepared to watch some fairly disgusting videos.) Learn all about military digital forensics and incident response from today's guest, Daniel Young, managing partner and co-founder of QuoLab Technologies. He discusses what it's like working on huge multi-person operations in the DoD and Air Force, as well as the importance of comprehensive threat information sharing, both internally and externally.
With nearly 15 years of experience in digital forensics and incident response, Dan Young helps drive the overall direction of his new company, QuoLab Technologies, a developer of a collaborative and threat-driven Security Operations Platform (SOP). Prior to QuoLab, Dan was involved with the U.S. Department of Defense and United States Air Force in several digital forensics analyst positions. Dan is very passionate about bridging the gap between technological efficiency and human ingenuity, and firmly believes that our best way forward as an industry is to focus on collaboration and data sharing at all levels.
Chris Sienko: We recently hit yet another huge milestone here at the Cyber Work Podcast, 25,000 YouTube subscribers. Thanks to all of you who watch and listen each week, to those of you who watch the YouTube videos go live and chat with each other in the comments, and everyone who is helping us to grow this great community.
To give back, we’re now giving you 30 days of team training for teams of 10 or more. Your Infosec Skills account will help you and your entire team develop their skills and earn CPEs with access to hundreds of IT and security courses, cloud-hosted cyber ranges, hands-on projects, skills assessments and certification practice exams. Plus, you can easily monitor, assign and track training progress with team admin and reporting features.
If you have 10 or more people who need skills training, head over to infosecinstitute.com/cyberwork, or click the link in the description to take advantage of the special offer for Cyber Work listeners. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.
On that note, I’ve got someone I’d like you to meet, so let’s begin the episode.
Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Daniel Young is the managing partner and co-founder of QuoLab Technologies, a developer of collaborative and threat-driven security operations platforms. His career includes a stint with the US Department of Defense and the United States Air Force, where he was involved with a variety of digital forensics analyst positions.
Digital forensics is an interesting field, but one that can also be a bit murky, and especially one that’s handled in different ways in the private sector versus military scenarios versus government applications. We’re going to talk today about large-scale cybersecurity operations across multiple teams and even across continents, as well as the importance of comprehensive threat information sharing, both internally and externally, as well as some of the different ways that forensics can be dealt with in different industries.
With nearly 15 years of experience in digital forensics and incident response, Dan Young helps drive the overall direction of his new company, QuoLab Technologies, developer of a collaborative and threat-driven security operations platform. Prior to QuoLab, Dan was involved with the Department of Defense and the United States Air Force in several digital forensics analyst positions.
Dan is very passionate about bridging the gap between technological efficiency and human ingenuity and firmly believes that the best way forward as an industry is to focus on collaboration and data sharing at all levels. Dan, welcome to Cyber Work today.
Dan: Thank you very much, Chris. Happy to be here.
Chris: Good to have you. I want to talk to you first, as we do with all our guests, about your general security journey. How did you first get interested in computers and tech and cybersecurity? Was this something you were interested in before you got in the military? Did you pick it up in the line of duty?
Dan: No. I picked it up back when I was a young little warthog, as I would say. Picked it up, started out with an 8086, an IBM 8086 with big, old giant floppy drives, the five-and-a-quarters. I put one in for your operating system, one in for the program you’re trying to run and load, and cycle, way back in those days of DOS. 6.22 was my pride and joy. I loved working on that. From there, it migrated up through gaming, as in the early ages of Warcraft was a big thing. They’re talking about the relaunch of different things like that. I’m talking the heyday of gaming.
Chris: Quite the conversation on the Slack channels around – their job now that was working from home.
Dan: Exactly. Same here. That’s one of my challenges with our developers, everything like, guys, I understand that you’re at home and there’s all this going on, but some work.
Chris: Head in the game.
Dan: Yeah, head in the game. Yeah. Got into gaming computers. Then from there, building my own computers. When I went to building them and then working on doing different things with them, went to college and got taken under the wing by a really good man there at M State College. He brought me into this – he was the lab manager, so he ran all the different labs for the computer sciences and then the engineering teams and so forth, as well as the general use labs. Had me running and helping out in the lab environments. Got a lot of experience there. Fell passionately in love with that operation space. Then when I joined the Air Force, it just took off from there.
Chris: Okay. Well, that jumps nicely to my next question here. Could you give me a compressed version of the types of projects, positions, or training that you had with Department of Defense and the Air Force? What were some of the major steps along the way in terms of becoming someone who was – went from basic programming and gaming into someone who really understood forensics? What were some of the milestones that pushed your knowledge forward?
Dan: The biggest milestone for me initially was chance, luck, right? I initially joined the Air Force right after 9/11. It’s the heyday of combating Islamic insurgencies and so forth. Joined and went actually to DLI for language goals. I was an Arabic linguist. I got to my first duty station and they said, “Okay, so you have a background in computer science. Very strong. As well as you speak Arabic. You want to go to this team that does digital forensics?” That was actually the first time I’d ever really heard of digital forensics outside of something like CSI-type stuff, right? I’d never touched it.
Went in, started playing around in there. Got a lot of OJT hands-on training, so they were using my linguistic skills to look at the media that was captured, battlefield media is what it was; cellphones, laptops and everything that came off of different individuals that were captured on the battlefield. Looking through that and finding the intelligence that we needed; videos, documents, contact lists, all that good stuff. Then passing that information on.
OJT started out. Then there were several good courses that I went to, both the DOD courses that DC-3 and some other institutions, Air Force institutions, put together. The Air Force on the side, for example, has a lot of digital forensics investigators. They have different courses and recommended paths. Also through SANS Institute. I heavily relied on their Forensics 408 back in the day and then 508 training, which is the GIAC certified incident – GIAC Certified Forensic Analyst, excuse me. Going through those courses and training is really what got up my game and got me at the professional level I needed.
Chris: Okay. I want to pull back and talk about the general concept of computer and digital forensics for people who are just coming to this, maybe they typed in “what is digital forensics” or whatever. What are the most common types of forensics cases you were asked to carry out with DOD and with the Air Force? I mean, obviously you can’t reveal anything specific, but what were some of the types of things that you were working on in these two positions, and were there any procedural or technical differences between the way the two departments worked in this respect?
Dan: Absolutely. Great questions. Before I answer that, I’m just going to caveat that by saying that I am no longer affiliated with the DOD or the Air Force. I’m wearing a QuoLab shirt. Once we’ve got all that, this is to talk about my experiences and my opinions on that.
There were two major types that we worked with. The typical ones that you would think of, counter hackers, right? Working on blue team activities, where you’re going in and you’re doing hunt activities throughout a network, you’re trying to find out how did the intrusion happen, where did it come from. Then looking at the individual systems, laptop, server, whatever it may be that was affected by it, and conducting a forensic examination of that device. That’s the one type. That’s more cyber-focused.
The other focus that I had a lot of my career in as well is that counterterrorism-type focus. That’s focused more on the individual using the device; it’s a persona approach, right? It’s not looking at software per se, it’s more the content on the device. Very similar applications. You’re still using the same tools across both to acquire the data. It’s what you do with that data afterwards that matters.
Chris: Right. Okay. Yeah, and you’re looking for different clues. You’re looking for a turn of phrase, or something that could mean two things, or a keyword or something, right?
Dan: You’re looking at his chat logs if he happened to archive and save them off. Back in the heyday of Skype, a lot of people like to save their Skype logs, or if they had cookies where —
Chris: Yeah. Or you didn’t know you were saving your chat logs. Yeah.
Dan: You didn’t know. We knew and we were taking advantage of that. Or you’re looking at the types of media that they’re producing or watching, so your browsing history, to find out, okay, usually not extremists, but you’re incredibly active on all these different forums, you’re looking at all this violent, vile content. That’s the persona. Then you build out that data and extract – not build it out, but you extract that data and build out your case based off of what you find in there and pass that on up the chain.
Chris: Were you required to watch all of the horrendously violent stuff? Or were you able to delegate some of that? Or were you able to say, “Okay, I get the point.”
Dan: I could go –
Chris: You’ve seen some things.
Dan: There’s a reason why I’m not doing it anymore. That brings up a very good, interesting point about the digital forensics sphere, especially from the military context. I think my colleagues that I’ve talked to in the law enforcement sector go through the exact same thing. It’s the burnout, right? You can only expect somebody to do so many hours, years, whatever it is, of watching child pornography before it starts messing with you, right? Same thing with violent extremist media.
I think every professional has to reach that point and say, “Okay. I think I’ve had enough. I need to step back permanently, or step back for a few years or whatever the time may be and then maybe come back.” Mental health is a big component of that journey. You’re absolutely right. It involves hours and hours and hours of looking at incredibly vile stuff. You do it knowing that you’re doing it for a greater good. Not to sound too idealistic but you truly are. I mean, at the end of the day, for law enforcement going after child pornographers, they’re doing it for the altruistic reason of stopping the people that are engaging in that violent stuff. For my context, it was stopping other attacks from happening, or catching the guys who are actively plotting attacks against our troops. That’s what the focus is. It keeps your head in the game. Keeps you straight locked on and keeps you from freaking the hell out.
Chris: Right. Also, I think that’s worth – I’m glad we brought that up, because you might be saying, “Oh, I want to get involved in forensics in the military context,” but you don’t really think about that’s what you’re going to actually be doing, is you’re going to be pushed to your limits in this regard.
Dan: I mean, the technical side of the job is huge. You have to be passionate. You have to be engaged in it and want to have an inquisitive mind, right? To go after the data, to go after and look for and seek. You also have to be able to – like you were just saying, you have to be able to handle that data and understand that sure, I need to look at this video to find out everything I can about what this guy was doing, because I have to detail it for my counterpart in the DA or whoever else is going to use that data to convict this individual. You have to counter that with, can I actually spend those hours looking at and watching this sample data? That’s the challenge.
Chris: You’ve done it in these military and government contexts, but also in the private sector. Is there a level of difficulty on the technical side on one side or the other? Do you find that extremists have a better security posture, or is it – I mean, is it easier now? Is it harder now? Do people lock up their files more? I don’t know if that’s even something you can compare necessarily.
Dan: Back in the day – I mean, I’m talking back in the 2007-2008 timeframe. I know that people were doing this before that. My experience started roughly in that timeframe. It was much easier than it is today. People were passing stuff in the clear. You’d look at cases of child pornography back then that law enforcement was working on, they were mailing drives back and forth and that kind of thing, with CDs and DVDs.
Nowadays, a lot of it is almost exclusively online. It’s not that people’s technical ability has gone up, or their security awareness posture has gone up. It has, thanks to individuals like Snowden and others that have done certain things that were very damaging to our country. If you look at it from the perspective of what happened in the industry, you have encryption that’s huge, right? You have Skype claiming to have encryption, or Zoom claiming to have encryption, and everything is going through the encryption route, right? That made it much more difficult.
When I get on a hard drive and the entire hard drive is encrypted at boot, instead of just files on it being encrypted, that’s a vastly different approach, right? Yes, that has changed, but I think it’s more at the technical level, versus the people level.
Chris: Okay. From a getting-into-the-game perspective, what types of skills, or interests, or backgrounds would these branches of government be looking for when adding new people to their teams? Obviously, I know you’ve been out of the military frame, but based on what you remember, and I guess just universally speaking, what things should you have in your background to make yourself desirable for these types of positions?
Dan: Obviously, a passion for technology and a passion for the space, right? You have to have an inquisitive mind. If you’re spending hours, and I mean hours and hours and hours, digging through somebody’s hard drive, or a server, a mainframe, whatever it may be, looking for those nuggets of information, that takes perseverance and dedication. It’s a mindset thing.
You have to be able to handle the type – if you’re going down the law enforcement, military route, you’re going to have to be able to handle the exposure to objectionable material. If your focus is more on the cybersecurity defense side, that goes away. The flip side of that too is I think that you lose a little bit of the tactical impact of your work, because countering malware that’s affecting a Fortune 500 is one thing. It’s awesome. Taking down a child pornography ring, or taking down a terrorist cell is a totally different application, right?
Looking at the skills, you have to have the technical background. I would highly encourage people to – I mean, the field changes and evolves all the time. Back in our day, it was learning how to – reassembling platters on a hard drive, right? You don’t do that with an SSD. Going down the software engineering or the cybersecurity training routes and then just starting to learn on your own and getting into it. If you have the money, pay for a SANS class to see if that’s something that you want to do, right? Tons of resources out there. DC-3’s got a lot of resources on their website and other areas.
Chris: Also pay for it.
Dan: It’s also on – Yeah. Not affiliated. They didn’t pay me for that.
Chris: Right, right. Just dropping it. Yeah, I wanted to talk a bit – so let’s talk about the individual, because you’re talking about yourself as an individual incident and forensics person, but we also mentioned in the intro that you’ve led multidisciplinary teams of cyber analysts and developers and linguists in the acquisition of digital media throughout Europe and Africa. Again, I know this is in your past, but could you tell me a little bit about this experience? What were some of the types of cases you were involved with? Is this more or less what you were talking about before? If so, can you talk about what it’s like to manage this team on these larger types of projects?
Dan: I could talk a little bit about that. Obviously, I’m very limited as to what level. What I can say is that the experience of working there was incredibly humbling in many ways, because you’re interacting and working with people with very vast skill sets. They’re very highly specialized in those skill sets. I mean, a network operator versus a digital forensics individual who is an expert at taking data off of a hard drive, for example, versus a language analyst who knows and understands a culture and what you’re talking about. All these different components have to play well together to be able to generate that report at the end of the day and get it into the hand of the decision-maker that decides what to do with that data.
For me, it was juggling a lot of different types of communications, being able to talk to the analyst, the language analyst, at the cultural level where they’re being aware of their needs and requirements and what they’re bringing to the table, versus the technical requirements that are coming from our counterparts. One of the biggest challenges was also a difference in technical capability of the partners.
You see this in the private sector within the commercial sphere. You have very large companies, organizations that have a lot of money to put toward their SOC teams, so they might have a very well-defined SOC structure with tier 1 through 4. They might have the dedicated threat intelligence team and dedicated forensics incident responders.
Then you can flip the coin and be working with another client that does not have any of the above and they pretty much look and go, “What do I do?” You say, “Okay, do you have a firewall at least? Okay, what are the rules like? What do you guys got going on? Do you have an EDR? Can I go through the logs and see that?” That translates incredibly well over to the government side as well in those activities. It’s being able to manage multidisciplinary teams across different focuses and be able to consume and bring all that data together into one cohesive format that you can deliver.
Chris: Okay. We’ve had digital forensics, mobile forensics experts on the show before, talking about private sector and court-based forensics work. And I do want to talk to you, because obviously, I was doing stuff more on that side. Can you talk a little more? You had mentioned that obviously, now you’re more protecting enterprises from malware and stuff, but can you give me some differences between private-sector forensics versus military and government forensics in that regard, in terms of what your targets are, what your methods are? Just the overall day-to-day difference. Like you said with the military stuff, you have a much sharper mission to be accomplished, whereas it might be more financial in the private sector. What are some other examples of that?
Dan: Going back to what we said earlier, the technical level, it’s pretty much the same, right? You’re getting the same training. I think the DOD has done a really good job. The US government as a whole has done a really good job of saying, “Okay, we learn these capabilities, we learn these skill sets.” Now let’s push that down to the private sector, or push that out to corporate America and say, “Look, you guys need to up your game in this area.”
NSA released Ghidra last year. Stuff like that that keeps happening in this space is awesome. We love it. Makes me super happy to see that happening. The technical skill set is roughly the same. What happens is policy, and it’s more at the procedure level. By that I mean, if you’re in a combat zone and you’re doing digital forensics in support of X team, or X organization, or unit, whatever, the rules of engagement in that environment are vastly different than, say, if you’re helping a corporation who has a presence in Europe deal with a forensics case.
They’ve got GDPR requirements. They have data protection issues and stuff. What you’re actually allowed to look at – are you allowed to look at the cookies, the browser history and all that other stuff, because that’s private data, right? Am I even allowed to share that with the threat intelligence team, because they haven’t been read on?
There’s all these different components that make it incredibly hard to migrate between the two, but also a lot of fun, because you get to learn. When I started my journey as a young forensicator doing what I did back then, I never once thought I would have to step outside of the technical bubble, because I was like, I’m technical. I’m extracting. I’m doing. I’m having fun. I’m using EnCase and all those other tools. I kept doing things, right?
Nowadays, you can’t just do that. When you’re an investigator and you’re going into a company, you have to understand, clear cut up at the top, what you’re allowed to do and what you’re not allowed to do. The same applies in the government sector, right? If it’s EU person data, if it’s – it depends on the operational constraints that are placed upon you, who owns the data, do you not rank? Those are all fun things, but it’s vastly about flexibility, so you asked earlier what it takes to be a good forensicator in the sphere, or a forensics operator: intellectual flexibility and technical flexibility as well.
Chris: Yeah. It seems like it’s so many different types of problem-solving that I imagine if you’re the person that used to play the point-and-click problem solver games, or just use that side of your brain, like I’m sure it’s just perfect for you.
Dan: You’re absolutely correct. That is absolutely the driver and the passion behind it. That’s why I love it and that’s why the colleagues of mine, yeah, point-and-click games and stuff like that and carry on the – yep, there are tons of similarities there and driving passion.
Chris: Yeah, get lamp. I wanted to talk about a thing that you mentioned in, or we mentioned in your bio. You talked about the importance of comprehensive threat information sharing internally and externally. Last week we had a guest on, Cody Cornell from Swimlane, who talked about the open exchange of security information between organizations. I want to know about how your specific mission works in this regard. What are you aiming for in terms of threat sharing and collaboration? How does it work practically and what is the stated goal with it?
Dan: That brings up a great point and goes to our earlier conversations too, the shift in forensics, right? The shift in this field and how we did things. Back in the day, if I was supporting law enforcement, if I was supporting military, whatever, you go through a hard drive, you’re going to rip out all the data that you care about, you’re going to encapsulate it and throw it on a shared drive, throw it on a hard drive, whatever, and you’re just going to pass it up.
From there, little teams are going to – individual components are going to take a look at that and do what they need to do and keep passing up the chain. Then you might get something circling back to you with a block list, or a blacklist, or a list of different things to look out for and flag immediately if you ever see them.
In today’s world, data has – I mean, back when I started, it was normal to have a 100 gigabyte hard drive or a 150 gigabyte hard drive. That’s not the case anymore, as we both know. Not only is it not the case on the individual devices, it’s no longer localized. It’s spread out. The vast amount of data that you have to go through and curate makes it impossible for you to just pick up an image. You rip out an image of a laptop and it’s a 2 terabyte image that you’re taking off a laptop. That 2 terabyte image might compress down to, I don’t know, 700 gigs, right? 700 gigs, try and push that across a pipe; how long is that going to take you to push that, right?
Then now you’re talking real-time, when people want decisions yesterday. When you have money going out the door because it’s hack-related, or people’s lives on the line because it’s law enforcement or counterterrorism related, what are you going to do? How are you going to do it? That breaks it down to the need to proceduralize and split out the process and determine the individual points that you need to be able to share and push out as quickly as possible between organizations and teams.
No longer can I just give you a huge bulk dump of everything and say, “Look, my job is done. Go with it.” I have to do the processing and say, “Okay, you truly care about this.” The MITRE ATT&CK framework is a great example of that. We’re using that heavily in our platform and we’re using it because it’s exponentially increasing the ability for us to communicate about different topics. If I’m talking about an executable, I no longer have to sit there and give you a long explanation of what that executable does. Or if I’m tagging data, how I interpret my tags for you, right? I can just say it’s got this MITRE ATT&CK reference number ID.
Chris: There you go. Yup.
Dan: Boom. They immediately know that executable can do this and it’s like this, or might have three or four different, because it has different capabilities, like if it’s a command and control node or whatever. You have that ability, so that translates to you need to have a vector and a mechanism to be able to translate and share that information. Swimlane is doing an awesome job. I’m very familiar with them and I love those guys. Looking forward to partnering with them maybe.
What we’re doing is we’re focusing on the same area, saying, what are the commonly available communication vectors for threat intelligence artifacts? You have MISP, you have STIX/TAXII and OTX and all those other different frameworks that are available and transport mechanisms that are available to share threat information data. You also have vendor-specific capabilities, right? I don’t want to start name-dropping a bunch of vendors out there, but there’s –
Chris: Feel free.
Dan: There’s connect, there’s others. One of our partners, Intel 471, they all have their way of collecting, categorizing, cataloging their threat information data. What we do, what we’re looking at doing, is saying what is the easiest way that I can get, from the operator, the guy doing the forensics job, from the network incident responder, from the threat intelligence team, how can we get that data in a unified way and share it back and forth? Obviously, and again, we can’t keep passing back terabytes of data. We’ve got to be at the level where we’re sharing truly actionable, real-time, live inferent information.
Chris: Okay. That’s not just information sharing, but also a standardizing and streamlining of the way you report the data. Like you say, you’re not going to have to sit there and explain every single procedure if you have the MITRE ATT&CK matrix to help you with that.
Dan: Yup. That’s exactly right.
Chris: Yeah. We love MITRE ATT&CK. On our Infosec Resources blog, we have dozens of articles, each one a breakdown of a different MITRE ATT&CK matrix point and stuff like that. They’re great fun.
Dan: When they came out with that and released it, it was a few years ago, I was like, “Where the hell has this been? How come I haven’t –”
Chris: Yeah, I know. It seems so obvious. It seemed like it should’ve already been with us. Yeah.
Dan: Correct. It’s like, “Wait a minute. We already did this for networking protocols. We already had the exact same thing.”
Chris: Now everybody gets to have it.
Dan: Yeah, now everybody gets to have it. Share the wealth. For us, it’s about being that that data aggregator and connector.
Chris: That’s interesting too, because yeah, that means that’s a related, but different take on what Cody was talking about with regards to security sharing, where he was talking about sharing previous breaches and hacks and best practices of how things were dealt with. That seemed to be more the way police departments in separate counties might share criminal data to catch a serial killer or something like that. Whereas this is a standardizing of procedure in order to speed up the process of the biggest of big data.
Dan: Yeah, it’s giving you a playbook, right? Or I’m sorry, a workspace. Our focus is not on getting down to procedures and processes. The individual teams can do that. Our job is to be more, if we can, able to let them, within our platform, or whatever platform they choose to use that we’re connecting with and exchanging data with, let them have the ability to have a unified place where they can come together and analyze and investigate data in ways that make sense to their organization.
To be able to do that, you have to be a data integrator, right? You have to be a tool integrator. Our focus is more on the people workflow, the collaboration between the individual teams and people. You mentioned earlier what are some of the challenges that I faced when I was working for the government, the US government in Europe, and running those teams and doing that work: data exchange was a huge problem and it still is a huge problem. I don’t think the US government, or NATO, or wherever you want to throw a label on, I don’t think anybody has it totally nailed down, and that’s what we’re trying to – our vision, our passion is to nail down the best way to do data exchange and collaboration.
It has to have that technical component, right? Being a techie back in the day is still applicable, so you have that passion and love for what that individual MITRE ATT&CK mapping is and say, “Okay, how can I best represent that for somebody else over here that needs to work with it in a different context?” From there, make the world safe, or a better place. I mean, at the end of the day, that’s the goal here, right?
Chris: Right. That would be a great place to end the show, but I have more questions for you. I wanted to talk about another point on your bio, and you’re going to have to explain this to me as if a six-year-old were asking the question. The use of graph modeling in threat analysis is another thing that you said you’re very interested in. What aspect of threat analysis would this change and how would it improve the practice of incident response?
Dan: Graph modeling in our context is how we can best display the data, interact with the data. I’m talking behind the scenes in the core, the platform core, how the data is being manipulated and interacted with. It also comes down to how that data is being visualized and displayed and the frequency, the live updating that’s happening with analysts. In practice, this means that when I put data into QuoLab, I want to know that it’s immediately being – which is what QuoLab does – immediately, if I input, say, 50,000 different IP addresses into QuoLab from IP domain type spacing, QuoLab is automatically going through and it’s going to be pulling together all the different data points that it knows about that touch those IPs and also subsume those IPs.
If you have an intel report that came in from your intel provider, your threat intelligence provider that you have within the system, you’re immediately going to be notified of that. The other thing it’s going to notify you of too is the external tools that you have connected. If you’re using DomainTools, or if you’re using Shodan, for example, it’s going to automatically go through: hey Shodan, task these 50,000, go out there, pull the data back, bring it in and display it contextually. That’s all happening automatically by the platform. Where that becomes critical is within the link analysis viewer within QuoLab, and I’m not trying to get tool-specific here, I’m just saying that’s how we’re doing it.
Chris: Yeah, absolutely.
Dan: You’re able to visually track through: okay, and just point, here’s where I saw it, here’s where it’s going and this is why I care about it, in a visual way, and that’s bringing in the human part to it. The only way that we could truly do this – there are a lot of databases out there that do a really bang-up job, and I’m not ragging on them for their specific use case. The problem is a lot of those are not human-centric.
I love Splunk. Been using Splunk forever. I love Elasticsearch. Been using it forever. The truth is that unless you’re the guy writing the queries and the guy that’s looking at the data in a database all the time, that doesn’t really translate very well to others, to non-Splunk experts or non-Elastic experts. That’s why they have dashboards. Those dashboards can be really hard to configure. Every time you change your backend, you’ve got to update your dashboard and so forth.
Well, it says, “Look, we’ll be the visualizer for you of that and we’re going to bring in all these other different data components that you didn’t have access to.” If you’re like me, an incident responder or forensics investigator, if I need to do dynamic analysis of a piece of malware, I’m going to send it to VMRay, or I’m going to send it to Cuckoo, right?
Then if I’m doing static analysis, I’m going to send it to Ghidra, or Binary Ninja, or whatever tool you’re using to do your static analysis. Then all those different data points that those tools produce, bring them back in, and now I can visualize it and look at it, and I’m not just looking at a type of view, I’m seeing the interactions between those data frames, data points, and then you throw in stuff we were talking about earlier like MITRE ATT&CK mapping. Now all of a sudden, the kill chains become blatantly obvious to everybody.
Chris: Yeah. I like this too, because it makes me think of the way people say they’re worried about AI, or whatever, taking away security jobs. As you’re dealing with data at this size, you need these automation methods and these types of things, but they’re still going to need people to understand all this stuff. We haven’t gotten to that point where AI can both take the data and then say, “Oh, yeah. Here’s a great solution for it.”
Dan: Exactly right. You still need that human intuition and it’s why the government still has forensics investigators and analysts, because you still need that human logic and intuition to be able to look at all the different data points and say, “I’m seeing a trend here that a computer just can’t pick out, or I’m seeing a pattern here that makes me say I want to go look at that deeper, whereas a computer just totally overlooked it because it didn’t match a certain set of rules.”
Chris: Yeah, you’re seeing human nature in it.
Dan: Hey, until Johnny Five comes alive, we’re not going to be able to –
Chris: That could be a while.
Dan: We’re going to be doing this ourselves for a bit.
Chris: Oh, man. We are definitely the same age.
Dan: Yeah, we are.
Chris: A lot of people watching this might not get that reference. Anyway, folks at YouTube, check it out. I want to talk – on the Cyber Work Podcast, we want to talk about jobs and careers and so forth. For listeners who are interested in pursuing careers in digital forensics, or incident response, or related things, what are some skills, experience or certifications they should be looking into now to get into the game? If you were hiring someone at QuoLab for these types of positions, what are some things you would absolutely want to see on that person’s resume, or hear in an interview, or see in a cover letter that would make you say, “This person has the right background,” or whatever?
Dan: I’m not a traditional interviewer, primarily because of the opportunities that I was given in my life and in my career. I was a linguist. I didn’t have formal training in computer science. I had taken a lot of computer science classes, had a lot of passion and involvement in it, but I was given the opportunity to break into forensics and become where I am.
I like to see – I’m looking at it more from a personality type focus and I’m not looking at checkboxes on a resume. The checkboxes that I do like to see, and I think a lot of my colleagues would probably agree with me in liking to see, is definitely some computer science background. Not programmer specifically. That can be helpful, but programmers have a different mindset. They’re makers, not breakers.
Can’t fault them, we need them, right? They’re the guys that I go to to automate XYZ function that I need, right? I’m looking for that analytic mindset. I’m looking for people who have taken a lot of courses, probably network forensics, or network security. Security+ and all the security type trainings. Then taking it the next step and saying, “Okay. I’m interested in forensics and I want to take courses on, for example,” – Udemy has different courses available, for example, acquiring a hard drive. How do you use basic dd, or whatever you’re going to use to get a forensic image of a hard drive? What does a forensic image look like?
There’s great training. Again, I go back to SANS. I’m again not being paid, sponsored or affiliated with them. I just happen to love their training and their products. I’ve used them for years, both for myself and the members of my team. I can’t say enough how that is: if you can afford the couple thousand dollars for the course, take that. You go into pretty much any police department or the US government and say, “Hey, I have this.” That starts the conversation that you need to have, and then you can back that up with those other things I was talking about.
The forensics and the incident responder courses that SANS offers, I definitely would recommend people take a look at those. Or through their local university, right? Same thing through your local university. If they offer incident response courses, or cybersecurity courses, practical, tactical application, not the policy side.
Chris: Okay. Yeah, as we wrap up today, you talked a little bit about QuoLab, but give the full pitch. What’s it all about? What are some exciting projects you’ve got going right now and so forth?
Dan: Yeah. The company just actually moved from – we were in Europe, in Frankfurt, Germany, and we just actually launched in – relaunched in the US, and we’re headquartered and proud to be American, rocking and rolling here and making waves, as far as we anticipate, or the way we see it, in our sphere. We have a data fusion analysis investigation platform. What that does is it fuses your internal and external data feeds, data sources. Internally, that could be your SIEM, your Splunk, whatever your data lake is that you have, as well as your tools internally. We’ve talked about some of them for dynamic and static analysis of malware.
Could be other types of tools that you have within your ecosystem that you want to use on a procedural basis. It fuses all that into one unified platform, along with all the external threat intelligence data that you might want to have brought in, whether you’re paying for it, whether it’s open source data, NIST circle or something like that. All those different data sources get fused together and then it gives you an environment where you can go in and you can start analyzing that data and investigating, tearing apart the different components and building out cases, where you can track your threats and incidents, as well as track – think of an APT repository, where you can have internal tracking of the different APT actors that you’ve witnessed and seen within your environment, which also gives you historical knowledge and historical tracking of all the cases and incidents that you’ve been involved in.
The purpose behind doing everything that I just mentioned technically is bridging the divide that exists between teams. Teams can get siloed a lot, be it policy, data or whatever. Bringing it back – so if you look at a Fortune 500 that has a very well-established SOC environment, being able to bridge that gap between their threat intelligence teams, their reverse engineers, their network ops guys, their SOC tier 1 through 4 guys, saying you all need to be on the same playing field when it comes to responding to and actually investigating these events.
Instead of having your threat intelligence analysts collecting all the different threat intelligence, parsing it out and then saying, “Here, malware analysts, here, everybody, you take this data into your domain and look at it,” then the malware guy gets that data and he’s forced to collate that against his, or to compare it against the data that he’s seeing when he’s going through a given piece of malware, and then saying, “Hey, take this data back over here.” We’re wiping all that and saying they can all work on one unified platform in the manner that they need to, with the tools that they need to.
The platform offers different tools. We have a malware tool that was built specifically on the needs that they have. You have the link analysis tool that is great for your SOC guys, your malware reverse – sorry, your incident responders and others. Bringing that unified platform together for them to empower collaboration between the teams is the goal with one node.
Then from there, QuoLab takes it to the next step and says okay, so we’ve got all this data fusion happening. We’ve got all these different data points coming in, all these tool interactions, and we have all these teams networking and collaborating together in one big node, one big happy family now, saying okay, what happens now when you want to start creating communities of interest? What happens when you’re going to start crowdsourcing your cybersecurity? Say you have banks who are partnered together and they’re doing cybersecurity together? Those banks, say five different banks with five different QuoLab nodes, all of a sudden start sharing data.
I’m not just talking about sharing a yard report or something like that. I’m talking about sharing cases. If I’m working on a case, I’m a bank and I’m getting attacked, I have a case and I’m putting data in there and we’re tracking through it, logs and all this other different data, and all our notes and everything, and I say, “Okay, I need to be able to share this with my other three partners, B, C and D.” Well, with one click of a button in QuoLab, if I have that network sharing agreement in place, I can send those cases over to them. As they work on them, it updates my case. You just crowdsourced your cybersecurity.
That takes a mindset shift, by the way. As you probably know, in this domain people are very pro-sharing and can also be very anti-sharing in a case. We took both of those into consideration when coming out and building this and said, “Okay, now we have to create what we called the grid,” which is an exchange mechanism with very constrained and limited capabilities, if needed, so you can put people in that box and say, “I’m only going to share this type of data with this individual. I’m going to share everything over here with this other individual,” and so forth. Being able to separate and control that data sharing arrangement is what we built in there. That’s QuoLab. It took me a lot, right? I mean, it’s complicated, but it’s a lot of fun.
Chris: In process. All right, so one last question, if listeners want to know more about Dan Young or QuoLab, where can they go online?
Chris: Easy peasy.
Dan: For sure.
Chris: Get the shirt.
Dan: E-mail me and I’ll send you a shirt. How about that?
Chris: Perfect. Thank you so much for your time today. This was super fun and super invaluable. Thank you. Thank you, man.
Dan: Thank you, Chris. I definitely appreciate your tattoo. Thank you.
Chris: All right. Thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice.
For a free month of the Infosec Skills platform discussed at the top of today’s show, just go to infosecinstitute.com/skills and sign up for an account. In the coupon code, type ‘cyberwork’, all one word, all lowercase, no spaces, for your free month.
Thank you once again to Dan Young and QuoLab and thank you all for watching and listening. We’ll speak to you next week.
About Cyber Work
Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.