Working in ransomware response, investigation and recovery | John Price

Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/

John Price of SubRosa joins today's Cyber Work Podcast to share insights from his unique career path spanning UK military counterintelligence, banking cybersecurity and founding his own digital forensics consultancy. John breaks down what really happens when ransomware hits small and medium businesses, why most companies choose recovery over legal action, and how his team helps organizations get back on their feet quickly. He also discusses the growing threats facing industries like automotive dealerships, the critical role of documentation in forensics work, and why AI will reshape both offensive and defensive cybersecurity strategies.

0:00 - Intro
1:00 - Cybersecurity Salary Guide
2:34 - Meet John Price
2:51 - Early career in military counterintelligence
5:13 - Career journey from military to banking to SubRosa
8:34 - Role as founder and head of SubRosa
10:51 - Digital forensics and breach response operations
13:13 - Typical ransomware response process
17:57 - Building and managing a forensics team
19:50 - Unusual cases and industry-specific threats
24:29 - Importance of writing and documentation in forensics
27:36 - Breaking into digital forensics without experience
30:46 - Future of email security and AI's impact
33:47 - About SubRosa and AI security focus

View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/

About Infosec
Infosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Today on Cyber Work, John Price of Sub Rosa joins me to talk about his work in digital forensics, his time with the UK Ministry of Defense counterintelligence, and how he and his team come in after the ransomware attack has happened, the ransom was not paid and the company must quickly move to prevent further downtime, which can be certain death for small businesses and damaging even to the largest organizations. If forensic analysis,

[00:00:24] evidence preparation and being able to help a struggling organization get back on its feet after a cyber attack all sound like interesting jobs to you, then tune in today for this episode of Cyber Work.

[00:00:35] The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top paying industry certifications.

[00:01:02] You can use it to navigate your way to a good paying cybersecurity career. So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.

[00:01:19] Your cyber security journey starts here. Now let's get the show started.


[00:01:29] Welcome to this week's episode of the Cyber Work Podcast. I'm your host, Chris Sienko. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals, as well as leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, John Price, is an experienced information security executive with a demonstrated history of working in the public and private sectors. John is skilled in counterintelligence risk and vendor risk management, information security, program management and project planning. Uh, John is highly business oriented with an affinity towards gaining an understanding of what the client needs and tackling the challenges of meeting those needs in a risk-based, cost-effective manner. Uh, so one of the things we are going to discuss today, uh, is also, uh, John's time, uh, working in digital forensics and, uh, I'm really looking forward to that 'cause our listeners, uh, pretty frequently request, uh, forensics episodes. So, uh, John, thank you for joining me today and welcome to

[00:02:33] Cyber Work. 

[00:02:34] Thank you. Thanks for having me on.

[00:02:36] My pleasure.

[00:02:36] So John, uh, let's start, uh, with a bit about your sort of early years as a, as a tech fanatic. Do you remember what the initial spark was that got you excited about computers and security? Was there an initial draw, maybe a teacher or a family computer or something like that?

[00:02:51] Uh, yeah. Really it was in my kind of late teen years, early twenties. Um, that was when I was definitely immersed in the cybersecurity intelligence side of things, counterintelligence. And I think the natural draw is just really from transitioning out of that world and, um, and always having an affinity towards, uh, computers and enjoying working with computers and exploring that.

[00:03:14] Uh, it, it was a natural transition from the one to the other, I would say. Yeah.

[00:03:19] Did, did you, so just to make sure I'm understanding, you said you were, you were involved in, or, or reading in, uh, counterintelligence when you were in your teens?

[00:03:27] Uh, late teens. So I, I, yeah, I entered that world and, um, through the military, uh, uh, 18 and, and continued on there kind of for the, for six years. Um, so

[00:03:37] it was, uh, something that we were always immersed in, not always something we were directly involved with. Uh, intelligence kind of spans, um, many different domains, but, uh, I had enough exposure by the time I was kind of in my, in my early to mid twenties to know that this was something I was interested in and, and, and kind of enjoyed doing.

[00:03:56] So you started, you, you, you, you got involved with the military pretty early then, it sounds like, or the, or this aspect of things, like in your teens then, is that

[00:04:03] Yes. Yeah. 17. I was, uh, I was in signals and then quickly moved to, uh, to intelligence after kind of realizing that was more what I wanted to do. Yep.

[00:04:11] Okay. And so that was, that was a combination of you were already interested in that, plus you signed up and then they said, okay, you've got this natural affinity. Uh, is that, is that

[00:04:19] Yes. Yeah, that's pretty much what it is, that through aptitude testing and everything, it was, uh, something that they, they recognized and, and then they kind of push you down that, down that path from there.

[00:04:29] Okay. What, what aspects of, uh, uh, counterintelligence were you, were you doing in your, in your early military days then?

[00:04:35] Uh, so my focus was on security of all aspects. So, um, security of military bases, security of personnel that included cyber, um, but also included physical and, uh, and everything else kind of within that realm.

[00:04:48] Mm-hmm.

[00:04:49] Okay. Uh,

[00:04:50] so yeah.

[00:04:50] so like I say, some of our listeners use, uh, our podcast to look at, uh, the work that various IT and cybersecurity roles entail. And so, uh, you have a pretty interesting, um, career, uh, map. As I say, you've, uh, you, you, in the intro you said you, uh, have worked both in private and public sector as well as, uh, military and so forth.

[00:05:08] Can you talk about some of the key roles and key moments that got you where you are today as the founder of Sub Rosa?

[00:05:13] Yeah, absolutely. So, um, I, I would say for anyone looking to get into the industry, definitely don't rule out, um, you know, the, the military as an option. It is a very, uh, robust and quick way to get into, into the, the, the cybersecurity world. Obviously it comes with, uh, some sacrifices that you have to make, um, time and lifestyle.

[00:05:35] But that is really how I started. Um, my, my second role was in the private sector at PNC Bank, um, here in the States. That was kind of after I transitioned from the UK to the US. Um, and, and again, banking is a very good way, um, from a cybersecurity perspective to get exposure to, uh, you know, what really needs to be done, uh, on both the controls, technical, uh, non-technical, as well as the compliance side of things.

[00:06:02] Obviously a heavily regulated industry, so, um, you get a very good all round exposure to how that world might work. And traditionally banks have very big budgets for stuff like this. So you're gonna see, um, you, you're gonna have a, a good opportunity to, uh, to move around a lot in there. Um, and that was really what led me to Sub Rosa was, um, you know, in banking, in, I say in banking, in the cybersecurity side of banking.

[00:06:28] Um, and, and, uh, understanding what some of the challenges were for these big companies and looking at, you know, where they filled gaps with contractors, where they filled gaps with private, with, you know, vendors and things like that. And kind of thinking that was something I would like to, to do. And that's

[00:06:43] kind of what led me to, to founding the company. We didn't specifically target banking as an industry, you know, on founding. But just in general, having that understanding of where the need was, um, helped me to, uh, start the business. Yeah,

[00:06:57] It ki, it kind of explained itself to you along the

[00:06:59] exactly. Yeah.

[00:07:00] So, uh, with, within banking and finance, there's, there's a massive, uh, compliance drive. So everything we do, um, the regulators are aware of. And, uh, being in Cleveland, you know, there is a Federal Reserve here. So we're very, very physically close to them, as well as just kind of in touch every day on what we do.

[00:07:20] So that was something I hadn't experienced before. Um, a lot of the military is doctrine driven, um, in just everything we do, but, um, in finance that, that took some getting used to in terms of the, the process around regulation, around what we can do, what we can't do. And then just in general, I was surprised at how much the regulators know day-to-day about what, um, what we do in, you know, in cybersecurity, in the bank and just in general across the whole organization.

[00:07:49] They, they, it felt like they were very in touch and very in tune. And that was a bit of a culture shock for me. Um. Uh, which might sound weird coming from the military, which is known to be, you know, pretty regimented and, and, uh, disciplined and, um.

[00:08:05] So you had someone looking over your shoulder in terms of the procedures you were implementing or,

[00:08:05] Kind of feeling that, kind of always,

[00:08:11] Yeah. And not necessarily in a bad way, but,

[00:08:13] right?

[00:08:14] you know, especially around my role, which was vendor risk, uh, in, in, in the bank, um, it was a big, uh, became a big thing after the 2008 crash, um, managing vendors.

[00:08:25] So, um, there was a big drive it felt like behind that and, and something that the regulators, at least at the time, were paying very close attention to. Yeah.

[00:08:34] Nice. Uh, okay, so, uh, can you tell us a bit about your role as the head of Subro, uh, uh, Sub Rosa? You know, as I say, uh, uh, you know, a lot of people want to start their own business eventually. What is, what does the actual, uh, job entail of being in charge of this, uh, this organization?

[00:08:51] Um, so I would say I, I definitely moved away from the day-to-day cyber risk cybersecurity side, um, founding it. And you definitely move more into a sales and marketing role, um, at least in the early days where you have to, you know, really get out there, promote the business network, um, to build that client, the clientele.

[00:09:12] Um, I, I think a lot of people who, who like to go into this wanna do both, and some are quite successful at that. I had more of an eye to try and scale the business. So, um, I hired where I could to actually, uh, folks to, to do the work, um, smarter people than me. Um, and then, so my, my focus day to day is on, um, well, number one, our existing customers, making sure they're happy, making sure they're taken care of, and then growing the business, um, with, with new, new customers.

[00:09:39] Um, and then keeping an eye out for new, um. New service offerings, new things that we can offer to add value, um, new skills, things like that, um, that, that maybe our customers haven't thought of or anticipating that demand.

[00:09:53] Yeah. It, it doesn't seem like that that's been, uh, much of a frustration. I know some people who go from the hands-on side to the managerial side, uh, really don't like it 'cause that's not kind of what they got into the game for. But it doesn't seem like that, that that bothers you too much.

[00:10:07] No, I think it, I looked at it as a case of, um, I, I guess march or die, for lack of a better phrase. You have to learn and you have to adapt, otherwise you fall by the wayside. Yeah,

[00:10:19] Wherever I'm needed as well, I suppose.

[00:10:20] exactly. Yeah.

[00:10:21] Yeah. Yeah. So, yeah, I mean, we have a lot of different directions we can travel, uh, because your background is so diverse and so varied. But, uh, one particular thing that I, I really wanted to ask you about that stood out was your experience leading digital forensics and breach response operations, both with Sub Rosa and with your work in the UK military.

[00:10:38] Uh, this is something that our listeners are always asking us. To talk more about because it is such a, a fun and, and sort of cool aspect of cybersecurity. So for starters, can you tell our listeners about some of the type of digital forensics operations you've overseen?

[00:10:51] Um, so yeah, from a, from a forensics perspective, uh, we have dealt mostly with ransomware attacks. Um, I think in, in our time, um, forensics, uh, and that's in Sub Rosa. Different in the military, but in Sub Rosa, yeah, most of the, um, the forensics and investigation type of work that we do would be usually centered around ransomware attacks or, um,

[00:11:13] BEC, business email compromise. Um, those are the two most common things that we see. Um, we have tools that are deployed in place with most of our customers on the email side, so we're able to catch and kind of mitigate that pretty quickly. Um, and, and then with the ransomware, it can become a little bit more, uh, tricky.

[00:11:30] But I would say in terms of attack types, um, those are the two that we deal the most with, um, with our customer base.

[00:11:38] Yeah. Yeah. So, um, what is your digital forensics team like? Are there, do you have multiple people on the team? Do they have certain specialties that they have? I know in, in past guests have talked about having, you know, if you're gonna have a team of, of forensics people that each should kind of have a specialty that, you know, can work across like multiple projects and sort of multiple types of, uh, uh, you know, evidence gathering and so forth.

[00:11:59] Yeah, absolutely. So we have, uh, three people on the team now for, um, forensics. Uh, they are multi-rolled, so they, uh, they kind of work in a number of different domains. Um, and then the, the focus really with them is on, on, um, the investigation side and then kind of the chain of custody side of things as well.

[00:12:20] Um, for us, just with the nature of the sizes of our clients and things like that, we tend not, not to go down the chain of custody route too often. Um, with breaches, we, we are more focused and the demand on us is more on, um, mitigating and, um, and, and kind of recovering after a breach and figuring out what to do next, uh, with our customers.

[00:12:44] If there then is a need to go down the legal route, um, we, we often will, will hand it off to, um, to their legal team or whoever they brought in to handle. You know, liaison with law enforcement and things like that. We are definitely acting more in the frontline of, uh, triage, helping clean up managing evidence and then handing it off to, um, to, to lawyers and folks who kind of handle the rest of that process.

[00:13:13] Is there any kind of standardizing of evidence that you need to do to make it sort of usable? Uh, are, are you, are you kind of basically like translating what you see to the sort of legal team who might, who might take this into a court situation?

[00:13:26] Yes, absolutely. Yeah. And we usually know pretty quickly if this is a situation where it's gonna end up like that. And again, with, with the budgets that our clients have and the sizes of them, we tend not to see it go that way. They're usually about, Hey, let's recover from this. Let's put things in place to prevent it from happening again.

[00:13:41] Um, but I, I mean, and unfortunately I think that's just the nature of, of, of cyber attacks on mid and small businesses is,

[00:13:49] Yeah.

[00:13:49] they're more focused on like getting back up and running as quickly as they can. Um, if an attack is in the six, seven figures of value, then we start to see interest from the FBI and law enforcement.

[00:14:02] Um, but in my experience, um, and, and, you know, take it for what it's worth. The law enforcement tend not to be interested on the smaller attacks. You know, they collect data on it, but you're not gonna see a lot of kind of proactiveness on these smaller cyber attacks. So most of the, of the customers just tend to be focused on like, let's get operations back up and running.

[00:14:22] Um, let's mitigate what we can and let's stop this happening in the future. And that's really where I think we, we add value to our customers.

[00:14:29] Okay. Yeah. Understandable. So, could you kind of walk through, uh, a hypothetical: uh, you get called in on a, on a ransomware attack and you're, and you're doing the mitigating and trying to sort of, uh, recover things and get things back running. What are, what are the steps that you and your team do to make that happen for your client?

[00:14:46] Yeah, so, um, first off, with, with all of our clients who are in this capacity, we will have, we would have a, um, if we are doing any kind of incident response or detection work with them, we'd have a playbook in place for, for that type of cyber attack. So that's gonna be unique to the client in terms of who and who does what in a scenario like that.

[00:15:04] But usually there's some kind of incident response process that's kicked off where we are working with their responsible parties within their organization to figure out what happened. Um, triage the damage done, and then look at, um, backup and recovery procedures. So again, it depends on what, what technologies they have in place to handle something like this.

[00:15:24] Um, but usually we would look at, um, restoration and getting us back to the, the closest point in time that we can from where things were operational for their, on their network, assuming if it's an endpoint or a network compromise, something like that. Um, as a matter of principle, we don't normally recommend, uh, communication with, uh, ransomware attackers, or, uh, you know, paying a ransom.

[00:15:47] But, uh, it depends again on the customer. If there's insurance involved, sometimes, you know, they want to take a different course of action. Um, so, um, that's something that we work with as well. And then we're bringing in the insurance folks, the finance folks and the legal folks in on those conversations, um, to kind of hopefully work in harmony and, and come out with, uh, with a, a next steps.

[00:16:11] That is, uh, um, that's what works for the business. And again, usually the priority is let's get back up and running as quickly as we can. Uh, once we do that, then we're circling back. Um, we're looking at lessons learned. How can we improve the process? How can we improve the detection? How can we stop this from happening again?

[00:16:28] Um, that might involve a procedure change, that might involve a change or an introduction of a different technology to detect or, or handle things like this. Um, I will say 95% of the cases we deal with, it comes in through an email, uh, of some kind, uh, to an employee. So, uh, we're usually looking at the email side, we're usually looking at the training and awareness side and, and any vulnerable areas within the organization.

[00:16:54] 'cause you know, like I said, it's coming in through an employee. It's usually fairly targeted to, to an individual. Um, so that's where the focus is gonna be for stopping that happening in the future.

[00:17:05] So, uh, because you're, you're kind of acting as, as almost more of a consultant rather than being part of the company, I assume any recommendations you make in terms of, you know, changes to be made so that this doesn't happen again are more suggestions than you actually doing the implementation. Right?

[00:17:22] So we, yeah, we would make the recommendations to the company and then, um, and then if they said, yep, that sounds good.

[00:17:28] yeah.

[00:17:29] Usually we would execute on the implementation too. Yeah.

[00:17:32] That's what I

[00:17:33] Yeah.

[00:17:33] Okay.

[00:17:33] It's obviously, it's their decision whether or not. We do it, but most of the time we are that far ingrained in the process already that it's, it's us who would be, uh, would be helping them with that.

[00:17:43] Yeah.

[00:17:44] You're actively getting into their network and saying, okay, uh, we're, we're making all these changes to your email policy, to your access management, all that kind of thing. Uh, you're, you're, you're kind of making all those changes, uh, for them and then sort of showing them what you did, basically.

[00:17:57] Is that right?

[00:17:57] Yeah. Um, so usually if it's a client, especially if we've got detection technologies deployed already, we would have that. Um, capability and, and we would be able to make those changes for them. Yeah.

[00:18:09] Hmm. Okay. Um, so what kind of, uh, sort of skills or backgrounds were you looking for? You said you have three people on your team who do this sort of thing. Uh, what attracted you to, uh, team, team members? I guess, what is it you saw in their background or their qualification? You said, oh yeah, this would, this would be a perfect person for my team.

[00:18:27] So we hire really based on experience. That's what I like to look for. Have they had experience with certain tool sets, potentially, or with certain other organizations? You know, there's a few pretty good ones out there that are bigger and, and better than, than we are at this. So if we can draw people from there, that's always a, a bonus for us.

[00:18:49] Um, and then just, yeah, in general, looking at experience with, working with, um, certain frameworks, depending on the role, or certain tool sets, depending on, um, again, depending on the role, um, is really where, where we would look, and then after that degrees, certifications, things like that. Um, and that's just our style of hiring that's worked for us, um, so far.

[00:19:11] So, um, I can't say that about everybody, but uh, that's definitely kind of how we look, um, when we look for people. Yeah.

[00:19:19] Have you had any particularly unusual cases? I mean, it sounds like a lot of what you do is, uh, an email got in, ransomware was installed. Uh, we're, you know, we're not going to pay the ransom. We're going to stand firm, and then once the damage is done, we're gonna mitigate and sort of, you know, repair it and make sure that doesn't happen again.

[00:19:39] But has, have there been any particularly unusual sort of breaches or compromises, either in your current roles or in the military that, uh, that you're like, oh, people should hear about, about how this happened?

[00:19:50] Um, a good question. I'm trying to think of one. I think, um, what springs to mind is probably, um, what we, we serve a lot of car dealers in the car dealer market, um, uh, 'cause of the FTC compliance stuff. And, uh, what we see on the emails quite commonly is, um, uh, is, is employees or dealerships getting email bombed.

[00:20:13] So, um, essentially it's a very targeted but high volume, uh, email attack. Um, and it, it's, from my perspective, from what we see, it, it, I, I don't think it's anything new in terms of an attack style. Um, on that specific industry, uh, it's been interesting because we've not usually seen that type of attack used before, and it's, uh, it's that it's a shotgun approach.

[00:20:37] So they're casting the net wide, see who they can get, and then, and then go from there. And, and, you know, car dealers especially up until, up until recently have, have really not paid close attention to email security. So it's one that's very effective. Um, and, and something new that we haven't seen in that industry before a whole lot.

[00:20:56] But we keep seeing that one pop up, which is uh, which is interesting. Yeah.

[00:21:00] Yeah. Uh, is, is, is a, is the auto industry or the car dealership industry in kind of sound-the-alarm mode in regards to that? Because I know certainly over here we talk about industrial control systems and, and just the sort of, like, unbelievable swath of, of, you know, people that take care of our water supply and our, our sewage, and all these things have absolutely no security, you know, attached to their legacy systems and so forth. Is, is the, uh, dealer industry feeling a similar, like, Hey guys, we need to do something about this right now? Or is it just gonna be, uh, you know, one attack after another until, you know, a snowball effect makes people sort of change on a fundamental level?

[00:21:39] I think it's gonna be more of the latter. Yeah, I think, um, yeah, I think it's, it's so far been pretty slow to adopt. Um, it is compliance driven, um, which helps, but, uh, we still, we're still reactive in security, uh, across the board. So, yeah. Um, that's, uh, that's I think, unfortunately the way it's gonna be.

[00:21:59] Do you think that point of friction is down more to time, money, or lack of knowledge about having to do it? You know, I, I I guess I'm curious if, if, if, if they knew, would they do it quicker or is it just Oh, that's a lot of work. I don't really wanna take the time. Or is it like, that cost us too much money, we can't, you know, we'll, we'll take our chances.

[00:22:20] I think it's a combination of all three. Yeah. Especially, um, and I'm, you know, not to single out that one industry, but you know, car dealers, you get, you, you have the 30 plus dealership groups who have the budget. They, they have the resources to do this. But you know, I'm really looking at the one or two dealer groups who, um, might not even have full-time IT staff and suddenly they're being told, you have to do all this stuff for cybersecurity and you gotta do it by this date.

[00:22:46] Go figure it out. And, and I understand these guys are like, I just wanna sell cars, you know, we wanna keep things going. And they're in an industry that is,

[00:22:54] didn't get into this to learn

[00:22:55] Yeah, exactly. Yeah.

[00:22:57] right,

[00:22:57] Yeah. Slim margins, very high turnover of people, you know? Um, exactly. And, and now all of a sudden they've got a hundred plus hours of work to do every year in, in it.

[00:23:11] And in security it's, it's a lot to ask. Yeah.

[00:23:14] Yeah. So, uh, you know, a, a, again, it sounds like your, you know, your aspect of sort of breach reporting and forensics is a little different from some of the other guests we've had. But, uh, with regards to, obviously you're doing the mitigating, you're doing the recommendation. How much of what you do involves, uh, writing and reporting and documentation? I know that, uh, past guests talking about digital forensics have said that, like, writing skills are really, really important to the job because you have to do the reports and so forth. Is that, is that similar here? Do you still have to kind of document everything you've done extensively?

[00:23:43] Mm-hmm.

[00:23:45] Um, we have folks on the team who, who are dedicated, um, most of their time to technical writing, I would say. Um, and, and the documentation part of it is, uh, I, I, is critical and I think the biggest reports that we write are ones that involve breaches or incidents of some kind. Um, definitely because, uh, you, not only for, um,

[00:24:08] for, for kind of, you know, lessons learned, but these, these reports sometimes need to be, uh, admissible, um, as, as expert opinions or as, um, as kind of, uh, you know, documentation as to what happened. So yeah, that's, that's one of the things I think that is, um, is fundamental in, in that process and in everything that we do.

[00:24:29] When you're looking for people who are gonna be very heavily in that sort of writing space, in terms of working for you, uh, do, do they need to have some background in, like, court reporting language or tech writing language, or is that something they can kinda learn on the job if they're just a good writer across the board?

[00:24:49] Yeah. So we look more on the tech side than we do on the court writing side. Um, and, and I think the first place we start when, when looking for people like that is, um, past, past writing, right? We all wanna look at, you know, what have you written before? Can we read it and see?

[00:25:04] Mm-hmm.

[00:25:05] Um, that's kind of where we start.

[00:25:06] Um, report writing in any form, I think in cybersecurity is, um, the least favorite thing for anyone to do on, on the consulting side. So it's often the thing that's avoided the most.

[00:25:18] Yeah. And a startlingly large percentage of what you do, it sounds like. I know one, one guest said, like, writing the reports can be like 30% of the overall work in some cases.

[00:25:26] Yep, that's, that's about right. Yeah. Um, so, uh, time management is, is very important as well because you have to be able to do your job and document what you're doing while you're doing it. Um, the idea is, is that, um, we can learn from it or we can in some cases replicate what you're doing. Um, so documentation is, is very, very important in that.

[00:25:49] And I've seen all kinds of creative ways that folks have come up with, uh, automating that process or trying to, and, um,

[00:25:55] ask about

[00:25:56] yeah.

[00:25:57] yeah. I mean,

[00:25:57] Uh.

[00:25:57] What, what are your thoughts? I know that GRC professionals have been saying that AIs and LLMs and, and so forth have been incredibly helpful in, in streamlining the sort of sifting of big data or starting a report, even if you don't let it, like, kick your whole report out, like it's a good sort of beginning point.

[00:26:13] Is that, has that been a, a similar thing, uh, with, uh, with the forensics, uh, uh, roles?

[00:26:17] Uh, I, first, I think so, yeah. I think, um, used in the right way and used securely, LLMs can be hugely helpful for, um, you know, for helping streamline report writing and, and taking some of the burden off of that, which in the end helps the customer as well. Because if, you know, they're, they're paying for a report, and if we can find a way to streamline the production of that report and make it so that it takes us 50% of the time, I'm all for it as, as kind of the, the, the company leader. So, um, absolutely, but as long as they're used securely. LLMs have a tendency to make things up and, um, be insecure in how they do it. So we have to be careful with what and how we use it. But yeah.

[00:26:57] Not to mention the fact that you're, you're putting all of this sort of, like, court data, uh, you know, admissible data into, you know, this open system that can be hacked or, you know, sort of sent out into the ether and so forth. So yeah, that's, that's a lot to worry about. So, uh, uh, one thing I, I, I keep thinking about: you, you mentioned that when you're hiring, obviously you have, you have a fairly elite team, but when you're hiring, you were looking for examples of using certain types of tools, past examples of writing. Uh, for listeners who are trying to break into this type of digital forensics and breach response, how hard is it to do without experience, if you don't have sort of a portfolio? And, do you have any sort of tips for sort of working around, uh, that eternal paradox?

[00:27:36] Yeah, I think, um, I think it's one of, it's certainly, in my opinion, one of the niche areas of cybersecurity to get into. Uh, it's one of the more in-demand areas, but I think it's also one of the harder ones to get to break into. Um, so I, I would say, kind of a, a word of advice is, you know, if that's the end goal, have a, maybe a backup plan or have a, have a path charted out that might not necessarily involve immediately going into that.

[00:28:03] Security operations is a good place to start, really for cybersecurity in general, and that will give exposure to the incident response and recovery side of things. Um, and then being able to kind of specialize from there. Yeah.

[00:28:15] Yeah, yeah. I was gonna say, I, that was gonna be my next question, is that it, it seems like maybe these kind of forensic roles might be the first sort of budget lines that a lot of companies are looking to slash when they're sort of like downsizing their security, uh, you know, security money and so forth. Is that, is that, is that what you're seeing as well?

[00:28:32] Um, yeah, I think so. And if, uh, and if they even invest in it in the first place is something that, um, you know, who is, is a big thing as well. Um, and there's a few really big names out there from consulting who, who handle this. And all they do is incident response. And I think a lot of companies are kind of leaning more towards having it as an outsourced capability rather than, um, something that's in-house, um, as well, uh, is kind of what we're seeing.

[00:28:58] But yeah, I would certainly agree with that.

[00:29:00] So you're ba... So in terms of the, uh, you know, how to get the role without the experience and get the experience without the role, it sounds like your recommendation, and you can correct me if I'm wrong, is to, instead of looking directly to sort of make your mark in the sort of forensics breach response side of things, to start maybe in, in a SOC and sort of learn incident response by sort of going up through that and then seeing if there's kind of like lateral movement, uh, from there. Is that right?

[00:29:27] Yeah, absolutely. I would say, uh, starting something frontline on security operations, that's gonna give you an exposure to the incident response team or that process, and then laterally move from there. And, and in my experience, I've, I've kind of worked in big and small companies, but uh, on the big company side, I certainly saw a lot of opportunity for folks to move laterally within cybersecurity.

[00:29:48] Um, and, and, and within those teams. So, um, yeah. Can't speak for every big company, obviously, but I certainly think that, um, at least in the banking world, there was a lot of, a lot of opportunity for that lateral movement.

[00:30:02] Okay. So as, as we start to wrap up today, um, you know, as, as you were sort of telling me, as you were, of the, uh, the types of, um, attack, you know, attack, uh, attack scenarios that happen, it seems like it's an awful lot of email gets compromised, uh, someone gets access, ransomware is installed. So, you know, I mean, there's every, every attack is, is, is subtly different or whatever, but, like, looking five, 10 years down the road, do you see this still being the sort of like primary thing that we're fighting against? Do you see any kind of, um, um, tech that's happening now that might really, like, change the nature of the way email is, you know, compromised? Security awareness, endpoint protection, anything like that?

[00:30:46] Yeah, I think AI integration, um, is going to massively change the security landscape, I think, um, in, in a couple of different ways. Um, I, on the one hand, sorry, my dog is in the background. Um, on the one hand, I think, um,

[00:31:00] Apologize for a dog in the background.

[00:31:02] Um, on, on the one hand, I think, um, in, in detection and response, AI is gonna be, is going to potentially change the game.

[00:31:10] And we're already seeing it implemented in, in the big tools already. Um, but how we interpret that data and the speed at which we can interpret that data, I think is gonna be, um, is gonna be changed by AI. But then on the flip side of it, as, as companies are injecting and wrapping, uh, software and product into large language models, um, there is, there is a huge area of exposure there, um, for sensitive data that they're overlooking right now.

[00:31:36] Um, we've, as a company, we've just started kind of paying attention to large language model security and what implications that has for our customers. Um, but that is a, an exposure area, especially if you're training models on sensitive data and customer data. Um, it's an area of exposure that otherwise has not been looked at, I don't think, pre-2025 arguably.

[00:31:58] Um, um, so AI on, on both sides, both on the defense and on the offense, is gonna, uh, change the game, I think, in the next 10 years.

[00:32:06] Are there any particular, happening, AI tools happening right now that you think, like, students really, really need to understand, or AI processes, prompts, whatever? Uh, you know, again, we're, we're mostly talking at entry-level people. And you know, I think there's a lot of, I, tools and a lot of noise on the landscape. What do you, what do you like to cut through that? What, what do you think, like, here's one thing that you absolutely need to know, uh, really well about AI to sort of future-proof your skills?

[00:32:34] Uh, the OWASP Top 10, uh, LLM vulnerabilities is where I would look. That's a good baseline start. It was only released, I think, the beginning of this year. So again, this is like tip-of-the-spear type of stuff and, um, and is gonna evolve very quickly, um, in, in the next coming years. Um, yeah.

[00:32:53] Yeah, absolutely. So as, as we wrap up today, uh, tell our listeners more about SubRosa and the, and the, you, you talk a little bit about what you do, but tell, give us, give us the whole deal here.

[00:33:01] Yeah, absolutely. We're a full-suite, um, professional services firm. So, uh, our main focus is on, um, I, I, is both on the proactive and the reactive side. So we do have a full 24/7 SOC, um, that we monitor for our customers. And then, um, outside of that, the services focus is definitely on the penetration testing, um, and, uh, governance, risk and compliance side of things. Um, we are, uh, as I just said, I mean, we are in a big push right now, um, for AI security. We are seeing AI being adopted across our customer base. We're seeing AI being adopted almost everywhere.

[00:33:38] Um, so the large language model security is a major focus for us, um, now and, and will be, uh, continuing into the future. Yep.

[00:33:47] Okay. One last request here. Tell our listeners where to find out more about you, John Price, or SubRosa, or anything you want to promote online.

[00:33:54] Yeah, absolutely. I'm available, um, on, on LinkedIn, uh, on, and our website is, uh, I'm sure we can share that, but subrosacyber.com is the company website.

[00:34:04] Great.

[00:34:04] And then, yeah, I can, um, I don't know if you wanna provide my email address.

[00:34:08] We can do that as well. I'm, I'm always open to questions and communication from folks.

[00:34:12] Sure. Yeah. Our listeners like to, uh, like to use LinkedIn and, and they'll, they'll hit you up with requests and so forth. So, yeah. So it's, uh, subrosacyber.com. Is that...

[00:34:20] Yep, that's right. Yeah. Perfect.

[00:34:22] Perfect. All right, well, uh, yeah, John Price, thank you so much for, uh, for talking with me today. This is a lot of fun.

[00:34:27] Yeah. Thanks for having me on, Chris. Uh.

[00:34:29] And thank you to everyone who watches and listens and writes into the podcast, uh, with feedback about Cyber Work. If you have any topics you'd like us to cover or guests you'd like to see on the show, uh, just comment below, make use of our community tab on YouTube, or go over to our TikTok channel and, and yell at us until we tell, we get the guests that you want. Uh, before we go, don't forget infosecinstitute.com/free. That's a page where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners, including our free Cybersecurity Talent Development Playbook, which contains in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. Uh, also you can look at our free Cybersecurity Salary Guide for the latest data on popular certifications and their related roles. Uh, there's also security awareness posters, eBooks, and you can sign up for 100-plus free courses for a month on our Infosec Skills platform. Learn incident response, forensics, security architecture, and more. One more time, that is infosecinstitute.com/free. And yes, the link is in the description below. One last time, thank you to John Price and SubRosa. And thank you for watching and listening. This is Chris Sienko signing off. Until next time, make sure to learn something new every day, keep one step ahead of the story, and don't forget to have a little fun along the way. Bye for now.
