@sroberts advanced persistent incident responder

Travel OpSec

Last year I was lucky enough to go to the FIRST2015 conference in Berlin. It was a great conference, good talks (including yours truly), and an even better hallway track. I’d never been to Berlin, or Germany in general, and I enjoyed seeing this amazing city a little bit as well.

Traveling to a new country as a security-minded person is always a bit jarring. Even a country as friendly as Germany bears consideration when it comes to laptops, tablets, phones, etc. A conference like FIRST has people coming from all over the place, including people from countries at odds (US, China, Iran, Germany, etc), so those IT security concerns are heightened even further. As a result we ended up having some academic conversations about operational security while traveling internationally (or traveling generally).

The Challenges

Traveling internationally has some unique challenges compared to using IT resources at home.


Running around a new country, one of the first things you’ll notice is that powering your devices can be tricky. Plugs are different, voltages are different, and you may not have the right adapters. A good travel battery can help, but at some point you’ll be hunting for an outlet to grab a charge.


Home is where the wifi is, but when you’re traveling you have to take what you can get. You have to balance security with the need to connect. Random coffeeshop/airplane/hotel wifi are all viable pipes, but under whose control?


You’re in an exotic (or maybe not so exotic) place and you want to get out and see it. Go out to dinner, sightseeing, etc. You’ll want the freedom to do that, and you limit yourself by how much you feel the need to carry.

The Threat

The first question for security should always be “What is the threat?”. If you’re basing your security stance on anything but practical threats then it’s just FUD. While people often exaggerate threats, in this case there seem to be plenty of legitimate concerns.

Seizure at Checkpoints & Evil Maid Style Attacks

Depending on the country, customs seizing devices at checkpoints, either for minutes or days, may happen a little or may happen a lot. But it does happen. A close relative of checkpoint seizure is the evil maid attack, where someone with access (like a cloned keycard) enters your hotel room and accesses your devices while you’re out (Oh, and they might also have cameras + listening devices in your room as well, just in case you fall into a honeypot).

The basic formula of both of these attacks is physical access + time = compromise. Full Disk Encryption helps, but it’s not bulletproof given near infinite computing resources and near infinite time. If your computer leaves your sight at a checkpoint, assume the data is staying.

Dark Hotel Style Attacks

Moving past physical attacks, there are other ways to steal data in hotels. The DarkHotel APT group targets victims by compromising the networks of common traveler destinations such as international hotels and uses that access to infect victims with trojans, pilfering data at its convenience.

Buckshot Yankee & Stuxnet Style USB Attacks + Accidental Syncing

Power seems at most partially related to security, but USB based charging is common for tablets, phones, and even laptops. For certain advanced attack groups USB device attacks are a way to compromise offline devices. Plugging a device into a USB charging dock in an airport or into a new friend’s laptop is an easy way to get an extra 10% power, but risks picking up malware or syncing your mobile device and handing over all the data on it.

Theft & Loss

Simple and boring but no less real, IT resources get lost all the time. Cell phones get left in cabs, laptops get stolen in cafes, all happen, and all pose a risk. It’s hard to stay backed up on the go and it can be extra difficult to recover these devices on foreign soil.

Lastly… The Honeypot

I’m not going into this one, but it happens.

The Plan: Rules for International Travel OpSec

So now that we’re clear on the challenges & threats, at least the big ones, let’s discuss the solutions.

International Travel Rule #1: LEAVE IT AT HOME!!!

I cannot emphasize this enough. If you don’t have it with you it cannot be compromised, the data cannot be stolen, and you don’t have to worry about it. Far and away, leaving it at home is the lowest risk approach. For alternatives where you need to take your laptop see Rule #2, but prepare yourself: These things are a pain. They’re difficult. And they must be.

International Travel Rule #2: Prep It Before You Leave

You actually have to take a laptop? Are you sure? Well if I can’t convince you otherwise at least be cautious. An ounce of prevention is worth a pound of cure, so take some time to get things ready.

Loaners & Alternatives

Loaner laptops are a common approach and are certainly better than taking your usual laptop, but I’m still not crazy about them. While they may limit exposure they have three failings:

  1. To make them useful they still get loaded up with some (if limited) data (the whole thing we want to avoid).
  2. They aren’t inherently harder to compromise than the user’s own laptop.
  3. Since they aren’t the user’s own system, the user is often less careful with it, resulting in risk.

To this end the CrowdStrike team released some of their scripts for setting up an ArchLinux laptop for travel, which looks like a solid solution for setting up loaner laptops.

I’m a far bigger fan of devices like an iPad or Chromebook for travel. They’re easy to wipe & reset, don’t store much data, designed to resist attack, and cheaper than a full laptop.


They’re also both super light and get great battery life. All but the most dedicated road warriors don’t need more than a browser for most travel use anyway.

Patch Everything

Everything… and then double check:

  • Operating System
  • Applications (Focus on the applications you use every day and common vector apps like Adobe Acrobat & Reader, Microsoft Office, Flash, your browser (or just switch to Chrome and update that))
  • Secondary tools (Like Browser plugins)

Don’t forget your “other” devices like phones, Kindles, etc.

Prepare 2FA


You already have two factor authentication turned on everywhere you can, right? Well double check and make sure. TOTP based is great, but YubiKey is becoming even more attractive as services are beginning to support the FIDO/U2F standard. I’m also a big DuoSecurity fan for its great interface, easy integration, and reasonable prices.

Setup a VPN

Setting up your own VPN isn’t that hard and provides a lot of trust and flexibility, even if it comes with some extra effort. While you’re at it take the time to enable DuoSecurity as well.


You could also use a paid VPN provider. The downside is placing your trust in another service, but the upside is it’s easy and often comes with more polish. I like Cloak for its clean design and multi-device support.

Privacy Screen Cover

3M makes some nice privacy screen covers. I have one and it’s great.


Pretty huh? That said I’m still mixed on them. While it does a great job of keeping your words from the person sitting next to you it also draws attention. People wonder what you’re trying to hide which makes it a double edged sword. Avoiding the gold side helps.

USB “Condom”

Charging USB devices off of random USB charging stations or someone else’s laptop is convenient but runs the risk of exposing you to USB transmitted malware or accidental syncing.

USB Condom

A USB condom (sorry for the uncouth term Mom) protects you by breaking the data transfer connections of USB while leaving the power connections intact. That means you can charge your device without inadvertently syncing data or worse.

SyncStop makes a very nice device.

International Travel Rule #3: Be Aware of your Surroundings

I don’t know how to suggest how you do this, but you need to do it. That’s not super helpful, so I’m doing what anyone does, Googling it. I recommend reading this article from Psychology Today on Becoming Aware. If that isn’t ninja enough for you I suppose you may want to read the articles tagged “How To Become Aware of Your Surroundings” from the WayOfNinja but I don’t recommend it.

International Travel Rule #4: Carry Your Devices with you At All Times

I told you this would be a pain. This basically goes directly against the mobility concept we started out with, but it turns out it’s highly important. Two of the threat types we discussed require physical access and the way to be sure is to have them with you at all times.

That doesn’t mean except for dinner. That doesn’t mean unless you want to go for a walk. Always. I recommend getting a bag you find comfortable for long periods of time and the lightest devices possible (or, you know, just leave it at home like I suggested in the first place). Which devices do you need to carry? My rule of thumb: if it has a USB port or network access you can’t leave it.

Note: This doesn’t make physical attacks impossible, it just makes it impossible for you to not be aware. You’re not a SERE school grad (unless you are in which case good for you) and if someone wants to take your devices they will. At least you’ll be aware and able to tell your security team what happened.

International Travel Rule #5: Keep Things Turned Off & Logged Out

Once you rule out physical access, the remaining attack vectors are Wifi, Bluetooth, etc., so keep those radios off (and stay logged out) whenever you aren’t actively using them. It’s inconvenient but it works wonders; otherwise you may find yourself randomly connecting to unknown Bluetooth devices or wireless networks. This goes double for borders.

Extreme Hardening

So let’s say for some reason you really, actually, insistently must take a full on laptop to a foreign country. To make matters worse it’s a country that’s passive-aggressively hostile towards your own. Well in that case you’ll want to do some serious system hardening. Your goal is to remove as much attack surface as possible and beef up the things you must have exposed. I mostly use OSX, so here are a couple of the better hardening guidelines for Macbooks:

There’s also this lock-down tool by the always awesome Scott Piper:

I haven’t used Windows for years, but I know EMET is pretty great (I’d love to see an EMET-like kit for OSX) and Microsoft has invested a lot into making Windows 8 & 10 hard targets. For anything else I’d take a look at DISA’s Security Technical Implementation Guides or the NSA/CSS Security Configuration Guides for Operating Systems.


This is far from a comprehensive guide to safe traveling. The world is a dangerous place. Hopefully though this gives you some ideas on how to level up your IT security while traveling. The world is an amazing place, I’ve been lucky to see as much of it as I have and I can’t wait to see more, but a little consideration goes a long way.

And one last time: Just leave your laptop at home. You’ll be fine. And you might experience something amazing.

If you want to go further I recommend reading Jeffrey Carr’s A Traveler’s Guide to Cyber Security.

A Year Later - 2016 Goals


While I’m not much for New Year’s Resolutions (though I do love fireworks), last year I shared some professional goals. I even advocated accountability. I figure I should share how I did.

Professional Goals

| # | Goal | Notes |
|---|------|-------|
| 1 | Read one technical book a month | I think I read about 6? We had a fun little reading group that lasted until summer. |
| 2 | Blog at least once a week | I was doing well until June. I have an excuse, but I’ll share that another time. |
| 3 | Learn a System Programming Language | Push? I spent a lot of time with Go and like it, but I never built anything. Not sure that counts. |

Personal Goals

| # | Goal | Notes |
|---|------|-------|
| 1 | Read 12 Cooking Books | I didn’t read 12. I read two (1 & 2) but both were great. I cook a lot more and I’m happier for it. |
| 2 | Complete C25k | Push. I hate running. Still hate running. But I got a bike and I love that. Maybe more of a . |
| 3 | Get a dog | No push. His name is Kilo. He’s a pain but he’s mine, so I love him. He gets me. |


Not great. Not terrible… but not great. I accomplished a lot of what I was hoping for. I learned a ton, both expanding things I already knew and things I had no idea about. I’m healthier and I have a pretty awesome dog. Overall I’d count 2015 a win!

2016 Goals

I’m keeping it simpler, focusing on creating habits. These are things I want to do every day:

  • Chess: I’m not great at chess but I’d like to get better. Playing seems the best way.
  • Code: Pleasure or professional, either way. Since the first it’s been a lot of hacking on Brian Warehime’s excellent Threat_Note.
  • Cook: Cooking has been good for me and I want to keep it up. Blue Apron has been helpful (not to mention tasty).
  • Exercise: Biking or walking the dog.
  • Read: Pleasure or professional, either way (again!).
  • Write: Blog or another project but the more I write the better.

These goals for 2016 are a lot more flexible. They’re all things I do but not yet the habits I’d like them to be. I’ve been using the Momentum app to keep track and I find it’s a great balance. In the 10 days since I started I’ve written and coded for 10 days in a row, played chess for 9, read and exercised for 3, and cooking has been the hardest with 2 days.

Momentum Screenshot

My Momentum for Mac as of Jan 14

If you’re interested in suggesting things to read, write, cook, code or want to play some chess let me know. Now I’m going to go check off my writing for today!

Introduction to DFIR

One of my favorite things is talking to students and people new to the security field. It feels like yesterday I was wandering around the first Shmoocon as a student in awe of the people I met and the work they were doing. Now I’m 10 years into my career and have a whole different perspective (though still in awe with those folks). Starting a career in infosec isn’t easy and while there are better general introductions I wanted to add my perspective on getting started in Digital Forensics and Incident Response (DFIR).

What is DFIR anyway?

Digital Forensics & Incident Response is a multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, and kinds of targets. We’ll discuss those more below.

First though, let’s start with a core question: Do you want to do DFIR? You’ll need the following traits (not all, but at least a majority of them):

  • Curiosity: It’s always about what you don’t know.
  • Attention to Detail: You never know what bit of data makes the difference.
  • A Need for Variety: One day it’s logs, the next it’s packets, then memory.
  • Working with People: There’s always an attacker and a victim.
  • An Affinity for Stress: You don’t have to like it, but you must handle it.
  • The Taste for Blood: Great DFIR engineers want to win and hate to lose.

Want to know more about what DFIR looks like? I recommend reading The Cuckoo’s Egg by Clifford Stoll. If that gets you excited journey on!

DFIR is a broad field, so here are some of the basics you should know as an introduction to DFIR and where to learn more. Over the coming days I’m going to post about various topics in DFIR (more below) and, since people learn differently, I will provide different types of resources. Each topic will have:

  • A video: For an easy broad introduction.
  • A link: To a site focused on that topic.
  • A tool: If you’re going to know one tool, this is the one.
  • A book: To go deep into a subject you’ll have a comprehensive resource.
  • A person: An expert in each subject who you’ll want to learn from.

Let’s get started.

DFIR Skills

DFIR is a mix of technical and soft (people & process) skills. Since DFIR is a skill unto itself, we’ll start with some general resources then get into specifics.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Threat Analysis of Complex Attacks | From SANS DFIR Summit in 2015. Shows the variety of skills across IR analyzing an interesting attack. |
| Link | Journey into Incident Response | Corey is a veteran incident responder who shares tons of resources big and small on his blog. |
| Tool | Redline & OSXCollector | Live response tools, Windows and OSX respectively. Try them out on your own systems. |
| Book | Digital Forensics and Incident Response 3rd Edition | The name is a giveaway, but it’s a legitimately great book that covers the breadth of IR. |
| Person | @jackcr - Jack Crook | Jack’s Twitter feed is a letter to new analysts. Easy things to learn and hard truths in the same breath. Every DFIR should read it. Honorable mention to @hacks4pancakes. |

Technical Skills

The first category of skills that I split DFIR into is technical skills. These are hands on keyboard skills focused on levels of an investigation.

File System Forensics

When people think of the DF in DFIR most think of filesystem forensics; ripping hard drives out of machines and analyzing them for compromise. This has evolved in the last 5 years to remote/enterprise forensics. Instead of removing hard drives analysts use software agents on every machine to analyze the file system.

| Type | Resource | Notes |
|------|----------|-------|
| Video | DFIR using SIFT Workstation | SIFT Workstation is a forensics environment created by SANS and is a great place for both new and experienced analysts. The speaker is Rob Lee. Nuff said. |
| Link | Hacking Exposed: Computer Forensics | To call David Cowen prolific is an undersell. His blog, book, Twitter, & podcast are all can’t miss. Not to mention a darn nice guy. |
| Tool | TSK/Autopsy | The default mature, open source solution. |
| Book | Digital Forensics with Open Source Tools | I’m always partial to open source and this shows how much you can do without spending a dime on Encase. |
| Person | @iamevltwin - Sarah Edwards | If you’re looking for Mac forensics you want Sarah. Her Mac4n6 site is the go-to source for Mac and her Twitter is full of great info. |

Memory Forensics

Disk forensics is a mature capability and many organizations have gotten quite good at analyzing systems for compromise. As a result the attackers have moved, using techniques that emphasize using volatile storage, aka memory. Things like memory resident malware can’t be detected on disk, so DFIRs had to move to analyzing memory itself.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Memory Forensics for Incident Response | I’m not big into memory forensics, so I learned a lot from this SANS DFIR Webcast. I think it’s a solid starting resource. |
| Link | Volatility Labs | If you’re doing memory analysis with Volatility (and it’s where I’d start) you want the Volatility blog. |
| Tool | Volatility | The de facto standard. Also look at Google’s Rekall. |
| Book | The Art Of Memory Forensics | A 4.6 rating on GoodReads and the recommendation of all the memory analysis folks I know is enough for me. |
| Person | @attrc - Andrew Case | I hear he’s taken a course on Memory Forensics. And was a core Volatility dev. And wrote the Art of Memory Forensics. |

Network Forensics

Between malware analysis, memory forensics, & disk forensics we’ve got analyzing hosts covered, but almost all incidents involve considerable network activity as well. Infections start as email or web browsing, malware beacons home, then exfiltrates data, all of which require understanding how to analyze network captures.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Network Forensics: What Are Your Investigations Missing | Phil Hagen wrote the book… er… course on advanced Network Forensics, but this introduction is pretty awesome. This is a great overview of what you can do with Network Forensics. |
| Link | Pcapr | The toughest thing with learning network forensics is having interesting pcaps to look at. This collection has some of everything, from DDoS to Malware. Just what the doctor ordered. |
| Tool | Wireshark | The de facto tool for ripping apart packets is Wireshark. Learn more about it here. |
| Book | The Tao of Network Security Monitoring | I think every Network Analysis type I know cut their teeth with Tao. Somewhat dated now, but the seminal work on the topic. |
| Person | @Hectaman - Liam Randall | Doing some amazing stuff with the Bro network intrusion detection system. |

Addition: @Richard Bejtlich & @Chris Sanders both reached out to me suggesting I look at Richard’s newer book: The Practice of Network Security Monitoring: Understanding Incident Detection and Response. Chris also mentioned his book: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. I mentioned Tao since it was the book I cut my teeth on, but these gentlemen are correct; these are better modern options. Both are on my reading list now.

Note: This is becoming increasingly difficult as encryption becomes more widely deployed. Finding ways to handle/work around data you can’t always read is vital and one of the key reasons we also focus on the host.

Malware Triage

This is one where people will disagree with me. I don’t think every DFIR needs to be a knee-deep-in-assembly reverse engineer. Reverse Engineering is hard, one of the hardest skillsets out there, and isn’t always 100% necessary (though often very useful). That said, the ability to gather data from malware at a high level is essential and a set of skills every DFIR should have.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Lenny Zeltser’s Introduction to Malware Analysis | There are only a handful of speakers I will always take the chance to hear. Lenny is one of them. I learn something every single time. |
| Link | Malwr | So this is actually a tool which analyzes malware by running it, but it’s also a great place to experiment and learn. |
| Tool | Yara | It’s basically AV you control. Also check out this intro video. |
| Book | Practical Malware Analysis | Easily the best book I’ve read for getting stronger in RE, this takes a very real world approach. |
| Person | @lennyzeltser - Lenny Zeltser | There are tons of amazing malware analysts. Lenny is the best teacher of them all. |

Log Analysis

Log analysis is actually the technical skill we talk about the least, but end up doing the most. SIEMs were supposed to keep us from needing to do this, but most of the better DFIRs I know still spend a considerable amount of their time dug into a logging console. Logs can be analyzed system by system, but the real power shows up when you search logs at enterprise scale. It’s tool driven, but the skills are the same for most of them.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Incident Response Event Log Analysis | There aren’t a lot of great log centric resources out there. This was the best video I could find. Someone should fix this. |
| Link | Enterprise Detection & Response | David’s blog is log centric, but focused on all of IR. It’s been the source of some of the bigger ideas in IR. A must read. |
| Tool | ElasticSearch + Logstash + Kibana | You could pay for Splunk, but how would you save for that mega yacht you’ve always wanted? ELK gives you most of the log hunting goodness with none of the price. |
| Book | Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management | I’ll be honest, I haven’t read this book, but it’s the first one I would read. In fact it’s on my list. |
| Person | @DavidJBianco - David J. Bianco | He coined the idea of Hunting. The Pyramid of Pain. And he’s a really nice guy. |

Intelligence Analysis

I already talk a lot about Threat Intelligence (1, 2, 3, 4). It’s a complicated and nuanced subject but its impact is undeniable. Being able to effectively use these structured approaches to enhancing data (no, that CSV file you downloaded isn’t intelligence) can make teams faster and more precise.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Cyber Intelligence: Concrete Analysis in a Fluid World | I found this while researching this post. Good overview by Coleman Kane. |
| Link | Christian: A Quick Look at A Likely NewPOSThings Sample | Starting with a simple hash this intel analysis goes deep into the infrastructure of a POS malware tool. |
| Tool | Maltego | Intelligence isn’t about tools, but tools are really helpful. Having a graphing tool makes bringing multiple datasets together really powerful. Given Palantir is $$$ my go-to is Maltego. |
| Book | Structured Analytic Techniques For Intelligence Analysis | This is one of the heaviest books I recommend, and I’m only part way through, but it’s changed my approach. |
| Person | @CYINT_dude - CYINT_dude | I don’t honestly know who this is, but I love basically all their tweets. Does a really great job tying cyber actions to real life impacts. |

Addition: @y0m reached out to recommend adding the Psychology of Intelligence by Richard J Heuer Jr. I couldn’t agree more. Actually the CIA Center for Intelligence Studies is full of great resources.

Attacker Methodology

Blah blah blah Sun-Tzu is over-quoted, but the guy had a few good points. Knowing what your enemy does and how they do it, even in broad generalities, is incredibly useful. It’s key to take the time to know what’s easy, what’s hard, and what’s impossible.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Defcon 18: Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S. by Charlie Miller | The best comprehensive introduction to what global exploitation looks like. |
| Link | PassiveTotal Learn | PassiveTotal is an amazing malicious infrastructure analysis tool. Their Learn site is all about understanding attacker infrastructure. |
| Tool | Metasploit Framework | People are right when they say computer network attack isn’t like you see in movies, but MSF is as close as it gets. |
| Book | Hacking: The Art of Exploitation 2nd Edition | This formed the basis of my understanding of binary exploitation, though one book is only a start to this huge topic. |
| Person | @RobertMLee - Robert M Lee | I know, another Rob Lee right? But they’re both worth listening to. Rob tweets about attacker activity, especially around ICS. His cartoon is fun too. |


One of the key things I believe in is the need for more security people of all stripes to be better developers. Technology changes quickly, the companies we defend move quickly, and if you’re waiting for a company or open source project to build the tool you need you’ll always be behind. The fact is the best DFIRs I’ve worked with are able to create their own solutions and even if it’s just basic scripting being able to code is a game changer.

| Type | Resource | Notes |
|------|----------|-------|
| Video | Write your own tools with python | Nicolle’s high level introduction to Python is a whirlwind, but excellent for getting started, especially if you have some programming background. |
| Link | CodeAcademy: Learn Python | If you want hands on, this is the place to learn Python. You’ll be writing real code in minutes. |
| Tool | Python | People will argue, but it’s my go-to. Also look at Go. |
| Book | Grey Hat Python | I didn’t love this book, too penetration testing heavy for me, but it got the key points across. |
| Person | @pidydx - Sean Gillespie | A passionate DFIR+Developer and one of the major non-Google GRR developers. |

Aside: I realize I’ve been incredibly Python heavy. I know (and in fact personally use) other languages that are useful for DFIR. Python is simply, in my opinion, the easiest to get started and be effective with. If you have experience with something else absolutely start there. Focus on text manipulation, basic networking, accessing APIs using REST, and basic system management.

Soft Skills

I think soft skills get overlooked in the DFIR world. We focus so deeply on esoteric system minutiae that we don’t realize we lack the ability to make it relevant to others or, in some cases, even to protect ourselves. These skills are important as they enable every one of the technical skills. The other fact is these are topics the DFIR world doesn’t talk a lot about. We focus on bits and bytes but we need to put more effort into the In Real Life aspects of DFIR. I’m going to discuss a little about each of these, but honestly they all deserve posts of their own.

Investigation Process & Analysis

My schooling with regard to investigative process came at the hands of a Marine counterintelligence sergeant and a former Atlanta police officer turned disk forensics manager. I wish I could bottle up all they taught me and sell it. The combination was incredible. I learned how to question my own biases, structure data, test theories, gather information from others, even a little about how to entice further information from the bad guys themselves. It was an amazing education.

Sadly I don’t have good resources yet to teach that. I’ll work on that.

Operational Security

Being a DFIR, or security researcher of any kind, is dangerous.

Yeah, literally dangerous. Like kidnapped, getting shot dangerous. If you live in a country like the US or somewhere in Western Europe those are a lot less common. Getting compromised yourself, by criminals or an intelligence agency, can still happen anywhere. Being able to protect yourself and operate securely is critical, even above and beyond what we recommend for those we protect. Patching and being smart about what you click and where you visit are just the start, especially when DFIRs often deliberately download malware and visit the sketchy parts of the Internet. Encryption, limiting your surface area, VPNs, etc are all necessary.


A good incident response doesn’t stay inside the IR team. Communication to victims. Communication to management. Communication to customers. Communication to 3rd party peers. Even communication with law enforcement. I’ve talked about this before but I think it could do with a more comprehensive treatment.

Working in a Team

DFIR is a team sport. We work in groups (more on that later) under very high stress situations where details matter and actions make a difference. Being able to delegate, be delegated to, sharing, coordinating, and doing so effectively in a time crunch is a big deal.

Gaining Experience

One of the most important pieces to being a great DFIR is experience. Learning is great, reading and studying teaches a lot, but nothing teaches quite as much as actually doing it. There are elements of incident response that can be done at home; malware analysis is a good example. But some things, anything at scale, can only be done in the real world, working actual incidents. For this, growing DFIRs need to be places where there are incidents. There are two options: work for organizations actively under attack or work for a company that consults for companies under constant attack. I cut my teeth at Symantec and Mandiant, but I’d also recommend the Big 4 consulting firms or other IR boutiques like Optiv or Stroz Friedberg. For companies under attack… well that’s almost everyone, but the Defense Industrial Base, financial, and the Fortune 100 are good candidates.

T Shaped People

The last thing we’ll talk about is one way to think about understanding skills as a DFIR. The lists above cover the broad range of skills DFIRs have. Is everyone a master of all these skills? Not at all (Ok, I know one person who might be but that’s a total anomaly). Most DFIRs specialize in a few aspects and have less knowledge in others.

T-Shaped People

This makes most DFIRs T-Shaped People (see the T above now?), who have deep skills in specific areas and more limited skills in others. I’ve talked before about how I’m confident in some of my skills and less so in others. One of the things that makes DFIR different than many other professions is that most DFIRs are jack-of-all-trades types. I’m not excellent at malware analysis, but I can do a little bit. At the same time I’m better at Network Forensics than most.

Why is this important? Two key reasons:

  • Not everyone needs to have the same skills. It’s ok to have an affinity for one skill and struggle a bit more with another.
  • DFIR teams must focus on complementary skills. If you have a team strong in memory forensics perhaps you want your next hire to be a strong malware analyst. No one person can be an expert in everything, but your team should have strength across the board.


Is that all? Not in the least. There are plenty of other aspects and skills a good DFIR analyst will need. The entire field is all about learning and constantly growing. Last year’s nation-state technique is in every exploit kit out there. The forensics tool that used to be the best way to do things is replaced by a brand new open source tool.

Honorable Mentions

Crisis Communications for IR (The Preso!)

In September I wrote about Crisis Communications in Incident Response and after some great feedback I expanded it and built a presentation. I gave this presentation in June at FIRST and today (July 8th) at SANS DFIR Summit. Both were great events and I highly recommend them.

My Slides

I’m going to actually do a post soon (I hope) on building security presentations. In case you’re curious I built this deck using Deckset. Here’s the Gist of my presentation markdown (with speaker notes).

This includes the important links and other references in the presentation, including the quotes. See above for speaker notes.

I may have more opportunities to give this in the future, but I hope the post, deck, and notes will help others improving their crisis communications plans.

FIRST 2015

I’m lucky enough to get to go to FIRST 2015 in Berlin. I’ll be speaking on Tuesday afternoon, but one of the best things about conferences like this is being able to attend other sessions. I’ve never been to FIRST before, and this year looks jam packed. Here are the talks I’m most excited about, and where you’ll be likely to find me.

Monday June 15:

Time | Talk | Author | My Thoughts
11:00 | Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP | Mr. Andras IKLODY (CIRCL) | MISP is one of the bigger open source threat intelligence platforms (along with CRITs). I’m pretty familiar with CRITs, but I’m curious to see what a mature MISP can do.
13:00 | 3J4E - JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience | Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI) | I’m really interested in writing better table top exercises. This seems like a dramatically different approach.
14:00 | So You Want a Threat Intelligence* Function (*But Were Afraid to Ask) | Mr. Gavin REID (Lancope) | This sounds along the lines of a talk that Kyle Maxwell and I put together for BlackHat USA (but unfortunately didn’t get accepted). I’ve thought a lot about how to build useful directed Threat Intelligence, so I’m super curious.
16:00 | Incident Response Programming with R | Mr. Eric ZIELINSKI (Nationwide) | I don’t write R, and I’m not sure I ever will, but better data analysis is super important for better incident response. Also Nationwide is from my current hometown, so I’m happy to support the local guy.

This is going to be a full day, which is a great thing for me. Lots of great talks, a wide variety of topics. Should be fun.

Tuesday June 16:

Time | Talk | Author | My Thoughts
12:45 (conflict) | When Business Process and Incident Response Collide: The Fine-Tuning of the IR Program | Ms. Reneaue RAILTON (Duke Medicine) | Far too often people forget that security is a business enabler, and as such it has to work to support the business, sometimes even at the expense of security. It’s great to see someone taking on this often overlooked topic.
12:45 (conflict) | Overview of South Korea Target Malwares | Mrs. Dongeun LEE (KRCERT/CC, KISA) | South Korea ends up having a similar threat profile (that’s a big generalization) to the US. I’m curious to hear Mrs. Lee’s experience.
15:45 (conflict) | DSMS: Automating Decision Support and Monitoring Workflow for Incident Response | Mr. Chris HORSLEY (CSIRT Foundry), Mr. SC LEUNG (HKCERT) | This talk conflicts with my own… but that doesn’t make me any less interested. Decision making systems are huge for many industries, and I like anything that brings rigor to IR.
15:45 (conflict) | Crisis Communication for Incident Response | Mr. Scott ROBERTS (GitHub) | Yeah… this is my talk, so I’m partial, but honestly I couldn’t blame anyone for going to hear the DSMS talk instead. That said, I think it’ll be a fun discussion.

Four talks and I can only make it to two of them… and one of those not by choice. Oh well, it’ll leave me time for one last run through of my talk.

Wednesday June 17:

Time | Talk | Author | My Thoughts
10:30 | Maximizing value of your Threat Intelligence for Security Incident Response | Mr. Allan THOMSON & Mr. Jonathan TOMEK (Lookingglass Cyber Solutions) | I hate vendor talks. That said, anything about applying Threat Intelligence to IR, instead of pretending they’re unrelated, is worth going to see, provided it isn’t just a glorified sales pitch.
13:30 | Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling Indicators | Mr. Alexandre PINTO (Niddel) & Mr. Alexandre SIEIRA (Niddel) | I know the Niddel team personally, and I’ve talked with them at length about their technologies and methodologies. They’re awesome.
15:00 | How We Saved the Death Star and Impressed Darth Vader | Mr. Matthew VALITES & Mr. Jeff BOLLINGER (Cisco CSIRT) | I haven’t even read the description yet, but it’s Star Wars so I’m interested. Give me a second. Ok, it could get vendory, but it sounds like a great topic and a fun tongue-in-cheek approach.
16:00 | Validating and Improving Threat Intelligence Indicators | Mr. Douglas WILSON (FireEye) | I’ve never actually met him, but I know from reputation Doug Wilson is a smart, smart dude. Super interested to hear what he has to say on this.

A very Threat Intelligence centric day, but with a lot of variety.

Thursday June 18:

Time | Talk | Author | My Thoughts
10:30 (conflict) | Protecting Privacy through Incident Response | Mr. Andrew CORMACK (Jisc) | Doing incident response while respecting the privacy of those involved is hard. At GitHub it’s super important to us, both in terms of clients and our own employees. Anything to learn about this topic is interesting.
10:30 (conflict) | Building Community Playbooks for Malware Eradication | Mr. Christian SEIFERT (Microsoft) | Microsoft has shown the industry that big botnet takedowns are a team sport. They have a unique perspective on this problem, and I bet it’ll be fascinating.
13:00 | Effective Team Leadership and Process Improvement For Network Security Operators | Mr. Jeremy SPARKS (United States Air Force) | While I’m tired of stunt hacking and 0days (especially at conferences that claim they want to focus more on defense), understanding how operators think is hugely relevant to defenses, so I’ll likely be at this talk.
14:00 | Unifying Incident Response Teams Via Multilateral Cyber Exercise for Mitigating Cross Border Incidents: Malaysia CERT Case Study | Mrs. Sharifah Roziah MOHD KASSIM (MyCERT, CyberSecurity Malaysia) | While I’ve focused on how to build small, incident response team sized exercises, it’s interesting to think about how that scales. Even more to think about how it scales to multiple governments.

One conflict, but a great IR-focused day (just like Wednesday will be very Threat Intelligence-focused). I expect I’ll be hitting conference lag a bit, but these talks (and a lot of coffee) will get me through the day.

Friday, June 19:

Time | Talk | Author | My Thoughts
10:15 | Sector Based Cyber Security Drills - Lessons Learnt | Mr. Malagoda Pathiranage DILEEPA LATHSARA (TechCERT) | Is there an echo in here? More approaches to scenario based exercises.
11:15 | Discovering Patterns of Activity in Unstructured Incident Reports at Large Scale | Dr. Bronwyn WOODS (CERT Program, SEI, CMU), THOMAS MILLAR (US-CERT), Mr. Sam J. PERL (CERT CC) | Ok, this one is fascinating. I have a ton of structured data around threats, and a ton of unstructured data, but finding ways to tie them together is hard.

A nice way to round out the conference before heading home.

One of the things I always pay attention to when reviewing a conference schedule is the big trends. This year I saw these three:

  • Machine Learning
  • Threat Intelligence & Sharing
  • Exercises

All of these make sense, and definitely fit the current themes of IR.

That’s my take on FIRST. Catch me in one of those talks, or find me around Berlin if you’ll be there. While talks are great, the chance to meet and discuss is just as interesting to me. Bis nachher! (See you later!)