Tuesday, April 18, 2023

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

Successful Threat Hunting


I received a very prestigious award this past week at work, arguably one of the biggest my company doles out. Since the fanfare and graphics were internal only and labeled as “Confidential”, I wanted to take a moment to share with you one of the big reasons why I believe, I received that award.


The title graphic used in this post is from an upcoming (and recurring) FREE class taught by Chris Brenton over at Active Counter Measures (a John Strand/Black Hills Information Security company). The first SANS class I ever took was back in 2007 and taught by Mr. Brenton, it was called “SANS SEC502 Perimeter Protection In-Depth"...back in the day, when I scanned the cert, I don’t even think I had a color scanner LOL! cert So how does all this tie into my award? On April 4, 2020 when so many of us were on lockdown due to COVID-19, Active Counter Measures offered their first free Threat Hunting course, taught by none other than Chris Brenton. Back then, it was a 4-hour class, which I took, and was blown away. Chris has since taught that course a total of 14 times, and I have taken it, as many. Several times after taking that class, I turned right around and used said new-found knowledge in my own threat hunting. I remember a couple of times after reviewing my notes the next day, I had a question which I put into the Active Counter Measures Discord server and Chris got right back to me. Folks, who does this, and for FREE?! Who consistently takes an entire Saturday to teach a 6-hour class for nothing! Seriously, what a gift to our community! I encourage everyone reading this to take the next class on Saturday, April 22nd, 2023 from 11 AM to 5 PM (ET). You won't regret it, and trust me, fun fact...you might just find yourself emerging from a rabbit hole, clutching a very, very real, and shiny object!

Sunday, January 29, 2023

Honoring Mentoring Month

If you are new to InfoSec or trying to break into CyberSecurity, this post is dedicated to you. I have revamped my DFIRLinks Website and added a whole new row of resources for newcomers or those seeking a new role. You may be wondering why, right next to “InfoSec101”, there’s a link to “Leadership” resources. Here’s why. Many of you are just trying to get your foot in the door, but if you study the materials listed in my blog, I’m confident that you will...and it might not be long until you find yourself with an opportunity to move up from your entry-level role. Additionally, I’m a firm believer that leadership skills can help you gain that chance to move ahead. Just because your job title doesn’t have, “Manager, Director, or Team Lead” in it, certainly doesn’t mean you can’t exhibit leadership qualities.

It’s never too soon to begin building “Servant Leadership” qualities. Those traits can help you with more than just your career, they can guide you to becoming a better parent, friend, spouse, sibling, child, and so much more. Being a servant leader is far more than being just a manager, so I’ve listed some resources that I hope will inspire you.

But building your character can be hard work. It can mean things like evaluating how we apologize to people. For example, there’s a way to say, “I’m sorry” which can completely absolve yourself of any responsibility for your deeds, and then there’s a way to take ownership of your words/actions, spell them out, and truly apologize in a very specific manner.

What I’m equally advocating for you, is that you land that first gig, and then once you do, you won’t want to stop learning and trying to better yourself. So, while this post is hitting the tail-end of Mentoring Month (January), I hope you will still find it useful.

Monday, October 3, 2022

Hedge Funds: A Unique CyberSecurity Posture


Hedge Funds: A Unique Cyber Security Landscape?

I was recently asked to join a Hedge Fund Association panel to discuss the unique Cyber Security challenges that keep Hedge Fund managers up at night. Although the Citrin Cooperman event had to be postponed, I put together the following article based on my research leading-up to my appearance at the event.

"Hedge Funds...they're so risky!" Have you ever heard that said? I sure have, but it was strictly meant in terms of ROI, like “Two and Twenty”, but not cyber security. In terms of cyber security, what is the risk for a hedge fund, and what does that threat landscape look like?

While I find myself every day at the coalface of real-time cyber security threats toward financial institutions, hedge funds are sort of their own unique snowflake. Similar to a wealth management firm, they don't have brick and mortar tellers, debit cards, ATMs, or even physical vaults. That being said, they still face the standard cyber related threats that a major financial institution has to mitigate, but what I believe is quite different, is the vector.

For example, Regulatory Compliance is super important to the financial sector, but for a Hedge Fund it’s arguably hard to track. Think about MNPI for a second, let’s say you run a small hedge fund and you overhear a conversation at a bar that Broadcom is planning to buy VMWare. The next day, you throw a ton of money into VMWare, but if you are questioned by FINRA or the SEC, you probably won’t have any background research or recent published reports about the two companies, and if you were to take a selfie at that point, you just might have some egg on your face. Which is a great segue into Regulatory Tech and monitoring traders.

Monitored trading at a hedge fund is important for a lot of reasons, such as the threat of intellectual property theft like trading algorithms or M&A information being stolen, however one of the misnomers around monitoring is the term “Insider Threat”. Often in cyber security that term is meant to refer to a trusted insider with a very high level of access whom has become disgruntled, however with regards to a hedge fund, it is equally important to monitor for reasons like an honest mistake such as forgetting about a political contribution. In Real Estate, it is often said, “Location, Location, Location” but in terms of a hedge fund, it’s “Monitor, Monitor, Monitor”.

BEC is everywhere, just ask Ronnie Tokazowski, but the stakes are much higher for a hedge fund. Hedge funds are often known for their rock-star leader(s), and so the risk against disruption or extortion is far greater, and VIP protection is likely top of mind. These leaders are highly targeted due to the perception that they’d pay to reduce any downtime. Spearfishing is very high on the list of threats against hedge funds.

Wire Fraud is another biggie - Account Takeover where stolen PII might be used to impersonate and commit fraud is much riskier for a hedge fund because the stakes are higher.

Hedge funds are also in a much higher risk category for supply chain attacks. Aside from the handful of exceptions, an average hedge fund’s technical staff is made up of a CTO and 1-3 sys-admins, max. So, let’s say at one of these smaller funds, you have a trader who relies on open-source software. They might have some knowledge of “R” or Python, but they aren’t necessarily trained in security. For example, do they understand what all of their libraries are doing within the code they’re writing? Are they aware which ones might be external-facing? And are they making sure their S3 buckets aren’t open?

In some of those smaller shops, who’s monitoring for patches and updates? It can sometimes be three months before a CVE gets published, but the delta on patch management can even be greater than that when you have just one person managing all of that. And what about Vulnerability management. Large financial firms have entire departments of people dedicated to mitigating their vulnerabilities, but again, many hedge funds don’t have that luxury. They also don’t always have enough staff to build-out a follow-the-sun model of 24/7 coverage, so who’s keeping watch while the lights are out? Often, they are operating in reactive mode and not able to be proactive.

So, what can we do to improve the cyber security landscape around hedge funds? I believe that Change Management can play a huge role in creating a more secure and resilient environment, one that is built upon a strong foundation of compliance, code of ethics, and cyber security awareness training. Also, know your assets (hardware and software - see the CIS Top 18 Critical Controls), make sure your network architecture diagrams are more up-to-date than the attacker’s architecture layout of your infrastructure (you’d be surprised how often this is not the case). In addition, start encrypting your back-ups (if you haven’t already), and run routine exercises to test the recovery from those back-ups. Make sure you have full EDR coverage across all flavors of your endpoints (Linux, Mac, Windows, other), and don’t forget your servers. Consider cyber security insurance, but keep those contracts hidden so that the contents cannot be used against you by the threat actors during negotiation. Lastly, know who to call. If you’re a larger sized organization, consider keeping a ransomware/extortion brokering-service on retainer.

I hope this information has been helpful. In closing, I would like to state that I could not have written this post without several friends who generously spent collective hours with me on the phone, entertaining my often-elementary questions. Each of them has asked to remain anonymous, as many of them are experts at their craft and spend their entire workday negotiating with ransomware criminals, or closely following them and aiding in bringing them down. I don’t pretend to be an expert on hedge funds by any means, I simply talked to several people who were much smarter than me, and I’ve tried to put together what I learned, in case it’s useful to anyone.

Tuesday, August 16, 2022

My People Are Hackers


As I reflect on my week in Vegas for Hacker Summer Camp 2022, I had several takeaways from Christopher Krebs' engaging keynote address. One which stood out was, "Find your people", nurture those relationships, mentor, and give back when you can (I’m paraphrasing).

Well, my people are hackers. We’re good people who break stuff, build stuff, and we leave things better than we found them, (a personal family motto that I have been telling my daughters for years).

I am overwhelmed with gratitude to have been able to gather this past week with so many of my people. Some of us only met in spirit as we passed like ships in the night due to insane schedules where (guilty as charged) we tried to make up for two years of not attending in-person. Additionally, there were others that I had never met before, who have become new friends. Regardless of which “bucket” you fit in, I thank you for your relationship with me. I hope I can live up to Chris’ words, and nurture you, encourage you, be an ear for you, and give back when I can.

I have some big plans for the near future, which I cannot yet divulge, but if you too are a hacker, stay tuned because you will NOT want to miss what I'm cooking up. It won’t happen for several more weeks, so enjoy the rest of your summer, then get ready to strap yourself in, very close to your computer, because we’re gonna have some fun together, and that’s all I can say for now!

To everyone I interfaced with this past week, in one way or another, including but not limited to the following, may we be sustained by our time together, until we meet again:

Tarik Abdel, Danny Akacki, Rui Ataide, Corey J. Ball, Paul Battista, Samantha Isabelle Beaumont, Jay Bhalodia, Jaime Blasco, Chris Camacho, Mickey Cecil, Patrick Chapman, Ray Davidson, PhD, Michael Francess, Bilal Green, Jeremiah Grossman, Juan Andres Guerrero-Saade, John Hammond, William Harris, Tom Hegel, Nick Hensley, CISSP, Dave Herrald, Christofer Hoff, Kyle Kephart, Sandy Lindsey, 🛡️Alyssa Miller, Albert Mimo, Kevin Perlow, Joseph Rivela, Lynn Schifano, 🤖 Shelby Shum, Michael Sinno, Ed Skoudis, Jack Smith, Jennifer Sunshine Steffens, John Stoner, Joshua Sutfin, Tristin Tharp, Ted Theisen, James Turner.

Wednesday, July 27, 2022

Finding Your Voice

“Miracles happen when you believe in yourself enough to let go.” -credit Debra Sperling.

Many of us in InfoSec and DFIR are content creators. Perhaps you aspire to have your own Information Security YouTube, Twitch, or podcast channel like John Hammond or Black Hills Information Security. Or, maybe you strive to hone your speaking skills in front of an audience.

Some of you may know that I had a whole other career as a television executive before I broke into tech. One of the many responsibilities I held in the entertainment world was receiving copy from local TV stations (and often tweaking it), then directing the stars of #1-rated shows, helping them to make that copy read like it was their own.

If you want to engage with your audience on a whole new level, Debra Sperling’s class is for you! “You are the only authentic YOU there will ever be” - Debra... so why wouldn’t you get to know that person a little bit better?!

I have had the privilege of attending two of Frank Verderosa's free, “Meet a Coach!” events with Debra Sperling - Authenticity in Voiceover. The concepts I learned from those brief sessions were invaluable, and far exceeded in worth, the cost of her full workshop. Debra is an absolute champion, in a highly competitive field, and I believe that a lot of that is due to her mindset. Don’t get me wrong, she’s got wicked talent, but I believe it's her attitude that sets her apart. A session with her is like spending time with your own personal motivational speaker!

CyberSecurity is a vast and expansive field. Some of us are team-leads or aspiring leaders, while others in our field find ourselves behind the curtain, and perhaps prefer that. If you're a manager, are you a leader? Do you raise-up those individuals whom report into you? And do you see each one of them individually as their own unique person, understanding that one style or approach might not fit everyone on the team? Do you take into consideration every challenge that makes each of us fearfully and wonderfully made? I felt like all of those concepts were unintended take-aways from my time spent with Debra (and Frank), just by observing how they treated (and coached) others during their Webcast. Each of them are at the top-tier in their field, yet truly care about sharing what they’ve learned about their craft with others. Debra shared skills which translated into any line of work. For example, she used a scenario from her world of how one can choose to complain about “mountains of auditions to get through” vs. “wow, look at how blessed I am to have all of these auditions while others are struggling just to get one”.

I encourage everyone who seeks to be a better speaker/creator, to take Debra's "Authenticity in Voiceover" class! It’s a 3-hour, affordable coaching class, in which you’ll learn a ton about yourself, and how to capture any audience.

Wednesday, December 8, 2021

IR A-Z

Earlier this year I updated my paper entitled, "IR A-Z" for a talk that I was giving at the Magnet Forensics Summit, so I wanted to put its new link here. Enjoy! https://bit.ly/31JHGoF