Monday, October 14, 2024

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

Sorry, Not Sorry

My first Wild West Hackin' Fest IRL is no longer just a bucket list item, and I have to say, we crushed it! That's right, "we". You see, once you have experienced that con, you are no longer alone. You kind of adopt a large family of good people who are really passionate about #CyberSecurity and helping others understand it...not with an egocentric approach, but instead with a deep love of the craft.

The other "we" I’m referring to is the amazing 4-person CTF team of which I am honored to be a part. We came in second in the #MetaCTF event, just behind the DSU team (congrats to them for snagging first place), and kudos to the “Safety 3rd" team who landed right on our tail! These team members really did the heavy lifting for us: Matt Pardo, Jibby Saetang, and Jon Thurston.

Speaking of IRL, I'm sure most of us are aware of the effects of social media and how so very much of what you read is the "wins" and the "slays" in our lives, and hey, I'll be the first to admit that that's mostly what I post about. But let's get real for a moment. There's a reason why most of my social media presence has been quiet this year. That's because this past year has been one of the darkest and most difficult years of my life. I'll respect the privacy around that, but I will say that it has made me even more grateful for my amazing family and friends. So yeah, I'm sorry, not sorry, that when I heard our team's name announced as the second-place winner, I leapt out of my seat, and screamed at the top of my lungs. The joy that I felt was off the charts and I just could not contain it.

Back in March of this year, when I felt like I was being put through a meat grinder and had gone a full week where I barely slept, I happened to get a surprise note from a long-time friend who was apologizing for not seeing a message I’d sent a few years prior just to catch up. His family sent me a BHIS hoodie, which I wore every day for the next 3 months straight (don't worry, it got washed regularly), and each morning, as I got ready to start my day, I would put on that hoodie and it literally felt like I was wrapping myself in a big hug.

So, to all of my Black Hills Information Security / Active Countermeasures / Antisyphon Training family, and to my #WWHF friends, thank you for all you have done for me this year. And thanks for making my sister feel so welcome during the family steak dinner and calf-roping night; she had such a great time and was impressed at how kind everyone was.

Calf-roping

Roman Bohuk - Your CTFs are amazing!
Stephan Borosh - I looked for you and wanted to say hello, next year!
Jason Blanchard - Thank you for all you do.
Chris Brenton - Thank you for your friendship all these years!
Kathy Chambers - How did we miss one another?! Next year!
Aaron K. Clark (⠉⠗⠽⠏⠞⠕⠚⠕⠝⠑⠎) - It was great to finally meet you!
Ray Davidson, PhD - It's always lovely to sit down with you (and Jen the Librarian)!
Jon Gorenflo - Thank you for going above and beyond with the extra t-shirt for my sister!
Corey Ham - What a treat to meet you in person.
John Hammond - It's always nice to see you, congrats on your award!
David Kennedy - It was nice to bump into you.
Brian King - It was great to finally meet you.
Mishaal Khan - Next year!
Velda Lempka - What a pleasure to see you again after 15 years!
Kirt Lenz - I'm sorry we did not connect, next year!
Josh Mason 🍄 - It was nice to chat with you briefly.
Tim Medin - HA! So much fun!
Molly Murdoch - Thank you for all, I will be in touch!
Matthew Nelson - It was a pleasure to sit down with you. Denver or bust buddy!
Shelby Perry - It was lovely to finally meet you in person, thank you for everything!
Solomon - I'll see you on the range!
Stan Souza - Thank you for the badge exchange.
William Stearns - Looked for you! Next year!
Bryan Strand - I kept looking for you, next year!
John Strand - Thank you for all you do!
Nathan Vance - It was lovely to meet you.
Wade Wells - Can't wait to see you in December in San Diego!
Brittany White and Aiden - Thank you for your kindness and generosity. Thanks to Rania Rollin and you, I can say I have seen Mt. Rushmore! #KindnessOfStrangers

Deb Wigley - Finally we got to meet, yay!
🙅‍♂️ Oliver (Jay) Wilson - We didn’t make it to Devil's Tower, but are already planning for it next year!
Douglas Young - How did we not connect?! I'm so sorry! Let’s make sure we do next year.
Ayub Yusuf - You are a legend! Keep fighting the good fight!

A few more...to the gal from the BHIS Baltimore office (and her friend Kyle) whom I met at Starbucks and had a lovely interaction with, see you next year! Also, John and Ben (if you see this, I don't even know your last names), it was so special to sit next to you and share such a deep and meaningful conversation. The world is such a better place with both of you in it, don’t ever forget that!

Lastly, if you are curious about playing a #CTF but haven't yet checked out the MetaCTF range, I highly recommend it.

# The End...er...actually, this is just the beginning! #

Tuesday, April 18, 2023

Successful Threat Hunting


I received a very prestigious award this past week at work, arguably one of the biggest my company doles out. Since the fanfare and graphics were internal only and labeled as “Confidential”, I wanted to take a moment to share with you one of the big reasons why I believe I received that award.


The title graphic used in this post is from an upcoming (and recurring) FREE class taught by Chris Brenton over at Active Counter Measures (a John Strand/Black Hills Information Security company). The first SANS class I ever took was back in 2007 and taught by Mr. Brenton; it was called “SANS SEC502 Perimeter Protection In-Depth"...back in the day, when I scanned the cert, I don’t even think I had a color scanner LOL!

So how does all this tie into my award? On April 4, 2020, when so many of us were on lockdown due to COVID-19, Active Counter Measures offered their first free Threat Hunting course, taught by none other than Chris Brenton. Back then, it was a 4-hour class, which I took, and was blown away. Chris has since taught that course a total of 14 times, and I have taken it as many times. Several times after taking that class, I turned right around and used said new-found knowledge in my own threat hunting. I remember a couple of times after reviewing my notes the next day, I had a question which I put into the Active Counter Measures Discord server, and Chris got right back to me. Folks, who does this, and for FREE?! Who consistently takes an entire Saturday to teach a 6-hour class for nothing?! Seriously, what a gift to our community!

I encourage everyone reading this to take the next class on Saturday, April 22nd, 2023 from 11 AM to 5 PM (ET). You won't regret it, and trust me, fun fact...you might just find yourself emerging from a rabbit hole, clutching a very, very real, and shiny object!

Sunday, January 29, 2023

Honoring Mentoring Month

If you are new to InfoSec or trying to break into CyberSecurity, this post is dedicated to you. I have revamped my DFIRLinks Website and added a whole new row of resources for newcomers or those seeking a new role. You may be wondering why, right next to “InfoSec101”, there’s a link to “Leadership” resources. Here’s why. Many of you are just trying to get your foot in the door, but if you study the materials listed in my blog, I’m confident that you will...and it might not be long until you find yourself with an opportunity to move up from your entry-level role. Additionally, I’m a firm believer that leadership skills can help you gain that chance to move ahead. Just because your job title doesn’t have, “Manager, Director, or Team Lead” in it, certainly doesn’t mean you can’t exhibit leadership qualities.

It’s never too soon to begin building “Servant Leadership” qualities. Those traits can help you with more than just your career, they can guide you to becoming a better parent, friend, spouse, sibling, child, and so much more. Being a servant leader is far more than being just a manager, so I’ve listed some resources that I hope will inspire you.

But building your character can be hard work. It can mean things like evaluating how we apologize to people. For example, there’s a way to say, “I’m sorry” which can completely absolve yourself of any responsibility for your deeds, and then there’s a way to take ownership of your words/actions, spell them out, and truly apologize in a very specific manner.

What I’m equally advocating for you is that you land that first gig, and then, once you do, you won’t want to stop learning and trying to better yourself. So, while this post is hitting the tail-end of Mentoring Month (January), I hope you will still find it useful.

Monday, October 3, 2022

Hedge Funds: A Unique CyberSecurity Posture


Hedge Funds: A Unique Cyber Security Landscape?

I was recently asked to join a Hedge Fund Association panel to discuss the unique Cyber Security challenges that keep Hedge Fund managers up at night. Although the Citrin Cooperman event had to be postponed, I put together the following article based on my research leading up to my appearance at the event.

"Hedge Funds...they're so risky!" Have you ever heard that said? I sure have, but it was strictly meant in terms of ROI, like “Two and Twenty”, but not cyber security. In terms of cyber security, what is the risk for a hedge fund, and what does that threat landscape look like?

While I find myself every day at the coalface of real-time cyber security threats toward financial institutions, hedge funds are sort of their own unique snowflake. Similar to a wealth management firm, they don't have brick-and-mortar tellers, debit cards, ATMs, or even physical vaults. That being said, they still face the standard cyber-related threats that a major financial institution has to mitigate, but what I believe is quite different is the vector.

For example, Regulatory Compliance is super important to the financial sector, but for a Hedge Fund it’s arguably hard to track. Think about MNPI (material non-public information) for a second. Let’s say you run a small hedge fund and you overhear a conversation at a bar that Broadcom is planning to buy VMware. The next day, you throw a ton of money into VMware, but if you are questioned by FINRA or the SEC, you probably won’t have any background research or recently published reports about the two companies to justify the trade, and if you were to take a selfie at that point, you just might have some egg on your face. Which is a great segue into Regulatory Tech and monitoring traders.

Monitored trading at a hedge fund is important for a lot of reasons, such as the threat of intellectual property theft (trading algorithms, M&A information); however, one of the misnomers around monitoring is the term “Insider Threat”. Often in cyber security that term refers to a trusted insider with a very high level of access who has become disgruntled, but with regard to a hedge fund, it is equally important to monitor for honest mistakes, such as forgetting to disclose a political contribution. In Real Estate, it is often said, “Location, Location, Location”, but in terms of a hedge fund, it’s “Monitor, Monitor, Monitor”.

BEC (business email compromise) is everywhere, just ask Ronnie Tokazowski, but the stakes are much higher for a hedge fund. Hedge funds are often known for their rock-star leader(s), and so the risk of disruption or extortion is far greater, and VIP protection is likely top of mind. These leaders are highly targeted due to the perception that they’d pay to reduce any downtime. Spear phishing is very high on the list of threats against hedge funds.

Wire Fraud is another biggie - Account Takeover where stolen PII might be used to impersonate and commit fraud is much riskier for a hedge fund because the stakes are higher.

Hedge funds are also in a much higher risk category for supply chain attacks. Aside from the handful of exceptions, an average hedge fund’s technical staff is made up of a CTO and 1-3 sys-admins, max. So, let’s say at one of these smaller funds, you have a trader who relies on open-source software. They might have some knowledge of “R” or Python, but they aren’t necessarily trained in security. For example, do they understand what all of their libraries are doing within the code they’re writing? Are they aware which ones might be external-facing? And are they making sure their S3 buckets aren’t open?
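One concrete way to answer the last question above. This is an added example, not code from the original post: it audits an S3 bucket policy document for statements that grant access to anyone (a wildcard `Principal` on an `Allow` statement with no `Condition`). The two policy documents are constructed samples, and the bucket, account ID and role names in them are made up for illustration.

```python
import json

# Constructed sample: an "open" bucket policy that lets anyone read objects.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::research-data/*",
    }],
})

# Constructed sample: the corrected policy, scoped to one IAM role
# (account ID and role name are made up).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TeamOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/quant-research"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::research-data/*",
    }],
})


def _principals(stmt):
    """Flatten the Principal element into a list of strings.

    IAM accepts the bare string "*", or a dict such as {"AWS": "*"} or
    {"AWS": ["arn:...", "arn:..."]}.
    """
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def audit_bucket_policy(policy_json):
    """Classify Allow statements by how broadly they grant access.

    Returns {"public": [...Sids...], "conditional": [...Sids...]}.
    A wildcard principal with no Condition is reported as public.
    A wildcard principal *with* a Condition (e.g. aws:SourceVpce) may or
    may not be public, so it is reported separately for manual review.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]

    findings = {"public": [], "conditional": []}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings["conditional"].append(sid)
        else:
            findings["public"].append(sid)
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, audit_bucket_policy(policy))
```

A caveat a practitioner would want: a bucket policy is only one of the ways a bucket becomes public. Bucket and object ACLs and the account- and bucket-level Block Public Access settings also matter, so this check is a quick local triage of a policy document you have already pulled, not a full determination of exposure.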

In some of those smaller shops, who’s monitoring for patches and updates? It can sometimes be months before a CVE gets published for a flaw, and the delta on patch management can be even greater than that when you have just one person managing all of it. And what about vulnerability management? Large financial firms have entire departments of people dedicated to mitigating their vulnerabilities, but again, many hedge funds don’t have that luxury. They also don’t always have enough staff to build out a follow-the-sun model of 24/7 coverage, so who’s keeping watch while the lights are out? Often, they are operating in reactive mode and not able to be proactive.

So, what can we do to improve the cyber security landscape around hedge funds? I believe that Change Management can play a huge role in creating a more secure and resilient environment, one that is built upon a strong foundation of compliance, code of ethics, and cyber security awareness training. Also, know your assets (hardware and software - see the CIS Top 18 Critical Controls), make sure your network architecture diagrams are more up-to-date than the attacker’s architecture layout of your infrastructure (you’d be surprised how often this is not the case). In addition, start encrypting your back-ups (if you haven’t already), and run routine exercises to test the recovery from those back-ups. Make sure you have full EDR coverage across all flavors of your endpoints (Linux, Mac, Windows, other), and don’t forget your servers. Consider cyber security insurance, but keep those contracts hidden so that the contents cannot be used against you by the threat actors during negotiation. Lastly, know who to call. If you’re a larger sized organization, consider keeping a ransomware/extortion brokering-service on retainer.

I hope this information has been helpful. In closing, I would like to state that I could not have written this post without several friends who generously spent collective hours with me on the phone, entertaining my often-elementary questions. Each of them has asked to remain anonymous, as many of them are experts at their craft and spend their entire workday negotiating with ransomware criminals, or closely following them and aiding in bringing them down. I don’t pretend to be an expert on hedge funds by any means, I simply talked to several people who were much smarter than me, and I’ve tried to put together what I learned, in case it’s useful to anyone.

Tuesday, August 16, 2022

My People Are Hackers


As I reflect on my week in Vegas for Hacker Summer Camp 2022, I had several takeaways from Christopher Krebs' engaging keynote address. One which stood out was, "Find your people", nurture those relationships, mentor, and give back when you can (I’m paraphrasing).

Well, my people are hackers. We’re good people who break stuff, build stuff, and we leave things better than we found them (a personal family motto that I have been telling my daughters for years).

I am overwhelmed with gratitude to have been able to gather this past week with so many of my people. Some of us only met in spirit as we passed like ships in the night due to insane schedules where (guilty as charged) we tried to make up for two years of not attending in-person. Additionally, there were others that I had never met before, who have become new friends. Regardless of which “bucket” you fit in, I thank you for your relationship with me. I hope I can live up to Chris’ words, and nurture you, encourage you, be an ear for you, and give back when I can.

I have some big plans for the near future, which I cannot yet divulge, but if you too are a hacker, stay tuned because you will NOT want to miss what I'm cooking up. It won’t happen for several more weeks, so enjoy the rest of your summer, then get ready to strap yourself in, very close to your computer, because we’re gonna have some fun together, and that’s all I can say for now!

To everyone I interfaced with this past week, in one way or another, including but not limited to the following, may we be sustained by our time together, until we meet again:

Tarik Abdel, Danny Akacki, Rui Ataide, Corey J. Ball, Paul Battista, Samantha Isabelle Beaumont, Jay Bhalodia, Jaime Blasco, Chris Camacho, Mickey Cecil, Patrick Chapman, Ray Davidson, PhD, Michael Francess, Bilal Green, Jeremiah Grossman, Juan Andres Guerrero-Saade, John Hammond, William Harris, Tom Hegel, Nick Hensley, CISSP, Dave Herrald, Christofer Hoff, Kyle Kephart, Sandy Lindsey, 🛡️Alyssa Miller, Albert Mimo, Kevin Perlow, Joseph Rivela, Lynn Schifano, 🤖 Shelby Shum, Michael Sinno, Ed Skoudis, Jack Smith, Jennifer Sunshine Steffens, John Stoner, Joshua Sutfin, Tristin Tharp, Ted Theisen, James Turner.

Wednesday, July 27, 2022

Finding Your Voice

“Miracles happen when you believe in yourself enough to let go.” -credit Debra Sperling.

Many of us in InfoSec and DFIR are content creators. Perhaps you aspire to have your own Information Security YouTube, Twitch, or podcast channel like John Hammond or Black Hills Information Security. Or, maybe you strive to hone your speaking skills in front of an audience.

Some of you may know that I had a whole other career as a television executive before I broke into tech. One of the many responsibilities I held in the entertainment world was receiving copy from local TV stations (and often tweaking it), then directing the stars of #1-rated shows, helping them to make that copy read like it was their own.

If you want to engage with your audience on a whole new level, Debra Sperling’s class is for you! “You are the only authentic YOU there will ever be” - Debra... so why wouldn’t you get to know that person a little bit better?!

I have had the privilege of attending two of Frank Verderosa's free “Meet a Coach!” events with Debra Sperling - Authenticity in Voiceover. The concepts I learned from those brief sessions were invaluable, and far exceeded in worth the cost of her full workshop. Debra is an absolute champion in a highly competitive field, and I believe that a lot of that is due to her mindset. Don’t get me wrong, she’s got wicked talent, but I believe it's her attitude that sets her apart. A session with her is like spending time with your own personal motivational speaker!

CyberSecurity is a vast and expansive field. Some of us are team leads or aspiring leaders, while others in our field find ourselves behind the curtain, and perhaps prefer that. If you're a manager, are you a leader? Do you raise up those individuals who report to you? And do you see each one of them individually as their own unique person, understanding that one style or approach might not fit everyone on the team? Do you take into consideration every challenge that makes each of us fearfully and wonderfully made? I felt like all of those concepts were unintended take-aways from my time spent with Debra (and Frank), just by observing how they treated (and coached) others during their webcast. Each of them is at the top tier of their field, yet truly cares about sharing what they’ve learned about their craft with others. Debra shared skills that translate to any line of work. For example, she used a scenario from her world of how one can choose to complain about “mountains of auditions to get through” vs. “wow, look at how blessed I am to have all of these auditions while others are struggling just to get one”.

I encourage everyone who seeks to be a better speaker/creator to take Debra's "Authenticity in Voiceover" class! It’s a 3-hour, affordable coaching class in which you’ll learn a ton about yourself, and how to capture any audience.