All Things Entry Level Digital Forensics and Incident Response Engineer DFIR

Captions
Gerald: In this week's episode we're going to be looking at all things digital forensics and incident response. I'm interviewing Brandon Poole, a very senior digital forensics and incident response expert, on what the job is, what the pros and cons are, and how you can get started in the field. Coming up.

[Music]

Hey everybody, welcome back to the show, continuing on the all things entry level series within the cybersecurity world. This week we're talking to Brandon Poole about the DFIR (digital forensics and incident response) role. Now Brandon works at Soteria, which is a cybersecurity company local to Charleston, and if you remember, on the pentesting episode of all things entry level we interviewed Paul, who also is a member of Soteria, so thanks a lot to the local Soteria people. Brandon has provided an amazing interview, and he gives so many great, tangible real-life examples and tools and tricks and software and books that you could get to get into the field. He even gives some suggestions on how to interview for the field at an entry-level position.

Now really quick, before we get into the interview: if you're new here, this is Simply Cyber, a YouTube channel designed to help you take your cyber career further, faster. And if you're a regular subscriber, thanks so much for being here, I really appreciate it. Go ahead and hit subscribe, hit the bell for notifications, leave a comment, thumbs up, all the YouTube stuff; I love engaging with you guys.

Now, digital forensics is an interesting part of the cybersecurity field that's very much blue team, after an incident has happened. The incident responders, kind of like the SOC analyst role, deal with triage and containing what the problem is. The digital forensics side actually goes back and looks at the logs, looks at forensic disks, dead disks, does all sorts of investigative work, think FBI type stuff, to really analyze and understand how the attack was perpetrated, what the scope and dimension of the attack was, and what artifacts were left behind, so we can identify and attribute the attack to an individual or a group. Now I don't want to ruin any more, I'll let Brandon talk, because he was just such an interesting person with a wealth of experience. So let's go on and get into the interview, hope you enjoy it.

Gerald: Brandon, can you tell me a little bit about what digital forensics and incident response really is?

Brandon: Yes, I guess the best way to put it is to give you an example. So someone out there gets hit with an intrusion, let's say they get ransomware. A lot of times, especially in small organizations, they have no idea what to do. They panic: all my stuff, it's just completely gone, I can't access it. So they panic, and what happens is, if they have cyber insurance they'll call their cyber insurer, or maybe they have a buddy who knows someone, and they'll eventually come to an incident response and digital forensics firm. What we do is we try to come in on a person's worst day, when they're fearful that their business might absolutely go under, hold their hand, walk them through, give them the confidence, figure out what happened, what went on, pretty much how the intrusion actually happened, put controls in place to contain it, and once those controls are in place to contain it, try to help them remediate and get the business back up and running as quickly as possible with as few hiccups as possible, which oftentimes tends to be the difficult thing. So I would say digital forensics and incident response really is kind of the cybersecurity or IT version of the ER doctor. You're coming in when the business is bleeding and you're having to do a quick triage, plug the holes, and pretty much pull them out.

Gerald: Yeah, that's interesting. When you think of digital forensics, I think obviously of a deep technical skill set; I never really stopped to think you have to deal with some soft skills, because if you're dealing with a person on their worst day, that's different than your normal coffee talk. I mean, they're panicky or emotional or flipping out.

Brandon: Yeah, I would say soft skills actually, probably in a lot of cases, are more important than the hard skills. It is easy to find people with the hard skills to go out and actually do the job, people who are super technical. You can train someone how to go out and read a cache, you can train someone how to build that forensic story, but if they come in and they're just completely off-putting to the customer, that customer is going to have a bad experience. A lot of times when you come in on these incident responses, a perfect example is the first incident response I did with Soteria. I've done them before, but I came in, and I get there, and the three top IT people are like, you know what, I quit, I'm putting in my notice, and the CIO is flipping out. So emotions are high, and what you really have to do is, you can't sugarcoat the truth. Yeah, there's probably someone to blame, someone messed up somewhere, but that's not the intent of that deeper investigation. The intent is to pretty much triage what's happening, stop the bleeding, recover, and then we talk, just like a doctor, about all those things that led to this accident: maybe you were overweight, you should cut back on your sugar, you're diabetic, something like that. You talk about that later. The key is not to pass blame, and also to calm people down, to ground them: it's not as bad as what you think, all these other things could have happened, we caught it early, you've got backups. So yeah, I would say soft skills play a very important role.

I'd also say, depending on where you work, some places break up incident response into its own thing and digital forensics into something else. FireEye is a perfect example. They'll have boots-on-the-ground people that come in, do the data collection, initial triage, and contain it, kind of, and then they have back-end digital forensics people that do the heavy, deep forensics. The initial guys on the ground are triaging and putting band-aids on things, and then you've got your digital forensics folks in the background actually doing all the detailed report writing and feeding that information back for future improvements. But then they'll bring in a whole other thing, which is incident response consultants, and it's their job to take you out of containment through remediation all the way to recovery. So it also depends on the business. I would say that in your small to mid-size shops like our size, and even some of your bigger ones, a lot of people wear both those hats, digital forensics and incident response. You might have some really deep dead-disk guys, for the FBI, and they don't really need a whole lot of that soft skill because they're back-office guys. But yeah, I would say soft skills are probably one of the most important skills of the job.

Gerald: So what would you say the pros and cons are of this particular niche job within the field?

Brandon: I would say, to start with a con, one of the cons of the job, especially if you have a family, is getting that phone call at two o'clock in the morning telling you that you need to be on an airplane to fly halfway across the country in three or four hours. So you're throwing stuff together. Or a vacation: you have to cancel your vacation. You really have to be a lot more flexible. A running joke in the field is that no one has an incident until 5:00 p.m. on a Friday. So that would definitely be probably the biggest con of the job and my pain. Now, that being said, one of the biggest pros is the thrill of it all. After a while, things like ransomware, it's pretty prolific and you see quite a bit out there, and a lot of the TTPs are the same, but there's always these interesting variations. Every customer is different, they have different security controls in place, and so you'll see the threat actor have to just slightly vary, or they'll do some really funky things sometimes, and you've got to try to figure out, well, why did they make this change, why did they do this funky thing, was a security control in the way, did they mess something up. And then other times you just get really interesting calls. Another perfect example: I ended up at one customer site, they got hit with TrickBot, Emotet and Ryuk, and the Ryuk was very early on and, for other reasons, failed at actually encrypting anything, luckily, but TrickBot and Emotet were still rampant in the environment. It was like, all right, well, I've got all these C2 callbacks, let's block them on the firewall. They're like, well, we don't have a firewall. What do you mean you don't have a firewall? And they're like, okay, it was too hard to put firewall rules in, so we just took it out. Okay, wow. So let's figure out another way to block this C2 communication stuff.

Gerald: So there was a lot you couldn't do. Yeah, they're like, well, we couldn't afford a firewall engineer, so we just figured we'd save money by not getting a firewall. Problem solved.

Brandon: Yeah, yeah. And so the next thing is, okay, well, we've got host-based firewalls built into Windows, I'll use the Windows Firewall. And the problem is they had three different sites, but the sites weren't connected via a VPN or MPLS line, so there were whole sections of computers that also were infected, because someone forwarded the attachment, the initial maldoc, over to this other site and they got infected too. They're not even connected to Active Directory, so I can't even use Group Policy to push those firewall rules. So it's like, all right, this is really interesting, how am I going to make this work? So really and truly, because no customer's site or security controls are uniform, you run into all these different things. There's a lot of people out there that say, oh, you just do this in the firewall, block this hash. Well, how are you going to block a hash if they don't have an EDR tool? And you could say, well, AppLocker is built into Windows. Well, what if it's Linux?

Gerald: Yeah, exactly. So this is obviously deeply technical and can be challenging, but if you're seasoned it's a little bit easier. So how would someone who's kind of early in their career but interested in digital forensics and incident response go about it? What would you recommend someone younger or junior in their career do if they want to get into it?

Brandon: So as we said earlier, the key kind of is soft skills. Soft skills are really important, because you can have all the technical skills, and if you've never done digital forensics before, it's really hard to go from not doing it to getting that entry-level job. So the soft skills help you sell yourself in the interview, they help you lay down the resume. Now, as far as hard skills, digital forensics and incident response, I'm going to say, is probably one of the easiest jobs to get into if you know how to spin it right, going back to the soft skills. If you're a network administrator, let's talk about network forensics: being able to get a packet capture, use Wireshark, being able to understand how to read that. And you can even apply those skills to your actual job as a network engineer. Maybe there's a separate team doing firewall stuff and IDS, security, but can you take a packet capture, and can you look at that wire speed and determine whether a lag or an issue is in the application itself or in some physical piece of hardware, looking at that wire speed in Wireshark? Or maybe you can actually volunteer to help do some IDS stuff, some firewall stuff, build up some of that knowledge. If you're a systems guy, Windows servers, Linux servers, they break all the time. Being able to get in and read those logs; it's a systems administration weird thing, it's almost like a lot of sysadmins just don't like to read logs for some reason. That was a skill I picked up very early on, and it really helped me in my career, both as a sysadmin, in the SOC, and even now as a digital forensics and incident response person: looking in the logs and understanding what types of logs there are, what's logged in those logs, how you can go and turn on additional logging to get additional artifacts and stuff like that. Understanding that gives you those hard skills that you can use for some of that dead-disk forensics, even some of that live forensics. If you are a programmer, I know most people think, how is programming related, but there's actually very narrow disciplines like database forensics, understanding what artifacts are left behind whenever you query databases. Now, is that going to be very common stuff? No, probably not. But if you're a programmer and you can pick up that kind of artifact, there are big Fortune 50 companies that have secrets stored in all these databases, a bunch of customer data; insider threats are very much a big deal, and they're very interested in some of these artifacts in these database servers. So, database forensics. Or if you're a developer, even picking up some things like, a lot of things in Android are all Java-based; being able to understand the fundamentals of that Android operating system, or iOS, gets you into the mobile forensics space. Really, truly, that's the beautiful thing about digital forensics: you can go pick up a book. That's pretty much what I did. Harlan Carvey, a big Windows forensics guy, tons of books out there, probably one of his latest ones, Investigating Windows Systems, really lays it out; he's the Windows registry guru. You can pick up that kind of stuff. A lot of the tools are open source, so Autopsy and The Sleuth Kit. You can start messing around: you can spin up your VM, a little malware sandbox, go to malware-traffic-analysis, pull down your thing, blow it up in your VM, pause or suspend that VM. If you want to get into memory forensics, grab that .vmem, or just shut down the machine and grab that VMDK. That VMDK can be loaded into Autopsy as a dead-disk image, and you can actually start playing around with it, see what kind of artifacts you can find, go through and pull out things like jump lists and prefetch. If you don't know what that is, it's easy enough to go and read decent books or even Google it and figure out what these artifacts are and what information is contained there.

Gerald: That's a ton. I was thinking you might suggest a couple pieces of technology to bone up on, but those are all excellent, excellent recommendations. I feel like you really called out something interesting: forensics is a niche of blue team, SOC ops, but it even further explodes out, where you can do database forensics, mobile forensics. It's interesting how niche you can really go into that particular field.

Brandon: Yeah, and that's just the forensics piece. Talking about the incident response piece, yeah, those soft skills are definitely really important there, but also understanding security architecture. If you've got something at the network layer, okay, what in my security architecture can prevent this type of stuff? Being able to understand, you have a firewall: is it a layer 7 firewall, a layer 3 firewall? Being able to talk about the security architecture intelligently and kind of coach the customer on how to use the security architecture, because there's tons of people with a layer 7 firewall that just don't understand how to use some of these layer 7 rules and whatnot, or there's tons of people with an EDR tool that just don't understand how to optimize and use all that functionality of the EDR tool.

Gerald: Cool. So it sounds like, okay, a couple of tools, a couple of books, and then just time in the saddle is really what you need.

Brandon: Yeah, I would even throw one more out there: DFIR.training, run by Brett Shavers, who's another big guy out there. He's written a bunch of books on X-Ways, which is a cheaper but definitely more fully featured version of Autopsy and Sleuth Kit. But yes, DFIR.training, the dfir.training domain. He lists out things like SANS and some other training, but he also indexes a lot of Twitter posts, a lot of YouTube videos on how to use Sleuth Kit and Autopsy, and all kinds of interesting things like blogs you can read. So that's a good place to go, I guess like an RSS feed or a meta place for a lot of stuff.

Gerald: If people want to engage with you to get more information or learn more about DFIR, how could people get in touch with you?

Brandon: I would say LinkedIn probably is the best way to get in touch with me, just because I remember that. So just Brandon Poole on LinkedIn, look for the one that works for Soteria, and feel free to message me there. If you're not in my network, first or second connection, probably the next best way is Twitter. I do have open DMs there, and I believe you can find me ad at an outside so that's at pa in ooh PP cy on Twitter.

Gerald: All right, perfect. Well, Brandon, thank you so much for talking with me and sharing a wealth of information on digital forensics and incident response. Appreciate it.

Brandon: No problem, pleasure, come on again.

Gerald: Thank you so much to Brandon for giving us this time and really providing that rich interview. Now, I'll just let you know that after we stopped filming for this, the recording kept going, and Brandon and I talked for another 20 minutes, and we actually got started talking about detection engineering, really a kind of, I don't want to call it a niche field, but it's a new kind of area within the incident response space around chaining together a bunch of different alert types to weed out false positives. I'm going to bundle that up and actually make it a whole other video, because we were kind of just riffing off the cuff and I thought it was very, very interesting material. So anyway, thanks again to Brandon, thanks again to Soteria. Until next week, stay secure.

[Music]
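One of the artifacts Brandon suggests pulling out of a dead-disk image, prefetch, is a good first parser to write yourself. The script below is an added example for this page, not code from the video, from Brandon or from Soteria. It reads the fields an analyst looks at first (executable name, prefetch hash, run count, last-run timestamps) from uncompressed .pf files of format versions 17, 23 and 26, using the field offsets from the publicly documented format, and refuses Windows 10 files, which are stored compressed (MAM header) and need LZXPRESS-Huffman decompression first. The sample file is constructed inside the script; `NOTEPAD.EXE`, the hash `0x1A2B3C4D`, the run count and the timestamp are made-up values, so nothing here is a real artifact.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per-version offsets of the fields this parser reads (from the public Prefetch
# format description). Version 30 (Windows 10+) shares the version-26 field
# layout but is MAM/LZXPRESS-Huffman compressed on disk, so it is rejected
# below rather than mis-parsed.
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "timestamps": 1},  # Windows XP/2003
    23: {"last_run": 0x80, "run_count": 0x98, "timestamps": 1},  # Windows Vista/7
    26: {"last_run": 0x80, "run_count": 0xD0, "timestamps": 8},  # Windows 8.1
}
HEADER_SIZE = 0x54  # common header: version, "SCCA", size, name, hash


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return executable name, hash, run count and last-run times from a .pf file."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch (Windows 10+): decompress the "
                         "LZXPRESS-Huffman payload before parsing")
    if len(data) < HEADER_SIZE or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0x00)[0]
    layout = LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch format version {version}")
    # 60-byte UTF-16LE executable name, NUL terminated
    executable = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    last_run = []
    for i in range(layout["timestamps"]):
        ft = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)[0]
        dt = filetime_to_datetime(ft)
        if dt is not None:
            last_run.append(dt)
    return {
        "version": version,
        "executable": executable,
        "prefetch_hash": prefetch_hash,
        # the on-disk name this record should carry; a mismatch is worth a look
        "expected_filename": f"{executable}-{prefetch_hash:08X}.pf",
        "run_count": run_count,
        "last_run": last_run,
    }


def build_sample_v23(executable, prefetch_hash, run_count, last_run):
    """Construct a minimal version-23 prefetch image (test fixture, not a real file)."""
    size = 0xF0  # common header + version-23 file information block
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0x00, 23)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, size)
    name = executable.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


def parse_sample():
    """Parse a constructed sample; every value is made up for the demonstration."""
    sample = build_sample_v23(
        "NOTEPAD.EXE", 0x1A2B3C4D, 3,
        datetime(2020, 6, 22, 12, 0, tzinfo=timezone.utc))
    return parse_prefetch(sample)


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key}: {value}")
```

To run it against a real image, mount the disk read-only (or export `C:\Windows\Prefetch` from Autopsy) and pass each file's bytes to `parse_prefetch`; the `expected_filename` field lets you cross-check the record against the name it was stored under, and the `run_count` and `last_run` values give the execution timeline the interview refers to.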
Info
Channel: Gerald Auger - Simply Cyber
Views: 7,436
Rating: 4.9732442 out of 5
Keywords: cybersecurity, information security, career, cyber, security, infosec, cyber security, cybersec, career growth, get a job, cyber for beginners, blue team, red team, security operations, career development, college graduate, transitioning veteran, cyber job, cybersecurity jobs, entry level cybersecurity, entry level, no degree, cyber careers, simplycyber, simply cyber, DFIR, incident response, soc analyst, digital forensics, computer forensics, threat hunting, dfir training
Id: Cst8K64j5_Y
Length: 19min 16sec (1156 seconds)
Published: Mon Jun 22 2020