What does a military forensics and incident response expert do? | Cyber Work Podcast



We recently hit yet another huge milestone here at the Cyber Work podcast: 25,000 YouTube subscribers. Thanks to all of you who watch and listen each week, to those of you who watch the YouTube videos go live and chat with each other in the comments, and to everyone who is helping us grow this great community. To give back, we're now giving you 30 days of team training for teams of 10 or more. Your Infosec Skills account will help you and your entire team develop their skills and earn CPEs through hundreds of IT and security courses, cloud-hosted cyber ranges, hands-on projects, skills assessments, and certification practice exams. Plus, you can easily monitor, assign, and track training progress with team admin and reporting features. If you have ten or more people who need skills training, head over to infosecinstitute.com/cyberwork or click the link in the description to take advantage of the special offer for Cyber Work listeners. And thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week. On that note, I've got someone I'd like you to meet, so let's begin the episode.

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Daniel Young is the managing partner and co-founder of QuoLab Technologies, a developer of a collaborative and threat-driven security operations platform. His career includes a stint with the US Department of Defense and the United States Air Force, where he was involved with a variety of digital forensics analyst positions. Digital forensics is an interesting field, but one that can also be a bit murky, and especially one that's handled in different ways in the private sector versus military scenarios versus government applications. So we're going to talk today about large-scale cybersecurity operations across multiple teams and even across continents, as well as the importance of comprehensive threat information sharing, both internally and externally, as well as some of the different ways that forensics can be dealt with in different industries.

With nearly 15 years of experience in digital forensics and incident response, Dan Young helps drive the overall direction of his new company, QuoLab Technologies, a developer of a collaborative and threat-driven security operations platform. Prior to QuoLab, Dan was involved with the US Department of Defense and the United States Air Force in several digital forensics analyst positions, and is very passionate about bridging the gap between technological efficiency and human ingenuity, and firmly believes that the best way forward as an industry is to focus on collaboration and data sharing at all levels. Dan, welcome to Cyber Work today.

Thank you very much, Chris. Happy to be here.

Good to have you. So I want to talk to you first, as we do with all our guests, about your general security journey. How did you first get interested in computers and tech and cybersecurity? Was this something you were interested in before you got into the military, or did you pick it up in the line of duty?

No, I picked it up back when I was a young little, you know, warthog, as I would say. Picked it up, started out with an 8086, you know, with big ol' giant floppy drives, you know, the five-and-a-quarter ones. So you put one in for your operating system, one in for the program you're trying to run, and load and cycle. Way back to those days. DOS, you know, 6.2 was my pride and joy. I loved working like that. From there it migrated up through gaming, as you know, in the early ages of, you know, Warcraft is a big thing they're talking about, the relaunch of different

things like that. Oh yeah, it's been the heyday of gaming conversation in the Slack channels around our job now that I'm working from home. Exactly. It's the same here, so you know, that's one of my challenges with our developers and everything. I'm like, guys, you know, I understand that you're at home and there's all this going on, but right, work. Oh yeah. Yeah.

So I got into gaming computers, and then from there building my own computers when I went to... and, you know, building them and then working on doing different things with them. Went to college and got taken under the wing by a really good man there at M State College, and he brought me into his... he was the lab manager, so he ran all the different labs for the computer sciences and then the engineering teams and so forth, as well as the general-use labs, and had me running and helping out in the lab environments. Got a lot of experience there, fell passionately in love with that kind of operations space, and then when I joined the Air Force, it just...

Okay, well, that jumps nicely to my next question here. So could you give me kind of a compressed version of the types of projects, positions, or training that you had with the Department of Defense and the Air Force? What were some of the major steps along the way in terms of becoming someone who went from, you know, basic programming and gaming into someone who really understood forensics, and what were some of the milestones that pushed your knowledge forward?

So the biggest milestone for me initially was chance luck, right? I initially joined the Air Force right after 9/11, you know, it's the heyday of counter... combating Islamic insurgencies and so forth. Joined, and went actually to DLI for language goals, so I was an Arabic linguist. I got to my first duty station and they said, okay, so you have a background in computer science, very strong, as well as you speak Arabic. You want to go to this team that does digital forensics? That was actually the first time I'd ever really heard of digital forensics outside of something like CSI-type stuff, right? I'd never touched it. So went in, started playing around in there, got a lot of training, OJT, hands-on training. So they were using my linguistic skills to look at the media that was captured. Battlefield media is what it was, so cell phones, laptops, and everything that comes off of different individuals that are captured on the battlefield. So looking through that and finding the intelligence that we needed: videos, documents, you know, contact lists, all that good stuff, and then passing that information on. So OJT started out, and then there were several good courses that I went to, both the DoD courses that DC3 and some other institutions, Air Force institutions, put together. Air Force OSI, for example, has a lot of digital forensics investigators, so they have different courses and recommended paths. And also through SANS Institute, I heavily relied on their Forensics 408 back in the day and then 508 training, which is the GIAC Certified... GIAC Certified Forensic Analyst, excuse me. So going through those kinds of courses and training is really what upped my game and got me to the professional level I needed.

Okay, so I want to sort of pull back and talk about the general concept of computer and digital forensics for people who are, you know, just coming to this, you know, they typed in "what is digital forensics" or whatever. So what are the most common types of forensics cases you were asked to carry out with DoD and with the Air Force? I mean, obviously you can't reveal anything specific, but what were, you know, some of the types of things that you were working on in these two positions, and were there any procedural or technical differences between the way the two departments worked in this respect?

Absolutely, great questions. So before I answer that, I've just got to caveat that by saying that I am no longer affiliated with the DoD or the Air Force. I'm wearing a QuoLab shirt. Oh right, no, of course. Just once we got all that, so this is talking about my experiences and my opinions on that. There were two major types that we worked with. The typical ones that you would think of, you know, counter-hackers, right? So working on, like, blue team activities, where you're going in and you're doing hunt activities throughout a network, you're trying to find out how did the intrusion happen, where did it come from, and then looking at the individual systems, laptop,

server, whatever it may be, that was affected by it, and conducting a forensic examination of that device. That's the one type, so that's more cyber-focused. The other focus that I had a lot of my career in as well is that counterterrorism tech focus, and that's focused more on the individual using the device. It's a persona approach, right? It's not looking at software, so say it's more like content on the device. I see, similar applications. Yeah, you're still using the same tools across both to acquire the data; it's what you do with that data afterwards that matters, right? Okay. And so, yeah, and you're looking for different clues. You're looking for, you know, a turn of phrase or, you know, something that could mean two things, or a keyword or something, right? You're looking at his chat logs if he happened to archive them, and say, you know, back in the day a lot of people liked to save their Skype logs, or if they had, you know, cookies where you didn't know, and we're taking advantage of that, or you're looking at the types of media that they're producing, you know, or watching. So, you know, your browsing history, find out, okay, usually not extremists, but you're incredibly active on all these different forums, you're looking at all this violent, vile content. You know, so that's the persona, and then you build out that data and extract... not build it out, but you extract that data and build out your case based off of what you find in there and pass that on up the chain.

Were you required to sort of watch all of the horrendously violent stuff, or were you able to delegate some of that, or were you able to say, okay, I get the point? Or, well, there's just... I could go on. You've seen some reason why... yeah, why I'm not doing it anymore. I think that brings up a very good, interesting point about the digital forensics sphere, especially from the military context. Okay. I think, and I believe my colleagues that I've talked to in the law enforcement sector go through the exact same thing, sure, it's the burnout, right? You know, you can only expect somebody to do so many hours, years, whatever it is, of watching child pornography before it starts messing with you, right? Same thing with violent extremist media. So, you know, I think every professional has to reach that point and say, okay, I think I've had enough, I need to step back permanently or step back for a few years or whatever the time may be, and then maybe come back. So mental health is a big component of that journey. But you're absolutely right that it involves hours and hours and hours of looking at incredibly vile stuff. But you do it knowing that you're doing it for the greater good, and not to sound too idealistic, but you truly are. I mean, at the end of the day, for law enforcement going after child pornographers, they're doing it for the altruistic reason of stopping the people that are in that violent stuff, right? Right. For my context, it was stopping other attacks from happening. Yes, we're catching the guys who are actively plotting attacks against our troops, right? That's what the focus is. So yeah, that's your head in the game, keeps you straight, locked on, and keeps you from freaking the hell out, right?

And also, I think that's... I'm glad we brought that up, because you know, you might be saying, oh, I want to get involved in forensics in the military context, but you don't really think about... that's what you're gonna actually be doing. Yes, you're gonna be sort of pushed to your limits in this regard, and that's, I mean, the technical side of the job is huge, or you have to... you have to be passionate to be engaged in it and want to have an inquisitive mind, right, to go after the data, to look for and seek. But you also have to be able to, like you were just saying, you have to be able to handle that data and understand that, sure, I need to look at this video to find out everything I can about what this guy was doing, because I have to detail it for my counterparts, and, like, the DA or whoever else is going to use that data to convict this individual. But you have to counter that with, can I actually spend those hours looking at and watching this? Yeah. And yeah, that's the challenge.

Do you find, you know, now that you've done it in these kinds of military and government contexts but also in the private sector, is there a sort of level of difficulty on the technical side on one side or the other? Like, do you find that, you know, extremists

have a better, you know, security posture, or is it, you know, I mean, is it easier now, is it harder now, do you know, do people sort of lock up their files more? You know, I don't know if that's even something you can compare necessarily.

So back in the day, when... I mean, I'm talking back in like the 2007-2008 timeframe, and I know that people were doing this before that, but my experience started roughly in that timeframe, it was much easier than it is today. People were passing stuff in the clear, you know, they were using... you'd look at cases, child pornography back then that law enforcement was working on, they were mailing drives back and forth and that kind of thing, CDs. And nowadays a lot of it is almost all exclusively online, and it's not that the people's, you know, technical ability has gone up, or their security awareness posture has gone up. It has, thanks to individuals like Snowden and others that have done certain things that were very damaging to our country. But if you look at it from the perspective of what happened in the industry, you have encryption, that's huge, right? So you have Skype claiming to have end-to-end encryption, or Zoom claiming to have end-to-end encryption, and everything is going through the encryption route, right? So that made it much more difficult when I get on a hard drive and the entire hard drive is encrypted at boot instead of just files on it being encrypted. That's a vastly different approach, right? And so, yes, that has changed, but I think it's more at the technical level versus the people level.

Okay. So from a sort of, you know, getting-into-the-game perspective, what types of skills or interests or backgrounds would these branches of government be looking for when adding new people to their teams? Obviously I know you've been out of the military frame, but you know, based on what you remember, and I guess just universally speaking, what kind of things, you know, should you have in your background to make yourself desirable to these types of positions?

Obviously a passion for technology and a passion for this space, right? You have to have an inquisitive mind. If you're spending hours, and I mean hours and hours and hours, digging through somebody's hard drive or a server, a mainframe, whatever it may be, right, looking for those nuggets of information, that takes perseverance and dedication. So it's a mindset thing. You have to be able to handle the type... if you're going down the law enforcement, military route, you're going to have to be able to handle the exposure to objectionable material. If your focus is more on the cybersecurity defense side, that kind of goes away. But the flip side of that, too, is I think that you lose a little bit of the tactical impact of your work. Mm-hmm. You know, countering malware that's affecting a Fortune 500 is one thing, and it's awesome. Taking down a child pornography ring or taking down a terrorist cell is a totally different application, of course. But looking at the skills that you have to have, the technical background, I would highly encourage people to... I mean, the field changes and evolves all the time. Back in our day it was learning how to, I mean, reassemble platters on a hard drive, right? You don't do that with an SSD, right? So going down the engineering, you know, the software engineering or the cybersecurity training routes, and then just starting to learn on your own and getting into... if you have the money, pay for a SANS class to see if that's something that you want to do. Tons of resources out there. DC3's got a lot of resources on their website, in other areas, but I also... pay for it, it's also... I knew... just dropping it.

So yeah, I wanted to talk a bit, so let's talk from... from individual, because you know, you're talking about yourself as an individual, you know, an incident... you know, a forensics person, but you know, we also mentioned in the intro that you've led multidisciplinary teams of cyber analysts and developers and linguists in the exploitation of seized digital media throughout Europe and Africa. And again, I know this is in your past, but could you tell me a little bit about this experience? What were some of the types of cases you were involved with? Is this more or less what you were talking about before, and if so, can you talk about what it was like to sort of manage this team on these larger types of projects?

So I could talk a little bit about that. Obviously

I'm very limited to what level, but of course what I can say is that the experience of working... it was incredibly humbling in many ways, because you're interacting and working with people with very vast skill sets, and they're very highly specialized in those skill sets. I mean, a network operator versus a, you know, forensics individual who is expert at taking data off of a hard drive, for example, versus a language analyst who knows and understands the culture, and you're talking about all these different components that have to play well together to be able to generate that report that you hand to the decision-maker, who decides what to do with that data. So for me, I was juggling a lot of different types of communications: being able to talk to the analyst, the language analyst, at the cultural level where they're at, being aware of their needs and requirements and what they're bringing to the table, versus the technical requirements that are coming from our counterparts. One of the biggest challenges was also a difference in technical capability of the partners. You see this in the private sector, within the commercial sphere: you have very large companies, organizations, that have a lot of money to put toward their SOC teams, and so they might have a very well-defined SOC structure, tier one through four, they might have a dedicated intelligence team and dedicated forensics incident responders. And then you can flip the coin and be working with another client that does not have any of the above, and they pretty much look at you and go, what do I do? And you say, okay, do you have a firewall at least? Okay, what are the rules like? What do you guys got going on? Do you have an MDR? Can I go through the logs and see that? So that translates incredibly well over to the government side as well in those activities. It's being able to manage multidisciplinary teams across different focuses and being able to consume and bring all that data together into one cohesive format that you can deliver.

Okay. We've had digital forensics, mobile forensics experts on the show before, you know, coming from private sector and court-based forensics work, and I do kind of want to talk to you because, you know, obviously QuoLab is doing stuff more on that side. But can you talk a little more... you'd mentioned that, you know, obviously now you're sort of more protecting enterprises from malware and stuff, but can you sort of give me some differences about, you know, private/public sector forensics versus, you know, a military/government forensic scenario, in terms of, you know, what your targets are, what your methods are, just the sort of overall day-to-day difference? You know, you said, you know, with military stuff you have more sort of a sharp, you know, mission to be accomplished, whereas, you know, it might be more financial in the private sector, or what are some other examples of differences?

So it's... going back to what we said earlier, at the technical level it's pretty much the same, right? You're getting the same training, and I think the DoD has done a really good job, the US government as a whole has done a really good job, of saying, okay, we learned these capabilities, we learned these skill sets, now let's push that down to the private sector or push that out to corporate America and say, look, you guys need to up your game in this area. Like NSA releasing Ghidra last year, stuff like that that keeps happening in this space is awesome. We love it. Makes me, you know, super happy to see that happening. So the technical skill set is roughly the same. What happens is policy, and it's more at the procedure level. By that, if you're in a combat zone and you're doing digital forensics in support of X team or X organization or unit, whatever, the rules of engagement in that kind of an environment are vastly different than, say, if you're helping a corporation who has a presence in Europe deal with, insert a forensics case, they've got GDPR requirements, they have data protection issues and stuff. What you're actually allowed to look at: are you allowed to look at the cookies, the browser history, and all that other stuff? Because that's private data, right? Am I even allowed to share that with the threat intelligence team, because they haven't been read on? So there's all these different components that make it incredibly hard to

migrate between the two, but also a lot of fun, because you get to learn. You know, when I started my journey as a young forensic investigator doing what I did back then, I never once thought I would have to step outside of the technical bubble, because I was like, okay, I'm gonna be technical, I'm extracting, I'm doing, I'm having fun, I'm using EnCase and all these other tools, yeah, got to do the things, right? Nowadays you can't just do that. When you're an investigator and you're going into a company, you have to understand, clear-cut at the top, what you're allowed to do and what you're not allowed to do. The same applies in the government sector, right? If it's US person data, if it's... it depends on the operational control set that is placed upon you. Who owns the data, do you or do you not, right? So those are all fun things, but it's vastly... flexibility. So you asked earlier what it takes to be a good forensicator in this sphere, or a forensics operator: it's flexibility, intellectual flexibility, and technical flexibility as well.

Yeah, and it seems like it's so many different types of problem-solving that I imagine if you're the sort of person that, you know, used to like to play, you know, the sort of point-and-click, you know, problem-solver games, or just, you know, use that side of your brain, like I'm sure it's just perfect for you.

You're absolutely correct. That is absolutely the driver and the passion behind it. That's why I love it, and this way, like, the colleagues of mine, yeah, we can... click games and stuff like that, carry on. Yep, there's tons of similarities there in driving passion. Yeah, get lamp.

I wanted to talk about a thing that you mentioned, that we mentioned in your bio. You talk about the importance of comprehensive threat information sharing, internally and externally. So last week we had a guest on, Cody Cornell from Swimlane, who talked about the open exchange of security information between organizations, and I want to know sort of about how your specific mission works in this regard. What are you aiming for in terms of threat sharing and collaboration, how does it work practically, and what is the sort of stated goal of it?

So that brings up a great point, and going to our earlier conversations too, in the shift in forensics, right, and the shift in this field and how things... back in the day, you know, if I was supporting law enforcement or supporting military, whatever, you'd go through a hard drive, you're gonna rip out all the data that you care about, you're gonna encapsulate it, throw it on a shared drive, throw it on a hard drive, whatever, and you're just gonna pass it up, and from there little teams, individual components, are gonna take a look at that and do what they need to do and keep passing it up the chain. And then you might get something circling back to you with, like, a block list or a blacklist,

a list of different things to look out for and flag immediately if you ever see them. In today's world, data has... I mean, back when I started it was normal to have a hundred-gigabyte hard drive, right? That's not the case anymore, as we both know, and not only is it not the case on the individual devices, it's no longer localized, it's spread out, right? So the vast amount of data that you have to go through and curate makes it impossible for you to just pick up an image. So you rip out the image of a laptop, let's say it's a two-terabyte image that you're taking off a laptop. That two-terabyte image might compress down to, I don't know, 700 gigs, right? 700 gigs. Try and push that across the pipe. How long is that gonna take you? Yeah, right. And then now you're talking real time, when people want decisions yesterday, when you have money going out the door because it's hack-related, or, yeah, people's lives on the line because it's law enforcement or counterterrorism related. What are you gonna do? How are you doing it, right? That breaks it down to the need to proceduralize and split out the process and determine the individual points that you need to be able to share and push out as quickly as possible between organizations and teams. So no longer can I just give you a huge bulk dump of everything and say, look, my job is done, go with it. I have to do the processing and say, okay, you truly care about this. The MITRE ATT&CK framework is a great example of that. We're using that heavily in our platform, and we're using it because it's exponentially increasing the ability for us to communicate about different topics, right? If I'm talking about an executable, I no longer have to sit there and give you a long explanation of what that executable does, or, if I'm tagging data, how I interpret my tags for you, right? I can just say it's got this MITRE ATT&CK reference number ID. Boom. Oh yeah. And they immediately know that executable can do this, and it's like this, or maybe three or four different ones, because it has different capabilities, like if it's, you know, a command-and-control node, whatever. So you have that ability, so that translates to: you need to have a vector and a mechanism to be able to translate and share that information. So Swimlane is doing an awesome job. Very familiar with them and love those guys, looking forward to partnering with them, maybe. But what we're doing is we're focusing on the same area, saying what are the commonly available communication vectors for threat intelligence artifacts? I also... you have MISP, you have STIX, TAXII, OTX, and all those other different frameworks that are available, and transport mechanisms that are available, to share threat information and data. You also have vendor-specific capabilities, right? So I don't want to start name-dropping a bunch of vendors out there, but there's, you know, feel free to connect, there's connectors, others... one of our partners, Intel 471, you know, they all have their way of collecting, categorizing, cataloging their threat information data, and what we're looking at doing is saying, what is the easiest way that I can get, from the operator, the guy doing the forensics job, from the network, the incident responder, from the threat intelligence team, how can we get that data in a unified way and share it back and forth? Obviously, again, we can't keep passing back terabytes of data, right? Now we have to be at the level where we're sharing truly actionable, real-time, live inference information.

Okay, so that's not just information sharing but also a sort of standardizing and, you

know, streamlining of the way you report the data. Like you say, you're not gonna have to sit there and explain every single procedure if you have the MITRE ATT&CK, you know, matrix to help you with that.

Yep, yeah, you're exactly right. Yeah, we love MITRE ATT&CK. You love it too? Yeah. We, in our Infosec Resources blog, have dozens of articles that each one is sort of a breakdown of what a different, you know, MITRE ATT&CK matrix entry means and stuff like that. They're great fun. When they came out with that and released it a few years ago, I was like, where the hell has this been? I know. Obviously, it seems like it should have already been with us. Yeah, correct. It's like, wait a minute, we already did this for, you know, networking protocols, right? The exact same thing, and now everybody gets to have it. Yeah, everybody gets to have those, share the wealth, right? For us it's about being that data aggregator and connector.

It's interesting too, because, yeah, that's a sort of related but different take on what Cody was talking about with regards to security sharing, where he was talking about, like, sharing, you know, previous breaches and hacks and best practices of how things were dealt with, and that seemed to be more like the way, like, you know, police departments in separate counties might share, like, criminal records to catch a serial killer or something like that, whereas this is sort of like a standardizing of procedure in order to sort of speed up the process of the biggest of big data.

Yeah, it's giving you a playbook, right? So, I'm sorry, a workspace, so right. Our focus is not on getting down to procedures and processes; the individual teams can do that, right? And our job is to be amorphic and be a... to let them, within our platform or whatever platform they choose to use that we're connecting with and exchanging data with, let them have the ability to have a unified place where they can come together and analyze and investigate data in ways that make sense to their organization. And to be able to do that, you have to be a data integrator, right? You have to be a tool integrator, and our focus is more on the people workflow, the collaboration between the individual teams and people. You mentioned earlier what are some of the challenges that I faced when I was working for the government, the US government, in Europe and running those teams and doing that kind of work. Data exchange was a huge problem. It still is a huge problem, and I don't think the US government, or NATO, or whatever

You Want to throw, a label on I don't, think anybody, has it totally nailed down and that's what we're trying to our. Vision, our passion, is to nail down the best way to do data exchange, in collaboration. And, it, has to have that technical component, right so I had as a techie, back in the day is still applicable right so yeah, I shouldn't that love for what, that individual. Might attack. Mapping. Is to and say. Okay how can I best represent, that for somebody else over here that needs to work with it in a different context, and. From. There make. The world safe or a better place that's I mean that at the end of the day that's that's the goal here right right that, would be a great place to end that's real but I have more questions for you so. I. Wanted to talk about another point on your a near. Bio about and, and you're gonna have to explain this to be a little you know as, if a six-year-old we're, asking the question but tell, me about the use of graph, modelling in threat, analysis, is another thing that you said you're very, interested, in what aspect to thorough analysis, would would. This you know change and how it improve the practice of instant response. So, graph modeling in our context, is how. We can best. Display. The data interact. With the data on. The I'm talking behind the scenes in in the core the platform, core how the data is being manipulated interact with but. It also comes down to how that data is being visualized, and displayed in the frequency, the the live updating that is that's happening with analysts in practice. This means that when I put data into collab I want to know that it's immediately being collab. Does is, immediately. If, I input its a 50,000. Different IP addresses and a koala bus look at it from IP domain type, spacing. Collab. 
Is automatically, going through and it's going to be pulling, together all the different data points that it knows about that touch those IPS, and also substance of those IPS, so, if you have an Intel report that, came, in from your Intel provider. Your. Threat intelligence provider, that you have within the system you're immediately notified. To that the other thing I was going to notify you to is the. External. Tools that you have connected so if you're using domain tools. So. Or if you're using a showdown for example it's gonna automatically go through hey showdown tasks these fifty thousand go out there pull the data back bring it in and display textually, and that's all happening automatically, in the by the platform and where that becomes critical is that within.

The Link analysis, viewer within cool lab and, I'm not trying to get tool specific, here I'm just saying that's how he's doing it yeah you're. Able to visually. Track through okay, and just point here's, where I saw it here's where it's going and this, is why I care about it in a visual, way and that's bringing the human part to it and so the only way that we could truly do this there's a lot of databases out there that do really good bang-up job and, I'm not ragging on them. For. For their specific use case right the. Problem, is a lot of those are not human, centric, I love, Splunk been using splint forever let, elasticsearch, been using it forever but the truth, is that unless. You're, the guy writing the queries, and the guy that's looking at the data in the database all the time that, doesn't really translate very well to others mmm. To non splunk. Experts. Or non-elastic experts, that's why they have dashboards. But those dashboards can be really hard to configure, and. Every time you do and you change your back and you gotta update your dashboard so forth. Ellipses look will, be the visualizer for you of that and we're. Gonna bring all these other different data components, in that you didn't have access tools so if you're you're like me an, incident, responder or forensics. Investigator. If, I need to do dynamic. Analysis of, piece. Of malware I'm gonna send it to the Emory or I'm gonna send it to cuckoo right and, if I'm doing static analysis I'm gonna send it to key draw or binary ninja or whatever other tool that you're using to do your static analysis then, all those different data points that those tools produce bring, it back in and now, I can visualize it and look at it and I'm not just looking at a type, of view I'm seeing. The actual interactions, between those data trend data points and then you throw, in stuff we were talking about earlier like help, minor tack mapping right, and now all of a sudden the kill chains become. Blatantly. 
Obvious to everybody right yeah yeah, and I like this too because it sort of makes me think of the way you, know people say they're you know they're worried about you know AI or, whatever start taking away security, jobs but you're as, you're dealing with sort of like data. At this size like you, need these kind of like automation, methods and these types of things you, know they're still gonna need people to sort of understand, all this stuff like that's we haven't gotten to that point where you, can both you know hey I can both sort, of take the data and then say oh yeah here's a great solution for it. Exactly. Right you, still need that human intuition and you know it's, why you still need why the government, still has forensics, investigators, right and right analysts.

Because You, still need that human logic. And intuition to be able to look at all the different you know all, the different data points and say I'm, seeing a trend here that a computer just can't pick out or I'm seeing a pattern here that makes me, say I want to go look at that deeper whereas a computer just totally overlooked it because it didn't match a certain set of rules yeah, you're seeing human nature in there hey until Johnny Five comes alive you know we're not gonna be able to that could be a while we're, gonna be doing this ourselves for a bit oh, man. We are definitely the same age a. Lot. Of people watching this might not get that reverence anyway. YouTube, folks YouTube check it out. So. I want to talk you know the cyber work podcast. We won't talk about jobs. And careers and so forth so for. Listeners who are interested in in pursuing careers in you know digital forensics, or instance response or helium, things what are some skills experienced, certifications, they should be looking. Into now to get into the game like. If you were hiring, someone at colab for these type of positions like what, are some things you would absolutely want to see on that person's resume or here. In an interview or see in a cover letter that would make you say this, is this. Person has the right the right the bright background or whatever. So. I'm not a traditional. Interviewer. Primarily. Because of the opportunities, that I was given in my life and. In. My career like, I can I was a linguist I'd amp a formal training in computer, science I had, taken a lot of computer science classes had a lot of passion involvement, in it but I was given the opportunity to be to. Break into forensics, and become where I am so I like to see I'm, looking at it more from a personality type focus, and, I'm, not looking at check boxes on a, resume. But. The check boxes that I do like to see and. I think a lot of my colleagues would probably agree with me and liking to see is definitely. 
Some sort of computer, science background okay, not. Programmers specifically. Those. That, can be helpful but programmers, have a different mindset right they have a different they're, makers not breakers all, right right and. Can't. Fault them we need them right and, they're, the guys that I go to, to automate, XYZ, function, that I need right. But. I'm looking for that analytic mindset I'm looking for people who have taken a. Lot of courses probably, network forensics or network security so security plus and all the security type trainings okay and then taking it the next step and said okay I'm, interested in forensics, and I, want, to take courses on for. Example. Udemy. Has different, courses. Available to them for, for. Example acquiring. A hard drive how do you use basic. DD or whatever you're going to use to get. A forensics, image of a hard drive what does a forensic central area look like and there's, great training again. I go back to sans I'm. Again, not being paid sponsored, or affiliated, with them I just, happen to love their training and their products I've, used them for years both for myself the numbers my team and. I. Can't say enough how that. Is if. You can afford the couple thousand dollars for the course.

Take, That you, go into any pretty. Much any Police Department or the. US government you know and say hey, I have this that, starts the conversation that you need to have and then, you can back that up with those other things I was talking about so, the forensics and. The incident responder, courses, that sans offers, I definitely, would recommend people taking a look at or through their local university. Right if you have anything yeah. Same thing through your local university if they offer incident response courses, or. Cybersecurity. Courses, great, practical. Tactical application. Not the policy side mm-hmm. Okay, so, as we wrap up today we. Talked a little bit about collab but but sort of give give the the full pitch what's it what's it all about what are some exciting projects, you've got going. Right now and so, forth yeah, so we. Company. Just actually moved from we, were in Europe or Frankfurt. Germany and, we just actually launched. In relaunched, in in the US and we're. Headquartered, and and you. Know proud to be American rocking. And rolling here and, making, waves, as far as we anticipate. Or the way we see it in in. Our sphere we, have a data fusion analysis, investigation, platform and, what. That does is it fuses your internal, and external data. Feeds data, sources so, internally that could be your you're seeing your Splunk your, whatever. Your data like is that you have as. Well as your tools internally, so we talked about some of them for dynamic and static analysis, a malware could, be other types of tools that you have within your your ecosystem, that you want to use on a on a procedural, basis fuses. All that into one unified, platform along, with all the external threat intelligence data that you might want to have, brought. In whether you're paying for it whether, it's open source data and NIST like. A circle, or something like that all, those different data sources get fused together and then it gives you the platform a.

Environment. Where you can go in and you can start analyzing that data and, investigating. And tearing, apart the different components, in building out cases, where, you can track and your threats, and incidents, as well, as track and think, of like an apt, repository. Where you can have an internal, tracking. Of the different apt actors that you witnessed and seen within your environment. Which gives you also historical, knowledge and historical. Tracking, of all the cases in incidents that you've been involved on the. Purpose. Of behind doing everything that I just mentioned technically, is, bridging. The. Divide that exists between teams, teams. Gonna get siloed a lot be, it policy data or whatever here, but, bringing back so if you look at a fortune 500 has, a very well-established sauk, environment, being, able to bridge a gap between their threat intelligence teams, they're now reverse engineers, their networking ops. Saying, y'all need to be on the same playing field when. It comes to, responding. In. Actually. Investigating, these these, events. So, instead, of having your threat intelligence analysts, collecting, all the different threat intelligence parsing, it out and then saying here malware analysts here everybody you. Take this data into your domain and look at it and then the malware guy gets, bad. Data and he's forced to collect you know to to collate that against his or to compare it against the data that he's seeing when, he's going through different given piece of malware and, then saying hey take this data back over here we're, wiping all that and saying they can all work on one unified platform. In. The manner that they need to with the tools that they need to so the platform offers different tools so, we, have a malware tool that was specifically, on the, needs that they have you. Have the link analysis, tool that is great, for your. Sock guys your, your. Malware, reverse and sorry, your instant responders, and others so. 
Bringing that unified, platform together for them to, to, empower. Collaboration. Between the teams is the, goal. With one node and then. From there Claude takes it to the next step and says okay so we got all this data fusion happening we've got all these different data points coming in all these tool interactions, and, we have all these teams now working and collaborating together, in one big node one big happy family now saying. Okay what happens now when you want to start creating communities, of interest what happens when you don't start crowdsourcing, your cybersecurity say. You have, banks. Who are partnered together and they're doing cybersecurity together. Those. Banks say five different banks with five different collab, nodes could all the sudden start sharing data I'm, not just talking about sharing. Like. A yar a port or something like that right I'm, talking about sharing cases so if I'm working on a case that so, I'm Bank, a and I'm getting attacked and I have, a case and I'm putting data in there and we're tracking, through it logs and all this other different data. And all. Our notes and everything I say okay I need to be able to share this with my other three partners, PC, B and D well, I can just with, one click of a button quill AB if I have that or that Network sharing, agreement in place I can send those cases over to them and as they work on them and updates my case so.

You Just crowdsource, your cybersecurity right mm-hm, so that, takes a mindset shift by the way right. As. As, you probably know in this domain. People. Are. Very. Pro sharing and can also be very anti sharing yeah parfaits. So, we took both of those into consideration, when coming, out and building this and said okay now we have to create what we called the grid is exchange. Mechanism, with, very, constrained, in limited capabilities. If, if needed so you can you know put, people in a box say I'm only going to share this type of data with this individual, I'm gonna share everything over here with this other individual, and, so forth right being. Able to. Separate. In and control, that data sharing. Arrangement, is what we, built in there so. That's cool Evan it's took. Me a lot right I mean it's complicated, but it's a lot of finding process alright, so one last question if listeners want to know more about danyoung. Or cool lab where can they go online collab. Easy. Peasy Shan, thank you or. Get the shirt. You. Know send you sure how about that perfect, so, thank you so much, for your time today this was super, fun and super invaluable. Thank. You thank you Chris I definitely prettier your tattoo thank you alright and thank you all for, listening and watching if you enjoyed today's video you can find many more on our youtube page just go to youtube.com and type in cyber work with InfoSec, to, check out our collection of tutorials, interviews, and past webinars, if, you'd rather have us in your ears during your work day all of our videos are also available as audio podcasts, just search cyber work with InfoSec in, your podcast catcher of choice for. A free month of the InfoSec, skills platform, discussed at the top of today's show just go to InfoSec, institute comm slash, skills and sign, up for an account in the coupon code type cyber work all one word all small letters no spaces for your free month thank. 
You once again see dan young and co web and thank you all for watching and listening we'll, speak to you next week.

2020-05-07 02:38
