Cybertraps Podcast

This episode is a part of a special series of interviews conducted at the INCH360 Cybersecurity Conference in Spokane, Washington. Visit their website to learn more about INCH360 and their mission. 

Host Jethro D. Jones interviews Ryan Nelson from IBM's X-Force about the realities of incident response in cybersecurity. Ryan shares insights into handling cyberattacks, the importance of adaptability, and the role of communication and teamwork during high-stress investigations. The conversation also covers working with law enforcement, threat intelligence, and lessons learned from real-world breaches.

What is Cybertraps Podcast?

We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!

Welcome to the Cybertraps podcast.

Today I'm excited to have Ryan Nelson with me from IBM's X-Force.

So first, Ryan, tell us a little bit about yourself and what is this X-Force?

Sure thing.

And appreciate you having me here today.

So IBM X-Force, we're comprised of four different pillars of cybersecurity consulting services.

I'm personally in the incident response division, but also work closely with our threat intelligence, red teaming, then cyber range, which specializes in more immersive tabletop

Okay.

Yeah.

So yeah, so personally on the incident response side of things, we do some proactive and reactive consulting, so helping our clients for cyber incidents, but then on the reactive side, when it actually does happen.

We'll be brought in to assist with the digital forensics and also the consulting side of how to contain it, how do we do eradication, all that stuff.

Yeah, that sounds super intense, and I bet that the people you work with are very high stress at that point.

I mean, at this point, if you're in this sort of role long enough, you can't really let those emotions get to you very long.

Yeah.

You can't, for sure.

Yeah.

No.

So, I think for the most part, when we work with our clients in response to these investigations, we get a mixed group, right?

Some are really used to this sort of thing, and then for some, it's the worst day of their lives.

And sort of navigating the emotions is just as important as navigating the technical response processes.

Yeah.

So, walk me through what you do when somebody gets hacked, they call you and say, come help us out.

Right?

So what do you do in that situation?

I mean, there's a lot of different versions of "somebody gets hacked," so take that however

Yeah.

So in our situation, we're often coming in cold.

Sometimes we've had previous relationships with clients, so we have some familiarity with their environment, but for the most part, it's a brand new scenario, even if we've had that existing relationship.

So we'll hop on a triage call, is the terminology we use, to really just get an understanding of what they know so far.

And try to really synthesize the truth from the theory at that point in time.

And then what are the parameters of the investigation gonna be, ensuing?

So, yeah, what do we know?

What's the indicator?

What are the indicators of compromise?

What led us to this position?

And then understanding, again, the scope of systems and accounts involved.

Who were the necessary application teams or the server owners, right?

Understanding, are they Windows hosts?

Are they Linux hosts?

Right?

Trying to get a grasp of understanding what were the components that were involved in the impact.

And then following that, what kind of visibility and access do we have into that, right?

So then we start that conversation around, okay, can we get into the existing EDR technology, the SIEM solution?

Are we to do live response from a forensics component?

Are we doing full image captures, or can we do some things that are a little bit more efficient as people to get to the data that may not be captured in those security tools?

Yeah.

So fascinating.

And I'm sure with every situation, all those variables are different for everybody, right?

Yeah, we do our best to try to synthesize a process of regular dance steps that we tend to run over again.

But it certainly takes a lot of flexibility and adaptability.

You know, every so often we'll get thrown into a situation where it's a random software vendor that we've never had to deal with before.

We have to get smart really fast on a third-party service that maybe is new, right?

So we have to understand how does it fit into the ecosystem?

Where does the evidence lie?

Do we even have the ability to collect evidence, because it might be proprietary? Every time it's different.

So again, we do our best to control what we can control but then have flexibility to adapt to uncharted waters.

Yeah.

And so I'm sure that you have a process that you do follow.

And you explained some of that.

When you get into these situations and the tensions are high and people are stressed, how important is, I mean, you mentioned that you can't be affected by those.

How important is your calmness and your levelheadedness when it comes to solving the problem?

It's imperative.

It's imperative.

I think what.

At least from a personal perspective, and I think a lot of other folks that are in this field do this, is finding a foundation of confidence and understanding of, again, yes, we might not understand the full breadth or scope of what we're dealing with, but we know some critical truths that we can fall back on to say, okay, maybe this is uncharted water for us, but we've had a sort of similar situation, and this is what we found to be successful in that, and what was challenging, let's try to avoid those going forward.

So one of the adages we like to use is the four truths of malware, where it either has to run, persist, hide, and communicate. And so depending on the, we'll say, like, fertile ground of where that malware is running, right?

That might change how we get to the information, but we know that one of those things has to be true.

Right?

Yeah.

Yeah.

That's so interesting.

And it seems like in these situations there's so much that, like, the people on the ground may not have access to, and so you may not even be able to do anything with a specific piece of software or a server or whatever.

So what is your background?

What got you to this

Yeah.

So I was a computer science major, was a software engineer guy.

But when I initially joined IBM I was brought into the cyber range, actually.

And I was working on building out some of the simulated threat scenarios.

So creating sandbox environments and then attack automations, and how to create those signals and make them visible within various security.

So then clients would come in, bring their security teams, bring their executive teams; the best scenarios had both. So then you can have the security folks, the technical individuals, practicing those muscle movements and then feeding their findings over to the leadership teams.

So then they can make intelligent decisions on their follow-on actions.

So multiple pillars are required for an effective response, not just the technical side.

Yeah.

But pretty quickly.

I realized that while the simulation component was fun and interesting, I kept finding myself rubbing elbows with the incident response folks that were doing the real stuff, actually combating threat actors in client environments.

And I just thought that sounded so cool.

So I quickly realized that's where I wanted to align and was fortunate enough to get the opportunity to move to that team.

Yeah.

And since then, I started out as an analyst and now I'm managing one of our North America teams, X-Force.

Very cool.

So when you go into a situation, part of your job is to get things functional, right?

But then there's also some mitigation for future issues, I'm sure.

And then there's also probably some work with law enforcement or coordinating there.

What does that look like from your perspective?

Sure.

Yeah.

So from the law enforcement component, we definitely work with the clients on engagement with law enforcement.

The best situations are when they already have their local FBI contact on speed-dial.

Right?

That's been great.

And they can really assist when it comes to the subpoena route things.

They'll have a little more reach into takedown requests, or maybe they're leveraging a VPN provider that we can't get identification into where the source came from, but maybe they can issue a subpoena to get some of that lower-level detail that maybe we just don't have direct visibility into.

And then the component of, we're talking about insider threat investigations, right, where they might pursue legal action following that, right?

So we help with sort of identifying what the avenues of possibility are, and then we can provide some of that past experience to help them navigate that.

Yeah.

And then it seems to me there would also be some coordination of identifying common patterns and things that you've seen, and it's like, these look like they might be the same initial group.

And is there anything you want to add about that?

Threat vets I would categorize that under the threat intelligence component of what we do, and it's an absolutely essential pillar for an effective response.

Because again, context information is key when responding, especially to active threats.

So if we can identify or attribute with a certain level of confidence that the threat actor that we're dealing with has been known to execute X, Y, and Z behavioral patterns, or they have X, Y, and Z indicators, we can then do a broader threat hunt throughout the environment to hopefully identify things that maybe the initial team wasn't aware of.

Mm-hmm.

And then furthermore provide some confidence and context to more of the leadership side of things, saying, Hey, this is a known threat group.

They have been known to execute ransomware, and then maybe they have been paid in the past and honored their agreement, right?

Having context when making, like, risk-based decisions.

Yeah.

Extremely helpful.

Yeah.

That's so fascinating.

Well, looking forward to your session on what we learned from a breach later today.

And thank you again for being part of the INCH360 Conference and part of the Cybertraps podcast.

Absolutely, happy to be here and thank you.