1
00:00:02,876 --> 00:00:04,586
Welcome to the Cyber Traps podcast.

2
00:00:04,586 --> 00:00:08,486
Today I'm excited to have Ryan Nelson with me from IBM's X-Force.

3
00:00:08,486 --> 00:00:12,386
So first, Ryan, tell us a little bit about yourself and what is this X-Force?

4
00:00:12,386 --> 00:00:12,896
Sure thing.

5
00:00:12,896 --> 00:00:14,426
And appreciate you having me here today.

6
00:00:14,476 --> 00:00:20,446
So at IBM X-Force, we're comprised of four different pillars of cybersecurity consulting services.

7
00:00:21,056 --> 00:00:29,436
I'm personally in the incident response division, but I also work closely with our threat intelligence, red teaming, and then cyber range, which specializes in more immersive tabletops.

8
00:00:29,961 --> 00:00:30,381
Okay.

9
00:00:30,456 --> 00:00:30,666
Yeah.

10
00:00:31,096 --> 00:00:42,146
So yeah, so personally on the incident response side of things, we do some proactive and reactive consulting, so helping our clients for cyber incidents, but then on the reactive side, when it actually does happen.

11
00:00:42,526 --> 00:00:49,336
We'll be brought in to assist with the digital forensics and also the consulting side of how do we contain it, how do we do eradication, all that

12
00:00:49,536 --> 00:00:49,776
stuff.

13
00:00:50,131 --> 00:00:54,751
Yeah, that sounds super intense, and I bet that the people you work with are.

14
00:00:55,351 --> 00:00:56,971
Very high stress at that point.

15
00:00:57,151 --> 00:01:02,196
I mean, at this point, if you're in this sort of role long enough, you can't really let those emotions get to you very long.

16
00:01:02,196 --> 00:01:02,316
Yeah.

17
00:01:02,316 --> 00:01:03,001
You can't for sure.

18
00:01:03,751 --> 00:01:03,991
Yeah,

19
00:01:04,051 --> 00:01:04,261
No.

20
00:01:04,261 --> 00:01:10,241
So, I think for the most part, when we deal with, when we work with our clients in response to these investigations, we get a mixed group, right?

21
00:01:10,241 --> 00:01:12,851
Some are really used to this sort of thing, and then some.

22
00:01:13,166 --> 00:01:14,366
It's the worst day of their lives.

23
00:01:14,616 --> 00:01:20,246
And sort of navigating the emotions is just as important as navigating the technical response processes.

24
00:01:20,351 --> 00:01:20,741
Yeah.

25
00:01:21,041 --> 00:01:27,371
So, walk me through what you do when, 'cause somebody gets hacked, they call you and say, come help us out.

26
00:01:27,371 --> 00:01:27,671
Right?

27
00:01:28,241 --> 00:01:30,251
So, so what do you do in that situation?

28
00:01:30,311 --> 00:01:34,571
I mean, there's a lot of different versions of somebody gets hacked, so take that however.

29
00:01:34,706 --> 00:01:34,946
Yeah.

30
00:01:35,156 --> 00:01:37,256
So in our situation, we're often coming in cold.

31
00:01:37,306 --> 00:01:46,426
Sometimes we've had previous relationships with clients, so we have some familiarity with their environment, but for the most part, it's a brand new scenario, even if we've had that existing relationship.

32
00:01:46,726 --> 00:01:51,736
So we'll hop on a triage call, is the terminology we use, to really just get an understanding of

33
00:01:51,801 --> 00:01:53,241
what they know so far.

34
00:01:53,491 --> 00:01:57,556
And try to really synthesize the truth from the theory at that point in time.

35
00:01:57,556 --> 00:02:00,736
And then what are the parameters of the investigation gonna be, ensuing.

36
00:02:01,151 --> 00:02:02,651
So, yeah, what do we know?

37
00:02:02,651 --> 00:02:03,461
What's the indicator?

38
00:02:03,461 --> 00:02:04,781
What are the indicators of compromise?

39
00:02:04,781 --> 00:02:06,821
What we, what led us to this position?

40
00:02:07,171 --> 00:02:10,981
And then understanding, again, the scope of systems, accounts involved.

41
00:02:11,131 --> 00:02:14,871
Who were the necessary application teams or the server owners, right?

42
00:02:14,871 --> 00:02:16,731
Understanding, are they Windows hosts?

43
00:02:16,731 --> 00:02:17,511
Are they Linux hosts?

44
00:02:17,511 --> 00:02:17,661
Right?

45
00:02:17,661 --> 00:02:23,451
Trying to get a grasp of understanding what were the components that were involved in the impact.

46
00:02:23,871 --> 00:02:28,321
And then following that, what kind of visibility and access do we have into that, right?

47
00:02:28,321 --> 00:02:34,831
So then we start that conversation around, okay, can we get into the existing EDR technology, the SIEM solution?

48
00:02:35,221 --> 00:02:38,131
Do we do live response from a forensics component?

49
00:02:38,131 --> 00:02:45,791
Are we doing full image captures, or can we do some things that are a little bit more efficient as people to get to the data that may not be captured in those security tools?

50
00:02:46,006 --> 00:02:46,366
Yeah.

51
00:02:46,366 --> 00:02:47,326
So fascinating.

52
00:02:47,836 --> 00:02:54,766
And I'm sure with every situation, every, all those variables are different for everybody, right?

53
00:02:54,796 --> 00:03:01,496
Yeah, we do our best to try to synthesize a process of regular dance steps that we tend to run over again.

54
00:03:01,766 --> 00:03:04,976
But it certainly takes a lot of flexibility and adaptability.

55
00:03:05,476 --> 00:03:11,616
You know, every so often we'll get thrown into a situation where it's a random software vendor that we've never had to deal with before.

56
00:03:11,766 --> 00:03:16,756
We have to get smart really fast on a third-party service that maybe is new, right?

57
00:03:16,906 --> 00:03:19,906
So we have to understand, how does it fit into the ecosystem?

58
00:03:19,906 --> 00:03:21,166
Where does the evidence lie?

59
00:03:21,166 --> 00:03:25,906
Do we even have the ability to collect evidence, because it might be proprietary? Every time it's different.

60
00:03:25,966 --> 00:03:32,116
So again, we do our best to control what we can control, but then have flexibility to adapt to uncharted waters.

61
00:03:32,641 --> 00:03:32,971
Yeah.

62
00:03:33,361 --> 00:03:36,171
And so I'm sure that you have a process that you do follow.

63
00:03:36,521 --> 00:03:37,931
And you explained some of that.

64
00:03:38,241 --> 00:03:47,291
When you get into these situations and the tensions are high and people are stressed, how important is, I mean, you mentioned that you can't be affected by those.

65
00:03:47,561 --> 00:03:53,771
How important is your calmness and your levelheadedness when it comes to solving the problem?

66
00:03:53,821 --> 00:03:54,511
It's imperative.

67
00:03:54,861 --> 00:03:55,471
It's imperative.

68
00:03:55,766 --> 00:03:56,666
I think what.

69
00:03:57,146 --> 00:04:23,616
At least from a personal perspective, and I think a lot of other folks that are in this field do this, is finding a foundation of confidence and understanding of, again, yes, we might not understand the full breadth or scope of what we're dealing with, but we know some critical truths that we can fall back on to say, okay, maybe this is uncharted water for us, but we've had a sort of similar situation, and this is what we found to be successful, and that was challenging, let's try to avoid those going forward.

70
00:04:24,501 --> 00:04:40,661
So I, one of the adages we like to use is the four truths of malware, where it either has to run, persist, hide, and communicate. And so depending on the, we'll say, fertile ground of where that malware is running, right?

71
00:04:40,721 --> 00:04:45,731
That might change how we get to the information, but we know that one of those things has to be true.

72
00:04:46,151 --> 00:04:46,361
Right?

73
00:04:46,361 --> 00:04:46,421
Yeah.

74
00:04:46,976 --> 00:04:47,276
Yeah.

75
00:04:47,276 --> 00:04:48,206
That's so interesting.

76
00:04:48,206 --> 00:05:04,146
And it, it seems like in these situations, there's so much that the people on the ground may not have access to, and so you may not even be able to do anything with a specific piece of software or a server or whatever.

77
00:05:04,636 --> 00:05:06,676
So what is your background?

78
00:05:06,676 --> 00:05:08,356
What got you to this?

79
00:05:08,656 --> 00:05:08,836
Yeah.

80
00:05:08,836 --> 00:05:12,456
So I was a computer science major, was a software engineer guy.

81
00:05:12,456 --> 00:05:18,016
But when I initially joined IBM, I was brought into the cyber range, actually.

82
00:05:18,406 --> 00:05:21,856
And we were, I was working on building out some of the simulated threat scenarios.

83
00:05:22,206 --> 00:05:29,616
So creating sandbox environments and then attack automations, and how to create those signals and make them visible within various security.

84
00:05:30,576 --> 00:05:45,126
So then clients would come in with, bring their security teams, bring their executive teams; in the best scenarios they had both. So then we can have the security folks, the technical individuals, practicing those muscle movements and then feeding their findings over to the leadership teams.

85
00:05:45,406 --> 00:05:48,556
So then they can make intelligent decisions on their follow-on actions.

86
00:05:48,656 --> 00:05:48,746
So

87
00:05:48,746 --> 00:05:51,746
multiple pillars are required for an effective response, not just

88
00:05:51,746 --> 00:05:52,526
the technical side.

89
00:05:52,526 --> 00:05:52,766
Yeah.

90
00:05:53,276 --> 00:05:54,116
But pretty quickly.

91
00:05:54,409 --> 00:06:06,289
I realized that while the simulation component was fun and interesting, I kept finding myself rubbing elbows with the incident response folks that were doing the real stuff, actually combating threat actors in client environments.

92
00:06:06,289 --> 00:06:07,609
And I just thought that sounded so cool.

93
00:06:07,764 --> 00:06:13,224
So I quickly realized that's where I wanted to align, and was fortunate enough to get the opportunity to move to that team.

94
00:06:13,224 --> 00:06:13,434
Yeah.

95
00:06:13,854 --> 00:06:18,309
And then since then, I started out as an analyst, and now I'm managing one of our North America teams, X-Force.

96
00:06:18,594 --> 00:06:19,164
Very cool.

97
00:06:19,624 --> 00:06:28,564
So when you go into a situation, part of your job is to get things functional, right?

98
00:06:28,934 --> 00:06:33,044
But then there's also some mitigation for future issues, I'm sure.

99
00:06:33,344 --> 00:06:38,234
And then there's also probably some work with law enforcement or coordinating there.

100
00:06:38,504 --> 00:06:40,274
What does that look like from your perspective?

101
00:06:40,274 --> 00:06:40,454
Sure,

102
00:06:40,529 --> 00:06:40,709
Yeah.

103
00:06:40,709 --> 00:06:46,594
So from the law enforcement component, we definitely work with the clients on engagement with law enforcement.

104
00:06:46,984 --> 00:06:50,224
The best situation is when they already have their local FBI contact

105
00:06:50,254 --> 00:06:50,784
on speed-dial.

106
00:06:50,904 --> 00:06:51,104
Right?

107
00:06:51,164 --> 00:06:51,824
That's been great.

108
00:06:51,974 --> 00:06:55,664
And they can really assist when it comes to the subpoena route of things.

109
00:06:55,914 --> 00:07:00,544
They'll have a little more reach into take down requests or maybe they're leveraging.

110
00:07:00,949 --> 00:07:10,989
A VPN provider that we can't get identification into where the source came from, but maybe they can issue a subpoena to get some of that lower level detail that maybe we just don't have a direct visibility into.

111
00:07:11,519 --> 00:07:15,204
And then the component of, we're talking about insider threat investigations, right?

112
00:07:15,234 --> 00:07:18,189
Where they might pursue a legal action following that, right?

113
00:07:18,189 --> 00:07:25,439
So we help with sort of identifying what the avenues of possibility are, and then we can provide some of that past experience to help them navigate that.

114
00:07:25,794 --> 00:07:26,124
Yeah.

115
00:07:26,214 --> 00:07:29,979
And then it seems to me like there would be also some

116
00:07:30,879 --> 00:07:36,819
coordination of identifying common patterns and things that you've seen, and it's like, these look like they might be the same

117
00:07:37,269 --> 00:07:38,169
initial group.

118
00:07:38,169 --> 00:07:40,199
And is there anything you want to add about that?

119
00:07:40,344 --> 00:07:48,604
Threat vets, I would categorize that under the threat intelligence component of what we do, and it's an absolutely essential pillar for an effective response.

120
00:07:48,914 --> 00:07:51,014
Because again, context information is key

121
00:07:51,424 --> 00:07:53,374
when responding, especially to active threats.

122
00:07:53,434 --> 00:08:11,359
So if we can identify or attribute with a certain level of confidence that the threat actor that we're dealing with has been known to execute X, Y, and Z behavioral patterns, or they have X, Y, and Z indicators, we can then do a broader threat hunt throughout the environment to hopefully identify things that maybe the initial team wasn't aware of.

123
00:08:11,359 --> 00:08:12,079
Mm-hmm.

124
00:08:12,149 --> 00:08:18,379
And then furthermore provide some confidence and context to more of the leadership side of things, saying, hey, this is a known threat group.

125
00:08:18,899 --> 00:08:25,464
They have been known to execute ransomware, and then maybe they have been paid in the past and honored their agreement, right?

126
00:08:25,464 --> 00:08:28,134
Having context when making risk-based decisions.

127
00:08:28,164 --> 00:08:28,464
Yeah.

128
00:08:28,464 --> 00:08:29,334
Extremely helpful.

129
00:08:29,484 --> 00:08:29,844
Yeah.

130
00:08:29,934 --> 00:08:30,924
That's so fascinating.

131
00:08:30,924 --> 00:08:36,064
Well, looking forward to your session on what we learned from a breach later today.

132
00:08:36,064 --> 00:08:41,044
And thank you again for being part of the Inch 360 Conference and part of the Cyber Traps podcast.

133
00:08:41,044 --> 00:08:42,724
Absolutely, happy to be here and thank you.