ROUTE TO THE DFIR CAREER
For once in my life, I have dreamed of becoming an Incident Responder like the </Scorpion> team working with Homeland Security, and a forensic investigator like Phantom/Ghost from a Korean drama series who backtracks and solves cyber-crime. Then one day I got a call from an ex-colleague (and a friend of mine) with an offer to join their global cybersecurity operation to help them build their IR program.
PREPARATION
15 days: that was all the time I had left after accepting the offer. Nervous and excited were the mixed emotions I had during that time. Excited, because the time had come for me to fulfill my dream of becoming a Digital Forensics and Incident Response (DFIR) practitioner. Nervous, because, as the cliché goes, with great power comes great responsibility.
So the mindset was the very first thing I needed to fine-tune during that time, as I knew this job is not a typical 8-hour, Monday-to-Friday office job where you just wait for an incident to happen.
- On-call after office hours.
- Standby support during weekends.
- Drop the spoon during dinner with the family to join the war room when an incident occurs.
- Leave the theater during the climax of a date with your partner when a potential breach happens.
These were the things I had set in my mind while waiting for my onboarding date.
Technically speaking, I did a few preparations which I knew would be very useful when I started building the IR program.
- Playbooks (NIST framework)
- VM lab for Forensics investigation
- VM lab and Sandbox for Malware Analysis
- Open-source arsenal for IR
And finally, on my first day, I was so prepared mentally and technically when I joined the global SecOps team that there was not a single nerve or goosebump left in my head. I was ready to rock and roll and build the IR program.
In fact, I was aiming for the CERT maturity program. Ambitious but true.
FIRST 30 DAYS
This is very important and crucial for every new joiner in the team. Most are overwhelmed and over-hyped by their excitement, and many tend to bring their shadows from their past organizations and impose or compare what they did in their previous jobs. This is good and bad, and I let you (the readers) decide or think about this.
- Global policies and procedures already in place, so I would know what else needs to be created and integrated with the playbook.
- Playbooks: obviously I knew there were none created yet, since the IR program itself was yet to be built.
- Tools: what arsenal the organization had already acquired for the playbook creation.
- Threat Modeling: I find this beneficial to know what arsenal is missing and must be acquired, and also to gauge what skillsets the team is able to handle and what training is needed.
- Building Relationships: this is very important, as the IR team usually communicates, coordinates, and cooperates with other teams: within the IR team itself, SOC, Network, HelpDesk, IT Support, Control Engineering (ICS/OT), Legal, HR, and at some point the stakeholders. Soft skills are essential.
Listen first before talking gibberish. Know thyself so you know how to protect your organization. Remember that a DFIR is the defender of the whole organization. You are elite like the Marines: the few and the proud (but not boastful).
HONING THE CRAFT
Whether to get a certification in the field of DFIR or CSIRT (computer security incident response team) or to pursue continuous education is a personal choice for everyone. But I chose to take a 6-month graduate diploma in Digital Forensics and Cyber Security (GrDip in DFCS) at one of the reputable management schools instead. I preferred to take a longer path rather than a week of training plus a certification with only a 3 to 5 year expiration date.
The course was not as easy as I thought, as the 2 professors I had during that time were tough because they were active practitioners themselves in law enforcement and private cyber-crime investigation firms. Writing executive summary reports for my case studies was like presenting in a court of law whether the evidence against the accused is inculpatory or exculpatory. The verdict is in my hands. Should I put an innocent man in jail, or let the criminal walk free, because of my malpractice of DFIR?
Also, as a best practice, I have set aside mandatory time at least once or twice a week to do e-learning in any field of cybersecurity that would help me mature my understanding of CERT (computer emergency response team) work and grow as a well-rounded leader.
- Cyber Kill Chain, TTPs, and APTs
- MITRE ATT&CK Framework
- Threat Hunting Best Practices
- NIST Framework
- Threat Actors targeting ICS/SCADA
- OT Cybersecurity
- Cyber Threat Intelligence and OSINT
- VAPT
- Zero Days and Exploit Creation
- Defense-in-Depth Best Practices
- Risk Management and Compliance
- First 90 days of a CISO
Attending conferences and local meetup groups once a month was also part of my ritual to meet new friends and socialize, exchanging ideas about the cyber world.
SKILLS OF TRADE
In more than 10 years of experience in Unix/Linux systems administration, a few in VAPT, and a year in PCI-DSS audit management before becoming a DFIR, I found that having a deep understanding of locking down the operating system, computer hardware assembly/disassembly, Bash/Perl scripting, and networking is essential. Then adding a little spice of malware forensics, mobile forensics, NIST frameworks, and some best practices along the way covers almost, if not entirely, the whole picture of the job.
Here are the additional books that I bought and read, aside from the subscriptions I have with e-learning sites, for sharpening the saw.
- Incident Response & Computer Forensics, Third Edition by Kevin Mandia, Jason Luttgens, and Matthew Pepe
- The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
[Photo: credit from the book author signing ;)]
CONCLUSION
Anyone can be a DFIR or CSIRT member, whatever field of IT you come from. Passion is the key success indicator.
At the end of the day, you are not just waiting for the big thing to happen but staying proactive, knowing there is always something coming; nevertheless, you may not have discovered yet that it has already happened: the breach 😊.
💡Note: Article originally posted on Peerlyst, January 20, 2020