After more than a decade - today is my last day @FireEye.
Taking a job @Mandiant was one of the best decision's I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
Taking a job @Mandiant was one of the best decision's I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & company split roughly 50/50 between consultants and software devs on MIR
Most breached orgs either compromised by a financial criminal or something uttered in hushed tones (I'm totally serious) the Advanced Persistent Threat (a moniker created by US military, but popularized by Mandiant because we were one of the few companies to discuss it publicly.
One thing that made Mandiant different was we were technology-enabled consultancy w/Mandiant Intelligent Response (MIR) & a custom network sensor. This enabled us to conduct investigation rapidly & w/significantly less analysts compared to other firms who used 50-100 consultants
I had a lot of offensive security experience and some incident response/forensics experience prior to Mandiant - but I got thrown right into the fire when I started. Fortunately I was able to learn firsthand from one of the best engagement leads I've worked with Marshall Heilman
I learned how juggle all the crazy competing demands in an investigation between coordinating tasks of the team, driving investigative direction, communicating status, developing remediation strategy & tailoring it to clients environment (as well as learning what to hold firm on)
When I first started, Mandiant was known for having a strict remediation methodology (primarily because our ability to move with attacker in real-time was limited). We recommended every company disconnect completely from Internet for weekend while remediation activities conducted
You try telling a CEO/CFO/CTO of a Fortune-X company to 1) Don't play whack-a-mole...let the attacker operate until we have scoped their activity [see my first blog fireeye.com/blog/threat-re…]
2) Disconnect the entire company from the Internet
...and not get laughed out of the room
2) Disconnect the entire company from the Internet
...and not get laughed out of the room
But we meant it - because it worked & we'd had an experience of an APT actor coming in during a remediation weekend & deploying new malware
It was beat into my head that my success was judged on whether my client successfully dealt w/their problem. If they didn't - we failed
It was beat into my head that my success was judged on whether my client successfully dealt w/their problem. If they didn't - we failed
I remember running APT11 investigation at Fortune 200 company & client refused to stop playing whack-a-mole (which was causing attacker to change their tactics & imperiling a successful remediation).
I told our VP consulting (Steve Surdu) that I wanted to fire the client.
I told our VP consulting (Steve Surdu) that I wanted to fire the client.
It was biggest consulting project at time, but he listened to my logic & he supported my decision
I told client that we're ending our engagement because we couldn't successfully help them remediate. They were incredulous, but took it to heart & changed course & we evicted APT11
I told client that we're ending our engagement because we couldn't successfully help them remediate. They were incredulous, but took it to heart & changed course & we evicted APT11
In my opinion, Steve Surdu is one of biggest reason's for Mandiant consulting's success. He instilled in every one of us the importance of hiring the best (& how to interview effectively), held us to standards that few people can reach (which pushed each of us to always improve)
My interview style was shaped by my initial Mandiant interview (it was terrifying b/c made me realize how much I didn't know).
I've interviewed dozens of candidates & my goal isn't to "stump the chump", but gain understanding of boundaries of their knowledge & interest to learn
I've interviewed dozens of candidates & my goal isn't to "stump the chump", but gain understanding of boundaries of their knowledge & interest to learn
We rarely found candidates who could slot right in & start executing immediately. Therefore we placed emphasis on people w/solid foundation in technology & hunger to learn & complemented that w/heavy dose of on-the job shadowing/mentoring/training (which got formalized over time)
I've really enjoyed training/mentoring people in #DFIR. It's probably area I will look back on most fondly. Whether it was spending dinner talking a junior analyst through attacker actions & what sources of evidence to analyze or discussing fastest way to find malware on a system
An effective #DFIR training technique: give analyst system analyzed by more senior person & use report as reference, when comfortable analyze another system w/o report. Compare both, review delta verbally & give feedback (focus on teaching analyst your process)
Wash/rinse/repeat
Wash/rinse/repeat
I remember starting & being intimidated by all the amazingly smart people around me
My first live response took ~40 hours (I had to research just about everything b/c I didn't know what was "normal" OS noise vs. attacker activity) & everyone else could do it in 1-2 hours
My first live response took ~40 hours (I had to research just about everything b/c I didn't know what was "normal" OS noise vs. attacker activity) & everyone else could do it in 1-2 hours
I was fortunate to teach #DFIR classes both for federal law enforcement & @BlackHatEvents w/an all-star crew (@ryankaz42 @krisharms & Chris Nutt) that helped me hone my teaching skills. There's nothing like hearing a great teacher explain a topic & then emulating it yourself
I'll be forever grateful for @_HelenaBD & @vasujakkal giving me opportunity to co-anchor a re-vamp of #StateOfTheHack as an unscripted series w/@ItsReallyNick. We had no idea what it would turn into when we started - but I'm proud of reception it's had in the community.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
