The best approach to security is a proactive one, but nobody is perfect. What happens when a determined attacker finds their way into your network? How do you know where they have been, what they have seen, when they got in, and how they gained access? How do you prioritize remediation and confirm that the bad guys are out of your network? Incident responders, like ProCircular's Aaron Heikkila, are at the ready to swoop down and stop the attackers in their tracks!
Aaron is one of the most recent additions to the ProCircular team. He spent four years serving the US military in a communications role before pursuing a career in cyber-defense. As part of our Defensive Cyber Operations group (Blue-Team), Aaron also manages some of our clients’ SIEM programs. He is based in Mankato, Minnesota, and travels all around the country to collect forensic data immediately after our clients report a security incident.
Companies that experience a breach tend to keep that information under wraps, so real-life incidents vastly outnumber those covered in the news. Today, the cybercriminals behind ransomware are becoming stronger and better organized. These groups are constantly researching new exploits, and their methods evolve faster than most industry experts can keep up with. Unauthorized access to your network is more common and costly than ever before. Thankfully, experts like Aaron can help you navigate the high-pressure situation and minimize the negative impact on your organization.
I enjoyed talking with Aaron about his security background, his impression of today’s biggest cyber threats, and his advice to people worried about ransomware.
As one of the more recent additions to the ProCircular team, what aspects of the company have struck you as unusual?
We have really good rules of engagement for our red team. When I see our pen testers pen testing, they are doing real pen tests. They’re not wing-clipped. They are performing full attack kill-chain activities. We are good at negotiating these contracts to get really good results. They are allowed to do what they need to do, so more cool stuff happens and the client gets more security.
Tell me about how you became involved in the Cybersecurity community.
As a veteran, I went back to school for computer networking. I met a large, important individual in the security community. I started attending conferences, get-togethers, meetings, and started taking security classes at school. I really dove into the small, but significant, security community. Once I started playing around with security, I realized how much more fun it was than regular networking stuff. I was really drawn to it and learned how to do some questionable things on the hacker-side: nothing bad-bad, just some trolling.
How did you come into contact with this important individual?
I was taking an introduction to security course that was really bad. On the last day of the class, this person visited as a guest speaker and explained security really well. He talked about how security crosses all the silos: there are networking people, database, and website people. You have to be more of a ‘jack of all trades.’ I took some of his classes. He taught a Red vs. Blue hacking class that I took as an elective and really enjoyed it.
Why do you prefer defensive work (blue-team) to offensive work (red-team)?
I see red-teaming as beating up on a strawman. The red-teamers are good at being sneaky, and they know the tricks to beat the defenders, but they do the same handful of moves to get in and do the same things to these guys that aren’t capable of defending themselves. I see the blue-team as the harder of the challenges. I think it’s harder to find a sneaky ninja than to be one!
Walk me through a day on the job for an IR Specialist.
It starts with that initial sales call. We figure out what the client actually needs and if we can provide what they need. If we can, then we create the statement of work, and I get on an airplane. When I arrive onsite, I get to have a really good day while the client has a really bad one. We level-set, do some additional querying to figure out what’s going on, and make a plan for gathering the data. That’s the first thing: once you have the initial assessment, you make a plan of what data you want, where you will get it, and how you will get it. Then you perform those collections, perform analysis, and repeat. You will find that you want to collect more data based on your analysis, and you keep refining that until you have the full picture.
What is your first priority during an Incident Response investigation?
Finding root-cause is the most important thing. If you don’t know where the bad guys got in, how do you know that you got them all the way out? It’s shocking when clients don’t care about root-cause, but I’m always eager to find it. There is power in the source! You can extrapolate that as far as you want, the source of a river, the source of power that lights your house. Knowing the source of something gives you more context and a stronger ability to deal with it.
When you are looking for root-cause, is it most important to find who, what, where, or when the attack originated?
Attribution is notoriously hard. Ransomware, however, is typically easier to attribute to an operational group because reputation and brand are important to this business model. If we know who the group is, we can derive intelligence around that. I am a big intel-driven responder because I don’t like to reinvent the wheel. If I know who it is, I can quickly pull up details on the ransomware they use. I can quickly confirm that I cannot reverse engineer the ransomware, so I won’t waste my time there. People in the cybersecurity community have already done that work for me.
Does the malicious actor tell you what data they have accessed?
They usually lie and tell you they have everything. In this most recent incident, they said they had a lot, but I question whether or not that was true. You have to negotiate with the attacker for that information. Usually, we ask them to prove what they have during those initial negotiations.
Is it more important to know when or where they gained initial access?
It’s important to have that root-cause. You need to identify and remediate the vulnerability that allowed the attacker into the network. However, timeboxing is a huge thing. You want to tighten that time frame. When you’re dealing with that much data, narrowing it down speeds up the processing and makes it that much easier.
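The timeboxing Aaron describes, narrowing a large collection to the window around the event you can already date, is easy to show in code. The following is an added example, not code from ProCircular or from the interview: it parses a handful of constructed log lines (not from any real incident), anchors on the first ransom-note file creation, and keeps only events within a chosen lookback so the analyst can look for initial access, privilege use and staging in a much smaller set. The log format, host names and lookback values are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events for the example (not from any real incident).
# Format assumed here: ISO timestamp, host, source, free-text message.
SAMPLE_LOG = """\
2024-03-01T02:11:05Z fs01 winevent 4624 logon type 10 user svc_backup from 203.0.113.9
2024-03-02T09:30:00Z ws17 edr process chrome.exe -> outlook.exe
2024-03-03T23:58:41Z vpn01 vpn login user jsmith from 198.51.100.23
2024-03-04T00:02:17Z dc01 winevent 4624 logon type 3 user jsmith from 10.0.0.45
2024-03-04T00:15:09Z dc01 winevent 4672 special privileges assigned to jsmith
2024-03-04T01:05:33Z fs01 edr process rclone.exe started by jsmith
2024-03-04T03:40:00Z fs01 edr file created README_TO_DECRYPT.txt
2024-03-04T03:41:12Z ws17 edr file created README_TO_DECRYPT.txt
2024-03-05T08:00:00Z ws17 winevent 4624 logon type 2 user jsmith
"""


def parse_events(text):
    """Turn raw log lines into dicts with a real datetime for sorting and filtering."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, msg = line.split(" ", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "source": source,
            "msg": msg,
        })
    return events


def first_ransom_note(events, marker="README_TO_DECRYPT"):
    """The earliest ransom-note artifact is usually the first event you can date with
    confidence, so it makes a good anchor for the time box."""
    hits = [e for e in events if marker in e["msg"]]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def timebox(events, anchor, lookback, lookahead=timedelta(0)):
    """Keep only events inside [anchor - lookback, anchor + lookahead], oldest first.
    Widen the lookback if the window contains no plausible entry point."""
    start, end = anchor - lookback, anchor + lookahead
    return sorted((e for e in events if start <= e["ts"] <= end), key=lambda e: e["ts"])


def hosts_in_window(boxed):
    """Hosts that appear in the narrowed window: the first places to collect from next."""
    return sorted({e["host"] for e in boxed})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    anchor = first_ransom_note(events)["ts"]
    boxed = timebox(events, anchor, lookback=timedelta(hours=6), lookahead=timedelta(minutes=5))
    print(f"{len(events)} events total, {len(boxed)} within the time box around {anchor:%Y-%m-%d %H:%M}Z")
    for e in boxed:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['host']:6} {e['source']:8} {e['msg']}")
    print("hosts to pull next:", ", ".join(hosts_in_window(boxed)))
```

In the constructed data the six-hour box drops the unrelated logons from days earlier and leaves a readable chain (VPN login, domain logon, privilege assignment, rclone, ransom note) plus the three hosts worth collecting from first. Against real collections the same loop runs over millions of rows; the point is that the analysis after the box is a fraction of the size, and you widen the window only when the box comes up empty.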
Finally, what is one piece of advice for anyone up at night, concerned about ransomware or security incidents?
Asset control. That’s a pretty loaded topic, but security almost always comes down to knowing what you have and what state it is in. When companies keep old, outdated systems online, it becomes a generic way for attackers to get inside. That would probably be maintained by an IT manager, but the order would come from some executive direction.
Incident Response specialists are the onsite experts in the event of a security breach in your network. They are your expert resource for directing forensic investigation and remediation. They constantly update their knowledge of attacker tools and techniques to keep pace with malicious actors.