The role of a Digital Forensics and Incident Response (DFIR) Consultant is varied and broad, though it usually involves offering calm, expert advice to leadership teams, IT staff, and legal departments during one of the most stressful work experiences they’ve ever had.
One morning I can be looking for process improvements in an organisation’s incident response plan, and the next I can be answering our incident response hotline to a company that’s experiencing a ransomware attack.
It isn’t just advice and document reviews, though. I’m often (alongside the rest of the team) conducting detailed forensic analysis of compromised systems, cross-checking our findings with our Cyber Threat Intelligence Lead, and devising secure recovery strategies so that our clients are back to business-as-usual as safely and quickly as possible.
Early morning: No news is good news…
Our team takes turns at being on-call, and today the incident response hotline calls are coming directly through to me. It will be a busy shift: the sun is still struggling to make an appearance and I’m already managing an ongoing incident.
So, first thing, I check whether anything was detected overnight by our 24/7 MDR partners. If anything had been urgent they would have woken me up to handle it for the client, but the ‘low-level’ detections are filtered and triaged at the start of the day.
I confirm there was nothing overnight, which is an especially good sign as the client is working through our secure recovery plan, and then review my notes for the client update call later in the morning. I prepare to share the latest system counts and the absence of alerts with the client before grabbing a coffee.
… but let’s keep digging anyway
Coffee sorted, I’m ready for the morning update call with the client and their external counsel. A lot of my role involves working alongside specialist data breach counsel, because we gather the technical findings that enable counsel to provide clients with informed legal advice. More often than not, one of those critical findings is evidence of data exfiltration (theft).
I set out the investigation status, confirm that we have had no alerts overnight, and get an update from the client on where they are with the recovery plan (making good progress, as it happens).
As yet, and despite a thorough search, we’ve not identified any evidence to suggest that the client’s data has been exfiltrated. Perhaps that means the data hasn’t been stolen at all, or perhaps it means we need to keep looking.
In this case, we strongly suspect that the lack of evidence has more to do with the extent of the encryption and the anti-forensic techniques deployed by the adversary than with the data being untouched.
So I make the case for further digging. I explain in detail where we’re at with our analysis of the evidence, what further avenues of investigation are left to us, and what we think we can say with certainty so far. The call ends with everyone agreeing that we need to pursue the investigation and see where it leads us.
A check-in with the incident team
I join the internal check-in call for this engagement with the rest of the team. I tidy up my scrappy notes (in the hope someone else might be able to understand them) and we review where we’re at.
We go through what remaining data we have to look at and reprioritise this based on the conversation with counsel. A couple of the team take an extra system to look at each, focusing on the data exfiltration angle, while I allocate another system to myself for review.
Happy that everyone knows the plan of action, I quickly log into our Forensic Lab environment and grab the data I need to review the system I’ve elected to take. Thanks to our automations it has already been processed, so I get it loaded up to review after my next call.
Mid-morning: Planning a fake incident
Let’s be honest – clients are not usually delighted to have need of my services. Because I work in incident response, when I onboard our retainer clients I often tell them, “It’s a good month when you don’t need to talk to me.”
However, much like a firefighter, I also do vital work designed to prevent emergency callouts. And that’s the focus of a call with a long-standing client, as its security team wants to put together a tabletop exercise that simulates an attack against a legacy application. The application has recently been identified as a key business risk because it is now difficult to keep patched, and our threat simulation team managed to compromise it as part of a red teaming engagement.
We talk through the options, using our red team report as a starter-for-ten to devise a scenario that meets the client’s goals but is also realistic. We pencil in some dates that will suit everyone involved, as the client wants to get it done this quarter.
Lunch break: Brief respite
I head to the kitchen to make some lunch. Being fortunate enough to work from home most of the time means I can skip the supermarket meal deals, but it does mean I need to actually think about what to make myself.
While I’m waiting for the toaster to finish with my bagel, counsel from my ongoing incident rings; which stands to reason, as this is also the time when they get to step away from the desk! I answer some questions that have occurred to them over the morning and they ask me to give technical input on a draft regulatory notification. I add that to this afternoon’s to-do list and finish up the call just in time to sit down and eat lunch.
I try to eat away from my desk, as the nature of incident response means I can often spend many hours there.
Early afternoon: Data analysis and critical findings
I get back to the desk and pull up the data I loaded up this morning to begin reviewing it. I run through our standard set of checks: looking for logins from known compromised accounts, reviewing the output of our automated scans for anything that stands out, and searching for the Indicators of Compromise we have identified so far in this engagement.
We each have our own way of approaching analysis: some like to run searches in command line tools while others (me included) like tables of data to look at. What is important is that we all know what we’re looking for, where to find it, and what it means when we do.
Just as I’m getting into a flow, a message pings up from one of the other team members. They’ve found a data exfiltration tool on a system used as an administrative jump-box, along with at least partial evidence that the adversary staged files there and evidence that they accessed the HR department’s file-sharing system.
I load up our synchronised incident timeline, filtering for the system my colleague is working on and the timeframe they’ve mentioned. We review this together, making sure we’re confident about what we’ve found, before I make some more calls.
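As an added illustration of the checks described above (not code from the original post, and not a Thomas Murray tool), the following Python flags logons by known compromised accounts, matches a small IoC set against a timeline, and filters that timeline by host and time window. Every host name, account, IP address, hash and timestamp below is constructed for the example; the record layout, the `COMPROMISED_ACCOUNTS` and `IOCS` sets, and the function names are all assumptions.

```python
"""Constructed example: compromised-account logons, IoC matching and
host/time-window filtering over a merged incident timeline.
All hosts, accounts, IPs, hashes and times are invented for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime          # always stored as timezone-aware UTC
    host: str
    kind: str             # "logon", "process", "file", ...
    user: str
    src_ip: str = ""
    detail: str = ""
    sha256: str = ""


def parse_event(raw: dict) -> Event:
    """Normalise one raw record to UTC. Hosts report local time with an
    offset; a timeline merged without normalising mis-orders events."""
    ts = datetime.fromisoformat(raw["ts"])
    if ts.tzinfo is None:
        raise ValueError(f"naive timestamp, cannot place on timeline: {raw}")
    return Event(ts=ts.astimezone(timezone.utc), host=raw["host"],
                 kind=raw["kind"], user=raw.get("user", ""),
                 src_ip=raw.get("src_ip", ""), detail=raw.get("detail", ""),
                 sha256=raw.get("sha256", "").lower())


def load_timeline(raw: Iterable[dict]) -> list[Event]:
    """Parse and sort so the timeline reads in true chronological order."""
    return sorted((parse_event(r) for r in raw), key=lambda e: e.ts)


def compromised_logons(events: Iterable[Event], accounts: set[str]) -> list[Event]:
    wanted = {a.lower() for a in accounts}
    return [e for e in events if e.kind == "logon" and e.user.lower() in wanted]


def ioc_hits(events: Iterable[Event], iocs: dict) -> list[tuple[Event, str]]:
    """Return (event, reason) for every IoC match; one event may hit twice."""
    hits: list[tuple[Event, str]] = []
    for e in events:
        if e.src_ip and e.src_ip in iocs["ips"]:
            hits.append((e, f"ip:{e.src_ip}"))
        if e.sha256 and e.sha256 in iocs["sha256"]:
            hits.append((e, f"sha256:{e.sha256[:12]}"))
        for path in iocs["paths"]:                 # case-insensitive on Windows paths
            if path in e.detail.lower():
                hits.append((e, f"path:{path}"))
    return hits


def filter_timeline(events: Iterable[Event], host: str,
                    start_iso: str, end_iso: str) -> list[Event]:
    """Events for one host inside an inclusive window given as ISO 8601 strings."""
    start = datetime.fromisoformat(start_iso).astimezone(timezone.utc)
    end = datetime.fromisoformat(end_iso).astimezone(timezone.utc)
    return [e for e in events if e.host == host and start <= e.ts <= end]


# Constructed sample records (note the +01:00 record on JUMP01, which sorts
# between the two +00:00 records once normalised).
RAW_EVENTS = [
    {"ts": "2024-03-04T02:10:00+00:00", "host": "JUMP01", "kind": "logon",
     "user": "svc_backup", "src_ip": "203.0.113.45", "detail": "RDP logon type 10"},
    {"ts": "2024-03-04T03:25:00+01:00", "host": "JUMP01", "kind": "file",
     "user": "svc_backup", "detail": "C:\\Windows\\Temp\\rc.exe written",
     "sha256": "AA11" * 16},
    {"ts": "2024-03-04T02:40:00+00:00", "host": "JUMP01", "kind": "file",
     "user": "svc_backup", "detail": "C:\\Windows\\Temp\\hr_export.7z written"},
    {"ts": "2024-03-04T08:15:00+00:00", "host": "FS02", "kind": "logon",
     "user": "j.smith", "src_ip": "10.0.0.15", "detail": "interactive logon"},
    {"ts": "2024-03-04T02:50:00+00:00", "host": "FS02", "kind": "logon",
     "user": "svc_backup", "src_ip": "10.0.0.50", "detail": "network logon type 3"},
]
COMPROMISED_ACCOUNTS = {"svc_backup"}                      # assumed, for the example
IOCS = {"ips": {"203.0.113.45"}, "sha256": {"aa11" * 16},
        "paths": {"c:\\windows\\temp\\rc.exe"}}


def summarise(events: Iterable[Event]) -> list[str]:
    return [f"{e.ts:%Y-%m-%d %H:%M}Z {e.host:<6} {e.kind:<5} {e.user:<10} {e.detail}"
            for e in events]


if __name__ == "__main__":
    tl = load_timeline(RAW_EVENTS)
    print("Logons by compromised accounts:")
    print("\n".join(summarise(compromised_logons(tl, COMPROMISED_ACCOUNTS))))
    print("IoC hits:")
    for ev, why in ioc_hits(tl, IOCS):
        print(f"  {why:<22} {summarise([ev])[0]}")
    print("JUMP01, 02:00-03:00 UTC:")
    print("\n".join(summarise(filter_timeline(
        tl, "JUMP01", "2024-03-04T02:00:00+00:00", "2024-03-04T03:00:00+00:00"))))
```

Two design points worth keeping when doing this for real: every timestamp is forced to UTC before anything is sorted or compared, because a jump-box and a file server in different time zones will otherwise appear to act in the wrong order; and IoC matching on paths and hashes is case-insensitive, since Windows artefacts are recorded in whatever case the source tool happened to use. A match only tells you where to look next; as in the narrative above, the finding still has to be reviewed with the timeline around it before it goes to counsel.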
Late afternoon: Urgent calls
A few phone calls to counsel and the client later, we’re all on an ad hoc update call to discuss the findings from this afternoon. This is often the case with incident response: critical findings like this need to be communicated quickly and accurately so the client can take the necessary steps.
It’s at this point I bring our Cyber Threat Intelligence Lead onto the call. We’ve previously provided an overview of this adversary based on our experience and curated threat intelligence, but now the client has some specific questions on how the adversary typically handles the leaking of data.
“Thomas Murray cyber incident response hotline, how can I help?”
As we wrap that call up, I get a call on the incident response hotline.
It’s from a company that thinks it’s been the victim of a business email compromise (BEC) scam targeting its payroll manager. I ask some initial scoping questions, to understand what it knows so far.
Thankfully, it has managed to stop the payments, so we agree to organise a proper scoping call with the wider team.
End of the day: Notes and alerts
As the urgent call this afternoon covered the updates, the client decides to cancel this afternoon’s scheduled check-in. This is an unexpected chance to review the internal notes the team put together with the new findings and devise the to-do list for tomorrow.
Just as I think I’ve got everything done for the day I see a message from our 24/7 MDR Partner. They detected something potentially suspicious in the client’s environment and want us to check if it’s authorised. One of my teammates has already seen the same activity and dealt with it, though: a call to the client’s Head of IT confirms it was one of their own admins running a legitimate, but often nefariously used, scanning tool.
Evening: On-call status
As I’m on-call for the rest of the evening (and the remainder of the week) I am never more than five feet from the work phone. I search every streaming service known to humanity for something to watch before giving up and calling it a day, ready to do it all again tomorrow.