The following is a post I wrote for Cisco. https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder

Malware is one of the most prevalent and most insidious forms of cyber attack. Identifying and eliminating it is critical to minimizing the impact of a breach. As a cybersecurity incident responder, I always end up performing some level of malicious file analysis. In this blog, I’ll share some recommended approaches that have worked for our Incident Response team.

Time is rarely on our side to perform deep analysis of a potentially malicious file. Reverse engineering a file can take weeks or months to complete and requires a level of skill which few individuals maintain. We need to develop indicators of compromise to complete the identification phase of the incident response process with some degree of haste. …


As incident responders, we are directly responsible for advising business leaders on preparing for and recovering from the inevitable disruptions of critical information systems. An understanding of overall business practices assists us in making sound justifiable recommendations. In order to properly advise the business, we must at some level think like a business person.

When I am starting to learn a new topic, I try to find a keystone book, one which I can pivot further into a subject from. These books are high level, broad books, which cover a wide breadth of related disciplines. “The Personal MBA” by Josh Kaufman is one such book. It is a book which introduces the field of business administration. …


The following is a post I wrote for Cisco. https://blogs.cisco.com/security/customer-focused-incident-response-service

In our highly connected business environments, the need to respond to the inevitable security breach is on the minds of every CISO. An increasing number of organizations rely on the services of a Managed Detection and Response (MDR) provider. According to the Cisco 2016 Annual Security Report, 42 percent of surveyed companies outsourced incident response, compared with 35 percent the prior year.

Contracting with an MDR service is far different than contracting logistics or facility services. Responders will gain intimate knowledge of your business operation. …


Should you have your incident response team and security operations center on-premises or off-premises? Should they be contracted out, internal full-time employees, or some combination of the two? These are the types of questions that I would assume medium-sized businesses have to deal with. In the highly connected world where even our hospitals are not safe from attack, how do you detect and respond to breaches?

The prospect of hiring a dedicated incident response team is both costly and difficult. Depending on your location, the salary cost for hiring a 24/7 monitoring team would likely amount to around $60,000 a year plus the cost of benefits. Full-time incident responders who are well trained could be between $80,000 and $100,000 plus benefits, not accounting for the costs to recruit them, which could amount to 10% of the salary per employee. This could be fine if the budget supported the cost, you could find qualified employees, and you could retain them. A shortage of qualified professionals has made those who are qualified highly marketable. …


I meant to write this post a long time ago, but life got crazy and my job got far less technical. I thought it would be a good idea to come back around now that I am transitioning back into a technical role. It is also a great opportunity to work with the updated version of PE Studio, as there have been some amazing changes to the program in the past 12 months. This tool is a must have in every Incident Responder’s toolbox.

Windows binaries (.exe, .dll, .sys) use a file format called Portable Executable, or PE. I wrote a short blog post about PE files in my first blog post last year [1]. Sometime in the future I will go through how I perform some basic surface and runtime analysis of PE files. Incident responders are often brought into situations where some sort of portable executable was downloaded onto a host and executed. …
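The kind of surface analysis a tool like PE Studio automates, and the quick indicator-building the malware-analysis post above argues for, can be done by hand by walking the PE headers. The following is an added example, not code from the original post or from PE Studio. It parses the DOS header, PE signature, COFF file header, optional header magic and entry point, and the section table, then applies the checks a responder looks at first: writable-and-executable sections, non-standard section names, sections with no data on disk, high-entropy sections, and an entry point outside an executable section. The sample image is constructed in `build_sample()` with `struct` and is not a real binary; the entropy threshold of 7.0 and the list of standard section names are assumptions.

```python
"""PE surface analysis: header walk plus the first checks a responder applies.
Added example; the sample image below is constructed, not a real binary."""
import math
import struct
from dataclasses import dataclass, field
from typing import List

MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed list of "usual" names; anything else gets flagged for a closer look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}


@dataclass
class Section:
    name: str
    vaddr: int
    vsize: int
    raw_ptr: int
    raw_size: int
    flags: int
    entropy: float

    def contains_rva(self, rva: int) -> bool:
        return self.vaddr <= rva < self.vaddr + max(self.vsize, self.raw_size)


@dataclass
class PEInfo:
    machine: str
    timestamp: int
    is_dll: bool
    is_pe32plus: bool
    entry_point: int
    sections: List[Section] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 0.0 for empty input, close to 8.0 for packed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> PEInfo:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    info = PEInfo(MACHINE_TYPES.get(machine, hex(machine)), ts,
                  bool(chars & IMAGE_FILE_DLL), magic == 0x20B, entry)
    table = opt + opt_size                                    # section table follows the optional header
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        sec = Section(sname, vaddr, vsize, raw_ptr, raw_size, flags,
                      shannon_entropy(data[raw_ptr:raw_ptr + raw_size]))
        info.sections.append(sec)
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            info.warnings.append(f"{sname}: section is writable and executable")
        if sname not in STANDARD_SECTIONS:
            info.warnings.append(f"{sname}: non-standard section name")
        if raw_size == 0 and vsize > 0:
            info.warnings.append(f"{sname}: no data on disk but {vsize:#x} bytes in memory (filled at runtime)")
        if sec.entropy > 7.0:
            info.warnings.append(f"{sname}: high entropy {sec.entropy:.2f}")
    home = next((s for s in info.sections if s.contains_rva(entry)), None)
    if home is None:
        info.warnings.append(f"entry point {entry:#x} is outside every section")
    elif not home.flags & IMAGE_SCN_MEM_EXECUTE:
        info.warnings.append(f"entry point {entry:#x} is in non-executable section {home.name}")
    return info


def build_sample() -> bytes:
    """Constructed minimal PE32+ image: a high-entropy .text plus a UPX1-style
    section that is writable, executable and empty on disk."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5A0B0C0D, 0, 0, 24, 0x0022)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000)

    def sec(name, vsize, vaddr, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    sections = (sec(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020)
                + sec(b"UPX1", 0x5000, 0x2000, 0, 0, 0xE0000080))
    headers = dos + b"PE\0\0" + coff + opt + sections
    headers += b"\0" * (0x200 - len(headers))
    return headers + bytes(range(256)) * 2                               # uniform bytes: entropy 8.0


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info.machine, "PE32+" if info.is_pe32plus else "PE32", f"entry={info.entry_point:#x}")
    for w in info.warnings:
        print("  !", w)
```

Run it against a real sample with `parse_pe(open(path, "rb").read())`; the warnings are leads for the runtime analysis that follows, not verdicts, since legitimate installers and protected software trip several of them.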


Just like any other science, digital forensics requires us to follow a continuous process of making observations, formulating a hypothesis, testing it, and revising the hypothesis as we test. The scientific method maps perfectly to the six-step incident response process. During the Identification phase of the incident response process, we make an observation about an event, develop a hypothesis as to what we believe actually occurred, then design a method for testing our hypothesis and carry out the test. …


Anyone who has read some of my previous blog posts will quickly realize that I tend to focus on the non-technical. This is another one of those non-technical posts, but I genuinely believe that topics such as this need to be discussed. For the Marine Corps and the Navy, culture is easily one of the most important aspects that must be instilled in all members. Arguably it is more important than tactical training. As incident responders it is our responsibility to defend the networks we have been charged with defending. Whether our role is that of a sell-sword or that of a true patriot to our respective employers, we must always remember that we are the DFIR Warriors on the wall fighting to keep the adversary at bay. We must own the mission of those we have volunteered to protect. By understanding the goals of the organization and keeping those goals on our minds at all times, we can make decisions that are in support of that mission. If the mission of your organization is to manufacture and sell widgets, then as a DFIR Warrior your mission is to ensure that those widgets are made and that they can be sold. …


One of the most important questions an incident responder needs to answer when performing a malware investigation is: did the file execute? Given a scenario where a host’s anti-virus flagged a file either during a real-time scan or during a full system scan, the new incident responder may trust that the anti-virus successfully quarantined the file without any need for further analysis. Unfortunately anti-virus is far from perfect. It is not entirely uncommon for the anti-virus to quarantine the file after the damage has already been done. Or, just as plausibly, the anti-virus could have quarantined a dropped file rather than the file that caused the initial infection. As incident responders we must be able to quickly assess whether the compromise was actually prevented. …
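The assessment above turns into a concrete check once you have process-creation telemetry: find every start of the flagged file, compare the first one with the quarantine time, and walk the process tree below it to see what it spawned. The following is an added example, not the author's tooling. It assumes the log is JSON lines with the field names Sysmon uses for Event ID 1 (`UtcTime`, `ProcessId`, `ParentProcessId`, `Image`, `ParentImage`, `Hashes`), that times are UTC, and it matches on SHA256 rather than path so a renamed or moved copy still counts. The events in `SAMPLE_EVENTS` are constructed, as are the hashes.

```python
"""Did the flagged file run, and before or after the AV quarantined it?
Added example; events and hashes below are constructed, not from a real host."""
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

SUSPECT_SHA256 = "a1" * 32    # constructed hash of the file the AV flagged


def _ev(t, pid, ppid, image, parent, sha, eid=1):
    """Build one Sysmon Event ID 1 style record (field names as Sysmon emits them)."""
    return {"EventID": eid, "UtcTime": t, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "Hashes": f"SHA256={sha},MD5={'0' * 32}"}


SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _ev("2019-03-04 13:01:02.117", 880, 612, r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\services.exe", "b2" * 32),
    _ev("2019-03-04 13:02:10.540", 4120, 3344, r"C:\Users\bob\Downloads\invoice.exe",
        r"C:\Windows\explorer.exe", SUSPECT_SHA256),
    _ev("2019-03-04 13:02:11.002", 4188, 4120, r"C:\Windows\System32\cmd.exe",
        r"C:\Users\bob\Downloads\invoice.exe", "c3" * 32),
    _ev("2019-03-04 13:02:12.300", 4212, 4188,
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\cmd.exe", "d4" * 32),
    # A Sysmon FileCreate (Event ID 11) from the same tree: not a process start, so ignored.
    {"EventID": 11, "UtcTime": "2019-03-04 13:02:13.900", "ProcessId": 4212,
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\upd.exe"},
])


@dataclass
class Verdict:
    executed: bool
    first_run: Optional[datetime]
    runs_before_quarantine: int
    descendants: List[str] = field(default_factory=list)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _sha256(ev: dict) -> str:
    """Pull the SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes string."""
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def assess_execution(events_jsonl: str, sha256: str, quarantine_utc: datetime) -> Verdict:
    starts = [e for e in (json.loads(l) for l in events_jsonl.splitlines() if l.strip())
              if e.get("EventID") == 1]
    runs = sorted((e for e in starts if _sha256(e) == sha256.lower()),
                  key=lambda e: _ts(e["UtcTime"]))
    if not runs:
        return Verdict(False, None, 0)
    first = _ts(runs[0]["UtcTime"])
    before = sum(1 for e in runs if _ts(e["UtcTime"]) <= quarantine_utc)
    # Walk the process tree down from every run. Windows reuses PIDs, so a child only
    # counts if it started after the parent did.
    descendants: List[str] = []
    frontier = [(e["ProcessId"], _ts(e["UtcTime"])) for e in runs]
    while frontier:
        pid, started = frontier.pop(0)
        for e in starts:
            if e.get("ParentProcessId") == pid and _ts(e["UtcTime"]) >= started:
                descendants.append(e["Image"])
                frontier.append((e["ProcessId"], _ts(e["UtcTime"])))
    return Verdict(True, first, before, descendants)


if __name__ == "__main__":
    v = assess_execution(SAMPLE_EVENTS, SUSPECT_SHA256, datetime(2019, 3, 4, 13, 5, 0))
    print(f"executed={v.executed} first_run={v.first_run} before_quarantine={v.runs_before_quarantine}")
    for image in v.descendants:
        print("  spawned:", image)
```

A verdict of `executed=True` with `runs_before_quarantine >= 1` means the quarantine was cleanup, not prevention, and the descendants list is where the next round of questions starts. No matching start event is weaker evidence than it looks: it only says this log source did not see it, so on hosts without Sysmon the same question has to be put to Prefetch, Amcache and the Security log's 4688 events.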


So earlier this week I reposted a post about developing good interview questions for incident response. I intentionally tried to stay away from highly technical questions simply because I feel that hands-on practical interviews are better for those anyway. Hiring for an incident response team can be very difficult. Individuals need to be highly technical while still having a strategic mindset. There are few people who are able to do both. In some industries, such as DoD contracting, incident responders may have moderately high certification requirements due to DoD 8570.01-M. …


The following was a post I wrote on my Blogger site about a year ago. Not only do I think the concept of the post is very relevant, but I felt it needed an update before reposting.

Interviewing is a significant part of the life of a DFIR professional, whether you are performing the interview or being interviewed. There is a wide range of thought as to how an interview should be performed. Some teams do one-on-one interviews with the manager and the candidate. Other teams do a panel interview where anyone with some seniority on the team interviews the candidate. Then there are the types of questions. Should interviews be primarily technical or should they be cultural? …

About

Matthew Aubert

Marine, Husband and Father, Console Cowboy. #DFIR
