EP06: Incident responders, solving e-crime through digital forensics and cyber trends

Cyber security “blue teams” work to ensure computer networks are secured and protected against cyber attacks. A subset of blue teams are Digital Forensics and Incident Response (DFIR) teams which specialise in piecing together evidence to understand if and how a cyber attack has taken place.

In this episode, we’ll be exploring tales from the frontline of Digital Forensics and Incident Response. What lessons can we learn from DFIR war stories and what are the cyber trends being seen in the latest incidents.

To help you explore this topic, we are joined by Simon Lang, Head of Digital Forensics & Incident Response (DFIR) at Mazars. With over 14 years of experience serving clients globally with his DFIR expertise. He has experience managing, scoping, planning and delivering a wide range and scale of DFIR engagements. Simon is also an Assessor in Incident Response for CREST (The Council for Registered Ethical Security Testers).

Get in touch

If you would like to find out more about how we can help your business remain at the forefront with technology, please do not hesitate to get in touch by clicking the button below and a member of the team will contact you.

Get in touch

For urgent DFIR enquiries please email the team directly – dfir@mazars.co.uk

Episode Links

Guest Links

Simon Lang | LinkedIn

Digital Forensics – Mazars – United Kingdom

Incident Response – Mazars – United Kingdom

Mazars | LinkedIn

Mazars | Youtube

Mazars | Twitter


Alex Miller: Hello, everyone, and welcome to the Tech for Leaders podcast with Mazar. For our returning listener welcome back and for those of you who are new to the podcast, welcome also. I'm your host, Alex Miller. I'm an ethical hacker and red teamer, which means that I perform simulated cyber attacks to help customers better understand their cyber risk. In today's episode we will be exploring tales from the cyber front line of digital forensics and incident response. And I'm thrilled to be joined by Simon Lang, head of Incident response and digital forensics at Mazars. Welcome, Simon.

Simon Lang: Thank you for having me. I'm excited to be here.

Alex Miller: Fabulous. Simon has the best part of 15 years experience in the digital forensics and incident response field. And I'm also thrilled to announce that Simon has also been appointed and assessor for Crest in Digital. Sorry. An incident response, isn't it?

Simon Lang: That's great. Yeah.

Alex Miller: And for our listeners that aren't familiar with Crest, Crest are the Council of Registered Ethical Security Testers. It's a very prestigious role to be given. So, congratulations again.

Simon Lang: Well, thank you. Most definitely is. And I'm really excited to be supporting them as well.

Alex Miller: So fabulous. Welcome, Simon. Thank you for taking the time out to speak with us today. So, let's delve right in. For our listeners who are maybe less familiar with digital forensics and incident response, what are these terms? How do we describe them?

Simon Lang: Perfect. So, digital forensics is basically examination of devices and data stuff in the cloud as well and try and piece together pieces of evidence to present in court or to present to various stakeholders within organisations to show that a crime has been committed or the inverse of that, that a crime, actually hasn't been committed. On incident response, this is where we get called in, so an incident happens, a cyber incident happens. Ransomware, insider a threat along those lines. Well, we get called in during what we call the golden few hours as soon as the incidents happened, it’s best to get us on on board there so we can get in there crack on and try and contain whatever threat it is at that point in time.

Alex Miller: Exciting. And these are both blue team services, right? So, whereas I'm as a penetration tester and an ethical hacker, I'm a red teamer, so maybe we just explain briefly what we mean by blue team and then I'll, I'll pick up red team.

Simon Lang: Perfect. Yeah. So blue team and red teaming there from a high level military terms. So blue is the good, is the good side, red are the baddies. So, from the blue team we're the defenders we're trying to defend digital states protects individuals, etc. Protect their data however we can or if the worst has happened and they have been compromised to go in and find out like police officer what has happened, how has this happened, what we can do in the future to protect them, to make sure it doesn't happen again?

Alex Miller: Certainly. And I think Red team is also really value from understanding that mindset because Red Team is essentially, as you said, from that military background, is playing offensive, playing the baddies. So, I'm trying to break networks, penetrate them. I'm not necessarily yeah, break is probably the wrong word, but identify vulnerabilities, exploit vulnerabilities and identify weaknesses and networks, kind of what we call red team, right?

Simon Lang: Yeah, that's right. Yeah.

Alex Miller: And what about Purple? I know it just sounds like we're plucking colours out of the air now, but what do we mean by purple teaming?

Simon Lang: So Purple Team is a fairly new concept and something that we're working on at the minute. Their red and blue team combined, red and blue together make purple. So, combining those those mentalities, those techniques there. So as a blue team, if we understand how the red team is, how the attackers can gain access, we can better protect. And from the red team point of view, if you understand how we're protecting, you can better find other avenues of attack factors to get in there.

Alex Miller: Yeah. And obfuscations and the likes of obfuscation. Yeah, absolutely. And then kind of beyond DFIR; digital forensics, incident and response. You've also got lots of experience in PCI. I know we’re just saying acronyms now. So that's payment card industry. How does digital forensic investigations in the payment card world vary to other industries?

Simon Lang: Oh, good question. So, in my previous role, I was what's called PFI. And so PFI is a payment card industry forensic investigator. So, it's literally doing the same as what we’re doing in the digital forensics industry response world. But in the payment card industry that's highly regulated because obviously money is very important. People do want to lose money there. So, what happens is if a organisation who is accepting credit card payments is breached, be it in a shop with a point of sale terminal or a website, an e-commerce website we will get called in to investigate that following a certain methodology. So not only is investigating that important, but but containing it and providing remedial remediation advice as well is super important because they can't afford for it to happen again. So, for instance, websites getting hacked, credit card skimmers getting put on the website we would be called in to look through the code on the website to try and work out where that credit card skimmer is. We know it's there. We've got to figure out how it is. And it's hard to say this, but I respect the ingenuity of the hackers. Sometimes it's cat and mouse. They'll come up with new techniques. We have to figure out what they're doing, etc. But the ingenuity they come up with at times is absolutely amazing. So that's the only respect I can give them but respect nonetheless because they can do some very clever things, but then it keeps us busy trying to figure out exactly what they have done and stopping it from happening again.

Alex Miller: And it's yes, that purple teaming methodology. That's exactly what we are trying to emulate, that cat and mouse learning from each other to kind of beat the adversary. Interesting. And do you see a lot of common attack vectors in your incident response work? I mean, I'm thinking of the big ones. Our listeners might be familiar with ransomware, phishing and, you know, vulnerable software, unpatched software. Are those what you see an incident response?

Simon Lang: Most definitely. Right. So common attack vectors, probably the most common we see is insider threat.

Alex Miller: I wasn't expecting you to say that.

Simon Lang: Oh, no, no. And it's growing is growing immensely at the minute there. So, insider threat is basically an employee, be it a rogue employee or an employee who has a grudge to bear, obviously that's also a rogue employee, but also a user error can be a form of insider threat. So, what we see a lot of is rogue employees, disgruntled employees who are unhappy with the organisation. Or they are happy, but they're being offered money elsewhere by certain ransomware groups, certain threat actors to put malware on systems to steal data. We also see a lot of with people leaving their roles to go work elsewhere, they're taking data with them that they could be using that to leverage new positions elsewhere or just give them a head start when they get there. But all that is insider threat there so protecting against that, but also for us to come in and investigate that, to give the evidence needed to prosecute or to carry out legal actions that but phishing. So phishing is.

Alex Miller: Not going anywhere.

Simon Lang: No, no unfortunately not. No matter how many phishing exercises people do, phish and training it’s still going to be around unfortunately, and the techniques are going to improve and improve. When it came to my respect for their ingenuity, it’s constantly evolving, and we see a lot of emails coming through purporting to be from Microsoft or from somebody else. Click this link. They click on this link thinking they're logging into their online outlook. They are not instead they're logging onto the threat actors website and it looks exactly like it and enter their credentials. That's it. Their compromised at that point there they may have multi-factor authentication enabled there, but it's easy for the threat actors. I wouldn't say easy, but is possible for the threat actors to exploit that as well. One thing we're seeing at the minute with multi-factor is alert fatigue. So the threat actors will spam these multifactor alerts to try and log in. The user keeps getting notifications saying is this you, is this you, is this you? And their clicking no, no, no. But they're continuing to be persistent. Eventually the user has had enough and clicks yes because they want it to go away. And that’s it, they've got their the access needed at that point. So we've seen, unfortunately, an increase in that at the minutes as well.

Alex Miller: That's interesting about the alarm fatigue one, I've definitely heard of that. I've actually never used it on a red team myself, but certainly multi-factor authentication, bypasses, I've used. Yeah, not through that specific methodology of sending multiple codes, but it's technically much easier to bypass multi-factor authentication than I think you would hope not from a technical standpoint, but as you said, from a social engineering standpoint, asking somebody for the code in the same way you would also into their password and if they enter it, then I've still managed to get into the account. Yeah. So yeah, cat and mouse back to that.

Simon Lang: Yeah, unfortunately a lot of the attack vectors involve the user. Yeah, we find. Obviously you do get the outdated of rumble software that in an ideal world everybody would be patching and be up to date with the latest and greatest software. It's just not possible. Therefore, the one in the world, it just won't happen. So obviously that's got to be bared in mind as well. But user interact and negative user interaction on that is obviously a key topic and something that we see too much unfortunately.

Alex Miller: And just going back to the insider threat, what I'm interested in that and I know that in the dark web, you know, it's not uncommon for kind of bounties to be placed on people's heads for, as you said, in organisations, to reveal credentials, gain access, whatever it is. So you're saying that that's actually, people are taking that up now. Do you think that's related to kind of the current economic climate perhaps? You know, we are in a recession now. Is that something you think is going to affect that?

Simon Lang: Okay. Yeah, good question. And so basically, so earlier in the year there personally, I've never seen such an uptick in incidents, cyber incident, the situation in the Ukraine. But leading up to that, I've never seen so many cyber incidents being reported to us for us to investigate, etc., we weren't expecting the outcome after that to be what's happening in Ukraine at the minute that is there any correlation between the two, personally potentially. Obviously, I'm not an expert and cannot say that definitively that is the case but we did see that. Then obviously the roll on effect of that, the financial situation everyone's in at the minute. People, people want money there is a recession hitting etc. What we see during these financial hardships are people are more willing to do nefarious acts in order to get money. And for the simple fact of them installing an application on their system or giving their credentials to a threat, a threat group online, you could say, is easy money for them obviously is unethical, illegal, even better, even better illegal there. But yeah, we do see that, especially when financial times are quite a hard in the world.

Alex Miller: Interesting backdrop to that. Yeah, and I know most of our audience are probably aware of the kind of rise of true crime podcasts and documentary series. But I understand that you were involved in one of these from a kind of digital forensic standpoint. You have to tell us more about this.

Simon Lang: Okay. Okay. So I'll tell you a story about so I've been on a couple of documentaries. This interview itself is far easier than that so, thank you, thank you for that and taking the pressure off there. But with these documentaries, it was a a case, so it's quite a few years ago in the South Wales area there. Unfortunately, a man murdered his wife in a hotel room in a city. He killed her, went on the run, went to an airport to try to escape the country. So during that time, once the police had found the body, what they found was a mobile phone device, it was locked, they couldn't get access to it there, but they knew that I would be able to so I was tootling around in the office one Saturday, randomly a phone call saying, we've got this mobile phone here, we need access to it literally as soon as possible because the guys on the run, we need to catch him ASAP. So, all the way from South Wales I was driving up north, blues and twos on the police car to bring me this mobile phone. It turns out what happened is the man killed his wife, they both had identical phones. He left his phone at the scene but picked hers up by mistake there. So that's why get an access to that phone ASAP was actually imperative to see what been bought, what hadn't, etc. So, the phone was brought to the lab there and book it all in. So, it’s an older Samsung let’s say an S6, Samsung S6 from a few years ago. So, what I had to do because of the encryption, not the encryption, but because of the security on the phone, it wasn't possible using conventional digital forensic techniques to get the data off the phone. So, what I had to do, I had to dismantle the phone completely right down to the circuit board there, desolder the memory, chip off the phone where the data’s held, read that using specialist equipment there and piece all the data back together into a human readable format. So, all the internet history, text messages, WhatsApp, everything on the phone, I can read someone’s life on the phone by doing that.

Alex Miller: Scary.

Simon Lang: It really is that. And the problem with this technique can't guarantee 100% success because it's a destructive process. You only get one chance of doing it and remove mischief and reading it. I did read it on this occasion there have been occasions historically where the chip hasn't been readable after that, and there's nothing worse. There's no worse feeling in the world than that. It isn't your fault. But you do feel you do feel guilty about it nonetheless. So you have got all the data pieces all back together, sent straight back to the police, triage some of the information to work out what was happening and give them a head start. Unfortunately, he'd already got to the airport and jumped in to fly to believe to Dubai at that point in time. But they did manage to get him in another country and arrest him. He got sentenced successfully.

Alex Miller: Because of your, partly because of your hard work, amazing story.

Simon Lang: So yeah working in digital forensics field I’ve worked on a lot of high profile criminal cases across the UK and internationally as well. And there's no better feeling than actually providing evidence to the police that will support a conviction of somebody who is actually guilty of that. So one of the biggest cases I’ve probably worked, up in Manchester, the Dale Cregan and for people who don't know he is part of an organised crime group, he's the person who murdered two police women and had access to grenades, etc. up in Manchester. So he kills some people. Unfortunately there went on the run and his co-conspirators were hiding him in various places. One of his co-conspirators who was ferrying him around using a car, had a satnav in the car, as soon as you put the key in and turn the ignition the satnav turns on and starts recording. So they're driving around, the police get the vehicle so I’m called in to have a look at this satnav potentially TomTom device at that point in time prior to inbuilt satnav being the norm there. So I managed to piece the evidence back together from this satnav device to show exactly where and when they would go and what times where they were going and potentially where people were hiding, etc., shows them go to McDonald's and all sorts of things like that. But I worked and gave quite a lot of evidence on that investigation for the murders, on the co-conspirator aspects of it as well. Yeah, it's been an interesting life in, well, digital forensics,

Alex Miller: Certainly, goodness, that criminal aspect is what really brings it home as to the importance of what we're doing, what you're doing in particular. So yeah. And that's really interesting kind of digital forensic war stories. What about if we put the incident response hat on? You know, something really bad happened in a cyber on a computer network. More my kind of home, more familiar with what war stories have you got for incident response.

Simon Lang: From that aspect, being called into various organisations. So, be it school networks where clever students illegally, they've put crypto mining software on the servers. So, mining for…

Alex Miller: Bitcoin?

Simon Lang: …Monaro in this instance, they try and hide the traces, etc. So, we're obviously using a lot of resources there but because some of the infrastructure was based in the cloud in AWS It's building up new instances of computing power there. So, it's costing, it’s costing these schools a lot of money in compute power when it shouldn't be. So trying to work out that, put hands to keyboards at the time as to who did what with various logging credentials, etc. There are quite a few intellectual property from a very high level and worth a lot of money cases where employees have taken data, they've gone to set up their own businesses, etc., and leverage that data to promote themselves and to give them that edge in business. Obviously they know what the other organisations are doing. Hedge funds who have these clever algorithms that work out what to do in the markets, people taking those to their new employees, etc..

Alex Miller: The stakes are high in these roles.

Simon Lang: Yeah, yeah.

Alex Miller: I mean, the stakes were high in the digital forensic side, but in a different way. They're high on the incident response side.

Simon Lang: Yeah. Yeah. So, it's like unfortunate life and death in digital forensics on occasion but incident response, a lot of it's about money, reputation, things like that. Um, with that. So yeah, lots of cases there, ransomware. So, so ransomware has evolved quite a lot. People think of ransomware, they think of encrypted data on computers with that. What quite a lot of the threat groups now are doing is extortion, where so not only will they encrypt the data, they will exfiltrate that data, take that data off the network, host it somewhere. So they're saying to the organisation that has been breached, you pay some money, we'll give you the key to unlock it. We'll also delete the data we hold on you if you don't pay it within this timeframe, say three days, for instance, we will release it to the public and you don't want your data being released to the public. Yeah, reputational damage with that is immense. But yeah, with the incidents a common one again comes down to often the user error, insider threat but from the user error point of view, business email compromise, we see a lot of that. Fraud so when I mentioned before about the phishing and people clicking the links and inadvertently given access to the office 365 environment. So the email environments, what will happen then is the threat actor will gain access to that. Then they will intercept emails. So, an email will come in, they'll be monitoring it, they'll move it to a folder that no one will ever check and notes folder or something nested down in various folders. Work on it, change invoices, edit invoices, change the bank account details so when people are paying these invoices it’s going to the incorrect bank accounts and they're taking money that way, they'll create rules. So if people within this chain are communicating with each other, they'll create rules to mark as read and move to a folder. So it's all automatic at that point. So, the user isn't aware of an email coming in because these rules have been created. If an email comes in matching this criteria, so at Mazars etc. it will move it to this folder that so they can hide it. But yeah, it's we see a lot of it's so we get called in after the fact for those types of investigations show what's happening where it's gone, how it's happened more importantly make sure it doesn't happen again.

Alex Miller: Yeah, those business email compromises, and I think I see it in the red team perspective on people imitating suppliers and supply chain attacks. As you said, if you can kind of change invoices internally, but also if you can just mimic a supplier, pretend to be one and then adds urgency to that, I really need to be paid. This is the end of the month, please do it now.

Simon Lang: Yeah and so with the phishing when they're doing the targeted phishing and they're they want access to finance departments but lots of time we see it, you see the CEO, the MD getting mimicked and with the urgency of that, people panic when they see an email from someone important in organisation they think they might have to cut corners to get it done quickly for them. So yeah.

Alex Miller: Absolutely. So, let's pretend I'm in an organisation that hasn't started a journey with IR or DF, digital forensics or incident response. How should I approach that when, when, when do I know it's kind of right for my organisation? Is there a right time to get started?

Simon Lang: There's no perfect time like the present. Every organisation should have some sort of IR plan, IR contingency, incident response contingency to do with cyber because it's so common, it's doesn’t matter the businesses size you could become a target. What we offer there, incident response retainers, we can tailor these to various organisation sizes there whereby you can pay upfront and have reduced fees and various SLA. So and SLA in regards to how fast we can respond to that. We can also have small organisations and organisations who don't have that much financial support, a no charge, no fee retainer, where all the legal contract work is signed ahead of time with no need for fees at that point there, because a lot of time with these incident response cases, time is of the essence, wee need to literally start looking and trying to contain this straight away. And there's nothing worse than when we’re trying to support an organisation that it gets held up on the paperwork side of life. So having that done ahead of time is fantastic. And then having that number to ring or the email address to ring, that's tailored for them in that time of need and have that embedded within their system recovery, their incident response plan. Therefore that immediate support. But like I said, there is literally no time at the present time for that.

Alex Miller: Yeah, yeah. Because I think from that red team perspective I often test blue teams and, and the detection capabilities of blue teams, through yes simulating adversary threats, but actually that doesn't still in some ways prepare you for that moment when it really does happen and everything's kind of going wrong. There's that sense of urgency. There's a panic. I guess we kind of in crisis simulation at that point in preparing for that. What is crisis simulation and disaster recovery planning, we mentioned DLP. What is that and why should people take, listen to that.

Simon Lang: I have a military background and a lot of things

Alex Miller: I don’t think we have actually, I should have probably introduced this. So you were in the military police before your digital forensic incident response career, right?

Simon Lang: That's right.

Alex Miller: So yeah, sorry I should have introduced.

Simon Lang: That's okay. We just glossed over it with the red team, blue team analogy. Yes I served in the military police for six years in the regulars and probably same again six, seven years in the reserves once I, once I left the regular service there.

Alex Miller: Did that prepare you for your transition to industry? What was that like?

Simon Lang: Oh, yeah. Well, most definitely so. I mean, the regulars are well, I'd say it gave me that mindset. It didn't give me the technical aptitude or the technical knowledge to do what I do now that came through hands on experience within an industry there. But it gave me that mindset of what to look for, especially the police policing aspects of it, that investigative mindsets that one of the reasons I'm good at what I do is persistence, I won’t let something go on investigation I'll keep looking until I can find it, so I think it gave that mindset of.

Alex Miller: Solving the puzzle.

Simon Lang: Exactly and I like that. Yeah, I very much like that. So yeah, I did quite a couple of, quite a few operational tours, started off in Northern Ireland did two tours of Iraq whilst I served. And at that point then I wanted to do something different in my life and I went to university. So I went as a mature student, I wouldn’t have been able to go to university when I was younger because I didn't have that mindset or that educational aptitude to sit there, join lectures and listen very excitable when I was younger there. So, it helped me with that. So, I went to university a bit later in life at that point, that's what I served in the reserves at that point there to help fund me for university because yeah, so it's not cheap going to uni these days.

Alex Miller: Yeah, I guess that was a nice little detour. Yeah, and so that military mindset as well on the kind of disaster recovery and the keeping a cool head in case of emergency that that must help you do that day to day still.

Simon Lang: Yeah, most definitely so a good thing I won't read out the analogy there, the full one. So prepping for that is key, practicing is key. Standard operating procedures, we called them their practicing them over and over again until it's second nature. So should something happen you know what to do, muscle memory there you know exactly what to do. So having that ahead of time there. So, when you're doing what we call tabletop exercises or tabletop simulations that they're good to do something that we help organisations do because there's nothing better than actually them going through their processes of running through a a live mimic of an attack, that simulated attack there. So, we tailor, rather than it being a case of a generic or you've got a ransomware from five years ago in your system. What you do here, it will be tailored to that organisation, what are the common threats for that type of organisation, what infrastructure do they have, how can we tailor it there to make it more realistic and exciting. We're currently building something virtual reality metaverse type stuff there for the high level, for the c-suites, etc. because we want to get them involved. From a technical perspective, it's very rare for them to be involved. They'll be overseeing in the background, but to have them visualise in the virtual reality, see what's happening, and see what computers has been used where, what people are doing in various places. Having it that way gives them a better picture than a boring table top exercise, so to speak. And then we find that that helps a lot.

Alex Miller: Yeah.

Simon Lang: Yeah. And it excites people that way. Rather than being a mandatory yearly thing, they have to do something they look forward to.

Alex Miller: Yeah. Yeah. I can concur with that. I think a lot of cybersecurity training is quite dull. As much as I love cybersecurity as well.

Simon Lang: Yes, cybers the best but I know what you mean.

Alex Miller: But cyber training could do with some help sometimes. Virtual headsets are great, but what free resources can we point people towards in this space? You know what can people look up now? I mean, one thing that I've used before, and I know that you're also a fan of is exercise in a box. Which is the NCIC tool. And I don't know if you want go into that in more detail.

Simon Lang: Definitely, yeah. Happy to give them a shout out. So NCIC, National Cyber Security Centre, they're an offshoot of GCHQ sorry, here in the UK. So, with that the exercise in a box. So, it's an online tool box, but it allows simulated like we saw a simulated type of attack so people could understand how, what they would do in various scenarios. So much. Yeah, it's got, it's got the ransomware, it's got supply chain attacks which are covering a bit, it’s got insider threat. There's so many on the list, so many different exercises that you can perform to have your IT team running through it so they can understand what's happening and what they should be doing and how they should be doing it. And the best part is free. Yeah.

Alex Miller: Yeah. So I've, it's been a few years since I've used, I used it when it first came out and for free resources, as you said, there's so many options with it and it really does get you thinking.

Simon Lang: That's right. Yeah. So I have my first exposure to it is a few years ago now again. What happened was a laboratory in the in the UK was hit by ransomware and this laboratory supported the criminal justice system on various aspects but because there had been an intrusion to their network, there was a worry that that threat group could be targeting other laboratories, be it traditional forensic laboratories or be it digital forensic laboratories, if they could disrupt the criminal justice system in the UK by altering evidence or even given the risk that evidence could have been altered, it would have a significant impact on there. So NCSC called in various organisations to come in and try and look at that within that laboratory. So, I know really helpful.

Alex Miller: Interesting case. Yeah. I think it's going back to the threat actors piece again, it's about their motives. Right. And threat actors are so, it's easy to group them and we do through APT groups and the likes but yeah actually about getting down to the motives and you're saying disrupting the criminal justice system is quite a kind of large grandiose.

Simon Lang: Yeah, it's not all about money. The threat groups are money orientated they do go for money. Even some of the nation state ones will be going for money because sanctions imposed on them is an easy way for them to get money. We saw Sony hacks a few years ago and things like that for various countries attacking them and attacking other organisations there. So money is involved, but there's the other aspect to it as well. Even when these groups may not be successful, but they give that illusion of success that yeah, yeah. And get people worried potentially, has this happened? And it starts a lot of worry there but yeah, yeah.

Alex Miller: I've seen on the ransomware side as well some threat actors not necessarily holding the data ransom, just deleting. I mean there is kind of wiper malware as well which just deletes it, but actually threat actors, you know, deleting EC2 instances which are like elastic, it's a kind of server in AWS or deleting backups of things just purely because they can and to cause chaos, right?

Simon Lang: Well, yes. Exactly. Yeah. And some of the, let's say immature actors would definitely be doing things like that. So not nation states or anything on those lines, but they would just cause disruption and could even argue it’s a form of terrorism, obviously not physical terrorism as we know it there. But anything's to create terror and panic that works with that, especially a good example of that is NHS, where a few years ago were they the WannaCry attack. So a ransomware that hit the NHS there compromised so many systems and held it to ransom. There was financial motivation behind it, apparently. But could was that definitive? Was that just a cover? Was it just to cause destruction and panic especially because it’s the NHS that we rely on. That was an interesting one because the the NHS they got they got hit with this ransomware WannaCry. But there was a security researcher who looked through the code. He found a domain within the code. That domain wasn't registered as soon as you registered that domain, it slowed down the propagation of that ransomware because that was the thing the ransomware is looking for. It knew if that domain had been registered, it was to stop doing what it was doing because it.

Alex Miller: It was beckoning out.

Simon Lang: Yes, exactly that. Yeah. Yes.

Alex Miller: This is my language now back to my read teaming.

Simon Lang: So yeah, it's actually fantastic. Actually, amazing that. And so obviously now they the threat actors know not to put it in clear text, they can encrypt it. So a lot of time when we do in the PFI work and before because a lot of people install on their e-commerce websites, security scanning software especially on the Magento ones and WordPress that the threat actors had to obfuscate the code and for people to know who that what that word means, even though I had trouble pronouncing it times of there, it just means encoding it in a way it's fancy way of saying encoding it at the end of the day, they could use base64, which isn't human readable but is easy to convert or they could encrypt it, encode it via other methods and things like that. So the security and scanning tools aren't picking it up as easily. It will pick it up, but it's not as easily as if it was a URL or…

Alex Miller: The equivalent of a balaclava for code.

Simon Lang: Yes, Yeah.

Alex Miller: I wonder what, what does good look like in the DFIR space? We've talked about tabletop exercises, maybe exercise being a great free resource, retainers and preparedness. Do you have a number to call, have I painted a good picture?

Simon Lang: No, you most definitely have. If I could emphasise something enough, it would be retainers that because you do need it, you need that support that even if you have an IT team in-house, they're not subject matter experts in this type of thing. It's good to have that that number to call actually the subject matter experts who understand this, who live and breathe this, that because yeah, because you haven't got time to be Googling what to do when and where and how to do best practice during an incident, you need geeks like us to come in and know what they’re doing and who have been doing this for a number of years and get it sorted as quickly as possible because the longer it goes on for the potential for lateral movement within the network of systems getting compromised, further data getting exfiltrated, just further damage at the end of the day. So as soon as you can get that contained, the better the better. But what else? Even simple things, like even though I mentioned multifactor before that and it is possible through highly competent threat groups to bypass that or skew around it, so to speak. It’s imperative you get that, you need to get a multifactor on because it's just that extra, extra barrier for them to get in the way because they'll go for the low hanging fruit of the easy wins. And if they can see you've got various things in place, if you got endpoint detection and response tools, which hopefully people will people have, they will go on to easy targets.

Alex Miller: Agreed and it's like even though it's not a silver bullet, it's still a protection and it's still, as you say, just lifting that barrier a little bit, making that little bit harder.

Simon Lang: Exactly that. So even though we've been talking a lot about insider threat, ransomware and one thing I think is important to cover that I mentioned briefly before supply chain attacks. So as well as the insider threat, which is quite common and business email compromise. The one of the busiest I've ever been was during supply chain, a high supply chain attack. So a supply chain attack is when a supplier is targeted because if they can get malware on that supplier systems. So software for instance that’s rolled out on many organisations machines, it's so much easier for them rather than having to target 100 organisations, they can target this one supplier there put the ransomware, put the malware put whatever on their kind of control tools, remote access tools, credential stealing tools on there, and send it out to all these organisations cast that net wide and they've caught so many people off guard with that there. So doing your third party risk assessments on these on your supply chain itself is something you must be doing as per your signup procedures but regularly.

Alex Miller: Yeah, couldn't agree with that more. Yeah, because you get so much bang for your buck there. And also it doesn't have to be a technical person doing that job you know it's kind of a due diligence, corporate role and you can do that without kind of needing expertise from other people. And it's that trust piece, right, because suppliers are inherently trusted parts of your business. And you regularly communicate and liaise with them. It's not unusual when you receive an email from them. We talked about invoices, is it that unusual for an invoice, banking details to be changed. Not maybe that unusual that you would challenge it, right?

Simon Lang: Yeah. So, yeah, you're right. That is something that, yeah, people need to keep that in mind because it's such an easy, easy target to attack one person and in fact loads rather than we got what you call watering hole attacks and this something I found really interesting there and it follows a threat actor which I know they're doing. This would be something I very much doing regularly. So a watering hole attack is the name comes from, you have you have a watering hole where animals drink out of…

Alex Miller: Back in the savannah.

Simon Lang:…Exactly.

Alex Miller: Something like the.

Simon Lang: Poison that you're going to poison all these animals there. So in this instance, the actual watering hole is a website. So if it's, for this instance, imagine you want to target financial, no in fact we will go with a pharmaceutical institution. So during COVID, the COVID vaccines and anything to do with the coronavirus there speak money, people wanted that information and people the first market of these vaccines, what was going to make a lot of money with that other countries who may not have as sophisticated research laboratories doing that may want that as well so they could create their own. The watering hole attack would be pharmaceutical publications. So websites, magazines, the pharmaceutical world. So, you're targeting that because people in the pharmaceutical industry would be looking at that websites that they'd be going on that and they would be getting infected if it's on their work systems. Obviously, the work systems are getting infected, that that's how the watering hole attack works. So that's something you've got to be mindful of as well nowadays, it's not easy for people to keep protected, but yeah.

Alex Miller: Yeah. Innovative and creative attackers.

Simon Lang: Novel attacks. That’s what I like and that’s why I find this industry so interesting.

Alex Miller: Amazing. So we've covered so much here Simon. thank you so much. And I hope our listeners will replay and use lots of the things I'm sure they well, you've covered the interesting points today, but from your point of view, would that be one key takeaway you can point our listeners to from a digital forensics incident response space?

Simon Lang: One key thing. Oh, that's a good one. So, I won't give one because I won’t be able to give just one. So I've covered quite a lot up in regards to what they can do to protect themselves, but I just want people to be protected and any advice I can give to help them be protected so they don't actually need us that would make me happy. But people will need us unfortunately. But things like just making sure the IT estate is managed correctly, doing an audit of people's access rights, making sure accounts that shouldn't be active are deactivated. Like I said before multi-factor that's something I’m keen for people to use, robust log in and more importantly with a log in and the alerts from the endpoint session tools, is actually monitoring them. There's no point having all these logs and all these detection rules set up if people aren't actually looking at it. So I know you've had success historically in the Red team and were able to gain of access to organisations. They've had alerts to say, Oh, what's this? This shouldn't be happening, but they've ignored it.

Alex Miller: So very glossy, fancy, shiny tools in place on that specific network that were not being monitored or attended to. So, it's, all the Christmas tree lights were going off, but nobody was looking at them.

Simon Lang: As I said, it's unfortunate so monitor things like that. when employees, so insider threats, when employees leave, make sure their accounts are deactivated, their physical access and digital access. I know we talk a lot about the cyber incident response, but people can get physical access to an organisation of servers there's a lot of damage they can do with that or a lot of theft they can do along those lines as well.

Alex Miller: That's amazing. It's great to have that incident response digital forensic perspective on what's actually happening in the real world, what you're actually seeing and therefore what we should protect against. So, thank you so much Simon.

Simon Lang: Thank you, it’s been a pleasure.

Alex Miller: And that concludes this instalment of the Tech for Leaders podcast. We hope you join us again soon. But for now, farewell.