Insights from Forensics Experts

Posted by Mark Greisiger

We talked with some of the leading experts in data breach forensics. Here’s what they told us.

Winston Krone
Global Managing Director, Kivu

Winston Krone has handled the investigation and analysis of hundreds of cyber incidents in healthcare, high tech, professional services, education and financial institutions. Winston has specific expertise in both the technical and legal issues behind network intrusion and cyber extortion. An attorney qualified in the UK and California and a court-qualified computer forensics expert, Winston frequently testifies as a cyber expert in post-breach litigation and cyber insurance coverage disputes. In summer 2017, Winston transferred from California to Amsterdam and currently supervises Kivu’s EU operations, including international breach response and GDPR compliance. Winston’s clients include multinational corporations, governmental organizations and high net worth individuals. Cases have included investigating hacking, unauthorized access to data, theft of trade secrets and confidential data, corporate espionage, corruption and embezzlement. Winston is also an expert in the collection, preservation, use and production of digital data in criminal and civil litigation.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interviews
Ransomware v2: Facing the Latest Cyber Security Threats
Safeguarding Data: Encryption, Tokenization and Hashing

What are the leading cybersecurity threats facing large companies?
Their networks have become overly complicated, with multiple IT groups working in silos, leading to situations where no one person or team has complete visibility. Throw in a merger or acquisition of another network, and a damaging attack is almost inevitable.

And which ones are of greatest concern to small companies?
Ransomware and targeted malware: The attackers are more technically proficient and motivated than the defenders, and smaller companies are more likely to be running older networks which are highly vulnerable to fatal corruption by these attacks, regardless of whether a ransom is paid.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
Failing to turn on the optional security settings at the end of the instruction manual.

What client mistake can impede your forensic investigation?
Searching Google to decide what to do when an incident strikes—especially since attackers post deliberately misleading advice on tech online forums and message boards.

What potential systemic risk keeps you up at night?
I now live in Amsterdam and my house is below sea level, with the ocean held back by an incredibly complex system of surge gates and pumps. The interdependence of thousands of internal and external complex cyber networks defies risk analysis.

What tip or advice will all of your clients hear from you?
“You have already purchased everything you need for a reasonably secure network. Now you just have to implement it properly.”

What got you into this field?
As a private investigator, it was either cyber forensics or dumpster diving. And kitty litter is really, really unpleasant.

What is your favorite cyber breach scene in a movie or on TV?
The James Bond film Skyfall, when Q plugs the laptop into MI6’s network and the building explodes.

What do you like to do when you’re not working?
Work out how to make buildings explode by plugging in a laptop.


Steve Scarince
Associate Managing Director, Cyber Risk Practice, Kroll

Steve Scarince is an Associate Managing Director in Kroll’s Cyber Risk practice, based in the Los Angeles office. Steve joined Kroll after serving for more than 20 years in several prominent roles with the United States Secret Service. In addition to his experience serving a near-five year assignment in the Presidential Protective Division, Steve has significant expertise in crisis management, intelligence, and personal and physical security. Additionally, he is an authority in fraud investigations and cyber-related attacks on financial and payment systems, and has often served as an expert witness in court proceedings.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interview
Protecting Intellectual Property from Internal and External Theft

What are the leading cybersecurity threats facing large companies?
I think that it goes without saying that whether you are big or small, your client and employee data are very much at risk. Just this year, we heard of breaches in tech, food service, hospitality, airlines, healthcare, and the list goes on. What is most concerning about this, however, is that many of the “bad actors” penetrating large enterprises have been identified as nation states and that the data gathered is not necessarily used to wreak havoc on your credit card but rather for espionage, politics and the spread of disinformation. This is a trend that certainly will continue.

And which ones are of greatest concern to small companies?
I am seeing an incredible amount of phishing and business email compromise (BEC) fraud schemes attacking smaller companies. In fact, it’s currently the bulk of what I investigate. Companies working in the financial, legal and real estate sectors need to create policies around the verification of wire transfers and question last minute changes in the destination account. I encourage all companies to continue the cyber security education of their workforce and hopefully one day everyone will think before they click.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
Many attacks occur because of a lack or poor implementation of security policies. In my short time here at Kroll, I’ve been astounded at improper use of security tools that are available to IT and information security teams. Many of my engagements would never occur had companies just used two-factor authentication. Today, 2FA should be a given.

Misconfigured databases and FTP servers, employee errors, phishing attacks, ransomware, and the theft of unprotected laptops continue to plague companies big and small and drain the resources of IT. We all know that a good information security program starts at the top and until it is backed at the C-suite level, these breach notices will unfortunately continue to fill the front page. Information security is expensive and of course can’t and won’t stop every type of attack. But this is not a good reason nor the time to ignore the threats out there.

A NIST study referred to an event they called “security fatigue” which identified a “weariness or reluctance to deal with computer security” by the workforce. Companies need to be creative in the ways they work through this fatigue and consider taking more of the security decisions out of the hands of the employee.

What client mistake can impede your forensic investigation?
Listening to bad advice and assuming you have the situation under control has hampered many prior investigations. If your company has suffered a major security event, get help. The preservation of forensic evidence is extremely important and must be handled in very specific ways or it could be deemed tainted in a court of law. Prior to any type of incident, a custodian should be properly identified and that person should be able to show where and how the evidence was obtained, and where it was stored. Logs should also be preserved and retained for an extended period and if applicable, third parties should be notified and instructed to retain their logs as well.

Colleagues have shared stories of well-meaning IT employees destroying files that potentially could have pinpointed the exact cause of their situation. In-house counsel can also act rashly at times: I’ve seen some legal teams recommend the destruction of evidence or concern themselves with obtaining an employee’s laptop while forgetting about personal devices that allowed network access and personal email.

Companies must know their limitations. Attempting to solve a problem beyond your capabilities will only make the problem worse and possibly limit any investigation initiated afterwards.

What potential systemic risk keeps you up at night?
Easy. A critical infrastructure attack. A few years ago, we saw a power company get shut down using the malware called Industroyer. Industroyer was designed specifically for infrastructure and can be used to attack industrial control systems (ICS). So what happens when this is used against our chemical plants, reactors, water plants, railroads and other forms of transportation? The level of devastation, should this end up in the hands of terrorists, would be unparalleled. To me, there isn’t enough urgency surrounding the need for a rapid solution to tighten our infrastructure security systems.

What tip or advice will all of your clients hear from you?
Much of it is very basic. I find myself continuing to explain the benefits of anti-virus software and establishing a password policy within the company. There will always be a discussion regarding activating logging and enforcing 2FA. Unfortunately, the first conversation that many companies have about a cyber incident is the day it is discovered.

That being said, discussions about implementing some basic standards in the event they are in this position again seem to go a long way. The review of the company’s policies towards the use of personal devices, personal email rules and the use of USB flash drives also resonate well with smaller companies.

Getting ahead of these situations is the most crucial point to drive home. When the event happens, take a moment before doing anything extreme and if you’re not sure about your next move, call someone who is.

What got you into this field?
After a 23-year career in the Secret Service, I just came to that point in my life where I thought I could have more of an impact in the private sector. I’m certainly seeing much more variety in my work and there is no shortage of learning opportunities.

What is your favorite cyber breach scene in a movie or on TV?
I’m probably dating myself a bit, but I’ve always been a huge fan of the Matrix series and of course, Mr. Robot.

What do you like to do when you’re not working?
I’m an avid runner and soccer fanatic. Both help to take the edge off!

Can you share a fun little-known fact about yourself?
While on the President’s detail assigned to the transportation section, I was the agent that drove President Bill Clinton to his Monica Lewinsky deposition.


Rob Driscoll
Senior Director, Crypsis Group

As a leader in the firm’s business development operation, Rob and his team work to build and strengthen client relationships based on exceptional service and results. Rob has primarily focused on increasing the company’s presence within the cyber insurance and legal communities to become a preferred forensics partner. Rob joined Crypsis in 2016 after two years as managing partner at the management consulting firm Alliance Strategies LLC in New York City, where he focused on generating sales opportunities for the firm’s clients in the healthcare, insurance, and technology areas. Previously, he was vice president at The Marwood Group, a healthcare advisory and financial services firm, where he led the business development group and promoted the firm’s diagnostic imaging offering to corporations, municipalities, and insurance brokers nationwide.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interview
Business Email Compromises in Office 365

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
Some of the most prevalent threats are the same for any size company. We continue to see ransomware and business email compromises (BECs) happening to businesses of all sizes, in all sectors. We’ve seen more targeted ransomware attacks with higher ransom demands hit larger or more lucrative organizations, while smaller businesses tend to get hit with smaller demands, but the initial entry points are still through phishing or remote desktop protocol (RDP). We’ve also seen more attacks leveraging multiple malware families, specifically self-propagating malware like Emotet or Trickbot infecting networks through phishing attacks, harvesting credentials and essentially conducting a lot of automated reconnaissance, and then providing an entry point for human attackers to come in and execute ransomware on critical systems. It’s important that organizations at any size are knowledgeable about their networks and systems, and can monitor for anomalous activity to stop infections before they take down the enterprise.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
Multi-factor authentication is a big one. Use it for anything and everything. Especially for remote access and email accounts—a majority of attacks we still see rely on brute-forcing passwords over remote desktop protocol to gain entry into a network. And business email compromises are almost always the result of phishing emails that trick the user into providing their password. Multi-factor authentication can greatly mitigate these types of attacks. Aside from that, another big one is backups. With the prevalence of ransomware attacks, it is critical to maintain a regular backup schedule and to store backups in a way that cannot easily be accessed by malware or attackers in the network. One of the first things that occurs in many ransomware attacks is the deletion of any available backups to ensure the attackers have the leverage they need to extort payment from their victims.

What client mistake can impede your forensic investigation?
Restoring or rebuilding systems without preserving copies in their infected state. Deleting user accounts that were created and leveraged by attackers instead of disabling them. Not having adequate logging enabled. A lot of our challenges come down to data preservation: If critical data is lost during restoration/recovery or if logs are not enabled and retained on devices and applications, it can be very challenging to determine the extent of what occurred during an incident.

What potential systemic risk keeps you up at night?
Critical infrastructure relying on outdated and highly vulnerable software.

What tip or advice will all of your clients hear from you?
Enable multi-factor authentication; backup critical data regularly and keep it in a secure location (offline/offsite/cloud, etc.); ensure RDP is not open to the Internet from any system on the network.

What got you into this field?
This is a growing industry I have always been interested in. I had the opportunity to join Crypsis at an early stage.

What is your favorite cyber breach movie?
Swordfish

What do you like to do when you’re not working?
Spend time with my wife Ali and 1-year-old son Liam.

Can you share a fun little-known fact about yourself?
I used to have hair!


Jeremy Koppen
Manager, FireEye Mandiant

Jeremy Koppen, a manager with FireEye’s Mandiant Consulting group, has led numerous incident response engagements and intrusion investigations involving several types of targeted threat actors and techniques. He has worked with clients in the technology, healthcare, energy, financial services, manufacturing, media, automotive industries, and for numerous Fortune 100 companies. Jeremy has experience in programming, computer hardware, cybercrime investigations, computer forensics, and information security. He earned a bachelor’s degree in computer science from the University of Iowa and later completed a graduate degree in computer science with an emphasis on digital forensics, an area he continues to focus on today in his work with FireEye.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interviews
Fighting Against IP Espionage
Mandiant’s Summers: Companies Mostly Ill-Prepared for Inevitable State-Sponsored Cyber Attacks
Forensics: Plan for Success

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
One of the leading threats to both large and small companies continues to be the reliance on single-factor authentication for external systems and applications and remote access solutions. Additionally, many companies lack the technology and processes necessary to monitor for suspicious email messages or suspicious email setting modifications.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
It is essential for companies to have an up-to-date asset management system as well as standardization for each system and protection component. For example, each system should be configured with a logging standard configured for that system, as well as a vulnerability and patch management program to proactively search the environment to identify potential issues. It is also important that companies have endpoint technology that allows them to investigate a security incident in a timely manner.

What client mistake can impede your forensic investigation?
One issue FireEye investigators often encounter is the lack of centralized event logging, and finding machines configured to store event logging information for a short time. This may leave a gap in the investigation, not accounting for a time when an attacker was present in the environment.

What potential systemic risk keeps you up at night?
A systemic risk FireEye investigators frequently see is single-factor access for external systems and remote access solutions. This exposes a client to brute force attacks or other techniques attackers use to obtain access to the environment. Another risk is the reuse of local credentials on systems across the environment. This can provide an attacker with the ability to move around the network after obtaining credentials from a single system.

What tip or advice will all of your clients hear from you?
We encourage all of our clients to enable multifactor authentication on externally facing business applications as well as remote access solutions. This also applies to cloud-based applications such as Office 365.

What got you into this field?
I completed an undergraduate degree in computer science and came across digital forensics while applying to graduate school. I found the field very intriguing due to the investigative aspects of the role and the challenge of solving complex problems on a daily basis.

What is your favorite cyber breach scene in a movie or on TV?
I am a big fan of Mr. Robot. That show was able to replicate cyber attacks in a somewhat realistic manner. I am also always a fan of any television show that includes two users operating one keyboard.

What do you like to do when you’re not working?
I am an avid sports fan, following the Iowa Hawkeyes, Denver Broncos, and Washington Wizards.

Can you share a fun little-known fact about yourself?
I am extremely unathletic and managed to partially tear my MCL and develop elbow tendonitis while playing dodgeball. I think I made the correct call to not pursue a career as a professional athlete.


Doug Howard
Vice President, Global Services RSA International

Doug Howard leads and supports RSA’s Global Services Organization, which includes the Professional Services, Customer Support, RSA University, and the RSA Risk and Cybersecurity Practice inclusive of the RSA Advanced Cyber Defense (ACD) Practice and the world’s leading Incident Response (IR) Practice. Doug also provides leadership support for RSA’s strategic vision and global operational execution across the business. Doug has more than 25 years of experience as a technology leader and innovator in security. He has held notable leadership roles in operations, engineering, business strategy development, marketing and sales, and other executive leadership positions such as COO at BT Counterpane, Chief Strategy Officer at Silversky/Perimeter eSecurity (now part of BAE), Vice President of Security and Business Continuity at AT&T, and CEO of SAVANTURE (now part of Blue Ally).

Frequent Speaker at NetDiligence Cyber Risk Summit

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
Large and small companies are faced with similar threats. Identity compromises continue to lead the pack in relative volume, success and impact. Malware, including ransomware, continues to be a formidable threat, often as the tool of hackers providing a landing point for exfiltration and further expansion within an organization’s infrastructure. Insider threats, advanced persistent threats by nation states, DOS/DDOS, and other threat vectors continue to grow in frequency and impact. In reality, most everything mentioned here comes down to the prioritization of resources and investments and basic security hygiene. Large companies continue to go after the next best tool, but rarely take the time to maximize the capabilities of the products they have purchased and thus, the operational value of their investments isn’t maximized. For larger organizations, the biggest threat is complexity. Prioritized planning with a methodical fact-based, risk-aware strategy can ensure greater success.

Small companies often lack the ability to prioritize their investments and rarely operationalize their security products or processes even when outsourced. For smaller companies, the largest threat is often doing nothing and being overwhelmed by all the fear, uncertainty and doubt in the marketplace. In these cases, security is not about perfection, but rather about reducing risk through small steps each and every day.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
Basic hygiene. Rarely, with the majority of breaches, do you think, “Wow, never seen that before.” There are three major categories of typical flaws:

  • Compromise of identity credentials due to human error
  • Lack of patching in exposed systems
  • IT, network or security misconfiguration

What client mistake can impede your forensic investigation?
Most frequently, due to lack of storage or even lack of basic logging in the first place, the customer has minimal data that can easily and quickly be analyzed. When logs and equivalent registry information are not captured or are challenging to retrieve, incident response cannot be performed efficiently. In most cases, the technology investment that would help in proactive protection and analysis would be significantly offset by the savings of a reactive response. Furthermore, the ability to lower the probability of a breach, the dwell time of the compromise and the impact of the breach would all be significantly improved.

What potential systemic risk keeps you up at night?
Security failure of major OS vendors or even security vendors. There have been few large-scale impacts to the overall availability, confidentiality, and integrity of our IP-based infrastructure. There are few industry participants and experts that don’t see the perfect storm on the horizon. As we all say, it’s not if—it’s when. The question is how bad it will be and how long it will take us to recover.

What tip or advice will all of your clients hear from you?
Have a plan, prioritize, and improve on the basics of hygiene each and every day. It’s guaranteed that if you do nothing, your risk will increase. Given that identity compromise is the number one compromise in every major report, and that cloud and mobile expand that risk, it seems obvious this should be a primary focus.

What got you into this field?
Like many professionals in the industry, I came from the military (there are many from law enforcement as well). I saw the opportunity to do good on a broad scale (company, nation, global) as well as making a great career in risk management and cybersecurity. It does not come without frustrations, but the good days are great and keep me going during the average and stressful days.

What is your favorite cyber breach movie?
Firewall

What do you like to do when you’re not working?
Having three kids keeps me entertained and provides weekends of sports and high energy engagement. Eventually, I’d like to get to a couple classic car projects in the garage as well as get back to the fishing I did growing up.

Can you share a fun little-known fact about yourself?
I hit Vegas a couple times a year for auto racing (Radicals).


Chris Novak
Global Director, Threat Research Advisory Center
Verizon Enterprise Solutions

Christopher Novak is a co-founder and the Global Director of the Verizon Threat Research Advisory Center. He is an internationally recognized expert in the field of Incident Response and Computer Forensics. He has been involved with information security for over 15 years. Christopher has assisted corporations, government agencies, and attorneys with all matters involving computer forensics, fraud investigations and crisis management. He has testified as an expert witness in various matters and before such bodies as the Supreme Court of the State of New York. He has also briefed United States congressional committees such as Senate Banking, House Financial Services, Senate Commerce, House Energy & Commerce, House Homeland Security and Senate Homeland Security & Government Affairs.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interviews
Ransomware: What Can Go Wrong, Might
Protecting the Point of Sale
Heartbleed: Why Some Experts Are Ringing the Alarm
Crisis Data Breach Response: Computer Forensic Services

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
The increased volatility of the current geopolitical landscape is creating an increase in nation state-affiliated and sponsored cyber attacks against large companies. Smaller companies are facing more sophisticated broad-based phishing attacks and ransomware implants.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
The top three safeguards most often missing would be multi-factor authentication, egress traffic filtering and network segmentation. With most breaches starting from social engineering (and the most common of them being phishing attacks), one of the best mitigating controls is proper and comprehensive multi-factor authentication. Without it, we see many initial intrusions that look almost trivial in nature. Egress (or outbound) traffic filtering is another commonly overlooked safeguard as many organizations choose ease of operations (avoiding help desk calls and troubleshooting associated with this kind of filtering) over security. However, if egress traffic filtering is not in place, then it allows any malware or threat actor that gains a foothold in the environment to easily communicate to their external command-and-control infrastructure, pull down additional tools for expanding the breach, as well as being the easiest avenue for exfiltrating compromised data. Network segmentation can also dramatically mitigate breach events but is not often used. In concept, it’s like a submarine which has many different compartments that can all be sealed off from one another. If an attack breached the hull, the submarine could seal off the affected compartment and limit damage and flooding. The same technique is recommended for networking and for a similar reason—if a breach event were to occur, proper network segmentation would limit the breach event and damage to a specific segment as opposed to allowing it to spread and put the entire organization at risk.

What client mistake can impede your forensic investigation?
There are lots of mistakes that can impede a forensic investigation, but I would generally say the most harmful are when organizations attempt to “DIY” their own forensic investigation or start by hiring a relatively inexperienced forensic firm (often because they are less expensive). In today’s day and age, a breach event can be expensive and impactful, even if handled correctly. When you add poor or inexperienced handling to the mix, the consequences can rise exponentially. For example, many breach events result in litigation. Attempting to “DIY” or use an inexperienced firm can result in evidence spoliation, missed findings or worse—a breach recurrence—all of which will make for uncomfortable explanations on the witness stand. Many incident response and forensic firms are reviewed and rated by independent and third-party analyst firms. Consider reading their research and then select the best firm for you. And don’t be shy about reaching out and talking to multiple firms. Most will be happy to speak with you and walk you through their methodology so you can be sure that you are comfortable with all facets of a future engagement.

What potential systemic risk keeps you up at night?
IoT, IoT, IoT…. Have I mentioned IoT? The main concern that I have regarding Internet of Things is that most vendors and creators of such technology have not considered security in their product development lifecycle. And given that there are already billions of IoT devices operating across the globe, that is a sizable population of questionably secured endpoints. While many IoT devices themselves don’t contain sensitive data of concern, most of them are connected to home or office networks or even directly connected to other computing devices. This makes IoT environments a perfect place for attacks to originate from or be targeted as a conduit for pivoting into more sensitive assets and data (all of these scenarios have already occurred on small scales). Small and inexpensive, these devices are easily forgotten, and many people and organizations don’t have a solid understanding of what is connected to their environment. These concerns are compounded by the fact that vendors of IoT devices may not regularly (if ever) provide security patches and updates.

What tip or advice will all of your clients hear from you?
Know your assets. I tell all clients that they must have a complete and comprehensive understanding of their asset inventory and landscape. It is one of the most basic and fundamental elements of security, yet organizations often have thousands or even tens of thousands of “unknown assets.” Without a solid understanding of your asset inventory, you can’t operate a comprehensive vulnerability management plan or properly monitor for security threats.

What got you into this field?
I always had a fascination with everything electronic/cyber as well as an interest in healthcare. I see incident response and computer forensics as a mix of both—it’s like being an ER doctor in a cyber emergency room. It’s a great feeling to be able to help organizations through tough times and not just survive a crisis but thrive thereafter.

What is your favorite cyber breach scene in a movie or on TV?
If we’re talking old-school, then I’d say WarGames (1983) when the protagonist is trying to interact with the WOPR. If we’re talking newer stuff today, then I’d say the TV series Mr. Robot. I know some of the technical advisors for Mr. Robot and much of the cyber activities shown are very true to life and some even patterned around real cases that my team and I have worked.

What do you like to do when you’re not working?
Spend time with my family. My kids are in elementary school and they are very into technology, so we spend quite a bit of time playing with various gadgets, coding, and other fun geeky stuff.

Can you share a fun little-known fact about yourself?
I have travelled to all 50 U.S. states and to over 50 countries.


Darin Bielby
Senior Managing Director, Ankura

Darin Bielby is a Senior Managing Director based in Philadelphia with 25 years’ experience helping clients across industry sectors to mitigate risk, address challenges, and take advantage of opportunities. Darin has assisted over 4,000 companies and government agencies to prevent and respond to cyber-attacks. Darin has significant healthcare expertise helping companies and their legal counsel respond to government investigations, whistleblower lawsuits, class actions, and commercial litigation. Darin is the first call for outside counsel looking to build the right consulting or expert team at Ankura.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interviews
Don’t Ring the (False) Alarm: When a Data Loss Event Isn’t a Breach
Breach Forensics: Preparing for an Investigation

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
The greatest threats to large companies include cloud outages, destructionware like NotPetya, ransomware like Ryuk and SamSam, spear phishing, and data extortion. Small companies are most impacted by phishing attacks that compromise email credentials and lead to wire fraud, payroll diversion, and invoicing scams. After that, the next biggest threat is ransomware, which can cripple a small business that typically has no backups.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
Multifactor authentication, event logging, and endpoint monitoring are often missing. Companies may have backups, but they are often not stored securely and get deleted or encrypted by criminals.

What client mistake can impede your forensic investigation?
Companies commonly have not enabled the free tools embedded in popular programs like Microsoft Office 365. In particular, they won’t have logging enabled or they overwrite their logfiles too quickly. When that evidence is not available it makes the forensic investigation lengthier, costlier and likely not as conclusive in eliminating systems and users from breach notification. Some clients, particularly government agencies, delay the start of the investigation, trying to negotiate contracts with no limitation of liability. All the while, the issue may be getting significantly worse and evidence may be getting overwritten. It would be irresponsible of vendors to agree to these terms—this is why more experienced firms like Ankura are unwilling to agree to them.

What potential systemic risk keeps you up at night?
Two of the largest systemic risks for businesses are:

  • Contagious malware like a WannaCry attack without a kill switch. We’ve seen how that impacts a far greater number of users worldwide and can cause a cloud system failure given the concentration of clients with a small number of large global vendors.
  • The potential for cyber issues with the global food supply, power grid, and military arsenals.

What tip or advice will all of your clients hear from you?
Buy cyber insurance. Enable two-factor authentication. Prepare for a cyber incident because your business will have one.

What got you into this field?
Ten years ago, our healthcare clients started having to respond to incidents to comply with HIPAA. This was an early risk indicator, rippling across the global pond, and I was fortunate enough to build a partnership with the global cyber insurance ecosystem which has led to Ankura (and its predecessor Navigant) having assisted over 4,000 companies with cybersecurity.

What is your favorite cyber breach scene in a movie or on TV?
The concept of the Matrix is really thought-provoking—that human hackers fight a computer system that has tricked humans into thinking they’re enjoying their lives all the while serving as batteries for the machines. On the humorous side, I enjoyed the scene where Ferris Bueller hacks into the school computer and changes his grades.

What do you like to do when you’re not working?
I love to travel. I spent 16 months backpacking through Asia and am closing in on the Travelers’ Century Club after a recent trip to Cuba.

Can you share a fun little-known fact about yourself?
I really enjoy nature, whether it’s working in the yard, gardening or mountain biking. Oh, and I have beehives.


Bryan York

Director, Professional Services, CrowdStrike

Bryan has experience in both government and private sectors helping organizations manage cyber risk and respond to targeted cyber threats. Bryan is currently a Director of Professional Services at CrowdStrike, where he leads the central region services practice and is responsible for delivering cyber incident response services as well as providing trusted advisory services for customers taking proactive measures to identify risks, detect threats and better secure their technology ecosystem. In addition to leading the central region services practice at CrowdStrike, Bryan regularly speaks to executive teams on cybersecurity threats and risks. He is a co-author of Responding to Targeted Cyberattacks as well as the Incident Response Reference Guide and has presented at many security conferences including ISACA, RSA, ISC2, GRRCon and more. Bryan has also been quoted in several news articles discussing recent trends and threats in cyber security and incident response by Dark Reading, SC Magazine, Motherboard and others.

Frequent Speaker at NetDiligence Cyber Risk Summit

Junto Interview
Forensics: Plan for Success

What are the leading cybersecurity threats facing large companies?
For large companies, it’s all about data theft right now. As trade war tensions have escalated, we’ve seen a rise in targeted attacks by nation states with sponsored actors looking to gain access to the IP of our corporations. That’s happening across the biotech, defense and pharma industries, not to mention universities and managed service companies. It’s not just IP, though—it’s customer data these hackers are after. So if you’re a big company and you get hacked, you’re looking at a huge investigation, unwanted media attention, reporting millions of lost records, credit monitoring, and the list goes on.

Which ones are of greatest concern to small companies?
In terms of smaller businesses, we’re concerned about ransomware. These issues are not isolated to smaller businesses by any means, but smaller businesses are less equipped with IT staff and resources to manage and get ahead of these attacks. A simple hole left open on a remote desktop with weak passwords can be a doorway for ransomware, and the ransom amounts are just getting bigger. Add to that the costs of business interruption and getting back to operations and it can be a huge threat for a smaller business. Many smaller businesses don’t have good response plans in place nor do they have the ability to respond quickly to an incident.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
The first key thing would be visibility, and the second would be mismanagement of credentials. If from a visibility standpoint you have the right tools, capabilities and staffing to assist you in tracking patterns you will be able to identify when an attacker breaches the system and you can react quickly, minimizing damage. However, if it takes longer than two hours to detect the threat and to respond to it they’ll have more time to carry out their objectives. In terms of credentials, threat actors are often getting into networks through compromised credentials and phishing. Without multifactor authentication or protected privileged accounts, this is much easier to pull off. Multifactor authentication is not a silver bullet—and we know that attackers are working on ways to intercept it—but it is highly effective and more organizations will be implementing it in 2019.

What client mistake can impede your forensic investigation?
One of the biggest challenges we find is insufficient deployment of technology to get the data needed to solve the investigation. We take an endpoint-based approach, which means that we might be deploying our software throughout the enterprise to 100,000 endpoints. Some organizations can do this in a weekend while others struggle to get 100 endpoints deployed in a month, setting back the investigation. Ultimately, it’s about basic IT hygiene and asset management. Many companies are simply not prepared for the inevitable breach—they don’t have an incident response plan or if they do, it’s sitting on the shelf or it’s not tailored to certain situations. Better-equipped companies are preparing thoroughly, conducting quarterly tabletop exercises for each type of threat. They’re getting C-suite executives in the room on at least an annual basis and talking through the issues.

What potential systemic risk keeps you up at night?
For me, it goes back to the IP and data theft. Our economy is heavily invested in research and development. If that IP can be stolen and quickly replicated by a competitor in the global economy that puts our country at huge economic risk. The other thing that concerns me greatly are disruptive attacks that could take down financial or critical infrastructure and the impact that could have on our nation’s safety and security.

What tip or advice will all of your clients hear from you?
Be proactive. It’s about building a plan, conducting exercises, creating visibility ahead of time. I tell customers that there’s no one single thing you can do that will prevent an attack from happening but there are a handful of things you can do to minimize risk, including staying abreast of the trends and threats and reacting accordingly in your own environment to change settings or introduce other security measures to lessen the potential damage.

What got you into this field?
I grew up with an interest in computers, starting with my uncle’s, on which I would play Sim City in the 1990s. In high school, I started programming my own websites. Later, I did an internship over two summers at Rome Research Labs in advanced engineering in cybersecurity, which exposed me both to programming for security and the threats that systems and networks face.

What is your favorite cyber breach scene in a movie or on TV?
I really appreciate the Mr. Robot series, which has gone to great lengths to be technically accurate, unlike other shows with impossible scenarios that might give viewers the wrong impression.

What do you like to do when you’re not working?
I like to hang out with family and we’re involved in our church and community group. I also like to spend down time with my fellow CrowdStrike team members. This can be a very stressful job and we try to play foosball or get lunch together to balance out what can sometimes feel like a fire-fighting atmosphere.

Can you share a fun little-known fact about yourself?
My big claim to fame is that I am an internationally renowned flying Asian carp bow hunter. Several years ago, I was featured on the news when I went on a carp fishing outing on the Illinois River.


Jim Jaeger
Cyber Strategist, Arete Advisors

Jim Jaeger is Arete Advisors’ Cyber Strategist, and a member of the Board for Federal Guardian. Jaeger led cyber-forensics investigations into some of the largest network breaches impacting our industry for Fidelis Cybersecurity. He held leadership roles for cyber-programs, including General Dynamics’ support for the DoD Cyber Crime Center (DC3), the Defense Computer Forensic Lab and the Defense Cyber Crime Institute. He is a former Brigadier General in the USAF. His military service includes stints as the Director of Intelligence (J2) for the US Atlantic Command, Assistant Deputy Director of Operations at the National Security Agency, and Commander of the Air Force Technical Applications Center. He received a B.S. from the Air Force Academy and an M.A. from Central Michigan University.

Frequent Speaker at NetDiligence Cyber Risk Summit

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
Ransomware attacks are increasing rapidly for organizations of all sizes. Ransomware used to be a problem primarily for SMBs, but we are seeing increasing attacks against manufacturing facilities, hospitals and other large enterprises. Even multibillion-dollar enterprises like Maersk and Merck have fallen victim to encryption attacks. In some cases, firms are losing more than $1M a day while their operations are being restored. Fortunately, there are a few good endpoint detection and response (EDR) tools on the market today that can immediately block ransomware attacks. Non-signature, behavioral-based tools augmented with machine learning and artificial intelligence (ML/AI) are particularly effective. SentinelOne is so confident of their performance that their tool comes with $1M in ransomware insurance, which they have never had to pay!

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
Two-factor authentication would prevent the initial infection or limit the spread of many of the attacks we see. While we advocate for enterprise-wide implementation of two-factor authentication, it is especially critical for all remote users and systems administrators—anyone with elevated privileges.

What client mistake can impede your forensic investigation?
Lack of adequate logging is a recurring problem impacting our investigations. We see too many victims who have not enabled sufficient logging or are not retaining the logs that their systems generate. In fact, in many cases, the victim could have quickly contained or even prevented the breach through basic log analysis.

What potential systemic risk keeps you up at night?
Spear phishing is now the vector in 80 percent of the breaches we work. Sadly, most of the breaches are preventable with some very simple fixes. Most important is increased user security awareness. Fortunately, there are some effective spear phish awareness training tools and services available. The use of sandbox technology to detonate and screen all inbound executables is also very effective.

What tip or advice will all of your clients hear from you?
The breach “lesson learned” that we see over and over again is that network monitoring is the key to quickly detecting breaches and minimizing the damage that the attackers cause. Unfortunately, we’ve worked a couple of breaches where the attackers had been inside the network undetected for over a year. In these cases, the cost of investigation, containment, and remediation as well as the fines and lawsuits can be very high, typically over $100M. Today’s managed detection and response (MDR) solutions can be very effective in preventing breaches, or in quickly detecting breaches, containing them, and minimizing the damage, if any.

What got you into this field?
I was leading the General Dynamics program at the DoD Cyber Crime Center (DC3) and the Defense Computer Forensics Lab about 15 years ago. A savvy cyber attorney working large breaches realized that our cyber forensic skills were exactly what he needed. The expertise is the same whether you are working attacks on DoD, or banks and credit card companies. We’ve been working the toughest commercial breaches in the US and internationally ever since.

What is your favorite cyber breach scene in a movie or on TV?
I like all the TV shows like CSI, NCIS, Crime Scene Investigator, etc. We call them “training films.” Of course, the problem with these shows is that too many people now think you can solve almost any case in an hour, including breaks for commercials. My partner, Joe Mann, goes a bit more esoteric. His favorite movie is The 300 Spartans. He likens our cyber warriors to the 300 holding the pass against the invading hordes at the Battle of Thermopylae. That’s where the Greek name for our company, Arete, comes from.

What do you like to do when you’re not working?
When is an incident responder ever not working? Most people would be amazed to find out that I actually like to play golf. It’s just been a year or two since I’ve had a chance…

Can you share a fun little-known fact about yourself?
One of the best stories is the breach that two other leading IR firms had been unable to contain in over a month. The client actually had a chartered jet sitting on the ramp at Dulles at 6:00 AM on a Saturday morning waiting for our team. In 36 hours, over the weekend, we found the breach and killed it.


Cindy Murphy
President, Gillware

Cindy Murphy worked in law enforcement for 31 years, starting her career in the US Army as an MP in 1985 and joining the Madison Police Department in 1991. She began investigating computer-related crimes in 1998 before being promoted to detective in 2000. Since then, Cindy has become one of the most highly respected experts in the digital forensics field. Cindy has been teaching digital forensics since 2002. She helped develop a digital forensics certification curriculum for Madison Area Technical College and co-authored the SANS FOR585 Advanced Smartphone Forensics course. Both during her time in law enforcement and at Gillware, Cindy has provided expert testimony in court proceedings involving homicide, financial crimes, sexual assault, robberies, the possession and production of child pornography, money laundering, intellectual property theft, drug trafficking, computer crimes, aggravated battery, and more. Cindy is a certified forensic examiner and obtained her M.Sc. in Forensic Computing and Cyber Crime Investigation through University College Dublin in 2011.

Frequent Speaker at NetDiligence Cyber Risk Summit

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
From our incident response work, we are finding that both large and small organizations are threatened by phishing or social engineering campaigns. Employees receive malicious emails with compromised hyperlinks or attachments, and often unknowingly forfeit some form of login credentials by clicking and downloading malicious attachments, or directly entering their credentials into a malicious lookalike form. Once the attackers obtain access to, for example, an Office 365 account, they can then manipulate the systems to deploy an attack. The threat of phishing and social engineering attacks should be a top concern for all companies, large and small.

For larger organizations, supply chain cybersecurity poses a threat due to the lack of regulation and due diligence with vendor agreements. Organizations need to assess their current list of vendors to gain understanding of who has access to their data, how is it handled, and what protections are in place. Unfortunately, this is a time-consuming task that will be added to an already long to-do list, so attackers are striking while the iron is hot.

Wire transfer fraud is also a growing threat to large organizations. We’re finding that malicious actors are stepping into email exchanges midstream and either requesting transfers or rerouting legitimate transfers to their accounts. The communications are often quite sophisticated and pick up right where the conversation thread left off. With the implementation of email forwarding and deletion rules, victims are often completely unaware that conversations have been compromised.

Ransomware continues to be a significant threat to all businesses, but specifically small organizations. Ransom amounts continue to rise, inflicting significant financial burdens and business interruption on smaller teams. Since smaller organizations often have limited resources for internal IT staff, risk management, and frequent secure backups, attackers are hijacking data and often putting small business leaders in the position of either paying the ransom or losing a significant (and potentially crippling) amount of revenue.
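The email forwarding and deletion rules described in the answer above (and the business email compromise intrusions discussed later on this page) leave a trail in the mailbox audit log. The following is an added example, not part of the interview or any vendor's tooling: it scans audit records for inbox rules that forward mail to an external domain, delete or bury matching messages, or enable mailbox-level forwarding. The records are constructed to mirror the shape of Office 365 Unified Audit Log entries for Exchange (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) and are not real client data; the internal domain list, the finance keywords and the hiding-folder names are assumptions to tune for your environment.

```python
"""Flag inbox rules that forward or hide mail, the pattern behind BEC.

Added example, not part of the interview. Records are constructed to
mirror the shape of Office 365 Unified Audit Log entries for Exchange;
domain list, keywords and folder names are assumptions.
"""
import json
from dataclasses import dataclass, field

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_FORWARD_OPS = {"Set-Mailbox"}
# Rule parameters that send copies of mail outside the owner's view.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers use to bury the thread they have hijacked (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive"}
# Subject keywords BEC rules commonly key on (assumed list).
FINANCE_WORDS = {"invoice", "wire", "payment", "remittance", "bank"}


@dataclass
class Finding:
    user: str
    client_ip: str
    rule_name: str
    reasons: list = field(default_factory=list)


def _parameters(record):
    """Collapse the audit log's [{Name, Value}, ...] list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external(address, internal_domains):
    addr = address.strip().lower()
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains


def analyze_record(record, internal_domains):
    """Return a Finding for a suspicious rule or mailbox change, else None."""
    op = record.get("Operation")
    params = _parameters(record)
    reasons = []
    if op in MAILBOX_FORWARD_OPS:
        # Mailbox-level forwarding needs no rule at all; check it separately.
        for name in ("ForwardingSmtpAddress", "ForwardingAddress"):
            target = params.get(name, "").strip().lower()
            if target.startswith("smtp:"):
                target = target[5:]
            if target and _external(target, internal_domains):
                reasons.append(f"mailbox-level {name} to external {target}")
        if not reasons:
            return None
        return Finding(record.get("UserId", "?"), record.get("ClientIP", "?"),
                       "(mailbox setting)", reasons)
    if op not in RULE_OPERATIONS:
        return None
    for name in FORWARDING_PARAMS:
        if name in params:
            targets = [t.strip() for t in params[name].replace(";", ",").split(",") if t.strip()]
            external = [t for t in targets if _external(t, internal_domains)]
            if external:
                reasons.append(f"{name} to external {external}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={params['MoveToFolder']}")
    # Finance keywords are common in legitimate rules; they only add
    # weight once the rule also forwards or hides mail.
    subject = params.get("SubjectContainsWords", "").lower()
    hits = sorted(w for w in FINANCE_WORDS if w in subject)
    if reasons and hits:
        reasons.append(f"subject keywords {hits}")
    # Attackers often give rules throwaway names such as "." or "..".
    rule_name = params.get("Name", "")
    if reasons and len(rule_name.strip(". ")) == 0:
        reasons.append("empty or punctuation-only rule name")
    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record.get("ClientIP", "?"), rule_name, reasons)


def scan(jsonl_text, internal_domains):
    """Parse one audit record per line and return all findings in order."""
    findings = []
    for line in jsonl_text.splitlines():
        if line.strip():
            finding = analyze_record(json.loads(line), internal_domains)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real client data): one classic BEC rule,
# one benign rule, one mailbox-level forward, one rule that buries payment mail.
SAMPLE_AUDIT = """
{"Operation": "New-InboxRule", "UserId": "alice@corp.example", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer"}, {"Name": "ForwardTo", "Value": "a.finance@webmail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "bob@corp.example", "ClientIP": "10.0.4.17", "Parameters": [{"Name": "Name", "Value": "Team updates"}, {"Name": "SubjectContainsWords", "Value": "weekly report"}, {"Name": "MoveToFolder", "Value": "Projects"}]}
{"Operation": "Set-Mailbox", "UserId": "carol@corp.example", "ClientIP": "10.0.4.20", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@webmail.example"}]}
{"Operation": "Set-InboxRule", "UserId": "dave@corp.example", "ClientIP": "203.0.113.9", "Parameters": [{"Name": "Name", "Value": "payments"}, {"Name": "SubjectContainsWords", "Value": "payment"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT, {"corp.example"}):
        print(f.user, f.client_ip, repr(f.rule_name), "; ".join(f.reasons))
```

The ClientIP on each finding matters as much as the rule itself: a rule created from an address the user has never logged in from, shortly after a phishing click, is the credential-theft timeline the investigator is trying to reconstruct. Audit records only exist if mailbox auditing and retention were enabled before the incident, which is the gap several of the experts on this page describe.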

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
As I mentioned earlier, phishing and social engineering are significant threats—but which can be controlled with the implementation of multi-factor authentication. At minimum, we strongly recommend that two-factor authentication be enabled for all admin-level devices and accounts. Enforcing two-factor authentication on all devices for all employees is considered best practice and would significantly reduce an organization’s risk of compromise.

Another way to reduce your level of vulnerability is to routinely update and patch your systems. When software manufacturers identify a new method of attack or vulnerability, they will deploy patches to address and combat the attacks. Failure to routinely patch systems is essentially the equivalent of finding a leaky pipe and letting it drip indefinitely.

Lastly, we see that some organizations leave themselves open to attack by keeping RDP access open on the internet. This makes them extremely vulnerable to brute force attacks by cybercriminals that can result in ransomware attacks or data compromise and exfiltration.
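The brute-force attacks against internet-exposed RDP described in the answer above are visible in the Windows Security log before the ransomware ever runs: a burst of failed logons (event 4625) from one source address, then a successful logon (event 4624) from that same address. The following is an added example, not code from the interview or any product: a sliding-window detector over such events that raises one alert when a source reaches the failure threshold and a second, higher-priority alert if that source then logs in, which is the sign a guessed password worked. The events are constructed to mirror the fields of 4625/4624 exported as JSON lines and use documentation address ranges; the threshold, the window, and the choice of logon types are assumptions.

```python
"""Detect RDP password guessing and a follow-on success in Windows Security logs.

Added example, not part of the interview. Events are constructed to mirror
the fields of Security events 4625 and 4624 exported as JSON lines; the
threshold, window and logon types counted are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# LogonType 10 is RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP credentials are recorded as type 3 (Network) instead.
RDP_LOGON_TYPES = {3, 10}
THRESHOLD = 5                   # assumed: five failures ...
WINDOW = timedelta(minutes=5)   # ... from one source IP within five minutes


def parse_events(jsonl_text):
    """One event per line; returns events sorted by time."""
    events = []
    for line in jsonl_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    events.sort(key=lambda ev: ev["TimeCreated"])
    return events


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of RDP logon failures per source IP.

    Emits one 'bruteforce' alert the first time a source reaches the
    threshold, and a 'success_after_bruteforce' alert for every successful
    RDP logon from a source already flagged.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    tried = defaultdict(set)      # ip -> usernames attempted
    flagged = set()
    alerts = []
    for ev in events:
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue                      # console, service, batch logons are out of scope
        ip = ev.get("IpAddress", "-")
        when = ev["TimeCreated"]
        if ev["EventID"] == FAILED_LOGON:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            tried[ip].add(ev.get("TargetUserName", "?"))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(q),
                               "users": sorted(tried[ip]), "at": when.isoformat()})
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev.get("TargetUserName", "?"), "at": when.isoformat()})
    return alerts


def _ev(ts, event_id, logon_type, ip, user):
    return json.dumps({"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
                       "IpAddress": ip, "TargetUserName": user})


# Constructed sample (not a real log): six guesses from one internet source in
# two minutes, then a successful logon as the last account tried; a second
# source stays under the threshold; a console failure (type 2) is ignored.
SAMPLE_LOG = "\n".join([
    _ev("2019-03-02T03:14:05", 4625, 3, "203.0.113.45", "administrator"),
    _ev("2019-03-02T03:14:31", 4625, 3, "203.0.113.45", "administrator"),
    _ev("2019-03-02T03:14:58", 4625, 3, "203.0.113.45", "admin"),
    _ev("2019-03-02T03:15:20", 4625, 2, "-", "jsmith"),
    _ev("2019-03-02T03:15:22", 4625, 3, "203.0.113.45", "admin"),
    _ev("2019-03-02T03:15:49", 4625, 3, "203.0.113.45", "backup"),
    _ev("2019-03-02T03:16:03", 4625, 3, "198.51.100.7", "scanner"),
    _ev("2019-03-02T03:16:10", 4625, 3, "203.0.113.45", "backup"),
    _ev("2019-03-02T03:16:40", 4625, 3, "198.51.100.7", "scanner"),
    _ev("2019-03-02T03:17:02", 4624, 10, "203.0.113.45", "backup"),
])

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The second alert type is the one worth paging on: a flagged source that succeeds means a password was guessed, and the "users" list from the first alert tells the responder which accounts to reset first. This only works if failed-logon auditing is enabled and the logs survive long enough to be read, the same retention point several experts make elsewhere on this page; it does not replace taking RDP off the internet or putting it behind a VPN with multi-factor authentication.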

What client mistake can impede your forensic investigation?
When we are contacted to conduct a forensic investigation, our goal is to determine the who, what, when, where and why of the alleged attack or compromise. To find this information we conduct an in-depth analysis of the client’s systems, generally from a forensically sound image. Where we run into issues is if the organization has taken steps to recover their systems or investigate the incident before taking steps to preserve the evidence. If IT staff react to recover from an incident without taking steps to preserve the systems in their compromised state, they often destroy evidence that the attacker left behind, or cover the cyber criminal’s digital footprints with their own activities on the system. It can take a great deal of time and effort to separate the activities of the attacker from the activities of the responding IT professional.

We also commonly see that organizations have insufficient or nonexistent backups. We recommend routine backups that are fully encrypted and stored in a secure, off-site location. Not only does this best practice ensure forensic investigators can access the information from previous states of the system when they need to get answers, it also often allows you to restore after a ransomware attack without having to pay cybercriminals and reduces overall business interruption in the event of an attack.

Insufficient or nonexistent cyber insurance coverage can also impede a forensic investigation. In a best case scenario, when an organization falls under attack, it will have a cyber insurance policy in place that covers the expenses associated with responding to, investigating, and recovering from a data breach. If an organization does not have a sufficient policy in place, they may not be able to afford to respond to a breach. Without proper coverage, the organization may not be able to evaluate the full extent of the attack or identify if threats still exist.

What potential systemic risk keeps you up at night?
The systemic risks that nag at the back of my mind generally involve things like: 1) nation-state manipulation of public opinion that encourages further fragmentation of civility, 2) political polarization that interrupts otherwise stable systems and results in things like the longest government shutdown in history, 3) socioeconomic inequality and nationalism which lead to inherent imbalance and conflict in our society, and 4) global warming. Because really, we can overcome just about any problem on the smaller scale, but without a stable government, a just and equitable society, and a planet to live on, none of the rest of it really makes much difference.

What tip or advice will all of your clients hear from you?
While we may sometimes feel like a broken record, these tips are vitally important. When you suspect an incident, immediately disconnect all systems from an internet connection. In many cases, the internet serves as the attacker’s portal into your systems so going offline will block or interrupt attackers from accessing or exfiltrating your information. Once the dust has settled after an incident, we always instruct clients to change as many passwords as possible to more complex, more secure combinations. And, as I mentioned earlier, implementation of two-factor authentication is something we urge clients to pursue. Doing so decreases the risk of another attack.

What got you into this field?
My pathway to incident response work may be different than most. I spent the majority of my career in law enforcement both in the military and with the Madison, Wisconsin Police Department. I always wanted to catch the “bad guys” and do my part to make sure justice was served when any wrongdoing took place. My innate curiosity and passion for solving difficult problems led to my interest in digital forensics and cybercrime. After nearly 20 years of investigating cybercrime for the police department, I decided to take a leap of faith into the private sector. At Gillware, I’m able to help businesses recover when they fall victim to a cybercrime, and then proactively work with them to avoid another attack in the future.

What is your favorite cyber breach scene in a movie or on TV?
While not strictly a “cyber breach” my favorite cyber-mishap related scene is from 2001: A Space Odyssey when Hal malfunctions. Hal has a serious meltdown after he is ordered to lie to the crew of Discovery. He basically has an existential crisis over deceiving the crew about the fact that the success of the mission is prioritized over human life, while also being programmed to process information accurately “without distortion or concealment.” This conflict made him as human as any of the other characters in the story. I think part of the reason this is my favorite scene is that any of our own technology systems which we rely upon heavily and which are designed to be helpful to us can work against us in ways we don’t anticipate.

What do you like to do when you’re not working?
If I’m not at work, it’s highly likely that I’m playing a gig with my friends in the Hoot’n Annie String Band. Depending on the day (or mood), you can find me playing a tenor banjo, 5 string banjo, cello, viola, tenor guitar, mandolin, or ukulele. If I’m not on stage, I’m probably hanging out with my Brittany Spaniels and spending quality time with family and friends.

Can you share a fun little-known fact about yourself?
Most people don’t know that I have been a knot-tying enthusiast for many years. There is something fascinating about the complexity and simplicity of tying a knot—it serves as a great reminder that even the most complex problems can be solved and the most difficult issues can be deconstructed.


James Arnold

Principal, KPMG Cyber

A principal in KPMG LLP’s Cyber Services group, Jim helps lead KPMG’s Cyber Response practice, the Cyber Due Diligence Channel and the Cyber Insurance Sector. Jim has over 30 years of practical business and legal experience, including over 20 years of private practice, in-house legal, forensic, and cyber consulting experience. Jim has in-depth experience providing and/or supporting proactive assessment, design, and implementation of cyber security programs and cyber due diligence activities; reactive assistance in complying with cyber breach, internal, court and agency issued investigations, document preservation, and discovery orders; and project management of cyber breach investigations, cyber due diligence activities, computer forensic, neutral and expert witness and data identification matters.

The views and opinions expressed herein are those of the interviewees/survey respondents/authors* and do not necessarily represent the views and opinions of KPMG LLP. © 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. [Printed in the US].
The KPMG name and logo are registered trademarks or trademarks of KPMG International.

KPMG Frequently Speaks at NetDiligence Cyber Risk Summit

What are the leading cybersecurity threats facing large companies? And which ones are of greatest concern to small companies?
There are a lot of different threats targeting both large and small companies, and the number of threats is growing year after year. The types of threats are highly dependent on the nature of business (and not always dependent on the size of a company). For example, credit-card-scraping campaigns may target a small local chain of restaurants as well as large multinational hotel networks. However, keep in mind that a large-scale campaign is generally conducted by “professional” groups of attackers—often criminal enterprises, but may also be affiliated with so-called Advanced Persistent Threat (APT) groups. Such groups may have different “departments” responsible for various stages of attack, and have enough “employees” in order to execute effective intrusion and evasion techniques. Ransomware attacks still remain a major threat for both large and small companies. Ransomware is also used by APT groups at the end of intrusion (or in case of detection) in order to wipe out their traces and the important evidence required to complete a proper investigation. One of the largest threats of the recent years are business email compromise (BEC) intrusions, when employees’ email accounts are used to perform fraudulent actions, such as rerouting financial transactions to bank accounts controlled by attackers. We’re also concerned about third-party risks, exploitation of poor security practices and system vulnerabilities and cryptomining.

What cybersecurity safeguards do you often find missing or defeated in connection with a breach event?
In terms of the human factor, the lack of cybersecurity awareness programs looms large. Companies need to train employees to avoid clicking links in emails, entering network passwords to web forms, and opening malicious attachments. We tend to see poor security mechanisms, such as single factor sign-ins. Two-factor authentication wards off a large percentage of attacks. Poor or misconfigured password policy, flat network topology, unprotected Crown Jewels and unpatched systems are other telltale causes for breaches. Finally, we see network and security engineers who are not completely aware of their organization’s network architecture and security. Often, when KPMG’s Cyber Response team arrives at a client’s site, the client’s security team is learning their architecture (and detecting network misconfigurations) while KPMG performs an investigation, which is much too late.

What client mistake can impede your forensic investigation?
A few major things can significantly affect forensic investigation:

  • Lack of evidence due to misconfigured log retention policies. Log data is critical for a network intrusion investigation. If not collected/stored properly or for sufficient periods of time, this can significantly affect the investigation.
  • Important evidence tampering. If a client’s cyber security personnel are not properly trained or perform triage investigation improperly, there is a high chance of altering/removing critical evidence.
  • Client does not know their network. As I stated earlier, this affects the effectiveness of the investigation.

What potential systemic risk keeps you up at night?
I’m most concerned about compromise of critical infrastructure.

What tip or advice will all of your clients hear from you?
Be proactive. Invest in your security personnel and defensive measures. This will include proper employee awareness and education as well as board awareness, tabletop exercises and other tasks to be prepared for a cyber incident before it happens.

What got you into this field?
Over 10 years ago, I got into the field of forensic technology and cyber security services when a high-level executive of one of my clients who had operations in China perpetrated an FCPA violation. This investigation gave me the opportunity to lead a multi-year investigation in 13 countries and I was hooked. Working with clients, outside counsel and KPMG’s global resources to investigate both internal and external threats is an awesome way to make a living. I never know when the next investigation will start or what it will entail or where in the world it will take me. I have traveled to five continents to lead investigations—I still need to get to Africa and Antarctica.

What is your favorite cyber breach scene in a movie or on TV?
While it may show my age, one of the first hacking scenes I ever saw was when Ferris Bueller hacked into the school’s computer system to change his grades and attendance records while Principal Rooney was looking them up online.

What do you like to do when you’re not working?
I enjoy skiing, hiking and fishing. My wife and I recently purchased a 170-acre ranch just outside St. Louis and we spend most of our free time there.

Can you share a fun little-known fact about yourself?
I am a huge St. Louis Cardinal Baseball fan. For the past 10 years I have been leading KPMG’s team in Chicago, but I live in St. Louis. I have a two-sided business card with my Chicago and St. Louis offices. I do this so I can make it clear to everyone that I only work in Chicago and am NOT and will NEVER be a Chicago Cubs fan.