Incident management is about so much more than emergency response, something Kevin Strickland knows all about. In this episode, the Secureworks™ Director of Emergency Incident Response lays bare the scope and intricacies of effective incident management. You’ll hear how Secureworks anticipates, prevents, handles, and contains incidents – proactively and holistically – and how experience and lessons learned from client engagements are ultimately the best teacher. Get insight into the software and “cyber detectives” that root out and repel threats – plus, hear Kevin’s top tips for choosing the right provider.
Secureworks Interview with Kevin Strickland
Sally: Hey everyone, a warm welcome to our latest episode, focusing in on incident response. And I'm delighted to be joined today by Kevin Strickland, who is Director of North America Emergency Incident Response. Welcome, Kevin.
Kevin: Thank you for having me. Glad to be here.
Sally: Absolute pleasure. And it brings me back to my background actually, in change management, problem management, and incident management as well.
It's lovely to be drilling into this. So, for our viewers and watchers who may not be fully aware, could you unpack a little exactly what “incident response” really means?
Kevin: Great question. I think we actually conflate incident response a little bit with a couple of different things.
So here at Secureworks, we do a lot more of what we call incident management, which is a component of incident response. So, incident response – most people think of that as just kind of driving to the solution or root cause of an incident, and the incident being an adverse effect in the environment. But it's really much more than that. It's management of the entire incident itself, which includes things like the root cause analysis, figuring out how a system was either infected with malware, or how it was compromised, or how a threat actor got into the environment.
But there's even more to it than that. There's managing the assignment of tasks, having someone make sure we're taking appropriate notes. Someone taking the time to figure out lessons learned when the incident's all said and done. How do we make sure we follow up and make sure it doesn't happen again? Is there any sort of communication that needs to go out? Is that communication internal? Is it external? Are there notifications? Are we under any laws or regulations that say that we need to inform any customers of this? So, when we talk about incident response, we’re talking about more of a holistic incident management perspective, rather than simply what I think a lot of folks dig down to which is just responding to how something got infected or compromised. From that perspective, it's a much, much more holistic approach.
Sally: So, all the way through from things like ransomware to say business email compromise, cyber extortion, different insider threats, and also adverse persistent threats I would imagine as well. So, it's that whole range that's in scope, isn't it? And through that process, I’m sure for yourself and also Secureworks generally, so much learning is taking place through managing these types of different engagements. Can we share a little bit more about that for the audience too? Some of the stories of engagements you've been involved in when you've seen the need for more detailed protection and response, going beyond MFA (multi-factor authentication), for example.
Kevin: So, there's three things I'm going to present as a high-level overview. One of the first things that we noticed on a lot of these occasions is that there isn't a proper service overhead going on. In other words, who's managing the alerts? Who's watching the alerts? Is it an internal security operations center or is it an external partner and what is the extent of what that partner is doing?
We were working on an engagement just this past week actually and as we were doing the analysis, we found that the threat actor got in there and was able to compromise a public-facing system, exploit it, and then deploy ransomware – all in less than four hours. And as we were doing the analysis, we actually found out that there were several alerts that were being triggered, but the question was – we’re notified, but who was looking at the alerts? The customer wasn't quite sure who was doing it, if they were supposed to be doing it, or if it was a third party doing it.
There was a lot of confusion. So, one thing we always want to focus on is, do you have a good MDR service (a managed detection response service) on top of it and understand exactly what they're looking at, what data's being fed to them, and what capabilities you’ve given them to respond for you. Because that four-hour timeframe from infection to ransomware deployment is quite fast.
The second component we'll talk about is visibility gaps. What systems do you have? What tools do you have? Do you have EDR, which is endpoint detection response? What firewalls do you have? Are they all integrated to a single pane of glass that we can see? The answer is always yes, yes, yes. And then you dig into it and find out actually no. We didn't have visibility of this environment over here, or we didn't know about this account over there. Or we didn't have it all in one system. It's in six separate systems, as an example.
So, one thing we really focus on, and one of the lessons that we have, is visibility and having everything all in one spot, having it in a central location. Making sure that the tools are deployed as widely as we can and implemented correctly.
The third element is improper security controls. You mentioned MFA, for example. A lot of the incidents we work on for business email compromise do have MFA, or multifactor authentication, in place. But what we find is that it's not implemented correctly. As an example, what we see is just push notifications. Well, a push notification is when you enter your credentials, your username, and password. You’ll get a request on your phone to either answer it and hit a number, or you’ll get a text message and you just reply, “Yes, this is me.” Well, if a threat actor gets your credentials, your username and password, it's relatively easy to send you that push notification or to answer a phone call. And at two o'clock in the morning, you're going to be sitting there like, yeah, yeah, yeah, I got it. If you want to configure that correctly and have something much better than just push notifications, as an example.
I would say those are the top three lessons that we’ve learned from engagements.
Sally: Great story there. That time gap from infection to the full yard, so to speak, of four hours. I mean, it really brings to the fore, the impact here and also divides it into those three pillars, as I like to call it, and really makes it accessible too. I also think, just thinking about what you were saying there about the types of challenges in incident response, I think it echoes what we're seeing in technology more broadly around integration and visibility, you know, as well as role responsibility and accountability. And also the ecosystem coming together and sharing about these types of threats, and working together more collaboratively as well.
Really, really interesting. And I know we can't go into specifics around certain customers, but drawing back on that example, the four hours one. I wonder if you've got any other stories that bring to life the power of incident management or response done right, but also where things go wrong. Something really memorable from an engagement like that, that we can all learn from?
Kevin: We work a lot of engagements, you know, in the Security and Response team - over 1000 each year. And this, actually, I think, moved into my ninth year at Secureworks. So, we've been involved in a couple of different ways, over 9000 incidents in nine years, give or take. Don’t quote me on the number.
One of the things to remember is that when there is an incident, it's not a good time for anybody. It's not a good time for the customer, right? They’re suffering. There is an impact that most people probably don't think about. Take a bank, for example, a financial institution and they have ransomware. Well, that's not just that business, but it's the people that are part of that business, right?
I mean, we all have our money in the bank and so think about when that goes down. Can I get my money out today? You know, I need to take out a hundred dollars to go buy food for my family, or something along those lines. It has a bigger impact than we think about. So, I just want to make sure I caveat, when we talk about engagements that there is a larger impact than simply a company going down.
At the same time, as practitioners, responding to an engagement is fun, right? It's detective work. We're deducing, we're trying to put the puzzle pieces together. We're trying to figure out what the threat actor did. Did they change anything that they're doing? We just want to make sure that we recognize it is a struggle. There is a downside to it, but at the same time, it's an art. It's a science and detective work that we go through.
So, there’s been a couple of memorable engagements for me, there has been a couple, but one that sticks out for the detective work, is when we were pulled into a global manufacturing organization that was at a global scale and had different sites across the globe: the US, Mexico, Australia, all over the place really. When we got in, the FBI had actually reached out to them to let them know they had been compromised and we started digging into it. And it wasn't just one compromise, it was four or five different compromises.
There were opportunistic threat actors inside the environment. What I mean by that is that they just kind of got access and you could tell they were playing around and maybe they were going to sell it. And we actually found two different nation-state threat actors in the environment with two different objectives, trying to steal very significant intellectual property from the environment. To be able to go to the customers and say, “Hey, you have a bigger issue than what the FBI has told you. There's actually a lot of impact within your environment that we need to dig into and start separating – and help get you to a better place.”
So, that was one example that has stuck close to my mind over the past couple years, because it was a very serious implication. There was a lot going on. There was data theft from intellectual property. There was potential for ransomware deployment to bring manufacturing plants down. There was just a lot going on and we were able to work together with that customer to put them in a much better place and ultimately not have ransomware deployed, and also limit the intellectual property that was taken.
Sally: I love the fact you brought different elements to the fore there. A: the complexity, all the different bits that fall together, you know the different flows there. The non-linear elements to this as well. Really interesting. But also, you've explained the enterprise or corporate impact of this, as well as the personal one – the individuals, the families. It’s really important to bring those two things together.
Also, as a side note, the dynamism of this space, what you’re dealing with and how it's ever changing, the detective work, as you described it as. For anyone listening or watching now who may be interested in this as a career, what a place to be with the agency to make a difference in something like this.
We do a lot around inclusion, and I just want to make a shout out, because I think what you said there is really powerful to show what you can be involved in – and the intricacy, art, and science involved in dealing with that. I think it’s a really good, advert for that as a career, to be completely honest with you, getting involved and really making a difference there. So, thank you for sharing that too.
Kevin: Absolutely.
Sally: Another area I'd love to drill into, the final part of our discussion today is for people out there at the moment, organizations of all sizes, when they're looking at this and making decisions around incident response and different providers, what would you say are some of the key considerations for them to look at to help make that informed choice?
Kevin: Yes, I always kind of pick the top three, top five, but there's three that I go to. One of them is going to be the experience level of the team, right? When you're going to get a house built, for example, or a car, you want really experienced people. That's the place where you're going to live, a car’s something you're going to drive. You want it to be safe, you want it to be reliable. Same thing with incident response. You want to have the right experience. And what I mean by experience is actually a couple of different components.
What's the skillset of the team? Are they, for example, former law enforcement? How long have they been doing it? Has it been six months? Has it been 10 years? What do they specialize in? Mobile forensics? Do they do Mac forensics, Linux forensics? Do they have backgrounds in SQL? Do they have backgrounds in Microsoft directory, for example?
You want to have a team that has a plethora of experience in different domains of expertise across the board, because when you get involved in an incident, it's not always going to be just Windows devices. It could be Linux, it could be Windows, it could be Mac. It could be a combination of things. You want to have a very good experience level there.
One thing we actually sought after in our practice at Secureworks Incident Response is having more developers and coders, bringing them into the fold, because they’re able to help automate and make us more efficient at finding things that stick out from the normal when we're doing some of our forensics overall. And that's a different paradigm that I’ve seen with other companies, kind of focusing on being able to apply machine learning to actual forensics and incident response to help get you to a better place.
The second part is threat intelligence. I mean, you want to have threat intelligence as part of the incident response team. We have a great relationship with threat intel, we call it our threat research team, and they specialize in doing attribution and the nation-state coverage, but at the same time helping us understand what the threat is actually doing, the TTPs or tactics, techniques, and procedures, the behavior of the threat actor. And so, when we get a new engagement, for example, we'll take a look and say, well that's Basta ransomware. What leads to Basta ransomware? Well, that's Qakbot malware. Well, here's exactly what Qakbot malware looks like.
And so, you can go to a customer and very quickly say, we know exactly what it looks like. We know exactly what we're going to look for. We know how they behave. We know how they come in. We know how they infect systems. And you're much faster and a lot more efficient. And ultimately what that means to a customer is reduced risk. It means your business gets back up and running much faster and gets to really what you want as business, to operate efficiently and effectively.
The third part is going to be monitoring. We kind of mentioned this earlier with the incident management piece. Response is a part of it, finding that root cause, but what if the threat actor hasn't been kicked out yet? What if you haven't uncovered all those nooks and crannies? What if you haven't seen everything so far?
You want to be able to have a team that's not just your IR team, but a whole team that can actually monitor for any alerts that pop up, monitor for the threat actor coming back in. A good example of this is when we often see threat actors that come in and will be there for a long time. There was a recent one where we actually saw that they'd been in there since March of the last year and didn't do anything until December this previous year, so March 2022 to December 2022, they actually didn't do anything. They were in there for that long, but they weren't doing much. But they will come back in about every 90 days. And why they come in every 90 days is because the password reset policies for most orgs are 90 days.
Being able to have a monitoring team that sits there and watches new alerts or any recurrence of activity or new IOCs (indicators of compromise) is imperative. You want to be able to have that, you want that level of comfort. Again, kind of reducing that risk and knowing that someone's there watching instead of just doing dead disk forensics at night, for example. You want someone to be able to watch it and say yes, we feel safe, we feel comfortable. Again, like our Secureworks managed XDR service, it’s having someone be able to watch that for you or the customer.
Sally: I think that's really, really helpful. What a great example of a slow bleed attack that you were talking about there. The one that dated from March. Wow, that's staggering. I think my only final point on that is also to look at the accreditation. You know, for example, from NSA and NCSC, which I know Secureworks definitely has as well. Really important again for people to look at outside accreditation. I saw your white paper as well about nine questions to ask. I thought that was excellent. Again, it just helps you step by step personalize it to your organization and where you are.
Kevin, I could talk to you for much longer, but I know I have to close. Thank you so much for joining me.
Kevin: Thanks everyone!
Sally: And thank you all for watching and listening as well. It's been another episode of Let's Talk SoC and we'll be back soon with another feature, another aspect that's key to your cybersecurity protection and defense. Thank you so much for joining us.