Part 1 of 3: exclusive perspectives with Ryan McLaren and Shanna Daly
Vaughan Shanks: Hello and welcome to CydShow. I'm Vaughan Shanks, the Co-Founder and CEO of Cydarm Technologies. Today, I'm joined by Shanna Daly, Principal Consultant at Cosive, and Ryan McLaren, Co-Founder at Retrospect Labs. Welcome.
Shanna Daly: Thanks, Vaughan.
Ryan McLaren: Thanks, Vaughan.
Vaughan: Today, we'll delve into the recent AWSN incident response competition, flawlessly orchestrated by Retrospect Labs. And Shanna, as a judge in the competition, we're eager to hear your insights. So to kick off, the competition encourages teams with diverse skill sets, not solely focused on technical prowess. Ryan, could you share how the integration of various skills within the teams contributed to the overall incident response strategy?
Ryan: Absolutely. This marks the third year of the AWSN incident response competition, and from the outset, our emphasis has been on championing diversity in cybersecurity. This isn't confined to gender diversity; it's about assembling a team with a spectrum of skills crucial for effective incident response.
Each year, we craft scenarios encompassing technical, communication, senior executive, legal, and regulatory aspects. These elements form the criteria for evaluating teams. We firmly believe that a well-rounded team, blending diverse skills, is more potent than the sum of its individual parts. In the realm of cybersecurity, particularly incident response, a broad skill base is essential for success.
I believe it's crucial not to limit our perception of cyber or incident response to merely a technical realm, and that's precisely why we've structured the competition this way. It serves as a compelling invitation for individuals who may not identify themselves as deeply technical to step forward, take part, and revel in the experience, all while gaining valuable insights.
From our standpoint, it's imperative to recognize the diverse roles within the cybersecurity landscape. By leveraging platforms like the AWSN incident response competition, we play a small yet significant role in advocating for this message and nurturing these essential skills across the industry.
Vaughan: Absolutely. Shanna, given your role as a judge and your day-to-day involvement in the field, how did you observe the contestants or teams integrating these varied skill sets?
Shanna: This marks my second year evaluating the competition, primarily focusing on the technical aspects. However, participants were also tasked with handling legal matters and orchestrating diverse communication channels. So I want to echo Ryan's emphasis on the necessity of diverse skill sets within a team. It's not just about consolidating technical details; it's about effective communication, both internally and externally. In scenarios where external PR isn't feasible, understanding how to articulate messages becomes pivotal—knowing how to extract information during interviews, such as with someone who discovered an anomalous incident on their laptop.
These often overlooked skills, seemingly unrelated to incident response, are seamlessly brought together in this challenge. It's a refreshing departure from the more technical emphasis of capture the flag events or the high-level approach of traditional tabletop exercises. What truly impresses me about this competition is the meticulous attention to both technical scenarios and the subsequent communication demands, reaching legal teams, executives, and the board, transcending the purely technical realm.
Vaughan: Shanna, would you say this competition offers a fairly authentic portrayal of how these incidents unfold in the real world?
Shanna: Absolutely. The scenarios, even from last year, are grounded in real-world occurrences. While names and locations are altered for confidentiality, they undeniably mirror situations that companies have faced or are currently dealing with. It's a true reflection of what one might encounter during a significant incident in an organization. And, of course, Ryan, with your extensive career, these scenarios likely resonate with your experiences.
Ryan: Indeed. I hope it doesn't trigger too much for those of us in incident response, but Shanna is spot on! Our focus is on creating an experience that closely mirrors the reality of cyber incidents, encompassing the potential harm, the investigative time investment, and the frustrations inherent in the process. It's not uncommon to spend hours at a keyboard grappling with challenges, but that's the essence of incident response.
All the scenarios we've crafted for previous competitions draw inspiration from real-world tradecraft observed in the wild. They employ current tactics, techniques, and procedures that threat actors deploy to target victim organizations. Our goal is for participants to emerge from the competition feeling like they've engaged in a genuine incident response operation—building confidence and a nuanced understanding of what the field entails.
Vaughan: It's indeed a valuable simulation for real-world scenarios. Shifting focus to the competition itself, the scenario's attacker utilized a range of TTPs. Ryan, what analytic techniques did you observe participants employing against the attacker?
Ryan: Certainly, there's quite a bit to unpack there. As we highlighted earlier, authenticity is paramount. In this year's competition, we equipped participants with a virtual analysis environment, complete with several open-source but commonly used tools for incident response.
Again, participants had the invaluable opportunity to gain hands-on experience using actual tools, delving into the analysis of real data such as disk images, memory dumps, and log files—forensic artifacts integral to a comprehensive response operation.
The competition integrated this hands-on element seamlessly, offering access to an environment that facilitated these tasks. Beyond the technical toolset, our focus extends to participants' ability to ponder the questions at hand. We encourage them to consider industry standards, frameworks, and guidelines, especially within the incident response lifecycle.
From the initial triage, understanding the extent of compromise, to tracing the initial vector used to infiltrate the victim network, and ultimately exploring containment and remediation options—each stage demands a nuanced approach. We seek participants to engage in critical thinking, identifying the relevant guides and recognizing the norms of incident response.
Our commitment to providing tools supports participants in these endeavors. Establishing a robust analysis process, as emphasized with tools like Cydarm, ensures a structured and methodical approach. A rigorous technical analysis process is paramount for obtaining an accurate understanding of the incident.
Vaughan: Shanna, as a competition judge, how did you perceive the technical analysis, and how did it align with your typical approach to handling incidents?
Shanna: In the judging process, we didn't assess the method of arriving at answers, but rather focused on the ability to analyze components like Windows event logs and delve into the Master File Table to track file activity on systems—essential technical aspects. Teams were challenged to locate specific artifacts within systems, analyzing them to formulate answers. Interestingly, this year posed several questions that proved challenging for numerous teams, adding an intriguing dimension to the competition.
One piece of feedback I gathered from this year revolves around refining the phrasing of questions. It appears that nuances in wording sometimes led participants slightly astray when seeking answers. Learning the art of extracting information and subsequently analyzing it seems to be a key takeaway.
In seeking more general feedback, I inquired about tools or insights participants wished they had known before undertaking the competition. Interestingly, both responses revolved around Windows event logs—one suggesting the use of Hayabusa, while the other leaned on the reliability of Excel. As an incident responder, the love-hate relationship with Excel is somewhat of an industry inside joke. It's often said that when asked about the best incident response or digital forensics tool, the answer invariably includes Notepad or Excel.
The ability to manipulate and interpret data correctly in these tools becomes crucial. While most teams adeptly gathered and analyzed information using various tools, extracting precise answers posed a consistent challenge. Our focus in evaluating teams delves into this technical aspect—not merely the route they take but their ability to interpret the analysis.
Ryan: Yes, Shanna has hit on a vital point about interpretation, emphasizing the need to comprehend not just how to use a tool and formulate queries but also to articulate the significance of the output. That's one of the things I guess we'd love to see people demonstrating: "this is critical because of XYZ reasons." And of course, having access to tooling like Cydarm so that they can store, catalog, and share all of their findings within their teams was also a really critical part of this year's competition.
Vaughan: I guess once you've meticulously cataloged those findings, the subsequent challenge lies in effectively communicating them to diverse stakeholders. Let's take a short break and come back to discuss effective communication.
Continued in Part 2…