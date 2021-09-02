

As a part of our series about “5 Things You Need to Know to Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Nathan Little from Tetra Defense.

Nathan Little is the Vice President of Digital Forensics and Incident Response and Partner at Tetra Defense. He leads the incident response and data breach investigation team.

Nathan and his team specialize in remediating ongoing cyber incidents, finding the root cause of them, determining the exact actions of malware and attackers, and getting businesses back up and running safely after an incident. Some of the most common cases Nathan’s team encounters are related to ransomware, business email compromise, wire transfer fraud, and more. Nathan’s unique experience writing digital forensics and data recovery software allows him to find and recover data and forensic artifacts that may otherwise go unfound. Nathan graduated from the University of Wisconsin College of Engineering with a B.S. in Computer Engineering in 2013.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I’ve always been a math and science person — I’d even go as far as to say “nerd.” I participated in my 3rd grade Lego robotics team where we had to drag and drop little blocks of code to make the robot do things, and I’ve been interested in computer science since.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It wasn’t until high school that I was able to more formally learn to program in computer science classes, and I was able to establish a background in it. As I went on to college at the University of Wisconsin — Madison, I originally pursued Mechanical Engineering (in an attempt to not be an ultra-nerd). I was interested in this field as well, but after a few years, I realized I wanted something more fast-paced. As opposed to a year- or two-year-long design phase, I preferred the hour- or two-hour-long design phases allowed by the computer science world. I switched to computer engineering, and it was a great decision for me.

Can you share the most interesting story that happened to you since you began this fascinating career?

Learning about the behavior behind the threat actors, or the bad guys, holds a lot of interest for me. Despite how technical our line of work is, the motivations behind each attack we investigate are human to the core. Ransomware in particular operates as an organized business, complete with forums on the dark web for recruitment, franchising malware samples, and negotiating “commission” when an organization pays a ransom to them. One recent ransomware attack had a unique twist — video screen captures recorded the event, revealing that the threat actors accessed a live feed throughout the attack, which enabled them to actively monitor their victim’s response when the ransomware was triggered.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

We’ve been really adamant at Tetra Defense to trust and respect our teammates enough to encourage them to take the time they need to thrive. Cybersecurity is notorious for long hours, high stakes, and little to no downtime, so we combat that through our unlimited paid time off policy, team structures, and a non-9–5 schedule. Being sure to take care of the humans behind the screens is not only the decent thing to do, but it also strengthens our team and keeps everyone in a state of mind to learn new skills, work with our clients, and collaborate with everyone here.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Something that has always interested me in cybersecurity is the “minute-by-minute” pace. This is a good description of how my day usually goes. Things change very quickly in the incident response industry, starting with whenever incidents occur. We never know when our team is going to receive a call, but we’re always ready to answer it. Most of what I do is design response plans for the incoming cases and make sure that our team executes them. I’m also known to occasionally get into the weeds as far as the specifics of each case, and that contributes to our training here at Tetra.

Training is another area of cybersecurity that’s fascinating to watch and be a part of. Since everything changes so quickly, it’s always a team effort to find the best solutions. It’s very common for our most senior people to jump into supporting roles for our junior teammates so they can lead the way on forensics and investigations. We believe the more information and hands-on experience, the better, so we always encourage our team to take both leading and supporting roles, no matter their years of experience. It’s in this same vein that we’re creating TetraU, our in-house training and professional development domain in Tetra for helping our teammates grow and lower the barrier to entry for newcomers to cybersecurity.

The last area of cybersecurity that I find fascinating is how closely connected it is to other industries, especially considering now that cyber is part of critical infrastructure. By better educating and protecting our clients, we also teach cyber insurance and privacy counsel how to raise their own cyber hygiene. The cybersecurity industry shouldn’t and can’t be alone in the fight to strengthen defenses, and it’s been great to watch how other industries are learning how to join in on that fight as well.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

During COVID-19, securing work-from-home access was a must. A lot of lessons were learned as far as how to keep companies protected with a scattered team, but now that offices are reopening and more hybrid models are on the rise, our focus can now be more on our cloud environments. We always recommend addressing security and data by starting inward — if proper configurations are put in place within an organization, far fewer problems arise when expanding outward to cloud environments. Cloud providers offer security services and tools to secure an organization’s workloads, but it’s the administrator of that organization who actually needs to implement the necessary defenses. It doesn’t matter what kind of security defenses the cloud provider offers if you don’t protect your own networks, users, and applications. Securing the cloud will better protect an organization’s data should a threat actor ever target a cloud conglomerate.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Speaking to the safety of accounts and 3rd party clouds, a recent investigation revealed that one attacker actually used several victim organizations’ logins to carry out one ransomware attack. This ransomware attack was against a healthcare system, and it was brought to our attention in late 2020. Our investigation began with the healthcare system in question, but we quickly discovered two separate organizations that were connected, compromised, and leveraged as well. These separate organizations happened to be universities in Hungary and Mexico that were meant to stage data. University login credentials are valuable to attackers for several reasons. In this case, the attacker was able to leverage two universities’ vast storage to archive data from a separate victim. Universities also can provide attackers with unauthorized access to databases, new research, intellectual property, student information, and a plethora of other information that can be leveraged in a potential ransom. The main takeaways from this story are how there’s no such thing as an isolated incident, how attackers will use and re-use the tools they have on hand in ongoing attacks, and how accounts across several industries can be compromised.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We run into a lot of tools to carry out the work we do, and we regularly vet and audit them to make sure they are as optimized as possible. One tool that has been particularly useful to us is SentinelOne, an Endpoint Detection and Response tool. It basically works as an Anti-Virus, but it goes beyond simple detection by incorporating AI technology, user behavior, and robust alerting. Our incident response team rolls out SentinelOne as quickly as possible when responding to an incident. During the engagement, the Tetra incident response team monitors alerts from the tool to ensure threats are eradicated and it is safe to bring systems back online. We go even further after an incident with our Cyber Defense Operations team that leverages SentinelOne for ongoing protection, threat hunting, and alert triaging to offer clients the most accessible, accurate glimpse into the security of their environment.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

We always articulate the following: Based on what we’re seeing day in and day out, every company could be a target for ransomware. Threat actors exploit known vulnerabilities in old software, apps, browsers, you name it, and only after they’ve been able to compromise a network do they know who they’ve broken into. Specifically targeting a company is much less of a focus for attackers these days, so companies are no longer “too small” or “too inconspicuous” to get away with insufficient security. In order to ensure sufficient security, we recommend Managed Detection and Response services. Cybersecurity doesn’t just happen overnight, and it requires the work of robust tools and knowledgeable teammates to customize them. That’s been our best approach at Tetra with our Cyber Defense operations, and MDR services are usually the best route for raising the cyber hygiene of an organization since they come with tools and teammates that watch over you at a reduced cost, and with more effectiveness than an out-of-the-box solution.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Unfortunately, the most common case of ransomware we see daily starts with “this happened out of nowhere!” — and that’s by design. Ransomware operators often go undetected in a network, especially considering the common point of entry they use, externally-facing systems. If a ransomware operator exploits a system that faces the public internet, chances are the organization may not notice them (since they left a public-facing service there in the first place). An indicator that something might be amiss comes in the more tangible form of email messages and social engineering. If a message is too urgent or seems too good to be true, it probably is. This can also indicate a business email compromise attack or a simple phishing campaign that could later lead to a more serious attack.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

One of the biggest misconceptions in cybersecurity is that lightning doesn’t strike twice. If an organization faces a ransomware attack, remediates it, but does nothing to stop it from happening again (i.e., doesn’t close a public-facing port to their network, doesn’t implement MFA to protect accounts, doesn’t follow the advice of cybersecurity professionals), chances are it will happen again. Protecting themselves further comes from arming themselves with tools and teammates (or outsourcing both through Managed Detection and Response services) that are dedicated to combating the latest threats and providing the latest security measures.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The most common “mistakes” we see are too many services and systems open on the public-facing internet. Leaving Remote Desktop Protocol (RDP), a common method for work-from-home access, open to the public internet is still one of the main ways attackers enter a network. Keeping work-from-home access in mind, protecting accounts with Multi-Factor Authentication is also a safeguard many organizations don’t implement, which is mistake #2. Finally, the third mistake is the lack of email security gateways — the technical implementations that read emails, attachments, alert to external senders, quarantine messages, etc., to keep malicious emails from entering an inbox in the first place.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

The biggest errors we’ve seen are those that don’t protect employee accounts when working from home, especially as threat actors continue to exploit RDP and even known Virtual Private Network (VPN) access.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Understand the enemy — Threat actors are opportunistic — they are looking for a quick payday and exploit anyone they can to ensure one. While major corporations remain a big target for threat actors, many attacks happen to small to medium-sized businesses as well. Cybercriminals often use scanning tools to find any computer in a certain area that has a vulnerability that they know how to exploit. After performing this scan, they may have a list of hundreds, or thousands, of computers that have this vulnerability. Then, one by one, they’ll exploit those vulnerabilities. Only after they’ve exploited that vulnerability and gained access to the network will they find out whose network they’ve actually compromised.

Understand cybersecurity landscapes — Cybersecurity is an industry that always has opposite and often stronger forces fighting against it. Threats evolve faster than remedies, so when attackers change course, organizations struggle to identify vulnerabilities, patch systems, or reconfigure security tools before a crisis strikes. Considering the ever-changing nature of these threats, cybersecurity cannot be “set and forget.” No matter how advanced a security technology or documentation, its value decays rapidly if not actively managed and utilized to its fullest potential. Despite the attention this requires, security within organizations is quickly overburdened and deprioritized.

Tools & team — Cybersecurity changes minute-by-minute, and it requires a team of passionate people who can continuously find new solutions, informed by the latest threat actor behavior. No matter how robust an anti-virus or vulnerability scanning tool is, there comes the danger of alert fatigue or a lack of knowledge transfer to properly translate what issues require attention.

Follow the recommended frameworks — There’s been a huge push lately from Federal agencies to finally remedy the challenges that organizations have had with their cybersecurity. This is a long-overdue recommendation, and it will help organizations approach their cybersecurity as a priority that can no longer be ignored. A good place to start with cybersecurity and framework compliance is the Center for Internet Security’s Controls.

Open communication — Oftentimes within an organization, decision-makers are on one end of a spectrum while IT resources are on the other. As cyber-infrastructure becomes only more critical, technical requirements need to be better incorporated into an overall organization and prioritized appropriately.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

There’s nothing better than real-world experience in cybersecurity, but we all understand that internships and valuable in-person opportunities can be in short supply. My best advice to students or others wanting to work in cybersecurity is to seek out hands-on experience as much as possible on your own. Formal Digital Forensics degrees have become only more advanced and more popular over the years, but students and non-students alike can practice “investigation” processes at home. I can suggest an exercise:

Take a personal or a “test” computer, record three days of actions on it (log into it, log out of it, log into it remotely, access files, copy files, upload non-sensitive data, etc.). Be sure to keep track of what actions you made and when they were taken for your own records. After three days, go back in and see if you can find evidence of every action that was taken. This way, you already know the answers to the test, and you’ll be amazed by how much evidence probably isn’t there. You’ll see first-hand how deep you may have to dig to find evidence of each action and to reach proper conclusions. You’ll also easily see gaps — if you only look at one piece of evidence, you may miss entire windows of time. This is something that anybody can do with just their own computer, open-source tools, and maybe a little bit of equipment, but not much. If you’re anything like us, you’ll immediately be hooked and eager to learn more.

How can our readers further follow your work online?

Our website, www.tetradefense.com, as well as our Ransomware Stress Test, will be a great way to follow our work while keeping an eye on other security safeguards we recommend.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!