THEOS Cybernova

Nathan Reid: Inside the High-Stakes World of Digital Forensics & Incident Response

Theos CyberNova Season 2 Episode 1


When a cyber incident strikes, every second counts. In the high-stakes world of Digital Forensics and Incident Response (DFIR), elite professionals like Nathan Reid work against the clock to uncover the truth, contain the damage, and get businesses back on their feet - often with millions on the line.

In the Season 2 opener of THEOS Cybernova, Nathan joins Paul Jackson to unpack what happens during a major incident response, why digital forensics and incident response require distinct mindsets, and how speed, grit and teamwork can make or break a breach investigation.

From military signals to global cyber investigations, Nathan's path to becoming THEOS Cyber Head of DFIR is anything but ordinary.

A must-listen for anyone driving cyber resilience across the APAC region.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

Intro:

This week on the Theos Cybernova podcast...

Intro:

You've got to enjoy both having a puzzle to do in a very short time frame and high stress. IR is very fast paced. We're kind of like cowboys almost with the way we stampede through evidence. A little bit of cockiness helps really well, because you're going to tell a multi-million dollar business to turn off, like, their servers for a day or two. That's going to cost hundreds of thousands of dollars. We're really good at finding what malware or an external threat actor has done, how they move through the network in a very short period of time, and we gather just the evidence needed to determine what occurred and also answer any questions the client has.

Intro:

The Theos Cybernova podcast hosted by Paul Jackson.

Paul Jackson:

Welcome to Season 2 of the Theos Cybernova Podcast. Yes, we're back and we're here with Episode 1 of the new season. I'm delighted to be joined today by Nathan Reid, who is the Theos Head of Digital Forensics and Incident Response, and I can tell you right now it's going to be a fascinating discussion, talking about some of the adventures in DFIR. I truly wish we could talk about some of the interesting, sensitive cases that Nathan has handled down the years, but obviously client confidentiality precludes that. But nonetheless, you're about to take a dive into some of the complexities and the intricacies of digital forensics and incident response and how we help clients in crisis. So, Nathan, welcome to the show, and I know you go by Nate, so we'll call you Nate from now on. And, Nate, could you just start by introducing yourself a little bit and telling us your career story and how you got to be where you are now?

Nathan Reid:

Yeah, thanks, Paul, great to be here. Happy to go back in time to when I first started off on my career path, initially with the Air Force down in New Zealand. Being quite a small country with a small Air Force, they trained us up pretty well. So we did everything from our radios, where we would bounce signals off the atmosphere to get to different aircraft around the Pacific, through to satellite communications, setting up antennas, taking messaging, the whole lot of it, whilst dressing up and running through the bush at the same time, which is always good fun.

Paul Jackson:

So wait, wait, you dealt with the technology and you're running through the bush in uniform?

Nathan Reid:

Yeah, exactly, that was the whole goal, and because an Air Force guy can do radios and satellites and computers, we were quite useful around the different places. So I've worked on Navy ships, I've gone out on patrols and I've also done just messaging for days on end, listening to static through the air. It can be quite fun. Wow, it's good to be multipurpose.

Paul Jackson:

Yeah, fantastic. Where did you go to from there then? What made you leave government?

Nathan Reid:

So from that I actually ended up joining one of my sergeants when he went out to work for a local, almost a telco, called Datacom. They're quite large now in Australia and New Zealand, and I was one of the first people there with their security operations center. As one of the first analysts I got to be the wildcard, and so whilst they had their core set of technologies that they were rolling out for most of the customers, some customers wanted to bring their own technologies in, and so they'd send me out to go learn how to operate it, how to push it to the cutting edge, and then document it and run it from there. So I got about a year and a half of experience there, which was good fun after the five and a half years with the Air Force. After about a year and a half I wanted to upskill a little bit, specialize in a different way, and so I went and joined government doing cyber defense for critical industries. There I got to use some very unique tools and data sets, hunting different threat actors, a lot of interesting projects, before ultimately moving out to Deloitte in Australia, as most Kiwis do once you get to a similar skill level: you jump across to Aussie, and the weather was better, that's for sure. I got to hang out in Sydney with a few of my good friends there, and we're still in touch years later. That's when we got some interesting cases, and it was a bit of a step up going from New Zealand to Australia, because we got to work with some pretty talented IT teams when we did our incident responses there.

Nathan Reid:

Some unique cases, a variety of different industries too, which was pretty exciting. A few different threat actors there targeting certain regions, which was quite interesting, because I had the ones that usually target government. Now we had the ones that target different industries, and particularly some strong industries over there, and so that was enlightening and a lot of good experience there.

Nathan Reid:

That's very diplomatic of you, the way you navigated those geopolitics there. Carry on.

Nathan Reid:

Being New Zealand, we try to stay on the good side of as many people as we can, because, again, we're quite small.

Nathan Reid:

But the challenge that I had was, usually, you have the high stress of DFIR, of these cases that come in and you have to provide answers within hours, and so one of the ways I used to de-stress was I'd go for a nice hike. And if you start hiking in Australia, there's snakes, spiders in the outback, and my local friends said I was particularly lucky, because the amount of snakes I saw as I was out hiking was much more than they saw in their lifetime.

Nathan Reid:

And so, after a few interesting encounters, I had actually lined up to head to Deloitte Netherlands, as part of my ancestry is Dutch as well, and so it'd be quite cool to go to Europe and explore around. But then COVID decided to shake things up there, and I got a call from a mutual friend of ours to go join a little startup out of Singapore and Hong Kong, and once he heard what I like to do, he said maybe Singapore is not quite the activity-bound area for you. You should come up to Hong Kong and have a play around here. And yeah, that's how I ended up in Hong Kong and stayed here for the last five plus years.

Paul Jackson:

So tell me, I mean, because honestly, you're in a stressful job and yet you look like you've just stepped out of university. How do you look so young, mate? Genes, I think. Very lucky. You used to look a lot younger. Joking aside, let's talk a bit more about DFIR then, digital forensics, incident response. What is it that really fuels your passion? I mean, because it takes a special kind of person to get involved in this rather niche subject.

Nathan Reid:

That's a diplomatic way to put it.

Paul Jackson:

Yes, yeah, very special, as my parents used to say. Yeah, you've got to enjoy both having a puzzle to do in a very short timeframe, in high stress, and you've got to have a lot of grit and determination to just keep pushing until you get the answer. If you give up too soon or you're just there for a day-to-day job, it's not going to be the one for you and you won't enjoy it too much, nor will you get the answers that you're looking for. You've got to have that drive to solve an issue.

Paul Jackson:

The other benefit that I have is, whilst it's not a day-to-day grind, that's the exciting part of it: you get individual projects that are high stress for a short period of time and you can just tick it off. You get that completion kind of satisfaction at the end of it and then you can move on to the next one. Having an IR that goes for months is really draining to myself and a lot of my teammates. And so, yeah, having those short, even if they're massive jobs where you're working 18 plus hours a day, yeah, love it. Yeah, that's awesome, as long as you don't have them back to back.

Nathan Reid:

A little bit of a break in between is always nice, and I know we can't talk about it, unfortunately, but last week I noticed you were on a high because you'd solved a brilliant case for a company that saved them potentially millions of dollars. That was fun, and I just wish we could talk about it in more depth, but I saw how excited you were and how it really fueled your passion in this field.

Nathan Reid:

And it was kind of great to see. So I do understand where you're coming from, because obviously it's been my background as well for the last 25 years or so, working investigations and crisis management and just helping clients and, obviously in law enforcement, helping victims when they need us most. Really, to DFIR, because it's often misunderstood, right, and it's a hot topic. I see it often discussed on LinkedIn posts et cetera. But DFIR, should it be grouped together? Or is DF, digital forensics, and incident response really two separate fields?

Paul Jackson:

Yeah, I've had this discussion with quite a few different professionals along the way. It's two different mindsets, but the skills overlap, yes. And so traditional digital forensics is a key component for certain cases. If you're going to go, for example, the Volkswagen case, it's going to go for years. You're going to have to make sure every piece of evidence is collected perfectly, all the checklists are done, everything is absolutely spot on, and hosting all the data, etc. That's a DF mindset, and that usually goes into the insider cases or the different human-led cases and legal ones.

Paul Jackson:

IR is very fast paced. We're kind of like cowboys, almost, with the way we stampede through evidence. We still collect it to an evidential standard for court, but we're really good at finding what malware or an external threat actor has done, how they move through the network in a very short period of time, and we gather just the evidence needed to determine what occurred and also answer any questions the client has. So we're not taking full machine images like you would for DF, but we are grabbing all the forensic artifacts that DF would use, and we can take a full machine image, but it's not our usual day-to-day job. And so you have some people that are kind of DF leaning, which is absolutely great, and you want to use them when you have those kinds of cases, and you have some people that are IR leaning, and so you can play with those two different skill sets as needed.

Nathan Reid:

That's a fantastic way of explaining it, and let's elaborate a little bit, because let's talk about a hypothetical scenario, right? So you're there at the office and a client or a law firm or an insurance company with an insured reaches out to us and says, hey, we've got an issue, we've just been hit by ransomware and our systems are being shut down. Help, what can you do? How do you approach this? First, what's the starting point here?

Paul Jackson:

Yeah, so we get this case quite a lot, as you'd understand. First we make sure, if it's for insurance or similar, if we're going to get engaged, that it's under the lawyer, so we're privileged and confidential. Your report's not going to go into the public, as a certain company in Australia found out when they did it the incorrect way. So we make sure we do the contracting correctly, and the scoping. We ask certain questions such as how many endpoints you have, what is the size of the area impacted, these kinds of details, so we can figure out how far we need to deploy our tool set, and that also gives us an idea of how much time it's going to take, and that leads to the cost as well. Back two years ago, when Fortinet remote code execution was very popular, we might ask what kind of VPNs or firewall are you using? And when that was the first answer, it became pretty clear who we were playing with, and so we could work quite quickly. For us, the difference between 100 computers and 10,000 computers actually isn't that much. If your IT team can deploy our EDR quite quickly, that's not too much impact for us, and so, once that's done, contracting will sign off.

Paul Jackson:

We deploy our EDR, with support from the local team, to 100 endpoints, 10,000 endpoints or two endpoints, and from there we can remotely gather what we call a triage acquisition of our forensic artifacts. So we remotely execute a little bit of code on the machine that grabs about 100 or 200 different pieces of information, Amcache, MFT, etc. That all comes back into our cloud environment. From there we automatically parse it out into a spreadsheet. Then I do a few espresso shots and just start scrolling through the information. We usually ask which servers have your key information on them that the regulators might be interested in or that have customer information, and which computers did you see some dodgy activity occurring on?

Paul Jackson:

Those are the ones I look at first. I then find out how the ransomware was executed on these endpoints, and we start building that timeline working back, and it takes about three to seven hops to find out where the root cause was, where the infiltration came from. And so it's like, cool, we found the trail coming in. We then work to find out where the threat actor moved out into and what they touched, and from there, depending on the level of logs that are provided, I can usually provide: here's a list of all the files they accessed, here's a list of all the computers they touched that we can immediately see, and here's what the data at risk is. And then that might merge into e-discovery, where they in detail tell exactly what the client name is, email address, phone numbers, et cetera. But yeah, usually all this occurs within 24 to 48 hours. Right.

Paul Jackson:

And so you have your answers for the regulators in a short period of time, and it gets them off your back quickly.

Nathan Reid:

Probably the listeners are going, geez, how the hell do you manage all that? Coffee? Lots of coffee, yes, lots of coffee. But it's also, you know, I think it's a team game as well, and you just touched on, for example, getting support. You know, if they don't have an endpoint detection and response tool, an EDR tool, already on the system, which allows us that visibility into their broader network, you know you can get support, because obviously Theos has the offense, defense, response and customer success teams, which can all play a role in a successful investigation. So perhaps you can elaborate a little bit, because obviously the defense side, you know, are there to have your back, I guess, during an incident, right?

Paul Jackson:

Yeah, that's a good point. And so there have been cases, especially in Asia, where sometimes the endpoint fleet isn't so secured, where we roll out EDR and you start finding lots of different pieces of malware. You've got potentially unwanted applications, you've got actual bits of malicious code, spyware, etc. But that's not what the IR team is engaged to do. They're engaged to find out what the root cause of this one breach is, and so you need a team of people actually watching your back, cleaning up all these low notifications, but also letting you know, hey, we just found the threat actor over on this endpoint now using this new tool, or we're seeing an interactive breach over on this way. And so there have been cases, one back in Australia, where we had two or three different threat actors on the same network. The network was actually nicknamed the Wild West because it was so uncontrolled, and they knew it.

Paul Jackson:

So yeah, and so we have that, where we're working proactively with the SOC and they're also feeding into it, to the point where we both had the incident response report in SharePoint, editing at the same time so we could fill out the details as both our teams were finding stuff. Yeah, and then, of course, we've got a brilliant offense team.

Nathan Reid:

You know, the offensive security, the pen testers, the red teamers who are there, and I do recall a case where they were instrumental in helping you, oh yeah, to identify the techniques used by the hackers.

Paul Jackson:

Right, yeah, the amount of times where logging is not enabled, or it's been overwritten or expired or similar, is immense. The first IR case I got had logs going back two years. I was like, if life's going to be like this, it'll be amazing. That was the first and last case where I had two years of logs, that's for sure.

Paul Jackson:

And so, yeah, this was a case where they were running SQL and we're pretty sure a SQL mapper was used, and so we turned to the OffSec operator who's with us at Theos, and I was like, hey, can you fire this tool at this IP address this way? Seconds later he came back with a result. We matched it with what the threat actor was extorting the client with, and they matched line for line. And it was great, because we could go back to the technical team saying that this is impossible and go, so what's this? And then actually detail it to them, say you're blocking based on a URL; the threat actor is using your IP address, that's why they're getting through the list you're using. And so, yeah, it worked out pretty well.

Nathan Reid:

Fantastic. And then, of course, you've got a very important role, which is the customer success side of things, Chris. Ultimately, as you mentioned, a lot of these investigations can go on for weeks, if not months, if they're really complex, and you need somebody who's project managing it. Really, you're there to do the hard yards in terms of the investigation and analysis, but you need a steady hand to be comforting the client, to be providing them assurance, to be giving them updates, etc. And I guess that's where the customer success team project manages these kinds of incidents.

Paul Jackson:

Yeah, you're right. Imagine if, as an analyst, I have to keep stopping every 30 minutes to write an update for that hour. You only get 10 to 20 minutes of actually creating an update, whereas customer success can be with you along the way. You're either talking to them or they check your notes and go, okay, we understand how many endpoints you have, how many are analyzed and the current findings at this point in time, and they start pumping those updates out. Because a client, usually in the first few hours, they want hourly updates, and then it's like, okay, it's in hand, we can relax a little bit. And then you get to six hours, and daily updates after that, which is quite good, yeah.

Nathan Reid:

So I think the summary of all that is that it takes a team, really, to handle major investigations, and having those different skill sets and support is super important. Obviously, you're the lead and you're the most important component of that in terms of, you know, telling a story, identifying what happened and helping the client. But there really is a need for a whole infrastructure of capabilities during an incident. So, yeah, very interesting. You know, when a client comes, you know, looking for help in a crisis, how are they supposed to know whether the vendor or consultant, whoever it might be, is actually capable, is actually a quality DFIR person or company?

Paul Jackson:

Yeah, good point. That's why it can be handy, if you have a retainer in advance, to actually vet them. Ask for other people that have used their service, not just ones that have a retainer with them but have actually used it. But that can be hard, often, because then they have to admit that they had a breach or similar. And try them out: you could give them a small job or similar and see how they handle it. We have had many cases where we've been called in to clean up another IR provider's mess, at least two that I can remember, and that's just been where they haven't deployed the tool far enough or they couldn't find the root cause. We did, yes. We found about five different types of ransomware and ghost infrastructure that wasn't supposed to be online anymore.

Paul Jackson:

We have a basic checklist that we go through to find these kinds of things. Another one was a business email compromise, where they didn't think that their client or their provider had pivoted enough or found all the points of entry, and yeah, the cleanup wasn't complete and the threat actor was still getting copies of all the emails. Yeah, it's unfortunate, but it happens.

Nathan Reid:

It is, and do you know what, this is all part of resilience, isn't it really? And that's a buzzword, of course, in the cybersecurity world, building resilience, and we'll probably touch on things like tabletops, et cetera, in a moment. But retainers, right, these are critical nowadays, and, you know, look, there's no expectation that companies should have their own elite DFIR teams in-house. They should have somebody on retainer who is, you know, an extension of their team, who extends the capabilities of their teams, right? So can you talk us through some of the

Paul Jackson:

you know, the advantages that we would provide from a retainer point of view for clients? Oh, for sure. Timing, timing. So, paperwork: trying to go through your procurement during an incident or similar adds minutes, and every minute for me counts, because I do move quite fast. And so we've seen delays of over a month sometimes, and by then the logs are gone. Yeah, naturally I'll provide guidance on how to save the logs, but if that's not done, then the evidence needed to find that root cause is no longer there. One example where a retainer was pretty handy was I was already logged into the EDR tool because we're providing an MSP service to them, and they just sent a message saying, hey, we're seeing multi-factor alerts on my phone. Can you investigate? Seven minutes for us to quickly look in, see the command lines going through. Oh yeah, it's this script here.

Paul Jackson:

And then the programmer went, ah yep, I think I messed up on that one. And so within seven minutes they had an answer, and minus seven minutes from the retainer, not bad. But imagine if you had to do the normal engaging of an IR provider, doing the MSA, the SOW, having the scoping meetings. That's a lot more than seven minutes, and so not only is it faster to get an answer, but it's a little bit more cost-efficient, in my mind at least, and you can use it for other services. So if you're already going to use a certain amount on red teaming, why not just call that a retainer?

Nathan Reid:

And then you get IR bundled in there, yeah. So the big difference there as well is, yeah, it does provide access to all of the services that we provide: the advanced testing, security testing, tabletop exercises, which we'll talk about in a moment, board briefings, any of these kinds of services, and threat hunting. It really is advantageous, because you think about cyber insurance, which is a must in this day and age. Well, if you don't have any incident, you don't make a claim. Well, the money's spent and it's gone, and it's there to manage risk, right? It's a well-established risk management tool. The difference with the retainer is your money isn't lost, right? Because, assuming you don't have a major incident, well, use that money for, as you say, the other services, pentest, red teams, whatever it might be. So it is an absolute value add.

Nathan Reid:

And the last thing, to your point, you want to be doing during a crisis is arguing about limits of liability and indemnity clauses in a contract. So, yeah, it takes a long time. It takes an awful long time, as we know, yeah. But the other thing is, you know, I know because you work with a lot of clients on retainers, and over time you get familiarity with them, and they also realize that, hang on, we've got an expert team here at our beck and call whenever we need them. So if anything suspicious pops up, instead of trying to unravel it themselves, they just jump on the phone and say, hey, Nate, you know, we've got this thing going on here. We're not quite sure what it is. Could you take a look and could you help us identify it? Right? And isn't that nice, to have that kind of extension of expertise? And it's great for us in our relationships. So there, if there is a major incident, right, we're there and we jump in. We know the people, we know their systems and we're ready to roll, so to speak.

Paul Jackson:

And as you say, time is everything, exactly. And I think the team you're chatting about, they learn from every time we do IR, because we're not exactly secret about how we do it or what we do, right? And so we've never had the same incident twice from them. They always give us unique ones, and usually on a Friday afternoon. Yes, hey, it's fun to work with them. They're a nice group. The Friday fire drills.

Nathan Reid:

Yes, they know we're talking about them, don't they? Yeah, every Friday and every company event. Yes, absolutely. Just a few more things, right. So tabletop exercises, right, being resilient, crisis. You know, clients reach out to us and I think often they don't know what they want, right? They say, well, we ought to be doing these crisis exercises to test whether we're ready or not. What actually happens in reality when we run these kinds of exercises? Yeah.

Paul Jackson:

That's a good point. You can often get similarities between your usual first-line responders, like firefighters, ambulance drivers, etc., where they train for the likeliest marries they're going to face, and so when it happens, it's muscle memory. They know how to communicate with each other, who actually provides different direction and answers, et cetera. And that's the same for a company. We see it with companies that do just a tick-in-the-box exercise scenario and then they pass. When an incident happens, they freeze, yes. And then there's arguments about who's responsible, accountable, who needs to go where, and there's often unrealistic times on how long something will take, because when we're in a room and we say, oh yeah, we'll go get an image, they're like, okay, I'll get that in five minutes. I'm impressed, join my team. If you can get a full image in five minutes, I'll have you any day of the week. It's unlikely.

Paul Jackson:

And the other thing is communication. So when these drills happen, they're always in a room, everyone's always there and available, they're offline and they're all chatting and communicating, and already they've got their coffees, they're calm, relaxed. Doesn't happen in real life. And so when we do our tabletops, we have kind of like a degree of experience, and so it starts off with those kinds, because it's great to get introduced into what threats you might face, who does what, what information they can provide, and it's kind of like an escape room, where you bring all the bits of information together, you project manage it and then you can solve that and make a decision and then keep moving. If you don't make a decision, you're kind of frozen and nothing happens.

Paul Jackson:

But then you can challenge it even more: get people outside the room to be engaged in it, give an email to one of the participants and then they've got to tell the information to everyone else, like it would happen in a real scenario. And then you get the kind of whispers going on of how misinformation slowly spreads and the picture becomes a little less clear. And once they realize this, you get the good project managers stepping up, which I had once in Australia. The actual security guy kind of shut down, but a project manager stepped in and it was incredible to watch. He just pulled the information correctly, bullet pointed it down fully or jotted it out; they had an attack map. The next year we actually had to make it really challenging, because regular scenarios they just found too easy, and so it was cool to see that progression over time. Interesting. But how do you see the difference in maturity, say, between, you know, your experience in Australia, New Zealand, versus Asia, in terms of, you know, having these much better,

Nathan Reid:

how do we say, readiness or capabilities, resilience capabilities?

Paul Jackson:

It is intriguing, because there's a technical aspect and a people aspect, and who can say what to whom. In New Zealand it's very flat, kind of the person at the bottom speaks very directly to the person at the top. That doesn't fly too well in multinational companies, and also who's responsible for what, and do they want to be responsible, and kind of worrying about making sure their job's secure. And so it can be more challenging passing information here, and sometimes we've found that we have to become the facilitator in it, and so we receive the information and start passing it around, which would happen in an IR, but ideally they should be able to do that internally.

Nathan Reid:

Right, yeah, because obviously communication is probably the most important thing during a crisis, and unless they're testing their own internal abilities to communicate what the risks are, you know, what the action should be, etc., relying on the facilitator to do that defeats the purpose, because in a real incident we wouldn't be there. Well, we would be there, coming later, but, you know, the initial internal communications and decisions at the onset would be this. Exactly right.

Paul Jackson:

And the amount of languages we have here in Asia. Oh yes. In New Zealand we almost have one. Oh, we have two or three officially, but yeah, over here there's lots, and the cultural implications between Japanese, for example, and Singaporean.

Nathan Reid:

Yes, I mean, yeah, you touch on a really good point, because obviously we work throughout the Asia Pacific region, and the difference in cultures is, you know, you really have to have an understanding, because, you know, there's different ways of approaching crisis. There's, you know, cultural sensitivities that we have to be aware of, and that makes it even more challenging, on top of all the technical components of a crisis, of course. Absolutely, yeah. Okay, so let's switch gears slightly as we move on in this conversation, because DFIR, right, as we, you know, at the beginning, mentioned that it's very niche, it's a very special kind of field, and if you compare it to cybersecurity, obviously it's just a tiny fraction of the professionals. But it's an interesting one, and a lot of people come to us, including our own staff in the SOC, et cetera, saying, I really want to be a DFIR professional in your mold, so to speak. Yeah, good question.

Paul Jackson:

There's a lot of free resources out there. Just to get started, IT Masters has a few DFIR courses. There's a couple of tools you can use, like Velociraptor to collect images from your computer, wiskus to timeline it, getting an understanding of what artifacts tell you what, and looking at the different articles to timeline so you get an understanding of how that activity occurs. If you're in the SOC, that's a great place to start and that's where most people start their career and specialise out after two to three years, because you get to see those incidents occurring, those alerts. It's the inquisitive mindset, I think, that usually sets people apart: you've got to want to know how it got there, what capabilities it has, and when you have 500 alerts a day it's hard to actually pin down one.

Paul Jackson:

But if you do get the chance on any of the interesting ones, especially the interactive threats, try to get through and timeline what that threat actor does. The other thing is, um, don't be too nervous. A little bit of cockiness helps really well, because you're going to tell a multi-million dollar business to turn off, like, their servers for a day or two. That's going to cost hundreds of thousands of dollars, but you know that's how the threat actor is going to get removed. You've got to make that call and understand as well. To take a good diary is that you're going to be making calls with the information available at that point in time, and hindsight's 20/20. So a little bit of bravery there too. You might make mistakes, but that's how you learn.

Paul Jackson:

But, yeah, study up, get some practice. There's malware labs out there where you can have a look at what they do and how to have a look at them. And yeah, there's DFIR: there's DF, so taking images, and IR, finding out how to timeline and see how a threat actor moves around. If you want to dabble in a bit of threat intelligence, that always sounds pretty cool. Getting an idea of the capabilities and capacity of different threat actors can be good fun. Yeah, just go for it. Just try. Yeah.

Nathan Reid:

All right, that's some great advice and I love this because, as you know, I used to, back in the day, I ran lots of training programs for, um, DFIR back here, going back 20 years ago, and, um, working with Interpol, etc., building capacity, and I always said that, you know, no DFIR professional... if you want to be spoon-fed, you're in the wrong business, you're in the wrong job, and it's really about demonstrating passion, initiative and going out there, because there are, as you say, there are plenty of resources out there, plenty of free ones. Don't expect somebody to spoon-feed it to you. Go out and do it yourself and learn from experience. And, as you say, those in the SOC have plenty of opportunity to see and to improve their skill sets.

Nathan Reid:

So it's definitely something we encourage and we'd love to see more professionals because, quite honestly, there's a dearth in this region, isn't there? I mean, you know, you've obviously seen there's plenty in Australia, New Zealand, in the UK, in the US, et cetera, in the Western countries. But why do you think it is that we just don't have a big pool of really... I mean, you're one of sort of maybe five or six really elite DFIR professionals in the region, and that's kind of a sorry state of affairs really.

Paul Jackson:

Yeah, it really is. I'm not too sure. I do know, for the first year going into DFIR, I got imposter syndrome, where you're like, do I really need to belong to be here? And yeah, as long as you're inquisitive enough, a bit brave, and have a good team around you, you'll do fine, and so just go for it.

Nathan Reid:

Well, I guess so. Yeah, but I think a lot of it as well, I don't know what your feeling is, is that I think the regulatory and legal environment here in Southeast Asia certainly hasn't compelled companies, or the corporate world anyway, it hasn't compelled them to take investigative steps, historically. I know that's improving and there are more and more requirements, especially in regulated industries like the financial sector, etc., where they now have to actually do a proper root cause analysis to provide proper investigative findings, and so I'm optimistic that we will start to probably grow the industry better here in Asia. But does that mesh with your feelings as well?

Paul Jackson:

Yeah, I think so. We've seen a massive improvement in the maturity of regulations over the last few years. It's nowhere near where it should be, but yeah, almost all our cases are driven because legal told them to. Yes, because if you can just run an AV sweep and then sweep it under the carpet, it's a lot easier than having to engage someone. So that was what people tended to do in the past.

Nathan Reid:

Absolutely, yeah. So look, to those who are listening, if you've made it this far, you're hopefully enjoying this conversation, because it's been, you know, a unique insight, I think, that we're hearing from Nate. And if you're enjoying the podcast, please help us out by clicking the like and subscribe buttons, preferably both, and, you know, it helps us to grow the audience and reach, you know, more folks in our region so that they have a better understanding of the need for resilience, the need for effective incident response and what it means to manage a crisis. So please help us out here. Click those like and follow buttons on whatever platform you're listening on.

Nathan Reid:

So, Nate, as we wrap up our conversation, it's been fascinating, by the way, and I'm looking forward... perhaps we ought to have one or two more podcasts with you, because I think you've got a lot more stories up your sleeve. But before we go, I always ask my guests on these podcasts, because my way of unwinding... I don't climb mountains, my knees are a bit shot for that. Yeah, mine too at the moment. But you know, we do operate, obviously, in a stressful world and environment, and I unwind by, you know, listening to music with a good book, and that's my kind of hobby. I'm a music lover, so I always ask my guests what they're listening to. I always like to be surprised, man.

Paul Jackson:

Tough question. I usually pick the music depending on what activity I'm doing. So if you're doing running, a nice 120 beats per minute is a good one, right, and so that's your EDM, or dance. Um, sometimes, if going through work, there might be a Sabaton or the like, pirate metal, which is always good fun. Alestorm had some really good songs out there. Yeah, there's quite a variety. When Spotify last told me the genres, there were over 160 different ones that went through there.

Nathan Reid:

Fair enough.

Paul Jackson:

Yeah, a little bit of everything really.

Nathan Reid:

So eclectic, yeah, eclectic. I like to hear that.

Paul Jackson:

Yeah.

Nathan Reid:

All right, good stuff, us on this episode and, uh, you know, your insights I'm sure will be appreciated by all the listeners. It's been a fascinating discussion and, uh, I look forward to, uh, perhaps, you know, setting up a few more episodes in the future. Yeah, more stories with Nathan. Yep, I hope everybody's enjoyed this episode and, Nathan, once again, thank you very much for joining us today.

Nathan Reid:

Yeah, thanks for having me. Theos Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D'Monte, the executive producers were myself and Ian Carless, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.