Digital Forensics: Great Need, New Careers - Rob Lee, SANS Institute
Rob Lee, a director with Mandiant and curriculum lead for digital forensic training at SANS Institute, discusses:
Lee has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations, where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked directly with a variety of government agencies in the law enforcement, Dept. of Defense, and intelligence communities, where he was the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and leader of a computer forensic and security software development team. Rob also coauthored the bestselling book, Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University. Finally, Rob was awarded the "Digital Forensic Examiner of the Year" at the Forensic 4Cast 2009 Awards.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about digital forensics and we are talking with Rob Lee, who works both with MANDIANT and with SANS Institute.
Rob, thanks so much for joining me.
ROB LEE: Thank you for having me.
FIELD: Hey Rob, start out: I know you are wearing a number of hats; maybe you could tell us a little bit about yourself please, the work that you do and then your experience in digital forensics.
LEE: Certainly. I am former Air Force. I have worked both in information security, and I also worked in investigations for the Air Force Office of Special Investigations for the early part of my career, and then like a lot of individuals who are faced with kind of a career challenge in terms of there is really no career path for someone with my background, I ended up becoming a government contractor for the better part of six years, working for the intelligence community as well as the law enforcement community at the same time. During that time I also started working on the side for the SANS Institute, providing digital forensics instruction, which initially began with a single course. But I just recently graduated from Georgetown University, getting my MBA, and now I am working full time for MANDIANT, where we do data breach intrusion investigations in addition to a wide scope of digital forensics investigation offerings.
FIELD: Rob, what do you find to be the biggest digital forensics issues that organizations are challenged by today?
LEE: Well, one of the things I definitely found is that there are three fields within the digital forensics arena that have an interest or a direct buy-in to performing digital forensics, so it depends on what your priority is.
For example, you have the law enforcement intelligence communities. Their goal in doing digital forensics is to suppress the bad guys, or suppress evil. Then in the information security communities, the reason that we do digital forensics is usually to find out how did someone break in, how did an internal employee do something that they should not have been able to do, and how do we prevent it from happening again? And there could be some civil or criminal litigation ties, so it could flip over the wall back into the law enforcement community if someone ends up being prosecuted.
But then the third area that we find is that we also have a strong litigation support. We have a lot of cases that are currently going through the court system that are digital forensics-related, and you also have the term ediscovery, in which they are doing forensics to be able to recover documents and emails, but you also have a lot of individuals filing civil cases or criminal cases, depending upon who is doing the case, that involve media that has digital artifacts on it that need to be displayed and be able to be presented in the courtroom.
So depending on where you are at right now, in basically each one of those fields, between litigation support, information security and law enforcement, we tend to have a very, very wide array of need out there for doing digital forensics. So as a result, depending on which organization you are out of, it is trying to define why you need specific digital forensics experts helping you out to be able to solve your specific incident, case or to be able to help suppress the bad guys that are out there.
FIELD: So, Rob, in your experience in both business and in government, how are organizations tackling these challenges for the better or for the worse? I have got to think it is challenging enough just to keep up on case law on these issues.
LEE: No, you hit one of the nails right on the head. It is moving so fast right now that overall in the digital forensics profession it is hard to tell. Specifically, one of the challenges is what is preparedness; how would an organization be prepared for an incident that would involve either civil or criminal litigation? Is their information security response team able to react to a data breach investigation or an intrusion that involves financial or payment card industry losses?
So, the challenges that the organizations are having right now are trying to say, are we prepared? What we are typically seeing right now is that overall, if we are going to measure between like good and bad where organizations are rating right now, they are typically on more of the 'We are not prepared' side when we are entering into these cases, but we are seeing it get better. They are starting to hire more smartly, and the way they are doing that is they are hiring individuals who are professionals that already have certifications behind their name, that have experience out there, that have done multiple different types of case work from litigation support, from information security, or even have a law enforcement background.
So it is basically: Do you have the right staff, and are you prepared to handle these issues? You could always try to be prepared, but in the end, until an incident happens, that is when you really know whether or not you have the right team working for you.
FIELD: You know, I am curious, Rob. Are organizations tending to bring in these skills in house and develop the competencies, or are they opting more to outsource and contract with people who have got these competencies?
LEE: Well, it is very similar, you know, like what we are seeing right now even out in California. There are people combating these fires, and you usually have staff onsite that says we can handle small things, small fires, and be able to put them out, but let's say something major happens, you know, what we have out in California with these major fires going on. You have to bring in outsiders to be able to help out. You cannot support and have that much of a staff just in case something happens.
And so it will always be a combination; you have to have the internal people that you trust to help guide and lead the process, but at the same time have strong ties to potential industry groups and law enforcement to be able to say, 'Hey we need help, here is what we hope to be able to get from you,' and potentially even hire additional experts to come in and help support and augment, and even surge into the organization to be able to say we have an additional five bodies we parachuted in who are experts to be able to help us out and deal with this incident.
So, normal fires are put out by internal staff, but if it is a major issue, major investigation, massive ediscovery case, or even a data breach, then you tend to have to bring in outsiders, including law enforcement, into the mix.
FIELD: Well, given that you likely see a lot of different fires and a lot of different public and private sector organizations, what would you say that these organizations need most as they tackle some of these digital forensics issues?
LEE: Your question is a brilliant one. When you really boil it down to it -- because organizations are asking themselves the same question. What do we need to be prepared? What is the core essence of what we are looking at here and what would help guide us, and then it comes down to they need potentially very strong yet flexible policy regarding what types of incidents are we going to be investigating, what types of incidents would be considered that we need to really investigate -- you know, an ediscovery case that comes in civil litigation could never predict that, but at the same time, if you are hit with one of these, in addition to having the right personnel, it is how do we handle and guide that process internally?
Typically what we see as part of the lack of preparedness in a lot of these organizations is usually just like what happens during a fire. It is that everyone is running very, very fast, but it is very loose guidance and no one--who is in charge? Even inside the same organization between different business units, there is very little coordination in some cases. Both business units could be specifically defending against these attacks, but they are not even sharing the details between the different business units.
So I think one of the biggest things that is needed in the organization, to say the number one thing, is to really think through the planning and say we will be hit with one of these major issues, one of the major incidents that is out there. So as a result of that, are we specifically prepared, and have we essentially tested ourselves (like red-teamed it) and gone through an exercise that will basically flex our muscle and say yeah we think we could probably handle this? Now you could never predict everything, but at least you would have the right steps in motion, but also you need to be flexible enough to react to the unpredictable.
FIELD: Well it sounds like organizations are learning these lessons more in the line of fire than in desktop exercises.
LEE: True. And it is just like everything else. If you are the CFO and you don't have a million dollars to spend on technology and moving it to the next level, will you be buying iPhones for your business, or are you going to hire security staff and buy more tools to be able to react to incidents? Typically one is fun dollars, and the other is not fun dollars.
So prior to an incident occurring, you tend to err toward the "I think this will end up creating more sales and more revenue," whereas with security and forensic investigations, you really can't calculate the return on investment. You know the ROI -- they always say 'What is the ROI for us spending this money and investing this capital?', and you really can't--it is incalculable, and that it is really a struggle for these organizations to be able to put their finger on it and say, "well that was worth it."
FIELD: Now just to shift gears a bit here, Rob, tell us a little bit about your work at SANS. What is the type of training that you are offering now and for whom are you offering it?
LEE: Well again, that is a great question. Our target where we are offering the training is again, anyone in any of those three fields, information security, law enforcement, intelligence community, as well as litigation support.
SANS' background has primarily been in the information security professional training organization. We are very robust there, and that is essentially where even I grew up in doing and choosing investigations, but where we are now moving the curriculum forward is up until about a year ago we only had a single course.
This year we have seven courses in total. We have two core courses, just like you would find at a normal university -- a curriculum that you would follow the core courses. We have Computer Forensics Essentials that essentially teaches someone how to combat and investigate traditional crimes, from intellectual property theft to fraud, to private information being stolen and those types of cases.
But then the second course, the following course, is a Computer Investigation and Response course, which is more centered on defeating data breach investigations. Or as people are becoming more intelligent on the technology, we are starting to see a trend for individuals that are becoming more technically savvy. Like for example, I would make a guess that you would know how to clear your browser history. What we are seeing is more people know how to do a simple activity like that, or be thinking about doing that, you know, wiping files, deleting their history, and that does require a step up in the game for doing the investigation.
And finally, in addition we have electives. We have Mobile Device Forensics. We have a course that teaches an individual how to fix hard drives by doing platter swaps. You know, if your hard drive breaks, you usually have to spend a lot of money to send it to another organization to get it fixed, so we actually teach people how to do that in-house so they don't have to spend that extra revenue to do the recovery of the files. We have Network Forensics. And finally we also have Memory Forensics. We actually take people through how to do memory forensics, from collecting data from the RAM of a computer system to being able to put pieces back together and examine that type of residue.
So we have a full range of forensics courses that we are aiming at all three fields to basically increase their level of specificity, as we are seeing the large amounts of devices out now that contain potential evidence on them; from mobile devices to your DVR, to your next generation computers like Windows 7 that is out there.
FIELD: Well, it really sounds like the possibilities are endless. Given what you see and what you are offering, what types of careers do you envision down the road for people that can develop these digital forensic skills?
LEE: Well, it is interesting that you ask that question because SANS, earlier this year, we did a poll and we asked individuals in the profession as well as outside the profession to see what are the Top 20 coolest careers in the IT field, and actually three out of the Top 19 were forensics related.
In fact, the number one coolest career for individuals ended up being information security crime investigator. What that career is defined as is: This is the individual that is handling the data breach investigations, that is doing the reverse engineering of malware, that is tracking down hackers that basically could be coming from foreign nations inside organizations both inside the government as well as inside commercial organizations where economic espionage might be found. So as a result, that career of course would be number one because it requires the most skills, but it also looks, you know, to be the one that stands apart in that you are really going to be toeing the front line of not only the site but doing the investigation of and defending of these networks.
We also have in the Top 10 standard forensic analysts, in which we have law enforcement, litigation support and information security taking part; this is your investigator that is handling more of the traditional crimes. They are basically looking at cases that might be used in civil or criminal litigation, intellectual property theft, ediscovery, disgruntled employees causing damage, inappropriate use of the internet. In that career you are still solving problems on a daily basis, so it is still exciting for an individual to be able to do that type of work inside an organization. And typically the organizations, because they are dealing with private information of their employees, do not like outsourcing that because of potential liabilities or other issues that might arise, so we might see more individuals being hired internally, full time, to be that individual.
And then, of course, we have the incident responder who has forensic skills, but their primary task is to figure out how an individual got in and how to mitigate the incidents so the organization can continue running its operations on a daily basis. So not only are they trying to figure out how the individual got in; they are basically trying to stop the attack and also start the healing of the network so that the organization can go back to normal operations.
So when you start looking at the industries that are involved here, like we said, we have three industries primarily that require all three between information security, litigation support and law enforcement. So you could be sitting in any of these fields, from FBI to Virginia State Police, to working at a major law firm and still be doing forensics. So it is a very, very broad field as a result.
FIELD: Good possibilities then. It sounds like in a way what you are saying is security has become sexy.
LEE: Yes. I mean, it is one of the most interesting because of the breadth, and because you can also say, 'Hey I'm done with information security; I will go support law enforcement or I am going to go work for a law firm now.' You can see a lot and do a lot, but the perspective would completely change depending on which side of the fence you are sitting on.
FIELD: Well, what you have outlined for us are a lot of options and a lot of prospects for someone that wants to develop these skills. Given that, and I am sure you get asked this frequently. What single piece of advice would you offer to somebody that is seeking a career in digital forensics today?
LEE: The major issue for someone starting a career in computer forensics or digital forensics today is the fact that our profession -- because of the legal challenges and there is a lot of courtroom interactivity -- is currently going through a lot of internal and external questions of how do we--you know, how is an individual to be assured, or how is the organization that hires an individual to be comforted that this individual actually has the skills? That if you are putting someone on the stand as an expert, they truly do have an expertise sitting behind them in both the professional organization that says this individual is good, but in addition to that the organizational and personal one?
As a result, since we are still in our infancy, we do not have like the hundreds of years of development such as doctors, lawyers, CPAs and others have had to form a professional organization that stands behind us. Also, in addition, if you have someone who is ethically not doing the work correctly, or is not doing the work correctly at all in terms of skill, you have a way to potentially bar those individuals.
So long story short here, what ends up happening since we do not have that yet, but we are working toward it, what I highly recommend individuals do at a minimum is become certified in one of the digital forensic certifications that are out there. It at least will show you are taking a step forward to saying 'Yes, I agree that there is a profession here, and I need to be able to demonstrate that I have proven the skills to my employer, the courtroom, or anyone else that might be asking that question.'
As a result there are many really well done digital forensic certifications out there. It doesn't matter which one you get, as long as you get certified in one of them and start helping the professional community form what essentially will become an ABA or a medical AMA for our profession. But we don't have that yet, and it will be several years before we get there, but because of the scrutiny we are now undergoing, we are definitely moving fast to trying to get that. So if you are just beginning, become certified; it would help you and it would help the profession.
FIELD: Rob, that is great advice. I appreciate your time and your insight today.
LEE: Thank you. I really appreciate you inviting me on.
FIELD: We have been talking with Rob Lee about digital forensics. For Information Security Media Group, I'm Tom Field. Thank you very much.