Risk Management

Digital Forensics - Careers Tips from Rob Lee of SANS Institute
Increasingly, digital forensics is an important element of an information security program for organizations of all types and sizes.

But where can security leaders find qualified forensics professionals? How can these professionals obtain the skills and expertise they need to be successful?

Rob Lee of Mandiant and SANS Institute discusses forensics careers, focusing on:

Hot trends of 2010;
Questions hiring managers must ask;
Growth opportunities for qualified pros.

Lee, a director with Mandiant and curriculum lead for digital forensic training at SANS Institute, has more than 13 years experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining

MANDIANT, he directly worked with a variety of government agencies in the law enforcement, Dept. of Defense, and intelligence communities where he was the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and led a computer forensic and security software development team. Rob also coauthored the bestselling book, Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University. Finally, Rob was awarded the "Digital Forensic Examiner of the Year" from the Forensic 4Cast 2009 Awards.

TOM FIELD: What are the career opportunities for forensics professionals in 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm catching up with one of our old friends today, Rob Lee. He's a director with Mandiant. He's a faculty fellow with the SANS Institute. Rob, good to talk to you again.

ROB LEE: Hey, thanks for having me on here again.

FIELD: Rob, why don't you just give people an update on what you're doing these days. As you've told me, you sort of have two hats that you wear.

LEE: Yes, I'm working at Mandiant. I'm one of the directors there, and we've been quite busy over the past six months, especially considering some of the things that are currently going on that are really relevant to current events. We just released a report -- I was one of the authors of this report - called M-Trends. It really details some of the more sophisticated attacks and threats that are coming from overseas from Asia, specifically China, hitting law firms, hitting commercial companies, and since then, industrial branch and other organizations. It's a really -- I had a really fascinating time putting that report together, but it really details at a technical level how these attacks are successful and what we're seeing on the ground when responding to them.

FIELD: Well, Rob, we talked about forensics back in September. A lot has happened since then. What are some of the trends that you're specifically looking at now in 2010?

LEE: Well, one of the things that we're definitely seeing when it comes to the average forensics professional, what they need to know, is the complexity of the cases is growing exponentially. We're no longer just relying on recovering pictures, recovering email in order to solve a case. The cases that we're now experiencing require forensic professionals to be able to be comfortable with doing forensics across multiple machines, across different environments and give different case types all the way up to where you could be investigating advanced hackers that are moving within your organization. Many companies today are caught in situations where they do not have trained professionals working on their staff that are able to respond specifically to a variety of threats.

FIELD: Well, Rob, we've hammered it home to organizations that, they need to have a forensics competency. So, for someone looking to hire forensics professionals, what do they have to be looking for?

LEE: Well, it honestly boils down to one key thing, at least from my perspective, is that when we're looking to work with someone, or we're looking to bring someone on our team, we're specifically looking for a depth of experience. Now, depth of experience does not mean that an individual has been working on forensics their entire life; we're probably looking for someone that's been multi-hatted across their entire careers, so that they have some exposure to computer security; that they have exposure to potentially working on incident response-type situations; having clear training in their background too, where they've gone through official courses; where they've gone through some of the newest and greatest technology that is out there, so they're familiar with it, so that when they're exposed to it in an environment, either A)they already know about it, or B) that they're comfortable enough about their own capabilities that they can self-train themselves in order to be able to deal with that piece of technology.

FIELD: Well, just to follow up on that a little bit, Rob, what then are the couple of questions that people really ought to be asking about someone's resume when they've got them in talking to them?

LEE: Well, moving beyond just the laundry list of skills or, you know, exposure to tools and techniques and technology that someone has, that someone should really be asking questions, `Which of these are you a master of?` `Which of these do you probably need additional training to move beyond?` When we're initially doing a lot of interviews, even just being able to ask them specific questions. For example, if someone's interviewing with me, I would potentially put up a scenario, and I would like them to white-board how someone would focus on that case. You know, I will say an employee is suspecting of stealing data from a computer system.

He was fired on a Monday. The last day he was at work was the only day that he might have been capable of doing this. Can you please list for me the only ways data can potentially leave his computer system and where you might begin to look for the evidence that of the inner logs for property theft? And ,again, the individual would have to step through, and they have enough knowledge about the computer system to be able to identify the key points of where data would be able to be [taken] from the machine, whether it's an email, USB devices, printing it for example, someone could even take a picture of the screen. And, again, having someone think through and be creative enough in the problem-solving side to be able to identify what is the most likely link to the least likely area of data [extraction] in that specific case. That's an example of the way that you would be able to really show, 'Does this person have the problem-solving skills and the expertise to be able to solve this problem?'

FIELD: Well, that's a great example. Now, flip this around, Rob. For someone that is looking to be a forensic professional, what are the skills and experience they really need to seek out before they go out looking for that first job?

LEE: Well, first they need to ask themselves, 'What is their own personality?' There are two factors in the personality side that I personally look for when I'm talking to an individual. Number one is a passion for computer forensics and incident response. The second one is a massive capacity to learn -- that this individual realizes that everything is consistently changing and that they're always seeking opportunities to educate themselves, that they're never really satisfied. You know, they'll always be chomping at the bit to get that additional experience so they're moving forward. Now, that's from the personality side. On their experience side, you know, what skills and experience and skills do you need? I would definitely recommend that someone become expert at Windows -- just how Windows works, the memory between 32 bit, 64 bit, from Windows XP all the way through Windows 7 to their server side, you know, being familiar where evidence might sit; the file systems ... and then as niche areas start to expand, they would slowly move into these areas such as mobile device forensics; being familiar with the iPhone, the Blackberries that are out there; moving into network forensics, being extremely versatile in being able to pull long-file data across from firewalls, proxies, intrusion detection systems ... Since 90% of the systems we're investigating are Windows-based, everyone in the field kind of has to have that core. Kind of like in the Army, you need to know how to shoot a rifle, that's the rifle of computer forensics. You need to be able to understand the core technology that's surrounding Windows systems and where the forensic artifact tool exists.

FIELD: Well, for someone who can shoot a rifle, so to speak, as you look across the different industrial sectors, where do you find the best opportunities for someone with forensic skills today?

LEE: Well, honestly, it comes down to location right now. We're still in the early stages of people being able to work a lot more remotely. However, if I was a professional and saying, `I want to get into this field; I want to be able to get a good job with experience to help grow my experience,' then the major cities from Washington, D.C. would probably be the first one. New York City, LA, San Francisco, Chicago, any of the major technical hubs, anywhere there is the financial sector as well as a concentration of law firms. Those are usually found in the major cities. As we're expanding, you're going to start seeing the smaller cities, the smaller law firms, local law enforcement, also need computer forensic skills; we're just not at the point where they can afford the salaries and potentially the benefits of an individual wanting to work in the field in the smaller city. But as we're moving forward, this is going to become a key part of many of these local law enforcements, local law firms, that they're going to have to hire someone full-time to do this, so it's not without all hope. However, I would definitely recommend while we're heading that direction, get skilled and experienced with one of the larger firms in larger cities first, and then if you want to, move out to some more remote location, that you could do so, and you'd probably be very billable and even start your own business at that point.

FIELD: Where do you see some of the growth opportunities in forensics?

LEE: From my perspective, there're two. Every firm out there is kind of watching the headlines in the news right now, especially the commercial firms, and they're seeing that they need the key incident response in computer forensics capability internal to their own company; that they need to potentially self-grow that own team. So, one of the biggest growth areas is that instead of having this be a secondary duty, that someone within these companies, they're going to start hiring individuals directly for doing computer forensics and incident response, even like team managers. The second area where I see the largest future growth is actually in e-discovery. E-discovery has traditionally focused on message traffic, whether it's in email; whether it's in documents, but now we're starting to see e-discovery start asking questions of chat sessions, things that are going on in social networks from Tweets all the way down to Facebook. It is moving beyond that - the data is too difficult to obtain. It is theoretically possible with technology today in an enterprise environment, you could ask a forensic individual in that environment to say which machine across the entire enterprise or additional machines across the entire enterprise did that USB device also touch? That is a legitimate question that law firms and the lawyers could potentially ask, and it's moving from e-discovery more into the forensics world, and it's going to be easier for them to do as the growth of enterprise tools start to become more of a consistent upbeat as across all the different corporations that are out there.

FIELD: Well, we've talked about becoming a forensics professional, we talked about finding one, in each of those areas whether to become one or find one. What do you see as the biggest challenges in the market place right now?

LEE: This is a very great question. I'm asked this all the time. When you take a look at the other forensic sciences, for example DNA analysis, that science is never changing. You do not need to worry about from day-to-day things consistently changing. However, with computer forensics, you do. Just a simple service pack update to a machine could change everything that you used to know about it. The forensic artifacts would change, and if you go through Windows XP to Windows Vista to Windows 7, all the way up into the server side, it is consistently changing. You can never assume that there's going to be constant. It's one of the reasons that a forensic professional needs to have this desire to consistently learn, because the playing field -- the rules are changing on a daily basis as the technology is improving, and the additional devices that are being developed. You know, take the example of mobile devices, huge area of growth out there. Mobile devices have so much personal and professional data on then that it is becoming one of the key areas that companies are going to need to ask themselves: '

What is sitting on that device? Do we need to worry about data that's on that device? Should we do forensic analysis against it?' Well, every device is different and has its own proprietary operating system. It's a very, very difficult field to become an expert in and especially in mobile device forensics. So, in going back to recap what I just said, the fact that technology and the operating systems are constantly changing makes computer forensics a very difficult field to become an expert in.

FIELD: Rob, one last question for you. You've been deep into the material for some time now; you just released your new report. From what you see right now, what's going to be the forensic story we're all talking about in 2010?

LEE: Putting the crystal ball on, I really think that the forensic story is that the United States government as a whole is going to have a much greater concentration on the after-effects of intrusions that have occurred in the commercial sector. We're already seeing this now, especially over the headlines over the past two months, where we start seeing Secretary Clinton as well as the Director of National Intelligence make some pretty firm comments about what's going on in the commercial sector regarding data breaches and data loss to foreign-based intrusions. I think as a result of this, that this is going to push the emphasis for additional companies to really have this discussion at board meetings and at the C-level executives for them to sit down and think, `Are we prepared? And if not, what do we need to put in place to be prepared?` So as a result, I think that when we're going to ask the same questions next year at this point, I think the situational awareness is going to increase greatly across the entire commercial organizations of how much data that they currently have exposed and what they potentially need to potentially protect themselves from both the cybersecurity and reactionary, when it comes down to investigating how did it happen, who did it, when did it happen, and what was taken.

FIELD: Rob, it's an interesting year already, and I look forward to talking with you again later on to see what unfolded.

LEE: I appreciate that. Thank you.

FIELD: We've been talking about digital forensics. We've been talking with Rob Lee of Mandiant and SANS Institute. For Information Security Media Group, I'm Tom Field. Thank you very much.




Around the Network