We Hack Purple Podcast

We Hack Purple Podcast 17 with Shelly Giesbrecht

December 11, 2020 We Hack Purple! Season 1 Episode 17

Host Tanya Janca learns what it's like to be a Principal Consultant doing Incident Response, with Shelly Giesbrecht! A long-time admirer of smart people, PowerShelly works hard to surround herself with people she can learn from. This is particularly easy to do in her day job as a Principal Consultant (IR) for CrowdStrike. She is frequently found wearing a bow-tie, for some reason!

 https://twitter.com/nerdiosity

https://www.nerdiosity.com

This episode sponsored by Thread Fix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter and/or contact us for more info!  

Welcome to the We Hack Purple podcast, where each week we meet with different members of the information security industry to talk to them about all their different types of jobs. If you are looking for a career in information security and you aren't quite sure what you want to do, this is the podcast for you. I am your host, Tanya Janca, also known as SheHacksPurple, and I am from We Hack Purple, an academy and online community that teaches everyone about how to create secure software.

This week I have Shelly Giesbrecht. I definitely said that wrong, but she is going to correct me. And I know what you're thinking: Tanya, we want to get to the guest. But first, our sponsor this week is ThreadFix, powered by Denim Group. And with that, let's talk to Shelly.

Hi Shelly!

Hi, how are you?

Good. Did I say your name correctly?

You actually did. It was perfect. I gave you the thumbs up.

Oh my gosh, absolutely, thank you, because I actually meant to ask you about that so I could get it right. So that's awesome sauce, totally perfect. So people might notice today that there is a bunch of Canadian accents happening, because we are both in Canada. And are you Canadian, Shelly?

I am indeed, I am indeed. I was born in Calgary, raised in Victoria, and then came back to Calgary, so I'm based out of Calgary, Alberta.

Awesome. So you might hear us say things like "aboot", we might say the word "giver" or the expression "fill your boots", and we'll just translate as we go for our American and international listeners. Oh my gosh, Shelly, this is going to be so good. Shelly, could you please tell us your name and your handle and your job title?

My name is Shelly Giesbrecht. On Twitter you can find me as nerdiosity. My colleagues call me PowerShelly. And let's see, I am a manager with the CrowdStrike Services team. I mainly focus on incident response, but I do a lot of proactive work on the security development side as well.

I love PowerShelly. I'm not sure I'm gonna be able to call you Shelly anymore. I might have to call you PowerShelly, because that's so awesome.

Can you tell us about your job, and maybe, like, tell us about it, but actually, and then after, tell us kind of like what is a day in the life like doing that job?

Yeah, absolutely. So most of my work is reactive incident response, and what that means is we get a phone call from an organization, or perhaps the lawyers that represent them, to say they've had some sort of incident, a cyber incident, in their environment, whether that be, you know, hackers, if you will, or they've been breached, or they've got a malware incident.

There's lots of good hackers, by the way. It's not a bad word.

And so they've been breached in some way. And so I like to say that we meet people on the worst day of their business lives. And so my job as a manager is, one, I help the customer scope the incident and understand what we can do best for them. How do we get them from where they are on their worst business day back to business as usual, or usually better, really, because this is usually what got them into the issue to start with. So we want to get them somewhere better than where they were before. I like to think that, actually, somebody asked me this the other day, I like to think that my job, anyway, as kind of managing incidents and working with customers, is probably about 70 percent counselor, psychologist, friend, hand-holder, and about 30 technical. That said, I have an amazing team of really technical people behind me, and we not only investigate the incident for the customer but we also help them and recommend things to make sure that their environment can be remediated and get it back to where it needs to be.

So, day in the life. Yeah, I don't know that we have a day in the life. Our days are different every day. That's one of the things I love about it. You know, the best part about infosec is, the best answer for any question in infosec is "it depends". So what's the day like? It depends. You know, my wife says to me all the time, "How's your day today?" and I go, "Oh, it doesn't look too bad right now," and then she'll say to me later, "You seemed really busy today," and I said, "Well, you know, so-and-so called, and then I got into this meeting, and then we had to meet with a new client and they had a new incident." And yeah, that's how my day usually goes. So that's what I love about it, is there's never a usual day for us.

I agree wholeheartedly. Would you say that sometimes your days are very long and sometimes your days are very short?

Yeah, absolutely, absolutely. I think when I'm interviewing for this position, particularly people who are coming into it new, have never been an incident responder before, one of the things I like to make clear to them is this is not your Monday to Friday, eight to five job. You know, we deal in what we call "Friday afternoon specials", so 4 p.m. on a Friday afternoon is when the phone rings, because some customer has been dealing with something all week, maybe two weeks, and they've decided on Friday afternoon that that's when they need help. So, yeah, some days are really long. Some days don't end, you know, at all. I've definitely, even recently, you know, worked until three or four in the morning. But I wouldn't say that's an everyday thing, but certainly some days are shorter and some days are longer. So yeah, absolutely. And weekends, weekends are kind of an ephemeral concept.

Oh my gosh, I could not agree more.

If some of our listeners are less familiar with what incident response is, could you kind of lay it out for someone who maybe doesn't know very much about it?

Yeah, absolutely, because I think a lot of people have heard of forensics or digital forensics and doing investigations into what's happened on a computer. And there's kind of two schools of, we call it digital forensics and incident response, or DFIR; you'll see that a lot. So digital forensics is really the traditional, what we think of, of collecting information and doing forensics on that. So doing an investigation into the bits and bytes of what happened, either on a network or a particular computer, and then, you know, providing those findings to the customer based on what we see. Incident response is a little bit more of a reactive science, if you will. We usually get called in when there is actually a live threat actor...

An unauthorized party on a network.

Yep, exactly, that is still doing bad things. And so part of our job is to help the customer figure out where that's happening and contain it, stop that bleeding, and make sure that there's no more money leaving the environment, that their data is no longer leaving the environment. That's a big one these days, obviously, with ransomware; we're seeing a lot of data exfiltration happening, data leaving the environment, being stolen, damaged, et cetera. So we have that piece where we help them contain it. We also do the investigation piece; we have a whole team that does digital forensics, so we try to figure out what has happened, if we can, and then help them out with that. And then obviously the eradication piece, which is helping them get rid of all that stuff that's in their environment.

That's awesome. That's a lot. That is a lot. What type of personality do you think would be best suited to do, how about, like, digital forensics and incident response?

Yeah, I think for me, like when I'm hiring, for instance, and I think myself, is an absolute sense of curiosity. That's kind of where the nerdiosity name came from, which is a passion for all things and curiosity for all things nerdy. So, nerdiosity. But I think you have to have that drive to know and to figure out puzzles. That's really what everything is, it's a puzzle. So having that innate sense of curiosity and passion for what we do is such a huge piece.

I could not agree more. Would you also say that to do incident management, perhaps, you would need leadership, or the ability to be cool when everything around you is on fire?

Yes, absolutely, and that's definitely a learned skill. I mean, honestly, it is. I've had situations where I've had a CISO cry on the phone because everything is, figuratively anyway, burning down around them. They don't know whether they're going to be able to employ people, make payroll, have their company continue in business.

Wow.

And so, you know, the ability to, as I said, part of this is counselor, and being able to, you know, be there for those folks in their time of need, essentially the worst days of their business lives. There's a lot of... one of the things, interestingly, I think there's also the project manager piece as well. There's a leadership piece, there's a project manager piece. The thing I always tell my new consultants is "no surprises". There's no surprises to the customer. We want to anticipate everything that they need, in real time, because we are always dealing with... it moves very fast. Incident response is constantly evolving and moving fast; the incident can change on a dime. So having that anticipation, that sense of urgency, is huge, and then being able to manage those pieces, and organization, whether that's my team and what they need to be doing, or whether we have customer tasks that need to be done. So yeah, there's a few different pieces. But yeah, the leadership piece, I think, you know, as you grow up as a consultant, I think it's something you pick up as you go, and it's been a real learning curve for me in the last five years as I kind of moved into a leadership role, but a lot of fun. And I get lucky to work with the best people.

I briefly worked in incident response, and it was very exciting. I would definitely use the word "exciting" to describe a lot of it, and rarely "horrifying".

Yes. I mean, I always think of that. I wondered recently if this is actually... people refer to it as the old Chinese proverb, "may you live in interesting times". I don't even know if that's actually true, if it's actually a thing, or is that something that we just say? But I think IR is kind of like that. It's always interesting, whether that's interesting good or interesting bad. It is a totally different thing, but it's always interesting.

Yes. We have a question in the chat from Way: what is the heart of the investigation in incident response?

I'm not sure I 100 percent understand the question.

But there's another, like, follow-up to it: is there a chance that an investigation goes wrong and the responders can go kind of into a black hole, and how do you tackle this?

Oh yeah, okay. So I think, I mean, the heart, I would say the heart of an investigation is artifacts. So having actual artifacts and evidence to be able to produce findings. And from a perspective of investigations going wrong, I think that, not necessarily going wrong, but a lot of organizations still aren't logging the things that they should. They aren't keeping the logs that they have, or there's an assumption that it was being kept, but they never practiced or tested those things. So when we go and try to investigate something and we say, "Do you have firewall logs for two weeks ago?" and they go, "Oh, those roll over, right, in about 24 hours." "What do you have?" "You know, so-and-so logs." "Oh no, we don't keep those." So certainly that makes our job much more difficult. But I'm lucky enough that I work for a company that has produced some really great things, and so I think we do a really good job at that. But certainly lack of logging, lack of evidence, is a huge interrupter to a good investigation, let's put it that way.

Yes, I 100 percent have experienced this. And so I told you that at some point I needed to find a reason to mention my book, so I'm just gonna bring the book up on the screen, that I just wrote, Alice and Bob Learn Application Security. And I drone on and on about how your apps absolutely need to log things, because otherwise Shelly and I, who you can see right now on the screen, get new gray hairs because we can't investigate properly. Because, like, see, Shelly has great blonde hair, so you can't see, but my hair's dark; it's very obvious when there are grays in it, and I can name the incidents for each one of them where there were no logs. So listen to Shelly.

It's interesting, because, you know, we deal with a lot of legacy applications, and those are always the most critical in an organization.

Yeah.

And they were never written for security. So you go in and there's no username, there's no timestamp, there's no IP address. There's just some random line that doesn't mean anything to anybody except the guy who developed it.

Oh yeah, "error 431". Come on, Shelly, that's enough information to solve the entire incident, with no documentation.

Oh my gosh. I'm grateful for folks like you who are actually teaching application security and good development.

I'm trying. Logs are everything. Logs are everything. Yes. We have another question in the chat, and oh, it's a good one: what is more difficult, containment or eradication?

Oh, interesting. I think I'm gonna answer with the best answer ever, which is, it depends. So containment can be difficult if you don't know, or the organization that we're working with doesn't know, what they can contain. So I always recommend, one of the things that I always talk about is, when you're prepping for an incident response, which we should always be doing, you should be understanding of the things that you could do. So in a ransomware incident, for instance, what are the things that you might need to do, and understand whether you can or can't do them, and understand whether you would, you know, if you need to ask for help, for instance from an outside vendor or incident response firm, how they can help, and make sure all those things are in line. Because containment can be incredibly difficult if you don't know what you can. And change control too, that's a huge piece, right? Like, in the middle of an incident, if you don't have the capability to step past your very entrenched... and change control is good, I'm a big fan of change control, but if in the middle of an emergency you can't take, you know, a 10-second downtime to do one thing, you haven't built your change management process properly. So there's a lot of words. Eradication can be difficult if identification isn't done properly, I think, because if we don't know what we need to eradicate, then actually we start playing whack-a-mole with everything. So I think containment is probably... I'm going to say containment, but eradication can be difficult if the identification isn't done properly as well.

I could not agree more, and the person in the chat says thank you, and basically your answers are completely awesome.

I want to encourage anyone that is listening right now to write an awesome review and/or subscribe to our podcast, and if you are watching this on YouTube, please click that really nice yellow thumbs-up button. It lets me and Shelly know that, well, that you like this episode, that we are quite funny, also that you just think incident response is cool. Because, quite frankly, when you're choosing topics for a podcast, I choose what I think is awesome, and I'm like, "Oh, I want to talk to Shelly and I want to talk about incident response, this is excellent," but it's nice to know when other people also think it's a good topic.

I have, as you might have guessed, like, dozens more questions. So first of all, what types of aptitudes do you think a person could need in order to be awesome at incident response and/or investigation? So, like, you can say incident management, response, investigation, however you want to blend that, but like attention to detail, hyper-focus, like, what types of things do you think make someone good?

Yeah, I think, I will tell you that I think almost everybody that I work with is a little bit ADHD. We move very quickly; our minds move very quickly. But I think obviously there's a technical aptitude, and I don't say a technical skill, a technical aptitude, and also the ability to learn quickly, just like anything else in the technical world. What we do moves very quickly. We have new artifacts, new attacks, and so we move very quickly into how to contain those and deal with those. I think, again, that innate curiosity, passion for learning, is a huge thing. Active listening. We do a lot of listening to what our customers are saying.

I started out, my first job in tech was on a help desk, and this is back a little farther than I'd like to admit. And we didn't have remote control software when I first started. We had the telephone and what the clients told us, and we had to tell them to click on something and type in something.

Wow.

And so I consider that one of my best learning experiences, because I learned how to listen to what the customer was saying, interpret what they were saying, and then actually give them the answers that they needed, because, you know, not everybody's technical and that's okay. One of my first jobs, my second job, I guess, in tech, was with WestJet Airlines. I was a help desk... I actually started my security job there as well, but I started out as a help desk person at WestJet Airlines, and I had a pilot call in one day, and he said, "I forgot my password again. I'm so terrible at this. I'm so computer illiterate. I just need help every time." And pilots only used, at the time anyway, only used their passwords every so often. They didn't need to log in all the time; they weren't at a computer all the time, obviously. And so, you know, they only used their computers or their logins every maybe a month or so. So this poor gentleman is, "I'm so computer illiterate," and he's so down on himself on the call, and I said, "Here's the thing. I can't fly a 737. So I am flight illiterate. You do what you do, I'll do what I do." And I think that's an important thing as well, is, you know, we go into customers all the time that are having a really bad day, and it's easy to go in there and be condescending about the level of security that they have, the budget that they have, you know, all of the things that they aren't doing properly. But at the end of the day, again, we're meeting these people on the worst business day of their lives, and so going in there sort of humble, no ego, and that we're there to help. So, you know, I think, like any other customer service, which, you know, I absolutely believe I am, having the ability to empathize and to really go in there with the desire to help is a huge piece.

Oh my gosh, I can imagine. Oh, someone's giving me feedback that my mic is very sensitive and the muting and unmuting is really unpleasant. Sorry, I'll stop doing that then. I've been told that my typing is loud too, but I'm gonna give it my best shot. Thank you for the feedback, Yaddy.

If every single person in tech could adopt that attitude, Shelly, wouldn't life be fantastic? Not only to the customers, but also to each other. A lot of gatekeeping goes on.

Yeah, and I think we learn from everybody. I think I was telling you just before we started, I was really honored to be asked to lead the intern program at my job this year, for the 2021 intern class. And we have these great interns that come in every year, and then a lot of them turn into our associate consultants; we hire them on. And those guys are so smart. They're coming out of university, they've got, again, that passion, that drive, the curiosity, and I learn something from those guys, you know, nearly every day. And I think that's really the way to look at, for me the way to look at life, is there's always something to learn from somebody, whatever level they are.

I could not agree more. I could not agree more, Shelly. I wanted to mention two things before I go to more awesome questions in the chat. So, first of all, I want to mention, or thank, our sponsor ThreadFix. They are the most stupendous vulnerability management system on this side of the galaxy, and We Hack Purple are really happy to have them as our podcast sponsor of many, many, many weeks now. I also wanted to mention BSides Calgary, which you happen to be a big part of, and I'm going to share the link on the screen underneath you, bsidescalgary.org. Do you want to tell us briefly, I know it's a bit off topic, but do you want to tell us briefly what is BSides, and anything cool about BSides Calgary?

Yeah, BSides is a sort of grassroots community conference, and they've been happening all over the world now. And in Canada we've had them for a number of years; some of the larger cities have had them for longer. Calgary's is three or four years old, I think. I want to say I think we started in 2017 maybe, and I might be wrong on that. And it just happened, actually; we just finished it about a month ago, and I spoke at that as well. What I love about the BSides format is anybody can submit, and anybody should submit. It's very welcoming. I've spoken at BSides Vancouver as well. Very, very welcoming conferences, great for first-time speakers particularly, and just a great way to build the infosec community within your own community. That's a huge thing. I think in Canada still we have a long way to go with building security maturity within organizations, and so helping build and grow relationships within our communities for that, you know, for the security professionals, for the new folks trying to break in, et cetera, and the students that come as well, it is fantastic. I was able to actually make some contacts at the University of Calgary in their infosec club, and so I'm hoping to keep that relationship up as well so that I can hopefully eventually get some interns from the Canadian side coming into our practice at my work.

Awesome. I may end up sending you people, because people are constantly asking me if I need interns at We Hack Purple, and I explain to them, yes, but more like digital marketing and, like, web design and just the things that a regular startup needs. And they're like, "Don't you need an AppSec person?" And, like, we sort of have someone that pretty much is pretty good at AppSec.

Yeah.

And she handles that, so we need someone that's good at all the things that she's bad at. Do you know marketing?

We have some questions in the chat, but then I'm, like, torn about asking you more about BSides. BSides was the first conference I spoke at, and I can't say... it's hard to explain just how supportive BSides has been in my speaking career. We have BSides in, let's go west to east, so we have one in Victoria, we have one in Vancouver, we have one in Edmonton and in Calgary. Do we have any in Saskatoon, Saskatchewan?

I don't know, actually. I'm pretty sure Winnipeg.

Yeah, Winnipeg, and then we have Ottawa. Is there a Toronto one? I don't think there is. I think there's a DevOps Day.

I don't know, because they have TASK and they have SecTor.

But then there's one in St. John's. There was one this year in Halifax. Isn't there another one out east that I'm missing? St. John's, Halifax. There are quite a few all over, but I think that might be all of them. But that's just in Canada.

Yes, and then I think, I love, for instance, BSides Las Vegas, for instance, is done in tandem with Black Hat or DEF CON, one of the two. It's done sort of... it's overlapping.

It's overlapping. That is the best, yeah. It's basically, like, during the same time as Black Hat. So the idea is that it offsets, so people that can't afford to go to Black Hat, i.e. me and you and most of the people I've ever met, especially because the Canadian dollar versus the American dollar...

Yes.

Yeah, so then we can go to BSides, because it's somewhere between free and $25, generally, to get in.

Actually, one of my team, who is in Montreal, is one of the organizers for BSides Las Vegas. So from Montreal, though, he goes down there every year, except obviously this year, and helps organize the whole event. So it's not even just, you know, just the people in Las Vegas, or just the people... you know, it's very much an infosec community event.

Oh yeah, very. I'm on the BSides Vancouver Island board, and we have someone from the mainland on our board, and someone on our board on the mainland. Vancouver and Victoria are very close; we do a lot of things. Same with the OWASP chapters, like their chapter is always helping us, and the WoSEC chapters, et cetera.

 okay but now let's talk more about you 

 so there are some 

 uh there's some questions in the chat 

 that i thought were really good 

 um most of them from way thank you way 

 okay so when you're hiring an incident 

 analyst level one 

 what do you look for um do you have 

 certain 

 certifications that you're looking for 

 that are best or that you can recommend 

 or like what else could someone do to 

 try to get noticed or 

 hired as a level one 

 yeah okay so um 

 for me i love uh 

 one that people have gone out and done a 

 little bit of research 

 so when you come to an interview on 

 instagram response 

 please know what incident response is at 

 least at some level 

 there's lots of resources out there um 

 and 

 and and so you know things like the 

 attack miter framework 

 uh i don't expect you to memorize it but 

 but understanding that you know what it 

 is is fantastic 

 uh uh the uh lucky martin kill chain 

 uh and and i'm just throwing us some 

 stuff out there but you're having a 

 basic understanding of 

 what it is and and what we do is is a 

 fantastic thing 

 um i i also love it when people have 

 you know base um 

 i.t skills i and that's that's a 

 personal bias i will admit i came out of 

 help desk 

 so by the time i got into security um 

 you know 

 i i had a good understanding of what 

 normal looked like um 

 what does what is what are normal 

 protocols uh 

 what is that what is a sort of normal 

 operating on a computer 

 look like uh and and with and so you're 

 able to if you know what normal looks 

 like you're able to see what 

 abnormal and my my job is all about what 

 the abnormal is picking the abnormal out 

 um from that haystack you know when they 

 talk about a needle in a haystack we're 

 frequently 

 picking out needles out of needle stacks 

 and you need to be able to pick out that 

 one needle 

 that is slightly different from the 

 others and that's by knowing what normal 

 looks like 

 so um you know coming with a sort of a 

 set of 

 um a base idea 

 of what operating systems are what what 

 a network is 

 uh are fantastic things to have 

There's a lot of discussion around whether you should have certifications or not, and some people will tell you that certifications don't mean anything. I personally, and so I'm gonna, I have eight SANS certifications.

Wow.

I know, I know. SANS, for those who don't know, is an organization that does specifically infosec, forensics, management, leadership training, and they've been a big part of me growing up as an analyst, so I'm very, very grateful to them as an organization. And what I will say is having eight certifications doesn't make me better or worse than anybody else who's doing the same job, but what it's afforded me to do is to learn a lot. That said, training can cost money and not everybody has that, and so I think that's an important thing to note. But there are, I think, a lot of resources out there that we can build on for free. I always recommend that people build their network, for instance, on social media. Social media can be not a great place, but it can also be a really great place to build your network, meet people, and, you know, get to know people in the industry. Research: I get a lot of, you know, some of my best and most interesting research from reading articles that somebody's posted on Twitter, because sort of the latest and greatest gets posted. So most, probably 90% of the people I follow on Twitter are all in the industry. I mostly post about my puppies, so I'm sorry for any of my followers out there, but they are cute, so there it is.

But yeah, I always say though, with, you know, juniors coming in, that I can teach you the technical skills. It's coming in with that drive and that passion, that curiosity to learn. And so I kind of gauge that with: if somebody shows up to the interview and I say, tell me what you know about incident response, and even if it's not technically correct, if they've gone out and they've learned something and they can tell me a few different things, I feel like that's somebody that I can teach, that I can teach them the technical side, as long as they're willing to go out and put the work in. So that, for me, is probably the biggest thing.

If I was gonna say, certifications, I apologize, I'm gonna keep talking. That's a Canadian thing though, we apologize for everything. Certifications-wise, from a forensics and incident response perspective, there are, again, some great courses with SANS. There's a basic forensics class, I think it's 300, that's a great place to start to learn why we do forensics and what some of the artifacts are. One of the courses I took early on was from the Carnegie Mellon Software Institute, and it was an incident handling class, and it taught me how to manage an incident. That was really interesting as well. So there's a lot out there, and there's some free stuff as well. It's just a matter of finding, you know, that first half, but...

Yes, I actually just started following someone on Twitter called DFIR Diva, and she has been sharing tons of free resources on forensics, and I'm like, you're a totally awesome lady.

Yeah, she's wicked.

For people who are listening and who are wondering how to spell Shelly's handle, it's nerd, so N-E-R-D, and then it's I-O, so nerdy as in nerd with an I at the end, so I-O-S-I-T-Y. So there's no Y, because I was thinking nerdy like N-E-R-D-Y, but so it's N-E-R-D-I-O-S-I-T-Y.

Yes, spelling for the win.

[Laughter]

And there's a bit of conversation in the chat about why is SANS so expensive, and it's probably because they can, because they're like the highest on the market. Like, I run a training company, and if I could afford to go to SANS to learn the things I don't know, I would probably want to go. When I was in the government though, my entire training budget for the year was around 2000 to maybe 2500 Canadian dollars, and SANS courses range from like six to nine thousand Canadian dollars with the exchange, and then you add certification, it becomes around 10,000 Canadian dollars. And we get taxed at a very different rate than Americans, so we actually pay a much, much, much larger amount in tax, and I remember working it out one year, and after tax it was 20% of my income for the entire year if I wanted to take one SANS course. And I was like, in my brain I cannot find a way where I find this acceptable and not just irresponsible spending on my part, and my boss just laughed at me. But I actually recently wrote an article on how to justify training to your boss, because I've learned a lot, because I get turned down and turned down and turned down, and then I got, like, better at asking. So I can share that in the chat, an article of, like, how to show that the value of what you're getting for your org will be higher than what they're paying.

Yeah, math. It's tough. I mean, honestly, so I will tell you that, one, I'm a big fan of SANS. Two, I just literally last week finished my Master of Science in Information Security Engineering from the SANS Technology Institute, and I'm about to embark on becoming a teaching assistant for SANS, as, outside, in my copious amounts of free time. So I have some bias, and I will absolutely admit to that, there's some bias inherent in this. How I was able to afford, if you will, a lot of the training that I did, and how I was able to con my boss, I want to say con, get my boss to agree to send me to training: one of the programs that SANS runs, and this is a big up for this, is they have a work study program, or a facilitator program. If you look on their website, it's there, and if you get accepted into the work study program, the tuition is a fraction of what it is full price. And what I love about the program, other than the tuition part, is I really got to then be able to spend some time with the instructor, who, you know, is just, like, brilliant. And so you kind of get to know these people a little bit more than just sitting in the back of the class and maybe being a little shy to talk, but you kind of get to interact with people a lot more. And I think at a conference particularly, unless you're really, really an extrovert, you don't always meet people if you're afraid to kind of stick your hand out there and say hello, but as a facilitator you're kind of forced into it. So that's a great way. I did that, I think I've facilitated three or four times, and that's a great way to say to your boss, I'm doing this for way less than it normally costs and you should send me. So that's awesome. It's still tough, let's face it, especially in the times that we're in, getting budget for training is always the last thing.

Yeah, but really, I mean, people doing phishing and all sorts of other attacks have certainly upped their efforts. Unfortunately, they aren't out of work. But anyway, I'm not going to complain about heartless people doing ransomware attacks during COVID. Anyway, thumbs down on them.

There's another awesome question in the chat. Way is on a roll, so thank you. As you are managing the team, what are the qualities of the best incident responders in your team? You mentioned active listener and attention to detail, but how do you quantify that, or basically, how could someone try to be awesome at those things?

I think those are really practice. So the other piece that is a really big one is being able to explain the technical to anyone. So we deal with very technical things, and the customers that we deal with, sometimes we're sitting on a call with the executive team, and they are not technical. They know how to log into their computer; they don't know how that works. And so when you tell them things like, we found a persistence mechanism in a registry key that's used to blah blah blah, what they hear is [unclear]. So my job is usually to translate that. So my, particularly younger, analysts are very technical, but don't always know how to translate that into customer-ese. So I throw my associates and my consultants in off the deep end and say, Ethan, would you like to explain what you found? And I actually make them do it, because there's no better way to learn how to actively listen, explain things to an executive, or, you know, even provide empathy, than practice it over and over again. So like any good thing in life, it requires practice.

Yeah.

I just, so people who are listening, you can't see me nodding vigorously, and also, when Shelly makes jokes, me trying to cover my mouth before I start laughing really loudly, because I usually mute myself when I get the giggles. But Shelly has been cracking me up with some of her answers, but not this one. This is very good.

So I have another question. So when people are trying to decide, you know, their career, for a lot of people how much money you make is an important decision, or an important deciding factor. So does incident response pay well? Is it, you know, where would it rank on the scale of, you know, software developer versus help desk versus executive?

I think we get paid well. Part of that is, of course, we don't work a Monday-to-Friday, eight-to-five job, so I think part of our pay scale has to do with the fact that we work holidays and weekends and the middle of the night. And I've had, so previous to CrowdStrike I worked at Cisco, I managed the team there for three and a half years with another lead, and I actually had one of my guys miss his son's kindergarten graduation because we had a customer that we needed him to be at. And I will tell you that I try to avoid that. If we can avoid it and get somebody else to do it or go, I will absolutely try to do that every time, but sometimes that's what we do, and that's what we kind of sign up for. So I think part of our pay scale reflects that. So compared to, say, someone who doesn't have those [unclear], a sort of Monday to Friday, may have a similar skill set, but it's sort of Monday to Friday, eight to five, I think our pay scale reflects the fact that we, you know, sort of have an unusual schedule.

Yes, I recall my 37th birthday, having 30 people in my living room while I was upstairs attempting to pass over management of an incident that I was managing, and I'd already been managing it 12 straight hours. And I was like, I have bottles of champagne and like $300 worth of raw oysters downstairs, and my friends are not eating and drinking all of them, I am getting some of them, I am turning 37 today, and this is happening. And I have another, way more senior than me, incident manager that I'm handing this off to. I'm like, dude, I'm exhausted, you don't even want me anymore. And he's very upset, he's like, no, I only want you. And I was like, no, no, this guy's way better. And it took me like an hour to get him off the phone. I was like, just calm down, it's not even a really big deal.

Yeah, my, probably my recent experience isn't as dramatic as that, that is, but I was actually, she's angry, yeah. My wife and I bought a camping trailer this summer, because we wanted to, obviously with the whole COVID situation we haven't been able to travel the way we like, so we bought a travel trailer, and we were taking it out for our first weekend out in it. We were out in Canmore in the Canadian Rockies, which isn't far from home for us, it's about an hour, but it's amazing. We're all set up, ready to get some dinner on, and I got a phone call. So I'm standing in the middle of a campground with my wife, and she's already got a drink in her hand, and our dogs, and I'm on the phone with a customer who is having a crisis, in the middle of a campground. And thank God I actually had the signal, but, yeah, it happens, right? So, yeah. But I would always say, you don't have to love what you do as long as you get paid well, but you can't hate it. So I think I'm blessed that I also love what I do, and then I also get paid pretty well to do it, so it's a good deal.

It really is, if you think about it. Incident responders are sort of like that emergency room at the hospital person, where it's like you're triaging and, like, fixing everyone, and just, you know what I mean, and you're that cool as a cucumber, like, don't worry, I got this, you there, you there. You must have amazing stress management skills, like, you must have all these things that you do to relieve stress that are just incredible. You're like yoga-ing and everything. Do you have, like, a whole thing that you do so that you can handle, like, or calm down after an incident?

You know what, I actually got off a call one time with one of my colleagues, and he said to me, and on the call the CSO of the company had actually yelled at me, nothing that was our fault, but he was stressed and he decided he was going to yell at someone and it was going to be me. And we got off the call, and my colleague called me. He said, I can't believe how calm you were. He said, I would have lost it at him, I can't believe how calm you were. And I said, you noticed that my camera wasn't on?

You're like, good.

The voice was super calm.

Oh wow.

The face was not so calm. But, you know, I think it's a little bit of, sometimes it's that swan thing, where you're all serene on the top of the water but your legs are going like this underneath.

I used to work at a computer repair store, like 20 years ago, and if we had a customer come in and yell at us, I would bring whoever got yelled at into the warehouse. And we were a warranty shop for Apple, so we would have all these keyboards and mice lying around, because, unlike the parts inside a computer, with a mouse and a keyboard they would just replace them, and my boss kept keeping them and I didn't know why. So then I would just say, keep smashing keyboards and throw them off the roof, do whatever you need to until you feel better. And they're like, what? I'm like, like this, smash, and then I just get them to, like, I'm gonna climb up the ladder, just throw it, and I just keep doing it so you feel better. Sweep the stuff into the garbage and come on back, you've got 15 minutes, just smash things. And it works so well.

That's amazing.

It's amazing. And we're supposed to throw them out anyway, so I was like, might as well make them messy, it's fine.

That's amazing, that's amazing.

I feel like I could talk to you for at least one more hour, but we are actually, like, right near the end, so there's one more question in the chat, and then I'm gonna do the wrap-up questions. Okay, so, have you ever mentioned someone in your team that has ever gone above and beyond, and what made you, and if yes, what made you do that? So, has someone ever gone, like, way above and beyond on your team, I guess, and what was it that they did that you felt was so amazing?

Oh my gosh, you did it. Yeah, again, I'm super blessed to work with just amazingly dedicated and smart people. So I think for us, I'm working with, you know, a particular team with a client right now, and so we work on a statement of work that has a number of hours associated with it, for instance. And we finished an incident with a customer, and they were supposed to implement a recommendation that we gave them, and it has not been done yet, and somewhere in the middle of that, unfortunately, they got breached again, and they came back to us. And this is literally a short period of time, and they came back to us.

Yeah, it's terrible.

And we had a very small amount of hours left on this SOW, and the project manager that I'm working with, who's one of the folks on my team, just jumped right in, and we've put in a number of hours there that are probably going to go, you know, unbilled, to make sure that they had what they need. But I think one of the things we do at CrowdStrike that kind of helps that, you know, and makes that a culture of recognition, is we do awards every year, and I was lucky enough to give out an above and beyond award this year, actually, to one of our consultants. And I think having that kind of culture of recognition is huge, but, you know, I think everything that we do is about getting that customer to where they need to be. So as I said, I'm super blessed to work with folks that do that, and my job as a manager is to make sure that those folks get the recognition for the work that they do. So whether it's on a customer call and saying, you know, Tony did this amazing job finding this artifact, and I'm going to let her tell you about it, as opposed to me, you know, being the one that's the talking head all the time, or, you know, getting on a call with my leadership, or with the whole, we have all-hands meetings all the time, and saying, by the way, great job on this, you know, from this person, and making sure that they get recognition for the work that they did is a huge thing.

Absolutely. Awesome. Awesome, Way, thank you, thank you so much. Are you hearing that echo?

Nope, no echo.

Okay, great, then if you're not hearing it I'm sure it's fine. Thank you, I want to thank the people in the chat for all their great questions, especially Way, with so many awesome questions. Thank you, Shelly, for being on the show. I have one last question, and where can people find more about you? Because I know that you do speak at conferences and stuff, so let's say someone wants to follow you, or there's, like, a website?

So I am on Twitter, that's probably the easiest place to find me, at @nerdiosity. I have a website, nerdiosity.com, which I don't update nearly as much as I should. I have a couple of research papers on SANS, if you're interested in my work. DNS is a big, a big flavor of love for me, and so I have a paper on SANS. I don't have any upcoming talks, but I'm hoping to do some speaking again next year. Last year was the Magnet User Summit, as well as BSides Calgary, Fal.Con for CrowdStrike. I'm usually applying to most of those conferences, plus a SANS conference or two. The SANS DFIR conference is amazing. And, oh, plug again, I apologize for this, but the SANS summits are all free next year. In 2021 they will be virtual, they will all be free, all of the summits. So threat hunting, intel, DFIR, I'm not going to get all of them right, but ICS, they've got so many, and they're all free next year, virtual, which I think, a lot of companies are doing that. Magnet did that last year for their user summit as well, it was amazing. And so look for those events. I think 2021 is going to be another year for a lot of virtual stuff, and so I hope to be at some of those as well, at least virtually, and so hopefully we'll see folks there.

Cool. There is a question in the chat of, are you on LinkedIn?

I am, I am on LinkedIn, Shelly Giesbrecht on LinkedIn. So you see the picture with the bow tie, I think I'm actually wearing the same shirt in that picture.

I love the bow tie, by the way, I think it looks hot. Especially, I actually really like your whole look. Okay, so I'm gonna stop complimenting you on your fashion, and thank you so much for being on the show, Shelly. You are the first person to talk about incident response, and especially talking about incident management. This is super duper helpful. Thank you very much for being on the show.

Thank you for having me, it's been fantastic.

Awesome.

And with that, that was the We Hack Purple podcast, and I am still your host, Tanya Janca, and that was Shelly Giesbrecht, damn it, I hope I got that right, because she was such an amazing host. Her wealth of knowledge was, well, basically I wanted to ask her questions for at least four more hours, but I know that's inappropriate and people don't like that. I want to thank our sponsor, ThreadFix, for being not only with us this week but for so many weeks in a row. I want to let all of you know that tonight at midnight, basically, the last course in the Application Security Foundations program from We Hack Purple is coming out. Yes, that's right, as soon as this podcast is over, that's exactly what I am working on, and so the entire program, including the certification, is going to be ready and available as of tomorrow, so I hope that you go over to the We Hack Purple Academy and check that out. While I have you on the call, I want to talk about the next couple weeks, who we have coming up. Next week, so December 17th, right before the holidays, we have Majida Afrin, and she's going to talk about being a bug bounty hunter. And then if you liked this episode about incident response, you definitely want to show up for January 7th with Nashua Lindsay, and she's going to talk specifically about forensic investigation. After that we're going to have Brian Anderson, who's going to talk about basically being an operations manager, in charge of security service delivery. And then after that we have Sasha Rosenbaum, and if you follow me on Twitter you've probably seen a lot of Sasha lately, because she has been tweeting a lot about my book, and gosh, I just couldn't even dream of having such great support of a wonderful friend like that. So with that, I am She Hacks Purple, and this was the We Hack Purple podcast. Thank you, and I can't wait to see you next week.