We Hack Purple Podcast

We Hack Purple Podcast Episode 30 with Guest Veronica Schmitt

March 26, 2021 Tanya Janca / Veronica Schmitt Season 1 Episode 30

Host Tanya Janca learns what it's like to be an Assistant Professor and #SecurityResearcher who specializes in medical devices, with Veronica Schmitt: https://veronica-schmitt.com/

Thank you to our sponsor ThreadFix!

Buy Tanya's new book on #ApplicationSecurity: Alice and Bob learn Application Security.

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: [email protected]

#TanyaJanca #SheHacksPurple #DevOps #CyberTraining

Find us on Apple Podcast, Overcast + Pod 

[Music] Welcome to the We Hack Purple Podcast, where each week we interview a different person who works in information security to learn about their job, to learn about their career path, to learn about the cool stuff they get to do every day to help protect everyday citizens like you and me. I am Tanya Janca and I am your host. This week we are going to be talking to Veronica Schmitt, and she has a very interesting career. She's also rather well known as V, so if you've seen V online, it's definitely her. I would like to thank ThreadFix, powered by Denim Group, who is the sponsor of this podcast today. But let's cut with the formality and get right to it, and let's meet V. Hi!

Hi!

Welcome to the We Hack Purple Podcast, V.

I am so excited to be here. It's been a long time coming.

I know, I know. Thank you so much. For people who have not seen you... seriously, our guest from last week was like, "Oh my gosh, you know V?" Yeah, I've had a lot of people have been looking forward to you being on the show, not just me, it turns out.

It is super weird hearing that, because for me, I'm just a small-town girl from a town in South Africa that just wants to make a world a little bit better. So it's very strange thinking that people are excited to meet me.

Seriously, when I went to South Africa in 2019, every single person said, "You really need to meet V." And then for some reason you were not available, you're out of town or something. And then the day of, everyone's like, "Is V coming?" And then we met via email and I was like, yes! It's working out in the long run. Um, I was wondering if you could introduce yourself and tell everyone just a little bit about you.

So, I am a digital forensics and incident responder by trade. Um, recently fell in love with application security the last year. Um, I'm also someone that believes, and I know this might be controversial, so Tanya, don't shout at me, um, we should all be wearing all the hats, and not just... I don't associate with a specific color. I kind of believe that for me to be the
best incident responder I can be, I need to understand everyone's perspective and any... everyone's roles, to understand how I need to investigate systems or breaches. So that's me. I'm not currently an academic, I... yeah, also, I'm told I'm... I'm an assistant professor at Noroff University. I'm teaching digital forensics, incident response, cyber warfare and criminality.

That's so cool. I wish I could take your class.

Students... my students would say it's, to quote, "It's like drinking from a fire hydrant."

Yeah, there's a lot to learn.

It is. Um, but also, I love it. I'm very... I tell jokes, I tell funny things, because I am a little weird. Don't ask me my jokes, they're terrible. They're dad jokes that go wrong. [Music] But yeah, I love it. I love working with the students. The last year has been absolutely amazing, dealing with teaching people what I love to do. I'm the fortunate one, I don't think they are, because I get to see their journeys unfold.

Oh my gosh, that's the ideal teacher attitude, definitely. So when I booked you for the show you had two jobs, and now you still have both jobs, right? But a slightly different job now: you're not in school, now you're the teacher. Is this true?

So I kind of have three jobs. I still have... well, I think, count them, being a mom is a job, so that would be four jobs. Um, but that's more of a passion project. I love my goals. Um, I still have... I am part ownership in a digital forensics company in South Africa with my ex-law enforcement partner and friend Jason Jordaan. Um, that's still running, even though I am more of a hands-off director at the moment because I want to further my research. I still do some consulting work for Medtronic, that is a US-based company that builds medical devices, and I have one of the devices in my chest, that's what's keeping me alive. So it's, again, very close to my heart. And then I'm an assistant professor at Noroff. So that's kind of what I do.

It's literally close to your heart.

Literally. And the cool thing is, some of the things I
might be working on now, in three to four years might be in a new device of mine. So I think that's, like, kind of awesome.

Oh my gosh, that's amazing.

But yeah, I kind of... since 19, I got my first device. It was kind of touch and go for a while. Um, I literally prepared to go home at 19 and die, to be quite honest with you, because we couldn't afford the pacemaker. We didn't have the funds, it's super expensive. Um, and Medtronic, effectively without me knowing, donated the device to me, and the doctors put it in for free. So I've always had this drive to give back. Um, so the reason I'm here is because my doctor advocated for me to be here. Um, and since then, many years ago, I'm on device three. Um, and I must say it's awesome when you see the technology that goes into the devices. I'm gonna absolutely say that's the coolest thing I've got, is in my body. It's just the way that it keeps me alive.

In episode six we had Mary Moe, or Marie Moe, depending upon how you pronounce it, and she talked about her pacemaker and how she had hacked it while it was inside of her. And I was just like, you are so much more brave than I am.

So I am... Mary Moe is awesome. She's also from Norway, she's a professor, yeah. Uh, it's someone that I look up to. Uh, so the two main people that I look after with this research is obviously Barnaby Jack, and he was the first one that made me think about, hey, wait a minute, let me think about... But my research is from a different perspective. My research is: well, yeah, we know the devices are hackable, but how are we gonna detect that a device is hacked? Or can we even look and determine if we have enough evidence for that? Um, you know, so I'm coming from the forensic perspective, and I'm kind of saying everything will be vulnerable. I think it's Mikko Hyppönen that says any smart device that goes on the internet is vulnerable. And for me, I'm on the internet. If you want to think about it, my heart is on the internet. There's more complexities around it, but, um, I also think with COVID now, the ability to
home monitor and self-monitor has been something that I was very, very glad about. So yeah, it's a double-edged blade. But in the end of the day, um, if I can go on a site, I'm sorry... like, a year ago I had to make the decision to go back to an older device that was working, because the new one, even though I had good security, wasn't doing what it needed to do for me clinically. So as a security practitioner, I'm now weighing up the option: do I only go to something that I know has some security flaws, that gives me quality of life, or am I gonna, you know, stick it out with security? And I realized that there's a compromise, and as a patient I wanted quality of life. Um, so yeah, I went back to the older device and it is doing an amazing job.

I think that's a thing that a lot of security people don't talk about, about compromising so that the user actually gets what they came for, right? And in your case it's quality of life, but in some cases it's like, I'm an employee and I need to get through this stupid gate so I can go to work, and you're making me late, you bunch of jerks. And it's like...

It's difficult. I mean, when I sat down with one of the developers, and I tell the story often because it was a wake-up call, um, Rob, um, said to me, "Well, so tell me, what do you want?" Well, what he is, a firmware designer, says, "So tell me, what are your requirements that you want me to build in?" And I give him my list, and he's like, "So you're getting a device every three years?" And I'm like, ah, no, wait, we're gonna have to have a different discussion now. I don't think I want to go for surgery every three years. Because here's the thing security forgets: in these devices are limited CPU cycles, limited battery life. So the more complexity and, you know, CPU cycles we use, the patient pays for it. So the patient pays for security. Um, that means that you need to go more regularly to have a device explanted. And here's something no one knows: it's not a battery change. They, yeah, they take the device out, because it's
encapsulated, it's a closed device. So that gets taken out and replaced. It's surgery. So we can't build these devices to be super secure, uh, it's just not possible, and we have to compromise on, you know... what I always say: so what are the requirements? Why are these devices built? They're not built to be a secure security device, they're built to be a health device. So that's what its requirements is, that's the functionalities it should have. Um, obviously we want it to be more secure.

Well, its availability and integrity in your case is absolutely mandatory, but maybe you're willing to compromise a little bit on confidentiality if you can have it always working, perhaps?

So confidentiality is an interesting thing, um, when it comes to, and how the data is used. Um, but I kind of, uh, I would compromise on that, I would say. Um, I made a joke once and I said to a doctor, I said, "So, you know, let's put usernames and passwords on it." Any, in any spring fashion, he said to me, "Okay, so you're gonna be lying there grabbing your chest in pain, and you're gonna give me your authentication?" He says there's a reason that there's a universal token that we use: it's so that anyone, anywhere can get into your device easily. And it's kind of things we forget. I mean, I was resuscitated in December a year ago, December, um, because my device wasn't functioning properly, and it was two seconds that they, two to three seconds that they had to make a decision what they were going to do. Um, so it's literally, these devices are life or death. You can't, you can't wait for a link so you can reset the password. There's no time, no. So, uh, but also there's lots of complexities into actually accessing these devices and protected memory addresses. They're pretty damn cool. I mean, I have a couple that's explanted that I've taken apart to look at how they look, and it's beautiful. I mean, I just love them.

Do you think that the average person that's designing these things has not gone through the process of having something added and
then removed from their body? Because, like, I personally have a device in my ankle, and in 2012 it moved, and so they had to remove it and then add a new one. And it took two and a half hours of them trying, because my bone was like, "You know what I'm gonna do? I'm gonna grow onto it. Yeah, that's a great idea. I'm never gonna let it go." And so they spent over two hours removing it and then, like, 10 minutes putting the new one in. And then of course, like, I had to learn how to walk again and do all the stuff. And like, I was fine, but, like, it moved 1.5 millimeters and they're just like, "Nope, we have to take it." And that was like grinding on the... and you know what I mean? And that's not my heart. Changing something in your heart sounds like a hundred times more serious and delicate. Like, he had, like, a hammer, and I'm just like... and I was awake during the surgery. I'm just like, oh no, this all seems like a very bad idea. But they gave me Valium, so I was like, who cares? Because otherwise, otherwise I'm sure I would have been like... the whole time. Um, but like, having, like... it's not like, you know, when people say, "Oh, just patch it." That's not, it's not the same.

Yeah. So Tanya, the thing that freaks me out is when people say, "Oh no, we should make these devices so that we can patch them from anywhere." And I'm like, saying, have you ever updated firmware? It's like a hit-and-miss: it's either going to work, it's either going to fail. Um, I'd rather that be done in a controlled environment, um, where if it breaks or if it fails, the doctor can do what's necessary. So yeah, patching is great, but now I'm going to ask a question: does all vulnerabilities necessarily need to be fixed? I know security is going to shout it has to, but I mean, if it's really not an impact on exploitability, yeah, aren't we perhaps gonna break something by fixing something, or introduce a potential vulnerability where there wasn't one?

Um, I actually agree with you. I feel that, like, application security is a lot about compromising with what
your client actually needs and what they're trying to achieve, versus what your dumb tools say, right? And so sometimes it's like, okay, so we have these seven old apps that all depend on this really old framework that can only run on Windows XP, and obviously that's awful, but we're decommissioning all of them in a year because we're building, like, this new app that's going to replace them. So why don't we just do a ton of harm reduction and, like, stick, like, 25 band-aids on it? Which you would not do for a permanent solution, that would be inappropriate. You would never build a new app that way. But it's like, listen, they're actually coding the replacement now, they're going to be done in a year. But even if it's a year and a half or two years, I'd rather have, like, a WAF on this, and then network segmentation, and, like, a crap ton of monitoring, and maybe a kazmi. And then I'm like, okay, so it still sucks, it's kind of garbagey, but, you know, it's way, way more secure. Because you're not going to patch something that's 15 years old, you're going to replace it.

Exactly. And then that's the thing, is I'm advocating for, basically, we need to look at vulnerabilities not in a negative light. We should look at it as an opportunity to fix something or to find a solution. Because I find when anyone says "vulnerability", organizations start jumping up and down. Well, I'm going to shock everyone: you have probably been hacked, you didn't know about it, because you didn't have the necessary logs or the necessary intelligence or the detection mechanisms, especially the smaller organizations. And the only way that you generally find out that you've been breached is when your data's, you know, been dumped on the internet, or you're being held, extorted for bitcoin, um, or a client says, "Hey, I received it, you know, have you received my payment?" and you go, "Well, no," um, and then it got paid into another account because there was a business email compromise. And this is why I love my job, because I get to come into
organizations at their most vulnerable point, and I usually say to them, you know, we're all gonna calm down to a mild panic, right? Just a mild panic. If I run, you run. But such a point, we're just gonna assess the situation. I also like to watch. I like to isolate machines and observe what the attacker is doing, because psychology of human beings are so awesome. Even in automated attacks you see the underlying behavior. And this is what I think my law enforcement career taught me, is that human psyche. I mean, if we look in forensics, what's awesome is I can look at your computer and I see your personality. And based on how you name your files, how you organize your folders, those kind of naming conventions are unique to a person, so I can anticipate, if I'm looking for a specific document, based on your profile, what the document name might be. Your computer tells us all your secrets.

And it'll tell you Tanya's not super organized and she's kind of stressed.

Hard... running a startup is hard, it's not easy work, right? I've been there, done, I got the T-shirt, and the endless sleep was nice.

I sleep really well, but sometimes I'm like, if I could just cut out a few hours per night, imagine how much I could get done.

Well, we're not going to sleep tonight. I'm going to be working on research papers.

Well, wow. Yeah, I am actually meeting with someone from India tonight, so I have to stay up kind of late, but it's worth it. I have questions. Like, how did you... so you told us how you got interested in medical devices, like, it totally makes sense considering your health history, but how did you get interested into forensics, and how did you kind of, like, get introduced to that?

That's a funny story. My whole career is a funny story. So I started as an administrative officer at Special Investigating Unit. Um, I was good at it, was interested in, nineteen. My dad works for telecommunications company, so I grew up around it, and I kind of, like, always loved doing it. So I started helping them out
in the local office, um, and became the IQ content person. Now unfortunately, with a great access comes equal responsibility. I was young. I may or may not have accessed some documents that I should not have, and I was flagged on a radar, and it was kindly suggested that I should speak to Jason, who was my mentor and now my business partner, to facilitate a career change. [Applause]

Wow.

So, [Applause] he basically sent me a crapload of documents and research papers and put me through the wringer for about a month, and I realized, like, holy crap, this is something that I really like, because it's puzzle solving. I love solving puzzles, and I want to know the why, the who, the when, you know, and what. So I actually got my first case, and he was not around because he was doing his bad, you know, his postgrad, so I kind of had to find my way around. LimeWire, just to give you an idea of how old I am. It was a copyright infringement dealing with wire, um, and I did my research by experimentation, and I realized, like, I like this. And that was my law enforcement career. Um, I did inevitably leave, because I had kids and it became a little bit too high danger for me, dealing with organized crime and nasty other things, and I wanted a slower pace. So we decided to start our private practice. Um, but I kind of started with no experience, no degree. Um, I didn't have the money to go study after school, um, and worked my butt off. And here's the thing: you don't need a degree to do a master's. I did my master's without a degree. I just motivated my way into the door, and then I had to prove that I deserved to be there.

You're amazing. You so are, V. You're just like, "I motivated them to," and I can totally see it, because I know you.

I'm good with convincing people, yes. The other thing people say: "I don't qualify for this job." Well, I haven't qualified for a single job that I got, because I went in there and I said to them, I am willing to learn. None of your other candidates are as hungry as I am, because I know what I don't
know, so I know what I need to learn. And I was honest, I was brutally honest. They would ask me, "Can you do this?" I'm like, "No, but give me 24 hours and I'll learn how to do it." Um, and that's kind of been my whole life. If a door closes, well, I'm gonna go through the window. If the window's not there, I'm gonna climb through the roof. And if anything else fails, I'm gonna kick down the door. I don't believe in barriers. I don't believe in a no. No, it's just an indication for me I need to find an alternate way to get to what I want.

That's awesome. Someone in the chat, Andrea, says, "Yes, that's amazing," and I completely agree with her. Can you describe what a day is like in the life of someone that does forensics? And you can say it starts with a call at two in the morning, if that is what is correct.

So it is, but I'm going to sketch this way: criminals are very selfish, right? They always pick Christmas and New Year's, right, or holidays. Yeah, so last year was the first Christmas I had that I didn't work. That was awesome, but it was also strange, because I was like, is this what it feels like to be normal? But if you like the adrenaline and pace life of dealing with breaches and getting phone calls at two o'clock in the morning, um, it sounds scary, but it's actually quite fun. I must say, when I get a call for a breach, I go into the mode of, okay, I need to calm my client down, because we need to understand, um, that a client, when breached, is vulnerable. It's almost like they have been violated, they have been attacked. Um, yeah, and equally the security people working on the network, you know, you have to have a soft touch to it. I always feel that we all focus on the technical, technical, technical, but we forget about the softer human skills: the communication, the calm voice, um, the non-finger-pointing. You take on a mothering role, take charge and just get things going. Um, a breach is big, but my granny always had a saying: how do you eat an elephant? It's, like, one bite at a time. So break your
things down to small, achievable things and start ticking them off. But what is it like? It's fast-paced, it's rewarding, because when you have solved a breach, you've remediated, you've recovered, people's jobs are saved, in that a company could sink or, you know, survive based on the work that you do. You get that reward when you solve it successfully and you can tell them where they need to mitigate or do better. But I see so many people come in and start pointing fingers. We all have been breached, this is the reality. Whether you want to admit it or not, it has happened or it will happen. Uh, and I think we need to stop shaming companies that have been breached, um, because that's why people are afraid to share that they've been breached, so we can't really collect intelligence and become organized security practitioners. I mean, organized crime exists for a reason: they share intel, which is something we don't do.

Actually, I agree with you completely. Many times I have thought, like, why don't more companies share information around this? Like, uh, one of the government departments I worked, I did incident response and I did a bit of, like, AppSec-related forensics for them, and then I wrote a report about all the different incidents we'd had and how we could prevent some of them, and I was saying, like, we should share this with other departments. And then we had a really big, terrifying incident, and it was an attack by an organization, and I was like, we should share this with the other departments. And they're just like, "No, why would we do that?" And I was like, why do I work here? I need to work in a new place. But that's something where, you know, you could tell the rest of the industry and your, uh, in your country, like, that that's happening. And I agree with you: they're sharing, "Oh, I did this attack and it worked really well," and then we're like, "We did this defense and we'll never tell anyone."

But that's the thing. We had an incident in SA, right? A client of us got hit. We were... look, so when I'm
working a case, you won't know I'm working a case, because my focus is on that or not anywhere else. And had we... we disclosed it to the newspaper that this is what happened, to warn other companies, but for them it wasn't clickbaity enough or sensationalized enough, right? So they never published it. Two weeks later, while we were mediating, a massive municipality in our teen got hit by the same actors. Now my opinion is, had this been disclosed, we would have had police on the scene, right, ahead of the time. But in that instance, as soon as that happened, DFIR Labs contacted the police authorities and we started working together, and we were quickly narrowing down to where the attackers were. But, you know, attribution is hard, um, yes. But yeah, the tactics were very similar, and it wasn't... I wouldn't say it was advanced, it was sloppy. But I think attackers generally underestimate the amount of forensic information they leave behind. And that's the same for pen testers, right? I've uncovered a few, you know, sanctioned and unsanctioned pentesters in my career based on just the LNK file in Windows that has been left behind, or Prefetch. Um, you know, people forget that Windows is like the ultimate keylogger, it keeps traces of everything. I'm going to get to... I... it is, it keeps a wealth of information, if you know where to find it.

Yes. I would like to take a brief pause, and I want to thank our sponsor ThreadFix. They make the most stupendous vulnerability management system this side of the galaxy, and I want to thank them for their continuing support of the We Hack Purple Podcast, right from week two or week three, maybe it was, all the way until now. I also want to ask everyone that's watching to give us a thumbs up, and if you're not subscribed to our YouTube channel, please subscribe to it. If you're listening, please subscribe to our podcast, if you're listening later. And also I want you to follow V on Twitter. She actually tweets a lot of really cool stuff. I follow her, a lot of people I
respect follow her. Shares a lot of really cool research. And this brings me to the next thing, which is, I want to ask about your research. So you do a lot of medical IoT security research, but lately, um, I believe you've been looking at some malware, and that are ransomware specifically. Do you want to tell us anything kind of interesting about that?

Yeah. So I absolutely love ransomware. I think it's absolutely one of the most beautiful things that occur on a Windows machine, because of the way that it knows Windows and exploits Windows. So my master's thesis was on how do we find the secret sauce for ransomware using forensic techniques. So the hypothesis is, or the idea was, that if we start analyzing these threads and comparing them, it's much like baking a cake: you know, you need eggs, you need milk, you need water, you need, you know, certain ingredients, and everything else is just additions on. And I started to find commonalities between various strains. And, you know, there's a big ransomware-as-a-service going on, so I'm hoping that, you know, that we... no, I kid you not.

No, no, I don't think you're kidding. It's that I can't believe that there's ransomware as a service. It's just so, like...

Not like, ah... Cerber does it, Riot does it, um, Ragnar Locker does it, Maze I believe is doing exactly the same. So for an additional percentage they will produce your campaign, um, and they will run the technical side for you. And I mean, the guys are making good money on it. But for me, what's important is finding the things they do the same, so that we can build in detection capabilities. And some interesting things that the strains do is they will read the keyboard, you know, information within the Windows registry, and if it contains any Ukrainian or Russian languages, it would cease to encrypt. Now for me, there's a kind of intelligence portion to that, because why would we do that? Is that potentially something we can look at? Some of the strains would overwrite the master boot record of
the file system, you know, taking away the capability for the user to boot into Windows. However, we know that the master boot record on an NTFS file system has a backup at the end of the drive, so could we potentially fix that? So I'm kind of applying my forensic techniques to see if we can deal with mitigating and coming back from ransomware. But I want to understand the behavior behind it. I want to observe it pre, um, just at infection, uh, at encryption, and then I monitor the network traffic for an extended period of time post encryption, because there's a lot of exfiltration happening as well. So yeah, I'm kind of obsessed with it, because I think it is pretty damn awesome.

Okay, so how can someone get into the type of work that you're doing? Like, is there training that they could take, or is there, like, a career progression that they could try to follow if they want to get into this type of work?

So yeah, you can. I am very big on SANS, and I know everyone's gonna say it's expensive, but they have a work-study program, meaning if you go moderate and facilitate for them, you get a huge discount on...

Wait, wait, so you have to work for them and then you...

It does not count, it's not really work though. So it's moderating a class, so in terms of that it's not really... I think the benefit that you gain from that, specifically their forensic training, is of a high standard. The caliber of training, you know, instructors they have on the forensic faculty is amazing. But I just started reading a lot. I think one of the things that probably helped me in my career is my inquisitive nature. I wanted to know more, um, and I was interested in it. So if you read a lot... don't watch CSI: Cyber, they're lying to you, it's not how it works. I have a big red button that says "Find Evidence", however in my 12 years it's never worked. I kid you not, I 3D printed one just to prove a point. We gave them out as a gag gift. Um, but there's this DFIR Diva, she has a lot of information. Um, there are... it is Magnet's offering, um,
precedes to their training. But basically I started from the bottom and I worked my way up. It's the best place to learn. But, you know, learning computer science at the beginning is a good place for forensics, because everything we do is in computer science. But I also realized that just doing forensics, I was actually doing a disservice to my clients and to myself, because I never understood how applications were built. I never understood the defense side of things, I never understood the attack side of things. So I started branching out and learning different things so that I could almost come full circle. Um, I'm not quite there with green. I'm still afraid to build things, I'm scared they're gonna explode. Um, I don't think my code's that good.

It's okay if you build something and it explodes, as long as it's not for a client.

So Magnet has got their conference with amazing speakers that, um, I think is free, um, as far as I know. I'm presenting, so like, shameful, like, ah... it's in April.

April. What is it... where's the conference called?

Magnet Axioms, um, digital forensics conference. I will find a link and I will tag you in it.

Um, okay, yeah.

But that's quite awesome. SANS also offers a lot of their conferences free at the moment, so grab a seat, those are awesome. If you want to do DFIR, contact me. I'm always looking for people to inspire into this line, um, because there isn't a lot. I mean, I started when we were five in the country. I was the only female, and, you know, I kind of want to see more kick-ass people doing DFIR. And specifically, I want to see more developers moving over to DFIR, if I'm quite honest with you, because I think if you know how to build applications, you're going to be able to know how to investigate breaches on them.

Yes, yes. That's actually how I ended up with my first incident investigation. I was like, "Oh, oh yeah, that's SQL injection." I could just, like, read the code, right? I'm like, "Oh yeah, I see what happened there." And they all just looked at me like, "What?" And I'm
like, "Oh yeah, they're doing this and then this and then this." I'm like, "Okay, and then this." And they're just like, "Uh, you're on the incident response team now." It's like, go with it and shoot my mouth off. It was so exciting.

Developers have this unique ability to look at logs and figure out what's happened, right? And a big portion of DFIR is logs. Okay, I'm obsessed with logging. Um, so that's kind of, like, I want developers to become forensicators, because I think they were gonna have, like... also green outnumbers blue and purple by a lot. I don't know the statistics, but it's quite a lot. So I'm always saying, like, well, we don't have it, so why don't we build it? That's kind of my motto for the last year: if you don't have it, we should build it. And that's kind of what I'm talking about at the Magnet Axiom conference, is building these capabilities in from the start.

That's awesome. I, uh, so I remember we're talking a little bit before the show started, and we were talking about, like, the idea of building the ideal logs for forensics. And, um, you know, We Hack Purple actually has, like, a logging... error handling and logging, and, like, what you should do as a developer. And I'm wondering if, like, you would share some of the things that, like, you wish that you could see in that again.

So I generally... one of the things that I've noticed is that we deal sometimes with a lot of unstructured data, so I feel like I'm writing parsers, you know, that it comes at my ears, because it feels like a lot of my DFIR work is writing custom parsers. I kind of also have found that we over-log on system performance and debugging, because logs are designed for developers, by developers. Um, I kind of want us to look at logs and be kind to your future forensicators, so we have to read your logs. Um, and I started watching and delving into things, and then I came across Uncle Bob, that talks about clean code, and I'm like, thinking, well, I wonder if clean code produces clean logs. And then I realized that a lot of the log
debt that I've seen, the verbose logging, comes from legacy code that people have forgotten about. Like sensitive data disclosure: we've now done updates and something's been deprecated, but oh goodness, the console's still printing the body text into the logs, and within that there's app secrets and keys. And guess who finds it? The hacker that studies your logs, or the forensicator that has to analyze them. So, so many times in my life I have found some naughty, naughty things in logs that should not be there. So consider your logs as public, I always say. Even if it's on a mobile phone, that means it's not on something you can control, meaning people can have access to it. So don't put things in your log that you don't consider public. So preferably not your dirty laundry, should not be in there. Um, I think credit cards, credit card numbers, what about SIN numbers, no, or endpoints, or, no, you know, JWT tokens, you know, seeing as we're just putting, like, the kitchen sink in. And these are things I've seen. So a good question is to look at the when it's happened, what has happened, where that originates from, and that's, and that's kind of where I'm going with that. But it's also about context, right? I can tell you I got up this morning, I had coffee, two sugars, milk, I had a green shirt, purple pants, uh, I combed my hair in a side part and I went to work. Well, that's too verbose. I mean, no one wants to know that information. Or I could just have said, "I got up this morning." That also doesn't tell you anything. So you need to be, you need to think of your logs in design based on: what do I want this message to tell someone when they look at it? It's not just about printing a whole body of text and saying, "Well, okay, I've done my part." Uh, you need to go read the logs and see if you can actually correlate the timeline.

Yes. Do you, okay, so a thing that, so I, I feel like it's okay that we just nerd out on logs for a bit. So do you, so I'm a big proponent for the devs not only logging, you know, things that seem like security
issues, like, it seems like this is a brute force, uh, or someone logged in, or someone tried to log in and they did end, etc., but if it seems like a security event is happening, that we could send an alert to the SIEM. And I almost never see it happening. And one of my clients the other day, I was like, "Can we, you know, are there error logs from the apps?" And we're investigating an incident, and I was like, "Can I see those?" And they said, "Oh, the devs have Splunk and they have all of their errors going to Splunk." I'm like, "We're the InfoSec team and we don't have access to Splunk?" They're like, "Oh, we have CyberArk." Like, excuse me, wait, what? You have two SIEMs at the same org? And, okay, so when can we Splunk? And they're like, "Oh, we'll have to meet and negotiate access to that." And I just, like, what are you talking about? We're trying to investigate an incident, and, and there's an application SIEM, essentially, right, monitoring all their apps, and we are, and we're, so I'm, like, you know, been consulted by the AppSec team. I'm like, "And you don't have access?" And they're just like, "Well, we'll talk about that later." And I was like, okay, so let's go become their best friends, right? But do you agree that, like, sending, so, so obviously I'm very biased, but I think sending it to a SIEM, assuming it's a message that actually makes sense, seems like a good idea for devs?

I, I'm so for centralized logging and standardizing that. Like, you should have the full picture. I mean, but this is a problem you've raised within organizations, as we function in silos. Development is different from ops. And, and I think one of the books that changed my mind on this was the Unicorn and the Phoenix Project. That was kind of life-changing for me, and that's when I realized, like, I need to infiltrate development, I need to learn their ways, I need to learn their lingos, so that we can start working together. And that's when stuff started to change, because a lot of the time it's development systems that get attacked, and, and then developers cringe when
security walks, you know, IR walks in, because now someone's going to lose a job, right, someone's head's on a block. And then I normally say, "No, no, let's deal with it. We've, no, we have to make peace with the fact that this has happened." First step is acceptance, right? That's the same with anything. Um, I take on that role and, and we fix the problem. And often the person that comes up with the remediation option is the devs, because they have some creative, their whole thing is, like, this is my problem, it's a non-favorable outcome. So I'm like, "How do we fix this?" But now I've, I've looked at Cornucopia and I decided, well, can't beat my Cornucopia with logging. Like, so I play these games in terms with, with my, my devs and say, "Okay, this has occurred. How would we put this capability in to detect this in our logging?" Um, or say to them, "These are some of the logs we have generated. Can you find some logs that we should clean up, and then present your solution to cleaning them up?" And so we've been introducing dealing with log debt in terms of an Easter egg hunt, and doing them within sprints, and then getting them onto must-haves and actually fixing the problems. And, I mean, it started regretting to the log starting to look ping, which makes me excited, because now I can do analytics, now I can build dashboards, now I can gather intelligence. But when it's look, I cringe at the amount of JWT tokens I've seen in logs, or, you know, like, encryption keys, or, you know, app secrets. And, and I'm like, all your endpoints. I'm like, why don't you just, you know, publish stuff on the internet? I mean, we're already putting it in our logs. Because the first place that I go when I want to hack something is I find application logs. Why? Find information. I do reconnaissance. Attackers do reconnaissance very well. I mean, if we put these things in our logs, well, we're asking for it at some point.

We, we have a bunch of questions in the chat, so everyone is really down for all the things you're saying. Um, and so there's, there's two really good
questions. So, um, let's start with the first one. So what is the best way to get your first, um, DFIR job from SecOps? Like, how, how do you get that first chance?

You are persistent. You, you don't, you just go for it. You find a way, you find the solution. If you see DFIR going on, shadow the people, make friends. It's a people game. But also don't be put off when a job application says, "Hey, you have to have three years' experience." Like I said, that's not a thing. But go volunteer your time. Like, if you're in an organization and they've got a CERT team, go volunteer your time. It's the best way for you to learn, is by doing. I would say go study, but again, I'm a big supporter of this: theory and practical, and they need to merge, and they need to be, theory doesn't always meet up with what happens in practice. Like, we have the six steps in incident response. I've yet to see a company during a breach, where everyone's head's on fire at this point, follow these six steps, um, or an incident commander shouting, you know, "We're on phase one!" No, everyone splits up and does what they need to do. But your first job is going to be basically, one, you're probably not ready to do your first incident. You are going to freak the hell out. You're going to go, I went to the bathroom, I cried a little, I got my mind straight, fixed my makeup, and walked out of there and faked it. I faked my confidence, and in that I learned how to do the job.

It's so true, it's so true.

It sounds ridiculous, but it's literally, I, I, I didn't know anything about digital forensics or incident response. I didn't know it's a career line. By accident I got exposed to it. But a lot of the people that we've hired has been someone that has shown an interest in, in what we were doing and volunteering their time. Internships are great. So, I mean, I, I've done a couple myself where I've just said, "I want to learn what you've done." And it's the same with the development teams: I sat with them and I didn't charge them for anything. I said I want to just observe, I just
want to watch, I want to see what you do, I want to see how you function, because I didn't want to introduce something that breaks an application's development cycle, because that's costly. So I wanted to know that if I suggest the remediation on an application, I need to understand where it fits in, I need to understand what the cost, the time, you know, that goes into it. Because I think I hate it when people now, like, come to my developers and say to them, "Hey, we need to make the security change because there's a vulnerability," and we, we just, like, going about to release, um, and we're already over time.

Yeah, so, so how about it, do you want to explain to them why we're late? Can we point you in the meeting?

Yeah. But yeah, just volunteer, honestly, and talk. Twitter is amazing. There's an amazing community out of there. Um, ask questions, um, read up, and, and through the industry someone will not be looking for someone. I retweet some posts, um, for positions. But I would go to the person that's in the organization that runs the department, say, "Hey, I wanted to, like, volunteer some hours because I want to learn," and most of them will say yes, because they are grossly understaffed.

Oh yeah. Okay, so we have another, we have another comment, but first I have to do my awkward marketing. So, um, we have t-shirts. Um, so we have really cute hoodies. [Music] It's very pink. So we have femme hoodies, and by that I mean they fit lady figures, and you can buy them at shop.wehackpurple.org. We also have magnets, t-shirts, um, we have baby onesies, we have all of the things, including cute mugs. And so I have done some marketing and I can check that box now. Good job, Tanya. Um, oh, and our community is now open, so if you want to join the online community we have, it's at community.wehackpurple.com. Um, but I feel like that's lots of marketing for now. Okay, so there's the very, very most important question, which is the cheese question. So way back in the day when I was a dev, and I knew I'd finally made it, it was when I went to the grocery store
and, so I really love cheese, like, a lot. And no, android, we don't have dog t-shirts yet. Um, we should get pet swag. Okay, anyway, sorry, back on topic. So I felt like, I, I'm looking at the two types of cheese, and then I realized I make enough money, I can just buy both. And for the first time I realized my grocery bill could be larger and I could get, you know, more things that I wanted and not scrimp so much. And I was like, "Gosh, I've really made it. I'm a professional dev now," right? Like, it was a few years before I reached that point, but, um, and so that was like, oh, I get paid well. Does that make sense? And so, yeah, a thing that people really want to know that watch this show, especially, like, when you're deciding which career that you're gonna have, like, does DFIR pay well, or, um, you know, does it not pay well, or, uh, does it pay so much you're just like, "Yeah, you know, I have to adjust my camera so you don't just see, like, the wads of cash all over"? I'm just kidding.

Well, so it depends. I, I think, uh, initially I was paid good because I was in a government institution working for a law enforcement agency, and then I went out and did my own thing, and I kind of started the startup, and for five years, honestly, I didn't get an increase, but I survived. But, but looking back now, I, I'm finally at a place where I feel like I'm comfortable. But it doesn't pay bad compared to some other jobs. But you need to be able, you need to be prepared to work from the bottom up. There's no, no middle intersection into DFIR, because it's the thing that you need to start at the bottom so that you'd learn the foundational skills. Um, I, I'm not, I think the U.S. fairly pays well in DFIR, um, the UK as well. Um, it's a, it's a consultancy company a pretty penny for it. Um, law enforcement, I, public sector doesn't get paid, paid badly, but that's more a passion job. You need to have the passion for, for being in law enforcement. You need to also have the grit to deal with the ugly, nasty stuff that you will inevitably deal with. Um, and just for the
record, you still deal with that nasty stuff on occasion in the private sector. It's not that you're immune from it. Um, but it is rewarding, and after 12 years of doing it, if I had to go back, I will bloody well do it again.

Yes, I love it. Okay, so I have two super tough questions and then we have to wrap up, because literally I look at the clock, I'm like, what? How could it possibly been 52 minutes? This is, my clock's wrong, my computer's broken. Um, okay, so most difficult questions: what do you like best about your, your job, and what do you like the least?

So the, yeah, that is a hard, so the payoff is the best, um, for helping people, um, firstly. And secondly, I get to learn every day, because technology changes, attack has changed. So I, I love the fact that I'm pushed out of my comfort zone on a daily basis, because I, if my brain doesn't hurt, it hasn't been exercised and I feel like I've wasted my time. Um, so kind of like that is what I like. I like being busy with, I like solving things. I kind of have this urge to solve things. So the ability to constantly learn. What I like least is probably that, um, that's a tough one, at the time that's spent on incidents versus, you work late hours. You're gonna, you're gonna put in the hours in the beginning, because as a junior person you do the work, and the missing out on family time or family moments, that kind of was the negative for me in my career. And dealing with the ugly, real, like, human elements of crime. It's quite sad when someone loses their whole life savings through a business email compromise. It, it touches your soul. Or dealing with, um, child exploitation, which I've dealt with in my career. Those are the things that are bad. But again, there's the equal good. You can't have the good without the bad. But I'd, like I said, I would do it over again. But there are things that I wish, if there's one thing that I wish someone told me, was that you need to have some sort of a shield, or someone, like a lightning rod, that you can go to and just debrief off the cases, because
we keep it in and it just builds up. Yeah, you need to have the protection layer that, yeah, you need to be soft, you need to be open to the clients, but you don't, you don't open yourself up to what's happened to them and take that on board, because that's all crashing in the end of the day.

My first security job was counter-terrorism, and I remember having to make a PowerPoint presentation of dead bodies, and it was just like, I didn't know this when I signed up for this job.

You don't. I mean, I didn't know, I was six months pregnant when I did my first child exploitation case, and that, and I said to my husband, I'm like, "Like, I'm not giving birth, I don't care, this child's not coming out, he's staying." And we successfully solved the case, and then I had the feeling of, what if I wasn't here? If not me, then who? It's, so I kind of, like, played a game. I'm like, at least I was there to solve the case, you know, so I had an impact in one child's life. So yeah, it's rewarding. It's an awesome line of job, and there's some awesome, kick-ass people that do this job that I look up to, and not just because I'm short. I look up to a lot of people because I'm five foot nothing. But generally there are some awesome people that I look up to, and, and go follow them on Twitter, and ping me on Twitter and tell me why you want to get into forensics, and we can have a conversation, we can have a virtual coffee. Um, I'm more, I want more people in this line, and specifically developers or developer backgrounds. Yeah, I'm collecting them all now. So I'm collecting all the developers to turn them into forensic ninjas so that we can build better capabilities for the future.

Thank you so much for the work you do, because honestly I'm, I'm not tough enough to do it, and I'm so grateful that there are people like you who have a shield, who have a lightning rod, and who have the fierceness to go protect, like, the people, the people that really need it the most. So thank you, V.

Thank you. Thank you to you ever. You're an amazing mentor. I see you
as a mentor to me, because since I've met you I've been putting myself out there a lot, because someone kicked my behind over Twitter, um, and that will be Tanya. Yes. Um, but you know what, we all play our role, and I think it's time that we break down the silos and we just take hands and start, like, working together, and not have, like, double SIEMs. I have never heard of that. Like, just centralized, standardized, observability is key. That's the thing I think take away: if you want to protect your organization, you have to have observability.

Yes. I'm actually starting to see a bunch of security observability tools coming out, and I went to an observability, observability summit in October and it was my first one, and I was like, oh my god, my brain's exploding with possibilities.

Um, threat intelligence is amazing. If you haven't looked at the MITRE ATT&CK framework, shameless plug, go look at it. It is phenomenal. Katie Nickels did an amazing job on it. I use it every day. Um, and now there's just, I'll, I'll pop some resources in tomorrow morning, when my brain starts working again, on Twitter.

Okay, yeah, we'll put them in the show notes. And also, like, we had another guest earlier, Shelly, um, great breach, gosh, I'm saying her name wrong. She's nerdyosity on Twitter, she's really great. There's DFIR Diva, like you said, there's you, there's, um, Sarah Edwards, she's, she's like the Mac queen, like, Apple queen. There are so many amazing people that are, and I know we just named a bunch of women, but I guess, like, I just follow a lot of women. And there's just, like, so many different people sharing these really awesome, amazing secrets and things online, and, yeah, definitely. Oh, this is so good. V, you're great. Thank you so much for coming on.

And, and, and if you're ever interested in some, like, I don't know, I wear two watches, don't laugh. I have two fitness watches because I correlate the data between my pacemaker and the two devices to see which one's more accurate. Um, I do forensics on myself. We went to Bletchley Park and Sarah
Edwards, right, and that chased me around with her Apple Watch on so that she could, you know, gather my weird heartbeats and do the EKGs. So that's what forensicators do: we drag dead bodies or chase people around Bletchley Park. That's how we keep fit. Exactly. Thank you for having me on the show. I really love being here. I always like talking to you. Um, you're as nerdy and weird as I am, and that I say that in the most loving way possible.

Oh yeah, it's the best compliment I could hope for. Thank you so much, V, or Veronica Schmitt for those that want to be a bit more formal. Please follow her on Twitter. Um, so let's do the wave goodbye and then I will do some outro announcements. Thank you, V.

Thank you, Tanya. Bye-bye.

And with that, that ends an absolutely outstandingly amazing episode of the We Hack Purple podcast. I am personally so ridiculously curious about DFIR, and I've only ever seen the app side and the database side of things, and Veronica gets to see all of it. And also her research in regard to, like, medical devices and how to make sure they're safe, like, she just does so much more than she even mentioned. There's just, an hour's not enough to learn everything about V. Um, so thank you so much to her being on the show. Thank you to ThreadFix again, I am so happy to have you as our sponsor and as a friend of We Hack Purple. Next week we have, well, we have a lot of surprises for you on the podcast coming up, so we are planning so many amazing things. And I know that I'm probably supposed to have all of this, like, live and up on the screen, but we have a whole bunch of other guests coming on, they're going to be amazing. I want to thank everyone that tuned in live, thank you so much. If you missed us live, you can always listen to us later. But if you are, for instance, watching this later somewhere, you know, on a computer, chilling out, or you're listening to this audio, you can tune in every Thursday from 6 p.m. to 7 p.m.-ish Pacific Standard Time at youtube.com We Hack Purple. Also every fourth Saturday,
so starting the previous Saturday, I'm doing streams of my book. So I wrote a book called Alice and Bob Learn Application Security, and if you go to aliceandboblearn.com you will be able to sign up for reminders. And we are discussing each different chapter, and I'm having a whole bunch of amazing guests on, and that is free. Um, We Hack Purple plans to be releasing a bunch of new courses this year, including secure coding and DevSecOps. I'm super excited. I'm Tanya Janca, I'm your host, and thank you for hacking purple. [Music]