Defender Spotlight Aaron Shelmire

The next incident was at a stock exchange. Back then, we didn’t have the capability to image disks remotely and save the image to the Cloud. We were analyzing log files, identifying compromised hosts, imaging those, and then identifying more hosts to image. We’d have to go buy physical hard drives. We were imaging so many disks, we had to take taxi tides all around New York City to stores like Best Buy, photography stores, etc. to buy hard drives!

An external group came to help, and they were able to remotely monitor and investigate endpoints with a tool. That helped inspire a tool called Host Indicator Grep. It became the endpoint agent we used at Dell SecureWorks.

There was also an incident where we had an actor taunt us. Host Indicator Grep evolved and became Red Cloak. A customer engaged us for an active breach, and we deployed our Red Cloak agent. The agent worked as designed, frustrating the actor. At one point, the attacker emailed the customer/victim saying “The Red Clothed ones can’t help you”. Spelling mistakes aside, this is when we knew we were causing them pain!

One last incident: We had a long-term APT engagement that had a slow, methodical tempo. Another IR firm had the lead here and used an approach called “Rolling Eviction” – every week the customer would reimage and reset the credentials that the adversary had compromised. The adversary caught on, so every Wednesday the adversary would create new implants and access methods. We came in to say “Stop. We need to understand the full scope of the intrusion, and kick out the attacker completely in one fell swoop”.

I really enjoy the high pressure, and high tempo of incidents. It really helps narrow my focus.  I have most enjoyed the kind of hand-to-hand combat with a live adversary, working to prevent them from stealing Intellectual Property. A lot of the above stories were a bit longer term and APT focused. Ransomware really changed the game again. You can’t be slow to respond, taking the time to understand the full scope of the incident. The adversary’s breakout time is extremely fast. You need to kick the attacker out now.

That leads to a key lesson I’ve learned – which is that so long as you stay engaged with the adversary, you will learn how to best defend.

Interviewer: You straddle Incident Response and Cyber Intelligence. This is pretty unique. Why?

Aaron: When I was first introduced to Cyber Intelligence, it was being performed by former Three-Letter-Acronym intelligence analysts using classic intelligence techniques. The outcome was predictably more strategic (policy and business strategy influencing) in nature and very few organizations could benefit from. Cyber Intelligence was divorced from applied computer security, not producing tangible benefits to improve the organization’s network security posture or reducing the attack surface.

Having mostly worked in small groups where everyone had to wear different hats, I had to take into consideration how to detect and respond to the adversaries, forcing us to apply threat intelligence in a tactical, hands-on manner. Without this, we wouldn’t have built effective defensive tools. The Incident Response and detection tooling work was necessary for me to understand what is effective from Threat Intelligence work.

Interviewer: Many Incident Responders I talk to have a love/hate relationship with Cyber Threat Intelligence. What are your thoughts?

Aaron: In an effective organization, I think of there being three main teams in charge of combating the org’s adversaries: Incident Response, Cyber Threat Intelligence and Integration Developers. Integration Developers are in charge of getting telemetry from other systems. Healthy tension should exist between the groups. That healthy competition helps each group be better. Threat Researchers and IR are customers of the Integration Developers. IR is a customer of the CTI because they need to know if they’re getting enough information to detect the activity. CTI is a customer of IR because CTI needs to know how the adversary is working on-the-ground, and can’t rely solely on 3rd party reporting.

Interviewer: What is your experience with the maturation of cybersecurity in the Cloud?

Aaron: I see two buckets of folks: 

• Orgs that have had a recent intrusion beyond the endpoint, specifically in their Cloud/SaaS environment(s)
• Orgs that haven’t experienced a breach in their Cloud environment(s)

Orgs that have experienced a breach in their Cloud posture know the data/log sources they need, but still need help with best practices as they don’t know what specific criteria to build in those cloud systems. For example, the organization will have cloud trail logging enabled, but often it’s enabled in each AWS account and is separate from each other AWS account. Or they’ve missed enabling it in a single account. The accounts without visibility and/or governance are the accounts that get popped.

Orgs that haven’t experienced a breach in their Cloud environments often wonder what data/log sources they need to enable in their Cloud. We often start by introducing them to CloudTrail, GuardDuty, and Gold EC2 images.

Interviewer: What advice would you offer to other incident responders and CTI analysts based on your experience?

Aaron: There is always more to learn. Stay curious and learn to learn.

Interviewer: Are there any specific tools, resources, or training programs that you found particularly valuable?

Aaron: I’m a book person. My favorite two books to recommend are: Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michal Zalewski, The Art of Doing Science and Engineering: Learning to Learn by Richard W. Hamming. 

The Art of Science and Engineering is a book that’s 30 years old and discusses AI topics that are relevant today! It also explores how to stay curious and how to Learn to Learn.

If you’re lucky enough to afford training, the two biggest recommendations are:

• Malware and Memory Forensics Training by the Volatility Team: Andrew Case, Jamie Levy, and Michael Ligh
• SANS 508: Advanced Incident Response, Threat Hunting, and Digital Forensics

Interviewer: What would you like to see infosec vendors do?

Aaron: Stay engaged with their customers. Make sure that they’re continuing to work with their customers to be effective and help combat the adversaries. I’m currently going through our SOC2. It has minimal value to the organization. In my opinion, it doesn’t address two of the biggest impact activities: reducing your attack surface, and ensuring you have telemetry where you can’t remove the attack surface.