A 30 year infosec veteran, prolific when it comes to the field of Digital Forensics and Incident Response (DFIR), Harlan Carvey recently joined the Digital Guardian team as a Sr Threat Hunter. We took a moment to sit down with Harlan to discuss how he got into security, what drew him to Digital Guardian, how he approaches DFIR, what he sees as some of the biggest challenges facing infosec today, and so on.

How did you get into security?

I got started in security, in general, in 1989 during my initial military training following my commissioning.  From there, I attended the Basic Communication Officer Course for specialty training, and became more directly engaged in communications security, encryption, etc. During my graduate studies in the mid-‘90s, I was attending the Naval Postgraduate School, which isn’t far from Silicon Valley, and became very interested in computer security.  This was largely due to the fact that whenever I had a question about something related to information security, I couldn’t get an answer. At one point, I asked the senior system administrator for the department about the security issue related to the “finger” program on *nix systems; she smiled and walked away without answering. That just made me want to learn more.

When I left the military, I gravitated toward work related to information security. In fact, one of my first jobs involved performing security assessments by “war dialing," sort of like port scanning for computer modems. I found that so interesting, on a number of different levels, that I kept with it, and here I am today!

What drew you to Digital Guardian?

What drew me to DG was the fact that the analysts performing incident response have access to both EDR telemetry and forensic “triage” data and that incident response is not a separate, disparate business unit based on a utilization model. Both of these aspects are significant in my mind and something I’ve been looking for in the industry for the past four or five years.  Digital Guardian is the first organization I’ve seen in my 22+ years in the industry that has access to the data, combined with seamlessness of service, and value to the customer.

Broad question - there are many different ways - but how do you approach threat hunting?

Threat hunting is about finding a thread to pull, and unraveling the data to build the story. As such, threat hunting can be about digging deeper into some of the alerts or alarms we see, and it can also be about looking for something not encapsulated by a current rule. For example, I spend time every week not just digging deeply into publicly available threat information but also applying that to the data to which we have access. There may be something very recently published that we can then leverage, apply against our data pool, and see if this activity, or something similar, has occurred with a customer’s environment.

A great place to find threads to pull is recent investigations. During a recent investigation by our team, there were a number of interesting artifacts within the forensic data that lined up nicely with EDR metadata, providing something of a cause-and-effect relationship (i.e., the actor takes this action, the system logs this event…). This allows to not only see the actors' tactics, techniques and procedures (TTPs) but it lets us see them with a level of granularity and context that we can then use that information to inform future hunts.

Can you explain the difference between threat intelligence and DFIR and how they complement one another?

Threat intelligence can/should be a product of DFIR work. Some of the best threat intelligence comes from actual incidents. These two complement each other because they’re cyclical in nature, feeding and informing the other in an iterative fashion.

What would you say is the most overlooked aspect of incident response?

Developing and documenting threat intelligence from the IR data and findings.

In most cases, incident response teams are built on a utilization business model, and the development of threat intelligence from IR engagements is usually isolated to the individual analyst or responder. The utilization business model obviates the ability of the IR team to learn and grow by combining their experiences.

Ransomware just doesn't seem to be going away. What trends have you observed of late?

If what we’re seeing in the media is to be believed, the ransomware trend is getting worse, and is going to continue to rise.

One of the trends observed of late via the media is the role insurance providers play not just in cybersecurity in general but specifically with respect to ransomware cases.  What I’ve read in the media seems to indicate that even if an organization hit by ransomware has backups available, they are still ‘encouraged’ to pay the ransom or to work with a broker to pay some level of ransom in order to expedite recovery and continue business operations sooner. Often it seems that the time required to restore from backups is thought to be much greater than recovering using a key to decrypt files, and insurance providers do not want to address additional claims based on downtime. I’m sure, though, that this was an unintended consequence.

Your book Investigating Windows Systems has been named by many in the industry as a must read infosec book. What books on the subject would you recommend?

All of the books I’ve written, including “Investigating Windows Systems”, were written because I could not find the types of books I wanted to read, or recommend to others. Each of the individual sections or “stories” in IWS are modeled loosely on one of my favorite books, “The Cuckoo’s Egg”, by Clifford Stoll. Some of the things I really liked about that book, things that inspired me, included Clifford’s tenacity, imagination, and grasp of what the data was telling him. I think that this really serves as an excellent model for modern day responders.

Have you observed any particularly clever forms of data exfiltration of late?

What struck me about the question was “observed”; with post-mortem analysis, and in many cases where the responder has access to EDR data, data exfiltration is, at best, assumed.

One of the things I like about the Digital Guardian agent is that it can track data movement, like when an actor drags an archive of files into Outlook, attaches it to an email, and clicks the ‘send’ button. All of these are different events tracked by the DG agent. There more than a few EDR tools that I’ve worked with that won’t “see” this, and as such, data exfiltration… something that is very important to the customer because it helps them determine risk… is left to speculation and assumption. The DG agent gives you definitive information.

The fact that I can go into a folder on my desktop, create a compressed archive from a bunch of files, drag that archive into an email, send it to my manager, and have ALL of those actions “observed” by the DG agent is HUGE! Not only does this help investigate insider threat incidents, but it also allows an analyst to ‘see’ then an advanced threat actor exfiltrates data, as well.

What do you think is the biggest challenge facing the infosec community today?

Keeping up.  A lot of what I’ve learned over the years, as an incident responder, has naturally been the result of the response work I’ve done.  As such, I learn something new after an actor has used it. Most recently, I learned a couple of things that were very interesting. One is what artifacts “look like” on a system when an actor sends a message to the user via the computer’s speakers, such as when a ransom note is displayed and read to the user. Something else I learned is that while some popular security applications may implement tamper resistance through the use of an installation password, that application may also have a hardcoded means for removing the application if you forgot that password.

As a responder, I never know what’s next around the corner. I can think deeply about my most recent incident, and I can perform independent research, but I’m very likely going to see something soon that I’ve never seen before. The best way for analysts to keep up is to actively engage with each other; you can learn much more through the experiences of others than you can through just your own personal experiences.

We're nearing the end of another decade - do you have a favorite information security story from the last 10 years?

Working in this field just naturally leads to stories, and when I’ve met with fellow responders and analysts and started sharing stories, a lot of the humor from the events comes out.  As such, I’ve thought for some time now that a DFIR conference would do very well to have one evening that included an “open mic” comedy night. Provide snacks and refreshments, a room, and a mic. I honestly believe that once something like that gets started, it will run into the wee hours of the morning!