TLP - The Digital Forensics Podcast
Get involved in the exciting world of Digital Forensics and Incident Response with: Traffic Light Protocol. The Digital Forensics Podcast.
In each episode, we sit down with seasoned DFIR professionals, the blueteamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they've ever tackled, how they deal with burnout and the added pressure of cat and mouse while they learn about new attack chains.
Episode 12 - You're forced to decide: Cyber Generalist or Cyber Specialist?
Quotes:
- “In the fast-paced world of DFIR, you are a mission critical system. Your job isn’t just to uncover what happened during an incident, but to do so in a way that gets results fast.”
- “Specialists bring expertise that pushes the entire industry forward, while generalists offer versatility and adaptability in the ever-changing landscape of cybersecurity.”
- “The choice between specializing and generalizing doesn’t always need to be a conscious decision. Often, you just fall into one or the other depending on the work you do day to day.”
Resources Mentioned:
- LinkedIn - Follow TLP Podcast: Follow us on LinkedIn, and share your thoughts on this episode. Follow TLP Podcast on LinkedIn
- B-Sides Brisbane Presentation by Ben Gittins: A shout-out was given to Ben Gittins for his presentation on the topic of generalists vs. specialists at B-Sides Brisbane. More about B-Sides Brisbane
- Volatility - Memory Forensics Tool: Developed by Andrew Case, Volatility is highlighted as an essential tool for memory forensics. Download Volatility
Action Points:
- Reflect on Your Career Path: Consider whether you are currently on the path of specialization or generalization in DFIR. Reflect on how this aligns with your career goals and the needs of your organization.
- Engage with the Community: The host invites listeners to share their thoughts on the specialist vs. generalist debate on LinkedIn. Join the discussion to see how others in the field are navigating their careers.
- Stay Updated: Follow the TLP podcast on LinkedIn for more discussions and updates on digital forensics and incident response topics.
(0:00 - 3:42)
Welcome to another episode of Traffic Light Protocol, where we dive deep into the world of digital forensics and incident response. If you're constantly sifting through what feels like a metric ton of logs, battling the latest vulnerability disclosures on a Friday afternoon, working with limited resources and learning forensics on the fly with complex investigations, this episode is for you. Today we're going to tackle a critical question that can shape your career in this field.
Is it better to be a specialist or a generalist as a forensic analyst? Whether you're on the path to becoming a LinkedIn top voice, looking to get better at investigations and outsmart attackers, if you understand where you stand on this platform, it can make all the difference. So let's break it down together. In the fast-paced world of DFIR, you are a mission critical system, and your job isn't just to uncover what happened during an incident, but it's to do so in a way that gets results fast, so you can stop future attacks, and then work out how they got in, what they accessed, what was stolen, and the big one, are they still there? And so from the rapid identification of IOCs, or indicators of compromise, to dealing with phishing and ransomware, your role is a combination of needing speed and precision.
There's no guesswork. So you've got to be quick in responding to the incident, because the longer time that the attacker has in the environment gives them more opportunity to achieve their action on objectives, and with precision we need to know exactly what we're doing, what tools we need to use, the artifacts that we need to get, how to analyze them, and we can't guess anything, because if we make assumptions, one, the reports are going to be wrong, and two, we misjudge the entire incident, and that can lead to an inability to actually respond to the incident in an effective way. So if I talk about assuming that the most recent password data breach isn't affecting our users, or if we get threat intelligence that says that our users might be affected, if we don't take the opportunity to ensure that those users have MFA enabled, but here's the thing.
No two days are going to be alike, and one day you might be investigating a company-wide phishing attack and responding to users, and next you're responding to an insider threat, and as you develop your career and you want to skill up in that career, this key question will keep recurring. Should you focus your energy on mastering one specific area, or is it going to be more valuable to maintain a broad skill set across different disciplines? And a few months ago Ben Gittins presented at B-Sides Brisbane in Australia exactly about this topic, and I just want to give a shout out to Ben as he provided the inspiration for this episode. Specialists are the go-to experts in their field, as we know, and they've dedicated years to mastering a specific domain of their craft.
Is it network forensics, memory analysis, mobile device forensics, Windows forensics, Linux forensics, etc. So by following red teamers, blue teamers, and security researchers, we know that there's always new techniques for different attacks. It's cat and mouse, and they've got some serious momentum behind them.
(3:43 - 5:01)
As we're catching up, new attack paths are being created, and the researchers both on the red and the blue team are the people who create these tools, and they create those methodologies that we're all using. And to be good at this, most of the people who are creating these methodologies or tools are known for specialisation. It takes a long time to get the skills to perform this groundbreaking research, and also to discover better ways of doing forensics and incident response to then reverse engineer the software to identify vulnerabilities, if you're a red teamer.
But I don't want to exclude the generalists, which is where a lot of people sit, myself included, and we bring something equally valuable to the table, which is versatility. So as generalists, we are the ones who can jump from task to task. We can adapt to whatever comes our way.
And in a field as fast paced as ours, cybersecurity, when new problems are landing in our inbox all the time, we've got to get comfortable context switching from one task to another. We're like those multi-tools that have about 40 different functions. You've got a bottle opener, a set of pliers, a box cutter, a saw, everything.
(5:02 - 5:17)
We're like those multi-tools of the forensic world. We're able to handle everything from live incident response all the way through to report writing. But which one is best? Generalisation or specialisation? That's what we're going to explore today.
(5:18 - 6:19)
Let's look at some specialists who've made a significant impact in the field. Take Cindy Murphy, for example. Cindy's an instructor for SANS.
She's just co-founded a company called Gillware Digital Forensics and is lead examiner in mobile device forensics. And what makes Cindy special is that she's developed some groundbreaking methods for extracting and analysing data from smartphones. As time has gone on, that has become even more complex as mobile phone manufacturers are constantly upping their game.
Apple is notoriously good at creating excellent security for their phones. It's been widely publicised that even the FBI have had to go to Apple and request that Apple provide a backdoor or some method of getting access to devices from suspects' phones. And Apple have decided to not provide that and the FBI has needed to rely upon using other providers like Cellebrite to get access to suspects' phones.
(6:19 - 10:22)
So Cindy's specialisation has really made her a standout in the industry, but it's pushed the entire industry forward. And she's been teaching digital forensics for over 20 years and she's seen it all. Another specialist is Andrew Case.
And if that name sounds familiar, it's probably because he's one of the core developers for Volatility, the memory forensics tool. Volatility, if you've not used it, it's a brilliant tool. It's one of my favourites for memory forensics.
And the learning curve isn't too steep either, which is one of the best things about it. You can just get in with a memory dump and get processing relatively quickly. So if you're not doing memory captures, if you're not taking memory captures in your forensic investigations, you are slowing yourself down and you're leaving evidence on the table.
I say you're slowing yourself down because there's so much extra information that can be grabbed from the live memory on the system that can just help you investigate an incident so much more quickly. I've worked on a few jobs where a memory capture has been instrumental in figuring out the root cause of how they got in. There was one time where there was a public-facing domain controller, it was a long time ago when crypto mining was kind of in its infancy.
The system also had a lot of personal information on it. And what had happened is someone had compromised a web server, which was actually an Oracle web server. And then they leveraged that vulnerability to deploy a web shell by extension, deploy some crypto mining software.
It was pretty funny at the time because they didn't know, as in the attacker didn't know exactly what was available to them on that system. This was a gold mine of PII, had so much on there in addition to what they could have done with compromising account credentials and dumping the contents of the ntds.dit to compromise the entire domain. But all this attacker cared about was crypto mining.
And it was so bleedingly obvious that it was detected really quickly. And we got in there and did forensics and got out. But the way that I discovered how they compromised Oracle and dropped a web shell and then used a download cradle through PowerShell to pull down additional code and run it from GitHub was because of memory forensics.
They didn't have sysmon enabled, so that was going to be a bust. That's how we got it. But you don't need to specialize to do great work.
So let's talk about some generalists who have thrived in the space, the forensic space as well. Have you heard of Rob T. Lee? He's known as the godfather of IR, of incident response. So not to be confused with Rob M. Lee from Dragos.
But Rob T. Lee, I'll just refer to him as Rob Lee, he's built his career on his broad knowledge base, which is spent on everything from incident response to forensic tool development. He started out his career in the Air Force. He has some amazing stories back then of what they were doing when they had an adversary on the network to slow down and disrupt the adversary.
I think they were also intercepting the exfil package and they were just corrupting a couple of bits. So the attacker would spend a day or a couple of days trying to exfil this data low and slow and they'd get it and it'd be corrupted because they just changed a few bits. So there was also some beyond the scope of today, but there was also some really cool techniques that they were doing.
They detected the adversary, they knew they had a problem, and instead of seeking to boot them out immediately, all they did was just mess with them a little bit, observe their TTPs, grab those tactics, techniques and procedures, roll that into their future playbooks as well. And I thought that was pretty cool. We've also got Harlan Carvey, who's another example of a successful generalist.
(10:23 - 16:04)
And Harlan's a successful published author in Windows Forensics. But during his career, he's worked in threat intelligence, security research and threat hunting too. And Harlan's generalist approach has allowed him to move between different roles and different organizations over a career spanning almost 30 years.
So if you're dealing with a constant stream of new incidents and you have a need for quick and effective responses, which we all do, we all answer to someone, being a generalist might just give you the edge that you need. But why specialize? Well, it's one word, expertise. So as a specialist, you'll become known in your cyber community, in your organization, as a subject matter expert.
So this makes you the go-to person within your organization, and also the cyber community, as you become known as an SME. So using this knowledge, you're then able to train people in your organization, which is great because that can expand the team. So in times of major incidents, you've got a broader team who can assist in doing digital forensics, doing incident response, which is great because we want to uplift everyone as we go.
It's also a bit of succession planning. And over time, you're also able to contribute specialized knowledge to the cyber community, which is a huge part of just what we do. But like everything, there's a flip side to this.
So being a specialist can lead to a bit of a narrow focus. And that kind of makes it a little challenging to adapt when the job market or the technology shifts. So the good thing is that you will see this coming.
And it's like when AWS started to take off as a cloud provider. It doesn't happen over the course of a year. So many organizations are at different stages of their cloud adoption strategy in this particular example.
And the same happens with cyber. You can see the change happening. And it's like watching a battleship move.
It takes time. You'll see the change happening. And that will give you a chance to pivot.
So there's an old software developer that I know, who used to be exclusively focused on developing Lotus Notes. So Lotus Notes was an email client created by IBM, revolutionary at the time, competitive to Microsoft Outlook, had a lot of features that were just different to how Outlook operates. And this particular developer saw the change coming, saw that Lotus Notes was falling out of favor.
And he ended up pivoting into Salesforce software development as he saw the change coming down the river. Now, let's consider the benefits of generalization. As a generalist, your broad skill set will enable you to say, yep, I can do that when you're asked.
And if you don't know how to do something, well, you're more likely to take the task on anyway. And well, it makes you more interesting at conferences. So instead of just saying, I don't know anything about that, when someone talks of something that you haven't heard about before, you'll actually be able to engage in conversation.
And yeah, that actually happened to me once at a conference. And they said, yeah, I don't know anything about that. And then that was kind of where the conversation stopped.
So couldn't wait to get out of there. Anyway, when a new type of incident comes in, something that you haven't experienced before, you're not going to be caught off guard by being a generalist. You will know, and you'll expect that you're going to need to get up to speed by researching, talking to colleagues, going through your books, training manuals to figure out the answer.
So if you're managing multiple incidents, or if you're working in a team that's small, generalization could be your only option. You might not have the luxury of becoming a specialist at this time. So you'll wear a few hats.
And that's not being a black hat or a white hat. It's technical hats. So that makes you more adaptable and you'll learn heaps along the way.
Where does this leave us though? You've got two paths, specialists, generalists. Both paths have their unique advantages. And the choice between specializing and generalizing doesn't always need to be a conscious decision.
A lot of the time, you just fall into one or the other, depending on the type of work that you're getting, the type of incidents that are coming in day to day. And over a period of time, you might choose to spend a little bit of your time specializing on a particular application or a particular type of incident, and you become known as the SME. And that's a great time to be documenting your findings, be documenting those processes, build it into a system so that that can be shared with the rest of the team.
But the best way to do it is to be intentional and consider what aligns best with your career goals. Do you want to be known as a subject matter expert, an SME, or do you enjoy the variety and getting access to all the tools and solving all the issues on the fly? At the end of the day, there's no right or wrong decision. Just know that both specialists and generalists make up the cyber security industry.
You get to choose. So it's about finding the right balance that suits your skills now and your future skills that you intend on getting trained up on and the needs of your organization that you work for at the moment. I want to thank you for joining us on this episode of Traffic Light Protocol.
(16:05 - 16:26)
We'd love to hear your thoughts. Are you more of a specialist or more of a generalist? And how has that shaped your approach to incident response and digital forensics? Let's keep the conversation going. Let's take it to LinkedIn, follow TLP, the digital forensics podcast on LinkedIn, and feel free to comment.
I'll see you next week. Thanks for listening. Take care.