Posts

About Burnout in Cybersecurity

Earlier this year, Johan Berggren and I presented at Black Hat EU on the topic of responder burnout. I had a wonderful time presenting and there is a recording of our talk available, but for those who prefer to consume things like this in writing, I wanted to follow it up with this blog post. Neither Johan nor I are psychologists or trained in therapy, so please don’t take this as clinical advice. Our observations about burnout and its causes come from long careers in response and an enduring, intense focus on the issue within our own teams. Additionally, Johan draws on many conversations with his wife (an emergency response (ER) Nurse) and I draw on my almost 30-year history as a volunteer Fire & Rescue responder. In the Cyber Security industry, if you pay attention to the social spaces you will find many references to happy dumpster fires and the “this is fine” dog. People often talk of dropping out of tech to start farming, or of living in the wilderness. These memes and the n

Operational Professionalizing vs Proceduralizing

As a Security Operations team grows and matures, repeatable outcomes and standards become increasingly important over time. It’s natural that many kinds of work which were once ad-hoc begin to need defined procedures. Perhaps the company becomes covered by a regulation which requires these specific procedures to exist, or perhaps management has aligned itself to a framework which recommends them. Whatever the reason, as a result, the team begins writing playbooks and processes, and holding themselves to account for following those. But what happens when this effort goes too far past professionalizing the team and becomes proceduralizing? As a long-time volunteer Fire & Rescue responder I have been in close contact with professional responders for decades. Years ago I heard from peers about a pilot experiment to improve patient outcomes for Emergency Medical responses. Each medic was given an iPad with patient-tracking software on it. The idea was that, on scene and en-route to the h

Searching SQLite databases using GRR and osquery

Introduction: There are billions of billions of SQLite instances in the world (ref: https://www.sqlite.org/mostdeployed.html ), and many examples can be found on virtually every active phone, laptop or workstation. In this blog post we will discuss a method by which investigators can perform a search of SQLite database files using GRR Rapid Response (GRR), osquery and dfTimewolf. We assume the reader has an understanding of these tools. What is GRR? GRR is an incident response framework focused on remote live digital forensic analysis. GRR was built to run at scale so that analysts are capable of effectively collecting and processing data from large numbers of machines concurrently. It achieves this through flows (asynchronous calls to execute client code and retrieve results from a single machine) and hunts (flows scheduled to run on many machines). What is Osquery? Osquery is an open source tool that exposes an operating system as a query-able interface like SQL for a relational d