An Investigative Career Where the Human Element is Key
On Tuesday, January 11, 2022, we sat down with Sean Cordes, our Associate Director of Digital Forensics & Incident Response. Sean’s active involvement in cyber threat intelligence and the dark web enables him to be a trusted advisor on the activity and behavior of a wide variety of threat actors globally. We wanted to learn more about him and where he sees the cyber security industry going in 2022.
What is your role at BreachQuest?
I am the Associate Director of Digital Forensics & Incident Response at BreachQuest, responsible for handling cyber security incidents, from the first notice that something has gone wrong to the reporting and recommendations, right through to implementing those recommendations.
How did you first get involved in Data Forensics?
I think I have always enjoyed problem-solving and investigative efforts. My Dad and both of his brothers were detectives and cops in the NYPD, so the investigative streak is just something I have grown up with. My entire career has been in the investigative space: fraud investigations, litigation, spending time overseas doing offshore fraud investigation work. In the last few years I have moved into doing IR (incident response) full-time and running IR teams.
What I always felt was the most interesting was the human element. Whether it was with the clients, who were often having the worst day or experience of their professional lives, or negotiating with a ransomware actor halfway across the world, it is a human on both sides of the equation. I keep that in mind: the humans who are the victims and the humans who are criminals that perpetrated this.
What type of industries have you handled cases for?
I have been involved in cases with organizations of all shapes and sizes: trucking companies, hospitals, medical offices, manufacturers, schools, universities, housebuilders, software developers (that one really surprised me). I would be hard-pressed to find an industry that I haven’t handled a case for. It is pervasive. No one is safe. Statistics say that specific industries report it more, but I don’t think anyone is immune to these attacks. It has been so interesting because I have been able to work with people from all different walks of life, different company sizes, and different maturity levels in regard to security tech. I enjoy bridging that gap, talking “techy” details with the technical people but then turning that into English for people who are not as technical.
As a ransomware specialist, what was your most unique case?
It’s hard because every case has its idiosyncrasies. I had a case where two ransomware groups attacked the same company on the same day, unbeknownst to each other. One was a major player in the space, and the other was relatively small. We went through negotiating with the bigger player. We had an inkling that there were two different types of encryption, but we were not certain. So we went through negotiation, and in this case, paid a ransom, got a decryption tool, and it only worked on certain files.
So, we went back to them. The major player was really upset because there are certain boundaries and guidelines in the ransomware world. We told them what we knew, and they went to this other group and got the encryption key from the other group. That was interesting because it gave a glimpse into the inner workings and organizational structure of the ransomware world.
What has been the most significant change in the industry when you think back over your career?
Working smarter instead of harder. It used to be that we had to get images for everything. The thought was that we needed to get full disk images of every computer. We would go on-site and collect data from 150 workstations; 140 of them had nothing to do with the investigation, but it was data, and we didn’t want to leave anything behind. We didn’t want to “go back to the well”: that was the big phrase at the time. But with the industry’s steady growth, that approach has pretty much become impossible.
Now we focus on targeted approaches to collection and analysis: more intelligent, more considerate with what we are collecting and what we have to analyze. We try to cut through the noise quickly. We have developed approaches with a bit of intelligence, trying to be more considerate in the early stages and scope things more accurately, to find where the most important information will lie instead of pulling everything and trying to find a needle in a haystack.
How do you see ransomware changing looking ahead to 2022?
No predictions. I don’t see any surprises. We will continue to see more and bigger ransomware attacks. We have seen groups recently doing more on the exfiltration side without actually encrypting anything. They come in quietly, stealing data and sending ransom notes via email or leaving a note behind. Maybe we will see more of that. I don’t think that has the same impact as encryption and ransomware. So I think that will be a niche for some of these players. It’s unclear why they are doing it because they are not getting the same visceral reaction as someone who comes into work on Monday having all their computers encrypted, putting the business out of commission.
Ransomware is continuing to thrive. Not much has changed even after major incidents and government action. I think the prediction is business as usual.
What about in Incident Response? Do you see any changes?
Incident Response will continue to evolve. We will always be one step behind the attacker. It is the nature of the business. It is reactive. We will see continued efforts to work smarter. There is a lot of ongoing work on tools and methods that will continue to automate processes and bring added value.
What I would like to see is more organizations focusing on the fundamentals of security: asset management, user education, patching, offline backups, multi-factor authentication, and developing incident response plans. A lot of organizations do not have a plan for when everything goes wrong. The fundamentals go a long way in starting to build better practices around security and building layers of defense.