January 4th, 2022
DFIR Expert Interview: Mike Behrmann
Christopher Luft
Introduce yourself. Tell us what you do and what your company does.
My name is Mike Behrmann. I am the Director of Digital Forensics and Incident Response at Antigen Security. We are a DFIR-led consulting firm that specializes in incident response, recovery engineering, managed detection & response (MDR) and training. My job there is to oversee the DFIR practice itself: the people, the processes, the tooling, the cases and the customers. I'm an incident commander one minute, diving in like an analyst the next and even doing some business development. My role runs the gamut from technical to non-technical.
I was looking at your LinkedIn and you definitely have an interesting history. Can you tell me what your initial vision for your career was and how you ended up in cybersecurity?
I have always been very passionate about learning world history and so I went to college with the intention of studying that. Along the way I stumbled into international relations, which is sort of political science, international relations theory and how it all fits together. When people would ask me what I wanted to do with my career, they asked me if I wanted to be either a teacher or a lawyer, although neither of those things had occurred to me based on my degree. So, hearing the advice that was built into that question, I started looking into the intelligence community and military affairs. I went on to get an advanced degree in international affairs, but while I was in graduate school at the University of Pittsburgh I got involved with an intelligence fusion center led by the FBI, along with some other state-level law enforcement and academic connections, all around cybersecurity.
This is circa 2000 or so. I came into it thinking I was going to be an intelligence analyst for the CIA or something like that, right? But what happened is I found I had an aptitude for the technology as well as for the intelligence analysis itself. It was through that that I became completely enamored with cyber warfare and started writing about it in my coursework. I started writing about it for the NCFTA. I was aspiring to be an expert on China, so East Asian history became my main interest in college and graduate school, with Chinese security studies being my focus.
At some point you started working for the NSA, can you talk about that at all?
I applied to the NSA and got hired in 2008. At that point in my career I was thrilled to be thrown into the deep end of the pool. I showed a penchant for cybersecurity and intelligence analysis and started to become a bit of a specialist for one particular country. I went to the offensive side of the house and got to learn from the best which was an amazing privilege. I got to serve as a CNE digital network exploitation analyst. I also got to travel overseas a bit and was ultimately deployed to the FBI Cyber Task Force in Detroit where I got my first professional experience in defensive security.
What was it like going from an offensive to defensive mindset?
The offensive experiences I had were incredibly informative, but over time I became enamored with the sheer difficulty of defensive security. I felt like all the strengths, all the ease, were on the offensive side, given that such powerful tooling was publicly available.
You would have been at the NSA when Stuxnet came out, right? Did that change your thinking about what cyberwarfare was or could be?
I am familiar with Stuxnet from the media but I can’t directly speak to anything about it.
What do you think the biggest challenges for people practicing DFIR are right now?
I wish I could point to some super technical subject and be like, "Why isn't everybody doing X?" I don't think our challenges are technical. I mean, there are plenty of obstacles, but we are constantly working through them as the technology moves forward. We go from on-premises technology to cloud technology to serverless technology. It is a race, but you know what sticks out to me is working with people. Making sure that the victims, particularly on the ransomware side, know how to handle a security incident. Many of them don't; even if they have help from an outside MSP, they really struggle. They don't have an internal organization. They don't have the asset inventory. They don't understand the incident response cycle itself, right? And so they come in and they're freaked out. Half the time they are hard down, especially if they are in a historically under-budgeted vertical or something like that. The operating systems may be functional, but all the files on there are encrypted so they can't access the data they need. So ultimately the challenge is to calm people down and advise them on what to do and how to make good decisions to overcome that crisis. Essentially, to have a level head yourself and be that calm person in the room. Being empathetic with the person you are working with. Those soft skills are probably what we need more than anything else as an industry.
Do you think it is a more holistic or specialized approach that we need? Do we need more specialists? Or do we need people to embrace cybersecurity practices in a broader way?
That is a good question. So, I am biased. I had this weird journey where I came in through liberal arts and pivoted directly into offensive security. Then I started exploring different aspects of defensive security, including security analysis, security engineering, incident response, digital forensics and so forth. I love being well-rounded. I find there is a natural tendency and natural gravity towards being a specialist in this industry. But man, as I get older, having generalized experience has been super beneficial. Just being able to call on different skills. I think hyper-specializing in any one thing can inadvertently become a detriment to someone's career.
I guess if the technology you specialize in becomes obsolete you might find yourself out of a job? Or is it something else?
As an incident commander right now, I need to be able to relate to security engineers. I need to be able to relate to incident response consultants. I need to be able to relate to security analysts that might be performing a SOC-like service. If I can’t speak the language I am not going to be effective. It is not on that client to know it all in an instant. It is my charge to know how to speak with fluency in all those events and I can because I have direct experience in several cybersecurity disciplines. I think having professional experience in multiple areas gives you an advantage.
What are your thoughts on the current cybersecurity vendor market?
I am going to have to step on my soapbox here. I have a lot to say about it. I think that the vendor market, while I recognize it’s well-meaning, tends to be oriented towards business goals. I think it tends to dupe the average consumer into what an actual product or service does. Individual security technologies are held up in super high esteem by this marketing jargon one minute and then this the next. You can’t help but notice there is a self-aggrandizing piece to all of that.
To say it is broken is kind of trite, but I feel like the average IT consumer who doesn't specialize in security is going to have a hell of a time filtering through all of the marketing junk to find the truth. Trying to find the technologies that work well, trying to find the technologies that even do what they say they are going to do. Like, how many technologies these past couple of weeks, on LinkedIn or Twitter, have claimed to be a solution for Log4j? So I think the cybersecurity marketing piece has really gotten carried away, but I think there are also plenty of good people involved that mean well. It is the practitioners who usually recognize how to deliver security value, rather than just hopes and dreams.
If you were going to write a book about cybersecurity, what would the title be?
I was joking about this on Twitter a couple of days ago. I would call it ‘Shitstorm Smokejumper’ and then the subheading would be ‘An Incredible Journey’ or something like that.
Any thoughts about the cybersecurity community in general?
I really do think that we as a community need to know how to not only handle technology, use it fluidly and deliver value, but also speak to executive management and be more inclusive as a culture. I think there is a lot we could do better, and I included that because it is top of mind. I wish we could all stand tall, as Andrew Thompson from Mandiant put it just this week. You know what I mean? Log4j is daunting. The pressure from the executives in the corporate sector is going to be huge. Everybody's trying to find out what their exposure is, which is completely understandable, but let's take a step back. Let's find confidence in our own experiences. Defense in depth is not a new concept. If you don't have that, you were already at an unacceptable risk long before Log4j ever showed up. We really need to handle emergencies in a level-headed way up front and resist the urge to buy into some hysteria. And I don't mean any of that in a judgmental way, but I want to put it on our corporate leaders to set the tone. That kind of calm at the top tends to trickle down. But when it is this frantic, all-hands-on-deck, fire-drill mode, there tend to be fewer successful outcomes. Not only is the enterprise not necessarily more secure, but you burn people out on a human level. We are grappling with burnout and mental health as an industry right now. I see it with my friends in the security operations world specifically, and I come from that, so I feel for them. I want better leadership out in that space. Software vulnerabilities are not a new thing. Let's make managing them more routine and not such an emergency.
Is there anything that keeps you up at night?
Right now? GDPR. It is daunting. There is a very steep learning curve for those that have not been exposed to it. It is hard to describe, but there are basically just a lot of regulations that come with it. The truth is that it is not just a European issue, because American companies, and companies all over the world, have assets in places like Europe where these rules apply, and so it is incumbent on almost all leaders to have some background on it. I feel like it is a second language. I have some exposure to compliance and things. I am sensitive to what's needed and how it can be used. How it can be helpful to further a security program, particularly from a budget standpoint, but man, GDPR and the importance of it to American interests is very, very real.
Do you have any advice for people early in their careers or that are considering going into cybersecurity?
Don't be afraid to make your own journey. You know what I mean? I have a pretty unconventional path into cybersecurity, but I feel I have been pretty successful on that journey as well. I have nothing but respect for the people that come up working that help desk role, and so on and so forth up the ladder. There are lots of different ways to come at it. We can't all come from the same background. There's huge value in having a diverse set of opinions on how to handle an issue, and I think cybersecurity as a whole is doing a good job at embracing that. Trying to better itself and be more inclusive and more effective in the process. So don't feel bad; take pride in wherever you come from. There are a lot of ways to get into cybersecurity and be successful.
The other thing I would add is that you don't have to go to college or something like that. I have worked for plenty of executives that don't have a college degree. Doesn't mean anything. Some of the best interactive operators I worked with at the NSA were military guys. You know, college didn't work out for them for one reason or another and they found themselves in the military, and there they absolutely blossomed into ultra-talented operators.
There is something really beautiful about how egalitarian we are as an industry in that regard. It doesn't matter where you come from. You don't need to have gone to Harvard to be really good at this job. It's more of a meritocracy than just about any other industry that I can think of. By virtue of being egalitarian, there are so many incredible resources out there. Self-study is an incredibly important but maybe underrated trait these days. If you get a $50 a month library subscription from Cybrary or buy some Humble Bundles, you can teach yourself as much as an undergraduate degree. It is nice to work in an industry that has few barriers to entry in that regard.
Any parting words?
I think it is really healthy to talk about all of these things and make people feel included. I love how self-aware we have gotten as an industry about mental health. Awareness about burnout and some of our tendencies, you know? Where we have a hard time relating to our end users sometimes, who are our customers, and trying to work on that bedside manner. The self-examination that comes with being a member of this industry is really special. It is one of the things that keeps me motivated in a way. There are so many good and incredible people that are calling out these issues. Being honest about these issues and helping so many people along the way. I am thinking of Infosystir, hacks4pancakes, mzbat and the list goes on. They are not just friends, or people I am associated with; they're actually helping to further our industry and bettering people in the process, and I think that is really powerful.