April 7th, 2022
DFIR Expert Interview: Simon Eklund
Christopher Luft
Can you introduce yourself and tell us what you do and what your company does?
I'm Simon Eklund and I work for Cparta Cyber Defense as the lead for DFIR. DFIR is quite self-explanatory, but the company itself is quite new. The focus for the company is Swedish infrastructure and IP (Intellectual Property), and it is quite an interesting company to work with since it's quite different from other start-ups or new companies. This is a long-term investment, so we're not constrained the way other new start-ups necessarily are, so we can focus on quality and on the most advanced adversaries.
And of course, we do normal MSSP stuff like red teaming, pen-testing, and managed detection and response, stuff like that.
I'm always interested in how people got into cybersecurity. It seems like nobody I've talked to started out wanting to do cybersecurity. So I'm just wondering how you decided that this was a field you wanted to spend your career in.
In Sweden, at least a few years back, there wasn't really a big space to work in cybersecurity. So it wasn't obvious to anyone starting out that cybersecurity was even a thing to work in. It was a couple of years into working in IT that I even discovered cybersecurity was something that you could work in.
I started working in IT, in support, beginning in on-site support stuff, and then I wanted more in troubleshooting and problem solving. So I went on to the service desk; first line, second line, then went to the IT operations and then IT security. From there on to information security as the acting chief cybersecurity officer from the cyber security side, but it became mostly just information security. After that, I went on to incident response and now I’m the lead for digital forensics and incident response.
That's a classic, ‘I started in the mailroom and worked my way up the ladder’ kind of path.
Yeah. But I do appreciate the different experiences that I have from other positions and once again, when I started in IT and then later on in cybersecurity, there wasn't really any immediate path from University or any other place to start off in cybersecurity directly. So everyone that worked in cyber security had other experiences as well. One thing that you do notice now is that when people come from either high school or university directly into cybersecurity, there is a lack of experience from other parts of what usually was some sort of IT; either operations, development or something like that if not penetration-testing.
All the little things you learn along the way.
The soft skills that you learn or the understanding of how IR actually works or the problems and the reasons for why people click on the weird stuff.
Interesting. So it sounds like cybersecurity is kind of emerging as a profession in Sweden. What are the biggest changes in the threat landscape you've seen there in the last five or ten years that's made this come more to the forefront?
Well, of course, the threat actors have become much more in your face, starting with the ransomware spring when WannaCry came, and the following epidemic of ransomware. That became a pivot point in how people view the threat landscape, especially those that weren't already aware of the threats. To some degree, most people know there are threats out there, but if you don't have a SOC or anything to allow you to detect something, sure, this, and the fact that most people don't even detect threats themselves. Statistically, most organizations are told they are compromised by an outside party. Even with that, a lot of organizations weren't really investing heavily in that area, especially on the operational side, like a SOC or digital forensics & incident response. But with ransomware or ransomware as a service, that has become much more in your face to the stakeholders of the organization, and thus there have been some shifts in the market in the last few years. My subjective interpretation is that after that big ransomware year, after WannaCry, things changed quite quickly.
But it changes more from the top. I mean first, you need to have the upper management aware of a problem, then they need to contextualize that somehow, and then it becomes something that the organization can shift towards.
What would you say is low-hanging fruit for enterprises that they could do to improve their security posture? Short of getting an MSSP or a SOC, what's the easiest thing they could do to get 20% or 50% more security?
A SOC or IR retainers for sure are good but you can't look away from the tactics used by most threat actors, and that's password reuse/insecure credentials along with exploiting known vulnerabilities if we don’t lose ourselves in the trenches of phishing. So multifactor authentication on any external login exposure and patch management. We’ve had IT departments and organizations for such a long time you figure that part shouldn't be as hard as it is, but it's still an issue. But to be fair, a lot of organizations that have IPs exposed on the Internet, don't even have an IT department.
So, a lot of small organizations or even bigger organizations for that matter, either by lack of inventory or lack of processes or procedures, they don’t patch, at least not in time.
What do you think the biggest challenges for people practicing DFIR are right now as a profession?
I can’t speak for everyone, but I think that a lot of challenges are IT-related and not necessarily only DFIR-related. I mean, if you leave the forensics aside and focus on the incident response, it's a lot of administrative parts. As an example, the interface with the IT department and the leadership of an organization. So with that said, it boils down to the problems the organization already had and they now need to expedite. Like if it's recovery or reinstallation of a lot of services, if you're not built or practiced in doing that, that can be really hard and take a long time. So even if you can contain an incident fast, it might be hard to rebuild and secure that place again for normal operations.
What are your thoughts on the current cybersecurity vendor market?
There are a lot of good tools. But the tool is only as good as its user and the hardest thing to get a proper hold on is those really good people. So in a lot of sense tools are good, but good people are even better than tools. Because they can solve problems on the fly. But to be fair and to give a proper comment on the vendors as well, I think that a lot of especially salespeople have ruined the trust for tools.
I got to say that was the most diplomatic answer to that question I've heard.
I didn’t want to be rude, but yeah.
Have you always had an understanding of how serious the implications of cyber warfare are or did you have like a holy s*** moment when you realized it was more than just, lulz or financial crime? I remember, I think it was when I read about Stuxnet and how advanced that was, how it was literally ripping machines apart and that really changed the way I thought about cybersecurity.
That's a really good story with Stuxnet. That's very interesting, but I think that to me WannaCry opened my eyes more on a scale level than the following Petya and NotPetya. Those were eye-openers to me in terms of impacts on a global sense. And then after that, I could see a lot of other organizations open their eyes to the impact and risk of cyber threats.
But I don’t think that anyone really understands the Global Cyberwar threat at the moment. It's still quite an untouched area in my opinion. Well sure, we know that one threat actor or one source of threat actors has a playground in a current war zone and prior to this war zone had that as a playground. But the actual analysis of how a country or a developed country or multiple developed countries can be affected in a global cyberwar with destructive impact, that’s sort of speculative. We've seen some things, but I think it can get much, much worse. And I assume that there are planned operations, procedures, and plans to do much worse in countries that haven't experienced it yet and it's extremely hard to foresee how that would impact the daily life of normal people, locally and also internationally given how it would affect the stock market and stuff like that. Too many variables.
Yeah. I think there are probably different governments sitting on different zero-days and have plans to, if they ever really need to turn it up, there'll be some stuff we've never seen before take place, I think.
Yeah, I mean, we've known that for multiple years there has been a global espionage war between countries or those countries that are capable of doing it, and to paraphrase the head of TAO of the NSA a couple of years back in the RSA conference, the statement to his leaders was that if someone said that we want to be in this organization and steal data from here, he wanted to respond, ‘We're already there, what do you want?’ So that gives some sort of insight to how larger organizations or intelligence organizations that do offensive work or their mantra is to the global world, or especially their enemies, or targeted countries of interest. So if you apply offensive or destructive operations to that in the military sense, it becomes… It escalates fast. I mean it's one thing to get in and just sit there and siphon information and another when you apply destructive impact on the systems.
If you're gonna write a book about cybersecurity, what would the title be?
I don't know about the title, the only picture that comes to mind for me is, maybe I can send you a picture of it because it's a meme. And if I quote it immediately, I think I’ll ruin the fun part of it.
I sent it. So some title that matches with that image. I think it's quite funny. And it's quite true as well because a lot of organizations get their wake-up call when they're compromised the first time.
We hear that so much from the different people we work with.
I mean if you haven't done it before, it becomes a panic mode, that's kind of normal.
Another person I spoke with said he saw one of the biggest parts of his job as a DFIR professional was just bringing that sense of calm. When you go into a place and everything's on fire, their production stopped and it's just being able to come in and bring that sense of calm. We have a process, there are steps to go through.
And having the experience to handle that sort of situation of course. To be fair, it's not strange if you haven't experienced an intrusion before especially if you haven't had some sort of detection mechanism to detect intrusions.
That's also often when it's quite gratifying to step in and help, as you oftentimes can sense a calm relative to the situation when panicked people can rely or put their trust on someone else.
Do you have any thoughts about the cybersecurity community in general? I don't know how active you are in that, but there's the Twittersphere and all that stuff. What do you think about what you see out there?
I think it's strange that the best social media to follow for news in the Infosec community is Twitter for some reason, that's kind of strange. But I mean, I haven't met everyone in the InfoSec community, but there are a lot of great people. There are a lot of toxic people as well, and I think that we have a responsibility not to scare away new people but to include people more and not gate-keep. And there are some people who are great to include, and some people and personas or profiles are not good to include as well or even scare away newcomers. But I follow both DFIR and OffSec. So my bag of the Infosec community is quite mixed in profiles that I follow.
Yeah, they tend to be a little bit different, don't they? Like, the kind of person attracted to each one? It's interesting.
Yeah and also there are some different mantras as well. If you, for example, follow the profiles in the OffSec community back to the old-school Defcon days. Those people are quite different from those coming out of university today.
Right. Somebody will have to break that down one day because I do see a generational thing, even over my career. The attitudes have changed and it’s much more inclusive than it was, which I think is great. When I was younger, it was much more of a club and you needed to have a secret password before they let you in kind of thing.
It's going in the right direction. Don't get me wrong, but there's still some toxicity left that we need to get rid of.
Are there any particular leaders or community members that you follow or look to as inspiration or mentors?
I think that Eric Zimmerman of course is a great example of creating tools to enable others to reproduce what he researches. That's a great skill set.
I also look up to John Strand at Black Hills. I like his way of including newcomers to the industry. He’s done a good job there.
Is there anything that keeps you up at night?
No.
I enjoy my job and someone else’s bad day might be, not a good day for me, but I enjoy the problem.
Do you have any advice for people that are early in their careers or thinking about getting into cybersecurity, things that you wish you knew or things you did wrong and would do differently?
I think the best advice I can give is not to try to take shortcuts and rush them. I've seen quite a few that try to get a shortcut to a lot of complex and wide domains of competence, maybe even skip it altogether, but the devil is in the details and you gain a lot of competence working in various areas such as IT infrastructure. It's a very important part. But if you skip it altogether, and only focus on the cool security related stuff, you might lose the context of why that security stuff is even relevant.
Right, very much like mathematics that way. Do you have any predictions for the future?
It will get worse.
That's my favorite answer to that question so far.
I have no reason to think otherwise.
By that, do you mean cybersecurity or just the geopolitical problems of the planet in general? Or both.
Well, multiple variables cooking it down to the one cocktail of a new landscape, let's put it that way. But there's the increased digitalization and increased moving of assets into the cloud or in technologies that you or maybe even the vendors don't understand. And the entire community is reliant upon those assets along with the global interconnection and the increased instability. A lot of different variables cook down into a great cocktail for the future.