PODCAST
THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders
THEOS Cybernova delivers expert cybersecurity insights for business and security leaders in APAC. Hosted by THEOS Cyber CEO Paul Jackson, each episode dives into real incidents, strategic responses, and the evolving role of cyber leadership.


Episode Summary
When a cyber incident strikes, every second counts. In the high-stakes world of Digital Forensics and Incident Response (DFIR), elite professionals like Nathan Reid work against the clock to uncover the truth, contain the damage, and get businesses back on their feet — often with millions on the line.
In the Season 2 opener of THEOS Cybernova, Nathan joins Paul Jackson to unpack what happens during a major cyber incident, why digital forensics and incident response require distinct mindsets, and how speed, grit and teamwork can make or break a breach investigation.
From military signals to global cyber investigations, Nate’s path to becoming THEOS Cyber Head of DFIR is anything but ordinary.
A must-listen for anyone driving cyber resilience across the APAC region.
About the Guest

Nathan is a seasoned cybersecurity leader with over 15 years of experience delivering digital forensics, threat hunting, incident response, and infrastructure monitoring services to multinational corporations and government agencies.
Before joining THEOS as Director of Digital Forensics and Incident Response, Nathan held senior roles across global consulting firms, government, and defense. He previously served as Head of Detection and Response Services at Thales, and as Associate Managing Director for DFIR at Kroll, where he led complex investigations across the Asia-Pacific region. His earlier career includes roles with Deloitte, the New Zealand Government, and service in the Royal New Zealand Air Force.
Nathan’s multidisciplinary background—spanning military, public, and private sector environments—shapes his pragmatic, high-stakes approach to cyber crisis management. At THEOS, he leads our expert DFIR team in helping clients contain, investigate, and recover from cyber incidents with confidence.
Nathan Reid
Digital Forensics and Incident Response Director
THEOS Cyber

Related Resources
- THEOS Digital Forensics and Incident Response: https://theos-cyber.com/solutions/digital-forensics-incident-response/
- THEOS Cyber LinkedIn: https://www.linkedin.com/company/theos-cyber/
- THEOS Cybernova LinkedIn: https://www.linkedin.com/showcase/theos-cybernova/
- Nathan Reid LinkedIn: https://www.linkedin.com/in/nathan–reid/
- Paul Jackson LinkedIn: https://www.linkedin.com/in/jacksonhk/
Episode Transcript
Paul Jackson: Welcome to season two of the THEOS Cybernova podcast. Yes, we’re back and we’re here with episode one of the new season. I’m delighted to be joined today by Nathan Reid, who is the THEOS Head of Digital Forensics and Incident Response. And I can tell you right now, it’s going to be a fascinating discussion talking about some of the adventures in fire.
I truly wish we could talk about some of the interesting, sensitive cases that Nathan has handled down the years, but obviously client confidentiality precludes that. But nonetheless, you’re about to take a dive into some of the complexities and the intricacies of digital forensics and incident response and how we help clients in crisis. So, Nathan, welcome to the show.
And I know you go by Nate. So we’ll call you Nate from now on. And Nate, could you just start by introducing yourself a little bit and telling us your career story and how you got to be where you are now.
Nathan Reid: Yeah. Thanks, Paul. Great to be here. Happy to go back in time to when I first started off on my career path, initially, with the Air Force down in New Zealand being quite a small country as a small air force. They trained us up pretty well. So we did everything from our radios. We would bat signals off the atmosphere to get to different aircraft around the Pacific through to satellite communications, setting up antennas, taking messaging. The whole lot of it was doing it, dressing up, running through the bush at the same time, which is always good fun.
Paul Jackson: So wait, you have, you dealt with the technology and you’re running through your bush in uniform?
Nathan Reid: Yeah, exactly. That was the whole goal. And because an air force guy can do radios and satellites and computers, we were quite useful around the different places. So I’ve worked on navy ships, I’ve gone out on patrols, and I’ve also done just messaging, for days on end, listening to static through the air. Yeah, it can be quite fun.
Paul Jackson: Wow.
Nathan Reid: It’s good to be multi-purpose. Yeah.
Paul Jackson: Fantastic. Where did you go to from there? And what made you leave government?
Nathan Reid: Aside from that, I actually end up joining one of my sergeants. When you went out to work for a local, almost a telco called Datacom. They’re quite large now in Australia and New Zealand. And I was one of the first people there with this security operation center. And so as one of the first analysts, I got to be the wildcard. And so whilst they had their core set of technologies that they’re rolling out for most of the customers, some customers wanted to bring their own technologies and, and so they’ll send me out to go learn how to operate it, how to push it to the cutting edge.
And then I documented and run it from there. And so I got about a year and a half experience there, which was good fun after the five and a half years with the air force. And so, doing that and after about a year and a half, I wanted to kind of upskill a little bit, specialize in a different way.
And so I went and joined government, doing cyber defense for critical industries. And so that I got to use some very unique tools and data sets, had different threat actors, a lot of interesting projects there before ultimately, moving out to Deloitte in Australia, as most Kiwis do. Once you get to us in a skill level, you jump across to the Aussie and the weather was better, that’s for sure, and got to hang out in Sydney, with a few of my good friends there now. We’re still in touch years later. And that’s when we got some interesting cases, and it was kind of cool to go from a New Zealand, to it was a bit of a step up going to Australia, because we got to work with some pretty talented IT teams when we did our incident responses there. Some unique cases, a variety of different industries too, which is pretty, pretty exciting.
A few different threat actors there targeting certain regions, which is quite interesting because had the previous ones that usually target government, now we have the ones that target different industries and particularly, some strong industries over there. And so that was enlightening and a lot of a good experience there.
Paul Jackson: That’s very diplomatic of you, the way you navigated those geopolitics there.
Nathan Reid: Yeah.
Paul Jackson: Carry on.
Nathan Reid: Try to think New Zealand, we try to stay on the good side of as many people as we can because being quite small again. But the challenge that I had was usually like, you have the high stress of DFIR all of these cases that come in and you have to provide answers within hours. And so one of the ways I used to de-stress was I’ll go for a nice hike. And if you start hiking in Australia, there’s snakes, spiders in the outback. And my local friends said I was particularly lucky because the amount of snakes I saw as I was out hiking was much more than they saw in their lifetime.
Paul Jackson: Wow.
Nathan Reid: And so, after a few interesting encounters, I had actually lined up to head to Deloitte Netherlands, which part of my ancestry is Dutch as well. And so it’d be quite cool to go to Europe, explore around. But then Covid decided to shake things up there, and I got a call from a mutual friend of ours to go join a little startup out of Singapore and Hong Kong.
And once he heard what I like to do, he said, maybe Singapore is not quite the activity bound area for you. You should come up to Hong Kong and have a play around here. And yeah, that’s how I ended up in Hong Kong and stayed here for the last five plus years.
Paul Jackson: So yeah, totally. I mean, because you honestly, you’re in a stressful job and yet you look like you’ve just stepped out of university. How do you look so young, mate?
Nathan Reid: Genes. I think I’m very lucky, but I used to look a lot younger.
Paul Jackson: All joking aside, let’s talk a bit more about DFIR then, digital forensics and incident response. What is it that really fuels your passion? I mean, because it takes a special kind of person to get involved in this rather niche subject that’s a diplomatic way to put it.
Nathan Reid: Yes. Yeah. Very special, as my parents used to say. Yeah, it’s, you got to enjoy both having a puzzle to do in a very short time frame in high stress, and you got to have a lot of, grit and determination to just keep pushing until you get the answer. If you give up too soon or you’re just there for a day to day job, it’s not going to be the one for you. And you won’t enjoy it too much. No. You get the answers that you’re looking for. You’ve got to have that drive to solve an issue.
The other benefit that I have is whilst it’s not a day to day grind, that’s the exciting part of it, is you get individual projects that are high stress for a short period of time, and you can just take it off. You get that completion kind of satisfaction at the end of it, and then you can move on to the next one. Having an IR that goes for months is really draining, to myself and a lot of my team mates. And so, yeah, having those, those short, even if they’re massive jobs where you’re working 18 plus hours a day.
Paul Jackson: Yeah.
Nathan Reid: Love it. Yeah. That’s awesome. As long as you don’t have them back to back, a little bit of break in between is always nice.
Paul Jackson: And I know we can’t talk about it unfortunately. But last week I noticed you were on a high because you’d solved a brilliant case for, for a company that saved them potentially millions of dollars.
Nathan Reid: That was fun.
Paul Jackson: And I just wish we could talk about it in more depth. But, I saw how excited you were and how, you know, how it really fueled you.
Nathan Reid: Oh, exactly. Right.
Paul Jackson: You know, your passion in this field. And, it was kind of great to see. So I do understand where you’re coming from, because obviously that’s been my background as well for the, for the last 25 years or so, working investigations and crisis management and just helping clients and obviously in law enforcement, helping victims when, you know, when they need it most.
Really. So yeah, kudos to you on that one. So let’s talk a little bit about DFIR because it’s often misunderstood. Right. And it’s a hot topic I see it often discussed on LinkedIn posts etc. But DF/IR, should it be grouped together or is DF digital forensics and incident response really two separate fields?
Nathan Reid: Yeah, I’ve had this discussion with quite a few different professionals along the way. It’s two different mindsets, but the skills overlap.
Paul Jackson: Yes.
Nathan Reid: And so traditional digital forensics is a key component for certain cases, like if you’re going to go, for example, the Volkswagen case, it’s going to go for years, you’re going to have to make sure every piece of evidence is collected perfectly.
All the checklists are done, everything is absolutely spot on. And hosting all the data, etc. that’s a DF (digital forensics) mindset. And that’s usually goes into the insider cases or the different human led cases and legal ones. IR (incident response) is very fast paced. We’re kind of like cowboys almost. With the way we stampede through evidence, we still collect it to an evidential standard for court, but we’re really good at finding what malware or an external threat actor has done, how they move through the network in a very short period of time, and we gather just the evidence needed to determine, what occurred and also answer any questions the client has.
So we’re not taking full machine images like you would for DF, but we are grabbing all the forensic artifacts that DF would use, and we can take a full machine image, but it’s not our usual day to day job. And so you have some people that are kind of DF leaning, which is absolutely great, and you want to use them when you have those kind of cases and you have some people that are IR leaning. And so you can play with those two different skill sets as needed.
Paul Jackson: That’s a fantastic way of explaining it. And let’s elaborate a little bit because, let’s talk about a hypothetical scenario. Right? So you’re there at THEOS and a client or a law firm or an insurance company, with an insured, reaches out to us and says, “Hey, we’ve got an issue. We’ve just been hit by ransomware, and our systems are being shut down. Help!” What can you do? How do you how do you approach this versus what do you what’s the starting point here?
Nathan Reid: Yeah. So gets case quite a lot easier to understand. Yes. First we make sure, if it’s for insurance or similar, if we’re going to get engaged, that is under the lawyer. So we’re privileged and confidential. Your report’s not going to go into the public as a certain company in Australia found out when they did it the incorrect way. So we make sure we do the contracting correct and the scoping. We are certain questions such as how many endpoints you have? What is the size of the area, impacted? These kind of details so we can figure out how far we need to deploy our toolset.
And that’ll also give us an idea of how much time it was going to take in that. That leads to the cost as well. But two years ago, when Fortinet remote code execution was very popular, we might ask, what kind of VPN or firewall are you using? And when that was the first answer, it became pretty clear who we’re playing with, and so we could work quite quickly for us, the difference between 100 computers and 10,000 computers actually isn’t that much.
If your IT team can deploy our EDR quite quickly, that’s not too much impact for us. And so once that so was it done contracting or sign off. We deploy our EDR with support from the local team to 100 endpoints, 10,000 endpoints or two endpoints. And from there we can remotely get, what we call triage, acquisition of our forensic artifacts.
So we remotely execute a little bit of code on the machine, that grabs about 100 or 200 different pieces of information and cache, MFT, etc. that all comes back into our cloud environment. From there, we automatically parse it down to a spreadsheet. Then I do a few espresso shots and just start scrolling through, the information we usually ask, which, service have your key information on it that might the regulators might be interested in or has customer information and which computers did you see some dodgy activity occurring on?
Those are the ones I look at first. I then find out how the ransomware was executed on these endpoints, and we start building that timeline, working back. And it takes about 3 to 7 hops to find out where the root cause was, where the infiltration came from. And so it’s like, cool, we found the trail coming in. We then work to find out where did the threat actor emerge out into and what did they touch and from there we can usually, depending on the level of logs that are provided, provide. Here’s a list of all the files they exist. Here’s a list of all the computers they touched that we can immediately see. And here’s what the data at risk is. And then that might merge into e-discovery, where they in detail tell exactly what the name is, email, just phone numbers, etc. But yeah, it’s usually all this occurs within 24 to 48 hours.
Paul Jackson: Right.
Nathan Reid: And so you have your answers for the regulators in a short period of time. And it gets them off your back quickly.
Paul Jackson: Probably the list is going, geez, how the hell do you manage all that coffee?
Nathan Reid: Lots of coffee.
Paul Jackson: Yes, lots of coffee. But it’s also, you know, I think it’s a team game as well. And you just touched on, for example, getting support. You know, if they don’t have an endpoint detection and response tool, EDR tool already on the system, which allows us that visibility into their into their broader network, you know, you can get support from because obviously THEOS has the offense, defense response and customer success teams, which can all play a role in a successful investigation. So perhaps you could elaborate a little bit because obviously the defense side, you know, there to have your back, I guess during a, during an incident.
Nathan Reid: Right. Yeah, that’s a good point. And so there have been cases, especially in Asia, where sometimes the endpoint fleet isn’t so secured, where we roll out EDR and you start finding lots of different pieces of malware, you’ve got potentially unwanted applications, you got actual bits of malicious code, spyware, etc. but that’s not what the IR team is engaged to do. They’re engaged to find out what the root cause of this one breaches. And so you need a team of people actually watching your back, cleaning up all these, these low notifications, but also letting you know, “hey, we just found the threat actor over on this endpoint. Now using this new tool or we’re seeing an interactive, breach over on this way.”
And so there have been cases, one back in Australia where we had 2 or 3 different threat actors on the same network. The network was actually nicknamed the Wild West because it was so uncontrolled and they knew it. So yeah. And so we have that we’re, we’re working proactively with the SOC and they’re also feeding into it to the point where we both had the incident response report and SharePoint editing at the same time.
So you could fill out the details as both our teams were finding stuff.
Paul Jackson: Yeah. And then of course, we’ve got, a brilliant often team, you know, the, the offensive security, the pen testers, the red teamers who are there. And I do recall a case where they were, instrumental in helping you.
Nathan Reid: Oh, yeah.
Paul Jackson: To identify the techniques used by the hackers.
Nathan Reid: Right. Yeah. The amount of times where logging is not enabled or it’s been overwritten or expired or similar is immense. The first case I got had logs going back two years, so I was like, life’s going to be like this. It’ll be amazing. That was the first and last case where I had two years of logs, that’s for sure.
And so, yeah, this was a case where they were running SQL and we’re pretty sure as a SQL mapper was used. And so we turned to offsec, the operator who’s with us at the US. And I was like, hey, can you fire this tool at this IP address? This way. Seconds later, it, came back with a result. We matched up with what the threat actor was extorting the client with, and they matched line for line. And it was great because we could go back to the technical team who said this is impossible and go, so what’s this? And then actually detail them. Say you’re blocking based on a URL. The threat actor is using your IP address. That’s why they’re getting through the list you’re using. And so yeah worked out pretty well.
Paul Jackson: Fantastic. And then of course, you know you’ve got a very important role which is the customer success side of things. Ultimately, as you mentioned, a lot of these investigations could go on for weeks if not months. If they’re really complex and you need somebody who’s managing who’s project managing it, really, you know, you’re there to do the hard yards in terms of the investigation and analysis, but you need a steady hand to be, comforting the client to be providing them assurance, to be giving them updates, etc.
And I guess that’s where the Customer Success team, project manager, these kind of incidents.
Nathan Reid: Yeah. You’re right. Imagine if, as an analyst, I have to keep stopping every 30 minutes to write an update for that hour, you only get 10 to 20 minutes of actually creating an update, whereas customer success, they can be with you along the way. You’re either talking to them or they check your notes, and go, okay, we understand how many endpoints you have, how many analyzed, and the current findings at this point in time. And they stop pumping those updates out. Because a client, usually in the first few hours, they want hourly updates and then like, okay, it’s in hand, we can relax a little bit and then you get six hours and daily updates after that, which is quite good.
Paul Jackson: Yeah. So I think the, the, the, the summary of all that is that, you know, it takes a team really to, to handle major investigations and, and having those different skill sets and support is super important. You know, obviously you’re the lead and you’re the most important component of that in terms of, you know, telling a story, identifying what happened and helping the client. But, there really is a need for a whole infrastructure of, of capabilities during an incident. So, yeah, very interesting. You know, when it, when a client comes, you know, looking for help in a crisis, how are they supposed to know whether the vendor or consultant, whoever it might be, is actually capable is actually, a quality data file person or company?
Nathan Reid: Yeah. Good point. That’s why it can be handy if you have a retainer in advance to actually vet them. Ask for other people that have used the service, not just once they have a retainer with them, but have actually used it. But that can be hard often to because in their to admit that they had a breach or similar of the and try them out, you could give them a small job or similar, see how they handle it. We have had many cases where we’ve been called in to clean up another IR provider’s mess, at least two that I can remember and that’s just been where they haven’t deployed the tool far enough, or they couldn’t find the root cause. We did.
Paul Jackson: Yes.
Nathan Reid: We found about five different types of ransomware and ghost infrastructure that wasn’t supposed to be online anymore. And we have a basic checklist that we go through to find these kind of things. And another one was a business email compromise, where they didn’t think that the client or the provider had pivoted enough or found all the points of entry. And yeah, the cleanup wasn’t complete and the threat actor was still ahead getting copies of all the emails.
Paul Jackson: Right?
Nathan Reid: Yeah, it’s unfortunate, but it happens.
Paul Jackson: It is, do you know what? This is all part of resilience, isn’t it really. You know, and that’s a buzzword of course, in the cyber security world, you know, building resilience. And we’ll probably touch on things like tabletops etc. at the moment but retain this right. These are critical nowadays. And you know, look, there’s no expectation that companies should have their own elite DFIR teams in-house. They should have somebody on retainer who is, you know, who is an extension of their team, who extends the capabilities of their teams. Right. So can you talk us through some of the, you know, the advantages of, that we would provide, you know, for from a retainer point of view for clients?
Nathan Reid: Oh, for sure. Timing. So paperwork, trying to go through your procurement during an incident or similar. It’s minutes and every minute for me counts because I do move quite fast. And so we’ve seen delays of over a month sometimes. And by then the logs are gone. Yeah. Naturally, I’ll provide guidance on how to save the logs. But if that’s not done, then the evidence provided to find the root cause is no longer there. One example where a retainer was pretty handy was I was already logged into the EDR tool because we were providing an MSSP service to them, and they just send a message saying, “hey, we’re seeing multi-factor alerts on my phone. Can you investigate seven minutes for us to quickly look in, see the command lines going through?” IR it’s this script here. And then the program went, yeah, I think I messed up on that one. And so within seven minutes they had an answer and -seven minutes on the retainer. Not bad. But imagine if you had to do the normal engaging an IR provider doing the MSA. The you have the scoping meetings. That’s a lot more than seven minutes.
And so not only is it faster to get an answer, but it’s a little bit more cost efficient in my mind at least, and you can use it for other services. So if you’re really going to use a set amount on red teaming, why not just call that a retainer and then you get, IR bundled in there? Yeah.
Paul Jackson: So the big difference there as well is, yeah, just provide access to all of, you know, the services that we provide, the, you know, the advanced, testing, security testing, tabletop exercises, which we’ll talk about in a moment, you know, board briefings, you know, and any of these kind of services and, threat hunting and, it really is advantageous because you think about cyber insurance, which is a must in this day and age. Well, if you don’t have any incident, you don’t make a claim. Well, the money spent and it’s gone and it’s there to manage risk, right. It’s a well-established, risk management tool. The difference with the retainer is your money isn’t lost, right. Because assuming you don’t have a major incident, well, use that money for, but as you say, the other services, pen test, red teams, whatever it might be. So it is, an absolute value add. And the last thing to your point, you want to be doing during a crisis is, arguing about limits of liability and indemnity clauses in a contract.
Nathan Reid: So, yeah, that took a long time.
Paul Jackson: It takes an awful long time, as we know. Yeah. But the other thing is as well, you know, I know because you work with a lot of clients, on retainers and over time, you get familiarity with them. And they also realize that. Hang on, we’ve got an expert team here at our beck and call whenever we need them. So anything suspicious pops up instead of trying to unravel it themselves, they just jump on the phone and say, hey, Nate, you know, we got this thing going on here. We’re not quite sure what it is. Could you take a look? Yeah. And could you help us identify. Right. And isn’t that nice to have that kind of extension of expertise and, and it’s great for us in our relationship. So if there if there is a major incident right. We’re there. We jump in. We know the people, we know their systems. And, we’re ready to roll, so to speak. And as you say, time is everything.
Nathan Reid: Exactly. And I think the team you’re chatting about, they, they learn from every time we do IR because we’re not exactly secretive about how we do it or what we do. And so we’ve never had the same incident twice from them. They always give us unique ones. And usually on a Friday afternoon. It’s fun to work with them. They’re nice. They’re nice. group
Paul Jackson: The Friday fire drills. Yes, they know we’re talking about them. Yeah.
Nathan Reid: Every Friday and every company event.
Paul Jackson: Yes absolutely. Just a few more things. Right. So tabletop exercises right. Being resilient crisis. You know clients reach out to us and I think often they, they don’t know what they want. They say, well, we ought to be doing these crisis exercises to test whether we’re ready or not. What actually happens is reality. When we run these kind of exercises.
Nathan Reid: Yeah, that’s a good point. You can often get to similarities between, you know, usual first line responders like firefighters, ambulance drivers, etc., where they train for the likely scenario they’re going to face and so when it happens, it’s muscle memory. They know how to communicate with each other, who actually provides different direction and answers, etc. And it’s the same for a company. We see it with companies that do just ticking the box exercise scenario, and then they pass. When an incident happens, they freeze. And then there’s arguments about who’s responsible, accountable, who needs to go to where. There’s often unrealistic times on how long something will take. Because in it, when we’re in a room and we say, I will go get an image, they’re like, okay, I get that in five minutes. I’m impressed. Join my team. If you can get a full image in five minutes, I’ll have you any day of the week. It’s unlikely.
And the other thing is communication. So when these drills happen, they’re always in a room. Everyone’s always there and available. They’re offline and they’re all chatting and communicating and they’re already there. We’ve got the coffee is the calm, relaxed. It doesn’t happen in real life. And so, when we do our tabletops, we have kind of like, a degree of experience. And so it starts off with those kind because it’s great to get introduced into what threats you might face, who does what, what information they can provide. And it’s kind of like an escape room where you bring all the bits of information together, you project, manage it, and then you can solve that and make a decision and then keep moving.
If you don’t make a decision, you’re kind of frozen and nothing happens, but then you can challenge it even more. Get people outside the room to be engaged in it, give an email to one of the participants, and then they go to tell the information to everyone else like it would happen in a real scenario. And then you get the kind of whispers going on of how misinformation slowly spreads and the pitch becomes a little less clear.
And once they realize this, you get the good project manager stepping up, which I had once in Australia, the actual, security guy kind of shut down, but a program manager stepped in and it was incredible to watch. He just pulled the information, correct bullet pointed it down fully, or jotted out the hidden attack map. The next year, we actually had to make it really challenging because regular scenarios, they just they found it too easy.
And so it was cool to see that progression over time.
Paul Jackson: Interesting. But how do you see the difference in maturity, say, between, you know, your experience in Australia, New Zealand versus Asia in terms of, you know, having these much better? How do we say readiness or capabilities? Resilience capabilities?
Nathan Reid: It is intriguing because there’s a technical aspect and a people aspect and who can say what to who. And in New Zealand, it’s a very flat kind of the person at the bottom speaks very directly to the person at the top. That doesn’t fly too well in multi, national companies. And so and also who’s responsible for what. And do they want, want to be responsible and kind of worrying about making sure their job secure. And so it can be more challenging passing information here. And sometimes we’ve found that we have to become the facilitator in it. And so we receive the information. Is that passing it around which would happen in IR but ideally they should be able to do that internally.
Paul Jackson: Right. Yeah. Because, because obviously communication is probably the most important thing during a crisis. And unless they’re testing their own internal abilities to communicate what the risks are, you know, what the actions should be, etcetera.
Relying on the facilitator to do that defeats the purpose, because in a real incident, we wouldn’t be that well, we would be there, can be later. But, you know, the initial internal communications and decisions, at the onset would be, would be, would be this.
Nathan Reid: Exactly right. And the amount of languages we have here in Asia. Oh, yes. In New Zealand, we almost have one. Oh, we have 2 or 3 officially. Yeah. Over here it’s there’s a lot. And the cultural implications between, Japanese, for example, and Singaporean.
Paul Jackson: Yes. I mean, you touched on a really good point because obviously we work throughout the Asia-Pacific region and the difference in cultures is, you know, you really have to have an understanding because, you know, there’s different ways of approaching crisis. There’s, you know, there’s cultural sensitivities that we have to be aware of. And that makes it even more challenging on top of all the technical components of a crisis, of course.
Nathan Reid: Absolutely.
Paul Jackson: Yeah. Okay. So let’s switch gears slightly as we move on in this conversation, because DFIR, right, as, you know, at the beginning we mentioned that it’s very niche. It’s a very special kind of field. And if you compare it to cyber security, obviously it’s just a tiny fraction of the professionals. But it’s an interesting one. And a lot of people come to us, including our own staff in the SOC, etc., saying, I want to be a DFIR legend, like Nate. And what advice would you have for somebody who really aspires or really wants to be a DFIR professional in your mold, so to speak?
Nathan Reid: Yeah. Good question. There’s a lot of free resources out there just to get started. IT Masters has a few DFIR courses. There’s a couple of tools you can use, like Velociraptor to collect images from your computer. Wiskess to timeline it. Getting an understanding of what artifacts tell you what. And, looking at the different articles to timeline so you get an understanding of how that activity occurs. If you’re in the SOC, that’s a great place to start. And that’s where most people start their career and specialize out after 2 to 3 years, because you get to see those incidents occurring, those alerts, it’s the inquisitive mindset, I think, that usually sets apart is you got to want to know how it got there, what capabilities it has. And when you have 500 alerts a day, it’s hard to actually, pin down one. But if you do get the chance on any of the interesting ones, especially the interactive threats trying to get through and timeline what that threat actor does.
The other thing is, don’t be too nervous. A little bit of cockiness helps really well, because you’re going to tell a multi-million dollar business to turn off like their servers for a day or two. That’s going to cost hundreds of thousands of dollars. But, you know, that’s how the threat actors are gonna get removed. You got to make that call. And understand as well to take a good diary. Is that, you’re going to be making calls with information available at that point in time, and hindsight’s 20/20. So, a little bit of bravery there, too.
You might make mistakes, but that’s how you learn. But, yeah, study up, get some practice. There’s malware labs out there where you can have a look at what they do and how to have a look at them. And yeah, there’s DFIR, there’s DF, so taking images, IR, finding how to timeline and see how threat actors move around.
If you want to dabble in a bit of threat intelligence that always sounds pretty cool. Getting an idea of the capabilities and capacity of different threat actors can be good fun. Yeah, yeah, just go for it. Just try. Yeah.
Paul Jackson: All right. That’s great advice. And I love this because, you know, as you know, I used to, back in the day, I ran lots of training programs for DFIR, back, you know, going back 20 years ago and, working with Interpol, etc., building capacity building. And I always said that, you know, no, DFIR professional. If you want to be spoon fed, you’re in the wrong business, you’re in the wrong job. And it’s really about demonstrating passion, initiative and going out there. Because as you say, there are plenty of resources out there, plenty of free resources. Don’t expect somebody to spoon feed it to you. Go out and do it yourself and, you know, and learn from experience. And as you say, those in the SOC have plenty of opportunity to see, to improve their skill sets. So it’s definitely something we encourage. And we’d love to see more professionals because quite honestly, there’s a dearth in this region, isn’t there? I mean, you know, you’ve obviously seen this. There’s plenty in the, in the, in Australia, New Zealand, in the UK, in the US, etc., in Western countries. But why do you think it is that we just don’t have a big pool of really, really I mean, you’re one of maybe 5 or 6, you know, really elite DFIR professionals in the region. And that’s kind of a sorry state of affairs. Really.
Nathan Reid: Yeah, it really is. I’m not too sure. I do know for the first year going into DFIR, I got imposter syndrome, where you’re like, do I really belong here? And. Yeah, as long as you’re inquisitive enough, but brave and have a good team around you, you’ll do fine. And so just go for it.
Paul Jackson: Well, I guess so, yeah. But, I think a lot of it as well. I don’t know what your feeling is, is that, I think the regulatory legal environment here in Southeast Asia certainly hasn’t compelled companies or corporate in the corporate world anyway. It hasn’t compelled them to take investigative steps historically. I know that’s improving. And there are more and more requirements, you know, especially in regulated industries like financial sector, etc., where they now have to actually do a proper root cause analysis to provide proper investigative findings. And so I’m optimistic that we will start to probably grow the industry better here in Asia. But does that, you know, mesh with your feelings as well?
Nathan Reid: Yeah, I think so. Have we seen a massive improvement in maturity of regulations over the last few years? It’s nowhere near where it should be. But yeah, most almost all the cases are driven because legal told them to. Because if you can just run an AV sweep and then sweep it under the carpet, it’s a lot easier than having to engage someone. So that was what people tended to do in the past.
Paul Jackson: Absolutely. Yeah. So look, to those who are listening, and if you’ve made it this far, you’re hopefully enjoying this conversation because there’s been, you know, it’s unique insights I think we’re hearing from Nate. And if you’re enjoying the podcast, please help us out by clicking the like, subscribe buttons, preferably both. And, you know, it helps us to grow the audience, reach more folks in our region. So that they have a better understanding of the need for resilience, the need for effective incident response and what it means to manage crisis. So please help us out here. Click that like, and follow buttons on whatever platform you’re listening on.
So Nate, as we wrap up our conversation, it’s been fascinating, by the way. And I’m, you know, looking forward, perhaps we, we ought to have 1 or 2 more of a podcast with you, because I think you’ve got a lot more stories up your sleeve. But before we go, I always ask my guests on these podcast because I’m my way of unwinding. I don’t climb mountains. My knees are a bit short for that.
Nathan Reid: So, they’re mine too at the moment.
Paul Jackson: But, you know, we do operate obviously in a stressful world and environment, and I unwind by, you know, listening to music with a good book. And that’s my kind of hobby. I’m a music lover. So I always ask my guests what they’re listening to. I always like to be surprised.
Nathan Reid: That’s a tough question. I usually pick the music depending on what activity I’m doing. So if you’re doing running a nice 120 beats per minute is a good one, right? And so that’s your EDM or dance. Sometimes if going through work, they might be, Sabaton or the like Pirate metal, which is always good fun. Halestorm has some really good songs out there. Yeah, there’s quite a variety. When Spotify last told me the genres, it was over 160 different ones. It went through their.
Paul Jackson: Fair enough.
Nathan Reid: Yeah, a little bit of everything really.
Paul Jackson: So eclectic. Eclectic. I’d like to hear that. Yeah. All right. Good stuff right now. Thanks so much for joining us on this episode. And, you know, your insights, I’m sure, would be appreciated by all the listeners. It’s been a fascinating discussion. And, look forward to, perhaps, you know, setting up a few more episodes in the future.
Nathan Reid: Yeah, more stories with Nathan.
Paul Jackson: Yeah. I hope everybody’s enjoyed this, this episode. And once again, thank you very much for joining us today.
Nathan Reid: Yeah, thanks for having me.