InSecurity Podcast – Ryan Chapman and John Wood: Anatomy of a Breach
“Anatomy is to physiology as geography is to history; it describes the theatre of events.”
~ Jean Fernel; Legendary French physician
“Those who cannot remember the past are condemned to repeat it.”
~ George Santayana; The Life of Reason: The Phases of Human Progress, 1905
“Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.”
~ Donald Rumsfeld; U.S. Secretary of Defense, 2002
CyberSecurity: Learning from the Past
This podcast starts with an apparently simple question: what can we learn from data breaches to prevent the next one from happening?
More questions swiftly follow: when is a breach a breach, and when is it a data leak? When is it simply a server left exposed?
In this edition of the InSecurity Podcast, host Matt Stephenson has a chat with veteran BlackBerry Incident Response (IR) consultants John Wood and Ryan Chapman about what happens once the bad guys break in, and what the good guys can and must do when dealing with the results of a cyber-attack.
Ryan Chapman is the Principal Forensics Consultant at BlackBerry, and an Information Security professional with over 18 years of experience in the IT realm. John Wood is a former FBI special agent with 23 years of field experience. He leads teams of Incident Responders in large-scale and small-scale breaches across a variety of industries.
Anatomy of a Data Breach
In this episode, we take a forensic, anatomical approach to dissecting recent data breaches, and see what we learn from them. 2021 is both a strange and crucial time to be doing this kind of dissection. In a recent report, the World Economic Forum considered a massive incident of data fraud or theft to be the fourth biggest risk facing mankind, just a hair behind major natural disasters and a step ahead of man-made environmental damage including massive oil spills or radiation leaks.
Besides the wildfires, the election, and the pandemic, in 2020 we saw some of the biggest security incidents ever to affect corporate America. In one incident, the Wisconsin Republican Party was attacked by bad actors and suffered the theft of $2.3 million in payments that were due to various vendors of their organization.
How did the bad guys get in? Through the most basic, tried-and-true route of ingress: run-of-the-mill email phishing. Was the motivation to damage national and statewide election campaigns? Was it to sow more discord in an already tumultuous election season? What simply cannot be disputed is that bad guys got into the organization's systems with bad intent and left with a lot of other people's money.
How to Prevent a Breach
This podcast conducts a forensic examination of the average data breach and how to prevent it. For business owners, this knowledge is crucial as nearly a quarter of all businesses lack a simple incident response plan for restoring data that is compromised by bad actors via phishing or malware. For many security professionals, getting back to the basics will provide a refreshing and effective way of rethinking security in the age of state-sponsored cyberattacks, and the increasingly diverse risk landscape that the new work-from-home business model presents.
This is precisely why Ryan and John’s thoughts will be invaluable for those of us struggling to deal with this new world. In this episode, they help to correct some of the misconceptions that persist around data security events – such as the differences between data breaches and data theft, between targeted and non-targeted attacks, and the thorny issue of what, exactly, constitutes an advanced persistent threat (APT).
By taking a truly forensic approach to cybersecurity incidents, we can more easily separate the merely annoying from the potentially disastrous – and isolate exactly where systems and processes are vulnerable. Given the slew of new attacks that have already happened in 2021, this approach is more vital than ever.
John Wood leads teams of Incident Responders in large- and small-scale breaches across a variety of industries.
John worked as an FBI Special Agent for 23 years. During that time, he served in six field offices as a computer forensic examiner and cybercrime investigator. He was involved in several high-profile cases, including serving as the lead forensic examiner on the Edward Snowden espionage case, the Ardit Ferizi terrorism case, the "Russian voter hacking" case, and several advanced persistent threat cases.
During his distinguished career John was also a SWAT operator, a bomb tech, and a firearms instructor, and he testified as an expert witness in the United States District Courts for the Southern District of Texas, the Eastern District of Missouri, the Eastern District of Virginia, and the Northern District of Florida.
Ryan Chapman (@rj_chap) is a Principal Forensics Consultant at BlackBerry. An information security professional with over 18 years of experience in the IT realm, Ryan sees the security industry as an ever-evolving creature where nothing is stale and there is always something new to learn.
Ryan has worked in SOC and CIRT roles that handled incidents from inception through remediation. Reviewing log traffic, researching domains and IPs, hunting through log aggregation utilities, sifting through PCAPs, analyzing malware, and performing host and network forensics are his passions. One of his primary interests is the exciting world of reverse engineering. Malware has become pervasive, so he relishes the ability to dissect, understand, and protect against evolving threats. He is always on the lookout for the new tricks that malware authors use to circumvent security appliances. Ryan has presented at DEF CON, SANS Summits, BSides Las Vegas and San Francisco, CactusCon, Splunk .conf and SplunkLive!
InSecurity Podcast host Matt Stephenson
Matt Stephenson is a host of the InSecurity Podcast and video series at events around the globe. Twenty years of work with the world's largest security, storage, and recovery companies has introduced Stephenson to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come before.