Matt Presser spent the better part of 2000 like any college junior would have whose study abroad program was in the Mexican resort town of Mazatlán.
He partied and soaked in the sun and waves.
"I sort of considered it my lost semester because not a lot of studying got done," said a laughing Presser, now 42, who was attending New Mexico State University in Las Cruces at the time, about 15 hours away from Mazatlán by car. "Most of my time was spent hanging out and surfing."
But it didn't end up all play for Presser. He decided to get more serious in his second semester abroad, accepting an internship at a family-run computer company.
The job included basic troubleshooting during the early days of the internet. Presser had no previous experience working with PCs – he only passed an introductory computing class his sophomore year because his friend was the proctor – but as the internship wore on, he started getting good at what he did. He eventually extended his services to private consulting for expats living in Mazatlán who wanted to build web pages or couldn't get their internet to work.
Matt Presser, 42, began his IT security career in academia, eventually landing a job as an assistant professor at New Mexico State University. But eventually his longing for action became too much to bear, and he left to join Trustwave as an incident responder.
Nowadays, as a senior security consultant for Trustwave SpiderLabs, Presser is still helping people figure stuff out in a connected world – except the stakes are much, much higher. He is part of a team of Trustwave experts who help businesses, from Fortune 100 companies to the mom-and-pop shop around the corner, prepare for and resolve security incidents.
The First Cut is the Deepest
Typically, the companies with whom Presser works fall into one of two groups.
The first is a medium-to-large business that Trustwave already has a customer relationship with through its Digital Forensics and Incident Response (DFIR) program. The business has recently experienced an event requiring escalation or forensic investigation, and Trustwave is brought in to help.
In the other camp sit merchants, which can range in size from a single car wash to a major hotel chain, that are believed to have experienced a compromise resulting in real-world fraud.
For the incidents involving existing customers, they usually have some idea that something has gone amiss and can offer background information before Presser or one of his colleagues arrives. Once on scene, he typically starts by scoping the environment to determine what type of data may have been targeted. He then looks for anything strange going on: perhaps a weird network connection or data flowing through unexpected locations.
"Once you've identified some weirdness, then you track down how they got in," Presser said. "You can then start containing and stopping the bleeding." The bandaging process also means helping ensure that the wound won't re-open and that the containment is holding.
But ask any incident responder what scares them the most and they'll tell you it's the bleeding they may not be seeing. There is no more sinking feeling than being outsmarted, unable to fully gauge or discover the extent of an incident.
"You might find one bad thing," he said. "But it could be there are 10 other bad things going on."
Sometimes the investigation devolves into a game of whack-a-mole where the incident responder is trying to match wits with the adversary, said Brian Hussey, vice president of cyber threat detection and response who leads the DFIR team at Trustwave. "The attacker may know we are there responding, and they may be trying to change up their tactics and planting more back doors," he said.
In some emergency cases, depending on how quickly a compromise is ballooning, Presser and the team only receive a few hours' notice to hop on a flight. The urgency to control an intensifying breach could also mean working nights, weekends or even holidays. It's not uncommon for attackers to strike during off hours, with the knowledge they may catch their targets off guard and understaffed.
"Hours can be extremely long for an active incident," Presser said. "You're working until things are contained. You might get a few hours of sleep here and there."
Presser recently scurried off from his home in Las Cruces – he still resides in the desert city of 100,000 since he arrived there to attend college – to a large U.S. restaurant chain. The company had been hit by the stealthy and insidious Carbanak cybercrime gang, which infests endpoints with difficult-to-flag malware delivered through advanced social engineering methodologies. Ironically, the business had recently read a threat report on Carbanak that Trustwave issued in the winter of 2017 and thought it had shored everything up that would have prevented such an attack from happening there.
It turned out the chain had not battened down its corporate endpoints as well as it should have, and this necessitated a call to Trustwave incident responders to come in and handle the dirty work. Once the outbreak was identified, contained and eradicated, Presser gathered in the CISO's office for a post-mortem discussion.
Something brazen then occurred. The phone rang, and the CISO answered, placing the call on speakerphone. It was the attacker, carrying a thick Eastern European accent. "I just wanted you to know," he said through the phone, "good job, but we will be seeing you again."
Presser couldn't believe his ears. "Holy cow, the gall," he thought.
Not only does DFIR Managing Consultant Shawn Kanady play detective and investigator on incident response engagements, he also occasionally assumes the role of quasi-psychologist, counseling victims through the “five stages of grief” following a data breach.
Sure enough, the crooks made good on their word, as well-resourced and determined attackers tend to do. Another wave of malicious phishing attacks soon hit the company. Presser and his comrades returned, again containing the situation within a few days.
Making life easier in this case – and others like it – was that the victim company was an existing customer, having first engaged with Trustwave on an incident response retainer. These agreements typically include incident readiness training, a vital component of a security strategy given how commonplace breaches have become.
Readiness work includes training and tabletop exercises on policy writing, first response, handling client downtime and most importantly of all, identifying incidents. (Businesses that self-detect compromises can typically contain them far quicker than organizations that rely on outside parties to detect compromises, and the 2018 Trustwave Global Security Report showed solid improvement in this area).
Readiness training also helps compromised businesses avoid contaminating the crime scene, since a contaminated scene limits the chances of a controlled forensic response.
"Inevitably what ends up happening is they're wrecking evidence because they immediately go into containment mode," said Shawn Kanady, an incident response consultant and Presser's manager. "That information would have helped us determine an initial infection vector."
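The practical counterpart to Kanady's point is a volatile-evidence snapshot taken before anyone pulls a cable or kills a process. The script below is an added example, not Trustwave's tooling or anything described on this page; it assumes a Linux host with iproute2 (`ss`, `ip`) and a sha256 tool, tolerates missing commands rather than failing, and hashes every capture so the evidence can later be shown to be unaltered. The directory layout and file names are the author's own choices.

```shell
#!/bin/sh
# Added example: capture volatile state BEFORE containment, so that the
# initial infection vector can still be reconstructed afterwards.
# Not Trustwave's tooling; tool names and layout are this example's assumptions.

# Echo the sha256 command available on this host (assumption: one of these exists).
pick_hasher() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"
    elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
    else return 1; fi
}

# Run one capture command into $outdir/$name; a missing or failing tool is
# recorded in a .err file instead of aborting the whole collection.
run_capture() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name" 2> "$outdir/$name.err" || echo "exit status $?" >> "$outdir/$name.err"
    else
        echo "tool not present: $1" > "$outdir/$name.err"
    fi
}

# Write a manifest of sha256 hashes for every file in the evidence directory.
hash_manifest() {
    dir="$1"
    hasher=$(pick_hasher) || { echo "no sha256 tool found" >&2; return 1; }
    ( cd "$dir" && for f in *; do
          [ "$f" = manifest.sha256 ] && continue
          $hasher "$f"
      done ) > "$dir/manifest.sha256"
}

# Re-check the manifest; non-zero status means the evidence changed.
verify_manifest() {
    dir="$1"
    hasher=$(pick_hasher) || return 1
    ( cd "$dir" && $hasher -c manifest.sha256 >/dev/null 2>&1 )
}

# Collect the things containment destroys first: live connections, processes,
# logins, ARP/route tables. Order matters: network state goes before anything else.
collect_volatile() {
    outdir="${1:-./ir-$(date -u +%Y%m%dT%H%M%SZ)-$(uname -n)}"
    mkdir -p "$outdir" || return 1
    run_capture collected_at.txt date -u
    run_capture connections.txt ss -tunap
    run_capture listeners.txt ss -tlnp
    run_capture processes.txt ps -eo pid,ppid,user,lstart,etime,cmd
    run_capture logged_in.txt who -a
    run_capture arp.txt ip neigh
    run_capture routes.txt ip route
    run_capture dns_resolv.txt cat /etc/resolv.conf
    hash_manifest "$outdir"
}

# Usage: IR_COLLECT=/mnt/evidence/host1 sh collect.sh
[ -n "${IR_COLLECT:-}" ] && collect_volatile "$IR_COLLECT"
```

Run it from a USB stick or a mounted share rather than writing to the compromised disk, and only then start containment; `verify_manifest` on the same directory later confirms nothing was touched in between.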