Security Expert Interview Series: Sylvain Hirsch

The following is an interview we recently had with Sylvain Hirsch. Sylvain Hirsch is a Swiss cyber security professional with extensive experience in incident response, digital forensics, malware analysis, and cyber threat intelligence. He is actively involved in several cyber communities and is currently based in Singapore, where he works for Mandiant. In this interview, Sylvain touches upon building an incident response strategy and the challenges that prevent organisations from making timely data breach notification decisions. Now, enjoy the full interview below.


1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Sylvain?

Thank you for inviting me to participate.

My journey in cyber security started with a Bachelor’s in Forensic Science; I went on to do my Master’s degree in Forensic Science with a specialisation in Cyber Investigation at the University of Lausanne. After an additional semester of research in DigitalFIRE at the University College of Dublin, I worked as an intern in the Cyber Security Incident Response Team (CSIRT) of Credit Suisse while I was writing my Master’s thesis.

I worked for the CSIRT in Zurich before moving to Singapore to support the APAC team, and after over three years at Credit Suisse, I joined the Incident Response team at Mandiant Consulting, which is a leader in Incident Response. I am excited to be part of this ground-breaking organisation as it provides me with the opportunities to manage sophisticated cyber-attacks that will enable me to continue to learn and grow.

I am also co-leading a cyber security community named Cyber French Tech based out of Singapore, whose objective is to provide a platform for networking to cyber security professionals from all sectors (public, private and academic), to discover new cyber challenges and solutions, and to help entrepreneurs grow. By reviewing papers for the Forensic Science International Journal and academic dissertations, as well as giving presentations, I keep active my link to the scholastic community, in which I would like to be more involved in the future.

2. You are currently holding the position of an Incident Responder. Is there a typical workday for an incident responder and more specifically, what are some of your primary concerns on a daily basis?

Is there a typical workday for an incident responder? Excellent question!

I would have to say yes and no; there is a lot of diversity and potential unpredictability in any given day, which does keep the role exciting, which is something I thoroughly enjoy.

Depending on the dynamics and structure of the organisation and the team therein, an incident responder can have varying duties. These can be summarised into three main categories.

Firstly, the core role of an incident responder is to respond to any given cyber incident. This consists of anything from technical tasks to a range of managerial responsibilities. To be able to contain and eradicate a cyber threat, all the tactics and techniques used by the threat actors have to be identified and understood; consequently, an incident responder performs digital forensics and malware analysis to identify all the malicious actions performed and all Indicators of Compromise (IOCs). Once the scope and the impact of the attack are established, we can move on to the mitigation and eradication phases to ensure that the threat actors are removed from the environment and all resulting potential impacts are mitigated.

Secondly, an incident responder supervises threat detection and performs proactive threat detection, also known as threat hunting.

The third role is to improve the detection and response capabilities of the organisation and team overall; as such, incident responders often work on enhancing threat detection mechanisms. They also develop and automate processes to accelerate future responses. Time is critical during an investigation, so everything that can be automated should be.

3. Incident response plans used to be an optional safeguard, but now they are quickly becoming a necessary feature of a well-rounded security plan. Is it still worth building an incident response strategy if standards do not require one’s company to implement one? If yes, why?

Yes, it is essential to implement an incident response strategy for the simple reason that every organisation could face a cyber incident at any given time. It’s often stated that organisations need to think more in terms of when they will face a cyber incident as opposed to if an incident will impact them. Cyber security should be viewed and integrated as a business challenge as opposed to an IT issue.

Regulators across various sectors (e.g. FINMA[1], PCI DSS[2], HIPAA[3]) require companies to have an incident response plan (IRP) in place and/or to notify of cyber security incidents. Regardless of whether it is mandatory to have an incident response strategy, one should be implemented.

The main benefit of having a plan in place before the occurrence of a cyber-attack is the acceleration of detection and response, which in turn will reduce the duration and impact (e.g. reputation, financial, legal etc.).

If you do not currently have an IR strategy in place, the ongoing surge of ransomware attacks should emphasise the importance of one. If the organisation is not prepared and does not have any offline backups, the resulting impact could be catastrophic. For example, last week’s REvil ransomware took out hundreds, potentially thousands, of businesses at once, and it forced the closure of half of Sweden’s COOP grocery stores for a lengthy period of time.

It can be a complex task, especially for small and medium-sized enterprises (SMEs), to have a full IRP; however, every company should have at least a strategy that defines the main steps – roles and responsibilities, defined procedures, line of communication, and so forth – to take in the event of an incident. There are several ways to define an IR plan; if you do not know where to start, I would recommend the NIST framework (NIST SP 800-61). If you have one, you should ensure that it is up-to-date and aligned with your Business Impact Analysis (BIA) and risk assessment.

In a nutshell, if you do not have an IR strategy, it is a critical time to define one.


4. What are some challenges preventing organisations from making timely data breach notification decisions?

Detection is one of the main challenges. Based on the M-Trends 2021 report, in 2020 it took an average of 24 days to detect a cyber incident. Ransomware is detected in an average of five days; however, non-ransomware incidents take an average of 45 days, meaning that with the rapid evolution and sophistication of the threat landscape, detection is becoming exponentially more difficult.

In the past, organisations detecting major cyber incidents or data breaches wouldn’t always publicly announce it for fear of the potential reputational and fiscal repercussions; to counterbalance that, new regulations were implemented to force notification of data breaches and cyber incidents. The new regulations have increased transparency in relation to the frequency and nature of cyber-attacks, resulting in an overall advance of the regulated sectors in general, and improvements to organisational response systems specifically. However, in my opinion, being overregulated could potentially have a negative outcome by forcing organisations to be more regulation-driven as opposed to being governed by potential threats.

5. What risks are involved with improper risk assessment in incident response?

Before discussing the impact of an improper risk assessment it is essential to define it. (ISC)² defines cyber risk assessment as the process of “assessing threats, vulnerabilities and assets of information systems to determine the likelihood threats will exploit these vulnerabilities and weaknesses to cause adverse effects”.

The purpose of risk assessment is to support an organisation and decision-makers to identify cyber risks to ensure that they are addressed and managed adequately. It helps to define the cyber security strategy and optimise risk reduction.

Consequently, an improper risk assessment could negatively impact both the organisation in question and its global cyber security strategy. It is impossible to accurately mitigate all cyber risks due to the amount and variety of the aforementioned ever-evolving threat landscape; however, good risk management can reduce the likelihood of cyber incidents and their impact in the unfortunate case of an occurrence. In summary, improper risk assessment can lead to large-scale negative impacts on the business, such as operational interruption, financial damage, data loss, and reputational repercussions.

6. How do you stay up to date with industry news and updates regarding cyber security? Feel free to share the sources/websites with us.

There are three main sources of news that I rely on in order to stay up-to-date. On a daily basis, I like websites like The Hacker News and other security blogs to be aware of new daily threats and vulnerabilities. I enjoy reading technical reports and watching webcasts to improve my knowledge on specific threats and technology, and to provide me with inspiration to tackle new challenges. I would recommend the FireEye Blog, DarkReading, SANS Webcasts, and the new SANS BluePrint Podcast.

Lastly, to stay informed about the global threat landscape I read the yearly cyber threat report M-Trends issued by Mandiant, which contains the main techniques and tactics used by threat actors. If you have the luxury of having an internal cyber threat intelligence team, reading their daily, weekly, or monthly reports could be invaluable.

7. Last question: what is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in Digital Forensic and Incident Response (DFIR)?

This question does come up rather frequently. If you decide to start your career in cyber security, you should be willing to continuously keep learning; cyber security evolves at a high pace, and if you want to stay up-to-date you have to endeavour and dedicate yourself to learning every day.

I would also recommend staying up-to-date with all cyber security domains (e.g. risk management, Cloud, IAM, etc.), as this will permit you to have a big picture view and to be able to solve bigger and more intricate challenges.

A final piece of advice would be to embrace a bit of humility and accept that there will be situations where you do not know something; applying a little bit of creative, lateral thinking will greatly assist in solving the unknown. Build a strong network that will provide you with the ability to get new, fresh ideas, to be challenged and learn, as well as to advance in your career.

Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.