Interview with Bex Nitert – Managing Consultant of Digital Forensics and Incident Response


Bex Nitert works at ParaFlare cyber security in the Greater Perth Area, Australia. We asked her about her job, her career path, and her experiences as a woman in the STEM field.

Can you explain what your job entails and what tasks you perform on a daily basis?

No day is the same when you work in digital forensics and incident response (DFIR), but in general terms, the role involves helping an organization investigate and recover from a cyber security incident. This requires identifying, acquiring, and analyzing digital evidence to construct a timeline of events and determine what has happened as well as how so that the organization can make informed decisions about how to respond.

I work in a consulting team providing DFIR services to a range of clients. There probably isn’t an industry sector we haven’t worked with, and they all come with different quirks and technology. We have clients in government, mining, transportation and logistics, healthcare, agriculture, information and communication technology, financial services, and the list goes on. Other DFIR professionals may work in an organization’s internal security team, so they undertake similar work solely for their employer rather than clients.

The cyber security incidents we respond to differ in scale, impact, and complexity. This includes relatively low impact events such as credential theft whereby the usernames and passwords of employees are obtained via deception in phishing attacks. Our job in this instance involves gaining an understanding of how the phishing attack has occurred and using this information to identify potentially impacted accounts by analyzing available logs, conducting targeted searches across user mailboxes, and in some instances finding the list of stolen usernames and passwords on the phishing website used in the attack. We then provide advice to clients about how to secure their environment and user accounts. We will also look for evidence of any further malicious activity such as data theft.

Most of the cyber security incidents we investigate are high-impact ransomware attacks. Ransomware is malicious software that is used to encrypt files on the victim’s computers and servers, making these files inaccessible. A ransom fee is demanded by the threat actor in exchange for restoring access to these files. In some circumstances information may be stolen during the attack and the threat actor threatens to sell or publicly disclose this information if the victim does not pay the ransom fee. Ransomware can cause significant disruption and financial damage and impact the health and safety of individuals when the targeted organization is involved in critical infrastructure, essential supply chains, and healthcare services. In many cases, the operations of an organization are brought to a standstill due to the reliance on technology or electronic files that cannot be accessed. I think that’s the toughest moment for clients because they’re dealing with not only the breach of security but also the fact that they can’t operate. In those circumstances, our interpersonal skills are critical as we need to support the client’s leadership and employees through that stressful period while ensuring all necessary actions are undertaken to investigate how the threat actor gained access to their systems, what the threat actor did, and provide recommendations about how to get back to business as usual and avoid repeat attacks by improving security.

The most complex cyber security incidents we investigate are generally related to cyber espionage. In these cases, the objective of the threat actor is to steal information for geopolitical or competitive advantage rather than direct financial gain. These actors tend to be a bit more discreet in the way they operate to avoid detection and so we’re likely dealing with less evidentiary data than desirable, especially if they have been active in the organization’s IT environment for a long time (which is often the case). In these investigations, we have to paste together a lot of little bits of information to try and create a timeline of events and understand what has happened.

Regardless of the type of cyber security incident, we apply a scientific method to our analytical work and ensure it is repeatable and reliable. We often commence our work with a hypothesis of what has occurred and how, but it is important to consider alternative hypotheses and constantly challenge assumptions and ensure evidence is being interpreted correctly. This requires a lot of ongoing research. It is also important you are communicating in a way that expresses your level of certainty in the findings of your investigation especially when you are dealing with a lack of data or data that may be unreliable or ambiguous.

When did you first learn about digital forensics and cyber security? How were you made aware of this field (i.e. did you learn about it in a course in school, hear about it through a friend or family that works in the field, etc.)?

It took me a lot longer than I wish it did to learn about cyber security and digital forensics being a career option. It’s been something that I’ve been dabbling in since I was a teenager, but nobody ever told me “Hey, you can actually do this for a living”. When I was in junior high school, I got the impression that working in IT was limited to being a typist where your value was judged in words per minute because that was all we were taught. Towards the end of high school, I became exposed to the IT industry through my friends, but the computer science degrees sounded really boring to me [laughs].

After high school I began working with my Mom, essentially running my own business with her support, and provided IT, graphic design, and computer training services to clients. It was through this work that I became more exposed to cyber security issues, particularly vulnerabilities with websites and insider threats. Cyber security was also more openly discussed in mainstream media. Seeing bad things happen in my clients’ environments got me really interested in cybercrime and white-collar crime.

As I was beginning to mature as a person and researching online about different careers, I finally came across a university course that didn’t sound boring and combined all of these technical, legal, and research aspects that were of interest to me. I initially started a Bachelor of Science degree in Security with a major in Business Law. Unfortunately, that course got cancelled a semester in, so I then had to make the choice of “where do I go from here?”.

I ended up taking a Bachelor of Counterterrorism, Security and Intelligence with a major in Criminology, and that was a really good move for me. I didn’t take the computer security major because I felt confident in the content it covered and saw more value in expanding my knowledge. The criminology major sounded really interesting—it had justice and forensic science and organized crime course units which I thought would be really valuable to my career, and they were, and I loved them. I think the intelligence analysis and counterintelligence units were also really beneficial especially when communicating the uncertainty in what we’re analyzing and applying critical thinking skills to try and minimize the bias in how you’re interpreting things, rather than just jumping into the first conclusion. I think about multiple scenarios, and I am often the devil’s advocate in the room. Sometimes people are really quick to say “an attacker wouldn’t be so dumb as to do that, they would rename that file because that file is so obvious” or “oh no that’s definitely an attacker because of XYZ” and if you take that narrow approach, allow your bias to cloud your judgement, and fail to consider alternatives you can get it wrong.

So, it was through my own research and personal discovery that I came to learn about the career. I started working in forensics as a mature student in my late 20s, but I think that everything I did leading up to that has assisted in my career, so I don’t regret anything.

A recent talk by Bex at BSides Perth

What made you interested in a career in science and specifically digital forensics? Was it clear to you from a young age that that was what you wanted to do or else what or who inspired you to follow this path?

It’s an interesting story. I have always been interested in science, questioning things, wanting to know how things have worked. My mother joked that my middle name should be “how come?” because I was constantly asking questions: How come? Why? What’s this? Mom started studying engineering when she was young and she was quite interested in science. She didn’t complete the degree and told me when I was older that she felt a bit ostracized being the only woman in the room, which is something I think a lot of us have experienced, but it was a lot worse back then.

I really enjoyed science in primary school, more so environmental science. Then in high school I got into chemistry and physics which were my two best subjects. When I said that I was interested in going into engineering, my career advisor in year 10 said “I don’t know why you’d bother, you’ll never make anything of yourself”. It made me feel like I had no hope, even though I was getting good grades in school. I didn’t end up pursuing engineering but I was determined to prove her wrong.

It was through my work with technology, not necessarily science, but building computers and understanding how they work and assisting people with their computer issues where I started heading off in that direction. My first memory of doing anything cybersecurity-related was when the outbreak of the Blaster worm occurred, way back in the floppy disk days when I was in high school. With this particular worm, as soon as you connected to the Internet your computer would, within 30 seconds, shut down, so you couldn’t really do anything let alone download the security patch in order to fix it. I managed to download the patch to floppy disk from a computer that wasn’t impacted and then, because I was too young to drive, my mom drove me around to the houses of friends and relatives so that I could patch everyone’s computers.

Overall, it was really the investigation aspect of science that I was drawn to. Not only wanting to investigate the technology side but also the people side, as I’m really interested in how people tick and why they do the things that they do, as well as bringing people to justice. Justice is one of my core values and being able to apply the work that I do to achieve that for people is really important to me. I’ve been undertaking a private research project for the last year tracking a cybercriminal and hope that some of the information I’ve uncovered will enable authorities to obtain justice for victims.

Do you feel like you were always supported to pursue this career or if you weren’t how did you deal with that?

By the time I was an adult embarking on the path to this career, I did feel supported. I think if I went in as my younger self I probably wouldn’t have been so resilient. In the cyber security field, 10 to 20% of the workforce is female and the percentage of women in leadership positions is much lower. It can feel really intimidating attending a course where there are very few girls in the room or at work when you are the only girl in the team. It wasn’t so noticeable at University, but then entering the workforce has been quite interesting. You get polar extremes where you have people that are really supportive of what you do and want to help you develop, but then you also have the other side where your technical capabilities are completely ignored and you’re shut down. Even clients can behave this way. For example, I had a meeting scheduled with a new client to discuss their issues and how we could potentially assist them, but when I went up to introduce myself they shooed me away, as if I wasn’t the person that they were meant to be meeting. Some leaders at organizations have also been disrespectful of women in the team, only wanting to discuss the job with a man, even if it is women leading the job. So that has been a bit of a challenge.

Still, there have been so many champions out there, women and men, who are trying to improve diversity and inclusion within the industry. At the current place I’m working, ParaFlare, our DFIR team is 75% female which is well above the industry average and the team is also female-led, so that’s really awesome. I don’t feel like I’m an outsider and feel empowered to be the best I can be.  It’s just amazing how different organizations are. ParaFlare is young and small so I think it’s easier to understand the culture and values of the company, but with larger global mammoths it’s a bit more difficult to get that sense until you’re in there, so it can be a bit of trial and error [in your perfect job search].

In general, do you feel like the field of cyber security and digital forensics is welcoming to women?

I think there’s been a lot of focus on making the cyber security industry more welcoming for women, but there’s still a lot of work to do as well, and I think it’s the same across all male-dominated industries. In general, I think digital forensics and incident response as a niche area in cyber security is welcoming to women but can be let down by the wider industry or organization you work for. That said, the positive experiences definitely outweigh the bad.

I think having that sense of belonging from the outset is really important, so improved representation and visibility of women in the field can help newcomers not feel like outsiders. The way that we role-model certain careers can influence the number of women seeking to work in cyber security. If you don’t see it how do you know about it? How do you imagine yourself in that position? If you don’t know anyone working in the field, you’re probably less likely to pursue a career in that area. Some initiatives in Western Australia that are seeking to increase the visibility of STEM role models to high school students include the Girls’ Programming Network, hosted by Edith Cowan University, and the Techtrails STEM and Future Skills Program run by Women in Technology WA.

Beyond high school, we have an organization here called the Australian Women in Security Network (AWSN) whose mission is to support and inspire women who are currently working in or seeking to work in the security sector (this includes areas outside cyber security, including physical security). I’m a chapter lead of AWSN here in Western Australia and have been a member of the Perth AWSN chapter since it was established—more than 5 years ago now. I’ve found that my involvement in AWSN has been very beneficial. I’ve gained a lot of confidence, have a solid support and peer group, and really get a sense of joy watching people achieve their career goals from graduating university, to obtaining their first job, speaking in public for the first time at an industry conference, or winning awards.

Can you describe the culture of a cyber security company (the social aspect, hierarchy, perspectives on time off, etc.)?

From the security industry perspective, it is an absolutely fantastic community Australia-wide. We have regular social events where even if we’re competitors we catch up like friends. I think the community is quite strong and we’re very willing to help each other. Often security professionals will stay at a company for a few years and then move on, it’s kind of like musical chairs, so maintaining positive relationships in the security community is important. In general, the community is very welcoming and friendly. Of course, every community has its own problematic people but for the most part, we’re all friends and we have a good time every month catching up when we can. If you’re lucky you’ll then work with some of those people as well.

The type of work that you’re involved in can really impact your work-life balance and how much you’re expected to work each week. On average, most contracts for full-time workers specify that you are expected to work 38 hours per week but I can guarantee you most people, especially in DFIR, are working far more than that. Some companies are more flexible than others as far as working conditions and start and finish times and whether you can compress your day or spread it out, etc. The amount of hours I work per week is really dependent on the type of security incidents we’re dealing with. If we get really high-impact jobs like ransomware attacks where a business just can’t operate, we will have long days and work weekends. It can be really intense and we probably work double the hours we normally would. But then we can make up for that later by having some downtime, which is good. Not all companies are like that. There’s still often an expectation that you’ll do a 90-hour week and then continue on with your 40 hours as usual. So, you do see a lot of burnout in the industry.

What is the learning curve like for a career in digital forensics – do you feel like you learned everything pretty quickly or did you have to work really hard for a long time to get your foothold? Is the learning ongoing?

Always learning! We’re faced with so many different types of technology in our line of work that I think it’s impossible to get experience with everything that is out there. Quite often you will go on a job and there is something you have never dealt with before so you have to get up to speed really quickly on how this thing works, how to obtain data from it and how to interpret that data so that it’s reliable. There’s that constant voice in your head saying “oh my god, I have no idea what I’m doing”, but that feeling is mutual throughout the industry. Being able to learn and learn quickly I think is one of the most important aspects of the job.

There are constantly new methods of attack and new security vulnerabilities and they all have different evidence sources and different signatures and patterns you might need to look for. Some attack methods are variations of what you’ve seen in the past but some are completely new so you have to keep up to speed with what is happening in the industry. If, inevitably, a job comes along in which it is suspected that a new security vulnerability has been exploited you can at least have a rough idea of how you can approach your analysis. So, it is constant learning, constant research, as well as keeping up with your daily job. In the hiring processes, I tend to care more about a person’s desire and ability to learn and think, rather than what they’ve studied in the past, because of this reality.

What are the transferrable skills you may have gained from other jobs that you were able to apply to digital forensics (i.e. organization, leadership, reading, writing, attention to detail, etc.)?

Oh gosh, so many. I deal with people a lot, and especially stressed clients so being able to communicate effectively is critical. Certainly being able to write technical reports really well in a cohesive manner that can accommodate a range of audiences, because a single report might need to appeal to both the executive level of a company and also the more technical people in the company. Having an idea of the fundamentals of technology as well. I use Excel a lot, so if you’re a whiz in Excel and are capable of using a lot of different formulas that goes a long way. I think people underestimate the amount of work that we do in Excel as sometimes it’s just the most reliable and straightforward way to combine and document observations from our investigations. I learned a lot about Excel through working with forensic accountants, and that was completely fantastic for me. If I didn’t work with them I probably wouldn’t have learned all of those valuable skills.

Another thing to remember is that criminals are people too, so having an understanding of human psychology and behavior can be beneficial. At the end of the day, there’s somebody behind the computer on the other side and they’re doing this for a reason, so I think knowing that and thinking about the issue from a human rather than technical perspective can help guide you when you’re undertaking an investigation.

Any kind of STEM career is going to be useful as far as being able to follow particular processes, think critically, test hypotheses, etc. Occupational health and safety can be directly translatable into looking at the governance and risk side of security. I think we’ll start to see security within organizations start to be treated more like occupational health and safety just from the way that it’s embedded into workplace practices. It just goes on, I think there’s a place for anyone from any career to transition to cyber security, the field is so broad.

What is your favourite thing about your job?

I like it when you discover something new and you just go “that’s really cool I haven’t seen that before”. Working with a really awesome team as well. It kind of sounds bad describing it this way, but it feels like the Borg from Star Trek. When you have a really well-functioning team where you can complement and support each other and undertake tasks in a synchronized way, you don’t necessarily need to communicate your needs because people just know what they need to do to step in and support your work, that is really fantastic. You can operate as if your minds are one, like the Borg.

I also really enjoy looking at the quirks of different actors. They do tend to have a particular pattern in the way that they undertake their work and being able to identify that pattern can be pretty rewarding because through that pattern you can then identify a broader range of their activity. In my spare time, I also track and research a few threat groups and it’s through their repetitive means of behavior that makes it easier to establish how they operate and the exact scale of their operation. How they phrase things or spell words in things such as their website domain or URL, it can be so predictable that you come across it and you go “I know who that is and I know what they do” so when you have a client that has been impacted by that particular threat actor you can say “this is what they typically do so this is how we will prioritize our work”. Of course, you also go broader than that because you don’t want to have that narrow range of thinking, but developing that insight into the people behind the activity I really quite enjoy as well.

What is the hardest thing about your job?

The constant need to learn is challenging, as well as being exciting and rewarding. It does increase the stress of your job, especially when you have businesses that can’t operate. I think the thing that we all hate the most is a lack of data, but then also too much. That is a common struggle for everyone working in STEM as well. The lack of data is probably worse than having too much because it impacts your ability to create that timeline of events and understand what happened. This can be quite difficult because clients want answers and you can’t necessarily provide those answers all the time. Not being able to answer the question really sucks, which is why one of our common recommendations is to always have backups and retain your logs and have a sufficient amount of logging in place so that if an incident does occur we can go back in time and actually create that timeline.

It’s like if you have a murderer and there’s no DNA evidence left over, you’ve got no witnesses, no CCTV… it’s just a body with nothing there – what do you do? You hope that there’s something left behind but you also have to work within a budget so you can’t spend an endless amount of time trying to identify that needle in the haystack. You have to balance that which can be a bit frustrating but that’s the reality of the job really.

Looking back, is there anything you would have done differently to get where you are now?

It’s taken me a while to get here. I’ve certainly had a lot of challenges which I learned from, but I like to think that everything you experience in life makes you the person that you are. If everyone was the same and had this perfect pathway to their career we’d all just be really boring and probably think the same. You need that diversity in perspectives and thoughts and experiences to really have an effective workforce. So my answer would be nothing! Sure, there are things I wish I didn’t go through, but I love my life and my job and that’s what matters at the end of the day.

What would you say to other women who might be interested in a career in digital forensics if they aren’t sure if they’ll be able to succeed or where to start?

Definitely seek out people working in the field. As somebody that isn’t working in the industry, it might seem like a daunting task actually trying to find people. In Australia, we have the Australian Women in Security Network and there are similar organizations all across the world working together to help support women entering this workforce. It’s not a female-only network, men contribute to it as well. I definitely think trying to connect with those networks is important. A lot of high caliber digital forensics and incident response professionals are also on Twitter, so that can be a good platform for chatting to new people and keeping up to date with what is happening in the industry.

Also, get a broad range of perspectives. People typically think that digital forensics is only performed by law enforcement and intelligence agencies, but it exists in the private sector too. Digital forensic professionals working in the corporate space often come from a law enforcement background, but there are many who don’t. Getting the perspective of a forensic practitioner who is currently working for the government may be difficult, but someone who has moved from government into the private sector may be more open to talking about what their job is like and whether there are differences between government and private sector work. Their perspectives are likely to be different from other digital forensic or cyber security professionals who have taken a different career path. Seek out different opinions and try to find where you might fit.

Digital forensics and incident response is quite a niche area, there aren’t as many jobs available compared to other cyber security areas, particularly entry-level roles. If you are struggling to find a job it is worth gaining some experience in another discipline of cyber security or investigations. Building your professional network can also help get your foot in the door. If you like the idea of digital forensics and incident response, but the high tempo environment isn’t appealing you may consider a role like threat hunting as it utilises many of the same knowledge and skill sets. This is more of a proactive approach of using the same processes to identify threats in the environment before they’ve been detected as problems.

If you have a passion for it, don’t let anyone stop you. Some people think they don’t know enough about everything, but neither do I. We’re constantly learning and dealing with new things. I think a lot of women hold themselves back because they think they don’t have enough knowledge or experience in certain areas, but the reality is that everyone working in the field will lack skills and knowledge in certain areas because we never get to deal with everything on a daily basis. So don’t let that self-doubt hold you back!