Information Technology, Amsterdam University of Applied Sciences
I’m responsible for collecting and organising all cyber threat intelligence that RedSocks Security works with.
Aside from that I also work as an incident responder. So, whenever a company has been hacked my team and I will try to remove the hacker from the network environment and get the company up and running again.
The data we collect comes from different sources. Some information comes from open sources; other information is retrieved using paid services. The information we collect is organised in a way that makes it informative and actionable enough to be useful. We build our own labs to test malware but also search the internet for binaries, executables or exploits that are useful. We collect this data and, based on various analyses, draw conclusions from it. Every day new phishing, spam and other viruses are being released, and all sorts of potential threats emerge from this malicious software. We collect information to counter these new threats.
We look at how malware behaves when it infects a network. Based on these observations we try to find out whether the malware is detectable. Every malware has its own ‘config’. A config contains the way a program executes itself. We build config extractors that enable us to retrieve the config from the malware. Usually a config is encrypted. We use specific techniques to bypass the encryption and are able to extract it anyway. That can become quite technical.
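As an added illustration of what a config extractor does (example code written for this page, not a RedSocks Security tool), the block below scans a constructed sample byte string for a config section, reads the key stored beside it, undoes a simple repeating-key XOR, and parses the fields into a dictionary. The marker, layout and key scheme are all assumptions made up for the example; real families each use their own format and cipher.

```python
import struct

# Constructed layout for this example: MARKER, 1-byte key length, key,
# 2-byte little-endian config length, then the XOR-encrypted config text.
MARKER = b"CFG!"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample() -> bytes:
    """Constructed stand-in for a malware binary carrying an encrypted config."""
    key = b"\x5a\x13\xc7"
    # 203.0.113.10 is a documentation address, used here as a made-up C2.
    plain = b"c2=203.0.113.10:8443;campaign=test;interval=300;"
    return (b"\x00" * 16 + MARKER + bytes([len(key)]) + key
            + struct.pack("<H", len(plain)) + xor_bytes(plain, key) + b"\xff" * 8)


def extract_config(blob: bytes) -> dict:
    """Locate, decrypt and parse the config; raise if the layout is not intact."""
    off = blob.find(MARKER)
    if off < 0:
        raise ValueError("no config marker found")
    p = off + len(MARKER)
    klen = blob[p]
    p += 1
    key = blob[p:p + klen]
    p += klen
    (clen,) = struct.unpack_from("<H", blob, p)
    p += 2
    enc = blob[p:p + clen]
    if len(enc) != clen:
        raise ValueError("truncated config")  # sample cut short or packed differently
    plain = xor_bytes(enc, key)
    cfg = {}
    for field in plain.split(b";"):
        if b"=" in field:
            k, v = field.split(b"=", 1)
            cfg[k.decode()] = v.decode()
    return cfg


if __name__ == "__main__":
    print(extract_config(build_sample()))
```

The extracted C2 address and beacon interval are exactly the kind of indicators that feed a detection rule or an intelligence report.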
Essentially, what we do is diagnosing whether a patient is ill. The patient being a disk located in a network. If this is the case, our clients make decisions on the further actions they want to take based on our intelligence reports. We do not remove the malware ourselves. We detect it within the network and advise on the best possible next steps.
Antivirus software sometimes tries to delete malware – this is not always successful. For example: when the antivirus software deletes only a part of the malware. The user might think the system is ‘clean’ at that moment, while it’s really not. The malware itself then proceeds to generate more traffic which enables us to better understand how it works and how to deal with it.
It’s my hobby. I’ve always been working and playing with computers, trying new things. I dream about computers. When I was still in school I was trying different things, and experimented a lot. One of those experiments resulted in me getting arrested for hacking. I wasn’t really doing my best to cover my tracks because I wasn’t stealing data or damaging systems. I was just curious to see what I could do and how far I could get. Getting arrested and sentenced means that I can’t work at many organisations nowadays. Some organisations require you to be free of a criminal record if you want to work in this industry. Especially the bigger corporations. Fortunately, there are a lot of other companies, start-ups and scale-ups for example, who recognise that this is just another form of experience and don’t dwell too much on juvenile mistakes. Some of the best professionals in the industry have at some point been in touch with the authorities in this line of work (either positively or negatively).
Unfortunately, I’m not permitted to talk about my biggest professional milestones. Confidentiality is essential in our industry. Something I can mention though, of which I’m very proud, is that I dismantled the Pobelka botnet in 2012. This botnet infected the majority of The Netherlands, from governments to businesses, and a lot of confidential information was compromised. After dismantling the botnet, we notified as many victims as we possibly could.
Another thing is that I’m frequently asked to participate in interviews. For example, to provide background information in the news or for newspaper articles on the subject of cyber security. Being considered a reliable source on this subject is a very big compliment.
The most important thing is that there is such a vast amount of data available, we hardly know how to deal with it all. How to process all of the information and what to filter from it. In the future, we will need, and will probably have, better and more powerful systems to extract useful intelligence from these large amounts of data. Having more powerful systems will contribute to a safer Internet.
Also, malware is becoming increasingly sophisticated. Back in the day you could take over computers relatively easily. Now, it’s becoming more and more advanced mathematics. More layers of encryption are added to software and hardware, but also to malware. Extracting the details from malware is becoming increasingly time consuming, time we simply don’t have. There will probably always be some malware that keeps very deep and dark secrets.
I keep up by trying new things at home and always being open to new technology, new programming languages, new infrastructure, and new operating systems. If you don’t keep up, your value as an engineer will decrease rapidly.
I knew I wanted to become a digital forensic investigator. So, I went looking for contacts that could help me start a career in this industry. It’s relatively easy to find people with similar interests on internet forums, LinkedIn and other social media channels where you find people with the same interests as you. Eventually, I found a job thanks to one of my contacts. He introduced me to someone who had an opportunity and that got the ball rolling.
That’s it really. I knew what I wanted to do, looked for the right contacts and eventually landed this job.
Make sure that you have diverse knowledge of penetration testing, digital forensics and network monitoring. Only if you are able to understand all three, and know how they relate to each other, will you be able to feel confident within the cyber security industry. This is very important! A lot of people get this wrong. They focus on only one element of cyber security, which consequently causes ‘blank spaces’ in their knowledge. It’s important to see the bigger picture and understand how things are interrelated.