‘What I like is that I can do the investigation and research an incident and then come back with concrete results

’

Mandy Mak

Incident Handler at KPN-CERT

Opleiding

Tried HBO Media & Entertainment for a while before deciding it was not a good match

Incident handler, what does that mean?

The core business of the KPN-CERT (https://www.kpn.com/kpn-cert.htm) is responding to security incidents. Digital security incidents to be precise. We get notifications of incidents from a variety of sources. These notifications can be about pretty much anything. We look into the incident and investigate what triggered the alarm. We try to figure out what exactly happened or what is going on. What the impact of the incident is and what the potential risks are. These investigations are very different from one another depending on who or what kind of protocols are involved in the incident. For example, it can be about unauthorised actions that are detected on a certain machine. We look at what kind of connections the machine makes. Are there any things out of the ordinary? It’s essentially forensic research to find out whether the system that is suspected to be compromised is actually compromised. The strategy we follow really depends on the incident and what leads we have to start with. One thing we do for example is reverse engineering malware.

KPN-CERT is part of KPN’s CISO department. There’s also a REDteam that is actively engaged in hacking and pentesting KPN products before they are shipped to customers. The KPN-CERT is more on the responsive side of the security business. The core activities of the teams are very different but we do work together a lot. Together with all the CISO teams we also publish the KPN Security Policy (KSP), which is open source, with best practices (https://github.com/KPN-CISO/kpn-security-policy). On top of that we also do threat intelligence. We look at what’s going on in the outside world in terms of potential risk developments that might affect us or be relevant in other ways. A more proactive role when compared to the regular CERT activities.

What kind of projects are you involved with?

Mostly investigation projects. What I like is that I can withdraw myself to do the investigation and research into an incident and then come back with concrete results. Often I have to work with colleagues to get to the bottom of something. That combination of teamwork and solo investigating is really nice.

Why did you pursue this career?

By coincidence. I was studying something I didn’t like when one day while going to school I read an advertisement that was written in such a way that I recognised myself in it. I just thought, ‘I have to apply for this’. It was a secondment agency specialised in IT. I got hired and my first placement was at a Security Operations Centre (SOC). In a SOC you keep track of network traffic, looking if you can detect patterns in traffic flows. I liked it so much that when a permanent position opened up I decided to apply. So I did apply and got hired. That was in 2013 and turned out to be the start of my career in security. Later while working for the SOC still, I was asked if I wanted to join the KPN-CERT team.

It’s a relatively new profession. There weren’t that many specific security study programmes before. In my team there are people with all sorts of different background, chemistry for example. So in a way I’m not really the odd one out. Job wise I didn’t have a lot of experience in security. But I didn’t experience that to be a serious issue. The domain is so wide that you can never know everything on all subjects. You really need to work with your colleagues and help each other. You’re behind a computer most of the time, but because you need to work together you still have a lot of contact with colleagues within and outside of your organisation. Both digitally and in person. This collaborative dynamic is something I really enjoy.

Can you name a milestone in your career?

I really like my job in general. When I was working in the SOC my manager at the time asked me if I wanted to apply for the permanent position that opened up. I did, but my interview went horrible. I thought it wouldn’t work out. But my manager hired me anyway because he knew how I worked. That was really motivating. Also when I was approached to join the KPN-CERT team was a highlight. Working in such open and coherent teams are an important aspect of why I like my job so much.

How will your industry or job in particular change over the next few years?

It will change on different levels but I don’t think it’ll happen overnight. Because several incidents make headlines in news media people get familiar with some of the risk. This is in itself a positive thing. But it also means more people with bad intentions are getting familiar with the possibilities. We see that more and more incidents are exposed in which bigger actors are involved. That’s really interesting. It doesn’t necessarily make it more complex but we have to respond quicker, for example with shadow brokers dumping new exploits, making them available to everyone. Because more people have access to (nation state grade) malware, quick response is becoming more important. Companies are paying more attention to this. Which is a positive thing. You can also show it is important to get back on your feet if you get attacked. And you for sure will be attacked. It’s not a question of if, but when.

How do you stay up to date on these developments?

Some of my colleagues are working entirely dedicated to threat intel. They dive deeper into what is going on and we receive info from them. There are also meetings in which CERT-teams get together to share information. Both with government and businesses. What you see there is that companies who are actually competitors in the same business come together to share information relating to security despite being competitors.

I follow specific training on subjects that are relevant and get certifications. I did some SANS courses  and got my GIAC certification in addition to that. For example, I did certified forensic analysis and network forensics last year and this year I’m starting with malware reverse engineering. There’s a lot of attention in the media lately with some bigger malware incidents. We don’t notice a rise in incidents though as malware has always been part of our work. But it’s good to keep on top of developments.

Do you have any tips for up-and-coming talent?

Something I notice all the time, is that the field is so broad. I keep asking a lot and because of that I learn a lot. You cannot know everything all the time. If you go and ask colleagues for help you’ll see that they have just that bit of expertise that you’re missing and you learn from them. There is so much information and knowledge around you. That really makes it a nice place to work and learn. In regards to how things get together or how generic stuff works I think that if you didn’t google it before you ask someone, you didn’t try hard enough.