I received my first computer forensic training at the Federal Law Enforcement Training Center’s (FLETC) Seized Computer Evidence Recovery Specialist (SCERS) course in Glynco, GA, while I was a Special Agent for the US Army Criminal Investigation Command. It was the start of my new career in computer forensics, cybercrime investigation, electronic evidence discovery, cybersecurity and, eventually, malware analysis and threat intelligence. My journey to Threat Grid and Cisco Security started at FLETC, and it will always hold a special place in my life and heart.
I was very happy to hear from my former CID Special Agent colleagues that FLETC was building a new course, called Cyber Incident Response and Analysis (CIRA). Its mission is to equip law enforcement investigators with the skills and tools to respond to increasingly sophisticated cyber-attacks, and then to analyze the evidence for eventual attribution and criminal prosecution.
Reflecting on my SCERS experience, I recalled how we spent many days learning how computers operated, the fundamentals of file systems, operating system artifacts, and how to properly acquire, authenticate and analyze digital evidence, using whiteboards and command line tools. We learned the basics before we were given the state-of-the-art computer forensic software package, with a Windows graphical user interface, that sped up the analysis and produced reports that were much easier to read and understand in court. The software package was provided to FLETC at a discount, to arm SCERS students with the tools needed to apply what they had learned, and I went on in my career to work full-time for that company for 13 years, always remembering my law enforcement roots.
Talking to the course developers of CIRA, I learned more about their vision for the instruction: following the time-tested pattern of learning the fundamentals first and then moving on to efficiency. I inquired about the malware analysis platform they were using in the course. They confirmed my supposition: they were using an open-source platform to aid in the understanding of suspicious samples collected from compromised computers. The obvious benefit was cost: it was free. The drawbacks included the following: the platform required technical expertise in virtual machines (VMs) to both use and maintain the environment, the software had to inject a .dll (a small computer program) into the VM to conduct the analysis, and the reporting was very difficult to read. The primary issue with the .dll injection methodology is that it is easy to detect by malware that uses anti-analysis / anti-sandboxing functions to hide the true behavior, or maliciousness, of the code.
Three years ago, Cisco leadership approved my creation of the Threat Grid for Law Enforcement (TG4LE) program, through which we equip state and local law enforcement investigators with a no-cost Threat Grid account, two per agency, for organizations with fewer than 1,000 sworn officers. We also implemented a major discount program for federal agencies and the largest police forces. I asked for, and received, permission to expand the TG4LE program to the FLETC courses, starting with the CIRA course then in development.
Earlier this year, I flew to FLETC, with travel expenses covered by Cisco, to show the course developers the latest Threat Grid dashboard, dynamic analysis functions and behavioral indicators. After a brief orientation on the fundamental philosophy of Threat Grid (no presence inside the VM – outside looking in, ease of use, analysis speed, API driven, etc.) and on navigating the upgraded dashboard, I turned the instructors loose to upload their malware samples into Threat Grid.
With the Glovebox feature, they were able to interact with the malware samples in real time, without risk of infection. In less than 10 minutes, they had comprehensive and easy-to-read reports on each malware sample, focused on the behavior, command and control communications, artifacts, and changes to the file system and registry, with a downloadable video, process tree and full report. It was so much fun to sit back and listen to the exclamations of amazement and excitement as they called each other over to look at particular behaviors or analysis results of the samples they were using to teach critical skills. Threat Grid supports collaboration from anywhere on the globe, and they all spontaneously joined in Glovebox to work with a particularly nasty sample.
I offered all of the Threat Grid user documentation for use in the course material development, so they did not have to rewrite the basics. In a few hours, we transformed the final exam and takeaways from the course: every student will leave with his or her own Threat Grid account, to submit up to five samples per day at no cost, with unlimited threat intelligence searches.
It was a good day, making a difference in the fight to make our cyber world safer. The inaugural CIRA course started this week, and I wish the students and instructors the best. I look forward to welcoming the newly trained law enforcement investigators into the Threat Grid community. Qualified law enforcement officers around the globe are invited to apply to join the Threat Grid for Law Enforcement program.