Welcome to the first of our blue team interview series.
This series aims to bring you stories from the folks at the coal-face of cybersecurity – the blue team.
Ryan is one of our favourite blue teamers, and our first incident responder featured in our blue team interviews.
He is also kicking off his entrepreneurial career at Retrospect Labs, having gone through the CyRise Cybersecurity Accelerator program.
We hope you enjoy the series.
Vaughan and Ben
Tell us a bit about yourself.
I spent 6 years at the Australian Cyber Security Centre working in the Incident Response team, before heading up the Joint Cyber Security Centre program briefly as its inaugural National Director.
I then jumped across to private industry for a bit, as the Lead for Threat Intelligence and Incident Response at AGL Energy, a major Australian energy provider.
Currently, I’m the co-founder and Chief Operating Officer at Retrospect Labs, a cyber security startup that specialises in cyber security exercises.
What’s the most interesting incident or event you’ve worked on (that you can talk about)?
That’s an easy one! It was definitely the first major incident response case I ever worked. The year was 2014, and it was a really significant compromise involving tradecraft that was new and incredibly unique back then.
Multiple victims, victims compromised purely for infrastructure purposes, new malware that had never been seen before. It was a really complex case that took over four months to investigate and remediate, but it was still one of the best IR ops I’ve ever been involved in.
What tips do you have for incident responders who are working from home now?
I guess the good thing about incident response is if you have data, you can pretty much work from anywhere! But I would say one really important thing that incident responders who are working from home still need to keep in mind is open and regular communication with clients or stakeholders.
You may not be on site, but you need to make sure your stakeholders are getting regular and as frequent as possible updates from you.
Communication is key to building trust and keeping people calm (and confident) that you’re resolving the incident thoroughly and as quickly as possible.
What’s your pro-tip for your fellow incident responders?
Anyone who knows me knows that I am all about diverse skills in incident response. Technical skills are essential, but so are other skills like communication and relationship management.
So don’t neglect the ‘soft skills’ part of incident response.
Also, keeping on top of your skills development is really important. It will help you be ready for an incident so you know how to respond to it effectively.
What are you working on now?
I recently co-founded a startup, Retrospect Labs, that specialises in cyber security exercises.
I think after so many years in the reactive incident response space, I saw how often organisations failed to respond effectively to an incident, the incident got out of hand (or wasn’t stopped as quickly as it should have been), and all of a sudden organisations were dealing with a massive incident, at a significant cost to the organisation.
I think exercises are a great way to help you prepare for an incident and make you more ready for when it inevitably happens. You don’t really want to be in a situation where the first time you’re trying to figure out how to respond to something is when it’s the real thing – the stakes are too high.
First responders (like firefighters) train constantly, and so should we. Exercises prepare you, and make for better incident response.
How has the transition been from running Incident Response to running your own business?
There is so much to learn and get my head around. One of the things I’ve always loved about incident response is its frenetic, fast-paced nature and the diversity of work you get to do. And running a small startup is no different.
How has coronavirus/COVID-19 impacted you?
We are really lucky in that my co-founder and I are both used to running teams that are spread out all over the country, so we’ve got the remote working part covered.
Understandably people are less inclined to take meetings with us at the moment (the absence of the lure of coffee perhaps), but we know that it is a difficult time for everyone and that once the dust settles, we will be ready to get back to it.
We are staying positive about the future.