This is Part 2 of our extended discussion with Kevin Treuberg, one of the cybersecurity industry’s leading computer forensics and investigations SMEs with over 28 years of experience in both the public and private sectors and across a broad array of industries. He is the Manager of the Digital Forensics and eDiscovery Group at The Home Depot, but that just scratches the surface of this multifaceted Renaissance man.
As Kevin and I continue our march through the electronic wilderness, we talk about changes in the cyber threat landscape (and even the lack thereof), COVID fatigue and cybercrime, the investigator’s toolkit, the reality of Minority Report, CSPs and incident response, how phone bills are the bane of drug dealers, thumb drives in parking lots and phone chargers in airports, how a smoking habit can be a cybersecurity vulnerability, IoT and the cyber investigator, how Fitbits can sink ships, nation-states as bad actors, quantum computing in the wrong hands and more.
Below are the highlights of the various topics of our conversation, along with various Survival Tips and insights.
The conversation is broken into my questions and comments in bold, Kevin’s answers and insights in italics, and any editorial and other additions in plain text labeled “ESI-SG.”
And if you are a wary reader, there are video timestamps for our talk with Kevin on the YouTube Channel – there is no shame or judgement in that at all my friends, I am more of an audiobook guy myself. Check out the chapter links on the ESI Survival Guide YouTube Channel (the one with the logo), and support us by sharing, commenting, liking or, better yet, subscribing!
Obviously, ransomware has been top of mind across all industry sectors. It’s always in the papers, if you just search for “ransomware” in Google News you’re going to see all sorts of articles from just hours ago extending back for years. But outside of the ransomware threat, how else has the threat landscape changed in recent memory? Are there new avenues of fraud and misconduct? We’ve heard all these stories about social engineering and people having their debit and credit card information, their ATM pins stolen and all sorts of different threats in the cyber world. What are some of the newer threats that we’re facing moving into 2021?
Kevin: Well, all of those things are still occurring. All those different types of fraud and social engineering, phishing emails and spear phishing emails are alive and well. They are either used in an effort to compromise one person and get that person’s data, or compromise that person and then drill deep into the networks and the computers to which they’re attached. I think the danger that we have right now is that everyone’s getting COVID fatigue. Everyone is really, really looking for some outside connections and to do something different than have Zoom meetings all day, right, and sit in your guest room office not having human interactions anymore. I think you’re going to see a lot more folks, unfortunately, falling prey to some of these phishing emails, or just letting their guard down, and not practicing good cybersecurity hygiene as you see with some of the larger incidents that have occurred recently. You have more and more folks working from home so you may have more and more avenues or vectors for attackers to get into those corporate networks. Folks aren’t being as diligent, and maybe the necessary protections aren’t going to be on every end user’s systems appropriately. This creates lots of new vulnerability.
Matt: It sounds like, in a strange way, that’s almost good news. What I mean by that is that it sounds like what you’re saying is that although the threat landscape is evolving, the primary way in which it’s evolving, is that there are a lot more of the same types of threats with which people are familiar. It’s just more of the phishing, spear phishing, spoofing and distributed denial-of-service (DDoS) attacks on a larger scale. And because we are all online and there is more important data out there, the stakes are higher. But again, the reason why I say that that may be a good thing is that many of us are already aware of these existing threats at some level, we have had some type of education, we have read about such attacks in the news. Many of the same preventative mechanisms are things we have been talking about for years, and they are just as important today as they’ve ever been, as opposed to having to learn a whole new set of preventative measures for brand new types of threats.
Now, we want to provide folks with practical tips and tactics on The Survival Guide. This is the ESI “Survival” Guide, not the ESI “Scare the Living Crap Out of You” Guide, so let’s focus on some tools and tactics. When most folks hear about digital forensics, you already know they’re thinking about various TV shows and crime shows, Law & Order, movies like Hackers or Enemy of the State, The Girl in the Spider’s Web, these types of movies. And cybercrime and related topics seem to be appearing in movies more and more, so everyone always just assumes that every in-house team, every law enforcement agency has access to all these amazing high-tech gadgets and software. In terms of what you use, the forensic investigator’s toolkit in the corporate investigations context, what are the main tools that are in that toolkit, and what are they used for?
Kevin: A lot of the tools haven’t necessarily changed all that much over the years; they’re used for the same reasons. We want to be able to investigate an endpoint system, either to determine if data has been compromised, or if there has been an intrusion, to see if there’s any lateral movement off of that piece of equipment to another system within the organization. So, a lot of those same types of computer forensic applications are applicable. There are open-source applications and then there’s commercial applications. Commercial suites will cost a lot of money, but they’re very effective. They are tested and they can be approved in court already. Using these types of applications puts you a leg up, so to speak, when you’re trying to conduct an investigation. Using open-source tools, we often use these hand in hand with commercial forensics tools. Depending on what we’re actually investigating, there could be several open-source tools that make our job a little easier and get us the data quicker. At the end of the day, what you’re doing as a forensic investigator, is you are reporting on your findings based on your technical expertise and your investigative steps. So as long as you’re documenting all of your steps during the investigation, and you’re using the tools appropriately, and you have folks that are trained appropriately in the use of these tools, you can get to your end, hopefully, relatively quickly.
Matt: How does this all change in the context of the current trend that’s been growing for many, many years – the move to the cloud? Does that shift the responsibility for these types of investigations to a multi-faceted team involving the cloud service provider and the investigative team? Or does the cloud just cause you to change your tactics, and now you have to conduct an investigation differently if a corporation is hosting all of their data in the Azure Cloud or AWS, as opposed to an on-premise environment, like many corporations have done traditionally?
Kevin: Note that it can be a mix of both. There are times where you must engage the cloud service provider. And even when you and I were doing some of these forensic investigations and consulting for CDS, and our clients have a lot of these cloud infrastructures, sometimes the end client won’t have all the answers. You have to go to the CSP because they are the owners of those systems. They don’t necessarily own the data, but they own the systems. You’re going to have to go to them to get proper logs and the evidence of the activity and actions on that cloud infrastructure. When you move more towards an internal investigation on the corporate side, there’s going to be a myriad of different types of logs and other information that you’re going to look at that aren’t solely owned by the CSP. There could be internal connections from your organization to that cloud service provider, and then you might need to talk to the CSP to see who externally, from your organization, attempted to access that data.
Matt: It sounds like one of the most important things, and still harping on that theme of prevention, is that as your IT ecosystem grows, you really need to have a cross-functional team of people that understands how data moves around the organization, how you interact with a CSP, where data resides, how data is deleted, so that when a threat does actually infiltrate your systems, you can react very quickly with your Incident Response Team.
Kevin: And generally, the larger organizations are going to have that infrastructure that can support all of that. When you get into smaller organizations, their IT folks might also be their cybersecurity folks, their email folks might also be their cybersecurity team. The larger the organization, the larger the amount of resources available that can be applied towards those investigative efforts and prevention. Smaller organizations may be leaning on too many internal assets, or they’re relying on an outsourced third party to support their security efforts.
Matt: As I said at the outset of our talk, you’ve had a myriad of different experiences when it comes to forensic investigations work. What are some of the common mistakes or pitfalls you’ve seen over your years of experience? Are they different from the government sector to the private sector? Are there differences among the types of industries in which you’ve worked? Or do you see a lot of similarities across the common mistakes and pitfalls that organizations fall prey to with regards to cybersecurity?
Kevin: Generally, the more sophisticated an organization is, if they really buy into cybersecurity, if they really buy into having this security mechanism that involves the entire enterprise, the more successful they’re going to be. You run into some of these organizations where they’re not necessarily putting up the funding or the personnel training necessary to support these types of programs. And that’s where they can run into trouble because they’re going to fall short. That may happen when they’re trying to do some of these investigations or just in general with regards to being protected from cyber threats.
Matt: It sounds like the biggest threat, or the biggest pitfall, involves a combination of outside actors and insiders. And with insider threats, there’s a big distinction between somebody stealing information, or doing something bad from the inside, and someone just screwing up (as you said before, picking up the thumb drive in the parking lot and sticking it into the network). So, again, one of the Survival Guide tips that is clear, is the need for preventative education, and we will provide some educational resources as links in this piece.
ESI-SG: Below are some additional resources on cybersecurity and the cyber threat landscape that Kevin recommends to the ESI Survival Guide community:
- https://www.hornetsecurity.com/en/knowledge-base/ransomware/
- https://digitalguardian.com/blog/ransomware-protection-attacks
- https://www.pcgamer.com/windows-10-has-a-built-in-ransomware-block-you-just-need-to-enable-it/
Matt: Now some of your investigations were recently included in a book by Tyler Maroney, The Modern Detective: How Corporate Intelligence is Reshaping the World. That book was just published this past September if I’m not mistaken. Before getting into some juicy details, first, if you will, how many investigations do you think you’ve been involved with over the years? And without giving any specifics, can you give our listeners and readers the broad strokes of one of the more bizarre investigations you’ve ever worked on, or some of the more bizarre behavior you’ve ever witnessed when conducting an investigation?
Kevin: So how many investigations have I been involved with? I don’t even know – hundreds. I mean, an investigation can be something that takes a couple hours and other investigations can span months. I think one of my favorite investigations that I did, and this is when I separated from the military and first went into the corporate sector, was where we received some phone bills that indicated somebody had stolen some corporate cell phones, and they’re using them to call their buddies. It was like a $1,600 cell phone bill. This was close to 20 years ago so that’s a lot of money for a cell phone bill. In tracking down all the numbers and everything, during that investigation I uncovered an internal drug ring, and we were able to identify the outside dealers.
Matt: Wait wait! This all began simply as someone using corporate cell phones?
Kevin: Yeah, yeah. There were hundreds and hundreds of numbers that were called, but only two or three internal numbers to the company. I had no control over trying to do anything with those outside numbers, I couldn’t exert my will on those external numbers, but I could on the internal numbers. As internal investigators, we could track down who owned those numbers within the organization, start looking through their email, start looking on their systems, and it turned out, the investigation was a few months long, that we were able to identify the external dealer. He was not an employee of our organization, and we identified two internal dealers who dealt to about 20 people inside the organization. We were able to identify all those folks, when they were buying, what they were buying and certain things that they were trading for drugs, which, when questioned about, they were highly embarrassed. This was an investigation that began very, very small, with just a bunch of cell phone numbers and telephone calls, and it exploded into this, where I involved some DEA friends of mine to make some arrests and ultimately prosecute one of the dealers. But we never found out who took the cell phones. To this day, I have no idea who took those phones.
Matt: Were you able to get the content of those messages back and forth, not just kind of the pinging between sender and recipient of the texts? You’re getting content?
Kevin: The cell phones had absolutely nothing to do with the drug deals. The cell phones led me down a path where I was able to identify somebody that was selling drugs. The cell phones were totally out of the picture. I mean, we never caught who stole the cell phones, but we were able to identify 20 plus drug users and buyers within the organization.
Matt: Because I was going to ask, if somebody you know, not me of course, wanted to ghost company cell phones to send various messages – how would somebody do that exactly?
Kevin: I’ll send you an email, just click on the link!
Matt: That leads me to this question – Do you have a dark web password? Having been privy to some law enforcement investigations and how you can quickly go down the rabbit hole, those things are really interesting, especially how different, often unexpected results, can emerge.
Kevin: Well, one of the strangest things, I shouldn’t say one of the strangest things, but a strange thing that always kept happening was when I was, and coming from a counterintelligence background, an intelligence field, when I was in consulting, it would happen all the time where we would go to a client site, we would have to collect data, maybe from a server in their data center, and your IT contact would walk you into the data center, identify a server and say, “Yep, that’s the server that we need to collect data from,” either for an investigation or litigation, something like that, eDiscovery, and then they would leave. So, they’re leaving me alone in their data center, which, you know, I always found incredibly troubling. I mean, I would never ever recommend you do that – always have a chaperone. Sure, it may be an inconvenience to the email person, or the IT professional that has 100,000 other things to do. But I don’t know if you really want somebody that’s not a part of your organization just hanging out in your data center plugging in thumb drives and collecting data.
SURVIVAL TIP! No matter what, even if they are the service provider you hired, or your outside contractor, do not leave anyone from outside your organization unsupervised when collecting data from your environment.
Matt: Well maybe that’s a way to get new business, right? You find those people that would leave you unsupervised and you can go back to their boss and say, “You know what, we have to do some education here.” I remember this one situation that I was in, where I was inside of a data center, not a CDS data center, but a client site, and literally, there was an armed guard there, they had all these controls in the front area. And then when we went back to where the cages were, while we were there investigating where data could be stored and having various physical repositories pointed out to us, somebody was smoking a cigarette and there was an open exit door to the parking lot! This was a pretty significant failure in the physical security controls with regards to how they set up this facility!
Kevin: Propped open with a garbage can!
Matt: Yeah! It wasn’t a commercial data center. It was kind of, they repurposed an area, but it’s just funny how you walk through Fort Knox to get to the servers, and then when you get there, there’s just some guy hanging out in the parking lot, you know, with his foot in the door by the exit sign!
Kevin: And actually Matt, that’s a perfect example right there of the need for education and having those proper controls. I mean, you have security guards, you have a man trap, you have all these different controls going into that data center, but then you have some knucklehead wanting to spark up his vape pen and opening up the backdoor to the data center. That’s a true backdoor!
Matt: Right. Well, that’s the thing, I mean, your security controls and all the technology controls in the world are only as good as the people that you have that are managing them and making sure that they actually work.
Kevin, we’ve been talking a lot about the threats that individuals can pose, how education is important and also the security controls that you would look at as an investigator to help determine what might have happened. But what about developments with the devices themselves? One thing I’d like to ask you about is the Internet of Things (IoT), or the Internet of Everything (IoE). I recently had a conversation with an expert in this area, Debbie Reynolds, and we spoke about wearables, smart speakers, and all the different sensors and devices out there that collect information, whether we know it or not. How does this change in the landscape with regards to the Internet of Things impact how you investigate a cyberattack? Has it changed your tactics as a cyber investigator?
Kevin: Well, the main thing you have to do is be able to wrap your arms around what are all the devices that may be part of an investigation. You mentioned Internet of Things – Fitbit watches, Alexa devices, Google Plays. We had some investigations several years ago where rogue wireless access points that were not easily detected were within scope. We needed to connect to those and get the logs off them to do our investigation. One of the main obstacles now I believe, is the speed at which these IoT devices are coming to market. There’s not a very forensic manner in which you can get data from some of these things that are just so brand new. The tools have to catch up to the tech. How does that affect our investigations? Again, we must make sure that we fully understand these devices and can work with them effectively. For example, Alexa in the case of law enforcement, can you retrieve the voice recordings? If you’re looking at an insurance claims issue and a Fitbit is within scope, are you able to defensibly work with any route data? There were cases years ago where the military would pretty much say to folks, “No, you cannot wear a Fitbit, when you’re in a certain country during certain deployments.” The reason being that they were publishing their Fitbit workouts to a publicly viewable space. And then when somebody looks at the geolocation of this data, and it’s in the middle of the desert, these six guys running in a square in the middle of the desert.
Matt: Identifying Area 51 with a Fitbit!
Kevin: The point being that you really must understand the devices themselves, the data generated and maintained, and how this data can be relevant to an investigation.
Matt: You wonder how much people really know when they buy these devices. Are they opening themselves up to more threats and more avenues of attack? When Debbie Reynolds and I spoke, the case came up where some bad actors hacked a casino through a fish tank thermostat and stole a bunch of high roller information. It is readily apparent that these types of devices do open you up to more threats, which just means that as an investigator, the landscape of devices for which you have to account is just exploding.
Kevin: That can be a good thing too. More devices can lead you to more evidence. They can lead you down avenues that you might not have thought of before.
Matt: That’s a good point. As the devices proliferate, there might be more avenues for threats, but there are also less places for threat actors to hide.
Kevin, if I could, let’s move from IoT to another trending technology topic, which is artificial intelligence. AI is advancing at a mind-boggling pace. It’s hard to really understand just how transformative artificial intelligence is currently in our lives, but it’s even harder to predict how much it will impact our future. Layer on top of that, a very interesting topic – quantum computing – which is something that we won’t really get into here. I’ve been studying a lot about quantum computing recently, and the sheer amount of computing power that has emerged on the horizon is absolutely insane. Back in 2019, Google declared quantum supremacy, stating that their Sycamore processor could perform a calculation in 200 seconds that would take the world’s most powerful supercomputer, at the time, 10,000 years to complete. And now you see this whole quantum supremacy war going back and forth between IBM, Honeywell, Google and these different companies. It is troubling to consider what could happen if bad actors gained access to this type of technology. What this could pose to the average individual, to corporate America, the corporate world, if you will, with regards to a hacker’s ability to engage in brute force attacks, and just increase their ability to hack systems, is scary to even contemplate. So just a few questions on AI. How can an investigative team leverage AI to conduct an internal investigation? Have you seen artificial intelligence being used to engage in an investigative effort?
Kevin: For some of the internal investigations, companies that have a mature insider threat capability and cybersecurity capability, they can use some of the behavioral analytics internally on traffic and then aggregate all of these logs to almost paint a picture of the threat before it even happens. So internally at some organizations there is AI being used where simply based on a user’s activity, be it within or outside the normal scope of their job, or the normal times that they work, they can identify folks that could potentially be a risk.
Matt: Like Minority Report!
ESI-SG: Though it should be noted that we are probably a bit further off than we might like to be from having a Department of PreCrime!
Kevin: Yeah. Looking at the flip side, like you mentioned, with an adversary having access to these types of powerful systems, you’re talking nation states, who’s not to say that some foreign country isn’t already using or planning to use some of this type of technology to initiate a brute force attack, or to try to break encryption, or to just otherwise gain access to other networks?
Matt: We could easily spend an entire hour each on the topics of Internet of Things and artificial intelligence in the context of investigations. But Kevin, as our discussion comes to a close, could you give me your top two survival tips that are not education, because I know that we’ve touched on that a lot and it’s probably the most important one. That’s the banner survival tip, and we will include some materials in the piece, but give me your top two survival tips related to corporate internal investigations. And then, could you offer up two tips related to an individual addressing cyber threats? We like to get really granular here on The Guide, so feel free to be as hyperspecific as possible, even if your tips are very focused and not necessarily generally applicable.
Kevin: Sure. I would say the top two things for internal investigations are:
First, you want to have relationships with your legal department, your PR and communications folks, and also with all of your IT systems personnel and administrators. You need to have that Rolodex, so to speak, where you can engage your whole team at any time. This will help you get the proper logs and access in order for you to investigate an incident properly.
SURVIVAL TIP! Build relationships across your organization internally.
Second, hire good people and ensure that they’ve got the proper training. Then instill in your team a work ethic centered around protecting the organization and that these types of investigations are important. That’s paramount as well.
SURVIVAL TIP! Hire good people, train them well and create a company culture of wanting to protect the organization.
Matt: What about your top two tips for an individual who might be facing this black hole of cyber threats? What can I do as an individual, practically, to try and protect myself against some of these threats?
Kevin: I would say click on every link that I send!
Matt: Only use public Wi-Fi!
Kevin: Basically, it is important to keep up on the trends, keeping up with the current topics and being incredibly mindful of what you’re doing and where you are. The issues related to using public Wi-Fi are huge. Don’t go thinking that every power station where you plug in your phone is there to just charge your phone and that they’re trying to be nice.
SURVIVAL TIP! Be wary of charging your phone at public charging stations. “Juice jacking” is a type of cyberattack where hackers use a USB port to install malware on a device or steal data. When out in public, especially at the airport, bring a portable charger or use your laptop to charge your device.
Matt: I’ve never used a public charging port at the airport. But a long time ago, in a galaxy far, far away…I have used one of those public charging lockers. It was actually a club in NYC, so same thing, but yes, that hits close to home for me.
To pivot, where do you get information to stay on top of the trends and current topics? I read Wired Magazine, I’m on CNET.com a lot. Do you have any places you can recommend for us to go and get educated?
Kevin: Wired, CNET.com are good. I read The Hacker News (https://thehackernews.com/). There are different websites that generally talk about ransomware and maybe some of the different companies that are getting hit. Many of the major news outlets will have their own tech sections, though they’ll be watered down a little bit. There are so many great resources out there. I can certainly send you some that you can post that I follow.
Matt: There are a couple of podcasts that I found in doing research for our discussion that are good, including The Shared Security Podcast and Darknet Diaries, among others (such as Doug Brush’s podcast mentioned below), but yes, any resources that you have Kevin, that you could give us to post for our readers/viewers would be most helpful!
ESI-SG: Below are the resources that Kevin recommended to the ESI Survival Guide community during our discussion:
https://www.dni.gov/index.php/ncsc-newsroom
https://www.cdse.edu/resources/case-studies/cases.html
https://thehackernews.com/
https://www.infosecurity-magazine.com/news/
https://www.scmagazine.com/home/security-news/
https://threatpost.com/
https://www.forensicfocus.com/
https://www.wired.com/tag/cybersecurity/
ESI-SG: Kevin and I then go into a bit of a light-hearted shout-out to our friend Doug Brush. Doug is the Global Security Leadership Advisor for Splunk and the founder and host of the Cyber Security Interviews podcast. Douglas is an information security executive with over 30 years of entrepreneurship and professional technology experience who has conducted hundreds of investigations and is truly a cyber security missionary and CISO whisperer. We also like to bust his chops every once in a while (or at least whenever we have the chance!). In all seriousness, Doug Brush is someone to have on your radar in the cybersecurity space. You can connect with him on LinkedIn here – https://www.linkedin.com/in/douglasabrush/.
Kevin: There’s this guy…ummm…his name is Doug Birch, or…I don’t know – Doug…uhhh…one in the hand, two in the Brush…I don’t know.
Matt: Shout out to our friend Doug Brush. And that reminds me, I should probably have Doug on The Guide for an interview. There are a lot of topics that we could talk about on the other side of this issue. Maybe how to actually hack into a particular system!
But Kevin, I’m sure at this point both of us have to get back to Dad Duty. Are there any final thoughts that you’d like to give The ESI Survival Guide readers/viewers?
Kevin: Everyone just keep tuning into The Survival Guide. I’m sure there’s going to be a lot of great content and a lot of folks that Matt knows that he’s gonna have on his podcast here to interview. I think there’s a lot of great stuff coming up.
Matt: Thanks again for joining us, Kevin. And again, if you like the content, please let us know. Send us a comment, like, share or subscribe.
ESI-SG: We cannot thank Kevin Treuberg enough for joining us in this discussion and look forward to having him back on for a future episode! If you missed Part 1, you can check it out here.
Whether you watched the full video, viewed the snippets or read the blog, we cannot thank you enough for your support and interest!
This is Matt from ESI Survival Guide telling you to please…Stay safe out there in the electronic wilderness. See you next time!