A Day in the Life of a Security Incident Response Expert

Listen to this podcast on
iTunes, Spotify or wherever you find your favorite audio content.
In this edition of the Beyond the Perimeter Podcast, we discussed the NorthShore data breach and interviewed Reut Menashe of Tetrisponse about security incident responding. 

Breach of the Month: NorthShore Foundation

On July 22nd, NorthShore University HealthSystem announced they were part of a data security breach which potentially had affected over 348,000 people. They were informed about the breach from a company named Blackbaud, a software services provider to thousands of nonprofit fundraising entities worldwide, including NorthShore Foundation. According to Blackbaud, the breach occurred due to a ransomware attack on its systems between February 7 and May 20, during which time unauthorized individuals accessed and extracted some of Blackbaud’s client files.

NorthShore determined that patients’ full name, date of birth, contact information, admission and discharge dates and more information were accessible by the attackers. This incident was not a breach of NorthShore’s internal applications or systems; that means no patient medical records were accessed. 
In this episode, I talked to Reut Menashe to learn more about her experience as an incident response expert and how she helps companies when they experience a cyberattack.

Interest in Computers Cemented Her Career 

Like many security experts, Reut’s interest in computers started when she was young. “I loved computers when I was little. I remember playing with a computer that my parents bought me and because I was the only one who understood computers really at the time, I taught myself how to use them. This was the start and from year to year I quickly understood that I’m a self-learner. I learned a lot online over the internet with friends and when I joined the Israeli Army of course, it gave me a lot of knowledge and this is where I learned my roots.”

Despite being an early adopter for computers, she isn’t a fan of programming. “I never liked really programming, but I did learn it when I was in high school. My first computer was 386. This was the model of the processor, the CPU. We are talking about the middle of the ‘90s, maybe a little bit before the start of the ‘90s when the internet was beeping and making weird noises before you connected to the world wide web. In school, we learned assembly. This is a very hard language. It’s like a very low level. Basically, I remember I developed the calculator in this language. It’s a very basic program but it was very challenging at that time.” 

Like many security experts in Israel, Reut gained interest in cybersecurity due to her time in the Israel Defense Forces. “My service was actually the start of the era of understanding that information security is also not physical. It’s very much related to computers. So the defense methodology started to heat up in the army and I think I was one of the first to be part of information security in the defense of the Israeli Forces Army.” 

Many security experts take their knowledge from their army service and use it in their professional careers. In Reut’s case, it built her career. “I finished my service and just started to work in the industry here in Israel. I worked as an information security consultant in one of the local companies. It was a very global company named GRC and because of my skill of exploration and curiosity, I think this is something that helped me a lot to develop and to make a new skill set during these years. I love to learn. So everything that I don’t understand or I feel a little bit uncomfortable with, I have the need to go and research and to understand it. So this is one of the most important skillsets for hackers I think, curiosity. So you can’t be a good one without it.”

Life As a Security Incident Responder 

One of the more interesting jobs in the security field is being an incident responder. For Reut, her expanded skill set has helped her thrive in her job. “To work in incident response you need to collect a lot of skill sets in the tech world. You need to understand how networks work and what kind of infrastructure organizations are using and how the technology of the infrastructure is being deployed and you need to understand the operating system. Your familiarity with specific databases needs to be specific with specific technological SOC  and how developers are working. So you need to have vast experience in a lot of technological topics in order to be good incident responders. Over the years I have collected a lot of information. I gain a lot of knowledge within the technological world from the security perspective of course.”

Unlike many jobs in the tech world where you are more or less doing the same task every day, Reut’s day looks completely different every day. “Basically we will get a phone call from a company that has an issue and they don’t know how to solve it because most of the companies are not familiar with information security. They don’t know how to approach it and possibly they have like maybe a ransomware attack or maybe someone who tries to manipulate them or one of their assets is being leaked or such. There are a lot of scenarios.

When I meet with a company that I have no familiarity with, I don’t know how they’re working. I don’t know what kind of technology they have. I have to learn this very fast and to understand how I’m going to contain the incident and to make the attacker go away and mitigate and minimize the reason that the attacker put into this company’s life. You need to be very experienced in order to tackle and to handle an attacker that knows exactly what they are doing most of the time.”

To understand the attacker’s mindset, Reut uses her love for security and expertise to understand how a company was attacked. “I bring my expertise and my passion together in order to help those companies to go back to their day-to-day job and this is the main goal.”

No One is Truly Secure

When asked what steps businesses should take to be more prepared for attacks, Reut recommends that businesses need to know they are never completely secure. “You need to understand that you need to do something before the attack is happening. There isn’t a company that is always safe, there is no such thing. Everyone is hackable, if you understand this, this is a good approach. You can say to yourself, “Oh, I don’t have anything interesting. Why are the hackers going to come to me? It’s not true. Hackers have a lot of scenarios that they can exploit in order to make them grow and make them prosper. So it doesn’t matter if you are dealing with highly classified information or with money or with the information that it’s not classified at all. Hackers are going to come everywhere where they can make benefit from. So this is the first thing to understand.”

Reut highlights the importance of security posture can be another layer of defense versus attackers. “Second thing to understand and when you know that you need to be prepared, you need to understand what your security posture is. What are the threats that your company is going to deal with? Not every company has the same threat, of course. You need to analyze the threats and think about what I am protecting from. What I’m protecting inside the company. What do I want to gain in order to protect the company? When you start thinking like this, this is already a step forward into more mature information security because you engage within a company, internally and externally. You start initiating the process and you start making things happen.”

Importance of Security Communities 

Security experts love to share their expertise for the better good, according to the Reut security communities is a great place to learn more. “I’m part of two communities, BSides TLV and Leading Cyber Ladies. I think communities especially in the COVID-19 era are something that we should very much try to be part of our life. If you join a community, it doesn’t matter which community. We’re talking about information security and cyber communities of course. It’s a place where you can gain knowledge. It’s a place where you can meet new people and you can listen to new approaches to understand what’s going on in other people’s industries and cyber worlds. So this is a good place where you can start in order to gain more knowledge and to be more familiar with the – what’s going on in the cyber world community.” 

Other than being part of a security community, Reut has co-founded different communities. “Maybe you can run your own communities if you find something that you feel very passionate about, and this is what happened to me with BSidesTLV, which is the biggest hackers community in Israel and Leading Cyber Ladies, which is a community that started in 2015 and that established the community here in Tel Aviv and I joined two years later and we start to be global. Sivan Tehila opened a New York chapter of Leading Cyber Ladies. We’re willing to open more communities, more in other locations in the world. 

So this is something I’m very passionate about, to bring more women into the industry and help them to be – to stay in the community, right? It’s not only to start in the community. You need to keep yourself in the community as well. So this is something I’m really passionate about and I learn a lot because I meet a lot of new people that teach me all the time.”

To hear the entire interview with Reut please listen to the full podcast here. You can follow Reut on Twitter@Reutooo. If you’re in need of incident response, you can reach out to Reut by email at [email protected]
If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.