If your organization has ever faced a serious cybersecurity incident, you know how important it is to be in expert hands in that moment. When fearing the worst, you need to be sure that the people handling your investigation have the experience and training to know exactly what to look for, and exactly what steps to take. In many cases, it is a high-stakes race to uncover information, using the digital traces left behind by bad actors to determine where they came in, how far the incident reached, what was compromised, and what other damage you stand to incur as a result. You need someone who has not only engineered their way through countless technical scenarios and is intimately familiar with a wide variety of environments, but who also knows how to find and follow the trail a criminal leaves. It takes a particular kind of person to hunt down the clues that remain and piece together what actually transpired. Kerry McQuarrie has become one such expert at True Digital Security, joining a team of renowned IR veterans including Scott Williamson and Michael Oglesby.
Joining TRUE nearly a year ago, already set apart by 20 years of industry experience in senior-level information technology engineering and directorship roles, Kerry has continued to pursue new levels of expertise as an Incident Response specialist. Recently (pre-quarantine), she attended the six-day SANS FOR500 Windows Forensic Analysis course. In this course, would-be investigators work through a series of hands-on laboratory exercises that build in-depth digital forensics knowledge of the Windows operating system, the most widely used desktop and laptop OS in the world, and learn the many places Windows quietly records artifacts across its technologies, applications, and platforms. The curriculum covers the techniques criminals use and how to find the evidence they leave: media exploitation, artifact and evidence location, program execution, file access, data theft, external device usage, geolocation, file downloads, detailed system usage, and even the anti-forensic tools attackers may use to cover their tracks. In short, if it happened on a Windows machine and left an artifact behind, Kerry knows where to look for it.
The first five days of the course explored an insider trading scenario, where analysts had to identify and track the clues the insider left behind, following the digital breadcrumbs to build a solid case for exactly what happened. Scenarios like this one, where an insider has become the threat, make excellent training cases: not only do they happen often, they can be devastating and legally cumbersome for a company. Every detail matters. For this exercise, analysts were given only a laptop from which to reconstruct the entire crime, including any co-conspirators, and they learned all the hidden places to look, even recovering information that had been deleted. They leveraged the employee's browser history and registry settings; the history of USB devices that had been plugged in; who he was talking to in chats and logs; what kinds of information he accessed on the network; evidence of file encryption, which they identified and then decrypted; files he had attempted to wipe; and evidence of exfiltrated data. The historical USB activity was correlated with the files he accessed on the corporate SharePoint. They even identified which coffee shop he had visited in an effort to keep a file and machine cleanup session off the corporate network, as well as the RDP session he managed to open from another machine after being let go.
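One of the USB artifacts the course teaches is the SetupAPI device-install log (C:\Windows\INF\setupapi.dev.log), which records the first time a given USB mass-storage device was ever connected to the machine. The script below is an added example, not part of the original article or of SANS course material: it parses the USBSTOR "Device Install" sections from a constructed log sample into a list of devices with their first-install timestamps, and then answers the correlation question from the scenario above (which removable devices were first connected inside a window of suspicious file access). The sample lines are constructed to match the real log format; the vendor names, serial numbers and timestamps are invented.

```python
import re
from datetime import datetime

# Constructed sample of the lines a SetupAPI device-install section produces
# in setupapi.dev.log. A real file has many more lines between "Section start"
# and "Section end"; only the header and start lines matter here.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230905101234&0]
>>>  Section start 2020/02/10 09:14:22.123
     dvi: {Build Driver List} 09:14:22.140
<<<  Section end 2020/02/10 09:14:25.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\6&1a2b3c4d&0&2]
>>>  Section start 2020/02/11 13:02:07.001
<<<  Section end 2020/02/11 13:02:08.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\E0D55EA5738C&0]
>>>  Section start 2020/02/12 18:41:03.777
<<<  Section end 2020/02/12 18:41:05.010
<<<  [Exit status: SUCCESS]
"""

# Header of a mass-storage (USBSTOR) install section; the instance ID encodes
# vendor, product, firmware revision and the device serial number.
HEADER_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - "
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\"
    r"(?P<serial>[^&\]]+)&\d+\]\s*$"
)
# The "Section start" line carries the install timestamp (host local time).
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+")


def parse_usbstor_installs(log_text):
    """Return one record per USBSTOR device, keyed by serial, oldest install first.

    A device that shows up in several install sections (driver re-install) keeps
    its earliest timestamp, because that is the first time it touched the box.
    """
    by_serial = {}
    current = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "vendor": header.group("vendor"),
                "product": header.group("product").replace("_", " "),
                "revision": header.group("rev"),
                "serial": header.group("serial"),
                "first_install": None,
            }
            continue
        if current is None:
            continue  # not inside a USBSTOR section (other device classes are skipped)
        start = START_RE.match(line)
        if start:
            current["first_install"] = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S")
            prev = by_serial.get(current["serial"])
            if prev is None or current["first_install"] < prev["first_install"]:
                by_serial[current["serial"]] = current
            current = None
    return sorted(by_serial.values(), key=lambda r: r["first_install"])


def installs_between(records, start_iso, end_iso):
    """Devices first connected within [start, end]; ISO-8601 strings, local time."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [r for r in records if start <= r["first_install"] <= end]


if __name__ == "__main__":
    devices = parse_usbstor_installs(SAMPLE_LOG)
    for d in devices:
        print(f'{d["first_install"].isoformat()}  {d["vendor"]} {d["product"]}  S/N {d["serial"]}')
    # Window of suspicious SharePoint access in a hypothetical case
    for d in installs_between(devices, "2020-02-12T18:00:00", "2020-02-12T19:00:00"):
        print("first connected during the window:", d["serial"])
```

Two caveats a practitioner would apply before relying on this output: the timestamps are in the host's local time zone, not UTC, so normalize them before merging with event logs or browser history; and setupapi.dev.log only records the first installation of a device. Later insertions and removals have to come from the registry (the LastArrivalDate and LastRemovalDate properties stored under the device instance's Properties key in the SYSTEM hive, which is readable only as SYSTEM or from an offline hive copy) and from the Windows event logs. Older entries may also have been rotated into setupapi.dev.YYYYMMDD_HHMMSS.log files in the same directory.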
Once the class had solved this crime and gained the skills needed to perform a thorough forensic investigation, they were given the final challenge: a missing teenager and possible victim of a kidnapping. Thankfully this scenario was not real, but it is a reminder of how serious the crimes behind a forensic case can be, how important it is to gather evidence as quickly and thoroughly as possible, and how much depends on being able to find and correctly correlate all the evidence left behind.
For this case, analysts were split into teams and asked to track down the missing teenager with nothing but access to her school laptop, and to do it within four hours. From the laptop, every team was able to compile a timeline of what happened, determining where the teen had gone, who she was with, her reason for leaving, and the key events leading up to the kidnapping. However, only one team, McQuarrie's, found enough evidence to charge an adult perpetrator with the kidnapping. So how does one win the competition?
Kerry found the password-cracking utilities that the teen's teacher, in the scenario, had installed on her machine when she met him for help on an assignment. With that malware he had been able to track her whereabouts through the laptop, since it was synced to her phone, and that finding gave the police enough evidence to charge him with the crime.
In the end, McQuarrie walked away as the forensics winner of the entire course, voted champion by her fellow analysts. This is no surprise to us at TRUE: from the moment she came on board, we have known her to be not only a superior critical thinker and doer, but a thought leader. Kerry is indicative of the caliber of people we hire at TRUE and of the investment we put into our teams. TRUE is not only supportive of, but dedicated to, individual success, because ultimately it is the TRUE mindshare that drives our clients' success.
In the words of Dominic Shulte, President of True Digital Security, “We are incredibly proud of (though admittedly unsurprised by) Kerry’s accomplishments, as they represent what we have come to expect from her and the rest of our team. With the pace of change in our industry, we consider training like what Kerry just completed as non-negotiable for all of our consultants, analysts, and engineers. We celebrate Kerry's success and are excited to see her growth spread across our team through knowledge sharing that will ultimately benefit our clients and ensure they receive the cutting-edge service that led them to us in the first place.”
Know that when you come to TRUE for help, you are in good hands. Our deep bench of experts becomes an extension of your team: they are in your corner and have the specialized knowledge to help solve your problems.