Meet Neumann Lim, Director of Digital Forensics and Incident Response at ISA Cybersecurity.
In this in-depth interview, we hear about his real-life insights from the front lines of the fight against malware, key parts of a cybersecurity home lab, important business insights, indispensable tips for improving your cyber skills, and much more.
This is the first in a series of in-depth interviews with key personnel at ISA Cybersecurity and our cybersecurity ecosystem of partners. Check out the sneak peek below.
Thanks for taking your time out of your busy schedule today. Could you tell us a bit about who Neumann Lim is? And about your role at ISA Cybersecurity?
Certainly. I am the Director of Digital Forensics and Incident Response at ISA. I lead the practice, and I work closely with our clients, especially during times of crisis. My team and I help them to deal with some very, very painful incidents. And hopefully, with the help of my team, we can solve their problems and bring them back to normal operations.
You’ve really had a fascinating career with a variety of different firms. As you now approach your first anniversary with ISA, tell us what makes this such an interesting part of your journey.
Cybersecurity itself is a very interesting field and, as we all know, it’s also a very wide field. That’s one of the things that makes ISA a fantastic company for me. It offers many, many services that cover almost every cybersecurity discipline. So, for me, this is an interesting part of my journey because I’m not just dealing with one specific field. The company allows me to take a look at all of the different aspects of cybersecurity. If you look at my employment history, you’ll see that I started out with a background in programming. Then I went into hardware engineering at one point, working with networking devices, and then I moved into the digital forensics field. It really is, like you said, a journey. As I have transitioned into this director role, I have been able to broaden my skill set. I think to be a successful incident responder, you need to have knowledge in a lot of different parts of cybersecurity, to be able to know what is normal, and to know when things are bad.
You highlighted your background in programming. How has that in particular helped you in your role with incident response and forensics?
When you look at the key areas for incident response, speed is the key. Many times we’ve seen malware spreading incredibly quickly, so the faster you respond to things, the faster you can contain the problem. With my programming background, I find that I am better equipped to script and automate a lot of the detection and containment aspects of an incident response event. It’s really, really helpful. So 100%, my programming background has helped me become a better incident responder, and a better forensics person when it comes to dealing with the more advanced threats out there in the field.
So tell us a little bit more about you. What kind of resources do you use personally to stay ahead of the game? I assume you have some kind of computer lab at home to experiment and try different things?
Oh, yeah, absolutely. I have a computer lab at home. The amount of equipment here just keeps growing every year. It definitely takes up quite a lot of space in my home office [laughs]. There are a number of key technologies here to help me learn and practice, all 100% segregated away from the rest of the home internet services that I have. It mimics a very small portion of an enterprise network. The key technologies tend to be focused around things like the ELK stack or other open source endpoint detection technologies. I use a number of others, such as osquery for that type of endpoint protection. From a threat intelligence perspective, I have a number of technologies such as MISP for mapping, and I use TheHive as a cyber security incident response platform. And then I have others that basically help with the intelligence aspect. I use YARA and Sigma rules, and I use KAPE to do the malware analysis. These are just examples of the different types of technologies that exist in my home lab.
I would say it is time-consuming to maintain all of these, though. You know, you have your nine-to-five job and then after that you spend another half day on your home technology.
I think a lot of people still have those cyber movie images of flashing lights and flickering screens, with a sweat-soaked team defending against some shadowy hacker in a hoodie working late at night. Can you tell us a little bit about what it’s like in real life working on your team?
Yes, the cyber imagery of the shadowy hacker is scary, but it’s very Hollywood. You have to understand that from our own research and from real world experience, we know that the APTs [advanced persistent threat actors] and the criminal groups are very much like us. They wear suits. They drive fancy cars. That hoodie – if they do wear one – is only because it’s convenient and comfortable. I think it’s important to debunk that lone wolf Hollywood imagery, because I want to help people understand that we’re up against like-minded professionals in our field. It is an adversarial game. It is us versus them. They have probably similar backgrounds, similar education as us. A lot of the APT groups that we deal with have members with degrees in computer science from national universities from wherever they’re from. So, like I said, it’s an adversarial game: they’re knowledgeable; we’re knowledgeable – they attack us; we defend against them.
From an operational perspective for my team, we typically run with two different types of concepts. The first we call our “blue sky” concept, which is the preparedness phase. Second, of course, is the emergency phase where we’re dealing with emergency or crisis situations.
I read a report recently that said that over half of all cyber attacks are focused on small to medium businesses. Do you see a difference in attitude towards cybersecurity between smaller businesses and larger enterprises?
I don’t think there’s a difference in attitude; I think that SMBs are at an existing disadvantage which has been exacerbated a little bit by the COVID situation. I call it a resource disadvantage, because it’s really a “people, technology, and process” resourcing challenge for the SMBs. They’re naturally at a disadvantage because they may not have a lot of those resources available… and they’re competing with large enterprises for a lot of those resources. It’s often easier for the enterprise or large organizations to defend themselves and change their security operations. In a pandemic situation, SMBs may not have those resources, and they can’t change at a moment’s notice. It takes a little bit longer for them to adapt in this particular case. So yes, there are a lot of attacks that happen at the SMB level that you don’t see at the enterprise level, and it’s mostly because of this resource disparity.
So it isn’t your perception that it’s a case of SMBs not taking cybersecurity as seriously. It’s more the size disadvantage and dearth of resources that make them disproportionately susceptible to attack.
Yes. There’s a more serious attitude, I think, because of legislation and regulatory changes in the last two years. SMBs are catching on to the fact that they are legally responsible for cyber security. Their paradigm has shifted to now understanding that cyber security is a concern overall. I see this when I engage with an SMB for an emergency. They know what they have to protect, and they know where their crown jewels are; the problem is they just don’t have the resources to protect it, or they don’t know that they’re not protecting it to the level that a larger enterprise can. Look at, for example, the CIS 20 framework [Center for Internet Security Top 20 security controls]: a lot of SMBs are at the foundation or the basic level of controls and defenses and processes, versus an enterprise that may have a budget for cybersecurity in the millions. Those bigger companies have the latest and greatest, next generation security controls; they have all of the security processes on paper, practiced and optimized to a certain extent. In contrast, the SMBs are struggling to find the time and resources to be able to get all of those together. So I think that’s really where we’re seeing sort of the difference. Otherwise, the attitude has shifted for pretty much everyone because of legislation.