Bringing Government Experience to Financial Services Security

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 82 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Joining us today is Derrick Pendleton. He’s a senior digital forensic incident response analyst at Legg Mason in Baltimore. He shares his experience cutting his teeth on security within the federal government, the specific benefits he believes that environment provided, and how he’s brought those skills to his work protecting the employees, partners, and customers of Legg Mason, one of the largest asset management firms in the world.

We’ll get his take on threat intelligence and incident response, as well as his words of wisdom for folks looking to get a start in the security business. Stay with us.

Derrick Pendleton:

It all boiled down to my experience within the government. Before the government, I had information technology jobs where I would do network support, but I would say the foundational piece came from the government. Being able to learn from leadership there was just an experience in itself. It was all security, and the best thing about the government is that they’re actually receiving all different types of attacks, which I think is a bit different from other organizations. That’s where it all began for me.

Dave Bittner:

And where, specifically, were you within the government?

Derrick Pendleton:

At the National Computer Center for the Social Security Administration.

Dave Bittner:

So, can you take us through some of the tasks that you dealt with there, working with social security?

Derrick Pendleton:

My first role was as a intrusion analyst, in a learning role — entry level — where it’s basically eyes on glass and just getting used to threats and attacks taking place, and being able to visualize it and understand what’s taking place in regards to that attack. From there, I think the curiosity is spawning, whereas you become interested in how these attacks are actually taking place. So not only looking at it from an eyes-on-glass perspective, but being able to understand the attacks, as you go through so many attacks, and seeing the different techniques that are actually being executed within the network. And then, just working with senior analysts as well. Being able to go back and forth with them, because I think that also plays a big role in security.

Just having fresh eyes and being able to forecast the attack together in a way that makes sense from different perspectives, but also collaborating. Collaborating is huge, working with and learning from others, as well. Coming from an intrusion analyst role and then going into a mediation role, as another part of an incident response process where you’re eradicating, but also a more in-depth analysis on the actual attack. Getting more into the weeds of things, I would say.

Dave Bittner:

Can you tell us who is coming after the data that the Social Security Administration holds?

Derrick Pendleton:

As far as attribution goes, I think, for the most part, it was nation-state, but also threat actors or adversaries who are financially motivated in regards to government-sensitive data. Social security was huge, or is still huge, just in regards to identity theft. So social security and personally identifiable information is huge in regards to certain account takeovers, as well as identity thefts, which happen every single day.

Dave Bittner:

Now, you mentioned that this was a good place for you to learn and come up through the ranks. What was the environment like there? What sort of leadership style do they have in place?

Derrick Pendleton:

I would say, from my perspective, from entry level, it was intense. Very scary. Not wanting to make any types of mistakes in my first week. The process and their actual framework for spinning up an analyst in the right way was definitely the best way I’ve ever seen it, which I’ve heard about government agencies and the way they do things. So, very good in regards to execution and just taking it step by step in a way that is more digestible. So the very first day, we would just work on, maybe, denial-of-service attacks. Being able to see the differences between denial-of-service attacks, but then also being able to work with the firewall team and to see what they see, and then being able to give the information that is needed in order to implement certain blocks.

And then also, throughout that whole training process, just going through different attacks and going through different playbooks in regards to being able to identify those attacks. And seeing — going by those playbooks and by that actual framework — what are the next steps. So it became a repetitive process in a way that if you see a certain attack, you already are able to identify what’s going on and what needs to be done in order to eradicate the actual issue.

Dave Bittner:

It’s interesting to me because it strikes me that a government agency like Social Security, they have a different mandate than someone in the private sector. They’re not profit driven. Obviously, they have an important mission to society. And so, I wonder, does that make it so that working there, there’s a different pace? Do they have the time to take you down a path without that pressure of having a profit motive?

Derrick Pendleton:

Yeah, it’s interesting that you say that because that’s so very true. I worked in a place where things are being quantified in regards to the events that you are under investigation for and what you actually produce in a certain amount of time. So within the government, it is focused on execution and making sure that our write-ups for those investigations, and our analysis within those investigations, are the best that they possibly can be because those write-ups, at the end of the day, when we leave work, we leave that for the next analyst to interpret. And then, that goes up the chain in regards to the remediation team, as well as to the engineers so that they can implement whatever different blocks within the security controls. So I think it’s imperative that those write-ups are of a certain quality. I think the government definitely has a great framework in regards to spinning up analysts, for sure.

Dave Bittner:

So you decide to move on, to take an opportunity at Legg Mason. What prompted you to make that move?

Derrick Pendleton:

Just new challenges. And for me, to be in security was, I would say, a dream. Just being able to be in security was something that I never thought of. I thought that that would be the ultimate end goal for me. Just to be in information technology was a huge step, just because there’s so many different aspects of information technology that one should know in regards to the networking, down to the server-level type of maintenance that needs to go on, and system administration that takes place. And I just felt like security was the “end-all, be-all,” so just to be within the government and being able to take on different challenges. I felt that it was time for a change, but also new challenges and working in different infrastructures and different environments.

Because being in the government, you do see a lot, but then also being out in the private sector, you’re going to see different things. So in the financial sector, you’re definitely going to see different types of attacks — more prone to financial data, in regards to those malicious payloads, like malware for commodity purposes. Just being able to take on those types of new challenges was huge for me, and then just knowing that the government had a lot of tools within their arsenal. Some private companies don’t always have that, so a lot of ingenuity comes into play, which makes for a great challenge for me.

Dave Bittner:

Was there a bit of a culture shift going from government to the private sector, for you?

Derrick Pendleton:

Sure, yeah. Just seeing windows was something for me. Coming from security operation SCIFs, and those types of environments where you don’t get to see the sun or what’s going on outside … When I came to Mason, there’s windows there. And of course, that changed, but just to see windows was a different aspect. But then also, just the process as well. Within the government, there’s tons of policies and guidelines that makes a little bit of certain changes take longer than most, but within the private sector, you can see the landscape of the business and you’re more exposed to different departments easily. And so, I think that’s one of the differences as well.

Dave Bittner:

So, let’s dig into what your day to day is like. You are a senior digital forensic incident response analyst. That’s a lot of words strung together. What does it mean? What are you actually up to, day to day?

Derrick Pendleton:

Yeah, so, I have the pleasure to be a part of investigations from initial access, all the way down to post-activity for lessons learned. Being within the government, there were so many different realms of incident response, but when you come into the private sector, there’s sometimes not as much staff within the cyber team. So it calls for more duties to take upon yourself. So, of course, my day to day is indicative of what is being thrown at me at that time. Just being a part of different investigations, different phishing, all phishing attempts toward the actual enterprise. But then also, working with cyber threat intelligence, making sure that we are focusing our areas of interest in the right type of way instead of looking at it in a bigger picture, or a much broader picture. We’re scoping that and parsing it into a more digestible piece of information relative to our technology stack that we have in house. The things that are important to us.

Dave Bittner:

So how do you handle threat intelligence? How do you ingest it, and how do you make it actionable?

Derrick Pendleton:

Within our threat intelligence platform, we focus on our specific areas of interest. Because as a whole, I guess, in the beginning of our threat intelligence, we were focused on a lot of threat feeds and just filtering those though our SIEM and making those actionable. Correlating that data along with the data that we have coming in from other controls within our SIEM. But then, also making it actionable, making it a more rapid response so that our leadership can make a better-informed decision … I think that is the key in regards to any investigation that we do, is that we deliver the best possible information with the highest quality so that our leadership can make informed decisions in a much better pace of time. Just because we are always against time in regards to certain compromises or different types of breaches.

So, focusing on that is huge and in scoping it down to a point where we are only focused on what we actually need to be focused on. Before, we were very focused on all of our Twitter feeds and focused on a lot of different security researchers out there. Vulnerability researchers, malware researchers, and just taking all of that information in and making sure that we comb all through it. But by having Recorded Future as our platform, we are actually able to parse out all the noise a little bit and make it more sound, into where we’ll focus more on the areas of interest that we have.

Dave Bittner:

You mentioned being able to communicate with other people in your organization, and I’m curious if you can take us through what that journey has been like for you. I mean, I can think you must have gone through learning all the technical sides of things, but your communication skills must have improved along the way as well.

Derrick Pendleton:

They have. And that’s not by choice, but yeah. Being exposed to more of the users. I mean, even this year, I’ve realized the connection in a great way that, for our users in regards to phishing attempts, and how we can better that effort in regards to educating our users and making sure that somehow, some way, we develop an intuition when they do reply to emails or even open up their inbox into phishing attempts. And so, even with those types of efforts, making sure we reach out to those users and talk to them in a way that they can actually understand. That’s where I have grown — where I would talk a lot of tech, but then, I would need to dial it down so that it would make sense for the user in a way that they were actually able to understand.

So this year, we created a new website within our company so that we are gamifying the actual effort for users to inform us of phishing attempts. Because, in regards to email gateways, there’s no tool that will protect against all phishing attempts, right? We want to drive home the gamification of that effort so that users become interested. This year, I’ve focused a lot on studying or realizing the different brain activities for users and how, from within the holiday months, all the way to summer months, how the brain works. How, within the holidays, a lot of users are very joyful and want to help and want to assist, when sometimes they might not feel like it.

But during the holiday months, they are more inclined to. They are focused on their family members. They are focused on seeing their family, but they are also focused on getting out of the office early. The sun goes down a little earlier in Baltimore. And the within the summer months, you have users who are focused on their PTO, their vacations. You know, the sun stays out longer, so they’re trying to get out before the sun goes down and enjoy that.

Dave Bittner:

They’re looking out all those windows that you have.

Derrick Pendleton:

Right? And that beautiful view. So, just understanding, from a user’s perspective, what they’re going through. And then, like I said, gamifying it to where they can enjoy it and give feedback, and say thank you for submitting that. As a cyber informer, we appreciate that, because that attack was geared toward carving out your user credentials, or maybe your financial data, or your browser data. So just making them a part of it is huge for us. And then, just being in those realms and talking to users. Because before, in a lot of my IT roles, I didn’t have to do so much user interaction. Now, we’re branching out a little bit more so that we can protect the company at a better level.

Dave Bittner:

What are your recommendations for folks who are coming up into the cybersecurity world? Someone who’s in school, who’s looking to start a career. Do you have any words of wisdom?

Derrick Pendleton:

Yeah, yeah. I would just say, read. I would just say, read as much as you can. I would say get into as many meetup groups as you can. And just because you don’t understand it now doesn’t mean you won’t understand it later. When I was in the government, one of my supervisors told me — demanded — that I get a Twitter account. I don’t have any type of social media accounts, so getting a Twitter was huge for me. And just focusing. She mentioned to focus. And then, I’ve learned so much just through all the people and all the leaders and what they’re giving out to the community. Because — and that’s another thing — this is just one community, and I feel like the sharing of it is huge and there’s so much to gain from it, you know?

There’s so many conferences to go to. And I feel that, when I was younger, it was very intimidating and just because you don’t understand something, you didn’t want to take part. But I feel as if, if you don’t know something about, that should make you spring up a little bit more into wanting to know. So, just following researchers are great and reading different write-ups on different attacks and different techniques is huge, And that’s the thing. I would say, within the government, I was reading articles that I didn’t understand everything within the article, but later on in time, the dots do connect. And I feel like that happens as long as you stay consistent with it. So I think that’s huge to just keep reading.

Dave Bittner:

Our thanks to Derrick Pendleton from Legg Mason for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show, and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.