Could you share your role at Ernst & Young ShinNihon LLC and its importance?
I have two main roles, leader of Forensic Technology and leader of Cyber Assurance. The former is in Forensic & Integrity Services, an organization that primarily handles fraud investigations and compliance risk response and oversees a team that uses digital forensics and other technologies for fraud investigations and other purposes.
This team has three functions:
- eDiscovery: Utilize digital forensics for fraud investigations and litigation response
- Cybersecurity: Respond to cyber incidents and analyze threat intelligence
- Forensics Data Analytics: Handle data analysis within an organization for fraud investigation and compliance monitoring
Each of these functions plays a role in enhancing operations by using technology for prevention before an incident and contingency response after an incident.
Cyber Assurance is a slightly different and unique role. The auditing firm’s main focus area is conducting accounting audits for listed companies and audits to prevent misstated financial statements from the auditee.
Traditionally, an accounting audit has dealt with the risk of misstatement due to fraud such as embezzlement and round-tripping. However, there has been a recent increase in ransomware incidents where data is damaged, and in lawsuits due to large-scale information breaches, both of which can potentially affect financial reporting, so we consider cyber risk an important risk in auditing. I am involved in assessing the sufficiency of forensic investigations, the risk of misstatements, and the security risks of the company being audited before a cyber incident occurs.
What do you and your team do to keep up with the ever-changing threats? What are the challenges you face in upskilling?
When I first started learning about digital forensics and incident response, I read blogs of prominent analysts and books about the field. Despite my strong will to succeed, reading articles, books, and blogs, while very helpful, was extremely inefficient. It wasn’t realistic for me to force my style of learning on my fellow team members, so it was important for me to find an effective and efficient way to upskill my team.
In terms of effectiveness, I wanted to implement upskill methods that involve a more practical approach that is similar to real-world experiences. As I considered upskilling methods and my experience, I concluded that SANS training was the best option, and currently I encourage my team to take the SANS courses. I also encourage the team to take the GIAC certifications whenever possible after taking a SANS course. I have two main reasons for this. One is to ensure knowledge retention. The other is, in the process of renewing the GIAC certification, continued learning is imperative and having access to the latest textbook allows individuals to continue learning and update/improve their skills.
As a forensic analyst, which courses do you recommend at SANS?
I think it depends on the scope of work in your organization. If you conduct fraud investigations or support litigation, I recommend courses such as FOR500: Windows Forensic Analysis and FOR585: Smartphone Forensic Analysis In-Depth. They focus on artifact analysis and preservation, which are necessary for digital forensic investigations.
If your main focus is on responding to cyber incidents, I recommend taking an analysis course such as FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics or FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques as a starting point. If possible, I’d follow up with SEC504: Hacker Tools, Techniques, and Incident Handling or FOR578: Cyber Threat Intelligence to learn about attackers when responding to incidents.
What is your next goal/courses you would like to take?
Since I have been dealing with many ransomware incidents recently, I would like to take FOR528: Ransomware for Incident Responders, which covers the threat actors and tactics behind ransomware as well as how to deal with them in a forensic incident response practice.
Since I do a lot of analysis on Apple devices, I am also considering getting the GIAC iOS and macOS Examiner (GIME) certification. It’s a new GIAC certification they didn’t have when I took the course.