With a keen interest in both computers and investigative work and a passion for teaching those around him, Josh Lemon is perfectly fit for his cybersecurity and incident response job and his role as a SANS instructor. In the years before cybersecurity roles were the norm, Josh started out building, managing, and securing large, complex computer networks and software systems. He worked in various fields providing incident response, digital forensics, and penetration testing services to government, law enforcement, and the commercial sector before eventually taking on a full-time incident response role. "I took the chance and never looked back," he says.
Before his current role, Josh was a Managing Director at Ankura, leading Ankura's APAC Digital Forensics and Incident Response practice where he assisted government and commercial clients with investigating sophisticated compromises, maturing their cyber defence and response programs and threat hunting for malicious adversaries. Josh has also been a Director at Salesforce.com in their international Salesforce Security Response Centre (SSRC). He led the Strategic Response and Research Unit responsible for looking at new cutting-edge techniques for incident response at scale. He was also the CSIRT Manager for the Commonwealth Bank of Australia, where he built a team of advanced responders that investigated malicious security incidents for local and international operations. Before that, he worked as a Managing Consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, including overseeing large and complex incident response and offensive security engagements.
Josh stays busy co-authoring two SANS courses: the FOR509: Enterprise Cloud Forensics and Incident Response course, and the SANS DFIR NetWars content. When he's not busy writing content, he also teaches both the classes he has co-authored, along with the FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response classes. He also currently serves as an Advisory Board Member to Cydarm Technologies, a young Australian company making collaboration for incident response easier.
Josh says that even with all the different roles he's held, every job has included a component of teaching others. Josh's teaching skills are so evident that a former manager and SANS principal instructor encouraged him to explore an instructor role after observing Josh teaching his clients during his time as a consultant.
The SANS curriculum is a perfect fit from Josh's perspective. "One of the reasons I enjoy teaching for SANS is their DFIR courses are continually updated and tuned to include the most current techniques seen in the wild," says Josh. "I always want to make sure my students are armed with the most up-to-date information to uncover attacks and be able to investigate them efficiently." When it comes to developing and authoring classes, Josh says, "Having spent time teaching for SANS, I'm incredibly excited to be able to author content and have input into the skills that students learn." Josh goes on to say, "Being able to share what I've learnt in the field and know that students can take those techniques to catch threat actors is incredibly rewarding."
In the classroom, Josh sees the extensive amount of highly technical information students must consume over the span of only six days as the biggest challenge for his students. "It can be overwhelming for new students and seasoned professionals alike," he says. To address this, Josh keeps students focused on the elements they can start using as soon as class ends. "I always leave students with more information to read in the future and encourage them to start keeping a file of 'interesting things to read about later,'" he says.
In addition to his work with students, a highlight of Josh's career has been seeing his cases in court. "While the results of court cases are always different, being able to find enough evidence to successfully determine who the malicious actor is behind the keyboard and see law enforcement carry out their work has been a huge highlight for me," says Josh. "It's rare that DFIR professionals ever get to put a face to someone conducting malicious activity, however, finally seeing a criminal in court or law enforcement carry out a warrant brings a large sense of closure to an investigation you've worked hard on."
Josh also has a deep interest in operational efficiency for teams and is continually working to understand how to improve the work environment for DFIR professionals. "The challenges and stresses of doing DFIR work are fairly unique, and that's usually why we see DFIR professionals only spend approximately two years at the coal face of chasing malicious actors around networks," he says. "Understanding how to make that environment better for our industry has been an interest of mine ever since I started managing teams of people."
Josh's current work on tools, technologies, techniques, and automating IR processes has allowed him to see IR and SOC teams become more efficient, motivated, and focused on their operational IR work, rather than trying to struggle with tools that aren't well suited to DFIR work.
Josh maintains an infosec blog, https://blog.joshlemon.com.au/, and holds several certifications, including GCFA, GCIH, GNFA, GPEN, GDAT, GPYC, and GREM.
When he's not helping his clients, students, or chasing malicious actors around a computer network, Josh stays busy in his role as Dad, spending time with his son and close family.
- Director of Managed Detection and Response for Uptycs
- Independent Digital Forensics and Incident Response Expert
- Advisory Board Member to Cydarm Technologies
- Advisor to BSides Sydney
- Co-Author for FOR509: Enterprise Cloud Forensics and Incident Response course
- Co-Author for SANS DFIR NetWars
- Instructor for FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- Instructor for FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Network Forensic Analyst (GNFA)
- GIAC Certified Penetration Tester (GPEN)
- GIAC Defending Advanced Threats (GDAT)
- GIAC Python Coder (GPYC)
- GIAC Reverse Engineering Malware (GREM)
ADDITIONAL CONTRIBUTIONS BY JOSH LEMON:
Read Josh's infosec ramblings at https://blog.joshlemon.com.au/.