With a keen interest in both computers and investigative work, and a passion for teaching those around him, Josh Lemon is a perfect fit for his job in cybersecurity and incident response and his role as a SANS instructor. In the years before cybersecurity roles were the norm, Josh started out building, managing, and securing large, complex computer networks and software systems. He worked in a variety of fields providing incident response, digital forensics, and penetration testing services to government, law enforcement, and the commercial sector before eventually taking on a full-time incident response role. "I took the chance and never looked back," he says.
Before his current role at Ankura, Josh was a Director at Salesforce.com in its international Salesforce Security Response Centre (SSRC), where he led the Strategic Response and Research Unit, which was responsible for finding new, cutting-edge ways to approach incident response at scale. He was also the CSIRT Manager for the Commonwealth Bank of Australia, where he built a team of advanced responders that investigated malicious security incidents for local and international operations. Before that, he worked as a Managing Consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, including overseeing large and complex incident response and offensive security engagements.
In addition to his role at Ankura, Josh stays busy teaching two SANS courses: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response.
Josh says that even with all the different roles he's held, every job has included a component of teaching others. Josh's teaching skills are so evident that a former manager and SANS principal instructor encouraged him to explore an instructor role after observing Josh teaching his clients during his time as a consultant.
And the SANS curriculum is a perfect fit from Josh's perspective. "One of the reasons I enjoy teaching for SANS is their DFIR courses are continually updated and tuned to include the most current techniques seen in the wild," says Josh. "I always want to make sure my students are armed with the most up-to-date information to uncover attacks and be able to investigate them efficiently."
In the classroom, Josh sees the extensive amount of highly technical information students must consume over the span of only six days as the biggest challenge for his students. "It can be overwhelming for new students and seasoned professionals alike," he says. To address this, Josh keeps students focused on the elements they can start using as soon as class ends. "I always leave students with more information to read in the future and encourage them to start keeping a file of 'interesting things to read about later,'" he says.
In addition to his work with students, a highlight of Josh's career has been seeing his cases in court. "While the results of court cases are always different, being able to find enough evidence to successfully determine who the malicious actor is behind the keyboard and see law enforcement carry out their work has been a huge highlight for me," says Josh. "It's rare that DFIR professionals ever get to put a face to someone conducting malicious activity; however, finally seeing a criminal in court, or law enforcement carry out a warrant, brings a large sense of closure to an investigation you've worked hard on."
Josh also has a deep interest in operational efficiency for teams and is continually working to understand how to improve the work environment for DFIR professionals. "The challenges and stresses of doing DFIR work are fairly unique, and that's usually why we see DFIR professionals only spend approximately two years at the coal face of chasing malicious actors around networks," he says. "Understanding how to make that environment better for our industry has been an interest of mine ever since I started managing teams of people."
Josh's current work on tools, technologies, techniques, and automating IR processes has allowed him to see IR and SOC teams become more efficient, more motivated, and more focused on their operational IR work, rather than trying to struggle with tools that aren't really suited to DFIR work.
Josh maintains an infosec blog, https://blog.joshlemon.com.au/, and holds several certifications including GCFA, GCIH, GNFA, GPEN, GDAT, GPYC, and GREM.
When he's not helping his team or students, or chasing the malicious actors around a computer network, Josh stays busy in his role as Dad, spending time with his son and close family.
- Cybersecurity managing director at Ankura
- Advisor to BSides Sydney
- Instructor for FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Network Forensic Analyst (GNFA)
- GIAC Certified Penetration Tester (GPEN)
- GIAC Defending Advanced Threats (GDAT)
- GIAC Python Coder (GPYC)
- GIAC Reverse Engineering Malware (GREM)
ADDITIONAL CONTRIBUTIONS BY JOSH LEMON:
Read Josh's infosec ramblings at https://blog.joshlemon.com.au/.