>Hi, I'm Rachel!

Welcome to my portfolio, with all things related to...

Based out of Chicago, IL, I lead teams in response to cybersecurity incidents, ranging from minor anomalies to significant data breaches and privacy incidents.

With a keen interest in cloud forensics, particularly within Microsoft's Azure ecosystem, I specialize in managing complex incidents and navigating high-stake environments within cloud platforms. I'm fascinated by the intricacies and complexities emerging within cloud forensics and the evolving challenges posed by such emerging threats.

> About Me

I'm a Digital Forensics + Incident Response Manager at Stroz Friedberg, an Aon company. Here's a bit about my path to how I got here today, as well as my interests both inside and outside of cybersecurity.

My journey in in this field began as a junior cyber associate, and through dedication and passion over the last five years, I've advanced to a DFIR manager.

I graduated from Middlebury College in 2019 with a B.A. in Computer Science and Political Science. This interdisciplinary background laid the foundation for my career, providing me with a deep understanding of both technical intricacies and the broader socio-political landscape in which they operate.

At Stroz Friedberg, I'm on the frontline of the cyber battlefield, leading responses to complex security incidents, conducting forensics investigations, and implementing proactive risk mitigation measures. When I’m not actively fending off the bad guys, I also specialize in preserving, collecting, and analyzing digital evidence.

Outside of the office, you can find me indulging in my other passions that keep me energized and inspired. Whether building the latest LEGO set, training my Aussie companion Archer, or coding very amateur things, a balanced lifestyle fuels both my personal and professional success.

I'm constantly seeking to deepen my understanding of the ever-evolving cybersecurity landscape and eager to connect with like-minded individuals who share my interests. Whether it's delving into the latest cybersecurity trends or swapping LEGO-building tips, connect with me to chat more!

Who Am I
Chicago, IL
26
6+ Certifications
5+ YOE
In-Person + Hybrid
Soft Skills
High-Stress Adaptability
Cross-Functional Collaboration
Creativity + Innovation
Continuous Learning + Training
Problem-Solving + Analytics
High-Level Interests
Microsoft Azure Investigations
Cloud Platform Forensics
Identify + Access Management
Operating System Security
Vulnerability Assessment
Data Privacy + Compliance

> My Experience

In my investigations, I often encounter fascinating concepts that spark my curiosity. Here, you'll find a rolling collection of my written and verbal insights as a subject matter expert, and several certifications I've pursued to deepen my expertise in areas of cybersecurity.

Publications

The Evolution of Phishing Campaigns

Aon Cyber Labs

Explores emering trends observed in 2023 phishing campaigns, including advanced social engineering tactics across email platforms, a rise in 'phishing-as-a-service' (PhaaS), and shifts from attacks on email platforms to mobile phones.

MicrosoftPhishingBEC

Microsoft 365: Identifying Mailbox Access

Aon Cyber Labs

Discusses various metholodies to accurately quantify mailbox data accessed by malicious actors in the event of a business email compromise.

MicrosoftBEC

Speaking Engagements

Phishing 2.0: The Rise of Artificial Intelligence

WiCyS 2024 - Nashville, TN

Discusses the evolution of phishing attacks as threat actors weaponize artificial intelligence capabilities to broaden the reaches of their phishing campaigns.

MicrosoftPhishingAI

Certifications

Certification Name: GIAC Certified Intrusion Analyst (GCIA)
Issuing Organization: GIAC Certifications
Dates Active: In Progress

Certification Name: Azure Fundamentals (AZ-900)
Issuing Organization: Microsoft
Dates Active: Feb 2024 — ∞

Certification Name: GIAC Cloud Forensics Responder (GCFR)
Issuing Organization: GIAC Certifications
Dates Active: Apr 2023 — 2027

Certification Name: Azure Management Tools + Security Solutions
Issuing Organization: Microsoft + Coursera
Dates Active: Jan 2023 — 2027

Certification Name: GIAC Certified Forensic Analyst (GCFA)
Issuing Organization: GIAC Certifications
Dates Active: Mar 2021 — 2029

Certification Name: GIAC Certified Forensic Examiner (GCFE)
Issuing Organization: GIAC Certifications
Dates Active: Jun 2020 — 2028

Certification Name: Splunk Certified User
Issuing Organization: Splunk
Dates Active: Aug 2018 — 2023

Download Resume

> Blog Posts

Dive into my ongoing collection of reflections and narratives, where I share real-world experiences, lessons learned from various cases, and my evolving thoughts on the dynamic field of incident response. This section serves as a living diary of my journey and discoveries in the realm of DFIR.

Cloud Case Studies

May 1, 2024

Case studies for real-world investigations for cloud platform compromises across AWS, Azure, and GCP. Includes unauthorized accesses to cloud storage buckets and kubernetes clusters, as well as cryptomining incidents.

AWSMicrosoftGCP

May 1, 2024

DFIR Case Studies

May 15, 2024

Case studies for real-world incident response investigations, including third-party supply-chain attacks, ransomware incidents, business email compromises, and insider threat investigations.

BECPhishingRWThird PartyInsider Threat

May 15, 2024

> Fundamentals

I frequently get asked what it takes to get into incident response, or the typical activities involved in this role. I've compiled a thorough introduction to DFIR, highlighting the types of incidents typically encountered, the strategic approaches to managing these incidents, the essential tools utilized by professionals.

DF vs IR

Digital Forensics and Incident Response (DFIR) is a specialized branch of cybersecurity that combines the investigative and analytical aspects of digital forensics with the reactive measures of incident response. It aims to provide a comprehensive approach to incident response, enabling organizations to effectively detect, investigate, and respond to cyber threats and incidents. Both DF and IR play crucial roles in cybersecurity, complementing each other to ensure effective incident management and response.

Digital Forensics (DF):

Digital forensics involves the collection, preservation, analysis, and presentation of digital evidence to investigate cybercrimes or security incidents.
It focuses on uncovering and understanding past events by examining digital artifacts such as files, logs, metadata, and network traffic.
Digital forensics techniques are used to identify evidence of malicious activity, track the actions of threat actors, and support legal proceedings or internal investigations.

Incident Response (IR):

Incident response is the process of detecting, analyzing, and responding to cybersecurity incidents in real-time to minimize their impact and restore normal operations.
It involves the coordinated effort of identifying security breaches, containing the incident, eradicating threats, and recovering affected systems or data.
Incident response teams follow predefined procedures and use tools and technologies to effectively manage security incidents, mitigate risks, and prevent future incidents.

Although they might be referred to as separate practices, DF and IR work together to help answer the following questions after a security incident:

Who caused this incident?
What is the full scope and impact of the compromise?
How did the attacker get in?
How did the attacker escalate their operation? (ex. Credential theft, lateral movement, etc.)
Did the attacker obtain access to any sensitive data/PII/PHI? (ex. Data exfiltration)
How do we ensure a similar incident won’t happen again?
How do we remediate and restore the business back to operation?

IR Frameworks

On a day-to-day basis, I lead the response to a security incident or data breach, coordinating and overseeing all facets of the incident response effort. But of course, no two responses will be the same. Each investigation entails a unique and tailored approach in the IR plan, depending on the scope and severity of the incident. Below is a popular 6-step IR framework developed by SANS that I use often in my investigations:

Another popular framework is offered by National Institute of Standards and Technology (NIST), which entails a shorter, but nearly identical process. Additionally, huge shoutout to MITRE ATT&CK. This curated knowledge base and model for cyber adversary behavior reflects the various phases of an adversary's lifecycle and the platforms they're known to target.

Considerations for IR work

Proliferation of cyberattacks and data breaches make DFIR more essential than ever. While success in cybersecurity requires a certain level of technical prowess, the strongest incident responders possess a diverse skill set that goes beyond textbook knowledge. Below are some soft skills I've developed throughout my journey that's helped me in my role today.

Navigating High-Stress Environments: I operate in a high-stress environment characterized by time-sensitive and critical situations. Managing multiple incidents simultaneously and making quick decisions under pressure are challenges I encounter daily. Additionally, conducting risk assessments to proioritize incident response efforts based on potential impact is a critical first step to navigate an active situation.
Leadership in Incident Response: Leading a team of skilled professionals is crucial for orchestrating an effective response to security incidents. From identifying and containing threats to implementing remediation measures, I orchestrate the response with precision and efficiency, ensuring that every incident is comprehensively addressed to minimize damage and maintain operational continuity.
Fostering Cross-Functional Collaboration: A comprehensive response to an incident requires collaborating closely with cross-functional teams, including IT, legal, and law enforcement. Additionally, providing regular updates to executive leadership, board members, and external stakeholders is necessary. By fostering collaboration and information sharing, I ensure seamless coordination and communication throughout the incident response process.
Continuous Learning and Improvement Initiatives: In a constantly evolving threat landscape, staying vigilant and proactive is essential. I invest in ongoing training (SANS, Cloud Provider certifications, etc.), adopt emerging technologies, and implement best practices to stay ahead of cyber adversaries and maintain a resilient security posture.

Incident Types

While I have experience tackling a broad spectrum of cases, recently I've focused on leading intricate IR cases, particularly those involving a cloud platform compromise. Here's an overview of the types of incidents I've responded to. To read more about real-world case studies, see my blog post here!

Types of Digital Forensics Cases

Data Breach Investigation: Investigating unauthorized access to sensitive data, such as customer records or financial information, to determine the extent of the breach and identify the responsible party, if possible.
Intellectual Property Theft: Analyzing digital evidence to uncover instances of intellectual property theft, such as trade secrets, patents, or proprietary information stolen by insider or external threats.
Employee Misconduct: Examining digital devices and communications to gather evidence of employee misconduct, including unauthorized access to company resources, data theft, or policy violations. Also includes departed employees
Fraud Investigations: Investigating digital evidence related to financial fraud, identity theft, or online scams to identify perpetrators, trace fraudulent transactions, and compile evidence for legal proceedings.

Types of Incident Response Cases

Advanced Persistent Threat (APT): Sophisticated, often long-term cyberattack orchestrated by well-funded and highly skilled threat actors, such as nation-states (China, Russia, North Korea) or organized cybercriminal groups. APT attacks are characterized by their stealthy, long-term nature, where attackers gain unauthorized access to target networks or systems, remain undetected for extended periods, and exfiltrate sensitive information or disrupt operations.
Ransomwares: Designed to encrypt files or block access to computer systems until a ransom is paid by the victim. Ransomware attacks often involve threat actors encrypting critical data on infected devices and demanding payment, usually in cryptocurrency, in exchange for a decryption key to restore access. Some groups operate shame sites to leak exfiltrated data for victims who don't pay within an allotted timeframe. Ransomwares can affect industries and companies of all shapes and sizes, ranging from enterprise organizations to even local mom-and-pop shops.
Business Email Compromise (BEC): Cyberattack where threat actors gain unauthorized access to a business email account, typically through phishing or social engineering tactics, and use it to conduct fraudulent activities. BEC attacks can take various forms, including email spoofing, invoice fraud, and CEO impersonation, with the goal of tricking employees into transferring funds, disclosing sensitive information, or initiating unauthorized transactions.
Supply chain attack: Cyberattack where attackers compromise or gain unauthorized access to a company's system/network by targeting vulnerabilities in the supply chain of an organization. Also known as “value-chain” or “third-party” attacks. Supply chain attacks often involve exploiting weaknesses in third-party vendors, contractors, or service providers to infiltrate the target organization's infrastructure and carry out malicious activities, such as data theft, espionage, or sabotage.
Insider threat: Refers to the risk posed to an organization's security and data integrity by individuals within the organization who misuse their access privileges or intentionally engage in malicious activities. Insider threats can include current or former employees, contractors, or business partners who exploit their insider knowledge and access to commit fraud, data theft, sabotage, or espionage against the organization. Insider threats can be unintentional, such as negligence or accidental data breaches, or deliberate, involving malicious intent.

Cloud IR

Cloud Incident Response is an emerging and booming subset of IR that refers to responding to security incidents that occur within cloud environments, such as across cloud infrastructure or services across platforms such as Microsoft's Azure, Amazon Web Services (AWS), or Google Cloud Platform (GCP). See my blog post here for examples of real-world cloud compromises across major cloud provider platforms.

What's new in Cloud IR?

Cloud-based incidents are reshaping traditional DFIR work with a shift in commonly accepted investigative practices, tools, and expertise to effectively address the complexities of cloud environments. Incident responders should adapt and evolve their approaches to keep pace with the changing landscape of cybersecurity in the cloud. A few of major changes I've noticed:

Shift in Data Sources: In 2024, around 87% of Fortune 500 companies have adopted at least one public cloud platform. Incident responders typically collected data from on-premises systems, such as servers, workstations, and network (firewall) logs - the physical access parameters. As more organizations utilize services from a variety of cloud platforms, working with the access parameters of each cloud provider requires a deeper level of expertise - such as taking logical storage snapshots, understanding log retention, etc.
Complexity of Investigations: Cloud-based incidents introduce additional complexity to DFIR investigations because of its efficient, but distributed nature, including shared responsibility models and multi-tenant architectures. Investigating incidents involving cloud services requires coordination and collaboration between the cloud customer, CSPs, and potentially other third-party service providers. In my experience,
Challenges in Data Collection and Preservation: Collecting and preserving digital evidence in cloud environments presents unique challenges compared to collecting from on-premises systems. Cloud-based data may be dispersed across multiple geographic regions, stored in shared storage systems, or subject to automated data lifecycle management by CSPs. Ensuring the integrity and admissibility of digital evidence collected from cloud environments requires specialized techniques and tools tailored to cloud forensics. Also requires expertise in a variety of cloud platforms.
Adaptation of Investigative Techniques: Investigators should adapt their techniques and methodologies to address cloud-specific artifacts, including logging mechanisms, encryption practices, and access controls implemented by CSPs. Traditional DFIR methodologies may need to be modified or supplemented with cloud-specific approaches to effectively investigate incidents in cloud environments (i.e., lateral movement across cloud resources, data exfiltration from cloud storage, etc.)
Integration with Cloud Security Tools: Cloud-based incidents necessitate the integration of traditional DFIR workflows with cloud-native security tools and technologies. This includes leveraging CSP-provided security services, such as cloud monitoring, threat detection, and incident response automation. Integrating these tools into DFIR workflows enables faster detection, analysis, and response to cloud-based threats and security incidents. See DFIR Toolkit tab for several cloud-native tools across major cloud providers.

Cloud IR requires a deep understanding of cloud computing architectures, security controls, and compliance requirements, along with proficiency in traditional DFIR methodologies adapted to the cloud environment. Effective cloud IR strategies prioritize proactive threat detection, rapid incident triage, and coordinated response efforts between cloud customers, cloud service providers (CSPs), and other stakeholders.

DFIR Toolkit

DFIR is a massive industry with new tools and platforms emerging as the needs change and evolve. While there are many out there, here’s some that I use regularly through my investigations. My preferred tools are marked with a .

Forensic Preservation Tools

Logicube Forensic Falcon – A standalone forensics device offering various functions such as data acquisition, secure encryption, data verification, and disk formatting tailored for forensic applications.
AccessData FTK Imager – A free forensic tool used for capturing live data and creating forensic images of files, folders, and disk images, while supporting live memory acquisition on both 32-bit and 64-bit systems.
Guymager – Free Linux-based imager for forensic acquisition of media drives, optimized for full-drive data captures.
Magnet ACQUIRE – Acquires forensic images from a variety of platforms including Windows, macOS, Linux, and mobile devices.
Cellebrite – Cellebrite's Digital Collector (MacQuisition) supports imaging of Intel + Apple Silicon (M1, M2) as well as Ventura OSes (as of mid-2023). Cellebrite's UFED is a tool used to extract data from mobile devices, SIM cards, removable media (USBs), and even drones!
F-Response – Enables remote, secure, and read-only access to target systems for real-time data analysis and incident response, ensuring data integrity.
PSRecon – Utilizes PowerShell (v2+) to remotely collect and organize data from Windows systems, ensuring data integrity through comprehensive hashing.
bulk_extractor – Scans digital media to extract critical information quickly without requiring file system parsing, enhancing the efficiency of forensic examinations.
X1 Social Discovery – Specializes in collecting data from social media and websites, particularly for digital investigations and legal discovery

Memory Tools

Belkasoft RAM Capturer – Forensic tool that reliably acquires volatile memory of a running computer. Designed to be fail-safe and easy to use, it captures system RAM with minimal risk of data corruption.
Live Response Collection – Automates the collection of volatile data from Windows, OS, and *nix based operating systems.
Volatility 3 - Specializes in extracting artifacts from volatile memory, providing crucial insights into the runtime state of systems.
ReKall - Open-source tool + library for extraction of digital artifacts from volatile memory (RAM) samples.

All-In-One Tools

X-Ways Forensics - A versatile tool for disk cloning, imaging, file recovery, and detailed analysis of data, serving as a cornerstone for forensic investigations.
OSquery - Open-source endpoint visibility tool developed by Meta, transforming device states into queryable databases, enabling real-time visibility and analysis across multiple operating systems.
Velociraptor - An advanced tool providing deep endpoint visibility and data collection capabilities to enhance investigative and monitoring activities. Uses Velocidex Query Language (VQL).

Host-Based Analysis

Hayabusa - Quickly parses and generates timelines from Windows event logs.
RegRipper - Open source tool written in Perl for extracting/parsing (keys, values, data) from registry hives for values of interest.
Event Log Explorer - Viewing, analyzing, and monitoring events recorded in Microsoft Windows event logs. It provides powerful features to aggregate, analyze, and export logs.
Loki - Python-based scanner leveraging indicators of compromise and YARA rules for comprehensive endpoint scanning
Thor Lite - Extensive IOC and YARA scanning capabilities, equipped with advanced modules and signature sets for detailed threat detection. Built upon Loki.
Intella Pro - Focuses on email investigation and eDiscovery, offering powerful tools for processing and analyzing email data.
Eric Zimmerman Tools - A suite of open-source forensic tools that provide deep insights and cross-validation capabilities in digital investigations.
Magnet AXIOM - Integrates evidence from mobile, cloud, and computer sources into a single case file, streamlining the investigation process.
Exiftool - A powerful tool for manipulating metadata in a wide array of file types, critical for forensic and investigative purposes.
John the Ripper - Fast password cracker, widely used for its ability to automatically detect password hash types and support numerous cracking modes.

Log Analysis Platforms + Tools

Splunk Enterprise - A robust platform that captures, indexes, and correlates real-time data in a searchable repository, enabling complex querying, analysis, visualization, and monitoring.
Elastic’s ELK Stack - Combines Elasticsearch, Logstash, and Kibana to process, search, and visualize large volumes of data in real time, providing an integrated solution for log and time-series analytics
LogRhythm - Security information and event management (SIEM) solution that combines log management, machine learning, and advanced analytics to help identify and respond to threats quickly.
Sumo Logic - A cloud-based log management and analytics service that transforms big data into sources for security and operational intelligence. It is designed to help with real-time forensics and incident response.
IBM Security QRadar - SIEM solution that consolidates log events and network flow data from thousands of devices, endpoints, and applications across a network.
Other great tools for loose log analysis

Jupyter Notebook - Provides an interactive computing environment where you can combine code execution, rich text, mathematics, plots, and rich media.
PostgreSQL’s pgAdmin - A comprehensive administration tool for PostgreSQL, offering GUI for database management, query tooling, and monitoring
Cygwin - A POSIX-compatible environment that runs natively on Microsoft Windows, allowing the running of Linux-based applications and tools. An essential tool in my opinion.

Shoutout to Microsoft's Excel and Notepad++ for all the support through my journey here.

Network Analysis

NetWitness Investigator - Facilitates advanced network forensics with real-time visibility into network traffic, aiding in the detection and investigation of security threats.
NetworkMiner - An open-source network forensics tool for extracting artifacts from captured network traffic.
WireShark - Network protocol analyzer for deep inspection of network protocols and payload content.
TCPDump - Command-line packet analyzer used for network diagnostics and network traffic monitoring by capturing packet data. Isolate packets, sessions, and events of interest for deeper review.

Open Source Intelligence (OSINT) Tools

Shodan.io - A specialized search engine for finding specific types of internet-connected devices and systems.
MaxMind - Provides IP geolocation and online fraud prevention tools.
DomainTools - Offers domain profile information and history.
CyberChef - Versatile web application for encoding, decoding, ciphering, hashing, and data analysis, with numerous operations and chainable tools
OpenPhish - Repository of active phishing sites, offering free phishing intelligence feeds.
VirusTotal - Analyzes suspicious files and URLs to detect malware and other threats using multiple antivirus engines and website scanners
JOE Security - A sandboxing solution that analyzes suspicious files, malware, and URLs across multiple operating systems, providing detailed security reports.
AlientVault OTX (Open Threat Exchange) - Global open threat intelligence community that shares in real-time, aiding in the response to emerging threats, promoting faster incident response.
SpiderFoot - Open-source intelligence automation tool, automating the process of gathering intelligence about a given target (ex. IP address, domain name, hostname, network subnet, etc.)

Visualization Software

Timesketch - An open-source collaborative forensic timeline analysis tool designed to help teams work together on digital investigations.
Plaso - Python-based backend that extracts timestamps from various files found on a system and aggregates them into a single timeline.
Maltego by Paterva - A powerful visualization tool for understanding and displaying the relationships and real-world links between digital entities.
XMind - A full-featured mind-mapping and brainstorming tool, enabling the structuring of thoughts, complex information, and ideas for projects and research.
Metabase - Interface for creating visualizations and dashboards from various databases without requiring extensive technical knowledge

Cloud Platform tools

Unlike traditional DFIR tools, which focus on on-premises infrastructure, cloud-native tools are tailored for the scalable, dynamic nature of cloud environments. The tools range from real-time monitoring to automated security for cloud architectures like serverless and containers.

Amazon Web Services AWS

AWS CloudTrail - Provides governance, compliance, operational auditing, and risk auditing of your AWS account by logging all account activity.
Amazon GuardDuty - Offers intelligent threat detection that monitors your AWS environment for malicious activity and unauthorized behavior.
AWS Security Hub - Aggregates security alerts and findings from various AWS services and third-party tools to provide a comprehensive view of your security posture.
Amazon Inspector - Automatically assesses applications for vulnerabilities or deviations from best practices, including those deployed on EC2 instances.
Splunk - Integrating Splunk with AWS services can provide deeper insights into the data and more advanced analytics capabilities for threat detection and response.

Microsoft's Azure Microsoft

Azure Security Center - Provides unified security management and advanced threat protection across hybrid cloud workloads. It includes continuous monitoring and policy enforcement.
Azure Sentinel - This is Microsoft’s cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads.
Azure AD Identity Protection - Helps detect potential vulnerabilities affecting your organization’s identities, configure automated responses, and investigate incidents.
Microsoft Defender for Cloud - Offers tools for navigating to the root cause of a breach or verifying that alerts are false positives.

Google Cloud Platform GCP

Google Chronicle - As part of Google Cloud, Chronicle provides a powerful analytics engine to help enterprises manage their security data at scale, including threat hunting and incident investigation.
Google Cloud Security Command Center - Provides risk assessment and threat identification across your Google Cloud data, assets, and services.
Google Cloud’s operations suite (formerly Stackdriver) - Monitors, logs, and diagnoses cloud applications’ issues on GCP in real time
Sysdig Secure - Used for securing containerized environments and can be integrated with GCP for monitoring, security, and forensics in a Kubernetes environment.

Additional Cloud Security Tools (EDR, SIEMs)

Orca Security - Provides agentless cloud security for AWS, Azure, and GCP, utilizing SideScanning technology to assess vulnerabilities, malware, misconfigurations, and compliance risks in cloud assets without the use of agents.
CrowdStrike Falcon Insight XDR - Delivers endpoint protection through advanced analysis of threat data, offering real-time visibility and proactive threat hunting capabilities.
Palo Alto Networks Prisma Cloud - Offers visibility and control over data across all cloud environments, providing continuous threat detection, compliance monitoring, secure access, and data protection.
VMWare Carbon Black EDR - Provides advanced threat detection and response by analyzing endpoint data and offering tools for incident response and defense.
SentinelOne Singularity - A unified, AI-powered platform providing prevention, detection, response, and hunting across endpoints, containers, cloud workloads, and IoT devices.
Sophos Intercept X - Offers next-gen endpoint protection using deep learning technology to block malware, exploits, and ransomware attacks.

Who Am I

Soft Skills

High-Level Interests