> Hi, I'm Rachel!

Welcome to my portfolio, with all things related to...

Based out of Chicago, IL, I lead teams in response to cybersecurity incidents, ranging from minor anomalies to significant data breaches and privacy incidents.

With a keen interest in cloud forensics, particularly within Microsoft's Azure ecosystem, I specialize in managing complex incidents and navigating high-stake environments within cloud platforms. I'm fascinated by the intricacies and complexities emerging within cloud forensics and the evolving challenges posed by such emerging threats.

> About Me

I'm a Digital Forensics + Incident Response Manager at Stroz Friedberg, an Aon company. Here's a bit about my path to how I got here today, as well as my interests both inside and outside of cybersecurity.

My journey in this field began as a junior cyber associate, and through dedication and passion over the last five years, I've advanced to a DFIR manager.

I graduated from Middlebury College in 2019 with a B.A. in Computer Science and Political Science. This interdisciplinary background laid the foundation for my career, providing me with a deep understanding of both technical intricacies and the broader socio-political landscape in which they operate.

At Stroz Friedberg, I'm on the frontline of the cyber battlefield, leading responses to complex security incidents, conducting forensic investigations, and implementing proactive risk mitigation measures. When I'm not actively fending off the bad guys, I also specialize in preserving, collecting, and analyzing digital evidence.

Outside of the office, you can find me indulging in my other passions that keep me energized and inspired. Whether building the latest LEGO set, training my Aussie companion Archer, or coding very amateur things, a balanced lifestyle fuels both my personal and professional success.

I'm constantly seeking to deepen my understanding of the ever-evolving cybersecurity landscape and eager to connect with like-minded individuals who share my interests. Whether it's delving into the latest cybersecurity trends or swapping LEGO-building tips, connect with me to chat more!

  1. Who Am I

    Chicago, IL
    26
    6+ Certifications
    5+ YOE
    In-Person + Hybrid
  2. Soft Skills

    High-Stress Adaptability
    Cross-Functional Collaboration
    Creativity + Innovation
    Continuous Learning + Training
    Problem-Solving + Analytics
  3. High-Level Interests

    Microsoft Azure Investigations
    Cloud Platform Forensics
    Identity + Access Management
    Operating System Security
    Vulnerability Assessment
    Data Privacy + Compliance

> My Experience

In my investigations, I often encounter fascinating concepts that spark my curiosity. Here, you'll find a rolling collection of my written and verbal insights as a subject matter expert, and several certifications I've pursued to deepen my expertise in areas of cybersecurity.

Publications

The Evolution of Phishing Campaigns

Aon Cyber Labs

Explores emerging trends observed in 2023 phishing campaigns, including advanced social engineering tactics across email platforms, a rise in 'phishing-as-a-service' (PhaaS), and shifts from attacks on email platforms to mobile phones.

Tags: Microsoft, Phishing, BEC

Microsoft 365: Identifying Mailbox Access

Aon Cyber Labs

Discusses various methodologies to accurately quantify mailbox data accessed by malicious actors in the event of a business email compromise.

Tags: Microsoft, BEC

Speaking Engagements

Phishing 2.0: The Rise of Artificial Intelligence

WiCyS 2024 - Nashville, TN

Discusses the evolution of phishing attacks as threat actors weaponize artificial intelligence capabilities to broaden the reaches of their phishing campaigns.

Tags: Microsoft, Phishing, AI

> Blog Posts

Dive into my ongoing collection of reflections and narratives, where I share real-world experiences, lessons learned from various cases, and my evolving thoughts on the dynamic field of incident response. This section serves as a living diary of my journey and discoveries in the realm of DFIR.

Cloud Case Studies

Case studies from real-world investigations of cloud platform compromises across AWS, Azure, and GCP. Includes unauthorized access to cloud storage buckets and Kubernetes clusters, as well as cryptomining incidents.

Tags: AWS, Microsoft, GCP

DFIR Case Studies

Case studies from real-world incident response investigations, including third-party supply-chain attacks, ransomware incidents, business email compromises, and insider threat investigations.

Tags: BEC, Phishing, RW, Third Party, Insider Threat

> Fundamentals

I frequently get asked what it takes to get into incident response, or what the typical activities involved in this role are. I've compiled a thorough introduction to DFIR, highlighting the types of incidents typically encountered, the strategic approaches to managing these incidents, and the essential tools utilized by professionals.

DF vs IR

Digital Forensics and Incident Response (DFIR) is a specialized branch of cybersecurity that combines the investigative and analytical aspects of digital forensics with the reactive measures of incident response. It aims to provide a comprehensive approach to incident response, enabling organizations to effectively detect, investigate, and respond to cyber threats and incidents. Both DF and IR play crucial roles in cybersecurity, complementing each other to ensure effective incident management and response.

Digital Forensics (DF):
  • Digital forensics involves the collection, preservation, analysis, and presentation of digital evidence to investigate cybercrimes or security incidents.
  • It focuses on uncovering and understanding past events by examining digital artifacts such as files, logs, metadata, and network traffic.
  • Digital forensics techniques are used to identify evidence of malicious activity, track the actions of threat actors, and support legal proceedings or internal investigations.
Incident Response (IR):
  • Incident response is the process of detecting, analyzing, and responding to cybersecurity incidents in real-time to minimize their impact and restore normal operations.
  • It involves the coordinated effort of identifying security breaches, containing the incident, eradicating threats, and recovering affected systems or data.
  • Incident response teams follow predefined procedures and use tools and technologies to effectively manage security incidents, mitigate risks, and prevent future incidents.

Although they might be referred to as separate practices, DF and IR work together to help answer the following questions after a security incident:

  1. Who caused this incident?
  2. What is the full scope and impact of the compromise?
  3. How did the attacker get in?
  4. How did the attacker escalate their operation? (ex. Credential theft, lateral movement, etc.)
  5. Did the attacker obtain access to any sensitive data/PII/PHI? (ex. Data exfiltration)
  6. How do we ensure a similar incident won’t happen again?
  7. How do we remediate and restore the business back to operation?

IR Frameworks

On a day-to-day basis, I lead the response to a security incident or data breach, coordinating and overseeing all facets of the incident response effort. But of course, no two responses will be the same. Each investigation entails a unique and tailored approach in the IR plan, depending on the scope and severity of the incident. Below is a popular 6-step IR framework developed by SANS that I use often in my investigations:

Another popular framework is offered by the National Institute of Standards and Technology (NIST), which entails a shorter, but nearly identical process. Additionally, a huge shoutout to MITRE ATT&CK. This curated knowledge base and model for cyber adversary behavior reflects the various phases of an adversary's lifecycle and the platforms they're known to target.

Considerations for IR work

The proliferation of cyberattacks and data breaches makes DFIR more essential than ever. While success in cybersecurity requires a certain level of technical prowess, the strongest incident responders possess a diverse skill set that goes beyond textbook knowledge. Below are some soft skills I've developed throughout my journey that have helped me in my role today.

  • Navigating High-Stress Environments: I operate in a high-stress environment characterized by time-sensitive and critical situations. Managing multiple incidents simultaneously and making quick decisions under pressure are challenges I encounter daily. Additionally, conducting risk assessments to prioritize incident response efforts based on potential impact is a critical first step to navigate an active situation.
  • Leadership in Incident Response: Leading a team of skilled professionals is crucial for orchestrating an effective response to security incidents. From identifying and containing threats to implementing remediation measures, I orchestrate the response with precision and efficiency, ensuring that every incident is comprehensively addressed to minimize damage and maintain operational continuity.
  • Fostering Cross-Functional Collaboration: A comprehensive response to an incident requires collaborating closely with cross-functional teams, including IT, legal, and law enforcement. Additionally, providing regular updates to executive leadership, board members, and external stakeholders is necessary. By fostering collaboration and information sharing, I ensure seamless coordination and communication throughout the incident response process.
  • Continuous Learning and Improvement Initiatives: In a constantly evolving threat landscape, staying vigilant and proactive is essential. I invest in ongoing training (SANS, Cloud Provider certifications, etc.), adopt emerging technologies, and implement best practices to stay ahead of cyber adversaries and maintain a resilient security posture.