Indiana Jones told us: “X never, ever marks the spot.” In cybersecurity, how do we figure out where to dig and go deeper?
In episode two of Security Sandbox, host Amanda Fennell, a former archeology major, delves deep into the brain of 2020’s Archaeologist of the Year, Dr. Alison Sheridan. Alongside Yvan Foonde, Relativity’s incident response manager, these fearless adventurers exhume the joints between excavations, curation, and digital investigations.
Give it a listen to learn why archeologists and security teams alike must always seek the unexpected; understand the best tools, processes, and people for every investigation; and really embrace the “aha!” moment.
Amanda Fennell: Welcome to Security Sandbox! I'm Amanda Fennell, chief security officer at Relativity, where we help the legal and compliance world solve complex data problems securely. And that takes a lot of creativity! One of the best things about a sandbox is that you can try anything. This season, let's explore how curiosity and personal passions inspire stronger security. Grab your shovel, and let's dig in!
In today's episode, we'll be transforming our sandbox into an archeological site. We'll excavate a series of tools and terminology to put a fresh perspective on digital forensics and maybe discover some buried treasure along the way. Joining us from across the pond is Dr. Alison Sheridan, voted the 2020 Archeologist of the Year. This literal rock-star specializes in the Neolithic, Chalcolithic, and Early Bronze Ages of Britain and Ireland. We also have Yvan Foonde, Relativity security team's incident response manager. He brings the cyber perspective to our excavation.
Today's episode was really the catalyst for this entire series, and I'm so excited about it. This was what I really sat down and first thought of whenever I said, "What can I meld together of my personal passions?" Archeology was my first true love and what I got my undergraduate degree in, before I moved into my master's doing digital investigations.
And yet, I still do the same thing. I'm really actually still digging to find things out about people. So, Alison, I'm so glad you joined us today. We're going to jump right into one of the most important topics in archeology: how we approach the dig. There are three phases. I think phase one is identification for both of us. That is where we come together, but maybe we're a little different on phase two.
Alison Sheridan: Phase two is definitely the forensic-type work. And then phase three is this sort of dissemination and presentation, because that is a very, very important element. It's great fun to get to do this research, but if you don't then let the whole world know about it, it’s a loss. So I would say dissemination is phase three.
AF: Alison, that's a great point. Yvan, this probably sounds a little familiar to you, doesn't it?
Yvan Foonde: There are definitely a lot of overlays and overlap in terms of identification, forensic analysis, and dissemination in terms of what’s similar in cyber digital forensics. You're going through identification triage, where you're doing the forensic analysis and putting together a digital forensic action report of next steps. Whether you're excavating a site or you're going through a registry on a server or workstation, there's a lot of similarities in terms of the forensic processing, or the fact that you're looking for things that point you to bigger signs as you're going through the forensic analysis. From someone coming in from the cyber world, the digital forensic world, seeing so many overlays—it's the same thing. It's the same processes.
AF: Yvan, one question I think every cyber investigator has to ask themselves is where to dig. Archeologists ask this, too. We'll ask Alison. But really, this is a question for you: Where do you know where to look? How do you decide?
YF: The security culture and digital forensics, a lot of it is based on threat intelligence that you have beforehand. Being a new site, new threat actor, new malware, you have cyber threat intelligence that gives you indicators that you should look for to begin to start excavating for the malware.
AF: Alison, it doesn't feel super far off from where you are in archeology. You have the same question: How are you going to decide where you're going to do a dig?
AS: That's absolutely right. And in fact, what we do is predictive modeling. If we want to try and work out where you're likely to find a Neolithic settlement, you take the pattern of where all of the known Neolithic settlements were found. But you also have to be a bit smart—not half as smart as you guys, and I take my hat off to you. There's a danger of, if you just look in the places where you know these sites have been found in the past, then sure, you're going to find some new sites. But you're never going to expand your horizons. You also have to be able to think in a little bit of an agile way and take advantage of chances as they come up. This is where development-funded archeology is so very useful. That's driven by, if somebody is putting in a road, then that road has a specific trajectory, and they're just going to excavate everything in the course of that road. And you'll find, quite often, surprises—new kinds of sites that you’d never heard of or places that you wouldn't have expected. So that's very helpful. It's to do with pattern recognition and being smarter than your foe.
YF: To your point, there is predictive modeling, right? Similarly, from a digital forensics standpoint, there's IOCs (indicators of compromise) that you use. But you also follow TTPs—tactics, techniques, and procedures—that the adversary likes to use. Again, the adversary is learning. We're learning as well. It's a constant evolution battle.
AF: Just like any battle, you're going to have to take a tool in with you. Something to arm yourself with. That's really a great question. What are the tools that you're going to use for this investigation?
AS: We're very lucky because archeology is kind of networked into a whole family of hard sciences. We would get the DNA specialists to do the DNA analysis, the isotope specialists to do that, and a whole army of other specialists. The trick for the curator is, I'm not a scientist! I don't understand. I couldn't explain to you DNA beyond a nonsense level. But you have to learn just about enough to understand what these guys are saying to you and to be able to argue your corner with them.
The most important lesson that everybody's learned is that you have to respect each other's points of view and try to understand each other's points of view and what they're actually saying. That way, you get to advance. Otherwise, there have been examples where geneticists don't know anything about the archeology, and they'll come up with something, and the archeologists will say, "Well, that's just nonsense," and vice versa. We just have to try and understand each other and move on that way.
AF: Yvan, I know you get asked this probably pretty often, but when people hear cyber, they get excited. It's a cool term. What is your most interesting find when you look back on your years of investigation? Something that really just stands out to you?
YF: I have a couple of stories, but I'll pick the one that you're familiar with. In a previous company that we were at, there was a case where I was looking for a piece of malware just across the network. Came across this individual in Germany that had been on their laptop visiting these sites. I remember—even in the circumstances around this, especially German privacy laws and all that fun stuff—I remember him coming to me: "How did this come about again?" I was like, "No, no, no. I was looking for malware."
AF: Yvan, I remember that exactly. That moment, whenever that first came into my email inbox, and it was like, "We found something through the logs." I remember having a moment of saying, panicky, "Oh my gosh, privacy! This is a big concern. Where did you get this?" But it's funny because you look back, and I think that was probably the time that you really stood out to me as a great investigator, because you were just playing around looking for just anomalies. You were looking for something that seemed different than the norm. I love that you found this, and it was a really great investigation that went through all these processes we've been talking about. We identified something, we evaluated it, and then we had to do that data recovery to really understand what was going on and rebuild that timeline.
Alison, when you look back, it's probably not finding some logs for some suspicious activity. Is there something that maybe jumps out to you in your career that you're like, this was a great find?
AS: Yes, though it's very hard to single it down. As part of a road scheme, people excavated a couple of early Bronze Age graves, and these produced beautiful necklaces made of jet from Whitby in Yorkshire, which is quite a long way away. It's a little bit like a 3D jigsaw because, as the body had decomposed within the grave, obviously the necklace would have collapsed and the organic thread would have broken. It will have decomposed pretty quickly. The excavators took lots of photographs and everything, but it was then down to me to work out which bits belonged. And it was not just a necklace. There was a bracelet with one of them. And so, again, you have to do this forensic thing. You use your prior knowledge of the finished shape of these necklaces, because they made them according to a formula, and you're then able to match it up: that bit must go there because it fits precisely. It's a little bit like you going into your logs and then you think, "Yeah, that belongs there." And the satisfaction of then restringing them and taking that photograph and again showing it to the people who excavated it—this is the kind of tears-of-joy situation that is so great.
AF: So I guess, is the resolution your favorite time and part of archeology, or is it curation? Is there just another moment in particular where you love the phase?
AS: Yeah, I mean, there's lots to enjoy about every stage. I think the first happy point is when you have worked out your narrative. We actually did a whole series of galleries about prehistoric Scotland, and we started literally with blank sheets of paper, and we were told what story we're going to tell with these artifacts and these remains, and how are you going to tell it? Then thereafter, obsessively going down to see who's looking at it and are they enjoying themselves. And then taking tours, I really enjoyed that with students. We're able to show them the oldest bow in Britain and Ireland and tell all the little stories that you don't get told when you're on the official tour of the museum, the behind-the-scenes type stories. I enjoy telling those.
YF: If I could quickly follow up, is there an emotional story that you want someone to get as they're going through and as they walk away from the exhibit?
AS: We try and share the love, because to us, this stuff is absolutely fascinating. It's a big challenge to convey what you want, just using artifacts and a very small number of words, because obviously you're putting a book on the wall. People don't have that kind of patience. So it's a bit like a haiku poem.
AF: It's interesting because, objectively, you just want to stick with the facts. Subjectively, you have some kind of emotion involved. It was an area I always struggled with. With archeology and cultural anthropology, there's some people who just report the facts and just the data, and there's some people who do have some kind of an interpretation that takes place. It's what separates a lot of different people in anthropology, which one you are. Are you trying to put forth some kind of feeling involved? Are you trying to extrapolate what happens?
AS: My undergraduate degree was joint archeology and anthropology at the University of Cambridge. And yes, as archeologists, we're trying to get as close as we can to what made people tick. Get to their belief systems and their norms and their practices. Of course, it's far harder to do this when all you have is physical remains and artifacts. For an anthropologist, you can go in and visit people, and you might get what they wish to tell you—so you might not get a completely accurate sense of how they live, but at least you're able to talk to people and ask them. Whereas with archeology, it's a much more challenging thing.
Again, it's back to this pattern recognition, and one example is fantastic: jade axe heads from the Alps, which have been found all over Europe. People did really weird things to them and with them. For example, they might deliberately break them or burn them or both, and then they would deposit them somewhere special. The way to crack this, to understand their belief system is to say: "Where did the rock come from?" It came from the highest mountains in Europe. You have to go right the way up and make this really dangerous journey to find this amazing green material. You have to know how to extract it, how to work it. By doing ethnoarcheology. There's this wonderful couple who had worked for 25 years in New Guinea with the last people to make stone axe heads. They said, "Yes, of course we go up to the highest mountain because that's where the gods live and the ancestors lived, so the rock from there is divine. It's a living substance in its own right. And you have to treat it with great respect." Ethnoarcheology and drawing analogies and doing it in a skillful way—that is the relationship between archeology and anthropology.
YF: Do you often find yourself doing forensic work on a culture to help you better understand the artifacts that you're going to find? Would you say that's accurate?
AS: Oh, absolutely. In fact, the whole concept of a culture is something which is hotly disputed, because what you can do is describe sets of objects that look the same, and you can call that a culture. But would that necessarily correspond to people's ethnic identity? A racial identity? A cultural identity? A linguistic identity? The actuality is, it's a heck of a lot more complicated than that. Archeologists in the past have made this mistake of saying, "Okay, these pots look similar. So therefore we can talk about the people." And other archeologists say, "Pots are not people." But ironically, having done the DNA and the forensics, we're able to say, the people who used these specific pots were probably immigrants from the Continent. And on we go.
AF: Yvan, do you use subjective thinking in your reports? Do you put some feeling in there?
YF: No, you want to remove as much subjectivity from the report as possible. It has to be very timeline driven, very cut and dry, to the bone. Alison, you mentioned trying to bring emotion for an exhibit. I was removing all emotion out of the report. It's not like walking into one of your wonderful exhibits and going, "Wow, that piece really moved me."
AS: So you're not allowed to write, "Dang, that hacking was good!"
YF: I don't think Amanda would allow me to do that.
AF: It's true. I don't want you to write your feelings in the report, but we do acknowledge whenever somebody is a good hacker. We do talk about this. We say amongst each other, "Wow, that was pretty good how they got in there!" So it's super true. It's there. We just don't put it in the report.
AS: Do you ever meet the hackers? And what happens to them? Do they get prosecuted or something?
YF: It's hard to ever truly attribute the piece of malware, an actual attack, to a specific individual or group. You try using those TTPs and IOCs to do so, but as the world gets more connected, it's becoming harder and harder every day.
AS: I think what's so funny is that, you're talking in terms of enemies, and we're thinking in terms of the people in the past, they're our friends, although actually they did a pretty good job of killing each other. Sometimes we find things like arrowheads buried in people's backs. If I could go back into the past, they would probably say, "Who are you, and why are you asking all these questions about it?" I mean, it's wonderful to hear. It's the joy of finding things out, and the joy of suddenly realizing, "Ah, that's it," that I think unites us very much.
AF: Alison, it's the perfect segue into those three things I want to look back on. I always do things in threes, people know this, but that first one being that we should always enjoy the "aha" moment. It's so true. It's almost visceral that I have the same experience in an investigation today that we had at an archeology site 20 years ago. It's the "Aha—I found something of importance here, and it's going to tell that story." That's definitely the first thing I think people should walk away today with.
The second one is probably: have a good grasp of tools, process, and people. This is something I think we have much more similarity in than people realize. We use very similar tools. We use similar processes, like this threat modeling we talked about. And people have to have the passion to look for things here in both of our fields. I think that's tools, process, people. That's the second one.
The last one—you discussed this, and I love it—seek to find things unexpectedly. That was such a cool idea. When you do all the threat modeling, you think you're going to find something. In cyber, we do this, and we think we know where something might be. Where there's smoke, there's fire. But at the end, it's really about finding the unexpected in moments when you least expect it. I love it.
I think that's what we want to make sure people walk away and think about with their own program. What are you not finding because you haven't looked a little further? Finding things unexpectedly: that'll be the theme for today. It's awesome.
Let's end on my quote. This one's not some famous, famous one, but I do think it captures the energy of both of these fields together. "The greatest discoveries all start with the question 'why'?" That might be a cyber investigation, it might be some malware that you have to find on a machine, and it might be the beads to a necklace that you found in Scotland. But in the end, it's where it all starts. Why?
Alison, you lived exactly up to my expectations. Thank you so much for doing this. And Yvan, it's always a pleasure to get to hang out with you. So appreciative. Thank you so much for joining us.
YF: Thank you. Thank you, Dr. Sheridan.
AS: Oh, thank you so much. It was such a privilege to meet you all, and it's just fantastic. I wish we could now go to a pub and have a beer.
AF: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments or give us a rating—we'd love to hear from you!