Interview : Thomas Chopitea, Société Générale CERT

URL of the Thomas Chopitea talk about FIR: link.

Hello Thomas

Could you introduce yourself to our readers so they can get to know you a little better?

I am an Incident Handler at CERT Société Générale since 2012. I hunt hackers during the day and by night I develop tools that I share (it’s not interesting if I am the only one using them!) like Malcom (https://github.com/tomchop/malcom). I try to bring my contribution to the forensic community which may sometimes lack tools.

Has security always been your favorite topic, or have you been interested in other IT topics like development or system administration?

I had been interested in security long before joining CERT SG, but I really discovered incident handling, forensics and malware analysis after working there. These topics quickly became passions for me. I have done some sysadmin tasks (every geek has done a LAMP installation once in his life, no?), and I coded a lot during my years in college and during internships. I was "the network guy" for my fellows at college. I also had my entrepreneurship period, but I missed security quite a bit. Who knows, maybe one day I’ll get to combine the two... ;-)

What is a typical day of a CERT or CSIRT analyst?

There is no typical day, and that’s precisely why it’s exciting! I can be pulled out of a log analysis session on obscure network equipment to dig into a hard drive that has just been delivered, in which I’ll find some malware that will have to be reversed to establish appropriate countermeasures. It is an extremely dynamic environment; we never do the same thing from one week to another. We have to manage to adapt quickly, and scheduling is a real challenge! We’re always working on different things and we never get bored... We also face human opponents who think and sometimes make mistakes, who may be lazy or surprise us with their innovation... and that’s extremely exciting!

In your opinion, what are the profiles that must be present in a CERT to ensure its efficiency?

You have to be versatile, while having the ability to dig deeply into a particular subject. You have to be able to code a bit, know your way around networks, filesystems, attack methods, the cyber-criminal ecosystem, advanced attacker tactics, operating systems, have an analytical mind, be pragmatic... it varies greatly. Obviously, each team member ends up specializing in certain disciplines, so the ability to interact and work as a team becomes paramount. There will always be a member of the team who is more familiar with the underground cybercriminal ecosystem, a converted pentester, a great developer, a wannabe reverser... and someone to manage all these crazy people. We rely heavily on each other to carry out our activities. On top of that, we must have as complete a picture as possible of the Information System in which we evolve; of course, the latter skill is acquired over time on the job. And finally, given the cases that we sometimes face, you had better also have a very good sense of humor ;-)

Based on your experience with the CERT SocGen, do you have a view on the evolution of threats against organizations, but also against individuals: APT, myth or reality? We manage to defeat targeted attacks, but will we manage (even if it is not made public) to know who is behind these attacks (crime, other companies, state agencies...)?

A major part of our work is to be aware of trends in threats and attack techniques. While points of view may differ on the definition of APT, I think everyone agrees on the fact that it is far from a myth. As for attack attribution... extensive troll^Wdebate. While it’s possible to trace the infrastructure of a group of attackers, and thus get a good idea of who they are and where they come from, we are never free from "false flags": operations mounted in such a way that they seem to have been organized by someone other than the true organizer. As soon as we start asking ourselves the question "who benefits from the crime?", we gradually slide out of the "cyber" domain into one which has more to do with classic intelligence or "good old police work".

And at the other end of the chain, in your view, is the user doomed to see their devices hacked on the net, or can making good security choices save their devices?

It is easier and less risky to steal a wallet than to rob a bank. The same goes for IT: customer security postures are much weaker than the Information System of a bank. It is therefore natural that customers are the first target for cybercriminals; and due to the scale of the Internet, they can make big profits with little risk.

Of course, a good set of security measures can minimize exposure to these kinds of threats. Unfortunately, the number of people with good security habits is not enough to discourage the attackers...

Let’s get back to your conference at LSM: why has the SocGen CERT created FIR? What is the main requirement covered by FIR?

We just wanted a tool that allows us to easily manage and monitor the incidents we handle every day. After exploring the market and the existing free software solutions a bit, and asking our counterparts to find out what they were using, developing our own tool, specifically tailored to our needs, seemed obvious.

Was publishing FIR under a free software license an obvious choice within your SocGen CERT team? Why did you publish it that way?

FIR was designed to closely match the way we work. That was the main reason why we asked ourselves whether it was useful to open it or not: what interest is there in publishing something that nobody can use? Finally, we took a little time to make it as "agnostic" as possible before publishing it. We decided to publish FIR especially to help incident response teams that were in the same position as we were two years ago, when the first lines of FIR began to be written. At worst, it gives them at least a skeleton application to manage all their incidents, and at best a powerful tool with plugins shaped according to their needs.

Last personal question: do you work every day in an environment consisting mainly of free software or of closed-source software? During your studies, which were not very long ago, how much of the software environment was under a free software license?

I mainly run on Mac OS X, and I’m doing just fine! :-) That said, the tools I use every day are, for the most part, free software. Whenever I start a new script or a particular development, I will always favor free software environments / frameworks / languages. Unfortunately, I do not recall having used a lot of free software during my studies, except for a couple of hours dedicated to Linux and some courses in PHP...

Thank you for your answers, and we invite everyone to attend your presentation on FIR at LSM, Tuesday, July 7, 2015 in Beauvais!