Keisuke Tanaka, Principal Incident Response Consultant at TrendMicro, spoke with The SANS Institute about why he chose SANS to train his cybersecurity team. In this Q&A, Tanaka also shares the challenges he and his team face as well as the courses he recommends for those facing the same or similar challenges.
SANS: Could you share your role at TrendMicro and its importance?
TrendMicro primarily engages in selling security products and services to both corporations and individuals. However, it's worth noting that we have offered incident response services to corporations for approximately 10 years. In my role, I am responsible for proposing, delivering, maintaining, and enhancing the quality of our incident response service, as well as leading the team members involved in its delivery.
Our team specializes in incident containment, eradication, and implementing permanent countermeasures for customers who have fallen victim to cyber-attacks. We achieve this by effectively utilizing our products. Additionally, we collaborate with clients to determine whether our products can identify the specific tactics, techniques, and procedures (TTPs) employed by attackers during the incident. We then work on creating rules for attack methods that may have gone undetected.
Given our position as a vendor developing security countermeasure products, it is crucial for us to respond proactively to real-time threats in the field. This daily engagement allows us to continually refine and enhance our products based on the insights and experiences gained from these responses.
SANS: What challenges are you currently facing as an incident response consultant?
While several of our younger members aspire to join the Incident Response Team, we recognize the importance of a diverse skill set beyond the security expertise acquired through SANS. This includes a solid understanding of IT fundamentals and customer environments, hands-on experience in maintaining and building environments, effective internal and external communication, negotiation skills, and other essential prerequisites. We constantly contemplate the ideal career paths for our members and consider the skills and experiences that will best prepare them for success.
Additionally, we are actively exploring strategies to expand our staff and enhance operational efficiency. This effort is aimed at ensuring our ability to deliver stable services when consulted, reinforcing our commitment to providing reliable and effective support.
SANS: What do you and your team do to keep up with the ever-changing threats? What are the challenges you face in upskilling?
Essentially, we enhance our skills by incorporating the practical experience gained in real-world service, aligning with each individual's areas of expertise and interest. We firmly believe in the value of alternating between hands-on work experience and structured learning. As part of this approach, we consistently participate in SANS courses, where we acquire new knowledge. Subsequently, we share our experiences and insights in internal study sessions, facilitating the organization of information and deepening our collective understanding.
SANS: As an incident response consultant, which SANS courses do you recommend?
We mandate that all our incident response team members undergo the FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics course, which has emerged as a widely favored gateway course at SANS. Recently, I personally enrolled in courses like SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses and SEC699: Advanced Purple Teaming - Adversary Emulation & Detection Engineering. I highly recommend these courses due to their effective coverage of the attacker's perspective, command and control tools, as well as perspectives and tools for detection and defense.
The exercises in these courses involve implementing countermeasures like AppLocker and LAPS, commonly utilized in corporate settings. Additionally, there are practical exercises involving attack tools such as BloodHound against Active Directory, which are challenging to validate independently. Creating a realistic environment for such verification is often a complex task, requiring considerable time and effort.
SANS: What is your next goal? Which courses would you like to take next?
LDR514: Security Strategic Planning, Policy, and Leadership
I am interested in enrolling in a management course, a domain I haven't explored previously, to acquire the perspective of a corporate security leader. This perspective is valuable for someone in a position to engage in contracts and issue orders for incident response services.
Summit Presentation:
Tanaka presented at the 2023 Ransomware Summit, addressing the topic "Analysis on Legitimate Tools Abused in Human-Operated Ransomware." The presentation involved a comprehensive analysis of legitimate commercial tools exploited by ransomware attackers. The talk provided insights into the specifications of these tools, the artifacts utilized in the investigation, and essential measures needed to prevent such attacks. I encourage you to review the presentation for a detailed understanding of the subject matter.
Completed SANS Courses
- SEC497: Practical Open-Source Intelligence (OSINT)
- FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- SEC560: Enterprise Penetration Testing Course
- SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
- SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection
- FOR518: Mac and iOS Forensic Analysis and Incident Response
GIAC Certifications:
- SANS GIAC Open Source Intelligence (GOSI)
- SANS GIAC Certified Defending Advanced Threats (GDAT)
- SANS GIAC Certified Forensic Analyst (GCFA)