
‘We help each other, no matter where or who you work for’
‘It’s a game of cat and mouse. They are on one side of the computer, we’re on the other side. The question is: who is going to win?’ Olaf Haalstra (27) is a Senior Consultant in the Deloitte Incident Response Team, fighting cyber criminals who are attacking large organisations. More than most people, he is aware that knowledge is power. ‘As a cyber security expert, you can’t afford not to be informed about the most recent developments. I need to know what new tactics attackers will use, so I can help clients defend their organisation. Or even better: be a step ahead of the hackers and pro-actively create smart solutions. The cyber community on Twitter plays an important role in this. We help each other, no matter where or who you work for.’

"Even without the challenges, there is a real team spirit within the community."
Olaf Haalstra | Senior Consultant Incident Response Team
Twitter and morning coffee
‘Even without the challenges, there’s a real team spirit within the community. We all fight for the same cause, against the same criminals. We share the knowledge that we gain in our discipline. Every day I log in on Twitter to look for crucial information – new hacks, new tricks. At Deloitte, we use open source tooling for our analyses and solutions. If I’ve built something, I offer it to others. To help them, but also because I’m proud of what I do.’
Blue team, red team, one team
Within Deloitte, Olaf works in the so-called “blue team”, or “team vigilant”. This is the defending team, which exists alongside the “red team”, which is responsible for attacking. This is army jargon: during Red Team testing, military units test each other for weaknesses and vulnerabilities. The Red Team attacks the Blue Team. ‘We work in five teams: strategy (how can companies become more resilient?), offense (ethical hackers who expose vulnerabilities), digital ethics and privacy (what is the impact of digital technology such as machine learning?), identity and access management (how can we make the login process as safe as possible?), and team vigilant – my team. We focus on monitoring, security engineering and incident response: acting on an incident. Sometimes it’s a small-scale incident, with a virus alert on one laptop, so we need to limit the risk of more damage. And sometimes it’s a large-scale incident – with ransomware.’

Back to the source
‘Just imagine there’s a ransomware attack. In that case, we need all login information as soon as possible. Preferably, the client uses SIEM (Security Information and Event Management). That means all crucial logs are in one central location and hopefully we are able to find the source of infection there. If there is no central recording location, we use forensic copies of as many servers and laptops as we can find. In case we’re in a bigger hurry, we use triage scripts – only the logs and artifacts of servers and laptops that are required for the investigation. Our goal is to retrieve where attackers have been – and where not – and to which systems they had access or no access.’
Containment, eradication, recovery
‘Solving the security breach consists of three stages. Stage one is containment: preventing the hack from spreading further. Stage two is eradication: cutting the hacker’s access off so they can’t be in control again. Sometimes that’s just a matter of literally unplugging from the internet. Eventually, what is the most practical and sustainable solution depends on the situation. Stage three is recovery: operation “cleaning” and starting up again. In case of malware, the first step is to delete the malware and change all passwords. If necessary, we can install a better firewall. The sooner the better. As soon as an infection has been detected in one part of the company, it’s a matter of hours before the attackers can also infect other parts. So it’s key to isolate these parts. If everything is locked and it’s a large company, it could take weeks before you’re up and running again. So in case of a large infection, we always assess which parts can start up again before there’s a reinfection.’
Serious, professional crime
‘This is large-scale cybercrime. Companies are being blackmailed to pay millions. These are serious operations. Just like we have a red, blue and strategic team, they have a service desk, designers, strategists. This is a professional business with a huge impact. In general, these criminals use a phishing mail to try and get access on a large scale. It only takes one employee to click on a link, and they’re in. Then they assess which company it is and what the value could be. This type of information and the access are a business model in itself. Hackers collect information and sell it to other parties that expand their foothold within the company to the extent that they can eventually lock it – ransomware operators. Finally, another party steps in to do the negotiations. For instance, last Christmas we feared that Log4J was vulnerable. Through this logging module in software packages, it was relatively easy to get remote code execution on the system that uses this vulnerable software. If this access had been bought and used by ransomware operators, the Christmas holidays would have been entirely different. Fortunately, that wasn’t the case, but we’re not sure what’s next. In this case, too, I found all risks, incidents and successfully applied solutions around Log4J on Twitter. That’s how I prepare for what might happen to our clients.’
The golden triangle of effective security
Almost all cybercrime experts share this passion, but it’s not always the technological component, Olaf explains. ‘Cyber security consists of three components: Human, Technology and Process. Your technology is as good as the people who work with it. Maybe you have developed a wonderful security tool, but your employees think it’s too much trouble. In that case, they won’t use it, and all your good work is in vain, with all kinds of consequences. You need the right processes to convince people of the how and why. That’s why it takes so many different people, passions and disciplines. In our department alone, there are more than 250 professionals, each with their own discipline to which they are fully dedicated. Only by using that diversity will we be able to win the game of cat and mouse.’