Cyber incident? Get Help
Log In

Coalition | The Coalition Blog.

Q&A with Shelley: How Coalition’s Incident Response team mitigates cyber risk with digital forensics
Stephanie Mangold

We are a technology (and data) company at heart but an insurance company by trade. Because our business is unique, we search high and low for experienced individuals who are experts in their field to help us on our mission to solve cyber risk. In this series, we speak with the people who make Coalition special and successful — a face to the email, so to speak.

Meet Shelley Ma, Incident Response Lead at Coalition. She faces the unique challenge of thwarting bad actors intent on wreaking havoc inside our policyholder's networks. She has a natural curiosity and attention to detail that makes her an excellent sleuth in the digital world, when she isn’t bicycling around Toronto. Find out why Shelley is so passionate about helping mitigate cyber risk and catching attackers before they commit a cyber crime.

What’s your story? Tell us about your life outside of Coalition.

I was born in Shanghai, where I was raised until the first grade. People often ask me about my accent. So if you were wondering about that too, that is because I grew up in South Africa; I am South African. Cape Town is where I planted my roots. As a kid, being a child of an immigrant family, I was home alone a lot while my parents were at work, and so naturally, I developed an addiction to television. My favorite shows were always in the true crime genre, and that fascination evolved into a career in forensic science as I neared my college years.

The other hobby that I spent a lot of time doing as a kid was messing around on computers. I don't know if you're familiar with this website called Neopets, but I used to spend a lot of time on there tinkering with the code, attempting to level up without really leveling up, if you get what I mean. But that aside, what this did do for me was develop a real love of technology and computers. So when I found out that there was this merging of forensic science and technology, aka digital forensics and incident response, it was just a clear-as-day moment. I found my calling!

I studied digital forensics and incident response (DFIR) in Washington, DC. Now I live in Toronto, Canada, where I've been for the last four years. I am absolutely crazy about the city with the exception of today; it's actually snowing outside, even though it's at the end of May. With life outside of Coalition, I try to jam pack as much in there as possible. I really enjoy socializing with my friends and family. I'm a huge foodie, so one of my favorite things to do is just to roam around Toronto looking for new foods to try. And because Toronto is so multicultural and diverse, you will always come across something you've never had before.

I'm also an avid traveler, but of course, COVID has tested our patience on that front. I love swimming and hiking. Rollerblading is a new hobby that I started this summer, but my absolute favorite sport is cycling. I have a challenge in August where I'm committing to a five hundred-kilometer mileage to fundraise for the Children's Cancer Foundation. August is usually known to be hot and humid, so wish me luck.

You’ve been working in digital forensics for several years now. What led you to join Coalition?

One of my team members at CIR, Leeann Nicolo, and I used to work together at a previous firm, and we became fast friends. Around that time, she had just adopted a Frenchie, and I had just adopted a pug named Vegas. We bonded over our smoosh-faced fur babies and ransomware. She had then subsequently made the move to Coalition and introduced me to the company.

The more I discovered about Coalition, the more alignment I felt in terms of culture, values, and outlook. I believed in the bottom line.

I saw so much potential in CIR and Coalition and so much opportunity for positive growth that I wanted to be a part of. Rarely do I come across a company in this space wherein the strive is to authentically move the needle on solving cyber risk and in such an intelligent and forceful way. I wanted to not just be somebody that applied band-aids. I wanted the opportunity to be able to work alongside and collaborate with insurance counterparts and be on the cutting edge of technology. And I'm so grateful to have that Coalition.

What is a day-in-the-life at Coalition like for you?

That is certainly a tough question because every day is different. Sometimes every hour is different. What I can say confidently, though, is that it's seriously a good time. So as an incident response lead, on a daily basis, I assist in the handling of cases that arise from claims experienced by our policyholders. That ranges from ransomware to business email compromises to all of the rogue and strange breaches and incidents in between. I also assist the claims team with what we call instant response, which are cases that are not quite fully fledged claims, but the organization has experienced some type of security anomaly that requires expert guidance or advice.

My favorite part of the day-to-day goes back to my foundation, where I can dive into forensic investigations. I still see myself as an analyst at heart. I love sleuthing and I love combing through logs. I can do it for hours and hours. Sometimes I forget to eat. Coalition encourages employees to pursue personal development, so I dedicate portions of my work schedule to training and keeping up with the latest and greatest in digital forensics. I really enjoy involving myself in business development engagements as well as marketing engagements, which are often scattered throughout my work week. That includes conducting presentations, speaking with brokers, and meeting with clients. And a large portion of my day involves collaborating with my peers.

I have a phenomenal team here at Coalition with whom I can bounce ideas off of and celebrate successes. We have a great time.

How do Coalition’s products assist with alerting and tipping?

I think the best way that I can answer that is with a real-life example of a success story. Part of what we do at Coalition is monitor attacker traffic on attacker infrastructure and domains, and sometimes we receive external indications, which we call signals that may allude to an active malware infection within our policyholders’ networks. Should we positively identify one of these malicious signals, we would notify our policyholders and advise them on containment and next steps and whether an investigation would be necessary.

In this specific case, we had identified a malware signal that showed traffic going to an attacker's infrastructure coming from within an insured's environment. The signal identified the exact computer that was the source of the malicious traffic. And the malware in this instance was identified as the Dridex banking trojan, which is often a precursor to ransomware. To prevent a full-fledged ransomware attack, we wanted to get a handle on this infection as quickly as possible, especially because Dridex is commonly affiliated with what we call "big game" ransomware variants that typically result in ransoms that are upwards of six figures or seven figures and are also linked with data theft and data exfiltration. So we definitely wanted to get our hands on that as quickly as possible. CIR connected with the insured's IT personnel right away.

Our immediate next steps were to deploy an advanced endpoint protection solution that would allow us to monitor the threat status of the devices. You can look at it like an antivirus on steroids. It uses behavioral-based detection techniques to stop advanced forms of malware like banking trojans and ransomware. We also collected the computer that was identified in the signal to be the source of the malicious traffic so that we could forensically analyze that system.

During forensic analysis, we found that the system was indeed compromised with the Dridex banking trojan. There was even evidence to suggest that the attacker had already remoted into that system, manually tunneled in, and did a bunch of stuff. One of the things we did was perform what we call reconnaissance. This is usually a step in the ransomware attack pattern where the attacker sets the stage for enterprise-wide deployment. Our analyst jumped on the examination very quickly and was able to turn the findings around within a day. And then, we were able to isolate that system from the network, thereby air gapping it to prevent further spreading. Once we started monitoring the infrastructure, we found that the attacker had attempted to reinfect the network multiple times via phishing emails and tried to push through that ransomware and that banking trojan once again. Fortunately, we were able to stop those processes before anything happened.

But here's the twist.

About a week later, our threat intel team who monitors attacker communications on the Dark Web, received additional intelligence. The attackers had posted messages on their panels revealing information about our insured’s company as well as their revenue. They said they were about to flip the switch on the ransomware. So we probably dodged the ransom by literally a strand of hair. We likely got to it hours or days before the bad guys deployed the ransomware.

So this was a close call for us and a really big win for the insured; it didn't cost them a dime. And this case really highlighted the strength of Coalition's proactive efforts to prevent a potentially catastrophic claim.

Cybercriminals are becoming more stealthy; what can companies do to protect themselves against an ever-evolving cyber landscape?

I love this question. I'm going to try to condense the answer so I don't go on for forty minutes.

It's always good to have the fundamentals in place — have Multi-factor Authentication (MFA) on critical infrastructure, have backups, have EDR solutions, and have strong passwords. These are all great security implementations and they are very important. However, as you said, attackers are becoming stealthier, and they're becoming more professional. I always like to encourage my clients to operate with the mindset that all of your security products will fail to work. Working in incident response, I see attackers evading and dancing around security products all the time because the one thing that attackers have that is a rare commodity for us is time. Attackers have all the time in the world. They can go slow; they can fly under the radar; they can evade detection. So with that in mind, there's a security concept called cyber deception. And what it is, in a nutshell, is implementing multiple different points of deception in the environment that will act as bait for the adversary.

An attacker will break into a computer that's on your network. From there, they will move laterally to central or critical infrastructure in order to inflict maximum damage. Attackers will always pivot inside of a network, and they will always look for very specific things during their reconnaissance in order to successfully execute an attack. Cyber deception takes advantage of this pivoting technique by giving attackers bait, like using a document that's named passwords.doc. Attackers will search across the network for the word “passwords,” so why not give it to them. You can also set up an administrator account that serves as bait that will trigger if anyone tries to log into it.

And when the attacker bites, which they will bite, you will get notified, and you can shut it down instantly. Plus, you can implement utilities around the bait that will track them and grab their information like IP address and other types of details around attribution. And you know what? These features are so incredibly easy and completely free to set up. It takes one hour at most.

Can you discuss working with the Canadian Coalition team and our growth in Canada?

The Canadian team has a private Slack channel where we talk about really important topics like hockey and Tim Hortons. But that aside, we have a fantastic team in Canada. Our team has grown a lot over the last few months. We're now at five members in business development, two in underwriting, and two forensic investigators supporting Canadian brokers and policyholders. We are also now licensed from coast to coast, but not quite yet in Quebec.

Canadian brokers have been looking for a streamlined way to quote and bind cyber. We're delivering on our promise by making the cyber purchasing process as easy as possible. And we've found that the Canadian market has truly embraced our approach of pairing cyber insurance with risk management.

What advice would you give someone interested in incident response?

Capture the Flag competitions (CTFs) are a great way to get your feet wet in incident response. Plus, it's an excellent way to meet folks in the community and broaden your network at all experience levels. There are a variety of excellent CTF resources on the web. My personal favorites are OverTheWire, and CyberDefenders. Also, start learning and getting familiar with forensic investigations and tools. There are a lot of low-cost or no-cost online courses and podcasts that have excellent content. Start playing around with as many forensic tools as you can get your hands on, many of which are open source and don't cost a penny — Autopsy, Velociraptor... heck, get acquainted with PowerShell.

Of course, if you do have the resources, the SANS FOR500 course is a good start. I would also advise learning more than just Windows forensics. Having a firm grasp on investigating operating systems besides Windows like cloud platforms, Mac, Linux, and mobile will definitely broaden your scope and skillset and give you a leg up. Memorize those SANS posters.

But probably the most valuable advice that I have ever received and will continue to give out is to be curious. Go into the world with a learner mindset and always ask questions.

If you enjoyed getting to know Shelley and you’d like to learn more about opportunities with Coalition, visit our careers page for more information and open opportunities.

Why not meet other standout members of the Coalition team? Product Lead Ketan builds products that bridge the gap between technology and insurance.  JT leads our Customer Success team, while Emily supports our Business Development team. They spend time building great relationships with our broker partners and policyholders every day.

Coalition’s products are offered with the financial security of Swiss Re Corporate Solutions* legal entities (A.M. Best A+ rating), Lloyd’s of London (A.M. Best A rating), Arch Specialty Insurance Company (A.M. Best A+ rating), and Argo Pro US** (A.M. Best A- rating).
WHAT WE DO
© 2021 Coalition, Inc. | Licensed in all 50 states and D.C. | CA License # 0L76155
*Insurance products may be underwritten by North American Capacity Insurance Company, North American Specialty Insurance Company, or an affiliated company, which are members of Swiss Re Corporate Solutions. **Insurance products may be underwritten by Peleus Insurance Company, Colony Specialty Insurance Company, or an affiliated company, which are members of Argo Group US, Inc.