The Nisos Dogpile
As co-founders, Justin and I have had thousands of conversations about Nisos with prospects, clients, investors, and peers in the cybersecurity and investigations industry. The question always comes up, “How are you different?” One of the challenges with differentiation, especially as a services business, is so much of what we deliver is tied to intangibles like talent and process in people. “You know how many times vendors walk into my office and say they were former members of the US Intelligence Community?” was a popular response from prospective clients in the early days.
In our five years at Nisos since starting the company, one piece of our company culture has really stood out and is a great source of pride for everyone that works here, so I wanted to share some thoughts. This may not be an answer for a sales pitch, but it’s something that makes Nisos a special place to work and a great partner to our clients.
When we took on our first clients we would gather around a large table in a small, crowded room, run cords in every direction, order pizza or bad Thai food, and try to get monitors big enough for people to shoulder surf from each other. Some were full-time teammates; some were contractors taking breaks from their day jobs. Some of the teammates didn’t even fully trust the other teammates because of previous work experience feuds, but all deeply respected the intellect that each brought to the table.
Together we all fed off the energy and collective brain power from one another to solve very complex security problems and drive a “team of knowledge” environment. Our intended outcome was always the same: a desired mission to advise our clients against bad actors targeting the private sector and more importantly, transfer that same knowledge and prowess to our clients. Over the initial months, a team of three turned into a team of ten. They told their friends, it turned into a team of twenty, and from there, the Nisos Dogpile was born as we grew the company. When observing the actions and passion of the Dogpile, Justin and I grew increasingly certain that bringing full transparency of our methodologies and adversarial mindset to our clients was one of those differentiators other companies in our industry lacked.
While the Dogpile sounds very startup-esque, we quickly realized that the Dogpile is still an essential part of what we do to make our clients successful even as we grow and scale. It is how we operate. Our ability to bring operators with talent from offensive and defensive cybersecurity; open source, geospatial, signals, and human intelligence; data science, devops; and language and geopolitical SME’s is what enables us to solve hard problems for our clients. (As an aside, it’s also what we hear from our team about why Nisos is such a great place to work.)
The Dogpile In Practice
Strategically, the Dogpile is our ability to acquire, aggregate, and action customized intelligence to allow any customer the ability to contextualize cyber threat intelligence across their organizations within their security operations center, legal, fraud, risk management, and human resources.
Tactically, the Dogpile is our ability to collectively blend technical expertise in threat intelligence, offensive tradecraft and approach, threat hunting for context, online investigation or attribution, and data engineering to provide world class anticipatory content and curation.
Practically, the Dogpile is a virtual room of technical cyber experts, online investigations operators, project managers, and business leaders solving problems and countering threats on the digital plane, usually fueled by long nights, Monster energy drinks, adrenaline, and endless curiosity.
What starts out with one or two operators turns into a group collaboration by many by the end of the investigation because one of the first few needed to leverage the knowledge of the remaining team. When the action starts getting interesting and findings become significant, it’s better than any Netflix binge watch. Operators take a break only to come back 30 minutes later, when they’ve missed 200 chat messages and someone found a lead that opened up the investigation. Even for those business leaders or project managers that are writing the reports, they are along for the ride as we leverage multiple layers of skillsets to uncover the layers of adversarial behavior.
Often, an engagement manager will need at least 5-6 different skill sets to interact directly with the client to not only build relationships but spread the knowledge to many levels of the organization we are helping: executive leadership, technical leadership, security practitioners, general counsel, human resources, security leadership, outside counsel, etc.
A few stories to illustrate the Dogpile:
Question: “We have malicious insiders who are taking over the network and monitoring our chat logs. Can you control the network in less than 24 hours, cancel their access, and take forensic images of their devices for future legal efforts after termination?”
Response: Yes. Please have someone witting of our efforts, plug in this device into an ethernet port in the office and we will take it from there. We had 18 hours to get this done during which the entire network was turned back over and accesses restored to the proper company personnel with no lost, defaced, stolen, or tampered data. Forensic copies of devices were delivered as requested. We made numerous recommendations to properly secure the environment going forward including their hybrid cloud/on-prem infrastructure. Twenty teammates assisted using all skillsets: Online investigators, offensive specialists, defensive threat hunters, developers, IT personnel, and data engineers.
Question: “Can you attribute this social media handle to find out who is conducting a disinformation campaign against our company?”
Response: Yes. Using some advanced OSINT techniques and the breached password correlation technique enabled by the Nisos Intelligence Database, the investigation took us 30 minutes when they’d been looking at this actor for months. One of the actor’s malicious email addresses was mistakenly used to register the real identity of the actor to a foreign university. A picture of his hand on his malicious accounts had a unique and matching ring to an open source photo of the real identity’s account. Ten teammates assisted of all skillsets: Online investigators, offensive specialists, defensive threat hunters, developers, IT personnel, and data engineers.
Question: “We previously had personnel attacked in a foreign country. Can you monitor the internet to provide indicators and warnings if this is going to happen again?”
Response: Not only can we do that, we will inform you of local sentiment about your operations across the country and provide you with information that enables your operations as well. To do this well, we built tools, pulled in data scientists, and reviewed collection options to find more threat data, then monitor it more effectively, specific to the unique environment and languages we were asked to monitor. Eight teammates assisted from all skillsets: Online investigators, offensive specialists , defensive threat hunters, developers, IT personnel, and data engineers.
Question: “Can you not only provide threat intelligence on how our application is being abused, but also tell us how it’s being used for fraud, attribute some of the major actors, and find new methods for how it can be abused?”
Response: Yes. Determining what APT groups are using your application? No problem. Further, determining what other malicious domains, hashes, and strings for indicators of compromise around this application are used for spearphishing? No problem; this is commoditized threat intelligence. Querying data from the internet to determine when someone is denigrating the brand? No problem. Using global netflow analysis, mobile data, and our internal credential database to inform the “how” and “why” behind various attacks in addition to the “who?” Got it. Providing context behind certain behaviors that are not IOCs yet? Yes. In addition we use our own red team techniques to find new CVEs, attack paths, and techniques on how the platform can be abused. This type of request is a 20 person dogpile.
So market differentiation may be one thing, but for anyone who works at Nisos in the Dogpile, the spirit is always the same between peers: “You won’t believe the unique nature of client engagements that come across our desk.” We love the challenges our clients put in front of us. By leveraging skill-sets and collaboratively pushing through barriers, we are able to provide our clients with results others cannot. So what are the real differentiators with Nisos? It’s the pride we take in solving the difficult problems our clients present us with, ‘dogpiling’ on to stop bad actors and harden up defenses, but also the camaraderie we build together and the lessons we learn along the way – both as a team, and with our clients – while the work is being done.