23 April 2014

Moving On to New Career Opportunities

In the next few days I will be moving on from my current work and into a new and exciting opportunity. As I worked through this move, while also writing a book and preparing con talks, I started thinking about the practical and emotional tasks needed to make sure my current employer and clients are taken care of while I prepare for the future.

In that spirit, I wanted to pass on a few ideas that may help others.

Personal Side

To begin with, let's discuss the personal side of the move. I've been working with the Defense Cyber Crime Center (DC3) for almost 14 years. I've been with them since before they were even named DC3, when they were just the Defense Computer Forensics Lab (DCFL) and the Defense Cyber Investigations Training Program (DCITP a.k.a. The 'TIP). Also, since we've had "Cyber" in our agency name since the late 90's, I'm fully allowed to use it in regular conversation without drinks.

I've said goodbye to DC3 once before, temporarily, as I moved on from being the Deputy Technical Lead of the Training Academy. I left with the weight of a serious case of burnout and needed a break. Getting into the down and dirty of regular forensic work was the fix.

I joined my good friends Eoghan Casey, Terrance Maguire, and Chris Daywalt in their venture, cmdLabs. We worked out awesome incident response cases together and delved into research projects and code development. At about this time, cmdLabs was acquired by Newberry Group, run by a CEO and VP that I had known for over a decade. Life was good and, after a cool-down period, I went back into DC3 on a separate contract to work on their Intrusions team.

However, all good things do come to an end. An old friend offered me the opportunity to work on the RSA NetWitness team. This is an excellent chance to do my favorite things: incident response, forensics, malware analysis, and threat intel, in a very challenging environment with coworkers I respect as my technical seniors. I was getting too long in the tooth at DCFL and wanted to be back in an environment where I'm struggling every day to keep up.

Deciding to leave was not easy; it was extremely stressful and nerve wracking. I love Newberry Group and their family-like environment, and greatly enjoyed the casework that I was exposed to at DCFL. There will always be that shred of regret when you leave something you love, but new opportunities beckon. Even after parting, I will continue to assist my peers at Newberry and DCFL; their teams are just that amazing.

Technical Side

Let's discuss some of the efforts and decisions that go into making a move such as this. Some are my personal opinions on leaving a job, and some are good advice for others to consider.


First, are you sure you want to quit? Most of the issues behind a disgruntled resignation can be resolved simply by communicating. If you reach the point where you want to leave your job, talk to someone before you accept any hard offer.

It's definitely worthwhile to interview elsewhere, to see other opportunities and where you stand. This can help you go back to your management and demonstrate what other companies are doing, and what they're paying for talent. In my own recent travels, I encountered a grueling 6-hour on-site technical interview and a 12-hour at-home technical interview. These were especially helpful in pinpointing my weaknesses and strengths, making me realize that there were some jobs I loved but wasn't ready for, and that these were skills my current job could train me in if I gave it a chance.

Is it salary? Or a bad work environment? Those things can likely be solved, but only if they are brought to the attention of management. Many organizations will quickly fork over bonuses and increased salary to keep a star employee around, especially in contract work. Some work environment problems can be resolved by allowing you to work from home twice a week, shifting your work hours, or moving personnel around. Again, it's only possible if it's communicated.

The best thing you can do is request a meeting and simply say "I'm thinking about leaving, and here are my reasons why."

For many years I commuted an hour each way. The stress of this was slowly taking a toll on my physical and mental state. I dreaded my drive every day, and ended up listing my house for sale to move closer. However, after months on a bad market, I gave up on selling it. I raised the issue with my boss: "I just can't do it anymore. I'm stuck, I'm miserable, and I don't see a way out." They saw a way out and offered a creative compromise that finally allowed me to move closer to my job.

I raised an issue, they felt it worth keeping me around, and we worked out a solution together.


Do you need to quit right now? Sometimes there are extenuating circumstances that require it; other times it's your choice. Maintain a good relationship with your employer and clients, and monitor the workload. If you leave during a critical incident, or a heavy period of assignments, you place a heavy burden on your coworkers. They may never forget that.

My advice: Tell your boss that you're leaving but that you're worried about what would happen in your wake. Agree to work through a crunch period, or a period for them to retrain another employee, before leaving.

And, most controversially, don't give two weeks' notice. That's completely unrealistic in our industry. The current trend in most of the working world is to give zero notice, but that is generally aimed at positions requiring little skill.

The more responsibility you have, the more notice you should give. And the digital forensics and incident response field is a candidate's market: there are not enough candidates to fill the jobs, and it's extremely unlikely that a replacement would be found within two weeks. Additionally, if you are contracted to a client site, your company may face the permanent loss of work or positions if it is unable to back-fill your position quickly after your departure.

If you've been in the industry long enough, you realize just how small it is. I still occasionally interact professionally with people I worked for over a decade ago. In forensics, your work rests upon your character. The adage about burned bridges is definitely true, and they will haunt you.

Additionally, the work we do doesn't lend itself to just walking away. If you're in the middle of a large-scale incident response, you need to properly brief your replacement on the client's details, the current state of the operation, and what should be focused upon. Likewise with a criminal or forensic examination, where you may be asked to testify one day (even after you quit). If you walk out too quickly, you risk your organization having to redo the entire investigation from scratch, which will not make anyone happy.

Four weeks' notice should be the standard for our industry, in my opinion. If in doubt, and you should be, have a conversation with your management about what an appropriate time would be. If they prefer to have you leave within the hour, then know that they were looking to get rid of you for a while... Again, communication is the key.

Brain Dump


In your final days, you're finishing up your examinations and preparing for the end. If you're lucky, you'll be placed in a state where you're not given any more forensic examinations to perform. However, expect to be working up to the bitter end.

In a good environment, instead of giving you new and difficult work, management will assign it to others and have you mentor that person through the process. This will afford you time to work on the truly important task: information sharing.

The single most important thing to accomplish before leaving is to capture any knowledge you have in a form that others can use. Each person on a team has their own specializations, and it may be impossible to hire a direct replacement who can perform the same tasks as you. Therefore, identifying and documenting these tasks will help keep your old team performing even in your absence.

YARA rules are one direct way of transferring knowledge. Once you've been in the industry long enough, you acquire a sixth sense about malicious indicators; seeing specific domain names, file names, or registry keys will instantly raise a red flag and tell you where to look next to find indicators of the attack. For example, part of my leaving has me correlating and documenting six years of webshells into YARA rules. It's taking my own personal passion, tying it into a larger effort, and giving future examiners instant correlation. Also, it only took 4 hours of concerted effort, so there aren't many excuses NOT to do this.

Additionally, if your team has an internal wiki, make sure that everything you've done has been documented in great detail. If you've presented any internal Technical Exchanges, make sure that the pages are updated with step-by-step procedures and with the latest software.

Examine any half-written scripts that you've been tinkering with. Spend an hour cleaning them up, documenting them, and adding basic usage text to help others months down the road. There is nothing worse, as a user, than running a script and receiving this, because it reads sys.argv[1] without first checking that an argument was given:

Traceback (most recent call last):
  File "Z:\Malware\Scripts\Baskin\AwesomeCoolDecoder.py", line 202, in <module>
    filename = sys.argv[1]
IndexError: list index out of range

Identify any key task that you've taken upon yourself and notify others of it. We all have hidden jobs that no one knows about. These could include cleaning up certain network shares, maintaining naming structures in the internal wiki, escorting visitors through an area, sitting in on an annual meeting, or updating the software available to the team. These are the little things that will cause mass confusion in the weeks ahead, often because no one realized that you were doing the work in the first place, and they will be surprised that it's not just magically done Monday morning. This is also one last bit of performance measurement that you can provide to strengthen the bridge for any future professional work.

I admit that this may be viewed as giving up your competitive edge, your job security: disclosing private, technical solutions to coworkers. I would counter with the fact that you are more than just a laundry list of technical items. Your value lies in the ability to function without a list provided by others, to do so quickly and efficiently, and to document your actions for others. In other words, being a technical leader and not a follower. Even if you consider yourself a mere follower, the steps laid out here can help mold you into a leader to those around you.


  1. Well written and solid advice. Thanks for sharing. I especially like the note about the information vacuum that is a SCIF :)

  2. Well said. A job is a relationship. I'm not sure why more people don't treat it as such, and I've never understood people that walk out of either with zero notice. Unless they're already ushering you out or the separation is mutual, it's a direct reflection of how much respect you had for what you were doing, and with whom you were doing it.