| cert

Carrière & Cybermenaces actuelles…Découvrez Adrien, Analyste CERT

A Synetisan for a year now, Adrien Gand, CERT analyst, shares with you his professional background, his expertise in incident response and his advice on how to best secure your IT environments.

Can you introduce yourself in a few lines? Can you tell us more about your role at Synetis?

Norman passionate about sports but also about computer science, I chose to direct my studies post baccalaureate towards this field. My appetite turned very quickly to the network and security.

After my degree in Saint Malo, I put my first foot in the professional world by joining an integrated SOC. After 4 great years in this team, I wanted to put a second foot in cybersecurity and I had the chance to integrate the CERT (Computer Emergency Response Team) of Synetis.

I had already had the opportunity to work with Synetis in 2017 on an IAM project in collaboration with my former company; this collaboration had gone well, which left me with good memories of the Synetis teams. Today, within the CERT, I work with my team on various incident responses, from a simple question mark to a proven incident.

Moreover, I always wanted to continue my studies but also seize the opportunity to enter the professional world and learn on the job. That's why I started a course with the CNAM school in September 2019 - aspiring to an engineering degree (soon in pocket).

Can you describe what an incident response is?

We talk about incident response when an organization is the victim of an Information System (IS) compromise. At CERT, responding to an incident consists first of all of accompanying the victim during his crisis management. In a second step, several artifacts are collected (Windows logs, registry, MFT, etc.). These data will allow us to reconstruct the attacker's modus operandi and therefore to understand the different means used by the cybercriminal to infiltrate and compromise the IS. Finally, a detailed report of the chronology and analysis of the events will be provided to the victim with a list of recommendations for better protection in the future.

Why did you choose this career? What is your daily life as a consultant at Synetis?

I chose this career because I like to feel useful and to be, as I like to say, an "IS fireman". What I like about Synetis is that CERT is not a routine job, no two interventions are the same and you are constantly learning new skills.

As a CERT consultant, my daily job is to respond to various incidents. At times, I don't intervene as much, so I take the opportunity to perfect my analysis methods and tools - by writing procedures to detect a particular attack technique such as Kerberoasting or Golden Ticket generation.


Need advice on securing your business?

For you, what are the top 3 tips to give a company to avoid a cyber attack?

To secure its environments as much as possible from today's cyber threats, I will advise companies and organizations to:

  • Know their IS to better protect it: its exposure to the Internet, its human/technical flaws, etc. For example, during an intervention, it is common to realize with the victim that one of his servers is exposed on the RDP port when it should not be. A good knowledge of your IS allows you to avoid this situation;
  • Test their IS to identify its weaknesses: auditing their entire internal/external and human IS is important as it is an effective way to evaluate the protection of their IT infrastructure;
  • Keep the IS up to date: updates correct (among other things) the security flaws exploited by attackers to infiltrate or extend the compromise of your IS.

These recommendations are only a top 3, the cybermalveillance.gouv website lists a number of good practices to follow in order to ensure a good level of security for a company.

What attack or cybercriminal group surprised you this year with its modus operandi?

I remember an attack carried out by the Blackcat group with an atypical modus operandi against the IS of a company with a very large IT infrastructure - in the middle of the Christmas season. The cybercriminal group used network shares (a mechanism to share folders on the network to access them from multiple machines) to execute the encryption, and thus leave little trace on the machines. In addition, during this cyber attack, the hackers took care to reboot the various servers in safe mode - again to leave a minimum of information on the IS. These two techniques used, among others, have elevated it to the rank of the most impressive and most elaborate ransomware attack that I have had to investigate with the CERT Synetis team.

  • Post published:28 October 2022
  • Author/publisher :

Eva Allavena

Head of Communications and Press Relations.