In this special employee spotlight, we are thrilled to introduce Nick Chalard, a detection engineer on our Threat Intelligence team at InQuest. Nick’s journey with us began as an intern, and he has since become a full-time team member, known for his dedication, expertise, and accountability. In this exclusive interview, Nick shares his background, insights on detection engineering, and thoughts on the use of YARA for threat detection. Read on to learn more about his valuable contributions and experiences in the ever-evolving field of cybersecurity.
Q1: Can you tell us a little about your background and what led you to join InQuest?
A1: I developed an interest in cybersecurity early in my computer science studies. While bartending at a restaurant, I overheard a discussion among attendees of A Conference on Defense (ACoD). I joined the conversation, asked a few questions, and was eventually introduced to Pedram Amini, who offered me an opportunity to break into the field.
Q2: You started at InQuest as an intern. What was your experience like during your internship, and how did it prepare you for your current role as a detection engineer?
A2: It was a trial by fire. I had to quickly fill gaps in my knowledge about information security and get up to speed with the threat landscape. It was a rewarding experience, allowing me to learn something new every day and create detections that defend against real-world threats.
Q3: As a detection engineer on the threat intelligence team, what are your primary responsibilities? Can you walk us through a typical day in your role?
A3: With the help of the TI team, I write signature-based detections using YARA, augmented by Deep File Inspection (DFI), to cover high-fidelity threats and establish a foothold on novel and developing threats. We focus mainly on initial access content, with most of our detection efforts targeting malicious document lures, obfuscation methods, and malware delivery via various file formats. Threat actors frequently pivot and change tactics, so staying on top of updates and new campaigns is an ongoing challenge. Over the years, we developed internal processes that created a feedback loop between the signatures we developed and what they detect in the field.
Q4: What do you find most rewarding and most challenging about your work in threat intelligence and detection engineering?
A4: Every day presents new challenges and learning opportunities. This field requires both a broad knowledge base and deep expertise in specific areas. Interacting with knowledgeable individuals in the community reminds me that there’s always something new to learn. Applying that knowledge and effort towards the greater good and being surrounded by like-minded people is incredibly rewarding.
Q5: You’ve been described as providing great value and being very accountable. What motivates you to maintain such high standards in your work?
A5: Unlike other jobs, I can see how my work directly affects the company and our customers. Our company culture and overall philosophy enable me and the rest of the team to take swift and meaningful action where it’s needed most. The adage of attackers outnumbering defenders is a constant reminder that we need to do everything we can to empower ourselves and the community to combat the growing number of adversaries.
Q6: How has your approach to detection engineering evolved since you first started? Are there any key lessons or insights you’ve gained?
A6: It was a steep learning curve at first and continues to be with the obscure file formats leveraged by cybercriminals. Learning how certain file types are commonly used to figure out how they can be abused is an almost daily struggle. Over time, you develop habits and workflows that become second nature. This is especially important in detection engineering, where attacker tactics may vary, but their overall goal is typically consistent. Having the flexibility to pivot as they do helps forecast their next move.
Q7: YARA is a tool frequently used in detection engineering. What are your thoughts on the use of YARA for threat detection? Do you have any tips or best practices for using YARA effectively?
A7: YARA is a great tool I use daily and falls under the category of “easy to learn, difficult to master.” When I was learning YARA and cyber threat intelligence during my internship, I focused on attribution and making “tight” rules to eliminate false positives as much as possible. Positive and high-confidence attribution is important when sharing rules through reporting or various channels. It can be a balancing act depending on one’s goals with signature-based detection. In working environments, being able to track even the most mundane characteristics and patterns of a file enhances detection capability. Threat actors are people too; they make mistakes like anyone else, and we can capitalize on those to reinforce security posture and add to tracking cases.
Q8: Can you share a particular project or accomplishment at InQuest that you are especially proud of?
A8: Back in 2019, when Emotet was rampant, our team was well-positioned to stay on top of detecting new variants of the malicious document macros. Decoding the obfuscated macro code was a challenge compared to other commodity malware campaigns. Writing the detection logic was demanding, especially while learning the constraints of YARA and ensuring signatures weren’t slow. We did all of this at a higher tempo compared to other active campaigns at the time.
Q9: In your opinion, what sets InQuest apart from other companies in the cybersecurity field?
A9: Having only worked at InQuest, I’m not sure how true this rings at other companies, but we use our product extensively for our day-to-day workflow. I’m fairly certain that the workflow for my role at a different company would look quite different and yield different outputs.
Q10: How do you stay current with the latest trends and developments in cybersecurity, and what resources do you find most valuable?
A10: I stay up to date with blogs and reports by other researchers in the field, especially those tracking similar or related threats. Trust groups and shared channels help by providing means to contact and interact with community members.
Q11: Outside of work, what are some of your hobbies or interests? How do you like to spend your free time?
A11: I’m trying to travel more and keep up with international news and geopolitics that may influence my travel plans. I also want to start learning another language. I’ve been studying Russian for the past few years, enough to read Cyrillic and keep up with reporting and discussions. DJing at home has been a hobby of mine for a while, and the process of finding obscure music over the years is similar to open-source intelligence (OSINT) gathering.
Q12: Finally, what advice would you give to someone aspiring to enter the field of threat intelligence and detection engineering?
A12: Don’t be afraid to ask questions, but also practice asking the right questions at the right time. I’ve had numerous encounters at meetups and events where a well-thought-out question led to positive, unexpected results. It got me to where I am today. Also, be open to expanding your horizons. In a field where people constantly challenge how computer software and hardware operate, getting hung up on things working outside of designed or intended use becomes a roadblock. People from all walks of life engage in this field, and recognizing this helps minimize bias when handling subjects that may challenge your worldview and beliefs.
Nick’s Bio:
Nick is a cybersecurity practitioner focused on cyber threat intelligence, malware analysis, threat research, and detection engineering. He broke into the information security field in 2019, interning at InQuest where he trained alongside industry veterans. He honed his skills and applied them towards combating novel and commodity threats in the wild. Always looking to contribute to community efforts, he can routinely be found analyzing and disseminating malicious content delivery samples and pivots used to deliver payloads. He particularly enjoys connecting cyber threat activity to geopolitical events and associated entities.