Chris Doman, Co-Founder & CTO, Cado Security

FF: Chris, how did your background in security operations and threat research lead to the founding of Cado Security?

The US Department of Defense used to run a fantastic forensics competition, open to people the world over. Sadly, that’s no longer operating, but it got me and plenty of other people into DFIR. That led to an opportunity to work in the DFIR team at PwC UK. When you’re in your 20s, flying around to acquire hard disks and help clients is pretty exciting. It was a fantastic place to learn, but as many people on Forensic Focus know, incident response is pretty tiring after a while.

I then moved to cybersecurity vendors headquartered in the US and got to work more on the threat intelligence side of things. The UK cyber-security industry is strong, but I was keen to learn from fast-growing US companies how start-ups work. There’s a great community for sharing information in threat intelligence, particularly on the more targeted attacks, and that’s invaluable both to the industry and personally if you want to start your own company one day.

James Campbell (my co-founder) and I worked together at PwC. We found that investigating and responding to threats, particularly in the cloud, was a slow and manual process. A few years later, James and I reunited to build a platform that could automate a lot of the work we were doing, and that’s how Cado Security was born.

FF: Tell us more about the Cado Platform. Who is it for and what does it do?

Cado started out as a platform for security teams to collect forensic data, whether it be in the cloud or on-prem, and also to centrally investigate in a single cloud platform. We found our customers were increasingly asking for more automated capture and analysis, often building that themselves using our API. That resulted in what is really a second iteration that has evolved over the last two years – where most data is now captured automatically, either following a trigger from a detection product like CrowdStrike or from another platform such as ServiceNow.

FF: Cado integrates with tools like AWS, Azure, and Google Cloud. How do these integrations improve the forensic and incident response process?

Part of the opportunity here is speed – we’ve spent years iterating how we capture data from these platforms, and we can now do it in a way that is both fast and reliable, and certainly much faster than the manual methods that many teams were using previously. The other part is just being able to capture data before it disappears. We’ve filed plenty of patents on how we can capture data from Kubernetes environments, for example, as that required a lot of research to work out. The other part is that we can unify data from multiple sources, so that security teams can work seamlessly in multi-cloud environments. We can also analyse SaaS, cloud, container, serverless, and on-prem assets in a single platform, which is a big win for security teams.

FF: Our recent review highlighted Cado’s ability to quickly acquire evidence and identify threats like webshells. How do these strengths support real-world investigations?

The most common investigations we see are around cloud security incidents. These can be anything from a crypto-mining worm in a container to a webshell on a server. The Cado platform automates forensic-level data capture and processing, which can help security teams respond faster. We’ve also built in a lot of threat intelligence, machine learning, and YARA rules to help teams quickly identify malicious activity and potential risks.

FF: Your recent research covers threats like Selenium Grid and Mac malware. What are the key findings, and how should security teams respond?

The key finding for me from the Selenium Grid crypto-mining malware is that pretty much any exposed build platform is going to have problems eventually. We’ve previously published reports on attacks against Jenkins build servers, exposed Kubernetes APIs and Redis databases, etc. Preventing those issues is often the basic hygiene of limiting what services are internet accessible, and the built-in cloud firewalls do a pretty good job of making fixing that easy. But in a large estate there are often either exceptions or outliers, and that’s when you need to be prepared to be able to quickly investigate. Mac malware is always a bit more interesting to see, given it’s historically been less common, but it absolutely exists.

FF: Cado Security recently launched a product focused on SOC automation. How does it help SOC teams streamline their workflows?

It fits into a wider trend we’ve seen with SOC teams being increasingly responsible for not only triaging incidents, but also investigating and resolving them. I think that’s a credit to the wider industry, both in terms of training and tooling, beyond just what we’re up to at Cado. Our SOC automation features work by automatically consuming detections from platforms like Wiz or Microsoft Defender to capture data. The key part we’ve managed to get right recently is then providing a more assisted investigation.

As a forensic tool, we’re lucky to have a really large set of data to look at during an investigation, and we have a machine learning model that identifies things such as “this user logged on just before the malware was executed, let’s raise that to the analyst”. That’s a simple example, but it’s the kind of thing that can really speed up an investigation. In a sense, what we are doing is “SOC Augmentation”, as it’s not about replacing the analyst, but about making them more effective.

FF: How has the demand for cloud-specific forensic tools evolved, and what challenges does cloud forensics present compared to traditional on-premise investigations?

It’s an interesting question, as sometimes cloud forensics feels 90% like on-prem, and sometimes it feels 10% like it. For example, if you’re investigating a virtual machine in the cloud, you’re probably going to be looking at a disk image, and much of the investigation will be similar to on-prem, albeit collecting the data, and the associated cloud-level logs and metadata, is quite different from on-prem. If you’re looking at a compromise of a managed container service like ECS Fargate in AWS, things start to look very different, and the data may not live where you would expect in the on-prem world.

FF: With the rapid evolution of cloud services and new attack surfaces, where do you see the future of cloud-based digital forensics heading?

I think the majority of attacks will remain the same – opportunistic, widespread threats, primarily against misconfigurations. But the cloud providers are making some good steps to make misconfigurations harder and default security easier, so I’m optimistic about a downward trend there. More targeted threats will always follow wherever the most interesting data lives, and that’s increasingly in the cloud. There’s starting to be some more public reporting of those incidents, but overall the threat there is likely underreported due to the typical sensitivity around those kinds of incidents.

When we started the company in 2020, there were a few great resources on cloud forensics, but there weren’t many. Jonathon Poling published some great resources on cloud forensics nearly a decade ago, but there wasn’t much else. Now we have excellent training (e.g. SANS 509), and there is much more mature tooling, so teams don’t have to tape together a bunch of scripts to get the job done. So again, I’m optimistic both on the growing market and the growing maturity of the tools available here.

FF: Finally, what do you enjoy doing in your spare time?

I plan to clean out my shed this weekend. Hopefully this time I’ll finally get around to it ;).