Inside Look: Adobe Incident Response Team Players

By Lauren Park, Director, Security Coordination Center at Adobe
Thursday, June 1st, 2023

Adobe has long focused on establishing a strong foundation of cybersecurity, built on a culture of collaboration, multiple capabilities, and deep engineering prowess. We aim to take a proactive approach to defending against security threats: we continuously monitor the threat landscape, learn from and share our findings with security experts around the world, and feed that information back to our development teams to strengthen our products.

We are part of this trust network: since 2010 we have been members of the Forum of Incident Response and Security Teams (FIRST), a global incident response community that helps our teams respond more effectively to security incidents, both reactively and proactively.

FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations with the mission to foster cooperation and coordination in incident prevention, stimulate rapid reaction to incidents, and promote information sharing among members and the community at large.

In the spirit of collaboration, I wanted to take the time to share a few interesting projects and highlight members of our team, who work to reinforce our defenses every day.

Incident Response Key Players

Our security team members come from many different backgrounds and experiences. As part of the FIRST conference, we want to take the time to recognize them and show our thanks for all they do.

A key part of our incident response program is our Security Coordination Center (SCC). I am honored to lead the Adobe SCC team, comprised of experts who manage centralized security monitoring, threat intelligence, threat hunting and incident response for Adobe. Our team operates 24/7 and is dedicated to information security and privacy with a mission to continuously monitor and improve Adobe’s security protections while preventing, detecting, analyzing, and responding to cybersecurity incidents.

Threat Hunting and Cyber Threat Intelligence – Joseph Davidson

The SCC consists of a variety of functions; its Threat Hunting and Cyber Threat Intelligence teams, led by Joseph Davidson, are two critical functions in our efforts to build and maintain a resilient program.

Building and managing a Threat Hunting program requires a comprehensive approach with proactive manual detection, constant communication between teams, and an investment in the right people to bring the process to life. Joseph and his team leverage automation, AI, and ML to model potential threat vectors and train our systems to help detect emerging threats. They have developed multiple UEBA (user and entity behavior analytics) models using machine learning and advanced data analytics to review large volumes of log data and help spot anomalies that indicate a change in a user's or entity's behavior. After further enrichment and correlation, these anomalies become hunt leads (or alerts) for human review and, when needed, escalation.

Cyber Threat Intelligence is key to understanding adversaries’ motives. Curated intelligence generates hunt leads and new ideas for AI/ML models to assist in identifying these types of activities. Our team and efforts cannot be successful without collaboration across multiple teams, including the security operations center (SOC), Incident Response, Adobe Product Intelligence, our Red Team and, of course, the wider community.
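The two paragraphs above describe a pipeline: a UEBA model baselines behaviour from log data, flags a change, and the anomaly is enriched and correlated (threat intelligence included) before it becomes a hunt lead for human review. The following is an added illustration of that pipeline, not Adobe's code or any of the SCC's models. It assumes a constructed key=value authentication log format, models one behaviour (distinct hosts a user touches per day, scored by z-score against a per-user baseline), and uses a constructed threat-intel set of source addresses as the enrichment source.

```python
"""Added example (not Adobe's code): a minimal UEBA-style pipeline that turns a
behaviour change into an enriched hunt lead.

Assumptions: events arrive one per line in the constructed key=value format below,
the behaviour modelled is 'distinct hosts touched per day', and the threat-intel
feed is a constructed set of source addresses."""
import re
import statistics
from collections import defaultdict

# Constructed baseline telemetry (three ordinary days); not real logs.
BASELINE_LOGS = """\
2023-05-01T08:02:11Z user=alice src=10.1.4.22 host=ci-01 country=US result=ok
2023-05-01T08:40:53Z user=alice src=10.1.4.22 host=ci-02 country=US result=ok
2023-05-01T09:10:00Z user=bob src=10.1.7.9 host=wiki-01 country=US result=ok
2023-05-02T08:05:41Z user=alice src=10.1.4.22 host=ci-01 country=US result=ok
2023-05-02T11:22:19Z user=alice src=10.1.4.22 host=ci-03 country=US result=ok
2023-05-02T09:33:07Z user=bob src=10.1.7.9 host=wiki-01 country=US result=ok
2023-05-03T08:01:02Z user=alice src=10.1.4.22 host=ci-02 country=US result=ok
2023-05-03T10:45:55Z user=alice src=10.1.4.22 host=ci-01 country=US result=ok
2023-05-03T09:00:30Z user=bob src=10.1.7.9 host=wiki-02 country=US result=ok
"""

# Constructed events for the day under review (one failed login included to show it is skipped).
DAY_LOGS = """\
2023-05-04T03:12:44Z user=alice src=203.0.113.77 host=ci-01 country=NL result=ok
2023-05-04T03:13:10Z user=alice src=203.0.113.77 host=db-01 country=NL result=ok
2023-05-04T03:13:41Z user=alice src=203.0.113.77 host=db-02 country=NL result=ok
2023-05-04T03:14:05Z user=alice src=203.0.113.77 host=fs-01 country=NL result=ok
2023-05-04T03:15:30Z user=alice src=203.0.113.77 host=hr-01 country=NL result=ok
2023-05-04T03:16:12Z user=alice src=203.0.113.77 host=vault-01 country=NL result=ok
2023-05-04T09:13:50Z user=bob src=10.1.7.9 host=wiki-01 country=US result=fail
2023-05-04T09:14:02Z user=bob src=10.1.7.9 host=wiki-01 country=US result=ok
2023-05-04T09:40:18Z user=bob src=10.1.7.9 host=wiki-02 country=US result=ok
"""

# Constructed threat-intel feed (TEST-NET-3 documentation address; a placeholder, not a real indicator).
THREAT_INTEL = {"203.0.113.77"}

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) src=(?P<src>\S+)"
    r" host=(?P<host>\S+) country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse one event per line; malformed lines and failed logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("result") == "ok":
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Per user: mean/stdev of distinct hosts per day, plus the countries seen."""
    hosts = defaultdict(lambda: defaultdict(set))  # user -> day -> {host}
    countries = defaultdict(set)
    for e in events:
        hosts[e["user"]][e["day"]].add(e["host"])
        countries[e["user"]].add(e["country"])
    baseline = {}
    for user, days in hosts.items():
        counts = [len(h) for h in days.values()]
        baseline[user] = {
            "mean": statistics.mean(counts),
            # floor the deviation at 1 so a perfectly regular user never divides by zero
            "stdev": max(statistics.pstdev(counts), 1.0),
            "countries": countries[user],
        }
    return baseline


def build_hunt_leads(day_events, baseline, threat_intel, z_threshold=3.0):
    """Score each user's day against the baseline, enrich anomalies, return hunt leads."""
    per_user = defaultdict(lambda: {"hosts": set(), "srcs": set(), "countries": set()})
    for e in day_events:
        agg = per_user[e["user"]]
        agg["hosts"].add(e["host"])
        agg["srcs"].add(e["src"])
        agg["countries"].add(e["country"])
    leads = []
    for user, agg in per_user.items():
        base = baseline.get(user)
        if base is None:
            continue  # no baseline yet; a real pipeline warms up before scoring a user
        z = (len(agg["hosts"]) - base["mean"]) / base["stdev"]
        if z < z_threshold:
            continue
        reasons = [f"distinct hosts/day z={z:.1f} vs baseline mean {base['mean']:.1f}"]
        # enrichment and correlation: threat-intel hit, and a country never seen in the baseline
        intel_hits = sorted(agg["srcs"] & threat_intel)
        if intel_hits:
            reasons.append("source in threat intel: " + ", ".join(intel_hits))
        new_countries = sorted(agg["countries"] - base["countries"])
        if new_countries:
            reasons.append("new country for user: " + ", ".join(new_countries))
        severity = "high" if len(reasons) > 1 else "medium"
        leads.append({"user": user, "z": round(z, 2), "severity": severity, "reasons": reasons})
    return leads


def run_pipeline():
    baseline = build_baseline(parse_events(BASELINE_LOGS))
    return build_hunt_leads(parse_events(DAY_LOGS), baseline, THREAT_INTEL)


if __name__ == "__main__":
    for lead in run_pipeline():
        print(lead["severity"].upper(), lead["user"], "|", "; ".join(lead["reasons"]))
```

On the constructed data only alice produces a lead: six distinct hosts against a baseline of two per day, from a source on the intel list and from a country not in her baseline, so the lead is rated high; bob's two hosts stay within threshold. The statistical score alone would only give a medium lead; the enrichment step is what lifts its priority for the analyst, which is the point of the correlation stage described above.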

Incident Response and Digital Forensics – Todd Harper

The Incident Response Team is led by Todd Harper, who has held a variety of positions at Adobe over the years. In his current role he oversees Incident Responders and Incident Commanders. Their primary responsibility is to lead the investigation of, response to, and resolution of incidents that could impact Adobe. Using real-world scenarios, the Incident Response team constantly hones its skills through tabletop exercises, capture-the-flag (CTF) contests, incident simulations, and peer-to-peer knowledge sharing, including attending and presenting at conferences.

Digital Forensics and Automation – Tim Ip

Digital Forensics is another key part of our Incident Response program. Tim Ip is part of Todd’s Incident Response team focusing on DFIR, Automation and Purple Teaming. One project their team worked on was a Living off the Land (LotL) classifier project.

Classic LotL detection mechanisms can be noisy and somewhat unreliable, generating a high number of false positives, and because typical rules grow organically, it can become easier to retire and rewrite the rules rather than maintain and update them. The security intelligence team at Adobe set out to help fix this problem – using open source and other representative incident data, we developed a dynamic and high-confidence program, called LotL Classifier, and open sourced it to the broader community.

The LotL Classifier is unique because it uses a supervised learning approach — this means it maps an input to an output based on example input-output pairs. Check it out and let us know what you think.
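The paragraph above defines supervised learning as mapping an input to an output from example input-output pairs. Here is that idea in miniature, as an added example that is not the LotL Classifier's own code, features or training data: a Bernoulli naive Bayes classifier written from scratch, trained on constructed pairs in which each input is the set of categorical features extracted from one process-execution event (an assumed schema: whether the binary is a built-in tool, the parent process type, the argument shape, and the user type) and each output is the label "lotl" or "benign".

```python
"""Added example (not the LotL Classifier's code): supervised learning in miniature.

A Bernoulli naive Bayes model is trained on constructed (input, output) pairs and
then predicts a label for events it has not seen. The feature scheme and the
training data are assumptions for illustration only."""
import math
from collections import Counter


def extract_features(event):
    """Map a structured event (assumed schema) to the categorical tokens the model sees."""
    return {
        "binary:builtin_tool" if event["builtin_tool"] else "binary:other",
        f"parent:{event['parent']}",
        f"args:{event['args']}",
        f"user:{event['user']}",
    }


# Constructed training data (event, label); not real incident data.
TRAINING_EVENTS = [
    ({"builtin_tool": True, "parent": "office_app", "args": "has_url", "user": "interactive"}, "lotl"),
    ({"builtin_tool": True, "parent": "shell", "args": "encoded", "user": "interactive"}, "lotl"),
    ({"builtin_tool": True, "parent": "web_server", "args": "has_url", "user": "service_account"}, "lotl"),
    ({"builtin_tool": True, "parent": "office_app", "args": "encoded", "user": "interactive"}, "lotl"),
    ({"builtin_tool": True, "parent": "scheduler", "args": "has_url", "user": "service_account"}, "lotl"),
    ({"builtin_tool": True, "parent": "admin_console", "args": "plain", "user": "admin"}, "benign"),
    ({"builtin_tool": True, "parent": "scheduler", "args": "plain", "user": "service_account"}, "benign"),
    ({"builtin_tool": True, "parent": "shell", "args": "plain", "user": "interactive"}, "benign"),
    ({"builtin_tool": True, "parent": "installer", "args": "has_url", "user": "admin"}, "benign"),
    ({"builtin_tool": True, "parent": "admin_console", "args": "plain", "user": "admin"}, "benign"),
]
TRAINING_PAIRS = [(extract_features(e), label) for e, label in TRAINING_EVENTS]


class BernoulliNB:
    """Naive Bayes over binary feature presence, with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.labels = Counter()      # label -> number of training examples
        self.vocab = set()           # every feature token seen in training
        self.feat_counts = {}        # label -> Counter of feature occurrences

    def fit(self, pairs):
        self.labels = Counter(label for _, label in pairs)
        self.vocab = set().union(*(feats for feats, _ in pairs))
        self.feat_counts = {label: Counter() for label in self.labels}
        for feats, label in pairs:
            self.feat_counts[label].update(feats)
        return self

    def _log_joint(self, feats, label):
        n = self.labels[label]
        total = math.log(n / sum(self.labels.values()))  # log prior P(label)
        for f in self.vocab:  # tokens never seen in training are simply ignored
            p = (self.feat_counts[label][f] + self.alpha) / (n + 2 * self.alpha)
            total += math.log(p if f in feats else 1 - p)
        return total

    def predict_proba(self, feats):
        joints = {label: self._log_joint(feats, label) for label in self.labels}
        m = max(joints.values())  # subtract the max before exponentiating for stability
        norm = sum(math.exp(v - m) for v in joints.values())
        return {label: math.exp(v - m) / norm for label, v in joints.items()}

    def predict(self, feats):
        proba = self.predict_proba(feats)
        return max(proba, key=proba.get)


def accuracy(model, pairs):
    """Fraction of labelled pairs whose label the model reproduces."""
    return sum(model.predict(f) == y for f, y in pairs) / len(pairs)


if __name__ == "__main__":
    model = BernoulliNB().fit(TRAINING_PAIRS)
    unseen = extract_features(
        {"builtin_tool": True, "parent": "web_server", "args": "encoded", "user": "interactive"}
    )
    print(model.predict(unseen), model.predict_proba(unseen))
```

The model never sees a rule; it learns which feature tokens are more probable under each label and combines them with Bayes' rule, which is why a combination that was not in the training set (a built-in tool launched by a web server with encoded arguments) still gets a confident label. Accuracy on the training set is reported only as a sanity check; a real evaluation would hold out data, as the noise and false-positive concerns in the paragraph above imply.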

You can catch Tim speaking at the FIRST conference, June 8 at 16:35-17:10, on Automating Cloud Forensics Lab Provisioning. This talk will provide insights into our Forensics VM project, which leverages Infrastructure as Code (IaC) to help automate cloud forensics lab provisioning. The project enables dynamic deployment of labs in different geographic regions across different cloud service providers such as AWS, Azure and GCP. He will discuss how this project streamlines and simplifies our forensics process for the benefit of the company.

Joining Forces to Share Intelligence

Cross-team collaboration is key to success for any cybersecurity program. Within our incident response organization, we also work closely with the Adobe Product and Software Security (PASS) team. The PASS team encompasses several functions, including Vulnerability Management, Application Security, and Security Testing. Our Product Security Incident Response Team (PSIRT) is part of PASS and manages our response to vulnerabilities in Adobe products discovered by third parties and security researchers.

Product Incident Response – Daniel Ventura

Leveraging PSIRT capabilities, we can assess vulnerabilities from a variety of sources (Bug Bounty programs, penetration tests, Red Team, etc.) and triage them to determine impact and scope. Daniel Ventura manages our PSIRT, a global team of skilled security engineers who drive expedited remediation with product teams in an incident response scenario. During his time at Adobe, he’s scaled our bug bounty program and continually engages with researchers to strengthen our products. His team also participates in the Microsoft Active Protections Program (MAPP), where they share information on security vulnerabilities in our products with the wider security community.

Industry Collaboration

In addition, we collaborate with other software vendors and technology companies to share knowledge and security threat information. Adobe participates in industry organizations, including FIRST, MAPP and MAAWG (Messaging, Malware, and Mobile Anti-Abuse Working Group), as well as other private, inter-company incident response working groups.

We look forward to building upon existing relationships and making new ones to help FIRST and the industry bring together incident response and security teams from across the world to create a safe internet for all. We’ll be attending the FIRST Conference in Montreal this year and invite you to reach out to one of our teams if you are, too!

Let’s continue the discussion to become stronger together and make the digital world a better place.