5 questions with Alissa Torres, SANS Instructor and Incident Handler at Mandiant

Alissa Torres was first exposed to the mission of security while serving in the United States Marine Corps as a Communications Officer. Torres was responsible for troop welfare, and eventually, national security. 

These days, the certified SANS Instructor and Incident Handler at Mandiant, draws upon her military experience daily on the job.  Torres answered some questions for Leading Edge about how her time in the military prepared her for her current work in the digital trenches as an incident handler and forensic investigator.

First off, I know you spend time in the US Marine Corp as a Communications Officer. Tell me about your service.

As a graduate of the University of Virginia, I was commissioned in the Marine Corps from the Navy ROTC program.  My undergraduate degree is in Nursing and I obtained a NROTC scholarship to become a Navy Nurse.  After a year in Nursing School, I realize it was not what I wanted to do and I applied to switch to the Marine Option program.  The Marine Corps offered the challenges I was looking for, physically, emotionally and mentally.  My package was approved and immediately after completing Officer Candidate School in Quantico, I was commissioned as a Second Lieutenant.  My first duty station, after completing 6 months of the Basic School and 6 months of Electronic Communications Training, was with the 9th Communication Battalion, I MEF in Camp Pendleton, California. 

[Related: Ten tweets with database security expert David Litchfield]

My first billet as an electronic communications junior officer was that of wire and radio platoon commander. I was in charge of the training, readiness and well being of twenty Marines whose specialties involved switchboard, radio and wired communications.  Though I did learn a tremendous amount about how to ensure reliable data communications in large-scale operations, the most valuable life lessons were gained from my interactions with my platoon. The guidance provided by my senior enlisted Marines kept me out of trouble and allowed me the opportunity to work with technical experts who were passionate about their work, something I have continued to enjoy today in my role as a SANS instructor.  As a platoon commander, I also focused on inspiring and motivating my younger enlisted Marines and helping them formulate a plan for achieving what they wanted out of life beyond their time in the Marine Corps.

How did you segue into security as a full-time profession following your time in the military?

While in the Marine Corps, I obtained specialized training on system and network administration.  My first job after leaving the service was as a helpdesk technician which was very humbling.  Leaving the position of platoon commander to assume the new role of answering phones and troubleshooting Windows issues gave me a much needed paradigm shift and it makes for a funny story now about military career transitions.  As part of an information technology team for a standardized testing company, we had to address many issues with security, so I would say my focus on information security started there, just after leaving the Marine Corps in 2000, while my husband and I lived in Monterey, CA. 

Their war stories were enticing, the intrigue of hunting down evil in the form of digital evidence. Even in those early days, I was drawn to network intrusion cases.  There is a similar mission in protecting US corporate data from theft as there was in defending the nation as a Marine.  Like most of the professionals working in the digital forensics/incident response (DFIR) field, I believe that this work is important and it makes a difference. 

Tell me about your role with SANS.

As a certified SANS instructor, I teach 5 & 6-day courses in our digital forensics track, to include FOR408:  Computer Forensic Investigations – Windows In-Depth, FOR508: Advanced Computer Forensic Analysis and Incident Response and FOR526: Windows Memory Analysis In-Depth.

My first SANS class as a student was FOR508: Advanced Computer Forensic Analysis and Incident Response, which I attended as a work-study facilitator.  Since my company had denied additional training for me, the reduced rate work-study program was the only way I had to attend this advanced forensics course. This course and the skills I obtained while attending have had a huge impact on me and my career.  When given the opportunity to teach for SANS, FOR508 was the first course I chose because I believe it addresses the current knowledge gap that exists in most of today’s security teams – the ability to retrace and mitigate the activities of an intruder on the network.  

How do you draw upon your military experience for your current role?

In the Marine Corps, I experienced first-hand that an individual’s success is determined by her passion, commitment and drive.  These three things are required in bucketfuls in order to be an effective forensic examiner.  Due to its rapidly evolving nature, in order to stay current in the field of digital forensics, one must be dedicated to lifelong learning.  Savvy criminals and attackers continue to exhibit greater sophistication and technical skills in their exploit and evasion techniques. This raises the bar for DFIR professionals, requiring that they possess the passion and commitment to devote much time and energy to sharpening their skill sets.  As in the Marine Corps, believing in the mission and the purpose behind your work can fuel you to put forth the effort required.

What is the biggest challenge in your job today?

I currently have two professional roles about which I am extremely passionate.  As a certified SANS instructor, I find the biggest demand on my time is keeping up-to-date on current threats in information security.  As the face of organizations’ digital surfaces morph and expand to encompass additional devices, cloud services and software implementations, uncovering the forensics implications of each new factor is an enormous task.  Understanding how these factors impact my students and their operational jobs and giving them the skills they need to address these changes is the largest challenge as an instructor.  In addition to my role at SANS, I work as an Incident Handler at Mandiant, on their MCIRT (Mandiant Computer Incident Response Team), handling host-based analysis of compromised systems on customers’ networks.  I have a unique opportunity to both- work in the “trenches” at Mandiant, seeing in real-time the techniques used in today’s intrusions and interact with other professionals in the field at SANS training events – imparting knowledge surrounding the latest security threats. Though it makes for a busy schedule, both roles complement each other well, keeping me in touch with like-minded individuals and today’s current threats.