On a long car drive back from Boston after watching the Buffalo Sabres lose to the Bruins…I had an opportunity to read Jason Fried and David Hansson’s book ReWork.
This won’t be a spoiler review, more so a reflection on how the book’s topics could be applied to the Digital Forensic / Incident Response (DFIR) industry.
Before I get into my review, I will share with you why I decided to read the book. Mike Wilkinson sent me a link to Jason Fried’s TED talk which is focused on workplace productivity and suggestions on how to avoid distractions.
I will break my review into sections to make it easier. Please note that these reflections are based on the book and how I feel it applies to the digital forensic / incident response (DFIR) industry.
- Having a solid management team is critical
- If your organization doesn’t have a good balance of a technical/business management team (which could be a single person if the team is small enough) you’re not in a position for success. It’s important that DFIR teams are given the opportunity to engage in both professional duties as well as development/research into their area of expertise. Google does this. The concept sounds elementary, management 101, but to actually implement and sustain the environment where this is actually happening could be difficult. Having a productive and capable DFIR team is both cultural and systemic and requires a management team that fosters innovation and knows what is necessary to be ready to respond to events.
- Sometimes we are wired and “plugged in” far too much. Let’s think about this scenario: you’re conducting a highly technical analysis in a malware investigation. You’ve started looking into the initial infection vector (IIV) and you find that an executable file was created seconds after the user visited a website, then that executable was quickly deleted, two files were then created and then several registry entr… “[co-worker walks into your office screaming] HEY DID YOU SEE THAT EMAIL FROM THE CLIENT ABOUT HOW [insert distracting topic here]”. This is somewhat of an exaggerated scenario, but compare this to sleep – there are multiple cycles in one’s sleep – the most important being REM. When you actually get into REM, you are really sleeping/dreaming. This is where you are getting the most rest. The same is true of analysis or investigations, and you can draw parallels. If you start digging into a case and you get disrupted by Meetings, Chat, Facebook, Twitter, Email, Text, Youtube, Co-Workers (or D, all of the above) you could fall into the trap of having your productive work time taken from you. To bring this back into context with reality, I’ve been guilty of “walking around the office” after an Analysis REM session, or sometimes randomly checking social media while working on a project. THIS IS NORMAL. This keeps people productive. I think we’ve all been there: you worked for X straight hours on something and you need a break. Personally I need to disengage from the machine/project, and then at a point, re-engage with the analysis. These deliberate breaks from the mental focus on a project are healthy and keep us sharp. But if someone disrupts/interrupts the productive “Analysis REM session”, examiners can fall into a non-productive cycle and have difficulties getting back on track. This ties back to what was mentioned in the above “management” section, where it’s cultural and systemic in the DFIR industry.
DFIR groups that are structured and tasked with threat analysis/mitigation/remediation need to be given time to do the work. Now, don’t get me wrong, all of the disruptions or interruptions mentioned above have their place in the workplace, but they need to be used properly, in a non-disruptive way.
- This was an interesting section in the book which stemmed from talking about “never having enough time to do work” and “always being at work before everyone and after the last person leaves for the day”. This creates a sense of “needing to work all the time”, which in effect creates stress for everyone. I’m a firm believer in hard work and in completing what needs to be done on a project in a timely manner. I also believe in working smarter. There are lots of DFIR professionals out there, but the really good ones know how to do things smarter/faster. For example, this was an interesting blog post where Corey mentioned doing things in parallel to speed up analysis. Another perspective is working to remove obstacles that are hindering your team’s productivity. Why should your team work 15-hour days when they could be working 8 if you (as a manager) were to get them the proper access or workflow approved? Also, how many mistakes occur from a tired employee versus a rested one? (no citation, but we’ve all been there). Or if the company should hire another team member – how is the company tracking metrics to be able to justify it to upper management? Now I know reality always comes into play, and there are “crunch time” circumstances where we need to work 15-hour days – but I don’t like to see teams spinning their wheels trying to get up the hill of getting the job done. Having a culture that understands what systems / processes are necessary for DFIR success is important.
- As members of a rapidly changing industry, one that literally changes daily as technology is ever-changing, it’s important for everyone to try to keep things in context and be what I like to call “realists/optimists”. As members of an industry that is commonly called upon in situations that are bleak, we must be ready to have conversations with management/clients that are realistic: “this is what we are seeing”, “this is how long it will take”, “this is what is possible/impossible”, “I don’t know”, “this is the impact on the company”; and optimistic: “We are here to help”, “There is a problem here, and we’re working on it”, “we will help remove obstacles”. To change perspective, let’s visit the medical doctor. When one visits the doctor for an annual physical, they are going to hear how things are going with their body. Do you as a patient just want to hear lies or negative things relating to your cholesterol? Or would you rather hear the reality – you have high cholesterol and this is how to fix it? DFIR has a lot of “big-ego” personalities, which is the last thing a team should be dealing with during an event. I feel that DFIR teams that “check egos at the door”, understand the strengths of team members and use the realistic/optimistic approach will stay productive.
but if you’re able to apply some insightful/innovative techniques in your workplace… think of the possibilities.