Attack surface managers and the state of attack surfaces
Dave Monnier of Team Cymru talks about the state of attack surfaces, the strengths and shortcomings of attack surface managers and why something we refer to as a “soft” skill might be the hardest skill of all! Plus, we touch on shadow IT.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
0:00 - Attack surfaces
2:55 - Dave Monnier's first interest in cybersecurity
7:30 - Instinctual cybersecurity learning
9:20 - Monnier's work as a chief evangelist
14:00 - Cybersecurity soft skills
16:30 - What are attack surface managers?
28:25 - ASM 1.0 to ASM 2.0
32:22 - State of attack surfaces
34:58 - Asset infrastructure in your business
40:00 - Key skills cybersecurity novices need
43:07 - Learning in cybersecurity
45:42 - Learn more about Team Cymru
47:19 - Outro
[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well, try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it, infosecinstitute.com/free. Now, on with the show.
Today on Cyber Work, Dave Monnier of Team Cymru joins me to talk about the state of attack surfaces, the strengths and shortcomings of attack surface managers, and why something we refer to as a soft skill might, in fact, be the hardest skill of all. All that and a little bit of talk about shadow IT today on Cyber Work.
Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.
David Monnier was invited to join Team Cymru in 2007. Prior to Team Cymru, he served in the US Marine Corps as a noncommissioned officer, then went to work at Indiana University, helping to build some of the most powerful computational systems of their day. He then transitioned to cybersecurity, serving as lead network security engineer at the University, and later helped to launch the Research and Education Network, ISAC.
At Team Cymru, he has been systems engineer, a member of the community service outreach team, and a security analyst. David led efforts to standardize and secure the firm's threat intelligence infrastructure, and he served as team lead of engineering, establishing foundational processes that the firm relies on today. With over 20 years of experience in a wide range of technologies, David brings a wealth of knowledge and understanding to threat analysis, system hardening, network defense, incident response, and policy.
So for today's episode, we're going to be talking a little bit about DevSecOps, as well as attack surfaces and attack surface managers, about the move to ASM 2.0, and Team Cymru’s state of the attack surfaces report. Lots to get to, so let's get to it. Dave, thanks for joining me today. Welcome to Cyber Work.
[00:02:53] Dave Monnier: Thanks for having us, Chris.
[00:02:55] CS: So to start with, I like to get to know our guests a little by tracing your interests and background. So what first got you excited about computers and tech, and how far back did that go, and where did the interest in cybersecurity go from there?
[00:03:08] DM: Sure. Yeah. I maybe a little bit of an anomaly in the industry. I grew up very, very, very poor, I guess, for lack of better word, and didn't really have access to computers, outside of kind of the one that you would have maybe sometimes in a specific classroom, where like it would be mathematics or language learning, for example. It was common to see that there.
But I graduated high school in 1991. So that was still kind of the era where you had the lab model. The whole school might have three to seven to whatever systems to work on. So I never really had access to computers growing up, and then I ended up enlisting in the Marine Corps and had some exposure to systems there. But still, it wasn't a regular part of my job, and I didn't really get exposed regularly to computational systems until like after I got out of the Marine Corps in 1995. So I figured in 1996 or so was the first time I really like had hands on.
For me, I didn't realize that I understood how computers work because I hadn't ever been around them. It was like this talent that I never knew that I had kind of thing. But I was working in a print shop, and it was the very dawn of kind of electrostatic electronic-driven prints. This system I was working on had broken. We weren't able to get somebody to come out and fix it. So I ended up trying to fix it myself because it was – I was the young guy on the team and trying to impress the boss and all that stuff. It turns out I turned out to be able to fix it. It was a SunOS system.
But that's when I realized nobody else seemed to understand how to fix this, and I did. But then the person who came to fix the system was like, “Hey, I'll hire you right now. You're wasting your time here working at this print shop.” It turns out they were right. But then I ended up – Within, I guess, pretty short order, I worked briefly for a small networking shop, running lines through rooftops and doing some point-to-point RF networking at the time.
But I ended up having the opportunity to move to Southern Indiana. A friend of mine went to school there. I moved down and moved in with him and ended up getting a job the day I arrived in town, which was my second clue that I had some in-demand skills. It still hadn't dawned on me how good I was at doing it or that there was really a career path there because computing was still so new, right? You know there's value in being a plumber, but it wasn't obvious value in being a programmer or a sysadmin or any of those things.
Out of coincidence, I ended up moving down there, applied for some jobs to do like basic help desk type of work and got hired very quickly. Then within like a week from there, these folks asked me to go start doing other stuff. So it kind of went from there. Cybersecurity, as far as cybersecurity interests went, that was also kind of a coincidence of I was working in high performance computing, and there was a security incident on one of the systems that I helped manage.
That really also kind of turned into me understanding that I saw cybersecurity differently than the rest of my peers. In the High Performance Computing Center, they didn't see the risks the same way I did. I guess, for lack of a better word, I've been at the right place at the right time, without knowing either.
[00:07:19] CS: But also having the right instincts and the right sort of mental processes as well. So coming back around, did you sort of retroactively sort of fill in the blanks in your knowledge? Did you do any kind of focused computer science study or security study or anything like that? Or have you been able to sort of do instinctual sort of learn-in-the-moment things?
[00:07:42] DM: Yeah. I'm completely an instinctual learn-in-the-moment person. I'm not anti-academia, but I've taught in academia. I've taught like 200-level and 400-level classes. So I get to kind of see the change that people go through as they proceed. One of the things that I – Again, I'm not an anti-academic person, so I hope any of your listeners don't take what I'm saying is to suggest that. But what I feel as maybe an unintended side effect of kind of the academic model, because you end up knowing only that what you studied, and some people will fall into this trap of like not considering anything else. They only know what they know. If they don't know what that is, then that thing doesn't exist. So kind of the –
[00:08:31] CS: Yeah. The nervousness of straying off the path.
[00:08:33] DM: Exactly. Yeah. So though I've never had it, I also have never felt handicapped by it because I have this intuitiveness, I guess. Now, I've read parts of lots of books. I get to the part, once I figure out what it is I was looking for, I tend to move on. Actually, I used to be total digital everything. I was like, “Let me be constantly online, and let me constantly digitize my existence.”
But probably in the last 10 years or so, I've been doing the opposite. I actually tried to recharge offline as much as I can because I spend so much time online. So funny enough these days, I'm in pursuit of a more analog existence.
[00:09:18] CS: I love that. So tell me about your work as chief evangelist at Team Cymru. What are some of your common tasks and your day-to-day responsibilities? Because I feel like the role of evangelist, it can mean a lot of things at different companies. So I'm just kind of – Because people are always looking at our show to figure out where they want their career to go. What does your average day look like as a chief evangelist?
[00:09:42] DM: Sure, happy to. So first of all, I'll tell anyone out there, if you get offered the opportunity to be an evangelist for anyone, be flattered for starters because to be an evangelist means that someone else has determined that your ability to deliver a message is better than most kinds of things. So it's like someone coming along and telling you that you have a good voice, or you're very photogenic.
Unlike the people at the mall, who are trying to convince you that you're a model, if only you sign up for their acting classes or whatever this nonsense is, typically, when it comes to evangelism in IT, it is a compliment. So characteristics-wise, when you get to the high-powered nerdery, don't often lend themselves to evangelism. There's kind of like introversion and then characteristics like that and then kind of steering people.
But, no, day to day as an evangelist, for us, we have a couple of different, I guess, routes, I could call it. So one of the components to our business is, obviously, promoting people to understand our business and what we do and that we're out here. But another angle to us and what evangelism really, more importantly, is for us is making friends around the world so that we have more access to problems.
In a lot of people, that may seem strange. That may sound like a weird thing to say. But we are an intelligence provider. So we're in constant need of understanding what information we should be looking to collect and what information we should be looking to curate into products and things like that. The big driving factor for us there, when you think of it as far as markets go, is problems.
So the funny thing, though, about problems is like if we walked down the street, and we just grabbed strangers and said, “Hey, what's bothering you,” most of them would say, “Well, you are. You are what's bothering me,” right? But there is a different thing that happens when you encounter someone that you know on the street who's your friend, right? They say, “What's bothering you?” If they're your friend, and they're genuinely your friend, you'll share with them what that problem is.
A lot of evangelism to us at Team Cymru is kind of a cross or a mix of, I should say, demonstrative trustworthiness. Meaning at every turn, we make ourselves available, and we take other people's problems to heart. That’s not in return now to keep in mind that we're not a services business. So this isn't to mean pay me, and I'll worry about your problems. Actually, it's more like we're friends. We're in this together. We're both members of the same Internet community. We're both trying to make the Internet function every day, and we believe that the Internet –
By the way, at Team Cymru, we believe the Internet warrants stewardship of its own. So we spend a lot of time and energy kind of doing that community service. So for us, the primary function of an evangelist is to be proof that we are who we say we are, that we're trustworthy and good people, and that we're in it with people, and that we're out there to try to help them solve the problems they face.
Typically, when you think of the commercial side of evangelism, we typically just have to go out and make sure people know who we are. So it's much more work for us, I think, for the community service evangelism, than it is for kind of the commercial service.
[00:13:34] CS: Yeah. I like hearing that in detail, and I appreciate you not using the usual sort of high level thing of saying, “Oh. Well, different every day.” You have – There are –
[00:13:45] DM: Sure.
[00:13:46] CS: That happens a lot. But I think that's worthwhile for people to hear because, again, this is – As someone who doesn't have much of a tech background either, that there are so many people who can be plugged into the overall sort of cybersecurity programming risk management industry that don't necessarily need to have all the certifications and all the stuff like if you're –
Especially if you're a good speaker and a good communicator and, like you said, you're not afraid of talking to people at an extended basis and listening and being empathetic, then that can really get you far and it’s –
[00:14:24] DM: Very much so.
[00:14:25] CS: It’s not necessarily as common as you might want it to be.
[00:14:29] DM: Yeah. Some people, they like to call this talent a soft skill. I think whoever came up with that term like really hasn't spent time around technologists because it seems to be way harder than the word. I would call it a hard skill. But you're absolutely spot on, and it is really important for folks out there to keep that in mind. When you consider technology an occupation or a career in technology, they have to keep in mind that for everybody else that's not in technology, you kind of are going to need someone who can bridge those two constructs, from the technical to the non-technical.
I know that sounds like – I forget the guy's name. But in that movie, Office Space, the guy who ends up inventing Jumping to Conclusions, the game, if you recall, before he gets fired, he gets pulled in the meeting room with the Bobs, and they're like. “What is it that you say that you do?” He's like, “Well, I take the specifications from the customer, and I go to the to the engineers.”
The Bobs in that and probably to someone who doesn't understand the realities of technical work, that all seems funny. They all think like, “Ha, ha, how funny. You have this person whose job it is to act as like a Rosetta Stone between technical people and not.” But I can attest it, it is a real thing. If you have enough technical acumen and some social skills, you can kind of create a niche for yourself.
[00:15:59] CS: Yeah. No, I totally agree. Also, I think it befits a company to have someone like that because I think there's probably a possibility that your board or your C-suite or your executives, if they don't know what you're talking about, they might be more hesitant to do what you say. They might just say like, “Oh, I don't know. We'll deal with that. Let's table it for now,” and so forth and so on. Yeah. I think it really does sort of rise to the top in that regard. Yeah.
So like I say at the beginning, today, I want to talk about attack surfaces, talk about attack surface management and some DevSecOps and the state of attack surfaces. I will admit that I'm kind of new to some of these ideas, and maybe some of our listeners are as well. So can you tell us about an ASM or an attack service manager, and what role this plays in the security creation and deployment of applications?
[00:16:56] DM: Sure, absolutely. So attack surface management or ASM is a concept that was presented by some Gartner analysts. What you could think of it as is the packaging, is the assembly. Let's call it that. I hate to call packaging but is the assembly of a few disparate, which historically had been separate functions for operations, and that is asset discovery and management. So identifying what you have, right?
Then once you identify what you have, so think that's kind of a logistics exercise, right? Then once you have it, you look at, okay, what's the state of it. So you might scan it. You might just do a perfect – Sorry, a surface scan to like see what services it's running. Or you may do like an exhaustive or enumerative vulnerability scan to look to see like, “Hey, it's running these services, and they're vulnerable to these attacks.” Then kind of what to do with it from there, which typically, from that point, tends to kind of shoo into patch management.
So when you think of like historical attack surface management, you could think of it as that process of identify your assets, understand what they are, then scan them, and then do something with what you find. That was what we refer to as kind of ASM 1.0. This was kind of the original core concept for ASM. Interestingly, it wasn't designed as those pieces together from the get go.
As obvious as it is, after you heard me explain this, it’s like, “Oh, yeah. That makes perfect sense.” Well, we went 20 years, 20-plus years, without this, with having disparate pieces. It's similar. When I think about it, when it kind of clicked for me, it's up there with like wheels on suitcases. It was such an obvious good idea. How did we get this far without it donning us? So I have some kind of started that same way.
Then to kind of draw on that same example, what we did is we came along and evolutionized. We took it to the next level, and that's kind of our MO. To use the same suitcase analogy, right? We put casters on and not just wheels. So we were the first 360 roller. But, no, we typically don't. So as an intelligence company, we tend to try to find other folks who have a product and then make that product smarter. With our intelligence, we try to help them make it smarter.
So we looked initially at an ASM because we consider – By the way, we don't consider ASM to be kind of a security tool. We consider it to be an intelligence tool with a security application. What that means is if you really break down the pieces of what ASM does, it's all about what you know about your assets. It’s either – Is it showing you something you didn't know, and then it's showing you something about that thing that you didn't know that you should be concerned with?
So we consider ASM to be an intelligence solution, the application of intelligence toward security. But we consider security to be a measure that you take towards handling and mitigating and understanding risk to your organization. So we are not believers that security is a state of existence. We consider security to be a process and that these tools kind of get you to there. But at the end of the day, it all comes down to intelligence. We looked at kind of the ASM model, and we thought, “Where can we apply intelligence to it?”
To give you some background on Team Cymru, we've spent the last almost two decades building relationships with the people who make the Internet itself work, and helping them to kind of maximize the profitability of their components, and helping them make the most of the Internet. We feel that the Internet is an incredibly powerful tool. So we've partnered with these folks that kind of make the Internet happen.
In return, they let us see what's happening on the Internet. So like we help them remove what's bad from their network and then helps us to learn how people are misusing the Internet, for example. We collect like 400,000 pieces of malware every day. We see tens of millions of IP addresses misbehaving in every hour of every day.
So we realized that we had this kind of data lake of reputational information that would be significant. Let me walk you through a scenario. So in the ASM 1.0 world, let's say there was a vulnerability in some application that you're running on a mission critical system. It gets exploited on Tuesday by way of some because no one knows that it's out there, and you learn on Wednesday that there's this vulnerability, and you now have to go out and apply these patches.
Perhaps your ASM product catches all of that. Maybe once your scanner was updated, you ran it, and you were able to update your system immediately and patch it. But the problem is you are already compromised on Tuesday. So all you've really done when you apply the patches to your system is you've kept anybody else from breaking into the system. Meanwhile, someone already has broken into your system.
This is where the application of like reputational intelligence can come into play. So we're tracking all of these compromised devices every day, either from watching the command and control sources where they come from, or we're watching to see who downloads malware, things like that. But it helps us to understand victimologies of botnets and things like that. But imagine if your ASM tool, you discover this new asset, and it automatically tells you, and it's vulnerable to these, and it was compromised yesterday.
Now, you know, to rebuild the system as opposed to patch it, which is a considerably different exercise, right? And will help you get some idea to know maybe what risk by way of exposure you've already endured to help you understand how to change that posture. So that was the first and one of the more obvious applications of applying intelligence to that.
Now, we also take and apply intelligence and change the ASM 1.0 model, also an asset and device discovery. So what we did is we sat down with our analysts who have observed miscreant operations for decades, and we figured out how do the bad guys figure out where everybody's things are? So if IT managers have a hard time identifying their own assets, how is it that bad guys always seem to find the unpatched or the unlocked down device? How is it that they're so good at that, once they determined that they want to get access to a target? How are they so darn good at doing it?
So we sat down to try to solve that, and we're pretty good at it. We’re pretty good at understanding how this stuff works. Well, we realized, well, this should be how the discovery component, this discovery stage, the asset discovery capability of an ASM product should behave. This is where we started to kind of diverge from let's try to add our stuff to somebody else's product, or let's make a product of our own.
When we got to this point, we realized we're going to need to make a product of our own. So that's when we launched our Pure Signal Orbit product. So that's one of the other big capabilities is our tool will find more stuff than other folks because it's using the same type of methodologies to look and find stuff. To give you an idea, I know this is – I'm like king of long story analogies, by the way. So I apologize in advance.
[00:25:08] CS: This is the central thesis here. So we can definitely spend all the time we want here to sort of set the table. We have a very elaborately set table, so please.
[00:25:16] DM: Okay. Perfect, perfect. It goes with me not being an academic, right? So everything's in layman's terms. Right now – But it goes back to – So you have assets, right? Typically, how a tool works is you – It works this way often time because of licensing because it's tricky to decide how to price your product and then how to enforce the licenses.
In the case of ASM, and this isn't just the case for ASM, by the way, any vulnerability management tool tends to or any asset discovery tool tends to go by how many assets you have, like what do I know of? Oftentimes, that's determined by IP addresses. So if you've been given an IP range from your ISP, and you go out and license that when you go to buy your license, it says, “Well, we're going to scan your products. How many IPs do you have?”
Well, if you know already that you have, let's say, 256 IP addresses, let's say you have a /24, and you know that to be the case, well, what's this tool really telling you? I mean, nothing new that – I mean, you had to tell the tool. It’s not going to find things like AWS instances that you didn't know of that are outside of your tool. Like maybe you have developers that spun up some temporary equipment. A lot of people call this the shadow IT problem.
Shadow IT is a piece of many, many breaches out there, and what shadow IT means is infrastructure and services running on equipment that you just didn't know about. It happens all the time. In particular, with the dawn of cloud computing, it has massively escalated how often shadow IT pops up. It’s still a huge piece of many, many breaches that are out there.
But what we do is, like I said, we take the approach of, well, just how do bad guys find it? Well, they pull and look at data, and they go to services online. There's a lot of open source services out there, Shodan, for example. We could go in and – Or VirusTotal or –I mean, there's lots of them out there. But you can go out and put in seeds and see, hey, where does this domain show up at?
Now, where can I find instances or mentions of this domain that are outside of this address space I know they have? Now, like to – Folks who are listening out there, you may be thinking, ‘Well, so what if someone has your domain there?” Well, if you have a certificate, for example, that should be on your enterprise but has shown up in Amazon space, that suggests this asset out there, if it has your real certificates on it, this is probably part of your infrastructure that you didn't know about, that's off your network.
So this kind of evolution is what we have been just expanding on. As we proceed down this path of, like I said, originally, we were saying what is ASM missing, now we're saying, what more can we put in here, now that we have built our own platform?
[00:28:24] CS: Yeah. Now, does that transition into – So I don't quite understand if this is something that happened externally in the industry, or whether this is something of your making. But we talked about the coming or the changeover from ASM 1.0 to ASM 2.0. How does that tie in to – Because it sounds like with your product, you've made your own jump? But how does that tie in with the idea, like the sort of like mass adoption of ASM 2.0?
[00:28:55] DM: So ASM 1.0 is just a generic term, right? So ASM is a generic term. So it's not an actual protocol, right? But we're taking this kind of protocol version to it, this like version one, version two. But we feel that the contributions that we're making towards the technology as a whole are significantly empowering, what would you think of as the traditional stuff, which is typically static. You provide the domain name. You provide the IP address.
Then all it's really doing is the scanning for you and things like that. But it's not showing you anything you don't know. Like it shows – Even if you had a vulnerability on a service that you knew you're running, well, all services eventually have vulnerabilities. Again, it's not really showing you something you didn't know. Now, the thing where it goes out and shows you 300% increase in the number of assets that you thought you had, now that's something new, and that's really helping you to curve your risk modeling and better understand what the real threats that you're facing look like.
To us, our approach is such a – I hate to call it an upgrade because, to be honest, our approach fundamentally is even different. So it's not just an upgrade. We take it at a different angle all together. A lot of that – We don't waste – As a company, we are very frugal in an economic sense. But we're even more frugal in a time sense. We don't believe in wasting time. The only thing that we believe you can never get back is time. So we don't want to waste anybody's time, our own or anybody else's.
Before we went down this venture, we actually set out to better understand the ASM industry. The study that you've mentioned, it was a set of questions that we sent out to verified ASM owners. So these are people out in the world who had already decided to take on ASM as the way that they were going to manage their infrastructure and the way that they were going to help understand their assets.
A massive percentage of them said they were not going to be renewing those tools because they simply fell short of showing them anything that they didn't know. So that's been our big driver. The very first people that we showed orbit, once we created our tool to were people who had existing ASM solutions, and the capabilities that we've added on to it were significantly different than what the folks had.
In some cases, they have immediately said, “Okay, we're dumping this other thing that we have, and we're moving to your product,” which we had to explain to people it was a brand new product at the time. So let us get it done first kind of thing. But, no, that's where we are now. So ASM 2.0, arguably, is just us presently. I expect, though, the industry to pivot pretty quick and look to get their products doing what I like to refer to as a more dynamic approach to ASM.
[00:32:14] CS: So this – Thank you for that. That elucidated very nicely for me. So, as you said, you sent out the survey. You created a state of the attack surfaces report. Were there any particularly surprising findings to you, anything that really like changed your opinion of how people were using this equipment or like big holes or blind spots?
[00:32:42] DM: I think the most interesting piece to it to me was just the massive percentage of people who said they were unhappy with it. I mean, I can only think of another, only a single other product in kind of like the history of computing, where this has also been true, and it's an anti-virus software, where everybody was like, “I hate this one the least, so that's what I use.” Yeah.
Until Microsoft kind of tackled the problem by rolling Defender into the platform to where now you didn't have to run this additional piece of software, until they kind of hid that experience, that used to be the number one thing that people complained about. So this – I was very surprised to see that ASM as it – Because it's a still a very new technological concept, I was surprised to see it had so many enemies out of the gate. Because it was new to us, because really we were looking at other avenues of applying intelligence to problems that humanity faces, and that's kind of how we ended up in the risk space.
But, again, we also perceive risk is the number one driver and not security. We think that security is a step towards it. So that might be why it's different for us. But I was very surprised that how many of them out there said, “We have this.” Greater than 50% of them said, “We're not keeping it because it's not useful to us, because it's not teaching us things we don't know.”
[00:34:14] CS: Or they're not seeing the value or they're not using it in a way that it can be useful to them or something.
[00:34:19] DM: Right, exactly. Yeah. To some degree, I think a lot of people got hung up on the power of ASM was some kind of single pane of glass thing. No offense, but if that's the only capability you have to hang your hat on, you're betting that LCD monitors stay as expensive as they are the day you launch your product. Because if they eventually get cheaper, the pane of glass can get bigger and more than – There's more than one way to put more things on a pane of glass. Do you know what I’m saying?
[00:34:48] CS: Right. Yup, for sure.
[00:34:49] DM: Yeah. That’s quite the gamble. So we're trying not to be that.
[00:34:54] CS: Yeah, absolutely. I read through some of the report, and one of the things that was most interesting to me of the key findings was the disconnect between having a CIO or CTO at the top of the masthead but noting that most technical work was done on the department level. It suggested kind of a wide gulf between people doing the work and the people doing the risk planning.
Or if I can pull out the report, more than in the past, organizational leaders treat risk holistically, including security risks, security mitigation, and remediation strategies must be risk-based to make a meaningful contribution to the organization's risk profile calculus. So do you have any recommendations for ways to sort of that tie this better than it's being done right now, tie them together?
[00:35:39] DM: Yes. What that's on about, by the way, is not every asset you have in your infrastructure is created equal because it's just true. Your primary Active Directory servers, probably the key, it has all your authentication components to it, right? So that's probably 10 times as more. It's probably 10 times as valuable as your website.
When you ask people what's the most important thing, they might say, “Oh, well. Our website because that has our brand. And if somebody came and defaced that, boy, we'd sure be in trouble.” But in actuality, the bigger risk to your business is, well, if somebody comes in and can pretend to be your CFO and take all the money out of the bank. Then you're out of business altogether, and it doesn't matter what people think of your website.
That’s true for everything. So like if your tool doesn't allow you to make those definitions to apply that kind of, let's call it, operational business intelligence, if your tool doesn't allow you to inform it of some of those things, you're probably going about it in the old way. So those are like – My advice to folks like looking for that is make sure your tool is going to teach you something. Make sure that you can scope what it's telling you.
So like if you have two – I hate to always pick on Active Directory. But if you have a local instance of an Active Directory server and one Dev instance that doesn't have any accounts on it, just because to your system scanner they look the same, but you know one of them is an active AD and the other is like a development instance of an AD, you know that, so you should handle that accordingly.
But if you can't tell your tool to do that, and it's alerting you about problems on a system that's not actually important to you, that suggests you have an older tool. Sorry, I may have wandered some from the question.
[00:37:53] CS: That's okay. No, no. Yeah. I mean, that totally works. I just wanted to sort of get a sense, and it folds into the next question because, again, I was sort of struck by anytime that there's kind of gaps between the people that are doing the planning and people that are doing the implementing and the people that are the intermediaries and so forth.
[00:38:12] DM: Sorry, that was the part that I had left out. So on that question, the other thing to keep in mind is a lot of the world out there, there isn't a delta between the decision maker and the person who's doing the execution. We have a lot of what I would call active management or technical leadership, still boots on the ground. It's not until you get into the really big companies where you start to see that kind of separation.
But one of the things that I can tell you is that a lot of the practitioners are hung up on this notion of security as opposed to risk. It’s better we turn this thing off because it's insecure than endure the risk of something bad happening to it while we stay in business. Too many technological-only people will pick that first one. They'll say, “Let's shut this off and be out of business.”
I think a lot more people need to realize, in particular, where they are, these smaller teams, is that your board or the people on the business side need you to be making decisions for the sake of the business, not for the sake of the systems. So you have to see things as a risk, as opposed to some binary state of secure or not secure, if that makes sense.
[00:39:34] CS: That does make sense. Yeah.
[00:39:36] DM: Yeah. I think that you'd find, though, that, though, the report does suggest there is a big gap there, that a lot of that had to do with because, in some cases, they were one in the same. Well, in most of the cases, actually. I think about half, they were like one in the same, and it wasn't till you get over a certain line until they actually start to become different teams.
[00:39:57] CS: Okay. So moving into sort of a career-related question around that, obviously, OPSEC and related fields are going to be a growing field of employment. So for our listeners, can you talk about some key skills, experiences, talents, and areas of learning that you would like to see from security novices or aspirants, people looking to make big career changes into this field? By how some of these skills and requirements change as you move also from the nuts and bolts tech level we were saying to the holistically planning C-suite and executive level.
[00:40:30] DM: Yeah. The biggest thing that I can tell people will be useful to them is a broad base of experience or of knowledge. What I mean by that is you have to be able to know how things work generally in order to, A, build upon that and understand them in greater detail.
But when it comes to InfoSec, it's even more important because you need to know when something isn't quite right, and the only way you'd know that is to know, well, what right might look like. So what has helped me the most is, and I know this is kind of contrary to many people's typical approach to things is, but I have benefited the most from not becoming an expert in anything in particular, until I got way down my career path.
So I spent like 15 years, which, by the way, our CV at the beginning, I think it says more than 20 years. I'm coming up on like 28 or something. I guess I should update that to [inaudible 00:41:40] my CV. But I spent probably the first like 15 years being a generalist, not in pursuit of a specific thing. Though I was personally interested in kernel hardening, I didn't pursue some whole life. I'm very, very interested in Linux system kernel hardening. So I follow like – Shout out to grsecurity folks, Brad and PaX Team. A big thumbs up for both of those teams, projects from me, longtime fan.
But I could have like stayed with that, and I don't know what my – I won't tell you that my feature would have been bad or something like that. But I know how good my feature has been because I didn't do that at the same time. I know that kind of diversity of understanding is critical, in particular when it comes to InfoSec.
So don't spend all your time just being a programmer. Learn how the systems work that you're on. Learn why they work that way, in a lot of cases. Like I mean and I'm talking nuanced stuff. Like go back and learn why is there a difference between System Five and BSD Unix. Why is that? What were those things? Know why it is that browsers all claimed to be Mozilla. If you look at the user agent, why that is. Little nuanced stuff, but it'll help you better understand kind of the world that you live in and electronically speaking, at least.
[00:43:07] CS: Yeah. Now, in terms of the sort of wide-ranging learning, it sounds like it was – You were learning these things partly because you enjoyed them. But mostly, it was whatever the next sort of challenge was. So you were kind of learning according to where you wanted to sort of extend yourself and, well, I need to know this to do this, rather than –
I think everyone's already sort of spoken out against the idea of like alphabet collectors who want to get every cert and stuff, but don't have any application for it. But, yeah, again, I think it's important to reiterate that learning comes from solving the next problem in front of you, rather than building a big toolkit that, yeah, you know.
[00:43:49] DM: Even before that, the first problem that everybody faces, when you wake up every morning, a bunch of this happens subconsciously, but you start with what am I and then where am I. Then eventually, you get to what do I want to do today. Now, most of this process is invisible to us, but it happens to us every day. Because when we return from our sleep state, our brain has to reorient itself.
The reason why it happens silently to you is because we've had the opportunity to kind of assess how things work here. Like you know about gravity. You know about light. You know that you're going to put your feet down and stand up. You know all of these things that we kind of take for granted. That's the type of stuff that I'm talking about. Not just like how do I get someplace but like what am I, where am I. Then kind of build out from there.
But the more kind of demystifying exercise that you can apply to InfoSec, the better you'll be at the job because everybody is going to be outsmarted by somebody at some point in the InfoSec game. I don't care who you are or what you're doing.
[00:45:01] CS: Yeah. Don’t be afraid to step in it.
[00:45:04] DM: That's right. Yeah. Someone's going to come at some point and outdo you. So what your job really is isn't to be the best at anything. It's to be the most versatile at everything because at some point, somebody's going to make a pivot or a move. If you're wed to possibilities to where you've excluded outcomes, just because you think you know better.
[00:45:26] CS: Or you’re digging your heels because you are the specialist, and there's that sunk cost fallacy of like, “Well, I already learned all this stuff, so I'm just going to keep doing it.”
[00:45:34] DM: Yeah. It’s in – What is it? When you're a hammer, everything's a nail, whatever that saying goes. I mean, all of those things are true. All of those things are true.
[00:45:42] CS: Yeah. Well, I think it's a great place to wind up because I always like to sort of end with actionable career advice like that. So as we wrap up today, you've talked a bit about Team Cymru. But what are some of the sorts of projects you're working on now that you're excited to sort of premiere or unveil in the months to come here?
[00:46:02] DM: So our Orbit Platform, again, it's a business risk platform in the ASM 2.0 space. I encourage people take a look at that. Our attribution platform called Recon, it’s – Again, our belief is an evolutionary step going from threat hunting and taking it to the next step and allowing you to do full reconnaissance, adversarial reconnaissance. If you're a hunt team out there, I would encourage you to drop us a line and take a look. But the rest of the stuff that we're working on that I'm very excited about, we haven't even begun them.
Like I said, our biggest objective is to get access to more problems, and I'm hopeful that someone out there, and maybe they're listening right now to your show, is going to come to us with the most exciting thing we've ever worked on. That's really what I'm most excited for is for tomorrow's problems. I'm not trying to say we solved yesterday's, but I much prefer fighting dragons when they're still a scary story because it seems like whenever you find them, they're always just a mad iguana, as opposed to actually a scary dragon. So I like it better when they're still mystery.
[00:47:18] CS: Fabulous. Well, perfect transition to my final question here. If our guests want to learn more about Team Cymru or Dave Monnier or want to write you and tell you that they have the solution that you're looking for, where should they go online?
[00:47:33] DM: That’s cymru.com, and it’ll redirect you to the longer version of our domain, which is team-cymru.com, but just cymru.com. If anybody wants to find me, I'm on LinkedIn. I have a Twitter account as well, though, I don't use it very often. I have to admit. But you can find me on LinkedIn, and that's D-A-V-I-D and last name, M-O-N-N-I-E-R.
[00:47:57] CS: All right. Well, Dave, thank you very much for your time today. This really helped clear up some difficult concepts for me and, hopefully, for our listeners as well. I really appreciate that.
[00:48:05] DM: Thanks for having us, Chris.
[00:48:07] CS: And as always, thank you all for listening to and watching the Cyber Work podcast. On an unprecedented scale in the past three months, all of you have helped more than double Cyber Work’s viewership on YouTube, and I couldn't be more thankful and humbled. So if you're subscribing to the podcast, thank you. If you're watching it when it goes live on Mondays at 1:00 PM, Central, thank you again. And if you're telling friends and colleagues, thank you, thank you, thank you. We're delighted to have you along for the ride.
Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? So try this. Go to infosecinstitute.com/free and get your cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. That’s infosecinstitute.com/free, or click the link in the description below, and get your free training plans. Thank you very once again to Dave Monnier and Team Cymru. And thank you all for watching and listening, and we will see you next week.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
0:00 - Attack surfaces
2:55 - Dave Monnier's first interest in cybersecurity
7:30 - Instinctual cybersecurity learning
9:20 - Monnier's work as a chief evangelist
14:00 - Cybersecurity soft skills
16:30 - What are attack surface managers?
28:25 - ASM 1.0 to ASM 2.0
32:22 - State of attack surfaces
34:58 - Asset infrastructure in your business
40:00 - Key skills cybersecurity novices need
43:07 - Learning in cybersecurity
45:42 - Learn more about Team Cymru
47:19 - Outro
Transcript
[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well, try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it, infosecinstitute.com/free. Now, on with the show.
Today on Cyber Work, Dave Monnier of Team Cymru joins me to talk about the state of attack surfaces, the strengths and shortcomings of attack surface managers, and why something we refer to as a soft skill might, in fact, be the hardest skill of all. All that and a little bit of talk about shadow IT today on Cyber Work.
Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.
David Monnier was invited to join Team Cymru in 2007. Prior to Team Cymru, he served in the US Marine Corps as a noncommissioned officer, then went to work at Indiana University, helping to build some of the most powerful computational systems of their day. He then transitioned to cybersecurity, serving as lead network security engineer at the University, and later helped to launch the Research and Education Network, ISAC.
At Team Cymru, he has been systems engineer, a member of the community service outreach team, and a security analyst. David led efforts to standardize and secure the firm's threat intelligence infrastructure, and he served as team lead of engineering, establishing foundational processes that the firm relies on today. With over 20 years of experience in a wide range of technologies, David brings a wealth of knowledge and understanding to threat analysis, system hardening, network defense, incident response, and policy.
So for today's episode, we're going to be talking a little bit about DevSecOps, as well as attack surfaces and attack surface managers, about the move to ASM 2.0, and Team Cymru’s state of the attack surfaces report. Lots to get to, so let's get to it. Dave, thanks for joining me today. Welcome to Cyber Work.
[00:02:53] Dave Monnier: Thanks for having us, Chris.
[00:02:55] CS: So to start with, I like to get to know our guests a little by tracing your interests and background. So what first got you excited about computers and tech, and how far back did that go, and where did the interest in cybersecurity go from there?
[00:03:08] DM: Sure. Yeah. I maybe a little bit of an anomaly in the industry. I grew up very, very, very poor, I guess, for lack of better word, and didn't really have access to computers, outside of kind of the one that you would have maybe sometimes in a specific classroom, where like it would be mathematics or language learning, for example. It was common to see that there.
But I graduated high school in 1991. So that was still kind of the era where you had the lab model. The whole school might have three to seven to whatever systems to work on. So I never really had access to computers growing up, and then I ended up enlisting in the Marine Corps and had some exposure to systems there. But still, it wasn't a regular part of my job, and I didn't really get exposed regularly to computational systems until like after I got out of the Marine Corps in 1995. So I figured in 1996 or so was the first time I really like had hands on.
For me, I didn't realize that I understood how computers work because I hadn't ever been around them. It was like this talent that I never knew that I had kind of thing. But I was working in a print shop, and it was the very dawn of kind of electrostatic electronic-driven prints. This system I was working on had broken. We weren't able to get somebody to come out and fix it. So I ended up trying to fix it myself because it was – I was the young guy on the team and trying to impress the boss and all that stuff. It turns out I turned out to be able to fix it. It was a SunOS system.
But that's when I realized nobody else seemed to understand how to fix this, and I did. But then the person who came to fix the system was like, “Hey, I'll hire you right now. You're wasting your time here working at this print shop.” It turns out they were right. But then I ended up – Within, I guess, pretty short order, I worked briefly for a small networking shop, running lines through rooftops and doing some point-to-point RF networking at the time.
But I ended up having the opportunity to move to Southern Indiana. A friend of mine went to school there. I moved down and moved in with him and ended up getting a job the day I arrived in town, which was my second clue that I had some in-demand skills. It still hadn't dawned on me how good I was at doing it or that there was really a career path there because computing was still so new, right? You know there's value in being a plumber, but it wasn't obvious value in being a programmer or a sysadmin or any of those things.
Out of coincidence, I ended up moving down there, applied for some jobs to do like basic help desk type of work and got hired very quickly. Then within like a week from there, these folks asked me to go start doing other stuff. So it kind of went from there. Cybersecurity, as far as cybersecurity interests went, that was also kind of a coincidence of I was working in high performance computing, and there was a security incident on one of the systems that I helped manage.
That really also kind of turned into me understanding that I saw cybersecurity differently than the rest of my peers. In the High Performance Computing Center, they didn't see the risks the same way I did. I guess, for lack of a better word, I've been at the right place at the right time, without knowing either.
[00:07:19] CS: But also having the right instincts and the right sort of mental processes as well. So coming back around, did you sort of retroactively sort of fill in the blanks in your knowledge? Did you do any kind of focused computer science study or security study or anything like that? Or have you been able to sort of do instinctual sort of learn-in-the-moment things?
[00:07:42] DM: Yeah. I'm completely an instinctual learn-in-the-moment person. I'm not anti-academia, but I've taught in academia. I've taught like 200-level and 400-level classes. So I get to kind of see the change that people go through as they proceed. One of the things that I – Again, I'm not an anti-academic person, so I hope any of your listeners don't take what I'm saying is to suggest that. But what I feel as maybe an unintended side effect of kind of the academic model, because you end up knowing only that what you studied, and some people will fall into this trap of like not considering anything else. They only know what they know. If they don't know what that is, then that thing doesn't exist. So kind of the –
[00:08:31] CS: Yeah. The nervousness of straying off the path.
[00:08:33] DM: Exactly. Yeah. So though I've never had it, I also have never felt handicapped by it because I have this intuitiveness, I guess. Now, I've read parts of lots of books. I get to the part, once I figure out what it is I was looking for, I tend to move on. Actually, I used to be total digital everything. I was like, “Let me be constantly online, and let me constantly digitize my existence.”
But probably in the last 10 years or so, I've been doing the opposite. I actually tried to recharge offline as much as I can because I spend so much time online. So funny enough these days, I'm in pursuit of a more analog existence.
[00:09:18] CS: I love that. So tell me about your work as chief evangelist at Team Cymru. What are some of your common tasks and your day-to-day responsibilities? Because I feel like the role of evangelist, it can mean a lot of things at different companies. So I'm just kind of – Because people are always looking at our show to figure out where they want their career to go. What does your average day look like as a chief evangelist?
[00:09:42] DM: Sure, happy to. So first of all, I'll tell anyone out there, if you get offered the opportunity to be an evangelist for anyone, be flattered for starters because to be an evangelist means that someone else has determined that your ability to deliver a message is better than most kinds of things. So it's like someone coming along and telling you that you have a good voice, or you're very photogenic.
Unlike the people at the mall, who are trying to convince you that you're a model, if only you sign up for their acting classes or whatever this nonsense is, typically, when it comes to evangelism in IT, it is a compliment. So characteristics-wise, when you get to the high-powered nerdery, don't often lend themselves to evangelism. There's kind of like introversion and then characteristics like that and then kind of steering people.
But, no, day to day as an evangelist, for us, we have a couple of different, I guess, routes, I could call it. So one of the components to our business is, obviously, promoting people to understand our business and what we do and that we're out here. But another angle to us and what evangelism really, more importantly, is for us is making friends around the world so that we have more access to problems.
In a lot of people, that may seem strange. That may sound like a weird thing to say. But we are an intelligence provider. So we're in constant need of understanding what information we should be looking to collect and what information we should be looking to curate into products and things like that. The big driving factor for us there, when you think of it as far as markets go, is problems.
So the funny thing, though, about problems is like if we walked down the street, and we just grabbed strangers and said, “Hey, what's bothering you,” most of them would say, “Well, you are. You are what's bothering me,” right? But there is a different thing that happens when you encounter someone that you know on the street who's your friend, right? They say, “What's bothering you?” If they're your friend, and they're genuinely your friend, you'll share with them what that problem is.
A lot of evangelism to us at Team Cymru is kind of a cross or a mix of, I should say, demonstrative trustworthiness. Meaning at every turn, we make ourselves available, and we take other people's problems to heart. That’s not in return now to keep in mind that we're not a services business. So this isn't to mean pay me, and I'll worry about your problems. Actually, it's more like we're friends. We're in this together. We're both members of the same Internet community. We're both trying to make the Internet function every day, and we believe that the Internet –
By the way, at Team Cymru, we believe the Internet warrants stewardship of its own. So we spend a lot of time and energy kind of doing that community service. So for us, the primary function of an evangelist is to be proof that we are who we say we are, that we're trustworthy and good people, and that we're in it with people, and that we're out there to try to help them solve the problems they face.
Typically, when you think of the commercial side of evangelism, we typically just have to go out and make sure people know who we are. So it's much more work for us, I think, for the community service evangelism, than it is for kind of the commercial service.
[00:13:34] CS: Yeah. I like hearing that in detail, and I appreciate you not using the usual sort of high level thing of saying, “Oh. Well, different every day.” You have – There are –
[00:13:45] DM: Sure.
[00:13:46] CS: That happens a lot. But I think that's worthwhile for people to hear because, again, this is – As someone who doesn't have much of a tech background either, that there are so many people who can be plugged into the overall sort of cybersecurity programming risk management industry that don't necessarily need to have all the certifications and all the stuff like if you're –
Especially if you're a good speaker and a good communicator and, like you said, you're not afraid of talking to people at an extended basis and listening and being empathetic, then that can really get you far and it’s –
[00:14:24] DM: Very much so.
[00:14:25] CS: It’s not necessarily as common as you might want it to be.
[00:14:29] DM: Yeah. Some people, they like to call this talent a soft skill. I think whoever came up with that term like really hasn't spent time around technologists because it seems to be way harder than the word. I would call it a hard skill. But you're absolutely spot on, and it is really important for folks out there to keep that in mind. When you consider technology an occupation or a career in technology, they have to keep in mind that for everybody else that's not in technology, you kind of are going to need someone who can bridge those two constructs, from the technical to the non-technical.
I know that sounds like – I forget the guy's name. But in that movie, Office Space, the guy who ends up inventing Jumping to Conclusions, the game, if you recall, before he gets fired, he gets pulled in the meeting room with the Bobs, and they're like. “What is it that you say that you do?” He's like, “Well, I take the specifications from the customer, and I go to the to the engineers.”
The Bobs in that and probably to someone who doesn't understand the realities of technical work, that all seems funny. They all think like, “Ha, ha, how funny. You have this person whose job it is to act as like a Rosetta Stone between technical people and not.” But I can attest it, it is a real thing. If you have enough technical acumen and some social skills, you can kind of create a niche for yourself.
[00:15:59] CS: Yeah. No, I totally agree. Also, I think it befits a company to have someone like that because I think there's probably a possibility that your board or your C-suite or your executives, if they don't know what you're talking about, they might be more hesitant to do what you say. They might just say like, “Oh, I don't know. We'll deal with that. Let's table it for now,” and so forth and so on. Yeah. I think it really does sort of rise to the top in that regard. Yeah.
So like I say at the beginning, today, I want to talk about attack surfaces, talk about attack surface management and some DevSecOps and the state of attack surfaces. I will admit that I'm kind of new to some of these ideas, and maybe some of our listeners are as well. So can you tell us about an ASM or an attack service manager, and what role this plays in the security creation and deployment of applications?
[00:16:56] DM: Sure, absolutely. So attack surface management or ASM is a concept that was presented by some Gartner analysts. What you could think of it as is the packaging, is the assembly. Let's call it that. I hate to call packaging but is the assembly of a few disparate, which historically had been separate functions for operations, and that is asset discovery and management. So identifying what you have, right?
Then once you identify what you have, so think that's kind of a logistics exercise, right? Then once you have it, you look at, okay, what's the state of it. So you might scan it. You might just do a perfect – Sorry, a surface scan to like see what services it's running. Or you may do like an exhaustive or enumerative vulnerability scan to look to see like, “Hey, it's running these services, and they're vulnerable to these attacks.” Then kind of what to do with it from there, which typically, from that point, tends to kind of shoo into patch management.
So when you think of like historical attack surface management, you could think of it as that process of identify your assets, understand what they are, then scan them, and then do something with what you find. That was what we refer to as kind of ASM 1.0. This was kind of the original core concept for ASM. Interestingly, it wasn't designed as those pieces together from the get go.
As obvious as it is, after you heard me explain this, it’s like, “Oh, yeah. That makes perfect sense.” Well, we went 20 years, 20-plus years, without this, with having disparate pieces. It's similar. When I think about it, when it kind of clicked for me, it's up there with like wheels on suitcases. It was such an obvious good idea. How did we get this far without it donning us? So I have some kind of started that same way.
Then to kind of draw on that same example, what we did is we came along and evolutionized. We took it to the next level, and that's kind of our MO. To use the same suitcase analogy, right? We put casters on and not just wheels. So we were the first 360 roller. But, no, we typically don't. So as an intelligence company, we tend to try to find other folks who have a product and then make that product smarter. With our intelligence, we try to help them make it smarter.
So we looked initially at an ASM because we consider – By the way, we don't consider ASM to be kind of a security tool. We consider it to be an intelligence tool with a security application. What that means is if you really break down the pieces of what ASM does, it's all about what you know about your assets. It’s either – Is it showing you something you didn't know, and then it's showing you something about that thing that you didn't know that you should be concerned with?
So we consider ASM to be an intelligence solution, the application of intelligence toward security. But we consider security to be a measure that you take towards handling and mitigating and understanding risk to your organization. So we are not believers that security is a state of existence. We consider security to be a process and that these tools kind of get you to there. But at the end of the day, it all comes down to intelligence. We looked at kind of the ASM model, and we thought, “Where can we apply intelligence to it?”
To give you some background on Team Cymru, we've spent the last almost two decades building relationships with the people who make the Internet itself work, and helping them to kind of maximize the profitability of their components, and helping them make the most of the Internet. We feel that the Internet is an incredibly powerful tool. So we've partnered with these folks that kind of make the Internet happen.
In return, they let us see what's happening on the Internet. So like we help them remove what's bad from their network and then helps us to learn how people are misusing the Internet, for example. We collect like 400,000 pieces of malware every day. We see tens of millions of IP addresses misbehaving in every hour of every day.
So we realized that we had this kind of data lake of reputational information that would be significant. Let me walk you through a scenario. So in the ASM 1.0 world, let's say there was a vulnerability in some application that you're running on a mission critical system. It gets exploited on Tuesday by way of some because no one knows that it's out there, and you learn on Wednesday that there's this vulnerability, and you now have to go out and apply these patches.
Perhaps your ASM product catches all of that. Maybe once your scanner was updated, you ran it, and you were able to update your system immediately and patch it. But the problem is you are already compromised on Tuesday. So all you've really done when you apply the patches to your system is you've kept anybody else from breaking into the system. Meanwhile, someone already has broken into your system.
This is where the application of like reputational intelligence can come into play. So we're tracking all of these compromised devices every day, either from watching the command and control sources where they come from, or we're watching to see who downloads malware, things like that. But it helps us to understand victimologies of botnets and things like that. But imagine if your ASM tool, you discover this new asset, and it automatically tells you, and it's vulnerable to these, and it was compromised yesterday.
Now, you know, to rebuild the system as opposed to patch it, which is a considerably different exercise, right? And will help you get some idea to know maybe what risk by way of exposure you've already endured to help you understand how to change that posture. So that was the first and one of the more obvious applications of applying intelligence to that.
Now, we also take and apply intelligence and change the ASM 1.0 model, also an asset and device discovery. So what we did is we sat down with our analysts who have observed miscreant operations for decades, and we figured out how do the bad guys figure out where everybody's things are? So if IT managers have a hard time identifying their own assets, how is it that bad guys always seem to find the unpatched or the unlocked down device? How is it that they're so good at that, once they determined that they want to get access to a target? How are they so darn good at doing it?
So we sat down to try to solve that, and we're pretty good at it. We’re pretty good at understanding how this stuff works. Well, we realized, well, this should be how the discovery component, this discovery stage, the asset discovery capability of an ASM product should behave. This is where we started to kind of diverge from let's try to add our stuff to somebody else's product, or let's make a product of our own.
When we got to this point, we realized we're going to need to make a product of our own. So that's when we launched our Pure Signal Orbit product. So that's one of the other big capabilities is our tool will find more stuff than other folks because it's using the same type of methodologies to look and find stuff. To give you an idea, I know this is – I'm like king of long story analogies, by the way. So I apologize in advance.
[00:25:08] CS: This is the central thesis here. So we can definitely spend all the time we want here to sort of set the table. We have a very elaborately set table, so please.
[00:25:16] DM: Okay. Perfect, perfect. It goes with me not being an academic, right? So everything's in layman's terms. Right now – But it goes back to – So you have assets, right? Typically, how a tool works is you – It works this way often time because of licensing because it's tricky to decide how to price your product and then how to enforce the licenses.
In the case of ASM, and this isn't just the case for ASM, by the way, any vulnerability management tool tends to or any asset discovery tool tends to go by how many assets you have, like what do I know of? Oftentimes, that's determined by IP addresses. So if you've been given an IP range from your ISP, and you go out and license that when you go to buy your license, it says, “Well, we're going to scan your products. How many IPs do you have?”
Well, if you know already that you have, let's say, 256 IP addresses, let's say you have a /24, and you know that to be the case, well, what's this tool really telling you? I mean, nothing new that – I mean, you had to tell the tool. It’s not going to find things like AWS instances that you didn't know of that are outside of your tool. Like maybe you have developers that spun up some temporary equipment. A lot of people call this the shadow IT problem.
Shadow IT is a piece of many, many breaches out there, and what shadow IT means is infrastructure and services running on equipment that you just didn't know about. It happens all the time. In particular, with the dawn of cloud computing, it has massively escalated how often shadow IT pops up. It’s still a huge piece of many, many breaches that are out there.
But what we do is, like I said, we take the approach of, well, just how do bad guys find it? Well, they pull and look at data, and they go to services online. There's a lot of open source services out there, Shodan, for example. We could go in and – Or VirusTotal or –I mean, there's lots of them out there. But you can go out and put in seeds and see, hey, where does this domain show up at?
Now, where can I find instances or mentions of this domain that are outside of this address space I know they have? Now, like to – Folks who are listening out there, you may be thinking, ‘Well, so what if someone has your domain there?” Well, if you have a certificate, for example, that should be on your enterprise but has shown up in Amazon space, that suggests this asset out there, if it has your real certificates on it, this is probably part of your infrastructure that you didn't know about, that's off your network.
So this kind of evolution is what we have been just expanding on. As we proceed down this path of, like I said, originally, we were saying what is ASM missing, now we're saying, what more can we put in here, now that we have built our own platform?
[00:28:24] CS: Yeah. Now, does that transition into – So I don't quite understand if this is something that happened externally in the industry, or whether this is something of your making. But we talked about the coming or the changeover from ASM 1.0 to ASM 2.0. How does that tie in to – Because it sounds like with your product, you've made your own jump? But how does that tie in with the idea, like the sort of like mass adoption of ASM 2.0?
[00:28:55] DM: So ASM 1.0 is just a generic term, right? So ASM is a generic term. So it's not an actual protocol, right? But we're taking this kind of protocol version to it, this like version one, version two. But we feel that the contributions that we're making towards the technology as a whole are significantly empowering, what would you think of as the traditional stuff, which is typically static. You provide the domain name. You provide the IP address.
Then all it's really doing is the scanning for you and things like that. But it's not showing you anything you don't know. Like it shows – Even if you had a vulnerability on a service that you knew you're running, well, all services eventually have vulnerabilities. Again, it's not really showing you something you didn't know. Now, the thing where it goes out and shows you 300% increase in the number of assets that you thought you had, now that's something new, and that's really helping you to curve your risk modeling and better understand what the real threats that you're facing look like.
To us, our approach is such a – I hate to call it an upgrade because, to be honest, our approach fundamentally is even different. So it's not just an upgrade. We take it at a different angle all together. A lot of that – We don't waste – As a company, we are very frugal in an economic sense. But we're even more frugal in a time sense. We don't believe in wasting time. The only thing that we believe you can never get back is time. So we don't want to waste anybody's time, our own or anybody else's.
Before we went down this venture, we actually set out to better understand the ASM industry. The study that you've mentioned, it was a set of questions that we sent out to verified ASM owners. So these are people out in the world who had already decided to take on ASM as the way that they were going to manage their infrastructure and the way that they were going to help understand their assets.
A massive percentage of them said they were not going to be renewing those tools because they simply fell short of showing them anything that they didn't know. So that's been our big driver. The very first people that we showed orbit, once we created our tool to were people who had existing ASM solutions, and the capabilities that we've added on to it were significantly different than what the folks had.
In some cases, they have immediately said, “Okay, we're dumping this other thing that we have, and we're moving to your product,” which we had to explain to people it was a brand new product at the time. So let us get it done first kind of thing. But, no, that's where we are now. So ASM 2.0, arguably, is just us presently. I expect, though, the industry to pivot pretty quick and look to get their products doing what I like to refer to as a more dynamic approach to ASM.
[00:32:14] CS: So this – Thank you for that. That elucidated very nicely for me. So, as you said, you sent out the survey. You created a state of the attack surfaces report. Were there any particularly surprising findings to you, anything that really like changed your opinion of how people were using this equipment or like big holes or blind spots?
[00:32:42] DM: I think the most interesting piece to it to me was just the massive percentage of people who said they were unhappy with it. I mean, I can only think of another, only a single other product in kind of like the history of computing, where this has also been true, and it's an anti-virus software, where everybody was like, “I hate this one the least, so that's what I use.” Yeah.
Until Microsoft kind of tackled the problem by rolling Defender into the platform to where now you didn't have to run this additional piece of software, until they kind of hid that experience, that used to be the number one thing that people complained about. So this – I was very surprised to see that ASM as it – Because it's a still a very new technological concept, I was surprised to see it had so many enemies out of the gate. Because it was new to us, because really we were looking at other avenues of applying intelligence to problems that humanity faces, and that's kind of how we ended up in the risk space.
But, again, we also perceive risk is the number one driver and not security. We think that security is a step towards it. So that might be why it's different for us. But I was very surprised that how many of them out there said, “We have this.” Greater than 50% of them said, “We're not keeping it because it's not useful to us, because it's not teaching us things we don't know.”
[00:34:14] CS: Or they're not seeing the value or they're not using it in a way that it can be useful to them or something.
[00:34:19] DM: Right, exactly. Yeah. To some degree, I think a lot of people got hung up on the power of ASM was some kind of single pane of glass thing. No offense, but if that's the only capability you have to hang your hat on, you're betting that LCD monitors stay as expensive as they are the day you launch your product. Because if they eventually get cheaper, the pane of glass can get bigger and more than – There's more than one way to put more things on a pane of glass. Do you know what I’m saying?
[00:34:48] CS: Right. Yup, for sure.
[00:34:49] DM: Yeah. That’s quite the gamble. So we're trying not to be that.
[00:34:54] CS: Yeah, absolutely. I read through some of the report, and one of the things that was most interesting to me of the key findings was the disconnect between having a CIO or CTO at the top of the masthead but noting that most technical work was done on the department level. It suggested kind of a wide gulf between people doing the work and the people doing the risk planning.
Or if I can pull out the report, more than in the past, organizational leaders treat risk holistically, including security risks, security mitigation, and remediation strategies must be risk-based to make a meaningful contribution to the organization's risk profile calculus. So do you have any recommendations for ways to sort of that tie this better than it's being done right now, tie them together?
[00:35:39] DM: Yes. What that's on about, by the way, is not every asset you have in your infrastructure is created equal because it's just true. Your primary Active Directory servers, probably the key, it has all your authentication components to it, right? So that's probably 10 times as more. It's probably 10 times as valuable as your website.
When you ask people what's the most important thing, they might say, “Oh, well. Our website because that has our brand. And if somebody came and defaced that, boy, we'd sure be in trouble.” But in actuality, the bigger risk to your business is, well, if somebody comes in and can pretend to be your CFO and take all the money out of the bank. Then you're out of business altogether, and it doesn't matter what people think of your website.
That’s true for everything. So like if your tool doesn't allow you to make those definitions to apply that kind of, let's call it, operational business intelligence, if your tool doesn't allow you to inform it of some of those things, you're probably going about it in the old way. So those are like – My advice to folks like looking for that is make sure your tool is going to teach you something. Make sure that you can scope what it's telling you.
So like if you have two – I hate to always pick on Active Directory. But if you have a local instance of an Active Directory server and one Dev instance that doesn't have any accounts on it, just because to your system scanner they look the same, but you know one of them is an active AD and the other is like a development instance of an AD, you know that, so you should handle that accordingly.
But if you can't tell your tool to do that, and it's alerting you about problems on a system that's not actually important to you, that suggests you have an older tool. Sorry, I may have wandered some from the question.
[00:37:53] CS: That's okay. No, no. Yeah. I mean, that totally works. I just wanted to sort of get a sense, and it folds into the next question because, again, I was sort of struck by anytime that there's kind of gaps between the people that are doing the planning and people that are doing the implementing and the people that are the intermediaries and so forth.
[00:38:12] DM: Sorry, that was the part that I had left out. So on that question, the other thing to keep in mind is a lot of the world out there, there isn't a delta between the decision maker and the person who's doing the execution. We have a lot of what I would call active management or technical leadership, still boots on the ground. It's not until you get into the really big companies where you start to see that kind of separation.
But one of the things that I can tell you is that a lot of the practitioners are hung up on this notion of security as opposed to risk. It’s better we turn this thing off because it's insecure than endure the risk of something bad happening to it while we stay in business. Too many technological-only people will pick that first one. They'll say, “Let's shut this off and be out of business.”
I think a lot more people need to realize, in particular, where they are, these smaller teams, is that your board or the people on the business side need you to be making decisions for the sake of the business, not for the sake of the systems. So you have to see things as a risk, as opposed to some binary state of secure or not secure, if that makes sense.
[00:39:34] CS: That does make sense. Yeah.
[00:39:36] DM: Yeah. I think that you'd find, though, that, though, the report does suggest there is a big gap there, that a lot of that had to do with because, in some cases, they were one in the same. Well, in most of the cases, actually. I think about half, they were like one in the same, and it wasn't till you get over a certain line until they actually start to become different teams.
[00:39:57] CS: Okay. So moving into sort of a career-related question around that, obviously, OPSEC and related fields are going to be a growing field of employment. So for our listeners, can you talk about some key skills, experiences, talents, and areas of learning that you would like to see from security novices or aspirants, people looking to make big career changes into this field? By how some of these skills and requirements change as you move also from the nuts and bolts tech level we were saying to the holistically planning C-suite and executive level.
[00:40:30] DM: Yeah. The biggest thing that I can tell people will be useful to them is a broad base of experience or of knowledge. What I mean by that is you have to be able to know how things work generally in order to, A, build upon that and understand them in greater detail.
But when it comes to InfoSec, it's even more important because you need to know when something isn't quite right, and the only way you'd know that is to know, well, what right might look like. So what has helped me the most is, and I know this is kind of contrary to many people's typical approach to things is, but I have benefited the most from not becoming an expert in anything in particular, until I got way down my career path.
So I spent like 15 years, which, by the way, our CV at the beginning, I think it says more than 20 years. I'm coming up on like 28 or something. I guess I should update that to [inaudible 00:41:40] my CV. But I spent probably the first like 15 years being a generalist, not in pursuit of a specific thing. Though I was personally interested in kernel hardening, I didn't pursue some whole life. I'm very, very interested in Linux system kernel hardening. So I follow like – Shout out to grsecurity folks, Brad and PaX Team. A big thumbs up for both of those teams, projects from me, longtime fan.
But I could have like stayed with that, and I don't know what my – I won't tell you that my feature would have been bad or something like that. But I know how good my feature has been because I didn't do that at the same time. I know that kind of diversity of understanding is critical, in particular when it comes to InfoSec.
So don't spend all your time just being a programmer. Learn how the systems work that you're on. Learn why they work that way, in a lot of cases. Like I mean and I'm talking nuanced stuff. Like go back and learn why is there a difference between System Five and BSD Unix. Why is that? What were those things? Know why it is that browsers all claimed to be Mozilla. If you look at the user agent, why that is. Little nuanced stuff, but it'll help you better understand kind of the world that you live in and electronically speaking, at least.
[00:43:07] CS: Yeah. Now, in terms of the sort of wide-ranging learning, it sounds like it was – You were learning these things partly because you enjoyed them. But mostly, it was whatever the next sort of challenge was. So you were kind of learning according to where you wanted to sort of extend yourself and, well, I need to know this to do this, rather than –
I think everyone's already sort of spoken out against the idea of like alphabet collectors who want to get every cert and stuff, but don't have any application for it. But, yeah, again, I think it's important to reiterate that learning comes from solving the next problem in front of you, rather than building a big toolkit that, yeah, you know.
[00:43:49] DM: Even before that, the first problem that everybody faces, when you wake up every morning, a bunch of this happens subconsciously, but you start with what am I and then where am I. Then eventually, you get to what do I want to do today. Now, most of this process is invisible to us, but it happens to us every day. Because when we return from our sleep state, our brain has to reorient itself.
The reason why it happens silently to you is because we've had the opportunity to kind of assess how things work here. Like you know about gravity. You know about light. You know that you're going to put your feet down and stand up. You know all of these things that we kind of take for granted. That's the type of stuff that I'm talking about. Not just like how do I get someplace but like what am I, where am I. Then kind of build out from there.
But the more kind of demystifying exercise that you can apply to InfoSec, the better you'll be at the job because everybody is going to be outsmarted by somebody at some point in the InfoSec game. I don't care who you are or what you're doing.
[00:45:01] CS: Yeah. Don’t be afraid to step in it.
[00:45:04] DM: That's right. Yeah. Someone's going to come at some point and outdo you. So what your job really is isn't to be the best at anything. It's to be the most versatile at everything because at some point, somebody's going to make a pivot or a move. If you're wed to possibilities to where you've excluded outcomes, just because you think you know better.
[00:45:26] CS: Or you’re digging your heels because you are the specialist, and there's that sunk cost fallacy of like, “Well, I already learned all this stuff, so I'm just going to keep doing it.”
[00:45:34] DM: Yeah. It’s in – What is it? When you're a hammer, everything's a nail, whatever that saying goes. I mean, all of those things are true. All of those things are true.
[00:45:42] CS: Yeah. Well, I think it's a great place to wind up because I always like to sort of end with actionable career advice like that. So as we wrap up today, you've talked a bit about Team Cymru. But what are some of the sorts of projects you're working on now that you're excited to sort of premiere or unveil in the months to come here?
[00:46:02] DM: So our Orbit Platform, again, it's a business risk platform in the ASM 2.0 space. I encourage people take a look at that. Our attribution platform called Recon, it’s – Again, our belief is an evolutionary step going from threat hunting and taking it to the next step and allowing you to do full reconnaissance, adversarial reconnaissance. If you're a hunt team out there, I would encourage you to drop us a line and take a look. But the rest of the stuff that we're working on that I'm very excited about, we haven't even begun them.
Like I said, our biggest objective is to get access to more problems, and I'm hopeful that someone out there, and maybe they're listening right now to your show, is going to come to us with the most exciting thing we've ever worked on. That's really what I'm most excited for is for tomorrow's problems. I'm not trying to say we solved yesterday's, but I much prefer fighting dragons when they're still a scary story because it seems like whenever you find them, they're always just a mad iguana, as opposed to actually a scary dragon. So I like it better when they're still mystery.
[00:47:18] CS: Fabulous. Well, perfect transition to my final question here. If our guests want to learn more about Team Cymru or Dave Monnier or want to write you and tell you that they have the solution that you're looking for, where should they go online?
[00:47:33] DM: That’s cymru.com, and it’ll redirect you to the longer version of our domain, which is team-cymru.com, but just cymru.com. If anybody wants to find me, I'm on LinkedIn. I have a Twitter account as well, though, I don't use it very often. I have to admit. But you can find me on LinkedIn, and that's D-A-V-I-D and last name, M-O-N-N-I-E-R.
[00:47:57] CS: All right. Well, Dave, thank you very much for your time today. This really helped clear up some difficult concepts for me and, hopefully, for our listeners as well. I really appreciate that.
[00:48:05] DM: Thanks for having us, Chris.
[00:48:07] CS: And as always, thank you all for listening to and watching the Cyber Work podcast. On an unprecedented scale in the past three months, all of you have helped more than double Cyber Work’s viewership on YouTube, and I couldn't be more thankful and humbled. So if you're subscribing to the podcast, thank you. If you're watching it when it goes live on Mondays at 1:00 PM, Central, thank you again. And if you're telling friends and colleagues, thank you, thank you, thank you. We're delighted to have you along for the ride.
Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? So try this. Go to infosecinstitute.com/free and get your cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. That’s infosecinstitute.com/free, or click the link in the description below, and get your free training plans. Thank you very once again to Dave Monnier and Team Cymru. And thank you all for watching and listening, and we will see you next week.
Subscribe to podcast
Free cybersecurity training resources!
Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.
Q&As with industry pros
Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.
Level up your skills
Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.