Career advice from McAfee's lead scientist

Chris Sienko: Hello and welcome to another episode of CyberSpeak with Infosec Institute. Today's guest is Christiaan Beek, the Lead Scientist and Senior Principal Engineer with McAfee. Christiaan has had a diverse career encompassing many aspects of the cybersecurity field. And today he's going to talk to us about his career path as well as the future of cybersecurity and the No More Ransom Project.

Christiaan Beek, Lead Scientist and Senior Principal Engineer is part of McAfee's office of the CTO leading strategic threat intelligence research within McAfee. He coordinates and leads the research in advanced attacks, plays a key role in cyber tech take down operations and participates in the No More Ransom Project. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs, and Director of Incident Response and Forensics at Foundstone, McAfee's forensic service arm. At Foundstone he led a team of forensic specialists in Europe, the Middle East and Africa during major breaches.

Beek develops threat intelligence strategy, designs threat intelligence systems, performs malware and forensics analysis and testing and coaches security teams around the globe. He is a passionate cyber crime specialist who has developed training courses, workshops and presentations. He speaks regularly at conferences including Black Hat, RSA and Blue Hat. He is also teaching at universities, police academies and public schools to recruit, mentor and train the next generation of cybersecurity specialists. Beek contributed to the bestselling book Hacking Exposed, and has two patents pending. Christiaan, thank you for being here today.

Christiaan Beek: Well thank you very much as well.

Chris: So let's start out with your security journey. How did you get involved in security? And I saw a video of you on the Forbes website. What was it about hacking specifically?

Christiaan: I think it was about the age of 12 I was involved in getting a Commodore 64 computer, one of those old farts I would say. And my next step was really of course the Commodore Amiga. I loved that machine, the graphics, the sounds, all that stuff. And of course, I wanted to do some expansion, some extra hard drive and stuff like that. So I went to one of those small congresses here in Holland. And there was a group of people and they had those like a big sign called Hack-Tic. And I was like, "What is these guys doing?" Because the title sounds amazing. And then they were playing with some phones and some computers. And just started to talk with them.

And actually there were a group of hackers here in Holland that actually was doing phone hacking, phone freaking. And actually they sold me their complete year's subscription of the magazine. And honestly, I have started to read those from back and forth and back and forth. And that's actually where I decided like, "Hey man this is so cool. I want to do that stuff too." And that's actually where the spark started for being curious and actually getting access to systems where you're normally not supposed to have access to.

Chris: Now that's interesting because I guess my question from there is what motivated you to join the good guys regarding hacking? Because it could've been very easily for you to say, the phone freaking and so forth like, "I just want to be a hacker." And go out into the wilds and do damage. What was it that convinced you that you wanted to both be a hacker, but also be a hacker for "the good guys"?

Christiaan: I think the scene in those days here in Holland was definitely not about like going to the dark side. It was really about the curiosity, the technology, the challenge, right? Challenging to get into systems that were not designed to be accessible over the internet. I think it was more the challenge there and the mental challenges we were having, and the fun we had to break into those systems or test them. And nobody actually realized or actually had a bad choice or actually they wanted to do some bad stuff. It was really about the curiosity. And for myself, I never thought about joining the dark side. So of course, like you said, it's easy, right? And especially nowadays it's very profitable, but in those days, nobody thought about that.

Chris: You just were in it for to see how the thing worked and how the sausage gets made so to speak, or how the process works.

Christiaan: Yeah.

Chris: So tell me about your job as lead scientist for McAfee. What does McAfee's threat intelligence division specifically research? What does your day-to-day job look like?

Christiaan: Well thank God it's every day different, right? So there's never a dull day, especially in the threat defense game nowadays. If you look average, like to set the team, the picture there is that our threat response research team, we have kind of two departments within the team. So one is we're looking into vulnerabilities from cars, from airplanes, IoT devices, kind of the zero days in those spaces. And really to start the dialogue with the industry, not to shame vendors or really create a kind of fear picture like, "Hey, we need to be scared and afraid." It's more like, we really want to start the dialogue with those people. It's great that we have smart cars coming out, but why don't we already start thinking about security because they are in many ways connected to whatever, the internet.

So that's one part of the division of the other part of the team is where I'm leading the team as well is around really nation state attacks and phones technologies. What are they using? What can we learn from that? How can we innovate on those kind of things? But also, we all see, and that's probably a maybe related discussion that talks about the attribution challenge, like, "Oh who's behind it?"

And I really try to teach my team like, okay that might be something interesting for some customers or some people in the world. But for us it's more important like how they do it? And how can we actually develop new research techniques to actually be better at finding those guys? Or at some point even find better ways to attribute, to go back in time and where we can stop it.

So one of the things I'm working on currently is a lot about what I call digital code DNA, where I really tried to see like, okay, you have one piece of ransomware for example, in different family versions, but they all have some same building blocks. And if I find those building blocks, how can I actually identify those and stop them? So at the end it doesn't matter which next version they create, we already stop it. So kind of a nutshell what we're doing here and that's really it in a nutshell.

Chris: Okay, so you're going beyond finding solutions to the actual problem and finding the sort of patterns that sort of run through all of these.

Christiaan: Yeah, yeah.

Chris: So obviously you didn't just sort of walk into McAfee one day and say, "I want this career. I want this life." So you know, a lot of our viewers are people who are maybe a few steps down the career ladder who are interested in moving up and changing direction, getting involved in security or just different aspects of security. So if someone wanted to get started in a career in say, threat intelligence strategy or research, where would they start? What combination of experience, certifications, learning activities would you want them to engage in to move into this career path?

Christiaan: I think honestly when we recruit people, I mostly look at, okay, what did they contribute to the community already? Where's that passion at? So if somebody wrote already tools or stuff, like doing stuff like that, that's interesting to me. It tells me something about the person. But also analytical skills, I would say, to be able to take one step back and think about the context. Because what we see nowadays a lot to be honest, I see like, okay, somebody who's an analyst or somebody who's a malware reverser, somebody who's like a pen tester, but being able to take that one step back and to say like, "Okay, I understand the role from like, hey, if somebody tries to break into a system, how would he do that?" That will help you as a defender, as an analyst as well if you look at the data.

And on top of that, the context. What is the geopolitical context, for example, when we look at a campaign? That's really why we try to challenge my team. It's like, "Look, we have the different roles in our teams and we actually, we hook them up with each other." So we have an analyst hooked up with a malware reverser.

But then on top of that it's me and some other colleagues that are reading the final checks. It's like, okay, but what about the context? If you find something like really to encourage the people to look beyond that.

So if somebody wants to start in this job, I would say like, "You need to be multifunctional, or at least learn some pen testing skills so you understand how to break into system, because that will help you as a defender as well where to look." And if you understand that, where to look, it's those combinations. That would be great. And honestly with the internet nowadays and all the tools and the courses available, or you can read so much. There's some really good books out there where you can start or tutorials, videos. So there's plenty where people can really start.

Chris: Well that leads into my next question perfectly. So what do you think the role of education in certification is in this path? Do you think that researchers who put in the time to learn the topics in an educational setting get the certs and so forth, have a better handle on things than those who are learning by trial and error?

Christiaan: I think obviously it's individual based. Like some of the people really benefit from doing a certification education track. They flourish from that part. Where if you look at myself, for example, I never had the education. It wasn't available at the time.

Chris: Yeah.

Christiaan: But still, being self taught and have that discipline to actually every time try to encourage yourself to be better and get better and improve your quality, that'll definitely help you. But I think thank God nowadays there are some really good educational tracks available. And what we mostly look at, if it's a lot of practical knowledge they have. If the education is not only like just study a book and how a tool works, but also like, "Hey, if I would actually deliver you the tool, would be able to come online and do the same thing?" Or, "Do you have practical experience with it?" So I think that that's really important for us.

Chris: So yeah, in addition to the education, you also want there to be sort of an element of play. Obviously they should on their own time have been, you know, trying out these combinations or building tools or finding ways to automate things and so forth. And that's going to go a long way as well.

Christiaan: Well, absolutely. I mean if you look, for example, if you have to testify in court, for example, if the judge asks you for like, "Okay, how does this work?" And you can say like, "Oh, I only clicked on the tool, a left mouse click this menu." Right?

Chris: Right.

Christiaan: But you need to be able to explain in layman's terms like, "Hey, what is really happening? And how did you do your research?" So it's not about just using the tools.

Chris: I think that's something that's come up in just about all of our career track things is in addition to knowing the skills you need to have the ability to convey what you did well. You need to have a good communication skill background, not just in terms of with your team and your individuals. But also, telling other people what you've done and how it was done. So if one of our listeners wants to get into threat intelligence research and strategy as a profession, but they might feel like they're kind of out of the range of you know, appropriate activities, what is one task they could take on today in their own job or life that would put them a step closer to their goal?

Christiaan: I think there's some really good material out there from conferences. Like for example, there's forensics conferences or summits and threat intel summits. Read those presentations. There's a lot of tips. There's a lot of advice in them. And it will really help you direct in what people are doing, what the trend is. I think that that's a big quick one you can do that. That's something really easy to do and gives you a lot of insights in what it is and what you can do.

Chris: Do you think that there's things you can do kind of in your day-to-day life? You could you volunteer with a local organization or you know, take on their sort of security issues and so forth like that. I assume that sort of like you say, building up a storehouse of hands-on experience that you can show to a potential employer is important as well.

Christiaan: Yeah, absolutely. For example, if you look at a great initiative, it's called MISP, it's a malware information sharing platform. You can actually download a virtual machine version of it. Just start to play with it. Understand where people are submitting threat intelligence. What are they submitting? Why are they submitting it? How's the structure? Why would it be useful for a company to really understand the whole, I would say chain of events? Like, okay, why would somebody in a company collect this information? Why would it be useful, right? What are the answers you're trying to answer here? Really try to understand those kinds of steps and why it would be important. That really would help you.

Chris: Now moving on to some of your other activities outside of McAfee, what is the No More Ransom Project? Is that an attempt to eliminate ransomware as a viable attack factor?

Christiaan: Absolutely. So a few years ago, McAfee was one of the co-founders of this initiative actually is that ransomware was booming. It was going like crazy. And it was really hard to get hold of it. Or people didn't go to the police and the file their cases.

So at some point one server with keys was actually hold by the police. And they came actually to us vendors like, "Hey guys, we have the servers. We have the keys, but we don't have the expertise to write a decrypter." So that's actually where it started. Very small. But then with the support of the European police and some other support organizations, we slowly built it out to a big initiative where we now currently have like out of my head, 86 decryption tools for ransomware families.

But also in every European language and also languages around the world, people can actually read the websites. They can file their case to the local police. But also there's an answer, right? Because either your files are gone or you have to pay. We give the answer, "Do not pay." And we have this decryption opportunity as well. Not always. Not always there, but there are so many partners now involved from peers in our industry, but also a huge amount of law enforcement agencies that support the initiative.

And the great thing is as well is that if we find something like we have a clue of where a command to control server is, we go through our partners here with law enforcement and within a day they seize the server, or they put a tap on it so they can try to get an arrest on the actors. And to be honest, I'm very proud because last year, thanks to cooperation with the Dutch and the crime unit and our team, we were able to arrest a ransomware gang in Romania. So that was a big success.

Chris: And do you believe that there's a flowchart that everyone who is hit with ransomware should follow? Like say you get hit with ransomware, whether person or company. What is the first step in No More Ransom's mind? Where do you start? Do you call the authorities? Do you contact you guys? What do you do?

Christiaan: On No More Ransomware's websites, there is like a kind of page where you can actually upload the note, the ransom note, and it can help. Or upload a few files and it'll identify with which ransom you are being hit. And it also gives you the opportunity to say like, "Hey, we have a decrypter." Yes or no. And also the opportunity, do you want to file a case? So that's actually the flow in the No More Ransomware initiative.

Chris: Okay. And this is something you can do in the span of the ransom. I mean because a lot of those ransoms are only a couple of days. So you-

Christiaan: This is like in less than half an hour, you're going through the flow.

Chris: It's a fairly automated process.

Christiaan: Yeah.

Chris: And is this free to the person who's been hit? Or is there a-

Christiaan: It's a totally free service.

Chris: Wow. Okay. Is available to people all over the world? Or just-

Christiaan: All over the world in all kind of languages. I think you can't imagine. The amazing thing is … I'm so happy that you actually mentioned this in your show, because many times when we are on stage and we asked people if you heard about No More Ransomware, you see only a couple of hands and were just like, "Yeah." Yeah, we were surprised by it. It's like-

Chris: We talked to someone about ransomware and yeah, this is the first I'm hearing about it. So I'm very excited about this.

Christiaan: Yeah.

Chris: So do you feel that ransomware is an issue that could be cured in the way that you know, a disease like measles or whatever has been? Is there a sort of an inoculation possible? Or is this something that's there's just going to be an escalation of better hacks, better, you know?

Christiaan: Well, to be honest, I already see the decline in ransomware. It's more like your amount of families that's already going lower and lower instance, I would say a few months. It's the decline of families. Of course volume-wise, it could be having ups and downs. But what we've seen of course that a lot of the ransomware actors have moved away and go to cryptojacking. Because if you can actually... Because let's be honest. They go for the quick way of getting money.

Chris: Yeah.

Christiaan: Yeah. For a ransomware campaign, you have to fire maybe 10,000 emails and pray they pay as we say. Where cryptojacking, you could be very successful in stealing someone's wallet. And only three Bitcoins is $12,000 at the moment or a bit more. But that's far more lucrative, and that's what they're looking after.

And on the other side, yeah there are still some gangs out there that really do some targeted ransomware campaigns where they really go after big fish and really try to infiltrate a hospital or something like that, where they try to ask a lot of money. So yeah.

Chris: Right. And you know the person that... Our previous guest was talking about ransomware and he was saying that it's actually, you're almost better off with a better organized group, especially if you get to the negotiation phase because you're dealing with an organization that has people you can communicate with and so forth. But some of the worst ones are these ransoms where it's some weirdo out there who bought ransomware in a box and doesn't really know how to work it and doesn't really want to get in touch and whatever. And you know, it was sort of, you know, it was a contradiction that the worse they are at it, the worse it actually is for the person being hit.

Christiaan: Yeah. We did live a little project last year where we actually infiltrated in this world of ransomware actors. And we actually said like, "Okay, hey we're students and we're doing our master's thesis on ransomware and we want to learn a bit more about motivation. Are you willing to answer a few questions?"

And what we found out as well, we took a quarter of ransomware families and samples, and all the ransomware notes. There were email addresses in there and we started to write to those email addresses. And 35% of those email addresses were already fake. So even if people had paid and actually sent money, it was gone.

Chris: It just went away somewhere.

Christiaan: Yeah.

Chris: Wow. Moving on. In your bio it says that you frequently teach at universities, police academies and public schools to recruit and mentor and train the next generation of cybersecurity specialists. And we talked earlier that you started obviously in the golden age of Commodore 64. In your teachings and travels, what have you seen about the future of cybersecurity specialists? Do you think that the next generation are more or less or differently prepared to face the cybersecurity challenges of the future?

Christiaan: I think there's plenty of tools or software or education available for them. I think the challenge for them is like what is the right things I have to pick? Because now there's now such a overload on information or things available, that it also makes it sometimes difficult for them. Like, okay, what do I need to choose? What is important for my job to learn about?

And also, if you look at the cyberspace, the knowledge you have to have, and I'm lucky because I have my penetration hacking background. Then I moved forward with forensics and then I did instant response and a malware reversing. So that whole skillset with like analytical political background helped me a lot to do my job nowadays. But not everybody has that skillset or does not know right how to pick that.

So that's why I really try to teach when I, or inspire them is like, "Look, this is important and this is what you need to focus on." And so changing from sort of sharing from my experiences in the field what we learned sometimes the hard way, and try to prevent that for them to make their lives a bit easier.

Chris: Are there a proportionate number of people who are interested in getting into cybersecurity? Because you hear stories all the time that there's a gap between how many people are needed and how many are out there. Do you feel like that there's a large number of people who are finally interested in wanting to get involved in studying and learning about cybersecurity?

Christiaan: I think we should be honest here. It's that as an industry we should be more in front of the classes. Like go to the schools and actually tell about how cool a job we have. Because honestly, if kids don't know how cool the job is, or we demonstrate what we are doing, how would they actually ever want to choose for this job?

So that's one of the things I'm doing here for example in Holland is I'm going to some of the universities or some of those schools, and just tell them about my job. Or I would do like a master class and actually we simulate a campaign and let them analyze side-by-side on some of the evidence to solve the puzzle. And then you see the twinkle in their eyes like, "Wow, this is very cool." And it's like, "Well this is my day-to-day job and honestly if you want to do this, we need a lot of you guys." So joining forces.

Chris: Do you think that there's any sort of industry-wide campaign that should be taking place to get younger people more interested in this? What would be the angle other than this is really cool.

Christiaan: There's several initiatives where, what we're doing, and I know from some other competitors that they do the same. For us we do for example, something that UK in Bletchley Park, the famous location where Mr. Alan Turing decrypted the Enigma code. So we do an initiative over there. So we bring school classes of kids over there. We give them a tour and then we talk about our jobs. And so those are kind of initiatives. And there's a few initiatives we're going to launch this year out of McAfee as well, so stay tuned for that.

Chris: Well, Christiaan, thank you for joining us today. This has been very, very educational.

Christiaan: Oh, thank you very much.

Chris: Thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to YouTube and type in InfoSec Institute to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. And if you'd like to qualify for a free pair of headphones with a class signup, podcast listeners can go to infosecinstitute.com/podcast to learn more. Finally, if you'd like to try our free security IQ package, which includes phishing simulators you can use to fake phish and then educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/securityiq.

Thanks once again to Christiaan Beek, and thank you all for watching and listening. We'll speak to you next week.