How to become a cyber threat researcher

On today’s podcast, John Bambenek of Netenrich and Bambenek Consulting talks about threat research, intelligence analytics, why the same security problems are so evergreen and the importance of pitching in a little extra bit of your time and talents to make the world a bit better than you found it.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Intro
  • 2:45 – Getting into cybersecurity
  • 9:40 – Threat researcher versus security researcher and threat analyst
  • 12:05 – How to get into a research or analyst role
  • 16:32 – Unusual types of malware
  • 19:03 – An ideal work day
  • 23:06 – Current main threat actors
  • 28:50 – What cybersecurity isn’t addressing
  • 31:38 – Where can I volunteer?
  • 36:02 – Skills needed for threat researchers
  • 40:53 – Adjacent careers to threat research
  • 45:11 – Threat research in five years
  • 48:55 – Bambenek Consulting
  • 49:35 – Learn more about Bambenek
  • 50:26 – Outro

  • Transcript
    • [00:00:01] Chris Sienko: InfoSec skills is releasing a new free challenge every month with three hands-on labs to put your cyber skills to the test. It’s November. With the colder weather and shorter days coming, we’re burrowing deep into insecure networks to practice with the tools and techniques used by expert penetration testers worldwide.

      Challenge one, you’ll get authentic hands-on experience using a variety of vulnerability scanning tools. The same type of tools that pen testers use to expedite processes, so they can focus on target specific tasks. Challenge two, you’ll leverage a client-side code injection attack to take over a victim’s browser. For your top-level challenge, you’ll enter our purple team cyber range to exploit local files and perform remote code execution.

      Complete all three challenges, download your certificate of completion, upload it in LinkedIn and tag InfoSec for your chance to win a $100 Amazon gift card, an InfoSec hoodie and a one-year subscription to InfoSec skills, so you can keep on learning. Just go to infosecinstitute.com/challenge and kickstart your cybersecurity skills today.

      [00:01:07] CS: Today on Cyber Work, I have a great talk with John Bambenek of Netenrich and Bambenek Consulting about threat research, intelligence analytics, why the same security problems are so evergreen and the importance of pitching in just a little bit extra of your time and talents to make the world a bit better than you found it. Great talk today. That’s coming up today on Cyber Work.

      [00:01:34] CS: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for those breaking in, or moving up the ladder in the cybersecurity industry.

      As an experienced global cybersecurity expert and researcher, John Bambenek oversees threat intelligence, research and modeling at Netenrich. For more than 20 years, John has as advised Fortune 500 companies and government agencies on threat research, incident response, and SOC operations. He investigated major cyber threats and criminal organizations, while coordinating with US and foreign law enforcement entities.

      John is currently an Incident Handler at the SANS Internet Storm Center and president of Bambenek Consulting. He is an admired industry speaker, known for presenting at RSA, Blackhat, Defcon, Shmoocon and various other conferences. As we can see from John’s bio, John has spent his career steeped in all things threat intelligence, threat research, threat modeling, intelligence analytics, and more. We’re going to talk about some of the threats on the horizon, what’s keeping him awake these days and his recommendations to turn the tides. John, welcome to Cyber Work.

      [00:02:42] John Bambenek: Thanks for having me, and for that great introduction.

      [00:02:46] CS: Very glad to have you here. We always like to take the temperature of our guests by understanding a bit how they got interested. Where did you first get interested in computers, in tech, and specifically, in cybersecurity? Because I see, you were an undergraduate in astrophysics.

      [00:03:00] JB: That’s right.

      [00:03:01] CS: When did you make the jump over to computer science, cybersecurity?

      [00:03:05] JB: Well, that’s actually an interesting story. At six-years-old, my father got a computer, a TI-99.

      [00:03:15] CS: I know it.

      [00:03:16] JB: Basically, a keyboard, you plug into a TV. Didn’t have floppy disk. Had a cassette tape. I had to index everything by little tick marks on the cassette player. I would write just miscellaneous computer programs back in the day. They had little computer programming magazines, a magazine or whatever. It’s like, oh, make this game.

      [00:03:38] CS: Spend 15 hours writing code, so that you can make a little man walk across the screen and

      [00:03:42] JB: Exactly. Right.

      [00:03:44] CS: But fun. Yeah.

      [00:03:46] JB: Yeah. No, it was a great time. There are two things that got me into security. One is, probably a lot of people listening, right, do video games. The most annoying thing for me to do – I like RPGs, where there’s a plot, but the most annoying thing for me is just grinding to get whatever you need. I just like to skip again. Let’s move the plotline along. Go into a hex editor, or start flipping bits to add gold, or better swords, or whatever. Cheating in video games is my gateway drug to malware reverse engineering at pre high school. Learning, “Oh, there’s a difference between little endian and big endian and how things go and things rotate over.

      [00:04:29] CS: That was something that you learned instinctively? Were you just breaking it, putting back together? Or, were you looking into hacker magazines, or things like that?

      [00:04:39] JB: No. I mean, this is before then, right? I mean, it was, to say, date myself. You’re talking mid-80s at that point. I mean, they existed. I just didn’t know where to find them. I mean, later in high school I figured out BBs is and a little a little bit farther along. so genetically, I come from a family of lawyers and petty criminals find a loophole in anything, right? Just I mean, there’s just no hope. Thou shalt not commit murder, I can find seven loopholes off the top of my head. Right, right. I really have no hope. part of it is just second nature of just finding the path of least resistance, which probably made me a pain in the ass of a kid to raise. I have sympathy for my parents now that I have six of my own, which all have various iterations of my own personality challenges. I probably had that coming. and then Then another aspect that is I’m not entirely sure how I got into this, but it’s 1011 years old, was making extra money by by selling bootleg software. Oh, yeah. Okay. Yeah. behind the public library, whatever is hey, Corel WordPerfect. Yeah, right. Masking tape over the knotch. the floppy disk. Masking tape, right. There was there was a whole whole thing. Right. I was I was breaking copyright before before it was cool. It turns out cheating was back when it was really easy to you will, right, right. Yeah. Now with with online verification, right, this remote servers doing all the license verification, which actually is a very useful tool for law enforcement, because now I know, buying and selling. so all of that, coincidentally, and my parents probably thought I was on track to be a degenerate of some kind. it turned out to be a really lucrative career. I’m not being powered by technology, but I am enriched by it. Well, let’s, let’s talk about that moment. I mean, maybe there’s not much to it. did you have one of those moments, we’ve had numerous guests who have been walked off their high school campus college campus for, for hacking into a place that they should not have been, and had that moment where they said, Okay, this is not for me, or, or it was a matter of I hacked into it, because I wanted to see if I could hack into it. I wasn’t looking to be malicious. did you have? Did you have the petty criminal versus white hat discussion with yourself at some point? Or was it always Oh, I’m not going to do that. I’m more inclined to mischief right then than anything else. anything that I’ve ever done that could be mapped to criminality, right, was mischievous and oriented in orientation, right? I helped fix the computers at the high school, because at that point, the early 90s. Geek Squad wasn’t a thing. what may have engaged in some levels of mischief during class, as a Catholic high school that kicked me out, I had a conversation with a Dean, who had no idea what the hell I was doing. He just had stopped disrupting class. I was Okay, that’s fair. then eventually, I got bored with high school and just really wasn’t going but I was getting A’s and B’s and nobody could really say anything about it. I want to say twice in college, the university tried to call the FBI or they didn’t call the FBI me that I heard about later. the FBI didn’t want anything to do with it. Because there’s mischievious oriented right, I had a terminal open. I modified his dot logout script to log him back in something annoying enough to get your attention, but not annoying enough to really dig dive deep into it and just escalated to preserve observed proportions. then ran for student government on the platform to dissolve it, but email the entire campus, and they saw your your dossing our mail servers. Yeah, no. I got lucky, right, because I said that mid-90s. it’s it many names that people recognize and security. I’ve been on the business end of aggressive use of the Computer Fraud and Abuse Act. just, there’s no good reason why I got lucky as just the field office I was in in the US attorney. I don’t even know if the US attorney was ever question was just Yeah, this is just not something that’s interesting to me. Right. yeah, I didn’t get the Kevin Mitnick treatment to the Aaron Schwartz treatments. Yeah, yeah, they looked at they use their very important context clues to see that you were not to I’ve always err on the side of do no harm, right mischief and pranks is fair game. anytime I find vulnerabilities or old days, I report it to software vendors. I want nothing to do with that vulnerability exploit market because we see where it’s going with NSO and dark matter and others, right. It’s yeah, we could say hey, I’m uncompromising terrorists to say people, and then the next day those tools are used to vivisect, a journalist and an embassy. Mm hmm. Yeah, I’ve got problems come the end of my life. I don’t need that on my conscience. No.

      Absolutely perfect. Perfectly put. moving on to some of your different job roles. You’ve had a number of jobs with similar titles and presumably similar responsibilities. for our listeners, many of whom are attempting to find their career paths for the first time. Can you tell me about some of the distinctions between security researcher threat research searcher and threat analyst. I mean, largely depends on context of job, right? Okay. the first 10 years of my career security research was more of a hobby. It’s we’re vulnerabilities and how to make things more secure. Okay? Just at a higher-level general thing have say Oh, wasp, right is a good security research outfit of let’s figure out how to wait. Right? That’s not suck, because I have enough work to do without yet another SQL injection vulnerability. Yes. threat research is what are the criminals doing? Right, and how you can defend against that specifically versus say, hardening research hardening infrastructure, though they feed into each other a little bit. It’s some measure my time is trying to get people actually arrested and convicted. It’s very rare because of the International limitations of law enforcement. Mm hmm. sometimes sometimes there’s some success right there. No, only in threat threat analysis is a I’m doing it inside of a company what’s coming after me threat research. I evil vendor land, right is just what are bad guys doing generally? what can I do to either put stuff into my product to protect my customers or I tried to give give a fair bit outwards, also, because hey everybody’s, there’s lots of vendors out there, but at a certain point, we need to protect broader society, too. there’s lots of my personal data and threat research that, for instance, goes into quad nines to just provide free DNS filtering to anybody who points their DNS resolver at quad nines. Okay, could I monitor? I do monetize it, but I monetize it more sure. Yeah. until we provide security for the 95% of the world that isn’t protected by a sock. It’s all academic it’s in the enterprise environment, we see that in the work from home reality is, if I compromise somebody who’s a remote worker, I can pivot into the corporate infrastructure fairly easy. Hopefully, I’ll detect it then. you’ve already got a foothold. Yeah. Now, can you talk about how those job titles differ in their responsibilities? Or more to the point, I guess, what, what types of experience or preparation, if one of those three people say I really want to I really want to learn security, security researcher, threat researcher? how, how similar are the skill sets in those in those three types of jobs? how how fluid are people who can move between them? Or do you have to have three, three buckets of knowledge? I would, I wouldn’t say it’s three buckets of knowledge that built into each other. Right is there’s lots of people talking about your security career path. I said that teaching at a university, right, I deal with this with undergrads is how do you go from point A to point B, and people talk about, okay, let’s talk about threat intelligence. Could you do that as an entry level job? I mean, kinda, but you need the understanding of how technology works. Right. and to get an idea that same is true for forensics, right people I want to go into forensics. there’s a huge need for it. it’s very lucrative. I could teach somebody how to use it to celebrate and a month or week long class, but that doesn’t mean they understand what’s going on, it means they know how to use the tool. Yes. that is a fundamental problem with just generally of how we structure our industry, we teach people on tools. I would say, if you want to be I mean, even while there’s a big gap of trained professionals, it almost doesn’t matter. You can pick whatever path you want, right now, some baseline of skills, and you could figure it out there. to be truly successful, it’s now doing threat intelligence work is the security analysis and research I did 1015 years ago helps that because I understand, okay, how Windows internals works, and how network security works. I might have to sit there and look at a cheat sheet, but I can figure out how packets are structured in Wireshark, or TCP,

      , and there’s a wide variety of other things not in threat intelligence work, it’s actually understanding some of the processes of how intelligence analyst analysis works in the intelligence community me of the geopolitical realities that go into why we’re seeing certain type of cyber attacks and that flow, and economics and philosophy, right? It’s gotten more philosophical as of half a degree in a master’s in theology that I’ve never finished, right? People sit there and say, Hey, why can’t we fix things in security? Well, the fundamental problem in cybersecurity is it’s not a technical problem. People have been killing and stealing since the dawn of our recorded history. We just couldn’t do it at greater distance and scale with technology. I can try to mitigate it and minimize it, hopefully create some things that could detect problems. I can’t stop the criminal problem, right? Because because it’s it’s depressing to see As inherent or an inner nature, but it’s inherent in our nature, right? the way we architect our tech stack really just lends itself to lots of criminality. Yeah. it’s people get to burnout insecurity, when I get mid career and they realize is, we’re not really solving problems, we’re pushing bits around, we might, we might minimize some risks here or there. fundamentally, I don’t think anything’s really changed in 30 years, except the scale of the problem, the dollars lost. now, instead of in the 90s, we talked about the dystopian where you can kill people with hacking. We’re here today to kick over hospital ransomware. all of a sudden people can arrange life saving care at the speed with which to is necessary to sustain life. Yes, or self driving cars that can be manipulated to drive over pedestrians because it thinks it’s a crosswalk. Right. we’re building the dystopian future that we all talked about in the 90s on Hacker magazines. apparently, nobody thought to say, hey, we saw this 20 years ago how to stop this 90s. Now we’re just in a world where we’ve got to minimize risk, which is a nice insurance euphemism for keeping the death and mayhem to financially acceptable levels. Yeah, yeah. Right. Right. Very sad. I don’t write to predict the future I write to prevent the future. Anyway, future on the shoulders. If history’s saying stop, and there’s still marching on anyway. Mm hmm. All right. a slightly lighter note, your introduction. Under your areas of expertise, there was a title that caught my eye. it’s you described yourself as an artisanal malware curator. what does that mean? What does your what is your interest in unusual types of malware? probably, most people in the industry, I get the term that’s get banding bandied about as neuro divergence is, I have real problems with boredom is that I cause all sorts of problems when I get bored. I just need new things. Right is it’s, it’s, there’s lots of commodity malware we see every day, right I don’t need another report on dried X or ID or whatever, right? It’s I mean, there’s new indicators, great but it’s known, I finding unknown and new stuff. when I figure it out, then I want to find more unknown or new stuff. when I get stagnant, then I said, then I create problems. it’s better to find new things. that’s part of the Genesis and then part, right, there’s the inherent sarcasm of our industry, right of of how we title things. Right. the thing that I can say is, I’m a digital janitor. Right, right. Sure. Artisanal malware curator sounds important. Important to the lady so to speak. Yeah, I can almost smell the cinnamon coming off of it or something it’s, it’s very appealing. does that mean that you’re you’re you’re trying to write unusual malware to see if it can do something different? Or are you just researching out in the field for the strangest malware that you can find? then reporting your findings? I mean, if finding Strange New Things really. Yeah, I don’t I don’t so much, right. I mean, there’s there’s an infinite number of ways to commit violence, there’s only a finite ways to protect life. I focus on the other end of that equation. it’s, I finding new stuff, because I said, once something’s known, hopefully, you can automate a defense against it. Yeah, I think there’s an inherent problem in the security industry where we don’t automate as much as we should, because that would minimize the value of our services. the reality is, there’s so much new stuff going on all the time, especially when you get into the abt space. Yeah, you would have told me in 2014, that I’d be center stage in an investigation affecting the presidential election, I’d be you’re out of your mind, and then 2016 happened. that’s exactly where I was.

      Yep. Yeah. Now, to that end, well, I want to get back to a PTS in a little bit here. uh, going back to job role things you’ve, we’ve talked about a lot of different tasks and roles and hats to wear that you have over your professions. my usual stock question is what is your average day ? That’s obviously going to be tricky. Since I mentioned that changes a lot from day to day. let me ask this instead. What is your ideal workday? What combination of the things you’re involved with? Do you to do most in a day and now knowing your your your disdain for boredom? How does what what does the day’s activity looks that ends with you coming home and saying your family? That was a really good day? Yeah. I would say minimal amount of zoom. Yeah, yeah. That’s the world we’re in now. I get it, but I hate it. Yeah. Oh, yeah. so. I mean, I would vary. I don’t know how you slice up a specific day, right? There’s different aspects. I mean, one of the nice things at least this stage of my career and where we are in the industry is, is the conference circuit of seeing, hey, what other people are doing. There’s just not much of that going on right now. Yeah, of course, reasons which which sucks, right? that’s usually a day long thing or, or multi days, right. I’ve done the Blackhat DEF CON thing most years in the past five or six. I mean, even RSA which we don’t think of really, as a real security conference, it’s a trade show. Hopefully, no one from RSA is listening, where I just got black headed from are blacklisted from ever speaking again. but all my people are there, right? a lot more. Right? what are you working on? That’s new, because I’m excited human being finite. There’s only so much I can find, or, or who I can work with to collaborate to tackle interesting problems. if I can get to some end result or something. I’ve done a lot of cryptocurrency research of neo-Nazi groups, and to clarify what I mean by neo Nazi, I mean, using swastikas and saying Heil Hitler. Sure, versus somebody whose politics I don’t who have been tied to violent activity, right, and trying to say, okay, how can we I’d have helped get judgments against them, right, because of the lawsuits. Now, how can we extract money out of them to victims I’ll feel much better when I can succeed. nobody’s really figured out that problem aside of the Secret Service, rolling everybody up and just taking their crap. Right. I mean, do you see any any Do you can you even see a a path into that direction? is it? Is it a matter of it could happen if X, Y and Z happen? Or you’re I don’t know. We’re trying to figure out what X y&z look . I I having new problems and trying to figure out, Okay, how’s the path to solve this? so there’s a notion of imposter syndrome that several people talk about. The reality is that at a strict level, we’re all imposters if we knew how to solve the problem, we’d script it and move on. Yeah, right. We’re dealing with problems that nobody knows the answer to, that it’s certainly not a complete answer. we’re all figuring out as we go. by the time we think we might figure it out, somebody introduce new technology or new risks that now we need to figure out. Yeah. on one hand is people I don’t know what the answer is. once you get past it, no one really knows what the answers are. Then it’s Okay, I’ve got a, I’ve got a, I’ve got a big problem and grind on it and hopefully solve it. I guess a good day would be, I’ve solved a big problem I’ve identified specifically who bad guy is I figured out some new technique, new defense, new way to detect something new way to achieve some security outcome the tax but the PRC is doing to the Uighur Muslims pick, pick whatever, right, it’s once there’s an outcome, I could deliver something for some marginal value for broader society. I mean, yeah, my day job might have my own business, I got to deliver value to my clients, I get that right, that puts food on the table. what makes me excited is figuring out some way to deliver at least some marginal value to society writ large. Yeah. Well, to that end, can you talk about some of the main security threats or threat actors that you’re currently researching and dealing with? what what, what, what trends are threat actors or whatever are keeping you awake at night right now? I the General Mattis response to the the what keeps you awake at night? when he says nothing? I keep other people awake at night. the reality is, there’s not much fear I can instill in anybody. Yeah. so, I mean, at this point, I’m done to the reality is people are stealing and killing everywhere in the world all hours of the day, all I can do is try to marginally make that better for whatever sphere of influence that I have.

      ransomware is something I’ve been dealing with for eight years, right? It’s something we’re still going to be dealing with for a while. now, it’s a lot of policy discussions of the camp of, hey, let’s never pay ransoms. I’m probably the exception to that rule of saying that policy is stupid. it’s going to lead to dead bodies. use never, which is a moral word, you need to answer Okay, how many dead bodies you willing to tolerate for that moral imperative? Mm hmm. Nobody s that. Because Oh, it’s just money. Well, not what involves a hospital or our grids or right? A subset of circumstances because we have attributed desta. Ransomware infections. Yeah. there’s lots of crime just directed at normal people. Right romance scams, where there’s not much that happened to people right. it’s an abstraction it’s recently right now newly divorced so it’s okay it’s how people are dating is now more relevant to my life as but people get lonely especially in the pandemic, and then you’ve got to extract tons of money, their life savings, and there’s no one to make them whole. There’s no insurance policy they can buy and the bank says, Hey, you wire $200,000 to Nigeria, sorry and that are then then some more virulent varieties of of now I’ve got intimate pictures and sexting that I can use some blackmail. we saw at least with the Ashley Madison breach that ended with suicides. Yes. I mean, we’re, we’re moving into a world where death is an outcome. Yeah. Not a good outcome, obviously. Versus 10 years ago, it’s okay, credit card fraud is bad. I’m not going to say it’s good. Right. when’s the last time anybody has had to pay for a fraudulent credit card transaction? Exactly. Yeah. most of the time now, as I’ve I’ve had, I don’t know, maybe a dozen credit cards compromised? Yeah. it just, it is not it is not the a week long disaster that it once was, you call your you call your bank, and they put a freeze, metimes they even reverse the charge and, I mean, worst thing that happens is you have negative $250 to Nike that never goes through or whatever. Right? I mean, the biggest inconvenience I’ve ever had with that is that I’m overseas so I can’t get a new credit card. Yeah. What do you week of waiting for your debit card? Yeah. All right. I mean, it’s, it’s I’ve always used credit cards and debit cards for transaction. I don’t have to add hassle. I mean, it’s right. It’s a minor hassle. I could deal with it all online half the time. Just, Oh, I’ve got a new credit card. Okay. Nope. Here’s the new one. Fine. trade, secret theft is a thing. if you care, that’s really company problem. I want to say it’s not significant, right? Because I am paid to protect other people’s trade secrets. that’s just stealing information is just it happens. It doesn’t I it’s impactful. it’s dealt with, right. I that until recently, I steered away from a PT SP a PT work, because espionage is espionage. Right? We’ve been dealing with that for 1000s of years. Right? There is no end game to that. our endgame is we caught somebody we send them a PNG and kick them out of the country, and they send a new spy in. Mm hmm. No, that’s just a circle of geopolitics. There’s no that versus rifle cyber crime. Maybe I can get somebody arrested. Yep. Yeah. I think that goes to what you were saying about. forensics is more than just tools. if you’re interested in computer forensic, you have to be interested in forensics. it just says a thing, rather than this isn’t the cool side. It’s just a different tool to do. you said something that’s 1000s of years old. you have to decide whether that that root thing is interesting to you, rather than the cyber spin on it, right? Well, yeah, no, definitely. I mean, forensics is about law. I said, I taught a year long class in forensics, law and CS class, six weeks on the lawn, and one of the things I drilled home is we’re talking about Black Lives Matter and criminal justice reform. Now, you’re in forensics, right? You’re almost always working for the prosecution. yeah, you’re on the powerful side of very unbalanced power dynamic, especially when you’re dealing with criminal matters. Right. that led to me volunteering to do work for Public Defenders is two days ago, I picked up a murder kidnapping case. I’m just doing my analysis of what the police did have the computer evidence involved in that case? so that’s something to keep in mind is that some of the stuff that we enter into is actually part of the political discussion when you think about it? Oh, yeah. If you care about criminal justice reform, then you really need to care about getting your analysis, right. forensics, because 99% of the time, you’re just not challenged. if you say, boo, everybody believes right. I unless you’re willing to volunteer for the defense side you damn well better be right.

      Yes, ma’am. Well put, yeah. This is a great discussion. I want to circle it back into cybersecurity. I really enjoyed the the ethics of this. from a threat researchers perspective, can you talk about some things that the cybersecurity industry isn’t addressing or isn’t taking seriously enough at the moment that makes you want to shake everyone and say, Why are you letting this slide? I think I made reference to it romance games generally. Right? Because when you think threat research, it’s almost always vendors. Yeah, somebody’s got to be paying the bill. Yeah, right. that’s just the nature of a free market economy. Fine. I get it. there’s a whole lot of threat landscape where there just isn’t anybody. threat, threat research in terms of the work Citizen Lab does with with NSO and others. The works of EFF does and Eva Galperin with stalkerware. There’s lots of threats out there that are effectively unaddressed, right, there’s an ad hoc group there. I can’t point to an organization that deals with business email compromised, but romance scams are a part of that. Okay. Which is more money going out the door than there is for ransomware. Yeah. I mean by dollars, it’s more impactful I mean, if I steal from a company, they probably have insurance. I’m not going to say it’s fun. I’m not going to say you don’t have to deal with it, but insured threat. I mean, the whole point of Insurance insurance is to deal with a threat when you deal with taking somebody’s life savings. I’ve just had a handful of pro bono clients as I can’t do anything for him. Right. I got to talk about this is what happened in whatever. there was some elderly lady who her lawyer got business email compromised, sent a down payment for a house that got redirected and, sorry, your actual life savings, that was your retirement? I mean, I could tell her how she got screwed. I can’t do anything about it. Because well, there’s nobody paying that bill. Yeah. I don’t know how to solve that problem, except contributing some measure of my time for pro bono work. Okay. encouraging others to do so. Because pick anything that you’re interested in any? Yeah, oh, look, kids speak to a PTA about how to monitor your kids cell phone and how to deal with sexting in schools and bullying. There’s, especially after the pandemic, so much of our life is lived online, where there’s no protection. Yeah I’m not a big, cheerleader for Facebook. in the last year or so they’re putting together they put together a team to say we’re going to protect our users while they’re on our platform, instead of just protecting our platform, right, and realizing that this is a captive portal. there’s some measure of responsibility, we have good good on them, I think they should get more. there’s a lot of people out there that are just whatever. You’re not, you’re not the customer, you’re the product being sold. Can you can you talk about some of I you said, you can volunteer anywhere. do you have any particular organizations or starting places for people who want to contribute their their effort to pushing back the time? Well, I mean, it’s, I mean, I said to some groups I mentioned, I don’t know, Citizen Lab takes volunteers. I know, eff does have a network of network of people that’ll connect you to even in forensics, right, as I picked up a couple of pro bono forensics cases through the FF, don’t help out with beyond that, it’s it’s almost local groups. Yeah, no, it’s really, it’s you don’t have to go out somewhere else to go find something. Right. It’s just look around in your own circle, and you’re going to find things, right? Know, if if you have kids, and you’re involved with a PTA, there’s something to do about cyber bullying, stalking, all the threats that children elderly, there’s go to a nursing home or an elderly support group or an elder elder abuse hotline, if cyber stalking is your concern, there’s crisis pregnancy centers and crisis, residential centers for women in transition, or more, even more, even men who face similar threats. it’s if there’s a social cause that you care about, or a social group, you’re part of odds are, there’s a cybersecurity concern, right? Yeah, that that didn’t go to write this generally, I don’t pro bono my time to companies who can pay me? because while you’ve got money, and you need to go figure out your books, so that you pay appropriately. you’ve got lots of civic groups, I mean, there’s rotary societies, right? Anything that that you’re building your social security or social network in the community you’re in, opportunities will find you, right, if you’re getting well, I’d say, if you’re getting out of the house, depending on where you are, and where we are in the pandemic, that might be hard. almost everybody has has some network close to them, where their interest level where they they can be involved.

      Yeah, I’ve had that image in my head since talking to Emily Miller about about infrastructure security, and how many local municipalities and city governments and stuff have just appalling lack of security. of course, the Oldsmar water case is the perfect example of that. I feel there could be this new volunteer ism that you speak of where people are not only doing doing their job well, and putting food on the table, but also contributing those skills towards this unbelievably huge field of unsecured things and unsecured people and safety, safety compromised people forth. Right? That actually I think it vulnerability research is your thing. There’s I am the Calvary because this is no case note this this notion, right. okay, somebody else needs to fix it. During it. Nobody else. Yeah, yeah. If my problem was one of the problems I face is the nose is people know, I volunteer time. There’s only so much time I have right yes. Yeah. I’m also a sucker for cases where what, if it’s not me, there ain’t nobody else. Yeah, yeah. also I wouldn’t give my time to say the city of Chicago. They’re big enough city with enough money. but a rural town I live in a rural community, that’s your population. 9000. Yeah okay, right, there’s only so much money to go around. You’ve got to be big enough to be able to get started. Right. there’s lots of small stuff in there even involve your local chamber, if you care about SMB issues. Yeah. For local Chamber of Commerce, Farm Bureau, right. whatever, whatever interests, you happen to be there. and I said, there’s probably some measure of people who need help or need advice, or need something church groups, another another avenue, whatever your social circle is, right? There’s somebody not too far from it, that that could help plug you into people in need, or, or institutions or organizations. Yeah. I say just do it, do what you have to do, but also do do a little more on the side if you can. Yeah, I mean, Patrick, patch of this rock we call Planet Earth marginally better, I mean, problems, but we can help help individuals have somewhat of a better experience. Absolutely. let’s, let’s talk about how we’re how we train the next generation of people to do that there’s there’s there’s a lot of gradations of careers and jobs relating to all of these jobs, threat researcher threat, intelligence incident response. for folks who are interested in, in, in the really taking the fight to the cyber criminals, as you say, and shutting down ramps and networks and stuff, what types of skills knowledge or experience should they be acquiring to make them desirable people hiring for that type of work? Gotcha. I said, I would, I would argue that having a broad base of understanding of technology really helps. it’s not strictly required. Yep, that really makes you more effective in the out years, yeah basic barrier of entry is at least have some digital forensics or malware, reverse engineering skills. Because ultimately, it’s the starting point as either some piece of malware or some network incident that needs to be dug into going back and digging backwards. Yeah, there’s a couple of online courses and other things. I’ll teach you open-source intelligence in cybersecurity, to go through all of the various tools, some paid some free, right? There’s lots of free resources out there abuse, that ch does a lot of stuff, and SM information URL scan.io. I forget the name of the GitHub, but there’s a amazing threat intelligence, little GitHub, but it’s really just a list of stuff. and it really depends on what you’re you’re interested in research, right? There’s resources, if you’re interested in industrial or OT systems, there’s things of, of now where there’s things of threat intelligence proper, there’s things of various social engineering, type intelligence. it pick something that interests you, right? The advantage we have in this industry is that there’s so many things you could do. Find whatever you’re interested in, there’s no there’s no reason to not be really passionate about something you’re researching. Yeah. Because there’s always something right, if you care about health care, plenty of health care stuff, but lots of health care, care about educational in K 12. All sorts of systems being put in there. Right? Risks? Yeah, I think the thing that I want to keep reiterating to people is that there’s there’s no downside to specializing in something we hear so many things, it’s Well, should I should I learn about Windows 10 vulnerabilities, because what if I don’t have to use it or whatever. It’s you’re, there’s, there’s there’s no downside to learn? and I think that seems to be one of the things that keeps coming up again, and again, is, is what if I put all this time into learning this one thing, and then I don’t want to do it, it’s well, then do something else.

      Yeah. the core skills and mentality are developing learning something else will help you learn the next time. there’s, I mean, there’s no waste of time, right? You’re learning something new, you’re developing things have a tendency of coming back around. Yeah, right. It’s yeah, I was about to remove the entire concept of worms from my courses. Is when’s the last time we saw a worm before I want to cry? Right, what happened is Oh, I guess worms are still a thing. Because, guess what, we still haven’t learned the lessons of not putting SMB Internet facing in healthcare environments, looking at you NHS. IoT security. The problems in IoT security, the same things that we had in Linux, when when it security in the late 90s and early turn of the century, it’s just a new company started making devices. their experience was in manufacturing, not hardening operating systems. they reintroduced things that more or less were solved. Tell him that was a dead protocol. then Bri happened yeah. even if things aren’t valuable in the next six months, I said it there’s a cyclical nature of things where If you extract, extract away the very deep level stuff about, say windows 10, some of the fundamental realities will still be there come windows 15, or whatever, Microsoft. That’s right people in 95, right, smashing the stack for fun and profit was a big thing. Yep. 26 years later, we still have buffer overflows, but you strip away memory manipulation we still can’t safely process inputs. the, it’s the same problem that goes into SQL injection, it’s the same problem that goes into the various attacks in machine learning. It’s all input validation off of untrusted data and three decades on where are we? P? Yeah, introduce new ways to suck instead of solving the old ways. The old ways of sucking are still there. Yeah. conversely to there’s a lot of people who might want to contribute to this industry, but might be not so keen on being directly in the crosshairs of actual cyber criminals and stuff. can you talk about some adjacent careers around this type of work that that don’t make you cybercrime Public Enemy? Number one be, let’s say threat modeling your incident response or other religions? Sure, I would just say upfront, it’s very rare that I have observed any targeting of me, based on what I do. I very publicly kick Neo Nazis. Yeah, okay. They taught me a little bit, but fine I’d research some Russian and Chinese stuff, they did some stuff caught on whatever, it’s all very low level, no one’s no one on our industry is going to get a plenty of green tea at a cafe anytime soon. there’s, there’s a subset of things that could get you in the crosshairs, but it’s pretty obvious of what those are, by and large, most people don’t have any significant risk. I mean, unless you’re developing high level zero days, which are useful for intelligence agencies. even that problem is is billable, you step into that space to know you’re taking a look at and if that’s uncomfortable for you then think about being in a different space, there’s, there’s a whole lot of research that just nobody really cares about, right. They in terms of that targeting, buying threat modeling, is ultimately we think of cybersecurity as a technical problem, it’s really a human problem. the most you can do in a business is is manage risk,

      , is if you tell me hey, here’s a blank check, I want all the security, you’re going to get a high dollar amount. very few people can pay that, right. if you’re working for a small business, or medium sized businesses only so much you can do right. Threat Modeling is is understanding attacks and threats at a general level and being Hey, give me an example. Ransomware is essentially an availability, problem, availability, and business continuity. it’s you take all the stuff you learn in the CISSP, you strip away data center fires and natural disasters and swap and ransomware. Ultimately, it’s the same response strategy is how do I get back up and running quickly? The other problem is, is that backups haven’t evolved in 40 years? Because we’re still using tape. Right? at its core, it’s the same, you could be one of those people that’s, that’s pushing that, that technology forward. Yeah. Right. if you’re a medium sized business to say, Hey, what are we going to do about ransomware? It’s I need to have a plan to replicate my ad somewhere else and get a central business operations running in a different facility in a different cloud somehow, right? instead of saying, Oh, I’m going to buy this endpoint in this thing. here’s your $3 million, with a budget that I need, is finding easier ways to do that. Threat Modeling is Okay, I’ve got all this much to work with, what do I spend my time on? Right? This I’ll tell you, it’s with, with with threat modeling, right of an observation of just looking at recent abt ransomware, a handful of attacks. If an organization just can manage PowerShell, you would solve so many of your problems, and my manager is log it, make sure all PowerShell scripts are signed, that you’re managing the keys of signatures, because almost everywhere on the chain of a modern attack, somebody is using PowerShell, that’s unrestricted, which means the attackers use PowerShell. The same, same reason, reason we do, they don’t got a lot of stuff to manage, right? they want to manage all of our stuff to just be not for availability and confidentiality. Right. I said if you’re looking at that stuff, and that’s, that’s just a lot of reading. Alright this is dozens of security, security research companies that publish blogs and PDFs and you read all this and you start gleaning, gleaning insights to say, Hey, I’m a medium sized business, I can’t afford FireEye and CrowdStrike and name vendors. what, I can click on these GPO settings and manage my PowerShell 100%. No, but it’s a lot better than and it doesn’t cost anything aside of time and effort and engineering, right? It’s all internal cost versus po cost, right? Yeah. I’m looking to the future. I mean, we talked about the depressing trudges of history and 30 years of things not not changing, demonstrably in terms of threats and just finding different ways. do Do you have any predictions for how threat hunting and threat research will be in five to 10 years? I think at a high level at substantiating the substantially the same bad guys are going to still do bad things, and we’re going to need to get out what they’re doing and try to protect things. Right. I think the things that will change are really outside the security space proper the geopolitical trends of less stability and congeniality between the various power poles in the world impacts things, and can impact things because we we’ve seen a lot of destructive attacks waged when geopolitical tensions are high. the higher they get, the more we’re going to see things kicking over power grids for not for fun and profit, but for for patriotism or lols fact that Comos Yeah, yeah I we’re adopting technology in so many areas of life where we’re inventing new risks. come 911 I hated the term cyber terrorist 20 years ago. it’s not a thing. There’s nothing I can do with a computer in 2001. That creates debilitating fear in society. Right? There’s malware, there’s lots of bad things. It isn’t to say it’s a bad thing, but it’s not terrorism. Right? No, we’re self driving cars that are connected on 5g networks. if you don’t get that right and I start driving cars into each other in a major metropolitan area. Then all of a sudden, people are afraid to stop start going in cars, city grinds to a halt. Right. Those are the kinds of things

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.