Chris Sienko: It’s a celebration here in the studio, because the Cyber Work with Infosec Podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a best cybersecurity podcast gold medal in our category. We’re celebrating, but we’re giving all of you the gift.
We’re once again giving away a free month of our Infosec skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments. To take advantage of this special offer for Cyber Work listeners, head over to Infosecinstitute.com/skills, or click the link in the description below, sign up for an individual subscription as you normally would, then in the coupon box type the word ‘cyberwork’. C-Y-B-E-R-W-O-R-K. No spaces, no capital letters and just like magic, you can claim your free month.
Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week. Enough of that. Let’s begin the episode.
Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different cybersecurity industry thought leader and we discuss the latest trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Today’s guest, Ken Jenkins, currently serves as the Chief Technology Officer of By Light’s Cyberspace Operations Vertical and leads the organization’s EmberSec team. He brings more than 24 years of information technology and cybersecurity experience to his work in red teaming, penetration testing, threat hunting, threat emulation, incident response and systems engineering.
Ken is also a decorated combat veteran and retired soldier. His active duty responsibilities covered operations and defense of DoD networks and battle command systems. Some of his assignments included a variety of combat units, the Army’s Criminal Investigation Command, Army Cyber Command, United States Cyber Command and the National Security Agency.
Ken regularly competes in capture-the-flag competitions and is a technical mentor to the CyberPatriot Program. He earned his BS in technical management from DeVry University and holds over 30 commercial certifications including CISSP, OSCP and many more. Ken, thank you so much for joining us today and welcome to Cyber Work.
Ken: Hi, Chris. Thanks for having me. I appreciate it. I’m always humbled to be invited on shows, or for interviews. Thank you.
Chris: Well, great. I hope we have a good time today. I want to start out the way I start out with all of my guests and ask you a little bit about your tech and security journey. How did you first get interested in cyber security? Did that come during your military service, or have you been a lifelong tech and computer fanatic?
Ken: No, it did. I’ve always had a thing for taking things apart and messing with widgets and seeing how things work. I think my path was a little bit more opportunistic than I planned a thing I wanted to do when I grew up. I initially joined the military and I worked on track vehicles. Bradley fighting systems, MLRS, track vehicles, really cool thing right when you’re growing up and you see those things.
I knew very quickly that I was wanting to do something else. The army had this program that will allow you to leave one under-strength critical career field, but only to go to another. The IT, what we call the Signal, the Army Signal Corps. I was able to transition to that and that’s where my IT journey took off. I was fortunate to work in some really cool units in the military. We started off very early, routing traffic over circuit switching and satellites and line-of-sight radios and even RF radios.
I quickly was able to go to train in an industry with Cisco. I learned the whole, basically network and switching, routing at a very advanced level within – engineering and providing large-scale communications. I did that in Korea. I joined the Army’s 1st Stryker Brigade. Those are very expeditionary comms. You had to move very quickly and keeping communications up was key.
I did that for a good five years after I re-classed, after I changed jobs from being a mechanic. Then I moved into – I got fortunate enough to get selected into the Army’s Warrant Officer Program. The Army’s Warrant Officer Program, it’s divided up over 20 technical disciplines within the army. They basically send you off and retrain you. You become the Army’s expert in whatever field you’re in. Mine was IT and communications. I was able to train with Microsoft, with Cisco, lots of battle command systems, worked with defense contractors that would deploy systems to the military.
That was a lot of fun. It moved very quickly. After I became a warrant officer, my first assignment was at the Army’s Criminal Investigations Command. I knew very little about the organization’s mission. I pretty much respond to felony investigation, anything sensitive to the government. While I was there, I noticed that the criminal – we had these criminal crimes, computer crimes coordinators that would respond to cyber events. Of course, we weren’t calling them a cyber event. It was more did somebody commit fraud? Felony-level investigations, anything to do with computers.
I quickly learned how to conduct forensics with the computer crimes coordinators. I’ve learned this from supporting them. They needed massive servers built. They needed computing power. They needed analyst workstations, things like that. I really started learning about the law enforcement side of forensics, which prepped me very well for the more cybersecurity relevant forensics that we do these days and security operational centers and whatnot.
After I left there, I was fortunate enough to get accepted into the army’s first cybersecurity career field. I changed my job once again and it just took off from there. I mean, I had the deep comms background and I had the support to law enforcement and doing some really cool forensics. A matter of fact, while I was at CID, we responded to the shooting at Fort Hood. There was a lot of forensics work that had to be done with the buildings where that occurred. That was a huge effort and I really enjoyed working with the agents on that work.
Fast forward, I finished that course. The course I got sent off to, I attended with SANS. They put us through seven SANS courses. That was a kick in the mouth, because SANS training is very, very difficult, very relevant, good hands-on, lots of labs. You’re being taught by industry experts. SANS doesn’t just have instructors to be able to teach there. You have to be a practitioner in a field and the depth that they teach at was nothing I’d been exposed to previously.
I got through that program and I was able to get assigned to the SWA cyber center in Kuwait. The SWA cyber center was – at the time, it was called, it was known as the computer network defense service provider for all of CENTCOM, so the CENTCOM AOR, which is one of the largest areas of operation within DoD. We were responsible for the daily defense of those units. They were operating out of Kuwait, Qatar, Bahrain, Saudi, Egypt and Iraq. A massive sensor grid.
I mean, at the time, if you’d think of a capability that existed, we had it. It was tremendous. All the way from IDS, IPSs. Name a vendor that’s out there that had a cool product, we had it. Reverse malware engineering guys. We had a robust sensor response team. I don’t think a lot of folks give the military credit on this, but we had this. I was the first cyber defense guy assigned out there from the army to work with a lot of our contractors and civilians. It was really a great learning experience and it really catapulted what occurred afterwards.
We handle some pretty significant intrusions, particularly nation-states. I mean, there’s always insider threats, things like that. I mean, when you’re operating across those many countries, you’re going to have threats coming in.
It was a good time. Lots of incident response. You wouldn’t believe the sophistication that adversaries are operating with, while we were trying to defend unclassified networks, classified networks, all the way up to top secret. There’s activity on all of them, whether it’s insider threats, or whether just unknown anomalies.
After I left there, I went to the National Security Agency, which was an awesome assignment. I was a mission director at the NSA’s blue team and we merged with the hunt. We were responsible for intrusion detection, intrusion analysis, incident response and vulnerability assessments for government customers, well for government agencies. Wide exposure to lots of threats, lots of adversary activities and how to do vulnerability assessments the right way.
I mean, we were well-organized, well-funded. The talent pool that we had, there was no other I’d ever worked with. I mean, I pinch myself every day. Being able to be the director of those operations. Yeah, I did that for a few years and I went over to the NSA’s red team. The red team is a really cool organization to work in. It feels like you’re in a military organization. The reason I say that is because of the way they operationalize their operations.
They’re responsible for penetration testing and red teaming of government – of US government agencies. Getting to operate in that environment was really cool. Just from the way we organized the organization to the way we conducted our operations, it was very similar to what I was used to in the army.
I was getting close to the end of my 20-year career there. I hit 19 years and I got this itch that I just wanted to retire. I wanted to move on the next thing. It was a great experience. There was no downside. I loved it all the way to the end. I felt I was sprinting all the way to the end. The larger army and the cyber mission force was being stood up, the cyber army cyber branch. I spent a significant time really helping create that structure, contributing to create that structure, to training pipelines, the positions, the vision of the organizations, how they would conduct offensive and defense of cyber.
I really enjoyed my time there, but my itch needed more scratching. I went ahead and retired. I was fortunate enough to join a company called IronNet Cybersecurity. It’s a very comfortable feeling going there. A matter of fact, our CEO was General Keith Alexander, the former director of the NSA. Lots of mentorship there. I started the red team at that organization and I stood up the solutions engineering and services teams. At that point, I was promoted to VP. Then I moved on to By Light.
I’ve been here roughly 15, 16 months now; the Chief Technology Officer for the cyberspace operations vertical. I also run the EmberSec team. EmberSec team is pretty much focused on technical managed and GRC services. A really deep and wide breadth of expertise we have on this. I really enjoy what we do.
Chris: Okay. You gave me a great timeline of all the different positions you’ve had. Most of them were clearly in the military or government sector. Can you tell me a little bit in an umbrella way, what did your time working on cybersecurity and cyber defense in the military teach you methodically, or procedurally that you’ve been able to bring into the private sector?
Ken: Yeah. I think one of the things we were good at in the military is understanding the threats and the adversary’s capability. We did that through different forms of intelligence collections, previous experience sharing with our partners, things like that. Really understanding our threat model, understanding what we need to do to reduce that, the risk from that threat model that we’re up against. That was one thing. That can help you prepare a proactive defense plan.
Also operational, how we operationalize cybersecurity on active – just not active, but within the government. We ran it as a military operation. I mean, it wasn’t – it wasn’t a mundane task. Cyber is a war-fighting domain. As such, you have to be proactive. You have to plan current and future operations. I really liked that aspect. I’ve been fortunate enough to work with some major energy companies, banks. It’s the little minor things like that that I pick up at the really good ones.
Fortune 50 banks, no secret. You go to their security operation center, they have morning stand-ups, they have – there’s real-time communication or near-time real communication. There’s practitioners on the teams. There’s a really good understanding of how do you respond to things and they exercise. It’s very similar to how we did in the military.
I think companies learn a lot from that way of doing business. That’s really what I like to share with companies. Usually, what I’m saying is smaller company cybersecurity is like a side gig, or additional duty, where if you think about it though, it requires practitioner depth expertise to do it effectively. I think it can’t be a side gig, or a side hustle for someone.
Chris: Yeah, yeah, yeah, yeah. They’re not taking it seriously enough, or they’re not allocating enough resources.
Ken: Right. That’s exactly right. I see that a lot. Dedicated personnel operationalizing, I think those are all keys that I brought with me and try to implement that where I go.
Chris: Okay. You’ve given us some ways and maybe you can expand on this, but what are some ways that the private sector could, or should adopt security practices used by the military? Then maybe on the other side of the coin, are there things that the private sector does, or enterprise does really well that might have something to teach DoD, or the military?
Ken: Yeah. There’s a couple things. I mentioned about the proactive approach, so I won’t harp on that one too much. One that I think is very helpful is think of your enterprise as constantly under duress. Someone’s always trying to get in, whether it’s a sophisticated adversary, or someone’s scripts running, or scans running looking for vulnerabilities, but that is always going on. I live out on a wooded lot, no one’s knocking on my door every day. If I lived in a neighborhood, I’d probably see more and more activity, right?
On the Internet, if you open a firewall and just watch the traffic, I mean, it’s constant; scanning, automated scanning, exploit attempts. I mean, you name it. Most IT guys, if they would do that for more than a few minutes, they would also see that there’s massive attempts all day long to try to get in. A lot more are dropped by different security controls, but just take it – consider that you’re constantly under duress and pick up the optimal proactiveness on how you defend the network.
That doesn’t mean panicking. That just means like, “Hey, this thing is being attacked, that we need to try to defend it.” That’s one of the key takeaways. Having resourcing, projecting resources up to a board I think is important. I’ve had the privilege of briefing a few boards over the last probably six years. Very few of them aren’t talking about cyber now. They’re generally asking, “What should we do differently?”
Oddly enough, they really listen to people who come in and talk to the board, whereas some other people can be saying the same message, but it’s just not resonating the same way. It’s good to come in and give a different perspective, or reinforce with what their team is telling them. Those things are definitely changing.
One thing the private sector does very well is they keep deeper expertise and practitioners. The military and even the government agencies, there’s quite a bit of expected promotion and moving on to the greater responsibility. There’s a nudge constantly. “Hey, I’ve been here two years. Hey, I’ve been here three years.” You start looking for your assignment managers tapping on the shoulder, “Hey, it’s time to go, Ken. We got this other opportunity for you.” You want to figure on better things.
What I’ve seen with practitioners in the private sector is they get to stay a little longer. They get to really hone their skills and I like that. I’ve seen that quite a bit. Not everyone has to be a leader. Some people want to just be on the keyboard. They just want to be a developer, or a practitioner.
Chris: Yeah, that’s something we see common with people who find themselves suddenly in managerial roles and saying, “I don’t get to do the hands-on stuff anymore.” Compared to you said with military, you serve a two or three-year thing before people are starting to look for the next lily pad to jump to. Comparatively speaking, what is the average time in a position in more of a private sector job? Four or five years?
Ken: Yeah. When I was at IronNet, we had developers that it was nothing for them to have 10 years coding in a specific language or two. Some of the more, I don’t know, the rise in some of the cybersecurity jobs, it’s hard to clearly say, but what I’m noticing is people are wanting to specialize in offensive, or defensive, or some incident response. On the offensive side, could be red teaming, penetration testing, threat emulation. Then on the defensive side it’s like, “Hey, I want to take apart that malware. I want to try to catch these adversaries.” In incident response it’s like, what happened? Those are formalizing themselves a bit.
Then there’s this whole other – I don’t want to call it a faction, but there’s a whole another – they are building products. If you’re building products, you probably need some expertise in software development, understanding threats. If you’re doing red teaming, pentesting, you need an adversary understanding and how to emulate those things for companies and defenders. For the defensive side, you need a little bit of both of that to build within an organization. I think the tides are changing on people staying a little longer in those positions, but those all came along in, I mean, roughly the last 10 years.
Chris: Right. Yeah. No, this is such a changing field for sure.
Ken: Really became prevalent, right? I think seeing those stones starting to be set, the foundation starting to be set – I mean, you’re seeing some very deep practitioners now in those different specialties.
Chris: Yeah. Go ahead. I’m sorry.
Ken: Yeah. Not to beat up on the military, but one thing a lot of people forget is soldiers are part of a larger weapon system. They’re a capability. There’s readiness standards, there’s training outside of their job, there’s mandatory training and employee funding. That has nothing to do with their specialty. It’s just part of being a larger force for our country. A lot of civilians don’t necessarily have to compete with that. It’s a give and take, but I see the deeper expertise and more practitioners in a commercial scope private sector.
Chris: Okay, that’s interesting. Our goal with the podcast as I mentioned before is to walk newcomers and people who are wanting to make career or position shifts and help them to see potential job titles in a new light. We’ve been talking about this a little bit, but let’s talk about some of the more active forms of security, specifically red teaming, threat hunting, penetration testing, threat emulation. What drew you to this interest? Obviously, the military brought you into this, but what are in your mind some of the most important skills, experiences, certs, etc., that you should have to excel in these types of fields? If you want to get into this, where do you start?
Ken: Yes. That’s a whole lot to digest. I think I took a great interest in understanding adversaries before I went to the SWA cyber center in Kuwait. I got to be honest, I don’t know how I ever defended networks, or helped red teams defend networks.
Chris: How’s that?
Ken: Just not knowing the sophistication the adversaries operate with. Some of them are very well-organized, very well-funded. I mean, you have nation-state capabilities, state-sponsored capabilities. When I got a little bit exposure to that, it really perked my interest. I want to learn more. I always thought that a lot of adversaries just they got access to credentials and then that was it, right? To being honest, it’s so much more than that.
Let me touch here on one of your points. Defenders, you have to follow rules. You build a network, you follow a framework, you have to implement compliance. Adversaries don’t have to do that. They find whatever least path to resistance, the foothold that they’re given and they run with it. They can be very dynamic. Defenders really have to focus more on a larger breadth of capabilities and learning. I think understanding that has really helped me.
Then I took interest in wanting to be able to do that myself, like the red teaming aspect of it. I’ve gotten to the point with the red team and the penetration testing, how do you give that to a customer where they can actually do something actionable with it? Because that’s really why we’re all here, right? We’re here to defend companies and to protect our government infrastructure, protect our organizations from the cyberattacks at home. Does that answer your question, Chris? I know it’s –
Chris: Yeah. Yeah, yeah. For sure. Yeah, I guess I’m trying to think of – if you’re currently helpdesking, or you’re security analyst, or you’re somewhere lower, what are some of the things – It ties in to my next question, but let’s think about it in terms of you’re just getting into security and this sounds intriguing, but you don’t really know, because all these are related, but they’re different. Red teaming is different from penetration testing, it’s different from incident response, from blue teaming and so forth.
How do you parse out what you do and what you like to do versus which of the things that you like doing would be right for you? Then how do you go chase after that thing? Obviously, because you were in the military, you had this great natural support system around you of we want you to do this and we have the training for you. If you’re having to go on self-initiative and say, “Red teaming sounds great, but how do I get from me reading log files here to doing something as advanced as that?” What would you recommend?
Ken: Sure. I’m sure you hear this a bit, but who are the industry leaders in some of those things? I had the good fortune to meet Dave Kennedy from TrustedSec. I think it was maybe back in 2012 when things were just starting to get off the ground. DerbyCon had run a couple years. I asked him many questions. He made a great transition from the Marine Corps and government sector. Find a mentor. He’s very active on social media. Well, I shouldn’t say oddly enough, surprisingly enough, most of these folks are very approachable.
Chris: Yeah, I’ve found that too. A lot of the industry leaders we’ve talked to all freely hand out their LinkedIn file, or profile. They’re someone who’s like, “Just get in touch with me. I’m happy to talk to you.”
Ken: I mean, I think for most people if they were to reach out to someone like Ed Skoudis at SANS and Tim Medin and some of the prominent instructors, or cybersecurity leaders, they’d be delightfully surprised; they’d probably get a response that day, whether it’s Twitter, whether it’s on LinkedIn. Reaching out and finding a mentor and asking those questions.
One of the things that was very helpful for me when I was getting ready, well I shouldn’t say when I was getting ready to retire, but when I moved here to Maryland and I was at Fort Meade assigned to the NSA, it was conferences, local conferences, ISSA meetings. Jumping into those things and really going in with an open mind and observing initially and then starting to narrow the focus on what would interest you. When I was doing more IT, those things weren’t really prevalent. Most IT conferences I’d go to, someone’s trying to sell us something. Go to some of the very specific cybersecurity conferences, it’s people pouring their heart into the community, providing talks, providing their research, releasing tools on GitHub. Then being available.
I could literally go to a cybersecurity meetup every day of the week if I wanted to, especially where I’m at here. Jumping on social media and getting out there and talking with folks, I think is a really good way to do that.
Chris: Okay. In thinking especially of the more, like I say, aggressive, or the offensive security things, the red teams, the penetration tests, whatever, what are some type of activities that you should really enjoy doing on a daily basis if you’re thinking of these type of careers? You might be imagining, “Well, I’m just going to go out there and I’m just going to go dig around and I’m going to solve all these things and I’m going to break into this, break into that.” Obviously, there’s a lot of report writing to do. There’s a lot of communication with the client.
What are some of the main chunks of work that you have to do that you should really be cool with doing a lot of that? What are some of the surprising fun things, but also some of the surprising downsides of these types of jobs?
Ken: Yeah. That’s a good question. I was fortunate to come and well, I don’t know if you call it fortunate, but I came into cybersecurity mid-career. Some of the opportunities I could steer, or I could voice my concerns, “Hey, I really want to do that. I want to do this.” Hey, I want to go on this path in my career and mentors would help me set a path and go in that direction. Especially, I think you’re referring to specialization a bit here, right?
Ken: Almost all of the things we’ve discussed today, so red teaming, blue teaming, incident response, hunting, all of those, even within each of those there are specializations. Getting good, getting good. Listen to me, having a great understanding or a depth in specific things is necessary to contribute to these teams. For instance, blue teaming, generally there is someone with deep expertise in Windows systems, Active Directory. There’s generally someone who’s got really good experience or depth in UNIX or Linux and then infrastructure and I would say everything else, OT, or IoT.
Finding a little specialty – finding some things you’re passionate about within the type of proactive cyber security you want to do, I think is the start. Then plotting a course, how do you become good at that? For instance with red teaming, we had guys that were very focused on initial access. Their drive was how do I get initial access? How do I become an official user? How do I use an exploit? How do I social engineer someone? How do I do a physical intrusion into an environment? Find that passion. Which of those components of red teaming, blue teaming, hunting, incident response really draws you in. Then see how you –
Chris: Yeah. Since you’re going to be on a team anyway, it behooves you to be the person on the team that’s known for doing this one thing and doing it really well.
Ken: Yup. Most of these are – I’m not going to say most, all of these are team sports. I mean, they’re not individual operations or capabilities.
Chris: Yeah. Yeah. Since we’re talking about these methods of learning how to break into systems, I want to talk some about the capture-the-flag competitions that you compete in. Do you compete in solo, or as teams? These are also team sports, I assume?
Ken: Initially just because I think we all suffer from a bit of an impostor syndrome.
Chris: Oh, yeah.
Ken: You’ll hear that a lot in cybersecurity and it’s pretty prevalent, right? You don’t want to go in a meeting and say something and prove everyone. You know what I mean? I think everyone suffers from it. I was a little bit nervous on things. I had to dabble as an individual initially. Also, I came – like I said, I came in mid-career. I had a lot of catching up to do. I wasn’t good at coding initially. I didn’t understand all these different types of encryption or capabilities, so I had to learn those on the fly. I started off competing in individual events. Not all of them were red in nature. Some of them were crypto challenges. Some of them were defend the flag, or capture the flag and then defend it as well.
Some were more task-oriented, some more there’s a trail that you had – a storyline that you had to follow. Oftentimes, it was good to go as an individual to those. Later on when we started doing more exercises in the military, or even in the government, things like Cyber Flag, or Cyber Guard, those are well-published cyber exercises. I really enjoyed more of the team concept to it. We would use that for CTFs as well.
We had the Presidential Cup and that’s a big one that was just in the news. We did the Army Cyber Skills Challenge, where we invited pretty much anyone in the army to come compete in this. Did them here in local chapters and really in conferences is where I’ve done the most. I would say almost every BSides, regional BSides conference has a CTF that someone brings along, or creates. I really like going to the CTFs down at CarolinaCon. They seem to have a pretty interesting one every year. DerbyCon always has it. Of course, the larger conferences, they definitely – they have multiple. Also, if you can get into a SANS course, that’s usually day five and six has a CTF, or an exercise. It’s really cool and has – there’s a competitive nature to those things.
Chris: Okay. Again, moving it back to an even more remedial level. If you’re interested in this thing, but you don’t necessarily want to go to a conference to do capture the flags and stuff, are there free ones, or things online that you can do? One of the regular articles on our website is one of our authors will break apart a decommissioned Hack The Box tutorial and things like that. Are there things like that that you can go out online and dip your toe in before you take yourself out to one of these big conferences and then find out that you’re not quite ready yet?
Ken: Yeah, definitely Hack The Box. I like Hack The Box. Most of my guys, they have a profile on there. HackerOne, that’s another one. HackerOne, they generally publish bug bounties. You go sign up and you get aligned to a project and then you see if you can penetrate or find a vulnerability. I like that.
Also, this wasn’t around early on, but CTFtime.org, they really have an event list on there. You can see all these capture-the-flag events that are going on. I really like the rise of the Pentester Academy. Initially, I didn’t know that was – I don’t know. It just popped up and I didn’t really pay attention to it, because we had opportunities with SANS and all the local conferences. I went back to a number. I’m pretty impressed with this. Also, stuff off VulnHub, pulling down binaries and watching how people have exploited them. I think that’s a good start.
Chris: Okay. Can you give me any examples of some of the more interesting CTF puzzles that you were able to solve? Are there any brain bogglers that made you shake your head with admiration in their complexity that you could share with us?
Ken: You know what, it’s been a – starting this business unit, it violated – it’s EmberSec. The last year has been a little slow for CTFs for me personally, but my guys have continued competing in them. At DerbyCon, there was a guy that used to bring these coins. I wish I could tell you his name. I was looking for it before we joined the podcast, but he would come with a Pelican case full of these crypto challenges, coins. Interestingly enough, around the coin, if you flipped it to the side, you would see something in binary, or something encoded and you’d have to break that encryption.
Then there were different phases. It might be something like, I decoded this then I went out to this website because it provided the URL, or it provided some clue and you went out to that URL and the plot thickened, right? Next thing you know, here’s a couple websites and then there was a thing off this site you had to decode. I really liked that crypto challenge. I wish I’d had done more of the crypto ones, because there were times on intrusions where I would have a string of characters or something out of a – we’d pull out a memory, or pull up a hard drive, some artifact around a network traffic.
Being that I wasn’t well-seasoned in reversing, or decryption, or decryption challenges, now I look back in hindsight, it set me back a little. You don’t know how you’re going to apply that later on from the challenge, but I really enjoyed that one. Then last year, well, within the last year, I went to AWS re:Inforce in Boston. There were several – well, they were CTFs and crypto challenges built into one.
It was pretty clever. You got some clues and you had to go over to a booth. They did some coordination. I went over to a booth and they gave me a t-shirt. I took that t-shirt and I had to overlay something from another booth.
Chris: Oh, wow.
Ken: I had to overlay it on the t-shirt, then I had to count some of the characters within there and that was one of the strings. I took that string and – we had to do some ROT13. We had to flip bits around and then we had to decode that. That was pretty clever. Obviously, those are conferences and those aren’t straight CTFs.
I think the ones that I was seeing at DerbyCon and the BSides are by far the ones I enjoy the most. The crypto challenges, it was really, really – really, you got to leverage expertise around you and really go deep. Also, I liked the blend of trivia that gets put into these. It adds a bit of an adventure to it. One of the things my family and I did, we were down in the Riviera Maya a couple of months ago and we had an opportunity to go to an escape room.
The escape room was mostly IT- or cybersecurity-themed. There were things – it was a Christmas theme, but things were – the order of the lights in the room, what colors were they, what order were they in, how many were there. We were in there for a long time, so we had to take these things out, observe them. Then there were a couple where we had to get on the computer and go do something. Those are cool too. I mean, escape rooms can be all over the place.
Chris: Of course. Yeah.
Ken: If you can find an escape room as a group that has a cybersecurity flair to it, they’re a lot of fun.
Chris: Wow, that’s really cool. I never thought of that as a possibility, but it makes perfect sense when you think about it. Yeah, as you were describing the almost scavenger hunt-like nature, or some of those conferences where you’re getting this shirt and overlaying with this shirt, I was like, “That sounds like an escape room.” Or yeah, it’s like a scavenger hunt or something, so it’s cool in that regard.
Just ramping up here a little bit, tell me about the CyberPatriot Program. What do you do as part of the program and what is it about really?
Ken: Yeah. The CyberPatriot Program is a really cool program that the Air Force stood up. I think it was the Air Force Cyber Associates, if I recall. What they do is they’re just trying to bring cybersecurity and STEM – like STEM programs in high schools and middle schools – to more awareness, more exposure to kids at a younger age. What they do is they have these rounds of competitions. Before you do the rounds of competitions, they have lessons, or materials, that the technical mentors and the coaches teach the students.
My team, we were able to be the technical mentor for an underserved girls’ school. We went there every week. We would teach the material, obviously, but then we would bring in our experiences in our careers and show how that’s applicable and what that can lead to later on if they stay the course in either computer science, or computer engineering, any STEM-related program. Then we would form the group and then we would actually compete in the challenges that CyberPatriot puts out.
It’s a really neat program, because they provide virtual machines that the coaches pull down and they have challenges and lessons that you walk through with the students. It really exposes them at an early level. Because it’s one thing to go through a school to learn the academic side of cybersecurity, it’s another to see the practical application. I really like CyberPatriot for that.
It has gotten to be a very large event. I mean, they have sponsorship from Microsoft and the Microsoft Imagine program. Any coach, any student that’s participating in this, they get access to Microsoft licensing and lots of virtual machines and really exposure at a young age to technical experts in the industry, really getting a hold of mentors early on to help them.
I still keep in touch with a lot of the kids that I’ve helped with it at the schools. They’re asking me how to navigate college now. They’re asking me, “Should I take this course? Hey, do you know about this conference? Or hey, I’m here this weekend. Is there anyone that I can catch up with?” What’s come out of the program, I really liked the more active involvement with the community.
Chris: If you’re a student or educator and you want to get your school involved in the CyberPatriot Program, do you know how to put yourself on the map for this?
Ken: Yes, absolutely. You would go to the CyberPatriot website. There, you can – Someone has to administer the program at the school, obviously. Usually, that’s who’s ever in charge of the STEM club, or the computer science or technology piece. Different schools, different capabilities, right? Usually, someone there has to take ownership of that and then become the coach. Then you sign up for the program and then you get access to all the materials.
It takes off very quickly once the school reaches out. There’s a whole database of folks that you’ll get access to where you can request, “Hey, can you be a coach for us? Can you be a technical mentor for these few days?” It happens very quickly.
Chris: As we wrap up today, where do you see the work that you do specifically offensive and defensive security going in the next several years? Can you predict the methods that threat hunting and other forms of defense strengthening are going in terms of new technologies, or methodologies that are coming up in the future?
Ken: Sure. I spent some significant time thinking about this, because my career has taken some pretty sharp turns, I always say every three to four years. One thing is consistent: what I’m seeing is there’s a rise in products. You’ve probably seen that chart of logos that says, here’s all the companies that are vying for your business and technology. I mean, a bunch of logos. I think one of the biggest issues we had with keeping up with adversaries as far back as 15 years ago was just that, being able to automate the detection of them.
Obviously, you’re probably hearing this a bit, but the rise in AI, machine learning and behavior analytics, that’s going to help defenders keep up and businesses continue continuity of operations. A lot of those products right now are nice to have, not must have. A lot of the blocking and tackling that the organization should be doing, the things that you see in the SANS, or excuse me, the CIS Top 20, the NIST framework.
If you do those things, you raise the cost to the adversary, but adversaries have gotten so sophisticated that now we need more help. You still need a human to interpret these things, but these products are where I see the rise. Also, IoT is on the rise. I think, I was counting the other day, I had about 60 devices in my house, each pulling an IP address. I think two, maybe a third of those devices in my house no longer have software support. The company has gone out of business. I think we’re going to see more problems with IoT. Mobile devices, and I know you’ve probably seen a lot of this in operational technology, ICS/SCADA. Those environments are under duress.
The only way we’re going to keep up with that is by using machine learning and AI and then tracking those observables and then enriching that with intelligence. Not a human interpreting, but it being baked right into those products or capabilities.
Chris: Yeah. It’s not either/or. It’s a collaborative experience.
Ken: Right. You’re still going to need all the traditional blocking and tackling. I think that’s really what’s going to change the tides a bit, because right now defenders are having a very difficult time keeping up with the offensive side of the house.
Chris: Yeah. Yeah. We need all hands on deck. Okay, so one last question today. If our listeners want to know more about By Light or Ken Jenkins, where can they go online to learn more?
Ken: Yeah. We have a website that we’ve stood up. It’s embercybersecurity.com. We have a blog on there. Our guys are pretty active. We have a couple security researchers. We have some compliance guys. We’re really taking off with that piece. Then obviously, follow the EmberSec LinkedIn page and then our Twitter. Our Twitter is at @EmberSec. Excuse me, @Ember_Sec. We’re really focusing more on community outreach and helping to get the word out on some of the things we’re interested in helping with.
Chris: Awesome. Ken Jenkins, thank you so much for your time today. Really appreciate it.
Ken: Yeah. Thanks, Chris. Appreciate your time.
Chris: Okay. Thank you all for listening and watching today. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars.
If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher. Thanks once again to Ken Jenkins and thank you all again for watching and listening. We will speak to you next week.