From stealing servers to saving lives: Working in red teaming | Jim Broome

Get your FREE Cybersecurity Salary Guide:
https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/

Jim Broome of Direct Defense has been doing red teaming since before it became a term — back when a "pentest" meant $25,000, no questions asked and walking out with a server under your arm. In this episode, Jim shares wild stories from decades of ethical hacking, including breaking into major tech companies, causing a cardiac event during a physical penetration test, and why he believes soft skills trump technical knowledge for aspiring red teamers. Learn why most companies aren't ready for red teaming, how to transition into cybersecurity from unexpected fields like education or event planning, and what it really takes to succeed in offensive security.

0:00 - Intro to legendary red teamer Jim Broome
1:00 - Cybersecurity Salary Guide
2:58 - From BBS and ham radio to cybersecurity
7:07 - Evolution from network admin to red teaming
12:02 - GPS hacking and testing inflight entertainment systems
15:31 - Hiring teachers and event planners as ethical hackers
23:36 - Breaking into Symantec and stealing servers in the 90s
28:33 - Physical pentest causes cardiac event
34:06 - When companies should (and shouldn't) hire red teams
39:44 - Why red teaming is "a punch in the mouth"
44:09 - How AI is changing offensive and defensive security
48:12 - Essential skills for aspiring red teamers
50:39 - The groundskeeper who got domain admin
52:18 - Best career advice: Be humble

View Cyber Work Podcast transcripts and additional episodes:
https://www.infosecinstitute.com/podcast/

About Infosec
Infosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Chris Sienko: Today on Cyber Work, I have a great conversation with Jim Broome of Direct Defense. Jim has been doing red teaming since before it became a term and pen testing back when pen tests were basically red team operations. Jim talks about some of his wildest red team stories and we find out why Jim thinks soft skills are more important than all the tech you can study. If you have any interest in ethical hacking of any sort, you must not miss this week's episode of Cyber Work.

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top-paying industry certifications.

You can use it to navigate your way to a good-paying cybersecurity career.

So to get your free copy of our Cybersecurity Salary Guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free Cybersecurity Salary Guide ebook.

Your cybersecurity journey starts here.

Now let's get the show started.

[00:01:20] Chris Sienko: Welcome to this week's episode of the Cyber Work Podcast. I'm your host, Chris Sienko. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals, as well as leaving you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry.

My guest today, Jim Broome, is a seasoned IT/IS veteran with more than 20 years of information security experience in both consultative and operational roles. He leads Direct Defense, where he is responsible for the day-to-day management of the company as well as providing guidance and direction for service offerings.

Previously, Jim was a director with Accuvant Labs, where he managed, developed and performed information security assessments for organizations across multiple industries, while also developing and growing a team of consultants in his charge. Prior to Accuvant Labs, Jim was a principal security consultant with Internet Security Systems, ISS, and their X-Force penetration

[00:02:19] Jim Broome: Uh. 

[00:02:20] Chris Sienko: Uh, Jim has also developed and provided training courses on several security products, including being a primary author of the Check Point Software, uh, CCSA, CCSE, CCSI training program, as well as creating and delivering numerous client-focused training programs and events. Uh, Jim is a, a star, superstar red teamer, and as we will

[00:02:43] Jim Broome: Hashtag. I'm old. It's okay. 

[00:02:45] Chris Sienko: He is. Yeah, I, I know, all of us.

Yeah. Legendary in the, in the field here. It means we've been here a long time, but, uh, we are gonna talk about, uh, red teaming and, and go real deep into it. So, 

[00:02:56] Jim Broome: Sure, sure. 

[00:02:57] Chris Sienko: Thank you for joining me today. Welcome to Cyber Work.

[00:02:58] Jim Broome: Yeah. Thanks for having me on board. 

[00:03:00] Chris Sienko: My pleasure. So Jim, uh, tell me about what got you interested in computers and tech.

I'm guessing the tech bug bit you hard later on. Uh, or were you always into it like this? 

[00:03:11] Jim Broome: Definitely always into it. Uh, I was, uh, early adopter, courtesy of my father, uh, so hardcore ham, uh, you know, self-taught soldering when he was like five all the way up to, so he was, he was a nerd in his own right, in his own era. Uh, and so by the time I came along, yeah.

Was like my first computer, I think was when I was six, and that was, like, the Timex Sinclair, uh, all the way up to the TI, you know, 99/4A, then eventually, uh, into, uh, more industrial systems, uh, such as, uh, the original, like, uh, Z-100s, early PCs, uh, you know, that did PCM and so forth.

So I've been using for a long time. Uh, and then in my own right, uh, I. Kinda started, you know, working with computers and grew up in a small little area in coastal Georgia that, uh, wound up being able to actually like, maintain the computer network for the, uh, organization or for the, for the school board around there.

And then, uh, eventually was able to start one of my first companies just doing, you know, you know, back when you could make money building PCs, uh, you know, building PCs and, and you know, kind of growing from there. So really the, from the ground up of the earliest days, uh, running one of, you know, one of the, you know, more moderate-sized bulletin boards in the state of Georgia, you know, FidoNet early days.

So yeah, the, my, you know, my propeller spins, uh, pretty well there on the hat, so, yeah.

[00:04:24] Chris Sienko: the, uh, what, what, what were, what was part, what, what was going on in the, the BBS? What type of, uh, like groups did you have?

[00:04:30] Jim Broome: Um, so I was the FidoNet area coordinator for my area code. And then, uh, roughly had about 5,000 paid subscribers on the platform. And, you know, we had an amalgamation from those that are really old. They remember Wildcat BBS and BBS for gaming and so forth. So we kind of had to roll our own experience.

Um, you know, we got fortunate, if you will, and that's, you know, the, the euphemism in there simply because, um. The German auto manufacturers were coming into Mayport in Jacksonville, and there was a problem with acid rain back in those days. And so the, the paint jobs were going bad while in dry dock, so they moved all that production up to Brunswick, Georgia, which is where the area I lived in.

Uh, and so we inherited a whole bunch of Germans that understood net mail and you know, like, you know, pre-AOL, there was no CompuServe dial-up, those type of things. And so they, you know, essentially that was like the only game in town for the longest time. Between that and, uh, like the, uh, uh, St. Mary's, which is the, uh, home of the Kings Bay, you know, uh, our submarine fleet.

[00:05:26] Chris Sienko: Yeah.

[00:05:26] Jim Broome: so it had a bunch of, bunch of people that, you know, were nerds in their own right and were using email and, and or what would become email, uh, before there was internet. And then, uh, you know, roughly by 93, 94, we were starting to get gobbled up by some of the bigger organizations. And, uh, but yeah.

I remember being a US Robotics tester with 144 phone lines and all the fun stuff that comes with that.

[00:05:47] Chris Sienko: Love it. I love it. The, the Silicon Valley of the South there. Yeah. That's 

[00:05:51] Jim Broome: Oh yeah. 

[00:05:51] Chris Sienko: Yeah. Yeah. Big tech influx. I love that. Uh, so yeah, you, you mentioned that you, uh, started out in, in kind of building computers and also network security. Uh, you know, and I, I do this already about you because I look at everyone's, uh, LinkedIn experience profiles to get a sense of your, uh, sort of narrative, 

[00:06:07] Jim Broome: Mm-hmm. 

[00:06:08] Chris Sienko: of your, your career leading up to being president and CTO of Direct Defense.

So, um, I wanna kind of. Ask if you remember a point where you started sliding away from network operations and into red and blue teaming as your primary focus, or was that something you were interested in? And then it just, when the time came, you jumped over there?

[00:06:25] Jim Broome: I was always interested in, like, uh, the biggest part was just supporting, uh, so, you know, it wasn't in the industry. Uh, it wasn't like you could just dive into this and so you had to kind of quote unquote, you know, uh, make, make your own and, and go out there and, you know, kind of build your career path.

And so at the time it, was, I. From general, what we now call help desk and, you know, server administration, network administration, operations, keeping things up, you know, during natural disasters like hurricanes and and whatnot. Um, you know, learning from those experience, um, you know, in my own right. And then finally just, you know, supporting users and seeing the silly things that users do all day, um, or that we don't have a manual for Uh, and so, uh, you know, that turned into. Um, you know, email 

[00:07:07] Chris Sienko: Yeah. 

[00:07:07] Jim Broome: from the earliest days, or if you remember, Palm Pilots, 

[00:07:10] Chris Sienko: yeah. 

[00:07:11] Jim Broome: you know, you know, you know, users leaving, you know, leaving a device, which is still a problem with, uh, BYOD these days, you know, lost or, you know, stolen phones. We didn't have, you know, mobile device management platforms to help us.

And so having to figure out what's going on, having to work with law enforcement, which was also a background because of the proximity to the Federal Law Enforcement Training Center there in Brunswick, Georgia, actually known as Glynco. Um, you know, I got my earliest days in my, honestly, my teenage years learning how to do basic DOS forensics, uh, back in those days.

And so, um, through that, I, you know, took that into my professional career. And so I was always the guy looking at how they got in or reviewing, like, you know, how, how bulletin boards were broken into and how user accounts were compromised all the way up to personal devices. And if you remember, um. Uh, PC link, uh, the way to copy two files and when they've actually added their own first, uh, dial up fossil driver, you know, that became when they've actually added their own first, uh, dial up investigations.

'cause someone war-dialed them and found their phone number and

[00:08:06] Chris Sienko: Wow.

[00:08:07] Jim Broome: onto their pc. So, 

[00:08:09] Chris Sienko: Yeah. Yeah. It's a, it's a, it's a long tradition. I mean, you're, you're, you're talking about stuff that, you know, almost kind of goes back to, uh, you know, like phone phreaking in the seventies and stuff like that. And like

[00:08:17] Jim Broome: oh, yeah, that's, that, that's, that's my core book, that's my core background, so, yeah. 

[00:08:20] Chris Sienko: of a, all kind of a continuum, which is really cool.

Uh, you mentioned, um, doing work for, uh, weather, weather stations or weather communication. What, what was that like?

[00:08:30] Jim Broome: Um, you do going through weather events. So essentially by living in the Caribbean, I, uh, for a while there I lived on the Virgin Islands. I've gone through lots of, uh, hurricanes and so forth, and so in, uh, helping both, uh, like, FEMA, uh, federal or local responses get back online. You know, as an example, I, as a, in my teenage years when I was, uh, my, it would've been my senior year, my family moved down to the Virgin Islands, and we, we went through Hurricane Hugo down there. Uh, at the time my father was an engineer for a, uh, local radio station. So we were the only game in town for six months. Like everybody else, all the towers were down, things like that.

But we were able to get back online using the AM transmitter side, just because, you know, again, my dad being a, an RF nerd. Uh, you know, being able to go back to 1950s copper wire between two points and be able to actually be the only form of communication to the local public. So, you know, if you, you know, have a, you know, belief in a higher power or whatever that may be, that was our cause for being there at that time to be able to, you know, bring communication back to the island.

[00:09:27] Chris Sienko: Love it. Now, um, uh, you know, I always wanna ask about your, your current job role. And obviously, uh, Direct Defense is a, you know, is a, is an organization that I think our, our listeners are gonna know about. Like, what type of tasks and projects do you work on as president and CTO in an average week?

[00:09:44] Jim Broome: Um, well, I know teasingly, I had also head janitor. Uh, but uh, uh, outside of that, uh, really today is, uh, you know, working with the various teams on the various projects they're going on to, uh, you know, from a business leadership side, actually figuring out what's next for us as a company, what's our growth strategy, and, you know, all the way up to marketing and things.

So I kind of, my hands in a lot of buckets at the end of the day, 

[00:10:05] Chris Sienko: Are you 

[00:10:05] Jim Broome: from a prac. Go ahead. 

[00:10:07] Chris Sienko: yeah, I was gonna say, are you ever looking in on, on sort of like projects that they're working on, on, on a technical side? Are 

[00:10:12] Jim Broome: Sure. 

[00:10:12] Chris Sienko: like checking their homework and stuff like that?

[00:10:14] Jim Broome: Um, Yeah.

I mean, honestly, at the end of the day, we are a services company, so, you know, we have to review our, you know, we, we believe in peer review. Matter of fact, I still occasionally, you know, break out the old rusty, uh, you know, uh, backpack and, and go do some work myself. And I go through our own peer process.

So it's not like, oh, it's my name's on the door. No, it's, we still believe in making sure it's collaboration across the board. So, um, Yeah.

uh, really working with the net pen guys. Uh, you know, in, in addition to that, we have a dedicated OT practice and, thankfully, my hair is gray enough, I, I qualify, uh, that I can go and work inside of those environments.

And so, uh, that also gets into my own background of also being an RF nerd from my father, 

[00:10:51] Chris Sienko: Mm-hmm.

[00:10:52] Jim Broome: of, uh, working inside of those, you know, closed environments. Uh, you know, doing work with specific utility companies as they add new solutions to their, um, you know, field area networks, all the way up to what's on the side of your house, uh, legacy wise.

And so, you know, that could be, you know, black box testing scenario or an actual, like, proper or Faraday environment, um, you know, testing radio signals and so forth. Like even just, just recently we got a request to see if, uh, someone could do GPS hacking. Like, yeah,

been there, done that. Um, here's the requirements.

Um, you know, you can't do this in the wild boys and girls. You will go to jail if they catch you. Uh, so it's more of, you know, here's. Here's the environment you need to provide for us to be able to do this. You know, not only ethically, but also, you know, you know, without causing damage to the immediate area.

Um, which there are environments that, that, you know, work like that. Uh, you know, you can easily look us up as one of the certifiers for in-flight entertainment systems, uh, for the PCI, you know, standard as well as, uh, infotainment within automotive and in, uh, marine. Uh, so we get a chance to kind of play with, you know, you know, infotainment on land, sea and air, uh, all the way up to utility companies and, you know, you name it, you know, you get it thrown.

You know, most recently was doing some device hacking for tele, you know, coming to market telemetry, medical devices. 

[00:12:02] Chris Sienko: Yeah.

[00:12:03] Jim Broome: so, you know, it's, it's always fun, uh, if you will, to, uh, you know, be on the offensive side. On the defensive side, I'm still a forensic guy, so, you know, from, you know, business email compromises and working with the team all the way up to uh, you know, really acting as breach coordinator, uh, during ransomware events and helping clients get back online, that's.

Also a skillset that myself and another couple of colleagues here, like, you know, Chris Walcott, who, uh, also represents the OT practice, he and I have played disaster bingo. And there's not many boxes we haven't, you know, ticked off yet. So it's one of those things that

[00:12:34] Chris Sienko: board.

[00:12:35] Jim Broome: yeah, it's a skillset we can bring.

Uh, we, we haven't been able to tick off, uh, locust, haven't gone through one of the plague locusts yet. I've heard about one in the data center. 

[00:12:42] Chris Sienko: Okay.

[00:12:43] Jim Broome: and then, uh, haven't done a tsunami. Uh, I've done flooding, I've done volcanic eruption. I've done a train derailment through the front, uh, through a data center.

So, yeah. 

[00:12:52] Chris Sienko: I dunno if you've seen the movie Phase IV, but if you, you'll have to watch out for a tech takeover by, uh, a legion of sentient ants, uh, that they could add that one to your, if you have an extra room on your bingo card there. Yeah.

[00:13:02] Jim Broome: Uh, yeah. Why? Well, yeah, yeah, I do remember it. And then, uh, uh, teasingly, I have gone through a plague of, you know, ants and not in a data center, but in a personal computer, so, yeah. 

[00:13:15] Chris Sienko: They weren't, they weren't, they weren't as as smart 

[00:13:17] Jim Broome: Not sentient. They were just looking for warmth.

[00:13:19] Chris Sienko: They were just looking for a warmth. Okay, well you, uh, you know, I wanna do this, uh, for a change because, uh, you mentioned in your LinkedIn description of the job, I work with 

[00:13:26] Jim Broome: Mm-hmm. 

[00:13:27] Chris Sienko: of people. Uh, and we don't always get to do that, but yeah.

Tell me about your amazing team. Like you really have, you know, the type of work where you have to have kind of people who are top line in terms of, of red teaming and defending, you know, pen testing, forensics, like you said. Uh, tell me about the people you work with.

[00:13:43] Jim Broome: Sure. Yeah.

I mean, um, start on the offensive side. Uh, really we've got, uh, you know, folks like Nick Schumann who leads the team over there on the net pen side, as well as the red teaming practice day to day. Uh, you know, we got individual contributors like Jesse, uh, Rodriguez, uh, who is kind of our, one of our little stalwarts and loves to go out there and do all the physical pen testing.

Uh, most recently got a chance to play in a prison. So that was fun. Uh, and then, uh, on the, uh, application side, we've got the quite a few contributors that met Everett, uh, you know, running the shop as well as, uh, Sean, um, you know, uh, Sean Stewart, uh, running, you know, running with the crew and Sean Sherman, sorry, uh, running with the crew as well.

Uh, and individual contributors, like, uh, um, uh, let's see. Uh. Uh, Hudson, uh, uh, just recently I got a chance to do a couple of, uh, fun projects for a few companies We can't name, but, uh, you know, I got into actually being able to do some protocol analysis and reverse engineering. You know, time is always an an important factor.

Uh, you know, you know, you know, cheat code for everybody. If you really wanna start, you know, doing protocol analysis, play with time. Uh, and then, you know, from the, you know, managed services side, uh, Charlie, uh, you know, uh, bun and crew, you know, run that, you know, practice from a day to day standpoint. Uh, recent acquisitions would be like, uh, Andrew Kagan, uh, who is our IR specialist, all the way to the guys that are there on the front lines, you know, day in and day out.

Like, uh, you know, both Dan Brunell and um. Uh, Steve Pua, you know, just handling cu you know, customer and events as they come through 'em. So it's kind of,

[00:15:05] Chris Sienko: Yeah.

[00:15:06] Jim Broome: touch a lot of people every day. Uh, roughly, uh, yeah, this week about 128 employees. Um, so. 

[00:15:12] Chris Sienko: Now, as, as, as as president, CTO and as you said, janitor, I'm assuming you probably had at least some, uh, overseeing, if not outright, uh, influence in hiring these folks. So can you talk about what you to pick these team members if there were certain attributes or things in their background that attracted you to them?

[00:15:31] Jim Broome: Um, sure. Actually, uh, that's a deeper dive. Uh, literally just got finished doing a presentation at Rocky Mountain InfoSec, uh, about helping people get into the industry or doing a career change, but realistically and more opportunistically as an employer, I, uh, number one is we try to be as concise as possible.

We're looking for specific talent or specific roles. Uh, really the contributors that we're looking for when we talk about consultants either have a really good background in that skillset, so they're a little bit more senior in their journey. Um, all the way up to the ones that are just coming into the industry that we're looking for some self-starters, uh, but more importantly, really showing that drive and really have that basic foundational, um.

Skillset that we're looking for, which is actually soft skills. They already know how to communicate. So, you know, one of the biggest things we've, uh, been very successful with is people looking at career change early in their career. Um, for better, for worse, we've been very successful in hiring, uh, a few people that were coming outta the education world.

Uh, you know, they're already class teachers. Um, and most recently, especially for, you know, the ladies, uh, out there, uh, that are most com, uh, commonly coming from event planners. Uh, as well, uh, you know, so they, they, they understand how to work in pressure, uh, but also, uh, uh, those coming from the medical field.

So, uh, you know, again, better for worse, you know, looking for a change in career. And they already understand the concept of working under a methodology or a process, and so they really get it. Foundationally, we just need to teach them the technical part. They already got the soft skills to run and, and lead an organization 

[00:16:54] Chris Sienko: are 

[00:16:54] Jim Broome: a room.

[00:16:55] Chris Sienko: are you sort of recommending to them that they come to your company or are they, they, they were actively looking for this type of work and were making the job change. Is it, is

[00:17:04] Jim Broome: I also do career counseling for people looking to just try to get in and cut their teeth. So it's like, do you start with, you know, my, my part is I don't have a formal education. Uh, you know, you know, high school, you got my good enough degree,

[00:17:16] Chris Sienko: Yeah.

[00:17:17] Jim Broome: to Georgia Tech for three weeks and said, nah, I'm good.

Uh, and basic, you know, met some people along the way. They started some bigger companies like Chris Klaus at ISS, uh, but, uh, the, the joke being that, you know, this is a new, you know, if you will, this is a blue collar job. It is a trade skill. And so there is apprentice and mentorship programs that we can bring in.

There are certifications that people don't have to go get a four year degree. I do recommend it if your, if your ultimate goal is to be management in five years or less, but if it's not, come on board. Let's come to work. Don't go into debt and we'll train you along the way. Um, and so that's kind of my, my biggest, you know, uh.

You know, give back, if you will. Just making sure that A, we foundationally do it as a company, but b, you know, talk about it to other employers out there like, Hey, you know, there's, there's no reason to look for a four year degree because 90% of the content being taught at, at the higher ed right now is not applicable to the job you're hiring for. 

[00:18:07] Chris Sienko: Right. Um, now boy, you, you got me wanting to, to, to tangent a little bit here. Can you talk about like what attribute. some of the, you know, the, you said you had people from education, you had people from event planning. What, what attributes of those former I mean, I could, I could make a whole matrix outta this.

'cause that, that's a big part of our listenership and our, you know, customer base is people who are trying to transition into cybersecurity later in life from other

[00:18:31] Jim Broome: Mm-hmm. 

[00:18:32] Chris Sienko: careers. So like what, uh, of, of, of the type of, uh, job roles that you mentioned, what, what attributes, uh, from their previous job, uh, directly match to what you're trying to teach them?

Once you get the tech in 'em.

[00:18:42] Jim Broome: Yeah.

I mean, the biggest part of that is, again, it's gonna be soft skills. So being able to communicate effectively and concisely, um, you know, all the way up to, you know, if you're looking for someone that, that is looking to be a principal consultant in a short amount of time, you know, they've gotta be a leader.

They've gotta, you know, draw attention to themselves because, you know, let's, let's be real. There's a difference between engineering, consultant and engineer is a highly skilled, trained, you know, individual, uh, that's delivering on the skill that they've been taught. So was the consultant, but they were mostly paid for their opinion.

So if you don't learn how to express your opinion, you're gonna struggle to get advancement. And so, you know, we hire consultants. Uh, we we're looking for, you know, people that are opinionated and, and you know, do go out and do the legwork And the homework for themselves. That's something that's kind of intangible.

I can't, I, teach you to do that. I can do my best to foster it to you, but you gotta want to. Um, and so that's kind of one of the bigger challenges of finding the, those people that want to be out in front or at least part of the conversation and have a, having a voice in a room to, you know, be part of a team or be part, you know, help guide a customer to their, their end goal.

Their end destination.

[00:19:46] Chris Sienko: And

[00:19:47] Jim Broome: secondarily is problem solving number one. Like, you know, how do you handle pressure and how do you like, you know, from, you know, teasing back in the day where, you know, Oh, my, my laptop busted on the plane. All of you like, you know, corporate can't gimme a laptop fast enough. yeah. Go rent one from Best Buy for the day and just get the job done. Uh, you know, those type of things. Just, you know, all the way up to, you know, uh, colleagues in the industry that, uh, you know, a couple generations ago they came in from the analog to digital migration of audio. So guys like Martin B or uh, Lee Baird as an examples, they were, they were formerly sound engineers, sometimes roadies, uh, for well name acts.

And, and, and you know, they got, that's how they got their teeth and they,

[00:20:25] Chris Sienko: I

[00:20:25] Jim Broome: cut their teeth on, you know, working under pressure. And they had that mindset of wanting to continue to learn, but they also had a really good opinion and they, you know, they would, we were more than willing to share that opinion in a, in a, in a setting.

And those are, you know, really the biggest intangibles. I, I, I, I can't. You know, train you. I can, I can give you the mindset, but you gotta want it to be able to really connect it.

and understand where it's gonna go. And that's the thing, that's the character I, I constantly look for So 

[00:20:48] Chris Sienko: So look, so looking at those, those types of candidates and knowing that they don't have, uh, the technical background, what is the, what is the sort of basic bootcamp for someone who came from, say, events planning or education or, uh, audio, you know, AV or whatever. Like what, what is the baseline of tech? You need them to understand that you're gonna sort of teach them on the 

[00:21:06] Jim Broome: It really depends on, you know, you know, the good news is we're in industry. The bad news is we're in industry, so now we have specialization. 

[00:21:12] Chris Sienko: Yeah. Yeah.

[00:21:13] Jim Broome: I think literally for the presentation I tracked out like 30 potential skills or, or jobs you could go do in this industry today. And that was even I. A lot of that was rolled up.

Uh, but, you know, to, to directly answer the question, like if you're looking for an entry level SOC analyst working your way up to lead analyst, you know that, you know, basic foundation, CompTIA, you know, Security+, plus you understand just the general concepts of why we log things all the way to learning, you know, the next advanced levels, which are, you know, either learning the specific technology or learning an actual, um, you know, methodology like, uh, malware analysis, forensics, you know, those will train you into the jobs that we're looking for.

You know, the technology should be transferable because, you know, as an MDR provider, I use several tools. So, you know, I need you, you know, ultimately I'm gonna have to train you to be proficient in those tools. But you need to understand the basic, you know, framework of why we're doing it in the first place.

So it's, those certifications are the ones I'm looking for. Be it, you know, GIAC and under SANS and individual, uh, you know, courses all the way up to, you know, people that, you know, when we talk about offensive security, the OSCP, um, you know, even the, um, you know, the, the newer reverse engineering classes that have been coming out, uh, hardware hacking, so forth like that, that have been very tangible for us.

Um, and then even, you know, some of our. You know, uh, most recent, uh, hires as well as, uh, folks that have gone to their, you know, starting to lead their own shops, uh, you know, using Nolan Johnson as a great example where here's a, you know, uh, literally a, a young guy, a kid, not to, you know, he's now 26, uh, but we've known him for a long time.

But, you know, he's, he got his first CVE at 17, you know, he's been doing hardware hacking, you know, for, um, you know, Android devices for decades, you know, at this point. And so he, you know, kind of grew up in a, in a, in a. Bug bounty economy all the way up to now. He literally paid, you know, uh, he's just getting, uh, uh, engaged and getting ready to buy his first house, and he's paying for it with bug bounty money. 

[00:23:02] Chris Sienko: Wow.

[00:23:03] Jim Broome: So in addition to being a principal, you know, consultant at the end of the day, so,

[00:23:07] Chris Sienko: Amazing.

[00:23:07] Jim Broome: yeah. 

[00:23:08] Chris Sienko: yeah. Uh, uh, uh, as, as our listeners know, a third thing that 

[00:23:11] Jim Broome: Yep. 

[00:23:11] Chris Sienko: is death, death and taxes, at least here on Cyber Work, is that if we post a new episode with the words red team in it, uh, our numbers are gonna spike. So we like to get, uh, do our best to get as many people as possible talking about

you know, this most appealing and roguish version of ethical hacking. 'Cause I, you know, I think we all have, uh, the idea in our head of, of what this looks like, and I think some of it's actually true.

[00:23:32] Jim Broome: Mm-hmm. 

[00:23:32] Chris Sienko: Can you talk about some of the big companies or brands that you've done red team operations on?

[00:23:37] Jim Broome: Uh, we will give you dated references if that works for you. So, uh, I mean, I might end, you know, I was one, you know, very fortunate to actually work at Internet Security Systems back in the day. We were one of the very first companies. It was literally us and like @stake, uh, you know, we were the only two real big companies on the

private sector doing this type of work, you know, as a vendor of products, we were doing it simply to show people why they needed to buy our products. Um, and so, you know, but both alumni here, like Phil Brass is an example. His name was on part of the patent for System Scanner and Internet Scanner, uh, Caleb Sima of, uh, WebInspect fame.

And, you know, you know, new, new companies you started, uh, right and left lately, uh, you know, we all came from that same core environment of really just teaching, you know, companies they needed to. So my answer is gonna be a little dated and old guy-ish or ageist ageism, which is back in my day, you know, a pen test is what we now call a red team.

Uh, so it was a $25,000 no questions asked, no scope asked. We will just tell you when we're gonna start. And that's it. And it was a real, you know, for lack of a better analogy, it was a punch in the mouth. Is the organization prepared to, you know, you know, withstand a direct attack? And how, how good are they?

And in most cases, back in those days, 'cause again, firewalls were not common yet, um, really didn't start seeing those commonplace till like 2001. Uh, it was pretty easy. Uh, in most cases it was really, uh, you know, you would break in, you know, if they had a firewall, cool. If they didn't, you'd almost be guaranteed to break in.

They were using, um, uh, like a Qualcomm's POP service, you know, for POP3 email. And that was always notoriously, you know, uh, overflowable, uh, all the way up to SCO boxes and, you know, Solaris boxes back in the day, which I always carried about a good half dozen 0-days in my back pocket for those. Um, very easy to, to find an unpatched system.

Break in, and off you would go. Um, or in the rare instance where they were actually, uh, a challenge, uh, you just basically call up the front desk and find out where the data center was, fly out to the facility because part of the pen test was to put a file on a server, the capture the flag moment. So I, I'd physically walk into the data center and, and walk out the door with the server, like, okay, you know, do I win now? And sit in the parking lot with a, with a server under my arm.

Uh, and so, you know, being able to push all those buttons, yes, it was very cowboy-ish, uh, but be able to, you know, push out those buttons and really drive the point of why we're doing the testing is really, you know, like, man, make, make it hurt, make it painful. Um, so, uh, teasingly to, you know, asked for a name and so like, uh, did one of the very first pen tests for Symantec way back in the day.

[00:26:02] Chris Sienko: Wow.

[00:26:02] Jim Broome: So like 1996 and 97, um, um, all the way up to other organizations that, um, you know, from, you know, engineering the, the picket.com, I basically spent my time on the, you know, uh, the 101 corridor between, uh, you know, El Camino Real and all the way down to the Milpitas exit. Uh, so you know, from Google, you know, at one point there was Sun Microsystems was on the right hand side of the street.

Google was over here into, it was two blocks down, so you name it. We tested them all, uh, at some point in time, but so they're, you know, fairly dated, you know, we're talking, you know, nearly 15 years ago, in 20 years ago in some cases, but every single one of 'em. Yeah, exactly. I hope they've changed the solutions by this point.

[00:26:46] Chris Sienko: right? 

[00:26:46] Jim Broome: But in most cases, yeah, it was many of the common mistakes of, uh, you know, early Wi-Fi in 2001, when that, when that hit with, uh, Peter Shipley going to Bewa at the Napster building and doing that presentation, we were there hanging out and, you know, had fun with him. Uh, and then the next day we all went out and got these kits and built them.

We were driving up and down and, you know, literally you were jumping in and outta networks. So like jumping on, you know, Google's network or this network without actually, you know, doing anything. You're just packet capturing as you're going down, you know, the highway at 70 miles an hour.

[00:27:14] Chris Sienko: Right.

[00:27:14] Jim Broome: Um, all the way to, uh, our favorite one, and without naming names.

Um, I, I went through a rash for about, uh, nine and a half months there. Uh, I had a lot of big multinational companies that, for whatever reason, I got really lucky at the time. Uh, MIT was graduating a lot of CompSci guys and early InfoSec, uh, builders that they all read from the same manual. So, uh, the running gag was, uh, I would call the company up, find out where their Boston office was,

get the IP range for that and I would attack that office 'cause I knew exactly the blueprint on how to break in, 'cause they were all MIT grads. Uh, so literally I had an entire sump, you know, a nine month, you know, window of just breaking in just because I knew they all went through the same instruction manual and did the same thing time and time again,

[00:27:57] Chris Sienko: Yeah. 

[00:27:58] Jim Broome: had the manual literally 

[00:28:00] Chris Sienko: Any particularly unusual events or wild moments, or has any of your team ever been arrested during red teaming? 

[00:28:05] Jim Broome: Never been arrested on our side. Um, obviously everybody knows the story of what happened with the guys over at Coalfire a couple years ago. Uh, but.

[00:28:12] Chris Sienko: they were on the show to tell the story. Yep.

[00:28:13] Jim Broome: Yeah. Yeah. But at the same time, uh, literally, you know, we've, I can tell you in my personal career, the only two places I've ever been caught physically had first strike capabilities.

So, you know, that was, you know, doing other work, uh, outside of that and, you know, so, you know, never underestimate the power of an 18-year-old with an M16. Um, uh,

[00:28:33] Chris Sienko: Okay. 

[00:28:33] Jim Broome: Outside of that, in the, in the, in the private sector? No, I've never been caught in, in process of, uh, however, we have had a couple of guys, um, you know, using Jesse as a great example, literally his first engagement coming in, um, the customer actually engaged us to go in.

They actually wanted a physical penetration to the facility, didn't let anybody know, and unfortunately, the person that caught him as he was walking through the facility tried to kind of manhandle him a little bit to get him out. Like, I don't, you know, you're not supposed to be here. And in the process of wrestling around and, you know, it was all on video.

Jess, you know, Jesse never touched him. Just basically, you know, let, let the guy push him back out. Uh, but during that process, the guy actually started going into, uh, a cardiac event. 

[00:29:14] Chris Sienko: Whew. 

[00:29:14] Jim Broome: So having to stop the pen test and literally go over there and pull the AED off the wall and, you know, you know, help the guy.

So not only did we successfully break into the building, but we also, you know, helped the, uh, helped the poor gentleman that was there at the customer site, uh, you know, and got him, he called first response and, you know, got him through it. Fast forward a year later, uh, they let Jesse go back and do the same penetration test and the first guy to meet him was that guy who immediately came up and gave him a huge hug.

So it does end up well.

[00:29:41] Chris Sienko: Yeah. Glad you 

[00:29:42] Jim Broome: Yeah. 

[00:29:42] Chris Sienko: Right. Um, you know, I, I'm not gonna ask you to name or shame any companies that, uh, were especially unprepared or, you know, what brought, brought down, you know, for them. But can you talk about any clients or companies that were strong enough to really keep your team at bay?

Does anyone ever get an A grade from you guys?

[00:29:57] Jim Broome: Um, short answer is yes, I, I'll put the caveat. Um, usually it's been scoped. Uh, so there have been a few things that, uh, you know, the gloves aren't off. Uh, again, I, I go old school, which is, you know, this should be a real world event and you should not, you know, you know, everything should be on the table.

That's not the reality we live in, especially now because of insurance and compliance and X, Y, Z. Um, but, you know, my own career, I can tell you the, my, my favorite, uh, example of that was, uh, if you remember, Wizards of the Coast's Magic: The Gathering Online when it first launched in what, 2002?

[00:30:27] Chris Sienko: Mm-hmm.

[00:30:27] Jim Broome: That was one of 'em.

Uh, so, you know, I was charged to break into the facility that hosted their systems and actually tried to attack their systems and they did it right. Literally there were only two ports. Didn't matter if you were on the internet or inside the building, and there were only two ports open, so they were locked down and, you know, properly logged.

They had their own, uh, security, you know, solutions in place. And they caught me. Um, so I was like, you know, you know, props, you know, physically didn't catch me. I, I still was able to, you know, get out, get outta the building with the servers, but they were locked down really well. Uh, fast forward to today's environment, really the things that we're getting asked to do time and time again, uh, because of the OT practices, really testing

uh, environments that are getting prepared for other major sports events. Um, which if you think about all the solutions that are in play during that time just to be a host city. Uh, you've got state, federal, you name it, they're all there. Uh, plus the event itself and, and all the things that go with it. So we get asked to, you know, or tasked, if you will, to test a lot of different things.

Um, you know, so sometimes they're prepared, sometimes they're not. Um, you know, one of the things I, we constantly talk about publicly is OT still lives in this, um, utopia that no one's ever gonna get access to the tools. And so really the, the only thing preventing, uh, bad things from happening is just getting access to this one app or this one piece of hardware or this, and you'll be amazed what you can find at, uh, Harbor Freight.

Uh, so, you know, so, you know, you can bypass, you know, physical bypasses all the way up to, um, you know, literally, uh, we have one utility provider that they have this really cool thing that if you're familiar with the way the, um, power works if there's a storm now, you know, if you grew up as a kid, especially in the South, get a lightning storm and it blows out the whole area.

Nowadays that's minimized because they have this magical box at the top of the, of the pole that, you know,

back in the day, the guy would have to go out there with a long stick and, you know, pull the fuses at the top to, uh, you know, just, just minimize the impact of the area. Now these things are automated.

They're called IntelliRupters. And so, you know, that software, you know, is, the vendor that makes that software makes a very, very compelling security model.

[00:32:30] Chris Sienko: Mm-hmm.

[00:32:31] Jim Broome: It's up to the utility company to implement that. And so in many cases it's just, you know, can you get access to someone's laptop and you take that software off of there.

And you know, I've, I've proven time and time again that, you know, the solution actually has robust security. You guys should really roll this out. 'cause otherwise just, I, I went over to the maintenance bay and just stole your laptop out of the truck. 

[00:32:50] Chris Sienko: Well, you got me thinking about, yeah. Now that you said, uh, major sporting events, I, I don't suppose you've ever red teamed an, an Olympic

[00:32:57] Jim Broome: Um, not a city.

uh, but, uh, you know, 

[00:33:01] Chris Sienko: venues. 

[00:33:02] Jim Broome: Our company's based in Colorado, so, uh, we're right there with the, uh, US, uh, you know, Team USA. We've actually supported them through multiple, um, you know, uh, years of testing, so I can, you know, we can go back and definitely have beer conversations over the first Beijing Olympics all the way to,

[00:33:16] Chris Sienko: Wow.

[00:33:18] Jim Broome: which was very interesting to the most recent, uh, Olympics.

So, you know, just, you know. 

[00:33:22] Chris Sienko: I feel like, I could feel like every, every answer is giving me 15 more questions. So anyway, I, I won't, I won't. We, we won't, uh, uh, you know, linger in the glory days, 'cause I

[00:33:31] Jim Broome: Mm-hmm. 

[00:33:32] Chris Sienko: about a more practical aspect of this discussion. Uh, one common thing I hear with pen testers and red teamers, and I just spoke with someone, uh, last week, Ed Williams from Trustwave, talking about,

um, issues with red teaming, is that, uh, a lot of companies jump too fast into hiring red teams against them, maybe feeling that it's the thing you do once you get to a certain size or it's a, you know, a vanity marker or something like that. So, what, could you talk about what metrics companies should use when determining the appropriate time to carry out red teaming?

Like what, what should they already have done and put in place before they even think about getting you and your team on the phone?

[00:34:06] Jim Broome: Um, so first and foremost, uh, you know, it's a great question actually. Uh, so first and foremost is, are they ready? Have, have they gone through penetration testing and they reliably are repelling them? They're not finding a lot of highs and, you know, uh, critical unpatched things, because I'm not there to validate you patch and unpatched the box.

I'm there to actually break your security. Um, and so, you know, that's part of the, and part of the norm is expecting what the results are supposed to be. You know, a red team is not supposed to be "run some scans and sprinkle some Metasploit and, boy, you can call it a day." That's, that's not the engagement. It's, it's supposed to be a punch in the mouth.

I'm here to either simulate stealing stuff or legit steal stuff, uh, you know, from the organization. And it's your job to detect, you know, quarantine me and isolate me and get me out of there and then, you know, come back and write a report on everything I touched and did. Um, and so it's really that, you know, I also can do the duality of this, which is I also, you know, help manage a SOC.

Uh, so I see both sides of the equation of, you know, what is the red team and is the organization prepared? So that's, that's really the first and foremost. You know, the, the question we try to qualify outta the gate is what are, what's your goal? What are you hoping to get out of this? You know, I, I'm happy to help you write this so you can get the proper funding.

You look, you need, uh, you know, and, and drive the, the point home of you need these things. But realistically, you know, when we talk about red teaming, it is that going the next step. And so, uh, the most common example we get to is, oh, can you do phishing? Sure. We do phishing all the time. Um, you know, what do you want us to do?

Do you want us to actually, you know, use those creds, log in and pivot and check someone's email? You want us to actually drop payload on your systems and circumvent your EDR and really get persistence in the environment? No, no, no, I just need somebody to tell me if they click the link. And I'm like, well, that's, that's no. Before,

[00:35:46] Chris Sienko: Yeah.

[00:35:47] Jim Broome: that's user awareness training.

That's not exactly. 

[00:35:52] Chris Sienko: Before is our arrival anyway. 

[00:35:54] Jim Broome: sorry, sorry, sorry, sorry. 

[00:35:55] Chris Sienko: No 

[00:35:55] Jim Broome: Yeah, yeah. 

[00:35:56] Chris Sienko: I 

[00:35:56] Jim Broome: mean, but, but again, Yeah,

apologies. Uh, but yeah.

just, uh, but you know, the concepts, you know that that's user awareness training, that's a feedback loop to see if people are getting the message. I'm here to really test it, and that's, that's really the big qualifier is like, you know, we want to go the next mile.

Matter of fact, most red teamers will pay you because they have so much fun doing it. 

[00:36:15] Chris Sienko: Yeah. 

[00:36:15] Jim Broome: Uh, you know, to get, to be able, you know, the gloves are off. I really can actually go do the things I've been, you know, wanting to do for a long time. And that's kind of where physical comes into play. And one of the things that we prompt people, especially when we talk about, um, events, uh, or, or preparedness, is, you know, please get someone from HR involved, and legal.

Um, you're, you're, you know, we are gonna push buttons and, and it's not, and you know, it's truthfully not, uh, intended to be a harassment or, uh, you know, like, you know, piling on somebody. This is an education moment for the organization across the board. And, uh, we can use one example of, you know, we, we did a phishing campaign.

They caught the typical example, um, and then we went back and did another one. And all we did is we trolled 'em for a little bit, used some TPT to write up a campaign. And what we had found out was this particular organization was partnered with a local hospital. It was coming into the time of the year, sorry, not camera.

Uh, it's coming into that time of the year where it was time to volunteer and give back. And so it was, we were rolling into Thanksgiving and so we wrote a campaign saying, Hey, who here would like to sign up for a $500 gift certificate to volunteer at this hospital that you work with, with, you know, sick kids?

Everybody in the company fell for it, including the CEO. 

[00:37:27] Chris Sienko: Yeah. Yeah, yeah. We've, we've, we've talked on, 

[00:37:29] Jim Broome: Yeah. 

[00:37:30] Chris Sienko: whether you wanna really sort of use the, the phishing nuclear option on things like, you know, you've lost your insurance or there's no bonus this year, and things like that, like that, that, that, those have a shockingly high open rate. Of course.

[00:37:42] Jim Broome: But again, it's the reality of, you know, like thankfully the c Yeah.

after the initial shock, the CEO actually saw that, you know, this was intentional, you know, you guys paid for it and we kind of, you know, uh, walked someone off the ledge. 

[00:37:53] Chris Sienko: Yeah. 

[00:37:54] Jim Broome: We treated it and immediately pivoted to an education moment.

And that's kind of the thing I, I, I do a lot, especially with when we talk about penetration testing or just red teaming, um, you know, you hired us to break in. That's kind of what we do. That is my job. So don't treat this, you know, treat it adversarial outta the

gate, but don't treat it as this, you know, pass fail thing.

It's our job. I'm always gonna get in. If you really, if I'm allowed to really use what I got at my disposal, what I really wanna do is give you context on how long it takes. And so, you know, like part of my penetration testing is, you know, uh, learning to write with context and, you know, talking to a customer is like, well, you got some really

busted processes and here's what's going on. And they were, they were all upset 'cause I broke in. I was like, that's my job. I mean, just to kind of measure you guys, it took me an hour and a half. My normal is under 20 minutes.

[00:38:40] Chris Sienko: Yeah. 

[00:38:40] Jim Broome: So, you know, you, you, you lasted an hour and a half with a, with a quote unquote skilled pen tester or skilled attacker sitting inside your office and, and, and beating up on everything.

So that's pretty good.

[00:38:51] Chris Sienko: Well, yeah, yeah, yeah. The, the poet Mike Tyson once said everyone has a plan until they 

[00:38:55] Jim Broome: until you get punched in the mouth. Yeah. 

[00:38:56] Chris Sienko: uh, so yeah. So I mean, I guess to that, to that end, can you talk about why it would be bad to get a red team run on your, before your security system is ready to handle it? Is it just a waste of money?

Is it demoralizing? Or is that punch in the mouth maybe gonna actually drive some change?

[00:39:11] Jim Broome: Um, it's too, uh, the bad side of the equation is, yeah, really you're, you're gonna hurt some feelings. Um, and, and really just kind of, you know, it, it's, it's more the education and more the, um, you know, advertisement marketing, if you will, within the company, why we're doing these type of things. As far as preparedness, really, again, that's gonna be a reality check for companies.

Uh, my favorite example of that one is, uh, you know, everybody has a disaster recovery plan, business continuity plan, and then ransomware comes in. You know, threat actors get in there and they delete. The first thing they go in there is they log into the Veeam server and delete all the backups. So the question is, when is the last time you did an offsite backup and is it with respect to your business operation, you know, requirements?

The answer's, almost 99.9% of the time, no.

Uh, you know, two months outta date. And it's, you know, that's too big of a window. We gotta go pay the ransom to get our data back. Um, and that's the reality. Like say, you know, if we really went this far, then we do ransomware simulations that go that hard. Like, hey, I can touch it, I can delete everything you got right here.

I won't do it. But, um, or we put, you know, a couple thousand files on your file server and we intentionally delete and encrypt that folder. So every EDR and everything else in the world should have been screaming, uh, just activity wise that we were doing this and we were shuffling it out to mega to io and all the other, you know, typical recipients, just to see if you could see it.

So we can give you as near real world as possible with a few, you know, safety measures in place. But again, it's are you prepared? Um, this is not treat it pass fail, but this is an education moment on how you can actually take these as initiatives, validate your findings, kind of go from there. Um, you know, I can, I can give you the, the best red team.

Most recently we went through, um, a large organization. They had actually three SOCs. Uh, they have, uh, uh, an outsourced, um, uh, MDR provider doing one specific, you know, visibility story. They have a normal eight to five SOC, but then they're a large global, you know, organization. So they have an extended SOC that handles things after hours.

You know, when we got in there and started doing our testing, all I had to do was a couple of things and looked, I knew they were gonna fail, um, simply because they weren't logging the right things. And that was part of the conversation. Like, you know, you, how much are you spending on your solutions today?

Are they properly giving you the visibility you're looking for? You think they would, you know, knowing that someone's coming in scheduled. It was no, you wasn't blind, it was everybody. It was participant as a purple team. Um, just basic homework like, Hey, what's the video to detect file deletion and file renaming and, you know, if, if everything else fails, can I see files move in my environment?

Nope, none of that was turned on, so they were totally blind. And I was sitting there with the SOC, like, anybody see it yet? How about do we, this, you know, the, you know, the bad actor's over here? You already got his IP address and like, you know, nudge, nudge, nudge, nudge, nudge. And finally I was like, all right, you know, the reason you're not seeing this is, you know, I gave him the answer key.

So once they turned that on, magically they could start seeing, you know, the activity going on. And they gave him that visibility story. Um, but that's just basic foundational fundamentals. So if you, you know, you think you're prepared, but in reality you haven't gone back and just made sure that, you know, you're actually logging this stuff.

You, I can hold you accountable, uh, in this scenario. And so that was the, that was the, the, the biggest learning thing was there was a lot of that foundational things that had just never been done. 

[00:42:15] Chris Sienko: Yeah. Yeah. Now, um, I imagine an especially disastrous, uh, report from, from a red team. Uh, you know, attack might be something you could take to your leadership and say, uh, you know, in, in case you wanted to whistle past the graveyard, or you don't think we have the money, like, find the money. Like we, you know, like it, it certainly would open that conversation up with a, with a, a more concrete example, I suppose,

[00:42:38] Jim Broome: Um, yeah, but that also comes back to the maturity of the organization as well as, you know, how good their CISO is. You know, sitting down with CISOs and just kind of having the, the brass tacks of what is your insurance policy, what technologies have you invested in?

[00:42:49] Chris Sienko: Mm-hmm.

[00:42:50] Jim Broome: is your real, you know, uh, uh, the, you know, worst case scenario, a risk profile, you know, risk tolerance in the organization.

You know, when we deal with ransomware as the, as the, you know, the, you know, the good guy helping the customer get back online, uh, like the bigger challenge there, just, you know, the realm of reality of how many systems failed. I was like, you could have tested yourself to see, you know, beforehand, but unfortunately we got a real world example.

Um, and then, you know, the secondary part of just the reality of, you know, why this failed, we didn't think about that. You know, the, if then, you know, like, you know, the good news, bad news, in my case, in my own background of growing up around some natural disasters, you know, you know, it's really hard to restore a server when there's no building.

Uh, and so, you know, you, you kinda learn the hard way of us, like, you know, I'm just gonna take, you know, my backup restore process and I'm gonna break certain parts of it to see if I can still get a recoverable backup out of this thing. Um, that mindset doesn't exist at times, and so you kinda have to retrain people or, or help them develop that muscle to just question the entire process and, and look for foundational visibilities,

[00:43:48] Chris Sienko: Yeah. 

[00:43:49] Jim Broome: across the board. 

[00:43:50] Chris Sienko: You've stated emphatically in various articles and interviews that you've, you've written that AI tools and various automations have made attackers a lot more, uh, effective and, and subtle, but that the defense side hasn't necessarily kept up with the times. Uh, can you talk about some changes you'd like to see the security industry adopt to better address these sort of speed and efficiency challenges, uh, 

[00:44:09] Jim Broome: Um, sure. A couple answers on that one. Um, so the bigger challenge that we have, whenever any new technology comes out and, you know, like, uh, I'll use SOAR as the first example and then go to, you know, AI, can we, you know, SOAR, for better or for worse, especially the first couple generations, was there to automate noise.

It was to close things out that was quote unquote driving the SOC, you know, uh, bonkers because it was just low confidence, low, low fidelity type of alerts, you know, signal to noise ratios we talk about. And like, you know, there's not a lot of detection coming out of this, or a lot, a lot of, you know, true positive, this is an attack.

Um, and so that's where the first SOARs were spent the majority of the time. You know, like the investment, the vendor creation, the, the, the stories they would come to market with was all about just clearing out noise. That's kind of where we're at right now with AI. Uh, AI is cleaning out noise faster and letting us get and trying to surface higher signal to noise or higher confidence alerts up to us.

When we're still stuck with a lot of noise. And so what I really work with a lot of SOCs on purple teaming is let's get to the quick, you know, like you don't need to spend a lot of these new, these new technologies are great, but you don't need 'em if you can actually just always have a, you know, if this alert goes off, it's highly confident we're having a bad day.

I mean, there will be some false positives along the way, but you know, at the end of the day I can always kind of rely that we, we should all act if this comes in. And, you know, orchestrating a SOC is the same way on our side of, you know, what we call a sev one, priority one, severe warning. You know, there should only be a handful of those.

Like this is worst case scenario, DEFCON rally, everybody. There shouldn't be a hundred of those. You know, the D one down, like high P two, whatever you wanna call it, you know, there should only be like 30 maybe tops. Like there's only certain, you know. But again, highly, highly confident. So we know we have proof positive what we have to work and where AI is hopefully helping us and starting to help us.

As if we move further to the left of low confidence, now we're down to 40, 50, 60, 30% confident that this is a sign of an initial attack. And greatest example I can give you that is literally every holiday season, uh, as the runup, uh, to, you know, from Thanksgiving forward, the amount of, uh, brute forcing and, and, um, uh, phishing campaigns that go against our, our clients, especially, you know, it doesn't matter if you're on G Suite or if you're on, uh, M365, they all have the same issue.

They all get hit. 4.4, you know, 4.4 times per hour. Uh, and so you're literally seeing all this stuff come at you and like, alright, now I know one of you got hit.

[00:46:35] Chris Sienko: Mm-hmm.

[00:46:35] Jim Broome: So how, you know, like, like the bad guy hasn't logged in yet. So I don't have proof positive the account is compromised, but I think it kind of is.

And so that's where you're looking for, you know, the enrichment story from SOAR, and now AI, which is alright, it's, it's probably a personal VPN provider more than likely out of M 24, you know, 24 7 out of New York or down out of, uh, LA or down out of Miami. So that's the, or you know, that's who owns the IP address.

It's already got a, eh, reputation. Uh, now I can actually associate this with logging in. This person's never come in from this before and then, you know, start applying just a basic threat model of is the likelihood high this user has been compromised? And then work with the organization to have a level of, is it okay if I just go ahead and knock your user offline and reset their account right now, 'cause I think they are compromised. So it's like that early kill switch. And so CISOs are starting to really ask for that. Like, you know, like you, you know, Jim, you guys caught it when the bad guy already logged in. I need you guys to start catching it before they even log in. And I was like, well, now we're getting into analytics and, you know, Microsoft and, and Google haven't cracked that nut yet, and you're expecting a human to figure it out for you.

So let's, let's sit down and just come up with a level of confidence, you know, if I can see the following things. And that's where we're looking for AI and those type of tools, they really start adding value. And they're not there yet, but they're, they're, they're starting to come, you know, I give 'em about another 12 to 24 months and they'll be there.

[00:47:54] Chris Sienko: Got it. Now,

[00:47:55] Jim Broome: Yeah. 

[00:47:55] Chris Sienko: our listeners who are, are glued to this episode and, and are already thinking about doing red teaming themselves as a career, uh, what should they be working on immediately to put their feet on the career path they want? Or are there certain things that you've noticed younger, ethical hackers are not paying attention, paying enough attention to or keeping up with that you think is crucial?

[00:48:12] Jim Broome: Um, multi-story again, I go, I always go back to the soft skills. First and foremost, learn to write, learn to have context in your writing. Like I was giving the example of, typically takes me 20 minutes. You guys lasted an hour and a half. You know, that is, you know, at the end of the day a client is hiring you, especially for a red team, to validate something.

Either their investment for the past year on security technologies or, you know, new SOC provider, whatever it may be, is working or it's not working. Learn to write with that context. Secondarily is really taking it beyond just the initial, what, you know, you know, run, scan, run Metasploit, that's not, you know, that's not red teaming.

Uh, in most cases you can actually do a lot of damage with never running an exploit inside the environment, either getting a password log, you know, physically breaking in and picking a lock, all the way up to just honestly walking around the building and asking people to let you in. Um, once you're in, you can actually start looking at file cabinets, that old stuff called paper.

You know, there's still a lot of it in this industry,

[00:49:04] Chris Sienko: Yep.

[00:49:05] Jim Broome: all the way up to, uh. 

[00:49:06] Chris Sienko: A lot of, a lot of Post-it notes on people's computers, on your

[00:49:08] Jim Broome: Sure. I mean, using, using Jesse as our example there, he, uh, you know, there's actually an article on the, on the website that we talk about where he essentially posed as a groundskeeper. They had a very formal interview process, including having to come out and do a CBT training, uh, on the company.

They hired him. They, they gave him a job offering and he finally had to, you know, divulge, he was a pen tester at the end of this. Like, you know, thanks for the job, but I think I'll, I'll keep my day job. Uh. Yeah, but the, the joke was during the, the CBT session, he literally just walked in there, unplugged, you know, unplugged the computer that they gave him access to and plugged it right into his laptop and started, you know, he got domain admin in like 10 minutes and then finished the CBT test. 

[00:49:46] Chris Sienko: Whew. Boy. That that's a, that that's the, the, the, the, the report you don't want to share with your boss, like 

[00:49:51] Jim Broome: Actually they took it in stride. 

[00:49:53] Chris Sienko: Okay, 

[00:49:53] Jim Broome: Again, it's like, you know, this is our job. The question was, you know, why didn't you have, you know, why couldn't you detect a rogue device on your network? We haven't invested in NAC. And, you know, basically you just kind of give 'em the whole play by play. And eventually when, when it was all said and done, you're like, alright, we get it.

We see how we failed. The only thing that we had was we, we asked you for an ID and we put you in a room with live network jacks that don't need live network jacks. 

[00:50:15] Chris Sienko: Yeah. Yeah. Now, like when you've hired red team members in the past, 

[00:50:19] Jim Broome: Mm-hmm. 

[00:50:20] Chris Sienko: interview question or line of questioning that really sort of surprised them or knocked them back on their heels? Or are there certain things that. Red team, red teamers to be should be like ready to, to rattle off in a, in a moment's notice.

[00:50:33] Jim Broome: Um, the one that usually poses everybody is, gimme an example of where you failed and what you learned from it.

[00:50:39] Chris Sienko: Mm-hmm.

[00:50:40] Jim Broome: You know, a lot of people aren't prepared to answer, either they think it's a personal slight or something like that. But no, we're, we, you know, as a, as an employer, I'm looking for how you actually compartmentalized, learned and, and moved forward.

You know, my, my own personal career, uh, using the example was, uh, working at Chrysler for about nine months. I was the only non-union guy in the shop, so it was the best and worst engagement I ever worked on, 

[00:51:00] Chris Sienko: Mm-hmm.

[00:51:01] Jim Broome: Literally. You know, on, on top of that, insult to injury was, uh, I, I, I drove a Honda at the time, so that was another big no-no.

Uh, so my car would be keyed every day from, you know, the, the folks that were there. So it, it was kinda like that scene from, uh, uh, Roadhouse without the, without the mullet. Uh, but. 

[00:51:18] Chris Sienko: right. And you didn't get to not be nice at the end of it 

[00:51:22] Jim Broome: Exactly. Yeah, exactly. Uh, but you know, my claim to fame is I helped get them from four-character passwords to eight-character passwords. And I literally had to sit in front of the union during a major charter and listen to them for three days try to get more funding. And I was like, you know, again, timing wise is, you know, I asked you to remember four more characters.

Y'all already told me to go pound sand. I had this thing and it was the RSA, you know, uh, token, you know, back in those days the badge, um, it was like, you know, there's 185,000 employees globally. We're looking at spending $8 million, or you guys can help me remember four more characters to log in.

[00:51:53] Chris Sienko: Mm-hmm.

[00:51:54] Jim Broome: Like I had to, you know, the joke was I walked up on stage and I had the three-ring binder note and everything, and I just kinda, like, you know, like, you know, security is like, nah, I just ripped it all to shreds and kind of talked to 'em as plainly as that.

Uh, and yeah, I got my, my stuff got voted that it was literally the only thing that got voted through. 

[00:52:10] Chris Sienko: great. Yeah, no, I was gonna say communication again. Yeah. You 

[00:52:13] Jim Broome: Yep. 

[00:52:14] Chris Sienko: gotta know your audience. Uh, so what's the best piece of career advice you ever received? 

[00:52:18] Jim Broome: Um, honestly, be humble. 

[00:52:21] Chris Sienko: mm-hmm.

[00:52:21] Jim Broome: Be humble and don't be afraid to ask. Um, at the end of the day, I, now, I will, I will, I will caveat, I was raised the military way. You only get to ask once. Uh, after that. You gotta go figure it out for yourself. Um, and so, um, you know, that, that's kind of the biggest thing I tell people is, you know, you, you know, I want you to get the confidence to actually contribute to a conversation if, if not, lead the conversation in the very near future.

Um, but be humble. When you're coming up there, like you will, you know, like I was that young guy. I literally, it's using the example, I was 24, the next closest academy was 54. Uh, so age, everything, everything that could go against you as a, a very young employee in a very large company. And I got the opportunity to actually go up there and shine just because I had a few people that were willing to listen to me.

Um, and so same time of, you know, be humble when you're actually asking and, and, and more importantly contribute. And that's all, that's all we're ever asking across the board is, you know, you know, peer, you know, peers, teammates contribute. So, Yeah.

[00:53:14] Chris Sienko: Perfect. 

[00:53:15] Jim Broome: Yeah. 

[00:53:15] Chris Sienko: so I'm always looking for new recs. So, uh, let me just ask, is there anything you're currently reading or listening to or watching these days, whether cybersecurity or not, that you're especially excited about?

[00:53:25] Jim Broome: Uh, unfortunately it caught me at a bad time where I literally just got in the middle of moving. So I haven't had a chance to, 

[00:53:31] Chris Sienko: Okay. Okay. 

[00:53:32] Jim Broome: A little upside down, but, uh, reading wise, honestly, uh, uh, haven't really had a chance to kind of, you know, get down in, into new weeds, uh, uh, or, you know, new reads on that side.

But, uh, you know, with my. Both my kiddos, uh, who, who are 26 and 21. Uh, we have shared TV shows, things like that. So just kind of getting into some of the stuff like, uh, um, uh, what was it? Uh, drawing a blank at the moment. So anyway, 

[00:53:57] Chris Sienko: Okay. 

[00:53:58] Jim Broome: Just, yeah. Haven't, yeah, haven't had a chance to, uh, you know, commit that one to, to memory.

Just, just watch the first three episodes. 

[00:54:03] Chris Sienko: You got a lot, you got a lot, you got a lot going on right now, so that's, uh, totally understandable. So, alright, well I'm gonna let you go here, but one last request, um, tell our listeners more about Direct Defense and how listeners can find Direct Defense and Jim Broome online.

[00:54:16] Jim Broome: Sure. Sure. Um. So, yeah.

At the end of the day, Direct Defense, we are a cybersecurity services company. Um, you know, for ourselves we specialize in offensive testing. Actually, the majority of the revenue for the company today is based on penetration testing services. We do a lot of it. Um, so it doesn't matter if it's just your annual penetration test to you're looking for a large programmatic approach to continual penetration testing.

We got you covered, uh, both on network and app. Uh, in addition to that, we do managed services along the way so we can help you not only, you know, identify your vulnerabilities, but we can actually monitor 'em for you and make sure you're getting 'em patched. Uh, as well as, uh, you know, keep your back, make sure the ransomware guys are not inside your network, uh, you know, on a day-to-day basis.

And then we have a, uh, dedicated OT practice as well. So, uh, we like to say we help secure the things you can't live without. Uh, that would be water, power, light,

[00:55:02] Chris Sienko: Very 

[00:55:03] Jim Broome: All the way up to, uh, automation of assembly line, which is actually one of our biggest customer segments of manufacturing today. So, .com? Yeah.

[00:55:12] Chris Sienko: com. All 

[00:55:12] Jim Broome: Www direct defense.com.

Yep. 

[00:55:13] Chris Sienko: right. And can our listeners follow you on LinkedIn? 

[00:55:16] Jim Broome: Yes. Again. Yeah. 

[00:55:17] Chris Sienko: Great. All right. Jim Broome, B-R-O-O-M-E. All right. Well, Jim, thanks for your excellent stories and insights. This was a ton of fun. I really appreciate it. 

[00:55:24] Jim Broome: Yeah. Appreciate it bud. 

[00:55:26] Chris Sienko: Uh, so this has been another episode of the Cyber Work Podcast.

Thank you for listening and watching. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop 'em in the comments, make use of our YouTube community tab or just let us know by commenting on our new TikTok channel. Uh, before we go, please check out infosecinstitute.com/free for a wealth of free and exclusive things for Cyber Work listeners.

Uh, that includes our free cybersecurity talent development playbook with in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. Or take a look at our cybersecurity salary guide for the latest data on popular certifications and their related roles, as well as the average salaries for these roles.

We've also got security awareness posters, cert study eBooks, and you can sign up for 100 plus free courses for a free month of our Infosec Skills platform. Uh, learn incident response, forensics, security architecture and more. One more time, that's infosecinstitute.com/free. Last time.

Thank you to Jim Broome and Direct Defense, and thank you for watching and listening.

[00:56:31] Jim Broome: Yep. 

[00:56:31] Chris Sienko: Chris Sienko signing off. Until next time, make sure to learn something new every day. Keep one step ahead of the story and don't forget to have a little fun along the way. Bye for now.
