The Team House - Red Team Hacker, Cybersecurity Expert & DOD Advisor | Matt Devost | Ep. 176

Episode Date: November 21, 2022

Currently, Matt is the CEO & Co-Founder of OODA LLC. Prior to OODA, Matt was the EVP for Strategy and Operations at Tulco Holdings. Previously, Mr. Devost was a Managing Director at Accenture where he led the Global Cyber Defense practice responsible for Accenture's cloud, mobile, infrastructure, network, endpoint, incident response, threat intelligence, threat hunting, vulnerability management, IOT/IIOT, and red teaming offerings. Mr. Devost joined Accenture following their 2015 acquisition of the global cybersecurity consultancy FusionX LLC where he had served as President & CEO since 2010. As a Founder of FusionX, Mr. Devost helped an international clientele identify and manage dynamic threats in complex operational environments. Mr. Devost was an Adjunct Professor at Georgetown University for fourteen years teaching the flagship graduate course entitled "Information Warfare and Security", and is a Founding Director of the Cyberconflict Studies Association. Mr. Devost was also appointed as a special government advisor to counsel the U.S. Department of Defense leadership on a variety of security issues from 2010-2013. Mr. Devost was a founder of the Terrorism Research Center, Inc. (TRC) in 1996, where he served as President and CEO until November 2008. As founder and President, Mr. Devost oversaw all research, analysis, intelligence, assessment, and training programs including the development of the renowned "Mirror Image" training program, the Responder Knowledge Base, and the Terrorism Early Warning Group program which established local intel fusion centers in 56 high-threat U.S. cities. In addition to his duties as President, Mr. Devost also provided strategic consulting services to select international governments and corporations on issues of counter-terrorism, intelligence, information warfare and security, critical infrastructure protection, and homeland security. In 2004, Mr. Devost was appointed to the Defense Science Board Task Force on Critical Homeland Infrastructure Protection to provide advice to the Department of Defense and Department of Homeland Security. Mr. Devost served as a Senior Advisor to the Airline Pilots Association National Security Committee and is an adjunct member of the Los Angeles Terrorism Early Warning Group.

Today's Sponsor: BUB's Naturals https://www.BUBSNATURALS.com/ Use the code "TEAMHOUSE" for 20% off your order! Pick up their collagen protein, MCT oil, and apple cider vinegar gummies today! BUBS donates 10% of all profits to charity in Glen's honor, starting with the Glen Doherty Memorial Foundation. GO TO: https://www.BUBSNATURALS.com/?discount=TEAMHOUSE or use the code "TEAMHOUSE" at checkout for 20% off your order! FEEL GREAT. DO GOOD. Words that we live by.

To help support the show and for all bonus content including:
-2 bonus episodes per month
-Access to ALL bonus segments with our guests
-Ad Free audio feed
Subscribe to our Patreon! 👇 https://www.patreon.com/TheTeamHouse

Team House merch: https://teespring.com/stores/my-store-10474963

Social Media:
The Team House Instagram: https://instagram.com/the.team.house?utm_medium=copy_link
The Team House Twitter: https://twitter.com/TheTeamHousePod
Jack's Instagram: https://instagram.com/jackmcmurph?utm_medium=copy_link
Jack's Twitter: https://twitter.com/jackmurphyrgr?s=21
Dave's Twitter: https://twitter.com/dave_parke?s=21
Team House Discord: https://discord.gg/wHFHYM6
SubReddit: https://www.reddit.com/r/TheTeamHouse/

Jack Murphy's memoir "Murphy's Law" can be found here: https://www.amazon.com/Murphys-Law-Journey-Investigative-Journalist/dp/1501191241
The Team Room Reading Room (Amazon Affiliate links): https://jackmurphywrites.com/the-team-room-reading-room/
Intro music by https://www.youtube.com/user/RemixSample

Want to sponsor the show? Email: 👇 theteamhousepodcast@gmail.com

#cybersecurity #hacking

Become a supporter of this podcast: https://www.spreaker.com/podcast/the-team-house--5960890/support.

Transcript
Starting point is 00:00:00 Hey, folks, I just want to take a minute to ask you to go in and rate this podcast, let the Team House know how you think we're doing, go and rate us on whatever platform you're listening to this on, whether it's iTunes or Spotify or whatever else. Those ratings really help us out, and we really appreciate the feedback to let us know what you like and what you don't like. And if you do like the Team House and you'd like to support us, go check out our Patreon page and you can actually support the stream as well as get access to our bonus segments and bonus episodes. Yeah, if you're going to give us a great review, please do. And if you're going to give us a not so good review, why don't you just send us an email and we'll talk about it. Special Operations, covert ops, espionage, the Team House with your hosts, Jack Murphy,
Starting point is 00:00:55 and David Park. Hey, everybody. Welcome to the Team House episode 176. I'm Dave Park. This is Jack Murphy. And tonight we're joined by a very special guest, Matt Devost, one of the original OG hackers and actually one of the first actual red teamers, right? Yeah, way back in the day.
Starting point is 00:01:23 Before red teaming was cool. That is true. Although I felt like it was pretty cool, but not a lot of other people thought so at the time. Right. So, Matt, one of the things we love to do is ask people, how did you get your superpowers? What is your origin story? Yeah, I had an interest in computers at an early age. Actually, I was in a small town in Vermont, though, so computers were not readily accessible. And interestingly, we had a new kid move into town, and new kids were interesting in and of themselves.
Starting point is 00:01:56 And my family had lived in the same town in the Northeast Kingdom of Vermont for a hundred years at that point in time. You know, I was being educated in a one-room schoolhouse. So a new kid arriving in town was interesting. But what was interesting to me is that he had a Commodore 64 computer and I became enamored with the computer. He was not interested.
Starting point is 00:02:16 So I actually traded him a hunting rifle for that Commodore 64. So it was this interesting trajectory. I went on to do what I do. he actually went on to have a nice career as a Navy SEAL. So I feel like there was some serendipity of us meeting and being in the same town and me getting the computer and him getting the gun. And then for me, that just became, you know, an obsession. I wanted to learn how to do more with the system.
Starting point is 00:02:39 It was constantly, you know, taxing the capabilities, writing my own code. I was a big hockey fan. So I wrote a hockey game on the Commodore 64 and I'd charge kids a quarter to come play at my house. So, you know, kind of got that early interest. And then I started doing software development, you know, found the hacker community through bulletin board systems and some of the online zines and continued to pursue that interest into college. And it really was as an undergrad that I had this kind of aha moment. There were a lot of high profile hacking cases that had taken place. There was a big roundup of teenage hackers that the Secret Service had conducted called Operation Sun Devil.
Starting point is 00:03:20 There was evidence with regards to all of the corporate and government systems that they had compromised or were compromising. And so I knew about the vulnerabilities, but then also as a political scientist focused on national security studies and with a specialization in issues of terrorism and asymmetric threats. And I had this aha moment that said, geez, you know, the world is moving towards an increased dependency on computers. And I know that those systems are vulnerable. We're seeing it. You know, I can hack into things.
Starting point is 00:03:49 Friends can hack into things. This is creating a new national security threat. And so I started writing about that. And it turns out, you know, the first year that I wrote a paper was the first year that DoD was talking about those issues in a classified directive in 1992. So as I was out there and started speaking at conferences and started publishing papers, I became kind of the, you know, academic equivalent of the kid that built an atomic bomb in his garage. The U.S. government became very interested in how I was coming to these conclusions and the types of things that I was talking about. Very interesting. Just out of curiosity, like, you're a kid, so I assume it's like in the mid-80s or whatever, you get a Commodore 64. Like, I had a Commodore 64 too, and all I did was
Starting point is 00:04:37 play games like what what was it that drove you to figure out how to code on it and how to write programs and that there were other things you could do than just play bard's tail yeah i think i inherently had a hacker mindset. You know, if you go back to the truest definition of the word, kind of the MIT folks that were a combination of pranksters, but people that wanted to figure out how to take things apart, put them back together, you know, optimize them. I kind of always had that interest. I wanted to, you know, understand how to make this computer do interesting things. And I wasn't just interested in what other people were writing, the software they were writing. I wanted to write my own. So I certainly had that interest. And then,
Starting point is 00:05:19 in college, you know, I encountered applications where it was like, okay, what can I do to make this better? And you'd dive in and you'd understand exactly what was happening. And then you'd fix the parts that were broken. And back then, the source code on the, you know, the applications that you were running was accessible for most of the software that you were accessing. So you really could see the inner workings. You could dissect it and figure out exactly what was being done and figure out ways to create, you know, better variants of that for yourself. So really, I think over time, I've just had this traditional hacker mindset of wanting to figure out how technology works, wanting to figure out how to break it and how to make it better as part of the process.
Starting point is 00:05:58 Not asking you to admit to, you know, any illegal endeavors, but were there ever times that you heard of, like, what was the most exciting thing you heard of a kid doing on their Commodore back in the day? Yeah, on their Commodore back in the day. Like, when their adrenaline got going, they're like, this is the shit. Yeah, once the modems entered into the equation, it became a brave new world, because now you could connect to the systems that were connected to mainframes or connected to some of the early nodes of the internet and elsewhere. So once that happened, I certainly observed, you know, I saw that in the hacker community and folks that I was becoming friends with, almost an ability to hack into things on command, and things were so insecure at the time. In fact, I remember a videotape I had, I think it was the 2600 crew that recorded it, where they had some Dutch hackers, and the Dutch hackers basically just did a lookup of all the hosts that were, you know, registered with .mil domains. They let the cameraman pick one at random and then they broke into it. So certainly at that time, just about everything
Starting point is 00:07:08 was vulnerable. A lot of the folks that were, you know, breaking into those networks or trying to access those networks, really though it was driven by curiosity. It wasn't criminal. Most of my friends from back in that day were accessing systems because they wanted access. They wanted to learn how they worked. They wanted to get connected to these networks. And at the time, too, you know, if a system administrator found you on the network, oftentimes they might just create you an account and say, hey, go play around.
Starting point is 00:07:36 It certainly wasn't, you know, as such a denied behavior as it is today, but we didn't have any other resources to learn. And today you can build on a single Linux box, you know, multiple VMs and hack against yourself. But back then, all we had was other people's systems. Yeah, that's fascinating. So you go through college and you keep on doing it, then you start writing papers. So what was the next step for you then? Yeah, I decided to get my master's.
Starting point is 00:08:03 And I decided that I wanted to write on this topic of national security in the information age. Interestingly enough, when I proposed it as a thesis topic, it was denied as a topic. And it really only was through serendipity, through the attention that I attracted to some of my earlier writing within the Department of Defense, U.S. government, even within the Canadian government, the private sector, that allowed for me to pursue that as a thesis topic. I basically got so many inbound requests for my research at the political science department I was at that the chair of the department pulled me in and said, hey, what is it you want to do your thesis on? And I told him, and, you know, he agreed he had been short-sighted and actually
Starting point is 00:08:44 gave me a fellowship for my second year of grad school so I could go for free. Prior to that, you know, typical I was going to grad school full-time, but I was also managing a network for a local school district up in Vermont. So, you know, I was responsible for making sure that kids didn't get into trouble on the network, was able to drop that job, focus my attention. And I wrote a thesis called National Security in the Information Age that, you know, really was one of the first academic pursuits at that level that looked at what is this topic of information warfare, is this a national security threat, how do we put this in context from traditional national security constructs like realism and liberalism? And then what, you know, I basically put out my
Starting point is 00:09:25 own plan. What do I think are the steps that are necessary in order to address this emerging threat? That thesis had a lot of legs. You know, I had about 300 requests for it at the time that I wrote it. I was presenting at conferences. It got reprinted overseas in Europe. And that really was the catalyst for me to enter into the workforce. That's amazing. So, but you entered the workforce on on the technical side more than the policy side, right? Yep. And was that your choice? Is that what you, throughout you wanted to go? Yeah, I really was able to bridge the two. At that time, there were very few people that could bridge the cybersecurity hands-on keyboard hacking capability with the national political aspect of it.
Starting point is 00:10:13 So I got my first job at SAIC, which was a big defense contractor. There were two retired colonels that were building what they called an information assurance practice, you know, an early phrase that we used for cybersecurity. I was the technical guy, you know, and they were the guys that knew DOD and had the network and could go figure out where we could get contracts. And I was able to, you know, do a lot of really technical things. I built the first red teams for the Department of Defense traveling around the world, breaking into systems classified and unclassified.
Starting point is 00:10:44 I then built a coalition red team that activated during Five Eyes military exercises. It was targeted exclusively at classified coalition command and control systems. Got to do all sorts of interesting things, you know, as it relates to that. But then I would bridge the policy piece, too. I remember helping the Secretary of the Navy write a memo response about how the Navy was going to deal with this threat of information warfare, wrote some of the early reports for the J6 in the Pentagon. I got pulled into the President's Commission on Critical Infrastructure Protection. I got pulled into the Defense Science Board. So I had this unique blend of technical skills where here I am, you know, one week I'm hacking into systems on an aircraft carrier while it's deployed as part of an exercise.
Starting point is 00:11:33 the next week I'm in talking with DOD leadership about how to address the national strategic aspects of information warfare. Now, Matt, I got a question actually to follow up on some of that before we move along is there's so many misconceptions, including amongst myself, about computer hacking. And you're talking about creating a red team, like an opt-for that goes in hacks and, you know, authorized, you know, they're authorized to sort of exercise the defenses of DOD and test it out and see, you know, if you can break into those systems. And, you know, like, in my mind, I still have visions from, like, the movie hackers. Like, are you, is this,
Starting point is 00:12:12 like, a disembodied astral projection of Matt flowing through the cables and there's, like, numbers flying by your head? Like, you know, all this sort of, like, sort of imagery that exists in popular culture. But I was wondering if you could walk us through the reality of, like, how does that work? Like, how does a team, like, what kit do you have? Where do you go? How do you begin that process of, like, testing DOD defenses in early cyberspace? Yeah, we were building tools, you know, they were kind of custom driven for assessment purposes. We were using stuff off the shelf. This is a time when Internet Security Systems was releasing their scanner so you could do some of the early scanning with that. There was a group of
Starting point is 00:12:50 guys in Canada called Ballista Networks. They had a tool, you know, these are like early versions of what we might consider, you know, Nessus or Cobalt Strike or, you know, tools that exist today that are a little bit more modern. So we'd use a combination of things that we built ourselves, commercial tools that could assist us with the heavy lifting, you know, scanning networks at scale. But it really was a lot of creativity. And we would combine social engineering. We would combine, you know, different elements of it. And I remember one time where we were targeting a, it was a military exercise, you know, they had announced who the JTF commander was.
Starting point is 00:13:28 We had identified on the network, on the classified network, the JTF commander's personal workstation. We couldn't get into the system. It was not vulnerable. But we did notice that it had a policy configuration issue and that it gave us infinite tries to try and crack the password. So we're doing that. We're doing some brute force, you know, attempts to log into the system.
Starting point is 00:13:49 And then we decided to resort to a social engineering aspect. We actually reached back in through public relations and said that we wanted to invite this particular military personnel to go speak at their old high school graduation and asked them to send a bio and details and started getting what was, you know, an interesting amount of personal information as a result of the request around the individual. And in the last line of the bio, I think it said something, you know, was a proud father of two people, one of whom is, you know, a Division I football player. And I forget, it was like Rutgers University or something.
Starting point is 00:14:24 And I'll be damned if the password. for that JTF workstation wasn't Rutgers 1997, you know, with the current year. And it allowed us to break into the system. So we're doing a combination of really elegant coding, but then also combining the social engineering and the human element as well. From a adversarial point of view, what would that mean if you really were the bad guys and could break into the JTF commander's, you know, terminal? Yeah, we had full access to basically change intel, you know, so sorty missions with
Starting point is 00:14:55 regards to where planes were flying. And of course, this was all simulated, simulated munitions, there's no real munitions dropping. We could see all sorts of message traffic. When, in the coalition space, we took the country of Canada completely off the command and control grid so they weren't able to communicate with anybody. We did that with New Zealand. We got onto systems on the aircraft carrier like I mentioned, onto a nuclear submarine. I actually also got into systems on Speckled Trout, which was the name at the time. I don't know what they call it today.
Starting point is 00:15:29 It was the chairman of the Joint Chiefs version of Air Force One, was a command plane that flew around. And that was actually the only time I got a cease and desist around my red team. We operated stealthily. One year we operated down in Virginia Beach where we could get access to some classified networks in a warehouse. A second year, we operated out of the back of an 18-wheel tractor trailer in Blandford, UK, which is where the Royal Signals Corps is.
Starting point is 00:15:54 was, and I had a, you know, we had a couple of rules at the coalition level. One was if we were targeting systems in Canada, I could be the campaign manager, but I actually couldn't enter the commands on the keyboard. I had to have a Canadian military representative that did that. Interesting. Yeah. And the other rule was, and of course, these were unprecedented. You know, we, DOD basically challenged me saying, I bet you can't get permission to put this team together,
Starting point is 00:16:21 but if you do, we'll pay 100% of your costs. So then I was able to go to our, you know, Five Eyes allies and say, hey, you know, over a pint of beer, the U.S. DoD is going to pay for this. Let's do it. It'll be really cool. So that was one rule. You know, the native country had to be the ones actually executing the command so that we had the responsibility for any actions that took place. And the second rule was when we got into critical systems, there was a disclosure list. It was about six people. And when we got into Speckled Trout and we sent out the disclosure, hey, we're on the system. It's an aircraft. It's airborne. We weren't targeting the, you know, avionics or anything. We were targeting command and control systems, communication systems on the platform. It turns out one of the people on the disclosure list of six people was on board the aircraft at the time. So we immediately got the cease and desist and not, you know,
Starting point is 00:17:08 they went into a panic that we're going to send them, you know, out of the air into a fiery crash, which was not the case, but we got to, you know, had a lot of kicks out of it. So, Matt, you mentioned that, like, these days, you know, people can, you know, build a virtual network on a machine, you know, they can take the, you know, the eJPT, they can take all these courses. They can take them with labs and these tests. When you were first coming on scene, obviously, anybody that could do this, because there weren't those virtual environments to practice on, there weren't these classes they could take.
Starting point is 00:17:46 Anybody who could do this could do it because they had done it. How, and having done it meant that you were most likely, you know, you would commit some sort of less than legal trespass at some point. Like how, how did you convince the DOD to bring these people on, you know, define these people who probably had reputations because they were good at what they did, but they only got good at what they did by doing it. How did you, were there, were there like political navigation you had to do to do that or? Yeah. Back then, if it was, if it was, If it was somebody that was known in the hacker community, really couldn't use them. There were some exceptions.
Starting point is 00:18:27 I know my friend Chris Goggans, who was, you know, Erik Bloodaxe, that was the editor of Phrack magazine, got pulled into a few things. But really, for these teams, I was recruiting a lot out of guard units, in particular for some of these exercises. I would go and see, you know, is there a member of the National Guard working at Oracle or Sun or something like that? And I would pull them in knowing that they likely had some technical capabilities, and then we'd train them on the hacking side.
Starting point is 00:18:53 But that was a challenge I had early on, you know, when I was kind of self-identifying as a hacker in DoD with a clearance, and hacker had really negative connotations. In fact, when I worked on the President's Commission on Critical Infrastructure Protection, I, on my own initiative, produced something I called the hacker primer that I distributed to the commission and got sent over the White House that explained to them, you know, what hackers were,
Starting point is 00:19:18 that they held their own conferences, that they wrote their own tools, that they had their own newsletters and, you know, Usenet groups and IRC channels and was really fighting to kind of humanize and recognize that hackers were a national resource. Of course, one of the chapter or a section in my thesis was literally titled Use Hackers as a National Resource. So this was a bit of a holy mission for me. I wanted to bridge that gap between, you know,
Starting point is 00:19:44 the work that needed to be done and the people who had the actual skill sets to do it. And at that time, Did, was the United States government envisioning nation state actors as a threat or just, you know, people sitting in their bedroom, you know, exploring these systems? Yeah, we were envisioning nation state actors. I mean, I like to say we kind of took a page out of General Van Riper's toolkit, you know, and that we were, we were emulating real adversaries and we're not, they're trying not to put artificial constraints on the capabilities that we had in targeting these network. works. There were other exercises that took place. There was an exercise, I think in 1997, called eligible receiver that was largely driven out of NSA and the intel community that emulated a nation-state attacker targeting not only DOD, but critical infrastructure in the
Starting point is 00:20:39 U.S. And that was really eye-opening, I think, for a lot of policymakers with regards to what a small, capable team was able to accomplish. And then we had a couple of incidents that took place as well, one that I worked on really closely with something called Solar Sunrise and this was during the first, you know, Iraq conflict after we had expelled Iraq out of Kuwait, we had instituted a no-fly zone. Iraq had violated that no-fly zone multiple times
Starting point is 00:21:08 and we announced a deployment of, I forget how many, you know, over 100,000 troops back into the region. And at the time, it was noticed that the unclassified systems that would support the logistics around that deployment had been compromised. And in doing the forensic analysis and investigations, one of the IPs that was traced back actually originated in the Middle East.
Starting point is 00:21:30 So it was briefed all the way up to the White House that this was potentially Iraq that was targeting U.S. Department of Defense systems on unclassified networks in order to prevent the U.S. from deploying military forces. At the end of the day, when the investigation was all said and done, it was an Israeli teenager and two 16-year-old kids out of California. But, you know, it was certainly in the mental framework of, you know, this could be a nation state and that this was a real risk. Right. Of course, we had other incidents a couple years later with Moonlight Maze, which was attributed to the Russian government. So we were starting to see the nation state attacker stuff take place.
Starting point is 00:22:09 And then a real eye-opening document for me came out of China, I think in 1999, when I first saw it, called Unrestricted Warfare. And in there, they talked about, I'm sure you're familiar, and the folks watching this, many are going to be familiar with it. They talked about information warfare, economic warfare. It really was, you know, kind of a new strategic look at the role that this would play. And I remember thinking it was so important. I forwarded it to a bunch of people. I kind of effectively leaked it.
Starting point is 00:22:39 It was not classified. It was just a Fibbist translation, but I was so adamant that this was basically showing us a roadmap for future China capabilities in this area that I felt like as many people as possible needed to read it. And we ended up putting it on the Terrorism Research Center website too in 1999 as well. Guys, I got to give a quick shout out to the sponsor for this show. It's Bubbs Naturals. Bubbs is a health food company. And they're actually named after Glenn Doherty, who was one of the Navy SEALs who perished in Benghazi, Libya.
Starting point is 00:23:12 And so Bub's is not only a health food company, but they also work with the Glendority Memorial Foundation. and they donate 10% of their profits towards that foundation, which helps veterans transition into civilian life. So, you know, having met Glenn once and, you know, really thinking he was a great guy, and I'm sorry he's not here anymore, but the Glendorty Memorial Foundation continues to do some great work. And I've actually, this isn't just a sponsorship. I really have used this product for, you know, probably like five years, and it's very good. This is their protein powder, which is actually flavorless,
Starting point is 00:23:45 So you can mix this in with coffee, soft drinks, whatever you like, and it's flavorless. So highly recommend this. They also have MCT oil powder, which can be used as a creamer substitute. Also increases brain functions and things like this. Yeah, connectivity. It's really great if you go on keto, things like that. It helps. It's kind of a fatty oil that replaces some of that, you know, some of the carbs that you're missing out on just in terms of like functioning.
Starting point is 00:24:14 Yeah, it tastes really good when you mix it in with your coffee. Yeah, fantastic. And then they have these apple cider vinegar gummies, which I know that probably sounds maybe not the most appetizing thing in the world, but I promise you these taste like normal gummies. They're actually very good. And these help with your digestion. So yeah, there's another really good product. And again, 10% of their proceeds go to the Glen Doherty Memorial Foundation. So that's bubsnaturals.com. And the promo code is, what is it, Team House. Team House. You go to the Team House, or I'm sorry, you use the promo code TEAMHOUSE at bubsnaturals.com and you get 20% off your
Starting point is 00:24:52 order. So that's TEAMHOUSE at bubsnaturals.com to get 20% off your order. I hope you guys will go check them out. And we appreciate, you know, them working with us. Yeah. And thanks for your patience, Matt. When did the idea of APT, or advanced persistent threat, first make its way into cybersecurity consciousness? Yeah, I would say probably, you know, in the U.S. military was that 1997 time frame, which correlates with when I was doing my red teaming, when Eligible Receiver took place. That's when we had the cognizance around, you know, there's a nation-state element of this. We didn't start calling it APTs, I think, until much later, you know, early 2000s maybe
Starting point is 00:25:40 or a little later. I think it was Kevin Mandia, actually, at Mandiant that first used the phrase, but certainly, you know, sophisticated state sponsored attackers were on the spectrum of things that we were concerned with and dealing with in the, you know, late 90s, call it. When you were first getting on board with these new red teams, did you have to, was it difficult to get buy-in from organizations that you might expose their data and things like that?
Starting point is 00:26:11 It definitely was difficult to get buy-in. And of course, my early days was all focused on DOD and Intel community and then later pivoted to doing red teams against the private sector. So critical infrastructure, you know, et cetera. Yeah, it was tough to get by and it was tough to get behavior change as well. And I was in this unique position because I was, you know, relatively young, mid-to-late-20s, you know, this traveling hacker going to all these interesting places. and I would have to have conversations with some of the DOD leadership at Paycom and Socom and elsewhere around why this was an important issue, what I was able to accomplish, what they needed to do. I had a fascinating run-in with the head of Socom at the time where it was just one-on-one.
Starting point is 00:26:57 It was, you know, him and I having a conversation. And one of the behaviors I needed to change was his. He had a one-character password that he used to access the network that he called his combat-ready password. right so here i am you know um and i i attribute it with you know a lot of my success because i i had to learn how to articulate why this stuff was important and i had to find useful analogies and convince people that that didn't want to be convinced that this was an important topic so did you convince them to change his password from the letter a to like lovebug 69 or whatever i did you know at the time we were trying to get just seven character passwords because there was this weird thing that windows did
Starting point is 00:27:37 where like if it was over seven characters, it hashed it in two parts. So really the first seven were the important piece of it. Because if you had eight characters, we could crack that second hash instantly. Yeah, I had an interesting conversation. You know, I went in.
Starting point is 00:27:51 I've been told by his staff that he called it his combat ready password. And so it really was kind of at odds when I went to have a conversation with him. And it's a bit of a funny story, but it's also one of those when I talk about useful analogies. I mentioned to him, you know,
Starting point is 00:28:04 towards the end, I said, hey, sir, and I'd love to talk to you about your personal password. I noticed it's one character, and he's like, right, that's my combat ready password. I was like, yeah, I understand that.
Starting point is 00:28:14 I said, but really, you know, we're at SOCOM headquarters, which I'm sure most people are familiar with as a secure building within a, within a secure base. It didn't feel like, you know, we're really in a combat situation that necessitated just a one-character password.
Starting point is 00:28:29 He kind of looked at me. He was like, and then I actually, this was an interesting time. I had started my assessment with his predecessor, and then there'd been a change of command, and now I was working with the new head of SOCOM. And I had observed a behavior that had nothing to do with cybersecurity. And that was that whether he drove himself or had a driver drive him in, in his parking spot at the building, he backed into the spot. And of course, you refer to that as combat-ready parking. So if you have a combat-ready password,
Starting point is 00:28:58 you have combat-ready parking. What I observed, though, was that over the course of two weeks, almost everybody in his chain of command emulated that combat-ready parking. They started backing into their spots just like the boss. So I raised that point with him. I said, sir, you know, did you notice what happened after you arrived and you started parking by backing into your spot, you know, that people started emulating it? He said, no, I didn't notice that. And I said, well, you know, what do you think will happen? Do you think that people on your team are going to emulate the one-character password? And is that worth the risk that it would put, you know, people in your command at in, you know, actual life-and-death situations? He kind of looks at me and he says, huh, so son, I'll change my
Starting point is 00:29:36 fucking password, and that was the end of the conversation. So I counted that as a win, but it also taught me an interesting aspect, that sometimes when you're talking about cybersecurity and you're trying to get them to understand why some of these things are important, in this case, you know, setting an example and creating behaviors that'll be emulated, it was a completely non-cyber analogy that hooked him. Yeah, it's interesting. The idea of a combat, a combat-ready password, though, is so Charlie's in the wire. Got it. Done. It was fun, you know.
Starting point is 00:30:10 I ended up, it was, it was frustrating because a lot of things didn't get done. You know, I had been out to PACOM and we had observed a lot of vulnerable systems, a lot on the classified networks. I actually got in trouble at JICPAC because I changed the background on all the workstations to be an image of my design instead of having the official kind of TS background image. So they were upset about that. But there were unclassified systems as well that were sitting on the internet. There were some of these kind of key logistics systems.
Starting point is 00:30:40 And I remember being out there and saying, look, when I leave the room, you need to point your finger at somebody. And you need to tell them that they're responsible for going and patching these systems, because this is a critical vulnerability. I can, over the internet, hack these systems and gain root access, which was administrator-level access. And so I left. And it was like six months later. I was actually down at SOCOM, the only time I've ever gotten a classified fax in my life. I get this classified fax down at SOCOM. It says, please come back to DC ASAP, report to DISA headquarters. And I show up at DISA headquarters,
Starting point is 00:31:15 and it turns out that Solar Sunrise is taking place. We've noticed that Solar Sunrise, the attack that I mentioned earlier, is happening. They wanted me to participate in the forensics team to figure out what was going on. So I get there. I ask for, okay, give me, you know, the details on a compromised system. They hand me this big stack of paper, put it in front of me. I kid you not, one of the first systems I looked at that had been compromised was actually one of those systems at PACOM that I had told them to patch six months earlier. So that was when I kind of decided, okay, maybe there's a better use of my time and maybe I should try and migrate towards the private sector. Yeah. How hard is it? Because I know even these days it can be challenging, because a lot of companies have IT, but they don't have cybersecurity, and they expect their IT guys to be able to do cybersecurity. Did you run into a lot of that back then, where either you would get pushback from the IT guys because they didn't want people to know that they didn't know how to do that stuff, or that people would think that they're supposed to know that, that it's supposed to be their job, and put the workload on them when they don't really know what needs to be done?
Starting point is 00:32:21 Yeah, cybersecurity wasn't really an established profession. So it was all IT people. And you either got people who were really engaged that recognized the issue, or you got folks that just didn't want to deal with another responsibility. And if it wasn't in their list of official responsibilities, they would just prefer to, you know, assume that they didn't know that the problems existed. And that perpetuated for a while. And I think even in the private sector as well, with this, you know, we called it security through obscurity. If I don't know that vulnerabilities exist, then I don't have any liability for not fixing them. So that was, that was a consistent problem for sure. And, you know, the tech community was kind of
Starting point is 00:33:00 growing into it. It was the system administrators who were the ones I'd get the most engagement with, because they understood what I was doing, understood the consequences, and they were ready to act. At the leadership level, you know, I didn't quite get the level of engagement that I was hoping for. So around that time is when you were like, there's money to be made elsewhere. Yeah, yeah, decided to leave. You know, I'd worked, I mentioned, on the President's Commission on Critical Infrastructure Protection. One of the things coming out of that was something called PDD 63, Presidential Decision Directive 63. And in PDD 63, there is a call for the creation of something called ISACs, information sharing and analysis centers, that would be responsible
Starting point is 00:33:43 for sharing cyber vulnerability information between the U.S. government and the private sector, but then also for facilitating information sharing amongst the private sector participants. And I had a meeting with some folks, you know, a rag-tag group of folks in the D.C. area. And we decided that if the government was going to mandate this, there probably was a private sector opportunity. So what we did is we created a company to go out and do it first and created the first cyber threat intelligence company in iDefense. And that again was greenfields. You know, we had to convince people that cyber threat intelligence was something that would help improve their security posture. Nobody had produced a cyber threat intelligence report before, you know, so we were figuring
Starting point is 00:34:24 out how to do that. How do you do collection? How do you do analysis? How do you do dissemination? How do you figure out which information is worthy of sending in that'll actually guide action, you know, that'll help reduce risk in the enterprise? And at the time, if you can believe it, if you're familiar with org charts, the chief information security officer role didn't really exist. There was only one person in the world that I knew that had the title CISO. And of course, that was one of the folks that we were talking to. So I left doing stuff in the intel community space and focused on the private sector by building this first cyber threat intelligence service.
Starting point is 00:35:01 And lo and behold, you know, the U.S. government and the Department of Defense came and knocked on our door and they wanted a subscription as well. So we still were, you know, providing intelligence. It was all unclassified, all what we call it kind of open and proprietary source, but really was kind of the, we were the first to market in kind of proving the value of cyber threat intelligence. For people who might not be familiar with that term, can you kind of outline what cyber threat intelligence is, how you guys came up with this idea that it was this product that you could create and disseminate? Yeah, there are a couple of things that we wanted to track.
Starting point is 00:35:37 The first was what were the threat actors doing? So that was kind of the collection side of the equation. Were they researching vulnerabilities against particular systems? Were they releasing vulnerabilities? So, you know, were they talking about targeting someone for political reasons or for, for criminal reasons. So there was a collection aspect or kind of a human element of understanding the threat actors
Starting point is 00:35:58 and what they were doing and the capabilities that they were bringing. And then there was the what I would call kind of the knowledge aspect of it, understanding the totality of the systems that were out there at the time and tracking the vulnerabilities associated with those and making customers aware of the fact
Starting point is 00:36:16 that if you were running Solaris with this version, that there was an active vulnerability that could be exploited that needed to be patched. So it really was kind of an early version of almost inventory management, of letting them know when there were issues around the operating systems or software that they were running. And then the other piece of that was collecting information on the incidents that were happening and anonymizing those and disseminating that out to other folks in the sector. So if I'm a bank and I suffered an intrusion, you could share with us some of the
Starting point is 00:36:50 details around the intrusion, and we could anonymize it and we could share it with other folks in your sector and thus kind of improve the collective defense of the financial services sector. And, of course, you would get the benefit of getting that information and intelligence around how your peers are being attacked so that you could better defend yourself. So really, we were doing, you know, the anonymized information sharing element of it. But today, the environment has continued to grow. Obviously, they've advanced the capabilities in all of those areas. Now some threat intelligence teams do internal organic research.
Starting point is 00:37:25 Some will buy vulnerabilities off the market to understand what the research community is doing. So it's become a lot more robust. But back then, those were the primary focus that we had. And how, to me, it seems like a monumental effort, because you're, the one, you're talking about actually going to these forums and these hangouts and these places online where they're talking, right, so that you're gathering that intel. You're also getting people to send you, like, reaching out to anybody who got breached or got hacked or whatever and having them send you stuff. So you've got to be in constant, like, reaching-out mode. Because there aren't main, there aren't pipelines. There's not, like, a Patch Tuesday, I
Starting point is 00:38:13 imagine, going on at this point in time, right, where you're finding out about these common vulnerabilities, these things that are happening. So how did you guys start that type of process when nothing was there before? Yeah, I built it from scratch, you know, and I've been digging up old documents and sharing them with a colleague who is going to write, you know, some of the history around the commercial cyber threat intelligence practice. But we were building the capability from scratch, you know, the technology systems, the collection systems. I found an old memo where, you know, I was talking about the OPSEC risks, you know, where I was saying like, hey, we can't do this collection from our commercial internet point because it shows our IP and
Starting point is 00:38:55 our IP shows that it's registered to iDefense and, you know, somebody can figure out who we are and what we're doing. So I was literally, you know, for people in the D.C. area, we used to have a dial-up internet service provider called Erol's Internet. I was walking into Erol's with a couple hundred dollars cash and I was paying one year in advance for dial-up internet access just so that we could get, you know, anonymous connectivity into some of these forums. It was primarily Usenet, IRC, and mailing lists that we wanted to be able to monitor for activity. That's amazing. You know, because there are so many things out there, tools out there now to allow people to find these things and do these things. But I can't imagine the effort you put into it to create these first tools
Starting point is 00:39:38 in order to stand this whole thing up. Yeah, it was a lot of fun. It was a lot of manual research, too. I also surfaced a memo where it was like, okay, you know, oh, crap. It was a combination of, you know, hooray and, oh, shit. We had sold our first subscription. We actually sold it for a million dollars a year,
Starting point is 00:39:55 so it was a pretty high price point, to a very large U.S. bank. And I remember there's a memo I wrote for the team that's basically like, hey, we haven't automated all this stuff yet. I mean, it's going to be a shitload of effort, you know, almost like it was like a 24 by 7 watch plan with responsibilities. So-and-so is doing this. So-and-so is doing that.
Starting point is 00:40:13 By 8 o'clock a.m., I need it on my desk for review. You know, we were really building the aircraft during takeoff. But it was a lot of fun. And, you know, we were really innovating at the time. It was an emerging field. It's kind of the ultimate entrepreneurship to create something, a commercial capability in a field that didn't previously exist. Yeah.
Starting point is 00:40:35 And so then what sort of happened with you guys next, with you next, and sort of with the overall cyber world, cybersecurity world. Yeah. So, you know, with iDefense, I was one of the founding folks. I was head of intel, created the product, you know, sold the first customer, but was not the CEO or the CEO. And for me, it was a valuable business lesson. I won't go into details. But, you know, I learned some stuff about business ethics that I didn't want to emulate.
Starting point is 00:41:06 So I ended up leaving iDefense and joining a small group of hackers that were friends of mine, including Erik Bloodaxe, who I mentioned, you know, Chris Goggans, Bob Stratton, and others. And we had a little commercial red teaming company. And we started going out and doing the same types of things that I had been doing against the Department of Defense, but doing that against the private sector and having the same types of success, demonstrating that the banks were vulnerable, the power grids were vulnerable, the gas company was vulnerable. It was, you know, one of the early kind of commercial red teams. Now, red teams had existed. And Chris himself had actually started a company years prior that
Starting point is 00:41:48 hadn't been successful, but people were out there doing the work. But we banded together, you know, a unique capability, went out and did that. We ended up in this weird, you know, cycle of we got acquired by Cylink, which was a link encryption company that was run by the former deputy director of the NSA. They were a publicly traded company that was selling product. And when they bought a services company, the market didn't like it. So six months later, they sold us to somebody else. And it was just kind of this chaotic ride. I ended up leaving there and focusing my attention on a company that I had built as a hobby that I felt like there were some real legs to. And that was a company called the Terrorism Research Center. The TRC actually got created in 1996, even though I was
Starting point is 00:42:34 actively working at SAIC. I got special permission from the CEO to build this commercial entity. And it was a result of the fact that myself and two colleagues, Neal Pollard and Brian Houghton, we wrote this paper on information terrorism. And it was the first peer-reviewed academic published paper on the topic. In fact, we called it Information Terrorism: Can You Trust Your Toaster? So I've been forever introduced at conferences for the next 25 years as the toaster guy. We got it into the Terrorism and Political Violence journal at St. Andrews. We submitted it to National Defense University, that was running a contest called Sun Tzu and the Art of Information Warfare. And we won the Sun Tzu Award for that year.
Starting point is 00:43:20 So NDU put it in a book. And we decided that we wanted to do more collaborative research and wanted to publish a follow-on to that paper. And we couldn't find a place to do it. So we said, hey, let's create our own think tank, let's create a virtual think tank, which at the time was unheard of. So we created a website and we created a public-facing site to publish the research, and we created a back end that allowed for us to communicate with colleagues around the world, because even back then Skype and these other technologies didn't exist.
Starting point is 00:43:50 You know, trying to talk to somebody was a long distance phone call. So we created this collaboration environment. We started publishing research and people started coming to us and saying, hey, really like the analysis you did on this topic, can I pay you to do analysis on this particular issue? And then we would get police departments and counties coming and saying, hey, could you build us a custom terrorism awareness training course? And we would start doing that. I had a couple of other ideas that we had grant applications out for. And, you know, Brian had gone off to get his PhD. Neil was going into work in the intelligence community. So I said, you know what? I'm going to
Starting point is 00:44:27 I'm going to make this my full-time job. I think that there's some legs here to build a real commercial company around this, you know, hobby company. So I quit and that's what I did full time. I ended up building and operating the Terrorism Research Center. And how long did you keep that going for? And what were some of the highlights of that? Yeah, we had a lot of great highlights. And we had, you know, great programs and things that we were doing prior to September 11th.
Starting point is 00:44:56 So we had real credibility, you know, where people understood that we weren't opportunistic. This was a real issue that we were focused on. So we had multiple elements of the business. We had the research side that was doing classified and unclassified research and analysis to support the private sector, unclassified agencies, and classified government entities. We had a global fusion center, which really was the next generation of what I had built at iDefense. But instead of just doing cyber threat intelligence, we combined the kinetic or conventional threat intelligence.
Starting point is 00:45:29 So physical risk factors and things that were happening from a geopolitical perspective. And in that, we built a 24 by 7 basically, you know, it was early warning. Again, all unclassified, what we called the open source and proprietary source. So we had source networks that we operated in regions that would collect intel and send it to us. And then we served as Tier 1 crisis response. So if you were an employee of a company and there was a terrorist attack in the city that you were visiting on business, It was our fusion center that you would call first to get situational awareness, and then we would invoke the escalation path within your company, you know,
Starting point is 00:46:07 depending on what it was. So we're doing that. We had a very active training program, as I mentioned. It's really diverse business. And then September 11th happens. And those programs that we were operating on shoestring budgets for, you know, NIH National Institutes of Justice and places like that, all of a sudden now the U.S. government wanted to just accelerate them.
Starting point is 00:46:32 The intelligence that we were collecting, the training programs that we were running, we were doing something that we called the Terrorism Early Warning Group. It was a capability we had helped build out in L.A. County to do all-source intel fusion, but what we called pre-incident planning as well. So if you look at Los Angeles, you can say, well, what is a viable target of attack? Okay, the Staples Center is. I guess we don't call it the Staples Center. I don't know what it is today.
Starting point is 00:46:57 SoFi Center or something like that is a target of attack. Well, if there's an attack there, the incident commander is gonna need this type of intelligence. How much of that can we re, can we pre-compile into a playbook? So we'd create these playbooks around all these contingencies, but then we would also do the threat fusion that combined law enforcement, it combined emergency EMS,
Starting point is 00:47:17 it combined the private sector, combined some of the military folks around understanding what threats faced LA. We were in the process of expanding that capability to six cities in the U.S. when September 11th happened. And then once DHS got stood up, they came and asked us to expand that capability to 56 cities. And that basically became what was the precursor of the DHS fusion centers.
Starting point is 00:47:40 So we had lots of programs like that. Another highlight, we built and created a program called Mirror Image, which was an advanced counterterrorism training program where we basically took primarily U.S. military personnel, some intel, and Canadian military personnel, actually. You couldn't deploy to Afghanistan as Canadian military personnel without taking our training. But what we did was we took the good guys and pretended like they had been dropped into a bin Laden training camp in Afghanistan. And we trained them to see themselves as the adversary sees them. Very innovative, became an Army Foundry class. We did just an incredible amount of training.
Starting point is 00:48:23 got great feedback from that. And that put us on the radar with a lot of other folks as well, you know, with regards to doing more advanced training. So definitely lots of highlights. Sounds almost like dark phase in the Selous Scouts training, where they used to put them in a G camp. That was like the final phase of training. And it was a turned guerrilla who was the chief instructor.
Starting point is 00:48:47 That's how it was for us. You know, we had this idea. We decided to build the training. We had access to, you know, Robert Young Pelton was a friend. I'm sure you're familiar with him. He had this guy, Aukai Collins, who actually had been in a bin Laden training camp. I read his book. Yeah, yeah.
Starting point is 00:49:03 So Aukai is one of the guys that we pulled in to help us build the training. And then we had access to some of the folks that were conducting interrogations of, you know, renditioned or captured terrorists. So we built what we felt like was a really great replica, not only of the training that they were receiving from, you know, kind of a fighting capability, but just the indoctrination and the mindset and those sorts of things. So we used to go down to the Blackwater facility and lease out the bunkhouse and the training facility down there. And we would bring people in and we'd take away their pagers and their BlackBerrys and issue them Middle Eastern garb and, you know,
Starting point is 00:49:42 make them sit on the floor and eat with their hands and read the Quran. And we'd be playing, you know, propaganda videos and all that sort of stuff. And we would train them to think like a terrorist and then actually engage, you know, in the physical training as well. You know, how would you ambush people? They would form into cells. And then on the last day of the training, they actually had to engage in a terrorist attack. And they had, you know, different targets depending on which cell you were in. So it really was interesting and kind of innovative.
Starting point is 00:50:11 We had a guy who had worked, you know, as an undercover kind of embedded person in the IRA. So he came and contributed to the training. We just had a really great cadre. It was really well received. You know, for me as an entrepreneur, it was not cheap to rent that Blackwater facility. And it was an unproven training element. And we went down there, I think the first course, we had 17 people. And I lost about $60,000, I think, to pull it off. And, of course, you're thinking, man, I don't think we can, I don't think we're going to be successful here.
Starting point is 00:50:44 You know, the economics just don't work. And we did the training over the course of a week. And then we always did this big pig roast at the end of the week where we got the kegs of beer. And it was where us as trainers, we had adopted personas as well. So nobody knew who we were. So we came out of persona, told who we were. The attendees were given personas. So they started to talk about who they were.
Starting point is 00:51:06 And I remember I had a Marine colonel who stood up and said, hey, maybe not a Marine. It might have been an Army guy. I forget. So, this is some of the best training I've ever attended, and this training will save lives. And I took that to heart and said, okay, well, you need to go tell everybody you know that you think this is worthwhile training. And then from there, we basically were sold out.
Starting point is 00:51:30 You know, we started doing deployed versions of it. We continued to rent the Blackwater facility. I think at the end of the day, I trained several thousand people through Mirror Image. That's pretty cool. I didn't know that program even existed. That's really interesting to hear. And I mean, I believe Aukai has passed away, but I mean, that would have been an interesting guy to interview.
Starting point is 00:51:51 He converted to Israel. I think he was like a, was he like Irish Catholic or something like that? Yeah, he converted. Yeah, converted, went to Afghanistan, went to a training camp, you know, lost the lower part of his leg, came back to the U.S. He was for medical treatment. He was. Yep, absolutely.
Starting point is 00:52:09 Yeah, that's where he was wounded. Was not happy with the medical service that he was getting, came back to the U.S., and then when September 11th happened, realized, you know, that maybe those weren't the people that he wanted to be affiliated with or the cause that he wanted to be affiliated with. But he was really great at kind of personifying that mindset. And of course, he had been through the training. He had been at some of the same camps that bin Laden had been at. So we used him not only for Mirror Image, but we did some custom training for local police forces too, where we basically let him serve in a Simunitions environment
Starting point is 00:52:41 as the terrorist. And he was very unconventional. I remember doing some work with some police departments where they were a little shocked, you know, with regards to the tactics that he used. So it gave them that kind of early insight into somebody who had been trained, you know, basically to have that suicide mentality, but also, you know, had some combat experience as well. Now, for you, you had spent, you know, the earlier part of your life in the cyber world. And mixing that with policy, you weren't, you know, just with a cyber. But now you're in this expanded intel world. Like you said, you guys had human networks that were bringing back intel. You were doing all this.
Starting point is 00:53:19 Did you feel like you were moving further away from cyber and just more into like the intelligence world in general and business in general? I was. Yeah. I mean, definitely from an intelligence perspective, you know, tying in the conventional security with the cyber stuff. We still would do cyber red teaming, but we'd combine the conventional red teaming with it, the physical red teaming.
Starting point is 00:53:41 And those blended red teamings were really interesting and compelling, you know. What happens when you have a, a former Navy seal that gets you access to a building and you're a hacker like me. It becomes pretty interesting proposition. Now I've got access to equipment and network jacks and all sorts of stuff. So we started doing more and more of that. I definitely became more of an entrepreneur. You know, I was building a rapidly accelerating team.
Starting point is 00:54:05 We were hiring people, you know, dealing with, you can you imagine the writing the, underwriting the insurance on something like mirror image where it's like we're going to Blackwater, renting the facility or blowing cars up to show what it looks. like we're doing, you know, we had our own arsenal of simulation weapons that we would use for the red exercises down there. So I definitely focused on, you know, kind of being much more rounded from a career perspective. I had the national security academic experience, but got it, you know, from a more managerial and contract perspective as well. Yeah. Yeah. Excuse me. So can you tell us, because that's a really fascinating,
Starting point is 00:54:43 because there is that aspect of physical penetration testing, which there are some experts in the field of, they can get in almost any door, you know, it's amazing what they can do. And how when you combine that with a cyber, what does that do to, like, the total package? Oh, yeah, it's a huge accelerator because people rely on, you know, kind of physical security as part of their IT protection strategy.
Starting point is 00:55:07 So just getting access to a facility, getting access to a network jack, you know, especially at that time, would typically put you on the internal corporate network. And then we could scan and find other vulnerabilities. We could go and leave devices behind. We were doing all sorts of kind of innovative testing at the time based on getting that physical access.
Starting point is 00:55:29 Somebody gets you into the building and then it was greenfields again. Sometimes you would encounter computer systems that weren't even locked. You know, you just hit the space bar and they would unlock and they were sitting right there in the corporate network with a USB drive exposed, you know, where we could load tooling or an internet connection where we could download tools or do whatever we wanted. So it really became kind of a fascinating aspect of it. Also, a leave behind. You could break into a facility and leave a USB drive behind or do something like that and see whether somebody in the employee population would pick it up and plug it in.
Starting point is 00:56:04 And, of course, higher probability of them plugging in the USB drive if they find it sitting on the floor next to a colleague's desk, vice if they find it in the parking lot that strangers have had access to. You know, and you mentioned something else earlier. You mentioned social engineering. And I think that a lot of people when they imagine, when they have the image of a hacker, you know, it's the hooded person sitting in a dark room doing nothing but typing on a computer. But can you tell us about the social engineering aspect of it and like how important that is? Yeah, it's hugely important. You know, most of the success as a red team or even as a cyber attacker with malintent exploits the human element. You're getting a human to engage
Starting point is 00:56:42 in behavior that advances the goal that you're trying to achieve. They're clicking on a link. They're opening a document. They're providing you with credentials, you know, into a system that they shouldn't be providing credentials into. So the human element, the human factor in cybersecurity is hugely important and continues to be exploited, you know, day in and day out. As a red teamer targeting the private sector in particular, you know, even later in my career,
Starting point is 00:57:09 we often incorporated the human element. It was, you know, the ultimate endpoint is not the computer on your desk. The ultimate endpoint is the human being that is engaging and interacting with that computer. And, you know, you can't understate the human element in, you know, the attack chain when trying to compromise an organization. Yes, fascinating. So, so you've got this, the terrorism. Can you tell me the name of the business? Terrorism Research Center.
Starting point is 00:57:36 Yeah, yeah, so we operate that. Yeah, 2016, we decide to exit the business. So we had a transaction that took place and now I was working for somebody else. I continued to do that for a couple of years. And the company continued to grow. It was interesting in and of itself, especially for your community. The individual that bought the Terrorism Research Center at the time was Erik Prince, who also owned Blackwater. So from an executive leadership perspective, I got an inside seat of what I will call, you know,
Starting point is 00:58:08 time of the acquisition was kind of the Fallujah days, and by the time I left, it was, you know, the Nisour Square. And about a year after I left, he was exiting the business. So interesting perspective there, but gave us an opportunity to tie into a whole new user community. You know, what does it mean to be cyber secure if you're Blackwater, right? There are interesting things that we're doing there as well. And then the intelligence picture and even some of the classified stuff that we're doing at DARPA and other places like that. So I spent a couple of years kind of post-transaction and then got back into the cyber threat intelligence business.
Starting point is 00:58:46 I became the COO of iSIGHT Partners, which is now the threat intelligence arm of Mandiant, which is now part of Google. So that was one where I went back in, you know, the CEO asked me to come and help build the business, wanted to kind of readjust for what should cyber threat intelligence look like circa 2009. And so we built a company that was much more robust from an international collections perspective, but also much more robust with regards to how we disseminated the threat intelligence. You know, previously, threat intelligence had been produced for a human being to read and to take action. So it was PDF reports. It was access to a database. And we started moving now more towards an API layer. You know, can we tell the machines what is important
Starting point is 00:59:33 from a threat intelligence perspective and create, you know, patch lists or automate actions, things of that sort. So we're still doing the human consumption of threat intelligence, but we're looking to automate it a lot more. Right. And how did you still have you, did you still feel like you had your finger on the pulse of cyber threat intelligence while you were, you know, while you were doing more the terrorism training stuff, the intel, the overall intel stuff? I do, yeah. Okay. Yeah, the terrorism piece, we ran a global fusion center of which we did cyber threat intelligence collection. So it was not just understanding the kind of traditional cyber threat intelligence,
Starting point is 01:00:09 but we had a particular focus, obviously, on counterterrorism. We did some really innovative things at the TRC. You know, we had penetrated some of the radical Islamic closed communities. We had, you know, drawing on my hacker pedigree, I'll describe it as having taken advantage of a misconfiguration on a server that was being used to share video files internally among some of these terrorist organizations. So if you think about, you know, a beheading video or some other atrocity, there's the raw video that was captured on the camera. That would get shared with a tech team that would do the overlay and add the
Starting point is 01:00:49 background music and do all that sort of stuff. We actually had visibility when the folks who had engaged in the raw terrorist behavior uploaded the video, we would get access to that video. So we had early warning with regards to videos coming out, but then also kind of seeing the traffic in and out of that server. So we were doing very innovative stuff. We did an open source, the report for the open source center that we called Terror WebWatch, that was our roundup of what was happening in those communities, what was important. So definitely felt very connected to not only the cyber threat intelligence community,
Starting point is 01:01:24 but repurposing some of the TTPs we developed for cyber threat intelligence into the counterterrorism domain as well. That's fascinating. So you guys were like balls deep in some of these networks. I mean, were you involved then at that point like in, I guess for lack of a better term, like targeting intelligence for the intelligence community at that point? We indirectly, yes. So, you know, we'll say, a couple awkward moments where we had people that were violating the terms of service on accessing our data only to find out that it was a front or, you know, a cut out from a consumption perspective for the Intel community. What we wound up doing was actually agreeing to license, because we created a, this is another area where my
Starting point is 01:02:09 technical chops came into play. We created what was the first relational database for counterterrorism data. We had 500 terrorist group profiles. We had an attack database where we documented not only successful attacks, but failed attacks because we felt the failed attacks were great indicators to be looking at all this stuff we were collecting from the forums and the groups, etc. We had that in a relational database, and the consumption model was not only did we push out reports, but if you were a customer, you got access to that database, so you could query, you could conduct searches, you could track particular topics. What we ended up doing for the U.S. government was creating a relay where they could replicate
Starting point is 01:02:49 that database on the SIPRNet, and we had a one-way push through, you know, I forget which contracting element, but, you know, we basically, as we updated our database, it got pushed to this intermediary, and then it went through a one-way guard onto the SIPRNet. So the intelligence community was able to access everything that we had, but without letting us know what was of interest. The terms of service violation that I had, it was basically somebody who was conducting hundreds of queries every single day against our database, and when we tracked it down and reached out, they basically said, well, we're conducting 100 queries. We really only have three queries, but we can't let you know what those three queries are
Starting point is 01:03:31 because you're not cleared to understand. So we have to generate 97 other queries to obfuscate what we're interested in. And that's when we devise this model of, well, let's just get you a raw copy of the data for use on classified networks. Fascinating. And one of the things that a lot of people fail to understand
Starting point is 01:03:47 is how hard intelligence correlation, and even a database, was for, you know, in that sector of the world because of the English transliteration of their names. And it was different everywhere. You know, the naming conventions. So you might be searching for, you know, Muhammad. Well, even looking at Osama bin Laden, how many different ways people have spelled his name. So how did you guys rectify that? So did you come up with a standardized form for, standardized means for the transliteration?
Starting point is 01:04:20 Yeah, it was a relational database so we could basically store all forms, you know, all variations and allocate it to a single record. I had the advantage, you know, this is one area where the guy who was my deputy on my coalition red team back in the 90s was a naval officer in Canada. And he went on to get his Ph.D. in knowledge ontologies. And he actually came and lived with me during this TRC period for a period of time when he was doing his Ph.D. research. And that's when we sketched out, you know, and like I said, when I say it was early form of a knowledge base, we really were, you know, from a relational knowledge base perspective out the gate very early. He helped us actually confront some of those issues where we were able to build some resiliency into the data we were collecting, how we were storing it and the way that we were able to search and present that to folks that had access to it. That's fantastic.
Starting point is 01:05:15 Yeah. That's fascinating. Yeah. It was a weird blending of, you know, we knew each other as hackers, and, you know, he went on to pursue this Ph.D. when in the private sector. He ended up actually as like the number two in charge of critical infrastructure protection in Canada. A few years later, then wound up as the, I think the chief technology officer at Bank of Montreal. So, you know, he had an interesting career trajectory as well.
Starting point is 01:05:39 But we first met. He was a naval submariner that got detailed to my hacking team. We became good friends. When you get sequestered in an 18-wheel tractor trailer in Blandford, UK, where you get locked into the pub at your hotel, you develop close relationships with people. Yeah. So then you move on to, do you say Mandiant?
Starting point is 01:06:02 You moved on to the cyber. Went to iSIGHT, yeah, which later would be acquired. So I spent some time there building that team. And then I ended up leaving, I call it my back to the future company. I was really frustrated with the state of red teaming in the private sector in particular. I felt like we had kind of shifted to the lowest common denominator. We had all these automated tools. And if somebody wanted a red team, they would just go run the tools and they'd hand the client a 300 page report. And, you know, I was really a true believer in
Starting point is 01:06:34 that you needed to understand the threat actor intent and the threat actor TTPs. So I decided to build a special purpose red teaming company that did what we called adversary emulation. If you are a bank and one of your top threat actors is a Russian organized cyber crime with the intent to steal money from your bank, we would replicate the TTP, the decision trees, the attack tree related to attack chain, kill chain, related to achieving that objective. And we would also operationalize the attack. So we would actually steal money from your bank and we would see whether you detected us or not. And if you detected us, we'd see how efficient you were in understanding the level of compromise and what we were trying to do on the network. So we really built what was a very advanced red teaming capability that broke ground in a couple of ways.
Starting point is 01:07:26 One, we brought the threat actor perspective back into the equation, but then we operationalized the attacks. Now when I would go brief a board, and I had made that mistake earlier in my career where you would run scans and I'd go brief a board of directors and say, we found 50 high-level vulnerabilities and 75 medium and 100 low. In the next quarter, you go and say, we only found 45 high-level vulnerabilities. And the board says, so we're more secure. And the answer, of course, is, you know, well, maybe, but probably not. With the FusionX team, I could go and say, we were emulating sophisticated Russian
Starting point is 01:08:01 organized crime with the intent to steal money from your bank. Here is the attack surface that presented itself. Here's how we exploited it. Here's the decisions that we made. Here's how we avoided the detection of your team that you're paying a lot of money to detect the activity. And here's where we took 10 million out of the bank undetected. And you know, you determine, you know,
Starting point is 01:08:21 would we take 100 million, 200 at what level? Would you actually detect the threshold? Now the board of directors really understands what's at risk. We've contextualized it for them. And they would allocate appropriate dollars to remediating or removing some of that attack surface. So we built a special purpose company that that's all we did. We did, you know, day in and day out for
Starting point is 01:08:43 largest companies in the world demonstrating how a real threat actor would target and exploit them. And then we had a small incident response component as well. As people would get compromised around threat actors that we really understood, we could go in and provide that perspective. You know, well, if it was us targeting you, here's what we'd be trying to accomplish. And here's where we would go next. And we could help them prioritize their incident response. How did you sell that? How did, because there are now, you know, there are so many red teams out there now, so many companies that do that. And, you know, there are a lot of great people, but there are also companies out there with a bunch of people with just Kali boxes who are just running automatic systems.
Starting point is 01:09:23 How do you set yourself apart in that world? Yeah, part of it was, you know, the early sales were definitely based on my network and my reputation, where I could go to the head of security for a large global bank and say, hey, I know you're doing red teaming. Give my team a shot. Let me show you how much better our approach is. I used to joke with a team that my mouth wrote a lot of checks that they had to cash. Because I would go in and say, look, we're going to steal money from your bank. Give us a shot to come in and do it. And then I hired the absolute best people.
Starting point is 01:09:59 Of course, I had an incredibly strong network. I knew the best hackers in the world. So I only hired a team. So we really established ourselves in the market as no junior engineers, all senior folks, really incredibly capable, a blend of private sector, military intel capability. But it was a challenge. We encountered a lot of friction around operationalizing the attacks. Banks don't like it when you take money out of accounts.
Starting point is 01:10:25 Stuff like that that happens. You know, the CEO of the oil company, you know, says, hey, I guarantee you that you can't cause oil, you know, refinery lines to overpressurize and pop. And we'd have to go demonstrate that we could actually do that. So it was, you know, really through the demonstrated capability, we established a reputation. Once you have those early successes that blow the top off what everybody else has been experiencing in the industry, the market kind of makes itself. You know, the bank CSOs talking to the other 10 bank CSOs and they all say, well, I want
Starting point is 01:11:02 some of that in my network. You know, I need to engage with these guys. Yeah. So once we had the early success, it was based on my reputation, kind of this new approach, providing a new perspective, contextualizing what was at risk. That was a big piece of this, being able to get executive leadership to understand what the risk was to the organization. I remember one red team we did where it was a Fortune 10 company. I had been briefing the board of directors.
Starting point is 01:11:29 The board of directors had their list of risks for the company. And cyber attack was number seven on the list. And I asked the board, I said, give me three things that would be catastrophic or consequential, meaning you'd have to report it in your quarterly SEC filings, that could happen to the business, non-cyber related, just tell me bad things that could happen. And so they gave me three scenarios. And the next quarter, we went and accomplished all three of those scenarios through a cyber only attack.
Starting point is 01:12:00 Well, guess what? Now, all of a sudden, cyber goes to the number one risk for the board of directors. They're thinking, oh, man, we haven't been spending enough money. We have some liability associated with our negligence in this space, they start buying the tools and hiring the staff that they need. So that contextualization, you know, really added value as well. Sure. Sure.
Starting point is 01:12:21 And then I don't know if this is what you were talking about earlier before the show we were talking, but you said at a certain point, you realized that you were in the management. You were in the campaign management phase now. Yeah. Yeah, I became a really good campaign planner in that I could tell you what adversaries would want to accomplish and how best to accomplish it. But my hands-on keyboard skills had naturally atrophied. In fact, as we were talking before the show,
Starting point is 01:12:49 I used to try and assign myself to a team every quarter where I could deploy and be part of the red team and then realized I was slowing them down because they were having to explain to me what was happening. So that really is building great teams and having the trust in the team to execute and realizing that my value is really on helping these executives in our customer base understand the risk,
Starting point is 01:13:15 develop action plans around the risk. And then with my own teams, I was really good at doing what I called the campaign planning. You know, here's how we're going to target this organization. With a lot of the companies we worked with, we did red teaming with them for four or five years in a row on a recurring basis. So there was also this aspect of what I called out-innovating the attacker.
Starting point is 01:13:36 We would have to figure out, you know, this enterprise is pretty secure. We know that they're going to continue to be targeted because it's where the money is or it's where critical infrastructure is. How would we have to innovate in order to attack this entity? And that's where we started adding in physical security assessments, you know, into the FusionX methodology. We started adding in supply chain. You know, it's amazing what happens if you ship a company an HP printer and, you know, it just goes to the receiving department with a letter that says,
Starting point is 01:14:07 thanks for being a loyal HP customer. Here's the latest model of our printer. It's yours to keep. All we ask is that you fill out this survey after 30 days. Two findings came out of that. One is nobody fills out the survey. Shame on them. Number two is they don't ask, why did I get this printer? Is it really from HP? They say, who asked for a printer? And they put it in a list and it gets deployed in the enterprise. And well, guess what? Once they plug it in the network, you know, that's a printer that we've pre-owned. It's running our version of firmware. It's connecting out to us after a period of time. We did that with printers, other supply chain elements.
Starting point is 01:14:40 We did it with mobile phones to executives. I remember sending executives' mobile phones. And if they had a large Twitter following, saying, you know, hey, you're an executive influencer. We'd love you to understand the latest Samsung phone. We'd send them a phone that we had pre-compromised. So we started just doing really innovative stuff like that, where we were blending supply chain and physical and cyber attacks together.
Starting point is 01:15:04 That is incredible, and scary. And does anybody ever turn down a free phone or free printer? No, not in my experience. It's definitely one of those areas where, you know, people like free stuff. And the phones, we did have examples where the executive that we sent it to did not use the phone, but they gave it to somebody else in the organization and that person used the phone. Wow. Wow. And then along the way, you know, in this period, I'm doing a lot of other stuff as well. I'm a special government employee to the Department of Defense.
Starting point is 01:15:43 2010 to 2013 as we write the first cyber strategy, trying to address some of the workforce issues, teaching at Georgetown, a flagship information warfare and security class, of which I put about 600 students in the course of 28 consecutive semesters through that class that created what I feel like, the backbone for the next generation. In fact, the Cyber Warcon day that we were both at last week, I had three prior students, you know, just come and get me at the happy hour and say, hey, I was a student of your class. You know, your class is what got me into the field. So trying to be very active in the community and mentor and identify that next generation. And then also active with conferences like Black Hat.
Starting point is 01:16:27 I'm on the Black Hat Review Board. So I'm helping select that next generation of research. So maintaining, you know, not only the commercial aspect, but the community aspect of cybersecurity as well. What would you say? Because, you know, they talk about this big skill gap in cybersecurity right now, that there aren't enough people to fill the positions. What would you say to people, whether they're younger or, you know, older in life transitioning, like what are the best avenues to get into cybersecurity? Yeah, there's so many free resources out there that I'll always tell people, you know,
Starting point is 01:16:59 depending on what you're interested in, you can go, you know, engage in a capture the flag type class or contest. If you're a student, you can do CyberPatriot, you know, other contests like that. You can do some of the, you know, the cyber threat intelligence challenges or programs out there. So the self-learning aspect of it, I think, is really important. So many books, so many websites. I always prioritized when I was hiring people, the person who had the basement lab that would tell me like, oh, I built these systems. I hacked myself. I did this. I did that. Best interview I ever had at the FusionX days, the guy came in. And we always did a round robin and a highly technical element of the interview. And then we had a test that they had to
Starting point is 01:17:46 take and, you know, various things of it. We had one guy come in one day and he's like, oh, hey, you know, look at this. So I captured this Chinese zero day, right? So an unknown exploit, and I reverse engineered it and I weaponized it and I wrote my own code, and look, it targets these types of systems. And I kind of looked at my CTO and like, yeah, this guy is hired, right? He's doing the work at home, right, to reverse engineer the Chinese zero day and weaponize it, you know, for use in a safe manner, right? So he's kind of figuring out how to deploy it safely in a red teaming perspective. So it's really go out there and learn. There's, you know, I think we've gotten better, but the cybersecurity community did a lot of gatekeeping in the early days.
Starting point is 01:18:27 And I think we've moved beyond that, but recognizing that there, you know, it doesn't matter what background you come from. There's entry level skills that you can acquire. Taking advantage of the veteran workforce, one thing I did at Black Hat is I created the transitioning veteran scholarship program. I did that grassroots. I paid for it myself the first year, brought two guys that had recently exited the military that were interested in cybersecurity out to Black Hat, got them into the training for free, invited them to parties, helped them network. They both got in the field. They did it the next year.
Starting point is 01:19:01 I think we did four passes. And then Black Hat recognized that it was valuable enough. And now every year we do 20 passes, right? So that's just a small drop. But recognizing that there are skill sets that exist out there, either intellectual capacity, leadership capacity, that can translate to providing value in the cybersecurity community, you don't have to be an elite hacker
Starting point is 01:19:23 in order to have a career path here. Yeah. You mentioned another interview you did. You mentioned a story of the Africa, the Spycraft, was it Spycraft? That was the bycalf. Spyscape, I think. Yeah.
Starting point is 01:19:42 Can you tell that story? Do you mind telling that story? Yeah, yeah, I definitely can. I still haven't listened to the full Spyscape interview because it's so overproduced that I'm like slightly embarrassed. Don't worry. Nothing is overproduced around here. Sorry. Yeah.
Starting point is 01:19:57 Yeah. That was an interesting one where, you know, it was a resource in Africa that was potentially for sale. Chinese government had penetrated into the parent company to get data around the elements of the sale, you know, what it would be sold for, et cetera. We had detected that. We had polluted the information environment a little bit, you know, without doing anything wrong from a deception perspective. If they're downloading a spreadsheet off the company's internal network, which they shouldn't be accessing, that has bad data, well, that's on them, not on us. And it turned out that the transaction kind of fell apart. They decided not to pursue the sale of this resource. And a little while later, we started getting, they started
Starting point is 01:20:47 I said we, the client, you know, kind of the broader team started getting the call kind of, they were, it was extortionist style emails that were coming in anonymously. And the emails contained documents and insight that were derived from inside the network in this resource in Africa. And of course, this launched an investigation with regards to, well, you know, who is doing this? How are they getting access to the documents? It really became one of the more fascinating case studies, I think, in investigations that I've participated in in the private sector, in that we were able to, A, because they had come in via email, we were able to interact and do some very elementary web bugging, you know, and things of that sort to determine the IP address of the person that was communicating with us.
Starting point is 01:21:37 And then we did the analysis on that IP address. We didn't know at the time, you know, we knew it was DC-based. So we started doing war driving to see are there coffee shops that have an open connection to the internet that are issued that IP. We started correlating it with what I would call, you know, all sorts of alternative source data, is that IP address connecting to other services. It might have identity information. And finally, we got a hit. But the hit in of itself was an anomaly in that the hit, you know, was at a residence, but the residents, we couldn't find any reason why they would be involved in this activity. So now it becomes a question of, well, do they
Starting point is 01:22:16 have a vulnerable Wi-Fi router? And we've got a Mr. Robot type scenario where somebody's hacking into their Wi-Fi, and that's why the IP is showing up. And it turns out that when we expanded the investigation to look at other affiliated people with this address, we found somebody who did have that relationship with an entity in China that was suspicious. And it turns out that that was the perpetrator of those emails. And the irony of it was that the relationship between the person sending the emails and the person who actually had the residence was an in-law relationship. They basically were engaging in this malicious activity while they were at the in-laws to try and cover their tracks, which I thought was kind of an asshole move from the get-go.
Starting point is 01:23:04 So we started building, you know, all these different pieces. We knew who the actor was in the U.S. We knew who they were communicating with in China. And then we started monitoring with regards to this resource in Africa communications, and we found a link out to the person in China. And that created this kind of investigation around, okay, who is this person that for some reason has this connectivity into what we had also identified through other channels as an intelligence operative for China. So now this is nation state, you know, industrial espionage
Starting point is 01:23:40 type stuff. In investigating the individual at the organization, we found out that they were actually child pornographers, and that was the catalyst that the Chinese had used, right? That was the blackmail element that they had used to get them to obtain these documents and share it with them. So at the end of the day, we unraveled what was really just a really interesting Chinese intelligence operation where they had compromised an individual inside the company that had access to documents, had gotten them to share those documents. They had what was primarily a monetary relationship with an individual in the U.S. where they were being highly paid in another capacity and were using them as a proxy
Starting point is 01:24:21 for this whistleblower-style campaign. And the sole intent of all of this activity was to make this asset in Africa a nuisance so that the parent company would come back to the negotiating table and would sell it to what was, you know, obviously when you're dealing with Chinese companies, you have the state relationship as the de facto. It was, you know, a Chinese state-owned organization that was trying to buy this resource. That's just a great demonstration of kind of how deep entangled the web can become, but also the way in which these operations play out, you know, in something that seems as simple as trying to buy a resource in Africa. Yeah, that's fascinating. Can you tell us a little bit
Starting point is 01:25:04 about war driving, that's not something that's talked about much? Yeah, it's not as common. Yeah, I mean, war driving and basically we all are dependent on these wireless networks that exist and those wireless networks for the most part are broadcasting. You know, hey, I'm a network here. I exist. I'm, you know, require a password to authenticate or maybe I don't. And in war driving, all that you do is you just go out with the RF signal capability to
Starting point is 01:25:34 collect all of those access points. You're documenting, you know, where those access points are, what type of authentication they require. And, you know, you just move around the city or the area that you're in. Back in the early days, we have, you know, I have actual video of myself, when wireless first came out, myself and Chris Goggans, I've mentioned a couple of times, for CBC TV out of Canada. They came and did a piece where we war-drived around Washington, D.C. and found wireless networks. Of course, all around government buildings and at National Airport, you know, etc. And the idea is that, you know, you can identify vulnerable networks.
Starting point is 01:26:15 You can identify open internet access points where now I can connect to your Wi-Fi. And because you haven't protected it, I can engage in illegal or other activity and kind of use you as the proxy. So when the FBI does the investigation as to who targeted this organization, it comes back to your IP address for your home Wi-Fi router, not the actual perpetrator of the attack. Matt, I have a quick question for it. Well, maybe not a quick question. I should say that. None of these questions are quick.
Starting point is 01:26:43 But you mentioned it early on in your career first starting off about how DOD systems were pretty wide open. We haven't really talked about whatever offensive capabilities DOD may have. But I was wondering if you could speak a little bit about the progress that has made that we all hope has been made since then. Now there is Cyber Command. Cyber is being treated as a domain along with air sea land and space. I just wonder if you could talk a little bit about where we are today. Are we better prepared for both defensive and offensive operations in cyber?
Starting point is 01:27:18 Yeah, absolutely. And I think, you know, as somebody who actively has worked in the classified domain for, I guess, 27, 28 years now, it's a difficult conversation to have. But I say, you know, we can look at open sources and identify that we've become much better at offensive operations and we'll use them against a variety of targets, whether it's a Russian troll army or even law enforcement. I think the FBI director disclosed in testimony in the past week or so that the FBI has a capability in offensive cyber operations. So I think it's safe to say given our capabilities in the U.S. it would be one of the top offensive cyber operations players
Starting point is 01:28:00 that exist out there, for certain. We've definitely come a long way. Where I think we have challenges that still exist is the context in which we're willing to use those operations or which targets are important enough. And this is something I actually confronted early in my career. I walked around the Pentagon. I'd have to look at the exact date, but I mean, it was, you know, over 20 years ago, where I was making the argument.
Starting point is 01:28:31 I had come out of this DOD red teaming pedigree and understood some of the what I would call kind of the black bag of cyber tools that we had. And the frustration that I had is in an operational DoD context, we never were facing an adversary that justified the use of the tools that we had built. And the reason why is that obviously these were vulnerabilities that were not disclosed, there were capabilities that were not disclosed. The first time that you use them, you're disclosing the capability. And now it can be analyzed.
Starting point is 01:29:02 It can be reverse engineered. It can be protected against. And we kept running up against this barrier that I called where there never was a target that was important enough to justify use of the most classified tools. And that was a huge point of frustration for me. To the extent I walked around with a presentation that I called Kill with a Borrowed Sword after the Chinese stratagem. So it took a great pride years later when Tom Clancy and other authors started keying in on that phrase, where I basically argued for operations going into Iraq after September 11th, there were things that could be done through a cyber non-kinetic means to take critical infrastructure down that could be accomplished with completely unclassified tool sets.
Starting point is 01:29:46 So what I would love to see is kind of more use of cyber tools in accomplishment of conventional kinetic objectives, degradation of infrastructure, et cetera. And of course, my pitch back then was I can take this telecommunications infrastructure down, I can take this power grid down, but it's a soft down. When I want it to come back up, I can bring it back up. I haven't physically destroyed it. So I would love to see us, you know, adapt and use greater capabilities there as it relates to targeting critical infrastructure for some of these traditional military campaigns. Is there any fear of like mutually assured destruction in the sense that like let's say today if we were to use some of these classified cyber weapons we've developed on Russia in regards to the war going on in Ukraine, that the Russians might retaliate in kind. I mean, does MAD exist in the cyber warfare spectrum? That's an argument we have all the time in academic circles. And it has probably been
Starting point is 01:30:46 50 Atlantic Council panels on deterrence in cyberspace and the kind of the mutually assured destruction component of it. I think, yes, that risk does exist once you escalate into targeting critical infrastructure. Now you've opened the gates for your infrastructure to be targeted. And in the United States, I would say we are incredibly vulnerable, but also incredibly dependent and less resilient. So it does create a little bit of an asymmetry there. You know, you take down a Russian power grid and they'll say, okay, well, you know, drink more vodka and eat more potato soup. You know, you take down a power grid in the United States and we're shooting each other at our door stops, right? So there's a, there's a resiliency
Starting point is 01:31:31 component to it where it makes you hesitant to target critical infrastructure. For me, I think one of the key transition periods was when the U.S. and others allegedly, I guess we still need to say despite the academic and other body of knowledge around Stuxnet, targeted what could be considered critical infrastructure, but from a counter-nuclear proliferation perspective in Iran. And I actually wrote a really quick essay at the time that basically put U.S. critical infrastructure on notice and said, hey, guess what? The game just changed.
Starting point is 01:32:08 We are showing that from a national strategic perspective, again, it's a righteous mission, nuclear nonproliferation, we're willing to engage in cyber attack against critical infrastructure. Guess what that does. It means that critical infrastructure is a viable target in the United States. And I think if you went back and I don't know that anybody has, it'd be useful. If you went back and looked at that as an inflection point, you would probably see a shift towards more targeting of civilian infrastructure by nation-state actors, you know, once that gate was open. This was the big question after we killed Soleimani, who's a uniformed Iranian general. Does that open up the door?
Starting point is 01:32:46 Does that mean the Iranians can now target our joint chiefs of staff as a viable military target? Those conversations are ongoing, right? Sure. Those threats are ongoing. Yep. Yeah, that was the Olympic Games and the Stuxnet operation, I feel, was a real shift from a critical infrastructure protection perspective and that infrastructure was now a viable target from a national strategic perspective. And what about, I'm sorry, go ahead, Matt. Well, I was going to say, that's something I've written and talked about a lot as well, right? Critical infrastructure is a viable target, but this recognition of what I call time shifted intent, we always look at critical infrastructure and we say, okay, if the Chinese or the Russians or, you know, pick your threat
Starting point is 01:33:31 actor with capability, wanted to target that infrastructure, that they would target it in order to take it down within the same time frame, you know, the frame being a period of time. And what I always argue is this concept of time shifted intent where an adversary can be targeting our critical infrastructure and compromising it right now without current intent to degrade or deny access to that infrastructure, but they have future intent. Right. I use an analogy a lot when I'm speaking in public where I say, you know, if you were the president going into World War II and somebody came and said to you, you know, hey, Mr.
Starting point is 01:34:10 Mrs. President, you know, we have the capability to clandestinely put explosives in German ball-bearing manufacturing plants. And we can do it without attribution. We don't ever have to push the button. But if we wind up in conflict with them, you know, pushing the button, you know, pushing the button would degrade their military capability and it would save American lives. Do you do it? Any realist is going to say yes. You have to flip that and say our adversaries are looking at our critical infrastructure the same way. We can compromise it now without current intent to deny or
Starting point is 01:34:39 degrade it, but recognizing that there might be a future scenario in which having that capability would be strategically advantageous. And one thing that we as a community have a hard time wrapping our head around is that type of attack looks very different from the types of attacks we're used to thinking about. Right, right. They'll get in a system or they potentially could get in a system and just sit there and give no indicators of compromise, just hang out until they deem it's time to do something. And even take the risk of not wanting to beacon out for, you know, that they might lose access to the system, but the beaconing might be such risky behavior that they're willing to forego that because they want to maintain the capability in the future.
Starting point is 01:35:22 So I use that. I call it time-shifted intent as kind of the nomenclature used to get people to understand that concept. Go ahead, Jack. I was just going to say on that note, from a defensive aspect, I mean, the way you were talking about it earlier, in the 56K modem era, it sounds like a lot of our systems were really wide open. I was wondering if today, whether we're talking about DOD, Pentagon, or critical infrastructure, do you think we're in a better place today? Are we better protected than we were 20 years ago, 25 years ago? Absolutely.
Starting point is 01:35:56 I mean, DOD is much better protected. You know, we've had the resolve and made the investments to protect that. Obviously, nothing is perfect. But in that environment, there's been great strides. Critical infrastructure as well, although I think critical infrastructure is variable. Financial services, I think, have made great strides, invested a lot of money. When you look at more conventional infrastructure, oil refineries, power grids, etc., I think you would find them to be not as resilient and maybe a bit more vulnerable.
Starting point is 01:36:27 I was going to ask you about that because you can go to a bank and show them the monetary cost of not locking down, right? And they can look at other banks and go, oh, we're not locked down. But now with sort of the internet of things with the industrial control systems and things like that. How do you go to like Colonial Pipeline or go to somebody else? You know, how do you go to a piece of the infrastructure and say, hey, these systems that were put in in the 1950s, 1960s, 1970s, and really now you just run wires and they haven't been upgraded. They're not secure. And you've got to pay a lot of money, but you're not going to see any return on that money. Yeah. Yeah. That's the challenge of the cybersecurity community right now, right? Is that,
Starting point is 01:37:17 Security is viewed as a cost center despite the fact that, you know, a security incident would obviously be consequential to the company. Right. So there's an education aspect of it. And I think red teaming has a great role to play in that. I mean, with FusionX, we demonstrated that capability to some executive teams that changed their perspective. They're like, oh, geez, you know, we always dismissed the potential for physical consequence from a cyber attack. And now you've demonstrated that physical consequence is actually a, you know, can be resultant from a cyber attack. So it would change their perspective and get them to
Starting point is 01:37:52 invest the money. But part of it is, you know, we modernized that infrastructure and connected it to networks in very insecure ways. So, you know, we were able to provide for a lot of advancement to get better telemetry, better management, you know, an engineer no longer needs to go turn a dial or turn a valve manually. They can do it remotely via computer. But along with that, you know, that acceleration of technology and convenience and modernization, we've introduced a tremendous amount of vulnerability. My fear on a go forward basis is we keep making the same mistakes over and over again. How are we securing autonomous vehicle systems?
Starting point is 01:38:32 How are we securing AI systems? How are we securing blockchain systems? There's so many lessons learned as we build and develop and innovate new technologies that can be adopted from a cybersecurity perspective, but we always rush to market. We don't take the time to think about how can we do this in a way in which security is given a priority or given at least a seat at the design table. Right.
Starting point is 01:38:56 Do you see that on our horizon where security, like the security protocols are taught along with the coding and along with the engineering and that it's part of the design? Yeah, I think so. I think we're starting, you know, the whole concept of DevSecOps, having a security component of DevOps and thinking through it, the whole concept of being able to do in-line fuzzing of applications as they're developed. I think we are getting better, but we've got to go back a layer as well and think about education.
Starting point is 01:39:30 How do we teach people to code securely? I remember talking with Jeff Moss, the founder of Black Hat and DefCon a few years ago, where we were talking about, well, if you're a coder, and obviously when you run into a coding roadblock, you do what everybody does, and you go to Google. And if you looked at the top samples that were being returned from Google about how to solve
Starting point is 01:39:50 a particular coding problem, none of them were the secure examples. So I feel like there's a whole body of work in the education domain, not the cybersecurity domain, but the education around computer science and engineering that needs to be reworked to incorporate a security foundational layer to it where, hey, maybe we should prioritize returning code sample results that are actually more secure. Or maybe we should write a grant for somebody. Gosh, it would be cheap to do a grant to rewrite the top 10 textbooks on computer science to make sure that the code samples that students are being taught actually have a DevSecOps component.
Starting point is 01:40:28 They're being built with security considerations from the get-go. We're just not there yet. You know, that's the concern I have as we continue to build a new generation of engineers and experts, but without changing that foundational educational layer. Yeah. So Matt, what are you doing today? Yeah. So I have a consulting company that I run called OODA.
Starting point is 01:40:53 We do a variety of things. One, I still do direct consulting work with usually very large companies at the executive level that have a cybersecurity challenge. It usually has a geopolitical nexus. And that just means that there's a nation state element involved that they're trying to navigate. But then I do a lot of advisory work as well. I sit on boards of advisors, boards of directors for cybersecurity companies, helping them grow their capability, you know, identify and exploit new markets.
Starting point is 01:41:25 And then we run an expert community as well at oodaloop.com where we do subject matter expert-based research around innovative technologies, cybersecurity, geopolitical risk to inform executive decision making that is a combination of an independent research and analysis team coupled with an expert network of folks that get together on a monthly basis. Today we just had our OODA network monthly meeting and had a briefing from Brian Jenkins, who many might recognize as kind of the godfather of counterterrorism analysis, on kind of what does the next generation of domestic counterterrorism initiatives look like at kind of a both strategic and tactical level. And then I also do some investing. I'd like to be entrepreneurial without being the entrepreneur. I don't want to go
Starting point is 01:42:14 build another big cybersecurity company. I want to help others build their big cybersecurity company. So guys, if you need some money, you got it. If you got the, yeah, come talk to me. Yeah, if you got the next great idea. Do we got any questions for Matt? We have a couple questions for Matt. You want to check, or I can check the Patreon. Let me. I'll look. Let's see here. Okay. So we have a question from Joe. He says he digs the new Playboy Club vibe of the studio, like Hef's going to come out and have cigars with us. His question for you, Matt, do you think there's a such thing as hegemony in cyberspace, or is there a better concept that reflects the dynamic of hegemony to frame the military competition among present-day nation states?
Starting point is 01:43:17 Yeah, they took that in a direction that I didn't expect. I thought they were going to talk about the hegemony of technology, you know, and the anchor bias associated with, well, if we have a uniform system, we can really secure it, but then it's uniform and it means that if there's a vulnerability, everybody's vulnerable. I think right now, if we expand that out to kind of the geopolitical, which I think is the intent of the question, that we really are in what I would call kind of like a cyber great power struggle. And I would say it's really going to be between the U.S. and China. I don't want to discount Russian capabilities, but I think the next great power struggle in this domain, and I would broaden it to be the technology domain, just not cybersecurity, is going to be the U.S. and China, and it's going to be around the security of our infrastructure, but also the capability to innovate and access to the technologies that will allow us to innovate and drive our economies forward.
Starting point is 01:44:21 So enough that answered the question in particular, but I don't think there's a hegemony that occurs right now. I think we still are in that great power struggle between the U.S. and China. In this particular space, in this cyberspace, do you feel as though the liberties that we have in America actually hamper our ability to conduct this type of warfare? To a certain extent, yes, but I think that that's one where the trade-off is worth it, right? The juice is worth the squeeze. Absolutely. But certainly, yeah, no, I mean, obviously when you have an authoritarian regime,
Starting point is 01:45:01 the security that you're able to build into the system can be much more resilient. The consequences associated with not being secure can be more robust. So, yeah, there's definitely a disadvantage there, but, you know, it's a calculated and worthwhile disadvantage. Right. Isaac asks, he's a 29-year-old second-year university student going into computer information systems, wants to get his master's. He wants to join NSA or FBI or CIA and do the kind of stuff that you did, but he's afraid the older I get, the more my chances dwindle. Recently got fired from the help desk job I only had for six months.
Starting point is 01:45:40 That makes me lose more confidence. What can I do to increase my chances of getting a career in cyber? Yeah. Yeah, it's a very community-based field, right? There's so much stuff that happens at conferences, and those conferences are so accessible. I would say the number one thing you can do, A, we addressed one already,
Starting point is 01:46:01 which was the kind of the self-study, go and learn and build your own systems and hack into those and learn how to secure it, right? So there's a self-disciplined component to this, where if you have the real passion, you can go out and learn on your own. The other piece I always say is network. Go to B-Sides, you know, go attend these events that are cheap, that are community-based,
Starting point is 01:46:23 participate in capture the flag. If you're a student, it means that the CyberPatriot contest is accessible to you. There's lots of initiatives that you can take advantage of if you want to put the work in that will really help advance your career in this field. Yeah. Thank you, David Maynard, who is my cybersec daddy, I would say. Who would, you know, you talk about networking and mentorship. And, you know, there are people out there who are just willing to take you under their wing and help you out, you know.
Starting point is 01:46:56 Sure. He said, who would win in a fight? Rambo or Greg Conti. Greg Conti, is that what you said? Yeah. They're not familiar with you, that is. Yeah. I don't know either.
Starting point is 01:47:07 Yeah. Dave, you're going to have to help us out here. Ian, thank you so much. How did Matt find the level of cooperation with the Five Eyes? What level was he interacting with? Yeah, I found the cooperation to be great, but I would say I had the advantage back in the day of being able to do very grassroots. I mentioned it was beers and pubs. I had a budget, you know, carrot that I could dangle of, hey, let's go do this. It'll be really cool. But the level of cooperation and interaction I found to be great, you know, established great ongoing networks.
Starting point is 01:47:41 And we did some really cool things. So the Five Eyes engagement from my perspective was definitely a highlight, some of the coalition red teams I was able to build and lead. Yeah. Danny, thank you very much. Does Matt have a favorite programming language? Man, I don't, you know, I'm, I'm old school. So a lot of this stuff I learned was, yeah, assembly and then C. I always encourage folks because I've learned the value of,
Starting point is 01:48:11 of data science and machine learning. When people talk to me, I encourage Python just because I've seen some of the magic capabilities associated with that in being able to do some of the advanced analytics but can also be used for coding tools as well. So that might be one angle that I lead you towards. I would say definitely develop some capabilities in Python because it's a multifaceted language. When you were learning on the Commodore 64, what were you learning at that time? BASIC. Everything, Commodore 64 is BASIC. And then when I got to college, it was primarily assembly, Pascal, and then C. T-Barr, thank you very much.
Starting point is 01:48:52 Any thoughts for balancing security with the ease of use? How to secure without encouraging people to write down passwords, use personal devices. That's my experience in the Army. Yeah, yeah, yeah. I think we're getting there, you know, with biometrics, device-based security, you know, the fact that your watch on your wrist can now authenticate your phone. But yeah, now that is a challenge, right? If you put too many barriers, then the users are not going to enable it. We had that with two-factor authentication. That seemed like
Starting point is 01:49:23 a very simple kind of low barrier of entry. You know, let's enable it. And then you'll have this six-digit code that you'll have to type in every 30 days, but that seemed like it introduced enough friction that a lot of users didn't want to incorporate it. So our real challenge with security is to make it as transparent as possible. And I would say to build more autonomy for the individual users, kind of control over their data, their privacy. A big proponent of what we call digital self-sovereignty. I feel like we should be building technologies that put the data back in the hands of the users, as opposed to in the hands of the platforms and the networks that we're interacting with.
Starting point is 01:50:01 So I think, you know, over time, hopefully we'll migrate towards those models, but really it is a matter of how low, you know, how much security can we add and keep the friction as low as possible. So where can people find you now? Yeah, yeah. Yeah, you're doing podcasts. You've got OODA. What else are you doing? And where can they find you?
Starting point is 01:50:24 Yeah, I mean, oodaloop.com is where I publish, you know, all of this, whenever I'm writing about a particular topic, cybersecurity and AI or Olympic Games or whatever it may be. I'm on Twitter. I'm on Twitter, our corporate site is just ooda.com. I mean, I have a pretty established presence on the internet, you know, so easy to connect with on LinkedIn and everything else as well. So, and always happy for the connectivity. One of the things I like about this industry is the ability to network with others and always make time for mentorship. I know it's come up a couple times, but I had great mentors early in my career. In fact, one I didn't mention when I was doing that initial research.
Starting point is 01:51:08 I had come to D.C. to speak at a conference. I got an invitation over to National Defense University, and there was a professor there who's now deceased named Dan Kuehl, and he brought me in his office and he bought me lunch, and he said, I know you feel like you are operating in isolation right now. You're all alone. Nobody is doing the same research that you're doing. You have no peers.
Starting point is 01:51:29 He's like, I'm here to tell you, just keep up with it. Keep going. Keep plugging away. There is a there there. And of course, the insight that he had that I didn't have is that he knew on the classified side all the work that DOD was doing and that eventually there would be a collision. So from those early days, I've learned to, you know, take advantage of the mentors that I've had in my life, but also to take the opportunity to mentor others as well. That's fantastic.
Starting point is 01:51:54 Yeah. Well, thank you, Matt, Rami. I really appreciate you spending your Friday evening with us. And next Friday, we're going to have Shawnee Delaney on the show, Thanksgiving, post-Thanksgiving episode. So you guys are trying to burn off some of the turkey and the... I'm coming in in sweats. Just so you know. Yeah, hoodie sweatshirts may be the deal, the six craft IPAs that you had over Thanksgiving.
Starting point is 01:52:21 Shawnee Delaney was a DIA HUMINTer. So she's really cool. I'm excited to have her on the show. So that'll be next Friday after Thanksgiving. And hope to see you guys there. And again, Matt, thank you for your time and for sharing your insights with us. My pleasure. Thanks for having me.
Starting point is 01:52:39 It was a fun conversation. Yeah, thanks, Matt. We had a great time. All right, guys. We'll see you next Friday. Thanks, everybody.