Security Unfiltered

Insights into Security Research and Internet Mapping

November 27, 2023 Joe South Episode 132

Join us on an inspiring adventure through the world of cybersecurity, as we share a cup of digital coffee with our guest, Emily Austin, a seasoned professional in the tech field. Prepare to be enlightened and intrigued by her unlikely journey into the world of cybersecurity, a detour from psychology to tech that not only shows there's no single path into the industry but also demonstrates the value in diversity and unconventional paths. 

You'll gain insights into the world of security research, understanding the importance of different perspectives and the value of effective communication. Discover the nuances of internet mapping and security research, and get a glimpse into the day-to-day life of a team handling comprehensive internet scan data. Learn how modern conflicts shake the tech industry, as we unravel the complexities of cyber warfare and the critical role played by the Ukrainian IT army. 

Finally, brace yourself as we lay bare the underbelly of tech: the increased attacks on back office software. We'll take you through the potential risks and implications of assaults on file transfer tools and shed light on how these attacks are affecting enterprises and regulated industries. This episode is a thrilling exploration packed with insight and analysis - a must-listen for those curious about the ever-evolving tech field, cybersecurity, IT, and the true essence of a career in technology. Tune in to join the conversation!

LinkedIn: https://www.linkedin.com/in/emilylaustin/
Censys: https://censys.com/


Speaker 1:

I was going. Emily, it's great to finally have you on. I feel like we've been trying to schedule this thing for, I mean, what seems like an entire year at this point.

Speaker 2:

Yeah, no, I'm glad we could finally finally make it work, make it happen. So, yeah, I'm excited to be here and to chat with you.

Speaker 1:

Yeah, absolutely. So, you know, Emily, I always start everyone off with telling their background because I feel like, you know, for a wide variety of people that may be listening to the podcast, if they want to get into security, it's important for them to hear, you know, a different background, right? For them to hear it and know like, oh well, if they did it, maybe this is possible for me. So what's your background? How did you get into IT? How did you get into security? You know, maybe, what piqued your interest in those areas to make you go down this kind of crazy rabbit hole of cybersecurity?

Speaker 2:

Yeah, yeah, yeah. So I love this because I feel like I often get asked, you know, how do I get in? As if there's sort of this one core or ideal path, and really the reality is very different. Like I think, as you probably know, there are lots of different ways to get into this industry. So for me, I was really interested in, like, computers. As a kid I kind of, like, you know, did the whole, you know, learn how to build websites and write HTML in Notepad and all of that kind of stuff, and so that was really interesting to me and I had no idea that that was actually a thing you could do as, like, a job, because I think this was a little bit before I don't want to date myself too much, but this is a little bit before that was like a big, big thing. This was before tech was such a big thing and such a highly sought after career, and so I was very into that. I really loved it.

Speaker 2:

And then when I went to undergrad, I wanted to do computer science and I was actually told by a very well meaning person that it would be too hard for me, that I wasn't cut out to do CS, and I listened, which I wish I hadn't, and I would encourage anyone who hears that to not listen. Like, if it's something that you really feel pulled to do, go for it. And I ended up doing psychology instead. But this turned out to be kind of a great thing because I spent about a year and a half working in a research lab, stayed and did an undergrad honors thesis and all that, and through that I really discovered that I loved research. I loved the idea of kind of carving out new information and figuring out new facts and uncovering new pieces of the puzzle. You know, in that case it was around cognitive psychology. But that was really kind of the first inkling to me that research was a thing I was interested in.

Speaker 2:

And I went on to, like, I worked for a neuromarketing company for a couple of years, which is wholly unrelated to what I do now. But then I got my first job in tech about 10 years ago now and I was a quant, essentially, for a user research team. So they brought me in to help essentially identify customers, as I was working at a software company and the user research team there wanted to find interesting customers to talk to, to interview, and so my charge was: go look in our user database and find people who are doing interesting things with our platform. So you can probably kind of start to put the pieces together, like, oh, this is anomaly detection, you're looking for weird things in very large sets of data. And so I did that for a few years and that's really where I'd say I honed my programming skills and kind of got more experience with databases, with actually writing code to, like, you know, analyze data, doing computational analysis and things like that. And so I did that for a few years and I still always kind of felt pulled a little bit toward security.

Speaker 2:

Like, I read 2600 and hacking magazines at various points in my life and I was just really, really interested in it. And somehow an opening came available on our security team at the company where I worked at the time, and I had no business applying for it. Frankly, like, I still don't know how I wound up getting the role, but I wound up getting a position on the security team and it was like, I feel like, you know, you think back about your life and you think about these branching points of the decisions you've made, and I feel like this is still probably one of the most impactful decisions I ever made, taking that role. And it was actually kind of a hard thing to step into, because I got on the team and I was so excited. Everyone was super nice, just really wonderful. But everyone on the team was either an application security engineer, like a software security engineer, or they were a pen tester.

Speaker 1:

And I was like well.

Speaker 2:

I'm not. I don't. I'm not one of those. Like, I can write code but I'm not a software engineer. I can kind of figure things out but I'm not a pen tester. And so I had to spend some time kind of figuring out how my skills actually fit into this broader team. And it turned out that in that particular scenario, you know, I had been at the company for a while, I knew the data, I knew the user data quite well in our databases, and so that actually put me in a good position to be able to help, from a security perspective, find unusual things that were going on in our environment and user accounts against the application, like all of that kind of domain, right, and so it enabled me to actually carve out another sort of subgroup on the team which became the blue team for our org.

Speaker 2:

So that was really really cool and rewarding.

Speaker 2:

Kind of going from I have no idea what I'm doing here to everyone, kind of going you'll figure it out, it'll be fine, and then being able to kind of say, no, actually there is a place for these skills here.

Speaker 2:

I think, you know, coming from sort of the analytics and data world, there's a lot of need for those skills in security and it's not going away, I'll say. And yeah, so I spent a few years there and worked on a couple of big projects where I felt like I really wanted to get into security research. That was really just what was calling me. Incident response got really, really a lot after a while, like I just wanted to sleep and not have a pager. And so, yeah, I had a couple of different roles in security engineering and research, and now, and for the last almost two years, I've been at Censys. So I am a senior researcher here and lead the security research team. And yeah, I mean, I feel so lucky to get to do this every day. The internet is a wild, weird place, but man, it's fun.

Speaker 1:

Yeah, it's really, you know, it's interesting how the internet came about and now we all have careers based on the internet, you know, and it's like we all have, you know, a million different niches and areas of specialty and things like that. It's just really fascinating, you know, because I'm sure those people that cobbled this thing together right in the beginning never imagined that, you know, there would be security issues and security researchers and things like that. It's just fascinating to me, yeah.

Speaker 2:

Yeah, well, I mean, if you think back, going back to the late 80s, when you had The Cuckoo's Egg, Cliff Stoll, kind of the first really big computer network intrusion that, you know, captured the public's imagination, I guess, or interest, that was fascinating. And you go back and you read that book now and you're like, wow, I can't believe there were no protections. You could just kind of dial up and log in and there was nothing. Things have changed so much, and it's interesting to see, going back and reading that now, how things have changed and all the different needs we have as we shift more and more into this very online space in our lives.

Speaker 1:

Yeah, yeah, it's a completely different world because of it. Yeah, so when you were applying, you know, to that first security role, that first security team, you said that you basically had no business applying to the team or the role or anything like that. How did you overcome that? Because there's a lot of people out there that see roles on the internet and if they're not 100% a match, if they don't have everything on the list, they don't even consider it. You know, and for me, with my background, I mean I did over 300 interviews before I got into security, and that was the most frustrating part, and I was applying to things that I was 50% a match for. I would meet the, I guess, the social skill part of it, but I wouldn't meet half of the mental skill or the technical skill part of it.

Speaker 1:

You know, so how did you overcome that part of it? Was there anything that you did that helped you through it? Or did you just say, screw it, I'm going to see where this goes?

Speaker 2:

It was a little bit of both. So I totally want to double down and say to anybody who's listening: if you see something that's interesting to you and, like, you know you've been working on those skills and you don't meet 50% of the job criteria, apply anyway. Like, do it anyway. We tend to self-select out for a lot of things that we would actually be really good fits for. So, like, do it anyway. And this was kind of that, and to give some more context for this, in my case it was a little bit of a special situation because it was an apprenticeship program, so kind of like an internal internship, where the applicant got three months to go join this new team, kind of see if it's a good fit, and then if at the end of the three months it was, then you'd get hired onto the team, and if not, you had the safety net of your existing position to fall back into. So I want to fully acknowledge, like, I had a lot of safety nets and kind of training wheels.

Speaker 2:

This was a very unique situation. But in terms of preparing and kind of getting ready, I leaned really heavily on the experience I did have. I was like, you know, I've been here several years, I know the user data, I understand the application, I understand, from a user perspective, where things are in the database, like I know kind of where the skeletons in the closet are, if you will. And so I kind of leaned on the things that I knew were my strengths, which I think is always a good strategy, right, like leaning on things that you know very well, and kind of going from there and saying like, hey, this is what I can bring to the team, and also showing that, you know, I kept up with security news. Even then, you know, like following certain accounts on Twitter (RIP Twitter, I guess), or different blogs, different security kind of influencers. Even back then I was ready to talk about that and say, like, here's how I learn things, here's what I'm interested in, here's my plan, or here's kind of what I envision being able to do in this role.

Speaker 2:

And so, yeah, I would say just really leaning on your strengths, because the wonderful thing about security, I think, is that there's a lot of space for a lot of different skills. And I think for those of us who got into it a little bit before it got really, really cool to be in security, like it became a thing, like I think, you know, now we're seeing degree programs and boot camps and all that. A little bit before that, I think you kind of just had to be like, hey, here's what I know how to do, I'm really good at this thing and I think I can add some value because this is my area of expertise. Yeah, so I feel like that. You know, your mileage may vary. Again, everybody's got a different background and different experience, but for me that's kind of what I tried to lean on.

Speaker 1:

So did you know the hiring manager beforehand or anyone on the team beforehand?

Speaker 2:

I had, like, met them briefly at different company functions. But I actually did go and talk to the hiring manager a little bit ahead of time and I was like, hey, I'm really interested in this. I just want to let you know I'm going to be putting in my application, just to kind of chat with him and let him know, like, hey, I probably don't have a really strong chance at this, but I'm going to give it a shot. But apart from that, no, I really didn't know anyone on the team at the time.

Speaker 1:

Yeah, I have a good friend that I actually grew up with and he went down a totally different path in life and he's, you know, a warehouse worker and he's been doing that for like 15 years at this point and he's kind of miserable, you know, and he's always been interested in IT and security, and I always told him, like, hey, man, you're literally working at a giant company.

Speaker 1:

I guarantee you they have, you know, not just one security team, they have probably five or 10 security teams. Like, all you need to do is just reach out to someone in IT and go from there, you know. And I feel like it's actually doing that, you know, and saying to himself, like, oh, it's okay for me to do this, which holds him back from actually making that progress. You know, and yeah, it's a daunting thing, but at the same time, what do you have to lose? Like, what do you really have to lose in this situation? If you're unhappy, probably not making enough money, you know, and an email is standing in between you and a happier, more fulfilling future, why not send the email?

Speaker 2:

Yeah, I mean, it's scary to put yourself out there. I've talked with folks, I have friends who have been in similar situations, and it can be, I think, crippling for some folks too, because they're like, do I want to? I don't know, is this okay to do? Like, it's just not always clear, I think, the kind of norms around it. But to your point, like, shoot your shot. You get one chance at this, so do it. The worst thing that's going to happen is they're going to say no or just not respond, and yeah, that does burn a little bit, it stings a little bit, especially the first few times. But you start to get a little more resilient and you start to realize, like, no, I can do this, I am worth putting myself out there, I know things, I have skills I can offer. And I think just showing that initiative sometimes can go a long way.

Speaker 1:

Yeah, when someone tells me no with a job, and I don't know why I've always been like this, I'm like, okay, on to the next one. You know, like I'm not going to waste any time. They didn't like me for whatever reason. You know, when interviews go really well, I'll dwell on it a little bit. I'll be like, man, that was really frustrating, like, why did I not get that?

Speaker 2:

Right.

Speaker 1:

Right. But yeah, you know, I feel like you almost have to be a bit of a mercenary at some point, right? Like you got to give yourself a mission and then you got to not care how it gets done. You know, like it gets done how it gets done and don't ask any questions. Yeah.

Speaker 2:

I mean, and that's the thing too, is you just kind of have to be willing to keep pushing. And again, it's exhausting, I know. I see stories all the time of people who've got hundreds of applications, all of these things. But you will find the right thing, you just have to keep pushing. And I would say, if there's folks on LinkedIn or, you know, Twitter or Mastodon or wherever, reach out to people. Again, the worst folks can say is, like, no, I can't, or just not respond. But get people's perspectives. If you're continuing to get rejections and you're not quite sure why, get some extra eyes on your resume, do a mock interview with some folks, some friends, or something like that. You know, because there are definitely ways to improve at that.

Speaker 2:

I think it's especially weird, for, I mean, for me it's really weird, and I know for a lot of folks in the industry it's weird, to feel like you have to market yourself. Because that feels very unnatural, I think, to a lot of us who are like, I don't want to, I just want to sit and do computer things, this is my happy place. I don't really want to be thinking about what my personal brand is or all of that kind of stuff. But it really can help in terms of, you know, folks knowing your name, folks knowing who you are, being somebody who's writing a blog, publishing posts on LinkedIn or different things like that. Those things can help. I mean, nothing is guaranteed, but thinking about how you're putting yourself out there and the public presence that you have can help, especially in those early stages where you're trying to break in, I think.

Speaker 1:

Yeah, you know, and when you're doing that, I always thought that I didn't have anything unique or valuable enough to provide to the industry. Right, why am I creating some, you know, extravagant LinkedIn post or a blog post? Like, I don't have anything special, I'm nobody. But it gives you a voice, really, when you don't really have a voice outside of it. It's very easy to snowball the interactions and the views and downloads, right, with a podcast or a blog or anything like that, and I found that it's actually really beneficial.

Speaker 1:

Like, I've gotten opportunities just because I started that blog and I started this podcast. I've gotten opportunities I never would have even been considered for, I never even would have considered myself for. It only benefits you because, as you're doing it, you're developing other skills. You're developing new skills of how to think about a technical topic and then write it in a way that many people can consume. That's something that's actually really unique, that even published authors struggle with: actually taking a technical topic and dumbing it down enough. I mean, I don't want to say dumbing it down, but, like, yeah, making it accessible.

Speaker 1:

Yeah, you're taking it down to its most basic parts and you can say like OK, if I can visualize this, I can build everything else off of it.

Speaker 2:

Yeah. Yeah, I mean yeah, sorry, go ahead.

Speaker 1:

No, you go ahead. I wasn't going to say anything of value.

Speaker 2:

I doubt that, but I just want to piggyback on that because I get people asking, like, how do I get into security research or what skills do I need to have? And I think writing and effective communication is one of the most underrated skill sets. Like, nobody is going to care about the really cool zero day you just found, in anything, if you can't effectively communicate why it matters. Nothing is going to change that.

Speaker 2:

And so being able to communicate those ideas effectively and at different levels, like, you know, in my role now I have to talk to folks who are other researchers, who are deeply in the weeds like I am, and also folks at the executive level. So being able to go between those two levels and figure out, well, what's important to bubble up to folks who maybe don't want all the weeds, don't have time for it, or that's just not their wheelhouse, being able to do that and figure out, like, what is the executive summary of what I'm trying to say?

Speaker 2:

Essentially, it's really important, and I know it's not the most exciting thing, but it's so, so critical for being able to get your work noticed, to help push it forward, to help others understand the impact that you might be having or could have. Being able to communicate, especially in a written form, is just so, so important. I can't overstate that enough.

Speaker 1:

Yeah, you know, when I was working for a credit bureau, actually, this was the only time that I ever had a technical writer on the team, and she was, you know, fresh out of college, studied English. You know, maybe the most boring topic to me. Like, I had two English classes to take in undergrad and I delayed taking them both until senior year because I hated them so much, and everyone's like, oh, you're the oldest person in here, we're all freshmen. I'm like, yeah, I hate English so much.

Speaker 2:

Yeah.

Speaker 1:

Like, I'm already speaking it? Why do I need to learn about it? You know, that was just my mentality with it, but it was really helpful for her to be there, right, having that totally different skill set. She's not technical at all. So when we're talking about technical things and she has to take notes and create a paper about a community post, whatever it is, she would have to slow us down, be like, hey, break this thing down for me. Why does it work like this? Why does this make sense? Why did you say this? You know, and she also learned a lot, and now she's moving into more technical roles just from that experience, which is really interesting.

Speaker 2:

You know, I never would have thought that that was a possibility, you know. Yeah, I mean, I worked with someone, an excellent pen tester, one of the best I've worked with in terms of writing reports, thinking through ideas, collaborating with others, and obviously the skill set that he had. He had a master's in literature, like, no formal educational background in it, totally different, but it gave him this different perspective and it gave him a way to really clearly communicate the ideas and the things that he was finding, and it just made him a stellar pen tester. He was just fantastic at his job because he could actually talk at multiple different levels about what he was finding, why it mattered. Why should we care? Why do we need to patch this? Yeah, I think having those different backgrounds on a team is so, so important because you get all that different perspective.

Speaker 1:

Hmm, so, you know, let's dive into what a security researcher is and what your day to day looks like. Yeah, we'll just start with that before I start diving into my million questions.

Speaker 2:

Yeah. So security researcher, I think, is one of those very, very broad terms that can mean a lot of different things depending on where you are. In some cases, you know, these are folks who are doing exploit development or vulnerability research. In some cases they're working at vendors and they're studying things that are happening on endpoints that their vendors are watching. So for us, for me and for my team, we sit with access to this really, really comprehensive map of the Internet.

Speaker 2:

So Internet wide scan data, the entire IPv4 space, and so really for us there's a couple of, I think, common paths that our day might take. On one hand, there's a lot of just exploratory data analysis. Like, the Internet's a really big place, really weird place. There's lots and lots of stuff. There's always new rocks to kick over. So in the case that there are fewer internet fires than usual, we'll do some exploratory stuff, we'll dig. Well, like, I noticed this weird thing, I want to look into it, and so just kind of the natural curiosity takes over. And then, on the flip side, is the slightly more reactive work, when, you know, a CVE comes out that's critical, or CISA adds something to the KEV list, or there's something really going on in the security news cycle, and if that's something that we have the ability to see, as in it affects a public internet facing device, we'll go and look for it in our data and try to understand how broad the impact of this particular vulnerability is. You know, how many hosts, where are these hosts located? Are there particular autonomous systems that are really affected by it? And so that's kind of the more reactive piece.

Speaker 2:

So it just sort of depends on what's happening in the world, what we end up looking at, and I say what's happening in the world because there's also the geopolitical angle to that as well. You know, when there are conflicts or very big things happening, whether they're natural disasters or other things, from our perspective we want to better understand what internet connectivity looks like there and what we can say about operational technology in these regions. What can we learn based on patterns around them being online versus offline? So what color and context can we add to those stories? So yeah, it's kind of a mixed bag of things, and again, that's pretty unique to what we have access to at Censys and what we do. But more broadly, I think security research is just a lot of being very curious about whatever data you have at hand.

Speaker 1:

So what is Censys? What do you guys do?

Speaker 2:

Yeah, so there's two pieces to what we do. So on the one hand, we have our exposure management or attack surface management platform. So if you've been in IT, you've been in security, you know that asset management is not really an easy thing. It's kind of a pain, and so the idea there is that we help teams identify all of the things on the Internet that they own, that their company owns, ideally making it easier for them to administrate them. If there are problems with them, like end of life software, or maybe we think you're running something that might be vulnerable to this new CVE that's popping off, we want to let you know about it. So that's one big piece of what we do.

Speaker 2:

And the other big piece is Censys Search and data, and this is near and dear to my heart because this is what my team and I really, really focus on.

Speaker 2:

So Censys scans the entire IPv4 space all day, every day, and we maintain this comprehensive map, really, of the Internet. So Internet connected devices, edge devices, you can go to search.censys.io and find these things in our data and start to look at and investigate them. So where this gets really cool is, if you're a security researcher, maybe you want to investigate some recent threat actor activity and you want to understand more about their infrastructure, so you can use our data. We have both the host data set, so all of those IPv4 and some IPv6 hosts, and we also have a certificate data set. So we ingest lots of CT logs, we ingest lots of certificates, on the order of billions, and so that also is a really interesting data set to play with in terms of looking for interesting infrastructure based on certificates. So that's kind of Censys in a nutshell.

Speaker 1:

By chance, did you see any sort of, I guess, new infrastructure stand up or new attacks launched before or even during the Russia Ukraine conflict and now the Israel Hamas conflict? Did you see any kind of digital precursors?

Speaker 2:

Yeah, so I can't get into a super detailed response here, but yes, these have both been things that we've followed pretty closely, just trying to get a better handle on, again, some of the things that we're often interested in in these scenarios, like what does operational technology infrastructure look like leading up to and during these types of events? So, yes, there are definitely changes you can start to track and see, unfortunately, when these things unfold.

Speaker 1:

Yeah, it's really interesting because I feel like, you know, in the digital age of big data, before a physical kinetic attack ever happens, there's typically some sort of attack or preparation in cyberspace, right?

Speaker 1:

And so I've had on other people that have looked specifically at Russia, Ukraine, and they're a little bit more, I guess, liberal with what they say, because they're a little bit closer to the battlefield, so to speak, and it's just a fascinating area, you know, because it's almost like a developing space of security right in front of us, of identifying, like, oh, something might be going on over here, or whatever it might be. Because, as I guess kinetic attacks are kind of basic or very standard and you know what they are and how they're deployed and things like that, the cyberspace side of it is that new evolving field that now countries are diving more into. It's interesting to see, like, even how the NSA uses cyberspace. You know, it's really fascinating to see that.

Speaker 2:

Yeah, one thing that was super interesting to me during the ramp-up of the Russia Ukraine conflict was the Ukrainian IT Army, a sort of self-organized group of folks on Telegram who were just like, we're going to try and attack Russian infrastructure. It was this sort of ad hoc group of folks who were trying to DDoS different Russian sites, or do what they could to have some kind of impact, to impose cost and difficulty on Russia. And I don't actually know how impactful it was. I know there have been some studies that have come out that have talked about that; I haven't looked super deeply into them. And that's a fascinating thing too: at one point, I want to say it was somebody high up in government in Ukraine who was like, hey, we're developing an IT army, come join us.

Speaker 2:

I cannot remember his exact position or title, but it was this call to cyber arms, so to speak: hey, we're doing this, hop in, we're going to go try and lob some attacks toward Russia. That was just fascinating to me, to see such a large-scale, civilian-orchestrated thing. So yeah, I think you're right, I think this is a very interesting time. We've seen kind of precursors to these sorts of things in the past, but I feel like this is really the new way forward, this is how things will go going forward. And so if a nation is spending a lot of time developing offensive technology and letting the defensive piece of it, from a cyber perspective, sort of fall, I think, just broadly speaking, that's a huge disservice, because while the exploits are cool, you've got to be able to defend, you've got to be able to detect and defend these types of things.

Speaker 1:

Right, yeah. With the IT Army of Ukraine, when that was actually starting, and I'm not a hacker by any means, I can spell the word, but when it comes to actually hacking things, I'm not the person that you should be going to, ever. When that stood up, I went onto the website to see, okay, how successful could this really be? It's Russia; Russia has a pretty good cyber warfare program. You would think they have this stuff locked down, probably better than ours even, because, the way I view it, they don't have as many politics in between their engineers and what actually needs to get done. And I was on the site, and I mean constantly, this is a site of hundreds of targets, and the entire time that I was on the site, every single thing was down.

Speaker 2:

Yeah, yeah, so there were all of these coordinated DDoS campaigns, and they were just sending multiple requests, obviously, as a DDoS would, but it was just this in-browser thing. They made it very easy to actually do, which I thought was fascinating. So it was kind of interesting to see that, yeah, they actually did DDoS a bank or other different services and companies. It was like, oh, this is an interesting phenomenon. I don't think I've ever actually seen this play out in my lifetime like this.

Speaker 1:

Yeah, I don't think anything, maybe. I mean, the last time a large group of people came together and achieved something might have been like the collapse of the Soviet Union, when they had the protests across Europe, right? Maybe, I don't know. The first one in cyber warfare, for sure. Cyberspace, for sure.

Speaker 2:

Yeah, yeah, definitely. I think that was just what was so, even still, looking back, it just almost doesn't even feel real, which is maybe, and I don't mean that to sound insensitive, I know it's very real for folks who are experiencing the direct impact of it. But sitting back from a strictly cyber perspective, just what a fascinating unfolding of events, I guess.

Speaker 1:

Yeah, so you talked about shoring up the defenses and ensuring that you're good on the defense side. How do you go about doing that? Because for large companies, that is a seemingly insurmountable task that you will just forever be doing. You're never going to be on top of it, you're never going to be in front of this thing; you're always kind of trying to play catch-up, right? And there are a lot of different facets to that in and of itself.

Speaker 1:

But then when we talk about a country and the critical resources within the country, and the different companies that are small businesses, one person owns it, runs it, does everything themselves. They have one contract with the government; that's all that they do for 40 years. Who cares about IT at that company, right? This guy's doing all the work. Where do you start? How do you get ahead of this thing? Can you get ahead of this thing, or is it just forever a losing battle?

Speaker 2:

So, as a former defender, I got used to hearing, oh, you're always behind, they only have to be right one time, you've got to be right all the time, all of that kind of stuff. So I think it does feel oftentimes like we're at a little bit of a disadvantage trying to defend. But, and to be clear, I am not a policy expert or anything like that, this is just sort of my off-the-cuff thinking about this, I would almost take some of those principles that I would try to apply at a company and sort of expand them, in a sense.

Speaker 2:

So there are a couple of things that, if I'm coming into a company, we'll use this analogy, I'm coming into a company as a defender with no actual blue team, no defense to speak of, right? There are a couple of things that I would do, and one of those is make sure there are logs, and lots of them. Get a handle on the assets that we own: where is everything, where is all my stuff? And get a sense of what normal looks like here in terms of logs and traffic and behavior and employee actions and all of those kinds of things; get some baselines.

Speaker 2:

These are very, very broad, I realize. But those are a couple of things that I think are really important as a cyber defender trying to build a defense program, right? And I think you can kind of extrapolate that a little bit to a larger level as well, for a country or a nation state: understanding where are all of my really important assets? Where is all of my operational technology? Who runs it? Do I have relationships with those organizations or individuals? Could I identify all of them right now if I needed to? Do I have a list of those things? Do I understand what normal activity looks like, and I will leave that very broad? Having a sense of, again, baselines, I think is really important.

Speaker 2:

And then telemetry, right? And I think we obviously have many agencies for whom this is their sole focus, so I think this is probably an area where most organized, most countries, I would say, probably already have a good bit of this going. But having the proper telemetry in place is really important so that you can actually start to understand what is normal, what is unusual, and can I actually point to measurements and point to data to say, this is something that's concerning. Well, why? So I feel like maybe that's a cop-out answer. But just thinking broadly about how I approach it at companies versus how I would approach it on a larger scale, I think a lot of the principles remain the same.

Speaker 1:

Yeah, yeah, that's a good point. I mean, the principles tend to remain the same; it's just at a huge scale, significantly, multiple times over. So I really want to talk about maybe some of the research that you've dived into, right? What are maybe some interesting areas that you've researched, written papers about, potentially, things like that?

Speaker 2:

Yeah, there have actually been quite a few interesting things I think we've looked at this year. I think probably the one that I'm closest to has been all the managed file transfer shenanigans. I often joke now that MFT actually stands for my favorite topic, because it's all I thought about for months on end. So looking at that whole ecosystem, and we're shifting here, really taking a hard left away from talking about nation state cybersecurity to cybercrime, right? Totally different flavor of things and different flavor of actors and all of that. So we had MOVEit over the summer, which has just been this really awful fallout we're seeing. There have been some others in the past, GoAnywhere, and you can go all the way back to 2020 and you see, the way I think of it, the bookend.

Speaker 2:

This sort of initial file transfer hack that was along the same lines was Accellion's legacy file transfer, and that was a Clop operation. So Clop extortion group, ransomware group, all of that, right? And they've actually gone on to hit several other tools in this category. I think it's been written about, folks have talked about it, but there have been multiple tools in this vein that have been targets of attacks, particularly by Clop, in some cases for ransomware, in some cases just pure extortion. And it's really interesting because, if you look at their leak site, they'll post the data leaks or a sample of them on their leak site, they'll give a company time to respond, and then, if they don't, they'll go public with the data. And they'll actually post notes and say, hey, we're not interested in government data, we're not interested in all of that, we're just financially motivated. They will explicitly say, we're just doing this to make money. And it makes a lot of sense, because if you look at any of the websites for these tools, for MOVEit, for GoAnywhere, for ShareFile, for all of these other tools, the idea behind them is that they facilitate secure file transfer between and within organizations, and they do it, or claim to do it, in a way that is compliant with lots of different regulations: GDPR, PCI, your alphabet soup there. So this has been fascinating to follow for me because, from a financially motivated threat actor perspective, these tools are a goldmine. They are usually adopted by enterprise organizations, so there's lots of data at play, and they also...

Speaker 2:

So we did some research over the summer when MOVEit was popping off, and we actually looked at every MOVEit instance on the internet that we could find, several thousand of them, and then we went through and did attribution on all of them; we wanted to see who owned them. We ended up being able to do that for, I want to say, around 1,500 of those instances, and what we found was that the majority of these instances were either in financial services companies or healthcare companies, so really highly regulated industries. We also found a non-trivial amount in the government space as well, but these are highly regulated industries that have arguably pretty sensitive data on hand, and they're big companies. So that's been really fascinating to follow, and I'm really curious to see the next evolution of this, because I have this suspicion that these kind of back office apps, so not necessarily customer-facing software but B2B types of applications, are an interesting area for threat actors, because it's not necessarily something we've often thought about in terms of the security of these tools, since they're not necessarily consumer-facing all the time. So I'm kind of fascinated with that. I'm rambling a little bit, but one final thing I'll say along these lines is that during all of this wild file transfer activity, back in April, we also saw PaperCut print server software attacked by Clop and LockBit, and it wasn't a ransomware extortion.

Speaker 2:

They essentially used those servers to gain access, gain a foothold on the network, and then install some remote management software. But again, this is sort of a B2B kind of tool. It's not necessarily something that's customer-facing or client-facing, but it's there to facilitate business. So I'm kind of fascinated with this whole category of software and what we will see in the coming months and years as far as those tools being targeted.

Speaker 1:

Yeah, earlier on in my career I worked for a company that was B2B, and I never thought anything of it. If I had to transfer files to them or whatever it might be, I didn't think anything of it. I was told, open up this tool, log into this thing, and do it. Sometimes I didn't even have to log in. And now that I'm in security, it's like, oh, that was actually really bad; that was frowned upon.

Speaker 1:

It's fascinating because it's a solution that just about every company has to have, some sort of way of doing it, right?

Speaker 1:

And it's really tricky because you're moving potentially sensitive data across the internet from one company to another, and you need to be able to send it securely, receive it securely, and move it within your own network knowing that it's not malware or some sort of Trojan that's waiting to strike or looking at your network and whatnot. It's an interesting area, and I find it really fascinating that recently those attacks have kind of picked up. Now I'm starting to think of things that are going on in the world and being like, oh, is it getting attacked this way? And then my mind also goes down the rabbit hole of, well, the government still uses couriers, actual physical people, real people, to take sensitive documents from one facility to the other. They still actually do that.

Speaker 1:

I mean, maybe there's something to that, right? I don't know. With my limited experience with the government, they trust their technology, they trust their IT architecture and team and everything like that, but they only trust us so much, right? There's still that paranoid part of society. If you want to talk paranoia, go work for the government. I've been in facilities where it's a cube farm and people have mirrors situated very specifically at their monitor so that they could see if anyone's looking at their computer behind them without them knowing, or whatever. That's the sort of people that are in those jobs doing that work.

Speaker 2:

I mean, that's kind of fascinating because it sounds a lot like a lot of security folks I know, to some extent, right? And I think there's something kind of healthy about that, about not totally trusting everything. Trust but verify, trust to a point, but then just kind of assume, always assume the network is out to get you, always assume that there's something compromised somewhere. And yeah, it's kind of an exhausting, overly paranoid way to think about things, but we're also kind of paid to be paranoid.

Speaker 2:

I think, in some respects, we kind of have to assume that that could be the case. And so, yeah, that's really funny because, like I said, I've definitely worked with a couple of people who've been kind of on that level, and I mean, I respect it, I get it. I think when you're looking at this stuff all day, every day, you just kind of have to assume that something like that's going on somewhere.

Speaker 1:

Right, yeah, trust but verify. It's interesting; we even have to do that with security solutions in this field, right? Recently, I did a cloud-native WAF POC, and my manager chose a product that I was very against. That has its own dynamics with it and whatnot. But at the end of the day, I'm an engineer, I'll deploy whatever you tell me to deploy. I think it's a bad idea, but it doesn't matter.

Speaker 1:

And along with that, when he chose the other product, I'm like, okay, well, I don't believe that it's going to do what it actually is supposed to do, and so I'm going to set up a lab environment where all I do all day long is attack this thing. When we make a configuration change in front of an application, I'm attacking that very specific rule set, and if it ever pops, if it ever actually doesn't block it like it's claiming, then I'm going to be documenting all of it and presenting it to you: see, we shouldn't have done this. Even in security, we have to really take those measures, because how do you know your EDR is actually doing what an EDR should if you never try it?

Speaker 2:

I 100% agree. I've also been in this situation, funnily enough, with a new WAF a few jobs ago. Same kind of thing: we need to test and make sure this actually does what it says it does, and in our case, it actually did. So everything worked out well. But yeah, I mean...

Speaker 2:

I feel like you can't always take things at face value, particularly when you're essentially hiring a product to do a job for you. The whole idea is that you can offload some of your mental resources to this product, to this tool, and you need to actually make sure you can, because if you can't, you're going to end up in a worse situation than if you had not installed the tool in the first place. And it can be hard to cut through a lot of the buzzwords and jargon and the oh, this will do this. Will it really, though? I think it's important to have an empirical approach: no, show me the data. I want my hands on the data, I want to see proof. Yeah.

Speaker 1:

Absolutely. Well, Emily, unfortunately we're coming to the end of our time here. I feel like we could talk for another hour or two.

Speaker 2:

Yeah, I agree. Yeah, this has been great.

Speaker 1:

Yeah, I'll have to have you on again, and we'll talk about, maybe when you release some new research or something like that, you could absolutely come on and talk about it. But before I let you go, how about you tell my audience where they could find you if they wanted to reach out to you, and where they could find Censys?

Speaker 2:

Yeah, so for Censys, you can go to censys.com. You can also go to search.censys.io, which is a lot of fun. Go search, go play around. It's free, accounts are free, so you can sign up and go have some fun with that data. And then for me, I'm on LinkedIn and Mastodon, primarily, these days. On LinkedIn, I'm just Emily Austin at Censys, and then on Mastodon, I am MLE at infosec.exchange. So yeah, that's how you can find me. Awesome.

Speaker 1:

Well, thanks, Emily. I really appreciate you coming on, and I hope everyone listening to this episode enjoyed it.

Path to Security Career in Tech
Overcoming Doubts, Taking Initiative
Effective Communication in Security Research
Internet Mapping and Security Research
Cyber Defense Strategy and Challenges
Security of Back Office Software