Mick Leach: Hello and welcome to SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe and more. And this week we are excited to have Dave Kennedy. Dave, welcome to the podcast.
Dave Kennedy: Mick, thanks so much for having me on. It's a total pleasure to be here, man. And appreciate what you folks do for spreading information out there. The pleasure is all mine.
Mick Leach: Yeah, absolutely. So first I want to just open up, I know you, I've known you for a long time. You're a big pillar in the community, but maybe some folks tuning in don't know who you are and your background. So if you could tell us a little bit about yourself, what your current role is and how you got
Dave Kennedy: Yeah, absolutely. So I am the founder and Chief Hacking Officer. When you get to be an owner of multiple companies, you can create your titles, which is cool. So I thought Chief Hacking Officer sounded pretty good. It's actually a funny story. Kevin Mitnick, who passed away recently from pancreatic cancer, he was one of my best friends, and he and I were talking about titles we could give ourselves that are cool. So he and I came up with the Chief Hacking Officer title. So he became Chief Hacking Officer at KnowBe4 and then I became Chief Hacking Officer for TrustedSec and Binary Defense.
You know, we are a global company between the two companies. I think we have over 400 and some employees worldwide. We work with a lot of the big organizations out there to the small. We focus on everything from, you know, incident response, managed detection and response, MSSP work, SOC operations, those types of things all the way down to, you know, consulting work, down to penetration testing, red teaming, application security, everything. But, you know, we pretty much do it all, across the board. I'm a technical person. You know, I wrote a number of exploitation frameworks, I was on the Kali Linux development team, so the BackTrack development team at the time, before it became Kali Linux. You know, I wrote a number of exploits, zero days, research papers, guides. Kind of a cool title that I have that not a lot of folks know is that Jeff Snover, the father of PowerShell, who created and wrote PowerShell, considers me the father of PowerShell security, which is kind of a cool title. So I did the very first ever PowerShell security talk at DEF CON with my good buddy, Josh Kelly.
Mick Leach: Interesting.
Dave Kennedy: And I got the title Father of PowerShell Security. I started the whole PowerShell security movement, which is pretty cool. So, you know, long lineage in cybersecurity. I got about 27 years, worked for the NSA doing cyber warfare, which kind of started off my career. So I worked actually in Hawaii. I was a few doors down from Edward Snowden in Kunia at the same time. So I didn't know who he was or anything like that. But, you know, and then I did a couple of tours in Iraq for intelligence-related missions and then got out and have been everything from a Chief Security Officer for a Fortune 1000 company to, you know, starting my own businesses in the basement of my house to what you see today.
Mick Leach: Awesome, awesome. Well, first of all, I want to say thank you for your service. I love talking with fellow veterans, even if they're Marines, we can overlook that as an Army guy.
Dave Kennedy: Thanks for overlooking that for me, I appreciate it. I'll overlook my bias as well, but Marines being the best.
Mick Leach: Absolutely. Yeah. I love it. You know, the beauty, for those of you tuning in who don't know, is that the different folks from the military services love to kind of give each other grief. It's all in jest. It's all in good heart. Indeed. Indeed.
Dave Kennedy: Yeah, absolutely. All love and respect.
Mick Leach: Moving forward, what inspired you to pursue a career in cybersecurity? How did you find your way into sort of that SOC environment? I heard you did some work with the NSA before starting your own companies.
Dave Kennedy: Yeah, you know, I got so fortunate early on because I was really heavy into computers prior to even joining the military. You know, I was running my own MUD, a multi-user dimension, which is a text-based video game, that I had on my own BBS that was running. We had like 500, you know, players online and, you know, I was an op at like 16, 17 years old, you know, coding in C, C++. I actually, you know, pretty much skipped high school and failed out of high school.
And I had to go back to summer school just to pass because I was so obsessed with tearing apart computers to see how they worked, programming, you know, so my mind always worked that way. You know, the best way I can explain it is when I don't understand how something works, I have to, like, I obsess about it in a way that I want to dive down into that subject and become kind of an expert in it. And so like for computers, I couldn't understand how electricity turned into certain types of current that then modulated to a circuit board that then, you know, propagated up to code, that binary code translated to assembly code and then assembly code translated to other programming languages that gave you this user experience. So I just needed to understand, you know, that. And I didn't think, you know, cybersecurity wasn't really even an industry at that point in time. You know, this is, you know, circa 2000, so probably, you know, 95, 96. And so, you know, I just knew that I loved computers. And then when I went into the Marines, I tested very highly on what's called the ASVAB test, the aptitude test, as you're familiar with. And they like, the Marines are great because they'll guarantee you a position.
So if you sign up for intelligence, for example, you will get intelligence. They can't move you to a different group or anything like that without your permission. And so I picked intelligence because I thought, you know, top secret clearance, I would learn whether or not there's aliens. That was my big thing. So yeah, so I was like, hey, I'm gonna get a top secret clearance. I'm gonna know if there's aliens. And I actually told my buddy Sean, he was the best man at my wedding, I was like, Sean, dude, if I call you at like two o'clock in the morning, and I say yes, and I hang up, there's aliens.
And I never, never made that call, unfortunately, and never knew because, you know, even if there are aliens, I have no idea, you know, I can neither confirm nor deny. But even if there were aliens, I would never be read into those programs because it wasn't part of my job or mission. Right. You know, the government's very specific about that. The military, the Marines specifically, saw my knack for computers. And I was able to get into a very specialized group that was focused on computer exploitation. So I went to, you know, a school in Pensacola to learn network exploitation, got really heavy into offensive capabilities and cyber warfare, the early days of cyber warfare. And that's really what kicked off my career, getting into cyber security. I actually loved it. I mean, breaking into, you know, countries and, you know, hacking into the, you know, we're doing crazy stuff here, you know, 2002, 2003, you know, even going into Iraq, you know, cracking all the signals and things like that. And then, you know, being able to do certain things
It was such an amazing experience at such a young age to be able to do that. It really forged my career getting into private.
Mick Leach: That is fantastic. So with that vast, rich history of things that you've done, super cool stuff, you probably have some stories. So can you describe a particularly challenging cybersecurity threat or attack that you've encountered and kind of how you guys responded to it?
Dave Kennedy: Yeah. So, you know, being an owner of multiple companies, I get to see a large breadth of things. And while my career has been predominantly offensive, it really hasn't been, it's been offense and defense. I've been really focusing extremely heavy, especially over the past 10 years, on how do we build systems, or how does an organization build a security program, that's successful in defending against the types of attacks that we see. You know, as a Chief Security Officer, I was the Chief Security Officer for Diebold. I came in after the voter machine issues. I just want to throw that out there.
But I built an amazing security program that at the time was very much state of the art. So my career is definitely offense and defense, but I think by understanding offense, you have a much clearer picture about the best way to defend against the attackers, right? Which is why I think you see such a hybrid approach in cybersecurity to defending, right? You can't defend something you don't understand. So if an exploit's being fired at you or there's suspicious behavior, let's just say you see a living-off-the-land binary or script and it's calling a specific DLL.
Well, as an attacker, I know that's malicious, but if you don't understand the offensive capabilities of that as a defender, you're going to miss that, it's going to be a false positive, right? And so I think, you know, a story that comes up to me is actually a really big recent one where we dealt with, so if you look at, you know, our security operations center, you know, one of the things we've been able to do extremely well as of late, and I understand this is a big buzzword, but it's incorporating a lot of large language models, artificial intelligence, and machine learning into becoming more efficient.
You know, I'm not here to say that AI is going to replace humans and, you know, we're going to have, you know, cyborg body parts and things like that. But there are certain applied principles and use cases where you can leverage these types of things. And think of this as, you know, the needle in the haystack. You know, you don't want an analyst combing through that haystack trying to find a needle, if you could leverage, you know, more automated ways of being able to respond to it and then centralize all that data to an analyst. You know, that's a better way of being able to do it. And so this is a cool one. One of our data scientists, Angus, was, we have a data lakehouse and we're always applying different models and they're unsupervised. They're kind of taking a look at all the data that we have being ingested into us. And Angus had triggered a new language model that we were training to look at service creation probability of maliciousness. So, taking a look at all services, all data, and then looking for abnormal baselines of things that don't make sense.
And if you think about data in itself, you know, most of the time attacks are going to be this really tiny blip in a standardized data set across your entire environment, right? You know, you have normal behavior that is exhibited every single day. And if you look at that behavior, that's this large, copious amount of noise. If you look at it as like a pie chart or a chart going downward, you know, a graph, you know, down here, these little tiny things over here are the things that we miss, right? These little tiny one-hit or two-hit type of things. And,
Angus had put this new model up in place and it literally bubbled up the service creation that was suspicious. And we had missed it from an analyst perspective because it looked like a legitimate one, but based on the behavior that it was exhibiting, it bubbled it up and it was a malicious service that was created. So we were able to respond and minimize the threat based off of that specific issue, based on just training a new model that we hadn't tried before, that needle in the haystack that we may have missed as we're coming along. So for me, the exciting part, and you know, as an industry we have to focus on more, is those behavioral elements. If you, when you make security your own based on your environment, because your environment is completely different than anybody else out there, completely unique. You know, you might have different programmers, different web applications, different third-party services, different people, different technologies, you know, that makes it unique. So if you can baseline your own environment and look for those deviations of patterns of behavior, that's where your butt's going to be safe versus, you know, anything else that's typically happening in these big data breaches.
Mick Leach: Yeah, that is awesome. And I will throw a disclaimer out there because that is exactly at the heart of what we here at Abnormal are doing in terms of email and messaging security, SaaS security, is that behavioral data science, that behavioral analysis to identify anomalous activity. So Dave, keep me honest here. We didn't put you up to that. That's your own thoughts.
Dave Kennedy: No, no, 100%. Absolutely. And, you know, but I think that's, when you look at where a lot of the innovation in this industry is happening today, it's around the behavioral analytics. Here's the thing, like, if you look at EDRs today, okay, and I'm not saying EDRs are a bad thing, they're great, you know, from a visibility perspective, being able to see the data that's coming out of there, they're fantastic.
However, just like the issues that we ran into with antivirus, EDRs are still predominantly signature-based detections. They look for previously defined data sets or data breaches from previous adversaries, which again, I'm not discrediting it, I think that's a great thing that you have this cache of previous data that's happening out there to respond to. But if you're anywhere near a savvy attacker, you're going to understand, hey, if I'm going against this specific EDR product, which by the way, if I go to LinkedIn and I look at the experience of the employees there, I know which EDR you're using based on the experience that you list on your public profile. I know I need to get around this specific technology.
If I know you have this specific technology and it's out of the box, here's the things that I can do to get around that so I don't get detected by this specific piece of technology, right? And, you know, what I think a lot of the innovations are coming to is saying, well, that gives you an average level or maybe even a little bit below average level of protection. But when you start to look at your own environment and you make those tools morph to yourself, and you start applying some of these principles, we have newer, newer technologies or newer ways of looking at data sets.
You have a much better chance of understanding these threats. Another story I'll tell you, we had an incident recently where we had an organization that we were doing a threat hunt for. And we looked at their baselines and they were using Microsoft Remote Assistance and Intune kind of for the remote management and stuff like that, right? So that's their baseline. That's the high dataset, right? But we noticed that there were two machines in their environment that had TeamViewer.
And TeamViewer is a corporate application, enterprise-licensed type of thing. It could be used maliciously, could be used corporate. But why is there a baseline of Intune Remote Assistance when there's two deviations here, two outliers of TeamViewer? And we investigated it and there were two compromised machines that had just happened a few hours before, had been social engineered over the phone by someone pretending to be the help desk, and had downloaded TeamViewer.
But if you have an EDR product, the EDR product might log the data that TeamViewer has installed, but it's not gonna report that it's malicious because it's a legitimate application. So, you know, that's the problem that we run into today, is that attackers are very savvy at understanding we may have these products in place. And unless we have our own defensive mechanisms in place around our own environment, what makes our own environment unique, we're really gonna be caught off guard with, I think, a lot more data breaches that we see.
Mick Leach: Yeah, yeah, I mean that really speaks to the thing that bothers me the most with where we are today in terms of the solutions that we're bringing in. They're great at what they do, but they're also siloed. They don't integrate very well. I mean, I think that's what SIEMs were supposed to do for us. Yeah, yeah, and they never really, I think they always fell short in terms of uniting all of that data and really understanding the breadth of your environment, what's really happening. So I think that still remains a place that we need to continue to work on.
Dave Kennedy: And it's been a challenge for us at Binary. You know, like we have, we're one of the only open XDR companies out there where we'll use the technology stack of the customer. You can use our own platform or whatever. But what's interesting about us is we have to integrate into, you know, the top five to eight SIEMs. We have to integrate into multiple EDR products with multiple, you know, email gateways, cloud infrastructure, cloud gateways, cloud spam filtering, you name it. We have to integrate into everything.
And so, you know, to consolidate that and centralize that was a major uplift for us, let alone an individual company that has to just deal with five or 10 or 20 disparate technologies. We're dealing with hundreds. So the way that we kind of adopted this is we leveraged SOAR extremely heavily and think of SOAR as kind of the plumbing between all of the different technologies to centralize all that data, standardize our detection engineering process based off of that data that we have coming across the board.
And then from there being able to apply that across all of our customers and centralize it to our analysts. So our analysts have one single, you know, pane of glass that pulls in our threat intelligence, pulls in our data analytics or data science, pulls in, you know, our counterintelligence, anything else that goes into there, combines it all into one so that the analyst has a full representation of what's happening, but still allowing them to be flexible to get into the individual tools that they have to, to kind of investigate or respond to see what's happening. But, you know, I don't envy the complexities that we have today in the enterprise. You look at businesses and, you know, they're continuously pushing cloud. Cloud typically has a very tough time with visibility, unless there are security products that are designed to integrate with others. But, you know, in most cases you look at like Microsoft 365, you know, it's very difficult to get amazing visibility and then you have to pay for premium-tier licensing to even get that. You know, you're continuously evolving technology in your organization to allow your organization to grow.
And at the same time, you have to reduce the complexity because you don't have enough analysts and people and data and everything else to be able to handle that volume. It's just this really big, weird spot I think that we're in today, just based on how fast technology is progressing and how security is really just trying to catch up with that. I think we had a really good handle on it with kind of the waterfall approach for web applications. You know, like we were the showstoppers, right? We're like, hey, this can't go into production until we check it out. And then we went into agile workflow and that went to hell in a handbasket. We lost our whole control over that. And then the whole, you know, IT infrastructure took up agile, you know, we have to be pushing out iterations and getting things out as quick as possible. And then security comes in after the fact, after the security vulnerabilities and exposures are all out there, trying to kind of retroactively bolt things on to try to fix it. You know, think of it as a starship. You have these holes that are leaking air. Hey, we're gonna bolt them down really quick to fix it while we're in space. You know, it's a tough challenge that we're running into.
Mick Leach: Absolutely, absolutely. So we've talked a little bit about the past. What is, in terms of present, what are the biggest threats that you see out in the wild today? What are the biggest threats that companies are facing?
Dave Kennedy: Yeah, I think it's really three big things that I think most companies are really facing from an adversary or tactics, techniques and procedures perspective. First and foremost, we're used to the Russian accents or Eastern European accents calling us on the phone. With a lot of the voice modulation software that we have now, you can remove those. You can appear to be somebody from the South. You can be a woman, a man, whatever you want to be on the phone and appear to be anybody. And if you look at what happened with MGM, Caesars, and a few others, you know, calling up the help desk on the phone.
And there's a talk you can go back to that I gave several years ago. I'm talking probably 15 years ago I gave this talk. And I gave an example about what a help desk is designed to do. What's the help desk function? It's there to help, right? So you're taking a role and a function within organizations that's supposed to help. They're dealing with hundreds, if not thousands of customers a day, you know, depending on the environment scale, the size of the company.
And they have to be able to be on edge at all times too, which doesn't work really well. And so now you have voice modulation software. It doesn't sound suspicious. They've already done their homework. They have previous breach data in many cases. So they're compiling previous breach data and associating the pretext that they're going to use for the attacks. Then they call the help desk and they're well versed in what they're doing. And so, you know, the help desk challenge right now is a major conduit area that I see as a major exposure vulnerability. In fact, I did a talk at DEF CON with Kevin Mitnick.
And we did a lot. It was one of my best talks, favorite talks of all time. And I called Kevin up on stage randomly and we had got permission from one of our customers. And I called the help desk. I had Kevin call the help desk. I ran the technical stuff behind the scenes and Kevin social engineered the help desk person, who downloaded some malware. We had an interpreter running on there, you know, we're live. And this is in front of like 6,000 people in the audience. Everybody's super quiet because, you know, we're live on the phone, and as soon as we hang up, everybody starts going crazy. But it was literally four minutes of talking to somebody to get somebody to go and click on things. So I think, you know, the social engineering aspects and the sophistication that has gone into those, and not just in corporations, like the sophistication levels of social engineering going down to the individual personal level, has hit an all-time high. I just had a family member that got hit with probably one of the most sophisticated attacks. And I was like, I couldn't believe how complex this attack was. I mean, they spoofed their phone number coming from Chase. They knew they had a Chase account. They already had access to their email. So they knew all the bank accounts they had.
They were listing transactions that they knew were legitimate because the financial statements were attached to the PDFs. And they were able to coax them through getting through their multifactor authentication so they can get access to their bank accounts and then drain all their bank accounts. You know, it's, it's, it's, you look at them, you're saying that that's an individual level and they're, you know, they unfortunately got about $80K off of them, but $80K is an amazing payday for these attackers that spend maybe a few hours using previous breach data, credential stuffing, get access to an email, you know, build them out of data, then call them up on the phone. It was elaborate. It's sophisticated. And I think that the social engineering aspects of things are at an all time high, all time criticality.
Mick Leach: Yeah, yeah. And so back to that demonstration at DEF CON, keep me honest here. I believe that Mick Douglas, my last guest, was in a chicken costume on stage for that. Is that right? Oh my God.
Dave Kennedy: Yes. Great memory. That's a great memory. And Mick was the chicken in the background holding the sign, let's pop a box. You know, my favorite talks at DEF CON were always the ShmooCon group, you know, the Cult of the Dead Cow, like, you know, like the L0pht, some of the amazing, like, folks that really forged the industry, you know, that the industry is really kind of built upon.
And, you know, cDc would come out with like these skulls and everything, these cow skulls and, you know, the showmanship and the presentation of it was awesome. So, you know, for me, I always wanted to recreate that and have some fun as I'm doing it. Like I remember one of them, you know, I found a vulnerability in SCCM where you can patch an SCCM server to deploy malware to the entire company. So I patched my entire company, you know, a Fortune 1000 company, patched it all live with malware live on stage. So I had like 15,000 shells ringing and heavy metal with a lighter in the air, you know,
like it's those types of things that, you know, I thought were really cool and Mick was awesome. We literally just came out of the thing like, I don't feel like we have enough, we're gonna be social engineering, you know, someone live on stage, we need like a little bit more, and I'm like, what if we would have a chicken calf costume? Mick's like, I'll go get a chicken costume. I'm like, yes, we'll get a chicken costume. And then we'll be on stage with like chicken costumes. This is how it started. So, you know, there's no rhyme or reason, just thought it'd be good to have a chicken costume.
Mick Leach: Absolutely epic. And you're right. It does go down in history as one of the best talks I've ever seen, up there with John Strand's talk about his mom, sending his mom to prison and then eating cake.
Dave Kennedy: Yes. Yes, John is amazing. I love John.
Mick Leach: Yes. Me too. So we've talked a little bit about the past. We've talked a little bit about the present. Now it's time for the future. What advancements or changes do you see in the field of cybersecurity and how do you think they're going to impact the industry?
Dave Kennedy: Yeah, I think, you know, there's a big push and focus on data normalization. Now, I mean, think, you know, what at least machine learning has done. And I hate to say AI, cause it's not really AI yet. Generative AI is good for like programming things. And there's some good functions for that. Like for example, it's not just good at human language, it's great at like PowerShell and C and assembly and things like that, right. It can analyze, you know, abnormal patterns in code very quickly, which I can tell you a story about that, but where I think machine learning really has an applied principle is taking all of these different data sets, normalizing them in a way that you can consistently apply them across your entire organization. You know, the biggest challenge I think most companies face is how do you apply a detection engineering strategy to an organization that is continuously changing and adopting different technologies? And how do you keep up with the latest and greatest threats that are out there? So I think, you know, with machine learning being more and more adopted, the model is becoming a lot more accessible.
I do think defensively, we will have much better visibility into the threats and attacks that are happening out there. You know, we're not going to fix the lack of staffing, alert fatigue, you know, things like that, but what we will fix is hopefully more simplistic ways of looking at complex data that will allow us to be more refined in responding to threats versus the noise. Our balance, our challenge has always been the noise.
You have so much noise out there coming so many false positives, so many other things that it's so difficult to say, well, that one thing right there out of this 50 million things that I just got is, is it, is it, you know, there's a true positive. So those are the things that I think, you know, when we look at the future, the focus really needs to be on that, you know, there's always going to be innovative ways of protection. There's always been innovative ways of other things, but protection takes a really long time to implement in organizations in our industry, everything else. I mean, it's just not an easy thing.
We're going to have these big security programs that are going to take years and years and years, new initiatives. We're going to do DLP and all this other stuff, whatever it ends up being, CASB or whatever the heck, you know, the newest latest stuff is. But at the end of the day, you know, our detection programs are really what saves our asses every single day, because those are the things that don't require substantial uplifting. As long as we have the visibility, we can make changes very quickly in our environment. And I think that's what we have to look at in the future is saying this process here around when we get this data to when we apply detection engineering to what the analyst sees, that has to be agile in itself. We have to adopt those same principles as the rest of the industry. And I think that will be kind of the saving grace for us in our industry and really make things a lot easier for us.
Mick Leach: Yeah, could not agree more. So I've got two final questions for you. Number one is, you know, for anybody that's looking to get into a security role, a SOC role, you know, we talk a little bit about there's a few different ways that the journey can come, right? Do I need a formal education, a traditional college education? Do I need certifications? What if I just work my butt off and I study and I just learn stuff. What is the journey that people can come into this world?
Dave Kennedy: Yep. You bring up a great question. It's a complex one. I'll try to make it super quick. There's a multiple different ways that anybody in this industry can find their own way here and you name them. You mean almost all of them pretty much, you know, straight for you can go the college route. The thing I'll caution you on there is and this is an unfortunate situation, but many of the colleges that we have and we have folks that interview for them. They're horrible at teaching the knowledge. They're not security practitioners. The information is out of date. So we basically have to completely retrain them.
So be really cautious on the actual colleges that you go to the ones that are NSA accredited are probably my favorite. We see just brilliant kids going through the know, NSA, red team type of ones, you know, having an offense, easy to parlay back into defense, right? You know, even any type of initial IT role like IT help desk systems administrator roles, those make fantastic security professionals, because you understand the architecture, the communications, the protocols, that's the foundation of cybersecurity. So if you can understand those, that's where I came through, basically, right? If you can understand all of that, it's easy to build up in your career and to really go into any industry vertical, I think probably becoming a systems administrator, or network engineer, or help desk individual, that's probably the best route that I've seen for people to convert over into literally incident response, being a SOC analyst, offensive capabilities, be it a penetration tester, application security, you name it. Same thing for being a developer. If you're a developer, going into web application security, mobile security becomes extremely easy to parlay into that. I think the issue that we run into is that most cases cybersecurity isn't an entry level position, right? It's very difficult to say, hey, I have no experience. I need to come now here and do this. And that gap, that bridge in between is what we really struggle with in this industry. have thousands of kids getting cybersecurity degrees that can't find jobs because everybody wants to get experience today.
So, doing capture the flags, differentiating yourself through certifications can be a decent way. I'm not an end all be all on certs anyway. I think, you know, there, you know, there's some, some good ones out there. You know, the Hack The Box one, the Offensive Security one is great. SANS has some great ones out there. The SANS college program is fantastic. So SANS has a great college program. If you can, if you can go that route, you basically do all your entry level stuff, your social studies and, you know, language arts and stuff like that, and then you go to SANS to get your final degree.
They have an associate's, bachelor's, and master's program, I believe. And that's a phenomenal program there. Dakota State University has probably one of the best cybersecurity programs I've ever seen out there. So DSU, definitely love repping them. We've hired so many folks from them and they've all been rock stars. You know, there are good programs out there, but to me it's understanding the foundation. You can definitely self-teach yourself. If I see somebody with a resume that doesn't have any experience, but they've done CTFs, blog posts, coding examples, things like that, I'm like, okay, that person I can train.
They've figured it out. It's their obsession. It's their passion. It's a hobby. I can mold them from there. I don't care about them having this experience or this college or anything else. It's that passion I think that we look for.
Mick Leach: Yeah, yeah. And I talk about much the same thing, right? And I look for folks that are insatiably curious. They just have a driven need. They have a driven need to understand. I think the other thing is I love hands-on people. I think those are the folks, when you see those two things combine, you know, they've got a lab at home. They've got some sort of virtual thing. It doesn't have to be, you know, 11 boxes and some elaborate network that they built that's high dollar and all that stuff. It can all be virtual, but show me how you're testing your theories out, you know when I see that curiosity combined with the hands-on activity. That's usually when I've seen I found somebody that is going to be successful in our world.
Dave Kennedy: We definitely recommend, you know, like on a resume, if you, if you have a college certification, cool. But if you have a college certification and you have a GitHub page and blog posts you've done, it doesn't have to be anything like revolutionary. I'm not saying like, hey, you just released this crazy, you know, zero day that does all this stuff. But you know, your experiences of how you learn something will help somebody else learn. If you're posting about that, you're showing how you got through certain critical thinking steps. Those are the things that are going to differentiate yourself from anybody else. If you have two candidates that both have the same college degree, you know, but one person has GitHub pages and a blog post and, you know, is studying for the Offensive Security, you know, Certified Professional, you know, I'm going to look at that person much more myopically than I am the other, right? And so those things make a big difference for sure. And that passion, I can't elaborate enough. Like what made me successful in cybersecurity is cybersecurity wasn't a job. It was my hobby. I loved doing it. I loved exploring things that hadn't been done before or trying to figure out a topic.
I spent two weeks in the basement of my house with soda and pizza, trying to figure out how to bypass data execution prevention, one of the most frustrating things I've ever done in my life. But I came out of it doing it. And it's that type of pushing yourself forward to learn, to figure out a problem that's complex. We can't teach you that. If we can find folks that have that, they're a shoo-in.
Mick Leach: Yeah, and I would encourage our listeners who may be thinking, I don't have anything, you know, to share with the community. You know what, it doesn't matter. Start with what you're studying. It doesn't have to be groundbreaking. It doesn't have to be innovative, but remember that someone is also starting at the start line and you may be able to help them get from zero to one. And so even something that's obvious, that is well known, well documented, sharing your own journey, your own story and how you accomplished that, right? That's going to help someone else. So it doesn't have to be, you know, doing what you were doing, right? In terms of, you know, evasion of systems and those kinds of things.
Dave Kennedy: The first tool that I ever wrote was literally a wrapper for db_autopwn and Metasploit. Like, you know, it was a Python script that literally automated db_autopwn. You'd give it an IP address, it would select the ports, and then it would select the exploits to go and do the most basic, trivial thing. But yeah, you know, it was my first foray into coding, you know, Python and, you know, kind of learning my tool. You build your career over time, you know, and I think that's what people need to realize is that, you know, you don't need to be an expert day one. I still consider myself an expert, I'm always learning, right?
And it's those small things that you do over time that build your foundation of that knowledge that continuously elevate you, move you up and up and up to where you get to a point where you can release something very cool, right? And I'm working on a new tool right now. And I'll be releasing it, I think, at GrrCON, but it's the, it's the Social-Engineer Toolkit AI edition.
Dave Kennedy: And so I'm building, you know, large language models that help automatically clone websites, rewrite them to do social engineering more effectively and efficiently, analyze the websites for query string parameters, analyze it and tell you what the usernames and passwords are. So, you know, it's like, you know, but I'd never done that before. And it just starts off with something really small and turns into something really large, you know, down the road. So it's just, you know, take, take your time, have fun, but don't, don't spread yourself all over the place. Focus on some really cool things that you like to do and that's what you can build your career off of.
Mick Leach: Yeah, yeah. And I love that we touch on some of these things because imposter syndrome is real and we all struggle with it, right? And I want the folks that are new and coming up in the industry to know that, you know, I don't feel like I have it all together. I don't think you probably feel like you have it all together either, right?
Dave Kennedy: No, never. No, no, it's always learning. And, you know, I see so much innovation happening all the time, you know, in our industry. And, you know, even when I was just first starting off, I'm like, man, you know, all these folks have already done it. They've already done all the cool stuff. Like, there's nothing out there for me to even try. Right. And that's not, that's not true. There's always new ways of innovating, doing cool things, being creative, or just, again, sharing your knowledge. Like we had a track at a conference that I ran called DerbyCon, and it was a New to InfoSec one.
And I'll tell you, to be honest with you, I spent most of my time in those tracks because I was learning from people that were just coming into the industry, how they learned, and they learned very differently than I do because, you know, the new technology progression, they've been immersed with technology since they were kids and we weren't. So they learn very differently than we do. So it was very creative in a lot of ways, and what I would hear from these folks actually helped me be better in my job. So, you know, don't, don't discredit yourself in your career or where you're at. You know that everybody starts from some location to go to different places. No one's better than one another. We just have different experiences and journeys that we've taken. And at the end of the day, you can and will be successful if you apply yourself to go and do it.
I mean, I am not a smart person when it comes to, like, like you look at people like HD Moore, for example, that's a walking brain, right? Like, like, there's no way I'm gonna ever be HD Moore, right? You know, it's just not gonna happen. But I've been able to work with my limitations of who I am and still be successful in my industry because
I've made it a hobby and been awesome to it. So, you know, don't compare yourself to others. Don't hold yourself, you know, at a lower bar. You're not. It's just different. Everybody's different.
Mick Leach: That's what I love about the pillars of our industry is that they're very encouraging and helping others move forward and move up in the world, right? You and John Strand and Ed Skoudis and, you know, there's just so many folks out there that have done so much to give back to the industry. And I love it. I love it. So thank you for that.
Dave Kennedy: Yeah, absolutely. And John, same thing. I mean, we're, we're literally brothers from another mother, you know, couldn't have been any more aligned on who we are as people and the industry. You know, Black Hills has some incredibly amazing folks over there. You know, love, love their team, love the people and the mission that they're doing as well. And, you know, you try to surround yourself with a lot of folks like that, yourself, you know, included in that, Mick, and, you know, a lot of amazing folks out there. Mick Douglas, too. I love Mick. He's such a good dude. Known Mick for probably 15 years, if not more.
Good people trying to do good things. And you know, my mission has always been to make the world a safer place. And you know, we always continue to give back to the community. We just started a K-12 mission for kids coming into cybersecurity from inner city schools, and now they come to internships here at TrustedSec, fully paid. You know, so just really cool things, trying to help people, and you know, again, everybody here can do the same. I started TrustedSec in the basement of my house with four months of rent in the bank, you know, like had no idea what I was doing. Had no idea how to start an LLC, had no idea how to run a business, didn't know what a P&L was. You figure it out as you go along. This doesn't happen overnight.
Mick Leach: I love it. Dave, you're the best, man. So one last question is this. If someone can only take one thing away from this amazing conversation that we've had, what would you have that be?
Dave Kennedy: Detection, detection, detection. Like, to me, making your own environment your own, based on the behavior that your company exhibits, will save your butt. There's nothing else out there that we have today. No preventative mechanism that can't be circumvented. Where we really flip the script on an attacker is when an adversary doesn't know the landmine field he or she is on. And so, you know, when I'm walking forward, if I know CrowdStrike or SentinelOne, I know I need to move to the right, right? I know I need to move.
But if I've made CrowdStrike or SentinelOne my own and it's my own environment, well, now I move to the right and there's a landmine there, right? And that's what really shifts the entire discussion around being successful in defense and not being successful in defense. And I think if one thing you could take away is, if there's one or two positions that I would say are most critical for this industry right now, it's threat hunting and it's detection engineering. Those are the two top things that we need in our industry right now: understanding adversaries, building that visibility into our environment and making things our own. That's what's gonna save us in this industry.
Mick Leach: Yeah, in the immortal words of Dr. Eric Cole, prevention is ideal, but detection is a must. He said that in my 401 class years and years ago, and I think he still says it today.
Dave Kennedy: Eric's amazing. Love Eric, and it holds true to this day, and it holds true from, I think, when he first said it 20 years ago. You know, it's the same thing. We just need to work on it and buckle down on it. We'll be successful.
Mick Leach: That's right. Well, Dave, I want to say thank you very much. I appreciate you taking the time to be with us. Folks, I'm Mick Leach reminding you all of our cyber defenders out there to keep fighting the good fight. You are the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you all.