
A THANKSGIVING SPECIAL: Phishing Failures, Red Team Career Advice, and Cybersecurity Ethics

2024/11/28

Hacker And The Fed

People

Chris Tarbell
Known as the "Eliot Ness of online crime," famed for his outstanding achievements in combating cybercrime.

Hector Monsegur
From hacker to cybersecurity expert: Monsegur's career transition and contributions to cybersecurity.

Topics
Chris Tarbell and Hector Monsegur discuss the effectiveness of phishing training. They analyze the results of an eight-month phishing simulation test run against 20,000 employees, which showed that 56% of employees clicked a phishing link at least once, and that even with internal training a considerable share of employees clicked phishing links repeatedly. They argue that relying on employee training alone is not enough against increasingly sophisticated attacks, and that it must be combined with technical controls such as email security providers, web content filtering and DNS security. They also discuss how to hold employees who repeatedly click phishing links accountable, and suggest stricter training or disciplinary action. Hector Monsegur emphasizes the dilemma security researchers face in vulnerability disclosure. On one hand, if they do not publicly disclose a vulnerability, they may be holding a zero-day; on the other hand, public disclosure may disrupt ongoing investigations or endanger users. He suggests that security researchers try to communicate with the relevant organization before disclosing, and consider public disclosure if that communication goes nowhere. He also suggests that if security researchers discover ongoing malicious activity, they should cooperate with law enforcement.

Chapters
The hosts discuss the effectiveness of phishing training based on a study from the University of Chicago and the University of California, Davis. They explore the challenges and potential solutions, including technical controls and employee education.
  • 56% of users clicked on phishing links in a study involving 20,000 employees.
  • Technical controls like email security providers and DNS filtering can deter phishing attempts.
  • Training is important but must be complemented with technical measures.

Transcript

The most is hat ein special word's most interest .

hats get three million dollars .

in damages in life, in the shadows, on the rise.

Welcome to Hacker and the Fed. I'm Chris Tarbell, former FBI special agent who spent my entire career in cybercrime, joined as always by my hacker monster friend and podcast co-host Hector Monsegur, a former black hat hacker who once faced one hundred and twenty-five years in prison for his many years of hacking under the code name Sabu. Our stories collided in June 2011 when I arrested Hector and convinced him to work with me at the FBI. Hector is now a red teamer, researcher, cybersecurity expert, and like I said, a close personal friend. Hector, how are you doing today?

And my friend, how are you?

Hector, this is a very special episode. First, this is going to go live on Thanksgiving.

So a very thankful Thanksgiving in the United States for our U.S. listeners.

We get listeners all over the world, so hopefully everybody knows what Thanksgiving is. Happy Thanksgiving to all the listeners. Happy Thanksgiving to you, Hector.

Thank you. You too.

It also made me reflect and be grateful, because this is our first live recording since the podcast came back, and Hector and I have been blown away by the number of downloads, the number of listener reach-outs, everything. The podcast is back and going strong, and we are completely grateful for everything we've received from our listeners.

Hey, I've got to say one thing. You know, first of all, I'm happy to do this with you again. That's the most important thing.

But the second point I want to make is how fascinating it is to get a bunch of questions and emails. Those have been really good: a lot of support, a lot of messages on LinkedIn. So I really do appreciate you guys; the support is always appreciated.

But the listeners, the fans, the folks that just want to ask us a question or share an impression. It's been such a journey that you have no idea how emotional I get when I see that stuff. So yeah, the hacking...

The listeners have been great; the reach and the outreach, I'd say, have been great since the show came back. We've gotten so many emails, so many downloads. Again, spread the word, tell your friends Hacker and the Fed is back, and let's get the show stronger than ever. But yeah, we traveled to Florida this month.

This week we were down there for GPSEC Orlando. A great event, great audience turnout.

And I sat on stage with you, and while you were chatting I was listening to what you were saying, but I was also thinking how grateful I am for our friendship. I'm grateful that we both have beautiful families. Yeah. And that we're able to travel around the world, sit in front of an audience, tell stories, talk about cyber, and spread the good word of what you can do to make your cybersecurity stronger. And, you know, the message we can deliver together: that you and I were once adversaries, and now we're sitting here as close, close friends, and we can share that honestly, and at the end people clap for us. I mean, how can we not be grateful for this life and the show and everything we've built, right?

That is a beautiful feeling and experience. Every time we're on stage, even when we have a conversation with folks offline, people are really accepting and open, and that means a lot. We have to remember, I spent a lot of my life being in the shadows. In fact, right now I'm wearing a hoodie; you can see that, right, Chris?

So I've always been someone who was quiet and kept to myself for a long time, and so it was weird for me at the beginning to be able to come up on stage with you or to have conversations the way we do. But now it's second nature. I feel comfortable and happy and excited, and we got some great questions there at this event with GuidePoint. So shout out to the folks down in Orlando; the people that we met are very serious about security.

And I even gave a breakout session right after we finished ours. And it went pretty well. I think the folks didn't know what I was going to talk about, and even I only had a rough idea as to what I was going to talk about, without structure or anything.

It was very, very intimate, a very small room. It was a packed house. So shout out to GuidePoint and shout out to the Orlando ecosystem. We had a small room, but it was filled to the brim. People were standing up.

And so the topic that we discussed in that breakout session was demystifying cyber risk services, and for those that are not in the know, cyber risk services could include things like pentesting or assessments, offensive or defensive, purple teams, et cetera. And so one of the problems that I've seen, Chris, especially when I deal with customers that are new to my space, meaning I just met them for the first time, is that they may have had some sort of pentesting services in the past, but the things I'm taking away from those conversations are, one, they are not really sure as to what a pentest really is.

In some cases they don't know the differences between black box or white box, and I get it, I'm not disparaging anybody, but these are things where the security industry in many ways may have failed some of these customers by not properly breaking down and explaining differences or nuances. So that's what the breakout session was really about, just kind of a one-on-one: what is a pentest, what is a black box, what's the difference between an email social engineering campaign and maybe a targeted campaign, and then of course answering questions. So it worked out really well, and I ended up leaving the place about an hour and a half after you had departed.

Let me say you have a small or maybe a medium-sized company. And up to this point, you've had an IT team. And the IT team is about providing services and moving your technology forward: letting the customers have email, making sure that the printers are working. They're there to provide service, not really security-based.

Maybe they update passwords once in a while, or reset passwords, and that's worth something. But where would someone like this get information like you're talking about in this breakout session? What do you offer to people, what do you say? You know, maybe the industry has let them down by not informing them about these things, but what is a good source, besides Hacker and the Fed, to get this information?

Right, and Hacker and the Fed is going to try to provide those details and those nuanced answers. So that is a great question. I want to answer it in my usual Hector way, by providing context.

So at one point, when I started in this space, the nineties, and then of course the two thousands, there really wasn't much information, right? There really wasn't much as to, you know, hey, what is a pentest? Why do you need a pentest? And plus, back then, you didn't have too many regulations, requirements,

prerequisites, guidelines, frameworks, and required cyber hygiene. So a lot of folks were not interested until they were compromised in some way. Okay, now if you were a customer back then, in the early two thousands, maybe the mid two thousand tens, you would go online and type in, hey, I need a pentest, on Google, and maybe you got the top one hundred security companies offering services like this, TrustedSec and the like.

And that was cool. Now the problem you have is that as soon as you type pentest services into a Google search engine or similar, you're going to be bombarded with marketing. Now some security companies do put together content on breakdowns and differentiators, or differences between services, but everything else that you're going to see in a search engine is probably going to be marketing or sales content, which is not too useful.

So, to answer your question directly: yes, you could probably find that information online with some very specific Google queries, something like "what are the differences between a black box penetration test and a white box penetration test," and you might find some great resources there, assuming that you don't get barraged with sales marketing. You can also utilize, and I'm sure people are tired of hearing it, but definitely utilize ChatGPT or similar, Claude; these resources will do a great job at hyper-focusing on your question and providing you a more direct answer than a general or generic search inquiry. But yeah, so if you are an organization, midsize, small, SMB, whatever you have, and you're curious as to what it is that you need to do when it comes to cyber and testing, utilize

ChatGPT, talk to people in your space. Look at your local community. If you're from Orlando, what do you have in Orlando? You have very good researchers out there, like Mike and other good guys.

You have vendors out there like GuidePoint and other organizations that are pretty good at communicating a lot of the stuff we've discussed so far. The local communities are always going to be a great resource for you, specifically to identify a good local vendor that you could build a relationship with. So no matter where you're at, you're going to find a local vendor; sit down and have a conversation with them and ask them these questions. And if it's a flop and it doesn't work out, look for someone else, for sure.

Yeah, I agree with everything you said. Two other things. If you do have a question, reach out with your questions at questions@hackerandthefed.com. We will help you go through your stuff and teach you what you need to know and point you in the right direction. Hey, I've done well over sixty episodes, and we've been nothing but honest with you guys on all that stuff.

But yeah, you're right about the AI searches. I'm not a Google guy, but I listened to another podcast and they were going off about how great it is that the AI searches now are coming up on Google, and it really condenses the research and puts it in the right way. So there are some great AI searches out there. But that brings up our next topic, our first topic of the day: phishing training. Is it actually effective? So you were perusing through X and you found a research study titled "Understanding the Efficacy of Phishing Training in Practice," by researchers from the University of Chicago and the University of California San Diego. Tell us a little bit about what you found.

Yeah, no, it's a great, great report, a great research project. I have to say that I really enjoyed reading through it.

Well, first, what is phishing training? Let's start there.

Yeah, no, yeah. Let's do it right. Let's be professional about it, right? Let's break it down. So phishing training, there are several different ways to go about it. First let's talk about what phishing is.

So phishing is when an adversary, a bad actor, is trying to obtain information, which could be credentials, sensitive details, wiring details, maybe customer details, by means of the human element, where they're going to utilize emails, SMS phishing, which by the way is very effective, LinkedIn social engineering, or rather social media, and then of course you have things like even physical, right, walking into a building and saying, hey, I'm a new hire, I need to get past security, can you walk me through as your guest? So when you have phishing training in an organization, there are two things you're going to do. One, there is going to be some sort of content: materials, reading materials, maybe screenshots, and actually some really cool platforms where they do training.

I've seen it as effective because, in order for you to move forward from the first screen, you have to read through and answer the question to get to the next screen and go through that process. It can be annoying for folks. I think people tend to speed-run through those kinds of training, which I think is implied in the report here. The next wave of dealing with phishing training is sending out emails from within your own organization and trying to get your employees to click on links, open the emails, provide credentials, things of that nature.

Now, based off of what happens once a bad email comes in, whether you open it, whether you do a visual inspection of the email, of the sender, of the subject, of the body, of the link, the next stage of the engagement is: does our employee click on the link? And if so, are they providing credentials or other sensitive information? So there are, I would say, two different directions when it comes to phishing training: the content, and the self-tests or self social engineering engagements, which is what this report is going to cover.

So I know for a long time they tried to make the links as sexy as possible. They would send one about the bonuses at the end of the year, with a spreadsheet of everyone's bonus, and you weren't supposed to get this, trying to get you to click on it. But they also like to make it look like you got kicked out: if you click on the link, you're kicked out and you have to log back into the system through a fake drive-by page or something like that. Are you finding it's getting more and more sophisticated? Or does it not need to be, because people are clicking on links anyway?

Man, yeah. So it's definitely become more sophisticated. Adversaries and even security researchers have come up with very cool tools where the social engineering will go beyond the email link and onto a landing page. And inside the landing page is some sort of credential harvesting form.

What adversaries have done is set up maybe a platform that hosts a static web page. And when you click on the static web page, it will redirect you to the real home page, but as an in-between.

So the malicious website, or the URL that you went to, is acting as a man in the middle, so that the credentials are harvested from the employee, and if MFA is enabled the adversary could just hijack the session cookies, or wait for you to submit your MFA token or one-time pin, and once you submit that, now the adversary has that plus the session cookie and credentials. So we've seen a lot of that as well. There's also things like OAuth phishing, where you get a legitimate page which uses a legitimate authorized app for Microsoft, or looks like that for Microsoft, and you authorize the login, and what you've done is you've backdoored your email account. I mean, there's a lot of ways to fail; there are some really sophisticated operators out there. And beyond a few cursory checks, I can see why the statistics we're seeing from different reports, this one included, have said, well, regardless of training and internal education, regardless of any security tools plus training, the success rates are still two to five percent across billions of emails. I mean, we saw the Verizon data breach report a couple of years ago, and if you look at billions of emails, two to five percent of billions of emails is still a massive number of employees clicking on links. Pretty scary.

So let me go through this study real quick and the results of it, and then you can share some points that you found from this data. So the study was about twenty thousand full-time employees at the University of California San Diego Health, collected over an eight-month phishing campaign against them. It mostly focused on active full-time employees; data for non-active accounts was excluded from the study. The participants spanned a variety of medical roles, doctors, nurses, HR, IT, administrative staff, everyone involved in operations. It involved ten unique phishing emails focused on drive-by download and credential phishing attacks, and the participants were randomly assigned to different training groups to evaluate the effectiveness of the various training programs. So what they found is that fifty-six percent of users, over eleven thousand, failed at least once by clicking on an embedded phishing URL. Is that surprising to you?

No, no. So they opened the email and they clicked on the link. Fifty-six percent does not surprise me, because that's the human element, where it is curiosity. What is this? What am I working on?

So I will say, I click on the email. I click on the emails like I know there's a phishing campaign. It was obviously a test.

I click on it, but then I go to the head of the team and tell them it's from a phishing campaign or something like that. But I don't think I ever clicked on anything else; I think I was good with that. But twenty-six percent of the users failed at least two phishing simulations.

Ten percent failed at least three, and three and a half percent failed four, and one user failed every single time. I don't know about that. I think you might have to make an example of that one person. I know they don't really fire people for phishing stuff, but why not? What gets someone fired, if not failing at phishing over and over and over, every time?

Well, remember, a lot of these people have been going through training. So this was a social engineering campaign against these active employees. But from the report we're reading, these folks are also doing in-house training, so they're going through reading material and content, screenshots.

Here's what a phishing email is. Here's what you should not do; here's what you should do if you're compromised. If you provide credentials, you need to speak to your security team. So for us to see ten percent of your nineteen thousand employees failing three times or more, or rather three times, is quite scary. That one person who failed every single simulation, I'd start to figure they're an insider threat, one hundred percent an insider threat. I would take their computer from them.

Yeah, well, good point. Accountability. We've talked about this before on previous episodes. Okay. So for the fifty-six percent of users that clicked on the link, that was bad. But I could understand the curiosity.

Okay, for the folks that clicked on two to three campaigns, three different engagements, those are people that we need to sit down with. Okay guys, we need to really address the situation: why do you guys keep... you have clicked on at least three different engagements. Is it our training?

Let's sit down and have a deeper discussion about this. But for points four and five, where three point five percent of those nineteen thousand failed four exercises, and then of course that one person, we may have to consider some sort of probationary period or even more extensive training.

Something has to happen, some sort of accountability, because they're doing internal training. Now if, out of twenty thousand people, these folks are all non-technical, have never had any sort of IT training or security training, and these engagements happened prior to said training, then yeah, I could understand these numbers. But post-training, when these folks are still failing, well, maybe they're not taking the job seriously. This is my take.

You're sort of in this world every single day, as you provide some of these services. Are you seeing similar results, no matter the size of the organization or how big the security team?

Yeah, we are seeing some similar results for sure. Whenever we engage in a social engineering campaign, these emails, or SMS, with SMS we're actually seeing much higher numbers, by the way.

Really?

This is why SMS is much more successful, and it's a winning wager, because of accessibility. Your phone is always with you; you're always scrolling around on your phone. You're getting messages from your PT, your priest or counselor, or your therapist.

So an email, or rather an SMS message, comes into your phone. You immediately take a look at it.

Now you're curious: a UPS or USPS link, let me click on that. Oh man, I need to take care of this, and boom, that's it, right? So we're seeing a lot more success with SMS.

I can't really tell you about social media, because a lot of times clients don't ask us for that. But for emails, the numbers are pretty similar here. We're looking at about half of the emails being opened.

Maybe a small percentage of emails yield clicks, for sure. That's a big difference. As for specific clients failing four, five times, I haven't seen that as often. But we're definitely seeing at least ten to twelve percent success rates with each campaign.

So do you think this sort of training is important?

I think the training is still important, but I think it's even more important to start putting in technical controls to really help with email security concerns.

Because people are failing; your employees are failing in these tests, you are seeing what technical aspects are being circumvented because of it. And you think you can identify system vulnerabilities just because the user screwed up so bad?

Yeah, no, there are always going to be gaps you're going to take away from the reports. And I think that this report was extremely useful. I think that anyone listening here should take a look at the report and can start to identify potential gaps in their own environment. Remember, the whole point of this report is to put into question: is phishing training efficient or effective to help mitigate against outside adversaries and social engineering campaigns? And the answer is probably no, right?

So I think that you as a technical person, or if you are not a technical person, you are looking at this and saying, okay, maybe we need to start focusing efforts on technical controls as well, aside from the internal training and of course some sort of policies with regard to accountability. And so I think that this report, once all the things are explored, will yield much better results for the organizations. As for technical controls, again, these are things I think we have talked about before.

But you want to use an email security provider that's going to do a few things for you. One, it's going to monitor incoming email for bad indicators, like a spoofed email. Is the email sender someone who has emailed us before? Are they a brand new sender? So let's put a tag in the subject that says new sender.

If the email comes from outside of our domain, we're going to put an external tag somewhere in there so that the employee understands that this email came from the outside and you have to be very suspicious of its contents. Another thing we want to look at is, if an email comes from a domain that is similar to ours, that's a permutation; permutations are usually indicators of a bad actor. And then finally, safe mail, using a kind of email screening solution. You also want to take a look at something like web content filtering or DNS categorization.

You know, let's go back to the main stat, the first stat, rather: fifty-six percent of users, eleven thousand and seventy-seven out of eight thousand and eighty-nine, failed at least once by clicking on the embedded phishing link. These are curious users. Now if the link goes to a domain or an IP address that is not categorized, what that means is, depending on the product you decide to use that utilizes DNS categorization,

if it's an IP address it automatically fails and you will get a warning before you're redirected to that URL. And that right there is going to deter a lot of people. Now if it is a domain as part of the URL instead of an IP address, and it does not fit a category, like Facebook would be social media, AT&T would be a service provider, and of course usbank.com would be a bank,

if that URL fails every category, if it does not fit any category, again, you get a warning message. And again, that's going to be a deterrent.

Any warning message is going to be a deterrent for your clients, your employees, especially if as part of your training you say, by the way, we're using Cisco Umbrella, we're using IBM X-Force, you're going to see a little warning message.

If you see that warning message, you have to scrutinize the email and link even more so. And I promise you, Chris, these numbers would start to go out the window.

I mean, I agree with you.

I ran a few of these campaigns, and first, as for technical controls, I know sometimes you have to tell the IT people, well, we need to turn this off so people, one, get the emails and, two, don't get those warnings. So technical controls are very important.

But you also talked about these domains and putting them in different locations, and I think they saw a big uptick years ago, probably six years ago, of hosting on Google Docs so that the link got a Google domain. Most companies didn't block Google, so it gets down to the subdomains and the type of documents, and then you have to whitelist all the different domains that you want while blocking Google Docs, I think. But yes, there's a lot of good recommendations you have there for the audience: MFA, DMARC, DNS categorization.

You hit a lot of good points in that for the audience to take away here. We're in this more and more with social media. You said you tested with this one, but we are seeing that happen more, with LinkedIn contacts becoming connected to people they don't really know. Vishing was a big part of the MGM and the Caesars hack, right? So your attack vectors are broadening all the time.

The more you add onto your plate, whether social media, if you're using LinkedIn for business networking, which is great, I love it, but it still adds to your attack surface; if you're adding a thousand brand new employees next month because you guys have had a massive uptick; if you are adding new devices to your network; if you are trying to be convenient with your executives and opening up certain ports and services and providing them more relaxed policies, whitelisting,

yes, you are expanding your attack surface more and more. As you add that into your ecosystem, it becomes difficult to maintain a good bird's-eye view of everything, because eventually that bird's-eye view is going to reach a limit on how far you can see. And if you're not actively monitoring it, you're always going to put yourself at a disadvantage, especially with an adversary that just needs to win once, right? You could win a thousand times a day. You could block twenty thousand hacking attempts a year, you could identify and block an active campaign, you could have your camera spot someone breaking into your building at three in the morning and have the person captured and arrested.

These are all great wins. All the adversary needs is one: one oversight, one misconfiguration, one account without MFA enabled, and it's game over, you know. So I would say that this was a great report.

Chris and I really took a lot away from it. As a reader, I put myself... this is one thing you guys don't know, right? When I read a report like that, I'm not looking at it as a hacker or as Sabu.

I'm looking at it as the end consumer, or the client. I'm a CISO, so I pretend to be a CISO here. I'm emulating that.

Let me take a look at this. Okay, here's what I'm doing with my organization, here's what I'm not doing with my organization. These are things that are priorities to fix. So, you know, I think the exercises are still great. I think the phishing training is fantastic.

I think that holding people accountable and setting up policies, all of that is fantastic; having tabletop exercises is great. But you're still going to have to implement technical controls. You're still going to have to validate those technical controls, and then hope that you guys hold on as long as you can, because like I said, one attacker with persistence may get in. And hopefully by the time that happens, if it happens, you've put in or implemented internal technical controls to waste their time.

Actually, like I said at the beginning of the show, lots of great listener questions, lots of things coming in to questions@hackerandthefed.com. If you guys have a question, please reach out to us at questions@hackerandthefed.com. We've got tons of questions, but I only picked out three, so we'll get to every question, I tell you that for a fact, Hector.

We're going to do our thing. You've been great at answering right back to people. So if you guys send in a question, Hector is going to respond to you pretty quickly, long before I do.

It gets a personal email back to you, but a couple to add to the show. So we did get an email from my friend Cordy. Cordy has sent messages before. Actually, I even had a private conversation with her offline.

She's a federal cyber investigator, and she's amazing. She's doing great. So Cordy asks: what's your take on security researchers publicly disclosing adversarial campaigns, causing potential disruptions in ongoing investigations?

So this is a tough one for me, Hector. As a former investigator at the federal level, I'm going after people. I've got subpoenas and search warrants and everything going out there.

I'm trying to build my case and all that, and the researchers think they're doing a great job and let the bad guy know the mistakes they're making: hey bad guy, you're doing this, and publicly shame them. So it kind of messes up my arrest, because of it he changes his techniques or changes the way he's doing things. So all the work I've done to this point building the case is out the window. Not really, somewhat, because I still have the charges, I still have the information that came in to identify who it is.

I may not be able to identify the victims now, but, you know, it's going to sort of change the MO of what's going on. What's your take on this from the security researcher standpoint? You're on the other side of this. Um, you wouldn't know about a federal investigation happening, so it would be hard to blame you as a security researcher unless you're working with the feds.

It is an important question, and it is a question you've asked me before plenty of times. So as a researcher, and as someone who was a researcher before, you know, the whole Anonymous and getting arrested thing, that was part of my life. So before all of that, I was someone that would do a disclosure; I would put together a write-up in a blog post.

In fact, my old blog posts from, you know, twenty years ago are still online. I think it's on Blogspot. It's more my advisory stuff there. So I would do the same thing.

I would post a disclosure. I would try to follow, you know, a friendly security disclosure with the organization or the vendor, whichever, where I would put together a write-up, email them, start a communication. Um, they would acknowledge, or send a generic response to say, yeah, we're looking into this, and then they'll just disappear. Okay, they'll disappear, and at that point I have no idea where to go from there. I've reported the vulnerability to the organization; it's been two months.

Since they acknowledged my email, um, they have not corrected the problem. And so as a researcher now I have a dilemma. The dilemma is, if I stay quiet and mum and hush about this vulnerability I discovered, and, you know, nobody else knows about it, technically I'm sitting on a zero-day, right?

I'm sitting on a zero-day. And if I could orchestrate the individual steps to exploit the vulnerability, then I have a weaponized zero-day exploit just sitting there on my laptop. And, by the way, for the rest of you in the audience, there are probably

thousands or tens of thousands of that exact thing happening right now. So security researchers are extremely important to our industry, in our space, and for society. I'll take it that there are great people, very smart people, but the dilemma is always going to pop up, which is: you report something, the vendor doesn't really interact with you beyond the initial email, and you have no idea what to do from there. Some security researchers will then do a full disclosure.

They'll post a blog post, they'll go on Twitter, or X, they'll hop on a TV interview or media interview and say, yeah, I've identified this vulnerability in X, I've reported it to Y, and these are the things about that happening, um, and/or, hey, I'm seeing people actively exploiting this and I've reported it and nothing's happening.

So here's a full disclosure. Here's the product, here's the vendor, here's the vulnerability, here's how you would exploit it. Good luck.

Good luck, everybody, right? That's a full disclosure, and that is extremely scary for anybody, including the end users.

However, in some cases it makes sense to go that road, especially with vendors that are kind of deadbeats, like deadbeat landlords, right? They're not taking their security seriously. I think in Cordy's case, it might be a little different.

The question that she asked is fantastic. And if we would apply that to something like, let's say, an ongoing campaign of some sort: if you are a security researcher and you're able to intercept an ongoing campaign, you should probably speak to someone in law enforcement, or some sort of connection you can email, CISA.

So now you can reach out to NIST, right? You have resources you can communicate with, uh, the Computer Emergency Response Team; you can reach out to them. There are people you can reach out to if you've identified an active campaign against, uh, potential victims, to tell them how the campaign is going: let me know what you guys want me to do, because I want to expose this. The bad part is when you find a researcher that immediately just discloses everything and makes zero effort at communication; that, I think, will cause problems for you and your investigative

case. So, you know, from the investigator's side, I would be scared to reach out to a security researcher that got to me. I would be worried that that was the adversary, um, trying to gain information from my investigation, and again, that's just the skeptic in me, you know, you caught me coming out. But on the other side of it, you try to reach out to certain people and you don't hear back. I was an FBI agent; let me tell you a quick story.

I was an FBI agent in New York City working big cases. I got a tip that there was a vulnerability in CBS's, uh, systems, uh, and someone was exploiting it. I reached out to CBS.

They didn't believe me. They wouldn't even take my call. I couldn't get through. I eventually found out and got Les Moonves, who at the time was the CEO of CBS.

I got his cell phone number, and I called his cell phone from my desk. Now, my boss thought I was crazy, but it was the only way I could get them to pay attention. And I always had the same trick. Every time I'd call and they'd say they didn't believe me, I'd say, my name is Chris Tarbell.

Call the FBI, any number you want to find for the FBI on the internet, call and ask to talk to me, and they would call the switchboard down in DC or the New York switchboard and be put through to me. Um, so then they would believe me and we'd have a conversation. Um, but again, I mean, I wasn't a security researcher. I was an FBI agent; you would think that would carry some credibility. And I couldn't get CBS to take me seriously until I went to the head of CBS.

Oh, so good luck to, you know, the security researchers who are trying to get out there and get their information known. Sometimes you have to just publish it, and then people, you know... and I'm not saying that's the best. Um, and again, if I was in Cordy's, you know, position, which I was historically, um, it would piss me off. But, you know, sometimes these guys just don't have anything else to do and can't get the information out any other way.

So with that being said, right, so if I am an investigator and I see someone publish a story, a blog post, a piece of content, or maybe even do a speech at DEF CON or another conference, uh, about the exact topic that I'm investigating, let's say some sort of ongoing scam, uh, pig butchering, for example; let's say the investigator does handle, you know, a ton of pig butchering cases, and you see a researcher speak on the topic, and it actually includes one of your victims.

I don't know what the etiquette would be, but I would think that I would, as the investigator, reach out to the researcher to say, by the way, I checked out, you know, your blog post, your talk; it just so happens that one of the people that you spotted or listed as a victim is actually one of my victims. I would love to collaborate with you if possible. Again, I don't know what the etiquette is.

A good investigator would do exactly that. They would do a little bit of research into who that person was, and they would reach out to them and say, I'd love to bring you in on the case. You know, I can't tell you all the details. I can't tell you what I'm doing, but you've touched some major points of my case, and, you know, they can even go to the point of, you know, in the FBI at least, you know, I can sign you up as a source, and then you are part of the investigation. You know, there is a lot of stuff that goes along with sources, but, you know, some people think it's really fancy

to be a source. So yeah, no, a hundred percent, great question.

Yes, that builds a good relationship. So we're getting long. So one more question. Jordan, Jay, writes: I've been working in cybersecurity for several years now as a blue teamer. Can you tell me what a blue teamer is, for the audience, what a blue teamer is?

Yeah, yes. So a blue teamer is someone who works on the defensive side of your IT security program.

That's SIEM monitoring, vulnerability management, detect and respond, et cetera.

So Jordan recently had the opportunity to pivot more towards red teaming and the offensive side of security. And he wants to know, what would you recommend for training, education, certifications, et cetera, to hone his skills in this area? So if he already has a good skill set, he's been blue teaming for a long time, what skill sets does he need to kind of pivot to become a good red teamer? Um, and do you think, you know, having that skill set as a blue teamer makes you a good red teamer? If you're good at defense, can you then go offense?

Yeah, I think that there will be, um, some concepts that he would have to introduce into his knowledge space for sure. But I think that he really has the fundamentals. He has a good understanding of the kind of attack vectors or vulnerabilities an adversary may look for.

He's already done some hunting. He's probably already looked at SIEM logs and SOC emails, community. So I would say, from the blue team side, he has a head start versus somebody who just came out of college or university and wants to get into cybersecurity on the offensive side.

And they had to learn a whole bunch of offensive stuff plus security fundamentals. And then they also had to learn the blue team defensive fundamentals, right, in order to break in. And so it's like a building: um, if you get past the first door, you have to know, you know, the layout of the organization, or you have to learn how to do connections and lateral movement.

Uh, Jordan probably has those fundamentals. So all Jordan has to do is swap that around a bit and start looking at attack vectors from the adversarial perspective, not the defensive perspective; they are two different conversations. So the good news is, in 2024, there are a ton of good resources all over the internet.

Um, you have great YouTubers like IppSec and other people that will walk you through, uh, TryHackMe, Hack The Box virtual machines. They kind of walk through what the tool is, how to use that tool, and it's all, I would say, mostly offensive, which is great for Jordan here. Now finally, as for certifications, at one point of my life, Chris, I was kind of against certifications. I thought they were kind of dumb. And then I realized that the reason why I didn't need these certifications is because of who I am, and that's not really fair, because 99.9 percent of people, you know, didn't go, didn't meet a Chris Tarbell when

I went to prison, right?

Who you were, who you were, who I was, who he was.

We don't want you to read that.

No, no, no, definitely. So because of that, I've taken a much deeper look at certifications. More recently, I'm even partnering up with, uh, a startup company coming out where they are,

they are putting together security concepts, security training content, and of course certifications that are ISO certified, which is really good for the US. So with that being said, yes, you know, look at what space you want to get into when it comes to, say, offensive security. If you want to go into management, you're going to have to look at management-specific certifications and training.

If you want to get more into the highly technical, which is what I do, the red teaming, adversary emulation, then you have to look at things like OSCP and similar certifications that will tell the people that you're going to work with, hey, this guy has a real understanding of offensive security, X, Y, Z.

This guy is ready to go. So, yeah, 2024. So in terms of training, you have a lot of great resources.

Now you could use TryHackMe, Hack The Box. You can set up your own virtual machines, set up some vulnerable applications, and do some practice runs. You're going to have to look at CVEs and security researchers' vulnerability reports.

I would also tell folks out there to take a look at the intel reports. Those are really fantastic reads, regardless of whether you're into intelligence or not. There's a lot of indicators of compromise and methodologies that you can leverage into your own knowledge base.

You and I have a different opinion of fantastic reads.

Is this exciting?

What about the job market? Are you seeing good advances? Like, if you saw a young kid getting into either red teaming or blue teaming, is this an expanding market, or has AI started to affect either one of those?

I'll be honest with you, Chris, you know, we've had this conversation before. I'm still of the position that the job market here, at least here in the United States, I can't speak for Europe or Asia, but here in the United States the job market for cybersecurity jobs is just weird. I've seen debates, uh, by several different researchers from different spaces, different categories, who will say there are hundreds of thousands of jobs, people, let's come on and get going. And then you have someone come and say, well, just because you see a hundred thousand jobs on LinkedIn or social media doesn't mean there's a hundred thousand jobs available.

They are, but you need ten years' experience for entry level.

That's not a thing. Accessibility, right? So you are a college grad.

You just finished school, right? Let's say Chris is up here, just out of school. He's ready to go. He's into security.

And then, yeah, he meets an HR person who's like, we would love to give you this job, however you need at least five years of experience. Well, how am I going to get five years of experience in the job right now? I just finished school two weeks ago. So where am I going to work? Then now, the jobs that are open to work, where there is like no hard requirement for, like, a minimum required time, whatever.

Those shops really don't exist, unless it's like an entry-level SOC analyst, the entry analyst job, which is like, hey, just look at the screen all day and look for alerts and write a report. What do you say? But even those are limited in nature, and limited in number too. Um, so yeah, the job market itself is difficult. I would say, folks out there, I would say do what Jordan has done. Jordan has found a job on the blue team side.

He wants to go offensive. He can easily now switch over to the offensive side. And if his business told Jordan, hey Jordan, we don't really need a red team right now...

So if you don't want to do the blue team work, you have to find another job. Here's what Jordan has. He has an extensive knowledge space.

He has the minimum required time of experience. And now Jordan will be able to start applying to all those mythical jobs on LinkedIn, all those crazy numbers of jobs. And I'm hopeful and confident Jordan will get a good job.

But for folks without Jordan's experience, unfortunately, you're going to have a much more difficult run at it. Definitely network, local communities, internships. And if that doesn't work, guess what? Become an entrepreneur. Start out young.

And Jordan was smart to find the resources he needed to find. Jordan listens to Hacker and the Fed, and he reached out to us at questions at hacker and the fed. So guys, if you've got a question, like Jordan, reach out to questions at hacker and the fed, leave some five-star reviews, share us on social media, and tell, you know, your coworkers and some friends about us.

We really want to grow the show. Hector re-dedicated to getting the show back and going, um, with three weeks in a row, and we're going strong. We love doing the show, Hector. Great show, happy Thanksgiving to you, happy Thanksgiving to all of our listeners. And so I hope everyone can enjoy their families and friends and just have a good day, relax, and just appreciate, you know, how good we have it in life.

Oh yeah, absolutely. Listen, sometimes we get caught up in all of the world affairs that are out here. And in this space of cybersecurity, that's all the mess. I'm hopeful that you guys can just sit back, relax, disconnect, have some good food, enjoy a good football game or two, and have a great holiday, Thanksgiving.

Thank you, everybody. I love you, I appreciate you. Likewise.

Well, let me go.