
Tribe of Hackers Blue Team: Tribal Knowledge from the best in Defensive Cybersecurity PDF

368 Pages·2020·12.13 MB·english


TRIBE OF HACKERS BLUE TEAM
TRIBAL KNOWLEDGE FROM THE BEST IN DEFENSIVE CYBERSECURITY
MARCUS J. CAREY & JENNIFER JIN

Copyright © 2020 by Marcus J. Carey and Jennifer Jin
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN: 978-1-119-64341-8 (pbk)
ISBN: 978-1-119-64344-9 (ebk)
ISBN: 978-1-119-64342-5 (ebk)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020941812

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Contents

Acknowledgments vii
Foreword ix
Introduction xi
01 Marcus J. Carey 1
02 Danny Akacki 6
03 Ricky Banda 9
04 William Bengtson 14
05 Amanda Berlin 20
06 O'Shea Bowens 27
07 John Breth 31
08 Lee Brotherston 38
09 Ronald Bushar 47
10 Christopher Caruso 56
11 Eddie Clark 66
12 Mark Clayton 74
13 Ayman Elsawah 80
14 Sahan Fernando 91
15 Stephen Hilt 96
16 Bea Hughes 101
17 Terence Jackson 109
18 Tanya Janca 113
19 Ruth Juma 119
20 Brendon Kelley 123
21 Shawn Kirkland 129
22 Sami Laiho 139
23 Kat Maddox 143
24 Jeffrey Man 147
25 April Mardock 154
26 Bright Gameli Mawudor 159
27 Duncan McAlynn 164
28 Frank McGovern 170
29 Donald McFarlane 172
30 Nathan McNulty 180
31 James Medlock 187
32 Daniel Miessler 192
33 Alyssa Miller 196
34 Maggie Morganti 205
35 Justin Moss 211
36 Mark Orlando 218
37 Mitch Parker 224
38 Stuart Peck 231
39 Carlos Perez 236
40 Quiessence Phillips 242
41 Lauren Proehl 248
42 Josh Rickard 255
43 Megan Roddie 266
44 Jason Schorr 270
45 Chris Sistrunk 274
46 Jayson E. Street 280
47 Michael Tanji 286
48 Ronnie Tokazowski 294
49 Ashley Tolbert 298
50 Ismael Valenzuela 304
51 Dave Venable 321
52 Robert "TProphet" Walker 326
53 Jake Williams 334
54 Robert Willis 340

Acknowledgments

I want to dedicate this to my family and all the people who have helped me over the years. You know who you are, and I love you.
—Marcus J. Carey

I would like to thank my friends and family for being my support system and the Tribe of Hackers community for supporting our mission. We had no idea what kind of reaction the first book would bring, and now here we are with an entire series. I am grateful for the team at Wiley for working with us to bring these books to life. Lastly, thank you, Marcus, for believing in my potential. I wouldn't be here without you!
—Jennifer Jin

Foreword

I'll be honest with you: I destroyed the first Tribe of Hackers book with my highlighting, dog ears, and pencil and pen markings. The 14 questions that interweaved career and personal lives sparked inspiring and thought-provoking concepts. I was thrilled to learn it was going to become a series.

The Tribe of Hackers series is one that every person in the InfoSec community should read. It showcases red teamers, purple teamers, blue teamers, and veteran leaders who have participated in the InfoSec community. It is their lives, their stories. From hearing their stories, we learn more about the community and the importance of understanding the human element's role within security. Let's face it—it's one of the reasons why securing anything can be a challenge.

To secure anything, there needs to be a balance between offense and defense. We need both to keep us secure. Sometimes it seems blue teamers are not getting as much attention as red teamers, and this needs to change. So, prepare yourselves: I thought I should take the time to share why they need equal attention and praise.

It is the blue teamers who are identifying what lies ahead and what tools will assist them. Honestly, blue teamers have the uncanny ability to self-study to solve problems and know how to apply new skills and technology. They are the ones working with the end users and customers when receiving a security issue. They are the ones who know who to go to and create and run processes. They know the ins and outs of different departments and the various roles to communicate and reduce risks across the organization. They become leaders to share security concepts and possible items that can impact business. At times, those individuals don't know much about security at all. Being a good blue teamer sometimes requires a bit of patience and empathy when sharing risks and strengths within an organization's security.

Blue teamers work with constructive communication; in other words, they try their best to build and have good relationships between team members. At the end of the day, we cannot fix or solve anything unless we work together and understand one another. There are times when they need to take a deep breath and try their best not to scream. Once they are done, they focus on the problem, discuss the issues, operate with facts, try their best to not point blame at someone or call them out if they don't understand, and, most importantly, listen actively.

Overall, there's never a break for a blue teamer. Once the containment of the security risk is assured, blue teamers still don't get to press pause. It is an ongoing battle to prevent breaches at all hours and to be on top of everything with the ability to predict. I know that's not everything about a blue teamer, but I hope it paints a picture of why blue teamers deserve recognition, because let's be real—you never hear about the hack or breach that never happened.

To be a good red teamer, you need to experience what it's like to be a blue teamer and vice versa. In the end, no matter if you are a blue teamer or a red teamer, you will never be perfect. What do I mean by this? Red teamers: You will never find every single vulnerability for a specific target. Blue teamers: You will never be 100 percent secure. The eradication of all vulnerabilities is what we all strive to achieve. Many of us have experienced a breach in some way, shape, or form, or at least know someone who has. Those of us who have entered InfoSec to protect the world from malicious attacks and our loved ones' personal data know how bad the recovery can be. We all know that we cannot do what we do without the collaboration of red teamers, blue teamers, and purple teamers.

It is the Tribe of Hackers series that demonstrates why this community is wonderful, from how much we want to learn about the world to how we can protect it by using lessons learned by others. Tribe of Hackers Blue Team provides stories of the everyday heroes who you may never hear about in the news. But they are the essence to keeping us secure every day. Their reflections are honest and true and have provided a deeper understanding of what it's like to be a blue teamer. I hope these interviews encourage you to understand their perspectives and have a deeper empathy for them. If you are a blue teamer, I'm incredibly grateful for your dedication in keeping us all safe. Thank you.

Chloé Messdaghi
Founder, WomenHackerz
May 2020

Introduction

There are two clichés that I think about when I think about cybersecurity, especially the blue team aspect of it. The first is, "The definition of insanity is doing the same thing over and over again and expecting a different result." This has been so true over my 20+ years in cybersecurity. Some tools and practices are still in place even though they aren't effective risk countermeasures. If you asked 100 cybersecurity professionals about the effectiveness of certain tools, you'd get about the same number of takes. Without real testing and metrics, who knows what works? But regardless, we keep on keeping on with the same things.

Another cliché classic is from Otto von Bismarck, who said something like, "Only a fool learns from their own mistakes. The wise person learns from the mistakes of others." Most blue teamers are graduates of the School of Hard Knocks. Many blue team careers have been built on using trial and error to create effective security models. The reason I started the Tribe of Hackers series is so that people can learn from other professionals' insights on how to optimize cybersecurity technology, processes, and personnel for optimal impact.

Just like the Tribe of Hackers: Red Team book, we took our questions from social media. We are pleased that the community came together once again to ask those questions. Our amazing contributors are leaders in cybersecurity who want to share their tribal knowledge. Knowledge sharing is key to getting better at cybersecurity.

Back in the day when I worked in the intelligence community, there were information-sharing problems. This problem is still with us today, especially in the civilian sector. I think we can learn a lesson from the medical profession on how they share new treatments. It helps out globally. In cybersecurity we do not share information globally. If any country, demographic, etc., is more vulnerable to easy-to-mitigate attacks, we all lose. We should treat vulnerabilities like infectious disease outbreaks.
