The relationship between law enforcement and the infosec community can be cordial and cooperative at times. But it can also be confrontational and divisive, as in the debate surrounding backdoors in strong encryption for lawful access or the arrest of cybersecurity researcher Marcus Hutchins on charges of creating and selling malware.
In this Q&A conducted at Black Hat USA 2018, Amanda Rousseau, senior security researcher at Endgame Inc., a cyber operations platform vendor based in Arlington, Va., explained why the term “hacker” is unhelpful and how cybersecurity researchers find their way from being a script kiddie to putting on the white, black or gray hat.
Editor’s note: This interview is part two of a Q&A with Amanda Rousseau, and it has been edited for clarity and length.
What is your take on the apparent tensions between the cybersecurity researcher community and law enforcement or the government?
Amanda Rousseau: ‘Hackers’ is really a term for people that don’t know the industry. I don’t usually say ‘hacker,’ unless they don’t know what a security researcher is.
If I’m in my running group, and they ask me what I do for a living, I’m like, ‘Oh, I’m just an engineer — a security engineer.’ [And they ask,] ‘What’s that? It sounds boring.’ You know?
But even people that started out as a black hat or a gray hat hacker when they’re young usually transition to white hat when they get older. Back in the day — like ’80s, ’90s — that was the case. You can probably find someone and ask them, ‘Hey, did you ever download off of Pirate Bay before?’ … And they’ll probably say, ‘Yeah.’
But now, because they have that knowledge, they are the white hats of today helping out law enforcement, because, now that they’re older, they know it’s bad.
I mean, even with law enforcement, there’s a fine line between legal hacking and illegal hacking, right?
What is the best way to explain to those outside the community the nuance that comes with being a cybersecurity researcher?
Rousseau: I think that they’re marketing it wrong. They use Hollywood really heavily to show this cool hacker lifestyle. But there’s a whole other side to that. I see it in the military sense; I see it as my mission. It’s more like cyberwarfare to me — that it’s my duty to protect whoever I’m protecting from the digital threat. If you see it in a sense of being a protector or a blue-teamer, it’s much more approachable than the negative context of being a hacker, right?
And ‘hacker,’ in the dictionary, it was considered as a negative term. But in reality, it’s someone who thinks outside the box, finds the bad thing and then tells people how to fix that. And it’s hard to explain that to people who are not in it. But I think if you explain it in military terms, it’s much more easy to consume.
If you’re going after someone’s assets, you want to protect those assets as the guard. But you have to actively monitor what’s going on and then fix it as you go. And that’s pretty much what we’re doing, [asking], ‘How can we think outside the box to protect ourselves?’ And, ‘Can we probe ourselves to make sure that we’re protected from ourselves, too?’ — which we call pen testing.
With the military analogy, the defensive part is pretty easy to explain. But could you expand on the offensive pen-testing angle?
Rousseau: There [are] two sides of that spectrum of people doing the offensive work so that the bad guys don’t actually do it. And [there are] the people who are defending, [who] build those infrastructures to protect it.
Somebody has to play the other side, but they can’t know anything about the other team. They have to figure it out during the exercise. And that’s where you evaluate whether or not your assets are protected, which we call ‘red versus blue.’
The analogy I like to use is my car analogy. You have a purse in your car or a bag, backpack, right? It’s out in the open; [the] bad guy sees it [and thinks], ‘I want that bag.’ He could just bust the window in and get it. And you’ll figure it out early, because the car alarm will go off, the window’s busted and your bag is stolen. So, you can immediately rectify the situation.
But because the bad guys are learning and getting smarter, they’re finding stealthier ways to get the bag out of the car without you knowing about it. Say, they figured out how to open the door through the rearview mirror by messing with the switches and unlocking the door. And instead of just taking up the whole bag, what they do is they put in a decoy bag so that you think that nothing is wrong until you look inside and there’s nothing in there.
It’s similar to protecting your assets. How do you know someone’s in your network if they’re being sneaky about it? You have to bubble up all of these alerts and logs in order to respond to it. And respond to an alert that makes sense.
In the Target breach, they didn’t know how to respond to the alert, because the alert was so vague that they didn’t do anything about it until it was too late. A lot of it comes in usability and scalability. Can I put it on 1,000 desktops? And can I manage it with one to two people?
If you think about it, there are more people trying to attack you than you can defend. So, the whole science around all of these vendor tools and everything is trying to make those two guys’ — that are doing blue team — lives much easier in protecting a huge company.
What do you think when you see stories about something like the recently discovered Yale breach, where they didn’t realize that it happened for 10 years?
Rousseau: That’s common. I’ve been in breaches where they didn’t know it was in there for six months. [The attackers] kept coming back in and stealing more, coming back in and stealing more. And they found out they came in from a previous breach, so there were multiple people in the same network stealing.
They thought that they were covered. Their internal team, they had these certain [security] tools, but they weren’t actively looking. When they did log analysis, they were manually printing them out and analyzing the logs one by one, thinking that they would catch something. But scaling-wise, you really can’t do that.
Amanda Rousseausenior security researcher, Endgame
It comes down to data science to bubble up the things that are anomalies and are important. With all of these cloud servers and data all over the place, there’s so much information on the internet that you’ve got to be able to scale to that level.
Even now, I’m having trouble going over just 1,000 samples an hour. I can’t make copies of myself. But I can make code that can do my job.
There [are] not enough people in the industry that do these technical jobs. That’s why I try to give back to the reverse-engineering community as much as I can — doing workshops and talks like this and different code — because I know how hard it is. It took me forever to get to where I am. I didn’t have those types of resources growing up; I just had to sit there and figure it out.
Even the trainings that people come out of the military with, or the DOD [Department of Defense], or law enforcement, they’re forced to get some trainings, but some of them are not up to par of today. I think Black Hat is probably the closest you’re going to get to training that people actually use.
How do we scale training and education to create the next generation of cybersecurity researchers?
Rousseau: That’s a big question that I might not be able to solve.
Slowly, but surely. You look at how big this conference is now and how big DEFCON is and all the other conferences, how big RSA is. There [are] all these little tiny conferences spinning up, and we’re all sharing information, but we have to compete with all the other careers out there, like medicine and finance.
There are so many BSides out there that try to cater to people local in the area, like Minnesota, Chicago, the Midwest, pretty much. So, they’re trying, but the content has to be there, too. Everyone can do technical work, but not everyone can teach. That’s another thing.
If they don’t know their audience, it’s going to be intimidating to people, and they’re going to lose them through teaching it. That’s why you have to provide more opportunities for different learning styles. I’m a visual learner; if you don’t have slides up, I’m not going to absorb anything. Or, [some] people just like to listen; [some] people like to read.
It’s kind of a balance of who can actually learn the material, and who’s passionate about it. When I was young, I was going for art. And I didn’t know I would be really good in this field until I took a class. So, you never know what you’re good at until you actually try it.