Cybersecurity Mentors Podcast

Inside Mandiant: Charles Carmakal on the Front Lines of Global Cyber Warfare

Cybersecurity Mentors Season 5 Episode 5

In this episode of the Cybersecurity Mentors Podcast, Charles Carmakal, CTO at Mandiant, discusses the current state of cybersecurity, the evolving threat landscape, and the importance of resilience in organizations. He emphasizes the ongoing arms race between cyber attackers and defenders, the rise of ransomware and extortion tactics, and the critical traits needed for aspiring cybersecurity analysts. Charles also shares insights into the day-to-day life at Mandiant and the transformative role of AI in enhancing cybersecurity efforts. He concludes with valuable advice for those looking to enter the field, highlighting the importance of passion, persistence, and continuous learning.

Charles:

One of the best ways for us to assess at Mandiant how bad is the problem or how frequent is the problem is based on how many organizations call us about a security event every week. You know, by the end of this year, we anticipate we will probably respond to north of a thousand security events. Most of these security events are fairly large scale. They're orchestrated by foreign governments or organized criminal groups. There's a lot of disruption that the organizations that are dealing with these security events are facing.

Steve:

Then learn fly.

Speaker 4:

But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing?

Speaker 2:

We aren't here to waste your time with buzzwords. In IT and cybersecurity, what you know and what you can do makes all the difference. We are ACI Learning. Training built for novices and pros who need measurable results. Hands-on labs, real-world effects, courses that get you certified and ready for what's next. Build confidence, strengthen defenses, achieve more. Visit acilearning.com slash simply cyberlearning.

John:

Welcome back to the Cybersecurity Mentors Podcast. On today's podcast, we have Charles Carmakal, the CTO at Mandiant Consulting, which is part of Google Cloud. We're glad to have you here, Charles.

Charles:

It's great to be here. Thank you.

John:

Yeah, Charles and I met, it's got a bit of 2019-2020 timeframe. We did a previous podcast with Charles. We'll link to that podcast, which was a great episode. And we talked kind of about his history, how he got into cybersecurity, his leadership perspective, some mentorship stories that are in there. So go check that out. But Charles is, he's on the front. We talk about the front line. Charles is on the front line. Like he his mainly, of course, um is on the front line. And well, they come in and they help everybody that's been affected by so many things that are happening in the world. But I follow, if you're not following Charles's LinkedIn, you should be, because he's giving us fresh intel from what they're seeing and what the landscape looks like. And it can be scary, right? Um, and so for our folks, you know, as we always ask this question, where do you how do you keep up with what's going on in industry? How do you keep up with the latest threats? Um, and so Charles, I definitely recommend your feeds and the stuff that you guys put out there. But we won't go too in depth, but any what is your vibe? What if you were having like your temperature or your threat level right now, right? What does that feel like um in at this stage of 2025?

Charles:

Yeah, John. First of all, thanks for having me on. It's great to see you again. Um, Steve, great to meet you here. Um, so from a threat landscape perspective, um, I think we're at a kind of a constant, steady stream of cyber attacks from a variety of actors. You've got nation state actors that are breaking into organizations for some kind of you know political, military, or economic advantage. You've got criminals that are uh mostly motivated by finance, they're looking to make money, but they're also, you know, they're they're pretty excited by the bragging rights that they get. And so when they could say that they've hacked into a large organization, and when media covers them, it's kind of exciting for them to be able to know that they were responsible for a security event. There's a number of insiders that we're identifying at organizations that uh um might be doing something overtly malicious. Other times they're not necessarily doing something directly malicious, um, other than the fact that they are North Korean IT workers and that the money that they're making, um, a good portion of that is going to the government for their weapons program. But um when I think about the threat level right now, there's there is a steady stream of security events. And probably one of the best ways for us to assess at Mandiant how bad is the problem or how frequent is the problem, is based on how many organizations call us about a security event every week. You know, by the end of this year, we anticipate we will probably respond to north of a thousand security events. Most of these security events are fairly large scale. They're orchestrated by foreign governments or organized criminal groups. There's a lot of disruption that the organizations that are dealing with these security events are facing. Um, and it requires a whole lot of effort from a bunch of defenders to investigate incidents, to contain them, to eradicate actors, and to recover their environments. 
And so um, again, I think there's just a a decent amount of threats that are out there that are kind of keeping us all um you know focused on on the problem at hand.

John:

Yeah. And I always talk about it's an arms race. You know, we're always leveling up our defenses and even offense uh capabilities, and then the threat actors obviously are as well. And it's back and forth. It does feel like a lot of times that they have the upper hand because they're able to iterate faster. The way I describe it is you know, they might attack us once and with a technique that we've not seen before, but they've already done that technique, you know, maybe 500 times and they've been able to tweak that technique over those iterations. Um, and then we have to level up from that. But what is your I mean, feeling on this kind of that arms race? And are we doing okay? You know, just from your sense.

Charles:

Yeah, look, um, you know, I want to go in with an optimistic view of the situation. I think um, yeah, adversaries will come up with clever ways to break into organizations, to escalate privileges, to steal data, and to achieve their objectives. Um, defenders also come up with very creative ways to better defend their networks, to stop attacks, to detect attacks, to respond to attacks at various phases of the attack lifecycle. And so I um I'll start by talking about the wins. You know, there are wins from defenders every single day. We just don't necessarily celebrate them because it's hard to say like how often are you actually stopping an attack. Yeah. But the fact is, you know, organizations, whether it's you know, the organizations themselves or the security companies that they work with, they're constantly finding ways to defend against advanced adversaries or not so advanced adversaries. And those are wins that are happening every single day. Um, and uh it's hard to measure that because how do you actually quantify how many attacks you've truly stopped? Um, but a lot of that happens. Um, it's a little bit easier to talk about the losses or the wins by the adversaries. And um there are a number of wins by adversaries. Um, to your point, John, we see a lot of um mass exploitation events where an adversary finds, say, a vulnerability in a product. And maybe that vulnerability isn't yet known to the vendor, or maybe it is known to the vendor and a patch has been made available, um, but organizations are slow to apply the fixes or apply the patch. And it gives the adversary the opportunity to exploit en masse at scale and um cause a lot of impact to a lot of organizations. And we're seeing a lot more of these mass exploitation events. We're actually seeing a lot of mass zero-day exploitation events that are occurring where the adversaries are finding new vulnerabilities, they're mass exploiting them in a certain way. 
And uh just maybe to kind of give you a few examples just to illustrate the point, um, we see both nation-state actors and criminal groups mass exploiting zero-day vulnerabilities. And one of the more recent mass exploitation events that we saw was uh something done by a group that goes by the name of Clop. They found a vulnerability or series of vulnerabilities in Oracle E-Business Suite. And since uh probably July of this year, but definitively at least in August, they mass exploited this vulnerability across a number of victims. They stole data from a number of companies. And today, right now, what we see playing out is they're extorting these companies, asking them for a certain amount of money in order to not publish the data that the threat actor stole from those organizations. And probably the alarming thing to me here is that uh this exploitation event definitively happened in August, probably happened in July. And I say probably because we don't have the concrete proof of successful exploitation, but we definitely see the attempts. Um, but so many weeks and months had gone by without any victim or security company knowing that this actually played out. For the most part, the world learned about this attack because the threat actor essentially announced the attack to the victims. They sent mass extortion communications to a bunch of victims. And in the very early days, you know, within day zero and day one, we weren't entirely sure if the threat actor was serious, if they actually exploited a vulnerability in Oracle EBS. Now, because the actor has a um a proven track record of being um uh you know serious about their attacks and um not really making things up. I mean, they might embellish a little bit, but for the most part, they've got a uh certain level of credibility. Um we took it very seriously when we saw these extortion emails. And we were able to tie the extortion emails to prior campaigns. 
By the way, just for those that are listening that might not be familiar with Clop, this is the group that mass exploited a zero-day vulnerability in the MOVEit software, where there are hundreds, if not a thousand plus victim organizations that dealt with the mass exploitation, data theft, and extortion event in 2023. And there are other products that were mass exploited. So because we saw what happened um a few weeks ago, because we tied the extortion emails to Clop, we took it very seriously, we put in a lot of effort to try to figure out what's going on. So that is one example um of a mass exploitation event that occurred. We see a lot of mass exploitation events with security products, um, whether it's a VPN product or a network device. And usually the actors behind those attacks are nation state actors. Um, and they're not hacking into hundreds of companies. Usually it's like a dozen or a few dozen. And they tend to go after very high value targets to them, whether it's a law firm or a technology company or a telecommunications organization or a semiconductor company. Just kind of depends on who they're tasked by, by their governments. And um, you know, obviously the more victims that they touch, the higher the likelihood it is for a victim organization or security company to figure out that there's a mass exploitation event going on. And as immediately as that happens, they start to lose access to victim environments, maybe not all, but a decent number of victim organizations. So you've got to be really careful as an adversary about how many targets you want to go after because every new target you hit increases the likelihood of you getting caught.

Steve:

Wow, that is incredible information from someone who is not living that life like you are. So from that standpoint, when you are seeing certain companies get attacked, get breached, and it gets to the point where uh they're sending emails requesting money and saying, hey, we won't expose the information we've already gathered from your organization if you pay us X amount. Are you seeing where they are actually keeping their word? Is that something we could trust? Or are they just getting their money and then just still doing what they said they weren't going to do?

Charles:

Yeah, so you really have to understand which actor you're dealing with, because certain actors have a certain amount of credibility and track record that uh um that makes it um more palatable for victim organizations to pay them. So um if you're dealing with, for example, with Clop, Clop is a relatively high-integrity actor. I know that sounds kind of silly because they're a criminal group, but at the end of the day, they understand the business model. If they produce outcomes that are positive, and if they stay true to their word, then victim organizations um will be more inclined to pay an extortion demand for the promise that they're giving because they're staying true to their word. Um, now the thing to note about Clop is in the past they've hacked into so many companies, they've struggled a little bit with managing all the victims that they were dealing with and communications. And so there were some mix-ups that happened in the past. But in general, what we find is that victim organizations that pay Clop end up not getting their data published on the internet in general. That's kind of the general historic track record that you have with them. Whereas there are other threat actors that um aren't as organized, they aren't as credible. And um I'm mostly referring to some of the younger uh English-speaking threat actors that are loosely affiliated with each other. And some of those folks, they tend to um not be able to establish long-term relationships with other operators that they're um you know compromising organizations with. So they fight amongst each other. They um don't generally stay true to their word. Um, sometimes people get upset because maybe the group got paid, but not every operator ended up getting their fair share from the person that's controlling the wallet. And so sometimes you end up getting um you know leaks of data um from the threat actors, uh, even though they promise not to do it. 
So you kind of have to look at each group. Um, you have to look at the exact operators, and as best as you can, you got to cluster it to the actual group that is conducting the intrusion, and you got to look at the historical track record. And if they've proven to be semi-credible, then a company will use that as one of the many data points into their calculation of should they pay or not. And you know, as companies are thinking about extortion payments, there's a lot of questions and considerations that they you know they need to go through. They need to think about um, by the way, is it a just a data theft event? Um, or is it a data theft and a business disruption event? Or are there other things that are going on? So are you paying to accelerate the recovery process? Are you paying for a promise for the threat actor to not publish the data that was stolen on the internet? Um, you know, to what extent um can you accelerate the recovery process through paying and getting a decryptor that might allow you to scale your recovery process? You also have to think about, you know, who are the actors and are they sanctioned by the government? So is it illegal for you to actually pay the actor? Uh so there's a number of questions that need to be thought about. Um what I usually guide clients to do is don't come in with a default assumption that you either will pay or you won't pay. Make sure you go through the robust exercise of assessing, you know, what are the pros and cons. And there's essentially a list of nine considerations that we ask our clients to go through. And once they've gone through that process, then they could make a you know determination. Should they possibly pay or not?

Steve:

Wow, that is pretty crazy. That there is still some code among thieves, per se.

Charles:

Yeah, yeah. There is.

John:

Yeah, um, so uh and I think just kind of pivoting back to uh analysts and future analysts that want to maybe work for a company like Mandiant one day. Uh I guess to start with, what do you see? And you've been there, you've been at Mandiant for a long time. How long have you been there now?

Charles:

I've been there for almost 14 years. I think in two weeks it'll be 14 years.

John:

Nice. Congratulations. Um, what do you see like a good analyst? Like, yeah, I know you guys have all great analysts, but what stands out maybe as traits or skill sets that I kind of one thing I think about, and I'll let you answer this question, is um sometimes I think about an analyst in different ways, um, incident response, but there's the you know, the kind of the SOC analyst, but then there's the breach response, hey, we're here to find what happened and how it happened, and there's different skill sets within there. But is there anything that stands out from that to you that you would say?

Charles:

So yeah, absolutely. So um when I look for talent, um, entry-level talent, you know, usually they're coming out of university. And what I find is that most people in university they don't necessarily have work experience, and that's okay. Sometimes they have internships, and when they do, that's great. Um, but I'm looking for a few key things. Number one, I'm looking for people that absolutely love cybersecurity. This is not a job for them, this is a career, this is a passion for them. Um, the work should be fun for them. Because if the work's not fun for them, realistically, they're gonna struggle working at a company like Mandiant um because the intensity could be quite high. So I look for passion. And how do I find out if people have passion? It's uh I look for folks that are uh volunteering to participate in capture-the-flag competitions. They don't necessarily have to win them, but I want to know that they are learning, that they're participating. And um, you know, if they make it to like a semifinals or finals, that's great. But those that are winning it, those are folks that I think, you know, um have a pretty good shot. I look for folks that um try to learn a lot on their own. Um they're creating GitHub repos and they're publishing code that they're developing. They're creating blogs and they're publishing either novel research or just things that they're learning. Um and I actually encourage a lot of folks that are just getting started to create a blog because when you write the things that you're learning, you're gonna learn it better. You're gonna get more depth into whatever it is that you're studying. Um, you're also showcasing that you know these things to the world so potential employers can see it. You're also helping other younger folks that are also trying to get started in cybersecurity. You're helping them learn. 
So even though you might be documenting something that's not novel and maybe the world knows about it, you're kind of sharing your perspective on how you've learned something and other people are going to benefit from it. So I really look for folks that um, you know, that do things like that. I also personally, you know, when I was a student, I built a home lab. And uh look, I didn't really have a whole lot of money to do that. So it was the cheapest possible home lab that you could build. But I get excited when I hear about people building home labs and the things that they're doing. I look for folks with technical aptitude, folks that are just really smart, that can learn cybersecurity, can learn how to break applications, can learn how to do forensic analysis, they can learn how to reverse engineer malware. Um they have to be smart. Now, again, they may not be doing that in a professional setting while at university, but if they've got the technical aptitude, they will have the opportunity to do that really well and effectively in a job setting. I also look for folks that are willing to live a consulting lifestyle. And what I mean by that is, and by the way, a consulting lifestyle is very different today than it was 20 years ago. So 20 years ago, um, you know, when I started, a consulting lifestyle was somebody that was willing to pack their suitcase and be on the road four days a week. Um, we don't really travel like that anymore. But what's similar today is that you essentially have a lot of bosses in consulting. You've got the person that you HR report into, but then there's lots of other people in a consulting organization that you're matrixed into. Maybe because you're running a project or working on a project with somebody else. You might be supporting multiple clients. 
And by the way, what you find is that a lot of your bosses, whether they're people that are at Mandiant or people that are, you know, working at your clients, everybody assumes that their priority is the most important priority. And so as a consultant, you are juggling multiple priorities, competing priorities, and you have to figure out which is the most important priority and how do you load balance, how do you juggle, how do you prioritize the right things. And it's not always easy, um, but you have to be able to manage competing priorities. And so in order to be successful in a consulting organization, you've got to be okay with the fact that in a given day you might be asked to do multiple different things, and you will have to find a way to prioritize it and complete the things that you need to complete. Um you're not gonna get a whole lot of credit for starting a whole lot of things. You're gonna get credit for finishing the things that you started. Um so those are kind of the three key things that I look for. Again, the passion, the technical aptitude, and the willingness to work in a consulting organization. There are other things that I find are a nice, you know, a nice thing to have for you know folks starting up um in their career. But I want to find people that um that are humble, that are um willing to share their knowledge with other folks. Um I want people ideally to have decent communication skills because ultimately you've got to communicate what you're finding to a client. Now, at Mandiant I find that you can be successful without great communication skills because you're so strong at the technical stuff, you've got the passion down, you can do great work, and somebody else can help you communicate it to people that don't maybe understand the bits and the bytes. And that's actually one of the things that I help do. 
You know, I help take and translate the very technical stuff that the team's telling me, and I present it to say a CEO level person or board or you know, a general counsel type of person that is very smart within their own domains, but they're not cybersecurity experts. Um, so if I could find somebody with good communication skills, great, but you don't have to have that. Um, I guess those are probably the top four things that I look for for entry-level folks.

John:

Yeah, no, I think and I think the blog part of it too, it helps see their community. I mean, it helps for you practice communication, you know, written communication at least. Um, and then for a potential employer, oh, let me go read, you know, what you wrote and see number one, it shows that passion, but also how did you do? And you will get better the more you write and the more practice you get.

Charles:

Yeah, and maybe something I share with your um, you know, the viewers here is when I go back and I think about, you know, how well did I write when I was in high school, or how well did I present in front of my class. I would, and if you saw me in high school, you would think that this guy would never amount to anything because I couldn't say three sentences in front of my class. Um, and in fact, I actually remember in high school, I want to say that I was probably a sophomore, and I was asked to recite, you know, 10 lines from a book. And I think I got to maybe the third line and I just gave up. And I just went, I sat back down, felt humiliated. Uh, I was so embarrassed, I was so uncomfortable. Um, I couldn't write for the life of me. But over time, as I practiced more, I just got more comfortable and I got better at it. And uh what helped for me was that I started writing about or you know, speaking about topics that I was just passionate about and very comfortable with. And so, you know, talking about a cyber topic, it was easy for me. But talking about, say, you know, uh a passage from the Iliad or the Odyssey, I wasn't interested in that at the time. And I certainly couldn't, even today, I couldn't get up in front of somebody and you know recite 10 lines from the Iliad.

John:

That's a good point.

Steve:

There's a lot of things you mentioned that we try and mentor others, we suggest. And so it's great to hear that someone of your caliber would also recommend some of the similar things if someone were to be looking to get into this kind of red team incident response kind of uh career. So for those who may be listening who are new, completely new, they may not have an idea what or who Mandiant is and are learning for the first time what you guys do. Could you kind of talk maybe about what would a day look like for an entry-level person working in your team or for your company?

Charles:

Yeah. So probably the easiest way to describe what Mandiant is is um so we're a company that's been around for 21 years, and we were founded under the premise that breaches are inevitable, and we wanted to help companies respond to cybersecurity events as they happened. And over the years, what we learned is as we investigated countless security events, we saw that the threat actors were essentially doing kind of the same thing over and over and over again. Um, the methodology was the same. The tooling might have been different, the infrastructure might have been different, but um, we created what we call an attack lifecycle, which is basically the methodology that an attacker uses to get into an organization and to steal data. And uh as we kind of mapped out that attack life cycle, we started building out um ways to defend against each step of the attack, ways to detect the attack, and ways to respond to the attack at various phases of the attack life cycle. And so over time, we started building out new capabilities at Mandiant. We built out offensive security capabilities so that we could do red team exercises or penetration testing to hack into companies and to help them identify weaknesses or vulnerabilities and fix them before an adversary could break into it or take advantage of it. We built out a number of other capabilities like uh an operational technology security consulting practice, so that if somebody were to break into, say, the power grid or a nuclear power plant or a pipeline, that we had the skills or the experience to be able to respond to incidents on SCADA infrastructure or ICS infrastructure or whatnot. But for the purposes of this conversation, um, I'll describe Mandiant as a company that essentially does two things. Number one, we respond to security incidents. And number two, we help companies become more resilient to attacks. 
And we do that by taking what we've learned from responding to a thousand-plus incidents to help companies kind of understand what are the most important things that they need to do to defend their networks. Um, and when I look at what our people do on a day-to-day basis, just for simplicity, I'll describe two core capabilities. We have a capability of folks that do incident response work, and we have a capability of folks that do offensive security work. And so the day-to-day for somebody that's doing incident response work, for the most part, you're working on maybe a single investigation, or maybe you're working with a second client, but you are essentially trying to answer a few fundamental questions, or the team is trying to respond or answer a few fundamental questions. How did the adversary break into the network? Do they still have access to the network? If they have access to the network, what are the ways in which they're maintaining that access? So are they using the company's VPN to get into the network? Are they using backdoors? Whatnot. We want to understand what the adversary did while they were in the network, and then we want to understand what data did they take from the company. So those are five fundamental questions that we try to answer for every incident that we're responding to. And so our day-to-day analysts, for the most part, they're analyzing an environment at scale, looking at host-based forensic data or network-based forensic data or logs or whatnot to try to determine what systems the attacker touched. And when they find a system that the attacker touched, they're doing deeper dive forensics on those computers to determine how the actor got on the computer, what they did while they were on the computer, and did they access any other systems from that computer? 
Um, and they're constantly analyzing the systems that the attacker touched, and we're basically building out a map of what the attacker did and a timeline of what they did. So, how did they get into the network? What did they do? What did they take from the environment and whatnot? So we're trying to answer a lot of those fundamental questions. And those investigations could last weeks. If it's a large-scale enterprise incident, it could last a few weeks, it could last a few months. It depends on how complex it is. What we find is that um those analysts that do you know host or network or you know, SaaS investigations, um, you know, when they start, they're looking at a lot of data. And early into their career, they can't tell the difference easily between what is good activity or benign activity versus what's malicious activity. Um, and so they're looking at data, and it might take them, you know, four times as long to do their analysis as somebody who's been doing this for say two or three years. But over time, through repetitions and cycles, they get better and quicker and they start to recognize these patterns. And they'll remember six months from now, oh, I saw this activity. This is definitively evil, and I'm gonna start to pivot off of this definitively evil data. And I'm gonna figure out what else um you know the attacker did. And so you get a lot of speed and you get a lot of experience just simply through cycles, just doing this over and over and over again. And so I've got pretty good pattern recognition; when I see something, to a brand new analyst it may not look like anything all that you know malicious. But just to kind of give you an example, so in uh December 2020, we announced that our company, Mandiant, had a cybersecurity event. We were compromised because we used SolarWinds Orion software, and there were about a hundred some odd other companies that were also impacted. Right. 
As I was talking to companies that um thought maybe they could have been compromised, there's this one very obscure data point that if they told me, I knew that they were compromised. And um, there are a number of organizations that said on their SolarWinds Orion system, they saw, like roughly in June of 2020, they saw some evidence of the WinRAR tool being executed on that computer. To the average analyst that had never investigated a SolarWinds Orion, you know, APT29 incident, that is not any indication that the system's compromised. But for somebody that, you know, by this point had worked with six other organizations at this point in time that had been compromised, that had some evidence of WinRAR executing on a SolarWinds Orion system in June, I knew that just by that one little data point in and of itself, that we were dealing with what would have likely been a very significant incident because that was a victim organization that the adversary had a lot of interest in. I was only able to learn that because my team had told me six times prior that they found evidence of WinRAR executing on a system. By the way, one of the benefits and the beauty of my role is I had the benefit of asking team members, what did you find? What's the outcomes? What did you learn? And they're doing the hard work. They're spending, you know, days or weeks analyzing something. And I'm getting the 20-minute download of what's going on. But that was one of the data points that they'd shared with me six times prior, and I was able to benefit from that. So that's what an investigator does. They're constantly looking for evidence of attacker activity. Um, and by the way, you're also analyzing a bunch of benign stuff, but you don't know it's benign yet. You're going through the process of figuring out is this malicious or benign. Then there's the folks that are focused on offensive security. 
And on a daily basis, they're doing a few things. One, they're working on a client engagement where they're constantly trying to hack into the company's network, usually in a way where the company doesn't know that they're actively testing them. So they're mapping out the company's network, they're figuring out what infrastructure exists in the environment, and what historic tradecraft have I used that has allowed me to break into an organization? So a lot of folks might think, okay, I could Kerberoast and try to get privileges to the environment or domain admin rights, or maybe I could exploit a vulnerability in the Active Directory Certificate Services, because I see that over and over and over again in victim or client environments. So they're constantly trying to break into companies' networks. And when they get some level of access, they're trying to get a higher level of access, they're trying to find vulnerabilities and whatnot.

The other thing they're doing is they're constantly researching new attack tradecraft. They're reading the blogs from other researchers or other companies. They're trying things out in their lab environments. And by the way, as they find new things, as they're developing tools, they're blogging about it, they're publishing it. But what's important for us from an offensive security perspective is we ask ourselves a question before we publish our research or before we publish a tool. We have to ask ourselves very honestly, who does this research and tool benefit? Does it benefit the defenders more, or does it benefit the adversaries more? And if the honest answer is it benefits the adversaries more, then we won't publish the research, or we will redact parts of the research so that the research is more beneficial for the defenders than it is for the adversaries.
So again, high level, those are maybe the two key capabilities that we have. There are others, but those are the two key ones for the purposes of your audience that I'd share.

John:

All right, perfect. Thank you. Yeah, that's great. So, the future of the cybersecurity workforce. And we can't go into the future without talking about AI, which you can cover however you want to. But just thinking about, if you were to give advice to somebody that's getting on this path now, things that they should think about, and maybe niches that they should go into, if that's AI or whatever. What do you think about that from the future and what we're preparing for?

Charles:

AI is totally changing the game for so many folks. It will help adversaries, but right now we think it's helping defenders more so. It's changing kind of everybody's day-to-day lifestyle. I highly recommend everybody that's listening to this to ensure that you are using AI on a daily basis to help you learn, to help you become more efficient in things. Yes, there will be some job displacement. The people that will end up mostly being impacted by AI in a negative way are those that are not leveraging AI on a day-to-day basis to make themselves better and smarter. It's important that you don't lose your own analytical ability. So don't get dumb by relying too much on AI.

I'll give you an example. I've become dumb with directions. I use my GPS to go everywhere. I direct to the Memphis every single day. I use my GPS to get me to the office and to get me home. I've been driving to the office for however many years. I've become a little bit too overdependent on GPS and I've become dumb. What I don't do is become overdependent on AI and use it to think for me. I will use it to help teach me things so that I can learn things, or I will use it to help automate things or to improve upon things. But you don't want to lose your own analytical ability.

I teach at a university. For one of our first assignments, we recommend that our students use AI to help write the first paper, because we want to help them get comfortable using AI. We want to make sure that people understand how to identify the hallucinations. We want students to understand how to engineer your prompt so that you get the output in the way that you want or that it needs to be. So again, use AI, don't cheat with it, but use it to get smarter, to get more efficient.
And then from a defender's perspective, look, we're using AI at Google in a number of creative ways. We announced a few months ago something that we call Big Sleep. It's a capability that we have where we use AI to find critical vulnerabilities in applications, open source applications. Of course, there's human intervention, but the AI was able to find vulnerabilities in products. We also just recently announced another capability where we're able to remediate or fix vulnerabilities in products by using AI. Of course, there are humans that are involved there. But the key point here is that we as defenders are trying to find vulnerabilities in products quicker and faster and more effectively using AI. And that will ultimately help defenders. Yes, adversaries could do the same thing, but for the time being, I think that defenders have the upper hand. At some point in time, that might change. We might say, hey, adversaries have the upper hand.

Where adversaries unfortunately have the upper hand is around the creation of synthetic voices and deepfakes and creating misinformation and disinformation. So when you're on social media and you see a video, it's hard to tell what's real and what's not. Yeah, some of this is watermarked, but there's a lot of content that's not watermarked, or you could edit out the watermarks so that it's not obviously visible to the person that's hearing or seeing the content. And so that unfortunately is the area that adversaries have the upper hand in. And I think we've got a little bit of catching up to do from a defensive perspective.

John:

Code words. Have your family have a code word. Yeah, and you and your C-suite. Right. Yeah, there's a lot to learn from that. No, thank you. That's great, Charles. Any final thoughts you want to share? You know, if there's anything, hey, you've got somebody that wants to maybe work for Mandiant one day. I think you gave us a great list of things to think about, and to be passionate, make sure you are passionate. That is one of the questions we ask folks: okay, you're passionate, but show me that you're passionate, right? What are some things you can outline? People can say they're passionate, but are they actually passionate? Because it can be challenging. I love it. I still love it, you know. But it's not for everybody. But yeah, any final lessons, yeah.

Charles:

You've got to find a way to show the passion. And sometimes it's hard to do that. The ways that I can easily tell if there's passion is through seeing people competing in capture the flag competitions or writing a blog or a GitHub repo or whatnot. Also, it's important to stay positive and persistent. You know, when I was in college and I was looking for a job, I got rejected about, I can't remember the exact number of times, I think it was 11 or 12 times before I finally got an internship offer from PwC and ExxonMobil. And I remember going through that whole process thinking, well, what's going on? My grades were great, I was super active on campus. I thought I was doing what I needed to be doing to demonstrate to an employer that I was really serious about cybersecurity. And for me at the time, in the early 2000s, a lot of companies just simply weren't hiring folks from university to do cybersecurity work. At the time, I think they were looking for IT engineers that had been working for two or three or five years to convert them into cybersecurity professionals. And so I got rejected so many times that at some point in time I was just totally demoralized and I thought, man, I need a job. And I ended up going into a master's program to buy me a little bit more time to apply for a job. And I just got really lucky that even though I got rejected initially from PwC twice, the third time around they ended up giving me an internship offer. And that internship changed everything for me. Because after having about three months of work experience on my resume, I ended up getting 12 job offers in my last semester of my master's program from pretty much every company that I talked to. And really, the only difference at this point in my career was that I had an internship with PwC. And that was something that really, really helped me.
I ultimately took the job with PwC and I had what I feel was a great career for about a decade after joining them. But I joined them because I knew that I wanted to be a consultant and I knew that PwC was the right place for me, because I had three months of internship experience that I absolutely loved, and I wanted it to be a lot longer than three months. And it ended up being close to a decade.

But for those folks that are looking for jobs right now, they might be going through similar emotions, because, you know, the difference is companies are willing to hire folks from university. The problem is there are so many folks that are looking for jobs, and there aren't enough jobs available for all the folks that are looking for them. And so what I would ask people to do is stay persistent, try to stay motivated. Sometimes it takes a lot longer to find that first job. But when you find that first job, it usually changes a lot of things for folks. And I've had the opportunity to mentor a number of people, very young folks that I could tell are really smart, that are passionate. And look, I get approached by lots of university students. Pretty much every time I post an ad for an internship role at Mandiant, folks want to work at Mandiant, they want to work at Google. I get, I'm not exaggerating, over a thousand folks that reach out to me. I can't possibly respond. Well, I technically respond to everybody, but I can't talk to everybody on the phone. Everybody asks for a phone call. I will pick a small portion of the people that reach out to me and I will spend a little bit of time just giving them some mentorship advice. But I'm looking for the people that have real, clear, demonstrated passion for cyber before I say, yeah, I'll get on the phone with you, just because the calendar's gotten quite crazy over the years.
I was able to meet with more younger folks five years ago and 10 years ago. Now it's getting harder and harder. So I've got to be a bit more selective. And it's really rewarding for me when I see a message from them saying, hey, I just got an offer at Company X or Company Y. And I know how hard they fought for that. They were fighting for it for a year and a half or two years. And I know that that job offer is going to totally change everything for them, because two years from now, five years from now, they're going to have more and more opportunities, either at that company or at the next company. Hopefully, you know, I love to see when people have longevity at a single company. I've essentially had two jobs in my career: PwC for about a decade, and now Google Mandiant for about 14 years. The longevity at companies is nice. It's not for everybody, but I do appreciate it when I see it.

John:

Yeah. No, that's great. Persistence, especially right now, it is tough, but showing your passion. I mean, if you reach out to Charles, he's got a thousand folks. Look, you've got to really, I've been there. You're looking at folks like, I need to really feel that you, I'm gonna, it's a commitment on your part to mentor somebody. So you want to make sure this person is ready to go and they are excited about this, right? You can feel their energy when you're on the call. Like, hey, I'm jumping in. Please help guide me based off of your experience. So I'm glad. It's awesome to hear you're doing that. I know it's tough with your schedule, but that's really cool. But yeah, that's it. Steve, any last final questions you had?

Steve:

No, not at all. Thank you so much for spending some time with us, Charles. Always a pleasure. Could people reach out to you somehow? Yeah. Maybe on some platform.

Charles:

Yeah, probably the easiest way to reach out to me is over LinkedIn. Feel free to provide my email address. I'm happy to chat with some folks. It's a little bit easier to do it over email than video calls nowadays, but always happy to chat. And thanks for doing what you guys are doing, Steve and John. It's good to get information out for the younger folks that are trying to get started in cyber. It's daunting for people that are trying to get in here. You can only take so many rejections before you think, huh, is this really for me? And so I don't want the community to lose what would otherwise be really good folks too early on because they just couldn't get in as easily as they thought maybe they should.

John:

Absolutely. Thank you, Charles, and we really appreciate it.

Charles:

Absolutely.

Steve:

With that, we're out. And a huge thank you to our sponsor for season five of the Cybersecurity Mentors Podcast, ACI Learning. You can check out ACI Learning at acilearning.com slash simply cyber. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

John:

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Steve:

Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you.

John:

Until next time, I'm John Hoyt, and I'm Steve Vigoretta. Thank you for listening.