More Blue Team Voices

Dan Mellinger: Today on Security Science, the need for more blue team voices in cybersecurity. Hello, and thank you for joining us. I'm Dan Mellinger, and today we're discussing the general lack of defensive perspectives in cybersecurity, media, and culture. My guest today has a ton of experience on both the red and blue sides of this topic, from turning a hotel towel into an RSA badge and discovering unauthenticated cURL commands for Google Home Hubs, to running our entire security program and defending the company, I have with me Kenna Security's very own purple perspective and Director of Security Research, Jerry Gamblin. What's up, Jerry?

Jerry Gamblin: Not much. Just wearing my purple people eaters Minnesota Vikings hoodie today, and ready to talk some blue and red team with you.

Dan Mellinger: He is definitely in theme today. I know we haven't made this a video yet, but it stays like this, I wish we could. So today we're talking about a topic that's pretty near and dear to your heart. Right? And that's kind of this lack of kind of the blue team perspective. So just to kick things off, do you mind just giving us an overview? Who's the blue team, who's the red team, why does this matter?

Jerry Gamblin: Blue team and red team, they're military terms and that's kind of where the similarities stop. Blue team is the people defending it, it's people who control the network, who set up the network, and who try to run the network. Those are generally your blue team people. Blue team people can be anyone from the people who run your vulnerability management program to your help desk people, to the people who run your firewall. Red team, and the military term is the offensive side. A lot of times when people talk about a red team in a security sense, they're talking about a consultant group or a group inside a company that you've hired to try to penetrate your network offensively. In a broader sense, a red team is kind of anybody who's doing offensive type work. Or even, we'll just use bad actors for this and then stick with that kind of wording, any bad actor sometimes just falls under the red team category.

Dan Mellinger: Got it. So thinking of blue team as kind of the defense. Right? The guys who are protecting the networks. Red team, in a cybersecurity context, would be the guys trying to break in whether, good or bad in this case.

Jerry Gamblin: Yeah, but it's different than that. And this is where all analogy fails. This one fails the hardest. If you're playing defense, you think you get to defend yourself in some manner. That's kind of not... That doesn't happen in network security. In a war game, the blue team gets to shoot back. They're defending something, but they have some level of offensive ability, something to defend themselves with. Here, the blue team is really just the build it to be defended and then walk away and let the red team try to get in while you watch kind of way. So, it's different there. Everybody has seen a military reenactment or studies history knows about Fortress Europe or whatever. But all the time defensive people have offensive weapons, they're just trying to stop somebody. That isn't the case in security.

Dan Mellinger: Yeah. That actually speaks to something we'll hit on a little bit later, but essentially blue teams in this kind of context are just doing their jobs.

Jerry Gamblin: Correct.

Dan Mellinger: This is what they do every day, all day. It's not the sexy stuff. The red team guys are like the cool pen testers, all that fun stuff that people traditionally associate with hacking and cybersecurity within the mainstream. Right?

Jerry Gamblin: Exactly. 100%.

Dan Mellinger: Cool. All right. Well, getting into that, I do want to kind of jump into a couple things that are relevant. So two real key concepts to this discussion, and one of them is a kind of a primer on gatekeeping. So one, I'm a comms major, I studied mass media and marketing, all that fun stuff. Gatekeeping is a process by which, typically news outlets, but today it's a lot of stuff, Twitter, all that fun stuff, but it's essentially a process by which information is filtered before it gets to the public. So there's a million stories happening across the world every day and media plays a critical function where it has to pick the stuff that's notable and important and will, in their case sometimes drives revenue through ad clicks and stuff like that. But they ultimately have the job of filtering all this mass amounts of data into the stuff that really means something to the audiences and the general public. So this is a critical function, it's existed forever, and it should continue to do so. But you got to keep in mind that there are sometimes other motivations. There's other reasons they might want to share some stories over the other. And sometimes these perspectives can make certain issues seem bigger, more prevalent, more actionable, more important than they necessarily are in reality. So sexy sells, there's an over prevalence of reporting crime statistics, for example. Crime rarely happens when you look at it on a macro level, but at the same time, that's all you're going to see reported because that's what people want to know about. So you get a perception that it happens more often. So that's gatekeeping. Wanted to jump in that and I'll have some links just to the Wikipedia articles for that stuff, if you want to learn a bit more, you can start digging in there. And then the next concept is something called group polarization. And this is something that Jerry actually taught me. So Jerry, I'll let you run on this one. What's group polarization?

Jerry Gamblin: I love group polarization. And I love to talk to people about it in information security, because they don't connect those two together. Dan, do you have that friends that your wife doesn't like you to go out with because you always do something crazy when you're with them that you wouldn't do on your own?

Dan Mellinger: Not anymore. Never. Of course not. crosstalk.

Jerry Gamblin: Yeah. Everyone has that friends that when they go out with, they kind of lose their ambition and they do something crazy. And that's kind of what group polarization is on the negative side. Right? A lot of times you hear people who get involved in crime or whatever, like," Oh, Johnny would never do that." And a lot of times that's probably right. Johnny, left to his own devices, wouldn't do that, but Johnny with these other group of people gets talked into it and decides that it's okay and will do it. The other part of this is it also plays backwards. It can make people more cautious. If you're with a group of people who are overly cautious or overly worried about something, you become, not in a political sense, but just more conservative, more worried. And we see this a ton in in security. We haven't done an episode on the SolarWinds breach yet because it hasn't all cleared out. But when we do, we'll talk a lot about group polarization. I spent a lot of time talking to people about why the SolarWinds hack might be the biggest hack in the world, et cetera, DOJ, so there might have been a thousand developers. No matter all the press from the gatekeeping part that you're talking about, how much press it got this fall and winter, actually I guess just this winter, it doesn't make a difference to most people, to most organizations that weren't running that software and that weren't a target. There's probably a list of a hundred organizations that were a prime target and maybe another 100 or 200 that were picked up on the side. That's 300 out of every organization in the world. And I'm starting to see people talk about securing your supply chain, and everything willing, and if karma plays right, and we have DEF CON and Black Hat this year, I bet you that we can do a floor walk and there'll be 40% of the booths will have something about supply chain. Right? But most companies don't need to worry about... Sorry, I don't want to say they don't need to worry about it. What I want to say is they don't need to take resources that they would spend on the regular risk based vulnerability management, patching, making sure their apps are up to date, and move that to this, because they've been part of a group that's polarized to think that their supply chain is how they're going to get hacked, when that risk really hasn't gone up in any meaningful sense.

Dan Mellinger: Interesting. So, in a sense, and tying this back to I guess SolarWinds and group polarization, cybersecurity in general tends to be, I guess, a risk averse group. Right? And so if we hear something, we get questions all the time, the next Dark Reading piece that comes out on a new vulnerability, we always get questions from customers on what's the risk score? What is this about, should we care about this? And you're saying on that initial inclination, either towards risk aversion or risky behaviors, tends to motivate the rest of the group to follow towards that extreme, whatever.

Jerry Gamblin: I shared an XKCD article and people talk about that when you fly or whatever... Flying is one of the safest forms of transportation ever. But there's been studies that if there's an airplane crash in the continental United States, air traffic falls 15% that year. I mean, that doesn't make any sense, but it's kind of gatekeeping, group polarization, brought together to make people think that the risk of flying is too much, so they become more conservative and more cautious in their travel plans.

Dan Mellinger: Yeah. No, that makes sense. A giant fiery plane crash is going to be the headline for every media outlet, from the local to the national, and likely get covered widely. And then that drives this kind of a group polarization towards risk aversion from there, because it's scary. And that's why it's compelling in the first place.

Jerry Gamblin: Yeah. I mean the SolarWinds thing is outside the loss of life, a giant fiery crash, and everybody's watching it. Microsoft just announced that they lost a bunch of source code. It's terrible. But your average corporation, does it need to be worried enough to change what they're doing and change their risk posture based on that?

Dan Mellinger: Yeah. Yeah. No, all that makes sense. The average company isn't providing... The number two solution provider for cloud.

Jerry Gamblin: Exactly.

Dan Mellinger: Makes sense. Well, let's jump in a little bit. I mean, let's face it, red team gets covered a lot. In this case, hacks and hackers and all that fun stuff. Because I mean, it's sexy, right? That's what people think about, the dark hoodies and Mr. Robot television series, and even The Hacker's movie. I need to rewatch-

Jerry Gamblin: 100%. or even those early'80s movies. Those were all hacker movies too-

Dan Mellinger: That was so good.

Jerry Gamblin: ...from War Games-

Dan Mellinger: The graphics.

Jerry Gamblin: Yeah.

Dan Mellinger: But I mean some of these people may have started as cyber criminals and turned consultants, is kind of a big meme in the industry, things like that. So do you think there's, I guess just an over- reporting of this kind of activity in the cybersecurity space?

Jerry Gamblin: Yeah, because it's interesting an it's amazing to watch and it's fun to look at. You mentioned two of the things that I've been in the media for in my career, which are practically useless to most people. I cloned an RFID badge to a towel, because I could. That was way before I even worked at Kenna. That was the first time I got global attention. I think there was even a story that ended up in CNN for some reason about that, because The Register wrote about it. That has no bearing on anything. Just so happens that the towel company used the same RFID tag as RSA. And even the Google Home vulnerability, it's interesting, but the likelihood of that being used in any meaningful manner is pretty low. But you could take talks like that to DEF CON, to any conference, and it's going to fill up a room of people. And people are going to come and see it and they're going to watch it and it's going to be awesome. I do the same thing. I love to go to DEF CON, I love to hear what people are hacking on. But if I were given the same talk at the same time on five ways to reduce your corporation security while spending$ 0, I would be lucky to get 20% of the audience of someone talking about hacking an ATM machine that they don't own or that they've never even seen another model of. Right? Because it's entertainment at some point.

Dan Mellinger: Well, and it's like that car crash that people don't want to see it, but you also can't look away. And this is why I brought up gatekeeping a little bit as well, because I was doing some research just because I haven't been up on it in a little while, but there was a study that showed that in Canada, half the media stories were about violent crimes. Right? Because that's what people... That's what drives clicks. That's what drives an audience. But even though violent crime were only 7% of all crimes ever committed, but they're half of what was reported.

Jerry Gamblin: Yeah. I mean, and you got to fill the news with something interesting and something to get people fired up and going. I was kidding with my son about this just recently. We we're watching the news and CBS News did a 90 second piece on the Megan Markle and the Prince, Charles, no, Harry, I don't know which one she's married to or whatever, about what they're doing. And he's like," Why is this on the news?" And I'm like," Well, politics is boring now. We're going to have to get used to what happens on the national news..."

Dan Mellinger: When it's not based off of one person's tweets.

Jerry Gamblin: Yeah. When you don't have that. And yeah, that's the gatekeeping. And I think that people are like," Oh, this is what normal news looks like on a normal day?"

Dan Mellinger: Yeah. Well, what's interesting, and this kind of speaks to the whole piece, is these kinds of patterns of over- representing these instances. So crime and just entertainment filler, they reinforce this kind of distorted public understanding of prevalence. Right? So people believe that crime is much more prevalent than it actually is, and this leads to poor decision making. Right? From a policy standpoint, it leads to like emotion driving where our budgets and resources and all that goes. And I think that's a big deal for cybersecurity. So you were talking about the conferences. I think that's a really, really good example is mostly people hacking Jeeps and that's what gets reported on, and showing these kinds of novel red team hacking style talks, where I think you said on the byline, most of the audience is blue team. Right? It's the defenders.

Jerry Gamblin: It's kind of the joke that you talk to people about. When you go to DEF CON, everybody wants to play up the red team part that they do, and that could be as simple as running Nessus on their network. And I'm completely lucky to have a full- time research role now. 20 years in and this is my first full time dedicated research role. And it's blue team focused. I'll give you that. But there aren't many of these roles out here for people to do red team stuff. And to be completely honest, a large majority of the red team roles that I know about get paid for by marketing. Because, Dan, you're a marketing guy, it's no secret what happens when we get our name in the news? Our clicks go up and whatever-

Dan Mellinger: It drives page views, and gets people going to the website.

Jerry Gamblin: I think it's called the funnel. Right? I'm learning more and more on the startup stuff. At some point maybe somebody reads an article about something I did, and in six months they buy the product. That's the whole goal. And a bunch of these cybersecurity companies and marketing companies know that they can absorb the salary of a red team person, and if they get three or four or five articles in major newspapers a year that it'll drive stuff through the funnel and pay for their salary, if not more.

Dan Mellinger: Yeah. Brand exposure and" thought leadership" and all that fun stuff that really helps I guess surface a brand and therefore solutions to more people.

Jerry Gamblin: And then there are people who are like me also who have weird hobbies like car hacking that it's not... Nobody's paying me for it anymore. And if I go and talk at DEF CON about my car hacking, it's going to look cool and people might get interested in it, but it really doesn't solve anybody's problems. Right?

Dan Mellinger: Well, that's actually interesting too. I would say, in terms of overall split, any large corporation is going to have a very large security team. So for the most part, most companies are not outsourcing all of their security nor can they really. Yet red team pen test, these kinds of offensive, ethical hackers, I guess you could say, for these kinds of roles at most companies, they probably don't even exist in. If they go and hire you, I think you said earlier, they might work for a service or a consultancy or something, to come in and try to penetrate network and come back with recommendations.

Jerry Gamblin: That was the big deal with Coalfire last year. We can put that link in there, those red team guys who got arrested in Iowa for breaking into that courthouse. Yeah. Was that last... Oh man, if that was two years-

Dan Mellinger: That was last year, I think.

Jerry Gamblin: Two years ago.

Dan Mellinger: Was it?

Jerry Gamblin: I don't know, I might be having COVID brain. It might've been two years ago.

Dan Mellinger: Last year didn't happen. We'll just go with that. It was either 2019 or 2021.

Jerry Gamblin: Yeah. Most corporations don't have certified people to do inaudible. You have to be super mature to be to a point where you're like, " You know what? I got all my patching and stuff done. My next good investment is to pay someone to come in and spend all day trying to hack me." Every organization I've worked in are like, " We could use three more people to help with the firewall or help with patching or help building images." So I've never personally been in an organization that had a big enough team to have somebody on a red team full- time.

Dan Mellinger: Yeah. That's interesting. So, I mean, with that being the case, I would say blue team probably outnumber red team people like 100- 1, 1000- 1. I'm actually curious.

Jerry Gamblin: And I hate it. And I laugh at it every time you hear somebody says that," Everyone's on the sales team." Or like," Everyone's on marketing." To be honest, at some point, most people in an IT organization perform some level of security, even if they don't know it. We have two IT people at Kenna, they both make sure all our patches are applied, make sure that all our 2FA is set up right. They do a security role. It might only be 20% of their job, but at the end of the day, they provide a security service for Kenna.

Dan Mellinger: So if I try to ignore critical updates to my operating system, does that make me a red team member?

Jerry Gamblin: Only if you try to figure out how to get around it like that girl that I read that story about who locked out her Zoom account for six weeks in a row and nobody could figure it out.

Dan Mellinger: Nice. Oh, that's awesome. Anyway. Okay. Well, I guess the point I'm trying to get to is how do we bring sexy back to blue team, to being like the cyber security day in, day out stuff. Right? It seems like those perspectives, they're not shared as much. And we do a lot, cyber hygiene, we think is sexy as hell. Because it's critical and that's kind of what we focus on.

Jerry Gamblin: As hard as it is, defense isn't sexy. And if you try to make it sexy, you're just going to kind of end up looking foolish. How many times the dishes get done in your house every week-

Dan Mellinger: Too many. Too, too many.

Jerry Gamblin: Yeah. But like, if I ask you how you make cleaning your kitchen sexy, you're just going to laugh at me. And blue team is kind of the same way. You can't make it sexy. You have to make it important. And I think that that's the one thing that blue team has that they need to keep kind of ringing the drum on and have a plan and say," Hey, we're working this plan." And that's what stops you from getting bombarded by this group polarization or group think. Right? If I have a really solid roadmap laid out for my security team, we're doing this and this is what we're doing. And then a SolarWinds blows up and the CEO reads about why you should be investing 20% of your budget next year into supply chains. Everybody can explain to them like," Hey, we're not going to turn our ship around this fast. We have these risk- based vulnerability management programs that we're trying to put in place. It's really important for us to do software refreshes. We're not saying that making sure that's not important. And if you want to give us extra money, that's fine. But we don't have... Everything that we laid out with our budget this year will reduce more risk than if we go chasing supply chains or waterfalls."

Dan Mellinger: That's interesting. I'm going to steal that." You don't make it sexy. You need to make it important." I mean, I think that kind of resonates a lot. Like you said, I do marketing, we are very... Cyber hygiene, here's the stuff that is going to reduce risk and it's not sexy, but here's why you need to do it. So that resonates for me because we're trying to figure out how do we make this important, because typically, like you said, it's like washing dishes and most, I would say, companies out there and the stories are all in the hacking and CEO's are getting bombarded with SolarWinds and why that matters to you. And Facebook is monitoring everything you guys are doing. And this is the stories that executives are reading or maybe non- technical, non- security people are reading. So there's kind of, I guess, a point about education and why this doesn't matter necessarily, or be armed to speak to that to someone who may not be security centric.

Jerry Gamblin: And I always try to coach people to say, not that this doesn't matter, but it doesn't reduce the risk or we're not as exposed to biggest risk as this or that. And every company has that list of stuff that they're trying to work on, that they can bring up. It's," Hey, we could spend 20% of our budget on supply chain or we can spend 20% of our budget getting a security review done on that ten- year- old app that brings in 40% of our company's revenue." Right? Where do you want to put the money? And understand that and be able to talk about real risk and why you need to watch where you spend your money and how you handle it. And it's adult conversation. It's not sexy, it's important.

Dan Mellinger: Yeah. Yeah. Instead I'm going to invest in an AI based robot that can do my dishes for me.

Jerry Gamblin: Exactly. Or on the other side, you hear, just to keep the kitchen cleaning analogy up, because it works, is companies who are really bad at it and get hacked. Somebody's like," Why isn't this kitchen clean? This is a mess." And then after they get breached, it's like," Oh, you really need some help cleaning up your kitchen." And then they get that infusion of cash and they can clean it up. Most people are just trying to get the kitchen clean and keep it clean. I had a friend who grew up in a house who probably didn't know how his kitchen got cleaned, but his mom kept a perfect kitchen every time. And I remember him going to college and he's like," Wow, this sucks." But his mom was one of those people, if you put a plate in the sink-

Dan Mellinger: It was gone.

Jerry Gamblin: She would come pick it up and put it in the dishwasher. And he just thought it magically happened. And you go over to his college apartment and it's a mess.

Dan Mellinger: I roommated with a friend like that. And it was just... It lasted seven months before I was out. That's a very good analogy. So I mean, that being said, you need to make it important as a blue teamer. And you want to have this voice, that seat at the table, so what are some of the best practices? We know this isn't easy. So what does that mean for these people on the defensive side?

Jerry Gamblin: You've got to have a plan and you got to work the plan. So many people don't have a plan and they let the gatekeeping group polarization kind of drive what they do. And then we see it all the time. You see it more because you're in marketing. And I'm a jerk and I always give you a hard time about it. But it was zero trust two years ago, companies who are still running Windows XP and Windows 7 are like," We're doing zero trust." And so they changed their budget plan and they bought some zero trust stuff. And those same people-

Dan Mellinger: We just bought zero trust. It's all good. They're fine.

Jerry Gamblin: And those same people this year are going to turn around and buy supply chain software, security software. Because somewhere when the winds changed, they kind of changed their thing. What we need to do is to help people build frameworks and understanding so that they know what they're working on and can weather these storms. So when the next SolarWinds happens or the next big breach happens and people are like," Hey, we really got to do this." They have something to take to their leadership and say," Yeah, I understand that's important. And we have some risk exposure or a little risk exposure to that. But when we sat down in December, we decided that our priorities this year are this, this and this." What are we going to move around to fix that, to swap that in? And be able to play a little better defense on that and not let like the CEO's or the board just kind of run over you and change your strategy midstream.

Dan Mellinger: Midstream. Yeah. Or the next time a major breach happens that is likely super highly targeted to go after one company and how that doesn't apply to maybe your company.

Jerry Gamblin: Yeah. I know companies who never had SolarWinds and have very little stuff who are all up in arms about this.

Dan Mellinger: Infiltration. Interesting. Well, I mean, do you have any other things you want to leave? I thought this was awesome conversation. And I think really pertinent as we kind of... I think every day people, it seems like at least once a week there's a new hack and people are like," Do we need to be worried about this? Should we be worried about this? Oh God, we're going to go invest in red team pen testing and supply chain tools." And what's the next trend of the day. There's a big kind of fear, uncertainty, and doubt that comes up in a lot of the marketing, all that fun stuff. How do we change that tide, ultimately.

Jerry Gamblin: There's a lot of blue team love on the internet now. You just got to know where to find it. There's a blue team village at DEF CON that I highly recommend. There's the app sec village. There's OSquery. There's a bunch of those kinds of groups that you can get into and talk to people who are blue team focused. There's the blue team sec on Reddit, which is great. It's all people who do blue team, who've moved away from the net sec kind of subreddit because it was all offensive. And while that stuff's cool and everybody will admit it, it really didn't help them in their day- to- day roles. You just have to find other people that are doing the dishes like you do every day and start kind of hanging out with them a little bit more and you can still love the cool hacks and the red team stuff, but you have to know that you're not in a minority and that 90, 95% of people in security are doing the dishes along with you.

Dan Mellinger: Hashtag blue team love.

Jerry Gamblin: Yeah.

Dan Mellinger: Yeah. That is awesome. Speaking of, I guess, kind of doing the dishes and maintaining your skills as a kind of a cybersecurity professional, I do want to let everyone listening know at the very end that you can actually get( ISC)2 CPE credits for listening to our podcast now.

Jerry Gamblin: That is awesome.

Dan Mellinger: Yeah, pretty awesome. We're pretty stoked about that. We're providing education.( ISC) 2 thinks so. So if you'd like to get your credits, you can actually go to the kind of security blog. So we link the podcast episode on our blog every single week, and there'll be a little form fill so you can put in your name and your( ISC) 2 member number, and you'll get some credits for listening to the podcast there. So anyway, Jerry, thanks for being on. This is one of our first podcast recordings of 2021. Like we all know, 2020 did not happen. So appreciate you being back on again. And everyone else listening in cybersecurity realm, have a nice day and don't succumb to the group polarization.

Jerry Gamblin: Awesome.