EP-S1001 - Cyber War Stories with Alex Aquino - Red & Blue Team #redteam #pentest #hack #cyber

**Full Transcription: "Beating the Drum with Cyber Gri" - Episode 1**

---

### **Introduction**

Hello and welcome to our very first episode of *Beating the Drum with Cyber Gri*. In this series, we’ll be diving into the world of cybersecurity, hearing from experts, sharing stories, and exploring the latest trends in the field. Today, we’re honored to have Alex Aquino, a seasoned information security leader with over 20 years of experience, ranging from the US Air Force to Microsoft, Amazon, and currently running Security Programs at Autodesk. We’ll be talking to Alex about his career, his experiences as a red team member, and the lessons he’s learned along the way.

---

### **Introduction to Alex Aquino**

Hello, Alex! Welcome to the show. It’s such an honor to have you on our very first episode. We’re looking forward to this conversation and sharing some exciting stories with you. Just for our viewers, let’s start by having Alex introduce himself in his own words.

---

#### **Alex Aquino's Introduction**

"Hi, I’m Alex Aquino. I’ve been in the world of security for almost 20 years now. It kind of fell into my lap when I was in the Air Force. I started at the lowest level, packing parachutes and loading cargo on planes, and eventually worked my way up to become an officer. During my time in the Air Force, I supported network operations for Air Force bases, did cybersecurity work, and even got involved in Air National Guard missions, doing red teaming and blue teaming exercises. After 24 years of service, I decided to move on to the private sector. I joined Amazon, where I worked in their fulfillment centers, which was an exciting experience because those operations never stop—it’s the backbone of what they do. From there, I moved to Microsoft, where I did security program management for their cloud services, specifically M365. That was a crazy ride—I still can’t believe some of the things I got to see and do there. I also had a brief stint at Google, where I was a program manager for Android Biometrics. It’s funny because when I walked into a Best Buy, I realized how my team’s work directly impacted everything from face recognition to thumbprint scanners on those devices. After that, I came back to Microsoft and then moved to Autodesk, where I’m currently assisting in building out the Enterprise security team."

---

### **How Alex Got Into Cybersecurity**

The next part of the conversation delves into how Alex got into cybersecurity. He shares a fascinating story about how he ended up in this field.

#### **Alex's Journey into Cybersecurity**

When asked how he got into cybersecurity, Alex shared that it was a combination of being in the right place at the right time and his passion for technology. While serving in the Air Force, he was approached by a Guard unit that specialized in red teaming. They wanted to perform red team exercises on his network, and because of his forward-thinking mindset, he allowed them to do so. This experience not only taught him the importance of security but also opened doors to opportunities he never imagined. He emphasized that cybersecurity is a field where people often stumble into it through curiosity and passion rather than formal education.

---

### **The Role of Passion in Cybersecurity**

Alex highlights the importance of passion and curiosity in pursuing a career in cybersecurity, especially since many professionals in the field come from non-traditional backgrounds.

#### **Passion and Curiosity in Cybersecurity**

During the interview, Alex discussed how many cybersecurity professionals, including himself, didn’t start with a degree in computer science or a related field. He shared that he met people in the industry who had degrees in English, art, or other unrelated fields but still excelled in security because of their passion and curiosity. He advised aspiring professionals to focus on learning through hands-on experience, attending conferences, and participating in online communities. He also stressed the importance of formal education in cybersecurity, noting that future generations should have more structured pathways into the field.

---

### **What Is a Red Team?**

The conversation then shifts to explaining what a red team is, as Alex dives deep into his experiences as a red team member.

#### **Understanding Red Teams**

A red team, as explained by Alex, is a group of cybersecurity professionals who use adversary tactics to find vulnerabilities in networks or systems. These teams simulate attacks to test the resilience of security measures. While red teaming has evolved over the years, the core principles remain the same: footprinting, evasion, initial access, movement, and persistence. Alex shared that while traditional red teams may not be able to fully emulate nation-state actors due to resource limitations and persistence requirements, they play a crucial role in identifying vulnerabilities before real-world attackers exploit them.

---

### **War Stories from Alex's Career**

One of the highlights of the interview is when Alex shares some of his war stories from his time as a red team member.

#### **A Harrowing Red Team Experience**

One story Alex recounted involved a supply chain vulnerability during his time in the Air Force. His team was assessing a network, and through curiosity, they discovered a script hidden in a system folder. The script contained domain admin credentials for multiple networks across the country. This discovery underscored the importance of securing sensitive information and the risks associated with poor security practices. Alex emphasized that such vulnerabilities can be exploited by attackers, leading to devastating consequences.
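The war story above turns on a script sitting in a system folder with domain admin credentials written into it. As an added example (not code from the episode or its guest), here is a small Python scanner that flags the common Windows idioms for carrying a password on the command line (`net use`, `psexec -p`, `schtasks /rp`, `ConvertTo-SecureString -AsPlainText`), skips placeholders such as `*` and `%VAR%` that are not literal secrets, masks what it finds, and reports whether the same password is reused across systems. The sample script, the CORP domain, and its account names and passwords are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not real credentials): the kind of helper script the story
# describes, left in a system folder with domain-scoped passwords in plain text.
SAMPLE_SCRIPT = r"""@echo off
REM nightly patch push - DO NOT SHARE
net use \\fs01\deploy$ Sup3rS3cret! /user:CORP\svc_deploy
net use \\fs02\logs$ /user:CORP\Administrator Winter2014!
psexec \\ws-%COMPUTERNAME% -u CORP\Administrator -p Winter2014! cmd /c gpupdate
schtasks /create /tn patch /tr c:\patch.bat /ru CORP\svc_deploy /rp Sup3rS3cret! /sc daily
net use \\fs03\public$ * /user:CORP\helpdesk
net use \\fs04\share %DEPLOY_PW% /user:CORP\svc_deploy
powershell -c "$pw = ConvertTo-SecureString 'Winter2014!' -AsPlainText -Force"
"""

# Idioms that carry a password on the command line. Each regex defines a
# "secret" group; "user" is present where the idiom also names the account.
PATTERNS = [
    ("net use, password before /user:",
     re.compile(r"\bnet\s+use\s+\S+\s+(?P<secret>\S+)\s+/user:(?P<user>\S+)", re.I)),
    ("net use, password after /user:",
     re.compile(r"\bnet\s+use\s+\S+\s+/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)),
    ("psexec -u/-p",
     re.compile(r"\bpsexec\b.*?\s-u\s+(?P<user>\S+)\s+-p\s+(?P<secret>\S+)", re.I)),
    ("schtasks /ru /rp",
     re.compile(r"\bschtasks\b.*?/ru\s+(?P<user>\S+)\s+/rp\s+(?P<secret>\S+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.*?)(?P=q)\s+-AsPlainText", re.I)),
]


@dataclass
class Finding:
    line: int
    pattern: str
    user: Optional[str]
    masked_secret: str
    privileged: bool                 # account name suggests admin rights
    secret: str = field(repr=False)  # kept for reuse analysis, never printed


def is_placeholder(token: str) -> bool:
    """True for tokens that are not literal secrets: the '*' prompt marker,
    %ENV% or $PowerShell variable references, and template slots like <password>."""
    return (token == "*" or token.startswith(("%", "$"))
            or (token.startswith("<") and token.endswith(">")))


def mask(secret: str) -> str:
    """Keep two characters so an analyst can tell findings apart without exposing the value."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"


def scan(text: str) -> List[Finding]:
    """Return one Finding per credential-bearing command, in file order."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.lower().startswith(("rem ", "::", "#")):
            continue  # batch / PowerShell comment line
        for name, rx in PATTERNS:
            m = rx.search(line)
            if not m or is_placeholder(m.group("secret")):
                continue
            secret = m.group("secret")
            user = m.groupdict().get("user")  # None for idioms without an account
            findings.append(Finding(
                line=lineno, pattern=name, user=user, masked_secret=mask(secret),
                privileged=bool(user and "admin" in user.lower()), secret=secret))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a reviewer wants first: hits, hits on admin accounts, and distinct
    passwords (fewer distinct than hits means one password opens several systems)."""
    return {
        "total": len(findings),
        "privileged": sum(f.privileged for f in findings),
        "distinct_secrets": len({f.secret for f in findings}),
    }


if __name__ == "__main__":
    results = scan(SAMPLE_SCRIPT)
    for f in results:
        who = f.user or "(account set elsewhere)"
        tag = "PRIVILEGED" if f.privileged else "credential"
        print(f"line {f.line}: {tag} {who} via {f.pattern}: {f.masked_secret}")
    print(summarize(results))
```

On the constructed script this reports five hits: two for `CORP\Administrator` and three for `CORP\svc_deploy`, but only two distinct passwords, which is the finding that matters most, since one recovered password then works everywhere it was reused. Lines that prompt for a password (`*`) or read it from an environment variable are deliberately not reported.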

---

### **Lessons from the Target Breach**

Alex also touched on the infamous Target breach as an example of how critical it is to follow best practices in cybersecurity.

#### **The Importance of Following Best Practices**

Discussing the Target breach, Alex highlighted the need for organizations to go beyond just conducting red team exercises. He stressed that true security requires a comprehensive approach, including patch management, log analysis, and identity verification. He advised businesses to treat security as an ongoing process rather than a one-time checkmark on a list.
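The advice in this part of the episode is to keep looking at the whole estate, including whether the identities in your privileged groups are supposed to be there, rather than treating a passed red team as a checkmark. As an added example (not from the episode or its guest), here is a Python check that compares a privileged group's current membership against an approved baseline and flags three things a blue team wants to catch: members nobody approved, members that have never logged on (an account planted and left to sit, the nation-state pattern Alex describes), and approved members idle past a dormancy window. The CORP domain, the account names, the timestamps, the assessment time and the 90-day window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed data (hypothetical CORP domain): the approved Domain Admins baseline
# and an export of the group's current members with last-logon timestamps (UTC).
APPROVED_DOMAIN_ADMINS: Set[str] = {
    r"CORP\Administrator", r"CORP\alex.a", r"CORP\svc_backup",
}
CURRENT_MEMBERS: Dict[str, Optional[str]] = {
    r"CORP\Administrator": "2024-05-01T08:00:00Z",
    r"CORP\alex.a":        "2024-05-02T09:30:00Z",
    r"CORP\svc_backup":    "2023-09-15T02:00:00Z",  # approved, but unused for months
    r"CORP\helpdesk2":     "2024-04-28T17:45:00Z",  # active, never approved
    r"CORP\da_tmp":        None,                    # added to the group, never logged on
}
# Constructed "as of" time for the assessment.
ASSESSMENT_TIME = datetime(2024, 5, 3, tzinfo=timezone.utc)
DORMANT_AFTER_DAYS = 90


@dataclass(frozen=True)
class IdentityFinding:
    account: str
    reason: str


def parse_utc(stamp: str) -> datetime:
    """Parse the export's ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_privileged_group(current: Dict[str, Optional[str]], approved: Set[str],
                            now: datetime, dormant_after_days: int = DORMANT_AFTER_DAYS
                            ) -> List[IdentityFinding]:
    """Diff current membership against the baseline and check each member's activity.

    A member can produce more than one finding (e.g. unapproved AND never logged on);
    approved accounts missing from the group are reported too, since that is either
    an unrecorded change or someone covering tracks."""
    findings: List[IdentityFinding] = []
    for account, last_logon in current.items():
        if account not in approved:
            findings.append(IdentityFinding(account, "not in approved baseline"))
        if last_logon is None:
            findings.append(IdentityFinding(account, "never logged on"))
            continue
        idle = now - parse_utc(last_logon)
        if idle > timedelta(days=dormant_after_days):
            findings.append(IdentityFinding(account, f"dormant for {idle.days} days"))
    for account in sorted(approved - set(current)):
        findings.append(IdentityFinding(account, "approved but missing from group"))
    return findings


def review_sample() -> List[IdentityFinding]:
    """Run the check over the constructed export at the constructed assessment time."""
    return review_privileged_group(CURRENT_MEMBERS, APPROVED_DOMAIN_ADMINS, ASSESSMENT_TIME)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.account}: {f.reason}")
```

Run against the constructed export this yields four findings: `CORP\helpdesk2` is outside the baseline, `CORP\da_tmp` is both outside the baseline and has never logged on, and `CORP\svc_backup` is approved but has been idle for 230 days. The two active, approved administrators produce nothing. In practice the export would come from the directory (for Active Directory, `Get-ADGroupMember` plus `LastLogonTimestamp`) and the baseline from a change-controlled file, and the check runs on a schedule, not once after an assessment.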

---

### **Supply Chain Vulnerabilities**

The conversation also covered the importance of securing supply chains, drawing parallels to the SolarWinds attack.

#### **Securing Supply Chains**

Alex explained that supply chain vulnerabilities are often overlooked but can have significant consequences. He shared insights from his time responding to incidents involving third-party vendors and emphasized the need for organizations to vet their suppliers thoroughly. He also discussed how attackers exploit trust relationships in supply chains to gain access to sensitive systems.

---

### **AI and Its Impact on Cybersecurity**

As the discussion progressed, Alex shared his thoughts on the advent of AI and its impact on cybersecurity.

#### **The Double-Edged Sword of AI in Security**

Alex expressed mixed feelings about AI’s role in cybersecurity. While he acknowledged that AI has the potential to accelerate tasks like threat detection and response, he also warned that it is not a panacea. He stressed that AI tools require proper training and prompting to be effective. He shared concerns about misuse by attackers, who could leverage AI for malicious purposes, such as creating sophisticated phishing campaigns or automating attacks.

---

### **The Future of Cybersecurity**

Alex also shared his thoughts on the future of cybersecurity, touching on emerging trends like cloud security, zero trust models, and the importance of continuous learning.

#### **Emerging Trends in Cybersecurity**

Alex discussed how organizations need to adapt to new threats by embracing modern security frameworks like Zero Trust Architecture. He emphasized the importance of staying updated with the latest tools and practices while also highlighting the need for ethical use of technology. He also touched on the importance of fostering a culture of mentorship and training within organizations to address the ongoing shortage of skilled cybersecurity professionals.

---

### **Key Takeaways from Alex's Book**

Alex concluded the interview by discussing his book, *Cyber Gri: The Art of Storytelling in Security*.

#### **The Power of Storytelling in Cybersecurity**

Alex explained that his book was born out of a desire to share knowledge and experiences in the cybersecurity field. He drew inspiration from the role of griots in West African culture, who use music and storytelling to preserve history and pass down wisdom. His book aims to do something similar for cybersecurity professionals, providing them with a resource to learn from real-world examples and stories. He hopes that *Cyber Gri* will inspire the next generation of security professionals and encourage organizations to prioritize ethical practices in their work.

---

### **Conclusion**

As the episode wraps up, Alex expresses his excitement about being part of the show and looks forward to future discussions on cybersecurity.

#### **Closing Thoughts**

Alex expressed gratitude for the opportunity to share his experiences and insights with the audience. He emphasized that cybersecurity is a constantly evolving field, and staying informed is crucial for professionals in the industry. He also encouraged viewers to reach out with questions or topics they’d like to explore in future episodes.

---

### **Final Words**

Thank you, Alex, for sharing your wealth of knowledge and experience with us. Your insights have been invaluable, and we’re sure our audience will learn a lot from this episode. Stay tuned for more exciting episodes where we’ll continue to beat the drum for cybersecurity awareness and excellence.

---

This concludes the full transcription of *Beating the Drum with Cyber Gri* - Episode 1 featuring Alex Aquino.

---

### **Raw Captions (auto-generated, lightly punctuated)**

**Host:** Hello and welcome to our very first episode of Beating the Drum with Cyber Gri. Today I'm honored to have Alex Aquino. Alex is an information security leader with global experience, ranging from the US Air Force to Microsoft to Amazon, and currently running security programs at Autodesk. We will be talking to Alex and he'll be sharing some war stories with us. In the meantime I'll be right back, stay tuned, and when I come back we'll have a chat with Alex.

**Host:** Hello Alex, welcome to the show, and welcome to our very first episode. So I'm actually honored to have you on this. This is our very first one, so I'm looking forward to this chat and having an exciting conversation. Just for our viewers to know, we're going to be sharing some more stories, Alex is going to be sharing some more stories with us, and we're going to take it from there. Hopefully this is a fun episode for you all to enjoy. So Alex, welcome to the show, and thank you for doing us the honor of recording our very first one. So without further ado, I know I did a little bit of an introduction about you, but I will let our viewers hear it from your own mouth. So tell us a little bit...

**Alex:** Wow, you made that person you started with sound really cool. Well, let me go from the start from there. I'm Alex Aquino. I guess I've been in the world of security, kind of fell into it, now for, geez, almost 20 years now. Thanks for mentioning, yeah, I did 20 years in the Air Force. I did everything. I started at the Air Force at the lowest level, from packing parachutes and loading cargo on planes, and eventually moved my way up through the service to becoming an officer there. During my time in the Air Force I ran networks for Air Force bases and supported that, and then eventually ended up doing work for the Air National Guard, doing cyber operations missions, what we'd probably consider red teaming, blue teaming work, in addition to running the Western defense actors networks [sic]. So, a total of 24 years in the service. During my total time there, all of a sudden I decided I wanted to move on to other pastures. I joined the private sector, where I moved on to Amazon and did IT operations in fulfillment centers, and that was actually really exciting work. Those fulfillment centers at Amazon, I'm sure everyone's aware, just run, they don't stop, and IT operations is their backbone, it's the lifeblood of keeping things going. So I did that. From there I moved over to Microsoft, where I was a security program manager on some clouds. I did a lot of cloud work there, doing security and security incident response for M365, which I still can't believe some of the things I got to see and do there. Did a brief job at Google where I was a program manager for Android Biometrics at one point in time. It was crazy for me: I walked into a Best Buy and I saw all these Android devices out there, and you think, my team directly impacting anything that has biometrics, be it vision, be it eyes, be it face identification, thumbprints, etc. Came back around to Microsoft, and then I decided to go try different things, where now at Autodesk I'm a security program manager assisting in building the enterprise security team there.

**Host:** Wow, that's awesome. That's quite a career to unpack. I know you mentioned a lot of terminologies in there, and just for the viewers' sake we'll cover some of these as we go. You talked about red team and so forth, and I think I heard a few other terms that we'll talk about. I'm just curious, in your close to two decades, or more than two decades, of security career, what was the initial thing that drew you to security?

**Alex:** You know, I consider myself to be a very, very lucky person. I seem to have an ability to be drawn to the right place at the right time, and my path when I started was not in security. I know a lot of people, including yourself, who are in security or are security professionals, or you go to a security conference, and I think even here at Autodesk the most interesting thing I've noticed is, you start asking people what did you go to school for, and the number of English majors and art majors that are security professionals blows me away. Which for me is always a signal that security is changing now, right. We have more formal education in security, but everyone kind of seems to fall into it in our generation. I'm hoping that future generations have formal education. Again, I'm really passionate about that, we could talk a lot about that. But anyway, it's a long-winded way to sit there and say how I got into security was being in a little bit of the right place at the right time. I was an active duty officer, and the Air Force at that time was making the decision to reduce the number of active duty officers, and there was a Guard unit on my base that focused on red teaming. At one time they came to me, and they had talked to previous people who ran the network there, and they're like, hey, we want to do some red team activity on your network, are you okay with this? And they were very like, yeah, because normally we're used to getting kicked out. And I'm like, no, come do your thing, what do you need to do? The more you prove that's wrong, the more opportunity, the better you'll make us. And establishing that relationship was a huge one for me, because I didn't know at the time I'd established a relationship. They appreciated that I had this viewpoint that security was a good thing, because fantastic red teaming, well, it may seem sexy now, it wasn't exactly the hotness back then. A lot of the time red teamers are looked at by IT guys as like the devil: get away, get out of here.

**Host:** I want us to talk a little bit about red team. We will, I know that's the fun part, but you brought up a really good point, and I get these questions quite a lot too, right: I'm trying to transition into security, is there any particular coursework and so forth? And I always emphasize the fact that there's a lot of security folks that I know in our space that have music degrees, not necessarily music degrees or whatever, but they didn't start in that space, like they didn't take a computer science degree or whatever. I think you called out something very important which I want to highlight to our viewers: passion for this job, or passion for this industry, is key, and I wanted you to just kind of touch on that.

**Alex:** Let me talk about that, yeah. Because I get that question a lot too, right. Very often, you know, I was at Microsoft or I was here, I was there, like how did you get there, what did you go to school for? I fortunately did, you and I both did go to school for a cyber security degree, the first one right here in the state of Washington. But what I'd always tell people are two things. One, your first point, they're like, well, how do you hire someone? I go, you know, when I was in the Air Force and in the Guard I didn't hire because someone came in like, hey, I'm a red teamer and blah blah blah; very few people came in like that. I asked questions like, what do you do for fun with your computers? And if, no kidding, someone came to me and said, oh yeah, I have virtual machines, okay, I'd automatically hire you, right. That demonstrates passion, that demonstrates curiosity, that demonstrates interest. And then secondly, we live in an amazing day and age where if you really want to learn it you can; everything's available. So if you want to get into this world nowadays, that's the other advice I always give people: go to ISSA conferences, go to security meetups, go to these things, meet these people, go online, learn skills and crafts. You don't need a supercomputer or anything. You can absolutely go to Best Buy, buy the most basic $600, $700 computer, teach yourself how to put Linux on it, start running Linux commands. There's an amazing Hak5 series taught by Snubs that I use that walks you through Linux, installing it, running Metasploit, doing all these things, right. And you know what, here's what I'll tell people: the penetration, or the vulnerability, of today would not exist tomorrow.

**Host:** Absolutely, absolutely.

**Alex:** And you have to be flexible. This is, I'd say all fields nowadays, just the way things move, but this is a field of constant change, right. And with the advent of AI and everything, to your point: aptitude, passion, curiosity, just a natural interest in wanting to learn and do something more, you can get into this field. This field is not without opportunity. Look at how much I've jumped around. People would tell me, oh, you can't change jobs. Dude, I never have a problem finding a job.

**Host:** I can attest to that.

**Alex:** I've been very fortunate. And part of it, kind of going back to my story in the beginning, how I got into it was simply because I met these red team people. When I left the Air Force I walked across the street, because I demonstrated an interest in it, and they hired me into that unit, and they gave me full hands-on training into the world of cyber security. So that's how I got into it.

**Host:** Awesome. We've covered the term red team quite a bit already, and for those of us who don't know what it is, kind of walk me through what a red team is.

**Alex:** Okay, well, these phrases... we'll use red team, we use penetration testing, we use blue team, we use green team. We love colors for some reason. We want white hat, black hat, purple teams, right. Seriously, green, purple, red, we got it. But a red team, if I was to make it very specific, it would be a team that uses adversary tactics to break, or to find vulnerabilities, in a network or a system or environment. And I even say network, which shows how old I am, because nowadays you'd be going after a cloud environment. You could go penetration testing against a cloud environment, you could go penetration testing against internet of things, SCADA systems... let me be careful with my terms here: systems that control industrial control systems, that control water plants, power plants, that kind of thing. So you could have a discipline or specialty in penetration testing, red teaming, that would use adversary tactics to get into these environments, cloud, those kinds of things. And that's continually changing. Working at Microsoft with the threat actors, the amazing variety of different ways that you can break into a network and such.

**Host:** So what would you say, are red teams kind of standardized across the board, or are they like SWAT teams, and then there are teams like...

**Alex:** I think so. If you look at, what's it called, MITRE, the MITRE ATT&CK, look up the MITRE ATT&CK chain. The basic ideas of evasion, movement, entry, all the different parts of the MITRE framework are extremely valid. It doesn't matter what the system is. The basic thing is there, the techniques are there, then you get into specialized techniques, the differences of how you get there. So whereas, let's make it like an industrial control system that's controlling water in a dam, right, because those systems don't like to change much, it might still be running an old version of Windows, and they'll pull out the old books of how do you attack Windows XP or something, which, scary, might be true, right. Versus if you go after a cloud, like a Google Cloud or an Azure, you'll use a totally different technique. But where you start will always be the same: how do you gain initial access, how do you footprint, how do you move around, how do you hide your tracks. All that's true, as the different techniques of the movement of a threat actor are true.

**Host:** Makes sense. So it seems to me when we talk about red teams, these are high stakes, right, and you as a leader, I'm curious how you manage such a team.

**Alex:** My only job was just to bring them donuts and food and then set them free. I showed up, I brought donuts, I brought fos [sic], go forth and do a great thing. No, managing, leading teams like this... one of the biggest skills I definitely left the Air Force with was a passion and a lesson of leadership and taking care of people, and that doesn't change no matter if you're leading any team or organization. I can give you leadership principles all day long, but what I would do specifically as a manager is, you know, when you're touching a production network, people, systems, lives, like if you're going after a hospital, depend on these networks. So if you're a red teamer going against a production network you have to plan, you have to coordinate: what are the entry points, what are the places that we don't touch, right. When you're working with the customer, do they want to test their incident response services, and you're going to be completely under the water, completely covert, or are you going to be open, like, hey, we're doing this work? So you work the agreements, you work the time frames, you explain what you're going to do, because the first thing obviously you want is to find these vulnerabilities; the next thing you want to do is [not] cause them harm. Because the worst thing you could do, which would be a war story if I could talk about it, would be to shut down an entire segment of a network because you decided to run a tool. I'll save that for a war story, but I was on the receiving end of a security activity that shut down something that was critical for me, and if you remind me I can get into that later. But being the leader of the team, you have to organize the team, you have to ensure they're ready to go, you work the agreements with the customer, you make sure your team is trained, they know what they're doing. The way it worked in my organizations, I was obviously the officer in charge, but we also had a person called the technical lead. And the other aspect, which was also very important, is that we brought new people on and we created opportunities for new people to get their hands dirty, get hands-on-keyboard stuff, and that even forced me, as the officer, to sometimes be the hands on keyboard. I took on, I call it the menial task, of building spear phishes and stuff like that. That's some of the things I did.

**Host:** Makes sense. I do want to highlight something and then maybe just get your thoughts on it. So with red teams and the evolving ecosystems and landscapes of information security, and all the systems we have out there now, one of our biggest concerns is nation state actors. How do traditional red teams deal with those? We see a lot of the nation state actors, I don't want to mention names, but you know what I'm talking about.

**Alex:** Let me make sure I'm clear on your question. Are you asking if, for me, a red team or pen testing team is brought on in a friendly aspect, right, here's my networks or here's my devices or here's my IP address range, the class A or class B that my company runs, against... nation state threat actors are a whole other...

**Host:** Yeah, and I think my question was more, is a red team that's more targeted in terms of mimicking those nation state actors, does that work function differently from a traditional one?

**Alex:** To be completely honest with you, I don't think a red team can effectively emulate the persistence, the resourcing. As a red team I would come in, a mission could be timed out, I think the longest one we may have run was a month, right. Nation state threat actors, their time horizon is years. They're planting accounts, they're planting identities and they're letting it sit, or they would go and wake it up just to make sure it doesn't time out or whatever. These teams, these people are highly organized, with project managers and program managers, and I say that as a serious thing. Their mission set is focused, they've got super well trained people, and their persistence is insane. So, I mean, correct me on this, isn't the average time to detection now like 18 months for a threat actor?

**Host:** Yeah, probably.

**Alex:** So anyway, I'll be honest with you, my opinion: I love red teams, it's sexy, it sounds fun. I think the better investment is blue teams. Having a blue team assessment of your network, what a difference. A blue team assessment is going to come in... I love my red teamers, I was one of them, but a red teamer is going to come in, we're going to knock on the door, we're going to go down the hall, we're going to knock on the door, go, oh, this door is unlocked, okay, we're done, congratulations, you have a vulnerability. A blue teamer is supposed to look at your entire scope, the entirety of your network. I know our organizations bring in red teamers from the outside and we feel really good about it, we had a red team done, but I feel like red teams are really limited in scope. I'm a bigger fan of purple operations, and we can discuss that; that's when you have the homegrown security team working in partnership with the red team, and you're continually looking at the entire scope of your networks: are you checking your logs, are you making sure the identities are supposed to be in there, you're looking at your entire network. Security is a constant thing. A lot of people, sometimes I feel like they're like, oh, we patched, we did a red team, check, we passed. Well, I don't know if you guys heard of this little company called Target, right. A few years ago the little company Target had an exceptional PCI inspection, exceptional, and what, they got owned hard through a vulnerability through, I think it was the payment vendor, the PIN pads, and it was a vendor that was working...

**Host:** That's actually a nice segue into something else I did want to bring up, in terms of the supply chain, right. How does a red team mimic, or even mimic their defense against, something like that, especially the Target example you just brought up?

**Alex:** In my opinion and in my experience, that's really good stuff. I think SolarWinds was probably a really great example of a supply chain attack, and I lost a month of my life to the SolarWinds response in my past deployment. That was a nation state threat actor from what I understand, from what I saw, and I'm not saying anything that wasn't in the public domain. And they took advantage of, quite frankly, a bad secure development life cycle, SDLC. They took advantage of a bad life cycle where there was a build process and they had a weak password in the build process, and they got themselves in and they sat quietly on that access forever, and eventually injected their code into updates to everyone. But think about that. Back to your question, how would I emulate that as a red teamer, unless I've decided that's a vector or path? I'm a bigger advocate of, when you listen to these industry conferences, the Black Hats, those kinds of things, and people are talking about those things, are we taking some of those things seriously? And additionally, I don't know if anybody was really even thinking about that.

**Host:** Yeah, when SolarWinds happened it was pretty much a first of its kind, especially on that large a scale and so forth.

**Alex:** Well, again, let's go all the way back to the beginning, to the MITRE framework, footprinting and so on. It's like, I'm big into aviation, and an airplane crash doesn't happen because of one thing, it's a bunch of little steps, and when you trace back a good nation state threat actor attack it's a bunch of little things. It was literally, if I remember SolarWinds, I'm sure the comments will correct me on this, but if I'm not mistaken an intern put a bad password into the build system of SolarWinds. It always starts with the most basic things, a little crack in the hull. Anyway, I could go on and on about that.

**Host:** Awesome. I know one of the things we wanted to talk about was you sharing some of your war stories from your red team, and as you can see down there I have our banner set up: when doing the right thing isn't done right. I'm curious to hear this story, so do you want to dive into it?

**Alex:** Yeah, so let's talk about that. I have to be very careful about my sources and how I can generalize the story, but we were doing an assessment of some networks. We came in, it was actually my first mission as a mission commander for this. So there we are, we're doing our thing, and he's... yeah, I'm not going to name the names because I haven't talked to him, but he is now well known in the industry as a security leader, he's running an amazing company, and I wish I could mention his name. He was a low level E4, E5...

**Host:** You should definitely get him on here.

**Alex:** Right. And all he did, so imagine back in the day, and still even true now, right, if people remember, it was the industrial control system thumb drive attack, where malware using a famous vulnerability in the auto-mounting system of USB devices, you eject a little bit, you put your power on there, then...
someone take a USB device and move it from device to device and it would just move along on its  very we very elegant very beautiful system and the networks I was I was assessing were attempting to  um mitigate that threat so there was a product gosh now s show my age I think it wasm or SCS it  was a Microsoft product that pushed patches across networks to to do that and and the team had um VB  script that was entirely focused on getting you know patching the threat but it had to run um you  know this is you know this is this is the first mistake they made it was overpowered right it the  script round the machines as a domain us a domain admin identity credential so they push  this out across the network the script goes off blah blah blah hey okay did this thing did the  fixes whatever well they uh the first thing is um and this is where I'll test you have met does  security through is security through obscurity a method of security does it work not just cuz  you think somebody doesn't know about it so my uh my pin tester and let's reiterate that  security through obscurity is not security is not security so they put the script in a hidden  folders hidden files in the computer my troop decides to Unos to me just out of curiosity  decides to do a search for hidden files right and he did a search for the word password it hiddenfil oh I forget this say and um and and I remember him sitting there and he goes this  is this a familyfriendly show right um he he sits there and I'm sitting there I'm sitting  there doing my thing and I I hear go holy B he goes oh my this can't be bleep I'm like I'm like  what's going on dude he goes y'all got to see this so he came over and he found that script  I was talking about beautifully beautifully authored script with the first top lines going  was a password for each domain in this major Network wow across the entire country every  domain had a beautiful you know domain country AC say across a lot of important places and it  had 
like the domain and then it had you know the the the domain admin account equals and  and a beautiful 32 character password so for each one on the top that's interesting does it sound  like this script was exactly the same thing that probably deployed across many other organizations  right oh yeah yeah yeah they deployed this across everywhere right and then on top of that harded  all the credentials in there too in the script so he so G my TR sh was at this point literally just  took that P took that took that credential net use boom boom put in there it pop that good let  use create use that you create own domain admin account yeah right this is getting fun and prove  that it worked and we created it in each of those places nobody caught us each of those did yeah no  one no one said anything we created domain admin accounts dan. generous was was the person's name  for for context I want you to sort of touch on what domain admin accounts are just for  listen to kind understand what that what the extent of that powerful account that someone  you can do if you're a domain admin you can do everything and anything you can control everything  you can install software because they were using that to install this patch on all these systems  because it's the most powerful pushing Windows like like pushing Windows Windows update yeah  yeah right so think of it this way right so there are many many types of accounts of the Windows  system right did you necessarily have to deploy it was lazy in my opinion right did you have it  maybe you know I hate being critical because I've been the guy on the other end of running  it systems abely right but you have to think about it right you know this is this is where you know  we sit there and say these lessons are you know are learned are are designed for a reason right  um so yeah we created it and and holy crap I at that point in time I had the ability  to shut down all these networks if I wanted to right my viewpoint was this I 
didn't care what I  had I was sit there going shoot if I found it I'm darn well know threat actors already have  this they have this right and the problem that I had is I called up middle of the night I'm calling  generals and all these people like dudes we got problems here sir ma'am and they're like yeah  we'll get back to you on that back then nobody really understood what that I was just gonna  say to your point yet nobody understanding did you even have run books for for such a situation  D my first first time as as running a team like this and my team's like I'm like so what do we do  we're like we have no idea love and luckily I had some background of knowledge I started waking up  people on in the middle of the night and people I tried to explain to people and they were just  like so you created an account and I'm like yeah but the BL is right think of the yeah it still  it still pains me to the St um the lesson was to your point they were attempting they were trying  to fix something right they were trying to Lally ironically to patch another vulnerability and in  doing so open themselves up for something way worse been way worse that's crazy that's that's  crazy so I what would you say just citing that example if if that was something that  was happening today would you say that in both situations the attackers would probably even have  more sophisticated ways because of advancements we've made cuz I assume this is like a one right  you know that's you know if few a couple years ago if you based on um some recent things I've  seen I would tell you I would sit there telling somebody the other day it's like oh CH those kinds  of things that's not robing you everything's in the cloud but there have been some recent  events that have has in my life professionally that has highlighted that the basics are still  important right and and I would even argue that these that we've gotten more sophisticated now  now we do have um you know in Windows and such uh 
specialty accounts that are only used for updates  right now we're trained in notion of like you know lease privilege lease power right um one of  the things I'm a huge advocate for right on doing administrative actions are is something called jit  and Gia right and you're probably looking at me like what's that mean jit stands for just in time  yeah jit G right and just enough access so what that does like if you need to do an administrative  thing on a system right you're you have it's like a you know it's like in the nuclear world we have  two keys one person turn one both people are turn kid same time to launch the missile same process  right so what happens in the G type environment is that one person goes in there and says hey I need  to do this this maintenance action right I need this super account to do it their personal account  doesn't have any ability to do that right then they submit that that gets authorized right and  they're given just enough access to do that work in that space for a Time bound period  so I'm going to sit there and say he like but that's you know what that's probably one of the  most powerful tools we can use to administer security and access to the network I don't  see used that often actually um to be honest with you I'm quite surprised by the adoption  of jit in in terms of like as you mentioned the industry this is something that's available but  I don't hear a lot of people talk about that I mean we still go with the old fashioned trying  to lock things down and so forth but you know like with jit there's there's always like a  time frame right if I just in time yeah there's a just in time there's a time time down and count  right one thing I do want to ask when it comes to jit and I think I've seen this in in many places  like with like the break glass situations right could I guess can jit be done wronglyoh there's no such thing as a perfect system right you know who someone famly said if more  than two people know a secret 
it's not a secret right and um I I worry about jit and G in the  sense of uh Insider threat right so if you have an administrator is someone who has the ability  to kick off a jit thing or or you have you know you have someone who has access right a person who  has the right privileges but decid to do bad then you you know but then again even think about it  right let's even think about that that means you have to have two people willing to do that rightyeah collusion cusion right but but I have seen situations where jit and Gia I have  dealt with this situation directly my some of my other professional life as a as a security  program manager raing against this where it's like well jet and G is like too Troublesome so  we we we automated some some jet actions there's some things we'll just let people do without you  know without having to go through the whole process I'm like then you don't have J and G  yes we do yeah but we made some things automated it still logs it I go but you I  go either you use it or you don't right yeah so um yeah it it's really really you can any  look any security system any security operates can go bad doesn't doesn't matter right it's  how many how frustrating do you make plan that in my life is how frustrating do you  make your system so a threat actor decides you're going to go somewhere else whatthat that that kind of drives away the you know as we call it the script kitties and and the you  know as you mentioned APS they they probably will still go at it for a while right you know  um nice uh nice nice segue into something I do want to talk about as we talk about  emerging Trends how do you see the Advent of AI affecting TRS in our oh oh my gosh oh oh wow  you you went there you know I'm going to I'm going to be very very very honest  with you I don't know um I I don't know I think uh my my experience personally withAI I you know everyone is scared of AI yeah it's a new thing and there's there's stuff to  be scared of right but if 
you don't have the basic foundational knowledge to ask the right  question AI doesn't matter you can you you know how many times have there been famous stories now  of lawyers using AIS for and getting busted right to do briefs right because they because because  you know had hallucination had fake cases in there right um in the you know in the hands of someone  that actually knows something AI is an enabling superpower I use AI on my job as a program manager  because even as like as something as mundane as like help me get started on a statement of work  or something right give me the great but I asked it the right question I knew I need a statement of  work I you know and I know to read through it um AI will accelerate my opinion um I think I  think uh AI in the future may enable people with like hey I want this effect and it may have you  know you may it may get that once it gets trained to that point so I think uh I think AI is scary  it's not and it's probably already doing things because it makes things easy um but you have to  be able you still need the knowledge you still need that minor framework you know you still  know yeah I mean what is our our our our most uh popular term we like in programming garbage  in garbage out right so yeah if you if you're able to prompt it as as good as you can then it depends  on the output as well too but again I'm not a I'm not a person with the hands on keyboard right you  know so I wouldn't say I'm an that's my my view my opinion I could be you know things could already  be happening or probably actually probably already are happening in the AI space I was just watching  um I'm in the process of teaching myself llfs and uh and I'm working on on this little computer I  got right now right um of running LM I'm working with llama and I'm watching the YouTube video  again when I talk about beginning curiosity and interest right I'm teaching myself how to do it  and the first video I got run into is a guy who's like well 
what if you want a llm without the the  Safeguard your controls right this is how you do it right so yeah you know but anything but like I  said you know you still need to have some kind of knowledge you still need to plan I mean you  know a nation state threat actors are they're really working through things right and it'll  it'll probably just accelerate script Kies and those things right all the knowledge is out there  right absolutely absolutely and I think with the with the ADV of like things like deep sea which  is like non-op source and so forth like these tools in in the hands of the wrong people the  wrong folks become much more weapon nice awesome yeah cool awesome um so I do want to cover this  this is the part of this show where we do s of sort of like a rapid fire questions and I'm  curious to hear what your thoughts are now this is the game how we play it is I'm going to ask a  question and I and you tell me the first thing that comes to mine and then we'll take it from  there so you when you're ready to go so oh boy all right all right for good so let's do this log 4J  where were you how they affect you uh I was I was actually in the military and it didn't impact us  at all it's interesting I I worked for a guy who led to security for log 4G at Microsoft right and  it didn't you know what it was actually bigger pain in the ass was like how do we patch against  it yeah in a cloud in giant hot environments right and at my end we were at the receiving end of it  right but it weirdly it was a big deal rightly so right but did it really I I don't know personally  of any attacks that have been been attributed to that I think it's one of those where everybody  found out about it at the same time and then and very and and but it's also but also we always oh  my god I've lost I've lost so many holidays but the whole point of it is is I um is that it wasn't  I think it was so complex to to uh you had to be on system you had to have root on system you had  to 
do you have to do so many steps to roll it that it just yeah I think lower hang fruit yeah one  takea away for me especially for L was everyone Panic that's a fact um but then when people  started to kind of investigate you know just cuz you know it's out there it's a big vulnerability  and so forth there are a lot of systems that were not even running those you know libraries and so  forth and and so it just you know you had it was very deterministic on your environment and what  you were doing and so for so cool awesome uh in one word what is your information uh securityphilosophy oh boy um honestly it's du the hard work it's you know I'm I'm I'm in the process  right now of dealing with situation my current my current company where everyone has an excuse of  like this security is hard we can't afford it and you have to you the only way you're going  to be successful as a thread actor like like I talking about the pentest right they got only  hit one unlocked door you have to protect every door yeah so what are you doing to protect every  door are you doing the hard work are you training people are you putting in systems are you staying  patched are you are are are you looking are you hunting I think that's really underappreciated is  hunting for thir doctors right um are you do the hard work there's you know a lot of times people  want to automate out security or automate out patching or or take away a set that's inconvenient  right because it's you know because it's hard or you whatever do the hard work makes that makesense  open source or proprietary both both I think I think I have I have I have I I think both have  produced amazing results and and I think the marketplace has spoken right I think absolutely  do you remember the time when uh I don't know if you were part of it but I I probably I I used to  ascribe to those kind of like you know Microsoft haters I'm like yeah we we're open source we love  the open source world you know and then you know many 
many years later what guess who's running  Linux and other things on aure and all yeah yeah but I think I think both have their place and and  both you can go on your windows box right now and hit the TRL WSL and so forth I I just actually  was running something on there the other day and it was pretty awesome so I was like yeah this is  great you know um biggest challenge in crisis Management in our space Oh biggest challenge  is that we don't have a culture of growing and mentoring new new Cyber Security Professionals  um we can't get enough right we I've seen it personally where it's like you we don't want  to train and hire new people we just want to hire people that know it that know right and  and we don't do a good enough job I don't think we have enough schools I I like a friend of mine  is teaching in school and I you know it's amazing what they're doing I'm not trying to criticize it  but the curriculum was so behind I I remember doing a special talk for them and I go what's  iaz what's P what's this they knew nothing about the CL nice right you know and um we have to have  schools that need to keep up and um you know I'm not saying CH look I I got that right but you know  you know we need to start talking about Cloud security we start talking hypers skill security  you start talk about AI security you and I can go to a whole separate like talk about AI security  absolutely absolutely um so and then the I guess the last thing I would say one piece of advice for  infos leader you being being a leader in in this space for quite some time you know I think the one  piece of advice is uh don't the no man you know um don't be the person that that that is willing  to um uh to to work with you want you want to be early in development cycles and you don't want  to be the person that's always say no you want to be the person who works with teams to enable the  security to to happen right you want you want to be a partner in security right because a  lot of people 
avoid security because security is like what's our first answer no yeah well we're  supposed to be the god reals right not the stop Gat right so exactly absolutely absolutely well  gosh like I didn't I didn't think we'll get through this but you know this has been super  awesome and an amazing chatting up Alex and I appreciate your time this is the very first of  our episodes um we are going to have a lot of experts like Alex Alex is probably going to be  back I know there's a lot of topics we could cover so I'm I'm already signing him up for that but  what I would say though as we wrap up um you know is there any key takeaways that you would love to  I want to I want to turn I want to turn the the the pages here on you because you're successful  you have you have a book that uh that that I helped I helped look at for you you're publish  that kind of thing um what drove you to start this to do something amazing like this so that that is  a good question I think it go I think it goes to the point you made in the beginning right so like  one of the things so my book was you know you know a combination of a lot of things that happened and  and kind of drove me into that I was as you are well aware in going into like a you know a PhD  program for cyber Studio whatever and I figured you know like I didn't want to do school anymore  I I'm like why not just get all that stuff in my head and put it in something now that said  I chose absec especially building like an absec program because there's nothing out there like  you know you and I have you know been in spaces where we struggle to even figure out where do we  start like as I'm I'm here I'm the ABC program manager I'm building the programmer on this what  do I do that was my goal of the book and and so the the primary goal that was to put a resource  out there let individuals and Industry folks share that knowledge if anything and to your  point starting this um I would give you some context on the name so griots in 
West Africa  are literally historians and they tell like you know they they know the history of the land the  people whatever and they tell the history oral tradition or oral tradition exactly um they you  use instruments such as the K or the jimbe in some places like like with my tribe in Ghana  they use the J Bay and so forth and they you know they drum and they tell the stories so the idea  behind our name is cyber G we're all GS in this space we're telling the story and I couldn't be  happier that you came in and told such a wonderful story especially around red team when doing the  right thing is done uh when doing the right thing is done it's not done right sorry I was trying to  get that but yeah so that's kind of where it was so I'm just hoping uh this would be a platform  that I can bring on guest we can we can share the stories we can Inspire the folks like you  mentioned I'm sure someone is going to probably land on this channel and see what we're doing it's  going to Peak their interest you and I like you said we it was the interest that you know peing  our interest was what kind of got it started right so yeah I'm hoping this would be useful for some  folks in in in out there so yeah well thank you so mucha it's an honor for me to be here I I hope  I I hope I did well uh thank you so much for for the opportunity we we we definitely are looking  for forward to having you again I'm sure there's a ton of topics we can talk about and so forth so um  yeah thank you so much and I absolutely appreciate the time and hopefully this was uh enjoyable for  all our viewers that are watching as well too so thank you Alex that was good all right bye\n"