
All right, thanks everyone for coming to BSides Bournemouth today, and I'm proud and pleased to present the first speaker of the day, our keynote and my good friend and colleague Marcelle Lee. She's going to give you a really good, interesting keynote to start with the rest of the day, and it hopefully will resonate with the rest of the talks, and look forward to what she has to say. So take it away, Marcelle. Thanks very much.
All right, good morning everybody. I am super excited to be here today. As Will mentioned, we worked together at both of our previous jobs, and he is quite an inspiration, and this whole conference, I'm so impressed, like I have never seen anything quite so organized for an inaugural conference like this. So I hope you're all going to enjoy it. So, question for everybody before I get started. Who has not been to a BSides conference before? Oh. Oh, quite a few of you. All right. So, BSides are my very favorite security conference out there. Yes, there's things like DEF CON and Black Hat, all these things I've been to, but BSides, they're so much
more like community focused. And, by the end of today, you will learn some things. Hopefully made some new friends. Definitely do some networking, and yeah, so I'm proud of you all for being here. Come on in. Don't be shy. Okay, let's make sure this is all working. All right, so my topic, if you will. It's a keynote so it's not something super specific, but down the security rabbit hole, and it's a little bit of sort of my journey. Not a lot of that because, you know, I don't know, it's not that interesting, but also getting into cyber threat intelligence. Does anybody here work in cyber threat intelligence already? Oh
yeah, I know you do. And you do. Yes. So there's like two people in this audience that I know, both of whom just raised their hands. But anyway, a few of you I met yesterday. So without further ado, let's get started. All right. Who am I? I'm a cyber security consultant. I used to work for a big company called Equinix. It's the world's largest data center company, but I no longer work for them. I've been in cyber security for about a dozen years, probably a little bit more now. I did something completely different before, not even vaguely technical. So, I am a career changer to this space. But I found my passion,
so I'm very lucky. And what else? I have four degrees and a lot of certifications. All the degrees are kind of related to my wandering around trying to figure out what I actually really wanted to do. And the certifications just became a strange addiction; like, once I got one, I just wanted more and more and more. So I have like, I don't know, 14 or something like that. It's ridiculous. I have written some things and have, you know, different, I don't know, books, articles, whatever out there. And I'm also an adjunct professor. So, I come from the US, as you probably have figured out. I live in Maryland, which is near
Washington DC, and I teach for the University of Maryland, cyber security things, of course. And then I'm also on the board of directors for an organization called Women's Society of Cyberjutsu, or just Cyberjutsu for short. And I'm going to talk more about that in a sec. And then if you want to, you know, find any of my contact stuff, I use Linktree. Is Linktree a thing in the UK? Do you all use Linktree much? Yeah. Yeah, I just started using it. It's actually quite handy. I'm sure you get more if you pay for it. I haven't explored that yet, but it's pretty good the way it is for free. So anyway, so Cyberjutsu, this is a
picture of all of us at Cyberjutsu Con, which is a conference that we do. It used to be annually, now it's more like biannual. So I do know the blood, sweat, and tears that go into producing a conference because I too have done this thing. And anyway, but it's a nonprofit. It's all about getting more diversity in the field of cyber security. It's open to anyone. It's not just for women. I encourage people to check out the website. We do all kinds of interesting trainings, and it's pretty much all virtual. So you could certainly do it from here. Not this hotel necessarily, but somewhere in the UK. Is anybody else here from the
States, by the way? Allan, I know. >> No. Okay. Well, you're lucky. It's kind of horrible there right now, but anyway. >> Okay. Yeah, it's a giant show. Oh, sorry. I'm not sure if I'm supposed to cuss or not. >> Come in. Don't be shy. It's fine. There's two seats right here for brave people. >> Do it. Oh, I'm so impressed. Okay. So, as you will see, I have this Alice in Wonderland theme. I'm kind of into Alice in Wonderland. I dressed up as Alice for Halloween last year. I should have put a picture in the deck, but I didn't. I have this tattoo on my arm that says down the rabbit hole. And for me, that was all
about being a security researcher, which is essentially what I do. And as such, you do spend quite a lot of time in rabbit holes. So apparently I felt the need to document that on my arm just in case I forgot what I did. But anyway, so a little bit about my journey. Like I said, I am a career changer to the field. I ended up landing in academia to start with, and from there I went to the Department of Defense, which is sort of a euphemism for, I don't know, sort of like GCHQ but, no, the US version. So, I learned a lot about intelligence, cyber threat intelligence, but all the other kinds of
INTs, if you will. And there's lots of INTs. Who can tell me some other INTs besides, like, I don't know, just tell me any INTs. >> Oh, yes, for sure. What's another one? >> SIGINT. Yeah. And >> HUMINT. >> HUMINT. Yeah. Very good. Very good. Or >> what is it? >> MASINT. >> MASINT. >> RUMINT. >> RUMINT. Yes. Yes. That's fun. >> ELINT. Oh, very good. >> Yeah. So, there's lots of INTs, as you can see. So my goal was not to stay at Department of Defense because really, when I got into cyber security, the two main things that attracted me to the field were the ability to work remotely and the ability to make fat stacks of
cash. No, I'm just kidding. Not really, but, well, I mean, that is an attraction for sure. I'm definitely making more now than I did in my previous career. Well, not for this very second, but so I left DoD and I went to the managed security services space, and I worked for a few different companies in that space, basically producing threat intelligence for customers. Bless you. Everybody all of a sudden starts sneezing and coughing. So from there I went to Equinix that I mentioned, which is where I met Will. Will actually interviewed me. >> That's right. Yeah. >> It was a fun panel interview. I was like, these guys, I don't know.
>> Anyway, so yeah, so my next act is TBD, to be determined. Anyway, but more on that. So anyway, so we all have different journeys, which is one of the things I love about cyber security, just because everybody comes from some different space, and, you know, I'm sure some of you are probably students right now. All right, raise your hand if you're a student. Really? I was expecting more of you to be students. All right. Well, okay. Like three people are students. You should all be students. Students of life. It's a lifelong learning thing. So, so speaking of journeys, these are the questions that I ask myself, and I think
you, if you're not asking yourself, you probably should, is how do you know when you've arrived, or do you ever arrive in this field? Right? Like I feel like kind of like you keep working towards some end goal, but I don't know what the end goal is. Like, personally, I do this because I love it. I love this space. When I talked to my financial person, they're like, when do you want to retire? And I was like, I don't know, never. That's not the right answer, but anyway, cyber security is definitely not a static field, right? And it changes constantly, which is another appeal for me, just the endless
opportunity for continued learning and growth and whatnot. So, like if you don't really want to grow and change and adapt, then probably maybe you want to do, like, I don't know, history or math or something like that that doesn't really change a whole lot. I mean, history does change, but we seem to be stuck on old history. So, anyway, defining and growing. So, this is an important thing, too. And it took me a hot minute to figure it out, but actually one time I had a boss who described me as a jack of all trades, or Jill of all trades, whatever. And I was insulted by that. Like I kind of thought he was
dissing me, and he wasn't. And it turns out really that most of us are Jack or Jill of all trades. It's very few of us who only do one thing in cyber security. But I will say it's very useful to find your niche, right? Find something that particularly drives you, and you can just develop an expertise around that and use that sort of as your calling card. So like I see Allan over there and I think ransomware, and now that I've met Julian I also think ransomware. But yeah, so my jam is network traffic analysis, right? It's random, but I love it. How did I find network traffic analysis? I was doing a cyber
competition, and it was a digital forensics competition. I was brand new. Like I was literally taking classes at my local community college just trying to figure out what this whole cyber security thing was all about. And so I was doing the competition, and it was basically like you had to analyze different sort of problems and then write up a nice answer in, like, essay format. The point was that you have to report things too. You can't just do the research. You also have to report. But anyway, so I got this one, and it was like, examine this pcap file for, you know, what happened, you know, in an intrusion. And what's the first thing
I had to do? >> Somebody guess. >> Wireshark. Oh, I wasn't even anywhere close to that yet. Yes, exactly. Google what a pcap was. So, but now that's like, you know, one of the things that I'm actually kind of known for. So that leads me to say also that there's ways to develop your skills and find interest too that, you know, I highly recommend. And one is cyber competitions. Who here has done a cyber competition before? Yeah. Yeah. Yeah. All right. A few of you. There's a lot of them out there. I highly recommend it. I have a bunch of resources listed at the end of this presentation, and I do not have any
cyber competitions in there, but if you talk to me later, I can point you in the right direction. I also love learning platforms. So, one of my favorite ones right now is TryHackMe. Has anybody used TryHackMe before? A few of you. Okay, so you all definitely need to use TryHackMe. It's a wonderful platform. So many different topics within there. And then networking. So meeting other people is another way to learn about new things. Like you might meet somebody who's, I don't know, a malware analyst, and you're like, oh, that sounds kind of interesting. Let me talk to this person about malware analysis, and it might be something that turns out to be your
passion or not, but you won't know until you kind of explore. And then there's something called the NICE Cybersecurity Workforce Framework in the US, but it's available to anybody to use. And has anybody heard of it before? A few of you. Yeah. So they do a pretty nice job, I think, of taking all the different roles in cyber security and categorizing them. And they used to have like eight categories, and they've condensed that down to five, I think, at this point. Oh yeah, it says in my little diagram there. But it's a good place for exploration also because you can look up different job roles and it'll tell you sort of like the knowledge, skills, and
abilities that you would need to, you know, be successful in that role, the kind of tasks that you might be doing with that role. So, it's a very useful place to start if you're in exploration mode, which most of us are all the time. Okay. All right. So, some things to remember along the way. First of all, no one is good at everything. It's impossible. This is such a broad field. When people say, you know, I want to work in cyber security, like I hear that and I hear like, I want to work in medicine. I'm like, oh, well, that's great. Do you want to be a brain surgeon or a phlebotomist or, I don't know, there's so
many possibilities. And not even like consider all these sort of cyber adjacent roles too. Like cyber doesn't just exist in the ether by itself. If you have, you know, people who send out invoices to customers and your human resources team and whatnot. So, actually, I always encourage everybody to get into the space because it is a good place to work. Well, lately it's been a little, we're having some redundancies, I think you call it, in the US, but that's, you know, it happens. So, imposter syndrome, people talk about imposter syndrome all the time. I had never even heard the phrase until I got into cyber security, and then I was like,
what is this weird feeling I'm experiencing, and then I found out what it was called. So imposter syndrome, if you don't know what it is, it's basically just sort of like the fear of, you know, people think you know what you're doing, but you're like, I don't know what the hell I'm doing, and something like that. So it is okay to fail. We don't learn unless we fail. And so it's okay. Try. Just try. And if it doesn't work, it doesn't work. That's okay. Take chances. All right. So, I have this weird little series of numbers and what, I don't know, what appears to be a date. Does anybody... It's like right here. Does
anybody want to take... >> You'll never guess in a million years. >> I have some suggestions for 69, but not in mind. I should have thought of you, but when I did this... >> Related to that, I kind of had the same idea. However, you can tie that into a nice framework. >> Oh, that's true. I could, all right. Well, these are interesting notions but not correct. So, I was made redundant, laid off, RIF'd, whatever you want to call it. Reduction of force, that's what that means. I don't know if you say that here. April 4th was my last day at Equinix. So, they did a round of layoffs, and I think they just picked
everybody who was sort of high paying but an individual contributor, and they're just like, goodbye. So, so it's okay because I look at this as an opportunity to do other things, and I'm working on that. However, 69, the number of jobs that I've applied to since then. Okay. 39. The number of interviews I have had in that time period, and I know people >> it's brutal. It's brutal. Better ratio than me. >> Well, I mean, and that's the thing too, because I hate to complain because there's lots of people who aren't getting interviews. But on the flip side, oh, so many interviews, and, you know, I've had a couple of, like, actually I had two. I had one where they're like,
"We're going to offer you the job." And then like three days later, they sent me a rejection email, and I was extremely confused. But it turned out the senior leadership had eliminated the position. So much for that. Anyway, so six, smaller number. Anybody want to take a guess what six is? >> The ones that made an offer? >> No. >> The ones you like. >> I would be happy if there was one that had made an offer. >> Second rounding of interviews. >> Oh, no. No. The 39 includes like multiple rounds, but good guess. >> Number of times you thought of retiring. >> No, that would be a much larger number. >> Bodies you left behind
>> the body. I'd like that one. >> Number of those interviews you actually thought you'd enjoy the role. >> Oh, that's a good one. That's a really good one. But not right. >> And were you gonna say something? >> The amount of companies you actually wanted to work for. >> Oh, right. Right. What's that? >> Yeah. >> Oo, that's a good one. >> So, you know, like the recruiter that you talk to first, and you all know the drill, right? First, you talk to the recruiter who decides, you know, whether or not you're an insane person or maybe you could at least do an interview. And that person is typically a woman, but then you get to
the interview process with the hiring manager, the technical people, and really it's often not women. Because, you know, the whole diversity thing, we're working on it. This conference has done a really good job, by the way. I'm very pleased to see the diversity here. So, six is interview homework. Six different homework assignments that I have had to do. And I didn't even know homework assignments or interview homework was a thing. So I'm not doing any more. Like, seriously, you can just Google me and you'll see my blog or whatever. Like why do I have to jump through these ridiculous homework hoops? So not doing them. And then 35 is the number of rejections that I've
had so far. So I mean, I don't know what 69 minus 35 is. 34. Anyway, I guess I can't do math. So, I have 34 ones that are open that I don't know. Maybe something will come of them. I keep applying. But anyway, I'm just sharing this with you because, you know, people might look at me and be like, "Oh, this woman is like wildly successful, blah, blah, blah." But we all have our things like this that happen. So, so I'll be back next year for sure, and hopefully I will be, you know, gainfully employed or retired or starting my own company. Anything is possible. Anyway, so enough about all those things. Let's
talk about cyber things. So, cyber threat landscape. I do a lot of cyber threat landscape presentations, and what I like to talk about really is just kind of what do I think is hot in the space right now. And this is pretty much it. So I made the font so small that I cannot even see it from here. So, I'm just going to sort of look this way. Credential abuse. This is, to me, like one of the number one issues right now. What do I mean by credential abuse? Threat actors are, you know, they're using stolen credentials. They're using brute forcing, password spraying, all these
things. But it's very prevalent. And information stealers, I could talk all day about information stealers. It is like the current scourge of, I think, the landscape, and if you're not up on infostealers, I definitely recommend becoming familiar with them because they are so on trend right now. And then vulnerability exploitation, this is, you know, a non-stop thing as well, and I could talk for like eight hours about all this stuff, but Will's like, please don't, we have a schedule. But yeah, knowing your attack surface, like being aware of your externally facing assets and whatnot, is huge. And so many companies, like, I don't know, it makes
me slightly insane when companies are like, you know, we got hacked by some really sophisticated APT, and it's like, no. I was just talking to somebody about this yesterday. It was like, you know, some teenager who probably just figured out that you forgot to close some port or whatever, or you didn't patch something. And then malware and social engineering attacks. These things are just also prevalent and will always be, probably. Phishing and all variations of phishing. Quishing. Who knows what quishing is? >> QR codes. >> Yes, it's a horrible word. Who came up with that? >> Smishing. SMS, right? I'm sure there's going to be some other -ishings that will come about. Spear phishing.
Yeah. Spishing. Spishing. I don't know. Yes, there's lots of them. Malvertising, SEO poisoning, fake browser updates. Your browser is not a safe space anymore. And the sad thing is, all of our users think that you can 100% trust a browser. You 100% cannot trust a browser. Threat actors have money, and guess what they buy with money? >> That, but not even... Yeah, see, not even that fancy. They buy Google ads and they promote themselves. So they become like the link at the top of the page, and it's not really what you think it is. It's something else. All right. Ransomware. I'm not even going to talk about ransomware because we have so many
experts, or at least two, but it's not going away. Other attacks, AI powered attacks. I think this is the only time I'm gonna say AI in this presentation because everybody's just like, AI. But artificial intelligence, it's actually really interesting what's happening in that space right now, and it's something that I'm following pretty closely. But this is not a talk about all these things. So I'll just stop there. Supply chain attacks. This is something I see a lot of in, like, the application development world, you know, different packages that are being compromised, things like that. Denial of service attacks, they're getting quite serious, very, they're throwing lots and lots of
packets these days. Physical attacks could be a thing. Insider threat. Yeah. Yeah. Yeah. These are, it's not a short list, unfortunately, but these are the things that are always top of mind for me. And then of course the top three initial access vectors are credential abuse, vulnerability exploitation, and social engineering of all types. These are how threat actors are getting into your environment. It is usually not some fancy zero-day exploit, right? Okay. And then basically the anatomy of a cyber attack, and I know most of you probably are familiar with this, but I just want to sort of level set the different phases. So we have, you know,
recon and initial access. This is the threat actor kind of scoping out your environment and then getting into your environment. Persistence and defense evasion. These are just how they end up staying in your environment, how they are not detected in your environment. Discovery and lateral movement is slurping up all the data and figuring out the lay of the land, moving around. Command and control, exfil. That's the external communications with their C2 server or whatever, and then impact. Impact is just, you know, why are they there in the first place, what's going to happen. So just a quick thing. So I started, I don't know, a few months, no, a few weeks ago, a cyber threat
bulletin. So this is just an example of the topics that I selected this past week to write on. I publish these on Thursdays. It's on my LinkedIn if you're interested. It's also on that Linktree thing; you just can't get away from it. It's there. But so these are the things that I covered because I thought they were particularly relevant. One is this continuing telecom breach situation. So that's been pretty hot in the news over the past year or so with Salt Typhoon and whatnot. This one was not a Salt Typhoon thing. It was just a breach. But you know, you think about telecoms, ISPs and whatever. They have so much influence in our
worlds, and when they are being attacked, it's potentially pretty significant. Every time I look at that I think it's like Bougie, the name of the company. I think it's a French telecom, I don't know. Julia, do you know? Is it >> what is it >> okay, I'm gonna trust Julian. I heard somebody else say something else, but anyway. All right. So not Bougie, but Fortinet has yet another vulnerability being exploited, and I don't know at this point, if you are using Fortinet in your environment, like, you might as well just, like, I don't even know. Yeah, consider something else. And then malicious Ruby gems. And this is something else I
love about this field is I'm always learning something new. I'm like, what's a Ruby gem? It sounds like something you would collect in a video game or maybe something that I would buy at a store. >> Yeah. I have to keep an eye on my time. Okay. So yeah, they're actually packages for the Ruby programming language. So yeah, so the South Koreans are being targeted by a supply chain attack using these malicious packages or compromised packages. And then this is a spicy one, and if you haven't seen it, I definitely recommend it. And this is also rabbit hole territory. Right. So a couple of hackers hacked into a North Korean
computer, a DPRK threat actor's computer, and extracted all sorts of information. And five minutes left. What? >> Yeah. >> Oh, I thought it was an hour long. Okay. Well, I'll go on really quickly, but all right. I didn't plan that very well. Anyway, so you can look into it, but you can actually download all the material and also learn all about these things. All right. So, I'm going to go much faster now because I've been going at a much slower pace because I thought I had an hour. It's all good. So, anyway, information overload is a thing, right? There's just constantly news coming to us, and how do we prioritize and whatnot. All right.
So, CTI, this is the important part. So, what is CTI? Cyber threat intelligence. It's basically, it says here, the process of collecting, analyzing, and applying information about current and potential cyber threats, blah blah blah. And associated with that are indicators of compromise, indicators of attack. This is not a comprehensive list of these things, but just examples of different types. All indicators are not created equal, right? So, who knows what this is? >> Pyramid of Pain. >> Pyramid of Pain. Right. Right. Exactly. And it's basically just how tough it is for threat actors to recover, say, if you burned a domain name or something like that. So my point here is that you can't just
grab an IP address and be like, "Oh, I've got some intel. Let me just plug it into, you know, all my systems or whatever." You have to enrich, and you have to have context, and that's a big important thing. So CTI process: collect, analyze, disseminate, operationalize. I'm going to talk about each of these a little bit and give an example, but the collection piece, you know, this slide kind of speaks for itself. An example of this that I wanted to talk about is partnerships. So threat intelligence sharing partnerships are really useful, or they can be; they're not always, but you can get a lot of good intelligence from different organizations. So this is a US-centric
one, but I'm sure you have equivalent things in the UK and other countries. But sometimes you'll get data from them or intel from them, and it's not going to have a ton of context because, you know, maybe it's sort of classified or whatever. So you're going to have to pull some threads to get any sort of usefulness out of it. And then analyzing, I'm going to give you an example of this one. So MITRE ATT&CK. Who here uses the MITRE ATT&CK framework? Excellent. I hope that soon all of you will be using it because it's so useful. It's a framework, basically, to break down threat actor tactics, techniques, and procedures, or TTPs. And it's just a
way for us to all be on the same page about how we talk about what threat actors do. It's really essential. I'm always sad when I read a blog and they talk about all this stuff, but they don't bother to break it down for you, so you have to do it yourself. But it's just super useful. And then another thing, you'll recognize some of this, will be identifying gaps. So when you break down, like, you know, an attack, so you just maybe read about something in OSINT, say The DFIR Report, for example, does a great job of providing tons of details. This is good for lessons learned, right? Your CISO
would be interested, as we know, right? Do an attack analysis for us, please, and identify gaps. But you can break down what happened. So this is a Scattered Spider example, and, you know, how did they get in? What did they do? Blah blah blah. And then look at your company's controls and just see, are we covered if this kind of thing happened in our environment? What are the tools that we're using in our security stack that would help with this? So, it's a really useful process to go through, and I don't know that a lot of people do it, to be honest. And then dissemination. What I want to drive home here are
priority intelligence requirements. So, when I first started working for MSSPs, I was like, I've always been the person in charge of the rest of the world or emerging threats or whatever, not something specific like Iran or whatever. So I would just write about whatever, or research and write about whatever shiny thing I wanted. Out of time. Ah, okay. Anyway, but the important thing to know here is that you have to know your audience, and you have to be writing and reporting on things that are useful to them. So, this is just an example of, you know, some of the different teams that might be your audience or your stakeholders and the
kind of things that you can help them with. All right. Well, I have more, but I think we're gonna wrap it up. But let me just fast forward real quick to the end. You really just missed kind of a case study thing, but that's okay. I've made this cyber threat intelligence program checklist, which might be useful to folks. And I am going to share these slides. So, because this is very small to see, lots of different things that you can look at when you're maybe creating a program or evaluating, like, a vendor program. These are some of the links, and again they'll be in the slides, and then that's it. Thank you. So,