The Retail & Hospitality ISAC Podcast 3.22.23
Ep 24 | 3.22.23

360 Privacy, Intel Briefing, & Jeffrey Davidhizar Member Spotlight

Transcript

Luke Vander Linden: Hello, everyone. This is Luke Vander Linden, vice president of membership and marketing at the Retail and Hospitality ISAC, and this is the "RH-ISAC Podcast."

Luke Vander Linden: Thanks for finding us again in our little corner of the internet. We have a couple of really great guests today, both from members of the RH-ISAC. We'll start with Ben Barrontine, vice president at 360 Privacy. 360 Privacy is an associate member of the RH-ISAC. Their mission is to protect the digital identity and reputation of high-profile individuals, people like executives, athletes, high-net-worth families. Their work really touches on the intersection of cybersecurity, physical security, fraud prevention, which really is a theme we're seeing, kind of a trend. And I'm not just talking about today's episode but more and more in the work our members are doing and what we're really starting to see out there in the industry. 

Luke Vander Linden: Then we'll have another core member spotlight, one of my favorite features of the podcast. Jeffrey Davidhizar from Crutchfield will join us. Jeff and his colleagues are a small team, but they punch above their weight when it comes to sharing and collaboration in the RH-ISAC. Jeff's going to share a little bit about himself, how he got to where he is now in his career, and we'll learn a little bit about Jeff on a personal level. This is also the episode where we'll welcome back Lee Clark, cyberthreat intelligence analyst at the RH-ISAC, who will present the briefing, our monthly segment summarizing the latest cybersecurity threats facing the retail and hospitality industry. 

Luke Vander Linden: You know, I know you could be listening to this episode at any time, but this week I got to escape the Connecticut cold to attend a conference in sunny Orlando, Fla., where an organization called FMI was having their annual Asset Protection and Grocery Resilience Conference. You've heard us talk about our partnership with the National Retail Federation. We also have a number of great partnerships with several other trade associations in the sectors we serve. FMI is the association for large supermarkets and other food retailers. Their asset protection conference is historically all about physical security, but again, we're seeing that convergence between physical and cyber. And frankly, if you take a long view of the history of security and how threat actors work, it's really only the tools that have changed. The bad guys are constantly innovating and using whatever new is available to them. Take out the technical aspects of cybersecurity, take that out of the equation, and it's been the same for hundreds of years. 

Luke Vander Linden: Anyway, in Florida, I got to moderate a panel on social engineering. Our two panelists were each from regional grocery store chains, and they had some amazing stories. You know, they've gotten pretty good at using technology to block phishing and other technical things or attacks or attempts. But when it comes to someone just calling up, you know, on the good, old telephone and convincing a store employee, say, that they're from the corporate office and they need to kick down the door of the room where all the money is kept and convert it all to bitcoin and send it to them - or another great story, someone testing a bunch of stolen credit card numbers they were just reading from their cellphone to buy thousands of dollars' worth of gift cards - honestly, the work of security professionals, whether it be cybersecurity or physical security, will never be done. 

Luke Vander Linden: From our industry, this is where we're seeing some of the early effects of the collapse of Silicon Valley Bank and uncertainty in the banking sector overall. Now, I will never claim to understand banking and finance or why what happened happened, and the financial services industry has its own ISAC, even. But the high level of uncertainty and angst around this industry is perfect for phishing attacks. There has already been a flood of emails preying on people's worries over the safety of their savings accounts. Think about emails from banks - really, any bank - doesn't have to be Silicon Valley or Signature - or purporting to be from your payroll department. Click here to confirm their money or your paycheck is safe. The tools, tactics and procedures may change, but a threat actor is going to use every opportunity they can. Anyway, we'd love your thoughts on this or anything you hear on the "RH-ISAC Podcast." Just let us know at podcast@rhisac.org. That's podcast@rhisac.org. 

Luke Vander Linden: All right. I am joined by Ben Barrontine, vice president of executive services at 360 Privacy. Welcome to the "RH-ISAC Podcast," Ben. 

Ben Barrontine: Hey. Thanks, Luke. Thanks for having me. 

Luke Vander Linden: So 360 Privacy does some interesting work. Your main goal is to protect the online identities and all that goes with that - security, reputation - of high-profile individuals. 

Ben Barrontine: Correct, yeah. High-profile individuals, high net worth, celebrities, politicians, anyone that has a greater vulnerability online. We've all heard of executive protection. We like to think we live in the digital executive protection space, protecting one's PII and other digital footprint. 

Luke Vander Linden: Excellent. So let's start with the basics. Can you describe how your firm defines personally identifiable information? And a little context - we usually run into this all the time when it comes to laws and regulatory issues, like GDPR in Europe or the patchwork of privacy laws around the U.S. And we've talked on the show before about the regulatory environment. I imagine we will again. But what does PII mean in 360 Privacy's context? 

Ben Barrontine: So PII at 360 is just one sector of things that we work in, but we view it as, you know, personally identifiable information. So anything from your name, email address, physical address, Social Security number, driver's license number, any of that. What we like to think of, when you're applying for a credit card, any of the information that you're filling out in those blocks, that is what PII is to us. And then it kind of bleeds into the PAI, right? So a lot of times, that's one of the other sides of the house that we cover. And a lot of people don't know what PAI is, and it's publicly available information. That's social media. That's the things that we're willingly giving out on the internet - news articles, that sort of thing. 

Luke Vander Linden: Yeah. We live in an age where people are voluntarily sharing all kinds of things about themselves that, arguably, they shouldn't, but it makes them feel good. I'm definitely guilty of that. So obviously, we just talked about how that kind of information gets shared willingly. What other ways does sensitive information get out there onto the open web? 

Ben Barrontine: Data breaches. We all hear about it. I think there's a data breach every three days now on the news - right? - whether it be a big corporate account or, you know, your mom-and-pop shop that accidentally - or didn't have good two-factor or good digital hygiene. So you have data breaches, and not all of that goes to the dark web either. A lot of that is fed right back into the open web searches. Data brokers. You know, we deal - that's our bread and butter, if you will, with the data brokers. 

Ben Barrontine: Online trackers - so anything for marketing analysis, we all experience that. We use that in almost every facet of our lives. Your iPhone, your Android, whatever it is, has something built in to - for - to help with marketing, marketing behavior, behavioral analysis, something to help them sell something to you, right? Well, if that - in the wrong hands, that can be used against you, right? That's just - that's basically building out that pattern of life - the electronic pattern of life - on you. So that's one aspect of it. 

Ben Barrontine: Public records - a lot of people don't realize that, you know, marriage records, you know, court records, things like that, it used to not be as big of a deal - right? - because you had to physically go down to the courthouse, request a record. Well, now everything's digitized. You can - everything's compiled online, and you can just pay $5.99 or whatever it is to have access to it. 

Ben Barrontine: Surveys, contests, rewards points, memberships, subscriptions - you know, anything that we - that you can think of that you're signing up for online to get that 15% discount off of whatever subscription, that's all compiled and built out as a targeting aspect for marketing, but, again, in the hands of someone who wants - a bad actor, you know, it's not great. And that's just the first step on being targeted. I always tell clients, when it comes to the subscriptions and the online when you're signing up for things, if it's free, well, you're the product. And you just kind of... 

Luke Vander Linden: Right. 

Ben Barrontine: ...Keep that in mind when you're doing it. 

Luke Vander Linden: So you mentioned the bad actors. What are bad actors actually doing with this information? 

Ben Barrontine: What we've seen, it's almost different targeting packages, if you will. If you'll think about it from that point of view, you have opportunistic, and then you have direct. Almost all of us are victims of opportunistic targeting, where it's the - you get a text message saying that your Amazon account has been logged into. Please click this link. Obviously, don't click that link, if you're listening to this. 

Ben Barrontine: You get the phone call around this time every year from the IRS saying that you owe X on back taxes, and if you don't pay it, you're - the FBI is going to be knocking on your door. They're staged 15 minutes away. Obviously, that's not true. But those - your information, your phone number, your email address, that contact information is found on these either data breaches or the data brokers, and that's step one of contacting you. We like to call it at 360, you're being probed, right? 

Luke Vander Linden: Right - just to see you exist. Yeah. 

Ben Barrontine: Exactly. You know, at 360, we're all special operations, intelligence community background. So we have experience doing this on the other side of the house. But when it comes to the everyday person being - becoming a victim of identity theft or whatever, this is that same aspect, right? You're being probed. So you have - we like to call a soft target. 

Luke Vander Linden: And I imagine those kind of go out pretty widely. Like, they're not necessarily targeting the high kind of net worth or high-profile people that you're working with. Those are pretty wide. 

Ben Barrontine: Pretty wide. However, there are different lists, right? There may be a list of high-value - our high-profile individuals, high-net-worth individuals. The limits of these lists and sectors - it's only limited by your creativity and imagination, honestly. And then once you do click it and you identify as a soft target, then you move over into the direct targeting, right? 

Ben Barrontine: So now you're on a list of susceptible individuals where, OK, now instead of looking up your information, what else can I find out around you? Your mother's maiden name, right? Your mom, your parents, they're going to have profiles as well. And if I can just link those to you now, I'm building out your pattern of life. I'm finding the weak and the soft targets within your support system. And now I know I can answer security questions, right? 

Ben Barrontine: And a lot of people don't really understand that. Like, OK, mother's maiden name, street she grew up on - and it kind of goes into PAI as well. If you don't - you know, if your Facebook is public and has been public since 2008, there may be a picture of your wedding or where you went on your honeymoon. And then you can find dates and times. And it's not just one thing. It's an amalgamation of all this, obviously, that's being used against you. 

Luke Vander Linden: So I imagine then that's where the difference is in some of the information that's out in the open web versus the dark web. Once they identify you as someone who's going to be susceptible to their ploys, that they can get more information about you on the dark web and use that even more to try to build those networks of attack. 

Ben Barrontine: Exactly. Dark, deep social media, all of those, we look at them at the same - as the same. What I like to think, or what I like to say about the dark web and even the deep web is - we have an analogy we use, where it's the toothpaste is out of the tube, right? Have you ever - you know, once you squeezed out some toothpaste, you can't get it back in, OK? 

Luke Vander Linden: Yeah. I tried. 

Ben Barrontine: It's out there. Right. 

Luke Vander Linden: I tried. 

Ben Barrontine: Right. It's out there. But what you can do is you can - if you think about it this way, you can notice that it's out. You can clean it up, put the cap back on and monitor it, make sure that nothing else is being left out, right? And so when it comes to the dark web, it is much more important to monitor for new leaks, new information that's being put out there about you and then being proactive in your policies, proactive in your - OK, if something else is leaked, what am I going to do? Who do I call? - you know, having that plan in place so that your attack surface is as small as possible during that time. 

Ben Barrontine: And honestly, that's - a lot of people do get confused. We get questions all the time from clients saying, hey, I just got a letter from - or an email from X company saying that my information was part of a data breach. Nine times out of 10, you got - everyone, every employee, every client got that same email. But just because there's a data breach or a leak does not mean that it was ingested into the dark web as well. There's a lot of confusion about that. But it's good to know or have a service, or do it yourself, monitoring the dark web saying, OK, there has been a breach, A. Now I need to look for dark web instances, B. And that's where that really comes into play - and having a plan around you when that does happen. 

Luke Vander Linden: So is this something that's solved by technology, or is this something that there's a big human element to it? What do you do once you're engaged? I mean, you obviously can't go into great detail, but tell me what you can. 

Ben Barrontine: Yeah. So technology, automation - all of that is great. You know, we live in a world of smart things. Again, I like to say, what's the point of having a smartphone if it doesn't do all the smart things that you want it to, right? But technology will only get you so far. At the end of the day, the weakest link in every exploitation, every vulnerability is the human element. It's human error. And so at 360, we specialize on bringing that human touch to high tech, OK? 

Ben Barrontine: So you have a technology - or technical service that may be automating your deletion service. You have a monitoring service, but at the end of the day, if you click that link, if you answer that email, if you give out that information, it's kind of all a moot point. And so if you can marry a good digital-hygiene program, raise the education level not only for you but your support system around you, then we as a - you know, culture, if you will, are going to become more and more secure. 

Luke Vander Linden: So there's the education aspect for the individuals you're trying to protect, but also all of those people who might interact with them - so not only their family friends, but maybe their colleagues who might be reached out to by someone pretending to be them, that kind of thing. 

Ben Barrontine: Absolutely, at least in the corporate space. Executive assistants, right? In a previous life when - you know, when we would be either targeting or looking at a potential bad actor, it was never going after the bad actor. It's always the support system, you know? - the living grandmother, the kid, you know, whatever it is. But in the corporate world, it's the executive assistant, someone in HR, someone with that access to the executive that is just as susceptible. 

Ben Barrontine: And as a whole, you know, with - when we are growing, and, you know, there's a lot of different plans and opinions, but at least in mine at 360 Privacy, we believe that - you know, the whole the-last-to-adapt-is-the-first-to-perish mindset, and so constantly staying updated with not only the best solution or the most - the highest tech, but actually reaching out to colleagues, finding out what bad actors are actually doing and then building a plan against that rather than just adapting for the sake of adapting, but actually building a tailored plan, saying, hey, how would you be exploited? And then that's how we're going to protect you. 

Luke Vander Linden: That's excellent. So give me some tips. Give me some first steps that someone can use, whether it's their behavior, whether it's something that they can do with their own devices. Just get us started. Give us a little free consulting here. 

Ben Barrontine: Yeah, absolutely. So when it comes to cellphones - right? - we all carry one. At this day and age - actually, I remember back in the early 2000s that, you know, you couldn't have a cellphone in school due to, you know, 9/11. It was - you know, you'd get expelled, almost, right? But nowadays, if you don't have your cellphone on you at all times, it's almost irresponsible. 

Luke Vander Linden: Right. 

Ben Barrontine: So with that, there are a number of things on your phone that can lead a bad actor to you, whether that's through your Wi-Fi - right? So we all love connecting to Wi-Fi, or love using Wi-Fi wherever we go. A lot of places have free Wi-Fi - making sure that you don't connect to free Wi-Fi without a VPN, or turning your Wi-Fi off when you're not using it, right? So your preferred networks - when you walk into your home, when you walk into work, you know, your parents' house, whoever it may be, your phone automatically connects, and we love it. We love - it's your preferred network list. 

Ben Barrontine: However, if I, as a bad actor, can get access to your packets by Wi-Fi sniffing or whatever it may be, I now don't have to wait on you - or follow you. I'm sorry. I don't have to follow you. I can just wait on you. I'm building out that electronic pattern of life, figuring out where you're going, right? Another aspect is turning off significant locations on your device. We can actually walk through it if we have time, but they're - going through settings and then privacy, system settings, then all the way down. It's kind of hidden. But turning off some of those settings is going to eliminate giving out free information, giving out that free nugget of location and not only what you're looking at, as well. 

Luke Vander Linden: Excellent. So - and then as far as not just devices but just general digital hygiene, any advice there? 

Ben Barrontine: Absolutely. We utilize a holistic approach - OK? - going back to the human and the technology, right? So when businesses or corporations need to look from a macro to micro level, it's, OK, how do I protect - yes, we all need to be responsible for our own phones. We need to be proactive in the beginning of having good policies in place, whether it's bring your own device, whatever it may be, but then making sure that instead of the cybersecurity training that we've all been through at work where it's, OK, click the block and you're just going through to the next slide, making sure that your clients and the people around you understand the why, right? 

Ben Barrontine: You know, we're all taught the how. You know, we all know the what. But I think it's very important for us to know the why. And the more that we understand why we're doing this, the more we can make those educated decisions, right? A full-spectrum policy plan from deletion monitoring, education, being proactive in case of an incident but then having good policies about being reactive when it does happen, shortening that attack surface. We say all the time - and I know I've got a number of one-liners here, but modern vulnerabilities require modern solutions. And so constantly updating those and constantly being - or being active in the community, figuring out, what are my people actually being exploited on? And then building a plan on that. 

Luke Vander Linden: Excellent. Well, thank you very much, Ben Barrontine, VP of executive services at 360 Privacy. Thank you very much for your time. And I'm sure anybody who contacts you, you'll be happy to help walk them through how to optimize their device and... 

Ben Barrontine: Absolutely. 

Luke Vander Linden: ...Talk to you about all the other stuff that we discussed today. So thank you again very much for your time. 

Ben Barrontine: Thank you. 

Lee Clark: All right. This is Lee Clark with the briefing. The first topic we have up is on social engineering scams targeting fashion and brand influencers. During the second half of last year, a lot of the RH-ISAC community started observing increases in fraud activity and phishing activity targeting popular social media figures and user-generated content, or UGC, creators, what we commonly call influencers, right? A lot of this activity is leveraging major brand names as part of ongoing scams. Now, what we've seen reported is typically falling into one of three categories, in which the scammers universally claim to be representing large retail or hospitality brands, right? 

Lee Clark: In these three cases, we have scammers trying to recruit influencers to be brand ambassadors or trying to recruit influencers as models for brands or in trying to recruit content creators as contracted, creating content for brands, right? This can often include sending false contracts to the social media users in an attempt to appear legitimate, right? We've seen two key contact methods being leveraged over and over again to contact these influencers. The first is fake social media profiles pretending to represent the brands on various platforms, whether they be Instagram, TikTok or Twitter, and then privately messaging targets on those platforms. And then the second is emailing the creators at email addresses that they've made public for their business purposes, right? 

Lee Clark: And then on top of the general category of scams and then contact methods of the scams, we've primarily observed four key behaviors and corresponding objectives of those behaviors, all right? In the first one, targets get tricked into paying fake shipping fees for free merchandise while scammers keep the money and never ship any item. Targets get tricked into undressing on video calls where scammers are misrepresenting themselves as modeling scouts, and they're calling the video calls virtual fittings or job interviews. And the goal here is to fraudulently record the influencer without their informed consent, right? And then potentially blackmail them with that footage. The third is that targets are tricked into providing financial data and account details on the promise of receiving payments in exchange for services, after which scammers simply steal money from the compromised accounts. And then the final one is that targets get tricked into providing personally identifiable information, PII, such as name, address, driver's license, Social Security number, which scammers will likely leverage for identity theft or store for future fraud efforts. 

Lee Clark: So whenever we started talking to the membership community about this activity and talking about things that could be done, we basically came up with three broad options for helping to mitigate this activity, especially since it doesn't involve a compromise of any of the brands, simply scammers leveraging the brand image for their own use. The first was to file abuse forms against email addresses reported as sending fraud and scam activity. Email providers say that's the fastest way to actually try to resolve the issue and then start shutting down some of the email activity. The second is to educate content creators through public messaging on how employment, brand ambassador and promotion programs work with major brands and how to avoid common fraud tactics, techniques and procedures. And then the third one was to refer targets of successful fraud activity to law enforcement for official investigation, for documentation purposes, and to help start to build a public pattern, right? 

Lee Clark: The next topic we have for the briefing is on an ongoing initiative here with the intel team at the ISAC. The intel team of the ISAC is publishing a catalog of the most prominent and prolific threat groups that we see target the RH-ISAC community. We're leveraging this as a resource for analysts, for future research, as an archive and for pivoting on technical intelligence as they're conducting investigations, right? This catalog is going to be available for membership in the RH-ISAC MISP instance. And it's going to include a number of categories of useful data, like known aliases, background information and brief history, prominent open-source incidents that are attributed to the group, some closed-source reporting from members based on when members share things that are TLP: Amber+Strict or TLP: Red with the community, known tactics, techniques and procedures that are being leveraged by groups, any indicators of compromise and other technical intelligence that we may have on the group, both pulled from open-source and paid feeds and indicators given to us by members themselves and then data sources on where we're actually obtaining the information on threat actors. 

Lee Clark: The intel team is going to be seeking input from the member analyst community, including any nonpublic incidents, technical data TTPs that analysts may have. And these contributions from the membership can be attributed to members or anonymous if they prefer not to have intelligence attributed to their teams directly. That program is now live with our first threat actor profile, which is on the threat group FIN6. We're going to be leveraging community resources to enhance the data we have for that organization. And then as we move forward, we'll be releasing additional group profiles over time and enhancing them until we get our full list out. And then we'll curate, catalog, archive and update these threat group profiles as we move on and new information becomes available. 

Lee Clark: The third item on our list is an open-source report from Sekoia. On the 20th of February, researchers at Sekoia reported technical details of a new information-stealing malware that is advertised for sale as Stealc by developers on dark web criminal forums. Now, according to this report, Stealc is a fully featured and ready-to-use info stealer, ready and packaged to go as soon as purchased. A technical analysis of Stealc pretty much shows that it's been developed based on already prevalent information stealers. It features copied code and shared tactics with a number of other information stealers, including Vidar, Raccoon, Mars and Redline, all four of which are some of the most prominent and successful information-stealing malware that we see reported. We have a report on this on the RH-ISAC blog. That blog includes indicators of compromise, tactics, techniques and procedures from the MITRE ATT&CK framework and detection options for public use, including a little bit of technical analysis detail from the original Sekoia report. 

Lee Clark: And then the final item in the briefing for this week is on a campaign earlier in February seen typosquatting on popular PyPI packages with malicious packages that contain crypto wallet replacers, right? So on February 10, Phylum security researchers reported a resurgence in this activity. Originally, it was seen in November 2022, and it's becoming increasingly prevalent now. So essentially, the campaign typosquats on legitimate Python packages with malicious packages that will deliver a malware that will have clipboard-replacing capabilities for cryptocurrency wallets. So back in November, Phylum reported the campaign and said that they had seen them - they had seen threat actors replacing cryptocurrency addresses in developer clipboards with their own wallet addresses using Python to write malicious JavaScript extensions that load anytime a browser gets opened on the infected machine. 

Lee Clark: So the community impact for this is that the campaign demonstrates the scale increase of cyberthreats that malicious actors are achieving through automation capabilities and the continued intent to target popular development vectors for financial gains. Any retail and hospitality and travel organization is advised to maintain situational awareness around cyberthreats to Python, especially because most organizations leverage it and especially if they leverage packages as part of their operations that are identified. Now, Phylum security researchers provided a lengthy list of popular packages that they've seen targeted. And that list is available in that original report and in our report on the activity on the RH-ISAC blog. And that will do it for this week's threat report. 

Luke Vander Linden: Well, Lee, thank you very much for that. So social engineering - it's always here. It always will be, eh? 

Lee Clark: Right, right, right. 

Luke Vander Linden: When I first heard about those attempts to deceive influencers or content creators or whatever you want to call them, I guess I shouldn't have been surprised. You know, the tools and tactics - I've always looked at it - tools and tactics may change when there's new technologies, in this case new professions, I guess you can call it, but social engineering has been around for centuries, hasn't it? 

Lee Clark: Right, and it's been around for centuries because centrally, it works, right? I may have stated this on the podcast before. I know I have said it in briefings to members, but my ongoing rant for this is that a lot of the times in information security, we focus on the newest and most interesting malware that we see come out. But you don't actually need the newest AI-enhanced, machine learning-enabled remote access Trojan to compromise an organization if a phishing email will do it, right? The analogy I always use is a fancy, new ray gun will kill you, but so will getting hit in the head with a rock. 

Luke Vander Linden: Yep. Yep. The old methods work. So anyway, speaking of new and exciting, I heard a little bit of Hollywood came to your neck of the woods. 

Lee Clark: Yeah, I got to meet a local celebrity, interestingly enough, long after their death. So there's a new movie out called "Cocaine Bear" - right? - directed by Elizabeth Banks. I live in Lexington, Ky., and there's a local legend that the incidents depicted in the film or dramatized in the film occurred in our neck of the woods. We do have a connection to the real-life events. They actually happened in Tennessee. Essentially, what happened is some drug runners dumped a large package of cocaine out of an airplane over a wooded area in Tennessee. An American black bear tore into the package and ate a bunch of the cocaine. All right. 

Luke Vander Linden: I guess we should have warned for spoiler alerts for the film. But please, go ahead. 

Lee Clark: So this all happens within, like, the first 30 seconds of the film. The rest of the film is the fallout of this, right? So here we'll go into spoilers, right? For the rest of the film, the bear, having ingested large amounts of cocaine, goes on a violent killing spree, right? And the rest of the movie is, like, a gory horror comedy. In real life, the poor thing just died. So the way I met the bear is at one of our local movie theaters on the night of the release of the film - that bear, the taxidermied bear, at one point was purchased by Waylon Jennings. 

Luke Vander Linden: Oh, wow. 

Lee Clark: And he ended up giving it to a museum here in Kentucky. And today, that bear resides in a mall in Lexington. So whenever the movie came out, they moved the bear to the local movie theater, and you could get a selfie with it wearing a nice University of Kentucky beanie before you went in to see the movie, right? 

Luke Vander Linden: So now Lexington not known just for horseracing and bluegrass but also known for taxidermy and Hollywood bears. 

Lee Clark: Yeah, yeah. It's the - we're the home of the cocaine bear, and, you know, our hometown pride is that the drug runners that threw the cocaine out of the plane were actually from this town and on their way here. 

Luke Vander Linden: Excellent. 

Lee Clark: That's our connection to the story. 

Luke Vander Linden: Excellent. Well, I hope your connection is not too tight. Don't let it go to your head that you've got a little bit of Hollywood there in Lexington, Ky. Lee, thank you very much for joining us and giving us the briefing this episode. 

Lee Clark: Thank you for having me, Luke. Pleasure as always. 

Luke Vander Linden: Jeffrey Davidhizar from Crutchfield Corporation, thank you so much for joining us. Jeff, you're one of our more active members, I have to say. You are one of our top five contributors in our sharing and collaboration challenge contest that we acknowledged last year at our member meeting at the annual summit. So love that you're on with us. And great to see you. 

Jeffrey Davidhizar: Thanks for having me. 

Luke Vander Linden: So for our listeners who may not be as familiar with you, could you introduce yourself? Tell us a little bit about your background, what you do at Crutchfield, that kind of stuff. 

Jeffrey Davidhizar: Sure. I'm Jeff Davidhizar. I grew up in Hampton Roads, Va. My dad worked at the shipyard there in Newport News. I've lived in Virginia my whole life, went to school here, went to UVA for engineering in Charlottesville, which was really kind of the first time I started to use a computer consistently. I changed my mind a couple years in, so I ended up getting a degree in math and something that they called cognitive science, which, at the time, was just kind of like a beta test mashup of, like, computer science, philosophy, psychology. It wasn't - it was like an interdisciplinary degree at the time. I think it's an actual offering now, though. I graduated in '09, which was a tough hiring market, to say the least, so I actually ended up going into teaching for seven years. I taught high school and middle school math. 

Jeffrey Davidhizar: Yeah, I taught at an all-boys boarding school in central Virginia and then a couple of years at a boys' middle school, which - kind of different than the education that I had grown up with because I went to public schools, but I enjoyed the idea of trying to help shape how kids thought about math. And hopefully, I was doing a better job of getting them to appreciate it and engage with it instead of just having it be unapproachable or too hard or a lot of things that I heard growing up. 

Luke Vander Linden: For most people, math is considered more of a chore, and they don't understand all the applications. 

Jeffrey Davidhizar: Yeah, so I was trying - hopefully, at least a few kids got a different viewpoint of math. But... 

Luke Vander Linden: Have you stayed in touch with any of them? We're going way off topic here, but... 

Jeffrey Davidhizar: No, I've only seen - it's happened a few times since I taught around Charlottesville, and I still live in Charlottesville, that I've run into a couple kids. A few of them work in areas around where I've, you know, still been around. So I have run into a few parents and gotten maybe a couple really good, hey, you know, we enjoyed the time. But it hasn't really happened as much as I would have maybe expected being around the area. 

Luke Vander Linden: Well, it might be interesting to try to recruit some of them and go into cybersecurity, if they... 

Jeffrey Davidhizar: There were a few that I would be very curious where they are now because I think the youngest I taught are now in college, which is kind of weird to think about, but hopefully they're going down - some of them - down this path. 

Luke Vander Linden: So how did you make the leap from teaching math to cybersecurity? 

Jeffrey Davidhizar: I think eventually I realized that teaching just wasn't for me. And so when I was teaching, I started to incorporate things like some computer science programming. We programmed these things called mBots, which used kind of like a basic puzzle piece programming language, taught the kids how to do formulas in Excel. And I'd always been interested in the idea of programming, computer science, and cybersecurity was kind of a hot topic at the time. And I started to look into it more, and it kind of afforded me the way to still help people and also be integrated into the computer world. And I just kind of took the leap. 

Luke Vander Linden: Some might say it's still a hot topic, still on trend. So... 

Jeffrey Davidhizar: Yeah, it's definitely still on trend. 

Luke Vander Linden: What's your day to day like at Crutchfield? What do you work on? 

Jeffrey Davidhizar: So my title is a security analyst, but for us, we have a really small team. There's only six of us, so that kind of runs the gamut of administering all the security tools like the firewall, SIEM, EDR, vuln scanners, all that kind of stuff, but also triaging phishing, responding to incidents when they occur. And I'm part of the team that runs the security awareness as well, so anything for, you know, monthly simulations or however long the cadence is that we decide, PCI compliance training, all that kind of stuff. 

Luke Vander Linden: Yeah. At a small shop like yours, you really have to wear a lot of hats. You don't get the benefit of having a huge team, right? 

Jeffrey Davidhizar: Which I honestly appreciate being my first kind of deep dive into the cybersecurity world because I don't - I'm not locked into, like, a SOC analyst where they're just doing the same thing every day - not that I'm knocking that as a way to learn, but I got to really learn about quite a few different tools right away. 

Luke Vander Linden: Is there any aspect or certain type of work that if you were to have the luxury of working at a larger place, you'd like to kind of go into more? 

Jeffrey Davidhizar: I think that the idea of kind of focusing on one thing - my favorite thing to do right now is the true analysis blue team aspect where you're trying to poke holes in your own stuff and making sure your detections work, writing - you know, not true pen testing but sort of the blue side of pen testing where you're writing simulations and attack simulations and seeing what detections you get, making sure that your tools are actually picking up on the current techniques and tactics. 

Luke Vander Linden: What are the challenges that you see in your role other than, I guess, resources and staff size that you regularly encounter, would you say? 

Jeffrey Davidhizar: I would say that one of the things I really like about cybersecurity is that it's constantly changing, but the other edge of that double-edged sword is that that is also one of the biggest challenges, that it's always changing. So... 

Luke Vander Linden: How have you seen it change since you've been in your role? 

Jeffrey Davidhizar: Even in the five years I've been in the role, just the ability to dive in as a threat actor is so - the bar is so low now where you can just get an open-source tool online. You can spin up a cred harvesting tool or a password-cracking tool or anything. You just spin it up for little to no money and go after... 

Luke Vander Linden: Right. Or knowledge - like, it's hacking as a service, right? 

Jeffrey Davidhizar: Right, right. Yeah. You can easily find free e-books about it, you know, even more so than you could. I know you could do that before, but the bar for getting into it is so low. 

Luke Vander Linden: And so building on that, looking forward, how do you see the industry or cybersecurity changing over the next five, 10 years? 

Jeffrey Davidhizar: I'm hoping that the way my role will change will be a lot of the day-to-day repeatable stuff will be automated to the best of our ability and that we'll be able to actually focus on sort of the higher-order stuff, the actually looking at trends, kind of proactively seeing what's happening out there in the world. But I know that that technology is going to match the threat actors, too. So they're also going to be able to automate a ton of stuff, probably do things like ask AI to write things for them and just kind of send it out to the world. Yeah. 

Luke Vander Linden: I wasn't going to bring up AI. That's something that we'll have to address at some point. I know the other... 

Jeffrey Davidhizar: That's an entire conversation by itself. Yeah. 

Luke Vander Linden: And continues to be. That's great. Yeah. But I also hear that a lot, that automation can save some analysts from tasks that they could then work on, like, as you said, higher-order stuff and more strategic things. 

Jeffrey Davidhizar: Right. Yeah. It really would cut down on, you know, trudging through what are probably false positives and just really getting to things that actually need to be looked at. Yeah. 

Luke Vander Linden: So with the RH-ISAC, like I said, you're one of the more active individuals on our sharing platforms. Tell me a little bit about how you're involved with our community and what you like about it. 

Jeffrey Davidhizar: I - no, I do. I do like it. I actually finally got to see people in person this last October. I missed it in 2019. And then things got shut down in person for a couple years. And so this past October, I got to finally meet colleagues that I've been working with for years, and it was awesome. 

Jeffrey Davidhizar: I think that the way that I engaged at first was just to sort of be a fly on the wall with all kinds of working groups and Slack channels and to just kind of see what it was all about. And when I finally got the courage to put information in or intel in that I had found, the feedback was phenomenal. I think it - I see in my own personal and professional life that it fast-tracked the transition because I really felt overwhelmed when I first started getting into the cybersecurity world, and to have people at the ISAC to ask questions with and to just listen to the knowledge and experience was a really powerful way to engage. 

Luke Vander Linden: Yeah. Everybody learns differently, as you learned as a teacher, but, you know, actually getting your hands dirty and having to do things and not necessarily going in order of entry-level simple tasks and then working your way up to intermediate, but just diving right in, right? And... 

Jeffrey Davidhizar: That's how I learn best. Yeah, for sure. 

Luke Vander Linden: Right. Definitely a good support network. So what kind of advice would you have for people who are just getting into cybersecurity right now? 

Jeffrey Davidhizar: I would say almost the exact advice you just said. Do not be afraid to just dive in. There are tons of resources out there. There are lots of free YouTube videos, Cybrary, a lot of free ways to engage with cybersecurity knowledge and a lot of tools out there that you could just download for free and use yourself. You can build a lab easily. You can run things on just a - I had a cheap ASUS laptop that I bought secondhand online when I first started and was running little VM analysis environments. And that's just a really good way to just do things. You have to do it. You can't read about it. You've got to do it. 

Luke Vander Linden: Right. It's a very hands-on role. So... 

Jeffrey Davidhizar: Yes. 

Luke Vander Linden: ...All work and no play would make Jeff a dull boy. What do you do... 

Jeffrey Davidhizar: (Laughter). 

Luke Vander Linden: ...In your free time - any hobbies, anything you do for fun? 

Jeffrey Davidhizar: Well, when I was teaching, I actually got to coach climbing for a couple of years and that sparked an enjoyment of climbing, indoor climbing, bouldering specifically, that I still do. I was on hiatus for a few months, getting hurt - maybe eight months. I pulled something. But I just got back into that recently, and I really enjoy indoor climbing. My wife and I also live in rural Virginia around the Shenandoah National Park. We like to unplug and go up there and just enjoy. And then I - you know, video games and board games, D&D, kind of the typical... 

Luke Vander Linden: That's the good stuff. Yeah. 

Jeffrey Davidhizar: ...Stuff that we do. Yeah. 

Luke Vander Linden: Excellent. But no outdoor climbing, just indoor. 

Jeffrey Davidhizar: I have outdoor climbed before. I've actually done my own setup for a top rope before. It's, well, somewhat terrifying to tie yourself in to go on your own gear. So I don't know. Once I got married, I kind of decided that maybe I won't do that kind of thing anymore. 

Luke Vander Linden: You have greater responsibilities and other people relying on you. So you have to be a little bit more careful. 

Jeffrey Davidhizar: Yes, exactly. 

Luke Vander Linden: Excellent. Well, Jeff, thank you very much for joining us. And thank you for all you do for our community at the RH-ISAC. Really enjoyed talking to you. And I'll see you out on our sharing platforms. 

Jeffrey Davidhizar: Of course. Thanks for having me. This was really fun. Appreciate it. 

Luke Vander Linden: Well, that'll do it for another episode of the RH-ISAC podcast. I want to thank all my guests - Ben Barrontine from 360 Privacy, Jeffrey Davidhizar from Crutchfield, and of course, our own Lee Clark with the briefing. This episode and all of our past episodes can be found at thecyberwire.com or wherever you listen to high-quality podcasts like ours. As always, thank you to our senior producer Jennifer Eiben and the sound team of Elliott Peltzman and Tre Hester, and to our own producers at the RH-ISAC, Annie Chambliss and Marisa Troscianecki. Once again, if you have anything you want to say to us, good, bad or ugly, shoot us an email at podcast@rhisac.org. We'll have a new episode in a couple weeks. In the meantime, stay safe out there.