SpyCast 10.4.22
Ep 559 | 10.4.22

“Sure, I Can Hack Your Organization” – with Eric Escobar (Part 1 of 2)

Transcript

Andrew Hammond: Hi, and welcome to "SpyCast." I'm your host, Dr. Andrew Hammond, historian and curator here at the International Spy Museum in Washington, D.C. "SpyCast's" sole purpose is to educate our listeners about the past, present and future of intelligence and espionage. Every week, through engaging conversations, we explore some aspect of a vast ecosystem that looms beneath the surface of everyday life. We talk to spies, operators, mole hunters, defectors, analysts and authors to explore the stories and secrets, tradecraft and technology of the secret world. We are "SpyCast." Now sit back, relax and enjoy the show.

Andrew Hammond: Today, I'm up at over a hundred thousand felonies. If you were to look at what I was able to do and the number of users I was able to compromise, from my perspective, it's the coolest job in the entire world. This week's guest is professional hacker Eric Escobar. Eric has legally compromised, well, almost everything from health care and banking to technology and critical infrastructure through to amusement parks and next-generation military aircraft. Listen in for Part II next week. In Part I, we touch on what keeps Eric up at night, thinking like a professional hacker, hardening your attack surface - i.e., protecting yourself and your information - and plain English explanations of important cyber concepts like kill chains and zero-days. Hint - they're not the names of heavy metal bands. If you're a fan of the podcast, I would greatly appreciate it if you could leave us a kind review on Apple Podcasts. Make sure to check out this week's show notes for resources to learn more. Thanks for listening, and enjoy this week's episode. 

Andrew Hammond: I was just wondering, just to start off, Eric - so you're a professional hacker. You attempt to compromise all different types of networks, from the military through to amusement parks. I guess one of the first questions that I had, just when I was thinking about this interview - you've seen quite a lot. Is there anything that keeps you up at night? Is there anything in the wee, small hours where you're like, that one really, like, scares me? 

Eric Escobar: You know, the ones that really keep me up at night are anything to do with critical infrastructure, which is, you know, obviously, Colonial Pipeline and all the havoc that that caused. Those are the ones that really just keep me up at night for a couple of reasons. I mean, really, if you look at any of our traditional, you know, different internet uses - Amazon, you know, Google, Apple, like, all these different services - what's the worst that's going to happen? You might lose some files. You know, you might need to recover from a backup. You know, your information might get out there. But with all the critical infrastructure, there's chance of potential for loss of life, which is way worse than anything that can happen in the cyber realm. So those are the ones - like, watching any critical infrastructure get compromised is really the thing that keeps me up at night because, you know, lives are in the balance, lives are on the line. 

Eric Escobar: And we do a lot of testing for critical infrastructure. And I've seen computers and machines that have been online, and not been taken offline, longer than I've been alive. So when you think about how often you have to reboot your machine, and it's like - well, these haven't been rebooted in my lifetime. So it's really interesting to see those types of things because, you know, they interact with really big, expensive hardware. And so there's a Catch-22 that happens where you can't really take the machine offline to do maintenance on it because it's critical infrastructure. So then how do you test it to make sure that a hacker can't take it offline or maintenance can be done on it, right? So to answer your question, critical infrastructure is what really keeps me up at night because of the actual physical harm that it can do in the world. 

Andrew Hammond: Wow. And before we met today, I mentioned that some of our listeners are involved in this business - some of them are involved in intelligence business and some of them are just people on the street that love a good spy story or that are trying to get up to date with what's happening in the world. So just to give them a better understanding of what we're talking about here, at the Spy Museum, we have a shard from the Aurora Generator Test in 2007, which basically is a test to prove that a piece of code can affect the physical world. And basically, to cut a long story short, they blew up a generator. So something that's intangible can affect the tangible world. So that's ultimately what you're talking about. Is that correct? 

Eric Escobar: Yeah, that's my actual job is doing exactly that. Not - like, not too dissimilar, a couple weeks ago, we compromised a - what's it called? - an oil refinery. So that same exact, like, hey, we're able to access, you know, industrial control systems. And if we touch the wrong computer, if we do something wrong, things go boom. And so that's why it's my fear 'cause exactly that - that code can affect the real world in those - you know, in those circumstances. 

Andrew Hammond: OK. Wow. And how did you get into this business, Eric? How did you end up - because your background - actually, like our intern-at-the-moment's father who's a civil engineer, your background's in civil engineering. So tell us a little bit more about that transition. 

Eric Escobar: Yeah, absolutely. So when I was in high school, I was like, man, I want to do some engineering. I'm good with math, good with science. So I did, like, the survey of all the different types of engineers that there were. There's, like, a class that my high school offered. And so it was either computer engineering, or it was civil engineering. I was like, you know what? I don't want to be behind a desk all day on a computer, so I'm going to go into civil engineering and build real things out in the real world. So I go to school, get a master's degree in civil engineering, get my - you know, I'm a registered civil engineer still in the state of California, you know, in the United States. And I started working for a couple of years, and they kept sending me out to these very remote places. And I was like, hey, I'm getting married. I'm going to have a wife and kids here soon. I can't be, like, out on all these, you know, remote places doing random work out in the field. And so then as luck would have it, my college roommate, his dad was a, you know, head of security for a large company in Silicon Valley. And he goes, you know what? You got the mind for this. Do you want to - like, I'll replace your engineering salary if you just want to give this a go. And so I looked at - you know, I talked it over with my soon-to-be wife. And I was just like, so how are we feeling about this? And she's like, well, I mean, no time like the present. So I made the hop from civil engineering into the security industry, and I never looked back. I still do some random, you know, engineering stuff on the side if there's a unique problem that arises. But yeah, it's a weird, windy path. And it all comes back to the who you know and the connections that you make. And you never know how they're going to reform or impact you later on in life.

Andrew Hammond: So before this interview today, I was at the National Cryptologic Museum, which is reopening after a refurb, and they're the - in the early days of American cryptography, they didn't test so much for what people knew at that time. They tested for particular ways of thinking. So I was just wondering if you could tell us a little bit more about - what are some of the similarities between the way that civil engineers think and systems engineers and people that are working in your field think? Like, what are some of the things that carry over that mean that if you've got that, if you think in that particular way, you'll be good in this field? 

Eric Escobar: Yeah. I think it's - it just comes down to problem-solving and enjoying a good puzzle. You know, and when you're a civil engineer, you're looking for, hey, I need to get water from this dam to this hydroelectric facility. Or I need to build this building, and it needs to hold a thousand people. And so you're looking at - you know, you have constraints of time, resources, you know, budget, all of that stuff, right? And so you're trying to solve that problem of - how do I achieve this objective with the limited constraints that I have? And that's exactly what hacking is. In the same regard of, hey, I'm trying to, you know, compromise your active directory, compromise your oil refinery, break into this aircraft, and I have a very limited amount of information. How do I achieve this objective? So really it's just problem-solving and always loving a good puzzle. 

Andrew Hammond: So - and with this field that you're in and being a professional hacker, is there any space for people like me and Erin, people that are more humanities type folk, or is it still a preponderance of people that are, like, math, engineering, that type of mind? 

Eric Escobar: No. I mean, honestly, it's the full spectrum. The amount of people that we have on our team - so my background's civil engineering, right? If you were to take a survey of our team and say, what are your backgrounds? And we have several English majors, one of our best hackers used to be an RV salesman. We have a Ph.D. in physics. So we all kind of meander and find our way into this career through - you know, everybody's story's completely unique, just like mine is. But a lot of us come from the humanities aspect of it. And really the aspect there that I think is most interesting is the ability to communicate to your clients who are running these systems because yes, I'm very technical, but if I can't explain something in such a way to somebody who is maybe not as technical as I am, then my complete job has failed and fallen apart if I can't communicate that accurately. And so I always make the joke to my wife, who's an English major, that I never thought that I would be writing this - like, I went into engineering so I wouldn't have to write a word a day in my life. And now I read, you know, several thousand pages of reports as I QA them for our team. And then I have to write several hundred page reports a week for our clients. So, yeah, the humanities, it's definitely one of those things, just the ability to communicate, the ability to pull from historical, you know, precedent and all that stuff, pretty much - the way that I see it for this industry is everybody has a unique skill set that is, you know, wildly in need, even if you don't quite realize it yet. 

Andrew Hammond: One of the things that I find really interesting about that industry is that a lot of the barriers to entry that exist for other fields are different in the cybersecurity realm. So, for example, if you want to be on the Supreme Court, you have to have been to law school. If you want to be in the Supreme Court, you don't have to have been to three or four law schools in the whole country, but it's pretty much a certainty that you're only going to get onto it unless you've been to one of those three or four law schools, if we look at it historically. But it seems to me that the barriers to entry are different in this - in the field that you're in. And it also seems like - I could be naive or idealistic - but it seems like it's more meritocratic in that sense because it's like, you turn up in a kitchen as a chef. People don't really give a monkey's where you went to chef school. They're going to judge you based on what you cook for them. So I wonder if you could just talk about that a little bit for us. I find that really interesting about the field that you're in. 

Eric Escobar: Yeah, you hit the nail on the head. It's complete meritocracy as far as - if you're good at what you do and you can communicate it, you'll rise to the top. And that's absolutely what I love about it. And it's kind of funny because I have several of my friends who - they see - Eric, you know, what - you know, this is what you do? Wow. You know, you get to work from home? That's awesome. You know, the pay's great. That's even better. And I'm like, you know what? You can do it, too. And so I have a good friend of mine who was once a pastor, now turned hacker - and same thing. He's driven, he wants to do the work, he loves solving puzzles, and so he can apply all of his communication skills and all of his other soft skills to the actual technical aspect of it. 

Eric Escobar: My wife's college roommate is - has a master's degree in biomedical engineering, and I was like, you know what? You could also do this too. And so sure enough, I keep trying to get, you know, all my friends and family - and it's kind of a joke now where it's like, oh, Eric's going to try and recruit you, huh? But that's exactly it. The barrier to entry - you don't need a four-year college degree to do this. You know, there are - when I started, there was no such thing as a cybersecurity program. And so if we did hire anybody, the closest match potentially would be a computer science degree. 

Eric Escobar: But really, what we care about most, at least on our team, is your ability to communicate and your ability to solve problems and your ability really just to think on your feet. And those are - you know, it's harder from one aspect because you can't teach it. You can't just decide, I want to do this and be incredibly successful at it. You might have a four-year college degree in computer science. Heck, you might even be a Ph.D. in computer science. But if you aren't going to be able to work a problem, think on your feet and communicate properly, it doesn't really matter what your credentials are. You can't teach it. A lot of this is something that you have to, you know, innately have as a part of your personality. 

Eric Escobar: So from one end of the spectrum, it's awesome because somebody who could be good at it in, you know, a year, you could show them everything that they need to know, and they'll be off to the races. But on the other aspect of it, there are some things you just can't teach, you know, just like any other profession or any other field. And so in that regard, I absolutely love it because if somebody shows a proclivity to it, if somebody shows that, hey, they're willing to invest the time to learn a new skill, you know, the sky's the limit. We only need more adversarial testers. We only need more computer science folks from all walks of life, right? So, yeah. 

Andrew Hammond: And just thinking about this historically, when you see things like this in the past, quite often there's then a movement towards professionalization and certification and codification. And then those barriers get reestablished where, if you want to get into field X, you'll have to have ticked all of these boxes. Do you see that in tech, or do you ever think that that could really take off? Or do you just think that it wouldn't really work for this particular field? 

Eric Escobar: Yeah, you definitely see it now. So you see now - that now there are degree programs or certifications, certification bodies, you know, all these different things to, like you say, try to make it more professional, try and put a suit and tie on a hacker, right? I think to a degree, yeah, that - they will, you know, shut out potentially some, mostly because if you're trying to hire for - you know, if you have a job opening for, you know, hacker for hire, and you see that you have a hundred and - you know, a hundred potential employees, and 50 of them have a four-year degree in computer science or, you know, security, if you're trying to just find a way to filter that down, you might just filter by that and you might lose a bunch of great candidates. 

Eric Escobar: But if you're a human and you're trying to make sense of, how do I, you know, stack this - you know, how do I sort and filter this stack of resumes in front of me? - that might be a way that there be - that there could be some gatekeeping. But I even still feel like with that, that there are ways to break into the industry even if you don't have that four-year degree, even if you don't have that going forward, just because, like I said, it's - or like you said, it's a meritocracy. And if you have skills, if you have ability, you'll eventually find your way to a place that's going to appreciate and want and need those skills. 

Andrew Hammond: And when did you first realize that you had the chops to do this or - not just the chops. I don't want to embarrass you, but you've - you know, you went on to become and still are a very successful hacker. Like, when did you realize that, wow, this is somewhere where I can excel as opposed to just, yeah, I guess I'll be able to keep a roof over my head and, you know, stay out of jail and stuff like that? Yeah, when did you - when did it dawn on you that, you know, this is somewhere where you could distinguish yourself? 

Eric Escobar: You know, I don't think it has yet. Have you ever heard of... 

Andrew Hammond: OK. 

Eric Escobar: ...Have you ever heard... 

Andrew Hammond: That's good. 

Eric Escobar: ...Of imposter syndrome? 

Andrew Hammond: Yeah, I've got it. 

Eric Escobar: Everybody in this field - I shouldn't speak for everybody - but I would say if you surveyed this field, everybody feels like - I feel like they're an imposter to a degree. And for those in your audience listening, imposter syndrome is where you feel as if, like, man, is somebody going to figure out that I don't know what I'm doing? There was one time my wife - you know, she walks in my office, and she's like, are you just Googling how to do something for your job? I'm like, absolutely. And she's like, what if your coworkers, you know, found out or, you know, like, you know, wouldn't that be kind of funny? I'm like, oh, no, we all - like, we're all Googling all the questions. Nobody can know at all. And so really, to answer your question, like, I - like, some people might look at me and be like, wow, Eric is a great hacker. He compromises and breaks into all these large companies. And then I have the people that I look up to. I'm like, oh, my gosh, like, you could never call me a hacker compared to, you know, these individuals that I've met and these individuals that I know. Like, they're the real deal. I'm just an imposter here. So I really don't think it's quite hit. I mean, it does pay the bills, don't get me wrong. And I don't think I'm going anywhere any time soon. But, you know, you're - what's the saying? If you're the smartest one in the room, you're in the wrong room. And I don't think I've ever been (laughter) in a room where I've been... 

Andrew Hammond: (Laughter). 

Eric Escobar: ...The smartest person. So, yeah, hopefully that answers that question, but I really just - yeah, every day feels like I'm an imposter to a degree. 

Andrew Hammond: And in this field, as well, how much of it depends on current knowledge, and how much of it just depends on this way of thinking and this skill set? So, for example, if you - say you went into a - God forbid, say that a - let's not say you. Let's say a hacker went into a coma for 10 years and then woke up. There's different technology, different problems, but a lot of the underlying fundamentals are the same. How difficult would it be to get back up to speed? Is that, like, you need to start all over again, or is it just, OK, you know how to think the right way, now it's just the case of a slightly different technology or slightly different code? 

Eric Escobar: I think you could take any person who is adept at solving challenges with constraints, and they could get up to speed in this job - in a year, be able to talk the talk, walk the walk, and in two years, be able to hold the conversation in a room of professionals and nobody would've known that you never touched a keyboard a day in your life. So realistically - my view anyways - is that it is not about the tools, it's not about, you know, how the systems interact and operate. It just comes down to being able to, you know, the - think on your feet. It comes down to being able to work through a problem with those constraints. And anybody with that mindset, I think that they could go into a coma for a hundred years, wake up and still have that same of like, OK, I may not know anything. I may take some time to get up to speed. But it would not be, like, the nail in the coffin of like, oh, I waited too long. Like, this has all gotten away from me.

Eric Escobar: Because technology changes so rapidly, that I'll go on - I went on paternity leave last year. And so, you know, I'm not hands on keyboard for, like, three months as, you know, taking care of kids and taking care of the family. And then I get back to it. I'm like, whoa, look at all these new attacks. This is really cool. You know, look at all these things that are now available, and look at all these things that previously, you know, we had no capability to test. And now, you know, oh, wow, we bypassed full-disk encryption on the laptop. That's incredible. So it really - I think it is just - if you're a problem solver, you could do this job, no problem. Doesn't matter when you decide to pick it up. 

Andrew Hammond: And full disclosure for our audiences, Eric was talking there - both Aaron (ph) and I were on Craigslist looking for apartments in California because I think we're both going to have a career change coming up quite shortly (laughter). 

Eric Escobar: Please do. And I don't live in the cool part of California. I live in a place called Fresno, which is the agricultural, like, you know, capital of the world, so... 

Andrew Hammond: Heartland. 

Eric Escobar: Yeah, it is - I see way more cows than I do waves. 

Andrew Hammond: It's "Grapes of Wrath" country, right? 

Eric Escobar: Not wrong. 

(LAUGHTER) 

Andrew Hammond: So this is really, really fascinating. Just to take a step back, Eric, tell us a little bit more about Secureworks - like, the company that you work for - and tell us what you do there. So we know you're a professional hacker, but help us understand the connection between you and Secureworks. What does your company do? 

Eric Escobar: Yeah, absolutely. So, gosh, that is - I feel like that's a loaded question, right? Like, our - I'm sure all of our marketing team and sales team are looking at me like, come on, say the right things, Eric. 

Andrew Hammond: (Laughter). 

Eric Escobar: But essentially, Secureworks is a security company. And we have a bunch of different departments within our company that all, you know, take care of one aspect of security. So I work on what's called our SWAG team, or Secureworks Advisory Group - that's our acronym, is SWAG, which is kind of cool. And basically, we're the adversarial team. Clients come to us and say, please try and break into us, tell us how you broke into us and - so we can patch it before a nation-state, you know, or another threat actor is able to break into them. And so that's why it's the coolest job in the entire world from my perspective, because on any given day, I'm committing several thousand felonies if I didn't have permission to do what I'm doing. Today, I'm up to over a hundred thousand felonies if you were to look at what I was able to do and the amount of users I was able to compromise. And so as far as, like, looking at the broader part of Secureworks, I'm in the adversarial section where we attack our clients. You know, we - for - to try to make them more secure. 

Eric Escobar: But what's kind of neat is that we have a bunch of other, you know, divisions, I guess, is the best way to put it, within our company that do different aspects of security. So we have our incident response team. So basically, if your company were to get breached and find out, oh, no, you know, you've been breached, you can call us. Our guys will parachute in and basically say, hey, we're going to evict the threat actor, find out how they got in, patch the hole and make it so that your company can function again, right? If there's ransomware, how do we recover from backups? Is there, you know, potentially a recovery key somewhere? So that's incident response. So I break in. Incident response responds when somebody like me that's not friendly breaks in. 

Eric Escobar: And then we also have our CTU team, our Counter Threat Unit. Counter Threat Unit - they're responsible for seeing, what does the adversarial landscape look like? What are nation-states doing? What tools and techniques are being used by other threat actors that aren't friendly, you know, out in the wild? And then can we take what we've learned from there and apply it to our defensive products so that we're able to make sure that an incident never happens 'cause we catch it before it does, right? So you can think of them as, like, you know, the researchers in the field sampling all the things that are bad, taking it back home and writing, you know, different definitions to be able to catch any of that malware going forward. Or, you know, it doesn't have to be malware. It could be, more often than not, how threat actors operate and, you know, their operating principles. 

Eric Escobar: And then we have our flagship product, which is Taegis. Taegis is like - it's an XDR platform. XDR is a fancy, basically, way of saying it is your enterprise way to monitor how threat actors are, you know, potentially trying to pivot into your network, how they're trying to access your network and, you know, what does that look like, and can they catch that threat actor before - you know, before they're able to do anything? So it's kind of a fun cat-and-mouse game that we - you know, all those different divisions play against one another because incident response is like, oh, man, like, how could we find out, you know, what you're doing in your network? And, you know, there's always a cat-and-mouse game that goes with our Taegis platform of, hey, can we bypass our own security product, right? And so it's a fun game to go back and forth, and, like, OK, you know, we bypassed it here. Then they patch it, and then they can detect it and, you know, just going back and forth. 

Eric Escobar: But really, it makes everybody sharper on our team and same thing with Counter Threat Unit. We're pulling in stuff that's being used in the wild so we can see, hey, what is - you know, what are threat actors and nation-states and other, you know, adversarial groups - what are they doing? What do we see? So that's in a very - like, that is a very quick and concise, you know, summary of what we do. But it's really fun because you get it from all different angles. You get to see what's happening in the - basically, cyberspace, on the internet. 

Andrew Hammond: Wow. And how do you spell that, Taegis? 

Eric Escobar: I should know this - T-A-E-G-I-S. 

Andrew Hammond: So this is, like, a model for just protecting a network? Is that correct? 

Eric Escobar: Not just protecting a network, it's protecting your (laughter)... 

Andrew Hammond: Oh, sorry, not just protecting network, yeah (laughter). 

Eric Escobar: Yeah, so it's - I did spell that right. I had to look it up just to make sure. Yeah, so it's - so it essentially goes - you know, you - it looks at your network holistically and basically says, you know, not just, hey, what is happening to the server? It looks at your network holistically and says, you know, do we notice weird patterns? Do we see machines that are maybe not connected to other machines? Do we see authentication attempts that shouldn't be from certain hosts? It does a wide range of different things to look, not just at one single endpoint device - not, hey, was this one computer compromised? - but evidence of compromise throughout your entire network. 

Eric Escobar: Because, oftentimes, if I'm going to break into - like, to get a little bit technical, if I'm going to break into your network, I typically don't like to use malware. I typically don't like to use, you know, some tool that's going to get captured. What I typically do is find a way to gain credentials - you know, someone's username and password - and then I use their user account to basically do everything throughout their other network. So there would be no malware to find 'cause I'm using their network and their accounts as they should be used and finding vulnerabilities and weaknesses in their permission authentication schemes. That, you know, is basically undetectable 'cause I'm not using malware. And so there's a lot of pattern matching, a lot of, you know, really technical stuff on their side of the house, you know, to prevent and discover things that are anomalies, so to say. 

Andrew Hammond: OK, when you say a security company, you mean cybersecurity. Is that correct? 

Eric Escobar: Cybersecurity company. 

Andrew Hammond: Yeah. 

Eric Escobar: Although we do do - so as part of our adversarial testing, we also do physical security as well. So I've, you know, done the whole secret agent, break-in, clone badges, you know, go in at night, pick the lock and all that stuff as well. 

Andrew Hammond: Oh, you have? Wow. OK. 

Eric Escobar: Yeah. 

Andrew Hammond: We'll be right back after this. 

Andrew Hammond: One of the things that I was - that I'm interested in is, you know, with this field - you know, like, "SpyCast" is on the CyberWire network now. And we've done traditional intelligence espionage and people kind of get that, more or less, OK, that's over here. And then they sort of get cyber. They're like, OK, that's computers. That's over there. I'm increasingly interested in the places where they overlap. And it seems that, you know, a lot of people are like, OK, well, the NSA - like, that's an area where, you know, both of them overlap. And other than that, it gets a bit fuzzy. I'm not sure about it. 

Andrew Hammond: But, you know, when you hear the term InfoSec - like, information security - I mean, that's what - a lot of what intelligence agencies do. Or when you were speaking about, like, breaking in without using malware, it's - like, intelligence agencies as well, they - I mean, sure, you can do some kind of brute force attack and get information, but if you scream out that you've just done something, then they're going to go in, change all their codes and do a whole bunch of countermeasures to try to protect themselves against what you've just committed against them. So I don't want to say that both of them collapse into one another, but it just seems really interesting to me, all of the places that they overlap. And I don't know if I've ever read a book or something that adequately explains that overlap. But do you have any thoughts about that? 

Eric Escobar: Yeah. So InfoSec - like, I think all the - like, the industry terminology is always kind of funny 'cause you say, oh, I'm in InfoSec. And everybody's like, I don't know what that means. And it's like, that's really fair. And so when you think about it, you know, you expand it out, information security. And so a lot of people are like, oh, so you safeguard, you know, the typical things - right? - your health data, your financial data, your - you know, all these different things that you think of when you think of, like, oh, my online accounts is what is being safeguarded. Well, it's interesting when you think about it. You know, so you mentioned, you know, ways that they overlap. Really just information - you know, if you're a spy agency, if you're a nation-state and you're trying to discern information, there's a lot of guesswork - a lot of educated guesswork - that goes into that. 

Eric Escobar: And so an example that I always kind of like to think about realistically - if you look at, say, the United States political landscape - totally not a hot-button issue. If you are a foreign, you know, nation and you're trying to understand, hey, what - you know, what are the political parties, you know, angling to do? What's going on here? Well, think if they were able to break into, say, the, you know, manufacturer of, like, flags - right? - of little American flags that get waved around at campaign rallies. Well, if you knew how many orders of each of those flags are going to respective, you know, different political campaigns and parties and all that stuff, well, now you've built up - just with that information of orders of flags, if you're able to compromise a small manufacturing place, now you know all the ordering, all the processing information of how that goes, typically logistics of who, how, where and why those flags are going to be in that position. You typically know how many are in the war chest or how many people they're expecting at a campaign rally, right? 

Eric Escobar: And so there's - it's one of those things that it's information security 'cause you don't necessarily know how the information is going to be used. You know, you might have a threat actor that breaks in, trying - to that same flag company - trying just to steal, you know, email addresses so that they can send out, you know, phishing emails just willy-nilly. Or you might have a nation-state trying to compromise that same flag factory for the purpose of trying to divine, what does the political landscape look like in the United States for the upcoming midterms? There's a lot of hypotheticals. And then there's a lot of, like, you know, where things actually overlap, like you said, with NSA and other intelligence agencies. 

Andrew Hammond: And even for - it seems to me that even for - like, for someone like you that's in the private sector, this is still part of your world because the companies and so forth that you're doing this penetration testing for, this hacking for, it seems to me that quite a few of them will be trying to protect themselves against nation-state actors like Russia and China and hacker groups that are affiliated with intelligence agencies from those countries. So, I mean, that's quite interesting, as well. It seems to me that whether, you know - you don't have a choice in the matter, almost, because nation-states have a large amount of resources. They can put manpower to a problem for decades and decades, theoretically, or even longer. So people like you are up against this - these foreign intelligence agencies. It's not, like, a matter of choice. It's just - it just is. That's quite interesting to me. 

Eric Escobar: Yeah. And that's - I mean, you hit the nail on the head - is - the way that I always like to think about it, is that if I said, hey, Andrew, you know what? I'm going to send 12 special force operators to come break into your house. And if I said that and then, you know, it got plastered all over the news - oh, my gosh, can you believe Andrew? He got compromised 'cause 12 Navy SEALs kicked in his door. Everybody would be like, well, yeah, it's a normal person against 12 well-trained Navy SEALs. Of course that's going to happen. 

Andrew Hammond: What do you expect (laughter)? 

Eric Escobar: But realistically, in the cyber domain, it's even worse because you have nation-states that are funded with millions and billions of dollars potentially targeting, you know, a small company, a medium-sized company, even a large company. Even if you look at a large company and you said, hey, 12 Navy SEALs, kick your door - your way in the door, you know, a lot - you know, the news, the - you know, the media apparatus would be a lot more friendly, saying, oh, well, yeah, no one would expect that they should be able to withstand an attack against a nation-state. But that's what we're asking everyone to do. I mean, that's what we're asking you and I to do every time we're trying to protect our email, every time we're trying to use encryption for anything - login passwords to Facebook, Instagram, all your social media accounts. All of these things have to be able to defend themselves against, you know, the latest and greatest technology threat actors and, you know, the equivalent of the digital Navy SEALs. And that's exactly it, is that it's - is that we are having to, you know, do this, not by choice, but because this is the state of the world. 

Eric Escobar: And not only - you know, to break down the analogy even more of, like, 12 Navy SEALs kicking in your door, they can do that from their respective countries. They don't even have to, like, get out of bed, you know, to potentially perform that attack. Whereas if they were, you know, physical, actual operatives, they would have to. And so that's just the reality of where we live, is that, you know, all of this information is constantly being attacked 24 hours a day, seven days a week from, you know, like, hacking groups that are built out of teenagers, right? The most recent hacks, I think, of Uber was tied to Lazarus Group, which is a bunch of teenagers, right? I could be totally wrong on that. I'm pretty sure - I think that's right, but the analogy stands up. It could be anybody. It could be a nation-state. It could be a bunch of teenagers across the world. 

Eric Escobar: So it is - it's one of those things that when you frame it in that mind, you're like, yeah, that's a really hard problem because it turns out countries have a lot of resources that if they want to break in somewhere, they can apply hundreds of people, potentially, to focus on one problem, you know, to put in all that brainpower into - in trying to break in. 

Andrew Hammond: I like that analogy, the Navy SEALs. I was also just thinking that the Navy SEALs can't break your door down while eating a bag of Cheetos, but a hacker overseas can, right (laughter)? 

Eric Escobar: Absolutely. It's funny. There's been several times where it's like, oh, I'm making dinner or, you know, like, got to watch the kids right now, you know, before - if they woke up from their nap early. So it's like, wow, I'm breaking into a Fortune 500 company while, like, hanging out with my 4-year-old. 

(LAUGHTER) 

Andrew Hammond: That's funny (laughter). And this is where this term APT comes from - right? - Advanced Persistent Threats. That's a nation-state that can just throw relatively infinite amounts of money and time at a problem. 

Eric Escobar: Yeah. And it could be a nation-state. It could be combinations of nation-states. It could be really well-resourced, you know, threat actors. So it doesn't necessarily have to be a nation-state. But yeah, advanced persistent threat - and they're typically named so if - you know, a lot of different threat actors, they have, you know, similar processes. They have similar techniques, similar tools. And so you can kind of aggregate those. So, like, what our CTU team would do is they'd basically say, OK, there is this hacker group that we don't know anything, or, you know, we don't necessarily know, like, oh, this is who they are. But we can tell from their attack pattern and, like, what they're doing that this is probably a similar group, and they might have some crossover. But it doesn't necessarily need to be a nation-state but definitely well-resourced and definitely professionals in the field of what they're doing. 

Andrew Hammond: Wow. And one of the things that I wanted to ask as well was, can you break down this term kill chain for us? I've heard this, like, used quite a lot, and I know that in the realm of cyber it's quite important. And for some of our listeners, this will be, you know, something that trips off the tongue. But for others, they'll be, what the heck are they talking about? So what's a - what's the kill chain? 

Eric Escobar: Yeah. So I'll give you a brief example with a story of a test that we recently did. So kill chain in, like, a one-sentence thing is basically how you're able to achieve your objective, how you're able to compromise somebody from the beginning to the end. So if you're reading a book, it's just a quick story, a quick narrative of - how were you able to do it? So for, like, one of our tests, we're trying to break into this medical facility, and we're trying to break into it from the public internet. So just, like, any other internet user has the same level of access as we do, and they give us, hey, here's our target computers to break into. We found, hey, there's a page publicly available. It says, have you forgotten your password? Click here to reset it. You only need to answer some security questions. So we found a list of users on LinkedIn, and we compared them to social media profiles such as Facebook, Instagram, Twitter, Snapchat, all these publicly available social media things. And we found some of the questions were things you can probably look up on social media. So one of them was like, favorite superhero - found the person's Facebook page, instantly obviously it's Batman. And so it went from there, and so we had one of their security questions already. The next question was their maternal mother's maiden name or maternal grandmother's maiden name. So something seems pretty abstract until you stumble upon an obituary that contains that same information. 

Eric Escobar: So now we're able to reset this user's password. We reset their password. We're able to log into their VPN, so the way that they remotely access their company. And then from there we're able to impersonate them on the network. We're then able to access a file share on their network. And now from the public internet, we're accessing a server within their internal corporate network. Turns out that file server had, you know, some vulnerabilities with it, and it was able to basically access a more secure server. So we're able to go into - from one file server into a more secure server, which contained the entire company's username and password database. And so I was then able to extract all that information sitting from the public internet. So that's essentially what a kill chain is - all the different steps that you use to achieve that objective of whatever the client wants or however a company was compromised. So does that make sense? Hopefully, I explained that OK. 

Andrew Hammond: I think so. So it's like going over a bridge and then at each stage of the bridge, there's the potential to be stopped or the potential not to complete your journey. And you have to keep completing every 50 meters to get to the end. And the kill chain is just if you can stop them over the length of the bridge, getting to the end of the bridge then - does that make sense, or is that not a good analogy? 

Eric Escobar: Yeah, yeah, yeah. That's very similar of just - you're trying to find a path to achieve your objective. And for us, the kill chain is all the different steps that you achieve that objective. And then what's nice is that when we generate a report for our clients, we basically say here are, like, you know, the 10 or 15 key steps. Had you stopped us at any point along the way in these steps, then you would have potentially stopped us from the compromise. And then - you know, so that's like a chain if you think about, like, a physical chain. But then it's - also can be more like a web from the standpoint of, like, there's more than one way to - you know, to potentially compromise. And so there's all the, you know, additional kill chains potentially and how those stem and weave. But yeah, that's the nail on the head is - where can you get stopped along that path - along that path of compromise? 

Andrew Hammond: And help us understand a little bit more as well about hardening the attack surface. So that's one of the terms that I've heard. How do you harden an attack surface? Break that down for our listeners. 

Eric Escobar: Yeah. So say you're just a standard computer user, right? You have your - just your standard laptop. And let's talk about, like, hardening your laptop or - you know, this sounds like a really, oh, we got to harden, you know, secure, you know, batten down the hatches kind of thing. And really, it's not that dissimilar from just, like, if you're in standard, you know - large companies try to harden their systems just like you could harden your laptop. So, hey, maybe the password that you use to log into your laptop, maybe that's just, you know, a four-digit code. Well, if you're trying to harden it and make it harder for somebody to get in, instead of having a four-digit code, maybe use a sentence that's, like, 15 characters long. So it's easy to type in your keyboard. That would be one way that then I couldn't just potentially guess what your password is, you know, if it's four zeros in a row. Other things that you might do is, hey, I'm not going to, you know, potentially connect to, like, public Wi-Fi or if I am, I'm going to use something like a VPN to protect my internet traffic as it leaves my computer. Other things that, like - trying to harden yourself might be something physical. I'm not going to leave my laptop in my backpack in the back of my car when I go to the grocery store, right? So it doesn't have to just be in the - you know, the digital domain. And there's a lot of things like that. Like, just enabling something like multifactor authentication, which is, like, if you log into your bank, you're logged into something else where you get, like, a text message, or you have to, you know, hit a button on your phone. Just adding those simple things is hardening, you know, your attack surface, is limiting your attack surface, so that if I'm trying to break into, say, your Facebook, your Gmail, your Instagram and there's a second-factor authentication, I would need to - I would basically need to steal your phone in order to, you know, get that second-factor authentication. And same thing if you're using a hard, unique password that I couldn't just guess - well, good luck then. There's something else that I don't know. So that's really all that it is, is a really simple concept of just - you're limiting the way that somebody like me is going to be able to easily break into you and just creating more and more barriers of difficulty. 

Andrew Hammond: OK. So it's almost like - it seems it's almost like defense in depth. Rather than one huge wall, like in the "Game of Thrones," it's just - here's, like, two dozen walls where I'm going to make it really difficult for you to do this, and it's probably going to be easier for you just to go somewhere else and make your life easier. 

Eric Escobar: And that's the - so there's always an analogy I like to - or it's more of a joke of - you're camping with your buddy. You and your buddy are at your campsite, and a bear stumbles into your campsite. And you start putting your shoes on. And your buddy leans in and he goes, there's no way you're going to outrun that bear. And he goes, I don't need to outrun that bear. I just need to outrun you. 

Andrew Hammond: (Laughter). 

Eric Escobar: And that's exactly what it is. 

Andrew Hammond: I like that one. 

Eric Escobar: Hackers are lazy. We're opportunistic. And, you know, we're not going to struggle and try and crack the hardest server if, you know, the next server over is going to be something that is old and outdated and easy to compromise. We're always going to go find the path of least resistance. And so in that same case, if you are a hardened target, if you're a target that has multi-factor authentication, unique passwords for everything, and long passwords, I'm not necessarily going to go after you. I'm potentially going to try and find another way either into your system through somebody else or I'm, you know, just going to leave you alone all together. And so that's really all that it is, is just adding - you know, it's like layers of security, right? So it doesn't have to be, like you said, one big wall. But, hey, little incremental steps that you could do just to make it - my life harder as a hacker. 

Andrew Hammond: OK. And just before we move on from these definitions - which are really, really helpful, by the way. Thanks so much for doing this and indulging me. Zero-days - this is the last one. Help us understand what zero-days are. 

Eric Escobar: Yeah. So zero-days - the quick definition of it is it's basically a vulnerability or an exploit in a system that nobody knows - that, you know, no company is aware of. And so the reason where it gets the term zero-days is it's days since it was discovered. So say a vulnerability is found in Windows. And it's been, you know, a certain number of days since it's been discovered - so it's been 10 days, it's been, you know, 11 days, it's been, you know, three months. So how many days passed since it's been discovered has it been out in the wild? And zero-days are at zero because they are out in the wild and nobody knows about them, potentially. 

Eric Escobar: And so the reason that zero-days are so, you know, I guess, like, mythical or, you know, so scary is because you could be, you know, using a fully patched iPhone. And that fully patched iPhone - completely up to date, all the security stuff, you know, technically as secure as an iPhone could be, if it has a zero-day in it, that means that a threat actor or an attacker potentially has access to it, even though it's been completely patched, completely updated and has all the latest security definitions. And that's what makes it so scary, is that you don't even know that you're vulnerable because you don't even - you know, 'cause nobody else in the world, other than the attacker, potentially, knows that this vulnerability exists. And so that's why it's called zero-day 'cause hasn't even, you know, basically been released. Nobody's aware of it. 

Eric Escobar: And that's the reason that they're scary is because, again, you - like, Apple recently patched a couple zero-days where, hey, they found out iPhones are being actively exploited and - against fully patched, updated, you know, devices. And so they had to release - you know, once they discovered it, then they released patches and, you know, all that stuff to update your phone, which is why you should always keep your devices up to date. But that being said, that's basically the simple definition of it, is just something that is not known to the rest of the security community. 

Andrew Hammond: And how do these things come to light? Like, with zero-days, are there malicious actors out there that are just specifically hunting down zero-days, or is it someone stumbles across it that works for a company, puts it on the darknet and says, you know, I'm offering this for this amount of bitcoin or something, send it to this address? Help the average person on the street understand how these things come to light, or - not come to light for everybody 'cause the whole point is that you're - you get access to this before other people know about it, so you can take advantage of it. So help us understand how these things, like, bubble up and come to the surface. 

Eric Escobar: Yeah, so there are dedicated researchers that they spend all of their time, you know, looking for very specific vulnerabilities into very specific systems. That's not everybody. That's not how all zero-days are discovered. But what's interesting is that there's a term called bug bounties, where basically, companies say, hey, if you find a zero-day, if you find a vulnerability, by chance or because you're a researcher, in any of our systems, we'll pay you a certain amount of money per level of the vulnerability to report it to us and let us know. So I think, you know, Apple has some crazy, like, $2 million bug bounty so that if you did find a zero-day in the most up-to-date, you know, iOS and you report it to them, you get, you know, several hundred thousand dollars for sure. And I think maybe up to a million is the most that's ever been paid out. 

Eric Escobar: So companies will pay to say, hey, if you find it to us, report it to us and, like, all above board, all - you know, we'll send it to you. You're not a criminal. You are more than allowed to try and find this stuff. And if you report it to us and do responsible disclosure, you know, completely, you know, please let us know. You know, make the - you know, the world a more secure place. Sometimes, you just stumble into them. So there's been several, you know, websites, applications that I've looked at. And, you know, you get into, like, a weird edge case where you're like, oh, if I just don't put a username in this field and hit submit, it logs me in as an administrator. Well, that's a vulnerability. And was I trying to do anything nefarious? No, not necessarily. It could have just been an accident, but that's technically a zero-day. So it's - you know, there's researchers - it spans the whole spectrum of researchers who are dedicated to, like, only looking at certain platforms for high-paying bounties. And then there are, you know, just people that stumble across a vulnerability. 

Eric Escobar: And just 'cause it's a zero-day doesn't mean that it is, you know, actually weaponized or anything. It might be like, oh, I notice that there's a flaw in this application. So maybe the zero-day doesn't actually get me any, like, really great access or really great ability to do something, but still, nobody knows about it. And if it helps you as a part of your kill chain, then, yeah, that could be kind of a scary zero-day. But not all zero-days are like, and then we got access to all of these text messages and just from his phone number, but, yeah. Does that make sense as far as, like, the ranges of what's out there? 

Andrew Hammond: It does, yeah. That's really helpful. And tell me if I've understood this properly. So one of the ways that I have thought about this in the past is a zero-day is like Buckingham Palace, where you can go around and make sure that every single window is closed, but if one window out of 15,000 is not closed and no one knows that it hasn't been closed, then the whole palace is potentially vulnerable if someone knows where that one window that hasn't been closed is. Is that - would that be a good analogy? 

Eric Escobar: That's pretty spot on as far as - I always tell my clients, look, I have the easy job. I need to find one way in. You have the hard job. You have to, you know, basically make sure all of those windows are all completely closed. In the past, it used to be exactly like that, of, like, hey, you find one window open, game over, you've completely taken over the entire thing. Different applications, different websites, different, you know, physical devices like iPhones and Android phones - they're starting to implement - or not starting, they have implemented additional security layers and security features so that - say you were to compromise an iOS app or an app on an iPhone. You know, there's things like the secure enclave, to get really technical, that keep, you know, things like keys and private data secure on those devices. 

Eric Escobar: So, you know, for some networks, you know, there are some times where if you get a zero-day on the network or if you're able to compromise that network, you have the keys to the kingdom and you can run around all of Buckingham Palace, you know, scream at the top of your lungs and you have - you know, you are good to go. And then there are other - you know, and a lot of time it's from larger companies that have, you know, different layers of - you know, of security aspects in place that make it so that, hey, maybe you got in through the entryway, but you're never going to make it down the hallway into, you know, bedroom chambers or something like that. 

Andrew Hammond: And in the context of Buckingham Palace, the kill chain would be everything that's trying to stop you getting into the queen's - sorry, RIP - the king's bedroom. 

Eric Escobar: Yeah, the king's bedroom. 

Andrew Hammond: It would be the fence. It would be the electronic security system. It would be the dogs. It would be the security team. It would be the windows. It would be the material of the windows. It would be the sensors in the hallways. All of those things are trying to stop you getting through to the end. 

Eric Escobar: Yeah. And so the kill chain in this perspective is all the different things that an attacker did. So, you know, did they - like you said, did they bypass the motion sensors? Did they jump the gate? All the different things that they were able to do, that if any one of them had worked properly and kept out the attacker, you know, that kill chain wouldn't exist. The kill chain is all the things that were breached along the way. 

Andrew Hammond: And in the context of your job, you would try to get into Buckingham Palace. And then when you got in, you would say, here's how I got in and here's how you need to harden the attack surface? 

Eric Escobar: Yep. And that's exactly it. And it's funny because you bring up the Buckingham Palace example, but the thing that I always tell our clients is, hey, look, I can steal user passwords all day. I can't access file shares all day. Tell me what your crown jewels are and what keeps you up at night. And so when you say Buckingham Palace, it's funny, because I always tell our clients, tell me what your crown jewels are, and that's what I'll go steal. And I'll tell you exactly how I stole them so that you can, you know, block every aspect of that kill chain so that if somebody like me were to come back, all those things have been patched, blocked, updated or remediated in some way. 

Andrew Hammond: It would be funny if the royal palace reached out to you and said - and you said, you know, watch your crown jewels - the crown jewels. 

Eric Escobar: The actual crown jewels, Eric. All right. Challenge accepted. Let's go. 

(LAUGHTER) 

Andrew Hammond: So, I mean, one of the things that I find quite interesting as well is for your job, do you, like - you know, you're, like, this affable guy living in central California who, you know, obviously enjoys what he does. Like, how much do you get a sense of butting up against the darkness, so to speak? You know, because there's malicious people out there that want to harm individuals physically, materially, emotionally and so forth. I mean, for someone like you, you're relatively inoculated from that. It's just like this is the accepted game. 

Andrew Hammond: There's people like me that do their job and we're left alone because, you know, we have a particular role within the game - or, you know, how much are the people that are doing the Lord's work like you - are there people out there trying to stop you or trying to mess with the - we don't need to use a specific example, but people that are trying to, like, mess with you or get you to stop what you're doing or to dissuade you or disincentivize you, or are you kind of seen as a civilian and you're part of the game and therefore you're out of bounds or something? I'm trying to formulate a question there. Yeah, the person like you, who's done this legally for a company, trying to help other companies protect themselves versus the people out there that want to commit genuine harm and rip people off and sometimes hurt people. 

Eric Escobar: Yeah. So, I mean, we are targets, just like you are a target, just like pretty much anyone is a target. You know, there might be a little bit more of a target painted on our back by the sheer fact of this is what we do, you know, and maybe we have some special tooling that a threat actor potentially wants to get at or access. But really, at the end of the day, like, there is no, like, honor among thieves, right? Like, I don't get a pass because they're like, oh, we can't attack Eric's machine or Eric's network because it's Eric. You know, typically, when I say that hackers are lazy and opportunistic, if somebody - if you're not a direct target yourself, you are just a line in a spreadsheet, you know, that they're trying to, you know - a password spray attack, or they're trying - typically threat, you know, attackers, threat actors, aren't going to target you or somebody like me specifically unless they have a really good reason or there's going to be a huge payout at the end of it, right? If you knew that I was sitting on a hundred bitcoin, you know, then am I going to be more of a target? Absolutely. But really, like, for me, being in the industry, you know, I'm definitely not well enough known. And, like, OK, cool. You're going to break into my office and steal a bunch of, you know, USB cables. My wife would thank you for that. You know, good luck. 

Andrew Hammond: (Laughter). 

Eric Escobar: And the other thing, too, about that, too, is, yeah, the threat actors, the attackers, they need a payoff. And, really, attacking me, that doesn't get them a ton of, you know, juice. That doesn't - you know, maybe they get some access to, like, the current report that I'm working on. But past that, you know, if they were able to try and compromise me, then they should just go compromise the company that I'm trying to compromise. So I'm never really that worried about it. I do sometimes feel bad, you know - if I'm, like, say, doing a test and there's a system administrator that's clearly overworked and - you know, and doesn't have enough hours in the day to do all the things to try and keep somebody like me out, those are the clients that I'm like, look, when I'm breaking into you, don't think of me as, like, an actual adversary. Think of me as somebody who's going to write the report that's saying all the things that you've said this entire time. 

Eric Escobar: Like, hey, Jim from IT - look, he wants to implement MFA, and I - you know, I bypass you know - if that MFA, multi-factor authentication, had been in place, that would have stopped me. He wants complicated passwords. You should let him roll out complicated passwords because I was able to break in using weak passwords. And so those are the ones where it's like, look, I'm trying - you know, I can sleep easy at night 'cause I know, hey, I'm trying to make the world a better place. 

Eric Escobar: All the companies that I break into are often all the places that I myself use. You know, I've broken into my mortgage company before, which was kind of funny. I said like, hey, if I break in, can I pay off my mortgage? And, you know, everybody, like, nervously chuckles, and they're like, no. You know, but hopefully that answers your question. But, yeah, I don't think I'm any more of a target. And I think when - you know, when an actual, you know, threat or adversary is going after you, it has to - there has to be a big payoff because typically nobody's going to waste their time on somebody just like me. 

Andrew Hammond: And is there - you know, like, in the world of intelligence, where you have people that are working for one side or people that are working for another side, and then you have people in the middle that are double agents or that are agents of an adversary and so forth. So the question I have is, has it ever been the case in the professional hacker community? Like, do you - has there ever been someone that's - I'm a professional hacker. I'm on the up and up. I work for a company that's trying to protect other companies. But actually, I'm a secret scumbag who's selling information or doing stuff for the other side or vice versa. Or is there somebody that's pretending to be, you know, a nefarious hacker, but actually they've been working for the good guys the whole time. Yeah, help us understand that gray area in between. 

Eric Escobar: Yeah. So I don't know anybody personally - and obviously I don't know anybody personally that's done that. But there are - I am sure that of the world's most elite hackers, of the, you know, adversarial APT crews that are out there - the advanced persistent threats - for all of the, you know, crazy bad criminals in those groups, I would say probably 90% of them hold standard respectable jobs in, you know, either some intelligence capacity, in some large tech company capacity or in some technical capacity because why not? If you're good at that, you know, it could just be, hey, this is what I'm going to do at night. Some of them are, you know, hey, we work for this intelligence agency, and that's it. But yeah, I mean, there are several cases, you know, if you were to just go, like, look this up online where, you know, users are - basically said, hey, I'm just going to come in and plug in this thumb drive. 

Eric Escobar: There's a very famous thing that happened recently. There's a company called Ubiquiti Networks that makes a ton of, you know, networking equipment out there. And they had a system administrator that basically got a - went home, got on the VPN, logged in with a set of credentials that he knew about, that he had compromised in his role as a system administrator, and then was able to hold hostage his company. And so from that perspective, he was the bad, nefarious threat actor, but he was the system administrator of the company that he was a threat actor for. And so he tried to ransom them for - I think it was like $5 million or some amount of, like, bitcoin. And it was just - you know, obviously, he didn't do a very good job at covering his tracks because, you know, they caught him. But that's a great example of the fact that, like, he was trying to compromise his own company that he was a system administrator for. And it doesn't get as much, you know, double agent-y (ph) as that. I am acting as a threat actor. And it was even more interesting, and I shouldn't say funny 'cause I'm sure Ubiquiti lost a lot of money and got a lot of egg on their face. But one interesting aspect is he was brought in to do the incident response of the threat actor that he was. And so that's - it's just, like, one of those real-world examples of, like, yup, that was a double agent that was working to catch the double agent that he was the double agent of. So yeah. And I'm sure it happens. 

Andrew Hammond: (Laughter). 

Eric Escobar: You know, obviously, I don't have a ton of knowledge about what happens in the inner workings of intelligence agencies, but that would not surprise me in the slightest to know that that same thing happens at that level as well. 

Andrew Hammond: And see; for the - just thinking about this in terms of the world of intelligence as well, like, for you breaking into a company's network - so that's one part of it that's offense for defense. Is there ever a case where - not you or someone like you. But, you know, would it not make sense to, rather than just help you protect against the next attack, what if I can get into their network, the bad guys' network, and figure out what they're doing so that we've nullified the attack before it's even begun? Or am I just overthinking this? Or is it completely different in the world of cyber from espionage? 

Eric Escobar: You are not overthinking it at all. So that's - I think the typical term for that is called hacking back, right? Like, hey, if I hack you first - like, offensive hacking into that. And yeah, intelligence agencies - you know, not just ours, but all of them - all try and do that to some degree of, hey, if I can figure out what they're doing and I know what they're thinking and I know what their tooling looks like, you know, what can I do from there? You know, what is there? The hard part when it comes to the cyber domain is - that's easy when you're like - it's easy in, like, terrestrial, like, normal warfare where you're like, hey, I saw this soldier go into this barracks, so I'm going to go follow him and try and get intelligence from there. But in the cyber domain, you could be attacking a machine that doesn't even know that it's compromised. 

Eric Escobar: So, for example, what might happen is if - say you're a nation-state, and you want to try and, you know, kind of cover your tracks. You might compromise, say, a small flag company and then use the server that you compromised from there to then perform all of your attacks against. You know, and so you can say, hey, I'm a flag company that's now attacking, you know, this other company. And so the company looks at it and says, hey, we're being attacked by, you know, this flag company. And so if you were to take the analogy of hacking back, well, now you're - that company - you'd potentially be hacking into somebody that doesn't even know that they're already compromised. 

Eric Escobar: So there's a lot of weird attribution at play that you can say, you know, that if you're not 100% sure, then - especially if you're just a standard person like me, hacking any machine that you don't have explicit permission to hack is a felony. And so if you're not explicitly sure that, you know, that that machine is doing something nefarious, you shouldn't do it. And if you're in the military intelligence agency, you play by a different set of rules. But even then, you might be hacking into, say, a company that has been compromised, and maybe now the exploit that you used to get into that network, now that foreign intelligence company is going to say, oh, this is the tool that they used to do that. This is how they did it. So let's copy that now. 

Eric Escobar: So it's - you know, the whole, like, Soviet era, Cold War era of, you know, spy versus spy - that game is so much at play in cyberspace that, you know, it's - only now it's - you know, there's not, you know, cold, clandestine, you know, underneath-park-benches, you know, kind of thing when it comes to that level of cybersecurity. I mean, that still might be a thing. But when it comes to the cyber realm, it's even harder because, you know, you can travel around the world in a couple microseconds trying to access servers and do all this different stuff. 

Eric Escobar: So, yeah, hacking back is definitely a thing. There have been several well-documented cases where United States intelligence agencies have hacked back. You know, if you look at - I don't know if the United States has been actually - it was U.S. or Israel - some intelligence agency basically took over another intelligence agency or - hold on. I'm going to find you the exact story because it's really great. They played "Thunderstruck" across all of the computers. 

Andrew Hammond: AC/DC? Wow. Awesome. 

Eric Escobar: Yeah, and they played - so they... 

Andrew Hammond: Good choice (laughter). 

Eric Escobar: Yeah. So hold on. Let me find it for you - exactly for you 'cause the story is just too good. It's like hacker gold. They took over the Iranian scientists' computer network, and on all of their machines, they played "Thunderstruck" as their computers were all completely locked out. 

Andrew Hammond: (Laughter) Wow. Great. 

Eric Escobar: Which is - I mean, like, that's, like, hacker movie fodder, right? Like, that is, like, legitimate... 

Andrew Hammond: It really is. 

Eric Escobar: ...Like, real world, like - but yeah, so hacking back is definitely a thing. The legality of it is questionable at best. And the ethics of it, if you're an intelligence agency that has permission to do it, are - you know, you really have to know, and you have to really be able to feel confident that you are truly hacking back because that can backfire in many different ways. Yeah. So that could be a whole subject of an entire podcast of... 

Andrew Hammond: (Laughter) Let's do it. 

Eric Escobar: ...All the clandestine operations and the ethics behind it. And should you do it, and what are the ramifications if you do it and you get it wrong? There's tons of wild stuff that can happen. 

Andrew Hammond: And for that hacking back, that brings me on to the next question I was going to ask. It seems to me that, in former eras, the expertise for a lot of these types of information operations or the protection of information or the attacking of information, a lot of the expertise was with governments. So if you think about the - again, just coming from the National Cryptologic Museum today. Back in World War II, the leading cryptographers were not working for, you know, Kraft Foods or something like that. You know, all the leading cryptographers worked for the government. But it seems to me that with - in the modern era, it doesn't necessarily follow that the best hackers or the leading hackers all work for the government. And in fact, some people would argue that the opposite is the case because of the financial incentives and so forth. So I just wondered if you could help us understand that a little bit more because I know that the intelligence community are increasingly working with the private sector, and I'm assuming that part of that is because they realize that the main currents of expertise don't necessarily lie within those institutions in the way that they used to in previous eras, if that's - if that makes sense. 

Eric Escobar: Yeah, absolutely. I mean, it's one of those things that - I would be shocked if, you know, all the members on our team haven't, at one point or another, been asked to work for a three-letter agency. And there's a lot of reasons that a lot of people wouldn't work for an intelligence agency or a government. And part of them - you know, who knows? It might come down to ethics, might come to, like, their thoughts and views on things. But realistically, like, I am talking to you from my office right now, and it is 10 feet away from, you know, my kitchen. And so I like that aspect of it. And so when you look - when you say, like, oh, the world's best hackers, you know, they work for private industry - I'd say it's probably a mix. I don't think that, you know, Google has - you know, Google, Amazon, Facebook - you know, any of these large tech companies, that they have any - like, they're not way ahead as far as, you know, their technical prowess. 

Eric Escobar: But yeah, it's definitely one of those things that, if you want to have a - potentially more - you know, more capital coming in, if you want to make more money, if you want to make a name for yourself, you know, there's a lot to be said for going and working for a large tech company because you can actually talk about what you do because if you work for the NSA, CIA - pick your three-letter agency, and you do something super, super cool, you'll never be able to tell anybody about it, right? And you might go to work for somewhere, and they'll say, like, hey, what's this blank spot in your resume? And typically, you know, there's a pretty big back-and-forth when it comes to private - you know, private sector talking to the governmental sector. And you see that in all walks of military and - you know, that different life, you know, anywhere from - look at Boeing and Raytheon, you know, contributing, you know, information technology and tools to the governmental sector, right? Like, they're the only buyer source of that. 

Eric Escobar: And I'd say, yeah, it's definitely one of those things that the world's best cryptographers don't all work for the government. The world's best hackers don't all work for the government. There are some exceptional hackers that work for the government. But I think it's pretty well spread back and forth between the private sector and the public sector for a variety of reasons. And I think everybody has their own reasons for where they end up. But, yes, you know, it could just be as simple as, like, yeah, I don't want to have to go move to Virginia, you know, to be close to the Pentagon, right? I don't want to have to live in Alexandria to live close to the Pentagon. I'd rather live in Cowtown, Fresno, Calif., you know, and hang out with my family here. 

Andrew Hammond: (Laughter). 

Eric Escobar: So there's a lot of different reasons. But yeah, it is definitely the case that it is no longer where all the best work for the government - it's definitely spread across. 

Andrew Hammond: Yeah. Sorry, I wasn't trying to disparage the people that work for the government. I was more just trying to say that it seems to me that it's more distributed now rather than... 

Eric Escobar: Yes, it is. No, I know you're not. I know you're not... 

Andrew Hammond: ...Concentrated in one place. But yeah. 

Eric Escobar: But no, you're absolutely right. It is not concentrated. And honestly, I think that's really good that it's not concentrated. I really like the thought and ability to - that anybody in my position could potentially go work in the private sector. We could go work in the public sector and that there's even, you know, back-and-forth and cross-pollination between those two different sectors to be able to, you know, potentially piggyback back and forth. 

Andrew Hammond: Tell us a little bit more about DEF CON, Eric - so DEF CON 23, 24 and 25, you're the wireless capture the flag - on the wireless capture-the-flag-winning team, snagging a Black Badge along the way. Break that down for some of our listeners that aren't involved in this world. So start off with DEF CON. So DEF CON's a hacking conference that takes place every year in Las Vegas. Is that right? 

Eric Escobar: Yeah. So DEF CON is the - I think it's the world's largest hacker conference 'cause I think this last year was something like 30,000 people, you know, go hang out at three casinos in Las Vegas for a weekend. And there's - you know, they have - DEF CON is broken out into what's called villages. So - and you can think of those areas of specialty. So there might be a lock-picking village where there's just a bunch of padlocks, a bunch of, like, you know, people trying to basically break into locks - all different sorts, right? I happen to have an expertise in wireless, so I'm part of the wireless village. And before that, the wireless village would put on a competition. There's - and there's tons and dozens and dozens of competitions at DEF CON. But this competition specifically tests, you know, hey, can you compromise wireless networks? Can you breach wireless networks? And all the contestants have permission to breach the specific networks here. 

Eric Escobar: But one of the specific challenges in this is called a fox hunt. And the way the fox hunt works is somebody has a phone in their pocket, somebody has maybe a mobile hotspot in their pocket, and they're walking around all of DEF CON. And so your goal is to find that person, which is labeled the fox. So I happen to be just very good at triangulating, trilaterating (ph) and finding those signals in a sea of, you know, 30,000 people. And so that - it's basically - using that, I was able to - you know, it wasn't just me, obviously. It was our entire team that helped win these competitions. And yeah, it was just - at first, it started off like, hey, this would be a really fun thing just to try and find these foxes at DEF CON. And then it was like, wow, we found all the foxes, and we got a lot of points. We could win this thing. Let's do some other of the challenges to get more points on the board. And so that's really how it started. 

Eric Escobar: Yeah, it just comes down to, you know, taking a problem, you know, and breaking it down, seeing what your limitations are and, you know, trying to get to that crown jewels. But yeah, it's - mostly it's just a ton of fun. And I love that aspect. It's also called hacker summer camp. So, you know, everybody flies in from their spot in the world, and you hang out for a couple of days, you know, hang out in the desert, hang out, you know, in Las Vegas. And it's always just fun to see everybody because I work remotely. Almost all my co-workers work completely remotely. So it's a good time for everybody to kind of congregate and meet up in person. 

Andrew Hammond: And what's a black badge? 

Eric Escobar: So sometimes competitions are - you know, if the competition is deemed rigorous enough by the DEF CON - what's called, like, DEF CON leadership, it will get assigned a black badge. So if you win an event that is a black badge event - and they're not always all black badge events. There's - it changes which ones are and which ones aren't. Basically, if you win that competition that year, you get what's called the black badge, and that basically gets you a free ticket into DEF CON every year. And it was kind of an accident, actually, how the DEF CON black badge became a thing in and of itself. It was meant to just give you a free ticket for the next year when it initially was created. And then, for whatever reason, it got messed up, and they're like, oh, no, you get free access for every year. 

Eric Escobar: So how it was initially created 30 years ago was a bit of a mistake, I believe. But that's essentially what it gets you now - is it gets you free access into DEF CON for life, essentially. And it's one of those things, too, that - the thing that I really dislike about the black badge is - there were a lot of people on my team, right? And we won those three years in a row. And I don't like the idea that, hey; there's one person that - they get it. I would prefer that it's like, hey; let's split this out and distribute it, right? But, yeah, be that as it may, honestly, it's just a lot of fun to be able to hang out with all of our friends and just be nerds together. 

Andrew Hammond: One of the things that I wanted to ask now was what - let's talk Hollywood just briefly before we come to the end of the interview. Is there a particular hacker movie that you're like - well, let's break it down into two parts. Which one do you think is most realistic? And which one do you - is there another one that you think, OK, this one's complete hogwash, but it's actually really good fun and a great way to spend a Sunday afternoon with a bag of pretzels and a couple of cool beers? 

Eric Escobar: Yeah. So I think probably on the more accurate end of the spectrum - and, like, to make - like, to preface everything I'm about to say for everybody that's about to yell at their phone or whatever they're listening on, if you were to look at what I do, you're like, Eric is a hacker. Look at all the things that I do. And it's like, do I have some, like, Hollywood-esque (ph) moments every now and then? Yeah, I do. But, like, what they don't see is the 40 hours' worth of work that it took to be able to hit enter and watch passwords scroll on my screen, right? And so hacker movies are all limited by that same thing. So to say that some of them are complete hogwash is absolutely true because some of them are. 

Eric Escobar: But to preface that, I think probably the best movie - and it's a cult classic - is "Hackers." "Hackers" is a great movie. It kind of embodies the hacker ethos of, like, you know, solving problems, doing it on the fly, you know, trying to work the problem, so to say. 

Eric Escobar: And then more recently, because "Hackers" is a pretty old movie, the TV show "Mr. Robot" - they did a pretty good job about doing their research, about, you know, using the correct terminology. And, sure, is it Hollywood? Is it, you know, made for Hollywood? And is it made to tell a narrative and a story? Absolutely. Are they going to explain the intricacies of a buffer overflow exploit? No, they're not. But nobody would watch it if they did. But they use a lot of, you know, legitimate tools. You know, it's like, oh, hey. I have one of those, like, sitting right here in my bag of tricks, right? Like, I have that. I have this. Like, did they do that a lot faster? Did that work out really easily for him? Absolutely. But, yeah, I think that they do a pretty good job as far as keeping it accurate and to the point for Hollywood, so to say. 

Eric Escobar: And then I'm trying to think of the one that would be, like, OK, get out of here. You know what? I think probably "Die Hard 5" or "Die Hard 4," the one with Justin Long, where it's - like, the very technical "Die Hard" one. That one is like, OK, like, you're going to sneak into somebody's house and put, like, C-4 in their computer so that when they type in, you know, something - they hit enter, then their computer is going to explode. Like, yeah, a lot of that is very Hollywood and very, like, quick; hack that street camera. And it's like, quick; hack that street camera. Like, do we even know what network that's on? Do you have physical access to it? Is it wireless? Like, you just said hack it, and, like, it was done, you know? So, that one - I mean, it's fun. I like it. I like the Bruce Willis and Justin Long, like, back and forth of, like, you know, old, retired cop and, you know, like, young whiz kid kind of thing. Like, that's a fun aspect of it. But, yeah, I think the actual technical aspects of it are probably complete garbage. 

(LAUGHTER) 

Andrew Hammond: And you mentioned tools there. Help us understand some of the tools that we - that you would use or that you use for your job - so other than a computer. Like, people sometimes - like, here at the museum, when we bring up the term cyber, people think, well, it's just - it's so intangible. How do you even tell the story of cyber intelligence, cybersecurity? But then it also makes me think, like, radio waves are intangible. Telegraph messages are intangible, but we still use tools to tell those stories. So how - if we were doing an exhibition on you, what kind of tools would we use to tell that story or hackers in general? 

Eric Escobar: Yeah. So from a digital perspective, the tools are - I mean, it's kind of funny because you think of - like, an example of something that I use on a day-to-day basis, probably for the incorrect purposes that it was originally designed for, is a really hefty graphics card. Like, I'm talking the top-of-the-line graphics card that you can, you know, use to play all your video games on three screens at, you know, highest graphics enabled. And you're like, well, Eric, how does that help out a hacker? How does that, you know, help out a threat actor? Well, graphics cards do a lot of calculations in parallel, so they can work on similar problems in parallel and do them all very quickly, whereas typical computer processors, you know, they're more powerful than some graphics cards can be, but they can only do one after the other - you know, things one after the other. So they're just not fast and parallel. 

Eric Escobar: And so what we use that for is if I get something that's encrypted, a hashed user credential, which is commonly what we get in - you know, in any of our penetration tests or adversarial engagements, and what we need to do is, well, we need to somehow crack that, or we need to somehow brute-force and find out what the clear text version of that is. And so we use a graphics card to basically just perform trillions of calculations or trillions of guesses a second to see, can we basically brute-force that password? You know, something that would have made Alan Turing, you know, envious when he's trying to crack the Enigma code, right? And so essentially, we just say, you know - you could be as simple as, OK, I want to do A, A, A, A; A, A, A, B; A, A, A, C; A, A, A, D - and, you know, going through all the various combinations of potential passwords. And if I can do a trillion passwords a second, that's a lot of guesses. And then we apply more, you know, like, password lists, known passwords, you know, and then, say, add, like, 2022 for the year to the end of them to try and tease out what that potential could be. But that's something that is a tool of mine that I use on a daily basis that was not designed for those purposes. And that's, like, a digital tool, right? 

Eric Escobar: I have other tools. So I'm looking - for those listening on the phone right now, I have other devices that are interesting and, again, repurposed. So this device that I'm holding up to the screen - it looks probably about the size of a credit card, maybe five credit cards thick. And there's an RFID reader in here. And so if you're trying to access a badge or gym, a gate, you know, anything, they typically have these little key fobs. You touch, and, you know, it does some mechanism to say, hey, I'm allowed to be here. And so what this device does is it's still a reader, but it's also a cloner. So it reads it, and it saves that code. So now if I'm walking by you in an elevator or an escalator and I were to wand your back pocket, if I were to wand - if it was across your neck, I would then have a copy of your keycard, and I could then replay that and get into the building just as you were. We used this on an engagement a couple weeks ago, and one of my co-workers was able to use this same tool to clone the cleaning lady's badge. And so now we had access to the entire building because the cleaning staff needs access to the entire building. But we had cloned her badge. We didn't steal anything from her. We just made a copy of her - you know, of her RFID badge. And that was it. 

Eric Escobar: So that's, again - like, this is a very technical tool for a very specific purpose. But, you know, I use things that run the gamut of a graphics card that you can buy from Best Buy all the way to something that has to be purpose-built and purpose-made and sometimes even just made in-house to achieve that exact objective. But I have - I mean, you can see - for those of you listening to audio, my office is just littered in boxes that all have labels on them. In each of these boxes is a tool that I use to do my job, whether it's from a specialized USB cable or, you know, a special - so I'm a wireless nerd, so I have all my ham radio equipment, all my antenna tuners, all of that information, all, again, you know, to potentially try and compromise a client or a customer through any number of ways or techniques. 

Andrew Hammond: That's pretty incredible. I didn't realize that so many tools were involved. I think that I just thought that it was, like, a computer. But wow, that's really amazing. For - like, for that as well, this is - you know, feel free to decline this question. But I'm assuming that if you wanted to - you know my name. You could probably, like, get into my computer, rake around my files, and - yeah, like, let's not make it me. Could you meet one of your friends or meet someone and just be like, yeah, I could - I wouldn't do it because, you know, it wouldn't be ethical. But if I wanted to, theoretically, I could definitely do it. I'm assuming that for most people on the street, you could do that. If you can break into these companies and defense - you know, aspects of the Department of Defense, I'm assuming that, like, just your average private citizen would be small potatoes. 

Eric Escobar: You would think that. But the answer is, surprisingly, that to try and compromise you or, like, somebody off the street might oftentimes be way more difficult than a large company. And if you think about it, like, if you have a phone, well, you're holding on to that phone, right? So I need to maybe interact with it somehow. I have to get within proximity of you. You're moving. You know, your house is, you know, a standard, you know, house, so to say. And so your attack surface is not really that big. You know, you only have a couple devices to go after. And, you know, typically, phones are pretty, you know, secure depending on how old it is, whereas if you look at, like, a large company, if you look at, like, a Fortune 500 company, they might have 40,000 employees, and there's no way humanly possible that they could potentially guard against every known threat actor. Or, you know, if they have 40,000 employees, then at minimum, they have to have 40,000 computers. And so it's at scale that things get difficult to defend against. 

Eric Escobar: You know, if I asked you, hey, you know, you have a BB gun and you're going to try and defend your house, you're going to do a really good job of defending just your house 'cause you know everything about it. You know where everything is. You're familiar with it, whereas if I hand you, you know, a bazooka and say, OK, now go defend Giant Stadium in San Francisco - OK. I mean, you have big - you have the big guns, but, like, there's so much surface area, and there's so many places that somebody could hide that, typically, compromising a company is often a lot easier than compromising an individual. There - now, there are certain things that it's like, oh, yeah, you know, that would be fairly easy. But overall, you know, if you keep your computer up to date, you have long passwords, you have multifactor authentication, you know, which is where you get a text message or you have to push a code on your phone to log into something, you know, you use encryption on everything, you know, you have a PIN on your phone and a password on your computer, you are going to be a lot more difficult to compromise than probably the top Fortune 500 companies out there just because the nature of - you know, there's only so many devices you need physical access or, you know, relative access to it. 

Eric Escobar: And especially if you use a tool, if you use email services like Gmail or Outlook or, you know, any of the big ones out there, they're really good - they see attacks at scale. And so the amount of email that potentially gets filtered out, scams that get filtered out - like, trying to send a malicious email or a malicious phishing email is really hard if you're doing it through Gmail or through Office 365, through any of these suites of tools, which would probably be the main way that I would try and compromise - totally not Andrew. But, you know, it's one of those things that hacking... 

Andrew Hammond: (Laughter). 

Eric Escobar: An individual is often hard, whereas for a company, I only need to hack one of 40,000 computers, one of 40,000 employees, in order to get my way in the door. So yeah, that's a common question that I get. They're like, OK, well, hack my phone right now. And it's like, oh, my gosh, well, like, I'm not going to do this right now. I used to volunteer at a youth group, and all the kids would be like, can you get me, you know, more gold in Warcraft? Can you get me - you know, it's like, no. That's not how that works. 

(LAUGHTER) 

Andrew Hammond: I never thought about that. That's quite interesting - the attack surface. So your average private citizen is just presenting a much narrower front. So they're more difficult to attack. So does that reverse the old adage that if you try to defend everything, you defend nothing? Because if you're a Fortune 500 company, unless you defend everything, you're not defending anything. 

Eric Escobar: Yeah, I don't know because... 

Andrew Hammond: Does that make sense? 

Eric Escobar: It does make sense. And it's honestly just - it's a really hard problem. Like, it's a really hard problem because - you know, what I always like to tell our clients and my family is - they're like, well, I want my computer to be as secure - I want my network to be the most secure network. And it's like, OK, if you had me design your network and your only goal was to make it secure, unplug everything from power, turn it all completely off and unplug it from the - and they're like, well, that's not practical. I'm like, OK, so you don't want the most secure network; you want a network that is secure but also usable. And so in that regard, you know, I take sympathy from the aspect of like, yeah, it's really tough to keep everything updated. And if you're running a large company and you're a staff of five people and you have tens of thousands of computers to look after, there's just not enough hours in the day to do it. And that's typically why things happen. 

Eric Escobar: Or, you know, if, say, an employee left and their job duties weren't picked up by somebody else and that machine just went by the wayside because the person who was hired to, you know, keep it patched and keep it, you know, secure is no longer there at the company anymore and so it just gets left alone and nobody knows that it's there, it's really that problem of knowing what your assets are, knowing what devices are actually even in your network because if you - like, if I asked you right now, Andrew, name the number of devices currently connected to your Wi-Fi, it's not, like, 23, right? You don't know immediately. You have to think about it. Well, that's just you. That's just one person. Now, think you're a company, and you have - and, you know, you have to try and take into account all of these devices. And to make matters even worse, sometimes it's people logging in from their personal cellphone into their email, into their VPN, into their - whatever it might be, which is convenient from cost savings for the company. But as far as security, it's a nightmare because it's hundreds of different random devices that you have no control over that you have to provide support and security to. 

Eric Escobar: So it's - like, I do not envy that problem 'cause it's a tough nut to crack. And that's why people are employed with it, and there's large, large security teams out there because it's really hard to keep the - essentially, try and change the wheel on the bus while the bus is driving down the highway. It's - you know, you can't have any downtime, but everything needs to be secure. But nobody wants to reboot their computer for updates. And so it's a tough problem. 

Andrew Hammond: Wow. 

Eric Escobar: Hopefully that answered your question. But yeah, I have no envy for the people that do that job. They are doing the hard work. 

Andrew Hammond: It does. And have you - just a couple of final questions, Eric. Have you ever struggled - or have you ever failed or struggled to get into a network? 

Eric Escobar: Oh, yeah. There's been more than my fair share of networks that I'm like, wow, you guys just did a really good job against this. One of the ones that sticks out in my mind is - so when you're trying to - and you're trying to like, compromise a network, or you're trying to compromise a company, one of the things that you try and do is you try and just do password guesses. Like, hey, is Andrew's password summer2022? Maybe it is. Odds are that if you have, you know, a thousand users, one of them is going to have the password summer2022. So that's why I try it. And what they did - and I thought it was really clever - is they had a bunch of, like, famous movie stars in their, like, accounts. And so, like, there's Tom Cruise and John Travolta and all these, you know, famous actors. And when you try and log in as John Travolta or as Tom Cruise, it throws up all the red flags 'cause they're not real users. So nobody should be trying to log in as them. And so immediately I was caught. Immediately I was quarantined... 

Andrew Hammond: Wow, that's smart. 

Eric Escobar: ...And evicted from the network. And it's just little stuff like that. I'm like, that was clever. I always got to watch for that now. So now I have, like - I compare my list of users on their network to IMDb to see, you know, what famous actors or famous people are included in there. But again, just one of those things that, like, yep, that kept me out pretty darn well because if you have a thousand users, you know, it takes you a lot of time to slog through that and see, you know, man, there's a - there's, you know, nothing I could do to find out who they were ahead of time. Other things that have kept me out - honestly, just companies that have really good password policies, you know, where it's just, like, a 15-character password. You got to use a sentence. And they, you know, require multifactor authentication for everything. That's really, really solid. Like, it's really hard to try and guess a password when it's 15 characters long, and it's really, really hard to try and - you know, even if I have a password, if you have a cellphone that I need to have or if you have a code or a token or something else in addition to your username and password, it makes it really hard for somebody like me to break into your account because I don't have those things, right? So that makes it tough. 

Eric Escobar: But yeah, more often than not, I'm successful at achieving some level of the objective, but there are definitely companies that I haven't been able to breach. But the other thing that I always like to remind our clients of - like, look. You have, you know, an adversary, a threat actor trying to attack you for a week. If I'm a true nation-state, if I'm a true adversary, I might just slowly try and breach your network over the course of weeks, months and sometimes even years, right? And so that's the other thing to keep in mind, too, that I always tell our clients - is, like, look. Just because I wasn't able to get in doesn't mean that no one is able to get in. I had 40 hours. Some well-staffed and well-resourced, you know, threat actors - if they really want to get into you, you know, they have a lot more time on their hands to potentially breach your network. 

Andrew Hammond: I'm just thinking about cryptography during the Second World War. Like, to get into Enigma, that was almost an industrial-scale operation that, you know, took many thousands of people hours to deal with. So I think that that's quite an interesting point. Just because I can't do it in 40 hours doesn't mean that 4,000 people in, you know, four years won't be able to do it - or will be able to do it. And a couple of final - penultimate question - if you could recommend one book for people to learn about hacking, what would you recommend? 

Eric Escobar: So there is a book - and this might be a weird choice, but it's a book that I always reference, and it's called the Hashcat manual. And basically, what the Hashcat manual is, is a book that's maybe 100 pages long, and it's, like, maybe $10 on Amazon. And what it does is it has all the known types of hashes and encryption functions. And basically, you have - say you have the word password. How do you mangle that? How do you encrypt that? What are the processes that are done to encrypt and secure that? 

Eric Escobar: And it's not, like, a - this is how you get started hacking. But it just shows you all the different methods that super, super-smart cryptographers and people have come up with to secure and safeguard cleartext information. And so while it's not, like, a - this is a get-started guide on how to start hacking, you know, "Hacking for Dummies," I just appreciate it, and I like it from the sheer fact that it is something that I reference quite often. And it is something that just goes to show that there are so many different ways to solve a problem. 

Andrew Hammond: Wow. This has been so fascinating. Eric, I've really enjoyed speaking to you. I feel like I could speak for another hour and a half. 

Eric Escobar: Oh, we could probably talk a long time. 

Andrew Hammond: But to be continued, maybe at DEF CON next year. 

Eric Escobar: Yeah, absolutely. 

Andrew Hammond: Yeah. This has been a lot of fun. Thank you ever so much. 

Andrew Hammond: Thanks for listening to this episode of "SpyCast." Go to our webpage, where you can find links to further resources, detailed show notes and full transcripts. We have over 500 episodes in our back catalog for you to explore. Please follow the show on Twitter at @INTLSpyCast and share your favorite quotes and insights or start a conversation. If you have any additional feedback, please email us at spycast@spymuseum.org. I'm your host Dr. Andrew Hammond, and you can connect with me on LinkedIn or follow me on Twitter at @spyhistorian. This show is brought to you from the home of the world's preeminent collection of intelligence- and espionage-related artifacts, the International Spy Museum. The "SpyCast" team includes Mike Mincey and Memphis Vaughn III. See you for next week's show.