In this episode, we are joined by Scott Scheferman, a cybersecurity expert with a rich history in the field, from his early days in tech to his current role in a cybersecurity startup, Eclypsium.
Scott shares his journey through the digital transformation era, his experiences in both commercial and government sectors, and how he navigated through a layoff during the COVID-19 pandemic.
Scott delves into his early experiences in cybersecurity, his struggles with imposter syndrome, and how public speaking helped him overcome his insecurities.
Join us as we delve into Scott's journey in the world of cybersecurity and his insights on how to navigate it successfully.
“It's about knowing who to turn to and providing value when others are in need.
You can't always take, you have to give as well.”
Thanks for being an imposter - a part of the Imposter Syndrome Network (ISN)!
Machines made this, mistakes and all:
[00:00:00] Chris: Hello and welcome to the Imposter Syndrome Network podcast. This is where we all belong, especially those of us who think you don't. My name is Chris Grundemann, and today due to a scheduling mistake on my part, I'm all alone. Uh, no, Zoe Rose today. A little behind the scenes we schedule in advance. And so she's actually at, uh, at BSides in Dublin, I believe today.
[00:00:30] Chris: Busy with other stuff, so it's just me, but I think it'll be good. This is the Scott Scheferman episode, and I can't wait to dive in. Scott is one of my go-to cybersecurity experts as he keeps a hyper current beat on the threat landscape and how it continues to fundamentally change cyber risk dynamics.
[00:00:50] Chris: Uh, hey Scott, would you like to go ahead and introduce yourself to the Imposter Syndrome Network?
[00:00:55] Scott: Yeah. Thanks for having me on, Chris. I really do appreciate it. I, uh, I think this is a really important topic. I lived most of my career with the imposter syndrome in cybersecurity, so, uh, I very much relate to it.
[00:01:06] Scott: Yeah. I'm, I'm, uh, Scott Scheferman. I'm the, uh, Office of the CTO principal strategist at a little company called Eclypsium. We do supply chain security, so all the threats and vulnerabilities that the bad guys are targeting underneath the operating system like Windows, Linux, Mac. So, all the firmware and hardware that those operating systems sit on, that's kind of the space we're in, dealing with bad guys from Russia, China, Iran, North Korea, et cetera.
[00:01:34] Chris: Yeah. Excellent. So you and I know each other at least primarily through a group called w00w00. That's, uh, a little w, zero, zero, little w, zero, zero. Since this is an audio format, you can't really see how it's written out. Anyway, I'd kind of like to start there today. Maybe you can tell us a little bit about what w00w00 is and maybe even how and why you got involved with that group in particular.
[00:01:56] Scott: Yeah, so I mean, w00w00 goes back to, gosh, I don't, you know, I, I didn't, I wasn't there at the very beginning, but late eighties, early nineties, phreakers, hackers, and, and actually folks, not just hacking, just folks that, like, helped create what we experienced in the dot-com era. Like everything from Napster to, uh, I mean, the founder of Duo Security is, is a w00w00 OG.
[00:02:20] Scott: We've been around for a very long time and the group has really grown and kind of morphed and shaped into what it is today. So, I mean, there's a lot of eras to cover in the middle, but, like, that'd be a whole episode. Right. But, like, it's a pretty phenomenal group. You know, it's, it's part trust group now.
[00:02:37] Scott: It's, uh, partly a group that works together to help, uh, law enforcement and other folks, you know, find who these bad guys are. We, you know, kind of do that on the side a little bit here and there. We, we do research, we collaborate together. We share threat intelligence together. We build things together, whether it's a tool or a framework we need to solve a certain problem.
[00:03:00] Scott: We throw amazing parties, uh, at BlackHat, Defcon and elsewhere around the world and, and in local areas as well, where we all get together and share information and, uh, share a beer or whiskey. It's, for me, the most profound group in, in, you know, my career, especially the last, I would say, 10 years especially.
[00:03:16] Scott: I'd be on an incident response engagement, trying to help a victim of, of a ransomware attack, let's say, and I would need help from a friend. And I can dial in the folks that are the most connected in this industry, and not just in the cybersecurity industry, but like in many industries, you know, telco, backbones, people that have DNS telemetry, people that work in certain organizations that might have seen the same kind of badness too.
[00:03:39] Scott: And maybe they can help me navigate what's going on in my victim's, uh, environment. So it's a very resourceful group, but more than anything, it's a group of friends that have stuck around and kind of have the same mojo and mystique of not being selfish with your information, just completely sharing all the time, completely helping anybody else out, and all of us would bend over backwards to help somebody else out in need.
[00:04:03] Scott: Whether that's a personal life need, whether you're having problems with like, just, you know, mental, uh, health. Just because in this industry, a lot of folks go through a lot of challenges in that regard. Uh, career finding jobs, all sorts of stuff. So, you know, I, I couldn't recommend a group like woowoo enough for anybody in this industry.
[00:04:22] Scott: At all. It's literally the, the secret sauce, if you will, of being successful.
[00:04:27] Chris: Yeah, I agree. I mean, it's really awesome. It, it's one of the best communities I'm a part of as well. And I think in general, right, that that idea of community in the internet industry, digital infrastructure industry is super important for all the reasons you shared.
[00:04:38] Chris: Right? And I think that's actually part of what you're doing in your current role in the Office of the CTO, right? You're, you're doing some thought leadership, understanding the threat landscapes, going out there and speaking. At least that's my outside view. Maybe you can tell us a little bit more about, you know, what does that job entail, being in the Office of the CTO?
[00:04:55] Chris: You know, what, what do you do every day?
[00:04:56] Scott: Yeah, so it's a small startup, right? So, uh, we've been around since 2017, so no two days are alike. Um, a hundred percent. I do everything in the organization that somebody can do. All of us kind of work in the dotted lines between the, the org chart boxes to just get stuff done and focus on first things first to move the needle.
[00:05:14] Scott: I focus a lot on threat research, uh, threat landscape research, tools, tactics, techniques the bad guys use. I do a lot of research in, like, the IT supply chain area as well, finding low-level threats at the firmware level. The kind of stuff that can bring down an entire data center or an entire hyperscaler environment, or the kind of espionage campaigns that go four or five years before anybody in the entire industry discovers it as a victim or, or as a technology stack.
[00:05:41] Scott: To me, it's really, really interesting. If you look back in my career, I realized that, you know, I did like 17 years supporting mostly DoD and federal systems, and at the peak of that career, I was the, uh, technical lead for the whole Navy Certification Authority, which means my stamp of what the risk was for a given system, whether that's a million-device enterprise like the NMCI, or whether that's like a standalone system on a submarine or a weapon system or a satellite system.
[00:06:07] Scott: Those systems would come through my group of folks that did security risk analysis on those systems, and if they weren't adequate, sometimes those systems weren't even able to go operational. So it was quite a high-level responsibility at the peak of my career around 2013, 2012. But then something bad happened.
[00:06:25] Scott: The, uh, Iranians managed to hack the NMCI, uh, which was the larger, one of the largest networks in the world, apart from maybe American Express at the time, with well over a million devices. And at the time we did not think the Iranians were a very sophisticated threat. We thought they were mostly doing website defacements and, like, political DDoS kind of attacks.
[00:06:43] Scott: But no, they had gotten into that network and rooted through the entire infrastructure and, and basically had keys to the kingdom for a period of time. That really upset me cuz I was responsible for, like, the security. How did, how did that unsophisticated, you know, that was the perception at the time,
[00:06:58] Scott: actor succeed so well? And I realized we, the whole Navy, wasn't able to see what's called C2 or callback detection, that malware would call back to, to phone home, if you will, for commands. And so I did research in the commercial space and figured out at the time FireEye did a really good job of that, as well as their sandbox detonation chamber kind of technology.
[00:07:19] Scott: So I went to work there as a solutions architect and threat intelligence kind of person. And you know, the last seven, eight years I've been in the commercial space working for cyber vendors. And the reason I'm doing that is ultimately to bring that back to the mission, if you will, so we can all get better together, cuz what the DoD does really well, uh, the commercial side does horribly at, and vice versa.
[00:07:39] Scott: The commercial side is really, really strong at certain technologies and advancements that the DoD kind of lags behind because they're just a large apparatus with a lot of red tape that has to move slow by definition. So I've always just been one of those people that tries to get ahead of the, uh, of the bad guys, if you will, whether that's shift left and application security, whether that's being where the bad guy is before they get there.
[00:08:02] Scott: When it comes to, like, predictive AI, when I was at Cylance, my, my greatest kind of, um, realization and contribution was research I did that showed, after WannaCry hit, that the algorithm that that vendor had, that was 60 megabytes in size and ran locally in a box without any ability to call back, was able to predict that payload three years before the authors even coded it.
[00:08:25] Scott: So talk about being ahead of the enemy. That's, that's kind of what I mean. That worked out in DF/IR circles as well. And now I'm here at Eclypsium still trying to get ahead of really bad days that we're, we're right on the precipice of experiencing, given a lot of stuff going on in, in kind of the global climate of, uh, the chip wars, the race to quantum, the IT sanctions against Russia.
[00:08:46] Scott: All this stuff kind of converges to put a lot of pressure and a lot of threats and vulnerabilities on the devices that are right in front of you right now at a low level that the rest of that whole security stack can't see. And that's why the bad guys are going down that low. They're, they're invisible down there, and they also have omnipotence down there on our device.
[00:09:04] Scott: They're at the root of trust, right? So I'm trying to get ahead of that bad day. Just to keep the good guys ahead, uh, if, if that makes any sense.
[00:09:12] Chris: Yeah, no, absolutely. Uh, makes, makes total sense. That's great. And yeah, that, that really resonates too, that kind of, you know, maybe having a little bit of one foot in each sector, right?
[00:09:20] Chris: A little bit in, in the, in the public sector, government side. Still definitely focused on commercial, the last, you know, greater part of a decade. Um, but being able to kind of see both sides and seeing the advantages and disadvantages of working in both and trying to maybe, you know, pick the, the best pieces of, of each to, to move forward.
[00:09:35] Chris: You know, you've had your own, um, company, Armanda Intelligence. Is that, is that still active? Is that kind of on hold while you're at Eclypsium, or still doing a little of both? How does that work?
[00:09:44] Scott: It's, it's, uh, it's, it's on hold now. I, I went into Eclypsium, so during Covid I was actually laid off, because my role where I was prior to Covid hitting was public speaking, thought leadership, traveling around the planet on the stage.
[00:09:58] Scott: And when Covid hit, of course, all that came to a stop and I, I was an expensive employee in that kind of a role, and a very strategic role, and so I was laid off and I started Armanda Intelligence. Thank you for pronouncing it correctly. Most people say Armada, but it's actually named after my grandmother Armanda, and that was pretty successful.
[00:10:16] Scott: That got me through many, many months of, of Covid as an LLC, and I was able to consult for organizations and do board advisement and go-to-market stuff. I do some marketing too: how to monetize cybersecurity and, and improve your brand image with it and that kind of thing. But I've had to put it on hold because this space now is so hot.
[00:10:36] Scott: It's so fast moving. I'm working harder and faster and longer with more determination than I've ever had in my, you know, 25-year cyber career. And I just have just chosen to put it on the back burner and just completely, let it not die, but like, I'm not doing anything with it at all.
[00:10:53] Chris: Yeah, that makes sense.
[00:10:55] Chris: And that's awesome that, you know, Eclypsium was kind of able to step up and, and take all of your time and energy and that you're able to, to do the things you want to do there, you know, that, that, that's obviously a great outcome. What I'd like to do is rewind a little bit and kind of go back when, you know, I always do a little bit of due diligence before I have a guest on and I noticed that, you know, all the way back to see like your first role, at least the first role that's listed on LinkedIn right now, which is, you know, over 20 years ago was in network security.
[00:11:19] Chris: Obviously had like a, a network twist there, but, but in security, and, you know, at least in my experience, that's fairly rare for, for somebody to kind of start their career, especially somebody of our generation of our age to actually start their career in cybersecurity. A lot of folks start in, you know, as a sysadmin or as a network admin or something like that, and then find security through the grapevine.
[00:11:39] Chris: And, uh, and you kind of have been in security the whole time. You've, you've been leading your career. That's interesting. So I'm wondering how that happened. Why did cybersecurity come on your radar so early in your career, and, and how did you even land that first job in, in cybersecurity without, you know, necessarily experience before that?
[00:11:52] Scott: You definitely did your due diligence and, uh, it's something that, that reality that you just described is why I've had an imposter syndrome for so long. Because I got into cybersecurity not knowing anything, like you said, even about it, or how, what, what the OSI model was, or all the kind of fundamental aspects of the stack and how technology worked.
[00:12:10] Scott: I was in sales prior to that and I was, like, building video game PCs for video, uh, games in my basement, making extra money on the side. I would build those for a thousand dollars in parts and sell 'em for 3,500 bucks. And that was fun and it was hard to do, and it was kind of a puzzle back then to, to assemble RAM and CPU and all that stuff and make it work.
[00:12:30] Scott: So I, I was in the dentist chair one day and, and the woman cleaning my teeth said, you should talk to my husband. He's at this little company called International Networking Services. And for anyone who's been around as long as we have, Chris, uh, they were kind of the mainstay of the dot-com. Their, their brand logo was the, you know, the knowledge behind the network.
[00:12:48] Scott: They were the folks actually building and doing and setting up ISDN lines and re, you know, replacing thicknet with, like, with Ethernet and, um, token ring, security and stuff, and we were doing cybersecurity before it was even called anything like that. It wasn't even called information security yet.
[00:13:03] Scott: It was literally called, like, a security posture assessment. My first job, my mentor and longtime friend, now Corey White, and I were in the office in Orange County and, and, uh, our boss said, you're gonna install a firewall tomorrow at a university. And I said, what's a firewall? He goes, well, you dunno what a firewall is.
[00:13:20] Scott: I, I dunno what a firewall is. And, uh, back then a firewall was nothing more than an analogy with the, you know, we all know now, the castle and the moat, and, you know, it's a, it's a blockade between the internet and the inside network. So I went to the library with Corey, were there, you know, till it closed.
[00:13:32] Scott: And we looked at books and found a book on iptables. And the next day we're on a Linux box in a little makeshift DMZ and we set up a firewall, right? And a week later I was dumpster diving into a global shipping company, doing what we'd now call a physical penetration test. I was walking through the front door with a clipboard, literally dumpster diving.
[00:13:52] Scott: They wanted me to sniff the network. I did that and I found out I couldn't, because at the time, Wireshark did not work with token ring. They had a token ring network. I didn't expect that. Um, I was getting nothing and didn't know why. But while I was sitting there in the office, there was a bunch of three-ring binders with a bunch of dust on 'em, and I picked one up outta curiosity and looked at it.
[00:14:10] Scott: It was every global employee, like thousands of them around the world for the last 10 years. All of their social security numbers, addresses, phone numbers, the whole nine, and I'm like, I'm done here. This is the worst thing you can ever have, is some contractor sitting in an office with nobody monitoring, and I have all of your employees' information in all these three-ring binders right in front of me.
[00:14:29] Chris: Yeah. Wow. Didn't even need the network.
[00:14:31] Scott: That was like 96 and 97 or something like that. I, I didn't know anything about network security. I, I, I learned networking through the lens of security. That's actually been a boon for my career because it's my primary perspective, and everything I've done since is through the lens of confidentiality, integrity, availability and, and all those kind of things that we take for granted after we've been in the industry.
[00:14:52] Scott: But it also gave me that imposter syndrome. For example, I was not a CS degree or anything like that. I had never coded anything other than in seventh grade in the Caribbean when I did my first, uh, BASIC and Pascal kind of programming exercise. And to this day, I'm not a developer. I don't script, I've never been a Linux admin.
[00:15:09] Scott: I've never, um, tried to build a tool to fix a little problem. I've managed to go through 25 years of cyber consulting and pen testing and running DFIR teams and all sorts of things, you know, basically in a leadership role with folks that do know how to do that. My, almost my whole career, because I didn't have those fundamental skills, and that gave me definitely an imposter syndrome that in many of my career moments kind of held me back.
[00:15:36] Scott: Uh, do you wanna go do this red team, like as a, as an operator? Yeah, but you gotta know, I'm a script kiddie and I might, might hit the Hail Mary button, uh, you know, or, uh, run Nmap. And, and that manifested to an actual failure. I was, uh, at a little consulting company, the oldest one in the country, called Booz Allen Hamilton, and I ran Nmap on a Navy vessel and brought down the operational network in the process and thought for sure I was gonna get fired.
[00:16:02] Scott: Had an admiral yelling at my boss, and I was in the room and I had to keep my mouth shut. And I was almost in the point of tears because I had so badly messed up with just one flag on the Nmap scan cuz I was in a hurry under pressure and, and I had that imposter syndrome. I was operating in a nervous kind of condition of, oh my god, you know what I mean?
[00:16:21] Scott: I'm in over my head. So I've felt in over my head my entire career. And I know I'm not alone in that regard. I think even people that are really well skilled almost always feel that in cybersecurity.
[00:16:32] Chris: Yeah. And I think it, it goes beyond cybersecurity, at least in my personal experience as well as, you know, other folks I've talked to. It's almost the other half of the Dunning-Kruger, uh, paradox.
[00:16:40] Chris: Right. Where it seems like the more skilled people are, the, the more they worry about their skills. Right. And you know, I think it's related to that Dunning-Kruger effect of, like, the more you know, the more you realize you don't know. And it definitely causes some, some fear and trepidation there. There is another side to it too, which is, similarly, in the beginning of my career when I actually didn't know anything, I was very, very aware that I didn't know anything, and that was really hard.
[00:17:03] Chris: You almost, you know, at least in these kind of the creative class or, or folks who work with their brains every day, whether it's in IT or digital infrastructure, cybersecurity or, or maybe even something else. I, I think it's almost a natural piece of, of this type of work because we're, we're constantly judging ourselves against other people's intelligence and things like that.
[00:17:21] Chris: Really, really interesting. So what do you do when you feel that, that imposter syndrome kind of kicking in? I mean, is it something that, cuz you mentioned that one of the reasons maybe that mistake happened was cuz you were feeling under the gun, you were feeling a little bit less than in that moment. Is that a feeling you have to guard against, and do you have methods for getting away from it, or, or is it something you've learned to accept and, and use, or, I don't know.
[00:17:42] Chris: Right. Maybe just tell me about that process of, of what happens when you're feeling that way.
[00:17:45] Scott: Well, on the mental kind of how-you-frame-it side and the insecurity side, it's definitely something you learn to manage, and I think some people, they never get through that their whole career, and for other people they finally do.
[00:17:56] Scott: I think I got through that when I was finally comfortable, like, getting on stage and doing public speaking and kind of working a big room. For me, that was also, like, a, a great fear that almost all of us have of public speaking. But when I got there, I felt like I could judge by the audience's reaction that I was giving them value, and that kind of finally fixed my imposter syndrome for, for good, I mean, for lack of better words.
[00:18:19] Scott: I still have a ton of insecurities and, and I guess not insecurities, but like, um, blind spots. Like in 2016 and 2017, I was probably one of the most foremost, uh, people that were pushing forward with AI and trying to do thought leadership and communicate the value and architect solutions based on AI that would solve the cyber problem.
[00:18:39] Scott: Fast forward to 2023, and I'm probably at, almost in the back of the field already. You know, my prompt skills are very, very low. How, how well do you prompt ChatGPT is a primary job interview question. At least it should be at this point, right? And so it's, it's so amazing how quickly this space, uh, changes because of technology, and along with it then how your insecurities kind of manifest.
[00:19:03] Scott: The way I compensated for that is much like how we started this conversation with regards to w00w00. Back in the late nineties at International Networking Services, INS, we had a pager system, and I remember on the eve of, uh, you know, Y2K, uh, I had three pagers on my belt. Uh, two of them were to individuals that knew how to program in COBOL, and one of them was the one I always cared for those two or three years, which was to a system we called, like, the Wizard System, which was a giant forum where you could ask a question to anyone around the world who was also a network engineer within INS.
[00:19:38] Scott: And you would get a response back or a resource or a link, or, you know, if you're doing subnetting, can you help me, like, subnet this, or, uh, this network, cuz I'm trying to configure a router or firewall. You would just get answers back. So the answer has almost always been, it's who you know and how well you, you provide value to others when they're in need, because it really does work both ways.
[00:20:00] Scott: You can't just always take, you have to really proactively find people you can help, and you can't help everyone, but you can find somebody else for them that can help them, right? So even if it's just that secondary introduction that you can make in a time of need, it goes the longest way. I mean, that's why we're all lifelong friends now after 25 years, is cuz we've all been there for each other.
[00:20:21] Scott: You know, that's the best way to compensate for that.
[00:20:24] Chris: Absolutely. I agree. I think that, uh, the community and, and having those relationships and, and knowing who to, who to call and who to ask. It's definitely been huge for me. I know one of my first kind of big grownup, call it network engineering, jobs was at, uh, Time Warner Telecom, which then turned into TW Telecom and then got bought by Level 3 and is now part of Lumen.
[00:20:43] Chris: But anyway, you know, one of the things I did there was I joined a team of, of eight in the, uh, kind of top-tier NOC where we had, you know, enable on the networks. And one of the things we did was build a lot of automation to kinda make that job a little bit easier. In doing that, you know, there was definitely all these times where I ran into walls of, like, not knowing what I was doing and, and a lot of things were new, and being able to kind of swivel-chair around.
[00:21:05] Chris: And luckily a buddy of mine, Ryan Privette, he's the guy who got me hired there and he was really smart. And just knowing that I had that kind of almost safety blanket of like being able to turn around and ask him a question was huge in, in, in the early days of, of my network engineering career. And then definitely since then I've found kind of bigger and wider communities.
[00:21:21] Chris: Sounds like you have as well. So I definitely want to kind of underline what you said there, that, that give and take of, of helping people out and getting help is, is huge. We actually just had a guest on, Jan Zorz, who's one of my friends. He's in, uh, Slovenia, and he was talking about that, right? He kind of explained, you know, the idea of these communities is this, this amazing thing where, you know, if you show up and somebody asks a question and you know the answer, you can answer that question.
[00:21:45] Chris: And people love it, and that's a good feeling to begin with. And then what you find is that later on when you have the question, you know, instead of spending three weeks doing research and digging through docs and, and trying to figure it out, you know, somebody probably pops up and, and gives you an answer right away.
[00:21:56] Chris: Which is, which is pretty awesome. Pretty powerful.
[00:21:59] Scott: Yeah. Talk about being in over your head. The hardest thing I think I ever did in my career was in, uh, early two thousands for INS. Like 99, 2000. I went out to, uh, Qwest in Denver, uh, which had a ton of dark fiber, as in, you know, a fiber optic, uh, ISP, and we had to do what was called a database reconciliation problem-solving exercise.
[00:22:24] Scott: It was a four-month engagement. We lived in apartments next to downtown on the 25. I managed a group of 20 folks that were there and we were trying to solve the very hardest problems that ISP had, which is like they had customers that were paying indefinitely that weren't even getting service. And conversely, they had a bunch of customers that had been getting free service for years.
[00:22:43] Scott: And reconciling all that was just probably the bane of my existence cuz I was managing personalities and we had a bunch of personalities and it was, I mean, you know, all sorts of employee problems. And you know, we sat at these computers and the customers looking over our shoulders the whole time. They didn't trust us.
[00:22:59] Scott: We didn't trust them. They had some malicious insiders at the time that knew that we were there finding some bad stuff that was going on on the billing side of scam, you know, uh, basically criminal stuff that was going on at the time, which was not common for, on the call center side, as well as on the provisioning side of, of those, those businesses still as today, quite frankly.
[00:23:19] Scott: So that was definitely the hardest part of my career, because it, it wasn't about cybersecurity, it was about, like, people management. It was about leadership, and it was about, like, containing chaos and, and keeping a customer happy and all that kind of project management stuff. If I could advise anything on people, that's definitely, get, like, studied up on PMBOK and project management.
[00:23:38] Scott: If you're doing consulting at all, those basic skills will take you so far. Even if you'd like to be the person that's not customer facing. If you just wanna do red teaming or something and you don't normally present to a customer, don't even worry about that. Like understand project management. It will help you succeed tremendously in your career.
[00:23:56] Scott: I think that was probably when I really started to excel, is when I was forced to learn those concepts.
[00:24:00] Chris: I think that's great advice. I, I really like that a lot and that's something we haven't heard before, but I definitely feel the same way. I think that, you know, the little bit that I know about even, and also the other side, right?
[00:24:09] Chris: Like Agile and Scrum and, and kind of that stuff that I've picked up, and being able to work with developers and, and even organize my own teams that way, has been super helpful. And just understanding those, those skills, and, and even in self-management, even if it's not even a team, right? Just, just knowing a bit about project management and, and knowing how to kind of break down big projects into smaller tasks so that you can set goals and, and kind of work through it has been super valuable for me as well.
[00:24:30] Chris: Yeah. So we are about out of time here for today. I mean, time flies always. Scott, do you have any, any projects we haven't touched on that the imposter syndrome network, uh, should know about?
[00:24:42] Scott: Yeah, so I submitted a talk for Black Hat Defcon and I hope it gets accepted and if it does, I want everybody to show up, cuz it's gonna be quite the, not the mic drop, but the bomb drop, if you will.
[00:24:53] Scott: It's, it's really gonna be impactful for the industry to understand where the threat landscape has gone when it comes to this level of IT supply chain security, and the, the specter of what we're looking at here with the vulnerabilities at this low level have been super exposed recently, because a lot of ransomware actors have leaked a bunch of source code, development, uh, frameworks and, uh, private keys for all of your top-tier vendors like AMI and MSI, and
[00:25:20] Scott: NVIDIA's been compromised, and Quanta, and the list goes on of all these victims of ransomware who then leak, through double extortion, all of the most sensitive IP source code for the firmware that is the foundation of trust and compute itself. And so all the assumptions we've had about, like, managing the platform, well, that's up to the OEM or the vendor managing firmware updates.
[00:25:43] Scott: I don't really worry about that. Managing your baseboard management controllers. We better start looking out, because there's ways now that we've found where you can bring down entire data centers indefinitely, to the point where you cannot even restore them, regardless of backups and regardless of whether you're using your baseboard management controllers to do so, which is usually your last line of lights-out defense, because you're using that apparatus to actually bring down the box in a way that's unrecoverable.
[00:26:09] Scott: It applies not just to catastrophic and material impact situations like that, but also to the espionage campaigns that go 2, 3, 4, 5 years when you have a UEFI bootkit or an implant that the whole security stack and all of us in this industry have not been paying attention to, cuz we focus so heavily on malware and callback detection and all the AI stuff and all the SIEM and SOAR and all the, the rest of the stack that ironically is built up from the bottom up of this foundation of trust.
[00:26:35] Scott: And if I have access to the CPU and the memory, and I'm pre-boot, I have all the power I can. I have my own network stack that the kernel doesn't even know about. I can exfiltrate data, I can do updates. I can deploy malware payloads, and wipers and everything else in a way that the rest of the stack just doesn't see.
[00:26:51] Scott: And I can get in from the internet through a Pulse Secure device and do all of that living off the land without any malware at all. I don't even need malware. Right? So, like, nation states. That is terrifying, right? It better be terrifying, otherwise I'm not doing my job. But like, yeah, I'm excited about that.
[00:27:07] Scott: And the one thing I'll end with, the one thing I'll end with Chris is, um, it's a call to arms for the community. So anybody listening to this in this cybersecurity industry, you know, we, Chris and I have been around for a while. Maybe not everybody has, but one of the things that kept us together that we really need to revert back to is the sense that we are all one family.
[00:27:25] Scott: We're all cut from the same cloth. We need to put aside our political and biased opinions and, and divergence of community cultures and focus on the fact that we're hackers first, here to do good in this world and to fight evil and fight bad. And if we don't do that, we're fragmenting and fractioning ourselves so much that we're losing our advantage to protect my child's future and this infrastructure and this freedom that we enjoy.
[00:27:53] Scott: And this thing called the internet that we, we kind of like. We're failing as a community doing that, because we're putting our idealistic, orthogonal concerns ahead of just being hackers first and families first. Like any family, you have to stay a family. It's the one thing, if I could get up on stage at Def Con and talk about it, it would be this conundrum we find ourselves in.
[00:28:16] Scott: And it's not to belittle or to reduce the importance of those political differences and your conviction in them, but to rather resurrect the critical importance of being one family that looks out for one another.
[00:28:28] Chris: Hear, hear. I don't think I can add much to that. I, I love the message and I'm glad you pulled that out here.
[00:28:33] Chris: I agree completely. So with that, we'll be back next week.