Inside the Mind of the SUNBURST Adversary

Listen to SentinelLab’s Principal Threat Researcher Marco Figueroa explain how the SUNBURST adversary conducted one of the most impactful attacks in recent cybersecurity history, an attack whose consequences are going to reverberate for months and years to come.

Marco is speaking as a guest on the To The Point podcast series and goes inside the mind of the adversary, explaining how the attacker patiently lay dormant for months inside SolarWinds before using the Orion platform as a springboard to infect 18,000 downstream customers.

Marco discusses the magnitude of the breach, the attack timeline, and how the adversary prioritized government agencies. He also explains how important it is for security teams to hunt not only for what is already known about this attack but also what may have been missed.

Inside the Mind of the #Sunburst Adversary transcript powered by Sonix—easily convert your audio to text with Sonix.

Inside the Mind of the #Sunburst Adversary was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors. Sonix is the best audio automated transcription service in 2021. Our automated transcription algorithms works with many of the popular audio file formats.

Welcome to To the Point cyber security podcast.

Each week, join Eric Traxler and Carolyn Ford to explore the latest in government, cybersecurity news and trending topics.

Now, let’s get to the point.

Good morning, welcome to To the Point, cyber security. I’m Carol Lin for it here with Eric Drexler. Eric?

Hi, Carol. And it’s actually afternoon. We’re recording in the afternoon this time.

Do you know what? You’re right. It’s afternoon for me to this time.

And a sad afternoon. A sad afternoon.

Well, this is our last joint episode together.

Don’t make me cry. It is. Yeah, I am.

I am off for new adventures, man. I’m going to miss this.

So, yeah, I’m going to miss you. I know the listeners will miss you. It’s been a it’s been a quite an enjoyable ride. I’ve really enjoyed this.

It has been it has been fantastic.

And, you know, preshow show. We got to talk to our guest for a minute, Marco Figueroa. And I think this might be one of my favorite episodes ever, just based on our conversation. Marco, before we even started recording.

Marco, welcome to the show. Sorry, we’re tearing up a little.

Already know I’m tearing up with you guys. I didn’t know you didn’t tell me this.

It’s very special because I’m the last one is our last show together to the point will continue. Nice. We’ll figure out what the journey with the path looks like.

But Caroline is leaving the organization for unchartered better waters and you know, it’ll be good. I wish you the best. It’s been a it’s been an amazing time getting to know you these past three years.

Caroline, same Eric and I. I just have to say I’m going to a really cool company when I saw their technology. It’s something that every IT shop needs. The name of the company is dangerous. So go check it out and you’ll know what I mean when you go see what they’ve got.

So with that, though, let’s get to Marco Figueroa, who has a principal threat researcher at SentinelOne one.

His technical expertise includes reverse engineering incident handling threat intelligence.

He likes to do bug bounty on the weekend. I did not know this was a thing until just now, but apparently you can make a lot of money in this, right, Marco?

Absolutely. Go look up some of the people on the leaderboards, a hacker one, and you see the bugs that they are getting and the rewards and the payouts.

It’s this is what I’m going to miss, meeting people like you, Marco. So, I mean, I got to figure out how to keep this going.

So anyways, at least at least you’re not going to solo ends, right? Whatever, Chris.

Chris Krebs is there. I wouldn’t mind. I’m not going to lie. Yeah.

Yeah. They’re getting some needed help.

Well, and speaking of Selwyn’s well, let me just finish your very impressive bio. You also talk about hunting.

And before SentinelOne one, you spent seven years at Intel as a senior security researcher.

So what we want to talk to you about today is exactly what you just mentioned, solar winds.

I want to I want to get inside the head of the adversary. So I want you to be the adversary and tell us what you’re doing in there.


I think for me to to paint a picture for the listeners, I think yesterday or the day before yesterday, solar winds released a blog on the timeline. Right. And I think it it’s really critical to look at that. And I had discussions with other colleagues about the timeline. So it’s interesting. So what they reported was nine for nineteen. The actor actor accessed solar winds.

Right. There was about a year and a half ago. You’re saying twenty nineteen. Not twenty. Twenty, twenty. Nineteen. Yeah, yeah. Nineteen.

Eight days later, they inject test code and begin the trial run to see if they’re detected, how is deployed, and and that carries on to 11 for 19. Right. So let’s take a step back. Right. If I’m doing a pen test or I’m the actor. I need to know first of the software, how it works, how it does right, I can download the free trial, install it, take a look of how it works, reverse engineer it using IDEO, Pro or Gaja or something like that to understand or use a another tool of your choice to understand how it works. Right. What can I do? What can I replace and put in its place to to blend in and not stick out.

So and that’s really David’s right, Mark. I mean, as good as you are that I’ve known you a long time, you still take a little bit of time.

Oh, yeah. Oh, yeah. So for for me, if if I’m penetrating their network, I’m first getting a understanding where everything is getting the lay of the land, doing recon and just building a map of the attack surface and what’s going on.

So you understand it.

Yeah. It’s not like you just going to however you enter, you still got to figure out how where everything is. Right. I’ve worked on cases where the saw for all it did was a recon mission of the environment it was in. So it took what software was installed, what was the BIOS version, what kind of hardware was on the system? So they can tailor the next time they penetrated, they can tailor their their target for this specific environment.

And this doesn’t even include markka. This isn’t even including the the prep time thinking about the operation and the nation state level where which type of software are we going to try to penetrate and how do we want to do it in which teams are going to be oriented towards that? We’re talking an operation that was probably at least two years in the making, if not more.

Absolutely. The patients, you know, when when you get into an environment, you make potential mistakes, right. As an attacker, time favors the attacker. When they’re not when when they’re ghosts in a show where they’re not detected, once they’re detected, the time favors the defender because they have time. And that’s what we’re seeing now. You’re seeing trickling reports come out, right? Every week, so like last week, there was a report, this week there was two reports also there was another. I don’t want to mention the name. There was another firm that was compromised, their certificate that those secure emails. So you’re going to start seeing this over and over the hack that will keep on giving.

Well, as physicians, the patients look at and they just know, I guess it wasn’t really when they decided to strike it, when we finally noticed them.

What why did we notice them? I’m jumping ahead in the timeline. Keep taking us through the timeline.

We’re going to go there because there’s some juicy parts that I want to cover first. So just the test code was around two months, right? Just around two months.

So they’re just doing just looking back to understand, just seeing if anyone’s detecting what we injected into it.

Is it fair to say is it safe? Is it safe to say that it was at least two months from what we know?

That’s that’s what’s on the timeline from nine, 12, 19 to 11 for they’re just testing out.

Right. How do we get that exact injection date?

I know that’s kind of a dumb question, but it’s it’s not out there. And this is this is why for me, it is like you as solar wind. The thing to do is really provide solid evidence, backing everything up from logs to to show you have to show it. Because as an attacker later on on this podcast, I’m going to show you why. If you have the software, you need a worry, you need a carpet bomb your company and there’s no food here.

This is real talk. You have to understand the magnitude of what’s going on. So. Jumping forward to two, 20, 20 when Sunbus was compiled and deployed. So we’re talking about patients as soon as November happen.

Right, and they said, OK, there was no detection timeline shows to 20, 23 months, basically three months, all of November, all of December, all of January and most of February, short month, by the way, they just waited all they didn’t.

What do you think they were kind of waiting for?

They were there were waiting to get more into the election mayhem to as a distraction. And then maybe when it hit, they they were like, oh, this is even better.

We’ll go now.

I think potentially they were they were waiting and as an attacker, I’m waiting and looking right. Not only. Understanding the environment better, right, that I think that time, right, it’s it’s like the nine four initial penetration, I already understood your environment. I know where everything was. So the nine four and then the nine 12, that was like, OK, I popped in. And I already know where I’m going.

So this is in Windsor, Ryan, we’re not talking customers yet. We’re not talking customers. Yes, just into Solar Windsor, right?

Correct. Correct. And this is this is why for me, it’s there has to be more information and more transparency than ever because so many people were infected and they have to be more transparent talking about this, because a lot of times who keeps logs, it’s very expensive to keep logs. So. How did the how did how did they figure out nine for 19 was the initial did that three actors leave something on the box so you could understand that it was them? And these are all questions that all of us researchers, Brett Hunters, analysts, everybody wants to know. So Sunbus happens comp.. Then in three. Twenty six.

Twenty eight months later, hotfix. Yeah, a hotfix five. Dialo was available to customers. Now. This is all assumptions because they didn’t. Write anything about that? My guess is good. So Lauryn’s, they didn’t write anything on their report, what, three twenty six twenty is they just put Hotfix five Dialo available to customers. I’m guessing that that is the Sunbus implant was available to customers for customers to download. But again, that’s my assumption. It’s not facts, but that’s what I’m thinking.

So then.

June 4th, Tier removes malware from Build VMS. What the what is that they took out everything. My assumption that you have. Close to four months there that it was up and people were downloading. My guess is that the the scene, what they wanted to see and now they have access to the solar winds, customers that they wanted know. And they’re going to remove the evidence, scrub it, we’re going to scrub it is gone.

So when you say they have basically sweeping out footprints. Yeah.

And when when you say they have access to those customers, at that point, they’ve gone in and created possible fake privileged user accounts with those customers. So whatever they did with solar winds, they don’t care anymore.

They’ve got in the door and they and they moved laterally to other platforms.

Mm hmm.

And then you don’t need solar winds anymore right there on their main targets. Yes. Let’s let’s remove the fingerprints, the footprints, whatever you want to call it, so we’re less likely to get caught. And we’ll go to phase two of the operation.

So then that happened, fast forward 12, 12, 20. Solar winds notifies. R is notified of of Sunbus, so you have all that timeline now about this injection of code. Happening now, we’re going to put all of that aside.

And now I’m I’m I’m the red team or hacker actor. So let’s talk about the access permissions you just said. Right. If you had that Sunbus Orion DLO installed on Adewusi and or Zuhur. How can the attackers leverage these permissions, you know, for the setup contributor role, which allows you to start, stop, restart your VMS and then for Amazon you can do a little bit more, which is metric. You can look at metric stats and terminate instances, so. That that right there, that role is is really important. And then you have, you know, if you have knowledge of the cloud API and you have some excessive. Access to company resources, everything is unlimited to you, right, everything is there, you you’re completely own. Let’s say you had that. You know, Amazon s three bucket full access to everything that’s like logging in and seeing all your instances of you using Amazon across everything was to say with that access, they don’t turn something on. Inject something into. One of one of the eight of us, you know, servers or or it’s just unlimited, it’s unlimited, unprecedented access that I’ve never seen.

Britain as an attack to the other as an attacker, mark your choices, really, where do I go now? Like, where do I spend my time?

Because time is of the essence. I have no idea how long I’ll be in here undetected. What’s how do I prioritize, how do I stack rank and then what do I do?

Ok, let’s let’s put the AWB and ASER aside for a second. Let’s dig into exploiting the access permissions stored in Orion. So if you have the Orion platform, you have a database installed just by the because this is where stores installs everything and you potentially have all the information of identity and access management or I.T. asset management. So all of the Orion holds all the credentials, such as domain admins, Cisco routers and switches, ESX I v center credentials, AWB or any cloud route API keys and so database much, much more. All of everything. Yeah, yeah. It is. You personally targeted tool. Yeah, you must go.

Yeah, it is, I think it’s shut everything down like what you’re seeing right now. You’re telling me they have access to shut.

Everything now, what I’m saying is, if you had that software, whatever was in that database, whatever. They had or that company had stored, you have to have to realize that. You have to consider everything on the Orion platform compromise, not all you have to once you go to an asset that you found out through Orion that asset may have access to.

Other things, so so in essence, your whole network essentially is is burned or you have to at least suspect that Carolyn. Yeah, I was talking to somebody yesterday and one of the customers who was who was impacted by this. The first inclination was let’s just let’s just set up a whole new infrastructure and network and everything will burn it all down, burn it all down. And that was great thinking. You can’t do it.

Yeah, not easy when you’re thinking now when you’re an enterprise, right.

You can’t a government enterprise can’t burn it all down, but you almost have to think like every single thing out here is suspect now. And that’s the beauty of this attack.

Well, and so who has Orien? Tell me. Everybody in the world. Eighteen thousand customers.

They said eighteen thousand customers. And there were clearly dozens that were impacted to Marco’s point about, you know, the time is not on the adversary side. Once they’re detected, once they were detected, they had to. You know, they were running out of time. They couldn’t get to all 18000, not that they ever would, but they had to prioritize from the beginning.

But, you know, it looks like they prioritized government agencies, Deb, customers, telecommunications, you know, the key infrastructure of the United States and our and our allies.

Yeah, it’s. The hack is unprecedented, and you’re right, the one thing you have to think about, if you had. You know, Sunbus is that everything is compromised. But imagine if you work in a place that I know that has over seven hundred thousand employees.

What do you do, you can’t burn them all down. It’s Caroline, it’s almost like being invited into Willy Wonka Chocolate Chocolate Factory, like you’re in this amazing place, but you can’t eat all the chocolate. So what are you what are your choices?

So what do we do? Marco what do they do?

I’m the red team.

I’m looking at the VP over here and I’m asking you if you’re consulting someone, I’ll give my answer after yours. But if you’re going to a company and and they’re asking you what should we do? Even if we had ten thousand points, what do you say?

Hiya, Marco.

Immediate, I would say, and here’s here’s my thing, I would me I would say.


You know. OK, I like that, but that’s that’s that’s for another day, another story. But I mean, what do you tell a customer, though, right? Well, that’s what I just said.

So I think I had some good guidance here, right.

This week or late last week. I forget what it was on the 8th of January.

In the last about a week ago, they announced alert a 20 dash, three fifty two dash, which talks about compromise of buying and bypassing a federal identity.

Solutions, talks about using forged authentication tokens, tokens. So basically, you’re zero trust architecture, if you were heading down that path, is compromised also because the things that credentials, the core credentials were burned. So my my answer markka, without naming any products or any organizations, is I think you need to go back to a point in time along that timeline when you ingest it, when you uploaded the latest solar winds patch that would have allowed the adversary on your network. And you need to start looking at all user IDs and everything from that time forward. Now, could they play with system clocks and do things like that? Maybe, maybe not. But at a minimum, you’ve got to look at everything that was created from what was the date, March 20th. Maybe you’ve got to look at everything from from that point forward. March twenty six, I think. Forward and absolutely understand that Marco Figueroa is Marco Figueiro, and you’ve got to look at what those users are doing with their behaviors, where you’ve got to go back to logs, you know, if you have insider threat capability or some kind of EDR capability that was capturing information, either cash and or storing it in a database. Going back to your logs. And it is this is just grunt police work like forensic work digging through that. I think you have to do that, Carolynn, or you have to burn it all down and start over, which is unlikely.

But that’s what I’m asking. Like, in the meantime, while you’re doing all of this, like Marco is giving the scale here of seven hundred thousand point seven hundred thousand users, do you shut it all down while you check it out? You can’t do that because you don’t. Then they’re continuing to move.

Yeah, that continues. And I’ve seen Marco. I mean, he’d continue to keep moving. You can’t catch me. It’s you can’t catch me, Eric. I’m faster than whack a mole.

Yeah. Yeah, it’s a whack a mole mentality. You’re going to be whack a mole thing. And and this is the thing, you know. Initially when this happened, Microsoft stated that, you know, they weren’t hacked, right, and I think I tweeted something I retweeted something from someone from Microsoft. Right. Two weeks later, we found out, you know, there was no modification. But we we received the source code. Source code. Let me tell you. Access, right. So source code. We don’t know what source code. I haven’t seen anything that Microsoft stated except they accessed source code. But here, again, as a red or as an attacker, as a bug bounty hunter, what I could do with that is I don’t have to reverse engineer things anymore. I, I because if I access it, that means I probably copied it. And whichever way or we don’t know, again, transparency. This is why, you know, everything has to be open because now for me, I’m like paranoid to download stuff now from Microsoft, from everything. Everything is in a VMD that I install and then detonate it if if you know, it’s not good. So this is I think building trust with customers is is very important and being transparent, especially these days where we’re getting reports. You’re going to see so many more reports in the upcoming days, weeks, months. It’s going to continue to to to happen. And yesterday there was another report.

Yeah, this is the tip of the iceberg. This is this is what I would tell you is the tip of the iceberg, Carol.

And this is why I say this is beyond Snowden, buckshot, Yankee. Right. You name it. And imagine if the adversary wanted to actually cause harm. We’re talking sabotage. We’re causing damage, talking damage, as opposed to just espionage. And maybe they can in the future because they’re inside what I would question, the one thing I would question is anybody who says we’re clean, we’re good, we know we’re OK, who who was accessed? I would say, how do you know that? At this point, Sammarco, Murka, you get in through solar winds, you you clean up your footprints. You’ve now compromised three sixty five active directory, maybe some Eitam ICAM tools, Zira Trust is no longer trustworthy as an adversary. How do you think? What’s your next move? What do you do? How do you prioritize? You’re in the chocolate, actually. How?

Yeah, usually, you know, it’s to stay and and have access. Right. If you stole stuff like they were saying court records were where access and I guess stolen again, transparency is is really important because we we have to know because we have to as they share, like with Sunspot, we start to have a better understanding for future attacks. So people like if I’m the attacker and I penetrated a company, it’s to maintain access. And you’re so deep in the company, you could, like, pivot upon pivot like. Oh, yeah, you found that. But you’re not going to find me for another four months because I’m over here. You know, it’s maintaining that access. And, you know, supply chain attacks are going to be here to stay and this is. Something that that will go down as one that, like you said, it’s the biggest hack.

Of all time.

So so what’s your thought, I mean, as a hacker, I read T’mar, you know, all these cyber security companies are coming out and they’re saying, hey, here’s a patch, addresses all the you know. We can address all these Aoki’s indicators of compromise around solar winds. To me, it’s too late. I think it’s great that you’re doing it, but.

The horse has already left the barn or the adversaries inside the castle walls, if you will, and they look like you, they act like you and you believe they’re you. So the fact that you’re closing the the castle drawbridge or you’re raising it.

Yeah, but I think needs to be it’s correct. It’s important, though, for that to happen. You know why? Because if you have eighteen thousand customers do like all those customers can’t like, pay for EDR. Every incident response team right now is busy. You’re not going to hire someone. So you need tools. You know, we released the tool. We release blogs to help people that aren’t our customers, like, hey, oh, it’s it’s like running the tool. Right. And this is important. It is a community task. It’s not just one company. The community needs to help each other here because, like I said, eighteen thousand customers. You’re not going to. If a customer right now tried to get. Another company, another firm to try to do an investigation is going to be hard, it’s like, OK, you’re on the list, we’ll get to you when we get to you, because everyone is busy enabling to your point of why it’s so important that we’re transparent and that we’re sharing the information.

So you said that the supply chain attacks are here to stay. Which idea?

How what do we do to make sure that that kind of code doesn’t get injected again, like what? What could have solar winds done? To detect that before it went out or a solar orange customer.

Yeah, yeah.

So, you know, I always believe if you’re a large company, you need a team to vet. You know, your. The software you’re bringing in and really vet them, right, and understand a company that that is your I.

Yeah, if you’re a consumer of a software product, you need to have a team of people who actually look at in this case, it would have been solar winds. Look at the update process. You don’t have access to the source code. How do you do that? I mean, I’ve worked with some government agencies. I know you’ve worked with with also markka that they don’t have enough staff to do it. They’re they’re always behind. You know, you can do you can do selective, you know, pull even. They ask for the source code to do source code reviews. And even in that, I bet they miss things.

I don’t know that that’s feasible. Is it?

I think, you know, depending on the company, right, the last company I had, we did have that right. We had red teamers auditing code. Because this is a part of of.

The security life-cycle and a company, let’s assume the fortune one hundred can do that, did you find anything?


Password’s in the clear, probably, hey, why are you why are you lying back to a company with with update messages or whatever, but would you have found it?

And even if you could, even if the top one hundred companies, not the world, can do it and afford to do it and do it perfectly, rest of world can’t do it.

Well, do you think here’s a question. Do you think you know, the reason why solar winds came out was because they were alerted by who? Or fire first. Exactly.

Exactly. With the red team to us. But but you would as you would assume that fire. I would be better than most in this regard. Yeah. And turns out they were luckily. Yeah. So they went public on I think it was December 13th. They went public right away, which, which huge kudos to FireEye. A lot of companies would have said are my red team tools. That’s that’s a huge part of my business. Why would I ever do that?

They were they found it because they had already been compromised. Right. They didn’t find it before they got compromised.

Well, this is the they’ve stated that they were compromised.

And this is why, like, I wonder if FireEye didn’t come out right with solar winds have come out the way it did. I feel like, you know, fire. I put put them on blast and told them, hey, you know, you got to we’re going to tell our shareholders or whatever the case is. We don’t I don’t know the politics behind there, but I’m pretty sure we do the time frame. We know what time frame exactly was the 8th of December.

The Fiery Red Team Tools report came out. They put a report out on the 13th on solar winds and on the 14th, the very next day, solar wind security advisory was released.

And then the next day, Microsoft seized the Sunbus control and command and control domain. And things started to shut down from that from the initial attack vector perspective.

And that’s what I’m saying, it’s great, right, but the damage has already been done. You know, this was an operation ongoing for six months and maybe they six months were they were in for nine or 10.

What I’m saying is like three twenty six. And then when they initially got caught. Right. And they’re still like I said, they’re still catching a lot of things out there.

Microsoft reported to I think it was memcache yesterday. About their search being compromised so they can read secure email.

And it is it is, like I said, the tip of the iceberg, as people start digging more and more, you’re going to see more reports. It’s going to get scary.

So as a threat research, I don’t want to scare everybody. What do you do? What are you looking at?

How do you think through this problem if you are working for a compromised agency, what would your advice be right now?

I think back to Carol, this question, yeah, you see a lot of times, and this is what I believe, this is my belief a lot of times a lot of companies are reactive to a situation. Right. How do you become proactive? How do you go on the offense? Right. Which is start having your threat hunters hunt, but also start putting your rules out there on virus total so you can get more detection and build that detection rate. And and for me, a lot of times we wait for an alert. You know, that is, to me, the wrong way, especially now, because everybody is thinking of, yeah, it’s the reactive, we got an alert, OK, what do we do instead of being proactive? And what’s going to happen is. Forget about, you know, what’s going on with solar winds and the and what happened, it’s what else did they put in those environments? What else do they do that we don’t know? And that is where you’re going to start seeing the trickle down effect of of this hack. Yeah, right.

And that is where it’s at and it’s scary, Carolyn and right in all of our time together, we’ve had some amazing guests on the podcast. And when Dmitri Alperovitch crowd strike, former crowd strikes, CTO and founder.

Mentioned hunting.

Which is a conversation I had had with him before, and you get so wrapped up in things and and he took me back to early on and he’d been talking about that for years, like more than a decade.

It really it was one thing tangible that we can grab on to as cyber professional, cyber security professionals. We don’t hunt too much. There aren’t a lot of Marko’s out there who are actually reverse engineering malware, reverse engineering code, looking at things that are suspicious on the networks, going back to the cyber defensive teams and saying, hey, you’ve got some potential vulnerabilities here. As Dimitri said, ninety nine percent of the budget is spent on the perimeter or spent on tools to protect.

There’s very little on actually looking at what’s happening in your in your environment, on your networks, with your systems, with your users, with your people, and determining if that’s appropriate. The hunting piece. It was such an eye opener for me, EPP.

Yeah, and and I agree with that, right, a lot of my times I look at reports out there and one of the things here’s a recommendation for everyone listening is when you read a report, at least for me, a report from whatever company that has hashes.

I look at their report and I say, did they miss something?

And that’s what what I do as a hunter, I want to find something that they missed. I’ve worked on a case around twenty seventeen that. Affected the company I was working at at the time, but it wasn’t in their report and when we went on a call with them, I was like, look, there is a a a jump. You only covered this side. But this was more important to us, a specific pattern and code. And I was like, I think, you know, I had a reverse engineer to say, hey, this impacted us more than what they reported. So these are the little tricks that you can do or anyone out there as an analyst, as a hunter or even as a manager is like, what did someone else miss? And the show that I always tell people to watch when they are when they are in this field is watch the first forty eight. You have 48 hours to, like, get the bad guy right, so you start understanding how the scene is set up as as a hunter who shot the gun, where’s the bullet? Right. What kind what kind of gun? If someone die and it’s the same thing you do when you’re researching something.

So, Detective.

And as we wrap up here, what what Mark was talking about is reminding me a lot of what we just talked to Jared Quants, who is an insider threat program manager, and he’s he said the same thing, Marco.

He said you go into interrogation mode, you start asking all those questions and dig, dig, dig.

And that’s so I’ve heard you say. Get on the be proactive.

Don’t don’t be on the reactive side, start hunting. And then the other thing that you’ve brought up multiple times and has been brought up by many of our guests, Eric, is just share the information, be transparent, and then we all know to start asking those questions. Right.

I think one hundred percent you’re you’re right. But this particular. Hack, it needs to be transparent because you’re going to have people helping out. That’s not on the payroll, right? You release an indicator myself and about ten thousand other researchers are helped, are trying to put out reports or things that can help the community. So this is why transparency is super important.

And this one’s got crowdsourced.

What we saw with fire irate as soon as FireEye went public, boom, the the picture opened up and people started to see the extent of the problem, which they had been dealing with for nine to 10 months without even knowing it was impacting them. But I still see that issue of government. It’s really hard for government and and and industry to share information is going to call again yesterday, I assume, because covid. But where we’re still talking about the same things we’ve been talking about for more than a decade on information sharing, on how to get it out there, you know, we haven’t put protections in place for companies against lawsuits and and negligence. There’s a lot to do. I don’t see the government sharing a ton when they do. It’s usually late. It’s impartial. It’s it’s it’s a component of something.

So we have a lot of work to do here, but I agree with you, Mark. We’ve got to open up. We’ve got to work together because it just keeps getting worse.

Yeah, and like I said, it’s the tip of the iceberg. And also, you know, during this time, we’re in covid, right? What Beryl’s. Way to spend your time, then help investigating. So as these, you know. Hashes and indicators and everything, you have to share them, give you a good example, the report that came out this week had a hash. They didn’t share the sample. You need to share the sample, right? Put it up in VTI. It’s going to eventually get up there. But again, the hasher is there. You know, they’re not sharing and they have their own reasons. But this particular incident needs to be very transparent and you have to share.

Yeah. Marco, thank you so much for I.

I’d like to keep you for just a minute more. This is actually my favorite part of the show. Oh, yeah. We give you some rapid fire question.

So what is a show that you have watched recently and just love?

Besides the first 48.

Having watched the show, let me see you always bug hunting, aren’t you?

I’m always I want to see you to tell you you talk today. I feel like I was watching your show.

You’re going to have to skip to the next one. I don’t think Marco is right.

Don’t really just say YouTube, YouTube or sorry, there was yesterday I put on Aitel.

It’s OK by Donald Glover. Do you have Danny Glover? Do you have any guilty pleasures?

Uh. This being in front of my computer, I don’t know.

All right, what do you read?

Or maybe is a better question, I would say a lot of growth in self-help books. I love that really. I mean, it’s very entertaining.

It’s all life.

Yeah, so what are you reading right now, I’m reading there’s there’s three books I’m reading I just finished A Green Light by Matthew McConaughey. I absolutely love that. And if you guys going to read it, don’t read it by the audiobook because I read it and then I bought the audio book. I’m also reading Stephen King’s On Writing, which is interesting is how he writes and how he preps himself, how to write.

And the third one is TV 12 method, which is winning, having like a winning mentality like Tom Brady. So those are the three books I’m digging into now.

Do you have a cybersecurity must read book?


I have a few, actually, they’re over there, I would say.

Joe, I love Geyser’s, so that’s on the top of my mind, the GI Joe book. By no stretch, that’s for tools, let me give you a few for bug bounty, I would say go to website. They have a.. One, they have like their little books and four.

Offense, security. Misty.

I think. The art of exploitation, there we go.

Nice, nice light reads for a weekend.

Yeah, OK. Yeah.

All right. Marco, if you had a magic wand and you could change anything you wanted in cybersecurity, what would it be?

That’s a good one. I think there’s there’s sometimes a lot of drama, I don’t get into drama, but I hear through the grapevine, so drop all the drama. It’s all about love and helping each other and providing value to everyone.

Amen. Well said, unexpected and well said.

Yeah, all right, I think we already know the answer to this, but what would you say is the biggest cybersecurity impact in the last 12 months?

And we talked about it on this. I think we did. I think we got it.

And I think it I think for the next 12 months as well. And then 20, 20 to 10 years.

Right. Well, I don’t want it to continue. And there will be copycats. And the mechanism is is sound.

Yeah, well, it was a pleasure to be on this show and thank you. I’m so happy you know that. I got to meet you, Carolyn, before you exited stage. Right. So it was a pleasure, I hope. Good luck. Good luck. And I hope you stay in touch.

America, keep going. Keep keep the world safe. Keep doing what you’re doing with your research and reverse engineering and in getting information out there.

Really, really appreciate it. Glad you’re at central one right now. Making love a better place. I love it.

You’re one of my you’re now one of my cybersecurity heroes also. Like much Eric.

Yeah. Now Mark is a guy I got you. If I have any issues, by the way, I do have an IP address. I want to run by you, Marco. Anyway, with that being said, Caroline, it’s been so much fun working with you and so much fun doing the podcast. I’m really I really will miss you. But with that, the show is over.

It is about the show will go on, but yes, this has been the highlight of my yes, to be honest. Good. Wow. Well, that’s.

Now, this is a fun thing. So this show is over, I should say, today show. We will continue. So we will continue to the point. Cybersecurity, we have too many listeners and we cover too much good ground.

Eric, we need to have a follow up show, maybe in like six to eight months to see what plays out. Oh, don’t worry. We will have a collection.

We’ll still be playing the game, unfortunately. But anyway, Carolyn. Godspeed, Eric.

Same to you, babe, as. Thanks for joining us on the two of the Point cybersecurity podcast brought to you by Force Point for more information and show notes from today’s episode. Please visit w w w dot force point dot com slash gov podcast. And don’t forget to subscribe and leave a review on iTunes or the Google Play store.

Automatically convert your audio files to text with Sonix. Sonix is the best online, automated transcription service.

Sonix uses cutting-edge artificial intelligence to convert your mp3 files to text.

Transcribing by hand is no longer necessary; put away those headphones. Automated transcription can quickly transcribe your skype calls. All of your remote meetings will be better indexed with a Sonix transcript. Create better transcripts with online automated transcription. Do you have a lot of background noise in your audio files? Here’s how you can remove background audio noise for free. Better audio means a higher transcript accuracy rate. Easily share and publish transcripts that were automatically transcribed by Sonix.

Use Sonix to simplify your audio workflow. Colleges and universities use Sonix to convert their lectures, classroom sessions, and research recordings to text. Let powerful computers do the work for you; automated transcription in minutes. Transcription agencies are able to better serve their customers by using Sonix’s automated transcription in the back office.

Sonix uses cutting-edge artificial intelligence to convert your mp3 files to text.

Sonix is the best online audio transcription software in 2021—it’s fast, easy, and affordable.

If you are looking for a great way to convert your audio to text, try Sonix today.