How to become an APT hunter with Carbon Black
In this episode of Infosec’s cybersecurity podcast series Cyber Work, host Chris Sienko talks with David Balcar, security strategist at Carbon Black. They discuss a wide range of topics, from how David got his start in security to many of the ins and outs of being an APT hunter — which is one of the hot subjects in information security today and a dream job for many.
Strap yourself in and get ready for a fast-paced, information-rich exploration of how to become an APT hunter!
What should you learn next?
How did you first get interested in computers and security?
David was first bitten by the computer “bug” (pardon the pun) when he was about ten, experimenting with Apple II and IIe. This led to programming and working with the Pascal assembly language.
After graduating from high school, David joined the Navy and later began working for his friend’s computer repair shop. This experience gave him a great foundation, which led him to begin networking with a focus on Novell networks. He worked for an engineering firm building large-scale Novell networks and later began a company called NDI. This company had two sides, one focusing on security and the other on traditional integration.
How has the cybersecurity landscape changed since you first got involved?
According to David, it has changed a lot. When he first started, cyberattacks were mainly boot-sector attacks and screen locks, and moved into cybertheft and stealing money. This followed the age-old wisdom: people go for the money.
What are some of the job titles and responsibilities that gave you the tools you needed to excel in cybersecurity?
David has held many titles leading up to his current one, that of security strategist at Carbon Black. He has been a programmer, which helped teach him processes and began his self-described life of living in the 1s and 0s. His subsequent titles include network architect and network security engineer.
All of these titles taught him the responsibility of knowing what things are supposed to look like and other foundational learning that he still uses to this day. One of the most important things to glean is that you need to know where the data is and how to access it.
What’s one step listeners can take today to get closer to a career in threat hunting?
The biggest thing you can do is get training. Some say you need certain certifications, but many organizations will hire you without one. David says you should start from the ground up because without a solid foundation, everything else is a moot point. For example, you can’t reverse-engineer malware without knowing basic programming.
Another tip David forwarded is to know your OSs, and this means more than just Windows. Otherwise, you won’t be doing yourself justice.
What are APTs and how does hunting them differ from standard threat hunting?
A big difference between APT and standard threat hunting is that APTs are performed by nation-states or highly sophisticated cybergangs. Those behind APTs want to be on networks for a long time without being discovered and they change their tactics constantly.
A key thing about threat hunting is knowing what is at your endpoints and what “normal” is supposed to look like. You also need to be able to look at raw data and understand what it is telling you. For instance, Notepad.exe should not be communicating to the outside internet.
Another difficult aspect of APTs is that they have been observed using LOLbins and can be difficult to detect.
What set of skills, certifications and training will best prepare professionals wanting to move into APT threat hunting and analysis?
David offered three pieces of advice:
- Know your OSs, as they all have their different challenges
- Take a look at GIAC
- Set up your own lab at home. This will allow you to get malware samples, detonate them at home and learn from them
He is a visual learner and follows the “wreck it to build it” principle.
Are there any downsides to the kind of work you do?
What keeps David up at night is how fast malware and malicious tools are evolving. Every day, he thinks of new ways to break into a system because if he can, others can too. He also thinks about defense — meaning how can he stop himself from imagined attacks. This all boils down to him potentially working 24/7.
Do you have examples of some of the biggest and scariest APTs out there right now?
David, halfway tongue-in-cheek, says that the biggest ones are not known about yet. One known APT that is of serious concern is the supply chain attack. A real-world example of this type of attack was the ASUS updates operation which affected millions of machines that downloaded some malicious updates. Another big one is financial attacks which are, of course, after the money.
Do you ever go on the offensive, or is that outside of your purview?
This is out of his purview, as there are laws against reverse hacking. The problem is if you hack a hacker back, by that point they have bounced to another targeted company.
David’s main concern here is to block all he can, detect everything else and remediate as fast as possible. Knowing where your intellectual property is, where your data is and what is encrypted will help you in dealing with hackers the right way.
What do financial institutions have to do to fight off these cybercriminals?
Isolate! He says these institutions need to segment their environments and watch lateral movements, as attacks rely on them. Also, financial institutions should display a measure of proactivity by making themselves a harder target.
What are organizations looking for when hiring people with APT-hunting experience?
Those looking for APT hunters are all the three-letter organizations, penetration testing firms, incident response firms and MSSPs. David added that you should not rely on the job description requirements — they are often unrealistic.
What aspects of a security program should organizations improve if they’ve worried about APTs?
Go after the low-hanging fruit! Before you speak to your organization’s C-suite about APTs, you need to make it relevant to them. For example, conduct a survey about how much it will cost your organization to be shut down for 24 hours, or even one week. This will pique their attention and get them moving proactively.
What should you learn next?
Where can you find David?
David can be found on Twitter at @Network232 and at carbonblack.com. Additionally, he speaks at 50+ security conferences every year.
The biggest take-away, according to him, is to get involved in the security community and start networking. You will meet a lot of helpful security professionals and learn a lot in the process.
Conclusion
In this episode of Infosec’s Cyber Work Podcast, Chris Sienko chatted with David Balcar, security strategist at Carbon Black. They explored questions about one of the security dream jobs that many may have.
You can watch the full conversation with David Balcar on the Cyber Work YouTube page.
In this Series
- How to become an APT hunter with Carbon Black
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity