Podcast

Blazing the Threat Hunting Trail

Posted: 27th April 2020
By: MONICA TODROS

Yolonda Smith is head of cybersecurity at Sweetgreen, a fast casual restaurant chain that focuses on salads, with over 100 locations coast to coast in the U.S.

Yolonda shares the challenges of securing the array of elements involved in a farm-to-table food service organization, from supply chains to customer credit cards. We’ll learn about her humble beginnings in the Air Force, her approach to problem solving and collaboration, as well as her pioneering role in threat hunting — before many people were even calling it that.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 156 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Yolonda Smith is head of cybersecurity at Sweetgreen, a fast casual restaurant chain that focuses on salads, with over 100 locations coast to coast in the U.S.

Yolonda shares the challenges of securing the array of elements involved in a farm-to-table food service organization, from supply chains to customer credit cards. We’ll learn about her humble beginnings in the Air Force, her approach to problem solving and collaboration, as well as her pioneering role in threat hunting — before many people were even calling it that. Stay with us.

Yolonda Smith:

I grew up in Houston, Texas and always was the kind of kid that was interested in breaking stuff, figuring out how things worked. I was that kid that broke our very first computer, trying to figure out what was going on with it and I got in a lot of trouble. I always knew that just figuring out how things work and really understanding assumptions, was something I was passionate about.

I was lucky enough to earn an ROTC scholarship and I went to the University of Notre Dame in South Bend, Indiana. And I studied computer science and, I will tell you, it was tough for me. It was really, really dry and boring, not because the monks and the nuns weren't thrilling, it was because it was very straight-laced, and very these two pieces together equal this third piece. I wanted to understand why we needed to put those two pieces together in the first place.

So I graduated. I did my thing. With an ROTC scholarship, what ends up happening is that you are required to serve, basically pay back that scholarship in service in the military. So I joined the Air Force as a Second Lieutenant and my very first duty station was overseas at RAF Lakenheath in England. No kidding, after the Air Force paid, I don't know, how many hundreds of thousands of dollars for me to go to school and for me to go get trained and to come out on the other side of it as a person who was ready to take on the world, my very first job was in the mailroom. I worked in the post office for the United States Air Force, your tax dollars at work.

Dave Bittner:

Wow.

Yolonda Smith:

Yeah. Honestly, that was probably the very best thing that could've happened to me because I had the opportunity to talk to people and to understand, really, their challenges. While it wasn't strictly a security assignment, it gave me an opportunity to figure out, and to really think through, how I could actually make things better, and again, what assumptions that we were making in our processes that were making it really, really hard for people to achieve their end goals, which is getting mail.

I'll tell you overseas, we had two days that we cared about, Christmas and Tuesdays. Tuesdays was Netflix day. That was back when Netflix was still sending out DVDs. I mean, it was like clockwork, Monday night at about 8 PM, we get this huge truck that came in and it would just be chock-full of Netflix DVDs. By Tuesday morning, at 8 AM, we had a line out the door for people trying to get their stuff. That was an opportunity for me to say, "Hey, we know this pattern. We know what it was going to be. We know that we have this huge demand. Let's figure out how we start to change that assumption, turn it on its ear and get people their materials without having to wait for this huge crush." Luckily, we-

Dave Bittner:

How did you do that? What was your approach?

Yolonda Smith:

We ended up having to work with our upstream distributors. So the mail doesn't just come straight off the truck directly to the final destination. It came to Feltwell, which is another RAF base, and then from there, it went down to Ixworth, which is another RAF base, and then it finally came to RAF Lakenheath where we had the vast majority of actual consumers. We were a service base. We had the largest post office, a large U.S. post office in the United Kingdom.

Yeah. We ended up working with our upstream distributor that was sitting at customs, and we said, "Hey, why don't you split this into two routes? You know that you're going to have smaller routes going into Feltwell and going into Ixworth, but you know that the big route's coming in at RAF Lakenheath. Why don't you just basically put another truck out and go directly to us where you can actually service your customers, the vast majority of your customers, quicker. They can get their materials without having to wait on Tuesday. And, oh, by the way, it means that we actually can lower the demand on other types of mail that we were expecting, especially around Christmas."

That was nuts. And it was a simple matter of, "Hey, we have one problem. Let's split that big problem into two problems, smaller problems and solve for that." That's really been the guiding principle of my career, take a big problem, break it into small problems and solve what you know.

Dave Bittner:

It strikes me that a lot of people would have been discouraged by coming out of their educational experience, being sent overseas and landing in the mailroom. I could imagine a lot of people just sort of going with the flow and not rocking the boat and just sort of marking out their time until their next assignment came, but not you. You took this as an opportunity to go in there and make a difference.

Yolonda Smith:

Yeah. Well, that's always been my style. I never want to settle for what's put in front of me. One of the things that ... I had a boss that would tell me, later in my career in the Air Force, who would tell me, "You know, the reward for good work is more work." And so, I got plucked out of the mailroom, I got put on the help desk. Again, it's another opportunity to ... Basically the network control center help desk ... Another opportunity to talk to people. Working mid-shifts at night when you have angry generals that call in and say, "Hey, how come I can't get ..." whatever weird software that they're trying to install in their computer working, that they weren't supposed to have in the first place, right?

That's an opportunity to really try and understand what problem they're actually trying to solve for. Again, throughout my career, it was a situation where people thought that things were all going to be set in stone and the path was predefined, and then it turned out that, yeah, we can make a difference. Yeah, we can turn our assumptions on their ear and rather than say, "No, you can't do that," or "No, that doesn't make sense," or "No, we're not going to try," we're going to at least entertain the question, and then from that point, try and figure out what steps we can take to actually solve that problem.

Dave Bittner:

How do you handle the diplomatic side of that? I'm thinking in particular in the military, when you have a chain of command, I can imagine not everyone responds with open arms to someone who's coming through and trying to shake things up.

Yolonda Smith:

Well, yeah, that is tough. Because at a certain point you have to say, "I'm a Second Lieutenant. The lowest rung on the military chain of command ladder." Most people are like, "Okay, LT, go sit in the corner and read a book." Honestly, my approach to that has always been in a partnership, like working to partner with people versus trying to use rank or trying to use a clearly established sort of power structure. Yes, you have a Major or a General or a senior officer who's really upset that they can't get something to work. It's not so much a matter of them saying, "I'm a Major and I want to get it done." It's, "I'm a person and I'm struggling, and I need help." That's how I always thought about it.

Even when I was the person that was in command and I was the person that was in charge, and I had someone that said, "Hey, Captain Smith, this thing that you want me to work on, it's too hard, it doesn't make sense, and I think it's stupid." They didn't say it like that, it was always more diplomatic, it was like, "It's stupid, ma'am."

But it was a situation where I was like, "No, it's not about Captain Smith and Sergeant so-and-so, it was Yolonda Smith and Bob Jones that are trying to work it through and solve a problem." And that's always been my leadership style, not so much to say I'm wearing rank on my shoulders, I have this fancy title, I have this title bar or something like that on my desk, it's, I'm here to help people and I've always believed in servant leadership in that way.

Dave Bittner:

Well, take us through the rest of your military experience and then your transition to the private sector.

Yolonda Smith:

Yeah. After being at RAF Lakenheath for a couple years, my next duty station was at Fort Meade, also known as the National Security Agency. I got to spend four wonderful years really getting to do the thing that I was desiring to do. When I first got out of school, when I joined Fort Meade, they wanted me to join this new little unknown outfit called The Advanced Network Operations Center. It was hunting and we had no one that was ever ... No one certainly in the DOD had codified it that way.

We had had blue team operations, certainly in the Air Force, but it was very ... It was almost a paperwork drill, if I'm being honest. And we had red team operations, but that was mostly wardriving and people that were patting themselves on the back that they could drive around the base with Pringles cans. But no one was doing hunting, not the way that we needed to. We had had some very, very significant events that had taken place that led the Director of the National Security Agency at the time, Keith Alexander, to say, "I want to know what our adversaries want to know about us."

I was the very first military hire in that office, and my job was to basically be the mission commander. I picked exactly what things we were going to go and take a look at. I sat on a watch floor with two other peers, they happen to be in the Navy, and we looked to see, hey, who was actually accessing computers in the State Department? Who was actually accessing computers on the Air Force networks? What do those things have in common? What are they actually pulling back, if they are pulling anything back?

We deployed sensors all over the globe in order to be able to get a better understanding of what our adversaries cared about as the cyber threat was becoming more and more real and people were starting to really stand up and pay attention and recognize that, yes, it can actually have a negative impact on our ability to do our jobs if an adversary can get certain information about us.

That's one of those weird nitnoid things that no one ever ... You're never going to find on a Wikipedia page, "Hey, who was the first one to do hunting?" I did that. I did hunting for the-

Dave Bittner:

It was you.

Yolonda Smith:

It was me. I did it. I did hunting for the very first hunting operations for the Department of Defense. And by extension, we took those concepts and we pushed them back down to the military services so they can do their own hunting operations. And then, if you were to fast forward the tape by four years, my next duty station was at Lackland Air Force base and working for the 90th Information Operations wing. That wing actually happened to have our blue team squadron who were very, very fired up and amped up to do this new thing that they were calling hunting.

Dave Bittner:

That's adorable, isn't it?

Yolonda Smith:

Yeah. It was like, "Oh, that's nice. You're doing hunting. Okay." But they took it further than I ever possibly could. They took all the things that I was seeing as an individual and they turned it into an actual competency that, even today, you look at companies even like Recorded Future, or you look at companies that have hunting as a mission. Those came from what we started in a little tiny office in the National Security Agency.

Dave Bittner:

What sort of lessons did you learn from that perspective of being a trailblazer? When you're doing something for the first time, what sort of things do you have to deal with?

Yolonda Smith:

You have to deal with a lot of doubt and you have to deal with a lot of people that just ... It doesn't seem like it's a valuable thing yet, do you know what I mean? You don't have the data to back you up. It really requires a lot of, and this isn't me being a humble bragger, but it requires charisma and it requires clarity of vision. I'm not a believer in FUD. I don't think that fear gets you very far, especially in security because it does eventually disintegrate and you're like, "Okay, well, it looks like you're full of crap." What I try to do, especially when I'm talking to … Even now as I'm talking to people who may not have a background in security or even as I'm talking to people who have a background in security but don't necessarily know exactly what I'm trying to achieve, I try to break it down to the assumptions that I'm coming to the table with, what I think is an approach to understanding the problem and solving the problem. Then I give ... Again, I partner with people to say, "Here's where I need your help in order to either dispel this assumption or to prove it out so we can actually start making progress on solving the problem."

When we had to get sensors deployed across Army bases, Navy installations, ships, Air Force bases, we wanted to put a sensor on an F-15, they didn't let us do that. We wanted to put sensors on planes. We wanted them everywhere. So that way, we could really say, "Hey, we want to see what our adversary knows about us."

I will tell you, walking in as a Captain into an Army base with, no kidding, we've got a Colonel, a General officer saying, "If there's a problem on my base, I'm the one that's going to know about it and I'm the one that's going to fix it."

Dave Bittner:

I see.

Yolonda Smith:

That was one of the situations where it's like, "Okay, well, what we're trying to do is help you know more." And it really came down to just, again, partnering with people and having clarity of vision, and really being able to say, "This is what we're concerned about and we think that you should be concerned, too."

Dave Bittner:

So how did you wind up the part of your career in the Air Force and then move into the private sector?

Yolonda Smith:

It's a funny story. Well, not really funny. While I was at Lackland Air Force Base, that was my last duty station, I had an opportunity to get involved in our cyber defense software capabilities flight. I was a flight commander there. One day, we read ... One of my contractors put an article on my desk from WIRED Magazine that said, "Hey, the Predator has been hacked. It's got all this malware on it," Predator drone weapon system, of course. I said, "Well, Eric, that's our job. We can fix that. That's what we do. We fix those things and we stop those things from happening."

Fast forward the tape and say nine months later, we actually fixed it. We did it. We deployed a capability that made it virtually impossible for someone to interdict and to deploy any sort of unknown software onto the Predator weapons system. That was one of those jewel in the crown moments. I was like, "You know what, I don't know. I mean, I've checked off all the boxes. I've done the coolest thing that I can possibly think of doing."

Dave Bittner:

Come a long way from the mailroom, right?

Yolonda Smith:

Come a long way from the mailroom. This is super cool. I wanted to do more of that stuff. And again, the reward for good work is more work. So I actually got pulled out of that opportunity into more of a staff role. As I got to that role, I like to think I was doing a pretty good job. And my commanders at the time said, "You know, Yolonda, you're Senior Captain now. You're going to be moving on to Major. Your opportunities to continue to do that niche, cool stuff like that, you're going to see less of that and it's going to be put into the hands of your folks, your people."

While I've always loved the idea of being a leader and making sure that people have opportunities to excel, I wanted to stay close to the work. That really was the defining moment for me. I was like, "Okay, it's time for me to step back." It was going to, for me, be many more staff roles and many more ... Probably a stint at the Pentagon where I was going to end up fetching coffee for some general. And I was like, "You know, that's not what I want to do. I loved my time in the Air Force. I'm thankful for it. I've learned a whole heck of a lot, and now I want to take what I've learned and move on."

That was really the time in which I stepped away. I decided that I was going to move to Boston. I got a role as an application engineer at a little company called Digital Lumens. They made industrial lights. I was like, "This is the weirdest thing I've ever heard of. What do they want a cyber person for? I mean, what am I going to do at a lighting company?" And they were like, "Hey, we've got this cool thing that we're concerned about. It's called Zigbee. Our lights communicate over this new weird protocol that people are a little concerned about, we're concerned about and we want you to break it." And that's exactly what I did.

I did. It was one of those-

Dave Bittner:

Hold my beer.

Yolonda Smith:

Yeah. It was one of those things where, again, I was like, "This is a cool thing that no one else is working on, that no one else is trying to do. We're going to have more and more networked lights. IoT is going to be everywhere. Let's figure out how we do it in a way that not just allows us to turn lights on and do that from the comfort of our homes, but also to do it in a way that prevents someone from waging in effects that we don't want." We don't want someone who's not supposed to have access to the lights to be able to turn them off in the middle of a shift on a factory floor. That would be a safety issue.

That's exactly what I got to work on. It's been a wild ride ever since then. I've had roles as a product manager for another cybersecurity company called Pwnie Express, P-W-N-I-E Express, as well as I worked as a business information security office analyst for Target. That was actually my last role before my current role where I was basically responsible for the security of their digital footprint, so target.com, the web app, those types of things. That was my job to say, "Hey, we want to really make sure that no one's installing key loggers. And, hey, that new crazy fun thing with digital skimmers, let's make sure that we don't let that happen."

We actually referenced a lot of the material that the Recorded Future analysts brought forth in order to help us to get our arms around that threat and prevent it from causing any problems for our guests. So kudos to Recorded Future.

Dave Bittner:

Now you're at Sweetgreen. That's really working with the supply chain for food. What challenges do you have there?

Yolonda Smith:

Oh my gosh. It's two-fold. The big challenges at Sweetgreen are that no one ever thinks that a salad company, or really that any quick-serve retail should have a problem with cybersecurity. A lot of the things that I deal with on a day-to-day basis are around changing mindsets. What you will find with technology, especially in quick-serve retail, whether it's Sweetgreen or any of your favorite fast food joints, is that technology tends to be cobbled together very quickly in order to get you to just swipe your credit card, get your food, and go. That's just sort of a paradigm. That's what it's been for the last, I don't know how many decades.

And what we're finding is that, yeah, you can cobble together all of these different technologies with these very haphazard APIs that don't really quite work. But once again, we make a lot of assumptions in doing that. And the assumption that we make is that if I put something in place that can take a digital order next to something in place that can take a credit card from a customer in a store, that those two things should just work together perfectly well. That's where the risk is. That's what I've been challenged to do is to say, "Hey, those two seams that you've got together, in order to make that digital channel work with that in-store channel, that means that I have to pass off some very sensitive data from one place to the other. Let's make sure that we are protecting that and not assuming that that API is doing all the heavy lifting for us."

So yeah, it's a massive challenge, I'll be honest. And a lot of it, too, comes down to, as you mentioned, the supply chain. Food itself is our life force, right? We make assumptions about where our food's coming from. We make assumptions about who's handling our food. We make assumptions about where that food is stored.

At Sweetgreen we're looking at new opportunities to track, no kidding, from the seed to the salad. And that tracking mechanism obviously is something that someone might want to exploit and that someone might want to interdict in some way in order to cause us harm as a company or to make it impossible for our guests to get the things that they want. We're concerned about someone changing the ingredients around so that someone with an allergy or something like that winds up with food that could really hurt them in their salad. That'd be horrible. We would not want that. We want to make sure that we have a good understanding of what's happening with food at every stage of its life cycle, including the point at which it leaves our store and gets to somebody's fork.

Dave Bittner:

Yeah, that's fascinating. I want to switch gears a little bit and talk to you about your perspective when it comes to threat intelligence and the role it plays in the types of things you do.

Yolonda Smith:

As a blanket statement, I would say the role threat intelligence plays for us at this stage in our history is that we are deeply concerned about commodity malware. We know that we have actors such as FIN7, FIN5, like FIN6 all those like big hunka-chunka threat actors out there that would just love an opportunity to find their way onto our point of sale systems and actually start doing some scraping or basically sell access to those point of sale systems.

That's really where threat intelligence has helped us, is in being able to say, "Hey, who's talking about us? Who's looking at us? What's happening with X, Y, Z actors and what are they focused on right now?" So that's one of the things that we're looking at Recorded Future to help us with, is to say it's not just a matter of who's focused on Sweetgreen, although that is probably the biggest thing that we're concerned about. It's the second of, and what's happening on the adversarial side that could ultimately cause us harm and how do we bolster our defenses against that? It's really two sides of the same coin, but we're looking at it from both angles.

Specifically what threat intelligence has enabled us to do is to start looking at things like our actual development pipeline and say things like, "Hey, how do we know if a customer has had an account takeover? Do we have our defenses in place and do we have our detections in place that will, A, allow us to figure out that that's happened, and B, see the other side of it, if it ends up on the dark web, and then be able to actually help that customer to recover in the event that it ends up being an account takeover that could harm them?"

Dave Bittner:

What is your advice for the folks who are just getting started in the industry? When you're mentoring people, what sort of tips do you have for them?

Yolonda Smith:

I get this question a lot. The answer is always to learn how things are supposed to work before you learn how to break it. I can't tell you how many people come up to me and are like, "I want to be a hacker." And I am like, "Okay, well tell me the TCP/IP stack." It's always sort of, "Well, what does that have to do with anything?" "Well, it's everything. That's all of it." So learn how things are supposed to work before you go off trying to break it.

I go back to my previous statement of I want to exploit assumptions. Assumptions come from the fact that people said, "These are how these things are going to be put together and this is how this thing is going to work." Learn what those assumptions were because all of those pieces come into play when you are trying to go off and say, "What does an adversary care about? How is it that an adversary could exploit this? How is it that we can defend ourselves against this?" You have to understand how things are supposed to work before you can even start down the path of going in and saying, "Okay, well I want to be Mr. and Mrs. Megahacker."

I think the other piece of it is that if I was going to recommend a starting role, honestly, make friends with people in IT. And if you can't make friends, go be in IT. Like, go be a SysAdmin for a little while. Go work on a help desk for a little while. You are going to get probably more experience and exposure doing a role like that in a very short amount of time, and just in terms of how things work and how people expect them to work, and how people are using systems. That's a wealth of knowledge that will carry you forward into security and throughout your security career.

Dave Bittner:

Our thanks to Yolonda Smith from Sweetgreen for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.
