Infect Others With Your Security Passion

October 1, 2018 • Amanda McKeon

Our guest today is Tod Beardsley. He’s director of research at Rapid7, a cybersecurity company providing technology, services, and research to organizations around the world. Tod manages software vulnerability research efforts at Rapid7, handles vulnerability disclosures, contributes to Rapid7’s data science-driven research projects, and serves as the primary spokesperson for Rapid7 on security and research topics in the media and on podcasts like this one.

Tod shares his professional journey, his views on the challenges facing the cybersecurity industry, his take on threat intelligence, and his belief that, as professionals, we share a responsibility for instilling our sense of passion for security in our friends and families.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 76 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Tod Beardsley. He’s director of research at Rapid7, a cybersecurity company providing technology, services, and research to organizations around the world. Tod manages software vulnerability research efforts at Rapid7, handles vulnerability disclosures, contributes to Rapid7’s data science-driven research projects, and serves as the primary spokesperson for Rapid7 on security and research topics in the media and on podcasts like this one.

Tod shares his professional journey, his views on the challenges facing the cybersecurity industry, his take on threat intelligence, and his belief that, as professionals, we share a responsibility for instilling our sense of passion for security in our friends and families. Stay with us.

Tod Beardsley:

I was a rapscallion as a child. I ran a hacker BBS in the San Francisco Bay Area in the late ’80s and kind of went from there. I was more into phones than computers, which ended up being a poor career choice later because phones all changed, so all my SS7 stuff is useless. But now it’s not anymore, I guess, because now people are using that today for cell tracking and junk like that.

I guess my … I had a bunch of jobs in between, but I guess my first real IT security job was at Dell in about 2000, 2001 or so, where we sold a bunch of computers on the web. My job was to secure that. I was part of a team that ended up securing basically all of Dell’s internet-facing assets. Because it was Dell, it was a very Microsoft-y shop, so we were one of the biggest, if not the biggest, IIS-driven websites, so that was a blast. Everybody I knew was running Apache, but I got to deal with IIS, so you got your security chops pretty quick in that kind of environment. All IIS, all Microsoft SQL pack. It was a fun time.

From there, I jumped over to security proper, where I got a job at TippingPoint. Many acquisitions ago, it was an independent company, and we made intrusion prevention systems. I did a lot of research there, like malware analysis, exploit development, vulnerability research, stuff like that. Through a series of fortunate events, I ended up here at Rapid7. I’ve been at Rapid7 now for, gee, about eight and a half years.

Dave Bittner:

What is your day to day like there, at Rapid7? What are the types of things that you do there?

Tod Beardsley:

Well, I started here at kind of the tail end of the Metasploit acquisition, so I was into Metasploit. I liked Metasploit a lot, so I showed up here, and I worked on that for a while, eventually becoming the technical manager for the open source project, but then since then, I’ve now moved. I took a press release to the knee, and now I’m in marketing. I used to be an engineer, but now, alas, I’m in marketing. I now help coordinate, write, produce, and talk about all the security research we do here at Rapid7. So I work a lot on a project called the National Exposure Index, where we scan the whole internet looking for common exposures and chunk that up into country buckets, and then publish that.

We’ve been publishing that for three years. Our fourth one will be this next year, but more recently, we published a work called Under the Hoodie. That was, I believe, the second Under the Hoodie that we published. That’s all about pen testing — what do penetration testers do, what kinds of vulnerabilities do they see onsite? Rapid7 has a pretty decently sized services organization, and so we’re able to perform a couple hundred pen tests whose results I have access to, and I end up doing this exit survey for pen testers and ask, “What happened? What’d you do?”

That’s a really fun paper to work on. I’m real happy to work with that, because I’ve done some pen testing in my time, and it’s real fun to hang out with pen testers, because they’re always breaking stuff, and they always have really good stories, and so I wanted to capture, like, “What is that, when they break stuff?” I quantify that in a way that’s statistically sound, and also I want to capture the stories, and so the Under the Hoodie paper really hit the sweet spot for me, because it’s both like science and statistics, and also we have these kinds of narrative sidebar stories of like, “This one time on a pen test,” so it’s the kind of stories you will hear at bars or at security conferences, which is great. A lot of fun.

Dave Bittner:

Yeah. I mean, it strikes me that not everyone on the marketing side of things has the technical background, the history, that you do. How does that help with the marketing stuff that you do to have that history?

Tod Beardsley:

It is helpful. I think I’m able to suss out what’s real and what’s kind of lame when it comes to doing research projects and producing research. I have a pretty good sense of what would be interesting. I have a good sense, I think, of figuring out what the audience is for a particular chunk of research. Like the Under the Hoodie report, for example, really speaks directly to pen testers who maybe don’t get access to a couple hundred pen tests in a year. Maybe your busiest pen tester in the world is only going to do like 40 engagements in a given year. I think it’s really useful for them, but we can write it in such a way that we can talk to CISOs. We can talk to IT folks who are on the pointy end of that penetration test and kind of explain what actually is going on and what kind of value you get out of it.

When it comes to vulnerabilities and exploits, I have this Metasploit background, which is kind of nice, and so I’m able to kind of pretty quickly distill out, “What does this mean for end users? What does it mean for IT people? What does it mean for vendors of this kind of stuff?” I mean, the technical background is certainly helpful and not … We have some technical people, for sure, in our marketing department. They know what they’re talking about, but it’s real helpful to have that very quick kind of BS-detector-slash-hype-detector, like, “Oh, this is a big deal, and no one’s talking about it. We need to make this a bigger deal.”

Dave Bittner:

Yeah, yeah. I mean, it’s interesting. You add that level of, I suppose, authenticity, to make sure that the marketing message doesn’t spin off in the wrong direction or amplify something that doesn’t deserve it.

Tod Beardsley:

Yeah, and all the research we produce, I like to think, is real. Right? It’s not just fluffy marketing research. We don’t do push polling. The kind of research that we produce is grounded in reality, has real statistical significance. We’re working on a project that we wanted to launch in the middle of this year, in 2018, but it looks like we’re not going to be able to do it, just because we don’t have enough responses for it. It’s a cool project, but if I only have 20 or 30 data points, this is not going to tell me anything useful, and so we have like … I’m real happy that I work at Rapid7, because I have that kind of freedom to say, “Well, yes, we would love to produce this, but unfortunately, we don’t have the data to support what we want to talk about, so we’re going to have to wait to collect more data on that.” Rapid7 has said, “Yes, that’s correct. Let’s do actual science, not just marketing science.”

Dave Bittner:

Right. Now, with the view that you have on the industry, on the cybersecurity world, what are the things that are top of mind for you in terms of the main threats that we’re facing these days?

Tod Beardsley:

I think for regular people, which is everyone except for this kind of rarefied industry of a few hundred to a few thousand security folks, probably the number one thing, the number one threat out there, is the simplest one. It’s the phishing email, where either you’re directed to a fake website, or you are tricked into downloading and running executable content. That’s still a huge problem.

Over the time that I’ve been in security and IT in general, we’ve made huge progress on dealing with spam — Gmail has made spam really hard — but when it comes to phishing, that phishing problem is persistent. We see that over and over again in the kind of work that we do here at Rapid7, where phishing tends to be a very common entry point into any enterprise, pretending to be somebody you’re not, asking someone for a password, or just directly getting shells on their box. That, to me, that’s number one, and we have to do better at that. We absolutely have to do better than that.

I am all into the shiny, right? I will talk about Spectre and Meltdown all day long. It’s super interesting. All the speculative stuff in those Intel bugs and other processors is super fascinating, but that’s not the problem that most people have to deal with. Most people have to deal with phishing.

Dave Bittner:

Where do you sit on the spectrum of the solution, to that being a technical solution versus a training solution?

Tod Beardsley:

I think you need both, obviously. I do think that over the last, probably, two years, ever since the Democratic National Committee Chairman’s email got phished in a very splashy, obvious sort of way, people got real aware of it. I think people are at … I think we’re at a good place on awareness that we haven’t really been at before, and so I think now, we could use some technical solutions, and one of those is getting rid of these human-memorable passwords. If someone is phishing you and directing you to a fake login site, and you don’t know your password, it’s impossible for you to accidentally give it up.

If you have some kind of password manager that is watching and validating the URLs, it won’t automatically sign in to the fake one. That’s just not how they work, and so you’ll have to go … If you do fall for the scam, and you click on the link, and you go to the fake Google sign-in page, you will have to take a lot of extra effort to enter it, like, reauthenticate, fake reauthenticate, and log in. I think that would go a super long way.

I’m very interested in getting people out of the habit of having human-memorable passwords, because that’s … We see that come up in pen test reports all the time, where password strength still works. Like if it’s, I guess, a common password that I’ve seen on many other sites, I have a good shot at guessing correctly on this site for at least one or two users. That will help against phishing. It’ll help against general security problems. Getting these squishy human brains out of the password generation pipelines is, I think, super important.

Dave Bittner:

But also, I mean, I think there’s this notion in a lot of organizations to kind of shame the users when they make mistakes. You’ll hear people say, “This job would be great if it weren’t for all those darn users.” I don’t find that to be helpful. What is your take on that?

Tod Beardsley:

Right, and I want to get people out of the business of dreaming up their own passwords, right, so I don’t have to shame them anymore. If you’re picking dumb passwords, I can’t blame you for that. People don’t generally talk about how they come up with passwords in conversation, because it’s secret, and so everyone comes across a scheme or a system for generating passwords wherever they go, and they tend to think they’re very clever, but they don’t understand that they have rediscovered the same generation patterns and the password generation systems that everyone else is using, and so you end up with people thinking they’re very clever by using the password “autumn2018 exclamation point” because they can change it every 90 days, it has letters and numbers, it has special characters. If that’s your password and you’re listening right now, please change it, because you are not the first one to come up with this pattern, and —

Dave Bittner:

Hold on a second, Tod, I got to go change my password.

Tod Beardsley:

Yep. It’s a great password, and it’s a very clever scheme that rarely is talked about, and so anytime I have a microphone, I will talk about “autumn2018 exclamation point.” It’s my favorite password. I think that if we get … I’m trying to get the user out of the path of the shame hose. Right? I want to make that someone else’s problem. I want to make that security engineering’s problem. You’re not responsible for your own passwords. Everyone should be using password managers. I’m a little sketchy on the browser-based password management, but like a standalone password management system. I use KeePass, and I’ve been using it for years and years. I know it’s not for everybody, but there are bunches out there. There’s LastPass. There’s 1Password. There’s loads, and really, all of them are better than your brain.

Dave Bittner:

I want to talk about threat intelligence, which is the common thread in our show here, and I want to get your take on it. Where do you think threat intelligence fits in in an organization’s efforts to defend themselves?

Tod Beardsley:

I would say that picking up threat intel feeds is real useful once you’ve already hit the basics. Right? Once you already have your basic act together, if you feel like you’re in a good position with your password management, your asset management, with your password management and your network segmentation — so like, hit those four checkboxes first — once you’ve hit that, then it’s more useful to start talking about threat intelligence feeds.

Obviously, if you’re using these feeds, you have to have someone look at them, and so there are some upfront costs if you’ve never done it before, but once you get in … Once you go down that path and get a SIEM, or get user behavior analytics, or something along those lines, then, for sure, it’s super-duper useful, because now you’re able to see what other security organizations are seeing, and then we have this whole sharing backend where we can trade around our indicators of compromise, and we can see, like, what are the patterns that are emerging out in the real world? I think they’re useful once you hit that level two, level three kind of maturity.

Dave Bittner:

Do you have any tips for folks who might be beginning their journey of shopping around for threat intelligence providers? What are the sorts of things that they should look for, and what are the ways to align that to their own needs?

Tod Beardsley:

I don’t know. Buy Rapid7’s. Yeah, we have pretty ones, but I think what … I don’t know. Yeah, I’m terrible at marketing, by the way. I don’t know why.

Dave Bittner:

Yeah. I won’t tell your boss.

Tod Beardsley:

Oh, she knows. I think that once you start going down that path — like, tried-and-true solution, best-of-breed kind of stuff — it won’t steer you wrong. It’s real easy to kind of overbuy on this stuff, and then you end up, after a month, with the machine just going “ping” all the time. It’s real easy to get alert fatigue on a lot of these things. If you’re dealing with a vendor who doesn’t have a good sense of your capability to tune this kind of stuff, that can be a problem. You want to be able to come in to your enterprise with some kind of threat intelligence solution that actually fits with your workflow, your skillset, like how many people you have, and how many hours you can actually devote to it — being realistic about that.

I say the same thing about penetration testing. Penetration testing is great, and actually, you must do it, depending on your industry. But you have a lot of flexibility in figuring out what you want out of your pen test, beyond the checkbox. What you want to do is prove something to your CFO so you can shake free more budget, right? I think you can do the same thing with threat intelligence. We keep seeing the same kinds of indicators of compromise, where it tends to be people opening email and running things with Word macros. Don’t just sit there and admire that problem. Actually go down that training path, and turn that into something actionable you can do in training. Off the top of my head, that’s the best advice for shopping for this kind of stuff.

Dave Bittner:

Now, switching gears and getting back to some more broad topics, is there anything in cybersecurity that you feel isn’t getting the attention it deserves? Is there anything that you feel people aren’t focusing on when they should be?

Tod Beardsley:

I think security folks in particular are very guilty of it, of moving from shiny to shiny. Going from zero-day to zero-day tends to be … It’s just so entertaining to do that, and it makes you feel super smart when you understand something new. Kind of addressing these fundamentals of real basic things, like, do you have a reasonable level of cryptography throughout your organization? I think the encrypted internal network is something that kind of gets some handwavy … It gets hand-waved at. Right? I really like the zero-trust networking model where you just assume that there are bad actors inside your network, so why not crypto all the things? We’re living in a different time than we did 20 years ago, where your bandwidth constraints are much looser, your drive constraints are much looser. Everyone’s moved to the cloud already, so you kind of have to encrypt all of that stuff anyway, and so why not just extend that backwards back into your own network?

When we see things like a lack of SMB signing in a Windows network — which, by the way, is every network — when we see that come up over, and over, and over again on engagements, on assessments, even when we come in with the products … Like if we have a product that talks SMB, and you don’t do SMB signing, then we have to go out of our way to avoid that. That’s the kind of thing where it tells me we still have this outdated notion of, “There is an inside and an outside.” That’s evaporating. Right? I mean, we have mobile devices that move from network to network. We have farmed out a lot of what used to be internal to some cloud provider, and so why not just take that next step and just encrypt all the things? Right? Dot JPEG.

I think you go a long way, and I want to normalize that too. Right? I think it’s a little naïve to think that if you have something that has a TCP/IP stack, it won’t eventually end up on the internet, even by accident, because the “I” stands for “internet” in TCP/IP. If you were already encrypting by default, you’ve made that passive monitoring threat, man-in-the-middle stuff — you made that so much harder.

Dave Bittner:

Do you feel as though, as an industry, we’re gaining ground on the problem, or are we treading water? Where do you think we stand?

Tod Beardsley:

Things are so much more secure today than they used to be. I’m now rapidly entering into old-man territory when it comes to this kind of stuff, and so I remember when we had … Like before the days of NAT, like without network address translation, you had one computer in your house that talked on the internet. It was straight shot, and people were doing SMB all the time over the internet. It was a security disaster, looking back at it. It’s shocking that it all kept running, but now we have NAT pretty much everywhere. It’s like the best accidental security solution that we’ve ever come across, because you get firewalling for free.

You don’t get to talk to clients unless they talk to you first, and so I do think that things are significantly more secure. iOS is easily the most secure operating system that normal people interact with on a daily basis. Android’s getting better, but iOS is number one, and so I do think that we’re in a good position compared to, I don’t know, 10 years ago for sure, easily five years ago. If you’re a security professional, I think it’s incumbent upon you to help people do that one extra security thing. We’re recording this here in the end of September, which means that it’s almost holiday season. Apparently, holiday season lasts five months in the U.S., but you are likely to run into family members and friends that you haven’t seen in a while, and maybe have that conversation about password management, have that conversation about like, “Well, who do you share your accounts with?”

Just basic stuff like that. And try to do your own grassroots evangelizing for security, for security principles that at least you care about, because almost everyone I meet in security is super passionate about it, and so rather than just being glum and saying that the users are dumb, it’s doing things like I just said. It’s a miracle everything still runs. Go out and take that passion and infect other people with security news. That’s probably the best thing you can do, just on an individual basis.

Dave Bittner:

Our thanks to Tod Beardsley from Rapid7 for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinator Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.