A
Welcome to Cyber Leaders with me, Kieran Martin,
B
and me, James Lyne. Now, we're both from the SANS Institute, who are kindly backing this podcast. I myself am a techie, a massive geek who spent my life chasing cybercriminals around the Internet.
A
Less of a techie. I dealt with cyber security operations and policy in government and set up the UK's National Cyber Security Centre. But together, James and I are trying to unpack the weird, wacky, wired and wireless world of tech security and all the complications it involves.
B
That's right, Kieran. This podcast is a voice for security leaders. We want CISOs, security directors, and frankly, everyone beyond to build up their knowledge of what works, what doesn't, and ultimately secure their organizations more comprehensively and quickly, quite frankly. Ideally, make some cybercriminals miserable, too.
A
Well, first of all, James, good start to an audio podcast. Nice haircut.
B
Very aerodynamic.
A
Yes. You look like a thug. In fact, you look like a baddie. You look like a criminal. And I mean a physical one, not a cyber one.
B
A bit of cyber role play.
A
Yes. Now, let's go back to baddies. Let's talk about some baddies. So I'm gonna take you back to something you said at the start there.
B
Oh, so you were listening this time, Kieran. That may be a first.
A
I hang off your every word, my friend. All of them, even the ones I don't understand. When you, like, talk about computers and hacking and stuff, I listen then, too.
B
And which particular bit or byte did you want to haul me up on today, Kieran? I'm getting paranoid. I feel like I've made an error. I have to watch my words, or double words more carefully. That was a lot of data size puns in there.
A
It was. But I want to talk about baddies today. So, in that wonderfully spontaneous yet repetitive introduction that we both do, we always talk about chasing baddies around the Internet. And you've come today in character, you've come looking like one.
B
Well, yes. I mean, you've got to get inside their headspace, don't you? I've spent the last 20-odd years of my career chasing cybercriminals and their exploits and malware and, frankly, trying to make their lives difficult.
A
Well, then, let's go back to data. How many baddies have you chased?
B
Well, it's hard to think, but it's a lot. I could probably more easily name the ones we've managed to deal with, together with law enforcement. But where are you going with this, Kieran? Are you trying to create a chasing-baddies league?
A
That's exactly what I'm trying to do, as a matter of fact. James. Yes.
B
Can I ask why?
A
Well, I'm not really trying to create a baddies league table. I'm just trying to work out whether you've spent more time chasing baddies than our guest. Because we've someone today who spent more time in what I would call the frontline of the frontline of cyber defence than pretty much anyone I know, except perhaps maybe your good self. We've someone joining us today who's seen it all and done it all from a whole range of different perspectives and jobs.
B
Indeed we do. And I frankly would be quite happy to be beaten in the baddies-chasing league tables by this individual. We have a guest today, folks, who started his career in the military. He was in intelligence, working on human intelligence operations, counterintelligence and electronic warfare, obviously very closely related to cyber security and more so every day now. Without getting too much into, well, his age, he was in uniform at the time when the military started to worry about what we now call cyber security and started to specialize in that. Leaving the service in 2010, he founded his own company, which he still has, specializing in incident response, risk assessments, compliance and training. But he's done way more than that. He's built SOCs and threat hunting teams at various major organizations. He's a SANS instructor and a faculty member of the SANS Technology Institute. He led incident response and CSIRT functions at Unilever, a massive organization. I can only imagine the challenges there. And he is the author of two pivotally important SANS courses on incident response and threat hunting, which means he's had thousands of students go through his classes learning these key concepts. And while supporting that general theme of trying to make life difficult for the cybercriminals, Kieran, we have to figure out if he gets credit for all those students by proxy, because if so, he's definitely got me beaten.
A
I think that might be the case,
B
but let's figure it out. There's some kind of tree there, isn't there? But anyway, look on the more friendly side, he's got an entire barnyard full of animals, which we'll have to ask him about. So my powers of deduction tell me he basically never sleeps and he's going to talk to us about a whole lot. And, Kieran, we're going to struggle to contain our lines of question and the length of the podcast, as usual, as normal.
A
Yeah.
B
So it is, of course, based on that introduction, and you probably had it from the barnyard full of animals, the truly remarkable Taz Wake.
A
Welcome, Taz.
C
Hi, everyone. Hi, James. Hi, Kieran. It's an absolute pleasure to be here. And that was an incredible introduction. I am honored.
A
Well, it's fully deserved and I think fitting with your background and the mystique around everything you've done. James is looking like a thug with short hair and you're off camera. So this is good because I'm going to start with a question we ask everybody about your journey into cyber. But I'm really looking forward to your answer. There's as many different answers as there are guests. So you join the military in intelligence work. This is a pretty scary time, the beginnings of a pretty scary time that we're still in. The world starts to go on fire at the start of the century. And you emerged from this period when you come out of service in 2010, and you're ready to take on the world of cyber thugs and thieves in the private sector. So clearly you didn't go into the military in cyber, but you came out of it ready to go. So I'm guessing you're not going to be able to tell us everything about your early career and what led you to pivot to cyber. Some of that will probably be classified. So here's two options for you. One is you can tell me and James everything. Just go through all the classified operations, all the really cool stuff, and then we'll edit it out. It'll be like one of those government document releases, you see, where it's mostly black ink blotched over the words, and our listeners can just listen to that, or maybe something less high pitched, maybe just the sound of silence. So that's option one. Option two is you can tell us whatever you can about your early life and career and how you ended up fighting digital baddies, having started off fighting physical ones in the military. Your choice.
C
I think I will absolutely go with option two there. Oh, okay. The 35 minutes of silence isn't exactly a selling point, but. No. So, as you described, I joined the Army. I actually enlisted in 1993.
A
Wow.
C
I started off as what we referred to at the time as an operator, special intelligence. And that meant you go through a variety of different jobs. At the end of basic training, I was specialized in electronic warfare, signals intelligence, that kind of thing. Postings to Germany. Really, really interesting jobs. There's a whole range of things. The Cold War is over at this stage, but not quite. We still had occasional threats, Middle East, Africa, places like that. Throughout the 16 years, we changed jobs in the army, or certainly my trade in the army changed jobs every two years, which meant I had the opportunity to bounce round a whole raft of things. Lots of secondments to other government agencies. I spent a lot of time working in tri-service organizations, a bit of exchange trips with the US, which was quite fascinating. But a lot of it revolved around the terms intelligence and security. So we kind of look at it as a double-pronged effort, similar to how we talk about cybersecurity today. As an intelligence operator I'm attempting to gather information from the enemy, and as a security operator, I'm attempting to prevent the enemy gathering it from us. And that was kind of the big blow. Interestingly enough, in 1993 I was actually sent on a computer security officers course, which was kind of the first step into what we'd call cybersecurity today.
A
Someone was ahead of their time.
C
Yeah, it was very different to how you'd look at things today. That's probably the easiest way to describe it. It was very much we'd probably refer to as auditing today.
A
Right.
C
It was a lot more about just making sure the processes were followed, making sure the passwords were rotated, that kind of thing. There was less focus on the more direct technical cybersecurity we'd expect in the year 2026. But that did evolve. Absolutely. It evolved quite a bit. By my last posting with the Army, I was on secondment to a government agency. And I'd kind of reached the point where I thought I've had enough. I've done some really interesting things. There aren't that many more new interesting things ahead of me. And that's the point at which I decided to leave, basically because of a lot of background. Protecting organizations, that kind of thing. Yeah. Some very interesting investigations. None of them I could talk about, sadly.
A
No.
C
But if anyone ever wants to get down and sit with me, I've got some incredible stories that I can try and declassify a little bit.
A
I will bet you do.
B
Yeah.
C
That was kind of the point at which I thought, when I left, I was very fortunate. I formed my own company, and the biggest advantage I had really was having lots of friends and contacts in the industry. So we've managed to be successful, and here we are 16 years later, still doing cyber security.
B
Love to see it. And of course. Oh, how things have changed as well. Taz.
C
Absolutely.
B
I was thinking back to those days you're describing and of course the roles have changed, but the nature of the problem, the scale of the problem, the use of technology. I mean, it's just been a whirlwind.
A
when you were there during that period towards the end of it, you know, there's still a very unstable world and so forth. How much were the military thinking about cyber and so forth at the point of your departure? And do you get any sense then if you're still in touch with people? You know, how much has all this changed now, given that quite a lot of all the things going on in traditional military circles. Where's it all at now?
C
So certainly by the time I left, the army had very much pivoted. We'd gone from the early 90s of a computer security officer. We had an information security unit in the Intelligence Corps who are very skilled. They do a lot of SANS training, as a prime example around that. So that had very much changed. That kind of happened in the early 2000s.
A
Right.
C
I think when Stuxnet hit the news in 2009, that kind of made everyone really aware of the additional levels. And you might remember around about like 2007 when we had the fears about supply chain attacks and we could no longer talk about restricted information over the telephone network. Yeah, that kind of thing. They were the mindsets that people were very much going into. I think it's quite modern really. It's a world like James said, it's night and day difference to when I started. Yeah. I think the technical details will have enhanced today. I know the army still has a very strong dedicated cybersecurity capability. The technical details will have improved, but I think that real mindset approach probably changed in the early 2000s. Stay with us, we'll be right back.
B
Hi everyone, James Lyne here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us. So why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world class experts sharing insights into the latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org/cln, that's Charlie Lima November. And if you're enjoying the show, one teeny tiny small favor, hit subscribe. That's genuinely all we'll ever ask of you. And in return, we'll keep fighting to bring you the guests and conversations that you want to hear. Appreciate it all. Now let's get on with the show.
A
Yeah, nothing like an exploding centrifuge to focus the minds, I guess. Anyway, I rudely interrupted James, so I'll hand you back to him now.
B
That's quite okay. We got to exploding centrifuge. That's a great start to the podcast, which is probably going to make my next line of questioning seem mundane, but I actually think it's really important, Taz. I don't normally read out bits of people's official biographies. Well, mostly because it makes people think I've just been lazy and that's all I've looked at.
A
And where would people get that idea from, James, that, you know, maybe somebody else did all the research? I don't know. I mean, any clues?
B
Well, I. Exactly. I can't even possibly imagine now.
A
Anyway. Sorry, I'm interrupting again.
B
Exactly. In a world of AI, we shall assume that Perplexity or ChatGPT did the work. Excuse me, I'm much cheaper and certainly better. Maybe, but there are a few bits of your official biography, Taz, that are so good I wanted to quote them and ask you about them. After all these incredible achievements and experiences, you're described as an incident responder at heart. I love that quote. And then you're quoted kind of talking about seeing individuals fighting the good fight every day and catching an attack in flight, responding quickly enough to get ahead of the exploitation to defend the environment. It means someone or some organization is better, more secure, and able to return to normal life. I just love that. And it takes me back to the first bit about how you're an incident responder at heart. So could you give us a sense of some of the buzz around incident response? I mean, why do you love it so much? Why are you so passionate about it? And insofar as you can, any highlights or cool stories that aren't classified and require beeping?
C
Absolutely. You've hit the nail on the head there, James. I think for me, definitely incident response is where cybersecurity really gets its fun. And I think there's a couple of reasons for it. First of all is the slightly historic approach of the fact that it's always quite a nice feeling to do something good for people. I mean, when I joined the Army, I had lots of reasons for joining, but part of it is around that sort of being part of a bigger picture, protecting things, that kind of idea. There's a little bit of a cynical approach in some cybersecurity areas in that really what we're doing is protecting shareholder value. But incident response is a little bit different. There's genuine ways that we can actually protect individuals. Most of my work isn't really in, like, ICS/OT environments, but if you look at those as an example, the incident responders there are genuinely saving lives. There's risk to life that their actions are preventing. The people dealing with a nation state attack in Ukraine, for example, are going to save lives. And that's hard to compete with. Let's say, as an auditor, that doesn't have that same kind of feeling for me. Regarding the kind of activities as well, the scope that we can get in IR is phenomenal. One day we can deal with a nation state threat actor gaining access to a critical database system and taking the entire NHS down, and then the next day we've got an individual who's had their bank account attacked and all their funds stolen. So for me, doing IR is a combination of an incredibly varied challenge. The saying "no two days the same" is absolutely true here. It really is the case of, well, sort of. There is a rhyme between events. They're always different enough that we have to use our brains, we have to think, and then there's always that feeling at the end of it, you've actually made someone a little bit better. You ask for examples. I mean, that is always a little bit challenging.
I don't want to get sued out of existence for an NDA or go
A
to prison or require bleeping. I actually thought James had said require beating. I thought that was upping the ante a bit with his new haircut.
C
But anyway, absolutely, yeah. Both approaches aren't ideal. I'm scared of them both.
A
What can you safely disclose?
C
Well, some of the more common ones then. I've dealt with an incident whereby, and this almost feels trivial, but there was a user in Singapore, they'd browsed to a suspicious website, a fake help desk pop-up would come up, they'd clicked on it, they'd rung through and the attackers socially engineered them to connect into their own personal bank accounts and they had all of their life savings extracted. Now, as an incident responder, that's heartbreaking. That's not just a company impact, because while the attack started on a company device, hence I get involved, the actual individual felt personal pain, of course. Now, we were quite lucky with the most recent one, although it's rare. We were quite lucky in that we were fast enough that we were able to engage with the bank. We could speak to the bank's counter-fraud team. And again, I'm just going to do a little bit of an advertisement for SANS here, because the head of their counter-fraud team knew me from a SANS class, which absolutely facilitated a lot of this. But we were able to stop the fund transfer in flight and this person managed to save their money. That's the great feeling at the end.
B
I love that. Oh, just seeing the cybercriminals not get money. Oh, so satisfying.
A
And that's an absolutely lovely example. And I do also feel obliged to point out that, now that you've plugged SANS twice, Taz is not being paid for this podcast. This is not an infomercial.
C
No, I don't work for SANS.
A
No, we will come back, actually, because the more serious point is about communities of people who trust each other, which I know is something you're big on. But look, before we leave incident response. You've talked about some great stories and so forth, but give us some themes to take away about good incident response. You mentioned there's enough difference, but there may be some patterns too. So for people listening out there, working, what have you seen that makes for a good incident response?
C
So there's a hierarchy of skills that an incident responder needs. At the very base level, there's an absolute technical requirement. As an incident responder, there is an expectation that you'll understand technology well enough that it doesn't matter what you're having to deal with. If you're dealing with a compromised Mac device and then you're pivoting into a compromised Cisco firewall, as an incident responder you can't just say, that's not my specialization. You've got to be able to understand enough to keep going. This isn't about being the expert. So there's a slight difference when we talk about maybe digital forensics. If I'm going to stand up in court as an expert witness, I have to have a deep subject matter expertise. IR is not quite that bad. Moving up from the technical level though, because lots of people manage that, where it really becomes different are a couple of key traits that incident responders have. You've got to be a good communicator. An incident responder absolutely has to be able to talk to technical people and victims. If you are a very technically focused person and you can't communicate with the victim, it's going to slow things down. Absolutely. If you can't communicate with the board, you're not achieving your recommendations, your remediation actions aren't going to work. You get a failing there. And the last, but probably the most important element, you've got to be interested. You've got to look for the challenge. You'll probably remember this from the olden days. You've got to be the person who does crossword puzzles, who does logic problems, because you're interested in that challenge. And that's kind of what gears people towards being very good incident responders.
A
Excellent.
B
Yeah, makes a lot of sense to me. Years ago I heard this line that I think applies to what you're describing, that a great incident responder has to be the calm in the storm. They have to be kind of very Zen. They have this ability to follow a checklist and be repeatable and evidence based and methodical and calm whilst also pursuing all these completely diverse and different scenarios. And that's quite a fascinating intersection of style challenges for people who do this stuff. Well, isn't it?
C
Absolutely. I mean, James, that's probably the best summary I've ever heard. That's exactly it.
B
You can have that one for free.
A
Said it all. No, no, no, no, no, no.
B
Don't flatter him.
C
I've written it down, so I'm gonna, I'm gonna make a note of that. And from now on, that's mine. Just crystal clear.
A
You can see his head.
B
It's quite big enough. We can attribute it to you. You can put it on a T-shirt.
A
Oh, T shirts. We're back to T shirts. Sorry.
B
We haven't had a T shirt for a while, have we?
A
We haven't had a T shirt for a while.
B
I might be about to make another one. So, you know, hold on to your chair, Taz. Let's pivot over here to one of the other things that you're very well known for, very experienced in, and a little related to this. That's threat hunting. Now, one of those areas that's, you know, well understood by some, and at a high level the term is pretty self-explanatory, but not really. Actually, if you don't kind of know the details, it kind of stops at the "I'm hunting threats" level. So yeah, what is it to you, and where and how do you think it works best?
C
Okay, so at a very basic level, threat hunting is the proactive approach where defenders are looking in their environment to see: is there a problem that our security tools have missed? It's similar in physical security. We have similarities with security guards doing patrols inside the building. They're looking for someone who might have broken in and not set off any alarms. That's kind of the thought process that drives it. It is critical. I mean, we look at lots of statistics, like Mandiant and CrowdStrike. They're showing that dwell time, the amount of time an attacker can be in the environment before they get detected, has dropped dramatically from, like, a year and a half in 2010 to 15 days or thereabouts today. That's nearly all down to threat hunting. And as organizations get better at this, that's going to reduce, because 15 days is still a long time. As I'm sure you can imagine, James, if you were active on a network for 15 days, they're not recovering, they're rebuilding.
B
I could cause all manner of chaos in 15 days.
C
It's absolutely game over at that point. There's no hope.
B
Isn't it just. And Taz, to your point as well, so wonderful the dwell time is reducing. So that's a huge improvement. One of the things on my mind, though, is of course AI and automation and agents coming into this space. That's going to have a very interesting impact on that dwell time stat, potentially in both negative and positive ways. Right. I kind of struggle to think through the next couple of years and what might happen there. I don't know if you have a profound realization for folks, or more of an "it'll be different and hard" type summary.
C
The problem today is this is very much a definition of interesting times. I don't have anything profound. I think it is going to be a significant change. We are seeing attacker behaviors speed up. Absolutely. But most organizations that are deploying some form of LLM within their security boundary are also speeding up their response. So it could be that we are going to see them increase in lockstep. The main point around that, though, is ultimately the LLM is just a tool. For me, a cyber attack and its defense is still a very traditional, almost like Spy vs. Spy sort of thing. It's a human at one end of the attack chain and a human at the other end of the attack chain. It's just about how we utilize these tools to our best advantage.
B
Yeah, I really subscribe to that viewpoint too, and I know this is trivializing kind of different technology use cases, but I stand by the statement in macro at the end. I've said it before, if both sides have AI, then once again the edge is human. But there is, of course, a very important threat hunting thing that I do have to ask you before Kieran follows up with what will no doubt be a more serious question. Don't bet on it. There is of course this trend of the amalgamation or concatenation of threat hunting into "thrunting". How do you feel about thrunting?
C
I'm not altogether sure where to go with that.
B
I think that probably describes it in and of itself.
C
Yeah.
A
Is this where we finally put in the bleeps?
C
That's not a term I'm going to utilize on a regular basis.
B
I think we have a call on it. I'm with Taz.
C
You've silenced me.
A
I had no idea where that came from. I think I said earlier in this podcast about James, I even pay attention to the words that I don't even understand. And here we go. So that's perfect. But anyway, thank you for taking us to the humans, because I want to ask about humans. So this thrunting. Oh my God, I'm doing it. This threat hunting stuff. Infectious.
B
I know, catchy. Could be a T-shirt. God, could be a company. No, no, no, no, no.
A
That would get blocked. And rightly so. And breathe. Now look, threat hunting humans. You and James have talked before, going back to the human, you've talked a lot about what you learn technically and so forth, what you need to do. What do you learn about the adversarial mindset and even the adversaries themselves? And James accused me of asking more serious questions, so I'd better trivialize that. As well as that, I wanted to ask you, what about threat actors? I mean, you know, if you had to make a league table of threat actors as opposed to baddie catchers, you know, any particular groups that you've dealt with or studied over the time that you think, oh, they're a difficult bunch? So what do you learn about the adversaries, and who do you worry about, really?
C
Good question. All of them is the short answer. So there's a whole range of skills and things like that. Some of the ones we refer to as, I mean, we use the term APT quite loosely, but some of the APTs we refer to, like ShinyHunters, they are always in the news, they are always doing very high profile, high monetary gain attacks. But they're incredibly low skilled. Yeah, nearly everything that ShinyHunters do is down to a misconfiguration, basically default passwords being exposed to the Internet. ShinyHunters make a few millions. I'm not trivializing that. But as an incident responder, that's not really a threat actor you worry about, because investigating them is not really that challenging. Defending against them shouldn't be that challenging. They're the high noise, very, very profitable, annoying criminal groups. The ones that create more of a problem are the genuine nation states. The pandas, the bears, that kind of thing. That's where we see more skilled tradecraft. And they're also very often difficult to really get to understand what they're doing. Their techniques are a lot stealthier. There's a lot more required for our investigation. And that's where the problem really lies. The good news is they don't target that many people. We get a lot of noise. But when they do, it is a very difficult, annoying investigation.
A
Brilliant. Now let's develop this a little bit further and we'll get on to the state of our industry, cybersecurity and so forth. Now, you've been constructively outspoken, I think is the way that I would put it, about all sorts of things to do with this industry. And we're going to ask you about all of them. Well, no. As many as we can fit in. So let's turn a bit to digital infrastructure and some of the myth busting you've done. So you've become quite famous, and a bit controversial sometimes, about this "Linux is a secure operating environment" myth. And that's just one example of you taking on some of the structural problems about core bits of hard and soft digital infrastructure that seem to be at the root of so many of our difficulties. How are we getting on with all of this stuff?
C
We're getting better.
A
Yay.
C
There are definite trends of improvement would be the easiest way to describe it. But there is a genuine problem, and one of the reasons why. I don't know if I like the term outspoken, but I'll lean into it. One of the reasons behind that, I like it. We've kind of allowed ourselves to get into a kind of static mindset. The key truth of cybersecurity is tomorrow you need to learn something that you didn't know today. This is a constant thing. The things that I thought were gospel truths in 2003 just aren't correct today.
B
Absolutely.
C
And if I'm not able to make that mental leap I'd be wrong.
A
Yeah.
C
The work that I do would be incorrect. And I think we struggle a little bit. So I will use the Linux one as an example. A lot of that came out when I went to a couple of conferences and I had reasonably senior people within cybersecurity making statements to me about Linux and Windows that were probably last true in 1997.
A
Right.
C
And I'm like, we've got to have this constant learning mindset where we adapt and evolve relentlessly, really.
B
Yeah. It's so funny, Taz, and I'm admitting some confirmation bias to your position and a love of a little bit of outspoken as well, so others could argue with us, but we love a story in cyber security. We love to introduce a concept or an idea, a quip or a trope, a slogan. And then once it's, you know, in the language of security professionals, we hold on to that idea for so damn long. So hard. To your point, on this kind of Linux thing, the relatively true position kind of back in the day, that a great deal of the general attack space was malware focused on Windows and that Linux enjoyed relative immunity to that problem. Very fair. But that, of course, morphed into this: well, it's secure and you don't have to worry about this stuff. Which is hilarious, because whilst Linux provides incredible frameworks for security and customization in the right hands, I mean, out of the box, it provides some ludicrously fantastic ways for attackers to hide information and compromise, just because they're not necessarily using a traditional piece of malware like on a Windows computer. And I still find people who hold to that idea today and will tell me there's no malware for Macs and iPhones and so on. We gotta slay these stories. We've gotta be outspoken 100%.
C
You've hit the exact nail on the head there. I mean, there's two kind of angles to this that I don't know if frustrates the right way, but there's two kinds of angles that I think as an industry we need to be a bit better at. First of all, the concept of secure is kind of meaningless without a threat actor. So you could be secure against an asteroid strike or secure against theft. And without trying to go too technical, but if we use, like, operating systems as an example, the Mac operating system, its security model is based around someone stealing your Mac device. The Windows operating system, its security is based around malware. They've got two different threat models, so they implement security differently. If you say one's more secure than the other, you're kind of missing a significant element of the point.
B
Yeah, you've got to say against what?
C
Yeah, yeah, exactly that. What is the important bit? And then, as you said, James, the key point for me is Linux. Linux operating systems, I love them. I spend most of my life in Linux. They can be secured against most things we'd consider an attack, but they don't come out of the box that way. The exact opposite. When you first install it, no auditing, often weak privilege escalation paths. Yeah. So it's about understanding, and instead of just sitting back on our heels and thinking to ourselves, oh, 20 years ago I was taught this, therefore it must be true, I think we need to constantly understand that everything's changing and learn to adapt.
B
Yeah, constant reevaluation. I think that's exactly right. And be careful with those tropes and stats and challenge yourself with the "against what? against who?" type questions. One of my examples I'll share very quickly to kind of support your point, Taz, and then Kieran will no doubt come up with a better question. But you know, there's this often quoted stat that, you know, 95% of breaches involve and are caused by humans. And you kind of go, well, that's kind of... Well, at the surface, it's quoted all the time. But it goes back to an IBM report in 2015 where they specifically said that that was true in insider threat cases. They weren't talking about the whole threat landscape in totality and all the API attacks, malware, web app, et cetera. It's a very specific niche and people never quote that bit because it's not as catchy. And then in more recent studies that have happened over the last year, the great, you know, Verizon data breach report stuff is similar. They say that the stat is more like 68% the way people think about that, with humans clicking something they shouldn't and so on. And much of the rest of the delta is made up from credential theft, misconfiguration of systems and so on. Well, okay, but that's a bit like saying 95% of problems happen in a kitchen because there is a chef. Well, yeah, like of course, but you've got to be so careful on these tropes and stories. It can really cause resource allocation issues in security leadership, can't it?
C
Absolutely, that's exactly it. I think we do fall into this mindset and maybe it is a little bit, but there is a lack of data. I know getting reliable incident and intrusion metrics is always hit and miss. No one likes talking about them. For example, I don't think there's more than three cases I've worked in the last year that I could mention, let alone add into some kind of statistics thing. But without that, it's always going to be a little bit more cause and effect challenged. Yeah.
A
Well, let me jump back in here and I want to take you back to something you said a little while ago. And it was about the Linux environment, but I wanted to ask you about it because it's got wider applicability. So you said you didn't like or you might be completely comfortable with the word outspoken and that's fair enough because you're not one of these people who jumps up on a conference stage and says something outrageous and arresting. But you do challenge myths and you do try to put people right and make changes. But you told a really interesting story to get back to storytelling, but you didn't have time to develop it. So I wanted to ask you about it. You're talking about earlier in your career and there are some senior figures in the industry essentially talking nonsense about Linux to your face and you push back. How did you do that? What happened? Was it difficult? Were you nervous?
C
And very.
A
Did it change anything? Because these are the things that have to be done, but they're not easy.
C
Yeah, I don't. Nervous isn't quite the right word. I was ultimately unsuccessful.
A
Right.
C
I might as well lead with the failure first. So this was a conference, there were vendors talking about it, and the vendor had basically taken the stance that the problem that you've got with cybersecurity is that you all use Windows. If you come to us as your managed service provider, we'll migrate you to Linux. Linux is secure.
A
Yeah.
C
In the questions part I said that's not really the case. Tried to ask it. And I did notice the thing that really stuck with me is almost all of the other attendees agreed with the vendor. I had people telling me that I didn't understand Linux, which I found quite entertaining.
A
Yes.
C
Lots of people telling me I was a Luddite. I didn't understand the future. I was just the Windows fanboy. And ultimately I don't think I convinced a single person in that session.
A
Right.
C
But it did inspire me to try and spread the word to everyone else who might be a bit more open minded.
A
And you did have some success in that respect. And that brings me on to another question, and I'm going to try and stick with you now. Things that are slightly controversial now, having inadvertently accused you of shilling for SANS, having done two plugs, I'd forgotten I was going to ask this question because it's a belter. So last year you wrote an article on LinkedIn and, you know, it's called "Cybersecurity certifications, are they worth it?" Well, that's hardly something SANS would have
C
paid you to do. Absolutely not.
A
So this is a SANS podcast. So cybersecurity certifications, are they worth it? Yes or no? All right, you can have the classic cybersecurity answer of "it depends". But what does it depend on? And more seriously, how does this whole debate about certifications, which has been running for a very long time now, what does it tell us about the state of our industry and the whole battle to get an opportunity, enough skilled people into the fight that you've been in and inspired so many others to get into?
C
So I'm going to avoid doing the consultant trope and saying it depends, although that's kind of the answer I want to give you. Put me on the spot.
A
Yeah.
C
So I'll. I'll veer away from that. I'm going to say yes.
A
Okay.
C
I do think they are actually genuinely. And this has got absolutely nothing to do with any relationship with SANS or anything. I believed in them. The reason why I have a relationship with SANS is because I believe training and certifications are essential, not the other way around.
A
And why is that?
C
Well, ultimately, so certifications, there's kind of two ways of looking at them. There is a certification whereby you can demonstrate that you know something. So if I go and do something like the cloud security certificate, it's just a straightforward exam that shows I understand the cloud. That type of certification allows you to go to other people and create that sort of, like, selection of trust. So, for example, let's say if I want to be an expert witness and I want to present to the courts that I have expert credentials, I can present to the court: here is a certification by this recognized body that says I know X, Y, Z. That makes my ability to be an expert witness much easier. If I'm applying for a job, it makes my ability to demonstrate to the hiring manager that I know something much easier. I'll come back to that because there's a little caveat there. That's where people get the most frustrated, I think. But the expert witness one is pretty useful. That's one type of certification. They are absolutely worth it. They allow you to demonstrate to people that you can do things, maybe an insurance company, maybe a hiring manager, et cetera. Where it really pays off, though, are the ones that teach you something as well. A training class followed by a certification, for example. And I think this is where the biggest advantage can happen for cybersecurity as an industry. Really, we've got lots of people, and there are a couple of caveats. We'll hold onto that for a second. There are lots of people who need to know more. I said early on that we've got an entire industry of people who maybe did a university class in 2004 and think ext3 is the default file system in the entire world, which hasn't been true for a decade.
A
Yeah.
B
I do miss it, though. It's a nice file system.
C
The easy days. By doing training, we can improve, we can become better, that we can learn what the state is today. And that to me is the essential thing. We've got to learn new skills. Even if you think you've got a set of skills like the very first. I'll use the air quotes on this so you can't see them. The very first cyber investigation I did was like 1993.
A
Right.
C
The skills that I use today are completely different. So I have to keep doing training and learning to keep that improving. Yeah, but that's the value. The bit that I've kind of hedged away from that leads to a lot of discussions are people start to get a little bit focused on maybe the numbers, which I think is the challenge. We mislead ourselves. There's a couple of perceptions that people tend to have and a lot of it is that simply having the certification or the training isn't always enough.
A
Yeah.
C
So I could have, let's say, I mean, I've been an expert witness in the past. I have been eviscerated on cross in the past. Despite having certifications, it didn't save me.
A
Oh, sure.
C
But without the certifications I wouldn't have had the chance. And I think that's quite a significant thing. There's also the cost benefit trade off. And I think without drilling into numbers, the reality is we've got a lot of people who are in a very well paid industry. They should be willing to invest in making themselves better if they want to continue to be well paid.
A
Yeah.
C
That's the bit that creates the most arguments with people. I think we've got to understand this. And from an employer's point of view, there's the old Henry Ford saying about, what if I train my employees and they leave? What about if you don't train them and they stay?
A
Yeah, very good point.
C
That's the biggest problem. So for me, long winded, roundabout way.
A
Very good.
C
They absolutely are worth it to me.
A
And we'll put your LinkedIn post in the show notes because it's very, very good and very balanced. James, thank you.
B
It is indeed. And as you note in the post, you know, there's no silver bullet. One is in charge of one's own career and there are ways to do this without certifications. If you'd like to, and you suggest some of that too. But again, I admit confirmation bias in thinking that take is right from my perspective. But let's pivot to a couple of other spots before we run out of time. Taz, which I knew was going to be a problem on this podcast. Just a question here about people in cybersecurity, one about the community and mentoring. You know, it's very clear from, for example, your last LinkedIn write up that you're passionate about seeing people vicariously succeed in this industry. And you've done a lot of this. You've spoken and written very proudly and movingly about it. Tell us a bit more about that and what you think could be done to bring more talent through to face these future challenges.
C
We've got to help each other more ultimately. We've got to understand the fact that there's a little bit of a perception, in a minority of the community, that if you help people, they're going to take your job. So I see this on occasion with incident responders. They're very reluctant to allow SOC analysts to sit alongside them because they feel if the SOC analyst can do it, they'll lose the job. That's not how it works. Everything about cybersecurity is community driven. No one ever believes me when I say this, but I am an introvert. And even if you don't like being around and talking to people, in cybersecurity you've got to find a way to make that work. You've got to share information. Our threat actors are doing it. Threat actors have very active communities, they have active knowledge sharing. As defenders, we've got to get more into this. We've got to be more active. We should attend more conferences, we should go to things like BSides, we should be talking more. And I don't want to get told off for talking about SANS too much again. But as an example, pretty much every SANS class I teach, someone on the class says to me, oh, here is this great tool I've written, here's my GitHub, here's this thing I've got. And that's then something that everyone, me included, can take away and utilize in our future work. And just by simply being around people and sharing these ideas, that's where cybersecurity gets better. It is awkward. I understand that. Lots of people, we have certainly a stereotype within cybersecurity of not liking to talk to people. But we're amongst friends. This is the ideal opportunity to discuss topics that we've got a shared interest in. I think this is really how we can make cybersecurity better across the board.
B
I love that, Taz. And you know, look, I think the next few years of cybersecurity are going to be very interesting. Whether you're, you know, hands on keyboard, you're kind of in a SOC, you're doing malware reversing, you're pen testing, you're in security leadership, AI as well as the eternal pressure of kind of threat actors will significantly reshape the profession. I don't think it will eliminate roles. I think there will be more of them, but the roles will be different. And, you know, working through that disruption using these technologies so that we come out with more good versus bad just requires that type of community engagement and discussion and togetherness. And I just want to underline the thing you said. The bad guys are doing it. So if we don't, we are going to set ourselves up for failure. So a crucial and important point there, and lots of opportunities to get engaged in the community. And many of them don't even have to be expensive. They can be free. But Taz, I do have an important last question for you before we go to a close here, because I know we're burning through time. We mentioned in the opening your ludicrous collection of animals. We're reliably told at this time of recording that you have two pigs, four goats, two donkeys, a pony, a horse, six chickens and five cats. So three questions. One, why? Why? Two, how? Like, I only have the time. And three, perhaps most importantly, are they named after threat actors? Like Extra Excitable Pony, Punitive Goat. I mean, we could have great fun with this. But are they named after threat actors? And if not, why not?
C
So I'll go through the three in reverse. No, they're not named after threat actors. Now you've said it, though, that's a fantastic idea. I really like that. I think any new ones will be from now on. Generally, most of them have really boring names. So, for example, the goats. Goats are registered animals. So they have a little tag in their ear with a number that's registered in, like, the council's list. So I just call them by their number, like 406 and 428 and stuff like that. I haven't actually named them even though they're 10 years old now. How do I find the time? With difficulty. I think the key is, like you said early on, I just avoid sleep. Most of my work is actually done outside UK hours as well, which kind of helps a little bit. And now we're getting into summer, it's a bit more daylight. But the big one, why? The interesting question about that is I don't really like being indoors, I find. I mean, let's say if you spend 12 hours working an incident and you need a way to decompress, going outside and trimming a goat's hooves, fighting the goat to let you trim its hooves, getting beaten up by the goat, that's a very, very good way to just kind of wash it all off.
B
Yeah, it sounds like a future incident response presentation: "That Time I Fought the Goat".
A
Well, and it's also a pretty convincing answer, because I can't imagine there are too many incident responses that you can lead from the outside. So dealing with all these things, wrestling horses, is a good way of decompressing. I know we're running out of time, but I can't resist this. Given that James said, you know, there's endless potential fun in this game. We don't have time for much. But here's one bit. Okay, I'm gonna read out four animal related threat actor names, and you have to tell me which one is a real, actual threat actor named by a credible cybersecurity company. Is it Mournful Donkey, Indifferent Pig, Charming Kitten, or Resentful Chicken? Which one's real?
C
The kitten?
A
Yes.
C
It's CrowdStrike's.
A
Iran nomenclature, isn't it?
C
Lots of work with CrowdStrike. CrowdStrike's naming conventions I know the best. If you'd have said one of Microsoft's, I'm done.
A
You know, I thought Mournful Donkey was almost plausible.
C
Yeah, I like that, though.
B
That is good. Last season I suggested Erudite Badger, and no one has made that happen yet, so I'm quite sad about that.
C
Oh, I know.
B
We've covered it. So we've got to stop. We've got to stop. We're out of time, Kieran. I'm going to put the brakes on the threat hunter names, but no doubt we'll have Taz back with a Terrified Ferret.
C
Stop it.
B
Okay, we'll have him back for an update on his farmyard animals and presumably his new acquisition of several ferrets based on that suggestion. So, look, Taz, we are gonna have to bring things to a close, but there is a pretty key thing we like to do at the end here, isn't there, Kieran? My favourite bit.
A
Yes, yes, your favorite bit. Go on, tell them what it is.
B
So, Taz, look, as you know, it's only fair if we have people listen to us about our, you know, naming conventions and so on. We give them something really pithy and useful at the end. So we are asking you for your 30 second takeaway. So, Taz, this is a podcast about lessons for cybersecurity leaders. So if you've got 30 seconds with a cybersecurity leader, what would you advise them? Something to pay attention to, to ignore, whatever it may be. 30 seconds of brilliant wisdom.
C
Fully understand your network. Don't rely entirely on things like CMDBs or existing network diagrams. Understand the actual data paths. Understand where people can access things. Understand where the data resides. That's the 99% of every single intrusion I've ever worked. If you can know your land better than the threat actors, you can respond better, you can defend it better.
A
Oh, my God. I think that's the first one that's ever come in in under 30 seconds. That's the most Taz thing ever. That's fantastic. And very, very useful.
B
Highly efficient.
A
Maybe I'll have to slow it down on the broadcast version to overshoot 30 seconds like everybody else. Well, look, thank you, Taz. That was incredible. That is it, sadly. It was brilliant. Tour de force. So much there, and one of the best takeaways ever. So thank you, Taz. Thank you for joining us.
C
Thanks very much.
A
Thank you to everybody for listening and you can leave us feedback at the podcast site or you can email us@cyberleaderspodcastans.org tell us whatever you want.
B
And with that, thank you for listening.
A
Thank you for listening. Keep cybering. So for me, Kieran Martin, and me,
B
James Line, it's goodbye and I'm off to buy a ferret.
A
Bye bye, Sam.
Host: SANS Institute (Kieran Martin & James Line)
Guest: Taz Wake (Incident Responder, Threat Hunter, SANS Instructor)
Air Date: May 8, 2026
This episode explores the high-energy, high-stakes world of cyber incident response and threat hunting through the career and insights of Taz Wake, a seasoned security professional. The hosts, Kieran Martin and James Line, dig into Taz’s journey from military intelligence to the forefront of cybersecurity, diving deep into the skills, mindsets, and industry myths that define and challenge defenders today. The conversation blends expert advice, memorable war stories, industry myth-busting, and reflections on community and continuous learning.
“As an intelligence operator, I'm attempting to gather information from the enemy and as a security operator, I'm attempting to prevent the enemy gathering it from us.”
— Taz Wake [06:17]
“There is a feeling at the end of it, you've actually made someone a little bit better.”
— Taz Wake [13:47]
“A great incident responder has to be the calm in the storm.”
— James Line [17:27]
(Taz: “That's probably the best summary I've ever heard… I’ve written it down.” [18:00])
“If both sides have AI, then once again the edge is human.”
— James Line [20:55]
“The key truth of cybersecurity is tomorrow you need to learn something that you didn't know today. This is a constant thing.”
— Taz Wake [24:30]
“Without the certifications I wouldn't have had the chance. And I think that's quite a significant thing.”
— Taz Wake [34:44]
“Fully understand your network. Don't rely entirely on things like CMDBs or existing network diagrams. Understand the actual data paths. Understand where people can access things. Understand where the data resides. That's the 99% of every single intrusion I've ever worked. If you can know your land better than the threat actors, you can respond better, you can defend it better.”
— Taz Wake ([42:16])
The episode balances warmth, humor, and candor—mixing banter with actionable wisdom. Taz’s honesty about successes, setbacks, and the challenges of myth-busting, as well as the hosts’ recurring jokes about animal names, keep the mood light but serious where it counts.
For listeners who missed the episode:
You’ll come away with seasoned perspective on incident response, threat hunting, industry culture, and the importance of staying humble, curious, and connected. Plus, you’ll never look at goats—or CrowdStrike’s threat actor naming conventions—the same way again.