A
All right, what's up, everybody? Welcome to the party. It's Friday. Ric Flair, where you at? All right, it's Friday, May 8, 2026. Welcome, y'all, to Simply Cyber's Daily Cyber Threat Brief Podcast. As always, I am your host, Dr. Gerald Auger, coming to you live from the Buffer Overflow Studios here in the Lowcountry. It's episode 1128, and over the next hour, me, you and the entire Simply Cyber community are going to be absolutely eviscerating the top cybersecurity news stories of the day. Ripping the top off, going deep down in the well of the story, getting the surface level, you know, what's new and what's going on, as well as getting additional insights and value. So if you're looking to level up as a practitioner, give back as a contributor, or just be part of a sick community that's doing it right, you're in the right place. So get your coffee, get comfortable. We got a great show for you. Let's go. All right. Yes. How we all doing, everybody? I hope everyone's having a great Friday. Friday. Yesterday's episode of Simply Cyber Firesides with Matt Brown was an absolute heater. So if you missed that one and you want to learn about hardware hacking, penetration testing on IoT embedded devices, it was just amazing. Awesome, awesome, awesome interview. Go check it out. I think you'll really enjoy it. It is Friday, everybody, so we got a bunch of things going on. Of course we're going to be going through eight cyber stories of the day, maybe a bonus story. It looks like I'm getting this right now. Hold on, let me do my guy on the street thing. Yes, yes. It's coming in from the field reporter DJ B Sec, confirming that AWS data centers in Virginia are running hot and there are data center outages. We'll be reporting live from the scene, quote, unquote, live from the scene later on in the episode. Potentially, as CISO Series stories are typically not that piping hot fresh.
They're more like the bread in the aisles of the grocery store as opposed to the bakery section. If you're picking up what I'm putting down. Now, of the eight stories, do you know how many I've researched and prepped for? I'll give you a hint. Zero.
B
Ain't nobody got time for that.
A
That's right. I give it raw. This is the only. Listen, I did some research on this the other day. This is the only cybersecurity news podcast that exists that gives you practitioner insights, context live, and allows you to talk back to the show. So we are one of one in that capacity. So I don't research or prep because I got 20 years of knowledge. I got a lot of hot takes, and where I'm. Where I have gaps or weaknesses, because nobody knows everything in cybersecurity, believe that, there's a ton I don't know. I am fortunate to have you, the Simply Cyber community, with all of our complementary skill sets. So no matter what the story is, it doesn't matter, because we are going to derive value from it. Now, every episode of the Daily Cyber Threat Brief is worth half a CPE. We're doing the. I'm doing the infrastructure change from 1 to 3 p.m. today. Got a maintenance window. Oh, my God, what a nerd. Doing maintenance windows, guy. Just. Just YOLO it in prod. Nope. Nope. If you're gonna preach about the right way to do things, you've got to do them yourself or you're an absolute hypocrite. So I will be. I've been sending out emails to folks, 1 to 3 p.m., doing the infrastructure changeover. The Simply Cyber website's gonna have a fresh, so fresh and so clean, clean look today. And then we'll be able to get the CPE capability implemented. So hopefully that will be in place for next week. But for now, say what's up in chat, grab a screenshot. Happy Mother's Day to all the mothers. Yeah, exactly. Happy Mother's Day to all the mothers. Say what's up in chat, grab a screenshot. That is your evidence that you are here. Now, if you're here for the first time. What's up, my friend? Holla, holla, holla, holla. Welcome to the party, pal. We have a little thing we like to do here for our first timers. Drop a hashtag first timer in chat. Hashtag first timer in chat. We love our first timers. We have a special sound effect. We have a special emote.
We've got all the special things for everyone here so you can be recognized. Hold on one second. I've got a. I got to do something here really quickly. Copy invite link, update calendar invite, add the location. Bra. Bra chop. There we go. Get Jessica Hyde in here for the Cyber Career Hotline. That's going to be nice. All right, so if you guys see some first timers, holler at me, let me know and we can welcome them. How do. What do you do if you're a first timer? If you're listening right now and you're a first timer, if you're on LinkedIn, if you're on YouTube. What's up, what's up? Drop a hashtag first timer in the chat. Just get your fingers on the keyboard, Shift 3, F-I-R-S-T-T-I-M-E-R, enter, and then watch it rain good vibes. Now, every day of the week here at Simply Cyber's Daily Cyber Threat Brief has a special segment, and Fridays is reserved for James McQuiggan at 35,000 ft. Dad jokes of the week. Now James, very similar to Dan Reardon's haircut fish with his memes of the week on Thursday, James always makes his jokes very topical, very relevant to the now. You're not getting evergreen dad jokes. Nope. And this week it's Mother's Day weekend. James has got Mother's Day jokes. I don't look at the jokes ahead of time, again. So you get my initial reaction. I am, I am, listen, I am literally a consumer of the show. I just happen to be also the host of the show. I love this show. I love where it goes, I love seeing what happens. So stay tuned for the mid-roll when James McQuiggan is going to absolutely delight us. And then finally, guys, as if the value train wasn't already amazeballs. At 9 a.m. Eastern we do another show. It's kind of a hidden gem called Cyber Career Hotline. So if you've got any questions around cyber career, certifications, job market, tooling, home labs, anything, stay tuned for that. On Fridays we do a panel. We're going to have a digital forensics very seasoned expert today.
So if you have a question around that space, now would be the day to do it. Every single day or every single episode of the Daily Cyber Threat Brief is sponsored. Thank you very much, sponsors, for enabling me to bring this show. This SANS Podcast of the Year award-winning show, I might add. Oh my. Did he just go there? Oh, he went there. That just happened. Right? Starting with Flare, Cyber Threat Intelligence Platform. Flare's Cyber Threat Intelligence platform is sick. If you want to know what dark web threat actors are planning, if you want to know endpoints and users that are compromised in your environment that your tooling missed, Flare's Cyber Threat Intelligence platform can assist with that. Flare's team goes out on the dark web with sock puppet accounts, impersonating things. They data mine all of that forum, all of that Telegram channel traffic, bring it back, make it very, very queryable for your organization, VIPs, end users, and basically you can find out if you've got a big problem in your environment. Find out before bad actually happens. Right? This isn't 1995, where, like, push key, go boom. Threat actors plan, they do recon, they get inside and then they execute. Get in line and stop that from happening with Flare. Right now, you can check out Flare's cyber threat intelligence platform for free. Yes, free for two weeks, which is plenty of time to test the platform. All you have to do is go to simplycyber.io/flare, simplycyber.io/flare, and you can put in your information and get a two-week free trial. They will have to verify your identity first because this is too powerful for a threat actor. This would be like a threat actor, you know, Cadillac package for beginning to commit crime if they let them in there. I also want to say holler to Antisyphon Training. Antisyphon Training, disrupting the. Hold on, we got some four years. Holy crap. Not Only IT. Not Only IT. Four-year membership. My guy just became best friends.
B
Yep.
A
Happy Friday. Thanks for 4 years of info and learning. Hope everyone's well. Happy Mother's Day to all of us. Glum Hippo with a 7.11 super chat. Thank you, Glum Hippo, as always. All right. Wow. Okay, so Antisyphon Training. Oh yeah. Alethe Denis has got an Anti-Cast coming up this Wednesday, guys. I'll drop a link to this in chat. I told you. Alethe Denis is the social engineering practitioners' social engineer. She is awesome as a human and as a professional. If you want to learn, the fact that you can learn from her for $0 is insane. Go to Antisyphon Training. I dropped a link in chat. Register for this webcast next week and learn how to build a bulletproof pretext. I might add, as a defender, you can study these techniques to learn when someone is selling you a pretext. Oh my God. The value train keeps on going. Big fan of Alethe Denis. She's just great. Really, really big fan of hers. You want to know what else I'm a big fan of? ThreatLocker's application deny-by-default security platform. Application deny by default, or allow-only listing, is a very difficult problem to solve. ThreatLocker has done it and they've scaled it. Many, many enterprises, including JetBlue, are using ThreatLocker to basically protect themselves from malware that's running for the first time ever. They do it on the endpoint and now they do it in the cloud. This product is legit, yo. And I got to tell you, when. When ThreatLocker IPOs, because they're going to go public soon, I. I would imagine. You watch this thing explode, I guarantee you. Not financial advice. I'm just saying, usually if a product's not good, it doesn't get a lot of customers and financial support and everything, right? So the health of the company financially is an indicator of how good it is as a product. I'm telling you, I've looked at this product. It's great. I know people that use it, they love it.
Let's hear from ThreatLocker, and then I didn't see any first timers in chat, but for all you long timers, we're going to rip the top off and just light this, light this candle. I want to give some love to the Daily Cyber Threat Brief sponsor ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team. Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. All right, my friends, it's that time. Do me a favor. Not Only IT, sit back. Brexy Brexy, relax. Glum Hippo, let the cool sounds of the hot news wash over you in an awesome wave. I'll see you guys at the mid-roll. Let's go.
B
From the CISO Series, it's Cybersecurity Headlines.
C
These are the cybersecurity headlines for Friday, May 8, 2026. I'm Steve Prentice. PAN-OS RCE exploit under active use, enabling root access and espionage. This is a recently disclosed CVE-numbered flaw that researchers at Palo Alto Networks are warning may have been exploited by threat actors, if only unsuccessfully for the time being. The bug carries the new dual CVSS score of 9.3 and 8.7 and is a buffer overflow vulnerability in the User-ID authentication portal service of Palo Alto Networks' PAN-OS software. Fixes are expected to be released May 13, and customers are advised to secure access to the PAN-OS User-ID authentication portal by restricting access to trusted zones or by disabling it entirely if it is not used. The company also said it was likely a state-sponsored threat group behind all of this, stopping short of naming a country, but indications tend to point towards Chinese origin. Polish intelligence says hackers attack water treatment control systems. Stop.
A
Yeah, okay, so PAN. PAN. PAN-OS. Palo Alto is a super uber enterprise-grade legit networking solutions company. You know, they have a bunch of solutions, they even have an MDR service. You may have heard of Unit 42. We have some Simply Cyber community members that are up in there. Very legit. Now, when you are an enterprise-grade company, you have lots of employees, you have lots of software in your technology stacks, and occasionally bugs can happen. Now, this is a pretty gnarly one because, first of all, it is being actively exploited in the wild. Anytime you hear active exploitation, your, your head should come up, right? Like, hold on, let me do this one. Yeah, I know we covered this yesterday. DJ B Sec, our, our bleeding edge reporter at the breaking news desk, broke this yesterday. Again, I have a call with CISO Series next Tuesday. We're exploring, you know, community curated news stories. But what I want to show you is Leonardo DiCaprio, and I'm spelling this out for people who are watching on replay, not replay, audio only, because you can catch this show on Spotify and Apple Podcasts. This is a meme, right, of Leonardo DiCaprio from Django Unchained where he's like, at first you had my curiosity, but, but now you have my attention, right? So that's the meme I'm looking at right now. This is, this is what you should think of as a cybersecurity professional. All right? When you hear vulnerability, you have my curiosity. When you hear that it's being actively exploited, now you have my attention. This, this meme is like how you should think about these things. Remember, vulnerability is like leaving your car unlocked. You're not, you're not, your car's not robbed just because it's unlocked. But when you hear that there's an active burglaring going on like Bilbo Baggins in your neighborhood, well, that's active exploitation. You have my attention. Okay, so always think about it this way.
Now, Palo Alto, not only is it super legit, PAN-OS is the operating system that interfaces to the network solution stack. Most people are using Palo Alto for enterprise-grade network infrastructure like firewalls, VPN concentrators, you know, WAN backbones and stuff like that. So pretty important network technology, pretty important critical infrastructure for an enterprise. So when you get root access on it, that is not good. And when you have a nation state, allegedly like China, doing it, China's got the resources, the know-how and all the time in the world to exploit this. So what does that mean? That means, number one, I don't care if you're a small business that makes milkshakes and you just, for some reason, you have a Palo Alto network device, or you are Microsoft, you've got to patch it. Okay, first of all, ah, you gotta patch it. Second of all, you really got to go threat hunting to see if this is a problem. They, they do have some remediation stuff in here. What's bananas to me is that it is a buffer overflow attack, okay? Or buffer overflow vulnerability. Also essentially a buffer overflow attack. And I've heard some people say in the past couple years, I'm not going to name names, but one specific time I remember someone saying, oh, like, buffer overflow attacks are, you know, not relevant in, you know, modern times. No one does buffer overflows. Like, I'm an offensive security professional, nobody does buffer overflows. Well, I got news for you. Buffer overflows are very much real and very much being exploited by some of the most skilled practitioners, advanced persistent threats in the world, nation state, military grade people. Now, Palo Alto's User-ID authentication portal having the vulnerability is insane to me. Like, literally the buffer overflow can happen through the login portal. My guy, that is something that has to get caught during QA testing. But anyways, the, the TLDR is whenever you can do a buffer overflow.
For those who are not familiar with it, when you do a buffer overflow, you're basically able to control the instruction pointer and be able to write. Typically you can. Okay, I'm gonna, I'm gonna go a little deep on this one. But for the most part, most people don't need to know this. All you got to know is the outcome. When you run something on a computer, it has to allocate memory. It allocates this big chunk of memory and it has memory addresses, okay? And then it loads and it runs down the process that you're doing. Well, when you do a buffer overflow, you're able to run past the allocated frame of where the memory is, and then you can get down here, which is, like, overflowed over the stack, okay? Now, when you're down there, if you can control it, you can write your own memory app, control the instruction pointer to go somewhere else. So a classic buffer overflow is you have it go down and then you, you tell the instruction pointer to go back up into that variable space where you write your own shellcode, okay? And then basically it's game over because now, now the computer is executing the instructions of the shellcode that you've stuck in that buffer. Okay? Again, the TLDR is, you take control of the processor's execution and start having it execute its own things. In this case, you can see here that it's allowing them to execute arbitrary code. Of course, arbitrary code is your shellcode. All right, let's see. By the way, modern, modern, like, operating systems, because it's an operating system thing, you're controlling the flow at that point. Modern operating systems have come up with defensive mechanisms around this. If you want to get into the weeds on it really quickly, just for additional insights and for students who are, like, super into this stuff. The original one was DEP, Data Execution Protection, and ASLR, which I forget what that acronym stands for, but it's like address layout random, randomization. I forget what the S stands for.
But basically the preloaded Windows functions getting randomly allocated into memory, that way they weren't known. So a threat actor couldn't just point to that function. Windows function. Folks were able to get around that. And now you can look for a control flow guard, or CFG, was kind of the next thing. And if you want to be an attacker, look for ROP, which is return oriented programming, and JOP, which is, I think, job oriented programming or jump oriented programming. Okay, so getting back to Palo Alto's hot mess express here. The issue came out Wednesday. Today's Friday. So you've been riding dirty for two days now, hopefully. I feel like Palo Alto, as an enterprise-grade solution. Small companies aren't buying Palo Alto. Enterprise companies with dedicated networking teams are buying Palo Alto, which means Palo Alto very likely reached out and communicated to these individual customers on this problem. So chances are, if you have PA, you're already aware of this, you're not getting it from me. They've seen unsuccessful exploitations since April 9, which is a month ago. Gross. Yeah, once they get in there, it's game. I mean, they do persistence and, and additional payloads. Right? That's a standard practice. All right. You may have a big problem on your hands. Okay, so if you're running Palo Alto, definitely want to spend, I would say, at least half an hour trying to figure out if you were compromised by this issue. So you want to run two things in parallel when it's a story like this. I don't care if it's Palo Alto, Cisco, Aruba, Microsoft, your EDR solution, it doesn't matter. When you have an enterprise-grade tool or solution in your environment, and a story like this breaks, what you need to do. Here's the playbook. You got two parallel lines running. One. Well, first of all, you got to qualify. Does this affect us? Yes or no.
B
But.
A
But then, if yes, the qualified lines is getting it patched as soon as possible and making sure that, you know, you're doing it in an appropriate, responsible way for your business environment. And then two, threat hunting and confirming or verifying whether or not you were compromised or exploited in that window. And if you are, you got to kick off IR. DJ B is reporting that the first patch is supposed to be out by the 15th of May, and there are mitigations until this patch becomes available. So you guys got a week of riding dirty. Put those recommended mitigations in place. Wow. You can go now. Computer.
C
The country's internal security agency, ABW, said water treatment stations in six towns were targeted last year, with attackers gaining access in some cases to industrial control systems, posing a direct risk to the continuity of water supply operations. While not identifying any specific groups, the agency acknowledged intensified hostile cyber activity from the Russian Federation. Ivanti warns.
A
All right. Polish intel warns hackers attack. All right, so, dude, the Russians. It's the Russians. Was that in Red Dawn, the 1984 one with. With Patrick Swayze? I feel like there's a line in there where they scream, the Russians. By the way, did not see the reboot of Red Dawn that had Hemsworth. If anybody has a thought in chat on whether or not the reboot of Red Dawn was good or not, let me know. Also, yesterday I said that Sneakers, the movie Sneakers, which is a classic cybersecurity movie, needed to be rebooted. Daniel Lowry almost lost his mind. So there's a hot take for everybody too. All right, so the Polish are reporting that Russia is attacking industrial control systems. Russia's playbook has always been pretty good at attacking critical infrastructure to disrupt it, right? Famously. They've done it to Ukraine a couple times with their energy sector. You don't want to mess with water, guys. Okay? I know that Justin Gold has got. Still has, like, a thousand yard stare from working in water, but, dude, water is important. Like, if we don't have water as humans, things collapse pretty quickly, right? Like, if you got up this morning, couldn't flush the toilet or turn on your sink. You ever had pipes freeze in your house? It's a bit unnerving, right? You're like, oh, my God, this has become an immediate issue. So what is happening here? It seems like Russia is just, you know, kind of cyber terrorizing Poland. More than anything, Poland is. I would assume the reason that they're doing it is because, yeah, Poland's become a major logistics hub for Western military aid to Ukraine. So, you know, basically, you've become a friend of someone we're attacking, so now we're going to disrupt you in order to make it painful for you to want to continue. It's. It's no different. Okay, imagine, if you will. This is, like, the most stupid analogy ever. But imagine, because this happened in college, right? Like, imagine that you're squaring up with someone. You're gonna.
You're gonna fight someone at a bar, okay? Just hypothetically speaking, you're gonna fight someone at a bar, but then his. Like, his buddy over here. Like, you know, you're dealing with this guy, but his buddy over here is getting a little froggy, right? And you're like, okay. And he's like, you know, starting to circle right now. Now, this guy's a problem because he's helping him, right?
B
So.
A
So imagine you just, like, kind of give that guy a little backhand action. A little backhand action, right? That guy right here, this guy doesn't want any of the fight. This guy's the one who's had too many Coors Lights and has an issue. This guy's just protecting his buddy. But this guy right here, he's had a little bit of pain. Little. Little backhand. Little backhand, right? That's what Russia is essentially doing to Poland. Wanting Po. Like, basically trying to get Poland to not want, like, what. What's more painful, having your wastewater treatment shut down and being able to help Ukraine, or being left alone, but also leaving Ukraine alone. That is the. That's the decision that Russia is trying to do right now. Okay. All right. Marcus Kyler pointing out how easy the job is up here. All I got to do, Marcus, is spit obvious facts. Water's important, news at 11. I'm joking. I love Marcus Kyler, your digital pastor. It's just he. At SimplyCyberCon 2025, he made a. A light ribbing during his talk that I always bring up. All right, let's see. Several water facility incidents are linked to a Russian hacktivist group that posted propaganda videos of the intrusion online. All right, so here's the deal, guys. Number one, this is cyber terrorism. If you're looking for cyber terrorism examples, this is one. They are literally causing, you know, chaos and disruption for Poland. That's. That's essentially what it is. Okay? Hacktivists are gonna hacktivist, right? Let's see. Holy crap. Poland's incident response team has recorded 40,000 reports. I don't know. Hey, the pain is the pain in chat. He wants to move to Europe. It sounds like Poland might be hiring. Jeepers, man. All right. A lot of espionage going on in Russia and Belarus as well. All right. Says Poland's responded with arrests, expulsions and diplomatic measures. Sure, sure, sure. But the thing is, you can attack over the Internet, so I don't know how.
Like, Russia is not going to volunteer hacktivists that are operating inside Russia's borders to Poland for doing crimes against Poland, because it helps. It helps Russia's cause. Right? All right, so this is the story. The TLDR here for everyone is that, you know, critical infrastructure is brittle. A lot of critical infrastructure is brittle, and you have to be prepared to continue to operate even when you're suffering attacks. Now, the intrusions likely were through crappy access control mechanisms. Make sure you tighten up the access control. If you're interested in learning more about industrial control systems and OT and protecting them, I would suggest ICS Village. That's a great place. And Mike Holcomb, H-O-L-C-O-M-B, on YouTube. Bro of
C
New EPMM flaw exploited in zero-day attacks. Ivanti issued a warning to customers yesterday to patch a high severity remote code execution vulnerability in Endpoint Manager Mobile, that is EPMM, which is being exploited in zero-day attacks. This CVE-numbered flaw stems from an improper input validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12 and earlier. Ivanti is advising customers to review accounts with admin rights and rotate credentials where necessary. Internet security watchdog Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them from Europe and North America.
A
All right, so Ivanti. Ivanti's had its turn in the barrel last year. If you remember, Ivanti's EOL or Policy Orchestrator and their VPN solution got slammed. In my. I've worked at an environment that had Ivanti for its endpoint management solution. It's, to me, Ivanti, if you've never heard of it, it's basically like a middle tier, you know, middle tier, enterprise-grade, like, IT centralized management solution thing. It can do software inventory, it can do endpoint management, stuff like that. And obviously they have other solutions that plug into their stack. Now, this particular one is Endpoint Manager Mobile. So this would be like the. Your Intune, if you will, you know, comparable. That is, I would assume, allows you to manage, you know, where devices are, enrolling devices. Profile. Not profile testing, but what's the term when. Oh my God, I can't even think of it right now. But there's a concept that is pretty popular where, like, if the device doesn't comply with minimum standards, pro, like, profile verification, you don't allow it on network segments or you don't allow it to access certain resources. Anyways, with a high severity RCE out there, super not good. As they said in the story, you can find these endpoints, these Endpoint Manager Mobile servers, using Shodan, right? Like, you can find these and then exploit them. Now, you have to be able to not just find it, but then execute the exploit, right? So how is it exploited? That would be the next question. Okay, first of all, first of all, this, this CVE's got to have a low, a, a low value. Oh my God. Come on, man. I'm gonna use DJ B Sec's EPSS tool really quickly. Unexpected response from API. All right, DJ B Sec, I've got a, I've got a. I've got a fringe case, buddy. Not working here. But it requires the attacker to already have administrative privileges. Okay, all right, guys, so here's the thing. Remote code execution of an Internet-facing asset is bad, real bad.
When it's a security tool that manages your endpoint, mobile endpoint deployment. However, you have to have admin privileges, which means either, A, you have to chain this together with another exploitable vulnerability, or you have to phish admin creds from a user in the environment, which, which I just want to point out, if I have administrative credentials already, I kind of own that thing already. Now, this remote code execution may allow you to take over the server operating system underneath the Endpoint Manager Mobile application platform. Right? Because that platform's got to be hosted on hardware somewhere and the hardware has to have an operating system, so it could be worse. But dude, you already have admin creds on this box. So the likely, I mean, if you're doing a decent job of cybersecurity, then your, your IT admins are not using crappy passwords. It likely has multi-factor authentication on it. It better have multi-factor authentication on it. So you do have kind of a window of opportunity to get this sorted out before it becomes exploited. I just want to point out this is what defense in depth is like. If you, you, if you've heard the term defense in depth, or you haven't thought about it in a minute, and you were looking for a concrete example, this is it. So if someone has admin privileges, they can exploit this thing. But if you make sure that you use good credentials, if you make sure you have MFA, then you'll be all right. Okay, quick shout out. Get your Kool-Aid Man ready. It is EPMM that's exploitable, not EPMD, because they're rock solid. By the way, EPMD is like one of the OG, OG modern hip hop godfathers, grandfathers. Right? Like, they, they kind of brought it onto the scene. Same with, like, Eric B. & Rakim. They were around at that time. Let's see. Plus, dude. Okay, so Shadowserver, 850 IP addresses. Now that's 850 businesses, right? So I'm not downplaying the impact, but this isn't like 3 million businesses. This isn't, you know, widespread.
Everybody's going out of their mind today. Now, most people are in Europe that are vulnerable to this. They do mention, if you are exploited, rotate your admin credentials. Of course, because your creds are already compromised. It may be worth spending 15 minutes today just looking at your authentication logs today, just really quick, and looking for any admins that logged into the Ivanti EPMM platform and just see if there's any unusual logins. Okay.
C
DOD contractor's API flaw exposed military data. User records and military training materials were exposed through API endpoints that lacked meaningful authorization checks, according to a report from Strix, an open source autonomous security testing project. The platform at the center of this is called Schemata. That is Schemata. It is an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata, and direct links to documents hosted on Schemata's Amazon Web Services instances. The exposed information included names, email addresses, enrollment details, and the military bases where US service members were stationed.
A
All right, so, I mean, this has a little bit of additional concern simply because we are at, just, I don't care how you define it, we're at war in the United States right now. So, you know, your military service members having their locations doxxed is not good. Okay, so here's the deal. This is a third party flaw. Like, the DOD didn't do anything wrong. They're using some third party in order to provide training. The, the. This company captures a bunch of information like every other company. And because of an API flaw, threat actors were able to query that API and dump the information, including name, email, base assignment, course materials, etc. In, in my, I don't know, man. In my opinion, like, sure, I don't want names and emails and stuff to get dropped, but for the most part, like, I don't think that this is devastating, right? It's not like it's, like, their mission orders or, you know, national security secrets. Okay, I, what I do want to point out, I do want to point out that a low privileged account was able to access this data across multiple tenants. It was in AWS. Now, whether it was in AWS, Google Compute, Azure, it doesn't matter. The problem was that there was an improperly programmed API allowing, basically, you to bang on the API. If you work in pen testing or you want to work in pen testing, understanding how to abuse APIs is definitely where you want to be focused. Also, Matt Brown, hardware hacking extraordinaire, yesterday said that, you know, when he hacks on embedded devices and everything, only 10% of the time is he getting his hands on the devices and getting dirty. The other 90% is spent looking at the software. And a lot of times the hardware is interfacing with APIs with the company. And those APIs are oftentimes not really secured because, you know, it's not really the, the web app. It's, like, you know, a different set of APIs. So there's a rich area of opportunity and vulnerabilities defined in there. Here's what I would say to you.
If you work for a business that is a SaaS app, SASE, and you're using APIs in any capacity, you're developing APIs in any capacity. And by the way, APIs are application programming interfaces. They're basically extendable functionality that allows anyone to query in and call that function in a controlled way back into your backend database. So think of it as like exposed functionality. Okay? If you are making a solution like this, one of the best things that you could possibly do, and I know it's going to cost money, but one of the best things you can do is pen test those. Hire a pen tester to do those API calls. I see people talking about the Canvas breach. We could talk about that before the show ends. We actually covered the Canvas breach a few days ago when it first broke. I know that the list of victims came out, but we did talk about that because it happened over the weekend, last weekend. And I teach at The Citadel and we use Canvas, so we did cover it on Monday's show. All right, so TLDR, if you're doing APIs, get them pen tested. Thank you.
C
Huge thanks to our sponsor, Vanta. Risk and regulation are ramping up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your details moving. Learn more at vanta.com CISO. That is V-A-N-T-A dot com CISO.
A
Guys. Hey, shout out to all of you. Thank you very much for being here. I hope everybody's enjoying it. We got some lower numbers today. 330 in chat. For those who are here and made the time, thank you for being here. If you're catching on replay or you're over on LinkedIn, thanks for checking it out. Come on over to YouTube. The chat is lovely and the water is warm. If you're listening on audio, Spotify, Apple Podcasts, thanks for checking it out. I hope you are getting value. Thank you to the stream sponsors, ThreatLocker, Flare and Antisyphon. Definitely appreciate them. Can't do it without them. Every single day of the week has a special segment. Friday is James McQuiggan at 35,000 ft. Jokes of the week, dad jokes. Mother's Day weekend right here. I don't read these in advance. Okay. James says it's Mother's Day this weekend. A very special, happy Mother's Day out there. And here are some special mom, dad jokes. Mom, dad jokes. Lol. All right. Hey, what do you call a small mother? What do you call a small mother? James wants to know on Mother's Day. My wife is on the shorter side. Do you know what we call a small mom here in the low country? A minimum. A minimum. What did the mommy spider say to the baby spider? You might not know this. Arachnids have their own naming convention. So what did the mommy spider say to the baby spider? You spend too much time on the web, you're gonna get brain rot. Too much time on the web. Oh my God. Why is a computer so smart? Guys, do you know why computers are so smart? We're talking about AI taking over. Do you know why AI and computers are so smart? It's obvious. They listen to their motherboard. Oh, okay. I do like the minimum joke. Shout out to all the moms in chat. I know there's a lot of mothers, grandmothers, you know, sometimes there's some moms who aren't biological moms, but they fill that maternal role. You get shout outs on Mother's Day too. 
Everyone out there, hey, even shout out to the dads that are filling double roles as a mom and dad because it's a single parent family kind of thing. Happy Mother's Day to everybody. I gotta tell you, moms are the best. For those who don't know, this isn't supposed to be a wet blanket kind of situation, but just my own personal situation. If you did not know. I guess the easiest way to put this without making it sound depressing is I had more of a mom network growing up than a single mom. So I had an Aunt Dorothea and Aunt Donna and Aunt Kathy and Aunt Susan that kind of fleshed out my mom role. So I was very fortunate. I had like five moms, kind of. So very, very cool. All right, guys, let's get our la la's on to all the moms out there. Just the moms. Just the moms. La la la la. Let's go. Will you come? All right, all right. And just really quick, I feel like I have to do this because I don't want to besmirch my mom. It's not. My mom had an accident when I was 8 that, you know, basically ended her life. So it's not like my mom just went off the rails and, you know, started traveling with Phish or something and just like deuces to family responsibility. Okay, so my mom was a great mom while she was around. Okay, so that's why I had a network of moms. All right, let's go and finish strong, shall we?
C
PyPI packages deliver Xi Chatbot malware via APIs on Windows and Linux. Cybersecurity researchers at Kaspersky have discovered three packages on the Python Package Index, its PyPI repository, that are designed to stealthily deliver a previously unknown malware family called Zai Chatbot, i.e. Xi Chatbot, on Windows and Linux systems. Quote, unlike traditional malware, Zai Chatbot does not communicate with a dedicated command and control server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure. End quote. The researchers also said that the dropper shares a 64% similarity to another dropper used by a Vietnam aligned hacking group named OceanLotus.
A
Okay, so a couple things here. Obviously not obvious. Okay, so I, you know, I always say like obviously and then it's like immediately I say, well, it's not obvious. PyPI has been getting hit hard the last year or so with malicious software resulting in supply chain attacks. Okay, so be aware of that. If you're using PyPI at this point, you should absolutely have been talking to people who are developers in your environment and they should know about PyPI and be wary of it. Now this particular package is interesting because of what it does. Modern malware has C2 or command and control. It's the way that the threat actor interfaces with compromised assets. Okay? Now normally C2 can happen a bunch of different ways, okay, a C2 server, which is a really traditional way, but anything that can go out can happen, okay? So C2 can be done over Telegram, C2 can be done over Twitter. C2 can happen any way, okay. This one is using, we've even, by the way, we've even seen C2 using blockchain. So get the crypto people out of the woodwork. This one's using a series of REST APIs from a public team chat app called Zulip. All right, like unusual but not innovative or groundbreaking, okay, because public team chat, you know, like I said, you can use Telegram, you can use Twitter or X. All right, carefully planned and executed supply chain attack. Of course, this is the indicator that it's nation state, in my opinion, not a financially motivated cyber threat actor. The packages have been taken down. So this is more of a post motor modem, post mortem, by the way, that was me trying to do modem sound effects. All right, the malicious code extracts a DLL dropper and writes it to disk. Let's see, it uses autorun for persistence and then it deletes and then it cleans up behind itself. So even if you tried to go threat hunting and look for this deliverable, look for this binary on your workstation, it wouldn't exist because it cleans itself up and deletes it. All right? 
They think it's Vietnamese because it's got a 64% similar code base. Sure, sure, sure. And now they go into the history of this particular threat actor, which doesn't do anything for us today. All right? So there's no indication on how this happens. Listen, the thing is with supply chain attacks, okay, it's a little bit of spray and pray, right? You don't know who's going to download the packages. Now of course, if you're targeting crypto software, there's a good chance it's people doing crypto. So you can kind of increase your chances and likelihood of getting someone, but you can't guarantee someone's going to use your software necessarily that gets compromised. So OceanLotus, it's their thing, whatever they're doing. All I would say is you gotta be careful of open source software. And hey, here is something important. I took this from my conversation with Matt Brown yesterday. Two things. One, when you talk to your developers, sure, if they're going to be doing something new and they look at a PyPI repo before they implement it, good to go. But keep in mind, a threat actor can update software with malicious code. It could be super clean, super good, super useful, super not malicious for months. And then the threat actor adds malicious functionality and when you do update, it pulls down that additional functionality. So don't think that just because you reviewed the code before you implemented it initially means that it's good to go forever. It can be compromised later on, so keep that in mind.
C
Edge loads stored passwords in clear text, says researcher. According to Norwegian security researcher Tom Joran Sonstebejsetter Running, Microsoft's Edge Internet browser will, quote, load saved passwords into memory in plain text even when they are not being used. This is due to the fact that when a user saves passwords in Microsoft Edge, the browser decrypts each credential at startup, storing them in process memory even when users visit sites that do not require those credentials. Yet the browser will prompt users to re authenticate before showing the same passwords in the Password Manager UI, even though the process already stores them in clear text. Running pointed out in a blog post that if an attacker gains administrative access on a terminal server, they can access the memory of all logged on user processes. When Running reported this behavior to Microsoft, he was told this behavior was by design.
A
Okay, so this is a feature, not a bug. All right, guys, the only thing I use Microsoft Edge for is to download Google Chrome, period. Full stop. I do not recommend. And we've got Jessica Hyde, who's going to be joining us on Cyber Career Hotline, who's a digital forensics expert who can give additional insights and probably validate what I'm about to say. Never. As a policy, never save your passwords in the browser. I know that it's come a long way and it's a little bit more secure, but like, use a password vault, use a solution that's dedicated for it. I think that saving your passwords in the browser just introduces risk. Now again, we're going to ask Jessica about that, but this right here is proof positive that it's gross, dude, you shouldn't be saving sensitive secrets in clear text. And Microsoft Edge is like, basically, hold my beer, I've got this. Without any insight to the user. It's not like, hey, you know, you don't get a pop up that's like, hey, Microsoft Edge would like to really insecurely store your sensitive information. Are you cool with that? Yes or no, on the pop up. It's almost like if there was a pop up, it would say like okay or yes. Like those are your two choices, like WTF? So shout out to this researcher, by the way. Not only shout out to the researcher, but his name is awesome. Tom Joran, Sonstein, Ben Set or Ronin. This is like a triple word score on my Scrabble board, if you're interested. This is probably repeatable, so if you wanted to get into a little bit of research, do a blog post on it, make a little video showing the decryption or the grabbing of the clear text password. Good to go. Microsoft says this is a feature, not a bug, which basically translates to we're not going to fix it. Just add that into your mental model too, if you're newer to industry or whatever. When it says it's a feature, not a bug, that means things will remain the same until further notice. All right. 
Obviously passwords getting popped are not good. This is why defense in depth is critical. What kind of defense in depth would we do here? All the GRC Mafia people unite. We're holding hands across America. GRC people, don't reuse passwords, number one. So if they do get your Microsoft Edge clear text password dump, those passwords only work for your, you know, Simply Cyber Academy login and your Hexordia Academy login and your Google Mail, which wouldn't be great. But single serving passwords means that the exposure isn't as high. Multi factor authentication. Oh, I do declare the vapors, my man is talking about multi factor authentication. Yes, if they get your password, they still can't log in without an additional factor. So you get some awareness that hey, you've just logged in, but you haven't been able to verify through the second factor, which is an indicator that you've got your creds compromised. Defense in depth, guys. Period. Full stop. Let's go computer. Come on.
C
New PCP Jack worm steals credentials, cleans Team PCP infections. A new malware framework called PCP Jack is stealing credentials from exposed cloud infrastructure while actively removing Team PCP's access to the systems. It targets services such as Docker, Kubernetes, Redis, MongoDB, Ray ML and vulnerable web applications by moving laterally on the network. According to SentinelLabs, PCP Jack is designed for large scale credential theft in order to leverage financial fraud, spam operations, credential resale or extortion. SentinelLabs also believes that PCP Jack may have been developed by a former Team PCP affiliate or member who started their own operation.
A
Oh, all right. Hey man. AI is allowing one person businesses to go wide. A very enterprising Team PCP threat actor starts his own and calls it PCP Jack. Very cool. Just really quickly, when I was workshopping names for the nerd show that I'm working on, we have to come up with a new name because Nerd Apocalypse and Nerdy by Nature are gonna get me sued, according to my lawyer. I did want to call it like, you know, the movie Freejack. I think it was called Freejack with Emilio Estevez or something like that. Anyways, a very throwback to the 90s. PCP Jack is stealing creds from exposed cloud infrastructure. Guys, if you are running cloud, you absolutely should be testing it. It's Internet facing a lot of times. Docker, Kubernetes, you know, MongoDB, which I haven't heard Mongo in a minute. For a minute. When Mongo first came out, it was getting exploited all over the place. Let's see here. All right, what are we doing here? It doesn't matter that PCP Jack is developed by a person who looks like they were affiliated with Team PCP. That doesn't matter for you as a practitioner to defend your own organization, you're like, whatever, what do we do about this? All right, it infects it with a shell script called Bootstrap. But how does infection happen? That's the question. What's the exploit? Right? This is what happens once it gets in. But again, if you can break the chain at the beginning, that's better. All right, I'm not quite sure, mods, if you can see it in here, how initial infection happens, but one quick thing to note that's really interesting is when PCP Jack initially gets in, it looks to see if Team PCP has already exploited this device and then deletes the Team PCP tooling. This is, you know, threat actors fighting each other. Basically, PCP Jack is trying to, you know, rob a corner store. And if the corner store is already under protection by Team PCP, PCP Jack kicks them out first. 
This is crazy. You don't see this very often, but it is not unheard of.
C
World Password Day passes into potential obscurity. Yesterday was World Password Day. An article from Security magazine argues that it might be the last, and that recognizing the day might actually signal the beginning of the end for traditional passwords. Cybersecurity leaders interviewed in the piece echo a common refrain that passwords remain one of the weakest points in digital security because people often reuse them, share them, or fall victim to increasingly sophisticated AI driven phishing attacks. Experts from companies such as Orca Security, Appfire, Imprivata, and Ping Identity used the day to confirm that the future lies in passwordless authentication using biometrics, passkeys, trusted devices, and cryptographic identity systems. Remember?
A
All right, hey, listen, for the sake of time, I'm just gonna speed run this story. World Password Day was yesterday. Nobody cared. Guess what? This is great. You might look at this as like, oh, no, don't cry for me, Argentina. But in reality, this is a signal that we are getting away from passwords. If you haven't been paying attention or you didn't, like, take inventory of this, Microsoft has been on an absolute heater for the last 10 years trying to get rid of passwords, Windows Hello, all the different formats to verify. Thumbs for biometric, face for biometric, freaking, oh my God, passkeys, right? Me and Ryan did a video on passkeys. Passwords suck. People reuse passwords, they're difficult to remember. People write them on sticky notes. People share them. People give crappy passwords, they're easy to guess. They get involved in data dumps. We are trying to get away from passwords. Also, by the way, I want to point out, I'd rather passwords die than we change the nomenclature to be called passphrases. But I have been long on the side of the fence that we need to start normalizing passphrases because passphrases are easy to remember, they're wicked long and they're not going to be reused typically, although it is not uncommon to reuse them. But passwords are dying. Sweet. Like, I'll be the first one to grab a shovel and start throwing dirt on the coffin of passwords in the graveyard. Not to get wicked dark or anything, but like, yeah, kill all the passwords. Listen, you know those little burrs, like if you went walking through a field, it happens more in New England than anywhere else. But, you know those burr things that stick to your clothes or whatever. Passwords have been like a burr underneath the saddle of cyber security professionals for years. 
Yeah, we want you to use a password because it helps protect access to, you know, resources that you have to be authorized and authenticated into to access. But for the most part, especially today, like today, 2026, threat actors aren't hacking in. They're logging in because passwords are easy to get a hold of. Compromise. Reset all the things passwords. Like I said, man, I'll be the first one to grab a shovel and throw dirt on the coffin. All right, guys, hold on. We got pivot. Hold on. Here we go. Computer, play music. Man, why are you always doing this to me when I'm live? All right, all right. You'll have to excuse me while I talk to my computer. I'm gonna have to give this computer a name. It's taken on a persona. All right, guys. Hey. It's been the Daily Cyber Threat Brief podcast. This was the May 8th episode. Episode 1128. We absolutely slayed it. Thank you for being here. I hope everyone has a wonderful Friday. But wait, there's more. Stay tuned. We're going to be doing Cyber Career Hotline. On Fridays we do a panel, which is even cooler. We're going to be bringing on Robert Wetstein, executive CISO, tinkerer, all around great guy, cyber security guy. And special guest Jessica Hyde, digital forensics expert and an absolute delight. She was my guest on Firesides two weeks ago. We teased it out. No, no. She was my guest on Simply Cyber Skill Streams on Tuesday. That's right. Anyways, we've got a banger of a show ready for you, so don't go anywhere. We're going to be coming in hot. Let's go. I'm Dr. Gerald Osher. This is the Cyber Career Hotline. If you're building a career in cyber security, this show is for you. Let's get into it. All right, everybody. Welcome to Cyber Career Hotline. Hold on one second. I can't believe I came out naked. All right, everybody, what's up? Welcome to Cyber Career Hotline. I'm your host, Jerry Guy. Coming hot off the heels of the Daily Cyber Threat Brief, hosted by that nerd, Dr. Gerald Ozer. Oh, my God. 
Can you calm down about World Password Day, you nerd? All right, for real, though, I've got a banger of a panel lined up for you. Let's get them in here so we can get those questions. If you have questions, put them in chat with a queue so we know that they are for the panelists. First, we're gonna bring on a regular panelist, Robert Wetstein. Hey, Robert. How you doing, bud? Hey, Jerry.
D
I'm good. How about yourself, brother?
A
Doing great. And then I'm a big fan of her work. You guys know her? She's amazing. And she's a friend of mine. Jessica. Hi, Jessica. Come on in here. Get on the stage. Hey, how are you?
B
Great, great.
A
Jessica, some of us know you, but not all of us in chat. So can you just give us 30 seconds on, like, what your area of expertise is so the questions can be focused for you?
B
Yeah. Rock on. I specialize in digital forensics. I spend most of my time in mobile and IoT, both acquisition and analysis, expert witness testimony, all that good fun stuff.
A
There you go. So she is the digital forensics expert and a U.S. Marine. Yeah. How do you identify? Because if you say former Marine.
B
No, no, no, no, no. Marine Corps veteran. Marine Corps veteran.
A
Okay. A Marine Corps veteran. Okay. So I do love it. Happy, happy Mother's Day, Jessica. I know you are a mom. Also true.
B
Many hats, right? We all wear many hats.
A
Yeah. So, Jessica, let me kind of kick off the questions. I teased this. I know you were in the back room while I was doing it. Microsoft Edge is keeping passwords in clear text in 2026. How easy is it to rip passwords out of browser password managers?
B
I mean, when I'm doing a forensics exam, I love when people use it because it gives me all the other access. Right. And password reuse winds up being a major thing too. Right. So a lot of times something that I'll do is I'll go into a computer that maybe is easier to get into, rip passwords, and then create a dictionary to attack a phone to get into a locked phone. So, you know, I love it when people do it because it makes my job easier. But, yeah, you're making yourself less secure.
A
All right, there you go. So thank you for validating something that I've been preaching forever. 100%, and all the browsers.
B
At the end of the day, if I've already acquired your computer, and a lot of times people are using their same browsers and their same logins on their work system. So their work systems we might be getting via the employer. We can pull all those in clear text once we have that. And then now I've got a dictionary attack for all your private stuff. And especially if you're just using a mutation of the same password. Right. That's super easy. You know, even open source. Use Jack the Ripper or something.
A
There you go, 100%. And it's so funny. I always like to tell my students sitting at home, like, you think you're clever, but your password, it probably starts with a capital letter, six letters, two numbers and an exclamation point. And they'll be like, like I just did a magic trick or something.
B
Yeah, we know. You ended it in 1, 1, exclamation point, exclamation point. Because you needed two numbers and two. And like you were saying before, right, like, so we used to do something you know and something you have, and nowadays we've moved to something you have and something you are. And that is so much better. I'm a big proponent of biometrics. I'm a big proponent of, yeah, we could go on and on and on about how people could be more secure with that. But I'm actually with you. Password is something that's very 1995. Why are we still doing that?
A
Yeah, 100%. Question coming in from Chad Hall. If you have questions, put them in chat and I will grab them for the panelists. I'm happy to answer them if you ask me directly, but I do want to feature Robert and Jessica. So Chad Hall says, do you ever get into CMMC? I'm in the space as a SOC analyst and it's growing like crazy. So for those who don't know CMMC, I forget what it stands for. It's an acronym that's used in multiple ways. But what Chad is specifically speaking about is in the United States, the defense industrial base is now being required to comply with CMMC, which is a minimum set of security controls before you can bid on government Department of Defense contracts. And it's basically a way to ensure that people doing business with the DoD have minimum security. Because it's way easier to attack Carl's consulting firm than it is to attack the NSA.
B
Can I give some feedback on that as a government contractor who has to deal with this? Perfect. If you don't mind. So one of the issues is narrative non gown. So CMMC level one and CMMC level two, you can self certify by doing a self audit. CMMC level two, there's a second version called 3PAO, and that is being required by certain Department of Defense, Department of War, whatever terms you're using, by a certain date in this year. And the problem is there are not enough companies that can actually do the certifications for the number of businesses that need it. So if you want to talk about why this is growing like crazy, there just literally aren't enough bodies that can perform the C3PAO certifications. And so there was this thought initially, well, then you could sub under a prime who, you could be level 2 self audited and then the prime could be C3PAO. So let the bigs pay all the money and get it. And the estimates I'm seeing are about 50k even for a company my size to do a C3PAO audit and you can't get on the calendar quick enough to get it done in time. So it's a big mess.
A
Yes, it's a super big mess. And it's a lot of pay to play. Yes, unfortunately. Which was part of the problem. This is CMMC 2.0. There was a 1.0.
B
Yes, there was a 1.0.
A
It was rife with alleged corruption. So 2.0 was supposed to be the way to fix it, but it's still the same problem. So I've been telling people, Jessica, this is you again. I love being fact checked because, you know, I want to make sure I'm saying real information for GRC people. I said there's a huge area for CMMC because you can't do the audit. But there's a thing called readiness assessment where you get hired to come in and help people get up to, get
B
up to speed for it. 100%. Huge field. Right now I know so many other contracting businesses because when you're a small contracting company, you work with other smalls and you team together to actually make a proposal. And this is all we're talking about, is looking at this contract and what's the requirement date to be C3PAO compliant on that proposal. So yeah, huge opportunity for people to get into that work from a GRC perspective.
A
I love it. Legrat providing some information. By the way. It's an acronym.
B
Yep. November 10th, which by the way is the Marine Corps birthday. Rah. Which is actually why I knew the date, but I didn't want to be that nerdy. So thank you for throwing that in.
A
That is why you know that because
B
it's your birthday, I'd have to dox you, but I remember that I put
A
it on stage because I knew it was going to trigger you. All right, so we got. All right, so next question is coming in from Nick Dixon. Are there any recommended e books or courses to get digital forensic skills to possibly get an entry level job in the field? What does a typical day look like for you, Jessica?
B
All right, so the number one thing I'm going to say to you is this website called DFIR Diva. D-F-I-R-D-I-V-A. That's Elan Wright's site. Best site because it has all the low and free cost training that there is. Free and low cost. I said that backwards. Silly me. Okay, then I'm going to tell you about something that I've been building, which is we have a free virtual machine with all free and open source digital forensics tools. It's called devenovm. It's on my site. You can download that. Then the next thing you're going to do is you're going to go grab images, digital forensic images, from CFReDS, the Computer Forensics Reference Data Sets. So basically learn, get familiar with tools, play with data. Now that's like to learn. If you want to get a job, you're going to need to have what I love to call a demonstrative. That means you've got to demonstrate these skills. Luckily for you it's pretty easy because there's so much research that needs to be done. There are so many unsupported apps. I spend my time playing in mobile. I have a free little course on how to do mobile testing. Take that, then go create test data, then do research on an application that isn't supported. There's like 6 million apps out there between Android and iOS, maybe a thousand are commercially supported. Go research it, blog about it, write a script. There are some open source frameworks like iLEAPP and ALEAPP, you could write a Python script to go into there and then now you've got a script, you've got research. Now people know you know how to deal with the unknowns. I can automate parsing things we know. What I need to have people do is to deal with the unknowns. So that shows me. How typical a day I am. Either imaging devices, hacking into devices, getting data off of devices, analyzing the data from the devices, writing reports or explaining that stuff to attorneys or juries or judges. Right. 
It's one of those five things or teaching, because I do teach, but you know, those are the things I do every day. Where I am in that cycle and how many cases I'm simultaneously in that cycle on varies, you know, right after this I actually have a call with a client because we're assessing the case. Right. So I do intake calls too. Right. Just. Yeah.
A
It's not just digging in with IDA. I mean, not IDA, FTK or Autopsy. There's a lot more to it.
B
There's way more to it, and digging into a lot of data structures. Right. So at the end of the day it's not just finding things in the file system, that's pretty basic, and looking at MAC times, it's more of digging into nested data structures. So what's in a SQLite database? And then in the blob there's a property list and you un-NSKeyedArchive it and then you find the right key and then that key has another binary plist and then you go into that key and then where you find the data is actually in a protobuf, and so now you've got to write a script to go ahead and do that for all of the instances of the records. You need to reconfigure that data and understand it. But then you have to do the most important part, which is test, and prove you understand what made that trace to begin with. Because when we're doing forensics, none of that stuff was intentionally left for us. I hope that answers.
A
There you go. So basically you can't just ask Claude to. You can't just take the transcript of what Jessica just said and put it in Claude and then go to the beach. Yeah, you do have to do some validation and do that. I am. Robert just DM'd me and said he's really enjoying listening to Jessica talk. I also am enjoying.
B
I want to hear what Robert has to say.
D
I mean I can talk forensics too. I did that during my incident response investigations. I will say one part that I want to kind of discuss that wasn't really talked about was how many companies actually can afford a full time DFIR person. Like it's not that many companies that have opportunities, and getting a job is, like you said, showing that you're an expert, putting out content, becoming the thought leader in that, where people are like, hey, did you see this research paper? Hey, did you? That's where opportunities come from. And normally it'll be from a DFIR firm. It's not going to be like a company, because I don't see too many companies who can afford a digital forensics person full time.
B
The Fortune 50 have internal DFIR. Beyond the Fortune 50, for the people who have those jobs, that's seen as like the secondary job. It's actually not a good job to have out the gate because you don't learn much. You only have your environment. If you can go and work for a firm, like I worked for EY earlier in my career, that's great, because you're on a different customer site every single week. Right. You're handling somebody else's environment, somebody else's attacks, somebody else's problem, somebody else's insider threat or insider trading. Because you can do all of these types of investigations. So you know, going to a provider, you know, Mandiant, CrowdStrike, you know, all of these firms, Palo Alto, Unit 42. Right. All of these firms are who's providing it. And then there's mid-level smaller firms, more boutique firms, and you have the Aeon Strausses. And so there's a lot of firms who are doing this work and that's where you're actually going to learn the most. So that's probably the best place in the beginning. I will say there is some burnout that happens because it's everybody. When you work in forensics, you only deal with people on their worst day. I don't care if you're in criminal defense, prosecution or if you're in corporate. No matter what you're doing, you're dealing with somebody on their worst day. Their company just got hacked or someone just stole millions of dollars from them. Someone's potentially going to jail for the rest of their life. Someone lost a loved one, someone's been abused or harmed. Like you're only dealing with people on their worst day. So the customer face and the professionalism you have to have in the times of dark and dank things, and the respect you have to have that your client is going through something horrific, is really paramount to being able to do that work too. So there's like a bizarre level of empathy and professionalism you need to portray.
D
And just a great example is I was hired to go through the laptop of somebody who had taken their own life to do digital forensics, because the family wanted to understand. That is a hard job.
B
I have a hot take on this.
D
Yeah, please.
B
I have a hot take. And I've actually been contemplating, should I write about this or not? Something I get frequently asked to do is to access people's devices who have passed away to get their pictures. And you know, I think this goes to privacy. And maybe this is where my role, especially because of the work I do, means that maybe I'm actually most privacy conscious. I believe in the rights of privacy of the deceased, and a lot of firms don't. They will go ahead and unlock those phones and provide those pictures and photographs. But I don't. Look, I look at devices for a living. I know how personal those devices are. I know that sometimes I know the owner better than they do, better than their spouse does, better than anyone, better than their parents, their children. And I know that that stuff is highly personal, and that's a really large part of my ethics: not going beyond the scope of my examination requirements, as well as not sharing or disclosing that information. And I really think that there is such a thing as a legacy contact. If you have somebody who you want to have access to your device data afterwards, set them up as a legacy contact. But otherwise, personally, from an ethics perspective, I personally believe in the rights of privacy of the deceased.
D
Yep. I told them very specifically, I will provide you passwords to gain access to bank accounts and other critical things that you need to survive. I will not provide you history logging or any of the notes or anything on there.
B
Right. There's no reason that they need their browser history and photos is a big one. Right. You don't know what that relationship was. And people's pictures are extraordinarily private.
A
I've got a poll running right now in the chat on whether or not you would hack a phone of a deceased person to get the pics for the family, yes or no. So we'll get.
B
Oh, I'm really curious. Thank you.
A
Real time polling. We've got about two hundred and fifty people here with us right now, so we should get a pretty good, you know, like kind of vibe on what the deal is. All right, we got some questions coming in. Lazaro. Wait, hold on, Robert. J.T. Gorman's got two years of help desk, Sec+, can they land a SOC analyst interview? And for bonus, what are your thoughts on the AWS Solutions Architect cert? And you can give your opinion on that, but also frame it within the context of helping him or her land a SOC analyst role.
D
Yeah, yeah. So the biggest thing for entry level roles or even SOC roles is that there are thousands of people going for it. So build some relationships, connect with some people, really put yourself out there, and exactly what Jessica was talking about. Start putting stuff out there in content and kind of becoming that thought expert. The two years of help desk is invaluable, and I want everyone to understand that, because you learn soft skills, you learn empathy, you learn understanding, you learn patience. Those skills later in life, if you're doing digital forensics, if you're doing incident response like I've done for many years, are critical to your success, because a lot of your job is kind of taking a step down and kind of calming down for a moment. So as far as the AWS Solutions Architect cert, I think it's a great cert. There's a lot of knowledge you'll learn, a lot of great things that you'll learn. I always say make the company pay for your cert and just try to find an opportunity by building relationships. Don't get a cert unless you're really passionate about it. What are your thoughts?
B
I have a question for you, Robert. I have something else I want to know, and it was because of the way you framed it, because do you consider a SOC analyst role an entry level position?
D
Absolutely not.
B
So this is really fascinating, because people ask me if digital forensics is an entry level position, and I always say, no, start in the SOC, which is funny because now I feel like I have to tell them to go back two steps.
D
Yeah. So it's not. The help desk is a great entry level role, but if you're looking for an entry level role in security, there is no entry level role in security, but SOC. It's as close as we get.
B
It's as close as we get. Right.
D
Because is it actually entry level? Not at all. You need a ton of knowledge, a ton of understanding of network topology. You need to know how network traverses. You need to know what a good packet looks like, what data looks like. Those are things you're not going to just learn off the top of your head, unfortunately.
B
Not to make people feel bad, but, you know, then it becomes the whole question: is cybersecurity even entry level? And then, to be honest, addressing the other challenge, then you add in the layer of AI being able to do some of the basic things, and we're making it harder. We're not saying there's no hope. We're telling you the things you could do to break in. But it is. Sometimes I think people overthink that this is, like, yeah, entry level.
D
Your relationships will get you a job; your resume, your certs will not. This market is no longer about how smart you are. It's about who you know and what opportunities. Because there are so many people unemployed. There are people with my level of skill and 20 years of experience who would be happy to take that SOC job because they literally have no money coming in.
A
100. So let's do that. And Lazaro Rivera, I see your question. We will get to it, everybody. We'll get to your questions. But this question is like a natural segue. Ick. Echo Wick. I like that name. Icklewick says they're slowly putting out content, building a personal brand, getting your name out there more than just posting tutorials or TryHackMe rooms. Jessica, we talked about this on Tuesday for a hot minute. I'm a huge advocate right now. Like, I've been preaching about the value of personal branding and the necessity of it. It's difficult for some people because they think they have to, like, boil the ocean in order to achieve it. Can you talk about building a personal brand and, you know, how people can kind of do the thing that Robert just said, like stand out in a sea of sameness?
B
So first off, you're spot on, Icklewick, and I hope I pronounce that the way you like it, in the fact that building a personal brand is more important than just feeding content out. And the way that you build a brand is you stay consistent in one area. You become the niche, go-to person for that thing. So you pick a thing and you go deep in that thing. You can be wide generally. And actually I've had some people get upset with me for this because they think it narrows their job opportunities. Pick something where you're seeing openings. It doesn't narrow, because all you're demonstrating is that you can get deep in something. When someone interviews you, they don't necessarily expect you to know the niche thing they're hiring for. They expect you to be able to learn and do things on your own. And again, everything we're doing, hopefully, in cybersecurity isn't rote. It's something that hasn't been done before. Right? We're constantly seeing new attack vectors, new defense mechanisms, new technologies, and that's what we have to deal with. So what I'm looking for when I hire, for example, is somebody who has that ability to dig deep and understand something. And you demonstrate that by doing a passion area and picking one area and talking about that and branding it. Consistency is what pays. If you are a coder, write scripts, share them. Get your tool out there. If you are a writer, write. If you are a teacher, teach. Do it in the way that you can share best, too. So you have to know a little bit about yourself. Am I somebody who does well on video? Am I somebody who does well in writing? Am I somebody who can do a good voiceover? Am I somebody who does good video editing? Know yourself and your ability to portray content. Pick that one niche and go. Don't try to do it all. Like, if you try to do every single mode, you're not going to be consistent. You're going to burn out. It'll be too much. Pick one lane of technical topic and one lane of delivery.
A
Robert, Lazaro Rivera's got a question here. Lazaro, just so you guys know, in case you didn't, has been a long time Simply Cyber community member, came in wanting to break into cyber, broke in as a SOC analyst, and we've been kind of monitoring his career over the last couple years. He's one of my favorite, like, case studies. So, Lazaro, thanks for sharing this question. He's looking to take the next step. There's an empty spot for threat hunting on his team and he wants it. How does he differentiate himself? Give him the secret sauce, Robert.
D
Yeah, threat hunting is all about finding needles in a haystack and kind of never, like, just being able to identify anomalies. But when you're looking to get on a threat hunting team, it's all about, like, do they want to hang with you? Your technical knowledge is important, but threat hunters, red teamers, we're very specific about who we want on our teams because we're going to be in the trenches with you. Same with incident responders. Like, we're going to spend hours in the trenches with you. We want to make sure that we can kind of hang. So really, I would go, if you don't know the threat hunt team, go introduce yourself, talk about your passion for cyber, your passion for technology, and share that exact excitement that you were talking about. Hey, I saw this opportunity. I love threat hunting. I love this. You know what, what are some things that I could do to better prepare myself for this opportunity? I will tell you right now, they'll love that and they'll give you a ton of stuff, and if you do what they tell you, because that is the biggest thing. And Jessica, I guarantee, can tell you the exact same thing. We give advice all day and maybe less than 10% of people, maybe 5%, actually take advice, demonstrably change and actually make an effort. And when they do, we will do everything to make them successful. Yes, we will burn mountains to get you an interview because you actually took advice and listened. I joked with one of my mentees, he's starting to mentor people and he's like, how do you deal with this? I've talked to 20 people and nobody's doing anything. I told them, they're not engaging, they're not putting stuff out there. And I said, because the 1% that you reach is what you do it for. That's what it's all about. Like, you get that one person and you're like, yes, go ahead.
B
Yeah, no, I think you're spot on. So I have a lot of mentees too. But I will tell you, we come up with, in our mentorship sessions, right, like specific actionable things to do, and if people aren't doing them and aren't meeting them, I'm not going to continue to meet with them. Right. Like it's a lot of my time that I give, and so you wind up giving your time to the people who are willing to do those steps. But, you know, I start off with the same things. I've actually been doing my mentorship process over so many years that it's very, very, very specific and very, very routine. And we have a way of doing our check-ins and establishing goals and establishing action items to meet those goals. And if people don't want to do them, right, like if you can't do them because something came up, great, let's postpone our meeting. But if you're not going to do them, it's been great working with you and I wish you the best of luck. But the people who do it, I will go to the ends of the earth. I will make phone calls on their behalf, I'll reach out to directors that I know. I will do what needs to be done to help them. But to be honest, those introductions mean a lot. But you have to do it for yourself too. You know, like if you can get out there and be sharing knowledge, people are going to start to see that. You need to be putting content out, you need to be connecting with people, and you know there's an easy hack to this. You've got three people up here who have tremendous networks on LinkedIn. A, you need to have a good LinkedIn. That's where you get vibe checked; you get vibe checked on your LinkedIn. So you need to be putting content out there, even if it's reposting with context. Do not just hit repost; repost with context. Say why you're sharing what you share, or share things you find, but in your niche area become the go-to person for that. But here's the hack.
You go to our networks, find the people we're connected with, connect with all of us, then look at our connections and connect with those people who do the things you want to do. Don't just do this broadly. All three of us are in different subspecialties. Pick the things and the people who you want to connect with there, and then start building that network that way. And then those people will start to see the things that you share. And you need your stuff not to just be out there. You need it to be seen. And if it's seen, if you connect with me and I see you're sharing things that are digital forensics related and interesting, I'm going to start resharing those. And then other people will as well. And when people see me reshare something, you get this snowball effect, and that's how you get known and that's how you build that brand.
A
So, like, to their point, like, I see a lot of people who listen and then do nothing, right? It takes effort, and execution's hard. But then I see people that get past that step and they'll do something for like two days and then they fall off. You have to make the commitment and be consistent. Even when it sucks, even when you don't want to do it, you've got to do it. Make it habit, make it routine, because it'll get easier and then you'll establish consistency and people will see you, and then it'll be like, oh, okay, like I see Robert, like, I know what this content's going to be about, right? I see Jessica. I know what it's going to be about. Jessica, I've got a really specific technical question for you here. This is coming from Stirs poor. It's coming from a listener. How do you approach forensic analysis on a server or systems that are running PAN-OS, which is the Palo Alto OS, that has very limited documentation? And you can answer specifically to PAN-OS, but I'm sure you deal with a lot of technologies that don't have documentation.
B
So you have two options. Number one is, if it's a system that you can procure, develop your own, you know, build up your own and then test on that. That is the number one choice. But obviously, due to cost and sometimes, like, physical limitations, I'm not going to go get an MRI machine to test on. Right. Sometimes you can't do that. So then what you really need to do is reach out to your network and find out who has done exams on that and really work through that. And you know, I'm on listservs related to my industry, right. I'm on the HTCIA listserv, the IACIS listserv. So when it's something very niche that I can't technically get my hands on, this happens a lot of times with skimmers in my industry, right. Credit card skimmers. If you get one in that hasn't been seen before, then you just ask, has anyone seen this model before, etc. So if it's something where you cannot procure a test device, that's what you do, but a test device and doing your own testing on it is the most important. And as somebody who does a lot of IoT forensics, sometimes it's a very consumer available device, sometimes it's something I can't work on. And like when I worked, I spent a period of my career at the Terrorist Explosive Device Analytical Center, I couldn't just procure an IED, right. So in those times, right, sometimes you actually have to start looking at the functionality and start digging into code. So your mileage is going to vary. But if it's something where you can create a test environment, create a test environment.
A
Robert, Anna Banana wants to know, she wants to go to school. And we've established already in this call that entry level positions, cyber is not entry level in a lot of cases. So she wants to go to school, so where should she go? If she was your daughter, what would you recommend? IT or cyber degree? What do you think?
D
Yeah, I would say generic kind of network IT, that's not going to go away anytime soon. And understanding the core fundamentals will teach you more than a cyber degree. And I know there's a lot of people who are like, that's crap. But I'm telling you right now, I talk to mentees all day who have a master's, bachelor's in cyber and they don't know anything about basic troubleshooting. So learning those basic skills, understanding how network traffic flows, those are going to be critical for everything you do in cyber, whether you're working at a SOC, even if you're doing some deeper stuff where you're looking at logs, you're looking at network traffic, you're looking at web traffic. Understanding how things flow is critical, because if you say, well, it was definitely coming from this device, and they go, well, actually it was redirected through this, actually, that's not the right IP address, then you just got destroyed on the stand, right? So it's very important that you learn the fundamental skills. But go to school for something that you're passionate about, not because you think it's going to land you a job. I just don't see education as the roadblock it once was within technology. The roadblock now is basically, do you know somebody and are you actively social? And I have autism and ADHD. I am an introvert by nature. And you see me up here, you see me on huge stages. It's a practiced skill. But soft skills will get you a job more than a degree will in many cases. I'm a high school graduate as a Fortune 500 executive. I didn't get that job by accident. I got that job because of networking and connections, right? They said, hey, we know this guy knows his stuff, we don't care about the degree.
B
And I'll echo there that I believe as well. Engineering degrees, networking degrees, IT degrees are the good fundamentals, and then layer on top of that later in your career, if you need it for the stepping stone, that master's in something like digital forensics, cybersecurity. You need to understand, you need to know normal, right? And if you don't learn those fundamentals, you won't know normal. To piggyback off of what you were saying, Robert.
D
Yeah, for sure. If you spend your whole career looking at things that are already broken and kind of analyzing systems, you're never going to be able to know what normal is supposed to look like. So you're not going to be able to find anomalies for a hunt job. You're not going to be able to find anomalies for DFIR. A lot of what Jessica does is she sees patterns, she sees things. She knows what normal looks like as if it's a fingerprint, right? She knows exactly what it looks like. And then she will go, that seems off. And then she'll go dig in. You know, that's exactly how all of us who do any forensics, we go, hang on, that doesn't make sense. Let's dig a little deeper.
A
One other element I'd like to add to Anna Banana and anyone who's here, because it's a different dimension to this, but I think it's incredibly valuable. It's one that I did not know when I was going through my bachelor's and I was a knucklehead, and it would have benefited me extremely. Anna, make sure whatever degree you go through, computer science, electrical engineering, whatever it is, it doesn't matter. Make sure that you're actively engaging with your professors and with other students that appear to be taking it seriously. This is an easy on-ramp to a professional network, because guess what, those professors, they probably speak at conferences, they probably get touched by private sector for guidance and stuff. If you're kicking butt and the professor knows, I'm faculty at The Citadel. Like, if a student's kicking butt and I get asked for any interns, they're the ones that I suggest. So take advantage of that. Don't miss that opportunity as a value in addition to the classroom education. Okay.
B
Also a professor. I teach at George Mason University. I've been teaching there for 10 years as an adjunct. And I will 100% tell you, go to office hours. If it is a topic you care about, go to office hours. Because do you know what I usually do? Usually I answer the question about the homework, and then I usually go, are you actually working in the field today? What do you want to do? And those are the students who I know. Those are the students who I remember. And I'm going to tell you, you were spot on about also networking with your classmates who take it seriously. Because people who I did my master's with, for example, we are all now at the top level of our profession, you know, because now we're all 15, 20 years into the career field, and we all know each other. How do you think I'm helping people find roles? Right. How do you think I know the people I know? They are people who I came up with. Also, I'm going to tell you the most important thing. Always, always, always be kind to those behind you. Okay. I cannot tell you how many people who I had as interns 15 years ago are now the lab directors at other labs. And I had great relationships with them when they were learning. And those relationships have served both of us well. Always be kind to the people behind you. You always have something to teach because you're always a day ahead of somebody else, but always do it with kindness.
D
Y.
A
Very great.
B
There's my mom advice right before Mother's Day because.
A
Thank you. Yeah. So, hey, Robert, Mishik 2512 says they just started a new role, security awareness. Now, Jessica, I don't know if you know this, but we have a special sound effect that is only played when someone announces that they got a new job. So solid. Congratulations on the role. It is hard to talk to OT personnel about cyber. Any advice? If you've worked in OT and you've spoken to a field engineer, you know. I've done this.
D
Yeah, yeah. So when I worked at Disney, I went into our OT environment and, man, it was a rough bunch of people. They like the fun stuff. So, like, go in there and talk about why it's important, but also kind of sprinkle in, like, some of the cool things, like, you know, teaching them about security and security basics, and then make it about them. Don't make it about the company. No one cares about your company. Like, please stop making your security awareness about protecting the company. No, make it about the individual. How would you feel if your account was compromised and every single person in your email Rolodex was sent a phishing email? How would that work for your career? How would that impact future promotions? How would that impact? There's a lot of downstream effect to that, which, when I started teaching personal brand damage to executives at Disney, we got a lot more buy-in, because it made a lot more sense, because then they truly cared about it. So make it about them, and then also talk about some of the fun stuff and some of the fun breaches and kind of talk about security. And then I'll give you another tip. In bathrooms, I want you to put those same things right on the back of a bathroom stall. I want you to put them above a urinal, because they're gonna read it. There's nothing else that's going on. So do that and you'll get a lot more people who are engaged with your security program, your security awareness, and start putting out content too that's small, like one to two minute shorts and things like that. A lot of people have short attention spans, and your engineers and OT people are very like, I want to get it done now, I want to learn now. Like I don't really want to do this. You're forcing me to be here.
So make it fun for them and make it interesting, make it a game, you know, really engage them at their level and then talk about what could happen, how it could impact things. Like I talked about, hey, you know, these huge chillers that we have here, like there's a serious concern if you do X. Here's an example of that, you know, and showing those things is really key.
A
Jessica, Haircut Fish, who's a mod and a long time community member and just a really great guy, he's a SOC analyst as well. He says, has any of the panel, or you know, and Robert, if you have a comment on this, but it is forensics, so I want to give it to Jessica. Have you ever used a BadBox device and done any forensics testing on them? These are Android based streaming devices that stream free premium media. We've seen quite a few of these, you know what I mean? So have you done any work on any of these?
B
I haven't looked at any of them. I look at lots of devices that are Linux based, that are Android based, that are secondary. It sounds like Robert has. But I'll say the key thing is, anything that gives you anything for free, you pay the price with your privacy. But I'll kick to you.
D
Yeah, so the BadBox specifically I have not played with, but Android streaming devices, I definitely have. I did mobile security for many years. The biggest thing, like you said, is not only privacy, but I've seen miners that are installed on these devices. So there's like a small crypto miner that's installed. I've seen small C2 networks that I've identified that have been used. So really understand where your data is going. Make sure you lock that thing down. It is not going to the United States. It is going 100% to outside actors. And I've seen it coming consistently.
B
These residential proxies, they're being used as residential proxies. You know, if people are aware, you can actually go and buy, you know, nodes in 195 countries. This is how you get behind firewalls in countries that have very strict firewalls that we won't name. There is this concept of residential proxies, and they're using devices like this to be the anchor points through which you basically are doing different things. It's basically tunneling a VPN into a closed network because somebody's using a service that's free. What it is is those ToS, those terms of service for those devices, specifically state that those nodes can be reused.
D
It's literally in the writing, and it very clearly says that we can utilize this device for traffic or routing traffic. It's like the legalese is really funny, but you are 100% right. They also do this to hide traffic. So I've worked with people who have been investigated by law enforcement agencies because their home, like, IoT device was hacking another device. And they brought me in to prove that. Hey, I don't know anything about computers. Dear God, please help me. Like I didn't do this, but it came directly from their house, from their IP address, and they had law enforcement knocking on their door. So I always say don't buy your IoT devices secondhand. Ever. Buy them brand new.
B
Yes, yes.
D
Yeah, it's so. And then if you're using something and you're getting free service,
B
you're the product, 100%, you or your endpoint, right. Your IP. IP can be your intellectual property, it can be your personal information, or it can literally be your IP address, your Internet. That's right. IP can be a lot of things.
A
And keep in mind, listener, like, chances are it's an illegal thing you're doing. So the chances of you taking any action in response to discovering that you are being victimized is zero. Because what are you going to plead? The fifth? Like, hello, I'd like to report a crime, but just this crime, not my crime. You know what I mean?
D
Well, I've done overseas investigations. As soon as it crosses country lines, it becomes drastically more expensive. And then the cost benefit analysis is done by the business, where I'm like, do you want me to keep tracking this? I'm gonna have to get local law, I'm gonna have to get local forensics, I'm gonna have to get local teams involved. It's going to be another five, ten grand from what I quoted you. And they go, yeah, it's not that important. They're like, well, what would happen if we were able to figure it out? I said, we won't be able to.
B
You know, do you know how many times I advise my clients, when I get reached out to, I just say, I mean, I could do this exam for you for $25,000, or you can just discontinue use and buy a new thousand dollar device. And I literally turn down work because it doesn't make sense to do it.
D
Yeah. All the time.
A
And that's a great, I mean, like, that's doing your client right instead of just maximizing it, which has probably resulted in you getting work, like, yeah, 100. So. Jessica. Well, excuse me, Robert. Well, I'll put this to both of you. Robert, executive at a Fortune 500 company, which probably means there's multiple layers of managers, multiple matrixed people. Raymond wants to know, how does he please multiple managers as an individual contributor? It keeps coming up. Different priorities, different goals, different agendas, upcoming deadlines. How do you wrestle this particular nuance of corporate America or corporate life?
D
The biggest thing is burnout is normally caused by the employee continuing to say yes and never challenging what happens. Like, so I am very much a dopamine seeker. So when you say, Rob, do you want to do this? I go, yeah, yeah. And then I end up having nine or 10 jobs and six or seven bosses. And I have stopped that behavior because it leads to burnout and it leads to a lot of stress. The first thing I do when I'm working with a manager who may be micromanaging, or I'm trying to keep multiple managers happy, is I set clear deliverables for each of them. And then I tell them, hey, I am happy to do X, but it is going to take away from Y. And you need to talk to this person over here to tell them that their project is going to suffer. The biggest thing I want to explain to people: the days of burnout and killing yourself at work, working 70, 80, 90 hours, have to die, because employers are no longer loyal. Job stability is no longer there. Why are you going to kill yourself and take time away from your family to appease a bunch of leaders when you could really just sit down with them and say, here's what I have on my plate. Here's what I'm able to accomplish in 40, 45 hours. Which one is priority? And you guys kind of fight it out. Because there's so many times I see where people will try to please everyone to the detriment of themselves, and they're like, I'm working at 110. No, you're not. You're like 30. You just don't realize how burned out you are. I know you got something, Jessica, what do you got?
B
I do. You know, and maybe I'm going to give a book recommendation here, but not the Four Hour Work Week, but a different Tim Ferriss book that I can't remember the name of was this whole book on basically how to say no. Okay. Because it is very hard. The funnest thing is he gave this interview to every single person who's in the book. And he asked them how to say no, but four people turned him down for the book. And what he did was he printed their four emails that turned him down because all four of those emails did exactly what you needed to do in learning how to turn something down. You thank someone for the opportunity, you say why you think it is a great project. You then, these aren't Tim Ferriss's rules. These are Jessica's rules. But then tell them. Unfortunately, right now I have this, this, and this going on. This is who I would recommend and thank you again for the opportunity. So you always recommend it to someone else and give them a new option. But you have to learn to say no. Tell them why, but not as an excuse. I think it's a great project. This is what's valuable about it. Unfortunately, I'm not available due to Priority X. However, I think this person may be able to assist you with that and I think they're skilled in this for this reason. Then you become a connector. People love connectors. And even within your big organization. I've worked in big organizations, I've worked in the DoD, I've worked in government orgs. Being able to connect people to the person who actually can help them at that time, you'll gain more respect than even if you were to say yes and do the work. Especially if you wind up doing it half-ass because you had too much
D
going on well, and you'll end up. The difference between a top performer and a normal performer is normally 0.5% when it comes to raise time. So like, is it worth killing yourself for that? Like, if you're looking to advance your career and maybe this opportunity has a huge win for you for visibility or growth, that's a different story. Then you prioritize yourself, yourself and other stuff has to fall. But the biggest thing is you can't do everything and you've got to prioritize and make sure that you're doing it for the right reasons. And the right reason is you and your mental health and your mental stability.
A
All right, I have a question for the panel and I see some people kind of talking about this in chat. I saw this on LinkedIn. I think this is a very polarizing conversation. Okay, so here's the question. Traditionally you would give a two-week notice when you're going to quit. This allows you to hand off your work, graceful handoff, prepare the business to be able to get ready for this, maybe even post your position. In 2026, you will get laid off. There's no, there's no like here. You know, you're not guaranteed a two-week paycheck, even if they say you're let go. Right now in 2026, most people's stories are all of a sudden you get a 15-minute meeting with your boss and HR out of nowhere and then your crap is shut off and you're embarrassingly walked out of the building. So the argument is, if that is the case, it is no longer a professional etiquette to give a two-week notice. Now I would argue if you want to do it right as you're preparing to quit, because you know you're going to quit. You know, spend a minute writing down what you're working on and kind of current state and stuff like that. That way if they fire you right then or you're quitting right then, you can at least feel good that you left your teammates, because that's usually who you care about, in a good position. But I'm old school, so like I always gave, I honestly give like four, five, six week notices typically. What do you guys think? Jessica first, what do you think of in 2026? Is it okay to say I quit effective immediately?
B
It depends. Traditional forensic answer. But there's a lot of things that it depends on. Number one, if you work at an organization where you know that the day you give your resignation, you get walked out, there is no reason to do it. And there are plenty of organizations that I know of and you've seen it. If you're in one where when somebody resigns, the automatic policy is to turn them off and walk them out the door. In that case, you know that they're not going to give you that credit. If you work in a role where you are completely aware, you work for a team, and you're completely aware that you are on a current project that no one else can replace you, you care about the project, you care about the team, I think it is appropriate to give notice. If you are not going to give a notice, I think what you said is the most important thing you should. The right thing to do for your team is to create a playbook, just like you would if you were going on vacation for two weeks, for whoever is going to fill your shoes. And I say that's really it. And it does depend on your environment. And you know your environment better than anyone. Talk to your mentor. If you are on this call and you do not have a mentor, get a mentor. I don't care if they're two years ahead of you, 10 years ahead of you, 20 years ahead of you. Go get a mentor. Someone who does not work in your organization. You need an external mentor. You have mentors inside your organization who help you navigate the hierarchy. Especially in big corporate world, you need a mentor external to your organization. And yeah, so it depends, you know that organization, that environment, it's going to vary. And also if it's going to affect your future career. DFIR is niche. Everybody knows everybody. If you screw somebody, good luck finding that next job after the one that you're quitting for.
D
I mean, cyber is the exact same way. I can't tell you how many times, I bet you, Jerry, also like we get messages like, hey, you know this person? Have you heard about this person? It happens all the time. The way people talk about you when you're not in the room is the difference between getting a promotion, getting a job, and then anything else. And that's the reality. Also, if you need a mentor, I mentor for free. Feel free to reach out. I'm happy to help. I'm happy to work with anyone. I will give you time. The more work you put in, the more work I put in. If you put in no work, I give you nothing.
A
So from Zaga, and this is a perfect segue as we kind of round out the show.
D
Yeah.
A
So Robert does mentoring. Where can he. How does he go from Robert does mentoring to now I'm getting mentored by Robert? What's the SOP here?
D
Yeah, easiest way is just connect with me on LinkedIn, send me a message. Don't be offended if I send you a backup video, because I've already answered this question 100 times and that's why I started recording content. But I am happy to help you through your journey. I work with many people. I talk to them literally every day. I spend time with my mentees. You have direct access to somebody with 20 years of knowledge working at Fortune 500 and Fortune 100 who is willing to work with you and help you in your career. And I've offered this on every Simply Cyber I've ever been on, and I've had three people reach out. This goes back to exactly what we were talking about. You were given an opportunity. You have to take the opportunity and run with it. Don't feel like you're wasting my time. Don't feel like you don't know what to ask. Just ask anything. It's okay. Don't be shy. Like, I promise. And I bet you Jessica is very similar. Like, do you. I don't know if you have paid mentoring.
B
Oh, no, I don't do paid mentoring. I do all my mentorship for free. I 100%. It's usually what I do in my evenings, on the nights I don't teach. I will tell you that when someone reaches out to me, like you, I do actually send a lot of times videos, actually podcast episodes I've done where I've answered that exact question. But my big point is always ask a specific question. If you reach out to me and say, can you mentor me? I'm going to be like, what specific questions do you have? You need to come to me with a specific question. I would say to other people to reach out to in the community: look for people who are doing the thing you're interested in doing who are one to five steps ahead of you, and find people in those different scopes from that one to five. If you wind up with a network of mentors, even better.
D
Yes. And I have a network of mentors.
B
I do too. Right.
D
Like, critical for just your way of thinking, the way you look at problems. When I'm facing a big problem, I go to my mentors and go, this is my career fork in the road. I need some help kind of navigating.
B
And there's formal and informal mentors. There are people who mentor you who do not even know they're your mentors. So there are formal and informal mentors. Both have value. If you are in school, do gain those relationships with professors after you complete their course.
D
Yeah.
A
One other thing that I, again, I kind of made the misunderstanding when I was young, was thinking that maybe, I always thought, like, mentors had to be like a Jedi Padawan relationship. Like, long, very serious. And it's not. You could have someone to a goal, like, on a very niche thing. You could mentor. You could even have like. Like, I'm like, Jessica mentors me on business, and then I turn around and mentor her on a training or something. You know what I mean? Like, it doesn't have to be like this superior-subordinate relationship.
B
Yeah. We have. I actually. We ask each other questions regularly. And it's great because I'm getting that feedback. And if Rob thinks I'm not gonna ping him after this, he's wrong.
A
Yeah.
D
No. And I do the same thing. I message Jerry all the time, like, hey, how did you do this? Like, I, you know, how did. Like. And we bounce off of each other. There's so much that you can learn from others. I learned so much from my mentees.
B
Yeah.
D
That they don't even realize about myself. Because mentoring is the thing that has taught me to grow the most and given me emotional depth, emotional intelligence that I have simply never had before. And it's so invaluable. I think, if you have any sort of knowledge, regardless, just help people when you can help people. That's it.
A
You know, I'm dropping Robert Whetstine. I don't know why I butchered Robert Whetstine's LinkedIn account. If you're watching on replay or listening on audio only and you can't get to the chat, it is Robert Whetstine, W-H-E-T-S-T-I-N-E, on LinkedIn. He's got a sick retrowave, synthwave background. He is bow tie cyber security guy, or bow tie security. Is it bow tie cyber security guy?
D
All one word. Just search on Google, you'll find me.
B
Can I critique your LinkedIn in a positive way? So I just want to say, for anyone who's looking at their LinkedIn, I know who Robert is. I see his face and then you see that banner behind him. It tells me what he does. He's a leader, he's a mentor, he's an innovator in cyber security. That's what you need to do. Your banner should tell people subconsciously what you do. Sorry.
D
Yep. No, it's so critical.
B
So critical.
A
So also, people were asking in chat. This is Jessica Hyde's LinkedIn. So Jessica Hyde, she's owner, founder, practitioner over at Hexordia, H-E-X-O-R-D-I-A, and they've got a ton of, like, courses and free content and training and resources and everything over there. So go check that out. I linked that in the chat as well. Jessica Hyde, H-Y-D-E, if you're listening on audio only. Before we get out of here, I do like always to go around the horn and give y'all an opportunity. Robert, you want to start us off? Anything coming up?
D
Yeah, I'll be at HackSpaceCon tomorrow supporting my mentee, who's doing an awesome talk there. And so if you see me around, I've got swag, you know, happy to take photos and stuff. Don't feel awkward. Even though I am socially awkward, you don't have to be. And then bowtie security guy on all platforms. So feel free to shoot me a follow, comment. It's really important. I'm trying to help people and reach as many people as possible.
A
All right, so HackSpaceCon. And by the way, you can't tell on stream, but Robert's very tall and very identifiable, so you will see him at HackSpaceCon.
D
Yeah, I'm. I'm six seven, so I'm very short.
B
I'm five foot.
D
Oh, yeah.
A
Jessica, anything coming up? You want to share? So connect.
B
So I'll be at Techno Security doing a bunch of talks there. I have a booth there, actually. But even more important, for anyone who's looking to get into the digital forensic space, one of my favorite events is coming up in July. That's DFRWS, that's Digital Forensics Research Workshop. It's going to be in Arlington, Virginia. And that is where you can meet both practitioners and academics who are doing the coolest research in the field. I'll be doing a hands-on sysdiagnose log workshop there in July. And then I'm going to be at the DFIR Summit. I'm not submitting a talk and I'm on the advisory board this year, but I'll be at the SANS DFIR Summit in October in Arlington as well. Apparently I'm just going to Virginia a lot.
A
I mean, those are a lot of things coming up. Jessica, is it like on your LinkedIn?
B
Just check, just follow my LinkedIn. I'll talk about what I'm doing.
A
Okay. There you go. All right, guys, this has been an absolute rock star panel. I want to say thank you very much to Robert Whetstine for being here, Jessica Hyde for making an appearance. Awesome to have you here. You're always, of course, you're always both welcome on the panel. If you got value from the stream, let us hear it in the chat and really, really genuinely appreciate that. Everybody, have a wonderful weekend. You've earned it. And for everybody else, you know, until next time, stay secure.
B
Same.
Main Theme:
Dr. Gerald Auger delivers Friday’s top cybersecurity news stories, focusing on actionable insights for practitioners, analysts, and business leaders. The episode covers active threats, critical vulnerabilities, nation-state actions, supply chain malware, and practical, career-focused guidance. The latter half features a special Cyber Career Hotline panel, deep-diving into digital forensics careers, job market strategies, and professional development.
Humor & Energy:
Host’s trademark wit, “news at 11: Water is important!,” Ric Flair Friday excitement, live memes, and direct hot takes kept energy high.
Timestamps: [64:19]–[120:53]
Episode Tone:
Engaging, energetic, opinionated, and supportive—balancing news, deep dives, and candid career advice with humor and memorable analogies.
Why Listen?
This episode is a must for cybersecurity practitioners, job seekers, and leaders—covering not just the “what” in cyber news, but the “so what” and “now what.” The panel’s career advice is especially actionable and down-to-earth.
Hosts’ Core Message:
Stay vigilant on active threats; do the basics (patch, MFA, monitor APIs); build your network and personal brand intentionally; and always give back to the community.