Livestream at RSAC 2024 with John Hammond, Principal Security Researcher at Huntress

At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guest, John Hammond, Principal Researcher at Huntress, to discuss red teaming and threat intelligence.


Transcript

Tom Eston: Welcome to the Bishop Fox live stream from the RSA conference in San Francisco, California. My name is Tom Eston. I'm the VP of consulting and delivery at Bishop Fox. And this is my cohost.

Matt Twells: I'm Matthew Twells, a senior solutions architect at Bishop Fox. I'm essentially the professional nerd that we drop into sales calls. My job is to take the conversation and turn that into levels of effort, and kind of decide who we're going to put on the test. I always joke that everyone's bill's kind of my fault here at Bishop Fox.

Tom Eston: I love that you're a professional nerd. That says a lot about you, actually. I'm really pleased to introduce our first guest, John Hammond. He's the principal security researcher at Huntress. He's also the Mr. Beast of Cyber. John, welcome to the live stream.

John Hammond: Well, thank you so much for having me. Super flattered to be here. I feel like I always share the same intro. I try to be the professional nerd and geek, doing anything we can on the keyboard to have some fun.

Tom Eston: I said Mr. Beast of Cyber because you are a famous YouTuber, whether or not you want to agree with that. You have like 1.5 million subscribers. You've been doing YouTube for a long time. I think that's really set your career off in a new direction. I did want to call out one video in particular that I watched recently, about finding weird devices on the public internet. Can you talk to us a little bit about that video?

John Hammond: Oh, goodness. Thank you so much. Very flattered. YouTube is a passion. It sounds silly, but it's not always the best conversation starter when you say you have a YouTube channel, especially in the niche of cybersecurity. I try my best to get education, messaging, and training out there to help folks learn and get into the scene. It's a labor of love. Thank you for tuning in to that recent video. We were just trying to see if there are any IP addresses or devices that have things publicly available, like a camera feed or CCTV or billboards, and you can find some strange, silly stuff.

Matt Twells: Do you have any plans to turn the golden play button into a weird device?

John Hammond: That would be awesome. To be honest, I totally would like that golden play button. We're about halfway up the ladder now, but I think they're a little bit behind in churning those out for the Creator Awards.

Tom Eston: Well, congratulations on your success on YouTube. It's awesome to see a content creator like yourself doing great things for the community. Today we want to talk about red teaming and threat intel. From your experience, what do you think are the priorities that an organization has to consider when they align business goals with what they need to do in a red teaming engagement?

John Hammond: I'll admit, I'm a bit of an anomaly here. I don't always strictly do in-depth hardcore red teaming and pen testing. At Huntress, we're more focused on defense. But it's fun to have those conversations and see from both sides. The biggest priority is collaboration. When the red team gets together, does what they do, and emulates adversaries, what even gets seen, if anything? Are there things you can go to the stakeholders with and say, "This is the impact we were able to accomplish"? These are things we'd like to tweak and configure to prevent real adversaries from doing the same. Aligning both sides of the spectrum is absolutely paramount.

Matt Twells: It actually kind of leads into the next question. Red teaming is essentially consulting. How do you balance the business objectives with the real aggressive technical threat landscape that is evolving, especially with AI now involved? How do you see balancing that?

John Hammond: That's a super good question. I think they can coexist. It boils down to the practitioner. You've got to have a certain amount of sales expertise to be consulting and talking with the folks you're working with. You really do have to stay on the cutting edge. What are those adversaries that are doing real damage? Is there some new trick, some new novelty? Are those things we would put into practice for red teaming? Can we bring that to the red team engagement and add value to the customer?

Matt Twells: Do you think that the basics done well will get you further than the new ninja thing? It all lives and dies with risk management. Is that where you'd say you would land as well?

John Hammond: I think I would. The basics are the foundation. The reason we harp on it is because it's the right answer. You don't need all the high-flying hijinks, but you need to get the basics of security right.

Tom Eston: From a defensive perspective, how do you see threat intelligence fitting into all of that?

John Hammond: Threat intelligence is a fun conversation. When I think about threat intelligence and what genuine adversaries are up to, they spread out info that can be used and reused. Some red teamers might use leaked credentials and breaches that appear on the Internet. Threat intelligence of just knowing what's happening in the world, what the latest breach or incident is, that's stuff we need to bring into the craft because those are the real threats we're trying to emulate.

Matt Twells: Do you think people over-index on technical defenses or do you feel like basics like disaster recovery plans are more important?

John Hammond: Absolutely. We need to have that in the back of our minds and move it front and center. We like the technical work because it's fun, sexy, and cool. But do you know the phone number of the breach coach? Do you know who the insurance providers are if something really hits the fan? It's the policies, procedures, backup continuity, and disaster recovery work that we need to do. It isn't as sexy, but it's absolutely necessary.

Matt Twells: Red teaming as an engine for innovation itself. Do you think the next innovation is making sure the basics are done well, or do you see something else?

John Hammond: I don't think I could pinpoint one sweet case study, but red teaming leads to conversations you wouldn't have had otherwise. Is our network architecture as it should be? Are there certain topologies we need to re-architect? Do we need to build out more policies? Where's the place for AI and other new things? It's about having conversations you wouldn't have before, and that's the value of doing emulation and testing in red teaming.

Tom Eston: AI is a big theme at RSA this year. What's your take on AI in terms of threat intelligence and the defensive side? What does that look like for organizations in the future?

John Hammond: Speaking as John, I feel like I haven't drunk the Kool-Aid yet. AI isn't the big revolutionary silver bullet savior, but it augments the work we do. It works hand in hand with the operator, whether you're on the red team or the blue team. There’s a lot we can do about trying to find anomalies, benchmarking, and seeing the delta of what's normal and natural in our environments. If you're trying to build out an exploit or a new proof of concept for red teaming, tools like GitHub Copilot and ChatGPT can help. There's a lot of runway there, but it's always with a human in the mix.

Tom Eston: Well, John, it's been an absolute pleasure having you on the live stream. Where can our audience find out more about you and everything you have going on?

John Hammond: Thank you so much for letting me ramble. This was a ton of fun, guys. You can track me down online. You'll see my ugly mug and red hair on YouTube, Twitter, and LinkedIn, all under the name John Hammond. Please reach out, don't be a stranger.

Tom Eston: Awesome. Well, thank you, John. That's going to wrap up this first interview of the Bishop Fox live stream from the RSA conference in San Francisco. Thanks for watching.


Matt Twells

About the author, Matt Twells

Senior Solutions Architect

Matthew Twells is a Senior Solutions Architect at Bishop Fox focused on technical scoping of client engagements, training and development, and sales enablement. He graduated from the University of Reading in Reading, England with a B.A. (Hons) in Economics, and has spent time working in the British Army as a Secure Communications Engineer, working with the National Health Service as part of the Cyber Defense Operations Center (CDOC) team during the COVID-19 pandemic and subsequently in a variety of cybersecurity consulting, technical project management, internal audit, and penetration testing roles over the last 7 years.


Tom Eston

About the author, Tom Eston

VP of Consulting and Cosmos at Bishop Fox

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences including Black Hat, DEF CON, DerbyCon, SANS, InfoSec World, OWASP AppSec, and ShmooCon.