Inside the Mind of the #Sunburst Adversary - Ep. 117

Marco Figueroa Cyber Threat Hunter takes us inside the mind of the #Sunburst adversary. The timeline and what he would be doing if he is the Sunburst adversary.

Episode Table of Contents

  • [00:40] The Last Joint Episode With Carolyn Ford
  • [08:40] The Magnitude of the Sunburst Adversary
  • [18:00] The Sunburst Adversary Prioritized Government Agencies
  • [27:31] What Solarwinds Could Have Done to Detect the Sunburst Adversary
  • [00:00] Did They Miss Something
  • About Our Guest

The Last Joint Episode With Carolyn Ford

Eric: We're recording in the afternoon this time and a sad afternoon. This is our last joint episode together. I know the listeners will miss you. It's been quite an enjoyable ride. I've really enjoyed this.

Carolyn: It has been fantastic. Pre-show, we got to talk to our guests for a minute Marco Figueroa. This might be one of my favorite episodes ever, just based on our conversation.

Eric: Marco, welcome to the show. Sorry we're tearing up a little already.

Marco: No, I'm tearing up with you guys. I didn't know, you didn't tell me this. It's very special because I'm the last one.

Eric: Yes, our last show together, To The Point will continue. We'll figure out what the journey is, what the path looks like. But Carolyn is leaving the organization for uncharted better waters and it'll be good. I wish you the best. It's been an amazing time getting to know you these past three years Carolyn.

Carolyn: Same Eric. I'm going to a really cool company. When I saw their technology, it's something that every IT shop needs. The name of the company is Dynatrace. So go check it out. You'll know what I mean, when you go see what they've got. So with that, though, let's get to Marco Figueroa.

Carolyn: He is a Principal Threat Researcher at SentinelOne. His technical expertise includes reverse engineering, incident handling, threat intelligence. He likes to do bug bounty on the weekend. I did not know this was a thing, until just now. But apparently you can make a lot of money in this.

APT Hunting and Getting Inside the Head of the Sunburst Adversary

Marco: Go look up some of the people on the leaderboard at HackerOne. You'll see the bugs that they are getting and the rewards and the payouts.

Carolyn: This is what I'm going to miss, meeting people like you Marco. I got to figure out how to keep this going.

Marco: Listen at least you're not going to SolarWinds.

Carolyn: Whatever, Chris Krebs is there, I wouldn't mind I'm not going to lie.

Marco: Yes, they're getting some needed help.

Carolyn: Let me just finish your very impressive bio. You also do APT hunting. Before SentinelOne, you spent seven years at Intel as a senior security researcher. So what we want to talk to you about today is exactly what you just mentioned SolarWinds. I want to get inside the head of the Sunburst adversary. So I want you to be the adversary and tell us what you're doing there.

Marco: To paint a picture for the listeners, yesterday or the day before,

SolarWinds released a blog on the timeline

. It's really critical to look at that. I had discussions with other colleagues about the timeline. It's interesting. What they reported was 9/4/19. The threat actor accessed SolarWinds.

Eric: That was about a year and a half ago, you're saying 2019 not 2020, 2019.

Marco: Yes, 19. So eight days later, they inject test code and begin the trial run to see if they're detected. How it is deployed, and that carries on to 11/4/19. Let's take a step back. If I'm doing a pen test, or I'm the threat actor, I need to know first off the software how it works, how it does.

Getting the Lay of the Land

Marco: I can download the free trial, install it, take a look at how it works. Reverse engineer it using IDA Pro or Ghidra or something like that, or use another tool of your choice. To understand how it works, what can I do? What can I replace and put in its place to blend in and not stick out?

Eric: That's more than a day. As good as you are, I've known you a long time. You still take a little bit of time?

Marco: Yes. For me, if I'm penetrating their network, I'm first getting an understanding where everything is. Getting the lay of the land, doing recon.

Eric: Almost building a map of the attack surface and what's going on. So you understand it.

Marco: Yes, however you enter you, you still got to figure out where everything is. I've worked on cases where the software, all it did was a recon mission of the environment it was in. It took, what software was installed, what was the BIOS version, what hardware was on the system. The next time they penetrate, they can tailor their target for this specific environment.

Eric: This isn't even including the prep time. Thinking about the operation of the nation state level, which type of software are we going to try to penetrate? How do we want to do it, which teams are going to be oriented towards that. We're talking an operation that was probably at least two years in the making, if not more.

Marco: Absolutely the patience. When you get into an environment, you make potential mistakes. Time favors that attacker when they're ghosts in a show where they're not detected.

Time Favors the Defender

Marco: Once they're detected, the time favors the defender, because they have time. That's what we're seeing now. You're seeing trickling reports come out every week. Like last week, there was a report, this week, there were two reports.

Marco: I don't want to mention the name, there’s another firm that was compromised, their certificate, their secure emails. You're going to start seeing this over and over. The hack that will keep on giving.

Carolyn: And the patient side of it. It wasn't really when they decided to strike, it's when we finally noticed them. Why did we notice them? I'm jumping ahead in the timeline, keep taking us through the timeline.

Marco: We're going to go there. There's some juicy parts that I want to cover first. So just the test code was around two months.

Carolyn: They're just doing recon for two months.

Eric: Just looking at it, understanding.

Marco: Just seeing if anyone's detecting what we injected into it. Nothing.

Eric: Is it safe to say that it was at least two months? From what we know.

Marco: That's what's on the timeline from, 9/12/19 to 11/4/19 they're just testing out.

Carolyn: How do we know that exact injection date? I know that's kind of a dumb question.

Marco: It's not out there. This is why, for me, it is like at SolarWinds. The thing to do is really provide solid evidence backing everything up from logs. You have to show it because as an attacker later on, I'm going to show you why. If you have the software, you need to worry. You need to carpet-bomb your company and there's no fun here.

The Magnitude of the Sunburst Adversary

Marco: This is real talk, you have to understand the magnitude of what's going on. So jumping forward to 2/2/2020 when SUNBURST was compiled and deployed. So we're talking about patience. As soon as November happened and they said "Okay, there was no detection." Timeline shows 2/2/20.

Eric: Basically three months. All of November, all of December, all of January and most of February, short month by the way. They just waited, all they did is they waited.

Carolyn: Then they deploy. Do you think they were waiting to get more into the election mayhem as a distraction. Then maybe when COVID hit they were like, "Oh, this is even better, we'll go now."

Marco: Potentially they were waiting. As an attacker, I'm waiting and looking not only to understand the environment better. It's like the 9/4/19 for initial penetration, I already understood your environment. I know where everything was. So the 9/4/16 and then the 9/12/19 , that’s like "Okay, I popped in and I already know where I'm going."

Eric: This is in the SolarWinds Orion. We're not talking customers yet. Just into SolarWinds Orion.

Marco Figueroa: Correct. This is why, for me, there has to be more information and more transparency than ever. So many people were affected and they have to be more transparent talking about this. A lot of times who keeps logs, it's very expensive to keep logs.

Marco: So how did they figure out 9/4/19 was the initial. Did that threat actors leave something on the box, so you could understand that it was them? These are all questions that all of us researchers, threat hunters, analysts, everybody wants to know. So SUNBURST happens, compiled.

The SUNBURST Implant

Eric: A month later.

Marco: Then on 3/26/20, it says, a Hotfix 5 DLL was available to customers. Now, this is all assumptions, because they didn't write anything about that.

Carolyn: Who didn't?

Marco: SolarWinds, they didn't write anything on their report what 3/26/20 is. They just put Hotfix 5 DLL available to customers. I'm guessing that the SUNBURST implant was available to customers, for customers to download. But again, that's my assumption, it's not facts, but that's what I'm thinking.

Marco: So then June 4, TA removes malware from Build VMs. What is that? They took out everything. My assumption that you have close to four months there, that it was up and people were downloading. My guess is that they saw what they wanted to see. Now they have access to SolarWinds customers that they wanted. No need to be out there.

Eric: Again, remove the evidence and scrub it.

Marco: We're going to scrub it, it's gone.

Eric: Basically sweeping our footprints.

Carolyn: When you say they have access to those customers, at that point they've gone in. Created possible fake privileged user accounts with those customers. Whatever they did with SolarWinds, they don't care anymore.

Eric: They've got in the door and they moved laterally to other platforms. They don't need SolarWinds anymore. They're on their main targets. Let's remove the fingerprints, the footprints, whatever you want to call it. So we're less likely to get caught and we go to phase two of the operation.

Marco: So then, that happens, fast forward 12/12/20. SolarWinds is notified of SUNBURST. So you have all that timeline now about this injection of code happening.

How the Sunburst Adversary Leveraged on the Access to Permissions

Marco: Now we're going to put all of that aside, and now I'm the red teamer hacker threat actor. So let's talk about the access permissions, you just said. If you had that, SUNBURST Orion DLL installed on AWS or Azure, how can the attackers leverage these missions? For Azure, the setup contributor role which allows you to start, stop, restart your VMs.

Marco: Then for Amazon, you can do a little bit more, which you can look at metrics stats and terminate instances. So that right there, that role is really important. Then if you have knowledge of the Cloud API, and you have some excessive access to company resources, everything is unlimited to you.

Marco: Everything is there, you're completely on. Let's say you had Amazon S3 bucket full access to everything. That's like logging in and seeing all your instances of you using Amazon across everything. What's to say, with that access, they don't turn something on, inject something into one of the AWS servers. It's just unlimited, unprecedented access that I've never seen.

Eric: As an attacker, your choices is really, where do I go now? Where do I spend my time? Because time is of the essence. I have no idea how long I'll be in here undetected. How do I prioritize, how do I stack rank? Then what do I do?

Marco: Let's put AWS and Azure aside for a second. Let's dig into exploiting the access permissions stored in Orion. If you have the Orion Platform, you have a database installed, it’s just by default. This is where stores install everything.

Time Is Not on the Sunburst Adversary’s Side

Marco: You potentially have all the information of identity and access management, or IT asset management. Orion holds all the credentials such as domain admins, Cisco routers, and switches, ESXi, vCenter credentials, AWS, Azure. Any cloud route API keys and so much more.

Eric: Database management?

Marco: Everything.

Eric: It's a perfectly targeted tool.

Carolyn: They could shut everything down. Like what you're seeing right now, they have access to shut everything down.

Marco: What I'm saying is, if you have that software, whatever it was in that database, whatever they had, or that company had stored, you have to consider everything on the Orion Platform compromise.

Eric: Not only that. Once you go to an asset that you found out through Orion, that asset may have access to other things. In essence, your whole network essentially is burned or you have to at least suspect that. I was talking to somebody yesterday. One of the customers who was impacted by this. His first inclination was, let's just set up a whole new infrastructure and network and everything. We burn it all down.

Eric:  That was great thinking but you can't do it. Not when you are an enterprise. A government enterprise can't burn it all down. You almost have to think like every single thing out here is suspect now. That's the beauty of this attack.

Carolyn: So who has Orion, tell me, everybody in the world?

Marco: 18,000 customers, they said, were affected.

Eric: 18,000 customers, and they were clearly dozens that were impacted. The time is not on the Sunburst adversary side, once they're detected. Once they were detected, they were running out of time. They couldn't get to all 18,000 not that they ever would.

The Sunburst Adversary Prioritized Government Agencies

Eric: They had to prioritize from the beginning. It looks like they prioritize government agencies, DIB customers, and telecommunications. The key infrastructure of the United States and our allies.

Marco: The hack is unprecedented. The one thing you have to think about, if you had SUNBURST, is that everything is compromised. But imagine if you work in a place that I know that has over 700,000 endpoints. What do you do?

Eric: You can't burn them all down. It's almost like being invited into Willy Wonka Chocolate Factory. You're in this amazing place, but you can’t eat all the chocolate. So what are your choices?

Marco: I'm the red teamer, I'm looking at the VP over here and I'm asking you. If you're a consultant, I'll give my answer after yours. But if you're going to a company and they're asking you, what should we do? Even if we had 10,000 endpoints. What do you say?

Carolyn: Hire Marco, immediately.

Marco: I would say, buy SentinelOnes. A pitch like that but that's for another day, another story. But, what do you tell a customer though?

Eric: I think you have some good guidance here. On the 8th of January about a week ago. They announced alert AA20-352A which talks about compromise and bypassing federal identity solutions. Talks about using forged authentication tokens. Basically your zero trust architecture if you were heading down that path is compromised also. The core credentials were burned.

Eric: So my answer, without naming any products or any organizations. You need to go back to a point in time along that timeline, when you uploaded the latest SolarWinds Patch. That would have allowed the adversary on your network.

You Have to Go Back to the Logs

Eric: You need to start looking at all user IDs, and everything from that time forward. Now, could they play with system clocks and do things like that? Maybe, maybe not. At a minimum, you've got to look at everything that was created from March 20th, maybe.

Eric: You've got to look at everything from that point forward, March 26, I think. Forward and absolutely understand that Marco Figueroa is Marco Figueroa. You've got to look at what those users are doing, what their behaviors were. You've got to go back to the logs.

Eric: If you have insider threat capability, or some kind of EDR Capability that was capturing information, either caching it or storing it in a database, going back to your logs, this is just grunt police work like forensic work, digging through that. You have to do that, or you have to burn it all down and start over, which is unlikely.

Carolyn: That's what I’m asking. Like, in the meantime, while you're doing all of this, like Marco is giving the scale here of 700,000 endpoints, 700,000 users. Do you shut it all down while you check it out? You can’t do that. Because if you don't then they're continuing to move.

Eric: I've seen Marco, I mean he'll continue to keep moving. "You can't catch me, you can't catch me Eric. I'm faster than you."

Marco: It's a whack-a-mole mentality. You're going to be whack-a-moling. And this is the thing. Initially, when this happened, Microsoft stated that they weren't hacked. I retweeted something from someone from Microsoft. Two weeks later, we found out there was no modification, but we saw the source code.

Eric: Source code is like accessed.

What a Bug Bounty Hunter Does to Hunt the Sunburst Adversary

Marco: We don't know what source code do. I haven't seen anything that Microsoft stated except the access source code. But here again, as a red teamer, as an attacker, as a bug bounty hunter, what I could do with that is, I don't have to reverse engineer things anymore. If I access it, that means I probably copied it in whichever way or we don't know, again, transparency.

Marco: This is why everything has to be open. Because now for me, I'm paranoid to download stuff now. From Microsoft, from everything. Everything is in a VM that I install. I don't need it if it's not good. I think building trust with customers is very important and being transparent. Especially these days, where we're getting reports.

Marco: You're going to see so many more reports in the upcoming days, weeks, months. It's going to continue to happen. Yesterday there was another report. This is what I would tell you, it's the tip of the iceberg.

Eric: This is why I say, this is beyond Snowden, Buckshot Yankee, you name it. Imagine if the adversary wanted to actually cause harm. We're talking sabotage, we're talking damage as opposed to just espionage. Maybe they can in the future because they're inside. One thing I would question is anybody who says we're clean, we're good, we know we're okay, who was accessed.

Eric: How do they do that? At this point, you get in through SolarWinds, you clean up your footprints. You've now compromised 0365 Active Directory, maybe I Cam Tool, Azure Trust, is no longer trustworthy. As an adversary, what's your next move, what do you do? How do you prioritize? You're in the chocolate factory now.

Transparency Is Really Important

Marco: Stay and have access. If you stole stuff like they were saying, court records were accessed and I guess stolen. Again, transparency is really important. We have to know as they share, like with SUNSPOT, we start to have a better understanding for future attacks. If I'm the attacker, and I penetrated a company, it's to maintain access.

Marco: You're so deep in the company. You could pivot upon pivot like, "Oh, yeah, you found that. But you're not going to find me for another four months, because I'm over here." It's maintaining that access. Supply chain attacks are going to be here to stay. This is something that will go down as one of like you said. It's the biggest hack of all time.

Eric: What's your thought as a hacker, a red teamer? All these cybersecurity companies are coming out. They're saying, "Hey, here's a patch, we can't address all these IOCs. Indicators are compromised around SolarWinds." To me, it's too late.

Eric: It's great that you're doing it, but the horse has already left the barn. Or the adversaries are inside the castle walls, if you will. They look like you, they act like you and you believe they're you. So the fact that you're closing the castle drawbridge, you're raising it. It needs to be done.

Marco: Correct. It's important, though, for that to happen. Because if you have 18,000 customers, like all those customers can pay for IR. Every incident response team right now is busy, you're not going to hire someone. So you need tools, we release the tool. We release blogs, to help people that aren't our customers, like "Hey it's like running the tool."

What Solarwinds Could Have Done to Detect the Sunburst Adversary

Marco: This is important, it is a community task and not just one company. The community needs to help each other here because like I said, 18,000 customers. If a customer right now tries to get another firm, to try to do an investigation is going to be hard. It's like, "Okay, you're on the list, we'll get to you when we get to you because everyone is busy."

Carolyn: To your point of why it's so important that we're transparent, that we're sharing the information. You said that the supply chain attacks are here to stay. What do we do to make sure that that kind of code doesn't get injected again? Like what could have SolarWinds done to detect that before it went out?

Eric: Or SolarWinds customer?

Marco: I always believe, if you're a large company, you need a team to vet, the software you're bringing in. Really vet them.

Eric: If you're a consumer of a software product, you need to have a team of people. They actually look at, in this case, it would have been SolarWinds, look at the update process. You don't have access to the source code. How do you do that? I've worked with some government agencies, I know you've worked with also.

Eric:  They don't have enough staff to do it. They're always behind, you can do selective pulling. They asked for the source code to do source code reviews, and even in that, I bet they miss things. I don't know that, that's feasible.

Part of the Security Lifecycle

Marco: Depending on the company. The last company I had, we did have that. We had red teamer's auditing code because this is a part of the security lifecycle in a company.

Eric: So, let's assume the fortune 100 can do that. Did you find anything?

Eric: "Passwords in the clear, probably. Hey, why are you reaching back to the company with update messages or whatever?" But like, would you have found it? Even if you could, even if the top 100 companies in the world can do it and afford to do it and do it perfectly, rest of the world can't do it.

Marco: Here's a question. Do you think, the reason why SolarWinds came out, was because they were alerted by who?

Eric: FireEye in this case, with the Red Team Tools. But you would assume that FireEye would be better than most, in this regard. Turns out they were luckily. They went public on December 13, they went public right away. Huge kudos to FireEye. A lot of companies would have said "My Red Team Tools that's a huge part of my business. Why would I ever do that?" They were awesome.

Carolyn: But they found it because they had already been compromised.  They didn't find it before they got compromised.

Marco: They've stated that they were compromised. This is why I wonder if FireEye didn't come out, would SolarWinds have come out the way it did. I feel like FireEye put them on blast. Told them "Hey, we're going to tell our shareholders or whatever the case is." I don't know the politics behind there.

Sunburst Command and Control Domain

Eric: But we know the timeframe. It was the 8th of December, the FireEye Red Team Tool report came out. They put a report out on the 13th on SolarWinds. On the 14th the very next day SolarWinds security advisory was released. Then the next day, Microsoft sees the SUNBURST command and control domain. Things started to shut down from the initial attack vector perspective.

Marco: That's what I'm saying. It's great, but the damage has already been done. This was an operation ongoing for six months.

Eric: Six months they were in for nine or 10 since March.

Marco: What I'm saying is like 3/26/20 and then when they initially got caught. They're still catching a lot of things out there. Microsoft reported to, I think it was Mimecast yesterday, about their certs being compromised so they could read secure email. It is like the tip of the iceberg. As people start digging more and more, you're going to see more reports, it's going to get scary.

Eric: As a threat researcher, I don't want to scare everybody, what do you do? What are you looking at? What do you think about this problem? If you are working for a compromised agency, what would your advice be right now?

Marco: This is my belief. A lot of times, a lot of companies are reactive to a situation. How do you become proactive, how do you go on the offense? Which is start having your threat hunters hunt, but also start putting your ROS out there on VirusTotal. So you can get more detection and build that detection. A lot of times we wait for an alert. That is to me the wrong way, especially now.

The Trickle-Down Effect of the Sunburst Adversary Hack

Marco: Everybody's thinking of, we got an alert. "Okay, what do we do?" Instead of being proactive. What's going to happen is, forget about what's going on with SolarWinds and what happened. What else did they put in those environments, what else did they do that we don't know? That is where you're going to start seeing the trickle-down effect of this hack. That’s where it's at, and it's scary.

Eric: Carolyn, in all of our time together, we've had some amazing guests on the podcast. Dmitri Alperovitch, former CrowdStrike, CTO and founder mentioned hunting. It’s a conversation I had had with him before and you get so wrapped up in things. He took me back to early on and he's been talking about that for years, like more than a decade.

Eric: It was one thing tangible, that we can grab on to as cybersecurity professionals. We don't hunt much. There aren't a lot of Marco's out there who are actually reverse engineering malware. Reverse engineering code, looking at things that are suspicious on the networks. Going back to the cyber defensive teams and saying, "Hey, you've got some potential vulnerabilities here."

Eric: As Dmitri said, 99% of the budget is spent on the perimeter or spent on tools to protect. There's very little on actually looking at what's happening in your environment, on your networks. With your systems, with your users, with your people, and determining if that's appropriate. The haunting piece, it was such an eye-opener for me.

Marco: I agree with that. A lot of my time, I look at reports out there. Here's the recommendation for everyone listening.

Did They Miss Something

Marco: When you read a report, at least for me, a report from whatever company that has hashes. I look at their report and I always say "Did they miss something?" That's what I do as a hunter, I want to find something that they missed.

Marco: I've worked on a case around 2017 that affected the company I was working at that time. It wasn't in their report. When we went on a call with them, I was like, "Look, there's a jump. You only covered this side but this was more important to us, a specific pattern in code."

Marco: I was like, I had to reverse engineer to say, "Hey, this impacted us more than what they reported." These are the little tricks that you can do, or anyone out there as an analyst, as a hunter, or even as a manager. What did someone else miss? The show that I always tell people to watch when they are in this field is watch the first 48.

Marco: You have 48 hours to get the bad guy. So you start understanding how the scene is set up as a hunter, who shot the gun? Where's the bullet? What kind of gun? Did someone die? That's the same thing you do when you're researching something. You're a detective.

Carolyn: As we wrap up here, what Marco’s talking about reminded me a lot of what we just talked to Jared Quance. He is an Insider Threat Program Manager, and he said the same thing. "You go into interrogation mode, you start asking all those questions and dig, dig, dig." I've heard you say, be proactive, don't be on the reactive side, start hunting.

Share the Information and Be Transparent

Carolyn: The other thing that you've brought up and has been brought up by many of our guests, is just share the information. Be transparent. Then we all know where to start asking those questions.

Marco: 100%, you're right. But this particular hack, it needs to be transparent, because you're going to have people helping out. That's not on the payroll. You release an indicator, myself and about 10,000 other researchers are trying to put out reports or things that can help the community. This is why transparency is super important.

Carolyn: This one got to be crowd-sourced.

Eric: What we saw FireEye, as soon as FireEye went public boom, the picture opened up. People started to see the extent of the problem. They’d been dealing with it for nine to 10 months without even knowing it was impacting them. I still see that issue in government. It's really hard for the government and industry to share information. Was on a call again, yesterday at Zoom, because of COVID.

Eric: We're still talking about the same things we've been talking about for more than a decade on information sharing. How to get it out there. We haven't put protections in place for companies against lawsuits and negligence. There's a lot to do.

Eric: I don't see the government sharing a ton, when they do it's usually late. It's impartial, it's a component of something. We have a lot of work to do here. We've got to open up, we've got to work together because it just keeps getting worse.

Marco: It's the tip of the iceberg. During this time, we're in COVID. What better way to spend your time than to help investigating.

Rapid Fire Questions With Marco

Marco: These hashes and indicators and everything, you have to share them. I gave you a good example, the report that came out this week, how to hash. They didn't share the sample. You need to share the sample, put it up in VT.

Marco: It's going to eventually get up there. But again, the hash was there, they're not sharing. They have their own reasons. But this particular incident needs to be very transparent, and you have to share.

Carolyn: Well, Marco, thank you so much. I'd like to keep you for just a minute more. This is actually my favorite part of the show. We give you some rapid fire questions. What is a show that you have watched recently and just love? Besides the First 48.

Marco: I haven't watched the show, let me see.

Carolyn: You're always bug hunting, aren't you?

Marco: Yes. I want to say YouTube.

Carolyn: Honestly listening to you talk today, I feel like I was watching your show.

Eric: You're going to have to skip to the next one. I don't think Marco is turning the television on.

Marco: Just say YouTube or ATL. Yesterday I put on ATL, its called ATL, by Donald Glover.

Carolyn: Do you have any guilty pleasure?

Marco: Being in front of my computer.

Carolyn: What do you read? Or who do you follow? Maybe as a better question.

Marco: A lot of growth and self-help books. I love that.

Eric: Yes. His whole life.

Marco: To me it's very entertaining.

Carolyn: So what are you reading?

Marco: I just finished Greenlights by Matthew McConaughey. I absolutely loved it. If you guys are going to read it, don't read it, buy the audiobook.

A Cybersecurity Must Read

Marco: I read it and then I bought the audiobook. I'm also reading Stephen King's On Writing, which is interesting. It’s how he writes and how he prepares himself how to write. The third one is TB12 Method. It’s having a winning mentality like Tom Brady. Those are the three books I'm digging into now.

Carolyn: Do you have a cybersecurity must read book?

Marco: I have a few. Actually, they're over there. I would say, Ghidra, I love Ghidra. That's on the top of my mind. The Ghidra Book by No Starch, that's for tools. Let me give you a few. For bug bounty, I would say go to a website. They have HackerOne, they have like their little books. For offensive security, let me see. I think The Art of Exploitation. There we go.

Eric: Nice reads for a weekend.

Carolyn: If you had a magic wand, and you could change anything you wanted in cybersecurity, what would it be?

Marco: That's a good one. I think there's sometimes a lot of drama. I don't get into drama, but I hear through the Grapevine. So drop all the drama, it's all about love and helping each other and providing value to everyone.

Carolyn: Amen. Unexpected and well said. All right, I think we already know the answer to this. But what would you say is the biggest cybersecurity impact in the last 12 months?

Marco: I think for the next 12 months as well and then 2020 too.

Carolyn: For the next 10 years?

Eric: I don't want it to continue and there will be copycats and the mechanism is sound.

Making the World a Better Place

Marco: It was a pleasure to be on this show. I'm so happy that I got to meet you Carolyn before you exit the stage. Good luck and I hope you stay in touch.

Carolyn: Thank you Marco.

Eric: Marco, keep the world safe. Keep doing what you're doing with your research and reverse engineering and getting information out there. Really appreciate it. Glad you're at SentinelOne right now making the world a better place.

Marco: I love it.

Carolyn: You're now one of my cybersecurity heroes. He’s like Mudge, Eric.

Eric: Yes, now Marco is a guy I go to if I have any issues. By the way, I do have an IP address I want to run by you Marco. With that being said, Carolyn, it's been so much fun working with you and so much fun doing the podcast. I really will miss you.

Carolyn: The show will go on but yes. This has been the highlight of my career to be honest.

Eric: We will continue with To The Point Cybersecurity, we have too many listeners. And we cover too much good ground.

Marco: We need to have a follow-up show maybe in like six to eight months to see what plays out.

Eric: Don't worry, we will.

Marco: We will have a collection.

Eric: We'll still be playing the game unfortunately. But anyway, Carolyn, Godspeed.

Carolyn: Eric, same to you. Bye, guys.

To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers 2019 and 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast cford@forcepointgov.com.

About Our Guest

Marco Figueroa is a Principal Threat Researcher at SentinelOne whose technical expertise includes reverse engineering, incident handling, threat intelligence, bug hunting, bug bounty hunting, and APT hunting. Previously, Marco spent the last 7 years at Intel as a Sr. Security Researcher.