
Pen Testing to Red Teaming: Greg Hatcher Explores Cyber Maturity and Defending Against AI Attacks

About This Episode

After a short hiatus, hosts Rachel Lyon and Jonathan Knepher return with an exciting new episode featuring Greg Hatcher, co-founder of White Knight Labs—dubbed the "Ocean’s Eleven of cybersecurity." Greg brings a unique perspective from his days in Army Special Forces and his deep expertise in offensive cybersecurity operations. 
 

In this episode, the conversation dives into the world of red teaming, how it differs from traditional penetration testing, the realities of social engineering and physical access exploits, supply chain and AI security threats, and the ever-evolving role of CISOs in defending their organizations. Whether you're interested in insider threats, shadow AI challenges, or want to explore gripping stories from cyber offense's front lines, this episode offers insights, warnings, and practical advice for organizations aiming to stay ahead.

      Rachel Lyon:
      I'm Rachel Lyon, here with my co-host, John Knepher. John, we had a little bit of a hiatus, my friend. I missed you.

      Jonathan Knepher:
      Yeah, I missed you too.

      Rachel Lyon:
      It's nice to be back after a few weeks and get back in the swing of things as we look into the fall. I can't believe it's almost August. It's bananas how fast the summer's going.

      Jonathan Knepher:
      Yeah, this summer definitely went by quickly.

      Rachel Lyon:
      So we've got an amazing first guest back from our little break and happy to welcome to the podcast Greg Hatcher. He is the co-founder of White Knight Labs, which is a global cybersecurity consultancy focused on offensive operations. The company's also been called the Ocean's Eleven of cybersecurity, if you could imagine, which is super cool. Greg's a former Army Special Forces veteran and he brings a unique perspective to the field of offensive operations, blending tactical precision with technical persistence. Welcome, Greg. So excited to have you.

      Greg Hatcher:
      Yeah, it's a pleasure to be here. Rachel, thank you for that intro. And John, pleasure to meet you. Rachel, I have to say how your voice changed from like the pre-show banter to actually going on the podcast is pretty incredible. You just like flip the switch and like. Yeah, it was like smooth as silk when the camera started rolling.

      Rachel Lyon:
      Awesome. Yeah, it's. Yeah, you outed me. Thanks, Greg. You have a great radio voice though, too podcast. But you always sound like that so you don't have to work on it. But thank you.

      Greg Hatcher:
      Thank you.

      Rachel Lyon:
      All right, John, you want to kick us off? I'm excited.

       

      [02:03] Red Team vs. Penetration Testing

      Jonathan Knepher:
      Yeah. So, Greg, maybe you could start off by talking a little bit about your approach to red teaming, how that. What value that brings and how it's different from conventional penetration testing.

      Greg Hatcher:
      Yeah, sure. So my background being in Army special operations for seven years, then getting out being a government contractor at the NSA and CISA. Lots of, lots of experience doing red teaming and just being on the offensive throughout the arc of my career. So red teaming is basically for the top tier companies that they already have been penetration tested for five years. 

      They already are doing software, hardware, asset management. So they're at like the very top of the pyramid of all companies as far as like the readiness they have an EDR, there's an MDR, there's a SOC. They are actually ready for a red team operation. So our approach is basically we're looking at them like from holistic point of view as opposed to a penetration test, which is more of a smash and grab.

      Greg Hatcher:
      Right. A penetration test is typically a one week to three week time box engagement. We're being loud at the network, running tools like Nmap, Nessus for vulnerability scanning, BloodHound, lots of automation. Our red team is more low and slow. We're focusing on high. How does the company make money? What is their brand? What are certain events that would hurt their brand? How do we move money out of the company without them knowing? If I was to gain access, like physical access to their building, would I be able to access the server room, plug in a device? If there's no NAC solution in place, could I just remain undetected for an extended period of time? It's more like that. It's like, how do I cripple this company to their knees so that I could actually gain competitive advantage over them? So.

      Rachel Lyon:
      Just a sidebar too. And I don't know if you guys do this when you talk about physical access to the location. I was watching kind of a documentary, but they were security specialists as well. And it's amazing. Maybe you put on a suit or you just look really professional. You walk in the door and you're like, hey, I'm your new IT consultant. Can you give me access to the server room? I need to double check some things. And a lot of times people don't know, they just, oh, yeah, you look professional.

      Rachel Lyon:
      I'm just gonna let you in. I mean, has that happened before? I mean, not to out anybody. It is kind of interesting if you look the part. People give you a lot of latitude.

      Greg Hatcher:
      Yes, that is very true. Especially being in West Michigan. We have a saying that people are West Michigan nice. They want to hold the door for you. They don't want to ask a lot of questions. Oh, look, this guy's wearing a suit, he has a clipboard or he works in construction. He's wearing an orange vest and a hard hat and carrying a ladder. A real story.

      Greg Hatcher:
      This would have been like four years ago. There was another engineer that I was with, we were on a physical right here in Grand Rapids and. And all we did was go to Home Depot and we bought the hard hats, the vest. We were carrying a ladder and we just stood outside a building measuring random things like measuring windows and doors, looking legit. Um, and then eventually. Someone just held the door for us and we walked into the building. And then it was kind of game over at that point. Yep.

      Greg Hatcher:
      That's awesome. But going back to your point, yes. We typically will do an approach where, well, every physical is ranked kind of the same. So we do a nighttime reconnaissance. We're showing up around 8pm, 9pm, getting patterns of life, assessing if there's physical security, are they armed or like, if they're patrolling around the building, can we predict where they're going to go next so that we can be where they're not going to be? And then after we gain physical access during the nighttime operation, we try to set up persistence, so we'll try to clone a badge. We'll actually sometimes leave people behind, like in a closet so that when daytime operations start, they can just come out and kind of like walk around the building. But then after that happens, there is a social engineering component where we will try to just walk in the front door. Spoof vendor.

      Greg Hatcher:
      One of our physical access operators, Kurt, he. He's really good with like, fire safety and fire code, so he. He could actually like, do a fire safety inspection on a building. So that has gotten us in the door a couple times as well, because he knows what he's talking about. Yeah. What, what.

      Jonathan Knepher:
      What's your like, success rate?

      Greg Hatcher:
      Right.

      Jonathan Knepher:
      Like you. You describe, like you really only come into play once a company has gone through like the conventional models and they're, you know, pretty confident of themselves. Are you still just able to penetrate everybody or. Or there's somewhere you're where you get there. And they're actually pretty good.

      Greg Hatcher:
      We have been stopped in our tracks twice over the course of me and John's tenure at WKL. So one was a hospital down in Texas where we attempted to onboard. It was actually me, I was trying to onboard as a vendor and. And it did not work. We had a female 'cause we always use females for our phishing because people trust women more than they trust men. She called in as a pretext, saying that I'm from a certain vendor. And then that person at the hospital called that vendor to verify that I worked there. It was wild, like, how they verified everything.

      Greg Hatcher:
      So I show up and I am blown like, I am dead on arrival. As soon as I walk in the door, like, this dude's expecting me and police are on standby. That was a bad one. There was also another one that we did last year where there was a roaming security guard. And it was a very tightly. I'm trying to like, what can I say what can't I say while I'm talking?

      Jonathan Knepher:
      Don't out anybody.

      Greg Hatcher:
      Yeah, we essentially had two, two man teams, me and another person, we were covering the front of the building, just performing like pulling eyes on security. So, hey, they're going around this, this side of the building. Guys, back off. Because this guy would just get up and walk around. There was no pattern to it. He'd walk around the, the, the interior of the building, the external. And it wasn't like at certain periods of time, like every five or 10 minutes. So it was kind of dicey.

      Greg Hatcher:
      But what happened is when John was trying to break into the back of the building, the adjacent building, their security team called the police and notified the client that we were trying to break in. So yeah, very tightly controlled area. And we also had bad intel going into the job, so.

       

      [08:13] Cybersecurity: Insider Threat Assessment Process

      Rachel Lyon:
      Oh, wow. Okay. So kind of thinking about this approach and how do you use kind of red teaming exercises to then identify insider threats as well? I'd be kind of curious, like, is there a different approach or is it just a little bit more, I guess, sophisticated, complex, what have you?

      Greg Hatcher:
      Yeah. So I would say in the hierarchy of cybersecurity, we do penetration testing, then we'll do an insider threat assessment and then we'll go do a red team. So our ITAs are in between red team and penetration testing. Typically when a company is almost ready for red team but not quite there. So the way that we run our ITAs is that the company will ship us a laptop and we'll have our VPN credentials, everything. We are Susie in accounting that was just hired by company X, all the same access that a normal employee would have. And typically there are objectives that we're trying to accomplish while this person's performing their daily activities that they're supposed to be performing. So if you were hired to do a certain thing at that company, you better be able to do it.

      Greg Hatcher:
      Typically this is really easy. If we're hired as a software developer or something at the company, we're like writing code for a web application while trying to backdoor their CI/CD pipeline, something like that. Typical objectives are moving money to an account, like, just like moving a dollar or something, gaining access to PII, any kind of information that would result in failing compliance. So gaining access to protected health information, if they're a healthcare organization, PCI DSS information like credit card numbers, Social Security numbers, things like that. And those typically last two to four weeks.

      Jonathan Knepher:
      Yeah, very interesting. How do you tailor your operations to specific customers? And are there differences in like higher risk industries?

      Greg Hatcher:
      Yeah. After you move out of penetration testing into insider threat assessment, red team, everything is 100% tailored to that client. There is no like vanilla framework for red teaming. If we're attacking Coca-Cola versus, you know, a software development shop, those two targets are radically different. And especially like even what they're trying to protect is radically different. So Coca-Cola, they're, they have all their code and they have like that special Coca-Cola recipe, but then the dev shop has all their code. The CI/CD pipeline, the, it's a very different risk profile. So we have to assess like the risk profile and then tailor the red team operation around those crown jewels that we're trying to steal or gain access to.

      Rachel Lyon:
      Yeah. So switching gears a little bit too. Right. Because we, we hear so much about supply chain attacks and these kind of, you know, the red to me is pretty important. Right. Because where can we start? In addition to pen testing, where can we start kind of blocking off some of the vulnerabilities. But you hear a lot about kind of public sector organizations. And I'd be curious, kind of in the landscape of looking private sector, public sector, are you finding one is more prepared than the other to best thwart supply chain attacks or more prepared to address said attacks?

      Greg Hatcher:
      I mean this, I would say that supply chain attacks and compromising LLM agents, that is the frontier of where we're at right now. I personally love compromising the supply chain because if we can push like a third party malicious library, push malicious code, embed like an API key that we control, it's kind of game over. Right? At that point, your EDR, your tech stack doesn't matter. Your MDR doesn't matter because we've compromised the code. And then LLM agent security, we had an ask recently where they wanted us to do like a Copilot penetration test and they didn't have Purview enabled. So Purview in Microsoft 365 allows you to categorize data like low, medium, critical. Then you can adjust your RBAC to people that are supposed to have access to that data, but they didn't have Purview enabled. So of course I could access pretty much anything that I wanted to.

      Greg Hatcher:
      Going to the second part of your question is one more prepared than the other. No, no one is prepared for supply chain security. It's just true. Right. Like Microsoft has been compromised. Like all the big players in this industry have been compromised by supply chain attacks. SolarWinds was kind of just the beginning.

      Jonathan Knepher:
      So you've commented on the software side of supply chain. Are you seeing anything around, like, hardware supply chain issues as well?

      Greg Hatcher:
      Oh, yes, absolutely. I mean, especially like drones, routers, modems, if they're coming from China, they are very heavily incentivized to backdoor those devices, especially drones. If you, like, reverse the firmware of a drone, it's probably DJI, which is a Chinese company, and this is all public information, but we did a drone penetration test for a company called Aloft that would have been in 2024 or 2023. And they basically, the entire purpose of the engagement was to prove that it wasn't backdoored by China. The firmware wasn't. But then once we started going through, it was like there was evidence that China had backdoored the firmware, unfortunately. And then we had to, like, prove that those API calls weren't going out. And it was.

      Greg Hatcher:
      It was a whole thing. But it's. It's a very real deal. Yes.

      Jonathan Knepher:
      Yeah. And on the drone case, too, you know, it's interesting because there are certain APIs that are needed for the FAA, right. Like, it needs to call out. And so. Yeah. Like, is there any way to safely use a drone knowing that it has to make these outbound calls?

      Greg Hatcher:
      Yeah, well, especially like when drone companies are going through ATO prep for the DoD. Like, if you are a startup that wants to sell product to the DoD, you have to go through the authority to operate certification. And at that point, like, the firmware, the hardware is being attacked. You're like, trying to intercept all the communications between the drone and the satellite. So if you're selling to the DoD, you have to go through that process. But if you're not selling to the government, it's kind of the wild, wild west. Right. Like, Jimmy in his basement that's buying a drone at Walmart, doesn't know, like, that his drone is backdoored.

      Greg Hatcher:
      So we're. Yeah, it's going to be an interesting next couple of years for sure.

       

      [14:24] Compliance is the Bare Minimum for Security

      Rachel Lyon:
      I'm curious too, Kind of on the business of what you do, do you find that there are a lot of CISOs that are recognizing the business maturity and now we need to move into red teaming, kind of. You talked about the five years of pen testing versus having to educate more of the CISO community because they're still thinking about defensive operations or, hey, you know what? I'm compliant, so that's good enough. I'd be interested in the landscape that.

      Greg Hatcher:
      What a bag of worms you just opened. Yeah, yeah. First off, if you're a CISO and you're listening to this and you have met your compliance requirements and you think you're secure, you probably shouldn't be a CISO. Right. So that is sort of like the bare minimum you're scraping by. You can be in business if you're the CCO of, I don't know, Corewell Health or any kind of healthcare organization. Compliance is the bare minimum. Then you need to layer security on top of that, because security, you essentially want to create barriers around your crown jewels of the business.

      Greg Hatcher:
      So there have to be multiple, multiple layers that have to be broken through before you're actually compromised. I think like most CISOs understand that and that they're layering security appropriately. Right. So there's like the endpoint, there's the network. If you're, if you're ransomware, do you have like tooling and processes and people that are going to stop that ransomware attack? Do you have off site backups that aren't connected to your network? Do you have ample physical security? And unfortunately, that's more for like the medium and enterprise level. Small businesses are getting left behind because they don't have the budget to do any of those things. Right. They're just using Outlook to run their business and using Webroot for the AV.

      Jonathan Knepher:
      Yeah. How do you help the CISOs position the need for this spend in their organizations? It's clear to all of us. Right, but how do they know?

      Greg Hatcher:
      You have to prove that is a risk to the business, that the attacks that we're going to try to do would directly impact and have a financial outcome if they actually happen to the business. We were on a call yesterday and we're talking about doing a physical access operation against a company right here in Michigan. And one of the objectives we were talking about was placing a listening device in the C suite boardroom. So when they were talking about if they go to IPO in 10 years or they're talking about doing a merger or an acquisition, that we were hearing all that information in real time and that we could like sort of shift the market away from them or something, you know, like some kind of, cause some kind of brand damage, for example. So if I can prove that, it's usually a really easy sell to a CISO or the C suite. But if I go into that conversation, I'm like, yeah, we're going to run EternalBlue. We're going to get RCE on the domain controller, then we're going to get domain admin. And then like, no, no one cares.

      Greg Hatcher:
      Like, like my engineers can, can talk about that all day, but when I'm talking to a VP, a director, a CISO, a CEO, it's dollars, cents, impact, brand image, all of those things.

      Rachel Lyon:
      Do you find and again curious. I love the public sector, private sector kind of comparison sometimes. But you know, do you find that more often than not these conversations are driven because something happened versus hey, nothing's happened, we want to keep it that way, kind of. What do you see as the pivot point for these organizations?

      Greg Hatcher:
      Both. I was on a vacation in Belize recently with my family and I got a call from a company that we didn't work for and he kept having a server that was externally facing getting popped with a Cobalt Strike beacon. And that was because the attacker was abusing file upload functionality that was exploiting a 0-day in an SAP application. And we actually like found the 0-day, we found the compromise, all of that. So unfortunately, a lot of times it's after the thing has already happened, it turns into more of a threat hunt, like getting that person out of the environment. But then other times our clients are just proactive. They're like, hey, you know, X company that does the same thing that we do and they're worth the same amount of money. They were just compromised by Scattered Spider via a phishing phone call to the help desk.

      Greg Hatcher:
      Like that's a very low effort, low cost attack. And yet that's how, that's how the Vegas ransomware attack happened. Right. And that was worth millions and millions of dollars. So a lot of times they'll be like, they'll see an APT do a certain thing and like, okay, well they're attacking our industry. Companies our size just go hire WKL to do that thing and that way we will know if we're actually, we can withstand that attack. And we really like working with companies like that. We'd rather not be putting out a fire.

      Rachel Lyon:
      Right, right.

      Jonathan Knepher:
      That's interesting that you know like that case where the attacker basically repeated the same thing that got them caught. Like do you, do you see that happen often? I would just expect that these, these bad guys are competent enough to like, oh, I got caught there. Let me find a different way.

      Greg Hatcher:
      The thing is like not really because there's so many targets. Like if what they're doing worked at this company, they're just going over here and do the same thing. Really, like Scattered Spider just calling in and doing a phishing attack in the help desk. It's, it's easy. They all they have to do is succeed once, right? They're successful once and then it's kind of game over. Um, and yeah, when I, when I, when we get APT engagements or like adversarial emulation engagements, they're typically more like the effort is lower than if we're doing a real red team because we have to kind of like water down our attacks. We're essentially going through the MITRE ATT&CK framework for that APT or that crimeware group, you're like, oh, they use PsExec to move laterally. Gross.

      Greg Hatcher:
      Okay, like, like we're doing things that we know that we're going to get caught and not work because we're very like tightly confined to that APT or that crimeware actor's TTPs.

      Jonathan Knepher:
      I guess it's just an interesting, like, case of the industry where those things that are kind of obviously going to get you caught still work in so many cases. Like how do we as security professionals start fixing that in the industry as a whole?

      Greg Hatcher:
      If you're in the Fortune 500 or Fortune 1000 and I can come into your environment and run off the shelf tools, they're clearly signatured and they're working. Like, if I can just use Impacket tooling to dump the DC and get the NTDS.dit, that's a problem. So going back to like the small business thing, the small businesses are going to be left behind. But medium and enterprise companies, they know like, that they need to spend the money on security. Because, like, if I can go into your environment and run Mimikatz, that means that like a middle schooler can compromise your environment. So there needs to be a certain level of sophistication and level of effort to compromise an enterprise client. Like, I should have to do like, you know, like make my own DLL, put it in an application in a folder that I have write access to. That way when Susie in accounting comes in to start her laptop, she opens Teams, my DLL fires, I get my beacon back.

      Greg Hatcher:
      That would be like more of a sophisticated attack as opposed to just dropping a beacon.

      Rachel Lyon:
      So coming back to AI Gen AI LLMs, I'd be curious in your perspective because you can't escape this conversation and how do you.

      Greg Hatcher:
      You really can't.

      Rachel Lyon:
      But I'd be curious, kind of, what are you seeing out there in the field and what do people need to start thinking about to get ahead of? Because there's a lot of unknown and also there's a lot of talk of can I use AI to fight AI? But there's a lot of nuances within that as well. So I'D be curious. What are you seeing since you're on the front lines here.

      Greg Hatcher:
      Yeah. So the days of getting like the phishing email that has poor grammar and spelling errors, those are all over. Right. Like when you receive an email that's generated by AI, it could be from a non-English speaker, non-native, and it's going to look perfect and it can even have like a nice footer. So the barrier to entry to phishing has lowered tremendously. And that goes with texting as well. Like, you're not going to receive a text anymore that has a bunch of grammatical and spelling errors. It's going to be like nicely formatted.

      Greg Hatcher:
      Yeah, I think that it is. It's kind of the wild, wild west still. Like, we're. We created a private tool at WKL for attacking LLMs. We basically modeled all of our attacks off the MITRE ATLAS framework. So, like, you guys know what the MITRE ATT&CK framework is. Now there's the MITRE ATLAS framework, which is specifically, the columns are for different attacks that you can run against LLM agents. And the bypasses that we can do against these LLM agents are really, really easy.

      Greg Hatcher:
      It's sort of like, sort of like, like AV attacking AV 15 years ago, where you could just like run EternalBlue or Mimikatz on a box and it would go right through. We're definitely with LLM agent security. We're there right now. And then educating CISOs on, you know, like, everyone wants like the new shiny AI software in their environment. Oh my Lord, please don't do that. Make sure that you threat model it. Make sure there are protections, that your, your employees are well informed on what they can and cannot use, or AI for what they can actually put into that prompt. Because in the early days, like back in 2023, I think what company was, was it was like an Asian software company, maybe like Hitachi, but their developers were putting like private code like directly into ChatGPT, like to, to catch the errors in it, man.

      Greg Hatcher:
      Like, that's crazy. That's your proprietary information. Don't do that. Right. So there's, there's a lot to educating CISOs and the public on AI.

      Jonathan Knepher:
      What are some of the interesting kind of holes you've found in some of maybe AI agents that are exposed?

      Greg Hatcher:
      Grandma attacks are kind of weird. If you've heard of a grandma attack, you're posing as kind of like this senile old grandma or someone that's mentally inept and you're like, hey, tell me how to walk to go get my mail. And you just keep doing prompts like that until it turns into, hey, how do I make, I don't know, like a dirty bomb or something. That would be like 20 prompts deep. But that's what our attack framework for, like attacking LLMs is like, like. So we're kind of like wading the LLM into the deep water until that. Until it just gives us the information we want. ASCII art is another weird one.

      Greg Hatcher:
      One of our. The tool can be like ASCII art. So, like, tell me how to make a bomb. But it'll be like an ASCII. So that's kind of cool.

      Jonathan Knepher:
      Oh, that's neat.

       

      [25:16] Flexible AI Policies are Needed

      Rachel Lyon:
      What are your. This is such a fun topic. So shadow AI is something that I've been hearing a lot, a lot more about. And let's be honest, and hopefully our leadership team's not listening, but there are times that I use. Everybody actually is using ChatGPT or Perplexity AI. Hopefully they have the wherewithal not to put in private information or confidential information. But I mean, how, how can a company get a handle on this? Because everybody's tapping into the goodness here to help them do their jobs faster, better, you name it. What's.

      Rachel Lyon:
      What's the answer there?

      Greg Hatcher:
      Yeah, stopping shadow AI is very challenging. It's sort of like when we do our wireless penetration testing walkthroughs in person at a business. They want us to find all those hidden Wi-Fi hotspots. And we do. Like, people are just running wireless from their, like a hotspot on their phone and no one's going to know until you like, hire a company to go find that. Right. Like, there's, that's not really a position at a company. So stopping shadow AI is very challenging.

      Greg Hatcher:
      What's not useful is having a strict new AI policy. Like, that's not going to work because someone is just going to spin up like a browser on their personal laptop, type in their prompt, then go back to the work laptop with information. Right. So having like, strict AI policies, making sure that employees are educated on what they can and cannot put in that prompt. And then there are, there are like, companies that are getting into this space right now to stop certain prompts. Almost like how EDR will detect and stop certain attacks in their tracks as opposed to just alerting on them. One of those companies is Nova. They do a lot of like, safety or on prompt injection.

      Greg Hatcher:
      So there, there's layers just like anything else that you can stop the shadow AI piece.

      Jonathan Knepher:
      What about the flip side of it? Are there, are there compromises on the supply chain side that you've seen? Like, are there things that have been kind of pre learned or baked into some of these models that we need to be worried about?

      Greg Hatcher:
      Yeah, definitely. I think the Grok. The Grok, the Elon Musk's model about going out like a Nazi tirade. Like I'm. It kind of like makes you wonder who the developers are. Like what is in that model in the first place? Um, and then also I'm not sure if you guys heard the. This happened like yesterday or the day before, but SaaStr is a, it's like a SaaS company and they were using Replit and Replit is a, is essentially an LLM. And Replit, the LLM wiped SaaStr's database, like wiped out all their client information.

      Greg Hatcher:
      So that's another risk to the business. If you don't have a handle on the LLM usage in the workplace, it can destroy your business. Like, that's a very rare thing. And this is the first time that I've heard of like, this is a. Like SaaStr was paying for Replit. And Replit just like wiped out their entire database to the point where it's not retrievable. Yeah.

      Jonathan Knepher:
      Wow. And was that, was that a case where it was like an agentic AI that had, it had obviously had permission to do things or was it where somebody just asked for code and. And then they ran it blindly?

      Greg Hatcher:
      Yeah. So like, kind of, I would say like SaaStr is kind of at fault too. Right. Like they must have had admin permission to that database. Why? Right. Like they clearly didn't have. There wasn't good RBAC in place for that LLM. So LLM needs to.

      Greg Hatcher:
      You need to have RBAC applied to the LLM just like you would anyone else in the company. Wow.

      Rachel Lyon:
      Yeah, that's. I don't know. That's dicey. I keep watching these movies too. When they let the AI take over the home and the smart assistant and then the assistant goes rogue and shuts the house down. And you know, I, I mean, not to be alarmist, but how concerned, you know, should we be about kind of rogue AI ahead and in managing that? I know there's a lot of different approaches, Right. There's regulation, but then there's also the innovation discussion and let's not put guardrails necessarily. And I don't know what the answer is, but I'd be curious in your perspective.

      Greg Hatcher:
      Yeah, I'm like, more like the Elon Musk mindset. Like I find AI terrifying. Especially some of the things that are coming to market right now where they're fully autonomous. Like, for instance, there are drones right now that have lethal capacity that are autonomous. And you just like feed it a target before it takes off and it goes and finds that target somewhere. So like back in my day, oh my God, I went there back when I was in Army Special Operations, I was licensed or certified to fly a couple different drones, like Puma, Switchblade, Raven. But you're physically holding the controller. Like I'm controlling that drone.

      Greg Hatcher:
      Like, that drone has no intelligence. Right. So now we have drones that are just like fully autonomous, going out and doing their own thing. Which is really interesting because like Russia and Ukraine, that war is pushing the boundaries of drone technology and sort of like reshaping the industry as a whole. So Russia and Ukraine, they started jamming drones. So like Russia, if Russia was using drones to attack Ukraine, Ukraine would jam and like, you know, et cetera. But now what we're seeing is Ukraine is making drones where there's a little wire sticking out of the back of the drone. So.

      Greg Hatcher:
      So there is no radio communication at all. That being said, you have to be. It's like this little fiber optic cable that operator has to be within two miles of the target. But still we're seeing anti-jamming technology coming out of that war. So, yeah, really interesting stuff.

       

      [30:41] Insights on Russia-Ukraine Cyber Warfare

      Rachel Lyon:
      The whole. It's kind of fascinating, the evolution, right? And particularly with your time in the military. And there's the physical war, but then there's kind of like the digital cyber war and that conflict in particular, when the standing up of basically cyber armies, volunteer cyber armies on both sides, and there's really no control over that. So it's really kind of changing the face of, I guess what we could call war. And how do you fight these things? It's kind of interesting.

      Greg Hatcher:
      Yeah. Russia and Ukraine's cyber capabilities are. They're pretty solid, especially Russia with their. They specialize in attacking edge devices, which is something that we actually do during Red Team operations at WKL. Because if I can like live in a router or a switch or a firewall and not have to compromise a fully patched Windows 11 workstation or a server that's running EDR that has telemetry being fed to the cloud that an MDR or SOC is watching, that's really great for me because all that security tooling, visibility goes out the window. So, yeah, anyone that's paying attention to the Russia-Ukraine war has definitely improved the Red Team operations over the last couple years.

      Rachel Lyon:
      Nice. So I'm going to segue into our personal part of the discussion, Greg.

      Greg Hatcher:
      Okay.

      Rachel Lyon:
      Because we're always so fascinated in the path to cyber. It's not necessarily a linear path, and some people kind of find it along interesting journeys. Like someone had a PhD, I think, in natural history or kind of the oboe, and found their way to cyber and were CISO at the time. And so we're always really curious, how did you find your way to cyber and kind of kept going.

      Greg Hatcher:
      Yeah, it's a great question. I actually went to college for political science, and I had minors in music and Russian language. I played rugby, I was in the orchestra. Nothing technical. No hands on, beep, boop, boop, beep, boop, boop at all. So then when I got out in 2009, I went right into Army Special Operations. Did seven years there. But my job within the ODA, the Operations Detachment Alpha within Special Forces, was 18 echo.

      Greg Hatcher:
      So 18 means Special Forces. The echo designator means communications. So routing, switching, managing endpoint security, setting up the VOIP phones, configuring all those satellite communications, cryptography, ROL keys, weekly monthly, things like that. I had to learn all of that. So during my time with the teams, I knew just enough to make things work. And that was about it. Because, like, I was a linguist, I was a door kicker, a shooter, and then I was also managing all the communications. So I was.

      Greg Hatcher:
      I was spread pretty thin when I was on deployment. But when I got out in 2017, I wanted to go much deeper into the tech. So that's when I got into the SANS VetSuccess Program. They paid for me to do three certifications. They didn't touch my GI Bill. That was awesome. I got the CISSP, which, in hindsight, that was kind of a waste of time. That's more of like a managerial certification.

      Greg Hatcher:
      And then I started working at VDA. Dr. Jared DeMott took a chance on me, and I worked there for two years. And while at VDA, I broke everything I touched, like mobile apps, web apps. I was doing physical access operations, where we're actually going and breaking the buildings like we were talking about earlier in the podcast. And that's where I met my business partner, John Stigerwalt. So in 2020, John left. He went over to F-Secure, led the red team for the Western Hemisphere.

      Greg Hatcher:
      I left. I went over to 6th Gen as a government contractor at the NSA and CISA. And then we put our heads together a couple years after that. Like, you know, I think that we could do this better ourselves. And then WKL was born. Yeah, so WKL, it's basically the boutique offensive cybersecurity consultancy that John and I wanted to work for, but we could never find. So we wanted to get away from the pen test puppy mill, where you can just have the OSCP and then be hands on keyboard and do all the things if you will.

      Greg Hatcher:
      All of our engineers, they're the best and brightest senior principal level folks, top 1%, they specialize in their field. So for instance, the AppSec engineers aren't going to be going and doing a physical access operation. They're going to be heads down finding vulnerabilities in web apps, APIs, mobile apps, et cetera. So we wanted to get away from the model that our engineers are peanut butter engineers where they can just like spread themselves thin across all the modalities and yet be world class. But that's not really possible. There's too many different ways to attack, attack things nowadays.

      Jonathan Knepher:
      What, what would you say to, to folks that are just starting their careers or just starting school? Like what, what, what path would you suggest for them if they wanted to pursue cybersecurity?

      Greg Hatcher:
      I would, this might be a bit contentious, but I would say learn software development without AI assistance. Like learn how to do things correctly, learn about the OWASP Top 10. That way when you're very early in your software development learning phase, you can learn how to write secure code. I would say that's the biggest thing is that secure coding isn't taught in universities nowadays. And then also developers relying too much on their LLM to tell them what to do, that they're actually losing a lot of the core foundational programming principles. Obviously you have to learn about LLMs if you're in university right now, that's really about it. And then when you're maybe sophomore, junior year in school, think about doing an internship, even if it's not paid for. You want to start getting experience as early as possible if you decide to go to college.

      Greg Hatcher:
      So if you're right out of high school and you go right into a software development job, you're getting experience right then. But if you decide to go to college, that puts you four years behind everybody else. But then at the, on the flip side of that, you're getting all that experience in college. But if you can merge those two things, we're getting the like the real world experience while still going to university, that's ideal. Like one of our interns right now, Fagan Fondiev, he's in college but he's doing engagements almost full time at the company with. We have a principal engineer that's always like watching everything he does to make sure that he's like meeting our standards. But he is like we did an engagement two months ago where he found four different attack paths to domain admin. So just blown away.

       

      [37:07] Advice on Transitioning from Military to Cybersecurity

      Rachel Lyon:
      Just to kind of, I guess jump off of that. Because you are, you have come from a military background. You know, I know a lot of folks coming out of the military, perhaps they weren't working in cyber operations during their service, you know, but when service ends, we used to have a government business and this came up a lot. They weren't sure where to go, what do I do next? Because you come from a world that's very regimented, that's very scheduled and everything is very much planned out. But as we know with cyber, having different perspectives and coming from different points of view are incredibly valuable. Is there any advice that you could give folks that are maybe making that transition out of service into kind of into the private sector or maybe going into the public sector in more of a cyber role, how to get that started?

      Greg Hatcher:
      Yeah, absolutely. First off, you still need to take like all the things that you learned in the military and apply them to the private sector. Like so, like you still want to be regimented, you still want to have a schedule every single day. Like I wake up around this, this time, I go to bed at this time. Don't go overboard with it. But you know, definitely it's not the wild, wild west. So I would say get into a community that is already doing what, what you want to do. So go to those local meetups.

      Greg Hatcher:
      Like in the state of Michigan, we have MiSec, which is basically a networking meetup for cybersecurity professionals where you can go and give talks, receive feedback, get public speaking experience. Like maybe you wrote a tool and you want feedback on that tool before releasing it on your, on your GitHub. Things like that. Understanding what is worth a damn and what's not. You know, like not all certifications are created equal. Right. Like the CISSP, CEH, the, the offensive cyber industry doesn't value those certifications. Sort of like the benchmark is like eJPT, OSCP, PNPT.

      Greg Hatcher:
      And then like the more advanced certifications like we do. WKL actually writes a lot of courses and we have certifications for those. But if you want to get into red teaming and you want to make the transition from like senior pentester to red teamer, I recommend taking the ODPC course that we wrote. So the Offense Development Practitioner course, which is all about bypassing EDR, call stack spoofing. There's tons of assembly and native code in it. So then just. Yeah, so going back to what I was saying is just finding those industry professionals that are deeply experienced and know the field. Like, ask them, hey, like, what blog should I be reading, which companies are, like, really doing the thing and which ones are just like, running a vulnerability scanner and they're not doing it, like, hands on, deep, deep work.

      Greg Hatcher:
      For instance, there's only maybe 10 companies I would recommend getting a penetration test or red team from in the United States, like Mandiant, SpecterOps, Black Lantern Security. The list is pretty short. There's nothing that gets under my skin more than when a client comes to us and they bring a penetration test report and like, hey, will you take a look at this? I don't think they actually did anything. I think they ran a vulnerability scanner, ripped out the contents and put it on their letterhead. And yes, that's what they did. So you pay $20,000 for nothing.

      Rachel Lyon:
      Well, I want that job. Not really. Not really. Well, I know we're coming up on time. I don't know, Jonathan, did you have any more kind of questions? I could talk to Greg all day long.

      Jonathan Knepher:
      I think we hit the main points.

      Rachel Lyon:
      Yeah, definitely. Well, thank you, Greg. These insights are wonderful. We always love kind of hearing what's happening on the ground in real time. And I think I have to agree. I feel like what you guys are doing are the Ocean's 11 of cybersecurity. I think everything we talked about is kind of sexy. I'm not going to lie.

      Rachel Lyon:
      I think that's kind of cool. So I'm going to give you guys that.

      Greg Hatcher:
      Thanks, Rachel.

      Rachel Lyon:
      So love to have you back on at a later time as well to have any more updates because AI kind of generates more buzz and interest and scariness. But to all of our listeners out there, I do want to say thank you for joining us. We're glad to be back after our hiatus. Amazing Greg, conversation on our first episode back. So thanks for joining us. And as always, don't forget. Jonathan, what are we asking them to do?

      Jonathan Knepher:
      Smash that subscribe button.

      Rachel Lyon:
      That's right. And you get a fresh episode every single Tuesday. How amazing is that? So until next time, everybody, stay safe. 

       

      About Our Guest

      Greg Hatcher, Co-founder, White Knight Labs

      As a former Army Special Forces veteran, Greg brings a unique perspective to the field of offensive cybersecurity, blending tactical precision with technical persistence. His journey began in the military, where he was trained to handle high-pressure situations and execute complex missions with efficiency and adaptability in austere environments without support. Those experiences laid the groundwork for his transition into the world of cybersecurity, where he has applied the same principles of strategic thinking, teamwork, and discipline to uncovering and mitigating digital threats.

      After his military service, Greg had the privilege of working under the tutelage of Dr. Jared DeMott at a boutique offensive cybersecurity consultancy. During his time there, he learned how to search for, find, and exploit bugs in web applications and networks.

      In his most recent role, Greg led a red team as a contractor for the Cybersecurity and Infrastructure Security Agency (CISA), where he focused on simulating advanced adversaries to test and improve the security posture of critical infrastructure. Leading a team in this capacity allowed him to combine his background in Special Forces with his deep understanding of cyber operations, enabling them to approach security challenges with creativity and resilience.
