Ever wondered about hacker psychology? How do they work? What makes them tick? After attending DEF CON for the first time this past year, this was something I wanted to explore further.
Wesley McGrew, Director of Cyber Operations for HORNE Cyber Solutions, has graciously given us a peek into the life of an ethical hacker. Known for his work in offense-oriented information security and cyber operations, Wesley specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software, and network traffic analysis.
Wesley has presented on penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA, and teaches a course on reverse engineering at Mississippi State University in which he uses real-world, high-profile malware samples. I was honored to have the opportunity to spend time with him at DEF CON this year, where he was an excellent guide, mentor, and, as I am happy to call him, a friend.
In summary, for Wesley McGrew the recipe for success includes the investment of considerable personal time, a genuine desire to build new relationships, to teach and promote the good work of others, and to serve as a mentor in support of the younger generation breaking into the cybersecurity industry.
1. What is your favorite aspect about cybersecurity? What keeps you going?
To me, my favorite aspects of cybersecurity—and the area in which I make my living—involve offense-oriented services. Put simply, I break things (or more often now, lead teams that break things). I do this to show clients the “devil in the details” where an attacker can take advantage of a mistake in their software, hardware, network designs, or processes. This takes the form of services such as penetration testing, red-teaming, social engineering, and application security testing.
I enjoy playing the part of “the bad guy” and thinking like an adversary. It feels very natural to me. This tendency also helps me out when I’m assisting with other services our company provides: performing malware analysis for incident response, and analyzing attack data from our managed cyber security operations center.
Having an offense-oriented mindset means treating everything like a puzzle to be unraveled, only the designer of the puzzle never meant for such a thing to happen. I look for the differences between a programmer or a systems administrator’s perception of how software and networks should work, and the reality of how those things actually work. Those misconceptions and inconsistencies are the basis of finding vulnerabilities, and it’s an endlessly varied and fascinating process that keeps me going.
2. How has the topic of diversity changed over the course of time you have been in the field?
I had an interest in hacking in the ’90s as a teenager. Back then, hacker culture on dial-up Bulletin Board Systems and Internet Relay Chat servers was unique and interesting, but immature and not mindful of diversity. Most of us probably thought of it as a meritocracy, as conceivably anyone of any race or gender could demonstrate technical skill under an assumed nickname and gain respect and standing.
In reality, someone demonstrating ability as a hacker under a name like “xD3athx” would put an image in our heads that was a projection of ourselves: white teenage boys. By virtue of who was privileged enough in those times to privately own a computer, we were, more often than not, right. Anyone who “outed” themselves as a woman was immediately treated differently in all the ways you might expect.
I don’t recall there being any intentionally hateful animosity towards non-straight orientations, but there was a lot of regrettable humor surrounding it that, in retrospect, was homophobic. Tasteless sexual jokes were part of the rebellious and anti-politically-correct culture of hacking, common in chat, gossip, trash talk, and imagery. I don’t recall a lot of racist jokes or themes, though they certainly exist throughout hacking history (see the “GNAA”, an acronym which I will not expand here), but that was probably because we were so homogeneous that we didn’t have much occasion to be overtly racist.
We remember the early history of hacking, and its culture moving forward to this day, as being a counter-culture, a band of rebels using technology as a weapon against the oppressive use of that technology against us. I remember it as being a supportive (to me) group that shared my delight at finding and exploiting flaws in security. A lot of people hang on to a very rose-tinted view of hacking’s history.
As information security has become more of a “profession”, I believe we can discard immaturity and insensitivity, forces that work against diversity, while retaining the positive aspects of our culture. As a group that sees itself as thinking differently, it shouldn’t be as hard as it seems to accommodate a diverse set of genders, races, and backgrounds. Frankly, we have to grow up, while retaining what’s important about our culture: supporting exploration of technology and its vulnerabilities, creative problem solving, and the willingness to help each other that’s shown at hacker conferences.
As a professional industry, there has been a big improvement over the past several years in awareness of the problems of diversity-shortage in security. I know that I have developed in my understanding, personally. I see a lot more effort being put into programs, like mentorships and scholarships to conferences and training, that have the potential to help more under-represented groups get into the field. While there are those that still believe information security to be an even playing field of pure meritocracy, and fight for the right to arbitrarily offend without consequence, I think that the spread of awareness and programs for positive change have the potential to make this field a less toxic place for all genders, races, sexual orientations, and backgrounds.
3. What do you think are the most important psychological characteristics that security personnel should hold to avoid burnout?
I believe that the ability to coolly and logically detach from the stressful consequences of an attack (especially one that has been successful) or other security event, to focus on the technical details of investigation and remediation, is very important. The stress brought upon by the success of a ransomware attack against an organization, or even the unknown consequences of an IDS alert that hasn’t been sorted as being a false positive, can get in the way of effective response and thoughtful investigation.
We try to reduce the impact of stress on our decision making by designing and implementing incident response plans before incidents happen, giving us steps to follow in the event of a breach. This is an institutionalized mechanism of detachment! It’s effective, but it’s even more effective if the individuals involved can personally keep cool heads about the details and improvisation needed in response and investigation.
I believe, through experience (I have no formal psychology background to base this on), that stress from security incidents can have a cumulative effect upon an individual. Similar stress might come from push-back that users give to security measures implemented. Information security programs may lack support within an organization, or be in the middle of organizational in-fighting, adding to the potential for security professionals to “burn out”.
Those exclusively in offense-oriented security probably have an easier time with burnout than the “blue” team. Some may get frustrated, or bored, with continually being able to hack into target networks in the same ways, engagement after engagement. In practice, I’ve found enough variation in vulnerabilities and clever attacks to fight the boredom. Continual self-improvement and team-based approaches are key here.
For many in information security, their job is something that evolved from a hobby and/or a long period of spare-time self-guided learning. This can be a benefit, in that a professional is self-motivated: likely to enjoy what they’re doing, and know so going into a career. It can also, however, mean that the lines between professional and personal lives get blurred. Personally, it has benefited me to take up a hobby (photography, in my case) that gets me away from my professional life briefly.
Ultimately, to keep things fresh and simply keep up professionally in this field, you must have a desire to continuously learn. Much of it has to be self-taught, as appropriate training may be expensive, or may simply not exist in the topic and depth you need. Those who learn well from reading are at an advantage. Much of the knowledge in this field is contained in books, RFC documents, standards, documentation, and source code. Supplementing this with kinesthetic learning, to build experience, is key. Unfortunately, those who prefer visual or auditory learning are going to be faced with a more limited selection and depth of learning material, and may have to adapt to other learning styles.
I believe that if you have the desire to keep learning, and the time and resources to advance your skills, it can be rewarding enough, and keep your work varied enough, to stave off burn-out. Ultimately, each of us has to self-care in whatever way works for us, and it’s probably best to seek the help of a mental health professional if we find ourselves not coping well with the stresses of our jobs.
4. What excites you about the future of cyber?
Being focused on offense, the increasing size and complexity of software and networks gives me more and more attack surface on which to find vulnerabilities. Priorities are put on the rapid development and deployment of products, with security as a second (at best) priority. The cyber and physical worlds are converging, in the sense that if I control an organization’s network, I can often see (through cameras), hear (through microphones), and impact (through control systems) the physical environment of the target, not just their network-based resources. On top of all that, the “internal” networks of companies are more and more easily accessed by attackers through cloud-based services, internet-of-things devices, and end-users’ interactions with the public Internet.
All of these things ensure that I will have plenty to reverse-engineer, learn, and exploit for the foreseeable future. Secure development and operational practices can help, but there will always be errors and weaknesses to be exposed.
5. What scares you about the future of cyber?
As an offense-oriented professional, the very things that excite me also concern me. “Scare” is probably the wrong word, though, in my case. In my position, I see things a bit more pragmatically: vulnerabilities, attacks, breaches, and malware are all part of the natural and expected order of things in information technology. I don’t believe they’ll ever be completely “solved”, nor do I think they’ll ever completely overwhelm us.
6. What tips would you give those looking to break into the industry?
Read voraciously. There are many good books in information security. Don’t limit yourself to this specific sub-field, though. A friend gave me the example the other day of attempting to learn how SQL injection attacks work. It never made complete sense to him until he grabbed a book on databases and became more familiar with how SQL is supposed to work. He was then able to revisit attacks on databases with a higher degree of success and confidence.
This may seem obvious, and it should be, but there is a strong desire in this field to take shortcuts in learning material and training in order to get just enough skill to get a certificate and, in turn, a job. Don’t skip the fundamentals. If you don’t have a formal education in computer science, looking into the textbooks that are used in a university’s program of study may be helpful. I’ve found that the best penetration testers are the ones that would have the capability to design and implement the systems that they’re breaking, if they were so inclined.
Along the same lines, learn a programming language. The ability to understand on some basic level what’s going on “under the hood”, and to develop your own automation and tools, makes you valuable. Depending on your specific interest in information security, you might wind up learning two or more. Malware analysts will likely need to learn C, various architectures’ assembly languages, and Python for automation. Offense-oriented security professionals rarely have the luxury of choosing the language their targets are implemented in and will need the ability to quickly read and understand code in new languages.
Use your skills as you learn them. Go beyond the books and tutorials to test your newly-developed talents against virtual machines you’ve set up, malicious software you’ve found, or any other practical situation you can devise. If you see an opportunity for tool development, do it. Having personal projects on your resume will make you stand out in the interview process for a job.
Try to come out of your shell enough to network with others in information security. Attending the larger conferences may have to wait until you have a job that can support your expenses, but often there are local hacker meetups and smaller conferences that you can make it to as an individual. Use the talks and discussion to identify the area or areas of information security that interest you, and learn from those that are further along on the career path you want. There is nobody at any security conference that is “too good” or “too important” to talk to you as a newcomer, and if anyone treats you that way, dismiss them as being the problem, not yourself. Use the connections you make to help you on your job hunt.
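The SQL injection anecdote above, about the attack only making sense once you understand how SQL itself is supposed to work, is worth seeing concretely. The following is an added illustration, not code from the interview or from Wesley McGrew: it builds a small constructed SQLite table in memory (the user names and passwords are made up for the demo) and compares a login query built by string concatenation with the same query using bound parameters. The point the fundamentals make clear is that the vulnerability is a grammar problem: with concatenation, the attacker's input is parsed as part of the SQL statement, so a quote character ends the string literal and whatever follows becomes SQL (an `OR '1'='1'` clause, or a `--` comment that discards the rest of the statement). With placeholders, the same bytes are bound as a data value and can never alter the statement's structure.

```python
import sqlite3

# Constructed demo data for this example only; not real credentials.
USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db():
    """Create an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the statement by concatenation: input becomes part of the SQL grammar."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s' "
        "ORDER BY id" % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Bind the input as data: the statement's structure is fixed before values arrive."""
    query = (
        "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run the same inputs through both versions and collect the results."""
    conn = make_db()
    # Classic tautology payload. Because AND binds tighter than OR, the
    # concatenated WHERE clause becomes (user='nobody' AND pw='') OR '1'='1',
    # which is true for every row.
    tautology = "' OR '1'='1"
    # Comment payload: the quote closes the literal and "--" discards the
    # rest of the statement, so the password check never runs.
    comment = "alice' --"
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "tautology_vuln": login_vulnerable(conn, "nobody", tautology),
        "comment_vuln": login_vulnerable(conn, comment, "wrong"),
        "honest_safe": login_parameterized(conn, "alice", "correct-horse"),
        "tautology_safe": login_parameterized(conn, "nobody", tautology),
        "comment_safe": login_parameterized(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

Running it shows the concatenated version returning every user for the tautology payload and returning `alice` for the comment payload without any password at all, while the parameterized version returns nothing for either attack and still authenticates the honest login. The database-side fundamentals (string literals, operator precedence, comment syntax) are exactly what make the two payloads predictable rather than magic.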
7. What psychological characteristics do you feel women add to the cybersecurity space?
There’s a temptation to point at studies that find more aggression in men and more empathy in women as a justification for targeting “harder” technical adversary-oriented training in sub-fields like red teaming, penetration testing, and malware analysis towards men—and targeting the “softer”, perceived less-technical, training in fields like human factors and social engineering towards women. We have to resist that. Individual preferences vary wildly from the “average” and the happiness and success of those individuals is more important than whatever favors we might think we’re doing an entire gender by this targeting.
I think that “nurture” (the environment and circumstances under which one is brought up) has much more impact than any “nature” (inherent traits) that women may have, versus men. For a woman to succeed in a technical field currently requires more effort and determination than that of a man. There’s not a wide awareness of it, but differential treatment and encouragement of girls with regards to toys, studies, and activities growing up have funneled women away from STEM careers for decades. Women are not yet treated as equals in cybersecurity. There’s nothing inherent about any gender that makes its members more, or less, suited for cybersecurity work. It’s all teachable if the interest is there.
The environment in which women grow up and gain their experiences has the potential to prepare them for the difficulties faced in protecting clients and employers. They’ve seen enough discouragement and preferential treatment against them that any technical challenge may seem, by comparison, approachable and “fair”. The same personal safety issues a woman faces in daily life (see Violet Blue’s The Smart Girl’s Guide to Privacy), that aren’t the same for men, may cause them to take a deliberate and thoughtful approach to analyzing threats and defensive measures for their clients and employers as well.
If a woman, in addition to all of that, happens to possess more empathy for those they protect than their peers, all the better. I hesitate to throw an entire gender into that category, though, as the same instincts about threats and determination to overcome obstacles can serve one well in offense-oriented services as well. I’d personally love to see more women breaking things by our side on penetration tests!