dnsUNFILTERED: John Hammond, Huntress
With his no-fluff approach, John shares how he got into the field, why hands-on experience is everything in cybersecurity, and the real risks that keep him up at night. He also explains how Huntress tackles threats head-on and offers practical advice to help you level up your cybersecurity game.
[00:00:00] Mikey Pruitt: Welcome everyone to dnsUNFILTERED. Today we have John Hammond, the security researcher from Huntress with a YouTube following of nearly 2 million subscribers. You're like, oh my God, I can't believe it either, I'm sure. But it's really amazing and you're just a big proponent for cybersecurity in this space.
And just welcome to the show.
[00:00:20] John Hammond: Hey, thank you so much. Very excited to be here and happy to chat.
[00:00:24] Mikey Pruitt: Great to have you. John I'm very curious about your background, like how you got into cyber. So I've heard a little bit, but I'd like to hear it from you.
[00:00:33] John Hammond: Oh goodness. Thank you. And forgive me, hey, if I start to ramble or if I'm just a little bit too long-winded, don't hesitate to slap me in the face or anything, but no, I guess really the origin story here is I feel like I grew up like any kind of kid thinking, oh, I want to make video games.
I want to be like a cool computer person I can see in the movies, like the Hollywood hacker with the projector pointed on their face and whatever, silly stuff. But I thought, hey, that'd be pretty cool to make games or write software. So at a young age, I would Google and look around and try to see, oh, how to become a hacker.
I remember literally typing that into a search engine, how to become a hacker, and I think I stumbled across Eric S. Raymond. He's one of the big
[00:01:17] Mikey Pruitt: Cathedral and the Bazaar. Yeah.
[00:01:18] John Hammond: Yeah. Free and open source software kind of visionaries and all. And he had literally a blog post or an article written titled How to Become a Hacker.
And I read through it a bit and it said, look, if you want to get into this whole thing, you need to learn at least a little bit how to code, like how to write scripts, how to program. And he had suggested at the time the Python programming language. So then I fell down a rabbit hole watching YouTube videos and trying to find tutorials and read and learn as much as I could on Python.
And at the start it was really just building things. It was making, oh, some toy trinket software or trying to make that cheesy video game idea that I might have. But it wasn't until I got to university. I went to go study for my undergrad at the United States Coast Guard Academy. And that's one of the military institutions like West Point or Annapolis, the Naval Academy, the Air Force Academy.
But the Coast Guard Academy really was interesting because it's not a huge focus in cybersecurity. Yeah. Not
[00:02:17] Mikey Pruitt: known for their cyber platform.
[00:02:18] John Hammond: They don't even have, I think, a computer science degree there. I don't know if it just went away some time ago in ancient history, but they have now, I think, put together a cyber systems major, but that came after my time.
So fun and interesting to be on the ground floor there though, because I had attended and as a freshman, or what they call a fourth class or a swab, you have the cool opportunities to get into their INTERATION program, but I had uncovered, oh, they are starting to put together what would be a little competition between the other service academies.
So West Point, and again, the others, and they called this thing CyberStakes, which I didn't know at the time, but that was and is a capture the flag, which some in the industry might know, oh, that's like this gamified cybersecurity sport to cut your teeth on this and learn all the skills for binary exploitation or web application security, cryptography, memory forensics, host forensics, network forensics, blah, blah, blah.
And that honestly opened the floodgates for me. 'Cause, it's no surprise, we were the underdogs. We were, hey, really trying to learn and really get a feel for this and understand it. But that was just a whole new world opened up, when we get to see and understand, oh, this is something that is all about security and vulnerabilities and exploits and understanding the tech behind all this and the implementation, and that had a lot more meaning to me. I think it was really fulfilling to say, okay, this can be the purpose. It's one thing to make something, but it's another to understand how can anyone break that something. And that was just a cool way to get in.
So
[00:04:01] Mikey Pruitt: Who won the CyberStakes?
[00:04:03] John Hammond: Oh, I don't know if it was Air Force that year or it was Army or Navy, but we had continued maybe a second year to compete and a third year to compete. But it was very cool to see that program handed off between DARPA and then, I think, eventually the Army Cyber Institute.
But it's interesting, they become good friends. They become a good part of your network as you grow and learn and, I don't know, expand your own career in the industry, but always putting on an incredible game and a great way to learn.
[00:04:29] Mikey Pruitt: Yeah, the gamification is a great way to learn. My father and brother were both in the Coast Guard, neither exactly studied cyber while they were there.
I think they were studying living in Key West and Oregon and California and Hawaii. Oh yeah. I was like, this sounds like a vacation. What are you doing? You're always on the coast at the very least. That's true. So you talked a little bit about capture the flag. And I know you're really big into education, cybersecurity education.
You've mentioned Python, learning a little bit about code to be a better hacker, and be a better hacker so that you know what's coming against you. So what is your, like, philosophy on educating? Ooh,
[00:05:11] John Hammond: yeah. I know I think I have fallen into and grown a lot more in that capture the flag sense, and I try to be a sweet ambassador and just sing the praises of that for as much as I can.
I think that practical hands-on way is a great way to learn because you get to be on the keyboard and solve these challenges and try to go after these tasks and really test your skills. But that does point you in more of the sort of adversarial, like penetration tester or red team offensive security practitioner, when I think a lot of us, probably folks tuning in and listening, are more on the blue team.
We want to defend our networks and know how to secure all this stuff. I think when we can turn it on its head and really make it Hey, I wanna understand what the threat actors are doing and how they do what they do. What tactics, techniques, and procedures, or what are all the sweet things that those adversaries might be doing, and what does it really mean?
What are the artifacts that come from each step in the attack chain? What are the other indicators of compromise that come from this vulnerability or this exploit attempt? Those are cool things that do really help and arm you for defense. Like even just trying to see, oh wow, I saw that inline C sharp compilation in the PowerShell living off the land trick they used when they tried to break through the VPN.
But we were able to catch 'em because we saw, oh, that would leave a couple fingerprints in the temporary directory. We've got the access control set up in there. We know the permissions on that directory aren't what they should be. Blah, blah, blah. I'm sorry, I'm nerding out. I'm having fun here. No, that's fine.
[00:06:45] Mikey Pruitt: By doing what the bad guy would do, you can determine what a bad guy fingerprint looks like and identify it.
[00:06:54] John Hammond: Absolutely. And you get into that, oh, adversary mindset and just know what comes next and what is the real order of operations here. So I hope, I think it really does give you a great visibility and understanding of what the landscape looks like.
[00:07:08] Mikey Pruitt: Speaking of the landscape and what it looks like, I saw your interview with, was it Mishaal Khan? Oh, yes. Excellent. And he was talking about some of his OSINT tips, and I definitely want the bookmark export if you ever get that. I was like, oh my gosh. But that was frightening.
And I believe even you, from what I could tell, were a little bit stunned at the amount of information you can get on, not even OSINT websites, just like a car website he was using and voter registration stuff. And I was like, oh, this is really scary. You found the rocks address.
I even looked up his house and it looks like his house. I was like, oh my. So oh, and then another thing I saw was a mod for a popular game. I think this video came out today or maybe yesterday. Oh yes. And it was a mod for a popular game with malware built into it. So like we are being descended upon from all directions.
So what does this landscape look like in your mind? Ooh,
[00:08:07] John Hammond: yeah. It's a tough question to answer, but honestly, I gotta think it's just because the field is so vast and because there are so many things that are part of the, attack surface is not the right phrasing, but just the environment, right, is big.
Like we have made technology, computers, cybersecurity, all this. It's a big playground to play in. So the first story you were alluding to there, with a quick context and crash course: I have a teammate, Mishaal Khan, and he's putting together a course on, like, open source intelligence, trying to spread more education and awareness.
So we had a cool little live stream where he was doing some demos, just a couple magic tricks, some fireworks and cooking show magic, but it was phenomenal to be able to really genuinely see him take what would be a person's email address and turn that, with his detective work and investigation skills, into his car VIN, the vehicle identification number, the actual make and model, and where that thing was parked in his driveway at his home address, which was so cool.
But that's one end of the spectrum, because you just mentioned, even following that, oh, the supply chain threats that came from a compromised, even silly video game developer or mod creator to make some cool little additions and things to tweak into cheats. Let's face it, cheats, but that's the native, natural malware components. We talked about the OSINT piece just a moment ago, and maybe there's some social engineering in there, and we haven't even then opened the door for the identity space.
Oh, hey, the passwords that could have compromised that developer's account, or that poor individual. Maybe that came from some stealer logs. Were traditional malware at the start, but then led to, oh, their Microsoft 365 account or their Teams user and maybe then their calendar, their email, all the coworkers and employees that they could pivot to with business email comp. So we just get so, so much to talk about, and I don't mean for that to be overwhelming and, like, glass half empty doom and gloom.
I do think it just means, look, we can have a whole lot of strategy to think: where are the hackers going? And how can we go after them and meet them where they are
[00:10:22] Mikey Pruitt: or maybe get ahead for once.
[00:10:24] John Hammond: Absolutely.
[00:10:26] Mikey Pruitt: So talk about your work at Huntress for just a minute. I think your title was Principal Security Researcher.
So just tell us what that is about.
[00:10:34] John Hammond: Oh, thank you. Yes. Yeah, my day job is at Huntress as a security researcher there, and I'm very blessed and very fortunate, and I'm just grateful for all their support because I do get to, hey, spend time on the keyboard, do the technical work, help cut up malware, support our security operations center, and look into that hacker tradecraft.
That's the most fun for me, truth be told. That's the really exciting and awesome stuff that I hope makes a real meaning and helps smooth the needle. But on the other side of that, I do wear a hat for a lot of the more public stuff. Whether that's, hey, getting on a podcast just like this, or talking to reporters, interviews with journalists, doing a main stage presentation or just writing blogs or, oh, maybe being in a little webinar and livestream at the end of the day.
[00:11:19] Mikey Pruitt: So just a little webinar here, a little podcast there. A few million subscribers on YouTube. The content stuff.
And a day job. How do you manage this time? Off topic, but how do you do this?
[00:11:30] John Hammond: Yeah. I, no one can see, I try to hide it off camera, but there's a like pile of energy drinks and maybe not a lot of sleep.
Not a lot of sleep in my schedule, but we get it done.
[00:11:41] Mikey Pruitt: Gotcha. So go ahead.
[00:11:43] John Hammond: No, if I may say, Huntress is just a really huge component of my life. And I hope that the work that we do, when we bring it to the industry, because it has that same manifest and ethos of education awareness, trying to get the info out and still be very tactical in that, some sweet threat intel that we released today.
Even just the time of recording was on an obscure ransomware group. The name was SafePay. Wild. But we saw a couple incidents with that actor and we got to understand a little bit more of their tradecraft, share some of those indicators of compromise, attack TTPs, blah, blah, blah. When we got to see their Tor site, that onion link URL, they do still, and they did, they still do, right? They have an endpoint accessible for the Apache or Nginx server status.
So you can kinda look a little bit behind the scenes to see the server uptime, a lot of the connections and the other IP addresses that interact with that, alongside the technology behind it, the version number of the HTTP service, the PHP code behind it, all the nerdy stuff that kind of spills their guts a little bit, right?
So that's always just something we get to poke and laugh at and say, oh man, cyber criminals and threat actors, they make mistakes too, here and there.
[00:12:56] Mikey Pruitt: They're still human.
[00:12:57] John Hammond: Oh yeah.
[00:12:59] Mikey Pruitt: So your work at Huntress, just like the work that Huntress does, that you and your team and all of Huntress, and DNSFilter is in the same camp, like we are actively pushing against nefarious actors.
How do you think people in the normal space, like people in their personal lives and even IT professionals, say in MSPs, what would you recommend to them to stay ahead of threats? Or is it almost impossible? And you have to rely on teams like Huntress and DNSFilter.
[00:13:36] John Hammond: I would probably attest that, hey, it's absolutely still worth the effort. It's not for, oh, the layman or any individual to say, hey, you know what, throw my hands in the air. Rage quit. We can't do the cybersecurity stuff 'cause all hope is lost. No, we should still do those bare bone basics that you hear everyone scream and shout about.
But the reason security people say that over and over again is because it's the right answer, and it's that boring. Oh, use the, see, it
[00:14:04] Mikey Pruitt: depends.
[00:14:05] John Hammond: Yeah. Digital password manager, antivirus, patch updates, VPN, two-factor authentication. Don't plug in USB drives, don't click on emails, blah, blah, blah.
I know we hear it time and time again, but that's just the foundation. I think the next bet is when there is something very real, when there is some incident or that big bad B word, a breach, right? A compromise. You can let those experts chime in, whether that's DNSFilter, whether that's Huntress, whether that's company, vendor A, B, C, X, Y, Z.
Look, if they can make it relatable, if they can tell the story, so it's in a way, in a format that person understands and they can see and know the impact. That is really what helps convey and get them smart on this stuff. There was a big incident some time ago, I don't know if folks remember the Log4j days, but I was really pleased and proud of myself.
And truth be told, I had a video and a showcase out to talk about it in Minecraft, which sounds dumb. It sounds cheesy and childish because, oh, the video game Minecraft, that's not like the coolest, most elite thing in the world. But then I had stories of people telling me, hey, I got to understand more about this threat because my son was telling me about it.
My daughter, my kids. I know folks at school were discussing, and that led to the workplace just as well, because teachers and, hey, even everyone was understanding what is this big doom and gloom, the sky is falling, vulnerability. Yeah. This is the
[00:15:34] Mikey Pruitt: Log4j thing.
[00:15:35] John Hammond: Yeah. But it got into a conversation where we were able to bridge the gap between what's normal in the world of just the average person and then us nerds and geeks and all our techno babble and jargon
[00:15:49] Mikey Pruitt: That really is the beauty of what you do, by educating people in a manner that kind of meets them where they are. Well, thank you. That then can filter out. Maybe it's a teacher or a child or whoever that is seeing your Minecraft video and then tells their parents or tells their teacher, and their teacher tells their IT department, and the IT team is, wait, what is this?
Hopefully they get a little bit more notification, but understanding how it works for more people is, I think, really how we defend against the attacks that are coming all day.
[00:16:25] John Hammond: Thank you. I would absolutely agree, but it's a team effort. It takes everyone, it takes all of us kind of playing in concert, and our CEO, Kyle Hanslovan, he likes to call himself the chief janitor.
But he's got a cool quote that I really like. It's: cybersecurity is something that we earn each and every day. You gotta earn it.
[00:16:43] Mikey Pruitt: That is a good way to say it. I think I might have seen his LinkedIn job title as janitor once or twice. Yeah. So let's talk about the IT people, like in the trenches.
They're combating evil, so to speak. And you're talking about capture the flag, keeping your skills sharp, learning some programming languages. Maybe stepping out of the box a little bit. What do you think is, like, some of the, like one or two things that will really help them understand all of this?
Like their Minecraft video. What is the thing that really can help click in their brain how important this stuff is and how to combat it? Ooh.
[00:17:25] John Hammond: I might get a little bit fluffy on this one, and if I need it, if you're able, maybe help point me in the right direction, but I think it takes really a lot of collaboration between friends and coworkers.
If you're willing to discuss this with peers and you're willing to make it a communal conversation and not just all in your head, then you know, you can bounce ideas back and forth. You can check your understanding. You can both be scheming up: what could cybersecurity stuff really mean?
And I'm also tangentially driving towards some of the tabletop exercise ideas, or just the understanding of, hey, maybe someday, some way down the line, there's gonna be an incident or a compromise. We talk about this whole assume compromise idea.
It's not a matter of if we get hit, but when we get hit, and I know that's trite and overused, but it's real. There's a lot of fact to that. So if we can think up and scheme, okay, what are the defenses and things we can do ahead of time, how can we better prepare? How can we plan? How can we make sure we have people and processes all in the right places?
Then you're all better for it. And I think maybe the other little note that I'd add in there is just make sure it's written down, documented. Have those notes, have something that is established and tangible and in its own deliverable. Make sure you've got those notes.
[00:18:46] Mikey Pruitt: Love that. So like communication.
Collaboration. Totally. And write it down when you're done discussing it. Oh yeah. I'm curious. So you've seen, like, a lot of threats. You cover them. I've seen you on CNN talking about threats. So congrats on that. Big get. Thank you. That was awesome. But what do you think is coming next?
What are some things that we haven't seen that maybe have been hinted to, ooh, in the bad guy world?
[00:19:11] John Hammond: Can I give you, I don't know, maybe shooting from the hip, I don't know if it's a top three or a top few of, yeah, those cheesy 2025 predictions. And let me add a caveat, right? I'm not Nostradamus, I don't have a crystal ball.
I can't see the future. But if I would think, and I'll dance with all the cheesy buzzwords and the hot topics that folks I know tend to like. But the first couple that I'd probably put out on the table are the infostealer malware. And that whole strain and variant of cyber crime is gonna ramp up more so than it has been already.
And I think that will potentially even overtake ransomware. And I know maybe not in, oh, facts and numbers and quantitative data, but like the impact and real stuff that comes from it, because that just opens the door and enables all those identity attacks I was alluding to earlier, where you just swing from one cloud service to the next, and that's really, at the end of the day, affecting you, the person, the individual, and all your data and how that could still be abused and leveraged.
So infostealer malware, I think, is gonna start to take the throne, maybe over ransomware.
[00:20:22] Mikey Pruitt: Can you tell me a little bit about what infostealer malware is?
[00:20:26] John Hammond: Totally.
And I'm sorry. Yeah, I should've colored that picture earlier. No, that's fine. No. So think of a raccoon, very literally. Genuinely, there is a good,
[00:20:36] Mikey Pruitt: let's go.
[00:20:37] John Hammond: There's a Raccoon Stealer. In fact, that's a fun, cheesy name. But say, hey, whenever you log into your websites that you browse on your computer, whether it's Amazon, whether it's Facebook, whether it's the company portal, whatever you are using, those cookies in your browser, like you have your little "hello, my name is" name tag on, so the server knows you are who you say you are with your username or password.
But this little scurrying raccoon comes in, steals it, it takes it, it tries to take all those cookies for themselves and grab the passwords and usernames whenever they can. Whenever you've clicked that button to cache, or remember me, or save my information, that will locally store on your computer or the endpoint.
That is gonna be, oh, the access that cyber criminals will then gobble up and try to take as many as they can, for credit cards you have saved, for address information your browser will auto-populate and fill in for you. All that stuff that they siphon up, and then they start to sell out on the dark web.
And it becomes this cartel, for lack of a better word, almost like commoditizing and selling and shipping out all this stolen and breached information from any victim that's ever been hit by malware like that. But that again is the access to your online accounts and your services that really could open and make for a heyday for some threat actor that wants to do some damage.
[00:22:01] Mikey Pruitt: Yeah, that's really scary. I'm just thinking, like, in my brain, like I've done a little bit of development and I can just see how, not easy, but possible it would be to combine that infostealer malware with Mishaal's OSINT stuff, and you could build an entire profile on a person. Then just go log in as them, because you'll know from data breaches that people, like, try to gobble up and just impersonate people and their identity. Oh, yeah.
[00:22:30] John Hammond: And with that, maybe I'll swing to, yeah, that cheesy hot topic buzzword, but the whole AI crap. I don't know if that, oh, leads to the deep fake, as you mentioned, impersonating. But I think at the very least, AI is not gonna go away. I know. I don't know.
Sometimes people have to just bring it into the conversation to check the box, and so forgive me if I've done that inadvertently, but hey, I haven't drunk the Kool-Aid yet. Just as a John opinion, I'm not totally sold on the artificial intelligence thing. I think it's cool. I think it's sweet innovation, but I think it's gonna become really an unchecked attack surface when, hey, just everyone's gonna try to rush to the gold mine and try to cram it into their product or in their solution.
It's just gonna have no security bounds wrapped around it. So maybe very well you've got the prompt engineering where you can, hey, ask for a little bit more information, or try to interrogate the chat bot to get some secret sensitive data that maybe you never should have, or work out a deal for some purchase that didn't need to have that, oh, price tag or effort on it, and now there's some other sensitive secrets left and lost.
[00:23:41] Mikey Pruitt: Yeah, absolutely. I think the AI space is a little bit misunderstood, like it's good at regurgitating text. You can imitate people and people's voices and do a lot of things with it, but I think it's not like you just say, hey, I want to hack John Hammond, then it's, here, do this. It's not quite that good yet, luckily for us. True.
But the more security part is how scary it is for people to leave information, like you're saying, put information in there that they shouldn't. Like, we've done a lot of training here at DNSFilter about what to and what not to do if you're going to use those AI tools.
So that's very good to bring up. It's very important to mention that AI is a tool and not an everything, do-everything-for-you type of thing.
[00:24:32] John Hammond: Yeah, no, silver bullets.
[00:24:34] Mikey Pruitt: What do you guys do about training your employees? Like I mentioned, at DNSFilter we have some training set up.
Are you guys pretty cognizant about keeping all of your employees, because not everyone is a security researcher, like at Huntress, for example. I imagine you're pretty top notch in that realm. I'm just curious, oh yeah, what we do as cyber vendors could help the audience understand, like, what they should do with their customers and themselves.
[00:24:59] John Hammond: Truth be told, we, I think, eat our own dog food is the phrasing, where look, I know, yeah, it's no secret, Huntress offers security awareness training as some of, hey, our offering. And that really is some effort that came from a previous acquisition, Curricula, way back when, some time ago.
But they have a kind of interesting style and a certain flair to how they approach that training and just the education for employees, for everyone. As you mentioned, that isn't gonna be the nerd or geek in a security researcher closet, but, oh, the sales and marketing. Hey, maybe the accountants, the finance folks that still need to know all the threats.
At least to some degree. So it's fun. There's a whole world of animated characters and caricatures where it's a cinematic universe in its own right. DeeDee is a little villain hacker, a five-year-old kiddo that's always trying to make mischief. But that's a more fun, animated way, I think, than more dry, boring PowerPoints, I hope.
So a lot of fun episodes and stories that we get to tell with that. Security awareness training and phishing simulations and stuff is what we do even internally. Not gonna lie.
[00:26:05] Mikey Pruitt: Yeah, just like you do with your public persona, I guess, is make it fun. Make it entertaining.
Yeah. Make it enjoyable. One last thing, and then we'll cut it off. Give me your favorite hacker tool, like Burp Suite. Ooh, GoPhish. Evilginx. What is your, if you were gonna, like, hack somebody, what would you reach for?
[00:26:26] John Hammond: I'm gonna cheat, I think, maybe a very hacker approach to that question.
My favorite is Python on its own because, hey, it is interpreted. So I can script and cut up code and, hey, do whatever digging through data that I need to. And that's a sweet Swiss Army knife. But I dunno, maybe that's a hack. Maybe I cheated that question.
[00:26:48] Mikey Pruitt: Hey, cheaters win sometimes, so
[00:26:51] John Hammond: hackers sometimes win.
[00:26:52] Mikey Pruitt: Exactly. Thanks so much. John, thank you for visiting with us today. I really appreciate it.
[00:26:57] John Hammond: Hey, thank you Mikey. Forgive me, I know I've been all over the map, but this has been a lot of fun, really genuine good conversation. So thank you so much for having me, my friend. I hope we talk again soon.
Absolutely.