Cyber Operations With Jonathon Canada

Transcript

Mandi Walls: Welcome to Page It to the Limit, a podcast where we explore what it takes to run software and production successfully. We cover leading practices used in the software industry to improve the system reliability and the lives of the people supporting their system. I’m your host, Mandi Walls. Find me @lnxchk on Twitter.

Hi, welcome. Today we are talking with Jonathon Canada, who recently joined me on our Twitch stream. Jonathon is a senior solutions engineer at Teleport and is also a cyber operations officer with the California Army National Guard. Jonathon, welcome to the podcast. Great to have you.

Jonathon Canada: Thanks so much. It’s great to see you again. Thanks for having me on here again.

Mandi Walls: Yeah. So when we were on the Twitch stream last week, you were like, it was your day job. We were talking about Teleport it was a super interesting application, but you also slid in there, that you’re also a cyber officer. And so we wanted to dig into that a little bit. So tell us a little bit, how’d you get into all of this? How did you get into the Army and how that led you to where you are today?

Jonathon Canada: Yeah, so I’ve been in the Army National Guard for almost 12 years now. I originally enlisted into the National Guard and the job I signed up for was not really what I expected at the time. So the recruiter who got the job for me and got me to sign up. All that, he was really talking up that I would be going to airborne school, which is jumping out of airplanes, parachuting out, that I’d be in a special operations unit. He said not even to worry about the job he was signing me up for. I would just be doing all this cool guy stuff all the time. And so I was like, awesome. Airborne school, special operations, sounds great. But the job he signed me up for was called shower, laundry, and sewing specialist.

So I got-.Something I usually tell people, especially Army people, because it can raise some eyebrows. Like what the heck is that? Not to discount those people that do sign up for that job. It just, at that time, not at all what I was expecting to get into and definitely caused some jokes while I was in basic training, when our drill Sergeant would ask me like, “Hey, what’s your job going to be?” “Shower, laundry and sewing specialist drill Sergeant.” I’m like, what the heck is that? So I learned how to set up showers, how to set up laundry machines and how to sew. The recruiter neglected that part. I mean, there’s valuable skills of course, in sewing, but it was true. I did get to go to airborne school. I was in a special operations unit. So we supported special forces units. We were like a logistics, a support unit for the special forces units. So that part was accurate. But you had to, did not expect to go to shower laundry and sewing school as part of that.

Mandi Walls: Yeah. There it seems like you say, important jobs, but not what you were, you were sold. So like what, what happened after that? It’s like, since then you you’ve joined some other things. How did you get to the next phase?

Jonathon Canada: Yeah. I enrolled in Army ROTC while I was in university. So I was able to get my degree paid for, I majored in computer science and upon completion of my degree and upon completion of ROTC, I commissioned as a signal officer into the Army National Guard. And a signal officer does a lot of stuff with communications. So radios, satellites, computer networking, just making sure that all the units are able to be able to talk to each other. At that same time, the Army had just come out with a new branch called Cyber and having been a computer science major with a background in technical stuff, that sounded really interesting. Really cool. So I was able to get in touch with the commander of one of the cyber protection teams here in California, which is where I live. And he helped me how to apply to be a cyber operations officer.

So I had to put together a packet. In my packet I had to have letters of recommendation. Proof of my transcripts. Any technical certifications might have attained. So at that time I had a few like AWS certifications had security plus certification. And then in addition to that packet, you also had to submit a technical test. And with that whole packet got sent off to national guard bureau or a board reviewed all the packets. And I was selected to be a cyber operations officer and upon selection, I had to attend this seven or eight month school called the cyber operations officer course.

Mandi Walls: That sounds like a commitment. Yes. Eight months of what? Just training all the time?

Jonathon Canada: Yeah. It was seven to eight months of pretty much 8:00 AM to four or 5:00 PM in a classroom doing technical stuff and homework also outside of that. So just like the year prior to that, when I became a signal officer, I had to attend the signal officer school, which was four months long. And that school was, I mean, it was a lot of fun. Like there was time to do stuff outside, like explore the area. It was in Georgia, which is also where the cyber operations officer course is in Georgia. But for the cyber operations officer course, I didn’t get that same able to hang out. It was heads down for seven, eight months just studying diving deep into cybersecurity, doing reports, presentations. It was a lot of stuff.

Mandi Walls: Yeah. That sounds super intense. So of all the vast range of things that they could possibly need, like what did they have, you focused on? What kinds of things seem like they are important for that kind of job? It’s like you have like a SIGINT (signals intelligence) like all that sort of stereotypical stuff is like world war two based like aren’t going to like spy on the Russians or whatever. And that’s not the case anymore. Like there’s a whole lot of other things that you would be looking at. Like what kinds of things did you end up having to, to study and to look at when you’re going through this process?

Jonathon Canada: The first like six months of that course are just purely technical. The last two months or more kind of operational, how it starts is the first seven weeks is you work towards Cisco certified networking associate. I think it was from CCNA. But it’s not just like a bootcamp kind of thing where it’s two weeks you take the test and you pass it. It was seven weeks, all day long. Each one of us had our own set of routers switches. So we really got to dive deep into networking and really learn all about OSI seven layer networking model, get a really good understanding of that, which was awesome.

I thought I had from my computer science background, places I had worked. A good understanding in networking. But after that, I feel really good talking about networking concepts. From there, went into C programming and then we went into CISSP module because as officers we’re basically like managers, the officers are the ones who create plans. And generally, then the enlisted who will execute on those plans created by the officers. And CISSP is pretty intense. I don’t remember what the acronym is, but I think most people know what is CSSP is a certified information system, security professional, something like.

Jonathon Canada: Something like that. Right yes After that, it then went into something called Cyber Common technical core CCTC. The purpose of that is for all services. And I think even the NSA to attend that same module so that if we’re all working together on some of joint operation, we at least have a common base of knowledge and expertise that we can all work from. So we can understand one another and know at least what the other person and that other service should know. And that covered a very deep dive into networking, but like really diving into how you might compromise those different systems and also how to look for compromises. So learning about how to get a good, solid baseline of those systems. So that if something deviates from that baseline, you are able to more easily spot something that’s potentially malicious.

Jonathon Canada: Sure. Okay. Gaining a baseline of what the usual processes should be. So then it suddenly, there’s some weird processes there or something weird connecting, you’re more easily able to spot it. And through that course, there were no like tools that were used. It was primarily just all the native tools within, or I guess when I say tools, there were no third-party tools that were part of it. So the purpose was to really understand the theory of the operating system. Just what is already part of it.

Mandi Walls: What’s there? Yeah.

Jonathon Canada: Yeah. So that meant like using PowerShell, using [??], using Netstat using bash scripting to discover and see these things or to create your own compromises as well.

Mandi Walls: Yeah. That sounds pretty wild actually. Like that, that sounds like a lot of stuff to go through. Because I figure if you’re learning that on the job, you’re probably getting it piecemeal and it might take years. So like having it all dumped into your brain at once seems pretty intense actually, for all that stuff. Definitely. S.

Jonathon Canada: It was.

Mandi Walls: So with all that, you stayed in the service and like, how does this, the stuff that you’ve learned, like all this intense training and all this stuff. How is that helping you then in your day job, in the other things that you do for work?

Jonathon Canada: It has helped so much. I mean, first of all, just being an Army officer for a lot of employers, they find that alone to be valuable, just like stuff I learned from that. But as a cyber operations officer, having gained this really solid understanding of technical theory, especially as it relates to cybersecurity and with cybersecurity, everyone’s always talking about it even more these days, things happening out there.

Mandi Walls: Important. Yeah.

Jonathon Canada: Yeah. There’s a few incidents that have occurred recently. They definitely appreciate that and appreciate that I actually know what I’m talking about. It’s kind of fluff that I learned, but really solid technical concepts that I picked up through that course.

Mandi Walls: Yeah. Excellent. And then your ongoing commitment to the service, like what kind of projects then do you get to work on? We’ve seen the commercials on TV, right? You’re two weeks a year. The one weekend a month. That sort of thing, like what kind of projects then, do you continue to work on as part of your service there?

Jonathon Canada: The minimum yearly requirement is one weekend per month, two weeks per year. It usually is more than that. That one weekend per month can be sometimes five days. So sometimes it could be Wednesday through Sunday, but there’s even times where it’s just like a Saturday. If we had a bunch of those five days consecutively. And then also the two weeks that’s a minimum. So when I went away for that 78 month course, that counted as my two weeks for that year

Mandi Walls: For that year. Not the long two weeks. Yeah. It was a very long time.

Jonathon Canada: So to fulfill that two week requirement, usually units will have a two week thing planned for the unit. If somebody is not able to attend that two weeks, it’s often because they’re attending some other course, like an example I just gave, I attended seven or eight months instead of doing the two weeks with my unit. But the kind of training that we get is really cool. I’m really happy that I moved into Army cyber. And it’s a cyber protection team that I’m a part of. So dig into that a little bit. Yeah. Yeah. So our, as a cyber protection team, our mission is, is largely incident response. So if there’s some usually state agency that has had some kind of compromise, we might be called into assist with incident handling incident response. So a big part of that is root cause analysis also baselining and identifying everything that is there in that network. So if there’s a network we come into, there’s been a compromise, there’s going to be some network owner who owns that network.

Mandi Walls: They think they do. Yeah?

Jonathon Canada: Yeah. I was redundant, but it really depends. Sometimes they’re reluctant to like, Hey, who are these Army people? I don’t know why are they on our network? Generally, they’re willing to work with us, but from their perspective can see, I can see the hesitancy.

Mandi Walls: Sure.

Jonathon Canada: Because one might think like, Hey, I have the expertise to handle this. Why do we need to call in these other people and make a big deal about it? But if we arrive on site, we’ll ask for a network diagram of what the network owner thinks is there. However, we always have to make sure that we verify what they’ve given us and really do a full scan to identify everything that is actually there because network diagrams they’re often not totally complete. And if there’s been a compromise, who knows if there’s rogue devices that have been added in there. And the framework that we generally follow for one of those missions is NIST cybersecurity framework. The first phase of that is identify. So that corresponds with what I just said, identify everything that’s there. So then once you know, everything, that’s there, you can start doing a root cause analysis. Seeing how that compromise first started. Trying to figure out the timeline, how it moves through the network and doing further forensics analysis across the network. And we try to do as much automation as we can, because if it’s a huge network, I mean-

Mandi Walls: Yeah. You can’t be there forever.

Jonathon Canada: Hands-on on every single person’s host machine. So we use open source tools like ELK Stacks, Security Onion, and scripts that we’ve written ourselves.

Mandi Walls: So you’re helping someone out. Who’s had a problem that they maybe can’t handle, or they had to be accountable to a certain degree that they’re not really prepared to do. Do you produce reports for them? Are you doing recommendations for them repairing or restructuring their networks? What other kinds of things, what kind of services then do to give them when you’ve dug down through all of their

Jonathon Canada: Stuff? It really depends on the terms that are agreed upon when we enter that. So we have to make sure before we go in there, there’s NDAs that are signed. That we’ve spoken with Army lawyers with their lawyers to make sure that everything is okay, that they know exactly what we’re going to be doing in there. What the scope of what we’re allowed to touch includes. So we can’t just start installing things everywhere, wherever.

Mandi Walls: Come on.

Jonathon Canada: I mean, I’m sure it’s all extremely documented, follow the process. And if we want to make a change, we always have to make sure that network owner is okay with any change. And it’s fully documented to cover us, to cover them as far as like an investigation goes, if it results in some kind of criminal investigation, you can have custody, you have like notes of everything that’s occurred. But the big first part usually is again, back to the cybersecurity framework, the identified phase is doing vulnerability assessments. So doing like Nessus scans, seeing what, like vulnerabilities exist on the hosts in the network. Seeing what programs or what processes are running. And once we do our, our vulnerability assessment, we create a report for the network owner where we say, “Hey, these are the top findings we found here is what we recommend you do immediately. Here’s what we recommend you do in the short term. And here’s like, long-term what you can do.” So immediate things we might recommend are turn on your firewall because we found that this firewall is not turned on or configured at all. It’s just allowing all traffic in, all traffic out. So definitely immediately fix that. And then other, like it’s not smaller. Things are important, but like immediate quick wins might be making sure that you have a proper password, complexities enabled. And you have like lockouts set on, on your machines so that if a machine isn’t used for like five minutes, it goes to, it locks itself, something like that can also include, like we’ll do an analysis of their cybersecurity policies or internal program that they have. And we can make recommendations that they improve that. So recommend that they have cybersecurity awareness training recommend that they have like an incident response process, a business continuity plan in place, all that kind of stuff.

Mandi Walls: Awesome. So when you’re working with these, you find like, is it still a lot of stuff that’s on premises or in a hosted data center? Or are you seeing more folks use cloud providers for some of those stuff? Like, is there more or less scary business going on in one place other other?

Jonathon Canada: For the agencies we interact with? It’s more on prem.

Mandi Walls: Yeah. Cool. As we wrap up, is there anything else you’d like to share with folks about? It sounds super cool. Like we’ll post some of the links for the program and like the NIST stuff for folks who are just starting out with like vulnerability assessments and like that kind of thing like that, there’s a lot of documentation in those programs for folks who want to look at that stuff. Is there anything else that you super enjoy about it that you’d like to share with folks.

Jonathon Canada: Yeah. For sure. And yeah, just, I guess an aside on, on the documentation if, if you are looking to start or improve your cybersecurity program, definitely look to NIST, look to those. A lot of those compliance frameworks, they are great reference points for improving your posture within your organization and to achieve compliance like SOC two type two, for example, there’s a lot of controls you’ll need to have in place to meet a compliance like that. As far as things that have been, I guess, fun and cool about being a cyber operations officer is the training that we get is all lots of technical training. So I’ve been able to get AWS certifications. As I mentioned before CCNA plus ch just certified ethical hacker. I’ve gotten several red hat certifications through it, sands certifications. And for the two weeks that we do per year, it’s usually like a, a blue team versus red team type exercise. So we get access to this whole range. Usually the first week is a planning phase. The officers will often come up with a plan, which is simulating that we’ve just received notice that there’s a network that’s been owned. So we need to plan out, figure out the NDAs interview, the network owner. And while we’re doing that, the people who are hands-on hands-on or enlisted soldiers are warrant officers. They can be doing training to get ready for what we’re going to be doing that second week, which is simulating that we’ve now arrived on site. And now we can start doing those vulnerability assessments, creating the reports, doing that root cause analysis. So it’s really, really great training for just overall technical knowledge and really diving deep into cyber security.

Mandi Walls: Awesome. Is there anyone like favorite tool or interesting little bit that you think people should, maybe they haven’t heard of before that you’ve come across? That would be super interesting for folks.

Jonathon Canada: I mean, Teleport is probably the…

Mandi Walls: Teleport is amazing. You totally check out our stream. I will post it in the show notes as like there’s some really cool stuff in there.

Jonathon Canada: Honestly, of course I’m biased. I will say if these organizations had Teleport, it would make our job of incident response much easier because you’re able to see the full recording of what somebody has done.

Mandi Walls: I love that piece. Yes.

Jonathon Canada: And it is all tied back to their identities. You’re seeing, Hey, not only is somebody SSH in his route, but you can see their IP address. What their identity is, as it is within your single sign-on provider and a full screen capture of exactly what they did in that session. So that would make our job a lot easier on the incident response side.

Mandi Walls: So much easier. No, I totally get it. No, yes. I will definitely linked to the stream that we did with Teleport and PagerDuty. So you folks can see that if you missed it, it’s now up on YouTube and yeah, that recording is awesome. So. Excellent. All right. Well, thank you so much for sharing this was super interesting. Really unique experience. Maybe there’s some folks out there that will be interested in it and following through with some of these programs, this is something we definitely don’t run across every day. So it was super awesome to talk to you and thank you so much for sharing your experiences.

Jonathon Canada: Thanks so much. I really appreciate you having me here.

Mandi Walls: Excellent. Well, thank you everybody. Thanks for listening. Subscribe for future episodes and we’re signing off. This is Mandi Walls and I’m wishing you an uneventful day. That does it for another installment of pitch to the limit. We’d like to thank our sponsor PagerDuty for making this podcast possible. Remember to subscribe to this podcast, if you like what you’ve heard. You can find our show notes at pageittothelimit.com and you can reach us on Twitter at @pageit2thelimit using the number two. Thank you so much for joining us and remember on eventful days are beautiful days.