Disabled Scientists

4. Jonathan Machnee

Disabled Scientists Season 1 Episode 4

What do autism and cyber security have in common? 

In this month's episode, Jon, a cyber security researcher, speaks with Sofie about his career, disclosing a neurodevelopmental disorder to his whole company for autism awareness month, and researching autistic experiences as a hobby.

Intro – Sofie [Host]:

What do autism and cyber security have in common? 

[Intro music]

Hello and welcome to this month's episode of the Disabled Scientists Podcast. 

I'm your host, Sofie, an autistic researcher, and I'll be introducing you today to Jonathan Machnee, an offensive cyber security analyst with autism and ADHD. 

I've opted for a slightly longer edit this time, I hope you enjoy. Let's get on with the show! 

Sofie [Host]:

What's autism and ADHD? 

Jon [Guest]: 

Yeah, good question. I mean, so there are a bunch of different ways that that question could be answered, right? 

There's like a clinical definition and then there’s a social definition and there are all sorts of different ways of describing it. 

I think the easiest way of describing it is how you see it in most scientific papers that you read. I'll just start with autism.

Autism is a lifelong neurodevelopmental condition that affects the way that you process and think about social and sensory information. I think that's the easiest way to put it. I think it's a disability. It has disabling features to it, and it mostly changes the way that you think about and perceive social situations. That's the way it impacts me the most. 

And ADHD is, again, another way that your brain can be wired and configured that makes it hard to stay on task. Basically. 

I would say those- those are my quick definitions. 

Sofie: 

Yeah, and what does it mean for you? 

Jon: 

Yeah, I mean, that is a good question that I get asked quite a lot. 

For me, it means that I'm sort of fundamentally different from the average person that I interact with and I'm going to interact with and perceive the world in a way that is very different from them. 

And I'm going to sort of be immersed in a world that wasn't designed with me in mind and interact with the world on other people's terms instead of my own. 

And I- I think that's the easiest way I could describe what it is, and it's also why I, you know, consider it to be disabling, is because I basically have to navigate a world that - that wasn't particularly designed with people like me in mind and then navigating that world is often- is often quite difficult. 

Sofie: 

Yeah. Could you give me an example? 

Jon: 

Yeah, sure. So, I used to be an army officer and, as an army officer, you are expected to be very social, very socially outgoing, very socially competent. 

And, to put it mildly, I really wasn't. I really struggled figuring out what other people were thinking and interpreting their- the things they would say socially, and it made life just extremely difficult to deal with. 

I- I say something and I expect everyone understands what I've said, but they don't understand what I've said because they were interpreting nonverbal communication that they interpreted as something else that I was absolutely not intending to be interpreted. 

Everyone always thought I was angry at them and I- I wasn't angry at all, I was just very like direct and, and spoke directly, said- said what I needed to say in order to get the job done. 

And that got interpreted as, like, anger or I would be talking to someone else and they would be trying to communicate subtle information to me without saying the thing they were supposed to be saying. 

And I just simply wouldn't pick up on it at all and they would think I was picking up on it and I wasn't. 

And then there's also just, you know, there's an expectation of normativity in most places where there's an expectation that you will be a certain way, that you will act a certain way, that you will behave a certain way. 

And, uhh yeah, when you don't, you get socially punished for it, basically. When, when you fall outside of the norm, people want to make sure that you, you fall back into that norm. 

And so, yeah, that’s- that's basically the easiest examples I can think of. 

Sofie: 

When you say people want to make sure that you fall back into that norm, what sort of thing might happen? 

Jon: 

The easiest thing that will happen is basically constant aggressive correction. 

At least that's what I experienced. So constantly being like, stop doing that, that doesn't make sense, or you need to change what you're doing, you need to stop being the way that you are, and you need to start being this other way. 

You need to start adopting these mannerisms instead of the ones that you currently have. 

And it all felt a lot like playing a game of guess how many fingers someone is holding behind their back. 

Because I have difficulty interpreting social context and difficulty understanding what someone is going to say and no real way of getting access to that information and so it's sort of like a, well, guess how many fingers that guy's holding behind his back and if you guess the right number, you're fine. 

But if you guess the incorrect number, you get socially punished for it because for some reason everyone else is able to guess the number of fingers a person is hiding behind their back. 

But for me, that was a very difficult type of dynamic. 

Sofie: 

I guess it sounds like the sort of thing that would really impact your self esteem. 

Getting things wrong, all the time. You don't know why, all the time. 

Jon: 

Yes. Yeah. So I was fortunate enough to learn that I had autism at a fairly young age, like not super young, but when I was 16, I learned I had Asperger's syndrome and that really helped a lot. 

If I- if I didn't know that I had Asperger's, I probably would have been a lot harder on myself. 

But because I knew I would say, okay, I'm missing these things, but it's fine that I'm missing these things because I just have a brain that works very differently. 

However, I think it would have ended up much different if I had not had that diagnosis. 

If I didn't have words to express why I was experiencing the world differently, I think- I think things would have turned out much worse. 

Sofie: 

I received an autism diagnosis a bit later in life, in my 20s. 

So navigating adult life not knowing why you're getting things wrong all the time is very stressful. 

Jon: 

Yes, that is… So I, as a hobby I do autism research and, and look at the intersection between autism and, specifically autism and religiosity. 

And so I track a lot of people who are autistic and get diagnosed later in life. 

And I found that the people who get diagnosed later in life have significantly more self esteem issues and like significantly more mental health issues related to anxiety and things like that. 

It isn't that the people diagnosed early are having a good time, it's- it's that the people diagnosed much later often have a lot more issues because a lot of the sort of identity formation and- and self assessment that you do in your late teens, early 20s, if you do that not understanding you're autistic, it can have some pretty- pretty large knock on effects, I guess. 

Sofie: 

Yeah, that makes sense. Do you talk to your colleagues about being autistic? 

Jon: 

Typically, I don't. Well, I mean, it really depends. Right, so when I was working in the army, I was in cyber warfare. 

And in cyber warfare there's a sort of selection effect that happens where we are disproportionately represented in- in that field and so I would share it with other colleagues that I thought might be autistic as well, mostly so that they might understand that they're undiagnosed autistic. 

And oftentimes I like walked quite a few of my colleagues through the diagnostic process and helping them realize they probably had autism. And so I'd share it with those people. But, generally speaking, in the military I kept it quite close to my chest. 

Um, after I would work with a supervisor for like six to eight months, I would let them know I have autism, just so they could understand the quirks in my behavior. 

And a lot of times when I explained it to them, they would go, oh yeah, that, okay, this is, this is connecting a lot of dots for me. 

Sofie:

Yeah 

Jon:

So- so that happened a lot. But, generally speaking, I wouldn't share it outside of people who regularly interacted with me on a day to day basis, or people who I thought might have autism and might benefit from knowing that they had it. 

So after I left the military, I now work in the private sector. 

I typically didn't share it with, with anyone other than like the people who already knew me from, from my government life who already knew I was autistic. 

But then for autism awareness month, they were looking to do some sort of presentation about autism and I said, well, I, I'm probably the best person to do this. 

So I- I sort of outed myself to the whole company doing an autism presentation. 

Sofie:

How was that?

Jon:

Ah, it went over really well. It went over really well. They were very understanding. The really fortunate thing about working in tech is that autistic people are sort of ubiquitous, especially in cybersecurity. 

Like you, you cannot work in cybersecurity without meeting autistic people. 

And often autistic people are really great contributors to the field. 

Like it's… If you go to a cybersecurity meetup or an event or something and you describe a person with autism like ASD1 or what used to be called Asperger's, everyone there is going to go, oh yeah, you're describing Dave or you're describing Alice. 

Right? And, and they immediately know who you're talking about. 

And you're like, “oh, there's a word for that type of guy? I just thought that was a type of guy that tended to work in our field” and I mean, to be fair, it is a type of guy that works in our field. 

But yeah, so, so giving that presentation and just sort of describing what autism is, I had a whole bunch of reactions. 

One of the reactions was, wow, this has been really enlightening. Like, I didn't, I didn't know this was a thing. But now that you say it's a thing, this is answering so many questions that I didn't think I even had and this is, this is connecting dots for me that I previously hadn't connected. 

Just because, like I said, you definitely know someone on the autism spectrum; if you work in cybersecurity, you probably know many people on the autism spectrum and you know, you've probably run into many of the quirks that autistic people have and wondered what's going on with that guy? 

And my presentation sort of answered those questions. And so that- that was the majority response, and they were really appreciative, and a lot of them were really happy. 

The second response was a bunch of people reached out and said, I think my kid might have autism. 

Can- can you help me with that? And I was like, yeah, of course. So I walked them through that, and walked them through how, like, what the signs were, what books to- to read, how to get your child diagnosed in Canada, and- and what the diagnostic process looks like, and pros and cons, and walked them through that. 

And then the next most common one was people reached out to me to say, I think I might have been undiagnosed autistic. Everything that you said in your presentation resonated with me in a way that I have never really resonated with anything in my life. 

Do you think we can get lunch and talk about this? So, overall, it went really well. And, like, my- my workplace is very accommodating. I'm- I'm very lucky to now be in the place that I am where, um, they- they don't really care if you're weird. They- they care if you get the job done. And I'm really good at getting the job done. So- so whatever- whatever they can do to empower me to hit the targets that I need to hit, they will do. 

So there's a lot of leeway given to me because I have autism and there are a lot of accommodations given to me and just a lot- a lot of understanding that might not be there if they didn't know I- I have autism. But because they do, they're- they're basically just willing to give me more slack on things that I struggle with. But also, they don't really care that they have to give me more slack on those places because I make up for it in other places. 

Right. So, 

Sofie:

Yes. 

Jon:

Yeah, it's actually been way more positive than I thought. 

Like, I- I was initially dreading outing myself to the entire company as having a neurodevelopmental disorder, but, uhh yeah, it went really well. 

Sofie: 

From what you've been saying, it sounds like it was actually quite a gift to the whole company. 

Jon: 

Yeah, I mean, I- I think it was. A lot of them thought it was. So overall, I'm very glad I did it. However, I- I would not recommend anyone else do it. 

As a general rule of thumb. 

Sofie:

No 

Jon:

A lot of- a lot of people. Just because of the autism research I do, a lot of the autistic people ask me, you know, should I, should I tell my co-workers? 

And I generally say, uhh no, probably not.

Sofie:

Really?

Jon:

Yeah, so- so I say that because most people simply don't understand what autism is or have really skewed versions of what autism is or really skewed understandings of what autism is. 

And so if you tell them you're autistic without any context as to what that is and what that means and how that affects you, it can often lead to, uhh, misperceptions. 

There- there are a lot of horror stories that I have- have recorded of people telling their coworkers they're autistic and then having that dinged against them in performance reviews and things like that. 

And, you know, they used to be getting completely fine performance reviews and then they let their boss know they're autistic, and then all of a sudden their boss is interpreting everything they do through the lens of autism and making them go on performance improvement plans to be less autistic. 

And things like that. So, 

Sofie:

Oh! 

Jon:

Yeah, you should- you should consider that before. 

But for me- for me it was fine. And, I think, for me it was fine because I work in a field that is so saturated with autistic people that everyone has a list of good experiences with highly competent autistic engineers and analysts, and so they often quite like us. 

Sofie: 

Would you have any particular advice in terms of disclosure? 

Do you think partial disclosure, saying, umm, traits but not a specific diagnosis, for example, would be a better way of going about it? 

If you're needing accommodations? 

Jon: 

Yep, so if you're needing accommodation- I mean, my best advice for disclosure is get to know people first. Right? Like, get to know them, get them to know you, and then slowly start disclosing, like, I struggle with this type of thing or this type of thing is hard for me. 

And then sort of test the waters. And if their response to that is like they- they're looking for ways to help accommodate you, you can maybe go a little more and tell them a little more, but if they're not responding positively to those types of things, I would recommend not telling them you're autistic. 

Just keep- keep going with, these are the symptoms I deal with, these are the difficulties I have, umm, so I just need more support or accommodation around that. 

Again, it will, it will largely depend on your career in your field. 

Right. Because so many places are different, different work cultures and expectations and things like that. Like I would say if you work in tech, it's probably fine, like, if you- if you, if you work in like, any- any sort of cybersecurity place, it is fine; you can, you can fully disclose and no one will care, at least from my experience. 

Sofie: 

Okay, I think now would be a really good time for you to tell us a bit about your work in cybersecurity. 

Jon: 

Yeah, so I started working in cybersecurity when I was in undergrad at the Royal Military College of Canada. 

The- the Canadian military at the time I was doing my undergrad was just trying to ramp up its cyber force development and its cyber warfare contingent. 

And I was at the Royal Military College of Canada, which is our service academy, doing an undergrad in computer engineering. 

And during this time there were needs to find good, qualified, competent people who could do this type of work and I was identified as one of them. So I did my, my undergrad thesis on a project that still gets a lot of use today, which was discovering DNS covert channels and figuring out ways of- of detecting and discovering a DNS covert channel and shutting it down. 

There's a very popular post exploitation framework. 

So like, you can think of it like a malware or Trojans that- that people use especially in ransomware cases these days. 

It's called Cobalt Strike. So, Cobalt Strike has a feature where in order to get information out of the network, you have to choose some path to get information out of the network. Right? Usually it's, it's over the Internet via HTTP, like through the way that you would access a website or web application where the malware pretends to be a browser, pretends to go to a site and then transfers information to that site that's controlled by- by a threat actor. 

You don't necessarily need to do this though. This- this can be pretty open and it can be pretty blatant and it can be more easily detected and so sometimes threat actors will switch to other channels. 

And, and the one that this tool uses and the one that I, I was researching with was like the, the protocol used was DNS. 

So, domain name service, when you type google.com into a web browser, your browser doesn't know where google.com is, like it doesn't have a google.com IP address and so what it will need to do is it will need to use domain name services. 

So it will need to go to a domain name service and say what is the IP address for google.com and then the domain name service will say, it will have a list of IPs associated with it and it'll say this is the IP and it'll pass it back to you. 

Now DNS covert channels work by- you know how when you go to Google, there's maps.google.com. 

Sofie:

Yeah, 

Jon:

Maps- maps is a subdomain. But- and so it works the same way. Like you type maps.google.com into your browser, you press enter, a DNS request goes out for maps.google.com it will hit your DNS server and then if the DNS server doesn't already have maps.google.com in it, it will go to Google's DNS server and ask Google's DNS server, “where is Maps in the Google domain?” and then the Google DNS server will tell it, and then it will tell you. 

Now you don't actually need to put maps in that subdomain. You can put any information and you can chain subdomains together. 

And so what this like post exploitation malware framework was doing was encoding information in DNS subdomains and then using that as a way to exfiltrate data off the network and receive commands from- from the threat actor server. 

So it was sort of a low and slow channel designed to evade detection. 

And yeah, so my- my research there was to build a very fast and reliable way of detecting DNS covert channels and then differentiating those from the just regular background noise of the Internet, which was a very fun thesis project to work on, and we, we built basically a tool that within three communications would effectively shut down any DNS covert channel, which is- 

DNS covert channels are very low bandwidth, so you can't get much information out in three requests. 

Sofie: 

Okay. 

Jon: 

And so shutting it down within three requests is huge. 

We built that and then that sort of kickstarted my career in research in cybersecurity. 

Unfortunately, a lot of what I did was classified, so I can't really go into huge amounts of detail about, about what I was doing, but I started my master's degree also at the Royal Military College of Canada and I worked in a field called counter forensics. 

So that was my specialty. So digital forensics is after a network gets hacked or something like that, you pull all the data off of a network that you can and then you try to reconstruct what happened. 

What did the threat actor do? What sorts of things did they touch? What sorts of actions did they perform? Did they steal information? Did they leave behind traces and things like that. 

And counter forensics is all of the processes that you take as a threat actor or as- as a red team to frustrate that process to, to try to hinder the ability of people to reconstruct your activities. 

Sofie: 

Ah, I see. 

Jon: 

And so- so this is needed research for, for two reasons. 

One, if you are doing offensive cybersecurity things and trying to break into other people's networks or trying to break into your own networks, you need to have these capabilities to evade detection, and then not only evade detection, but deny people the ability to figure out what you did, because if they can figure out what you did, they can make a better plan to stop you in the future. 

But it's also really important because we know that people will do that to us, and we sort of need to figure out what sorts of things are they going to do to us so that we can prevent them from doing that to us in the future. 

And that was mostly the focus of my research, was sort of counter forensics for blue team defensive purposes, where my- my whole goal was to think about, okay, what are the potential threat spaces that we can be facing in, in this sort of world as a defender? 

And then how would, how would someone break this? Like, how would someone deny us the ability to see inside our own network and defend that network? How would they want to hide from me? 

And so I- I did a lot of research in that area. I found quite a few novel techniques for- for hiding on Windows domain systems and communicating on Windows domain systems in ways that were difficult to detect. 

And, like, a lot of this job is figuring out how to make this trade off that we have. 

So most of the research, you can- you can do most things on a computer pretty easily, but you can't do most things on a computer very easily, silently or quietly. 

Oh, and so- and so you have, you have a sort of speed and volume trade off. 

The metaphor I use is every action you do sort of increases your volume on the system. 

And you need to keep yourself at a whisper, because if you keep yourself at a whisper, you get drowned out by all the other noises being made on- on the computer or on the network. 

But you need to find a way to balance that. And so a lot of the work was doing that, that sort of balancing act and figuring out where- where the- the break points were, you know, where those things were. 

And so that's, that's mostly what I did my research in. 

And now when- when I left the military, now what I do is I do a combination of penetration testing where I am hired by a company to hack their network. So to be a- to act like a threat actor, to act like a bad guy trying to do malicious things on their network and see how far I can take it. 

And then- and then after I see how far I can take it, I give them a report saying, this is every place I broke in, this is how I broke it, and this is how you need to fix it. 

And so I- I do a lot of that, and I'm quite good at it. 

And then I also do the other side, which is when other people's networks get broken into. 

I'm the guy who- who does the forensic analysis, who takes all the data sources and processes them and figures out, okay, with this broad range of information that I have, how can I best reconstruct the most likely sequence of events that took place on this network? 

And that in and of itself is a very complicated issue, because proving what happened versus what's likely to have happened are very different things. 

But, yeah, so that's- that's sort of the- the broad overview of my- my work and my research career. I was, I- I did most of a master's degree. I almost finished the master's degree. I basically did all the technical work. And then I got to the point where I had to write up my thesis and at the same time, Covid hit and- 

Sofie:

Ah, okay

Jon:

and I got a job offer working for the company that I work at that was way better than any money that I would make as a master's student, which, you know. 

Sofie:

Yeah! 

Jon:

Yeah, not- not that hard to beat. But it was- it was a very generous job offer. And I thought, okay, does it really matter if I finish this master's degree? 

Or- or is what mattered, the stuff I learned during the master's degree. 

And they said, look, we- we don't care if you have a master's. That won't change your pay or your progression in this company or anything. 

Just, you know, show up and do good work and you will be rewarded for it. 

We- we don't really care what's on paper. It's like, okay, sounds good. I guess I'll do that. So I- I dropped out of my master's program and then just started working full time. 

I- I did not like academia. I did not like the- the environment of academia. You would think it would be really autism friendly, but I found that it is- it is very much not and so I much prefer work in the private sector, where they sort of just lock me in a room and throw problems at me, and then I solve them. 

Sofie: 

It's surprising how much of academia is communicating with other people, is being social, is networking, is those skills which perhaps aren't… 

Jon: 

Yeah. 

Sofie: 

My strength… [Laughs]

Jon: 

Yes. 

Sofie: 

As an autistic person!

Jon: 

It's- it's a lot of that. And, and it's not just that. 

Sofie: 

It's. 

Jon: 

I'm- I'm cool with communicating. Like, I'm fairly good at communicating information to people, but it's- it's ingratiating yourself to other people, like making, not- not just communicating to them, making them like you, that- that I have difficulties with. 

I- I don't think I'm like a particularly caustic person or anything like that. 

I just, I don't know. I'm- I'm- I'm there to research, not make friends and- and unfortunately you- you have to be there to make friends and research and- and that doesn't always- always go well for me. 

But yeah, I've- I've also like worked a lot with autism researchers, just with my- my hobby project which is- which is studying autism. 

Uh, and people have told me, oh, you should- you should take your research that you're doing and, and get a PhD with it. 

And I always have to be like, nope, nope, I am-  I- 

Sofie:

[Laughs]

Jon:

That is, that is not, that is not a field that- that I am interested in pursuing. 

That is not a course of action that I have any interest in pursuing because my- my brief time doing that as a researcher, like a full-time researcher and a master's student was not a particularly positive one. 

So I'm just like, yeah, no, I'm not going to do that. 

Sofie: 

I know you exist because you have a podcast explaining… 

Jon: 

I do, yes. 

Sofie: 

A lot of the results of your autism and Christianity research. 

And it sounds like you use a lot of computing skills for your autism research. 

Jon: 

Yes, umm pretty- Like, I mean I, I joke a lot about this. It's not just my computer skills, but my- my former work as a- as a signals intelligence and cyber warfare officer, um where, you know- say- say what you will about the government, but we're- we're very good at collecting information about large groups of people. 

That's a- that's a joke! 

Sofie and Jon:

[Laughs]

Jon:

But a lot of- a lot of the- a lot of the skills that I was, I was using in my career as, as a computer engineer working with the military, I basically used to help assist my research. 

So I've- I've collected over 26,000 autistic Christians and ex-Christians who are posting about Christianity and autism and basically put all their social media posts in a database and then used a whole range of analytic tools to figure out what it is they're saying and what it is they're doing and, and how they're thinking about things and what they're thinking and- and basically just doing a lot of data science on those types of things. Try to figure out dynamics and- and how things are working.  I also put out surveys and I do long form interviews and things like that. 

But I, yeah, I, I come at this from a, a very heavy data science perspective, I would say rather- rather than like a classic disability studies lens, which puts me sort of at odds with some of the people who do research in my field. 

I mean, it's like, to be clear, it's a hobby. It's- it's just something I'd like to do for fun. I've built quite a bit, quite the operation finding and then collecting and reading the posts of autistic people. 

Sofie: 

I would really love for somebody to do the same for STEM. 

If somebody could do an autism in STEM uhhh… thing, that would be great. 

Jon:

It would be!

Sofie:

It would be, I think, one of the things that I really value about listening to your podcast. 

In addition to the fact that a lot of the difficulties that we faced in religious environments are almost certainly going to be seen in other environments. 

Jon: 

Yeah. 

Sofie: 

In the episodes where you explain your methodology, you talk about finding people who aren't explicitly saying that they are autistic on their social media. 

And that's really important in terms of the sort of person who would explicitly say that they are autistic on their social media is a different sort of person. 

Jon: 

Yeah. So I think this is sort of like an issue with autism research more broadly. 

And like, I'm not like pointing fingers or blaming anyone. 

Like, this is- this is sort of just a difficult research problem to solve that I have only been able to solve from years and years of working on the same problem. 

And I understand most people working in academia do not have the luxury of just studying one topic for 10 years and just only focusing on that and never having to publish papers or anything! 

So I'd say this from a place of, I guess, academic privilege, but I- I find a lot of autism research has a pretty significant selection bias in a lot of the ways that it selects the people that- that it looks for for autism research. Especially when I look at papers that do online autism research, one of the examples I give is a lot of papers will look for autistic people and what they're posting by looking for the, the term hashtag actuallyautistic or the term actuallyautistic. 

And if you just poll people on Twitter or Bluesky or any social media app that allows you to have a bio and you look for someone who has the term actuallyautistic in their bio and then you look at their- their political orientation, it's going to be almost exclusively left and progressive. 

There are some exceptions to that. But, like 90- 90-95% are going to be left progressive. 

And that's not to say these are, these are bad people to survey. 

They're- they're not like I'm very much in- in that group and in that subcategory. 

However, autistic people exist in pretty much every place on the political spectrum and exist all- all over the place. 

And the- the type of person that identifies themselves with the hashtag actuallyautistic is the type of autistic person who's interested in advocacy, who's interested in being visible, who's interested in talking about autism and autism related issues, and that is not every autistic person by a very long stretch. 

And so if you only select those people, you're going to get a very skewed sampling of what autism is and not a sort of accurate representation of the full breadth of autistic attitudes on things like neurodiversity or things like, you know, what, what does it mean to be autistic? 

Or how should autistic people respond to various issues? 

And so yeah, this is- this is a problem that I- I see coming up quite a bit where I look at other online autism research and their methodology for selecting people and their methods are usually using like self-identifying characteristics and those self-identifying characteristics rarely work for- for finding non-biased sample sets. 

And so you sort of, you accidentally create a- a situation which you've, you've given your data set a massive survivorship bias because the only people that you will catch are the people who are the ones who are the type that will publicly identify and not the ones who will maybe say in a comment, you know, “oh, I'm autistic” or something like that, but not say it anywhere in their bio or anywhere easily identifiable. 

And unfortunately the only way to overcome this sampling bias is to do a lot of data- like capture a lot of data and have lots of data that you can train algorithms to identify other people with by using reinforcement learning and things like that. 

But yeah, that's my short explanation. 

Sofie: 

The short one! [giggle]

Jon:

Yes.

Sofie:

Oh… I've gone off topic a little bit and I want to go back to asking you about your work. 

So what sort of incidents do you typically respond to? 

Jon: 

Yeah, so the company I work for, we- we primarily specialize in small to medium sized businesses and small to medium sized enterprise. 

We do a lot of other stuff, but that's the- the market that we try to service because it's really underserviced and they- they are getting attacked a lot. 

So, most of my work is counter ransomware. So most of my incident responses are: ransomware has hit a network and we have to go figure out how the threat actor got in the network, if they stole data from the network, and how they encrypted the systems and how we could recover the systems. 

Ransomware and the sort of cat and mouse game that has been played over the years is really sort of fascinating because, first ransomware started off as just, you know, you- you get a file onto someone's computer and then you encrypt it and you encrypt all their files and then you hold them for ransom and you say, “unless you pay me, you're not going to get your files decrypted.” 

And this is a really effective tactic. However, there's a really simple solution to counteracting this, and that's just to have regular backups. So have, have weekly backups of your network. And if they ransomware it, you just restore to last week and oh no, you lost a week's worth of work, but, you know, worse things have happened than losing a week's worth of work, better than losing all your work. 

Sofie: 

True. 

Jon: 

And so then threat actors started targeting backups and targeting the backup strategies and, and knocking those out of, out of commission or they stay on the network for a really long period of time. 

And so they stay on the network for 30 days before they start the ransomware, so even if you back up, you back up to a place where their malware is still on the system and they can just come back and ransomware you. 

So we've, we've seen a few cases of that exact thing happening where a network gets ransomwared and then they revert to backups, but the backups they revert to still have the threat actor’s malware on them. 

And so the threat actor just comes back and re-ransomwares their network and over and over and over. 

And now- now we see what's called double extortion. 

And so- so ransomware is, is single extortion, but double extortion is they go on your network and then they steal as much company data as they can. 

And, and then after, after they steal the data, they put it online in an encrypted format and say, if you don't pay the ransom within, you know, seven days or whatever, we're going to publish the decryption key. And so they get put in this double bind where they have to figure out, okay, what am I, what am I going to do? Am I, am I going to just restore from backups and be safe? 

But then if I do that, all my data is gone. Like, everyone will have all my, all my sensitive company client data. 

So they, they get put in this really unfortunate situation. 

And most of the time when I get called- so my, my company stops a lot of these attacks from happening. 

That's like what we get hired to do. We have like a service monitoring, and as soon as the network gets compromised, we basically shut the compromise down, shut the people down and restore the network back to its safe state. 

But often after a company gets ransomwared, they don't know what to do. 

And so they come to us and that's, that's my job. I typically see them after the ransomware hits and then I have to go in and I have to figure out, okay, how did the threat actor get in? 

And this is often really difficult, right, because the systems got encrypted, and- and if the systems are encrypted, system logs are often encrypted or they're deleted and so a lot of the forensic data that you would normally use just isn't there anymore. 

And so you- you have to, you have to sort of try to fill in the blanks in a way that's very, very difficult and very hard to do because you're- you're in this situation where you are trying to- there are just so many unknown unknowns, and you really have to understand threat actor methodology and things like that. 

And so, so the whole- the whole ransomware game, I think, is very interesting. 

And it's, it's a whole economy in- in and of itself. 

And people don't realize this, but they, they think that ransomware is basically a team of guys, you know, from Russia or something like that. 

That's, that's where we see most of them coming from, is Russia and other Eastern European countries. 

They- they find a vulnerability in your network, they punch a hole in your network, they get their malware on, they spread it through your network, they take over your administrative accounts and then they ransomware your domain. 

And that's not actually what happens. What happens is there are- there's a whole economy and a whole ecosystem where you have, like, what's called ransomware as a service, where you have teams that will find initial accesses to a network and then they'll say, okay, I have an initial access to this network, I want to sell it on the dark web, I want to sell access to another- another group. 

And so then they sell access to a different team, and that team does the post exploitation and privilege escalation where they- you know, once you have a foothold in the network, they try to- the whole, the whole name of the game is once you get your foot in the network, you get admin creds and then as soon as you get admin creds, you, you exfiltrate data and you ransomware the network. 

That- that's sort of the- the, the kill chain in most ransomware incidents. 

But for, or in these particular cases, the people that do the exploitation often don't have the ransomware themselves. They buy the ransomware from a ransomware group or- or they will be subscribed to a ransomware service where the ransomware developers will be constantly modifying and changing their malware to get ahead of security researchers like myself. 

So then they- they do that and we're back there trying to figure out what they did and how their ransomware works to see if there are any ways that we can circumvent it or stop it. 

And so it's actually like four different groups of independent people all selling things to each other in order to extort and get financial leverage over companies. 

And that's, that's actually what it is. Instead of just one team, it's- it's a whole group of different teams doing individual parts and then selling those parts to each other in order to make a successful ransomware attack. 

So we'll, we'll often see someone will get initial access and then not do anything for a week. 

And then in a week, another group comes in using that same initial access to ransomware the network and, you know, sometimes they can do it in like two hours, sometimes it takes them a couple days. 

But yeah, that's, that's basically what we see going down on these networks. 

Sofie: 

So the- the double extortion, that sounds like it would be harder to respond to. 

Jon: 

Yeah, if that happens and it's already happened… 

I mean, the best case scenario is we're already on the network before that happens, so we can find it and stop it because it's actually- it's actually fairly easy to find that data exfil piece. Right? Because networks, networks typically don't pull huge amounts of data off of their network to a foreign server. 

Sofie: 

Yeah, [laughs]

Jon: 

Right! Like you- you typically don't see gigabytes of data leaving your network at 2am and so as soon as you see that, you can basically cut network access and stop exfiltration from happening and- and usually that's- that's sort of good enough. 

But after it's happened, a lot of times our job is to damage control. 

Right. So the analogy I use is the house is already on fire- like, your house is burned down and, and what we need to do is we need to put water on the house in order to make sure it doesn't spread to other houses and, and in order for you to build another house back up in the same place, you need this one to not be on fire anymore. 

And so often, often that's my- that's my job at that point. 

Like once again, a lot of, a lot of times after it's already happened, there isn't much we can do to, to revert what's already happened, but what we can do is make sure that it doesn't happen again. 

And that's- that's my side of the job. 

Like I said, my company also does continuous monitoring. So, we sit on the network waiting for these things to happen and like the things I find, we feed back into our analytics to detect people and then the things they find, they feed back to my team and so we have a lot of fluid communication between the two teams of figuring out what threat actors are doing and sort of trying to- trying to stay two steps ahead of- of the threat actors so that we can stop them before these things happen. 

But like recently there was a SonicWall vulnerability that- that dropped. 

Sofie: 

What was that? 

Jon: 

SonicWall is a VPN provider. So for- especially with like remote workers and things like that, they'll have VPNs that allow users to access their network. 

And there was a vulnerability that was found in SonicWall and a lot of people don't patch their VPNs and so as soon as it was released, ransomware groups just jumped on it. 

And that has basically been the last two weeks of- is just trying to- trying to respond to these various incidents. 

But we, we try to do proactive defense where we go, okay, you have a SonicWall thing, please patch it before this becomes a big problem. 

Or if they, they do have it, then we pay extra close particular attention and then as soon as something comes up, we smack it down pretty quickly. 

So- so things like that, that's, that's sort of the, the day to day life. 

It sounds very exciting and it sounds very cool, uhh but- I think it is. I think it is. But like if you looked at it from a, like, if you were watching me do my work, it's just a lot of writing code and writing scripts and doing data analysis. 

It's- it's definitely a nerd job, but I love it. 

Sofie: 

We need nerds who love nerd jobs. 

Jon: 

We do, we do. I'm a- I'm a proud advocate for- for our people doing doing interesting work. 

Sofie: 

So were you headhunted into this position? 

Jon: 

I mean, kind of, sort of. So basically I put my notice in that I was leaving the military. 

As soon as word got out that I was leaving, all the guys that I had previously worked with who also had left the military called me up and were like, Jon, do you want to work for, for my company? 

Please come work for my company. And so sort of- sort of headhunted in that as soon as my friends knew I was, I was gone from the military, they- they all jumped at the opportunity to try to recruit me. 

Sofie: 

Presumably because you've shown that you are very good at what you do. 

Jon: 

Yes, yes. Basically the- the guys I worked with either in intelligence or military in the- in Canada, the UK and the United States all- all thought quite highly of my skill set and wanted it for- for their teams. 

And I mean, I chose this one because a lot of the guys that I had previously worked with that I looked up to- that I looked at and was like, these are the types of people I want to be like, this is sort of where my career aspirations are and they work at this company. 

And so I'm going to join that company. I- I don't want to be the smartest person in the room. 

I want to be- I want to be one of the guys who has the ability to build and develop in pretty significant ways and so I figured this would probably be the best place to do it. 

And, uhh, it's worked out pretty well. 

Sofie: 

That sounds really positive. 

Jon: 

Yeah. 

Sofie: 

What are you hoping to do next? 

Jon: 

Luckily, my company offers a technical career progression where you can, without going into management or anything like that, you could just stay in a technical path doing technical things. 

And I recently was promoted to the highest rank there, so- so I'm- I'm now a principal security analyst, which is very fun. 

But my, my future work is- is mostly just continuing to do the work I'm doing, but do it better, faster, more efficiently. 

So figuring out how to use LLMs to speed up my work or to do things that I normally wouldn't have done, but now that I can sort of outsource a lot of the grunt work coding to an LLM, getting that to do a bunch of things, figuring out faster automation, more accurate, better analytics, better development, those types of things. 

So more of the same essentially, but just being better at more of the same. 

Sofie:

Yeah? 

Jon:

You know, it's, it's, it's a continuous iterative process of improvement. 

And so I'm mostly just focused on continuing to iterate that skill set. 

Sofie: 

It's been really wonderful talking with you. Is there anywhere that people can find you? 

Jon: 

Yeah. I mean, professionally, not really. I keep a low profile. But if you- if you're interested in any of the autism research that I do, you can find me on Twitter or X, I guess it is now, at christianityon, you can find me on Bluesky, christianityon.bsky.social, and you can find my podcast, Christianity on the Spectrum, wherever you get podcasts, if you're interested in a sort of sociological analysis of autism and religion and I guess, other things now! That's- that's where you can find me. 

Sofie: 

Great. Thank you so much. 

Jon: 

Yeah, thank you. 

Outro – Sofie: 

I hope you enjoyed listening to that as much as I did. 

I was super nervous because I've been listening to Jon's podcast, which I really enjoy. 

It's called Christianity on the Spectrum and you can find that wherever podcasts exist. If you want to find Jon on social media, he's at christianityon on X and Bluesky. 

If you want to follow this podcast on social media, I'm at disabledscientist.com on Bluesky. 

And if you want to contact me, you can email podcast at disabledscientists.com 

Thanks for listening, bye! 

[Outro music]