In this episode of the Phillip Wylie Show, Allie Mellen shares her journey from a computer engineering student to a cybersecurity expert and industry analyst.
She discusses the importance of hands-on experience in cybersecurity, the evolution of cybersecurity tools, and the significance of a hacker mindset.
Allie also emphasizes the need for clear communication in cybersecurity for non-technical audiences and provides advice on selecting cybersecurity products.
Additionally, she introduces her new book, 'Code War,' which explores the intersection of cybersecurity and geopolitics, highlighting the impact of global events on cyber warfare strategies.
=========================
Connect with Allie Mellen:
LinkedIn: https://www.linkedin.com/in/hackerxbella/
Allie's book: https://www.amazon.com/dp/1394285574
=========================
Connect with your host, Phillip Wylie:
LinkedIn: https://linkedin.com/in/phillipwylie
X: https://x.com/PhillipWylie
Instagram: https://www.instagram.com/phillipwylie
Allie: ...and we ended up hacking the Square reader and turning it into a credit card skimmer, which was really, really fun and really interesting. And so we presented it, and our professor was like, "This is really cool. You guys should submit to Black Hat." And I was like, "What's Black Hat?" And so we submitted it to Black Hat and it got accepted. And so my first real experience with the cybersecurity industry was flying out to Vegas and speaking on it and getting on CNN and CNBC and all of that.
Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now, here's your host: offensive security professional, educator, mentor and author, Phillip Wylie.
Phillip: Hello and welcome to another episode of the Phillip Wylie Show. I'm really excited today to be joined by Allie Mellen. Allie and I first connected during the pandemic. There were a lot of virtual conferences going on, and that's kind of where she first came on my radar. We were connected on X, then Twitter. And it's just been really interesting and amazing to watch your career. And so this is going to be an interesting episode. One of the reasons for bringing Allie on: she's got a new book that's coming out. So I want to make sure that we get the word out on that and learn more about the book. So welcome to the show.

Allie: Thanks so much for having me. I'm thrilled to be here.

Phillip: So before we get started, would you mind sharing your hacker origin story, kind of how you got started up until what you're doing today?

Allie: I'd love to. I actually got started in the security industry in kind of a fun way. I was getting a degree in computer engineering. That was my bachelor's degree in college. And I took the one cybersecurity class that you had at the time. And it was all about hacking and defending, and really, really hands-on. So we were hacking a server for our midterm, hacking and defending for our final. It was, I mean, all things considered, looking back, it was really, really cool. Just thinking about the work that our professor had to put in to set that up for everybody to be doing that, like the lab and everything, was really neat. And at the time, one of the things we had to do was a midterm project where you either replicate someone's research or create research of your own. I, with a couple of friends, opted to create research of our own. And we ended up hacking the Square reader and turning it into a credit card skimmer, which was really, really fun and really interesting. And so we presented it, and our professor was like, "This is really cool. You guys should submit to Black Hat." And I was like, "What's Black Hat?" And so we submitted it to Black Hat and it got accepted. And so my first real experience with the cybersecurity industry was flying out to Vegas and speaking on it and getting on CNN and CNBC and all of that. So it was a really cool introduction to the cybersecurity industry. And after that, of course, I was stuck. I definitely fell in love with it immediately and wanted to continue on with it. So that's kind of the origin story. And from there, I was a hacker for a while before becoming a security practitioner and then an industry analyst. It's been a fun journey.

Phillip: Yeah, that's really cool, because I see some folks that get into security research that are not really doing the hands-on kind of research. They're kind of researching in the old-school way that you research for some type of college paper or some kind of article. But to get the actual hands-on experience is really good. I think, especially to be a security researcher, to really be good at it, you really need that background, because in so many cases when people don't get their hands dirty and do some hacking, they really don't understand the risks of some of these things. All they can do is depend on what CVE they read or whatever research they read about it. And hopefully they understand it well enough, but it's good that you actually got the hands-on hacking part of it.
Allie: You know, it's so true, because one of the things that I really loved about it is it's so different being on that hacking and tinkering side of things compared to the business world that I now spend most of my time operating in on the defender side. And I think that this is so funny, because one of my favorite things to do is go to DEF CON, because it feels like everybody there is immersed in that hacking and tinkering and just having fun and experimenting aspect of it that I really love, that I think in some ways once you get more into the business side, it's really easy to lose. And that's the true joy of what we do here. So I'm really glad that that was kind of where I got started with it.

Phillip: I think, just kind of reiterating, that's really great that you got that experience, because one of the things I run into, since my background's offensive security, is that so many times the people that haven't worked in that area at all, haven't done any kind of research or hacking, really don't understand the risks, and they underestimate things like security research, bug bounties and pen testing in some cases. Because in so many cases nowadays, one of the gaps I see is these canned tools to do phishing campaigns that send out the emails at least once a month. And it's really testing for security awareness: if someone clicks on something, there's no repercussions. They really can't test anything beyond security awareness. And sometimes they feel like that's good enough, but it's not. You really need to be testing what happens if someone clicks on malware or ransomware or something. You really need to test for that. And it's just really underestimated, I think because so many people don't have the exposure, you know, having the background like you or working in offensive security. I think that really misses out a lot.

Allie: Yeah, it's that second-order thinking of what comes next after this, like not just the first step, but the step after that and after that. It's like chess. You have to be thinking one step ahead, two steps ahead. And I completely agree. You can miss so much from the defensive side if you don't take that kind of approach.

Phillip: It's like once you develop that hacker mindset, the world's a different place. I mean, I remember one time I was in Minneapolis-St. Paul for a pen test. And I remember waiting at the luggage area to pick up my bag as it came through on the conveyor, and I saw a USB stick lying on the ground. And automatically I thought there's malware on it, whether it was probably innocent or not. But, you know, once you get used to it, you really need that mindset, because then you think of what's possible. You know, there could be certain vulnerabilities that you've had experience with, and you know where it could be taken from there. So I think that's really awesome.

Allie: Very true.
Phillip: So what really motivated you to evolve your career in the direction that it went in?

Allie: So that's a great question that I actually haven't been asked that often, so I'm kind of excited about this. It came really naturally. To be honest, a lot of it was, especially as I transitioned into becoming an industry analyst, just wanting to break down complex things and explain them in a way that makes sense. And also just wanting to cut through a lot of the noise. I think one of the biggest challenges we have in cybersecurity is we spend, in the broader business sense especially, a lot of our time focused on things that are kind of pipe dreams or snake oil, or aren't really going to go anywhere. And I don't love that. I want us to be focused on the things that are actually achievable and actually possible. And so I find that, especially in my role as an industry analyst, I've been able to cut through some of that and try to give a really balanced and focused perspective. But more than anything, my focus is on detection and response to cyber attacks by nation states. And of course AI is a part of that, because no one can escape that today. And what I really love about that is just the dynamic nature of it. I think that there's so much that is interesting about why nation states choose to do certain things, how they go about it, how that's evolving, how it fits into the broader picture of, geopolitically, how our world is changing. And so it's been a very natural transition for me and a natural form of growth for me, where I feel very fulfilled by being able to help people in that way. And especially, in all the work that I do, I work very closely with a lot of enterprise security teams that are trying to improve their detection and response strategy. That's by far the best part of my job.

Phillip: So how has that area, like EDR, XDR and SIEMs and so on, how has that really evolved since you got started covering that kind of content?

Allie: It's a great question, because I have a slide that I have kept for a number of years now, which is just of a dumpster fire, to kind of showcase just what a mess it is, because there's so much happening, especially on the SIEM side, from an acquisition standpoint, changes in the market, that it's been really fascinating, but also put customers in really difficult spots. And I think there's a lot of potential in the direction that it's heading right now, particularly with how XDR vendors are trying to take on the SIEM market and how a lot of the SIEM vendors are evolving to be a little bit more targeted and useful. But the thing that I come back to is, unfortunately, in a lot of cases, unfortunately and fortunately, to be honest, the SIEM is a tool that is designed to be built flexibly and to change to what the practitioner needs it to be. And so that means it's a lot of work. In a lot of the conversations that I have, I hear the same thing over and over. It's like, any SIEM, it's a lot of work to use. That's just the reality, but a lot of the teams that I talk to don't have the staff or the time to be supporting that. So it's really challenging, but I think both of those markets are moving in a good direction. And especially, I'm a huge skeptic of AI, of technology, but I really am starting to see a lot of value add with AI that goes beyond "oh, here's an incident summary" into "hey, we're automating investigation and parts of investigation in a way we couldn't do before." So I'm pretty excited about where that's going to go in the next five years.
Phillip: Yeah, I think that's a good mindset to have: have an open mind, but still be skeptical, because I think people get too caught up into "AI is going to take care of everything" and just rely on it blindly and not be skeptical about it. So I think that's a good, healthy mindset to have.

Allie: Yeah, it's very true. It comes back to what we were just talking about, about trying to get down to the truth of it and not just lean into the flowery language, but what does this actually look like? And I think it comes back to the hacker mindset. I mean, the way that you do that, like, you don't have to be a hacker to do this, is just: how does it actually work? What are the things I need to know about how it works to make sure that it can actually work the way that I'm expecting? And so part of what I love about writing and about a lot of the work that I do is that I can give, or try to give, that underlying layer, that lower level of "this is how it works and this is why it can or can't work the way that you're expecting," which unlocks a lot for people.

Phillip: Yeah, and I think that's such a value that we need, because with all the products out there and the vendors, sometimes the people writing the marketing materials don't understand the topic they're writing on. I've been on some marketing teams before, and they're writing something up and I would say, "No, this doesn't do that. This doesn't replace pen testing, but it replaces this." So it's really good to have a resource where you can get the facts, because, you know, at the end of the day, they're trying to sell their product, and you can't blame them for trying to, but not always do the people marketing it or the people selling it have a clear understanding, and maybe it's misinformation or just overhyping something and not really truthfully sharing the capabilities.
Allie: Yeah, I mean, so I was a security strategist, which was focused on the security team side of things at a security vendor, but I would interact with the marketing team a lot, because they knew that they could come to me and ask questions and that I would give them honest answers and that I would give them perspectives that they couldn't necessarily get in other places, because the other people didn't have time or didn't want to talk about it at such a high level and things like that. And so I do think that there's such a huge opportunity to be more approachable and useful for people who don't necessarily understand cybersecurity but want to. And one of the things that I try to push in a lot of the work that I do outside of my role as an industry analyst is: anyone can understand this. This is not something where cybersecurity is only for the technical people. We can all understand this, and there's a role for every person to play, and the question is, how do we get there?

Phillip: And so in your role, how are you able to break this down to where people that aren't super technical can understand what you're writing about?

Allie: It's a good question. I mean, a lot of times it is about truly knowing a subject. Everybody says you don't really know something until you can explain it in very plain language. And I think that's extremely true. And so I think the hardest part is a lot of the people I work with are extremely technical. And I think we see that throughout the industry, where there are CISOs that are extremely technical. There are other CISOs that are not. And finding the balance of how do I explain this in technical depth and at that higher level becomes very important. And so typically what I do is I try to give both. I try to give that high level and then kind of progressively disclose what's the deeper thing, the deeper meaning, the deeper perspective, the lower-level details of what's happening technically here, and give everybody what they can use and what's helpful for them. It doesn't always work. I mean, there are some things where we're just not going to be able to get to the technical depth that I necessarily want to. Or vice versa, we can get to the technical depth, but it's hard to bring it up for that business-minded person. But we talk a lot about the importance of having a very balanced team. And I think that this is very true for the role of the CISO. You have to not just be technical and understand things, but also have that business savvy and business perspective. And if you don't, that's actually okay. Just make sure you have someone on your team that does, and they can push back on you and be the person to give you that perspective. And recognizing in yourself where your strengths are and where your weaknesses are is another really important part of that.

Phillip: Yeah, that's such a great skill, to be able to explain things in a way more people can understand, because, you know, you're a sharp person yourself, but you work with a lot of... I'm sure you've worked with some of those people that are just super intelligent, and it's just kind of hard for them to speak on the level of us normal human beings. And then to try to explain that to business folks or management types is a skill that's not always held by technical people.

Allie: Very true. Very true. It's also just very difficult, and not everyone should spend their time doing it. There are some people who just shouldn't be doing it. It's okay. They've got better things to do.

Phillip: So what is some of your advice for someone that is wanting to get a product? Because, as you kind of mentioned earlier, the marketing out there is not always accurate. What is a good way for someone to be able to find a product, do some personal research, or some resources that they can go to, to get a good idea on what kind of product to implement in their environment?

Allie: It depends on the use case and what they're looking for. But to be honest, one of the things that I say a lot is, cybersecurity is a word-of-mouth community. A lot of it is: what peers are you talking to? What is their advice? What are they seeing in their environment? Because there are a lot of tools that have really great demos, but it operates very differently in your environment. And so identifying what exactly you need, what the resources on your team are prepared to use or capable of using, what they have experience with, and then being able to sit down with your peers and with people who talk to your peers on a regular basis and get a better understanding of what it's actually like to work in the tool is, unfortunately, where a lot of these decisions start and where they get a lot of perspective for these decisions before you get to things like the POC stage. I really think that conferences can be really helpful for this and getting to connect with other CISOs and security practitioners. Of course, I regularly talk to people about the decisions that they're making from a technology standpoint, what it's like to work with the vendor. Because I think it's really unique in cybersecurity just how much it matters if you're a partner with the user, and if the user feels like they have a partner in the vendor. It's a very partner-forward, trust-forward industry. And so a lot of times that requires a conversation of: is this vendor a partner to you? Are they respectful? Are they able to bring the right people to the right call at the right time? Especially once you start to work with smaller companies that maybe don't have the same pull or sway as some of the largest in the world.
Phillip: Yeah, that's also nice too. You get some bigger companies that may have a bigger budget, and they don't have to be as careful with it. So if you can learn from them, that's a great resource to have.

Allie: Totally, that is so true.

Phillip: So one of the main reasons we had you on today is to talk about your new book. If you wouldn't mind telling us about your new book and the title.

Allie: Yeah, I'd love to. So my book is called Code War: How Nations Hack, Spy, and Shape the Digital Battlefield. And it is all about the intersection of cybersecurity and geopolitics. So specifically, that gets into how the histories of Russia, China, and the US have led to the way that they use cyber attacks and defenses today. And I explore that both from the standpoint of the attacks that they're perpetrating on other countries, but also some of the attacks that they perpetrate on their own citizens, and the way that they use the defensive measures that they've built to target their own citizens. It's been really fascinating. I pull themes back from Tsarist Russia, Imperial China, and I pull those through to give context for why they're using cyber attacks the way they do today. There's a lot tied up in the history of these countries and how it relates to their present decision-making. And then also, on the other side of that, I look at the modern context in each of these scenarios. So even when I'm looking at something from 2010, I'm saying, what was going on in the world that made this the reality for that present moment? What was so important that was happening then that led to this outcome? And it's been really fascinating, because I've had this premise for a long time that these things are incredibly interrelated and that I'd see a lot of ties, but I did not expect it to be as tightly tied as it is. So it's been really cool. I've really enjoyed writing it, and I'm so excited for it to come out.
Phillip: That's very cool. And the geopolitical thing is more important now than ever. I mean, things are going on now that you would have never expected. So it's good timing to be putting this book out.

Allie: It's so funny, because I've been working on it for two years. And last year, as I was working on it, I was like, man, I really wish this could come out right now, because there's so much change happening, but I couldn't have even anticipated how much change would be happening right now at this moment. There's no other moment for this book to exist than right now. And I think that's so important, because one of the things that I do is I bookend what's happening in the book between the Gulf War and Russia's war in Ukraine. And I liked to start the book with the Gulf War because I see it as this inflection point for hybrid warfare. We saw that the coalition forces relied on these joint operations between individuals, between the electronic warfare that they were perpetrating, between all the different divisions, to come together and really have a successful and decisive approach. And it was so fascinating at the time because it was a big sign for China, like, hey, we need to start thinking more holistically about what we're doing from a joint warfare approach. Russia had already been doing that, but it was validation that, yeah, this is the right direction, this is the direction that we need to continue on in. And to contrast that with where we are today, where we're at this inflection point with Russia and the war in Ukraine, we're really seeing this hybrid warfare take off and be used in very unique ways, especially with cybersecurity, in a way that it couldn't have been used, cyber attacks couldn't have been used, in 1990 just because of the timing, but now they're such a fundamental part of joint operations. It's been really fascinating to see the change over that time period. And you combine that with what's happening and the changes that are happening with AI, it's just a major inflection point for hybrid warfare in a lot of different ways.
Phillip: Yeah, it's really scary with the deepfakes and just what people can do with informational warfare. I mean, just go look at some of the stuff on social media, and some of these social media platforms aren't really filtering for false information anymore. So there's a lot of information out there that is causing divide that is just totally not accurate at all. You see this stuff and you would think that that social media account was a satire site because of some of the things that they're saying.

Allie: It's so true. It's unreal. There are some things that I see and I'm like, people must know that this isn't real, right? But then I see all the comments in there. They are totally in it. They believe it. And to your point, one of the other things that I talk about is I reference tech companies, especially some of the huge tech companies and social media companies, as kind of the fourth power, if you think of the three powers as China, Russia and the US, and their role in this, where we've seen them just stop restricting the things that they allow people to post, whether it's actually accurate, whether it's disinformation, and it is changing society in a lot of ways. And so it's interesting to see that too, this inflection point with a lot of the tech companies where they're like, we don't actually need to do all of the work we were doing to maintain a healthy digital society, or they're starting to kind of push away from that in a way that is causing real harm. And also we're seeing that it actually does have a major impact on the things that a lot of people believe. So I think, kind of to round down, all of these shifts that are leading to this inflection point: it's a weird time. It's a very weird time.

Phillip: Yeah, we're at a scary time, because you think about how easy deepfakes are. I remember back years ago, Alyssa Miller was one of the first people doing talks on deepfakes and doing demos on it, and it used to be a really complicated process, and now it's just getting ridiculously easy. And you hear about the one, I forget the company, that a while back had a Zoom call and they were able to do deepfakes to convince someone to transfer millions of dollars. So it's getting really scary what you could do from that standpoint, and just from an actual physical security standpoint it really scares me: if you're able to convince someone this is going on, what kind of reaction are you going to be able to elicit from that false media that you create?

Allie: Very true. I mean, one of the things that I talk about in the book is, in the chapter that focuses on Ukraine, the competing deepfakes that were made of Zelensky and of Putin, and how they kind of went back and forth on trying to convince the populace that one side was giving up or the other side was giving up. And that was at the time when they weren't even that good at deepfakes yet, but now they would look so much more accurate. So it is like we need multiple layers of authorization and enforcement to make sure that, beyond just seeing the person, you actually have multiple layers of authentication to prove that the person is who they say they are. And even in those scenarios, if you're talking about a new hire, it might not be something that you can necessarily do effectively to prove that that person is who they say they are. So it presents a whole different challenge when you get into the whole hiring aspect and the fact that you might not know this person, and what do you do in those circumstances where you don't know them from the get-go, and so you don't know what to expect or if they're actually going to be the person that you think they are?
Phillip: Yeah, this is very scary stuff. I'm hearing that a lot more people are requiring new hires, if it's a remote job, to actually come into a physical location during the hiring process, because you hear about some of those schemes where people would have all these different computers set up and one person would be working for multiple organizations, and it was for a nation state, so it's pretty crazy.

Allie: It's really crazy. I definitely think that actions like having the people come in in person are one of the better ways that we can defend against this. Obviously, I'm sure that you were doing the same: my mind goes to a million different ways you could circumvent that or make sure that that isn't a problem, but at the same time it is one of the most effective ways that we can try to at least limit the spread of these being effective.
Phillip: Well, I appreciate you taking time out of your busy schedule to join me today. So when does your book come out?

Allie: Absolutely. Thank you for having me. It comes out on March 17th, St. Paddy's Day. So it's a good moment. I'm very excited, but it's available for pre-order now.

Phillip: Yeah, so giving more reasons to celebrate the holiday. So absolutely, we'll be sharing in the show notes a link to your book. As I see, it's on pre-order too, but not long to come out, so if someone pre-orders it, it won't take long to get your book. So how can people get your book?

Allie: Yeah, so it is available anywhere books are sold. So Amazon, Barnes and Noble, books.com, you name it. You can also go to my LinkedIn, and I've posted a lot about it, of course, so there's definitely links there that you can use to find it.
Phillip: Very cool. So is there anything you'd like to share before we close out the episode?

Allie: I think just this is a really important moment, and one of the things that I did when I wrote this book was I tried to make it accessible for anyone. We kind of started the conversation here, and so I want to highlight that this was not necessarily written for a technical person. This is written for anyone to better understand cybersecurity and why it should matter to them as a person, and why they should be thinking about the privacy of their data and their responsibility interacting in an online ecosystem. So I hope that you have that thought as you go through the book, and definitely share it with people who are not necessarily in cybersecurity, but you want them to know about cybersecurity. I think that they'll enjoy it. One of the things I was thinking as I went through was, oh, how can I have little, not gossip, because it's not, it's all real, it's all factual, but little things that would be interesting or funny to people or keep them engaged and not have it be so dry. So be on the lookout for those too. And definitely, anyone who does get it, please let me know what you think. I'd love to hear from you.
Phillip: Very good. Yeah, that's a much-needed resource, because there are so many books out there that people can get on, you know, the basics, antivirus, firewalls and that type of stuff, but, as you mentioned, when you get into the geopolitical stuff, you get a better understanding of the risks of the different threat actors. Most people think about just the person in the black hoodie in the basement and don't realize that for some of these nation states, it's a business, with a lot of people helping them run the business and scamming people out of money. You hear a lot of times of people that are less technical or older that don't understand technology that get scammed out of their life savings.

Allie: Yes, the number of stories that I've heard from people who I know, who are friends of mine, where they've had this happen to their families is just terrible. Especially once you get into the older population and how they target them, it's despicable. So anything we can do to raise awareness and to help promote understanding of the ecosystem better.

Phillip: Well, thanks again, I appreciate you joining.

Allie: Thank you so much for having me. This was fun.

Phillip: Yeah, thanks everyone for joining, and I hope to see you on the next episode. Make sure to check out the show notes so you can connect with Allie as well as pre-order her book, and make sure to share and subscribe to the podcast. Until next time, take care.