The Role of Adversary Emulation in Modern Cyber Defense Strategies with Steve Kain
About This Episode
This week, hosts Rachael Lyon and Jonathan Knepher delve into the intersection of sports and cybersecurity with a fascinating guest, Steve Kain, an adversary emulation manager. With a background spanning both offensive and defensive security roles across the media industry, government entities like the DOD, and even sports organizations including the Baltimore Ravens, Steve brings a unique perspective to the table.
This episode explores the cybersecurity challenges faced by high-profile sports teams, the rise of online impersonation, and the value of adversary emulation in proactively defending against threats. Listen in as Steve shares insights from his diverse career path, offering valuable advice for those looking to enter the cybersecurity industry and highlighting the importance of mentorship and continuous learning in today's dynamic cyber landscape.
Rachael Lyon:
Welcome to To the Point cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point.
Rachael Lyon:
Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Jon Knepher. Jon.
Jonathan Knepher:
Hi, Rachael.
Rachael Lyon:
Hi. So I have a fun fact for you, and I don't know if you know this. You know, there's still the groundhog, you know, that kind of predicts if we're gonna have, you know, six more weeks of winter. Apparently, there's an alligator, like a 20-year-old alligator, and an armadillo that will also do predictions. And this year, all three of them predicted six more weeks of winter. Although, here in Texas, it's in the mid-eighties. So I'm not quite sure when that's gonna kick in, but I'm just jealous of you in San Diego with your perfect weather all year round.
Jonathan Knepher:
Well, that's interesting you mentioned that because we've had an incredibly dry winter here. And just today, it started raining. And we're expecting a whole lot of rain over the weekend, which we're very happy about. So that's great news.
Rachael Lyon:
Everybody wins. Everybody wins. So I'm really excited about this week's guest. We're gonna delve into a topic we really haven't touched on here in the six years of the podcast. Please welcome Steve Kain. He's an adversary emulation manager with the Maryland Department of IT. He's worked on both the offensive and defensive sides of security across the media industry, within government, including the DOD, as well as sports teams like the Baltimore Ravens.
Rachael Lyon:
He believes security goes beyond firewalls and policies. It's about culture, behavior, and mindset. Couldn't agree more. Welcome to the podcast, Steve.
Steve Kain:
Hi, Rachael. Hi, Jon. Thanks for having me.
Rachael Lyon:
Definitely. So, Jon, kick us off.
[02:02] Cyber Threats in the Sports Industry
Jonathan Knepher:
Yeah. So, Steve, you know, we don't often think of sports and cyber in the same instance. But given the high-profile nature of the industry, you know, it seems like cybersecurity is vital. What types of cyberattacks are sports teams most at risk for?
Steve Kain:
I think the most honest answer I can give you is that sports teams tend to share the same risks as really any other business right now. You can spend a lot of time doomscrolling LinkedIn and look around and see the things that keep everybody up at night: third-party risk management, business email compromise, data breaches, AI deepfakes. Those are a lot of the same issues that I think we face in the sports industry.
Rachael Lyon:
Yeah. It's kind of amazing, all the proprietary information too. Right? I mean, very sensitive information that sports teams hold. And then I think of, you know, like, Formula One racing. Right? All of that data that they use to, you know, manage the car, manage the race, and it's all top secret. You've gotta lock it down. And I just can't even imagine, especially with something with so many sensors and so many inputs, like a Formula One car. I mean, security must be quite an interesting task.
Rachael Lyon:
But kind of piggybacking on that, you know, today there's a lot about, you know, online impersonation of athletes or executives or, you know, you name it. And with the AI deepfakes, right, it's kind of muddying the ground of how do you know if it's a fake? How do you know if it's not? You know, particularly when you have, like, a sponsor that wants to engage or, you know, kind of an executive that wants to reach out and approach you for talent, to sign you or whatever that might be. I'd be interested in your perspective there.
Steve Kain:
Thanks. That's a great question. I'll go back to your first question too. I think something that does make it a little different, and something that I learned really early on with the Ravens, was that we're obviously in the sports industry, but we're also in the entertainment industry as well, which is something I really hadn't considered until I got there. I was having a conversation with somebody, and they said, well, you know, we're also in entertainment as well. And it kind of shifted my mindset a little bit. So to come back to the online impersonation stuff, I spent more time with those kinds of problems than I thought I would. And I found that there is no perfect technical control you can put in place for a lot of that.
Steve Kain:
Part of it comes back to investigation, just putting as much pressure or trying to impose as much cost as you can on the actor, and really teaching good OPSEC. I can think of a handful of instances. There was one where I was so, like, offended by what the person was doing. There was a scammer that was posing as one of our cheerleaders. They approached a young man who was disabled, and they were trying to sell him some, like, fake autographed stuff. And the person's mom reached out to us and was like, hey. Is this real? And so we started doing some investigation, and it was pretty obvious. We were able to come back and say, no. No.
Steve Kain:
It wasn't. So then that presents the problem, like, well, you know, who do you go after? Right? And it was a major social media platform. And what I found in my experience is that unless you have, like, a bat phone where you can call somebody at one of the big three, you're not going to get a whole lot done other than complaining. And there's not a whole lot of contacts there. They don't have, like, a, hey, call us and tell us that there's something bad happening. Right? So it was going after, you know, I went to the company that the scammer was using to get paid, and I actually did get to report them pretty easily. And then I just kept going back and complaining to the social media company about these folks masquerading as cheerleaders, because there was more than one account doing that.
Steve Kain:
And then another way to look at it, there was a group of scammers who had set up pages on a large social media platform where they were just posing as a fan page, but then posting these really, really salacious headlines. And, you know, I don't wanna make too many analytical leaps, but if you follow the clicks, right, it takes you to a website that they control. It was loaded full of ads, so they're probably, you know, generating some degree of revenue. But they're also using salacious headlines to redirect people to a site they control. Right? So the days of popping browsers all the time are probably getting past us, the way a lot of the browsers are getting patched near daily. But, you know, that's an issue. And it's hard. One of my big missions, I had this board up on my wall, and it was, like, six really basic high-level strategic concepts.
Steve Kain:
But number one was protect the franchise. Right? So I always had in my mind, like, I have to protect the franchise, and I have to protect the people within it. Because, you know, without that, like, it's a lot of damage to the reputation. So, anyway, it was a big challenge. Going after big social media companies and trying to get these takedowns done was a challenge. Thankfully, I was able to reach upward into the league, and they had contacts there. And, you know, when you communicate upwards to them, they're able to communicate out to the other clubs and say, hey. Here's this issue.
Steve Kain:
Is there a problem with you all too? And if enough people say yes, then that kind of helps sway leverage. And with respect to AI and deepfakes, which you brought up too, sorry, I didn't mean to cut you off, but with the AI and the deepfakes, there was a time when I, you know, I had a physical security counterpart who had also come over from the government at the same time I had come over to the Ravens. Great, great, great person. And we were, over time, figuring out areas where our paths crossed. And we went to go brief the rookies one day. And, you know, really, we did a parlor trick, but we thought it would be fun, where, you know, you download some lame app to change the caller ID on your phone.
Steve Kain:
And, you know, I called him posing as the president, and then he showed the players. And they were like, oh, wow. We both know that's, you know, that's a $5 app, and, like, you know, you're probably giving up your personal data to this company the minute you put it on your phone. But I was so impressed. One of the rookies immediately spoke up and was like, well, yeah. But that's why I always validate with FaceTime. And I was so proud.
Rachael Lyon:
Oh, I like that answer.
Steve Kain:
Right. Like, and it's just a reminder. Like, all you have to do is practice good OPSEC. Right? Where, like, if you try to bake OPSEC into your day-to-day decisions, like, it tends to make it, hopefully, easier. I think a lot of the AI and deepfake threats, they call and they try to come and bring this, like, very harried, like, I need you to respond right now. And, you know, Billy's in a well, and I need 50,000 Bitcoin and, you know, whatever, staying. And if you just stop and take a beat and you're like, alright. Well, FaceTime me from the well, maybe.
Steve Kain:
You know? Yeah.
Jonathan Knepher:
That's a good question.
Steve Kain:
We got no calls about Billy in the well.
Jonathan Knepher:
Yeah. And I think too, like, that's becoming a problem just across the board. Like, you know, I get those same hurried, like, texts of, you know, we need you right now from the CEO. And it's like, well, it's not the CEO. So, yeah, that's definitely good advice there on, you know, validating who it is. And, you know, I think your point of using FaceTime as validation is a great suggestion.
Steve Kain:
Mhmm. And not engaging. Right. It can be another thing. Like, there was a Friday afternoon where the whole company got texts from someone. And, obviously, just don't engage was the message, and it didn't get very far.
Jonathan Knepher:
Yep. And kind of this leads to, like, as you know, like, you know, this is, you know, a high-profile, you know, entertainment-adjacent, like, area here. Right? Like, you have a lot of high-profile individuals, and they're obviously prime targets for not only these kinds of attacks, but other data breaches. And what kind of measures do you put in place kind of on that side to protect the employees and the players and, potentially, like, how far out does that scope go to protecting, you know, their families and so on from hackers and other social engineering threats?
Steve Kain:
Another great question. Another problem I faced there, which led me into a really great amount of research. And it lends back to the prior problem. If you have scammers posting information about people, you know, one of the security adages, right, if you lean back on your core fundamentals, is reduce your attack surface. So how do we reduce our attack surface there? You've got all these third-party data brokers. And, you know, you could Google somebody's name. And this can happen to anybody, whether or not you're a starting offensive lineman or, you know, it's me or your neighbor down the street. Like, you can Google their name and pretty much get their address and, you know, take a Google Maps photo of their house and send them, you know, everybody's gotten that form letter now where it's like, I know where you live, and I've seen you do things, and scan this QR code and send me Bitcoin.
Steve Kain:
And, like, whether or not, you know, you're a football player or an accountant, like, you're a target for that. And the easiest way to remove that is to get your data out of these third-party sites. So you start researching it. Right? And you try to think, oh, well, there's gotta be some great services to do that. But there's kind of a bleak market, because the minute your data gets taken down from one place, it may go back up into other places, or it might go back up in the original place. So when I was looking at solutions, I was trying to look at a multi-tiered approach. In a perfect world, I get an opportunity to treat everybody the same way. Realistically, you're not.
Steve Kain:
And you're gonna have some super high-value targets, where if you've got the means to be able to do it, the most effective way might just be hiring a third-party private intelligence firm who will manually take care of that stuff for you and actually help build OPSEC practices to protect those super, super high-level folks. And then you tier down the approach. There are a few commercial services that you can subscribe to, and it's kind of, like, you know, hit or miss. You get what you pay for. Mileage may vary. And when I researched those, few seemed very effective and non-intrusive. There were one or two I looked at, and they wanted my power of attorney to do stuff on behalf of me. And I was like, no.
Steve Kain:
I'm absolutely not going to do that. In that research, I actually wanted to give a shout-out. I was at ShmooCon a few weeks ago. We will miss ShmooCon. And one of the presentations there was by, I hope I get her name right, Yael Grauer, I think, is her name. She's a researcher. She's an independent writer.
Steve Kain:
I think right now, I found her by way of Consumer Reports, good old reliable. And she actually hosts this amazing big-ass data broker opt-out list on GitHub. And if you search for that, she actually gives ways where you can remove your data from the third-party broker sites. So, yeah, that was tough. Coming in, in my prior life, when I worked offense, you would look at a target and, you know, you would try to personify them and try to understand, like, how that would work. And as an attacker, it helps you if you can personify your target. As a defender, you wanna try to understand the risk landscape of who you're trying to protect. And me, where I'm at in my life and my age, it's very hard to relate to a 20 multimillionaire.
Steve Kain:
So it was a very different risk calculus to try to wrap my head around at first. But, yeah, the privacy piece reduced that. Sorry. I'm having an ADHD moment. Yeah. You know, reduce the threat surface. Threat surface. Yeah.
Steve Kain:
Thank you. Reduce the threat surface and, you know, that helps. Right?
[14:59] Navigating IoT Privacy and Vulnerabilities
Rachael Lyon:
So digging in on that a little bit more and talking about privacy, you know, in sports in particular. Right? There's a tremendous reliance on IoT devices, you know, particularly for things like performance monitoring. And, you know, no doubt there's a lot of BYOD. I was gonna say, BYOD happening. You know, and how do you mitigate those kinds of vulnerabilities? Because a lot of it is gonna be outside your network. You know, but I have to imagine. Right? I mean, any kind of health information or performance information on an athlete getting out that is not favorable can very much damage a team and, of course, that athlete's future. So that seems like that would be really, you know, high-value information to lock down.
Steve Kain:
Yes. Yes. I would take a multi-tiered approach to that. Part of that is just physically separating that environment from the Internet as much as you possibly can. Part of that is also, really, third-party risk management in the beginning, where you can collect a whole bunch of data on a subject, but you don't necessarily have to tie it to their persona. Right? Like, I could collect, we'll pick a retired player. Right? Peyton Manning. You know, you could have all this information on Peyton Manning.
Steve Kain:
But if I just tie it to an ID, right, like a random GUID or something like that, and not to their name, like, that helps anonymize it. Yeah. So anonymize the data, keep it off the Internet. And then you're right. A lot of these IoT devices, the vendor's not looking at the code for vulnerabilities. They're not doing a lot of code review. They're not doing a lot of patches or updates. So that was something that, you know, it's concerning.
Steve Kain:
Like, you just have to go into your risk calculus and ask, do I accept this risk for the business? Then if it's code-based and that's not getting patched, like, what other means can I do to keep it segmented from the network? And sometimes, that just means you go back to the nineties, and you have a machine that's not on the Internet, and you plug a thumb drive into it. You put the data on it, and you take it out, and you go somewhere. And that five minutes of an easy solution saves you from architecting or over-architecting a solution that might not be as effective.
Rachael Lyon:
I love that because we were just talking last week, Greg, Jon, about, you know, my answer to the critical infrastructure problem is just unplug everything.
Jonathan Knepher:
Right. Exactly. Right? Like
Steve Kain:
Right.
Jonathan Knepher:
Does everything need to be connected in the first place? And if it doesn't need it, why do it? Right?
Rachael Lyon:
I love that.
Jonathan Knepher:
And so does kind of the same strategy apply, though, for, like, you know, I expect there's a lot more data than just, like, you know, as Rachael was talking about, like, the IoT-connected data and, you know, that kind of biometric stuff, but, like, larger data, like your, you know, potentially fan engagement metrics and player performance data. And I'm sure there's, like, aggregations of those data that might be interesting. Right? Like, we saw several years ago where, you know, Fitbit trackers were able to release a lot of information from just aggregate data even though none of the individual data was interesting. What can be done to protect that kind of information?
Steve Kain:
Well, just stick it in the cloud. It'll be fine. Exactly. Everything now is a SaaS app. Right? Everything now, everyone wants to move the infrastructure out from underneath their responsibility. Everything is a SaaS app. And, no, I take shots, but, like, from a strategic perspective, it's essentially easier, right, to do that as well. Because if you need to pivot products, it's easier to do because you just move your data.
Steve Kain:
So a big chunk of that for me is ensuring you're doing third-party risk management correctly. One of the projects I had the opportunity to work on was updating and revamping the surveys that we would give out to potential vendors, and I completely redid the sections for cloud and absolutely added in a section for AI. And, you know, there's a way to approach a vendor and, like, be nice about it, but confirm, like, you need to validate that, like, I can export all of your application logs and all logs about metadata immutably into my own container. I need to ensure that you're encrypting everything everywhere, where at all possible. When you're looking at single-tenant versus multi-tenant SaaS apps, like, you know, in a perfect world, I would just be in a single tenant, and I don't want my data mixing with anybody else's data. Because, you know, you look at the architecture of a lot of these applications, and, you know, there's a lot of shared infrastructure pieces like web front ends, CDNs, load balancers, things that you might be willing to accept the risk on. But when it comes to the back end, like, not everybody gets the warm and fuzzies about certain data being in the same database with other customers' data. And as much as somebody can promise, oh, well, you know, I've got you linked to this ID or linked to that ID, it doesn't mean that there isn't a kid at home right now creating, you know, a new SQL injection technique that is gonna go past that.
Steve Kain:
Right? So, yeah, the third party risk management, because it was a big thing that that
Jonathan Knepher:
Yeah. You touched on
Steve Kain:
the capital a little bit. Stuff. Mhmm.
Jonathan Knepher:
Yeah. I wanna dig a little bit on your AI bit there. Right? Like, we're seeing, you know, this huge push for AI in everything. You know, what's your opinion on where to use AI for, you know, analyzing security, and how much stress do you put in it?
Steve Kain:
Great questions. I'd be a liar if I said I didn't use AI. Right? I think I've proven in answering some of your questions, I can be a little wordy. So it's worse when I write, you know, you'll write something, and you get into page two, and you're like, oh, gosh. This is supposed to be a paragraph. Alright, AI. Smash this down.
Steve Kain:
But I have to, you know, you have to be mindful of everything that you put in those systems. I feel like there should be a game with the podcast where every time I say third-party risk management, take a sip of coffee. But it goes into that. Right? Unless you're rolling your own AI and you know exactly what's happening with the data and the metadata, and you're keeping it all in-house, then you're putting so much trust in these other vendors. Right? So I can look at it two ways. If you were gonna, like, take your football data or take some kind of sensitive proprietary data and stick it in somebody's product and they're processing it, I wanna know where my data is going. I wanna know, especially, you know, some companies just build a front end and pump your data off to some other company, and I don't want that. I want control over my data.
Steve Kain:
I wanna know exactly where it's going. So for me, that would be a red flag. Companies that are taking the data and showing me exactly what they're doing to protect it and not shipping it off somewhere, then I think that's great. So when you're taking your data and you're prioritizing it or you're doing some kind of analysis on it, I care about where it lives, and I also care a lot about the metadata of that processing. With respect to day-to-day activities, also, you can look at AI so many different ways for security. You know, if I wanna write a script, I am not a professional programmer. You know? If I wanna write something, I will ask OpenAI to write it for me, and it'll do it. And I'll say, thanks.
Steve Kain:
Now can you do it in Python 3? And it'll do it. And, you know, that would have taken me way longer. So, absolutely, as a productivity tool, it's amazing. Now I don't think it's ever gonna replace me. I don't think it's ever gonna know that the code needs to be written. Right? And, also, you know, we see hallucinations. We see things happening. Like, we were interacting with AI, and it referenced a player's Super Bowl win when they had never played in a Super Bowl before.
Steve Kain:
So, you know. Right? Like, there's problems there. You're not gonna trust your data that way, or you're not gonna, you know, you're not gonna trust the output of that system. So, like, you need a human being to validate every time.
Rachael Lyon:
I agree. I agree. There are ways to really weave it into day-to-day, particularly as a productivity tool or automation. But, you know, it's still got a long way to go, I think.
Jonathan Knepher:
Yeah. For sure.
Steve Kain:
But, Jon, did I get way far away from your question on that one?
Jonathan Knepher:
No. That's kind of exactly, you know, where I was going. Right? Like, because we see too this huge push to use AI not only in, like, creating, like you mentioned, creating the scripts. By the way, I do the same thing. It's been wonderful. But, you know, there's a lot of use cases where it's like, use the AI to analyze, like, what happened, and analyze the logs and come up with what happened. And, yeah, most of the time, it gives you very good results.
Jonathan Knepher:
But sometimes, you get an answer that, you know, to your point, it's a complete hallucination. It's completely disconnected from the input. And you're kinda like, well, how did that happen? And now how much can I trust? How much do I have to review? And I think that your takeaway of it can't replace having an actual competent operator in front of it, who is an expert in their field still. Right? Like, you can't offload it to somebody who doesn't understand the output. And so, yeah, I completely agree with that.
Steve Kain:
Yeah. There's a lot of keeping up with the Joneses, I think, in the vendor space with AI, where, like, if, you know, your competitor is offering it, you then have to offer it. And the hopes are that whatever that product is, that it gets improved, and it's not just like, oh, AI is now baked in. Right? I have seen improvements, like a lot of anti-spam solutions. They're doing some really cool learning where they can dynamically change email banners and say, like, oh, like, your organization's never received an email from this person before. Is that safe? And I think that's neat. Like, that's a cool analysis. And there's a way to, like, programmatically prove, like, I have never seen an email from this sender before.
Steve Kain:
So, like, is it safe? Yeah.
[25:57] The Role of Adversary Emulation in Cyber Defense
Rachael Lyon:
Okay. I'd love to shift gears a little bit. And I actually have a two-part question, Steve. You know, first, could you share a little bit about, you know, adversary emulation? We've not really dug into that, you know, at a high level on the podcast. And then, you know, how does that help shift defenders, right, from a reactive to the ideal state of a proactive security posture?
Steve Kain:
So I'll be very upfront and say adversary emulation is very new for me as well. I'm very, very new to my role. I'm pretty excited about it, because there's a lot we can do with it. From my point of view, where I sit today, right, that might change six months from now. But when I try to separate, you know, pen testing from red teaming from adversary emulation, and how they're all kinda cousins, but just different enough. Right? I can take the TTPs from APT29. Right? Pull out their playbook, look across, you know, the MITRE ATT&CK framework or look across reporting or whatever and decide, okay. I'm going to take these very specific steps to emulate this actor and apply that to our security stack, and I expect to hopefully catch them here, here, here, and here.
Steve Kain:
You know? And are we doing that? And so I think it's definitely a way to absolutely proactively test, because it's very controlled that way, where a red team, you know, may necessarily just be goal-oriented. And if, you know, I really want them to scare me, I'm just gonna say, okay. Like, have at it. Point at me. Go. Go get my playbook. Go get my sensitive data.
Steve Kain:
Maybe I'll see them. Maybe I'll know everything that they did from the reporting. But at least in adversary emulation, like, you can sit side by side with the defenders almost in a purple team fashion, right, and say, okay. Like, today, we're gonna do this, this, this, and this, and let's see if we catch it.
Jonathan Knepher:
And that's a good point. I like that kind of purple team thing. Right? Because most SOC teams today, right, they're accustomed to just looking through their SIEM, looking at all of the logs and alerts that have come in and, you know, searching through Kibana for, like, what's happened today. But, you know, I expect you're seeing a lot of new strategies that folks are using to bypass those. And what kinds of things can you adopt to kind of get to, like you said, that purple team mindset to better recognize these threats?
Steve Kain:
Sure. That's tough. Right? I don't know how new that is about attackers blending well. I think, you know, if I were a SOC analyst right now, I'd be focusing my efforts on trying to understand, like, a good pattern of life and then working really hard to see what living-off-the-land attacks look like and how they compare to a good known pattern of life. And I say that because I think most of the sophisticated adversaries are probably less and less reliant on bespoke malware. That's the trend that I think I see from my purview. Right? You're seeing fewer and fewer reports with, I say that less looking at it from a crime actor perspective, right, and more of, like, your traditional APTs. And I think a lot of folks have shifted over into using living-off-the-land techniques, and I think those are way harder to find.
Steve Kain:
When you're looking at, like, Kerberoasting, like, trying to find that, legitimate computers look for legitimate services. Right? It happens. It happens all the time. It's an easy thing to blend. Right? So can you emulate an adversary a few times on the network to see, can I create that behavior and make it in a way that I can signature it? You know, I think hopefully, that kind of gets you where you wanted to be.
Jonathan Knepher:
Yeah. Well, it's definitely tough. Right? And I agree with you that a lot of, you know, the folks are living off the land. There are lots of tools available on every system these days. So that makes a lot of sense.
Rachael Lyon:
So speaking of SOCs, right, I'd be really interested in your perspective, you know, based on your experience with offensive activity. What's something that you would change about SOCs and why?
Steve Kain:
Oh, gosh. That's a great question. You know, I don't know. To be brutally honest with you, maybe this is one of those moments where we edit this one out. I, you know, I don't know, because, honestly, I've never really been a SOC analyst.
Rachael Lyon:
Mhmm.
Steve Kain:
So I really wouldn't know what to compare that to. Yeah. Like, at the Ravens, I was kind of the sole cyber person. Right? So I did live in our SIEM, and I did do a lot of IR. I needed to do a lot of investigations. But I can't say I was a SOC analyst anywhere else to compare it to something else. I don't know if I feel armed to say here's what I would do to change the land of SOCs. And
Rachael Lyon:
then staff.
Jonathan Knepher:
Yeah. You know, what about some of, like, the other, like, areas that you may have seen attacks. Right? Like, we we know that you know, we've seen where attackers come in and they try to fly low, and they just kind of keep testing, like, how far can I get away with certain types of exploration, certain types of lateral movement? How can you use the the tools you've learned kind of both in your past experience and now in your in your newer, adversary emulation area to to try to recognize those early signs before they start triggering, like, their actual exfiltration or large scale attacks?
Steve Kain:
Sure. I think, really, it lends back to a problem that's been around for a long time, which is just, like, alert fatigue. I think the reason why attackers... fatigue. Yeah. I think, you know, attackers get successful with low and slow enumeration techniques because of alert fatigue. Right? Because you don't know, you know, is it some bored kid, like, nmapping your network from home, or is it something else? And, you know, you're probably not gonna freak out over a network scan. Right? So you don't know where it's coming from. I think that might actually be a decent use case for AI to parse all the alerts you would typically, like, cast off to fatigue and have them come back around and say, no.
Steve Kain:
Actually, maybe this is an issue. I'd be curious to see how that works. I know some of the larger companies, right, like Microsoft, they have their Sentinel product. And if enough of their customers log into it or, you know, opt into it or buy it, like, they'll have a massive dataset to work from. You know? So, hopefully, they could improve tools like that. Sorry. AI could improve tools like that.
Rachael Lyon:
Nice. So now we get to my favorite part of every conversation. I like to go a little personal, Steve.
Jonathan Knepher:
Mhmm.
[34:03] Steve Kain’s Pathway to Cyber
Rachael Lyon:
And I'm always so curious about the pathway to cybersecurity because it's always, you know, very different for every person. We've had someone with a PhD in, I think it was like historical studies or something, and somehow found, you know, the way to cyber. Others were, you know, a music PhD found a way to cyber. So I'd love to get your perspective on how you found your way here, but also what advice would you give someone who's looking to enter the cyber industry?
Steve Kain:
Oh, gosh. I would foot stomp getting a mentor, especially early on in your career. It was something that I didn't, so I'll start with the advice, and then I'll go back to the how did I get here. Okay. Yeah. Later in my career than I'd like to admit, I discovered the value of mentorship. And I have a model where I pick someone that terrifies me. You know, there was this person who, you know, they had just left my leadership chain.
Steve Kain:
I suggest not getting somebody in your leadership chain. They had just left my leadership chain, and they were this perfect, polished, brilliant leader who just terrified me because they were so amazing. So I asked her, I'm like, hey. I thought it was so funny. It feels like you're asking someone to, like, professional prom. You're like, hey, if you had time, if you had two minutes every six months, would you be my mentor? And, of course, you know, good leaders are gonna say yes because they wanna give back. Like, they were absolutely, like, a service oriented leader. She was amazing.
Steve Kain:
And then I had another mentor who, like, I went to that more, like, fed my soul. I think there's room for both. Right? So I'd say pick a few mentors for sure. I think in the industry right now, you'll have people that immediately dive into a specific vertical without giving themselves an opportunity to be a generalist. Mhmm. I don't know if that's, like, akin to the argument of saying you gotta work in IT before you do security. Like, I'll disagree with that. Like, I think you can work in security, but do more generalist roles for a while and get exposure to a lot of verticals before you deep dive into something.
Steve Kain:
Because you'll meet somebody at a conference that, you know, in their freshman year of college is, like, yes, I'm a reverse engineer, and you'll watch them whip out Ghidra and just do a bunch of amazing work. But I worry, like, if you pigeonhole yourself really, really early in your career into a single vertical, it makes it harder to pivot later. But if you give yourself an opportunity to be a generalist upfront. So I used to think generalist was hard to accept. Generalist is not a dirty word, and I am absolutely a generalist. But the cool part about that is it's given me an opportunity to be able to pivot and shift between different technologies and roles. And then, gosh, when I was a government civilian, I would use sports analogies when I would train people, and it would frustrate them.
Steve Kain:
But then I worked in sports, and I could use sports analogies, and it was great. So I always use the sports analogy when training a new analyst, which was, you know, you're not always gonna go out on the field and throw a touchdown every time. You're not always gonna go out on the field and rip off an 85 yard run from scrimmage against the Bills on a Sunday night. That was an amazing play. But what you can do is you can look at the field and you see the players that play through the whistle. Like, you're not supposed to have favorite players, but now that I'm not there anymore, I'll say, you know, my favorite Raven is Patrick Ricard, and he's a fullback. And, you know, he isn't always necessarily hitting every highlight reel, but when you do see a certain quarterback or a certain running back doing some of these brilliant plays, you'll find there's an amazing support system around them of blue-collar players or people that are doing their job and playing through the whistle. So you're not gonna go out on the field and bring it back around.
Steve Kain:
You're not gonna go on the field and throw a touchdown every time, but what you can do is play every play and play through to the end of the whistle, and be the best you can be every time, and then that will build up to a pretty amazing highlight reel down the road. Definitely. Take risks. Do things that scare you, like this. Go on a podcast. It'd be scary. It's my first podcast experience. You know? And the origin story, gosh.
Steve Kain:
I can't tell if it's cool or lame. I was 19 years old when I got my first computer, in the nineties. Within hours of having it, I had opened it up and installed a card. Later that night, it was online. I was a sociology major at the time, and I did not wanna ask, do you want fries with that, for the rest of my life? So I thought, wow. This computer is amazing. And then later, I was walking through the halls of Howard Community College, proud community college graduate, and I saw this exploded diagram of just an old, like, beige box PC that you would see with the motherboard and the CD-ROM and all that stuff. And I was staring at it and was just kind of enthralled.
Steve Kain:
I really got caught up with, like, what happens when you press the power button? Like, when you do that, like, how does all of this work? And I just badly wanted to learn. And I think if I just stay in that mindset where I'm a perpetual student and wanna keep learning, that, you know, I'll keep going. And with respect to security, it wasn't long after that. I was a barista at a bookstore and was staring across the magazine rack, and there was this little zine called 2600, which I had never seen before. Right? It's still in print. There was a handful of zines back then. There was, like, Blacklisted! 411 and 2600, and there's another one I can't think of. Phrack still exists online.
Steve Kain:
Go read old Phrack. Yeah. I discovered this stuff, and I was like, I have no idea what any of this says. But I think this is the absolute, by far, coolest thing in the entire world, and I want to know more. And so in 2023, I went to my first Summercon, in Pittsburgh. I probably had no business being there. Mhmm. But I just got exposed to this amazing subculture that I just thought was, you know, the coolest thing in the world.
Steve Kain:
When you get somewhere and you feel like this place is home, and these are my people, that's a really, really good feeling. Yeah. And I made some friends there that I still have those friendships with today. So yeah. I just became enamored with the culture and the tech and everything, and I love that feeling, and I've just continued chasing that feeling.
Rachael Lyon:
I love that you said that because it really is true for this industry. I mean, interest and, of course, aptitude are really the key driving things. Right? I mean, if you wanna get in the industry and you're hungry to learn, there's so many opportunities. And having people from these different backgrounds, you know, be it music, you know, you're gonna approach it a little bit differently. And that's how we, you know, come to have really awesome technology come forward. So I love that. I love that you said that.
Steve Kain:
Thank you.
Jonathan Knepher:
Yeah. And I have to agree with you on having that kind of basis as a generalist is really important. Right? You know, and, like, as you've talked through, like, all of your experience here. Right? Like, civilian DOD, sports, and now state government, well, you know, what are kind of some of the biggest lessons that you've found between those things, kind of as being this generalist, but yet in very specific and very distinct areas? Like, what types of things have you learned from each one that have helped you in the next?
Steve Kain:
Oh, gosh. I feel like I'll probably repeat a couple of the things that I've said. Of course. And that's okay. But, you know, lean into your mentorship circle when you wanna make a change because sometimes you might get a different outlook that you didn't expect. Mhmm. Absolutely take risks and do things that scare you. When I got my job at the DOD, my interview experience was so weird.
Steve Kain:
I was at this hotel, in this ballroom, and there were a whole bunch of people, and it felt like speed dating interviews. And I came with my carefully crafted list of questions and my carefully crafted resume. And my interview was basically like, hey, draw a network. And we were just talking about it. Mhmm. And we had some more conversation, and they got up and left. And I was like, oh, no. I didn't ask any of my carefully crafted questions.
Steve Kain:
And I was terrified that I didn't get it, but I walked away that day with a conditional job offer. And I had no idea what the job was. None. Oh, wow. No idea until I showed up. But it was such a blessing to get there professionally, because I learned so much in my time there, and I got to be part of such amazing things. And had I not taken that risk and done something that was really scary, I would have completely missed out on that. And then a few months ago, it was a big decision to make the choice to leave the Ravens.
Steve Kain:
Right? I had made it to a place in my career where I'd kind of, in theory, have my own shop, have my own practice. And I read this job description. I was up on LinkedIn one night looking at this job description in Maryland and read it, and I was like, oh, man. That's me. I really want that. And so I took that risk. And without, gosh, without sounding too cliche, I think, you know, seek beautiful truth. And what I mean by that is, you know, I was asked at one point to speak to a group of folks just about my career.
Steve Kain:
It was like an internal meeting, and I was having a conversation about it. And I had this odd epiphany that in pretty much everything that I've done, every job I've had, whether it was working in a data center, doing sexy things like backups,
Jonathan Knepher:
You have to do
Steve Kain:
the backups. Yes. You've got to. You've got to do the backups. You know? Or, like, learning about patching or trying to solve a problem or anything. If I tried to simplify everything down and distill it down, it was that I was always really trying to seek that truth to understand, like, no. The answer is this. Mhmm.
Steve Kain:
Right? So if you find yourself in a place in your career where you can continue seeking that, like, I think that's a good thing. I know it's a little woo woo or whatever, but that's me.
Rachael Lyon:
Well, it's so true, though. Even, you know, twenty plus years into a career, it feels so good to learn something new.
Steve Kain:
So good. So incredibly good. Amazing.
Rachael Lyon:
And cyber, I've been in technology a really long time, but, you know, in cyber, every day is a new day. I, you know, I feel like I'm almost learning something new every day in this industry, and it's almost like a drug. You know? You kinda need that hit. And, absolutely, I just can't imagine being in any other industry right now.
Steve Kain:
Oh, absolutely. It's amazing. And it's funny, though. Right? Sometimes, like, people say, like, what's old is new again, and that's absolutely true. Like, you see, like, old techniques get recycled and improved, which is good. And those core fundamentals, like, I could tell you it wasn't that long ago, I was firing up Wireshark and pulling down a PCAP and, like, really staring into some packets and trying to figure out what a problem was. And it felt, it did. It did.
Steve Kain:
It felt great to just do that. Yeah.
Rachael Lyon:
Love it. Well, I know we're kind of on time today. So, Steve, thank you. Thank you. Thank you. This has been such a wonderful conversation. Thank you for your time.
Steve Kain:
Thank you. This was definitely doing one of those things that scared me, but you absolutely made it a really welcome environment. So I really appreciate it. Thank you.
Jonathan Knepher:
Yeah. Thanks for talking to us, Steve.
Rachael Lyon:
And to all of our listeners out there, thank you again for joining us for another week of, you know, more awesome insights from, you know, people who are truly steeped in this industry and have so much to share. You know, we'd love your feedback. Please always give us comments. And, of course, don't forget to smash, Jonathan, smash that subscription button so you get a fresh episode every single week. So until next week, everybody. Stay safe.
About Our Guest
![Steve Kain headshot](/_next/image?url=https%3A%2F%2Flive-forcepoint-drupal.pantheonsite.io%2Fsites%2Fdefault%2Ffiles%2F2025-02%2FSteve%2520Kain%2520headshot.jpeg&w=1920&q=75)
Steve Kain, Adversary Emulation Manager
Steve Kain is an information security professional with experience in media, government, and sports. He has worked on both offensive and defensive sides of security, covering compliance, privacy, risk management, incident response, and offensive operations. His recent work focused on defense, including endpoints, cloud, policy, and privacy.
Steve believes security goes beyond firewalls and policies—it's about culture, behavior, and mindset. He simplifies complex topics for executives and balances security with usability.
Outside work, Steve enjoys exploring new tech, volunteering with environmental groups, and spending time with family. He aims to share insights and show that good security can be straightforward.