Kicking EDR Out of the Kernel

Episode 306 –

This week on the podcast, we discuss Microsoft's recent Windows Endpoint Security Ecosystem Summit and what it means for the future of endpoint security on the Windows platform. After that, we cover a Proofpoint research post on a malware campaign that used Google Sheets as a command-and-control channel, before ending with a chat about the US federal government's push to classify cybersecurity as a national service role.


Marc Laliberte  0:00  
Hey everyone, welcome back to The 443 Security Simplified. I'm your host, Marc Laliberte, and joining me today is Corey

Corey Nachreiner  0:07  
Voorhees. Nachreiner.

I didn't know if you would get it, and our listeners may not either, but look at the recording day, Marc. This comes out on Monday for our listeners, but we are recording this on Friday the 13th. I assume you have some pretty scary security stories for us to go with.

Marc Laliberte  0:31  
Today's a happy episode. We're gonna start with how Microsoft hopes to turn the entire endpoint anti-malware ecosystem on its head by removing kernel access. We'll then dive into a phishing campaign that used a super interesting, and maybe not super interesting, very interesting command and control method. And then end with the US federal government's latest push to try and employ as many people in cybersecurity, I'm sorry, cyber, as possible.

Corey Nachreiner  1:05  
With that, I think we should put on our hockey masks and axe our way in.

Marc Laliberte  1:17  
So let's start with the first story today, which is a follow-up from that no good, very bad day back in July, when an EDR vendor took out several million Windows endpoints with a software update. Unfortunately, oopsie, yep. So if you remember, back in July, CrowdStrike put out an update that affected or triggered a vulnerability, maybe not a vulnerability, a bug in their kernel module, which caused Windows machines to blue screen in a way that was basically unrecoverable without hands-on-keyboard access to them. So in the wake of that, it kind of restirred the hornet's nest on folks having discussions about: is giving kernel-level access to Windows really the best approach? Because, in comparison, Apple is significantly more restrictive on the level of access they give, both on macOS and on iOS for the mobile devices too. And so it really caused people to step back and have a discussion, or thoughts, on whether that type of model is appropriate for Windows now also. So Microsoft, to their credit, just hosted a summit on September 10, which they called the Windows Endpoint Security Ecosystem Summit, which they said was to discuss resilience improvement strategies in the wake of that event back in July, and they just published a blog post a couple of days ago where they went over a few of the main discussion points from the event in the name of transparency. They started out by saying that there were key consensus points that everyone agreed on: that there are benefits to customers and the ecosystem when there are options for Windows and choices of security products. I think this probably has to go without saying. It also feels like Microsoft doesn't want to get bit by the FTC again, or FCC, FCC, FTC, Federal Trade, FTC, on antitrust by locking down anti-malware on Windows. But it's good that they at least affirmatively acknowledge that, yes, we should have a choice for endpoint protection on Windows.
They then said the summit went into a discussion of Microsoft's own safe deployment practices for Defender and Windows themselves. They went through a few examples from them and other vendors on how they handle development, certification, testing, beta and phased release with rollback controls along the way, to try and limit the opportunity for a July-like incident from occurring again. But then the discussion shifted to what is the elephant in the room, which is kernel mode access for third parties. So if you remember from all the discussions we've had on the podcast, this kernel-level access is driver-level access above what a typical user would have on a machine, even above what an administrator would have on a system. Historically, endpoint protection tools have had this level of access because malware can potentially get this level of access, and in theory the only way to detect and prevent that type of activity is to be on the same level as them, to put it simply. But it comes with risks. If there is a bug that causes a crash in a kernel-level program, or a memory issue in a kernel-level program, it has to blue screen the whole machine, because otherwise you could potentially impact memory of the entire operating system, which would be catastrophic, potentially. So some of the things they discussed were, basically, first off saying that both customers and partners in the ecosystem have called on Microsoft for additional security capabilities outside kernel mode, maybe to remove some of that necessity, and then focusing on a few things like performance requirements for tools that interact outside of kernel mode, anti-tampering protection for security products, security sensor requirements, development and collaboration principles between Microsoft and the ecosystem, and just general secure-by-design initiatives.
And I think a few of these are interesting and important. Like, it would be very easy for Microsoft to say, okay, endpoint malware no longer gets kernel-level access, or, sorry, endpoint malware protection no longer gets kernel-level access, they have to go through our APIs here. But then, what if Microsoft gives their own tools a slightly better API? You can see why that would be an important thing to discuss.

Corey Nachreiner  6:14  
I'm also glad that they're considering it. The ecosystem partners probably brought this to the highlight, things like anti-tampering. I think you and I, at the highest generic level, are okay with non-kernel-level access, as long as all security controls have equal APIs to more securely have the access they need to do what they want. But you also have to protect the endpoint product, and I bet you that problem will be interesting, because making something of a kernel mode privilege is one of the easiest ways to protect against tampering for things that aren't of that level. So I'm glad they're thinking about that, because malware already is trying to disable security controls, let alone users. So the anti-tampering part, it's good that it's part of their consideration.

Marc Laliberte  7:04  
And then I think, like, even the performance thing is an important feature too. Like, right now, if you have to interact through an operating system API, that introduces additional latency, and that can cause issues with detection if you're going slower than what the malware has access to. Yep. But man, I don't envy Microsoft and all the other people, including the folks internally at WatchGuard for our endpoint tool, that are absolutely trying to have these discussions and figure out a plan for the future. This is going to be a substantial overhaul of how Microsoft Windows works in order to lock down some of this, while still allowing access for endpoint protection. Yeah,

Corey Nachreiner  7:50  
it is a good thing to do, but as you say, I suspect it is actually a long haul of work, and all the endpoint companies will have to reprogram a lot of things to work a little differently. But it'd be interesting. Hopefully it's the opportunity to, I don't know, maybe introduce new mechanics into the operating system that will make it easier to delineate good processes from bad processes too. We'll see. Generally, I think it's a good step to take, though. We do not want that sort of CrowdStrike crash to happen to any of us. No.

Marc Laliberte  8:24  
But they also, like, even at the end of their discussion of, okay, maybe we pull stuff out of the kernel, they did turn back and say there are actually some things that customers and vendors need to do in this space as well. Like, for customers, they talked about the necessity for a good business continuity plan or an incident response plan for a major event. And so while, yes, this was one vendor causing a bad day for a lot of people, some companies responded and recovered way better than others. Like, crap, I know we've beat this under the bush, but look at Delta compared to American Airlines, or, I think it was United, that was also impacted by this, where two of them recovered relatively quickly over the course of the day, and Delta took a week. And you could point to, I mean, maybe we'll get an after-action report on why that was the case. But if I had to guess, I'd say a lot of reliance on this type of tool, not enough hands on keyboard available to go recover from it, and probably just not a business continuity plan in place that anticipated all your Windows machines crashing and becoming

Corey Nachreiner  9:33  
and you've heard us talk about business continuity before. It's a hard thing. No company's perfect at it. I'm not going to throw stones, and we do have good business continuity here, but there's always little things that you have to figure out, and exceptions. But regardless of what we're talking about, I think a lot of security experts need to focus more on business continuity than they do on prevention, frankly, at least if they don't have a mature plan. Because at the end of the day, we're definitely here to prevent attacks, but I don't think it's realistic to ever prevent every attack, let alone disaster. By the way, there's lots of other things that could take down a lot of computers that aren't cyber attacks. So the most important job I think a CISO can do, or the security professional organization, is make sure their business has a solid plan to survive if any of their infrastructure goes down, or, more importantly, making sure their infrastructure has enough backups at other places, etc., etc. So now I agree with you. I thought that it was good customer advice. They do have a link, that we showed on the screen for a second, to a Microsoft blog page that talks about cyber resiliency, or in this case Windows resiliency, but the industry has been calling this cyber resiliency, that has a lot of best practices. I would say if you're a security person, you probably know all of these best practices. But I think what happens in our industry is business continuity plans get deprioritized for things like prevention and immediate firefighting. So just a reminder that you should take, you know, any time you take for this planning, even though you may not use this plan for the next four years. That's why people deprioritize it and forget to maintain it, because, yes, it's not something that happens every day, but the second it happens, being without this is going to be your biggest problem. So take a little time to do that as well.

Marc Laliberte  11:32  
And definitely, yeah, like you said, tabletop exercises are a great way to make sure that your business continuity plan will actually work when it matters too. You don't need to go into the server room and unplug everything to test the plan. You can walk through an exercise of, if this happens, what would we do? And find

Corey Nachreiner  11:51  
it doesn't have to be technical. It can be more scenarios, and making sure the leaders walk through their playbooks of who to call, what they would say. Yeah,

Marc Laliberte  12:00  
Yep. My favorite example was one of our business continuity tabletop exercises where the scenario was Godzilla came out of the ocean and ate our data center in Japan. What do we do in that situation? And even something extreme and funny like that can still lead to good discussions on how you recover from a catastrophic incident like that in an entire region. That's obviously a little more applicable for global companies like us than, you know, the small organizations, or smaller organizations, that may listen to this, but either way, take nothing away: testing your business continuity plan with an exercise is critical. So, moving on. A couple weeks ago, Proofpoint published a research article about a new malware campaign with a pretty novel command and control layer. And I had this thing bookmarked forever, and finally got around to reading it, and it turned out to be pretty dang interesting. We're now even a couple weeks after the hack, but I think it's still worth talking about. So this whole thing started in early August, I think they said August 5, when Proofpoint, who's the email security organization, saw around 20,000 messages impacting 70 organizations globally involved in this specific campaign. They noted it started with a few hundred messages daily, then spiked on August 17 to 6,000 daily messages. And these messages claimed to be from tax authorities, including those from the US, UK, France, Germany and others. And they were used to deliver a malware payload that the threat actors themselves seem to have called Voldemort, in both strings throughout the malware and file names that it uses throughout it. And so we'll get into the command and control in a bit. But going through the actual technical analysis was pretty interesting. Like, first off, it started as a phishing campaign. This is how Proofpoint saw it.
And one thing that stood out to me: they were using tax authorities as the hook, basically saying, here's some document related to your taxes, something. And they were picking their victims. So, like, individual

Corey Nachreiner  14:15  
or it was global, though, so it wasn't global, like, yeah. So they were

Marc Laliberte  14:20  
picking, like, let's say Marc at WatchGuard. And they were even crafting these messages to be towards the victim itself, their region, versus, like, the global company. Like, for example, certain targets in a multinational European company were receiving emails that were impersonating the US IRS, because the publicly available information for the victim said that they were in the US, even though their company was in Europe. That, I mean, that happens probably all the time, but it's interesting seeing it tailored towards the victim, and not just the organization.

Corey Nachreiner  14:53  
It just shows the phish, the spear part of the phish, that they are doing some work. Although, I'm sure you'll get to the next part, it was interesting that that also might have helped tell people it was fraudulent, because they occasionally made mistakes. It mentioned

Marc Laliberte  15:07  
that in a few cases, the public information for their victims seemed to have been mis-associated with a more public presence that was incorrect, and so sometimes they did get the wrong tax authority as the hook. When they looked at the victim verticals, around 50% of them in total were made up of insurance, aerospace, transportation and higher education, with the rest being a whole bunch of other verticals. Insurance was the largest by volume at, like, 25%. So the hook itself was a phishing email with a link that used Google AMP as a caching layer to then ultimately redirect the victim to the free web hosting platform called InfinityFree. That link contained another link to view a document. When clicked, when the victim clicks on it, it fingerprints their browser, like the user agent, the IP address they're connecting from, and then, based off the user agent, does one of two different things. So if it contained Windows in the agent, meaning they're most likely on a Windows machine, it redirected them to a search-ms URI protocol handler. Obviously, remember protocol handlers. It's the way you can launch something in an application. It's like HTTP launches in web browsers, Zoom launches in the Zoom meeting application. In this case, search-ms launches in Windows Explorer on the desktop, the little pop-up, if they would. So actually, behind the scenes, it would also load an image to be able to fingerprint even more from their browser too, based off the content loading. If it wasn't Windows, it would redirect them to a Google Drive URL that had that same image to gather info. But so if the user accepts opening Windows Explorer, so it pops up that shortcut saying this wants to open in Windows Explorer, it would use a built-in, like, saved search that resulted in a file in there that looks like it's sitting in your Downloads directory.
It looks like a PDF, but in reality it's a .lnk shortcut file hosted on some remote web file sharing service, like over SMB. It's pretty nuts. They were using WebDAV, which is a, like, HTTP protocol extension for file editing, to host a lot of the dependencies on this. But basically, if you click that shortcut, it would kick off PowerShell, load up Python, download all the Python dependencies required from a WebDAV endpoint, and that script would execute. Gather information about the endpoint. It downloads a decoy PDF that it then opens, so it looks like you actually opened a PDF. But behind the scenes, it downloads a password-protected zip file from OpenDrive, a file sharing service, and extracts two files, one called CiscoCollabHost.exe and one called CiscoSparkLauncher.dll. That executable is just a legitimate copy of a Cisco application, but it's used to sideload that DLL, which is a malicious DLL. That DLL has some exported DLL names like Voldemort GDrive DLL; that's where the name comes from. It's got some anti-sandboxing detection in there, including sleeping for a bit with a little bit of jitter to evade sandbox detections. But it ultimately beacons back home off a really interesting command and control channel using Google Sheets, so basically hosted spreadsheets on Google's office platform, where it would use built-in credentials to authenticate to Google and then look for a specific spreadsheet, effectively read through the cells on it to find an open cell, and then start writing data back to it that it exfiltrated from the host. It would also look for specific cells to get commands to execute. For example, it could, like, ping, or download a file, or upload a file, run a command with exec, copy, move, sleep, exit, anything, all through Google Sheets as a command and control interface. For this, they went into some more details on that saved search, which was interesting.
So that search-ms protocol handler, you can pipe, like, a whole bunch of parameters through it, and the parameters basically modified the Windows Explorer window to really hide what was going on behind the scenes. So the reality was, this was a link that pointed to an SMB file share out there on the internet. There were actually quite a few different files on it, but in the Windows Explorer view, it manually edited it so it looked like you're in just the Downloads directory. It even manually modified the view for the file itself, like in the little window, so that it would hide all the artifacts that would show it was hosted on another site and just show the file name itself. It modified the search condition to only show a single file on that share, even though others existed, and it even changed the author name of that file to match the name of the individual that was the victim of this actual attack. So when you, like, hover over it, it shows your victim name as the author, meaning it does look like you just downloaded something into the Downloads directory, as opposed to how you're connected to a remote file share with something hidden in there for you to access. That was almost as critical from a perspective, like a dangerous, scary perspective, almost as cool as using Google Sheets as a command and control channel.

Corey Nachreiner  20:53  
It's definitely some very sneaky social, technical social engineering techniques. I mean, it's technical techniques to allow this, but that whole pop-up looking like it's your directory is really social engineering in a technical way. In my opinion, it's pretty cool. The Google Sheets for the C2, on one hand, I bet you it's easy C2 for researchers to find once they know about it, but it's non-standard C2. So, kind of from a security, for security in the threat actor's standpoint, I do always find it interesting when they use novel C2s, because a lot of security controls aren't really going to pay attention too much to what's going on in Google Sheets. I don't think. I mean, maybe some organizations

Marc Laliberte  21:40  
aren't going to exactly block docs.google.com. Yeah, exactly. It's a way to at least guarantee that, as long as your account as the threat actor remains active, you could really keep using this channel, because it's going to be extremely difficult to, like, you can't just block that. You would have to.

Corey Nachreiner  21:58  
One thing I found interesting, by the way, was early on Proofpoint thought this looked like maybe some red teaming, maybe some custom red teaming, and they obviously changed their mind on that eventually. But for attribution, they suspect this is APT-ish, but it doesn't seem like they have enough to really attribute it yet. They

Marc Laliberte  22:17  
said strictly based off, like, the volume of messages, the 20,000 messages, and some of their analysis of the malware itself, that changed their mind that it wasn't an APT, and it wasn't a red team, and now they think it was an APT.

Corey Nachreiner  22:31  
I think there was, what is it? Cobalt Strike payloads associated with it, which I think at first might make you think red teaming. But it's also interesting to me to see Cobalt Strike being used more in malware. I think we've talked about it before. It's, like, a pay-to-really-get-it, it's a very paid-for, commercial package. I wonder if there's any way to fingerprint people through it eventually. But I do know there's been pirated versions of it in the past, but my understanding is it's much harder to find updated versions that are pirated. So it is interesting to see potential real threat actors using paid-for pen testing, or at least considered good guy, tools.

Marc Laliberte  23:13  
It's because it's effective. Like, oh yeah, Cobalt Strike is a great red team engagement tool you can have for setting up a command and control beacon, and that is why threat actors use it. But either way, I mean, at the end of the day, they still relied on a phishing lure that someone had to fall for. They had to be tricked into opening Explorer, which is abnormal behavior from your web browser. Generally, your browser does not try and prompt you to open Windows Explorer, so that should have been another red flag. The icon, even though the icon looked like a PDF, it still clearly said shortcut. So there's enough red flags that, with a good enough training program, you can probably have a chance at catching this. But at the same time, relying on users not falling for a phish is a losing game, and that is where good endpoint protection will help out too, because at the end of the day, this executed a malicious PowerShell script, downloaded a malicious library and ran it, and all of those are easily detected by any EDR worth its salt.

Corey Nachreiner  24:23  
Interesting, very cool. It'd be interesting to see if they learn, I mean, we don't want anyone to be affected by this, but we do find it kind of interesting when they use new technical techniques that are effective, and it's very cool to learn about them, because then you can be aware to protect against them. But it'd be interesting to see if any other organizations, or Proofpoint, continue to learn more about this threat actor. Agreed.

Marc Laliberte  24:46  
So moving on, though, for the last story. Earlier this month, the White House unveiled its Service for America campaign with a goal of connecting more Americans to jobs in cybersecurity, both federal jobs and even private sector jobs as well. And this was basically just a giant announcement and campaign slash program built around a whole bunch of smaller initiatives that are all happening in a pretty short period of time. It includes some career fairs for federal jobs through the end of October, a bunch of seminars for job seekers on how to navigate the federal government job application process, which is a nightmare from what I've heard, workshops from NIST and other education institutes on exploring cybersecurity careers, and then, like, hundreds of individual events from just other organizations, entities, education places and everything. So Corey can pull up his screen real quick. We've got, they have, basically, they point to 500,000 unfilled cybersecurity jobs globally as, like, the main driver for this. Actually, 500,000 unfilled cybersecurity jobs just in the United States itself as the main driver for this. And the challenge of filling those jobs was what they're really trying to address. They lean pretty heavily on, so NIST has their NICE program, which is their National Initiative for Cybersecurity Education program, just basically a way to help guide people that want to get into cybersecurity through paths to get there. They point to this really cool tool that CISA has that I hadn't seen before, that Corey is showing right now on the video, which is their NICE Framework for work roles. And it's basically this giant, like, interactive matrix of five different areas leading from, like, IT, including cybersecurity itself and other adjacent areas like intelligence, and it maps out, like, all the different relations between different jobs you can have.
So for example, if you're currently a systems administrator, what are good jobs in, like, cybersecurity or governance that are an easy transition for you? If you're doing, like, incident response, what's the next step for you from that role? It's a pretty cool matrix to show you, like, different paths you can take based off of specific job roles, not just in cybersecurity, but in related fields as well. I really like this type of content. Like, I think cybersecurity can be a pretty confusing and complex field to navigate in. A lot of people just think, you know, I want to go hack stuff, without realizing there's, like, you know, does that mean you want to do penetration testing? Does that mean you want to do red teaming? Does that mean you want to do, like, vulnerability analysis? Like, there's so many different niches to find your way into.

Corey Nachreiner  27:43  
For the people that don't like to read, there's a video that the White House National Cybersecurity Director Coker has up there, and one of the things I noticed he said is something we've talked about: folks getting more people in cybersecurity, getting diversity in cybersecurity, schooling about it. But one of the things that he said is something I've said before, is not all the roles are technical. Like, there's probably this myth that to be in cybersecurity, you probably should either be a coder, or know networking down to a super level, or endpoint forensics. But there's a lot of, you know, governance and communication. I mean, anyone that moves up in cybersecurity, whether it's someone like Marc, a director of SOC, or a CISO, it ends up being those communication roles very heavily too. So I thought it was good that Coker reminded people that they are certainly looking for the technical roles, there's no doubt that there's a lot of technical that we want to fill in cybersecurity too, but there's other types of roles you don't necessarily have to be technical only for. Is this like the new recruiting, though, Marc? It's like, in the future, instead of recruiting for the military, are we going to have, like, draft videos of, I don't know, showing gamers and how playing games can relate to? I remember when they started using first-person gaming to try to get people to sign up for the Army or something. When

Marc Laliberte  29:13  
I first saw this whole campaign, and then trying to label cybersecurity as, like, a national service, my first thought was, does this mean I get to discharge the rest of my student loans because I've now done 10 years of national service?

Corey Nachreiner  29:25  
That would be cool, actually. If a particular White House wants to start giving away, or start helping pay for, education, this is a good kind of win-win situation, where they get something forward and maybe have an avenue to pay for it.

Marc Laliberte  29:41  
As much as I joke, it makes sense that the federal government wants to focus on filling cybersecurity roles. Like, it seems like every single week the FBI points out that other hostile nations are beating us, like 50 to one, in terms of just raw headcount in cyberspace. And I think they even said, like, if we had literally everyone in the US federal government that works in cybersecurity focused specifically on China, for example, they would still have us beat 50 to one. And obviously not all of them are focusing on a single country or a single thing, and, you know, raw headcount doesn't always equal raw output. But there is a huge number, not just in the federal government, but in the private sector too, of, like, unfilled, skilled jobs. But that's what

Corey Nachreiner  30:27  
I was going to say. I agree with you from the national perspective, why the government wants to do it, but I bet you a lot of just normal private organizations that aren't even considering global or national security are feeling like they don't have enough expertise here. So it's a win-win for everyone. Win-win. Go for it. So I, like, hot take, when

Marc Laliberte  30:49  
it comes to the technical roles. I don't think that there are any entry-level technical roles in cybersecurity. That's my hot take. So let me expand on that. So a lot of, in my opinion, has changed on this, like, over even just recent time too. That's where I'm at right now, where, you know, a lot of folks will go get a certification in something, or even, you know, go through four years of university, yeah, and then think they can jump straight into something like even an incident responder role, or, like, a professional penetration testing role. And what I think is missed without experience, even just in an IT field that you can transition from, is some of the soft skills that do not come along with those types of education paths, and also just the real world. So what

Corey Nachreiner  31:39  
I was going to ask is, so let me follow, I should let you finish first. But, like, I would assume you at least need to know about networking. Let's say you don't have a ton of experience using security controls. You at least need to know how networks work, or how Windows works. Is that what you're saying they don't have and are not getting in an education? Or do you just not consider that? To me, I consider that technical, and it's not, I agree with you, it's not security related, but it's a base knowledge you have to have if you're going towards a technical security role. You have to know a lot about networking and computing beyond security.

Marc Laliberte  32:16  
This is where I think my own opinion has evolved over recent times, where I think cybersecurity is less and less about finding and fixing a problem, because you can't fix every single problem, and it's more and more about prioritization and just managing risk and doing what you can. And that is what I feel like, coming straight out of a certification, you're not going to have that level

Corey Nachreiner  32:41  
of. So you're saying they're missing kind of the business side. It's not just, I was going to say business, but I'm not sure if it's just that. But I do agree. At the end of the day, there's a lot to do as a cybersecurity expert, and some has actual value to protecting the business, and some might just be busy work. So I agree that they may not. That is something that I find a lot of technical roles, even in IT, probably don't know at an entry-level position, and that is really the kind of experience you mostly only learn at the workplace. And I would say the people that move into leadership in IT are the ones that understand, you know, the ones who move into leadership, they might also be very technically adept, and ones that move beyond others technically, but I think it's more important for them to have that as a skill, of knowing how to prioritize what's important to whatever organization you're working for, which isn't necessarily what you would per, you know, like, if I were that person, I might think this is the most important security thing to do, but you're not doing it for you. You're doing it for the business. So that is not taught, but I think that applies to a lot of technical roles. Yes, but

Marc Laliberte  33:58  
even having a couple years of just professional experience in a company, not even necessarily cybersecurity, but like in something like IT, even, yeah, as like a starting point where you can understand how an organization works beyond just ones and zeros is, I think, a requirement to move into an actual cybersecurity role at this point, like at least one where you're going to have a meaningful impact from day zero. Moving into it makes sense to me, and I think that's the main limitation for why we have so many unfilled roles, because the majority of those are ones where you do need experience, like the role. It's a skilled role, and that is why I think we're having such a hard time, because it's very difficult for fresh cases,

Corey Nachreiner  34:43  
you need to find a way to be able to sign, bring set, like the thing is, at some point, no one has experience until they work for their first business. So there needs to be some business that has a way of onboarding and getting people up to speed on those skills as they're doing their day job. This is why

Marc Laliberte  35:03  
I actually like one of the big approaches that, like, the White House is taking with this whole initiative, is they're focusing also on internships, and more importantly, apprenticeships, where maybe you can get a worker subsidized, and so the lack of experience is a little more palatable, because you can afford to train them up thanks to, like, subsidizing that, subsidy, subsidies, and that is a way to build that experience with someone that is fresh, green, out of school or out of a certification, and that's cool. So those types of programs I think are important. Like, I firmly believe that, like, experience is more important. Like, education is important, I agree, don't get me wrong, but I think experience is more important in a professional setting, and getting that experience, I

Corey Nachreiner  35:50  
think the difference is, like, education can educate you about one topic, but no matter what job, there are things that you can only learn with experience. So experience. But meanwhile, on the flip side, as you're getting experience, you also can be educated about just about anything, like if you know how to really think. To me, like college, it almost matters less what your major is. It just shows you're able to take a topic, learn, pass it to some degree of understanding and do some work associated with it. So Ed, like, I don't think of the experience you get in college as necessarily having to apply directly to the job in some cases, you know, for technical stuff. That may be overstating it, but I feel like it just shows you can learn. And that way, when you do get a job, I mean, most jobs, you're going to have to learn something on the fly. And so to me, things like college and education are just more proof that this person is able to take a topic and learn enough about it to do some work that passes muster. Yep. So

Marc Laliberte  36:57  
either way, like, all that was a long-winded way of saying I really like that we've got a program, at least a focus over the next month and a half from the US federal government, to try and do what they can to fill some of these jobs and get people in a spot where they can fill them.

Corey Nachreiner  37:15  
On the joking side, now that the government's actually doing what we think is a respectable job of paying attention to cybersecurity and information security, I do have to say, the amount of time in the video or in all of their documents, they just say cyber, cyber, cyber, cyber. Like, as an industry, I remember when people used to gag and drink at Black Hat and DEF CON every time someone used the word cyber. 10 years later, I think the security industry itself is using cyber, so the government won. Language is fluid,

Marc Laliberte  37:49  
yeah, 100%, so we'll see. Maybe on October 15, once this is all said and done, maybe we can get some stats on how much of an actual dent it made on even, like, federal employment in cybersecurity. I'm sorry, in cyber, not cybersecurity. It's just a single word.

Corey Nachreiner  38:03  
You gotta shorten it. People on wall in the White House and in the Congress don't have time for the whole word. And just so you know, cryptocurrency is now officially crypto, even though cryptography has many meanings. So no cryptocurrency. Just say crypto.

Marc Laliberte  38:20  
Sometimes I hate a profession that I work in. I actually, you know, I'm not going to put that on us. Crypto is not our problem. That was a, it's all thanks to the crypto bros ruining them, but

Corey Nachreiner  38:32  
it affects us, man, because I do think people need to understand cryptography, what it really is, not just related to different digital currency. Anyways, at least there wasn't too much depressing news on this podcast. Yeah,

Marc Laliberte  38:47  
everything's great, except for those poor people that got phished. Hey everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, again, reach out to us on Instagram at WatchGuard, WatchGuard, WatchGuard, underscore technologies. Words are hard on Friday the 13th. Thanks again for listening, and you will hear from us next week.