Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
Know Your Enemy, Know Yourself
Ransomware gangs aren’t faceless shadows. Jon DiMaggio knows—he’s talked to them. In this episode, A.J. Nash sits down with the Chief Security Strategist at Analyst1 to pull back the curtain on the hidden world of cybercriminals. Jon shares how he builds detailed personas, infiltrates ransomware crews like LockBit, and navigates the psychological toll that comes with living a double life.
Jon breaks down the tactics behind covert engagements—how ego, language barriers, and criminal alliances can be used to gain access. He also talks through his storytelling process in The Ransomware Diaries and why long-form, evidence-based intelligence reporting still matters. This isn’t just threat research—it’s human behavior under a microscope.
The conversation also dives into attribution, burnout, and the personal risks Jon has faced. He opens up about being targeted, leaning on mental health support, and using fear as fuel. This is a raw, unfiltered look at cyber threat intelligence from the inside.
Unspoken Security Ep 33: Know Your Enemy, Know Yourself
Jon DiMaggio: [00:00:00] I'm very obsessed with my work and I do a lot of rewrites. There's been times where I haven't had time to do those rewrites, but for the most part, I do a lot of rewrites figuring out the structure, the flow, how to make it flow so that when you have a surprise or you don't know something, you don't see it coming.
I, I, I don't wanna start presenting too many hints before that. Um, so I, I really focus a lot, not just on the content, but on the way that I tell the story behind the content.
[00:01:00]
A.J. Nash: Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent 19 years in the intelligence community, mostly at NSA, and I've been building and maturing intelligence programs in the private sector for, uh, about nine years now. I'm passionate about intelligence, security, public speaking, mentoring, and teaching.
I also have a master's degree in organizational leadership from Gonzaga University, go Zags, uh, and I continue to be deeply committed to servant leadership. Now, this podcast brings all of these elements together with some incredible guests to have authentic, unfiltered conversations on a wide range of challenging topics.
This is not your typical, polished podcast. My dog makes occasional appearances, although she's not around today. We'll see what happens. Uh, people argue and debate. We even swear here. I certainly do. Uh, and that's all okay. Uh, I want you to think of this podcast as a conversation, much like one you might hear at a bar after a long day, at any one of the larger cybersecurity conferences that we all attend.
These are the conversations we usually [00:02:00] have when nobody's listening. Now, today I'm joined by my good friend Jon DiMaggio. Jon is currently the Chief Security Strategist at Analyst1 and a cyber crime hunter who doesn't just follow ransomware gangs, he infiltrates them. He's a former US intelligence analyst with a background in signals intelligence, which we have in common.
Of course. Uh, he spent his, his career going deep undercover inside some of the world's most dangerous cyber crime syndicates. This is where he and I differ. Uh, he investigate. He also has an investigative series, The Ransomware Diaries, which exposed LockBit's inner workings, and it earned him widespread recognition.
Beyond that, he's the author of The Art of Cyber, uh, Warfare, a two-time SANS Difference Makers Award winner. He's appeared on 60 Minutes and been featured in the New York Times, Wired, and Bloomberg, and he's a regular speaker at all of the major security conferences. But clearly this is gonna be the peak of his public appearances, as you can tell by that list.
So, Jon, anything you wanna add to all that?
Jon: Uh, you did a pretty good job, AJ. Thank you for, uh, the wonderful intro and thank you for having me, uh, on today. [00:03:00]
A.J.: No problem, man. I'm glad to have you here. Uh, what I didn't mention there, Jon and I have worked together before, uh, previously. Uh, we come outta the same agency. We've worked together in private sector, uh, and actually, uh, spoke together at RSA. Jon was on a panel that I, uh, moderated at one point. So, um, I'm, I'm thrilled you were able to make the time, man.
I really appreciate it. Your whole career has sort of just blown up, uh, since those days. You're, you're a big rock star now, so thanks for, for finding time to chat with me. Um, and so today the discussion, you know, we're gonna talk about, uh, the title is Know Your Enemy, Know Yourself. Right? So. You know, capitalizing on, on some of the things we just talked about in your background, you know, about going undercover, for lack of a better word, you know, going into these ransomware gangs and infiltrating 'em.
And I know you've made some friends along the way, I'm sure. I'm sure there's all sorts of foreign, uh, a, uh, assets that are really excited, uh, about you. Uh, but I, I kind of wanna get off to a start here and say, okay, if you're gonna do all these things, like, let's go to the very beginning. Like how do you start an, in an investigation from scratch?
How do you start, how do you, what's the first steps? What do you do to get going?
Jon: Yeah. So I mean, before you do anything, the, honestly, the most, uh, important part of research, [00:04:00] especially research where you're gonna engage with criminal adversaries is to do your homework. Uh, you need to profile them. You have to figure out where they live, where they spend their time. Uh, and I don't mean like.
Adversarial infrastructure, which of course you need to, to, to know and be aware of that as well. But I'm talking about like the forums that, or, or social media places, whether it's Telegram or, you know, some underground forum, uh, or dark web forum or whatever it might be. You need to know where they spend their time.
So there's a lot of preparation and that means, you know, not just profiling them, but profiling the people they work with, the people they buy attack resources from, but more importantly, the people they're friends with. And the reason that's important, uh, is you learn more about them and you need to know what makes them tick.
So you wanna identify whether there's, you know, strong political beliefs, whether there's, uh, cultural, religious beliefs that they have, or, or what often really important is to identify who they don't like, who are their competition or adversaries. And then you have to figure out the [00:05:00] approach. There's multiple ways to do that.
Um, but one of the, the most, uh, effective ways I found with, with a lot of criminals is playing on their ego. Uh, and again, sort of com building a comradery based on who they don't like or who their adversaries are. So you have to put all this together, come up with a game plan. Uh, make sure you have the resources, the, like, for example, if there's a language barrier, that's something you need to figure out, uh, ahead of time.
Uh, all of these are important. Um, it's, and whether you're gonna do something covertly or overtly, uh, I've done both, but most people don't do, you know, overt engagements where you're directly communicating as yourself. Uh, I've had, I, I have, and, uh, and, and, but my situation's a little bit different, but either way, both of them still require a lot of planning, understanding the person, what makes them tick, uh, and, and then you, you actually do the engagements once you've done all your homework.
A.J.: Okay. So that's, I mean, that's a lot of background information that you've gotta go dig into these guys. Right. And you mentioned a couple things I wanna kind of follow up on. Uh, let's start with languages, right? So, uh, most, I know maybe most, I'll say most, [00:06:00] most cyber criminals don't, they're not native English speakers, right?
There's, it's, the US is not the number one country for cybercrime. Not that we don't have our own, uh, but if you're dealing with, uh, Russian or Romanian or, uh, I could probably name a bunch of other countries. So, you know, nobody accused me of picking on anybody. You know, picking an Eastern European language, I suppose is the place to start.
Um, how do you manage that? Like, do you speak 28 languages? Do you have good translation software? Do you have a lot of friends who are linguists? Like how are you managing through that?
Jon: You gotta use the Duolingo app on your phone, man. No, I'm kidding. Uh, I do use that, but that's not, not for work.
A.J.: Duolingo. No, I wish I were
Jon: Right.
A.J.: ao Learn everything or something like that.
Jon: No. Uh, but you do have to have a plan with that. Uh, I can tell you some of the things I've done, but, but one thing to keep in mind, at least, you know, with the past five years I've been doing, uh, a lot of, uh, work with, you know, Russian, uh, underground crime, uh, cyber crime. And the thing about that, especially with ransomware, is it's the one of the very few [00:07:00] attack vectors where victims always have to talk to their attacker.
So most of them can at least speak in broken English. Uh, so for example, what I did with, with LockBit, when I began the covert part of the operation, um, I approached them, uh, speaking a language after doing my homework that I was pretty sure they didn't speak, which was German. Uh, and when they said, I don't speak that, I was, well, we both speak a little gue in English.
Why don't we, uh, why don't we try and communicate like that?
A.J.: You sneaky bastard.
Jon: I.
A.J.: You sneaky bastard. You tricked them into leaving their language. You sneaky bastard. No wonder they don't like you.
Jon: Right, right.
A.J.: That's, that's brilliant though. I mean, I, I, listen, I've been doing this a long time. I've been in the industry, you know, forever. I'm old. That's still brilliant. Like, that's the thing.
I was like, oh sure, of course you did. That makes great sense. 'cause a lot of people speak some English, so just pick something they don't speak either, and then find a middle ground. And that middle ground of course is actually your ground. 'cause English is your language. But, um, that's, I mean, that's, that's interesting.
I hadn't really thought about that. Is that, is that just a LockBit thing or is that a common tactic you've done with other groups?
Jon: So I actually got [00:08:00] that tactic, uh, from, uh, James Val, uh, ni I'm probably saying his last name, uh, incorrectly and bastardizing it. But he, he will be upset. But, you know, he's a former Recorded Future guy, brilliant pen tester. And, uh, he had done a bunch of work with, uh, BlackMatter back in the day and we were talking about this, you know, before I, I, I started this and, and he's the one who gave me the idea.
Uh, and it, it, it was effective. So, you know, it just like, you know, you have to have a, a good Rolodex of, of criminal entities to, to who knew you would, can vouch for you and things like that. You have to have the same resources with security researchers 'cause you're always gonna need help along the way.
A.J.: Yeah, it's a, I mean, it's a small industry, uh, and you know, I tell people a lot of times like, you're gonna make your reputation. And there's a lot of things that come with that, right? If you have a bad reputation, eventually you have a hard time finding a job. Nobody wants to work with an asshole. Uh, but also good reputations.
People want a team, like people wanna help each other,
Jon: Why you work for yourself, AJ?
A.J.: because nobody wants to work with an asshole. I'm cutting that shit out. Uh, no. It's, uh, it's maybe true. Uh, but I'm a good example, right? There's a lot of things I don't do well. There's a few things I do okay, but I know a lot of people who do a lot of things well, and I've convinced them that I'm a good guy and [00:09:00] they're easy to trick, apparently.
And so it's that teaming thing, right? Being able to work with other people. And it's, that's an interesting thing in the industry is we're all looking to do good things, most everybody at least. And so if you, if you build that network, you know, of, of colleagues and friends and you know, respected people who are like, Hey, I do this, you do that, that's cool.
We can team up. Bad guys do the same thing, right? I mean, they, they team up on things too. Somebody writes the code, somebody you know is, is better at, uh, you know, uh, at, I don't know, getting into a system. Somebody's better at the egress process, somebody's better at cash outs, whatever it might be, right? So we do the same thing on our side, but it's, um, going back into the, into the forms of the discussion.
So you mentioned. In this, in the case of LockBit. Right. That, uh, and we're not gonna talk a ton about LockBit 'cause frankly, you talk a ton about LockBit already. Um, and it's, it's a cool topic. I'm just gonna give you other things to talk about. Uh, but yeah, no worries. But I mean, you talked about, you know, moving to English, right?
Were you emulating a victim at that point, or, 'cause when you're emulating the bad guys, if you're trying to partner with these guys, you're trying to get in these forums and try to partner like that seems like, in my opinion, you'll tell me I'm wrong, uh, less likely to work. Right. So how [00:10:00] do you, how do you do that?
Or is it, when you're investigating these groups and, and infiltrating, you're not trying to be infiltrating as a, a criminal, you're infiltrating as a, as a victim.
Jon: Well, actually I took a different take. Uh, I approached them as an upcoming eager hacker who wanted to join, uh, their ransomware group. And they, this was back, uh, you know, 2021, uh, maybe early 2022, I can't remember. But, but that's where I started doing this. Uh, and, you know, I, I, I, they had, they had posted, you know, a bunch of things, recruiting, propaganda and things like that.
So, uh, and I was again, talking with a lot of their, their, their members and again, people who were friends with them, not just working with them. So, uh, I came up with this plan. I, I knew I wasn't going to get all the way in because at the end of the day, even if I did get, get in and they gave me access. Uh, you only have a certain amount of time where if you don't produce, uh, victims and gain a, a decent amount of money through extortion, they, they boot you out anyway.
Uh, so, so I was doing it more just to, [00:11:00] sounded like a fun idea at the time and I wanted to see what I could learn and where it would take me.
A.J.: It's nice to know that they have corporate KPIs. You have to, you know, to produce. Right. Otherwise, we're not keeping you around. Like, it's, it's good to know that even in the criminal world, it all comes back down to profit margins, right? Like, you know, we're not, we're not carrying you around. You, you know, you gotta make some money for us.
So when you're doing this, like, two things that that come to mind, uh, first we talked about some of this prep work, right? So for this, uh, this ruse that you put on of, you know, being a German native German speaker and, and moving. Are you building like the full persona, a full sock puppet? Like how deep do you go and how deep do they challenge you?
Are they, you know, they, they, are you challenging, you know, physical locations, education, background, like how, how deep do you go and how long does it take to build, you know, a really good persona that you think's, you know, virtually Bulletproof? Um, is, is the first question. And then, uh, the next piece that goes along with that is the infrastructure to go with it.
You know, so if you're building this persona that says, you know, you're a German, you know, native German speaker, and you gotta build all the things, the age and the, the gender and the location and the background, all this kinda stuff, right? I assume and tell me [00:12:00] I'm wrong. You have to build the infrastructure to go along with that or something that at least emulates it in case they check, right?
I mean, they may, they may wanna know that. So how, how does, how long does it take to do all that stuff?
Jon: Uh, well, so depending on the operation, there's different answers. But for anything where I'm gonna do like covert engagements, uh, I built myself a, a, a template that basically has everything a real person would ha would have. Uh, I kinda shopped that around with some other folks that do the same type of work, make sure I didn't have any holes.
And what I do is I just spend time creating those accounts, building out those profiles, building out history and a backstory. Uh, what I do or what, what I did. I don't have the same time today, but what I did for several years was I would have five accounts going, uh, I'd have three that were in development, and I'd have two that were operational.
One would be a supporting account. Or a backup account, uh, for if I lost access to still have some sort of access into the group. Um, and I would use that also to support that, that, uh, primary account. Um, but it was a, it's a lot of work. It's constant [00:13:00] development, but at the end of the day, that's what keeps you safe.
So you have to put the work in for that. It has to be believable, has to be a history. Uh, and there has to be, uh, you know, um, a lot of supporting accounts and details. So if they do check you out, it does look real.
A.J.: And then what about the infrastructure? Are you building? You're building a full virtual network. Are you using like, you know, virtual, you know, browser software, things like that? What are you doing?
Jon: No, that's a great question. So I, I used to build out my own, uh, virtual network. It's a lot of work. Uh, I used to be an engineer that was like 20 years ago. I don't have the time or the patience for that. So, uh, I use a great resource. Uh, it's, it's, it's from a company called Authentic8 and they have a tool called Silo.
And it's, it's the, the, and I, I don't get anything for saying this. It is the best, uh, resource for this type of work, uh, or any type of cybersecurity research that exists because it keeps you safe. Uh, it takes care of, um, uh, you have hop points, uh, all, all over the world. Um, and it also, like, for example, on forums, if an administrator goes and looks at the logs, they can see that you're [00:14:00] translating everything as you go.
Uh, what Silo does is it, it does all that outside of the session and, and presents it back to you. So in other words, there's no log or trace, uh, of evidence to, to follow you, to figure that stuff out. And, you know, who, who, who has the time to try and figure all that out on our, on their own? I know I don't.
A.J.: Mm-hmm. No, and, and for those who are listening, like it, listen, I didn't know that was gonna be Jon's answer. I, I know people are gonna go, wait a minute. Now AJ works with these guys, you know, at Authentic8, right? I've been a user of their tool. I've used Silo for like nine years, uh, for Oh, yeah.
Yeah. I, I've, it's one of the few tools, like, I've been in sales meetings and conversations while working for other companies. I'm like, oh, you gotta see this tool. Like, I, I love it and I don't use it as often or as well as you do, frankly. I, but it was one of those things that's the easy button to the dark web.
So, um, but for anybody wondering, that wasn't intended to be a plug, Jon just uses it. And that's just a, a convenience that I'm certain I will make sure the folks at Authentic8 hear about, because they'll be happy to know,
Jon: The reason, if I could just interrupt real quick. The, the reason I plug it or, or talk about it, well, one, you asked me, but the reason that, that I, [00:15:00] I, I don't mind mentioning them because I don't normally mention vendors, is because it is something that keeps people safe. And there's a lot of people who do this type of work who don't necessarily know what they're doing, um, or they're, they're new at it and think they know what they're doing.
And this will cover your ass a lot more than you trying to do it on your own.
A.J.: Yeah, a hundred, a hundred, a hundred percent. Uh, when I, I was introduced, I, I saw it briefly when I was still in the government space, but I really got a chance to play with 'em when I was, uh, in the bank. And because, you know, we had some brilliant people and I'm not an engineer. I can't build shit, really.
And we had this guy who built this dirty network and it was, you know, hopping and VPNs all this stuff. And it was like, oh my God, this is a lot of work and a lot of energy, and it was slow. And so I, uh, was introduced to the tool and I was like, all right, this just solves my problem. Like this is, I don't need to worry about the engineering stuff, it's, et cetera.
So anyway, we're not here to continue to talk about it, but in case somebody's wondering, it is a very cool tool and I'm happy to talk about it at length. And the CEO was just on a couple episodes ago, so. But the other question I had besides, yeah, besides the, the front end of, okay, all this research you have to do, which is a, a ton to build, to [00:16:00] build this persona, build these personas, these profiles, and obviously the engineering piece cut down 'cause you use an app at this point, but in some cases people do build these big networks, but then you got the back end, right?
You do all this work. Like these projects sound like they take a long time to, to run out. And then so how long can they take or do they take? And then what do you do at the end? Like what kind of, how long does it take to put together reports? What kind of output do you have? And, and who does that go to?
You know, besides writing books and doing public things to make yourself super famous and awesome, like, you're almost as cool as the Batman sign behind you at this point. But, um, but I mean, how long does it take to put all these things together? Like what's, what's the backend for all this stuff?
Jon: Uh, it so that the, the, the first, uh, ransomware diary is where I did the, the co, the, the covert part of that operation, or the most of the covert part of the operation. Uh, that actually took about about six months. Typically though, um, usually I, it takes me about, I. I put out like four reports a year with the ransomware diaries, or I did.
Uh, and so it's about once a quarter, but yeah, it, it takes a lot of time. Um, and not a lot of employers, you [00:17:00] know, would be on board for that. And um, that's one thing where I'm glad that, you know, my, Analyst1, the company I work for, was patient with me because, while everywhere I've worked long-form reports don't do well.
My, my, my, my ransomware diaries, each one, each volume is like, you know, between 50 and 70 pages for the most part. Um, but they, they trusted me. Uh, and that was a story. And I'm a storyteller. I, I love to make cyber work interesting and, and not just have a report with IOCs and details. I, I want to tell the story.
That's why I wanted it to get to know the, the humans behind it. Um, but, but doing that, you know, it, it's had a ton of success. Um, and it wouldn't have had that when we, when I've written short blogs, they have not done well. Uh, so there's exceptions to everything. And when content's done well, I think even if it's lengthy, uh, you can still have a lot of success with it.
But they definitely take time, a ton of work, uh, to answer your question. But the writing phase, yeah, that's, that definitely. Uh, honestly, that takes me anywhere from one to two months. Uh, I'm very obsessed with my [00:18:00] work and I do a lot of rewrites. There's been times where I haven't had time to do those rewrites, but for the most part, I do a lot of rewrites figuring out the structure, the flow, how to make it flow so that when you have a surprise or you don't know something, you don't see it coming.
I, I, I don't wanna start presenting too many hints before that. Um, so I, I really focus a lot, not just on the content, but on the way that I, I, I tell the story behind the content.
A.J.: Well, and that's, and that's interesting and kudos to, to Analyst1's leadership. 'Cause like you said, that's a challenge. Most organizations don't, don't wanna buy into that. They just want things quick. Right. Everything, it's fast. And, you know, ROI, you know, return investment's a really big thing and you know, if you say, Hey, I'm gonna do this thing, it's gonna take months.
And, you know, don't know for sure what we'll find, don't know what the output's gonna be. It's hard to get somebody to see, to see that strategically and say, oh, I, you know, I trust you. This is gonna be very cool. Let's do it. So, um, you know, it's pretty awesome. Go ahead.
Jon: On that with Ransomware Diaries one. It's funny, uh, because I, I wanted more time. I was unhappy with it. Uh, they insisted. 'Cause that one, I had [00:19:00] spent so much more time than any other report on. And, uh, I had just come back. I had won the, uh, SANS Difference Makers, Difference Makers Award for my book. And it was just before Christmas.
And all I wanted to do was take some time off and relax and come back to this. And they were insistent that I finish it. And I just, I was like, okay, well, you know, I just won this award and it was like. You know, it's one of those things where you, you can sit and, and be like, oh, pat yourself on the back on how great it was.
Or you can just get back to work. So I was like, let, let me just do this. And, uh, and we put it together and we got it out. But I was, I was, I remember I, the first person I shared it with was, uh, Dina over at Click here, uh, the podcast. And, uh, she's a former NPR reporter and I'd sent it to her and, um, she, she came back to me and she was like, she said to me, you have no idea what you have here.
You're really underselling this to me. It was, you know, just another report that I'd written and, and it will ended up being what will probably be the best work I've ever done in my career. So,
A.J.: That's incredible. Well, and it sounds like, like you said, you, you. [00:20:00] You didn't want to release it that soon. You wanted more time. And I have a hunch not to speak for you, but you know, I've seen this, and I've seen this a little with you as well. It's that whole, you know, perfect as the enemy of good enough, right?
And, and caring so much about the work and being so diligent, which is, you know, what, we're all raised to be in the agency. Frankly. You also get to the point where it's like, it's never good enough to publish, right? So it's sometimes it's nice to have somebody kick us and go, listen, it's gotta get out the door, right?
You, you can't continue to shuffle words forever. Uh, you know, it's that balancing act. You don't wanna rush it bad, you know, bad intel, you know, rushed Intel's bad intel, and you get bad results. But, uh, but it's good. In this case, it sounds like it was the right balance of you. You were in a good spot and somebody had to push it a little bit.
And, you know, as you said, it sounds like it's some of your best work, which is, which is saying a lot at this point, frankly. Mm-hmm.
Jon: know, 14 years in the intelligence community where everything has to be timely, quick. It's not about telling this story and having the layout, but I. At my current job, that's what, you know, this is a different process.
It's a different end result to different [00:21:00] audience. So that's the reason that with this, I'm different. You know, when I'm writing something that's for intelligence purposes, that's about time, speed, and accuracy. Uh, so there is a difference. And you do, for people listening, you do have to, 'cause I've worked with people that never make their deadlines, uh, take forever.
You know, it, it all depends on the dynamic of what you're writing, the purpose of it and where it's supposed to go. And, and obviously your handlers on when they expect something to be done. I think I've only missed a deadline at Analyst1 once. Um, but for the most part, I always try to make my deadlines and it always involves me working like the month before, seven days a week, crazy hours, because I obsess about my work.
But that's on me, not, no one makes me do that.
A.J.: Yep. And I get that. I mean, I, I, I'm also somebody, a lot of my stuff comes outta the last minute cramming that has more to do with ADD and, and poor planning sometimes. But, but also it's a, it's a forced thing. And there's a lot of people in our industry who have, you know, ADD or ADHD and part of that is you don't perform well until you're forced to.
Uh, you know, and so I don't, I know if that applies to you necessarily in this case, but it, it applies to [00:22:00] me a lot of times. So you're gamifying it. What's that?
Jon: I always perform well. I'm just kidding.
A.J.: Look at you. That's well done. As I'm gonna, I'm gonna keep that in. That's gonna actually be the clip that I'm gonna use to promote this show.
Jon DiMaggio. I always perform well. Uh, I'm actually gonna pull back, we did mic check before this all started, and Jon also went into the microphone and said, I'm Batman, so I'm gonna take that and I'm gonna say I, I'm gonna put those together and, and we're gonna have fun with that, but
Jon: I can't
A.J.: maybe, maybe we can get it as like a mix.
So listen, I wanna move on to, to another, you know, piece of this, another big topic when you talk about, you know, the research and putting all these things together, and it's a bit of a shift, but we run into this a lot, is, attribution is a big challenge, right? So now again, you're in these spaces, so in some cases I'm sure it's less of a challenge as to which organization is involved 'cause you're there, right?
But it's really common that we run into challenges. I've seen a lot of, I know you have too, of there's this rushed attribution who did this. And sometimes it's important to know, like people ask, you know, why do you care? Well, attribution matters. If you want to know, you know, if it, what might happen next, what their motivations might be.
There's a [00:23:00] lot of reasons to want to know who did it. Some organizations like, I don't care. Just stop it. Just make it go away. And that's, you know, are, are we likely to see it again, that may have to do with attribution as well, but there's also a lot of challenges with attribution. So I'm curious about your thoughts on how do you get to the point of attribution on adversaries when you know isn't direct access like this, and what do you see as a lot of common mistakes that, that others are making in this area?
Jon: Yeah, I, I am a, a stickler for attribution. You know, I, I learned how to do it, uh, with an intelligence value. I was trained how to do it, uh, in the government. Um, transitioning to the private sector, uh, I sort of learned how to apply it, uh, through cyber a little bit better. Um, and in my book, I wrote a whole chapter on it, uh, with covering pitfalls and what to do and how to use case.
Uh, and I'm gonna answer your question, but, uh, in that, in my book.
A.J.: book.
Jon: Uh, which I should, yeah, I don't have it right here in front of me, but, but yes, I should have. Uh, but, but in the book, uh, I did a whole chapter and I had a use case. The use case was great for teaching because everything fit perfectly, but that's not what real world, uh, work usually is for [00:24:00] attribution.
So I got a paper coming out. My next one, uh, is on the 22nd of April. Uh, and it's about how to do evidence. It's the same model from the book, but how to do evidence-driven, uh, uh, attribution, applying weight, uh, making assessments, uh, having a hypothesis, being able to defend that, all that stuff before you actually make attribution.
The reason I spent and, and then I do a use case with, with BlackCat, uh, because I, there was a lot of people out there on social media, even in actual reports that, you know, were making comments about how BlackCat is this group or another group and, um, that there was sort of, take-my-word attribution and that's becoming more and more popular and it,
it's a problem because you're not providing evidence. Uh, people get it wrong. Other people run with your attribution, and it's sort of a snowball effect. And I have a, I have a big issue with it. Uh, I want you to be able to give me evidence if you're gonna make that statement, otherwise, it's your opinion and qualify it as that.
Um, so, but, but the pitfalls that people make are, are just that making an as, uh, letting their human bias or their assumptions lead to attribution, not [00:25:00] supporting the attribution. Or, um, using either too little evidence or the incorrect type of evidence to make that assessment. And I'll give you an example.
You know, a lot of people make at that, with this BlackCat thing, a lot of people made attribution as to whether they rebranded or not based on a group having, uh, code overlap in their ransomware payload. And people are like, ugh, BlackCat is, you know, they're, they rebranded into RansomHub. Uh, and then, you know, about four months later, another group appeared, uh, Cicada3301, and magically they also had, uh, a lot of source code overlap, even more so than RansomHub had.
Uh, and people made attribution to that. Well, here's the thing. You should never make attribution or rarely make attribution based off of sort of one, one vector of the, the diamond model or, or, or one piece of evidence. You wanna have a well-rounded, uh, uh, balanced, uh, uh, attribution, um, evidence to support that.
So, so you wanna have multiple vectors and then you wanna qualify it. You wanna say, okay, I, I believe this with either this is low, medium, or high [00:26:00] confidence. Um, you wanna put weight to each piece of evidence and you wanna have somebody besides yourself help to, to qualify that. And what I mean by that is you get too close to it.
So, uh, what I do is I have my team, or when it comes to me, or, or with them, but for like, for me, with, with it, we'll, we'll sit down and I'll have somebody take the, the other side that, that I'm wrong and do their homework and try and poke holes in it. And if I. Uh, and support what I'm saying with, with, with the evidence, then, then we don't go with it or, or we'll give it a, a lower confidence rating.
So if something has a low or medium confidence rating, often I won't go public with it. But internally I'll, I'll put that assessment there and we can continue to work it. Sometimes I'll say publicly, okay, I believe this with medium confidence and here's why. But if I have high confidence, that's where I go with it and I run with it.
Um, but again, you'll not see me, uh, at least not very often. I'm sure I've made some mistakes out there, but not very often when you just see me say, oh, such and such is this group. Without providing evidence with those exceptions, obviously, where it's, you know, the, [00:27:00] the group has, has said that they did it.
They've got the, they, they've provided the evidence, they have the data. You, you've checked, it's not out there. There's samples of it. You can validate it. Uh, the victim may or may not have, have acknowledged that this is it. You know, those are those situations where it's a little bit easier. But when it comes to something where someone's trying to deceive you and they don't want you to know about it, like.
Rebranding, for example, it's not gonna be that easy.
A.J.: Well, and it's good. You made a lot of great points and a lot of 'em that, I mean, I, I'm sitting here smiling 'cause it reminds me of, you know, the old days, like for those who don't know, the diamond model, it goes back a long ways. Kinda gives away how old we are. I remember like Diamond model was created at the agency.
I was there when it was being authored. And uh, the purpose of the diamond model, which I'm trying to try to remember the four sides of the diamond model now. I know infrastructure was one, uh,
Jon: Infrastructure and malware. Uh, yeah.
A.J.: There's a couple others. I, I'll look it up. I'll figure it out. Somebody will, will figure it out.
But the reason we came up with it at the time was because, uh, this was, this was, uh, we were trying to explain to leaders, to executives how all this does, how all [00:28:00] this gets done, and put it in a, in a visual form, but also some justification of saying why attribution, how do attribution, why it's done this way, et cetera.
And you had to have multiple points, you know, it gave you better confidence, as you said, confidence rating straight out of, you know, intelligence, community directives, low confidence, you know, maybe is kind of, kind of, I mean, there's statistics to it, you know, moderate, you know, medium confidence, you know, more likely than not 50 50, that kind of a thing.
But, um, but it was putting that out there. And I think one of the challenges that I've seen at least is, is in the private sector, listen, there's still, there are a lot of people who came outta the government space of the private sector. They were born and raised and trained in this stuff for years and years and years.
And I'm not saying that you can't be. An intelligence professional if you didn't go through that process. But I am saying if you did nothing, if you were a, uh, nothing intelligence related to be clear, if you were an incident responder and maybe a great one, you're not suddenly an Intel person. Right?
There's processes and standards and procedures and it's easy to fall into those traps. 'Cause every junior Intel person did. That's why we were trained out of that stuff. And even if you get, you know, the SANS course, which is a really, really good [00:29:00] course, it doesn't give you the experience, it doesn't give you that, that knowledge, that background.
It doesn't give you the, the hump, the humility, frankly, to have been in a bad position. So you realize, Hey, I gotta peer review this. You know, you gotta have somebody set up, like you said, the challenge. It's, you know, one of the analytic techniques to somebody take the opposite position and try to push as far as I can there and see.
If they poke holes in it that you might not have seen, 'cause you're so close to it that you, you have that bias, even if you're trying not to, you, you've come to believe this is, this is something right. And those are things that you only experience through a lot of effort, through a lot of training. And also, like I said, the humility of being wrong, uh, and being so determined to say it was definitely this and then somebody proves it's not and you're like, oh, it's terrible.
But I fear that part of it is, like I said, part of it is people that have intelligence titles but weren't put through these processes. And it's not necessarily their fault. Companies said, Hey, I wanna go into Intel. And suddenly they took a team and said, you're the Intel team. Now, that's not quite how it works, but also this push.
Sometimes in the vendor space, I suppose, or, or sometimes through marketing of wanting to have the big splashy thing, right? I, I've worked with marketing teams and I've written stuff and they go, Hey, can we get rid of this low confidence thing? And [00:30:00] just, you know, just say it's that. I'm like, no, you can't, you can't do that.
There's a reason low confidence isn't really flashy, you know, it doesn't, it's not a good marketing piece. I'm like, well then don't publish it. 'cause it's low confidence for these reasons. You have to educate people that confidence matters, right? Uh, but it's challenging I think. 'cause you see people that either are, are.
Misattributing things and they, and they don't have enough evidence as you pointed out, and they're either doing it 'cause they don't have the experience and the knowledge or worse yet, uh, it's intentional. Like somebody, somebody's told 'em to do it. It's for marketing purposes, it draws attention. Um, and it's sad because as you said, it, it snowballs.
You know, we're at a point now where that gets out and somebody else echoes it and repeats it and next thing you know, you got hundreds of people saying it, and now it's circular reporting that people are saying, well, that supports it. Well this guy says so too. This. And it all came back to the same thing.
It all came back to one flawed analysis, assessment based, you know, assessment based on one piece of evidence. You know, recycled code is far from, you know, conclusive. Uh, bad guys are great recyclers, you know, they do more recycling than I do at the house for sure. Um, so like, it's a terrible way to decide.
This must be them. Right? It [00:31:00] could be, but must be is a, is a far away from that. So it frustrates me. Go ahead.
Jon: You hit, you hit on a point there. Uh, you know, when, when I, I spent years trying to, uh, to get my book published and, uh, I really wanted to go with a big publisher. Um, and when I, when I began talking to, uh, to No Starch Press about doing this book, I, I remember when I had, I just had an outline at that point, and I had a sample chapter, but I remember, uh, having a discussion about the, an entire, the, the, the, the publisher said, me, you wanna have an entire chapter about attribution.
And I was like, absolutely. And I just remember having to explain to them. Almost like this conversation, but what you just said to me, not everybody comes from an intelligence background. Uh, but on top of that, through all the many, many years of experience now, you know, I, I, I, I altered sort of that process and I made it more applicable to be used in the private sector.
And that's why I wrote that whole chapter is so that there would be a resource out there that tells you how to do this sort of, you know, analytically driven attribution, um, because it didn't exist. You're right. Uh, and I [00:32:00] think that's one of the reasons the book has done as well as it has.
A.J.: Yeah. And, and that's, I mean, that's a service to the whole community. And if anybody hasn't seen it, uh, and you don't have the intel background, please read it. Please. And please understand, I'm not trying to insult people. I, I realize, and I'm also not trying to be a gatekeeper. I realize I get passionate sometimes about, if you're not an Intel pro, don't lead Intel teams, et cetera.
I'm not saying that these are things that can't be learned. They can, like there's, I know lots of people in the Intel community, uh, that aren't special or brilliant, um, you know, myself included, frankly. But, uh, we, we were, we were in it. Like we learned it, you know, I I, we went through years and years of school in training a lot of times through the military or whatever it is.
And it is a set of, you know, it's, you know, Liam Neeson, a certain special set of skills or whatever, but, um, but it is, you know, there's, there's something to it. I think a lot of people have lost that or didn't know to begin with. They think, well, Intel is just, you know, smart people using Google. And that's, uh, sometimes true.
But, uh, a lot of times there's a lot more to it. And you get into structured analytic techniques and you start talking about intelligence community directives, and you start talking about JP 2-0 and people go, well, I don't, I don't know any of these things. That's 'cause you're not an Intel pro. I mean.
Don't feel bad. I'm not trying to insult anybody. I'm not an [00:33:00] incident responder. Uh, I, you know, I'm not a malware analyst. There's a lot of things that I don't do. I think it's important that people understand the difference. And it's great that you have, you know, this book, uh, is one of these good resources where people go, okay, I get it.
I can, I can learn these, these nuances. Uh, and then teaming with other people, as you said, which is always good advice. I, I don't know anybody who's good at this job who doesn't do that. I don't care how long you've been doing it. I, I've been doing it for 20 some odd years, whatever, it's now I'm old. You gotta have somebody, you have somebody to peer review.
You got somebody to team up with, somebody to challenge you, somebody you, you respect to challenge you. Uh, you know, the best intel teams I worked on, there were fights, like, not physical, but there were arguments and passionate fights. And you're like, well, okay, you need that, right? I mean, that's how you find out what, what's real.
'cause this shit matters.
Jon: And, and it's better to do that. And, and, and if you're right, some people do get upset about things like that, uh, because they're so close to it. But it's much better to have that bad day in the office with your peers than on a very public level where the whole community sees it.
And, and you're proven wrong there. That's a lot worse. Uh, I remember, so my book [00:34:00] hadn't come out yet. It was getting ready to come out. And there's a, uh, there, there's a, he's a good friend now. Uh, Will, Will Thomas. He, uh, he, he goes by BushidoToken on, on, uh, on X. But, uh, even after everything I just said.
I had put something out there without just human bias. I had said some, this, this group is, is X. And um, it did it, I mean, it ended up being accurate, but I didn't do all the things I just said to do. And he again, was a public level and I didn't know him. Then he challenged me and he kind of backed me back down and, and I went to him offline and I was like, Hey man, I, I thank you for doing that.
Uh, you know, I am a stickler for attribution and I literally did what I always tell other people not to do. And we became really good friends after that. But, uh, but it can happen to anybody again, it's just you, you have a bias. You don't even know what, it's so easy to say that group, group A is actually group B, and, and, and you might be right, you might not be, but if you don't provide the evidence, other people shouldn't use that as attribution and you should get in the habit of not doing that.[00:35:00]
A.J.: Well, and you hit and you hit it on the head. I mean, that was the big piece is that you had the humility, like we see this all the time on social media, whether it's, you know, whether it's our work or anything else. People having a position, it's not a supported position. And then you challenge them and they just dig in and, you know, throw a bunch of slurs at you or whatever it is.
Right. They give, and, and I'm a sucker, I admit it. I should stop being on social media 'cause, again, it's, it's ingrained as an intel person, somebody has something and I'm like, well, this, there's no logic to this conclusion. I should just go, yeah, there's no logic and move on. 'Cause they don't wanna hear it anyway.
I'm sure. But sometimes I jump in like, well, hold on a second. What about this, this, this? And then suddenly I'm, you know, accused of a lot of things. Some people have the humility, but most don't. And I, I guess it's, you know, I've been doing this so long, like I said, you have some of those bad days in the office, but everybody also understood we were all on the same side.
It's all to get to the right answer. Um, you know, if I ask you a challenge, a challenging question, it isn't meant to be personal. I'm not trying to challenge you. Uh, you know, I'm trying to get to the thinking and, and I've also found, by the way, I'm, I don't know if you have. I'm sure others in the industry have, at least, it's not always well received by friends and family as a way to live.
[00:36:00] Sometimes people do get tired of that shit, and they're like, why is he constantly questioning me? I'm like, it's not, I'm not questioning you. I think there's a lot of pieces missing in this. Help me understand why you believe this, or why I should believe this. Because you do it so long, it becomes who you are.
Right? It's ingrained, it's a habit. It is not necessarily the greatest way to win friends and influence people. Uh, so I've, I've found you, you kind of have to massage that in the rest of your life. Be like, you know, temper how you ask these questions, but it's very hard to just accept things at face value, uh, and it's hard to watch other people do it.
Um, so I, I'm sure you've seen some of the same stuff.
Jon: Well, you gotta check your ego at the door as well. Uh, I mean, I don't care how long you've been around, I don't care how good you are. There is gonna be somebody, regardless of their experience, that's gonna be able to teach you something. And it's when you put your ego above that, that you stop learning.
Uh, and it's also where you make the biggest mistakes. Uh, and that's very difficult to do, but it is very important to remember that, uh, we're all human. We all make mistakes, and none of us are perfect. And, uh, and to back, get back off that ledge, you're not the greatest out there. Uh, there's always gonna [00:37:00] be somebody smarter, uh, that sees things differently, uh, and, and can provide a, uh, an angle or a view that you didn't even think of.
A.J.: Yeah, usually it's you, but who's the smarter guy? Usually it's you. But, uh, but no, I, I'm with you. So we've sort of leaned into the, the last question I wanted to ask on, uh, on this topic, but we've already started, started, but I'm curious, other thoughts on it. So you've been doing this a long time, like I said, uh, we both have at this point.
And so you've seen a lot, you've done a lot, you've done a lot of really amazing things. But what do you see as like the hardest part of doing the kind of work you do that people may not realize?
Jon: Yeah. So there's a couple of things, uh, for one, when you're doing work with, uh, that involve engaging actual human beings, regardless of the being criminals or not. Um, there's two things. One, it takes a lot out of you. Uh, there's no nine to five, there's no taking off on the weekend. There's no taking your vacation and just leaving work.
Uh, you know, I, I don't know how many vacations I've had to bring, uh, my, my research laptop and, and, and do work because I'm pretending to be somebody. Uh,
A.J.: Who's [00:38:00] not on vacation? The fictional person hasn't taken a
Jon: right. And they're in a different time zone, and I have to be available at certain times. And you've worked so hard to get there, you can't throw it away because you want to go chill at the beach with your family or your friends.
Um, but, and, and it's a lot of late, late hours. And then you've got your corp regular corporate duties on top of that. And what ends up happening is, is burnout. Uh, especially because a lot of companies don't understand what goes into doing that type of work, uh, and, and, and the toll that it takes, uh, in addition to the, the time and the resource toll.
The other aspect is, and this is something I I, I really have struggled with, um, is sometimes, you know, there's bad, well there's, let me just preface it with this. There's two types of, of, of criminals out there. There's the ones that are just. Born bad. They're just bad human beings. And there's the others that are, have good in them and have chosen to make, uh, have chosen, made poor decisions and chosen the wrong path.
Um, and some of those people are likable. And if they weren't criminals and you just met 'em under different circumstances, you'd become friends with them. And I have become friends [00:39:00] with some of these guys. That does not stop me from doing my job, but it, it is hard. Um, you know, when you've made a relationship with somebody, you, you, you do have, um, an understanding of them and, you know, then I gotta go write a report where, you know, I'm, I'm making their lives a lot harder.
I've written reports where after the fact they've been like, you know, why did you do that? Uh, the FSB came to talk to me today, or people know who I am now, or things like that. And it, and it makes it really hard, uh, because, you know, I'm, I'm a human being. And again, when you actually get to know some of these people, it's, you can't control who you like or you don't like.
You can control what, how, how you feel. You can't control, you can, can feel, you can only control what you do with that information. And the day that I either stop doing my job or I don't do the right thing because of any influence or feelings I have will be when I stop doing this type of work. Um, but I, I've always, I've always done what I need to do.
I, but yeah, it, it, there's times where I felt bad. The other aspect is. You get some with other people, the really bad [00:40:00] ones, um, you can't tell them you're, you know, oh, I don't like what you just said. Uh, and I'll give you an example. A lot of the, the Russian bad guys are really racist. Uh, they're also very homophobic and there'll be times where they'll say things and it
definitely bothers me. But if I were to say, Hey, man, what the fuck is your problem? What kind of, what, what is this like, you know, in the 1920s, like, who, who thinks like that? And, uh, or, or, you know, what, what is being hateful gonna, how is that gonna help you? What did this person do to you? I can't say any of those things.
And over time, seeing that, seeing the crimes, and again, pretending that you're one of them, it, you just feel like crap. You feel like a horrible human being. And again, um, you just get to where it, it's hard to get up and do your job every day. Uh, for the first time in my career, I took off, uh, like six weeks last year.
And I was just at a point where I was just so burnt out. It was just, I mean, mentally, physically, uh, I, I just, I, I couldn't do it anymore. And, uh, I just needed a break from all of it. And fortunately, you know, the, this two [00:41:00] year LockBit thing had, had come to a close and I was able to do that, but if it hadn't, I would've had to keep going.
Um, and, and again, a lot of employers don't get that. Um, and, and, and that's where it's really tough with this job. High burnout rate for sure. When you do engagements with human beings that are, that are, that are bad guys.
A.J.: Well, yeah, I mean, it's, it's hard on the family obviously too then, right? So you're, you're buried, you're doing work. Like I remember going back to Intel days at some, you know, some similarities, right? You can't tell people what you're doing necessarily. Um, they have to trust you. You know, if you have a relationship where somebody doesn't trust you, if you're working late, at least you know, you work from home now, which probably helps, but it was worse when you weren't.
But if you have to work late hours or odd hours, you know, maybe they don't trust the activities you're, you know, online, et cetera. It can really play havoc on, I know relationships, uh, family, you know, friends, et cetera. Um, and there's a secretiveness that's required, so there's a trust factor there. So, and then what you're exposed to, as you said, you know, there's, there's lasting effects to some of that.
Some, you know, some things in Intel, you get exposed to some just horrible things, whether it's attitudes, whether it's words, whether it's visuals. Uh, there's [00:42:00] some, some terrible things in the world, uh, that really eat away, you know? And I know, I know lots of people who, who do really well to take advantage of, you know, support systems, therapy and, and, and other things where they have outlets that they
use, uh, as opposed to just, you know, staying on the computer all the time. But a, a key piece that we didn't talk about yet that I kind of wanna hint on, but again, only as you're
Jon: real quick before you jump?
A.J.: Mm-hmm.
Jon: one more thing. Uh, though it's older, one of the best, uh, portrayals of, of, of what I just said about doing all this human stuff and, and pretending to be somebody else is, especially when you do it for a long period of time, all day, every day.
If you remember the movie, Donnie Brasco,
A.J.: I was thinking that.
Jon: he guy acts, you know, he's pretending to be a gangster, gets in with these guys lives and breathes it. And when he comes out, he struggles and he still acts like a gangster that, not not the gangster part, but, but whoever you're trying, like that literally happens where you, you've made yourself this person and you start to become that and you start to adapt a lot of these traits that aren't good.
And it's because you're consumed by it. And, uh, that movie portrays it [00:43:00] really well, uh, in, in the effect that it has on you and the real you in, in how it can change you and, and make you become somebody you don't wanna be. And I don't mean committing crimes. I mean your, your personality, your home life, the way that you act, your friends like it, it can change you.
A.J.: Yeah. No, it's a good point. I know, uh, in like the HUMINT circles and law enforcement I think also uses it, but we used to talk about going native, right? Uh, where you do get to a point where you lose yourself, and sometimes it even includes like committing crimes and doing things, uh, that aren't even authorized as part of the work.
Right? And you just lose yourself, right? You get so enmeshed. Uh, yeah, it can be really, really challenging. I know there's a lot of work that goes into to, that's why HUMINT agents have handlers. That's why undercover agents have handlers, you know, somebody you have to check in with occasionally to make sure you don't go over the edge.
You know, the, the human psyche is not bulletproof. Um, and you can find yourself going bad places. Um, so I mean, that's a really
Jon: is I don't have that. I, it's just me. I'm the only one in my company who does this. I don't know many. I, I do know people who do it, but I don't know a lot of people who do this work. So I, I don't have that. And that was one of the things I had to kind of learn [00:44:00] through the experiences I needed to find people who I could talk to and vent to.
And, and I do have a good circle of, of people from government agencies as well as the private sector who, who do, uh, similar types of work for a different outcome. Not necessarily to infiltrate ransomware group, but they spend their days talking to criminals, whether it's buying malware or data or whatever it might be.
But I do, I have those people to bounce things off of now, but I didn't for a long time. And that's also important to have that outlet, uh, as well.
A.J.: Yeah, that's a good point. You can feel free to add me. I know we're on signal. You know, we chat occasionally. Like if you need somebody, nobody else is available. Like I, I can do that for you as well, man. I mean, we're in the same circle. So I, one thing I did wanna ask, and again, this one, it's up to you as to how much you answer.
'cause this, I don't wanna put you at risk, I don't want you to put yourself at risk, not you would for me. But what about the, the far end of the sketch? You know, when we talk about, you know, the, the things people don't think about, you know, the dangers with this job. What about just straight up threats, you know, to you from adversaries, you know, we've talked about obfuscation, you talked about all the things you do to, to keep yourself safe, et cetera.
But eventually you go public with these [00:45:00] things. So as much as you did all that, LockBit's well aware that you exist. Like, these guys know who you are and these guys are criminals and there's a lot that goes with that. So, you know, do you wanna talk, and you don't have to if you don't, but do you wanna talk at all about how that, how that impacts you, how you mitigate that, how you, how you deal with those kind of things?
Jon: Yeah, I, I'm willing to talk about it. 'Cause I think it's important for people to understand, especially people who want to kind of go this direction, uh, within the field. Um, you know, the LockBit one's a good example. 'Cause that's one that's, I've written, it's public, but there are even more crazy stories that are not public on similar, uh, things that I've done.
Uh, but with the LockBit one, uh, specifically, you know, um, when things kind of took, took a turn there towards the end. Um, you know, when, when LockBit, uh, well first off, when I wrote the Ransomware Diaries, they started using my, my avatar. That's been talked about a lot already. But, but, but that, that, that's kind of a, an oh shit moment when you, when you see a bad guy on a forum and your face is there, uh, and then they're getting in arguments with other ransomware crews and they're staring at your face at some point, these guys are like, what the fuck is this guy staring at [00:46:00] me?
Uh, but, but you know, the, the, the thing about it is, um, when I, when the St. Anthony's hospital breach happened and, uh, I, I was very close with, with the leader of LockBit. Um, and I had, I was naive, I honestly believe, because previously he had hit this hospital called Sick Kids, which was a cancer hospital for children.
Uh, he, he, not initially, but eventually he gave them the decryption key for free so they could get their systems back online. I believed I could get him. To do the same thing. And, um, he had such a, a, he had no empathy. He didn't care. He, all he wanted was the money and didn't care that he was hurting children.
And I got so upset. Um, and, and, you know, it, it, it led to the, to my falling out. But, but once, and I started going after him trying to figure out who he was. I, I, I started working with, with law enforcement, uh, the FBI, NCA. It wasn't known as this at the time, but what's known today as Operation Cronos.
Um, and, and I, I was. I, I, I was putting myself on the line a lot more to try and, and get LockBit. At that point, I wanted to figure out who he [00:47:00] was and wanted to help with get him indicted and as well as some of the people who worked for him. And they had picked up on that. And, uh, I still to this day don't know exactly how they found out some of the information they found out.
But yeah, they started, uh, making threats and I got the official, you know, notification where, where federal law enforcement shows up and said, knocks at the door and says, Hey, um, there's a viable threat against you. Um, someone's trying to hire people to, to harm you. Uh, you need to be, be careful. We've got eyes out there for you, but you need to be aware of this.
Um, and, you know, my family's home when this happens and everything else, there's no, there's no hiding it, you know? Um, and you know, I mean, I, I'm, the, the only good part about my job is that I, I am divorced and my kids don't live with me. Uh, so, so there, there's less of a threat to, to them. Um, but, but I still have friends.
I still have family and, and you know, there's, people have to be aware of it. The neighbors see stuff going on, they wanna know it, it just affects you. But, but the amount, it gives you a lot of anxiety. Um, you know, I don't go anywhere ever without a gun. Um, and I'm not, that wasn't the case before. I mean, yeah, I used to work in law enforcement and [00:48:00] I did once do undercover work and things like that, but, you know, my normal day life in doing cyber, that's not, not how I have felt.
And, um, and, and now I never go anywhere unarmed. Unbelievably paranoid, but, but it's the weight on your shoulders. Um, it's the anxiety, the paranoia. Not everybody can handle that. And you have to learn how to handle that and use it to keep you safe and not let it tear you down. And if I didn't figure out how to do that, I, I wouldn't keep doing what I'm doing.
Um, but it's tough. It really is something that, uh, you know, mental health is a big thing. Um, you know, I go every two weeks and have, uh, for about 12 years now to talk to a therapist. I was there this morning. Um, you know, they think I have the craziest life. I tell them things that nobody else even knows, but, but it's like something out of a movie.
But at the same time, it's real life. So you have to be able to stomach it. And if you can't, you gotta stop doing the work because you can't let it destroy you or your family or your relationships or take a toll on your, your health and things like that. All of those things happen.
A.J.: Yeah, I mean, that's a good point. And I'm, I'm glad to [00:49:00] hear you mention, you know, uh, mental health, you know, and, and taking care of ourselves. That was a challenge, you know, growing up in the agency, you know, in the generation we did, like, I remember when you didn't do that, you didn't, we sure as hell didn't tell anybody you'd lose your clearance, you know, and it
Jon: Tell anybody. That's right. That's right.
A.J.: You had to keep it to yourself. And if they ever found out, if you saw a therapist and they ever found out, you'd lose your clearance over it, you know, and which was super dangerous. It just made people. Endure more things and, and possibly end up with poor results, you know, in their lives that could have been avoided if they just had somebody to talk to.
Uh, but the thinking was if you needed help, then, you know, you were flawed or broken or whatever. And, and obviously we've matured past that. I think for the most part, as a society, because you do have to talk to people. You have to unload some of this stuff and quantify this, you know, some of the stuff and, and, you know, make sense of some of it.
I'm not a bad person because I'm following bad people, you know, and, and, and dealing, like I said, with the far end of it, if they're mad at me now, and, you know, people can, can hurt you. You know, I know lots of people who at least at one point in time have been on lists. Um, you know, I'm not as serious as yours, but once for myself.
But, uh, you, you and, yeah, like I said, you gotta manage that and then [00:50:00] you gotta manage it with everybody around you. As you said, your family was home when this happened. It's very hard to, to help other people be like, it's okay. It'll be okay. I think, uh, and please don't run away from me as a result of this, but the work's just so meaningful.
Right. Um, so I, I appreciate you sharing it. I know that's, you know, that was when I was like, huh. Yeah. Yeah, absolutely, man. Anything you want.
Jon: You have to know how to channel that energy. As I mentioned, uh, for me, the way I channeled that is I, I went taken on those motherfuckers. I doubled down. At this point, I'm already at risk. I'm already threatened, you know, I'm coming for you. And, and I know that makes, I'm not trying to sound like I'm a macho and other stuff, but I'm telling you that that's what got me through it, is they came after me.
I wanted to, I wanted to make sure they knew who I, that I knew who they were. I wanted them to have so many problems that I was gonna be the last thing they were worried about. And the world knew who they were as well. Uh, and, and I doubled down and, and I, and I told them that, I told 'em that I was coming.
And, uh, that was sort of the, the, the, the end of our relationship. Um, but, but when that indictment came out, and, you know, [00:51:00] minutes later I released, you know, a 30 page paper with where the guy lived, all his information. I mean, I had stuff I didn't even put in there. I had his door codes. It was building, I, it was hard to not call him.
I had his phone number long before he was indicted and all, all that stuff. Um, but I, but that's what I did. I, I used that sort of anxiety, uh, you know, I don't know what I guess you'd call it. Yeah, fear. And, and, and I used that to channel to a good purpose. I put on, we, the Batman thing back there is funny.
I, I, I, I, I'm like a half boy scout, half Batman. That's not necessarily who I really am, but. In my work. It is because you, you, it's not that you have to be fearless. You have to be, you have to be vulnerable and, and, and understand your feelings and understand how to channel them in a direction that's gonna make it better.
So not just sitting in your room and letting all that stuff eat you away, but channeling that back and using it to motivate you, to make them feel the way that they made you feel. And that's exactly, uh, what I did and, and what I, what I continue to do when I find myself in these situations.
A.J.: Yeah. [00:52:00] Well, that's a good point. And it's empowering, right? Like you said, you're already at risk. So, you know, do I just stay in fear and cower or do I say, okay, I'm at risk, but I'm gonna, I'm gonna make this difficult because not always, I'm not gonna encourage how people wanna act in these situations, but sometimes that's enough.
Like people will back down sometimes if, if it's no longer worth it. You know? It's the whole concept of is, is the juice worth the squeeze? Hey, you're mad at me, I've outed you, I've damaged your, your business or, or whatever. But if I can also inflict more pain, if you bother me, maybe it's time to just pack it up and go on to the next.
You know, there's a, there's a long life, there's a lot of other people out there to victimize. There's a lot of things to do. Maybe this is no longer worth it. And, you know, criminals do tend to be a path of least resistance group. Yes. There's a, there's a code and there's, you know, there's retribution for some things, et cetera.
But criminals also, successful ones, long-term, successful ones tend to be path of least resistance. There's a point where you just go, Hey, it's just not worth it. The noise isn't worth it. The hassle's not worth it. I can mad if I ever run into that person, whatever, but I'm not gonna burn down my entire world over this.
And if they feel like, if anybody feels like this could cause me a lot of harm, or more harm or [00:53:00] more trouble, there's, there's a benefit to that. Now, for most people, I wouldn't recommend it. Most people don't have your skillset. Uh, but I, I get it. If you're already at risk anyway, just saying the hell with that.
I'm gonna, I'm gonna lean in. I'm gonna, I'm gonna make it clear that this is gonna be painful and then see if you still want to go.
Jon: I may not be, uh, a able to kick your ass in a, in a cage fight UFC style anymore. I'm 48 years old, but god damn, I'll fuck you up with a keyboard.
A.J.: There you go. I mean, I've, I've, I've had lesser experiences. You know, you get the bar fight type of thing. Somebody gets mad and they're upset, and you just look at, they go, listen, you're gonna win. You're bigger and stronger than me. Do you want a limp though? Like, you know, do you want the pain that's gonna take look?
Yeah. Listen, I, I've had those discussions. I'm like, clearly you're gonna kick the shit outta me. There's no debate. You're big, you're strong, you're young, whatever. Do you want a limp? Do you want have to get a tooth replaced? I'm going to take a piece of you. Is this worth it to you? And if it's, let's go, I mean, you're gonna kick the crap outta me.
I guess I'll, I'll deal with those consequences. But I will take a piece. And sometimes that's enough for somebody go, yeah, it ain't worth it. I don't wanna limp, I don't want, I don't want whatever's gonna happen. 'cause reminding people, [00:54:00] you're gonna inflict pain in return. And they go, yeah, maybe it's not worth it.
Please, if anybody runs in, into a bar, let's not challenge me to a fight. I'm not really interested in going down this path. So I'm not, I'm not a tough guy either. I'm not advocating for somebody to go pick a fight with me or whatever. But, um, but yeah. Sometimes you just gotta, you know, let people know. And, and, and I get it again, backed into a corner.
Like you said, it's not about being macho or whatever this is, you didn't have a choice. You were already being threatened. You were already at risk. It's not like you went outta your way to say, I'm gonna go take on guys. It's, it's not about being, you know, fearless or foolish. It's about, you know, the courage to, to try to defend yourself.
And sometimes a little bit of offense, or at least showing the possibilities is, is a really good defense. So listen, we're, we're running out of time. This is, I mean, I could do this all day. You're fascinating. Uh, but I do wanna get to the end of the show for everybody else who probably wants to do something else at some point.
So let's close this one out. Like, the name of the show is Unspoken Security. And you know, with that in mind, I ask every guest the same question and you don't get a pass either. And the question is, you know, tell me something you've never told anyone. Something that you know so far has been unspoken.
Jon: I have been, uh. I've been fired five [00:55:00] times in my career. Um, you know, people see where I am today and, um, make some assumptions. Uh, I've been fired quite a few times, um, struggled in my career. Uh, I've had, you know, mental health struggles, uh, dealing with things. Um, you know, that's why I'm a big advocate for it, you know, like, like you said, uh, when we work for the government there, you're not going to talk to a therapist.
You're not able to do any of that type of thing. Uh, you know, in, in, in the private sector, things get, get too stressed. I can light up a joint at the end of the day. You can't do that in those worlds. Um, and, and, you know, s so, but again, to answer your question, you know, like I said, um. It's really tough.
I've, I've talked about one, one event where, where I had lost a job, um, which, which kind of set my path forward with writing a book. But, uh, but, but yeah, even people think, oh, you're at the top of your, your game now and, and you're doing so great. Well, I got here 'cause I made a lot of mistakes. I. But I learned from them.
Uh, and one of the biggest things I learned from those experiences was to put my ego aside, um, and then to take the, what, whatever was behind it. A lot of times I, I didn't agree with things that, that led to [00:56:00] that, but you take that and you use it to make yourself better and use it to inspire yourself, uh, and use it to motivate yourself.
You know, the one that I have talked about publicly, uh, I still, I'm not gonna say who the company was and it's not on my resume, but, but when they, they, I was only there for like two, two months and it was one of the great, it was supposed to be one of the greatest jobs I, I could have gotten. And I was surrounded by really smart people.
And I, and I, but I, I'm very creative. I'm not like scientific in the way I do things, and it didn't fit with their flow. And I remember they told me I couldn't write and that I wasn't a good analyst. And, and it motivated me. And, and it's why I, what it motivated me to prove that to, to write a book, to get, to be better at being a researcher and analyst.
But I, but I had to put my ego aside with that, uh, and, and not just be like, you know, screw you guys. You know what you're talking about. I'm the greatest in the world. If I had done that, we wouldn't be sitting here talking today. Um, so taking those and, and learning a little bit about yourself, uh, feeding out what's, what's, what's not true, but, but actually being open to the fact that there's a reason that this happened.
So some of it must be true, uh, and, and trying to make yourself [00:57:00] better. But, you know, I, I got fired. Uh, it was in the DOD early in my career. I got fired because I had taken a job. I was there a week. Uh, I got the flu. I was out a week. I came back. I had not met the program manager 'cause he had been out that first week I was there and I walked in and this guy had his feet on my desk.
I didn't know who he was. And, uh, when I was younger I was very, I was in the power lifting. I'd come outta the military. I was all overly macho, if you will. I was, I was a pretty angry dude. Uh, had a, had a rough up upbringing and I was angry about it. Anyway, this guy had his feet in my desk and I'm like.
Who? And he's like, we don't, we don't call out sick here. And I'm like, who the fuck are you? Get your feet off my desk. And I pushed his feet off and we started exchanging words. And it literally ended with me putting the guy in a headlock in, in front of the, the, the government customer. Everybody. I was escorted out by DOD. I was fired.
Like it was a whole thing. Uh, but people, you know, I don't share those stories I did now. Uh, but that doesn't make me cool that, that showed that I, I allowed my emotions to get the best of me, and I ended up costing myself a job. Uh, you know, it was, I was an engineer back then, you know, it wasn't like I [00:58:00] had, you know, the namesake that I've now, where, where it's easier for me to get a job, you know?
That was stupid. It took me a while to get another job. You know, ego, man. It's, it's not, it's, it's not worth it.
A.J.: Yeah, I mean, that's, that's a, I mean, I was gonna say it's a great story. It's, it's, I mean, it's an amusing story. I dunno if it's a great story, but, but it's a great lesson, right? And I appreciate you saying that. I've had some amazing people on the show. You know, you're right up there, obviously, and I always appreciate, I listen, anybody who gives anything at the end of this, I appreciate.
But when it's somebody who, who reveals something like this, where you go, oh, like, okay. 'cause we get to a point, I think, where we start putting some people on a pedestal and you think, well, they're, they're amazing and they're perfect, and I could never be as good as them and whatever. And I've, I've done this thing so I could never overcome it.
And you're like, listen, most of us have some kind of junk in the past. Uh, it's, it's, sometimes it's, it's what led us to be. I don't, I shouldn't say us 'cause I'm not in the category if you, frankly, but it's like, it's what leads people to be better sometimes is to learn from that or worse. It's how you react to it, right?
Um, but it can, it can lead you to be better. It can lead you to find, you know, uh, how do I do this better next time I could find, find humility or find peace or, you know, get some learnings out of [00:59:00] it. Like I've been fired. Uh, I don't know any, I probably do, but I, most people I know I think have been fired at least once.
Uh, a lot of us have, you know, it may not say that officially it's, you know, there was a mutual agreement. Uh, yeah, sure. There was, there was a mutual agreement right after I was told I was no longer gonna come in anymore. I agreed not to show up. Uh, you know, the, some of those happen or you, you, if it's a negotiated thing, you can choose to resign, uh, or you're gonna be let go or, you know, we'll give you a couple weeks to find something else to do.
That kind of a thing. It's a nicer way of saying fired, but, uh, you know, it, it is what it is, right? And everybody I know has run into that at some point. And so I appreciate you mentioning that so that you know anybody who's watching, like, Hey, listen, you can overcome all sorts of stuff. Just learn from it.
Figure out what it is. If you're getting fired repeatedly, 'cause you're an asshole, stop being an asshole, uh, you know, or it'll keep happening. Sometimes you run into bad people and it happens too. But, you know, I appreciate you sharing that. It's, you know, for somebody who's done so much and is so well known now and is really one of the leaders in the industry to say, Hey man, I was, I was far from perfect and I made some bad choices and learned from it and overcome, you know, and that's, I mean, [01:00:00] that's a sign of just what kind of a person you are.
So I really appreciate you taking the time, uh, to come on the show, man. I've been wanting to have you on for a while, so I'm glad we were able to sort this out. Um, you're fascinating. Your, your career is fascinating. Uh, you know, I, I'd love to have you on again somewhere down the road. We'll see, you know, what comes on as you publish more things, uh, I'm sure I'll see you at, at some of the upcoming events and we'll get a chance to hang out.
Is there anything, any last words you wanna say before I close this out?
Jon: Just, just remember, we're all people. Leave your ego at the door. Learn just to, to learn what empathy is and, and, and try to understand that the better that you understand people, whether they're colleagues, whether they're criminals, whether it's your neighbor, uh, the better human and the farther in life you're gonna get.
I truly, I truly believe that in a world where we have a lot of, uh, a lot of hate, a lot of, uh, bad things that happen out there, you know, we just need to stop with that shit.
A.J.: Good words, man. I agree. Like, I, I can't add more to that, so I won't even try. I think those are, you know, strong and powerful words that people should, should take to heart, you know, it's a, it's a tough world. So, again, thanks for, for coming on the show. Thank you everybody for watching and listening. Uh, if you like this, please, you [01:01:00] know, leave feedback and, and subscribe and tell everybody.
If you don't like this, shut up and go away. Uh, no. But tell people, you know, and tell me. If you don't like it, we'll make it better. But I, I really appreciate it. We need more, more followership and more sharing of this information so we can have more of these great conversations. I can get more people like Jon to come on and talk about such important, you know, interesting conversations.
So, with that in mind, I'm gonna go ahead and, and shut her down for the day. Uh, I really appreciate y'all being here. Uh, this has been another episode of Unspoken Security.