The Power of Mentoring in Threat Research

As I took the stage at DEF CON 27, I looked out into the crowd. My close friend and mentor of more than 10 years had flown out to Las Vegas to watch me present my newest research and was sitting in the front row. I looked to my left, and my co-worker and mentee, who was only six months out of college, was preparing to present with me. My mind took a quick detour: How did we get here?

In threat research, there are many different resources to learn and grow from. Some researchers start their journey with formal schooling. Others find their way through capture-the-flag events (CTFs) or online forms and tutorials. Many, like myself, have used all of the above. While these are all vital places to build a strong foundation and fundamentals of the trade, over the course of a project there are inevitable questions that can’t be answered in the typical fashion. Questions such as, Where do I get started? What is the right attack vector? Is this path realistic outside of the lab? These types of questions can only be answered through experience earned over time—or by a mentor.

Where Do I Start?

Through mentorship, lessons that can only be learned through experience can be absorbed by a mentee at an accelerated rate. One of the most common questions I am asked by new threat researchers is “Where do I start?” Looking at this question in the example below can demonstrate the power of mentorship.

Here we have an unknown network packet in Wireshark. Through schooling, playing CTFs and online tutorials it is easy to understand how to use Wireshark and identify the basics of this packet. Most junior researchers in security can identify the header, protocol, IP address, port number, etc., with relative ease. However, when asked to reverse-engineer this unknown protocol and identify important values in the unknown payload, everything stops. Where do I start?  Google provides no additional information, there is no documentation or request for comments (RFC).

In reality, there are many valid ways to approach this but for now, let’s focus on basic static analysis. An experienced researcher may be able to identify the source IP address in the very first bytes of the payload, solely based on the fact they have seen this before. They have learned through experience.

By helping a junior researcher see this information—and, more importantly, explaining why this may be occurring in the real world—you have accelerated their learning. This is unlikely to be in a textbook or online tutorial, yet next time when asked they now may look for additional network data in a payload. You also may have given them a completely new outlook on what types of data to look for and provided a mindset on where to start. It is always possible that a junior researcher would find this completely on their own and still be successful, but now time has allowed for more learning to occur by both the mentee and the mentor.

The Student Becomes the Teacher

Mentorship, done correctly, is never a chore or a burden but a necessary growing opportunity for both parties. A curious mentee will start to ask questions that will spark more in-depth conversation. Generally, I have found this leads to learning occurring on both sides. Teaching or mentoring prompts me to look deeper into concepts and I usually will pick up on a nuance I hadn’t considered before, gaining a new perspective.

The technology and security world are constantly changing. The concepts I worked on early in my career have evolved or changed.  Now that my mentee is working on these same topics, new aspects are brought to light that I can learn at the same time. As my mentee says, “The great thing about hacking is that it’s always new, each new target requires you to learn at least a few new things you’ve never encountered before.”

Impact of Generational Differences in Threat Research

The earliest generations of threat researchers learned the craft before there was formalized schooling such as computer science degrees. The internet was in its infancy; therefore, CTF competitions and online tutorials were limited, if any. This created a different perspective on how to approach challenges. There was no Google or stack overflow code to depend on, forcing a different way of thinking.

Newer generations have a lot of access to resources and data, which shapes their skills in different ways. Consider memory management during coding in this context. My mentor learned to code on computers that had sometimes only 24KB of memory (for context, these days I would complain if a computer had less than 8GB of memory). This caused his shellcode to be very efficient, clean and concise—yet also very limited. I could be caught making sarcastic comments when he would change his code to save just one byte of memory.

In my schooling and experience, I was never met with such a harsh limitation. My shellcode was still effective—not always as efficient, but could also accomplish more tasks. When faced with a vulnerability that only presented a very small space for shellcode, I was able to learn from him; however, in contrast, when faced with more space, he was able to learn from me how to accomplish more in less time. When threat researchers of different levels can work together to teach and learn from each other, it’s a symbiotic relationship with wide-reaching and positive consequences for the community.

At DEF CON 27, I presented my research uncovering a vulnerability in a globally utilized industrial control system (ICS). My mentee partnered with me on the project, and less than a year out of college earned himself the right to present on one the stages coveted by researchers around the world. He earned this right by taking small concepts from me to accelerate his understanding of a theory and apply this to portions of the project. On this project, he wrote the shellcode, and since it was an ICS system the space in memory was very limited. Just like my mentor taught me, I was able to quickly explain the roadblocks and challenges to him he was about to face in having a small amount of space in memory. He was able to take this information and, while never had written ARM shellcode before, researched it, learned and then created efficient and effective code, cutting the project development and testing time down drastically while advancing his skillset. As a side effect, he was then able to learn even more concepts since his time was free to assist with the next task.

Great Acts Made Up of Small Deeds

“Young grasshopper, come here and tell me what you see in these packets,” shouted my mentor from across a crowded lab. The tone in his voice and the use of the name “grasshopper” meant I was about to learn something, whether I felt like it or not. Initially, I hated this nickname, especially the way it spread like wildfire across the senior leadership of my division, however, today I embrace this nickname, for now I understand its value.

Over my decade-long career, I have been truly blessed to have some amazing mentors guide me along the way, which has shown me the immense value of mentorship. As I took a breath to begin my DEF CON 27 presentation, I looked out among the crowd and thought, what is this “young grasshopper” going to learn today?

Douglas McKee

Avatar photo

Douglas McKee

Douglas McKee is a Senior Security Researcher for the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in penetration testing, reverse engineering, malware analysis and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement.

douglas-mckee has 1 posts and counting.See all posts by douglas-mckee