February 21, 2024

David joined Cosive in 2021 after five years with the Australian Communications and Media Authority (ACMA) and eight years with the Australian Federal Police (AFP).

David’s career has spanned many areas of cyber security, from fighting spam and securing the Australian IP address space all the way through to cyber crime investigations and assisting with the prosecution of cyber crime offences.

Outside of cyber security David is an avid chef, producing home made charcuteries, ferments and all things delicious.

In this interview we learn more about David and cover many different topics, like:

Whereabouts are you based?

I’m based in the Dandenong Ranges in Victoria. I’ve been here for about seven years. Currently looking to sell up for a larger property so I can get more of what I already have and enjoy. I’ve been around the Greater Melbourne area pretty much all of my life.

What’s your professional background?

Roving sysadmin

I’ve been doing IT related stuff for about 25 years. Before I got into cyber security I was out on my own doing roving sysadmin stuff, looking for customers and assisting them in a general sysadmin capacity. After a few years my client base started drying up a bit and I thought that it was a good opportunity to go and hone some skills that I hadn’t had much of an opportunity to use professionally.

Australian Communications and Media Authority (ACMA)

My first port of call was e-Security Operations at the ACMA with Kayne, one of Cosive’s co-founders, and later with James Garratt, who now also works at Cosive.

I quickly brushed up on my cyber security skills there and decided that I really enjoyed the work and wanted to stay in this industry. There’s a lot of potential to learn new things, and a lot of greenfields work, and it’s just genuinely enjoyable and there’s a lot of demand for it. I was able to make myself useful pretty quickly.

At the ACMA, there were two primary projects that we ran. The first was the Australian Internet Security Initiative, where we gathered data about general badness occurring in Australian IP address spaces and we disseminated that to the parties who needed it (like if those IP addresses belonged to a specific ISP). They’d receive daily reports about bad activities occurring on their networks. And similarly, if it was indicative of criminal activity we’d send it to the police, and that’s how my involvement with the Australian Federal Police eventually came about.

The other project that we ran was called the Spam Intelligence Database, as the ACMA also has a remit with anti-spam legislation. We basically built a system that ISPs and individuals could forward spam to us on. The system made the spam indexable for investigators to leverage for investigations into breaches of the Spam Act.

Australian Federal Police (AFP)

As I mentioned earlier, the AFP knew me because of some of my work at the ACMA. My knowledge of the methods, motives and tooling of cyber criminals, as well as the Australian cyber crime landscape was useful to them. I assisted them on a number of jobs, and they thought “This bloke seems like he’s pretty good at this sort of stuff.” They eventually asked me if I’d join them.

I was at ACMA between 2008 to 2013. I was at the AFP from 2013 until June 2021 when I joined Cosive.

My first role at the AFP largely revolved around keeping an eye on cyber criminal groups. My role eventually broadened into doing a lot of the technical heavy lifting in cyber crime investigations. I’d examine evidence of a technical nature and identify further avenues of inquiry for the team to pursue, analyse large datasets, assist with search warrants, etc...  I also developed a lot of training materials to assist in the organisational uplift of cyber skills.

It probably won’t surprise you that a lot of areas within the AFP aren’t highly technical. Many of the people there have excellent skills in policing methodologies and related disciplines, but are not so great at computing. That meant I was able to provide expertise and assistance to other areas as well, like missing persons, child protection, and many other areas of the AFP.

For quite a while we were seated with our local child protection operations team. I was able to assist them in getting the most they could out of the data and technical capabilities they had at hand.  My efforts resulted in a number of children being saved from awful circumstances, and the conviction of a number of offenders.  I have a great sense of satisfaction from the outcomes of my assistance in this area.

I was very fortunate to be able to leverage my cyber skills at the AFP to help people. It was a very rewarding and fulfilling time. But after hanging around at the AFP for about 8 years, I was falling behind my peers in industry in a number of ways, and decided it was time to move on. Kayne (Cosive’s Managing Director) got wind that I was looking for a job and managed to pull me back into his fold. That’s where I’ve come from, and that’s where I’ve been.

What is it about cyber security that you find really enjoyable compared to other technical fields?

The breadth of skills that it can utilise. Everything I learn seems to amplify my skills in cyber security, particularly sysadmin and data analytics skills.

I also enjoy the adversarial aspect of cyber security, where you’re responding to an incident and figuring out what the bad guy did, how they did it and identifying their tricks and traps. But also when I was at the AFP it was directly adversarial. I found that challenging and a lot of fun.

I also enjoy assisting victims, helping people who’ve been popped and are not enjoying life anymore because everything’s gone wrong. Being able to assist them and make sure everything gets back on track is highly rewarding.

Am I right that you’ve got a bit of a reputation in Australia as a MISP expert?

That’s largely due to my work in the Cyber Threat Intelligence Sharing (CTIS) project out of the Australian Cyber Security Centre (ACSC). CTIS is basically a way for Australian organisations to consume and share cyber threat intelligence. Effectively, it means participants are able to gather intelligence on what other Australian-based organisations (often in the same industries) have been seeing, including intelligence that the ACSC has gathered and wants to disseminate for the advancement of the security of Australia. Participants are also able to create their own threat intelligence that they can share with the community so that others can benefit from their experience.

CTIS and the participating organisations use MISP in a variety of ways. I was CTIS’ MISP SME, assisting the project itself as well as the organisations leveraging it with MISP related matters.  Some of this work also resulted in me addressing issues or adding features to various MISP and MISP-related software projects, and submitting pull requests.

I also assist the general cyber security community in Australia. I’m a co-founder of an incident response group called IRATE, which is Incident Responders Australia Technical Exchange (the acronym came first). It’s a non-profit that provides training, conferences, tooling, social events, and a general community for its membership of cyber security incident responders. I frequently assist members with MISP issues, which is beneficial to me as well because I get to see how MISP is used in different industries. IRATE also runs its own MISP, which is quite popular. So yeah, I’ve got quite a substantial background with MISP and those who use it.

What appealed to you in particular about joining Cosive?

The people. Working with people that I know to be technically excellent as well as leaders in the industry. Our C-suite (Chris, Terry and Kayne) are well-regarded in the industry and I’ve known them for a long time. I’ve also known many of the other staff members for a long time, having worked with several elsewhere.  It made me feel very comfortable coming in, knowing I was going to be amongst people I could learn and grow from.

When I was at the AFP there weren’t really a great number of people I could lean on to sharpen my technical skills, though I learned an enormous amount from them in other matters. It’s great to be surrounded by people I can learn technical stuff from again. I’m thoroughly enjoying that.

Which area of cyber security do you find the most interesting?

In my work at Cosive, definitely threat intelligence engineering. Previously I’d been a consumer of threat intelligence but never really had to think too much about how it all hangs together and how to make it do what I want to do. Being able to apply my skill-set and knowledge of how things should work based on the other stuff I’ve done has proven to be fairly valuable and I’m really enjoying exploring that side of things because I hadn’t done much of it before.

What’s involved with threat intelligence engineering?

Usually the problems revolve around deciding what intelligence is needed, and figuring out how to get that to analysts so they can effectively leverage it to help solve their business needs, without it being too noisy.

A lot of people fall into the trap that they want to ship all of their data straight into their system. Their analysts have to put gumboots on and wade through heaps of muck before they can find anything worth using.  A firehose of data without context isn’t intelligence and tends not to be particularly useful as a result.

Threat intelligence engineering also involves looking at what technologies are required and whether there’s a better way to do things.  Sometimes this involves changing what format structured CTI is in.  This can be pretty difficult, and can result in a loss of fidelity when two structured intelligence formats are based on different philosophies, for example STIX and MISP.

Another area that I am still not happy with is the expiry or decay of intelligence.  When is it OK to throw something out or archive it off?  Why should we keep something for longer than something else?  How can we use age to lower relevance?  Every use case tends to differ and it is not always obvious what is best.

Standing up the infrastructure, keeping it fed, watered, up-to-date, keeping the taxonomies and tools in-line with what is actually happening in your threat environment is another pretty big challenge.

There are patterns that we’ve repeatedly found out in industry, such as people not wanting to maintain MISP and having to spend a lot of time upgrading it and all that sort of stuff. One of the things that we’ve decided is worth pursuing is CloudMISP, because it alleviates a lot of issues that organisations are having.

What’s something outside of work that you’re totally geeking out about at the moment?

Some of David’s recent cooking - Peking Duck.

I’m a mad cook. I cure my own smallgoods, I make sausages, salamis, and bacon. I pickle veggies, as well as make my own chilli oils and chilli powders to be used as condiments and in cooking. My partner grows a lot of herbs and veggies out in our garden, and I love producing stuff I can share with my friends. Some of my friends give me their chilli peppers so that I can turn it into chilli oil or smoked chilli powder for them.  Another mate gives me pork and I turn it into bacon for him.

I’m looking forward to doing a kitchen reno, developing my kitchen from the ground up, getting to choose exactly what I have, and where it goes.

I’ve also done some technical stuff where there’s been a crossover between my cyber skills and cooking.

Sous vide is a method of immersion-based cooking. There’s a sous vide immersion circulator you can get that connects via bluetooth and wifi to your network. I was able to get the circulator connecting to Amazon Alexa and turn it into a voice controlled device.

You could basically say “Alexa, help me cook a ribeye steak” and it’d go “How thick is the steak?” - “Two inches” - “How well do you want it done?”-  “Medium rare.” It’d set the appropriate time and temperature and let you know when it was done.

I also did a big burst of home automation stuff when I bought my house. I know when any door is opening and closing in the house. If the garage door is open for too long it alerts me. I turned dumb garage doors into smart ones so I could open them from my phone. Safety things, so if the smoke alarms go off, all the fans in the house stop circulating. Flashing the lights so that everyone is aware that something’s wrong. Similarly, if the carbon monoxide alarm goes off, turn the circulation on. All sorts of things.

Anything else you want to get across?

I enjoy helping people where I can, which is sort of shown by the works that I undertook at the ACMA, the AFP, and also in IRATE.

Similarly to Kayne I used to be part of the Shadowserver Foundation and also the Australian Honeynet Project, both cyber security centric non-profit projects focused on upskilling practitioners in the space as well as sharing data, making sure it gets where it needs to go, and generally attempting to secure the internet.

I’ve also run training for many Australian police forces in cyber crime investigations, and many others around the world.