Lesley Carhart, principal threat hunter. PHOTO: Guidance Software.

Creative Hacking, Detective Work, And Stopping Bad People

Lesley Carhart talks about safeguarding civilization

Di Freeze, Managing Editor

Northport, N.Y. – Aug. 5, 2019

Lesley Carhart has a title at Dragos that should make her feel like a super hero: principal threat hunter. Her job description confirms that.

“Our motto as a company is ‘Safeguarding Civilization’ and our mission to protect civilian infrastructure around the world is really what sold the job to me,” Carhart said.

Her current role is primarily consulting — performing threat hunting, incident response, and forensics on industrial systems in industries such as electrical power, oil and gas, manufacturing, and transportation. “In layman’s terms, if the power goes out, and somebody thinks that it may have been due to digital tampering, I’m one of the relatively few people in the world who may be called in to figure out what happened.”

Carhart says that ICS is a fascinating space to be in for a lot of reasons. “It encompasses a huge range of proprietary and open standard technology that spans decades and vendors,” she said. “There are unique demands and hurdles such as high-risk and remote environments, sensitive critical systems that must stay operational, and undocumented and obscure technologies. Performing forensics on industrial systems involves all these concerns, and more. Much of it is uncharted territory.”

Carhart decided when she was a kid that she wanted to be a forensic analyst. “Computer science and technology was a very different hobby in the ‘80s and ‘90s,” she said. “Much of our exposure came from magazines, books, and BBSes (Bulletin Board Systems) — instead of the constant stream of information the Internet provides. I subscribed to popular tech and gaming magazines at the time, and they introduced a parade of new and exciting concepts and technologies.”

Carhart found reading about the early years of digital forensics fascinating. “It was a totally new field and combined creative hacking, detective work, and stopping bad people,” she said. “What wasn’t to love?”

She started programming when she was about 9. “I grew up on a farm and my dad leased a computer to perform inventory,” she said. “It was either pull weeds, or learn to code, using the BASIC programs in the back of my math textbook.”

Her skills were noticed when she was 15 and she was hired on to a web development firm to write SQL code. “The 1990s were really a different era for employment! That gave me a leg up into the corporate world.”

Carhart thinks mentors are important, but she didn’t initially have the benefit of having one. “It was a tremendously obscure field with very few practitioners,” she said. “Also, everyone was kind of caught up in their own world in the dotcom boom. I made a concerted effort to find mentorship, but nobody had the time or desire to help.”

That changed a few years into her career when she got her first real mentor. “Bogdan was a 30-year veteran employee who had moved into cybersecurity and managed our tier 1 security operations team. This meant training a perpetual stream of mostly 18-24-year-old security analysts, and occasionally making sure we ate, slept, and didn’t die. Then, he had to watch them move on to ‘bigger and better things.’ He was everything I aspire to be as a manager — a mentor, a parental figure to every employee, an honest and honorable person — and he worked utterly insane hours to keep corporate bureaucracy from disrupting our work. Despite all of this, he always managed a fantastic sense of humor.”

Bogdan passed away suddenly a few years ago. “It was like losing a family member. He was only a couple years from retirement. It was a heartbreaking lesson to always practice self-care and never allow a job to work you to the point of illness, no matter how much you love it.”

Carhart says it’s always been a bit tricky to get into digital forensics, but it was even harder a decade or two ago. “Many of the industry-standard hardware and software tools in common use are incredibly expensive for an individual,” she said. “While one can learn the theory and fundamentals through books and classes, most employers still expect experience and certification with those tools. This is changing somewhat due to the growth of memory forensics and the large number of open source tools used as industry standard in that area of digital forensics, but it’s still not the cheapest field to get into.”

It took her quite a long time and a very “circuitous route” to make it into digital forensics and incident response as a field. “Many people still choose to start in a security operations center or intern position in order to gain the necessary tool exposure,” she said. 

Carhart says that the educational requirements for cybersecurity positions are an unending debate between practitioners and pundits. “After being involved in the hiring of dozens of analysts, I can’t say that one route is better than another. I’ve seen excellent analysts made out of prior help desk personnel with zero college, and interviews utterly bombed by people with master’s degrees in cybersecurity. Conversely, I’ve seen college grads do quite well in the field with a wealth of gen-ed and project exposure.”

She acknowledges there are certainly roles that require some technical degree to acquire a position or to be promoted — especially in government and contractors. “There are many employers who simply look for sound fundamentals and a desire to learn,” she said. “I think college can be very beneficial — typically more because of the liberal arts classes and life skills it teaches than any specific technical curriculum. However, it’s absurdly expensive, and not for every personality. Regardless, the most successful analysts I’ve seen have had a strong desire for continuous learning and an intense curiosity about the field.”

Carhart holds three degrees, primarily thanks to her military service (she also serves as a senior non-commissioned officer in the Air Force Reserves). “I certainly feel they were worth the effort and made me a more well-rounded person. Years later, few of the technical skills I learned in college are still relevant, but the classes in writing, management, ethics, and psychology will never stop helping me in business.”

She spent the last nine years of her 19-year IT career specializing in information security, with a heavy focus on response to nation-state adversaries. Previously, she served as the incident response team lead at Motorola Solutions, performing security monitoring, digital forensics, and incident-handling services for both enterprise and public safety radio customers.

Carhart regularly speaks about security education and career development. The fact that she couldn’t find any mentorship for a long time encouraged her to try to help anyone she could break into cybersecurity. She does that through one-on-one mentorship, and she also runs resume and interview clinics for cybersecurity applicants at information security conferences. “I find that incredibly rewarding,” she says.

For anyone who’s curious, Carhart explains why she chose “hacks4pancakes” as her Twitter handle. “There are a couple approaches to speaking and instructing in cybersecurity. On one hand, there are big corporate conferences that offer high profile engagements and excellent honorariums. Conversely, there are community conferences which operate on a shoestring and welcome volunteer helpers and speakers. Both are equally important to our industry. I simply prefer to expend most of my time and effort on the ones that reimburse staff and speakers in food.”

As a woman in the field, Carhart says she doesn’t think she can be detached enough from her own experiences to fairly say what hurdles she’s overcome because of her gender. “There have been plenty of times in my civilian and military career where I’ve had to bite my tongue at pretty astoundingly tactless comments and behavior. I’ve certainly adapted my personality, hobbies, and lifestyle to fit into a male-dominated field. Today, I see young women speaking out against dubious things I took for granted and had no choice but to accept at their age, and I think that’s great.”

Carhart offers advice for young women entering the field. “Remember that you are a human being first, and human beings are multifaceted. You can like malware reversing and makeup. You can like sports and coding. Don’t let what society expects of you constrain your life beyond what’s absolutely necessary. Regardless of your gender, try to be well-rounded, adaptable, and self-sufficient. Heinlein said it best: ‘A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.’”

She adds that “the world will expend an absurd amount of effort trying to convince you about what you cannot be or do.” She’s glad to see the attitude changing about one thing. “There’s a feeling today that one can succeed at the highest levels in tech, and also have a family.”

Since Carhart travels quite a lot for work and doesn’t have much of a regular office environment, she finds it tremendously important to have a stable routine for social interaction and maintaining fitness. She does that through being a volunteer martial arts coach.

“I enjoy many aspects of martial arts, from the mental and historical, to fitness and self-defense,” she said. “I’ve been studying Tang Soo Do for about a decade and hold a 3rd degree black belt, and I also study Arnis and Kung Fu. I’d recommend the martial arts to anyone — everyone can gain something from it based on their own unique needs and interests. It simply requires dedication to the journey.”

Carhart says teaching is especially rewarding. “In only a few classes a week, I get to watch marked improvement in young people’s attitudes, self-confidence, and physical skill. At the pre-teen age I teach, that’s so incredibly important. I’m honored to be a small part of their lives and growth as young adults.”

Carhart is featured in “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.” To learn about more women fighting cybercrime, pick up a copy of the book.

Women Know Cyber Archives

Di Freeze is Managing Editor at Cybersecurity Ventures.