Ryan Pentney reflects on 10 years of Talos and his many roles from the Sourcefire days
Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners.
Monday, August 5, 2024 08:00
As the adage goes: “You don’t know what you don’t know.”
For Ryan Pentney and his team, they know what they don’t know. And they wake up every morning trying to figure out how they can answer those questions about emerging threats and some of the largest state-sponsored actors in the world.
Pentney is Cisco Talos’ threat intelligence lead for the Asia-Pacific region, and it’s his job to lead investigations into active malware threats, international threat groups and anything that’s on defenders’ minds.
“We’re always thinking about, ‘What do we know, and what do we not know?’ And we try to start with the ‘What do we know?’ part,” Pentney said. “What do I need to answer these questions? Do we need to look at other methods or new tools for generating information? Are there partners we want to have discussions with?”
Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners. He is specifically focused on the tactics threat actors used to perform these attacks and their potential motivations.
“How can we figure out how to identify the actor in the future if they’re involved in other attacks? Do they have specific targets, or is it more widespread?” Pentney said. “At the end of the day, we try to figure out what we need to do to keep our customers safe.”
But this is only the latest stop on Pentney’s journey through Talos and its predecessor, Sourcefire. In fact, Pentney joined Sourcefire almost immediately after graduating college, his first “real” job in the cybersecurity field.
Over the past 17 years at Sourcefire and Talos, he’s done everything from vulnerability research and discovery to Snort rule writing and application development.
His first role at Sourcefire was working under Lurene Grenier. At the time, it was only a group of six people working on detection inside Sourcefire’s Vulnerability Research Team (VRT), writing rules and signatures for the Snort intrusion prevention system and ClamAV anti-virus software. In college, Pentney had studied the broader field of computer science, learning how to write in the C and C++ languages, but at the time, “cybersecurity-focused programs weren’t common,” Pentney says.
Pentney (second from left) was once part of a hockey team with some of his Sourcefire/Talos colleagues.
So, much of his education had to come on the job.
“When new vulnerabilities came out, we would sometimes need to reverse-engineer the patches to figure out what changes had taken place, and from there figure out what the original vector might have been,” he said.
Eventually, he moved to the vulnerability research team, where he spent years searching for vulnerabilities in a wide range of products and software and disclosing potential exploitation vectors to vendors so they could be patched.
Then, in 2015, he joined the threat hunting team under Matt Olney, who was also one of Pentney’s original Sourcefire colleagues.
Pentney speaking at a conference in 2016.
During his Sourcefire days, Pentney says he is most proud of working on Razorback, an open-source framework inside Snort that enabled the advanced processing of data to protect against client-side attacks.
His work on Razorback deepened Pentney’s interest in how exploits work and how adversaries write exploits in the first place, all things that Lurene helped teach him. Pentney even ended up advancing to the point that, for many years, he taught Talos’ in-house Exploit Development Class for customers and employees.
“I still very much enjoy teaching whenever I get the opportunity,” Pentney said.
When Pentney joined Sourcefire in 2008, he was an individual contributor on a team of fewer than 10 people. Now, Talos is made up of more than 500 people, and Pentney manages a team of 10.
“We’ve greatly expanded our areas of focus, we have a lot of varied teams that specialize in a lot of different things, and we have our own branding and our own set of folks in charge of that,” Pentney said of Talos’ growth over the past 10 years. “It feels normal now, but I think I would have been overwhelmed if you had told me 16 years ago that we’d be working on the kinds of things we’re working on now.”
Several things have kept Pentney at the company for almost 17 years, much of it centered on his ability to pivot between different roles in the company and learn along the way. Even today, Pentney says there is always someone at Talos he’s looking to learn from.
From day one on the job, Pentney joked that “there were so many experts, I knew they were speaking English, but I didn’t recognize how the information was put together.” He has since advanced to the point that he works on major international events and incidents, and is now the one disseminating that information to partners, customers and users.
The key to Talos’ success over the years while expanding in scope and size is that management has always encouraged everyone at the company to learn and grow, Pentney said. He also fondly looks back on the many opportunities to bond with the original team at Sourcefire who are still at Talos today, including many people on the Network Threat Detection and Response team who taught Pentney how to write Snort rules in the first place.
“The overall level of expertise you can find anywhere at Talos, the openness of people in terms of wanting to share that with you if you’re interested, the teaching mentality that people have, has always been amazing,” Pentney said. “Management has always been very supportive of that, of personal growth, and expanding your mindset.”
Looking forward into the next 10 years of Talos, Pentney said he plans on learning more about state-sponsored activity and researching new ways to track larger threat actors.
“We are looking at leveraging our telemetry in ways that we had never considered before. There are mathematical and statistical methods we may be able to use to uncover some insights that may not be obvious,” he said.
Outside of the office, Pentney is an avid skier and tries to take one trip out to the Rocky Mountains every year with a group of friends. And, he joked, “like most of us at Talos,” he enjoys playing video games.
He also enjoys studying and learning new languages (a common talent among the Talos Threat Intelligence and Interdiction team) and speaks four languages fluently.
Pentney (second from left) and other Talos threat hunters gather for a team offsite in 2023.
One thing many of his teammates, even the original Sourcefire ones, don’t know about him is that he likes to play the piano.
“That’s something I find really relaxing and I don’t get to show off enough. It’s a really nice, meditative activity,” he said.
If you’d like to look at some of the work Pentney and his team have completed recently, they regularly contribute to the Talos Incident Response Quarterly Trends reports and conduct intelligence on-demand requests through a Cisco Talos Incident Response retainer.