The Airman Hacker

For six years, Dennis Wilson built cyber weapons for the U.S. Air Force as part of a covert program. Now in the private sector, he is more aware of his impact than ever.

Written by: Dan Kaplan

Dennis Wilson is a U.S. Air Force veteran, but every day he uses the skills he learned during his 12-year stint as a non-commissioned officer. And it has nothing to do with piloting F-16s.

The Air Force is known for protecting air and space, but Wilson, now 39, spent more than a decade in a lesser-known domain of the military’s aviation branch: cyber. Specifically, he was part of the Air Force’s Information Warfare Center, where he stood post for six years as a network warfare specialist, helping build a repository of cyber warfare capabilities, such as hacker tools, and searching for and compiling exploits that could be used against a variety of targets.

He left in 2014, after serving an additional four years as an Air Force cyber warfare instructor, to join Trustwave SpiderLabs as manager of global threat operations and now as senior manager of cyber threat detection. He oversees a team of people who are embedded in a global network of Advanced Security Operations Centers as the frontline supporters of a threat detection and response program – an advanced service that combines threat intelligence and managed security to correlate alerts and events, identify and remediate malware attacks, and feed critical information to incident responders.

In a way, the career change was a total role reversal for Wilson, who left the offensive realm of security to help organizations stay protected against today’s ubiquitous and pugnacious cyber assaults. But Wilson believes his military vocation perfectly groomed him for his current-day responsibilities on the defensive side.

“It’s a whole lot easier to be defensively minded because I already know what the attacker is trying to do,” he said. “I can think of all the ways someone can get in there. It’s easier to visualize that way and predict their next moves. Once you know how the hacker thinks, how the adversary thinks, it’s a whole lot easier to defend against their actions.”

A Military Pedigree

Both of Dennis Wilson’s grandfathers were aviators during World War II. So was his great uncle, whose fighter jet was shot down during combat, landing him in a Nazi prison camp, from which he made a daring escape.

“I grew up on their stories,” Wilson, 39, said. “It seemed exciting.”

But when Wilson enlisted in the U.S. Air Force in the summer of 2001 – following a couple of years as a technical director for the CBS news affiliate in Grand Junction, Colo. – he had no plans of manning any aircraft. Instead, he hoped to put his patriotism to use in a digital way, while earning some cash and financing a college degree (ultimately earning a master’s degree in cybersecurity in 2012). His 99th percentile score on an Air Force aptitude test cleared the way for ample opportunities.

“At that point, you can basically pick and choose what you want to do,” said Wilson, who began his military career as a programmer in the now-defunct Air Force Intelligence, Surveillance and Reconnaissance Agency.

Wilson relished his time in the U.S. Air Force, but welcomed returning to civilian life. “It gave me a stable, personal life again,” he said.

What may have begun as a more quixotic endeavor changed in a flash when the Sept. 11 terrorist attacks happened, immediately reshaping the priorities of the U.S. military, and Wilson’s mindset. A year after joining the Air Force, Wilson volunteered to deploy to the northern Iraq city of Kirkuk, an insurgent hotbed.

To this day, Wilson isn’t exactly sure what propelled him to step into a chaotic war zone and temporarily abandon his safety as a database applications software engineer back in the States. He remembers dealing with relationship turmoil at the time, had some friends who also had volunteered and figured he’d earn some extra cash. But most of all, in the spirit of the generations before him, duty called.

“Everyone is an airman first, and their specific technical job is second,” he said.

Wilson wouldn’t be doing any active fighting – he was tasked with working in an armory and tracking munitions accountability – but his base was an active target of mortar attacks, so the assignment wasn’t without risk.

Wilson recalls lots of downtime, enough that he kept his IT skills sharp by spending his spare hours building a database to better track the weapons and ammunition issued to soldiers at the base. Before his creation, the transactions were tracked by pen and paper.

His 163-day tour ended in April 2004, and Wilson returned to San Antonio, where an opportunity emerged in the Commander’s Action Group that would significantly punch up his resume.

“I basically went to the hacker’s squadron,” Wilson said. “At the time, cyber warfare was just getting off the ground. It seemed like the coolest stuff – creating network warfare capabilities and writing exploit software and rootkits.”

The squadron served as part of the foundation of the military’s cyber weaponization program, which is so shrouded in secrecy that Wilson didn’t even know the end-game of some of his work.

“You could create an exploit and you didn’t know if the Air Force used it or if it was shared with the Department of Defense and intelligence communities or somewhere else,” he said. “It was kind of a bummer you couldn’t always know the fruits of your labor.”

Taking the Fight to a New Enemy

Eventually, Wilson sought more stability than a life in the military provides (he and wife Lynn have four children – ages 6, 8, 13 and 14) and longed for the familiarity of being back in Colorado. But a transition to the private sector didn’t signify a step back in his career – in fact, it was quite the opposite.

At Trustwave, even though he isn’t building classic offensive capabilities, Wilson is helping to spearhead a transformative way of confronting the enemy through advanced monitoring, detection and response. When he first joined the company, this end-to-end approach wasn’t feasible. The furthest these capabilities went was to generate alerts and send them to a centralized location, where a threat analyst would either determine it to be a false positive or issue an incident notification to the customer. No eradication occurred. Imagine knowing an intruder is in your home, but having no ability to force them out for days, weeks or even months.

This approach didn’t truly solve the problem for overstretched organizations trying to battle a foe who was likely several steps ahead of them, Wilson said. “Once we told the customer we detected a threat on their network, they’d have to figure out what to do about it.”

Enter Managed Detection and Response (MDR), which allows Wilson’s team – which relies on real-time threat intelligence – to remotely help organizations anywhere in the world kill malicious processes and seal holes, especially those businesses that lack the in-house competencies to perform such tasks themselves.

“We have so many resources at our disposal,” he said. “It’s very expensive for an organization to run a security operations center themselves, to build it and staff it, especially when you need to find people who are capable of doing incident response. For a fraction of the cost of setting up your own SOC, you can outsource it and transfer that risk and responsibility to someone else.”

MDR focuses on the endpoint, which a disproportionately large number of today’s attacks target.

“If I’m monitoring the network, I might see some network activity that tells me someone is breaking into a computer,” Wilson explained. “But when they’ve got that initial foothold, they can start laterally moving behind the IDS (intrusion detection system), and we wouldn’t even see that from a network perspective. But you can follow it across endpoints.”

Ransomware, a high-visibility threat flummoxing even the most mature businesses and filching billions of dollars from them, is a notable example of where MDR can step in and curtail the menace. “If you detect ransomware and stop it before it gets very far encrypting your files, it’s not a threat anymore,” Wilson said.

He recently leaned on the teaching methods he used during a four-year stint as an Air Force cyber warfare instructor in Biloxi, Miss., to help a Trustwave customer understand how a robust defensive posture, one that puts detection and response front and center, can flag and impede a real-life hack.

Through a “cyber range” exercise, Wilson illustrated a mock scenario in which a SQL injection attack attempts to infiltrate a web server, but is identified by the web application firewall as it dumps usernames and credentials. Next, an alert sounds as the attackers attempt to use the credentials to access an endpoint located behind the firewall. A SIEM solution then correlates the alert, which initiates the MDR service to quarantine the compromised endpoint.

Wilson (center) stands with students from one of the Air Force cyber warfare classes he taught in Biloxi, Miss.

Trustwave planted its roots in compliance, but over the last decade has steadily grown its security portfolio, quickly filling voids to meet the needs of security professionals, as the threat and data breach landscape has evolved to an acceptance-level that compromises are an if, not when, proposition.

Charles Arnett, director of product management at Trustwave, said someone like Wilson is perfectly emblematic of a culture that continues to thrive by answering the biggest challenges customers face.

“When we first started endpoint detection and response, he and his team were willing to step up and look at the technologies we were considering and spend time with those and give us guidance of how we should craft a service around it,” Arnett recalled. “His concept of how to do that service was the blueprint of how we went to market with it.”

Arnett credits Wilson’s military background with supplying him with poise and character, while instilling a certain panache that is necessary in a role where you must be willing to stop at nothing to disrupt the bad guys.

“His background was not compliance, his background is keeping organizations secure,” Arnett said. “When you’re trying to create a world-class security organization, you need somebody who has been in the trenches. You tell him we have to take the hill, and he takes the hill.”

As Wilson grows the threat intelligence and machine learning proficiencies of the service he oversees, he also will tap into the soft skills he developed through his exposure to superiors in the Air Force, including motivation and inspiration. That is evidenced by his desire to make cybersecurity as much about the people as it is about the technology. For detection and response to work, humans are needed to hunt for threats, orchestrate the reaction and integrate the many moving parts.

“Being a nerd is sexier than it was 10 years ago,” Wilson said. “To get the best people, you have to make it seem cool, because it is. And it doesn’t hurt to let them know there are great career opportunities in it.”