Zach Wikholm is a research developer at Flashpoint and has been with the company since July 2016. His work leverages his 10 years of data center system administration, network engineering, and incident response experience. In his previous position as the director of security at cloud service provider CARI.net, he managed all cyber and physical data center security concerns, maintained core networking infrastructure, developed security-aware network monitoring, and created the company’s incident response team. In his work as a freelance networking consultant, he designed and installed networks for small businesses and advised larger organizations on network restructuring.
Q: Why Flashpoint?
I realized I wanted to find a position where I could be heavily involved with the security research process in a significant way. I wanted to be able to dig deeper to understand why problems arise and understand the motives behind these attacks from different perspectives. I was familiar with Flashpoint and knew a lot of people at the company, including Allison Nixon, who I previously collaborated with on botnet research. It felt like the right opportunity to take my career in the right direction.
Q: How has your past experience prepared you for your current role?
I know what it’s like to handle incidents under a service-level agreement. In my previous position, I was working in front-line defense, on call 24/7/365 dealing with everything from DDoS attacks to spam complaints. I was putting out a lot of fires, and that required me to be able to quickly assess an urgent situation, identify intelligence requirements, and gather research efficiently. In the process, I developed skills that enable me to work effectively with clients, as well as our own analysts.
In the time I spent working in a data center, I learned a lot about how the internet works on a technical level. Seeing how threat actors target and compromise websites and servers from the side of the hosting provider has provided me with a unique perspective that helps me better understand our customers’ needs. It also allows me to serve as a resource to our analysts by helping them understand the intelligence requirements of data centers. For example, if a network engineer asks an analyst to investigate a suspicious IP address, I’m able to help the analyst understand what information is important from a data center perspective.
Q: You’ve been with Flashpoint since July 2016. How has your role evolved since joining the company?
As the first research developer at Flashpoint, my role was initially created to enhance technological resources to help the analysts gather research more effectively. In essence, I came to understand the analysts’ day-to-day responsibilities and identified opportunities to use automation to eliminate some of the more redundant tasks they were doing. This enabled them to spend more of their time producing truly meaningful intelligence for our customers.
In many ways, my role has stayed the same, though it can vary from week to week, but I’m still trying to make the analysts’ lives easier in any way I can. At the same time, I make sure our processes are scalable and won’t ultimately create more work for our engineering team.
Q: Do you have any particular research interests?
I’m very interested in monitoring botnets, specifically IoT botnets, because they don’t require human interaction to exploit a device. As such, they tend to target set-and-forget devices, which are things that people have in their homes or offices that you just don’t think about, such as Wi-Fi routers or DVRs. For example, the Mirai botnet, which we reported on in October 2016, spread due to poor password hygiene on the part of the manufacturer. The affected DVRs had a default password that couldn’t be changed because the devices already existed. As a result, the botnet was able to grow by capitalizing on this past mistake, rather than relying on social engineering to get people to make a mistake in the present moment.
Q: What’s the most valuable lesson you’ve learned as a member of the security community?
Community matters, and cybersecurity is everyone’s problem. To do our jobs efficiently, those of us on the white-hat side need to collaborate, share information, and help others defend their networks. Flashpoint does a lot of work to facilitate information sharing, from FPCollab to work with other organizations to respond to security incidents.
Cybercriminals and other threat actors collaborate and share information within their communities to find and develop new schemes and attack vectors, and defenders are putting themselves at a disadvantage if they aren’t doing the same. One thing I love about Flashpoint is the company’s willingness to work with other people in the security community to do the right thing when security events occur.
Q: What’s your favorite thing about working at Flashpoint?
The culture, and the fact that I believe in what we’re doing. It’s important to me that I believe in a company’s mission if I’m working there, and there is such a strong dedication to doing things right here at Flashpoint. People don’t want to fearmonger or publish clickbait; they want to put out meaningful research and make a positive impact within the security community.
Q: What are your interests outside of work?
Birdwatching and photography are two major hobbies for me. I live in San Diego, and the nature out here is amazing. I am also very involved with community volunteer organizations, because as I mentioned earlier, community matters, not just within the security space.
Q: To wrap things up, can you share a random fact about yourself?
I started doing tap and ballet when I was five years old, and I was a dancer for 20 years before getting into cybersecurity. I started doing lighting design for theaters, and then somehow I got into computers and really loved it, though I still teach dance lessons.