
John Hammond Interviews Cybersecurity Expert Johnny Johnson on EDR and Telemetry
In this video, John Hammond interviews Johnny Johnson, a cybersecurity expert working at Huntress. Johnny shares his journey, his current projects, and the Endpoint Detection and Response (EDR) tools he has developed. The discussion opens with a warm introduction in which John expresses his admiration for Johnny's work and his enthusiasm for the conversation.

Johnny recounts his unconventional path into cybersecurity. Unlike many of his peers who started with games like World of Warcraft, Johnny grew up playing Halo on Xbox. During his high school years he stumbled upon cybersecurity while exploring interesting university programs. He then pursued a cybersecurity program and completed an internship at a major accounting firm, working on Privileged Access Management (PAM). There he met Andrew Schwarz, who introduced him to detection engineering by challenging him with tasks like analyzing network captures and using Chris Long's Detection Lab. Johnny later worked at SpecterOps, where he collaborated with renowned experts such as Jared Atkinson, Matt Graeber, Roberto Rodriguez, and others. This is where he began exploring Windows telemetry mechanisms and reverse engineering Sysmon, an EDR monitoring tool. He explains that understanding the operating system is crucial for effective telemetry collection.

Johnny then introduces two of his main projects: Johnmon and ETW Inspector. Johnmon is a lightweight EDR tool he developed to better understand telemetry. He explains the differences between versions 1 and 2 of Johnmon, highlighting improvements in stability and data collection. Johnmon uses kernel callbacks to collect events and sends them to a user-mode component via ETW (Event Tracing for Windows). Johnny demonstrates how to install and use Johnmon, and how to configure which events to collect via a JSON file. ETW Inspector is another project by Johnny, designed to be an improved version of James Forshaw's ETW Object Manager.
ETW Inspector allows the inspection of various ETW components and interaction with them. Johnny shows how to use ETW Inspector to enumerate ETW providers, capture trace sessions, and obtain security descriptors. He also demonstrates how to search for specific properties in ETW providers, which is useful for identifying telemetry.

Johnny shares valuable advice for those looking to develop their own EDR tools. He emphasizes the importance of understanding the operating system, being proficient in programming, and mastering debugging. He explains the challenges and frustrations of developing kernel drivers, including blue screens and long debugging sessions.

In conclusion, Johnny Johnson shares his enthusiasm for telemetry and detection engineering, encouraging everyone to explore these fields. He invites viewers to follow him on Twitter and LinkedIn for more updates and discussions.
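As an added example of the "obtain security descriptors" inspection mentioned above (this is not code from the video, from Johnmon or from ETW Inspector), the following PowerShell reads the binary security descriptors Windows keeps for ETW providers under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security, renders them as SDDL, and maps each GUID to a provider name via `logman query providers`. It assumes an elevated PowerShell 5.1 or later session on Windows; the `(not in logman list)` label is this example's own convention.

```powershell
# Added example: dump ETW provider security descriptors as SDDL, with provider names.
# Assumes Windows, PowerShell 5.1+, run elevated so the WMI\Security key is readable.

# Build a GUID -> name table from the registered providers that logman reports.
$providerNames = @{}
logman query providers | ForEach-Object {
    if ($_ -match '^(?<name>.+?)\s+(?<guid>\{[0-9A-Fa-f-]{36}\})\s*$') {
        $providerNames[$Matches.guid.ToUpperInvariant()] = $Matches.name.Trim()
    }
}

# Each value under WMI\Security is named by a provider GUID (no braces) and holds a
# binary security descriptor that decides who may register, enable or log to it.
$securityKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Security'
$item = Get-Item -Path $securityKey

$results = foreach ($valueName in $item.GetValueNames()) {
    if ($valueName -notmatch '^[0-9A-Fa-f-]{36}$') { continue }   # skip non-GUID entries
    $bytes = $item.GetValue($valueName)
    if (-not ($bytes -is [byte[]])) { continue }
    try {
        $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
        $sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    } catch { continue }   # malformed descriptor: nothing to report for this entry
    $guid = ('{' + $valueName + '}').ToUpperInvariant()
    [pscustomobject]@{
        Guid = $guid
        Name = if ($providerNames.ContainsKey($guid)) { $providerNames[$guid] } else { '(not in logman list)' }
        Sddl = $sddl
    }
}

# Defender view: a provider whose DACL carries explicit deny ACEs ("(D;...)") or omits
# the consumer's identity is one a telemetry collector may be unable to enable.
$results | Sort-Object Name | Format-Table Name, Guid, Sddl -AutoSize -Wrap
```

Providers with no entry under WMI\Security fall back to the default ETW descriptor, so absence from this list is not an error.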