Watching students have a light bulb moment in class, then take that new skill back to their jobs and apply it right away, is one of the reasons David loves to teach. An area of professional focus for David is helping others get their security careers started and learn the technical skills necessary to shine. "I still remember how confusing it sometimes was to have to learn all this stuff for the first time, and I hope that shows in my teaching," he says. And due to the caliber of SANS instructors, "being able to call myself one is a useful benchmark for my own development as well."
In his classes, David teaches students to understand their work beyond the tools. "A good analyst knows how to use their tools, but a great analyst has the knowledge and experience necessary to understand and compensate for their tools' limitations," he says. As an instructor, David's goal is to give each student the technical skills and experience to approach any forensic challenge with confidence.
The biggest challenge David sees students encounter is the sheer number of different protocols and data formats with network forensics, many of which are undocumented (especially the malicious ones). He reminds students that the most important thing is to become comfortable not knowing what you're doing when dealing with many unknowns. Treading the same ground over and over with a spirit of curiosity gives investigators incremental context along the way to find a solution.
David contributes to the security community outside the classroom as well. A number of years ago he created a slide called "The Pyramid of Pain," for an internal presentation, then turned it into a post on his blog: https://detect-respond.blogspot.com. Today, the Pyramid is widely cited as a model for applying Cyber Threat Intelligence (CTI) to detection and response. "I feel really lucky to have been in a position where I had the support to formulate and distill my ideas about CTI into an easily-consumable form, and that they have resonated so well with the security community at large," he says.
In addition to blogging, David is the principal contributor to The ThreatHunting Project and active in the DFIR and threat hunting community, speaking and writing on the subjects of detection planning, threat intelligence, and threat hunting. He has written course material for the SANS Institute, served as a contributing editor for Information Security Magazine, and holds the GIAC GNFA certification.
Still an avid reader, David has a particular interest in the history of technology. Two of his favorite books are The Soul of a New Machine, by Tracy Kidder and The Victorian Internet, by Tom Standage. He's also been known to play the Great Highland Bagpipes on occasion.