Threat Research Blog

Career Paths in Cybersecurity Interview Series: Willi Ballenthin, Consultant

Recently, I caught-up with M-Unition bloggers Willi Ballenthin and Jed Mitten to discuss their career paths in cybersecurity. Today's blog post focuses on Willi, a consultant at Mandiant who has done remarkable things for the industry in just a few short years.

Helena Brito: Willi, how did you get started in cybersecurity? What got you interested in this field?

Willi Ballenthin: When I was approaching my graduation from Columbia University, I saw a job listing written by Michael Sikorski looking for malware analysts. The position involved reversing executable binaries, which I thought sounded really cool. Once I realized people did this type of work, I began studying some of the background materials and eventually found myself at Mandiant.

Helena Brito: What classes did you take in college to prepare for this career?

Willi Ballenthin: I took a particularly interesting course on compiler design, which has come into play when reverse engineering. It has helped me to understand how executable binaries are put together and why the compiler generated the assembly code it did. Another relevant course I found myself referencing was my Information Retrieval course. In that course, we learned how to organize and fetch lots of data --- effectively building a search engine. I've used a lot of these same techniques while at Mandiant to identify evil in a large domain.

Helena Brito: I see that you have been with Mandiant about two-and-a-half years now, and in that time you've written a few open source tools. One tool in particular that I wanted to discuss is your most recent one, INDXParse. Can you give us some background on this tool?

Willi Ballenthin: My initial inspiration for this tool actually came from a blog post that John McCash put together on the SANS blog. In the post, he mentioned a pretty cool forensic artifact called Index Records, which are components of the NTFS file system. He wrote that he was unaware of any tools besides EnCase that could potentially parse these structures out. I took that as an opportunity to get involved in the community. So I researched the artifact in depth and then developed a tool that could parse these tools out to make it extremely easy for a forensic investigator to identify evidence of deleted files.

Helena Brito: And you've written some blog posts on this, correct?

Willi Ballenthin: Yes. Just recently, Jeff Hamm and I completed a four-part blog series in which we dive into the motivation for this type of tool (, how you can do the operation by hand, and then how to use the tool effectively during an investigation. You can find this on the M-Unition blog, of course.

Helena Brito: You were a presenter at MIRcon™ this year. How was the experience for you?

Willi Ballenthin: MIRcon was very exciting. I enjoyed being able to talk one-on-one with some of my audience members after my talk. They had some great ideas that augmented the content of my "Painting Data" presentation.

Helena Brito: Can you tell us a little bit about your talk?

Willi Ballenthin: My presentation focused on using visualizations during the incident response process. In my talk, I covered three tools that can make a responder a little bit more productive during an engagement. These were TimeFlow (, binvis (, and Gephi.

Helena Brito: Earlier you talked about giving back to the community. Are there any forums or websites that you would recommend folks get involved with if they are interested in a career in cybersecurity?

Willi Ballenthin: I've got a huge blog roll with probably 150 different blogs that I follow. I'm also fairly active on Twitter (@williballenthin) and use it as a way to contact people who are doing cool things with respect to infosec. Attached to this post is a current blog roll that I have exported from my RSS reader. Please let me know if I'm missing your blog! [File: Willi Ballenthin Blog Subscriptions]

Helena Brito: I see that you've recently joined the M-Unition blog team. Do you have any blog posts that you're looking forward to writing in the near future?

Willi Ballenthin: Yes, I have a few ideas for upcoming posts. I like my posts to be pretty technical and introduce topics and concepts that I enjoy studying. Some topics I want to tackle in 2013 are machine learning, malware analysis, and even more NTFS forensic artifacts.

Helena Brito: Any final advice you want to leave our readers with who may be reading this and are trying to find ways to get more involved in the community?

Willi Ballenthin: I work out of Mandiant's New York City office, and I enjoy attending local infosec meetups within the city. The New York infosec scene is very exciting, with lots of opportunities for people to get involved. Anyone in the area is definitely encouraged to join groups such as the NYC4SEC meetups (

Helena Brito: Thanks Willi for letting our readers know your career path into cybersecurity. I know you'll continue to make great strides in this industry!