A day in the life of a hacker hunter
Published in Business News
UnitedHealth Group, Minneapolis Public Schools and the city of St. Paul have all fallen victim to hackers who make a living through theft and extortion.
People like Alex Johnson, a security system manager at Minneapolis-based Ascent Solutions, earn theirs by acting as the first line of defense between those online criminals and Minnesota organizations.
The key to the job: Know the enemy.
“If you want to be a good incident responder, you kind of have to think like a hacker,” Johnson said, adding that computer hackers are highly organized and advanced, especially as tools like AI come on the scene.
Johnson, 26, of Chanhassen, Minnesota, didn’t go to school with this cybersecurity career in mind (he studied financial history and economics at Gustavus Adolphus College in St. Peter, Minnesota). He joined the field through an Ascent apprenticeship program meant to address a major skills gap facing the cybersecurity industry. The program brings on talented people who lack computer backgrounds but are adept in areas like analysis and reading.
Now, Johnson is a service manager in the firm’s security operations center, which provides around-the-clock security services for customers that are often small local businesses. Members of Johnson’s team constantly monitor the red flags that pop up on their security platform, which tracks the fine details of thousands of computers in real time.
But as hackers catch on to the tactics meant to catch them, many have learned to tiptoe around the common traps. Cybersecurity firms like Ascent engage in a practice known as “threat hunting,” acting as detectives to stop the most elusive computer wrongdoers.
It requires outside-the-box, creative thinking to follow a breadcrumb trail of clues and halt malicious actors before they can wreak havoc, Johnson said.
In an interview edited for clarity and length, Johnson shared what it’s like to be in his shoes:
Q: What’s the most challenging part of your job?
A: We always have to be one step ahead of the hacker. And it’s an unlevel playing ground. Something that we say a lot of the time is, a hacker can send 10,000 emails in a couple of seconds. They only have to be right, just once. They only have to get that one click. They only have to guess that one password. They only have to be successful once for them to make a bunch of money.
For us, in the security operations center, when we’re seeing thousands of alerts a week and dealing with all this noise and these cloudy areas, we have to be right 100 percent of the time. Because if we receive an alert saying that Bill logged in from Malaysia, and we close that as a benign positive or false positive, and we don’t do our job and make that right, that results in untold financial loss or whatever it might be. Maybe it’s a hospital that’s going down, all because one person made one mistake.
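The alert Johnson describes, a user signing in from one country shortly after signing in from another, is what security platforms commonly flag as “impossible travel”: two consecutive logins whose distance and time gap would require a speed no traveler could reach. The example below is added for this page to show how such a check works; it is not Ascent’s tooling or code from the article. The sign-in records, coordinates, the 1,000 km/h threshold and the `trusted_cities` allowlist are all constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in records (not real data):
# (user, UTC timestamp, source city, latitude, longitude)
SIGN_INS = [
    ("bill", "2025-03-03T13:02:00Z", "Minneapolis", 44.98, -93.27),
    ("bill", "2025-03-03T13:41:00Z", "Kuala Lumpur", 3.14, 101.69),
    ("dana", "2025-03-03T08:00:00Z", "Minneapolis", 44.98, -93.27),
    ("dana", "2025-03-04T09:15:00Z", "Chicago", 41.88, -87.63),
]

# Assumed threshold: faster than any commercial flight, so a legitimate
# traveler cannot trip it, while a stolen session used from abroad will.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(d_lambda / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp like 2025-03-03T13:02:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, trusted_cities=frozenset()):
    """Flag consecutive sign-ins per user that imply an implausible speed.

    trusted_cities is an optional allowlist (e.g. a corporate VPN exit);
    a destination in it is not alerted on. Keep it narrow: an over-broad
    allowlist is exactly the "closed as false positive" mistake that lets
    a real intrusion through.
    """
    by_user = {}
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], parse_ts(e[1]))):
        by_user.setdefault(user, []).append((parse_ts(ts), city, lat, lon))

    alerts = []
    for user, evs in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(evs, evs[1:]):
            if c2 in trusted_cities:
                continue
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            # Same-second logins from different places are still impossible.
            speed = (km / hours) if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": c1,
                    "to": c2,
                    "km": round(km),
                    "hours": round(hours, 2),
                    "kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(f"ALERT {alert['user']}: {alert['from']} -> {alert['to']} "
              f"({alert['km']} km in {alert['hours']} h, ~{alert['kmh']} km/h)")
```

Run as written, the check raises one alert: Bill’s Minneapolis-to-Kuala Lumpur pair covers roughly 14,500 km in 39 minutes, while Dana’s next-day Minneapolis-to-Chicago pair is well under the threshold. Passing `trusted_cities={"Kuala Lumpur"}` silences the only real alert, which is the practical reason analysts tune allowlists to specific, verified egress points rather than whole countries.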
Q: Who are hackers most frequently targeting?
A: Any places where there’s a lot of leverage being placed by society. Hospitals are a big one. Manufacturing centers are also really common targets, because a lot of the time, they have kind of critical misconfigurations in their IT environment that open themselves up for risk like that. And so it’s really easy to target a manufacturer and then shut down completely their manufacturing plant because they haven’t updated the software in 20 something years.
Q: Who are the hackers, particularly organized ones like the gang ‘Scattered Spider’?
A: It’s one of the gangs. And it’s funny, because they work in a corporate environment almost exactly like we do. They have bosses, they have analysts, they have finance people. They have a lot of the structure that a normal American company would have, but they’re just on the flip side of the token in enacting crime for money. They’re all money focused, and so just in the same ways that we try and navigate these industries and changing trends and whatnot for our own money-making purposes, hackers do the exact same thing.
Now AI, for example, lets them have all sorts of new capabilities. It’s really interesting. And then you see sometimes the FBI will go in and they’ll take down one of the big gangs, they’ll somehow make it into their network, and they’ll get all the chat logs. ... And they’re having the same work conversations we are. You know, “baby’s crying,” “going to the bathroom,” “need to run the wife to the hospital,” whatever it might be. Or “Your number of hacks is down this week. Pick it up, otherwise we’re going to have to move on.” It’s the same stuff, man. It’s unbelievable.
Q: What might a layperson find most interesting about your job?
A: I’ll be talking to my friends about what I’m up to or what we do, and they might be surprised at the level to which their data and all the things they do is collected. It’s not only the websites you’re going to and the other things that your company might be collecting. But it’s all sorts of things. For a layman, they may not think about what some back-end computer or person is doing when they open up a certain website. But usually there’s something going on that these systems and processes are looking at.
And I think a lot of people would probably be surprised by the way we make ourselves available and interact online. And things like that can be used for poor purposes, like putting your phone number and stuff like that on LinkedIn or making personal connections outwardly available.
Q: Why do you do this job?
A: There’s a lot of reasons. It’s vocational to a certain extent. Like a lot of industries will have an inherent facet that you’re helping people. And sometimes, it’s hard to see when a customer’s maybe upset or whatnot, but I truly do think that we are helping not only companies, but people. A lot of our customers are small, Minnesota, Midwest mom-and-pop shops who hardly have any of their own expertise, let alone any kind of hired-on additional help.
It’s also continuously evolving and changing, like the ways that hackers are adjusting, the ways that they hack companies and extort companies. That keeps us all employed, right? And so as long as there’s new technology that companies are buying that’s eventually made vulnerable, and as long as hackers are finding new ways to breach that technology, we’re always going to be employed. The game is always changing.
©2025 The Minnesota Star Tribune. Visit at startribune.com. Distributed by Tribune Content Agency, LLC.