Ethical hacking careers vs. cinema: What it's like to work as a hacker

Don't believe the movies and TV shows — ethical hacking is not done by frantically typing on the keyboard in a race against the clock.

What's a career in ethical hacking and penetration testing really like? Join our panel of experts who have worked in the field for decades to find out! 

In this one-hour live event, we'll cover:

0:00 - Ethical hacking fact vs fiction
7:45 - First, getting into cybersecurity
12:00 - Does ethical hacking fiction affect people?
19:20 - Cybersecurity students in higher ed
26:17 - Qualifying for penetration testing jobs
31:21 - A real-life cybersecurity attack
42:30 - Does Hollywood inspire cybersecurity workers?
44:30 - U.S. Cybergames
47:40 - Infosec Skills and real-life learning
50:35 - Cybersecurity career jump
53:30 - Criminal justice and cybersecurity
56:25 - From IT support to cybersecurity
59:00 - Outro 

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: 

Happy 2024 and welcome to a new year of CyberWork Live. This is an ongoing series dedicated to asking and answering questions about cybersecurity certifications, training and careers, with a goal of separating fact from fiction when choosing your career in cybersecurity. As for this series, we're really going to be looking closely at the fiction aspects of this. First, if you don't know me, my name is Chris Sienko and I am the CyberWork Live host and Infosec Online Content Acquisitions Editor. I'm very excited to welcome you to the second installment of CyberWork Presents Media Fiction Cyber Realities. Today, we're going to be talking about hacking versus ethical hacking and how they look in movies and TV. If you haven't seen our previous episode from July 2023, we covered depictions of digital forensics as seen in TV shows like The Rookie and In the Dark, as well as from the John Wick films. You can find it at infosecinstitute.com/podcast or by subscribing to the Infosec YouTube page. With that, I would like to introduce you to our esteemed panel of guests. Today, our first guest is going to be a familiar face for Infosec regulars, and I think you know who I mean. Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies, Fortune 500 organizations. He's the principal security researcher at Infosec Institute, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cyber crime. Keatron is an established researcher, instructor and speaker, as well as the lead author of the bestselling book Chained Exploits: Advanced Hacking Attacks from Start to Finish. 
Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional and Licensed Penetration Tester. Next, I would like to introduce returning CyberWork guest Snehal Antani. Snehal is an entrepreneur, technologist and investor. He is CEO and co-founder of Horizon3.ai, a cybersecurity company using AI to deliver red teaming and penetration testing as a service, which is why I would really want to be on the panel today. He also serves as a highly qualified expert for the US Department of Defense, driving digital transformation and data initiatives in support of special operations. Prior to his current roles, Snehal was CTO and SVP at Splunk, held multiple CIO roles at GE Capital and started his career as a software engineer at IBM. He has a master's in computer science from Rensselaer Polytechnic University, a BS in computer science from Purdue University and holds 16 patents. Rounding out our illustrious panel today are two guests with real-world experience and something that a lot of these movies and shows tend to exaggerate, namely, large-scale competitive CTF competitions. From this year's US Cyber Games team, I'd first like to introduce head coach Dr. Josh Brunty. He's an associate professor and director of the Cyber Forensics and Security Graduate Program at Marshall University in Huntington, West Virginia. He also serves as the research lead for Marshall's Institute of Cyber Security. Prior to joining Marshall University in 2012, he served seven years as a digital forensics examiner and technical leader within both state and federal government sectors. He has a PhD in Information Technology from Middle Graduate State University and BA and MS degrees in Criminal Justice and Criminology, Marshall University. 
Since 2013, Josh has served as faculty advisor and coach of Marshall's highly successful collegiate cyber defense competition team, competing in a number of CTF and our Red vs Blue competitions. Finally, representing the US Cyber Game team in seasons 2 and 3, I'd like you to please welcome Cyber Games athlete Josiah Stearns. Josiah is a cyberspace operations officer in the US Air Force and the CTO of Backslash Technology Solutions. He graduated from the US Air Force Academy with a BS in Computer Science and Cyber Science and is currently earning an MS in Computer Science at the Air Force Institute of Technology. Josiah has over 10 years of cyber competition and programming experience, competing in CyberPatriot in high school and later competing on the USAFA Cyber Team, AFIT Cyber Team and US Cyber Team. He specializes in tool development, in addition to expertise in web application security and reverse engineering. Over his career he has had jobs as a system administrator, web developer, penetration tester and network engineer. So, Keatron, Snehal, Josh and Josiah, hello and welcome to CyberWork Live. Thank you all for being here today. So we'll be taking questions from the audience as they come in throughout the event. But to give our discussions a bit of structure, I and Jeff Peters, Infosec's Director of Content and Brand Marketing, have compiled some short clips depicting the way that entertainment has depicted the art of hacking, whether positive or negative, accurate or laughable, and we'll be deploying these throughout the event as a means for reframing and clarifying our conversation. So enough prologue, let's get started with CyberWork Live. So to get us ready to get down to business, let's look at a few of the more colorful examples of hacking you might have seen on movies and TV. This is some of the most accurate hacking depictions you'll ever see. This is accounting. Sir, you inquired about an employer of ours, agent Richard Gill. 
Yes, our records indicate he's deceased.

Josiah Stearns: 

I'm what? Quick, quick, quick. Thank you.

Snehal Antani: 

We turn Three, two one. Gill, come on, come on. Yeah, oh baby.

Chris Sienko: 

Oh baby, what the hell.

Josiah Stearns: 

Oh, you are good but I am better Cat videos. That doesn't seem like lockset. Who would do that? I'm not about to find out that barely slowed him down. I'm sorry, but he's going to find us in less than a minute. Should we abort?

Chris Sienko: 

No, we've only got two of the blinky boxes left to go.

Josh Brunty: 

Blinky boxes, just hack, hack. Come on, got it. That's Castle's office.

Chris Sienko: 

Well, I hate to show you guys videos that I know will be so familiar to your everyday existence here, but you know, for our viewers I figure we might as well be a little repetitive there. So it's no great leap of logic to hit the writers of films like Hackers and Swordfish, who are more interested in telling a compelling and thrilling story than representing the practice of hacking in any realistic way. Or maybe they didn't know what the real tech looked like, or they might have just taken a look at the real thing and said, ah, too boring, who wants to see that? So I want to go around the panel to get your own experiences growing up and seeing things like this. So I'm going to start with Snehal. Tell me how you first got into cybersecurity and pen testing and red teaming, and did seeing films or things like this influence your interest in tech, or was it just sort of something that was happening on the side?

Snehal Antani: 

No, it was a great question. It's kind of a blend of a few things. So my dad is an electrical engineer and got me into just computers and hardware at a very young age. I was six years old. He was bringing home toy robots for me to learn how to take apart and debug and troubleshoot and fix, and so it was this curiosity of breaking things and then figuring out how to get them fixed that got me excited about tech in general. And then when, when AOL was like the only medium to get into, get online and you were metered by the number of hours, whenever I got in trouble, the first thing my parents would do was ground me and take away my AOL account. And so I started digging into various bulletin board services and got access to a couple of AOL hacker tools that allowed me to do phishing in chat rooms at scale, looking at punting users and all that kind of jazz. I think I was 12 years old at the time and or maybe 10. And suddenly my parents couldn't take AOL away from me because there's always a way for me to get access to a set of accounts. So I learned about phishing chat rooms and I think the statute of limitations is over, so I'll talk about it, but. I know it's all years 30 years ago, 30 years ago but but I really got into that and my dad pretty quickly said hey, look, if you go down this path you're going to end up in trouble. And and so get your, get your head straight, which is nice wake up call. But I've always had this curiosity of breaking things, rebuilding things and being methodical and doing it. And when I saw Hackers come out and then Swordfish was entertaining and and then Die Hard 4 and so on and so forth, it was kind of cool to get back into what my life could have been had I not decided to go straight.

Chris Sienko: 

All right, Josh, I want to ask you about your own experiences. You know, did you see films like this and have you ever drank wine, spun around in your chair and played your keyboard like a piano while conducting a pen test?

Josh Brunty: 

No, no, I would have been about five or six years old if I did that. So but no, my my beginnings a lot like the last story you heard, you know, back in the 1980s at a Commodore 64C and C64, I'm sorry, you know one of the old, old models and learning on BASIC from that you know. And and getting modems you know. You know old dial-up modems, dialing in the old BBS services, learning different scripts to work out just how things worked, you know, and going out and chatting and you know bypassing certain things. So that kind of parlayed into college. You know as more as I kind of got more into programming, computer science and started competing, you know, with just different teams there, of course. You know went out and started a career in digital forensics and then you know kind of came back to that love when I came back to the university of starting a, you know, cyber defense team, getting involved in collegiate cyber defense competitions and things of that nature. So you know it's completely different than that I always kept. It wasn't as dark, I didn't work like that, the lights were always on and it took me a lot longer to pick out a basic script than these folks in these clips.

Chris Sienko: 

Yeah, as I say in the slide here, I mentioned these things because I think you know they can serve two purposes. You know one people who may have seen that at the time might have gotten an impression of it being a much more fast-paced and kind of edge of your seat and thrilling thing than it can be when you're slowly going through. You know various tools and whatnot and, conversely, you know, for someone who was, you know, more of a security candidate, could have a built-in intimidation factor where you think if I'm doing this kind of work, I'm going to be a constant target for cyber criminals or, as Snehal said, you know, go on the right, wrong side of the law or whatnot. And so you know I want to do these things that you know to sort of break down the idea that security is only the purview of people who've been tech obsessed from birth, rather than, you know, intuitive problem solvers and planners with accessible upskilling plans and stuff. So I want to talk to Josiah next and you know it was kind of a generation younger than some of the folks here is the newest entry in the cyber security space. Were things like this in the backdrop of your youth while you were learning this kind of tech? Does this stuff even have sort of like an effect on you in your own studies?

Josiah Stearns: 

Yeah, I think to a certain degree, yes. I did a lot more reading than maybe watching movies or shows or things when I was younger, and so there were a couple books, one in particular, the Genius series, which is a trilogy that covers the life of a young prodigy hacker that had some, I think, more realistic elements to it and just some ideas in there, and there wasn't a lot, but there were just those couple moments of things where he rewrote the firmware on a laptop so that he could turn the microphone into a speaker, something like that, and these little things that are like oh wow, yeah, you can, you could do things like that. It kind of sparked my interest. And then I think two really key moments that shaped my journey were when I was I think it was eight I actually learned how to code from a library book. I checked out a library book on Visual Basic that came with a CD-ROM in the back with an IDE, and spent the summer learning that. So it started with coding first and then, when I was a couple years older, was working doing just some system administrator type work for a small company and was just messing around one day with our database system, which we contracted out, and I don't even remember exactly how I knew about it, but I had seen something online about cross-site scripting and so it was just kind of playing around with things and noticed oh, I can change, I can make my name really big on their screen or I can actually make things pop up on their screen and do all these things. Right. And then I got a call from my boss saying, hey, you've made stuff pop up on everyone's screen in the company. You need to take that off place. And so then got my first penetration testing internship that way, doing a lot of testing for that bigger database company, which is really good, so anyway. So I have to say there was a lot of different sources of media there. The books that I read, I think, were probably the most impactful thing in my journey personally. 
But then I really want to echo this I heard already in terms of just the importance of troubleshooting in that too, and just that ideology of how can I take this apart, how can I break it and fix it and put it back together, and that process has applied to many different things.

Chris Sienko: 

Yeah, as someone who doesn't have your particular set of skills, I can't even imagine the thrill of doing something that you've seen in a book and then suddenly seeing oh, it actually works on my company's network and my company's system. That just feels like it's a whole next level, especially for I also had a C64 growing up and never even thought to much go beyond games and basic programming and so forth. But that's really cool. So, Keatron, I've talked with you a few times on here about your cyber origin story, but many of our listeners they may not have heard some of that. But how did films like Hackers or Sneakers or books like Neuromancer or Snow Crash color your perception of real world hacking either ethical or criminal when you were coming up?

Keatron Evans: 

Yeah, TV didn't really have that much effect. I mean, I grew up in rural Mississippi in a very poor household so we had three TV channels NBC, ABC and CBS. So I didn't get to catch a lot of that but I did. In Study Hall in high school there was a book called Popular Mechanics of Magazine that I would, you know, in Study Hall I would read that every week and they started talking about computers and you know I had a family member that worked at Keesler Air Force Base in Biloxi in Mississippi. You know they gave away a bunch of computers and you know she brought one of them home and I got hands on it. I was only interested, found out about something called NetZero, which is like around the AOL days, where you could get internet for free for a certain amount of time and then you'd have to pay and if you were lucky enough to get your hand on a bunch of those CDs you could just keep using them and keep getting free internet. So I did that, got on. As you know, as pointed out by Snehal earlier, back in the day the internet used to just be like a black screen with text on it, like you had to type things, bulletin boards. So I got into some bulletin boards and started talking to some people and you know they were telling me well, you know, if you got NetZero you can get free. And again to Snehal's point, statute of limitations passed here. So I'm admitting this, these guys in the UK were telling me how I could get free internet. You know, if I ran these commands and they were showing me how to use Unix commands, like I was getting introduced to cat and cat /etc/passwd, because back then there was no such thing as shadow. So if you got the /etc/passwd file, you got username and password. So they were showing me that and they were like yeah, just pick any one of these thousands of accounts and use that to log in and then you don't have to ever pay for internet again. So that was what got me interested. 
It's like man, just by knowing that one thing it empowered me to where, even though I couldn't afford it, I could get it, you know, by using these other accounts on there. So that was my. That piqued my interest in it and I started looking at NASA and like some other stuff that I shouldn't have been looking at back then, because back then nobody really had security, like everything was just wide open, you know, because the assumption was, if you're here, you're supposed to be here. So that's that got me interested in protocols and understanding TCP/IP and Novell networks and stuff like that. And really my foundation in hacking just came from understanding as was just pointing out a second ago by Josiah, was just understanding how things work. Right, like it really was just figuring out how does how does this message get from my screen to somebody else's screen on the other side of the country? And I really got deep, deep in the network protocols and IPX and SPX and how Novell networks work and things like that. And on top of that the foundation for hacking just kind of came naturally as I got introduced to different opportunities.

Chris Sienko: 

Yeah, fantastic, so thank you for that. So, now that our team's been assembled and showed us their very specific set of skills and origin stories, I want to broaden out to discuss the misperceptions that hacking has been fed to the public over the years and, as you can see in the slide here, this entire series was kind of birthed by an email that we received on an early Cyberwork Live episode. We were asking for the most basic cybersecurity questions and if you see in the in the right side there one person wrote can I still be a penetration tester if I can't type fast? And so which you know, it's easy enough to sort of you know, smile at these, these, these videos, and how unrealistic they look, but it's pretty clear that they do make some kind of a of an impression on people who are watching them. So I want to sort of reframe this by talking with our educators first. So, Josh, as someone who teaches security and in higher ed capacity, can you tell me about the types of students that come to your class in 2024 wanting to learn ethical hacking and related skills, like? What are their perceptions about the challenges they'll face in the industry and what they're there to do?

Josh Brunty: 

Well, I mean, their perceptions are a lot different than they were, and especially what you see in Hollywood. A lot of our students are coming in they want to legitimize and learn a craft. They want to learn how to do this and parlay that into a career. So a lot of the students coming in are really wanting to be a white hat or an ethical hacker, if you want to refer to it as that way. You know, and they come in with different interests. You know we. You know what we refer to. You know as as a bunch of different terms is now called open source intelligence, which is a subset of hacking. So, want to get into intelligence, open source intelligence. We have people that want to specialize in red teaming or blue teaming or even digital forensics now. So, compared to what we saw a long time ago, you know there was just this, this hacker, and it was this blanket term for everything. I'm seeing now that people want to specialize, they want to learn specific things and maybe learn multiple. You know different specialty areas and you know, pick from those specialty areas for their career. And I think, as as this continues to evolve, you know we're going to see, I think, out of our students and I'm seeing this, students as a whole is a more active engagement in. Students want to put their hands on the keyboard and they want to learn these and more in an active environment. You know, obviously there's the standard protocols and standard bedrocks of computer science. You absolutely have to learn in order to understand what you're doing when you're typing and that's that's not going to go away. You know it's good to learn those things, but it's also good to mix that in, to put that into an active engagement. You know, seeing, you know what you're doing and seeing the effects of it. 
That's the different student that I'm seeing today, compared to when I was a student years ago, where you know you would code out, you know 200 lines of code before you got to see exactly what it would do, and it's just not that case anymore. It's a little more active and engaging than it was.

Chris Sienko: 

Yeah, I have to imagine that just there's there's just so much more info about you know what's available out there that you can sort of already be thinking about your specialty before you even step foot in the classroom, whereas maybe when you started 15 years ago that was not as much as the case.

Josh Brunty: 

Yeah, and it's. You know we have Google, you know we, and now we have AI, so you know I am. I was going to change, I think, over the next year of how we learn, how we prompt. You know, if we're stuck on this portion of a script or something that we're working with, we can actually prompt a ML to say, hey, you know, can you help me through this? Can you show me what? Where I'm going wrong? That's something we didn't even have two years ago. We also have Google and that that compendium of knowledge gets bigger and bigger and bigger every year. That's something I didn't have when I was in college. So you know it was a lot different. You know we were. There was a lot of struggling, and I don't think even me now. You know I like those assistive technologies to kind of help, kind of what we call cognitive offloading, to make things a little bit easier and move on to the bigger things we enjoy more.

Chris Sienko: 

Yeah, yeah. Keatron, we talked in the past about how your cyber foundations course can bring people with nearly no tech background into a strong baseline of experience in cybersecurity fundamentals, so can you tell me a little bit about the people that are taking your cybersecurity basics class and or your your pen testing classes? I'm guessing not everyone you've taught was changing their grades in the school database by age 15, right?

Keatron Evans: 

I mean, they might not have someone and we're paying somebody else to do it. Right, okay, to do it. They knew in existence, yeah, yeah, for sure. I mean, essentially, the cyber foundations is really for people that are that have zero experience. Right, like nurses I've had nurses, airline pilots, you know people that have no technical background that are trying to move into a cyber based career. But one thing we have noticed over the last, I'd say, 15 years is the people coming into, like a penetration testing course or an ethical hacking course. The skill levels are much less technical than they were 10 years ago. Right, because I remember when I would teach a class 10 years ago for pen testing, everybody in there would have at least 10 years experience doing hardcore network engineering, a hardcore coding, right, whereas now I'd say 50% of those classes, those people have never done anything like that before. Right, it's they're trying to fast track into the industry and to the, to the point that Josiah just made one of the most popular courses on skills right now is that ChatGPT for SOC analyst that I wrote, where, instead of saying you know ip.addr == whatever to do like this complex filter in Wireshark, you can just say, hey, ChatGPT, what's the filter? To look at Josiah's traffic and and Josh's traffic, you know, if you know their IP addresses, and then it gives you the filter and then it tells you, like the logic behind, why each part of that filter works. So it's almost like having an expert instructor standing over your shoulder. What these tools and to Josiah's point, to Josh's point, we didn't even have that two years ago. You know, and that's something that's going to revolutionize. And even with just you know the learning curve for people to get into it. I mean no free marketing here for a say, how would it like if you look at the product that they have like it? 
You know, like we always say, you can't do hacking as fast as we see the movies, but with their tool you can almost do it that fast, you know, but not quite. So the the evolutions are happening. It's going to rapidly accelerate how fast the bad guys can get up to speed, and we've even seen evidence of them using AI for phishing, where their efficiency and how they phish goes gets exponentially better every minute, versus them having to learn over a period of months about that organization. So we on the defensive and on the blue team side, we have to be able to get people up to speed faster to be able to kind of counter that and defend against that. And I think a big part of that is, you know, leaning into the AI tools and not only that, empowering people to create their own, you know, AI chatbots and things like that.

Chris Sienko: 

Yeah, OK. So before we get into our next set of questions here, we are getting some good questions in from the live audience. Thank you for for writing in. I wanted to throw one out here because it seems like it's a good place for it. So Justin Armstrong writes at what point is someone qualified to perform a penetration test of a network? This is what I ask myself. It is when I can, is it when I can pass the OSCP? I have used some tools but I'm not an expert yet and I don't want to charge someone for a penetration test until I believe they are getting their money's worth out of me. So that's, I think that's a really interesting point. And you know, Josiah, you talked earlier about that sort of like that breakthrough, where you went from sort of learning to doing and is this, is this something that one of you or all of you want to sort of jump in on? Where do you think the the sort of proficiency point comes? When you're ready to go out and use your talents for other people?

Keatron Evans: 

Yeah, I can take a first stab at that. I mean I think that's kind of tricky. I mean, you know I do run a firm that does that, but like it's, you know, really, if are you able to go and show value, right, like, can you go and show that customer where their vulnerabilities are, can you do a proof of concept, and prove that these vulnerabilities can be exploited, and can you write them a report that communicates in a way that gives that customer actionable items, things that they can go and do something about? If you can just hack systems, that's only like one fourth of being a good pen tester, right. So if you, if you can do all those things and present it to a customer in a good way and they accept that and they can come back and turn around and tell you that they got value from it, then I think you're ready to start charging. And I think a good way to get to that point is volunteering some some services to nonprofits and places like that and let them and give you critiques and feedback on you know that pen test that you did for them and just straight, I would straight up ask like, would you pay for this? You know, if I did this again in a year. Do you think the value you got is worth paying for? I think that's a good way for people that are trying to decide if they need to start charging or not. A good way for you to kind of give yourself a gauge as to where you are. Some people will tell you. You know what, if you go do the work, just charge for it. Doesn't matter how well you think you did, and I don't really agree with that 100%, but I can also see some value in that perspective as well.

Snehal Antani: 

Alright anyone want to add anything to that, I would probably go back to something that just I said earlier, which is, you know, 10 years ago when you mentioned that a lot of people going through his courses were very strong technically and I found the best, the best offensive security folks have very strong network engineering skills. Just in general. Some of the best security folks that have been on my team came from a very strong network engineering background. But I think there's an interesting reckoning that's going to occur and we already see this in the software engineering, software development side. So probably three to five years ago it became very popular for people to pursue software engineering boot camps as a way to change careers, and so you're doing something. You go to boot camp for eight to 12 weeks and now you're a software engineer getting into a level position. But if you look at what Copilot have done to the boot camp graduates, they're actually wiping them out because it's Copilot is good enough or or even better, at cranking out production ready code, whether it's Microsoft Copilot or GitHub Copilot or so on and so forth. I think that's putting a lot of pressure on people that that have boot camp experience but don't have that deep subject matter expertise to move up the value chain. And I think the other thing is having is putting pressure on senior software engineers to be much better at reading and troubleshooting and integrating other people's code, which is a very senior thing to do. I think we're going to see the same thing happen from a pen testing standpoint, just like we're going to see it happen legal as GPT comes out and so on, which is for those that are dabbling or very entry level. 
There's going to be a tremendous amount of pressure for them to upskill very quickly and become as senior as you possibly can, because algorithmic capabilities like what I've built and what other people are building and so on are going to give a senior pen tester unlimited to the, give a senior pen tester unlimited interns right to some degree, and and so I think we have to really rethink the way that we're educating pen testers going forward and make sure that we're giving them a path to understand how human machine team in in this world is going to become the new model, just like we're seeing in software development.

Chris Sienko: 

All right, so thank you for that. So now that we've looked at the fiction, I wanna sort of look more at the less glamorous but more accurate version of our industry here. So I don't wanna be too hard on Hollywood. I mean, I realized that, along with the lives of painters and authors, there's probably not a lot less visually compelling than a realistic cinematic depiction of a penetration test or incident response analysis. So, but I still don't think that that means that we have to sort of make this sound dry and boring. So to jazz up our listeners who are considering getting into cybersecurity, who are working on it, who are writing in right now but might be feeling a little deflated about the distinct lack of Hugh Jackman or Angelina Jolie they'll be experiencing. Ken, I wanna have each of you tell me about a real life security threat, attack or incident that you've dealt with in your professional life that was fun, interesting or cool enough to make you feel like your own movie icon. So Snehal, I wanna start with you again here. I feel like we just scratched the surface in our last conversation on cyber work about some of the interesting things that you got to do while you were doing red team operations. Can you give us an example?

Snehal Antani: 

Yeah, I'll actually give you examples from two perspectives. So the first perspective is my time as a CIO and the CTO having to purchase penetration testing services, and that experience, the technical term is, sucked, because one, I had to go off and explain, like, I would be asked this dreaded question: are we secure? And the answer is I'm not sure, I have to wait for a breach to find out, which was absurd if you're a business leader, hearing that answer from your CIO or your CTO, and that I have to go off and justify contracting somebody who takes eight to 12 weeks for them to show up. When they show up, they would take us over pretty quickly, couple of hours or whatever else. Get to domain admin. They hand us the report and this year's report looks almost exactly like last year's report. And then I have to go off and explain what happened. Why did we spend all this money in security, where we're still getting pwned as quickly as we could? And then we go off and fix a bunch of issues. We're like, all right, man, can you come back and verify that this thing's been fixed? And like, yeah, you got to pay us another consulting engagement to come back and verify. And so this whole notion of having to sit there once a year and get punched in the face by an ethical hacker to show how bad my team is was not something that I look forward to doing. And so how do we shift that model to being more collaborative? And this is where purple team culture started to emerge, especially in those forward-thinking security organizations, which is, the red and the blue team should be working together to proactively secure the environment, versus having show up with a brown paper bag lit on fire in a doorstep saying ha ha ha, which is kind of the mindset of a lot of ethical hackers. So that was kind of my experience as a buyer and that was just unsustainable. 
On the flip side now, as the CEO of Horizon 3, last year it took us seven minutes and 19 seconds to go from unauthenticated user with initial access to domain admin. Seven minutes, 19 seconds this year, or that was 22. In 2023, it took us four minutes and 12 seconds, and by this time next year we suspect that's under 60 seconds. And really what's happening is, and these are large, complex environments, the more training data you build as you run pen tests, the more you're able to tune your models, more able to better stitch together high-probability paths of achieving a technical objective. And so, if you think about it, in 60 seconds or less to go from unauthenticated user to domain admin, that's a game changer for both an attacker as well as defenders, because how quickly can the defender characterize those alerts, get permission to take fixed actions and actually do something to stifle it? And so I think we're in this really interesting fundamental transition from the getting-punched-in-the-face experience of the last 25 years to algorithmic warfare, where you've got 60 seconds or less because the attacker is blitzkrieging your network.

Chris Sienko: 

Yeah, yeah, I mean, it doesn't get more cinematic than that, so I want to bring it around the table here. Josh, in addition to your esteemed time with Marshall University, you've also worked for NIST and worked in cyber forensics. Do you have any cool experiences or projects you could tell us about?

Josh Brunty: 

Yeah, so I came out of the forensics environment. So I was in law enforcement for a long time and when I originally got into that it was hard drives and just basic phones and video and things like that video enhancement. As my career progressed, we started working breaches and working around bypassing devices. So I was really at the forefront of what we're seeing in law enforcement now being able to bypass Android passwords or wipe them out completely, get into the device. So there was a lot of hardware, computer interaction that we were working with. So the fun part of that and I say this much is no one was working in that space at that time so you couldn't go out and Google and say, ok, here's this database, what data is in this data blob here and what's it trying to tell us? So there was just no one to ask and so it was fun that you were at the forefront of figuring out and decoding data and taking this SQLite database and saying, ok, what value in an investigation does this have for us? And then decoding that and then publishing about that so other law enforcement and investigators and agents could use that. So I really was loving that at the time because it was just such a challenge to me and this is why I love cyber games now, because you get to feel a lot of that same adrenaline rush when you're in competition and you're trying to carve through that and figure that out. But starting to work breach investigations and things like that where we would see server compromise from nation states it was fun because you had to pull from so many different sources and you're learning on the fly. So you don't know what this log is trying to tell you and the techniques and tactics of your threat actors. You don't know if they're coming in from different countries or if they're within your borders, but you figure that out real quickly. So I think when I was getting into that, I had this mindset. 
I did not know really, I was learning on the fly, but I carried this mindset that I knew I could figure it out. And I say that to a lot of people out there, because there's this fear of like imposter syndrome, if you want to call it that. I have it. I've been in this for 20 years and I still have it but the ability to say, ok, I know people that can help me figure this out, I can figure this out, and there's never been a challenge where I've just set that down and said, no, I have no idea what's going on here, and been able to plow through it. That's the most fun, that, I think, most fulfilling thing that I've ever experienced in career.

Chris Sienko: 

Yeah, fantastic. Thank you. Josiah, Keatron, do you have any stories you would want to add to this?

Josiah Stearns: 

Yeah, of things that I can talk about. I think probably the most cinematically interesting thing that I've worked on, that I'm actually currently working on, is a project that began about a year ago in which, essentially, I am building an attack on airborne collision avoidance systems in which the protocol that planes use to talk to each other is unencrypted, and so I'm building a payload that allows you to create fake aircraft and then cause planes to rapidly climb or descend in response to that, and so that's kind of the background of my project. The thing that's cool about it is the initial payload for that, and almost the entire code base that now exists for that, was written in about 72 hours. I had a three-day weekend, one weekend at the Air Force Academy, and basically just locked myself in my room and worked all weekend and knocked out a lot of the code. But I say that to highlight the fact that all of that code and that work that is, I guess, sort of like this cinematic thing that we're talking about was built upon 10 years of prior coding and learning about these protocols and learning how to write code and how radios work and how all of these things interact with each other, and just this big background knowledge that I had on the subject that then allowed me to, in that moment, just plow through and write this payload. So I think, a lot of these projects and things, it's possible to have some of these moments that they show in these movies. Obviously, we're not. I've never once cracked a crypto problem by visualizing a bunch of spinning cubes on this thing.

Chris Sienko: 

Yeah, that's a little bit out there.

Josiah Stearns: 

Yeah, yeah, but this idea of it is possible sometimes in the moment to be able to get through things really quickly. You just have to understand that it took years and years to build the tools and the knowledge that actually let you do that. And that's the part that they don't show on screen, but that's the part that actually matters, because when you're building those tools, those are things that then can carry forward and that other people can use, that you're actually contributing to the rest of the community you can provide there. So, anyway, that's one example of something that I think is a cool, like, gets pretty close to the plot of, you know, maybe Die Hard 2 or something like that, but is realistic. And so the other thing just that I want to bring out from that is that's an area where, you know, just like Josh was talking about, nobody else had really done stuff in, and having that mentality of nobody else has done this and I want to go there is, I think, what drives a lot of people in this area and is a really important thing to foster, of I have no idea what I'm doing, but that excites me and I want to go further.

Chris Sienko: 

Love it.

Josiah Stearns: 

That's really been a driving force.

Chris Sienko: 

Yeah, that's great. So we're coming up on about 20 minutes left here. So I'm gonna, and we were getting a bunch of really great questions in here, so I'm gonna kind of speed through a few of these slides here. But I just wanted to sort of point out that, you know, it's moved from the fantastic to the practical. It's interesting that we're starting to see some more realistic examples of hacking and hacking consequences and so forth, like this clip here from the TV show Mr. Robot. You see what I mean. I feel bad for poor Bill Heisman. He's just doing the best with the budget he's been given. But you know, I don't know if we can justify that company photo away, though, but you know, I think it is interesting to see things like this on TV and things like, you know, Trinity using a semi-realistic looking version of Nmap in The Matrix Reloaded to infiltrate and take down the city's power grid at a crucial moment. Or, you know, references to homomorphic cryptography in the James Bond movie Skyfall, even if, as you said, Josiah, that interface here is wild looking. It's a big, spinny, glowy ball thing here. So I mention this just briefly because, you know, we're seeing real-life ransomware attacks shutting down hospitals and even emergency rooms, and we're seeing breaches like SolarWinds and Oldsmar, Florida's water treatment plant. Does anyone want to talk about some of these things, these more realistic hacking conceits starting to show up, and, like maybe WarGames did for a certain generation, do you think things like this might fire up younger people to get stoked about sort of like the real problems in the world and so forth? I'm just gonna sort of pass it around the room to see if anyone has any thoughts on this, but yeah, I can.

Keatron Evans: 

I can start, Chris. And one thing I want to say is, like, so the scene you just saw from Mr. Robot, these things may be possible but, to Josiah's point earlier, it's not gonna happen nearly as fast as they showed in that show. Like he might work against that target for a year and maybe get to the point that he has a kind of control, that he's ingrained himself in that organization enough to be able to do some of those things. But the part they don't show us is how long it takes to get to that point. So I think people that are trying to get into it should be encouraged by the fact that, like, yes, you can have some power, you can have some ability to affect real change and help organizations with their security. But while we saw 30 seconds of him doing stuff on the screen, you know, what you don't see is, like, the eight to twelve weeks of reconnaissance and other stuff that he did to get to the point to be able to get even a foothold into that environment, to start exploring internally, to get set up to do something like that.

Chris Sienko: 

Yeah, yeah, I mean, I worked in healthcare back in the day and the whole Windows 98 thing is, you know, can confirm, like, a lot of these systems are very slow to update. You know, some very antiquated, you know, systems and whatnot. So I understand that. But yeah, at the same time it's still gonna take some work to get in there. So I just wanted to mention that briefly, but I want to move on to another clip here, also from Mr. Robot. This is a later episode of the series in which our protagonist, Elliot, is hence something that I think everyone on this panel has taken part of in some part of their lives, thing that no doubt will look familiar to Josiah and Josh here. It's a very aboveboard, very well lit and not at all sketchy and in no way illegal capture the flag competition in some basement. So let's start with Josh here. Tell our listeners about your work coaching the US Cyber Games, like, what level of skill and proficiency do athletes come from, and can you give us a little sense of what types of challenges they have to work through?

Josh Brunty: 

Well, you know, back up and talk about the program in general. So the US Cyber Games program, we're in our third season of it. We start out every year with the US Cyber Open, which anyone can sign up, anyone can get involved in, and I recommend anyone that is even getting into this sign up and, you know, play our CTF, play our competition and learn from that. So that's our whole goal, you know, to try to bring cyber games, you know, as an introduction to individuals that are age 18 to 25. So from that Cyber Open we invite back roughly about 90 individuals from that Cyber Open back to our combine to be assessed once again and a little bit tougher challenges, to look at their skill, look at their experience. We evaluate them wholly in the combine and then from that combine we select a team of 30 which we take into international cybersecurity competitions, specifically International Cybersecurity Competition, ICC, which will be in Chile this year, and the European Cybersecurity Competition, which will be in Italy this year. So we try to select individuals based upon their different skill sets. So Josiah, for example, very strong in tooling and attack and defense. So we look for individuals that complement our competition areas. But there's individuals that are strong in CTF, there's individuals that are strong in forensics, strong in crypto, strong in web and pwn. So we try to round out our team. So, when we're dropped into these competition environments, we have this rounded, holistic skill set. And this is where the Mr. Robot clip does show some relevance. You know, where Elliot drops down and, you know, tells this guy if you tried this, this and this. Those are things that we do, but we do that at a very deep scale. 
So, you know, you have seven or eight people that could potentially be looking at a problem, talking through things, try this, try this, try this, and eventually, you know, we come up with the skill that will work and then do write-ups on that, post game. So, you know, this is one of Mr. Robot, that clip, you know, even though it's as shady and seedy as it looks, yeah, there's a lot of truth to that in that interaction. I think that both Josiah and I've seen in competitions, though, that holds some truth to that. So that's the fun part of it for me.

Chris Sienko: 

Yeah, no, absolutely. And I mean even as someone who is not, you know, at anywhere near any year level, like you can feel that it feels different. Like it feels like, you know, it's coming from a sort of an authentic place and I know that they've actually said that they have, you know, consultants to make sure that this stuff actually sort of goes as it's supposed to. So I want to turn to Keatron real quickly. You know, our Infosec Skills cybersecurity skills learning platform has, from the beginning, included strong hands-on learning elements. Similarly, through realistic practice lab simulators and cyber ranges that require hands-on acuity to solve, you know. So how does the process of moving beyond book learning and imagining real-world problems and getting into the guts of it sort of help yourself improve learning and retention?

Keatron Evans: 

Yeah, I mean, it's almost just like if you, you know, I've seen people, you know, my daughter included, that, you know, to get her driver's license, she absolutely mastered that driver's manual. Like you could ask her any question, theoretical, about what you should do if, you know, how far do you need to be away before you turn your signal on, like she had up. She knew all that stuff cold but, you know, I take her out and put her in the car and it's, you know, it's immediately wobbling all over the place. You have to get your hands on the keyboard and start doing things, because until you do that you're always gonna have that nervousness and that lack of confidence that you can do it. A big part of what I've noticed over the years of training people is when you give people a technical task like, let's say, find the vulnerability and break into a machine, it's never the really complex cyber stuff that hangs them up. It's the basic things like, oh, what was the command to do this? Or how would I get this? Now that I've gotten into this machine, how am I gonna get the data off this machine back to my machine? Like, just setting up basic back hauls and just doing the very basic things. Those are the things that usually hang people up and it's because they haven't actually sat down and done the foundational hands-on stuff before moving on to the, I want to break into a box, you know, because a lot of it really is taking a lot of your foundational engineering how-to knowledge and stringing it together in a way that leads to you compromising something or leads to you being able to get to something. So I think the main way to get from book knowledge to actually being able to go out and do it is you got to get yourself into an environment that you can practice safely and start practicing like that. I think that's the only way.

Chris Sienko: 

Yeah, okay. So yeah, we're coming down on time here, and so I think what I'm gonna do, I think we pretty much know the conclusion that realistic hacking on TV is not really something that we need to necessarily concern ourselves with. We have plenty of people coming in who already know kind of what they want to do, and we're, you know, doing our best to increase outreach of, you know, future cybersecurity professionals of tomorrow. So I want to just kind of turn off the overhead projector and put the chairs in a circle here, because we have a lot of questions from our audience to get through. So I want to just kind of go through these in order. So I want to start here, first one. Jeff Peters writes, oh, it's Jeff Peters that said that. Paul men's writes: I am searching for the optimal training platform for cybersecurity training slash search, but ideally I want a career jump from a system admin to a cyber analyst. I wonder if anyone has any thoughts on that.

Keatron Evans: 

Yeah, I can take that, obviously. Um, so in our Skills platform there is actually, we have defined role-based training so you can say I want to be a cyber analyst or a cyber security engineer and pick that and it shows you the recommended learning path for that, that includes, you know, you need to watch these videos and get some of the theoretical knowledge, which you also need to go do these labs that are directly related to the cyber security and you can do these labs that are directly related to that to get the hands-on. But I think anything you can find out there that, you know, has the ability to map what your goal is to an actual hands-on exercise is going to be valuable to you. The problem with a lot of the platforms is it's just a collection of stuff and you'll spend 20 hours doing something that you think is helping you get to a goal and then you talk to someone that actually does that job and you find out that thing that you spent 20 hours doing is not really going to help you get to a goal with, you know, the job that you're actually trying to get. So I think the key there is finding platforms that allow you to do that kind of mapping and communicate with people that already do what it is you're trying to do and they can kind of help you cut a lot of waste of time out. Alright, if I build on that real quick.

Snehal Antani: 

So when I was the, when I was the CTO of Splunk, there's something a really interesting pattern I saw develop amongst our customers of Splunk started off as an IT operations tool and platform, eventually became security. But you know, in that question interesting background, I started as an IT admin and trying to get into security and what I saw was that when a server crashes, in that initial period of triage you don't know if it crashed because of an IT issue or because of a cyber attack, and so those that were on the IT op side, they were able to master that initial triage process of characterizing is this an outage, is this a security issue? We're able to quickly evolve their career path, not just being really good at troubleshooting incidents but then also being able to investigate security breaches, because there's a lot of synergy and overlap of expertise and skill sets to do both of those things Go from IT admin to almost like DFIR and then from there you start to understand TTPs and so on. That's an interesting path that I saw amongst the Splunk community. It became a pretty consistent way for a person to start with an IT background and master or enter or break into the security background at even a mid-level position or even higher.

Chris Sienko: 

Thanks, Caitlin Scott has a question and she's specifically directed it to Josh here. So I have a BS in Criminal Justice with a little bit of knowledge of cyber slash computer forensics. What career paths would you recommend, especially in a corporate slash enterprise environment? We have a-.

Josh Brunty: 

Goodness, that's a good one, because I transitioned out of law enforcement as well. One of the things I recommend, and to anyone out there getting into this, especially if they're transitioning from, like, LEO or investigative into private sector or cybersecurity as a whole, differentiate between education and training. So you may not have an educational background. In that it may be something to consider because the educational background is going to give you the bedrock to build on, not just for a career or otherwise. So look at programs that build that bedrock, or that good foundation for you of learning the protocols, learning how networks work, and that doesn't matter if it's at the community college, the bachelor's level or master's level or even doctorate level. Look at that good educational foundation. Keatron brings up an excellent point. Look at trainings that map to certain pathways if you're transitioning out of law enforcement. A lot of people, they just look at the blanket of cybersecurity, but there's areas like incident response where investigative mindsets are very well-valued. That's really where forensics and red teaming meet in certain areas. So value the skill set that you have, but build upon that. Incident response is a great area to look at. There's a lot of legal fintech firms that are looking to hire those individuals, legal tech and even private sector, your Fortune 500 companies, they're all looking for individuals that carry that investigative mindset to the table. Just know that when I got into this and I was making that transition myself, I felt like I had to know everything. You're working on teams, so you're working with teams of people and build that skill set, knowing that your specific skill set that you're really good at might be the right fit for that team. Whether it be incident response or crypto or whatever the case may be. You're going to fit in that organization if they value that skill set that you have. 
So don't feel like you have to know everything, but at least get a good foundation on it and then start to practice and look for areas that map, or trainings and simulations and exercise that map to what you want to work in, I think, with that playbook in mind, I think you set yourself up very well to make that transition without a whole lot of grief.

Chris Sienko: 

All right, thank you. So I have one more here. Again, questions very near and dear to my heart here for our people changing to this career later in life. Ethan Rotman says: I currently work as an IT support specialist for a public school district and I've only been here for a year and a half, but I eventually want to transition to a cybersecurity career path. Are there any good starting points or things I should work towards doing slash getting besides finishing my BS program? Is finishing a bachelor's program even necessary or helpful?

Keatron Evans: 

I can jump on that one. I think the most important thing is, again, look for some platforms. If they don't offer a free option, you should be able to get 30 days free or something like that. The reason that's important is because it gives you a chance to go in and explore all these different paths so that you can figure out the answer to that question. Because when people ask me, how do I get in cybersecurity, the first question I ask is, well, what do you want to do in cybersecurity? Do you want to do offensive, defensive? Do you want to do high-level management? Do you want to do audit work? Do you want to do in-the-weeds technical work? Because the answer to that question, they all have different paths that you should take to get to a proficiency in that area. So I think getting into some platforms that you can get into for free to just play around and see what it is that piques your interest, because I have this story. The best pen tester I've ever hired was a young lady that was a liberal arts major, that was a piano player that I met at the Kennedy Center here in DC because I was playing piano there and she was playing, because piano was like a side hobby of mine. She had no background in technology or cyber, but she was just interested in doing something for some work and she had a knack for technology. So I say that to say it doesn't matter what degree you have, what your background is. If you think you have the interest, go ahead and feed that, go ahead and explore it, see where you fall with it. Because again, out of the 25 years I've been in this industry, the best person I've hired was someone that had no background or no degree in cyber or technology at all. So don't be discouraged by age or whatever it is you have as degree. Just jump in there today. Whether you finish the degree or not, I don't think it really matters that much. If you can finish it, I would say, go ahead and finish it. It can only help you. 
But don't let that stop you from taking some action today as far as getting into some platforms so you can see kind of where you are.

Chris Sienko: 

All right, I think that might be a really good place to wrap things up. Does anyone want to add anything to any of this before we start to understand? Okay, all right. Well then, I think we're coming close on time here, and so I'd like to thank all the people who are still here and actively engaged. I'm told that we still have a very hot chat out there, and so if we didn't get to your question, we will answer it in the next couple of days. So thank you again for writing those in. And with that, I'd like to just say thank you to everyone at home or at the office or listening and watching today's episode of Cyber Work Live. So if you enjoyed today's event, I hope you'll keep watching for future installments of our Media Myths, Cyber Reality series, which will likely include episodes on red teaming and physical breaches, confidence tricksters and social engineering, depictions of the dark web and many more. For anyone new to our program, I'll also point out that new episodes of the Cyber Work podcast are available every Monday at 1 pm Central. You can just go to infosecinstitute.com. You can see all our past episodes and links to Keatron's and Snehal's past episodes in the resources section in there, as well as in this presentation here, and you can also click on individual bios for more information on each of our panelists. Also, keep the fun going by checking out infosecinstitute.com to check out all of our free resources, including Work Bytes, our security awareness series, our Cyber Security Talent Development eBook, which has training plans for the 12 most common roles, including SOC analyst, cloud security engineer, information risk analyst, privacy manager, secure coder and, yes, pentester. 
So, lastly, I know we're coming up in this very quickly, but I just wanted to thank you all once again and thank our wonderful panelists, Snehal Antani, Josh Brunty, Josiah Stearns and Keatron Evans, for joining us today, and thank you to all of our guests for attending and submitting great feedback and questions. As we end the presentation today, a very quick survey will appear. If you would just take a moment and share your thoughts, it's very appreciated and it will help us produce more great content in the future. So thank you again, everybody, have a great day and, once more, please leave Bill Highsmith alone. He's doing his best out there. All right, bye now. Thanks, guys. Thanks guys.
