Adam Compton - Finding Your Home in Infosec: To Specialize or Not

it's going to be Adam Compton over here talking about finding your home and info set specialize or not so please give it up for Adam [Applause] [Music] I never specified so go for it that's fine yeah all right all right so first of all I want to thank you for all of you that who have stuck around until five o'clock today to come in here I appreciate it thank you very much uh but yeah as it says um hopefully this is what you were expecting I'm going to be going over just talking about picking up a career path stuff like that in infosec figuring out where you want to fit uh where you belong things that

nature uh we're gonna go over all this as we're going through it so first of all let's go over like what are we going to be talking about today uh what am I going to be talking about what are we going to be doing here first I'm going to go over a little bit of the various foreign [Music] you want to take over now we're going to be going over some of the different career paths things or areas that you might want to move into in infosec it's not going to be an all-inclusive we don't have time for that we'll go over some of the the more common ones that I've encountered uh we'll share a few personal stories I'll

ask you all if you have any stories you'd like to contribute things of that nature and um yeah we'll just see how it goes through there with a few Lessons Learned things of that some good pointers along the way and we'll see how everything works out um uh hopefully this doesn't go overly too long and get everybody out of here on their way home today but we'll see how it works out so who is this talk targeted toward it can actually be used by anybody who wants to use it obviously but I wrote it in the mindset of somebody wanting to get into infosec wanting to do a career change from one area of specialization

in infosec to another things of this nature it's somebody who's wanting to see other options other opportunities within infosec to figure out where they want to move to where they feel they might fit better whatever the case is uh in order to do that I'll share some um personal experiences with the different career paths I'm talking about my own experience on jumping back and forth between some of those and um as I said before if you have anything you want to contribute as we're going through I'm not gonna mind that if you want to speak up raise your hand whatever or at the end there'll be a q a if you all want to wait until then not a

problem for me a little bit about me yes I got a new picture this time thank you uh AI art generation you can get amazing stuff I put in what was it like uh slightly overweight hillbilly in a uh what was it a a lab in a 1940s art style or something like that that's what it came up with I'm like hey I like that one I was just gooping around with it at home one day so who am I I am a principal security consultant for trusted SEC um you might have heard of them thank you yes yeah he's a good guy I like him I've been working there for going on five years I think

I think that's right it's been a while now but over my career I've been doing pin Testing infosec Research what have you for well over 20 years now 20 going on 25 probably in that time I've done a little bit of everything the code development research pin testing of Windows uh social engineering uh web app design web app testing a little bit of all of it I've tested a lot of it over there I've contributed to some incident response I've caused some incident response um yeah this it's true I have I didn't mean to but um I pointed out where there should be incident response because I've been on a system when I realized it was somebody

else already on the system there's all kind of things happening there over 20 25 years you come across a lot of odd things out there but this is all just to say that anything I'm saying is built on my experience you get somebody else up here with more or less the same experiences I do they might have different views of it even it's this is built on what I've experienced and what I've seen in my time so the main premise of this is trying to find your place in information security in infosec and the question is is why is this important why is this something that you should be concerned about I'll go ahead and get it off top of my

head if you're really just looking after the best paycheck possible find the field that is easiest for you and that pays the most and go with that now if you want something that is going to be challenging thought provoker to get you engaged and possibly cause you to be more happy with your job then you start thinking about some of these other aspects that we're going to cover as things that are going to challenge you things that make you want to get up in the morning and go to work things that are going to make you enhance your skill set use your skill set make use of what you have and make you want to work

harder at it um there's all kind of different things in there like I've done I've picked both paths over the years I've went the easy route when I was on burnout and then I went and revamped in there and got hard into it again and it's easy to fall into one or the other definitely fall into the complacency which we'll talk about but it's really you want to find something that's challenging and it's going to help Stave off some of those possible side effects down the road um and if it's something that you really enjoy you're going to try harder at and if it's something you're trying hard at you have more chance potentially of

improvement of job opportunities uh promotions and things like that because you're actually wanting to try in the position and if you're just doing what it takes just to get by you're just going to get what it takes to get by for most times so so as I said at the beginning the landscape of information security is massive we're not going to be talking about everything out there these are the areas that I've had the most experience with over my career things like penetration testing some red teaming or adversarial engagements or how you want to phrase it incident response defensive security or blue teaming a lot of people call it and finally research and development there's

going to be all kind of other areas in there whether it is I don't know um policy or auditing or any number of other things or just system administration or what have you there's lots of other categories in there and subcategories of these penetration testing for one is a massive collection of a lot of different small ones in there it's just a generalized term that we use for it but we're going to try to dive into these in particular talking about them just to give you a feel because I think they give a pretty good breadth of the field for what most people think of when they come into infosec especially at conferences looking for getting that

challenge dealing with hackers either being the hacker or defending against the hacker things of that nature so let's say you're doing that oh he's not in here I'm gonna say I get to use our own stickers we came up with those years and years ago but so for penetration testing what is penetration testing this is not going to be a hard fast definition up here this is more or less what me some of the team members I have all right that work with me we just kind of came to an agreement like this sort of feels right um you ask 10 different people you're going to get 12 different definitions of what pen testing is it's across the

board but effectively it boils down to penetration testing is simulating an active attack either from an external entity or a Insider threat that is trying to exploit and leverage company resources to some end whether that's to get data off of it compromise the systems maintain presence whatever you're trying to gain access from that perspective but you're also trying to get as many different paths along that way as possible within a set time frame this is what separates pen testing a lot from red teaming which we'll talk about in a minute is a lot of times pin testing is uh well majority of the time is set it has a Time boxed engagement or generally it is saying over the next two

weeks you're going to be testing this web application you're going to be testing this internal Network this external set of IP addresses whatever you're going you have a set time frame and the go there is to not just test it from a attack active attacker perspective but try to identify as many actionable findings as you can in there can I get across that scripting that allows me to get some cookie information off of a browser can I do a SQL injection that allows me to get remote shell execution on the mySQL database back in internally can I guess a password that allows me to get access to active directory certificate services to find an exploit to get

domain admin it's these actionable things you're doing and it's not just can I get to domain admin and I'm done it's how many ways can I do this within the time allowance so that I can hand this back to the customer and say look this is what we did this is how you can improve good now with that there's a few things that go hand in hand in there one of them is that or some of the responsibilities are I threw ocean in there because I harp on this a lot make sure that you know the target you're going after is the target you're supposed to be going after that definitely follows within osin yes you can use ozin for social

engineering and a bunch of other attacks but just for an external assessment too many times have I been given an external set of ranges and the customer says that's it and I look at it I'm like you're a legal firm these are Elementary School addresses this doesn't match up oh I typo that or I'll copy and pasted it wrong you do some level of sanity check oh sent that's where that comes into play a little bit plus it does help with password guessing and all that it's just something you should be comfortable with doing internet research effectively um you should be good at doing checking for misconfigurations and vulnerabilities both manually and scripted if need be exploiting them

where possible doing a lot of manual testing this isn't a vulnerability assessment those typically are type in IP addresses hit go give report this is more a much more manual much more interactive process where you're doing the task as opposed to just trying to report on it and then of course finally reporting is going to be across the board on all these you have to be good at reporting whether that reporting is writing this massive report uh 100 page 200 Page report that you give into the customer that talks about here's what we did here's all the findings how you can reproduce it all that or it might just be a memo you're giving to your boss

because you're doing an internal audit or something whatever it is you got to be working toward those those are some good responsibilities as well as skills that it's going to come into play with pin testing what are some of the skills I'd have to go along with that you have to be curious you have to have determination things that you're wanting to find out why like you're looking at a website and you think that something's not quite right on there but you don't have an easy fit for it easy fix or easy finding do you just quit and move on or do you dig at it a little bit and see what you can come up with

generally speaking you do need to have that determination that Curiosity to figure out what is going on there how can I exploit it and move forward having some understanding of various protocols I'm not talking about like are you talking about um what is it um token ring and stuff like that well yes that does come into play I mean more like uh various chat protocols VoIP protocols um just standard communication protocols on the network level how does the handshakes work things of that nature you need to understand to some degree how all of that works you don't have to be able to break it down to the byte level and reproduce it yourself but just

understand the concepts of it um here's a big one across the board on Ollies which will apply is accuracy and integrity accuracy be able to reproduce What You've Done be able to minimize the number of false positives and false negatives that you're reporting to the customer because if you're just giving them a bunch of data and you don't know if it's very accurate or not it's not going to be worth their money so you have to be a little accurate on that and integrity if they do catch you on something that was wrong don't try to pass the blame off somebody else just just say yeah I did it I'm sorry this was the data I had

this is why I thought this I was wrong move on with it have some Integrity about it accept the blame where blame is due accept accommodations otherwise or yeah scripting thank you programming is not required for pin testing it will make your job a lot easier and in a lot of ways if you can do at least basic scripting whether that is in bash or whatever the case is for you in.net or what have you if you can do some level of scripting that makes your job significantly easier in a lot of ways it helps reduce a lot of the mundanity of what you're working on but now if you do have some good programming skills you

can write out some nice new tools to help automate stuff but it's not a requirement I'm not a huge one for certs in general I don't think they're necessary I don't necessarily have any myself but if you do want to go after assert for pen testing and for a number of these the oscp is a good one it's not going to be a perfect representation of pin testing or red teaming or anything but it does show competency in some of the core skill sets as well as the determination to work through it same with gpn to a certain degree and there's a number of other ones out there from a managerial perspective getting your cisp

is a big one does it show that you have competency in actual the technical aspect not really but does it show that you have the determination to sit through and study that for the four to six hour test it is yes it does and you do get a breadth of knowledge in there but it's not a really overly used one but it is something that managers and corporations do look for so keep that in mind with that out of the way we're moving on to Red teaming any questions on pin testing before we move on awesome red teaming regardless of what you call it you want to call it an adversarial simulation uh Tao red team

it's all effectively the same thing this definition was given to me in some form by Jason Lang our in-house red team lead so blame him if that doesn't make sense naturally it's my fault for copying and pasting it over here but it's effectively it's a go oriented targeted adversarial simulation against a given scope generally a very wide scope that is trying to obtain a specific goal while also validating their defenses and capabilities there's a lot of it in there a lot of it can be packed into that one sentence but it's effectively that now wow what are some of the responsibilities that come along with red teaming well as I said before you have accountability you have integrity

you have all that stuff that I talked about before same thing but here a lot of what is going to be key to a good red team is not just your skill set but your communication skills your soft skills your what people call us off skills your personal skills interpersonal your human skills because a lot of this is also going to be trying to focus and guide the customer into what would be an appropriate scope an appropriate tasking for this engagement yes you want to have a red team but you don't want to have any social engineering you don't want web apps you don't want physical you don't like if you want a red team a lot of this

gets included if you don't want this you're looking at something more like an assumed breach or a pin test so you kind of help negotiate that you work with them to understand this and a lot of times also you're having to have that interpersonal because you're going to be telling the customer that their baby is ugly so you have to do that in a pre in a nice way possible without them getting mad at you so there's a lot of this back and forth um along with that does come to full management leadership there engagement where the you're going to have to help set expectations for the customer you're going to tell them like oh you want the

Fool's Gambit you want all this but you want it done in three days not gonna happen we're going to do this over the course of this month or we're going to do it over the next six weeks and we're going to work on this and you're going to expect to see some of this you're going to possibly expect to see some fishing us on site trying to get into your building you're going to expect a lot of you're working with expectations of what the customer can and can't um allow what you're wanting to do and you're trying to work with that even after it goes past sales you're still negotiating that to a little bit because

the customer always has what they want and then you have the team that says what we can do and there's a lot of that back and forth and as I said at trust a sec in particular among another other companies red team e is considered more full scope than very targeted you are going after all these other aspects if I can get in through a web app great but maybe I have to use social engineering and get a pivot to the inside where I can set up a beacon and I can start going that way maybe I uh break into their data center or sneak my way into the data center or set up a remote

access device in there that allows me access there's all these different components that work into it that facilitate that full scope a lot of that comes into hand comes as a responsibilities and tasks that you might have to do during a red team here coding is much more critical to a certain degree you have to be able to on the Fly modify some scripts edit some scripts create some scripts if necessary obviously you do need the same pin testing skills as you did before they're just done slightly differently in particular much slower pin test you have one week to test 5000 systems red team I need to get access to that data and that table on that

database on that one system I have six weeks I take my time I live within the noise I live within the expected Communications of the network I don't want to get detected if I do get detected now that's fine I don't mind getting detected I try not to get detected but if I do get detected what are we here sorry but they're getting ready to do last call and you got a bunch of tickets to give out all right oh my gosh really no worries no worries um yeah I'll come to this in just a second here um it's okay man don't worry don't worry I Blame You um but no really it's you're dealing with

all these different aspects of it then comes also to like that Curiosity the fearlessness you're going to have you're going to come across situations where like I have no way to go further unless maybe I exploit that VoIP device well do I have a something that I can do with that I don't know let's try it there's this new technique I want to try out you got to be willing to fail but try to fail quietly if possible I guess but yeah there's a lot of back and forth the goal is to get the end result but anytime you can tell the customer that they have security precautions in place that are detecting and alerting or

preventing you that's a great finding for the customer it's justification that their efforts are working but you're still going to work to get around it and what have you um yeah there's a lot of more that can go on in here uh need to move on more slides I was told that some of the best search for this are OSAP again osep both of those are from offensive security osep is what is it a offensive oscp makes sense offensive security professional got it osep stands for offensive Advanced Invasion techniques and breaching defenses that really spells oscp I don't get it but hey that's what they call it and uh CR to certified red team operator uh so all of those work well I

agree with it I do defer to laying on that but I do agree with every one of those those are good certs to have are they requirements no capability is the requirement search just help illustrate it if you don't have much uh background history things of that nature to work with so incident response it's what happens when you don't get the pin test and the red team and somebody does come in and break your system so incident response is uh as it says there is the process of detecting analyzing and responding to security incidents in an organization it is reactive meaning something happens they come in and fix it or come in and diagnose it

as you would expect responsibilities here are being able to read logs being able to understand how certain attacks happen which means you have to be familiar with many of the ttps at the red team pen testers people like that make use of you have to understand that so you can piece together attack chains understand how it works understand what other systems might be involved things of that nature you need to be able to contain eradicate and perform recovery as well as give recommendations on how to do that most of the time you're given recommendations a lot of times also the customers are going to say well can you help us with this neither that team will help or you

might have another team in-house that can help with it what have you um I do like that next the bottom line right there that um was given to me you need to be able to at this level in particular because you're dealing with really angry sea level people trying to figure out why there are hundreds of thousands of dollars of training and equipment and all that didn't stop this so you're trying to explain to them in friendly terms in sea level Tech speak why this happened you're trying to translate the very technical to them and vice versa to make sure that everybody's on the same page everybody's understanding everything many times as pen testers we get bogged down in that

and we're like and we say that at the very high level we might just have a very short executive summary where it's like okay yeah we did this this and we compromised it and then we'll have a lot of really detailed stuff in the report incident response has to balance that a lot more because of the nature of it and the money involved in a lot of cases um stay calm Under Pressure obviously it makes sense be good at computer network forensics again good skills it's incident response what would you expect um again Communications you have to be able to do that communication you're a lot more customer facing than the red team than the pin testers are most of the

time you're wanting to talk to the customer or if you're an in-house in-house incident response need to be able to talk to your c-level and talk to the other branch managers and the division Chiefs and all that to figure out what's going on to get everybody communicating together speaking of which teamwork you have to collaborate with not only your team maybe The Blue Team maybe the development team maybe a bunch of other people to get everybody talking together and not wanting to kill each other and point blame on everybody else so you have to sort of be that ringleader the mitigator many times also you've got to be that um person that you're just letting the

system invent to because they're like I knew this was going to happen I told them 100 times like yeah it's not having the case right now but get it off your chest so we can move on you have to be sort of that bar manager sort of guy there Anna or gal and let it go on and um as far as certs go on this one I was Tyler mentioned uh any the Sans forensics and IR certs programs he said we're good ones to go after as well as pretty much anything from this cisa.gov or U.S certs be aware of those go down that way as with a lot of these certificates aren't required as I said

before a lot of companies will look for them but appropriate experience and capability outweighs the certs now it might get your foot in the door get you past that first filter of resume filter but I've had one certificate one carried sir over my career and that was a cssp and that was because I was mandated it when I was at the Department of Defense that was it I haven't maintained it and I'll let it slip and all that so with appropriate experience and all that you can get away with it if you are just starting out you might want to get you know I said oscp or an appropriate one to get that foot in the door at least

here's one that doesn't really fit on in-house stuff too much but it's more for um consulting services and that's usually going to be your research and development this is your team that is if you're a consultancy they're the ones who are building out the tools building out the uh payloads the attacks the exploits that your red team or your pen test or whoever's going to be making use of they're the ones doing that and um it's really it's their job to make your guy your other team members be able to do their job more efficiently and more consistently and technically better than the other person down the street is the differentiator in there responsibilities as you'd expect it's

going to be tool development exploit research exploit development the ability to go out and research multiple Technologies understand how they would fit in or replace other technologies that you're already aware of to fulfill better a new or different ttps how they're going to work in this whole architecture space skills that you're going to be aware need to be aware of are as he says critical thinking and a word in here I copied and put in here because I've not seen it in use anywhere else and uh Carlos definitely wrote it himself which is funny because I have never heard him say it himself either but have developed Auto Didact skills I had to look it up I'm a

hillbilly I'm sorry I don't know what that word means I'm like really I'm gonna look that up it's basically the ability to do it on your own be a self-starter be a self-educator so be able to go out there and look for new technologies look for new attacks look for all that and be willing to put in the effort yourself without being pushed by your manager to do it you need to have that drive to do it that's a critical skill in researching and development of course being able to develop be flexible across multiple languages you're not always going to be developing just in C you might want to have it a handful of languages under your belt maybe see

maybe go dot net what have you a few of them in there would be good we're almost done with this this is the last one I promise and then we'll get into the other fun stuff defensive security blue teaming you are the anti-hacker which means you have to be a better hacker than the hacker what do I mean by that well in order to stop something yes you can be sort of that proactive and like well I locked all my doors you can't get in well what if I come up with that ax well maybe I want to be able to do this or what if they come in with this you have to understand the different attacks within

reason you don't have to be a complete expert but the more you know the more you can defend against you have to understand how the hackers how the red team how the pen testers are going to come in and try to exploit you um it might just be as much as I need to take all my internet presence offline or I need to Outsource it and not have it connected to my internal Network or I just need a split DNS whatever it is in your scenario whatever it is be aware of that be aware of what how everything in your environment can be used against you and how to defend against that make sure that you have proper logging you're

you're the one responsible you're the guard dog you're the guard dog who's trying to predict trying to prevent the bad guys from getting in and then once they get in it's also your job to try to fix what they did against you so a lot of times the blue team will work with incident response um from a consultancy point of view we were uh when a red team or a pen tester works with an in-house blue team we usually call that a purple team and that's where we do a simulated red team where we're like okay we're going to try this attack can you detect that does your CM detect this are you getting these alerts and it's sort of an

educational process there great benefit great use I've been on several of those it's very useful and then once that's done you might go back and have another red team actually actual red team happened to see how well your team learn from that how much has that improved your response capability things of that nature but among all of these personally I don't think blue TV is the most exciting you might say differently but is one of the most is probably the most important one because if you can prevent something bad from happening then the rest of it doesn't matter incident response doesn't need to be there if you can prevent their red team from getting in then great if you're

locked it down to the point where no one can do anything you're doing an amazing job and my hat's off to you it is an insanely difficult job because you're always on an uphill battle trying to prevent everything where the attacker is just trying to find that one thing so much different scale of attack and capability there a great defender great blue teamer in my opinion would make an amazing offensive person as well so keep that in mind skills being able to analyze traffic knowledge of os internals whatever your os's are in-house are those just are you purely a Microsoft shop do you have Mac OS X do you have or Macos do you have

Linux what do you have understand what you have understand how you can report on it how you can make detections how you can log how you can secure you have to understand a lot of this I'll let you read the rest there uh incident you have to be able to perform some level incident response before you Outsource to a somebody that's on a retainer for you or something that's going to do a more invasive and Senate response but you have to be able to do some of that yourself as well so all of that said I think we have yeah we're down to the last 15-20 minutes we're doing good um I have just a few slides left here a

little bit about my journey where all this comes from from me and definitely to tell you that your journey is going to be completely different than mine some of you I mean this is also to illustrate that it doesn't matter what your background is you can always find a place it might be completely by happenstance it might be by Design either way you have the room to move you have the room to expand I started out when I was way little parents for whatever reason had a stroke of insight and bought me a computer a little Commodore 64 when I was a wee little guy loved it got into it you did computers all the way through school college did

an internship at a Department of Defense facility loved it got experience in there when I graduated I got a job offer from them I'm like great I'm going to go there and I'm going to be a developer and a system administrator that's what I wanted to do I show up and they're like great you're here that office doesn't exist anymore it got reorged anybody who's been in the military or government agencies knows that reorgs happen quite often and my office got reorged out of existence so I had a job offer I had a what they call what is it a I can't remember the term now it's uh a Billet I had to Bill it so I had

a job I just didn't have an office to go to they're like okay you can stay here for about two weeks while you interview around inside the agency here to find you a place and one of the first places that responded to me did an interview with me and I liked them was what was called the in-house this particular blue team it's what we call pin testing now but they called Blue Timmy I'm like sure that sounds fun why not so I went over there and I sat down the first month was here's all these systems install them build yourself a lab okay here's all of our tools take those use them against your lab

two or three months in it's like okay we're going out front on pin test you're coming with us and I was really just thrown into it I knew how to build the lab I knew how to do all that but I never honestly before this I didn't even know pin testing was a thing so I kind of fell into that and then I loved it but over the years I've learned that sure I might be doing some social engineering not a biggest fan of social engineering it just isn't my cup of tea I'm sorry so I try to Veer away from those web app testing I'm okay at it not my greatest strong suit I'm more on the

pin on the internal and external pin testing not really the web apps I can do it but there's definitely people better than me so I try to fill that out and whenever I'm switching jobs as I say yes I've moved jobs five times since then um that is something else don't be afraid to move jobs if you need to if you feel that you're stagnating in a current job a current position um ask if even it doesn't have to be to a new company if your organization and you're on the blue team and you're thinking that yeah I've done this not really it's not really filling my need anymore we do have a in-house assessment team

pent test team whatever talk to your bosses talk to their bosses maybe they'll let you just shift over and uh spend some time over there to see if that's really what you want if it is great move full timer do what you need to but yes during this time I did spend way too much time at certain companies out of a misplaced sense of loyalty to the company and the company wasn't necessarily loyal to me so that's another thing I would say as a lesson learned be loyal to yourself and your future it comes before whoever the company is and that's a whole nother uh talk I won't get into that right now but it's basically you're responsible

for your own future your own guidelines and all that and it's never too late to switch now I guess if you're dead it's too late but that's a it don't really matter then but either way um overcoming challenges stay open to Opportunities is the main thing I can tell you here um is the first one um there's always going to be new challenges coming along there's always going to be new things that pop up maybe some new I don't know AI pin testing AI tax are going to be a next big hot thing your your organization might be standing that up if that sounds interesting do you ask if you could be part of that fledgling

team maybe that's going to be the thing that really sets you apart the thing that you really like um maybe do research on it yourself and try to set yourself apart from others whatever it is be open to any new opportunity that comes out there it might not be the thing for you and to just be aware of it don't close yourself off to it flat out one of the other things I'd say is and I don't have a solid answer for this one do I diversify or do I focus I try to hedge and say do both within reason like do I want to be a jack of all and like try to learn

everything I can about everything out there you're going to fail because you can't learn everything about everything but you can become knowledgeable to a certain level about all the different uh disciplines all the different fields and all that or you can be this person who says I'm going to learn everything there is about attacking reverse engineering exploiting Nokia phones and just Deep dive on that I'm sure there's a position for that person out there somewhere and they're going to be extremely well paid but you don't have much lateral movement at that so personally the way I go about it is I try to be as knowledgeable as I can about the other disciplines while still trying to get very focused into

pin testing and certain aspect of pin testing at that which is external and internal pen testing and working with that if others attack new attacks come out in I don't know um well new reverse engineering tool back when gehedra came out or I think that's pronounced right I went and checked it out I looked at it tried it out so I'm familiar with what it is if somebody mentions it I'm not going to be using it on a day-to-day basis but I still wanted to know about it if a new attack comes out that is not something that the customers I typically see are going to have but I still read it just in case

the attack techniques the concept behind it might be applicable to my environment I still go out and try to read about it if it's not 100 accurate relatable to me just in case I can glean something from it or if I'm talking to somebody later and they bring it up I can be knowledgeable of it um dissecting job postings and descriptions if you're looking for a job out there be able to a critical skill is to be able to look at that job posting and figure out exactly what they're wanting out of that um being able to dissect some of their language there's whole seminars on this whole classes on being able to do this I'm not going to cover

it here there's books on it there's other conference talks on it by all means go out see if you can find some of those watch those uh but it basically boils down to there are certain kind of keywords that you'll see in a job postings that are red flags that might be things that you might not want to be part of that company based on the way that they phrase certain things or it might be that we're definitely looking for somebody that has.net framework experience if you have no programming experience whatsoever that might not be the best job for you to apply to if you have C plus plus experience maybe some Visual Basic experience in there it

might be something that you can piece together something that you can work with maybe it's something you can negotiate with the customer that map you might get a training class right up front to get you up ramped up maybe that's something you can work with there are certain leniencies in there on a lot of these it's important to be able to read a job description and try to figure out exactly what it is they're wanting and where you might be able to fit in and if it's even a good job fit for you um I'm a huge proponent of that last one I I spent the first 10 years of my life doing pin testing for the federal

government when I get done with the end of the day I go home my day is done I work my eight hours I'm home I have to be government won't pay me anymore so then I see all these young guys out there and anybody out there anybody getting into the field they're like I have to work 60 hours 80 hours 100 hours a week to show my worth I'm like do a good job and show your worth show your determination show your eagerness don't show them that you're willing to die for the job you have to find that work life balance or you will burn out you will get sick you will start to hate

your job after a certain point of time you have to give time to yourself if you're wanting to be in the field for any bit of longevity pace yourself it's not a race you can treat it as such and that's on you my personal recommendation is pace yourself try to stick to a reasonable number of work hours fluctuate as you need to but I definitely say people who are working 80 to 100 hours probably working a few too many hours unless it is your company and you're the CEO or you're the startup president or whatever more power to you but you're gonna your body's gonna feel it and the older you get it's not healthy you're not going to

last long Lessons Learned I just have a few slides left here um stay open to new possibilities one of my jobs I was on the brink of burnout I was actually burned out at this point already I was out at Defcon ran into a somebody I knew from many many years ago who now was a co-owner of a company told me that hey he just ran into me he recognized me and we're talking he's like are you still doing pin testing are you still doing coding I'm like yeah you know we talk for a little bit we're on the escalator at this point he's like shoot me an email later and I'll point you toward a job opening that we have he

didn't give me the job but he's like hey we have a job opening that might be something that you'd be interested in right now it's not pin testing but it's development for pin testers I'm like I'll check it out it did I ended up did apply I did get the job offer I did accept and I was there for a year and a half before I realized that the managerial situation there was not best for me so I moved on but it did give me that break from pin testing I needed because after that I came back got into a new team of pen testers got to experience new things and started kept rekindling that love of pin test it

gave me that break I needed that's just purely because I was willing to talk to somebody that I half knew from years ago on escalator and it just kind of it just pointed me in the right direction um that's going to be something else I want to say is networking just go out and talk to people conferences meet people talk to people it can be me it can be the person beside you it can be whoever just talk to people um watch out for Burnout I've hit that one on the head I was already and not everyone is good at everything you might absolutely want to be the best incident response person out there in the world

but I'm sorry not everybody's cut out to it you can do some stuff with it but it might not be enough to get you that position think about it I mean you can definitely try it you can definitely get better at it but it might not be the thing for you just be realistic not everybody's good at everything you're going to be good at something and it's going to be good at something that's going to make you some good money and you're gonna be happy with it but there again choose your battles networking mentoring find somebody at a conference that's doing something that you want find somebody on a video that's doing something that you want reach out to

them talk to them they might give you some advice some pointers they might sit down and just talk to you they might you might build up a sort of a mentorship with them official or unofficial where they might talk to you periodically and help guide you in a certain aspects of your career or they might be able to just be a sounding board for you where you can ask them ideas and they'll give you their opinion whatever it's just somebody else out there that is willing to take the time to talk to you this industry is huge you're going to have all kind of people in it some people who won't give you the time of day some who

would love to be a mentor some people who just are willing to talk to whoever's out there and share their information you'll find all kinds of different people out there that's why the more you can meet and greet with people whether it's at a conference it's uh on webinars whether it's on Discord servers whatever just get out there and talk to people you're going it's going to open up so many other opportunities possibilities um knowledge paths that you're not uh seeing normally yeah going back identifying your personal skills your interests your passions figure out where they overlap go after that uh path forward uh talking about that doing blogs uh reading blogs going to Discord servers

go to webinars uh infosec meetups your local Defcon group your uh ISE squared groups whatever it is your OAS groups whatever it is local you might have something at your local University who knows let's go and meet and greet with people talk to them Set uh realistic expectations of a career plan for yourself don't say like okay in three years I'm gonna be CEO of my own corporation like no more power to you if you can do that I can't but maybe you can but say like okay I want to go in I want to get my feet in there I want to get experience I want to build my way up if you're gonna shoot for that and more

than achieve it great finally the last one I was going to say here is some of the major Recaps in here are there are so many different career paths out there this was just a tiny sampling of it I've only experienced a tiny sampling of it I've been doing this for 25 years so there's so much out there not everybody can experience it all that's why you need to talk to people get their experiences figure out what works for you your path is going to be different than your path is going to be different than yours and mine no two people have I ever met who had exactly the same path even that went down that started the

same they ended up diverging yeah there's so much out there just look for it um talk to people find what makes you happy see if you can make a job out of it q a and contact and then of course does anybody have their own experience with trying to find a job maybe finding the wrong job going having to reapply moving in-house does anybody have anything they want to share of Their Own if not not a problem not a problem any questions then

slides anywhere I'm sorry will you be posting the slides anywhere uh hopefully yes it won't be right now I have to drive home but uh check my Twitter over the next day or two there should be a link on there where I've uploaded them to SlideShare or something like that so thank you all right uh anyone else somebody pick a number any number huh okay here you get two strings I don't know if there's anything left back there or not I'm just handing the I know here they are I was supposed to hand these out I didn't anybody can have them I don't need them so anyone else any other questions there we go I have a stack of them in my pocket

already I'm like I don't need these [Music] come and get them I'll set them over here so this is kind of an open-ended question um do you reference like the the breadth and depth of knowledge that there is in cyber security and trying to learn everything is just completely impractical which I totally understand yeah and um no worries I think also like one of the sort of major sources of burnout relates to feeling like you're never doing enough whether that's on the job or off the job just kind of improve your own knowledge um so like I said kind of open-ended but could you talk a little bit about how you kind of balance like maybe it's a

work-life balance thing but how you kind of take some free time and as you're also you know contemplating what direction you want to go with a specialization um you know how many hours do you spend a night on hack the box or whatever right right oh it's going to be different if you're just starting out if you've been in it for a while and you're wanting to get Improvement or you've been in it for a long time the amount of time you spend is going to be varying in there how old you are is going to vary as well on how that is um generally speaking I would say I try to shoot for that 40 to 45 hours of work

a week in there just work now outside of that if it's something that I'm trying to like occasionally I try to do video YouTube videos and all that I'll jump onto hack the box to try out some new technique or if there's a new box on there I just want to try it out I'm not treating that as part of my job it's not a requirement for it it's me just trying something out just for the fun of it if you want to now you generally don't do that until after the kids are asleep maybe my wife is watching her show on TV I'm like okay I'll sit down pick out my laptop and I'll play on it for like an

hour it's really varies on there generally speaking I do have a home lab I test things out on all that but I generally do that during work hours testing out things for a customer I'm going to be trying something out on but for like hack the Box reading up new blog articles uh reading all that I generally do that between everybody else going to bed and me going to bed but I try to also get I try to get that eight hours of sleep I usually get six hours of sleep but I'd shoot for that eight and it's it gets harder and harder the older you get but I just it's don't feel like it you have to do that

in order to show your relevance it's more of if you want to do it fine if you're wanting to do it for fun fine but don't feel like it's a requirement and you'll lose your job if you don't do it now if that is part of your job that you have to do it if that's fine or if your boss says whatever that's a discussion for you and your boss but that's a different thing altogether but what you were describing for about feeling like you're not doing enough you're not doing all that that's what is generally referred to I'm thinking is what you're describing is imposter syndrome a little bit like I'm doing this job but I don't

feel like I'm doing as much as my co-worker I'm not as doing as good as my co-worker or what have you I would say probably a good two-thirds or more of the people in the industry feel that at some point and it's always it's just part of human nature because typically we see the good things that other people do we see the bad things that we do so there's always that dichotomy you're not comparing Apples to Apples generally and you always view yourself in more of a negative light than you do other people when it comes to accomplishments most people not everybody but in general that's how I've understood it so I don't have any advice on you on how to

not do that there are talks on that there's hope webinars there's books there's all of that but just be aware of that that is something that is fairly common and it doesn't mean that you really are not as accomplished as the people next to you it's just that that's the way that our human brain our human psyche tends to view things like that like you look back on time you think like oh that's why oh it's the good old 80s or the good old 90s well there's a lot of horrible stuff went on there we just kind of wipe it out and just think of the good things that make our memories happy it's sort of the opposite when we think of

our own accomplishments so many times so I don't know if that really answered what you're going for but yeah anyone else if not I think we're done then oh [Applause] all those tickets they're gone [Laughter] thank you all for so much um thank you for sticking around uh hit me up on social media on email and whatever and uh love to talk to you