
Welcome back here to, I guess, the second talk on track one. My name is Adam Compton. Some of you probably know who I am, some probably don't; by the end of it you'll know way more about me and my career than you probably ever wanted to. But either way, today's talk is going to be on teaching an old pen tester new tricks: staying relevant in the changing world of infosec. As Adrian was alluding to at the beginning there, by first impressions you're probably thinking that this is going to be like, oh, the latest and greatest hacks. No. I'm in infosec, I'm a pen tester, for most
of my career. It's just my path, about how I stayed in infosec as well as how I kept myself relevant, and some of the mistakes I made along the way that actually hindered me at times. It's just another one of these lessons-learned sort of talks where I'm going through my career, the choices I made that were both good and bad, and hopefully it can resonate with a few people. Maybe it's something that will help some of you avoid some headache and heartache that I had to go through. Hopefully I can add a little bit of humor in there as I go along as well, but let's go ahead and get started here.
Oh, and I apologize already if I talk a little fast. I've had way too much caffeine this morning, and I'll try to take a couple of breaths in there and slow down as I go, but if I do start to get too fast, just deal with me, and when you watch it back later on YouTube you can put it on like 0.75 speed and it should be fine. All right, so thank you all very much for coming out this morning. So let's, can I... technology, there we go. The obligatory bio slide: who am I? My name is Adam Compton. I've been doing pen testing, I've been in infosec for the better part of 30 years. I've been in
pen testing itself for about 20, 22 years, something like that, give or take a year or so in there for a sabbatical. I currently work for a great company called TrustedSec; that'll come back later on in the presentation, I'll be talking about them a little bit just as part of my career path. But yeah, in that time in infosec and what have you, I've been a programmer, I've been a vulnerability researcher, system administrator, pen tester, a little bit of all of it. I've done most of the types of pen testing at one point or another in there, whether it's application testing, reverse engineering, incident response,
physical pen testing, wireless, you name it, I've probably done it at some point. Not to say I'm an expert at any of it, but I've been there and done that for a lot of it, so I have a little bit of an understanding about a lot of things that's going on in infosec, enough just to nod my head and go on as other people are talking. So yeah, and of course, as Adrian also said, I'm a fellow hillbilly here, but I'm from eastern Kentucky originally. I did spend a good six or so years down in Knoxville and I loved my time down there, but time and change happen to everybody, and we ended up
moving back up to Kentucky, so I hope to make it back down to BSides next year and see everybody in person. All right. This looks like a busy slide, but this is, in one screenshot, my career. I'll briefly touch on this and then we'll start walking through it in a more fluid manner after this. I started out at the University of Kentucky in a CS and mathematics degree, got some Unix admin experience in there, got into Unix pen testing, there was some programming in there as well, ended up moving into some Windows pen testing, getting burned out like many people do after, I think that was
probably a good seven years in pen testing at that point. I got a little burned out, went and did some non-pen-testing stuff, got back into pen testing, saw some changes in the environment, things I needed to re-evaluate, I got back in there, and that's where I am right now, moving into the future. That is a very brief survey of that, but we're going to be touching in here and there. There are some definite areas, like I started out in one thing, moved into pen testing, moved into a different type of pen testing, and due to various circumstances got a little burned out, wanted something different to do, got back into it, and as I said, I started
realizing my career path, where it led me, to where I wanted it to take me and what I needed to do to get there, and how I had to do some course adjustments to get to where I wanted to be. All this we'll touch on as we're going through. Keep in mind, at the end of this talk I'll have time for some questions. I'll be in Discord afterwards if anybody wants to chat with me there. You'll have my contact information at the end; I can be reached on Twitter, email, what have you, you can reach out to me. So let's go ahead and move on down here. As I said,
around 1994 or so I started at the University of Kentucky as an undergrad. I went into computer science and mathematics, mostly because there was no computer engineering or computer security or anything like that at the time. Actually, when I first started they told me there was no computer science degree, which I quickly found out was a big lie, but that aside, I got into computer science and mathematics, went through that, loved it. By the time I finished and graduated there was a computer engineering degree, but I didn't want to go back and change majors at that time. One of the first major stepping stones for me in my career, though, was as I was at the University of
Kentucky. A lot of universities have this, I believe it's called a cooperative education program. It's where you sort of intern with various companies to gain on-the-job experience, things of that nature. You do like one semester at the company, one semester back at the university, bouncing back and forth. It adds like a year, year and a half to your degree. I was willing to take that at the time because all I knew was I wanted to do something with computers. I didn't know what; I didn't really have any background. Yeah, in classes I was doing programming, I was working in the Unix environment, just some basic stuff, but I wanted to do
something with computers. I've been into computers ever since I was a little boy. So I signed up for the co-op program, and the co-op program was with the Department of Defense. I actually did four different tours with the Department of Defense as a co-op, bouncing back and forth through there. I graduated at the end of 1999 or something like that; honestly I don't remember, I really should, but I don't remember. But in that time as a co-op I would spend three to six months there each time, depending on how it was laid out. I did everything from real-time software development, like development of real-time software that had to run in near real time to
analyze various things; I did some Unix administration; I did some, what else was there, database administration. One of the great offices I worked in was a real-time or quick-turnaround co-development office. The office I was in partnered with another office; they would get various pieces of data that they needed analyzed, and they didn't have anything to do it, so they'd call over to my office and say, hey, we need something that can process this, and you would have under an hour to get some piece of code, software, written to do that. They didn't care what language it was in; as long as it worked in their API structure, it would work. So I got really
good at writing quick-turnaround code that way. But one of the things that this whole process taught me was focus. I know it doesn't seem like it, but what it was is, in university I was learning that, oh yeah, you need to document your code, you need to learn all these different algorithms, learn all these different ways of doing things, and I'm like, yeah, yeah, that's great, I'll go through, I'll do it for class and that's it. It wasn't really sinking in. But doing this on-the-job training, on-the-job real-world experience like this really made it sink in, that okay, I can see the relevance of that. And this is one of my life lessons
for myself: I can learn as much as you want me to learn by reading and going to classes and all that, but until I actually put it into practice it doesn't really sink in for me. And I will say that my professors actually noticed a difference when I went back after each tour, especially the programming ones, that my programming became much more structured and more professional, if you want to call it that. But yeah, it's just one of those life lessons that, to me, helped me grow as a professional. None of this is pen testing; this is all just intro to my infosec career. So I graduated. I was offered a position by the
Department of Defense. I interviewed around a few different offices, this is a couple of months prior to graduation, and I found an office I wanted to go into. I think it was like a mainframe or large-cluster Unix administration systems office. I'm like, great, sounds interesting, I want to go into that. There was going to be some programming and scripting involved; I was all gung-ho for that. So I graduated, I showed up at the new-hire office at the DoD, and they're like, great, you're here, your office doesn't exist. Sometime between the time I applied there and got accepted and I showed up, that office had been reorganized out of existence. So they told me I had
to find a new office. I've told the story other times, various things. So I started looking around, and the one office I ended up in, they were the ones that were the most interesting to me at the time and the first ones that responded to me saying I could work in their office, was a pentest group. It was an office that was broken down into three groups: a Unix team, a Windows team, and an infrastructure team. That infrastructure team included everything from routers, switches, to printers, to VoIP devices, to anything that wasn't Unix or Windows; it fell under infrastructure, I saw that as the grab bag. Because I had some background in Unix,
I fell into the Unix category there, and it was there I spent a good six, seven years in that office deep diving into Unix. I learned as much as I could about Unix; Unix was my life while I was there. And this was my first trap for my career, for myself, looking back at it, because I spent so much time in Unix to the neglect of everything else. I wasn't very familiar with everything else. I had a Windows desktop at home that I played some games on and all that, but that was it. I didn't do any security for that, I didn't concern myself with Windows security, I didn't concern myself with
infrastructure security, because in my job we had other teams that did that. I was concerned with Unix security, Unix pen testing. I had a breadth of knowledge in Unix, whether it was IRIX or Tru64 or SCO or SunOS, Solaris, HP-UX; we tested anything that was in existence in the DoD environment, and some of them I deep dived into, like Solaris or HP-UX, things of that nature that were more common. But I lived in that world, I got really good in that world. I could break into most systems at that time, most, not all, but most, given time, given availability, all that. But keep in mind this was up through about 2006. It was a different world too. We didn't
have as many tools as we do now. Yeah, Metasploit, it was written in Perl and it had like a dozen exploits in it originally. Nmap had been around, but you're still using tools, I remember, like SATAN and SAINT and SARA were big ones for the Unix environment; you had COPS and CyberCop and RedButton, where the exploit, it was an exploit, and things like that. It was a different world and a different time. One of the most common operating systems we came across was, like I said, Solaris. The Windows team, I think, was like Windows XP and Windows 2000, maybe 2003 as the years went on, but it
was not the kind of exploits and attacks that you see nowadays. But at that time I was learning as much as I could about Unix. I thought I was doing really good at it, at least my ego made me think I was doing really good at it, and I thought I was a good pen tester because I was good at that, not realizing I was not good at the rest of the world, or Windows and all that. So, as happens to everybody, life happens, and I got married and everything else, and we wanted to move away from the DC area. So we started looking around and we found the East Tennessee, Knoxville area, because I
had some friends that lived in the area, and I applied at various places there, including Oak Ridge National Labs and a few others, and through word of mouth and interviews I ended up working at a little security company there in East Kentucky, er, East Tennessee, called Sword & Shield. It doesn't exist anymore; it got bought out by another company a year or so back. I still have lots of friends in the area. But while I was there, one of the first things I noticed was they don't just test a Unix environment, and they didn't have just a Unix team; everybody was sort of a grab-all for everything. I mean, that was fine,
I was good at pen testing, so it wouldn't be an issue, until I realized I wasn't good at pen testing, I was good at Unix pen testing. So I had to give myself a crash course. I went over my standard process; what I learned from this point forward was, I look at previous reports, or the reports that are going out to customers that team members have done, see what they're doing, what they're testing. If there's any internal documentation at the company I would look at that, see what's going on there, having a good time with that, see what kind of tools are being used, talk to my co-workers, try to learn
from them, things of that nature. And I started out a rather noob, or newbie, on Windows pen testing. I could still use my Unix pen testing here and there, but I got into the Windows, started learning more about it, got into some application testing, got into some mobile apps. At the time I think we even tested things like BlackBerry OS and stuff back in the day. So I started going through there, and as time went on I started learning, I started getting better, and whatever was going on, I started getting up to speed, and before too long I was up there, I was a senior, I was doing my job, doing the Windows testing,
doing everything. So I was feeling pretty good with myself, not too much bad going on. I did start to feel a little tired after a while and starting to get a little burned out. This was mostly because, while we did have a semi-global reach at that company and I did get to travel a bit for it, most of our customers were still in that East Tennessee area, and no offense to East Tennessee by any means, but there's not a lot of, at that time, a lot of companies to really pick from to do pen testing in that area. So we kept seeing the same customers over and over and over. So instead of me seeing new environments,
new customers, new experiences on a weekly, daily, monthly basis, I'd seen the same ones recur over and over. From a company perspective that's great, that's recurring income, that's great. But from somebody wanting to learn more, you kind of get a little tired of that, and that's what was happening to me. I felt like I was just going into work, doing the same thing over and over again, and doing it again the next day. I was starting to feel like I was in a rut. I wasn't enjoying going to work anymore, so I was getting a little tired. One thing you'll notice I haven't talked about throughout this whole thing yet was training. When I was back at the government, they
were all gung-ho about training: as long as you wanted to take it and there was a schedule available, you could take the training. Most of it was in the form of like a SANS training, or vendor training that would come on site and train you there. Or, I don't know how many of you were in the government world in the past or have heard of a company called Learning Tree. Learning Tree was probably the number one training source that we had, otherwise named Killing Tree because of the amount of paper waste they provided everybody. I promise you, sign up for one of their classes one time and every month you'll get like a ream
of paper showing up in your mailbox for new classes they're doing, advertisements they're doing, stuff like that, their catalog. They killed the rainforest themselves, I'm pretty sure, at this point, but that's facetious and a joke. But that was just what we called them, Killing Tree. So there was that, but they did not focus on training on certifications. They would pay for your training, they'd pay for the class, they would not pay for certifications, and because no one required certifications from us at that time in the DoD (I acknowledge that since then they became more certification focused than they were at that time), but at that time it was, you could take the training
but they wouldn't pay for the test or for the certification, things of that nature. And so, since my bosses didn't require it and they weren't going to pay for it, I didn't get it. The only certification I did get while I was there was my CISSP, and that's because my whole office decided to go get their CISSP at one time, and we had something like an 80 or 90 percent success rate, something beyond that, I think. But even to this day, that was the only certification I've ever had. So yeah, that shows you my path through there with certifications: I've had one certification and that was it, really. So that was the government. Going back
into East Tennessee here, the company I was working for would occasionally pay for training if you gave them a good justification, or you're going to be there presenting as well, things of that nature. But it was more so that, the way it felt at least, the way it felt to me, was if it was something that would benefit the company, they would be more than willing to provide it. The certifications that we were asked to get were ones that would help them sell new products, help leverage them with other companies, things of that nature, not necessarily things that would help
us as pen testers, but it would help the company. And at the time I thought that was normal. I didn't see anything odd with that, I didn't think anything bad about that, and then again, that was just that time period for that company; I'm not saying that's how everybody else was or how it is today, what have you. But all that added up and I was just feeling like I wasn't progressing, I wasn't learning, I wasn't innovating, I wasn't advancing myself any, and I just kept getting burned out. So I started looking for a fresh start. Actually, let me go back one; going back the wrong way, sorry there. So I got burned out, and it just so
happened that I ran into someone I knew from Tenable at the time who said that they had an opening for a developer slash vulnerability researcher at Tenable. I'm like, sure, I'll go and take care of that, I'll jump on that. I got a job at Tenable for about a year and a half. Loved doing the development work; I was doing software development, vulnerability research, automation development, things of that nature. Love that kind of work. This is really when I first started getting into a little bit of conference presentations. That was one of the few ways I actually was interacting with the industry more so now: I was going to conferences, I was
giving presentations, I started a blog back at the time. I've started like 10 blogs over my life and they keep dying out because I keep forgetting to maintain them. But yeah, I started going into that, but after about a year and a half I started getting the itch to go into pen testing again. I've loved pen testing, I've done pen testing most of my career. Up to that point, this was somewhere in the realm of 2012, 2013, somewhere in there, so I'd been in pen testing for a good 12 years prior to getting burned out. So I'm sitting there, I'm like, okay, I want to get back into pen testing, so I
started looking around and I ended up with a little company that, again, no longer exists. It was called Knowledge Consulting Group, and I think it was somewhere out of Texas. A great group of people there, loved the people I worked with, loved the other pen testers; I still have friends from there, I still have friends from back in East Tennessee as well, Adrian is a great example of that. But yeah, so I'm sitting there. The reason the company no longer exists is it got bought out by another company, and I'll talk about that in a moment. But this company was a primary subcontractor for Rapid7, and as such they had lots of work and lots
of different targets that they would go after, lots of different customers, so I had a wide breadth of customers and experiences coming at me and I felt re-energized: new information coming at me, new things coming on. Had I stayed at my previous position I would have still been stuck in that rut, is how I felt. Now I got the momentum going. I started going in and I'm going, and they would pay for some training as the schedule allows, but because we were so gig oriented there, there wasn't much time in the schedule; you might get one training a year. But we did try to share information
internally through internal blogs, Confluence, stuff like that, just get information on SharePoint, just trying to share information internally. And because I worked with a great group of people, I was learning from them and all that. It was that standard mentality of learn from your co-workers, read the write-ups and the reports that they wrote, see how they did things, what tools they're using, and then try to better yourself through watching videos, through watching other conference talks. That's what I was trying to do at that time, because I didn't have a lot of training opportunities. Well, and I thought I was doing good again. Here I was, I was learning, I was being good, I was a senior
pentester still, I was going on. I wasn't given an opportunity to move up to a principal or whatever, mostly, I think, because I told them I didn't want to manage people, and the only people who were getting moved up were people who were managerial and were going to end up managing other teams. At least that's the justification I give to myself to make myself feel good. But yeah, so I was working there for a good while, a couple of years; I forget how long it was actually, a year, two years, something like that. And then, lo and behold, the company got bought out by another company with somewhat draconian policies in place,
and they told the entire team that you have to sign this document, signing over your life basically, so you can stay employed by them. And we asked them, what happens if we don't sign away our life and everything we own and our firstborn children? Like, well, you won't have a job with us. So over half of the pentest team didn't have a job at that time, because we didn't want to sign it, and so we all left. The place I ended up at was Rapid7, the people that I had indirectly been working for already as a subcontractor. Let me take a step back and go back to the government. I'm going to go back and give you another
view of my career up to this point. I was back in the government. I learned what I needed there to do my job. Did I go out and try to learn Windows? No. Did I go out and try to learn architecture? No. Did I accidentally pick up some stuff? Sure, I picked up some stuff as I was going along, just from working with other team members, but I was focused on Unix. I was focused on my job, making my job as best as I could, satisfying my customer, my boss, things of that nature. When I went to East Tennessee and started working in Windows and Unix and other things, did I go there and try to
innovate, was I trying to lead the pack, was I trying to do that? No. I got good at what I was doing, I was good at targeting my customers, but that was sort of it. I was going for the good-enough sort of mentality. Sure, I would admit I was probably good at what I was doing, but was I a leader in the field? Probably not. Was I an expert in any one of those fields? Again, probably not. I was doing what I needed to to keep my customers happy, keep my boss happy, and keep myself employed. So I was doing the getting by. I still wanted to, sort of like in
elementary school, high school, whatever, you're doing just enough to get that grade you want, but you're not going to kill yourself to get that perfect score. That was the mentality I was going through, sort of thing, and for some reason that's just the way it fell into my lap as I was going through, that's the way I was dealing with it. Same thing at Knowledge Consulting Group, but the people there had knowledge I hadn't seen before, so I had to ramp myself up to stay on par with them. But then again, did I try to go beyond that? No. But I did expand my boundaries, I did expand everything just to get to where I needed to be to be
what I considered a senior in that organization. It went away, I went to Rapid7, I repeat the process. A much larger group of people, again great people to work with, got to travel the world with them, again seeing different environments, doing all that testing. But one thing that Rapid7 provided me that other companies did not was they were flush with money. You want some training? Go take the training. You want to do X, Y, Z? Go do that. And we definitely made use of that. I took lots of training while I was at Rapid7, went out, did all kinds of training, started really diving down into doing
conference talks as well, attended a lot of conferences; I was doing upwards of seven or eight conferences a year at one time there. I was there for a number of years, and while I was there, again, I made my way up the ranks as one of the considered senior people there, whether title or not; I was titled senior, but I was still one of the people who had made my way up the ranks at times. And it was great. They had internal sharing, we were sharing information, we'd do internal seminars, internal conferences internal to the company, just one-day sort of events, would share nice things that we'd seen, all that, and
I really felt that my knowledge had leapt again, because I was seeing so many people of different experience levels, of different environments. I started taking on more mentoring roles at one time, and I started doing all this, and I started teaching one of their internal classes, or classes they were offering out, and I was doing all kinds of things. So I really felt my career had advanced again. But I still had in the back of my mind, subconsciously, that all right, I got good enough. I got to where I was on par with them, I got to where I felt I was good enough. I want to think that I was better than
I'm remembering I was, but how I viewed it was I was good enough. I was happy, I had a good job, there were no complaints, customers were happy, giving good reviews, everything seemed good. So at one point or another, it happens in everybody's career, mine more than others, I think. It's something I would say happens over time; it might be the person's fault, but if it happens over and over, you probably need to look in a mirror. Well, I keep having issues with management or upper management staff decisions, things of that nature; probably it's me, I don't know. But here again, there were some managerial reorganizations going on, the flow of the company had changed a
little bit, some staffing changes had happened, reorganizations happened, and I just didn't really see the company I had been working for anymore. It was shifting. I didn't see a future the way I wanted it to be at Rapid7 anymore. So I started looking around, and just so it happens I saw a tweet from Martin Bos come out from TrustedSec at the time saying, hey, if anybody's looking for a change of career you might want to consider TrustedSec. I'm like, great. So I hit them up, I applied, and sometime later, after interviews and interviews, I got accepted, I started working for TrustedSec. Yeah, it's one of the companies I've always wanted to work for since I knew,
I knew of many of the people in the past. It was a great group of people. I'm like, yeah, I'm going to get up there, I'm going to be working with them. And then I realized that, yeah, there's a different type of knowledge. Up until this point I'd been focusing, and I'd been working with people, for the most part, who were generalists. It felt like everybody was good across the board and had some in-depth knowledge in some areas. That's fine, absolutely; that's how I view myself for the most part, is I'm a generalist with some expertise in some various areas, but I wouldn't call myself a subject matter expert on anything, really.
First of all, I don't like the term, and secondly, just because I don't feel I really am a subject matter expert. But when I started working here I ran into people like Ashton and Bollinger and Lane and ended up with Oddvar and all these guys, all these great people who were just amazing at what they do, and the amount of knowledge they have. Like, yeah, I'm sitting there like, I know what I know, I'm doing good. Oh, they mentioned something, like, oh yeah, I know about that, and then they're like, oh yeah, here's what I know, and I'm like, yeah, I only know that much, because they've done the time, they've done the effort, they've done
the work to learn it in a much more detailed manner than I do. Yeah, I have the history, I have the experience going back into the 90s, learning how everything works, all that, but I didn't deep dive into any of these exploits the way they did. They understood the deep workings of everything all the way down to levels that I'm like, yeah, that's nice, my hat's off to you. But I started feeling, away from that, I'm one of the group, I'm a leader in the group too? Wow. Yeah, I smiled a little thing down here seeing all these giants up there doing their job. Obviously I must have known what I was doing to
some degree, because I was hired, but it was definitely an instance of imposter syndrome on my side. I definitely, and to a certain degree I still do, feel that I can do my job, I know what I know and I know I'm pretty good, but I don't feel I'm on par with some of these other people, definitely. Do I ever think I will be? Probably not, because they've spent the time and effort and energy to deep dive on these that I probably won't. But I'm sitting here, I'm like, either I quit my job and go find something else, or I have to buckle down and get back up to speed to be on par with them. So that's what I
started to do. I took a deep breath and then I started learning, forcing myself to learn, going back to the way it was. I jumped into their internal documentation, read through everything; it was extensive, they had lots of tools, techniques, all that. Started reading through that, started watching, shoulder surfing, shadowing other members of the team to see how they're doing engagements, working with them. I always love partnering on engagements, because otherwise you're just doing your same thing over and over; if you're partnering with somebody else you get to see how they're doing it and maybe it expands your repertoire. I started reading the reports again. At most companies that I've worked for there's a peer review process: you write
the report, somebody else has to peer review it, then it goes into final review, then it goes to the customer. Well, as somebody new on the team I wasn't asked to peer review at this point, but I decided to start reading as many of the reports as I could. Why? Because of the same thing I've said before: you learn from seeing others do it as well. Like, I know one way to check for SMB signing not enabled, then I see somebody else doing it a different way, and somebody else checking a different way. I'm like, oh, that's great, which way is the best? And we have a discussion and then we say, okay, well, this way is best, but if it
doesn't work, you try this. You do that with as many findings and techniques as you can and you start building up your repertoire again. And I had to do this, and I had to knuckle down and just do it, because I have family, I have a career, I have a farm, I have things of that nature that take my time. So yeah, I have to find time in there. So when I have a lot of time, or if I'm not sleepy at night after everybody goes to bed, I'll jump up and I'll go through and read these things and I'll watch other videos. And then I started doing stuff like Hack The Box and VulnHub, and I've yet to get into the capture the flag competitions. I love VulnHub, pwn-to-own sort of things, I love Hack The Box. For whatever reason, that's just one of those things, I don't do capture the flag
competitions. I know a lot of people love them, and I recommend them to people because it's a great way to learn, not necessarily pen testing, but learning security and various things to do. Same thing with Hack The Box and all that. So yeah, I've been going through this, and here again, this is a company that is pushing training. They want us to go to training. I've taken some training while I was there; just for whatever reason, life and all that, I haven't taken as much training as I should. I definitely want to, and as we're going on with all that. So after, I'm going on my third year, I'm almost done with my third year here,
I believe. Oh well, let me look at that; I think this July will be my third year at TrustedSec. I think I'm finally up to where I can say that I'm one of the team members now. I definitely hope I am, because they just made me a principal. I hope my imposter syndrome doesn't kick in too much with that. But so I've been trying to go through this process of doing this, and it's one of these things that I've had to go back and play catch-up so many times that I felt that this can't be the only, I can't be the only person doing that. So I wanted to have a talk like this one to go over my career, my
struggles, the changes, and the essence of the issues I've had in my career: that my career has basically been reactive as opposed to proactive for the most part, up until here recently. I get into a new situation, I feel I'm not up to par, I will force myself to go out and try to get up to par. But do I go beyond that to make myself better than what I have to be? Unfortunately, in the past I haven't been doing that. I've tried to force myself to do that now. Unfortunately, now is the time that it's harder for me to do it, because I have so many responsibilities, but I should have done that earlier on. But
because I didn't do it then, I have to do it now. Oh, so here we are, we're in, so what do I do to keep this going? What does it look like going into the future? Let me see here, what is that one, yeah. So going into the future, how I'm going to keep myself going is I'm going to keep doing Hack The Box, hack challenges, VulnHub, things of that nature. I might get into CTFs a little bit. I'm going to try to take some more online training, at least for the foreseeable future until conference training and all that has opened back up and we're in person. But so virtual training, online training,
things of that nature, self-paced training through books, through videos, through wanting to learn something new. See somebody at work mention something else, try to dive into it, probably not to the full degree that they did, but enough so that I have a better understanding of it. Interfacing with others, sharing experiences. Maybe get some certs; at the moment I have none. I let my CISSP expire because I did not want to keep paying that fee. Also, I've never been in a situation, I know my experience is going to be different than others', but I've never been in a situation, whether it's hiring or otherwise, for a company that I've worked with where they said you have to have XYZ
certifications. They always asked me to do some sort of test, do a virtual pen test, I sat down and talked with their team, some of that, to go through and judge my ability and my knowledge and capabilities, but I've never been in a situation where they forced me to have certs. I know some people getting into the field, absolutely, certs are a great way to show experience without having experience. I was lucky in that I worked for the Department of Defense doing pen testing after doing a co-op experience that got my foot in the door, and that gave me the experience that got me moving in the career. But I was never forced to get certs, I was
never encouraged to get certifications, thus I don't have certifications, and I never felt that was something I had to have. Your mileage may definitely vary on that. So what are some lessons learned from this? You're in charge of yourself. Don't let a company, don't let somebody else tell you you can't have training, that you can't go out and better yourself, that you don't need to know something. If it's something you want, go after it. Yeah, sure, you might not be able to get the training that you want because it may be thousands of dollars, and if the company isn't going to pay for it that can be a little rough on some people, but
there's lots of free training out there, there's a lot of discounted training out there, especially if you're still a student at places. There's an entire online library on YouTube of video out there, there's online training, like Codecademy. With even our, what did I have here, hold on a second, where did I put that at? I had a couple notes here I was gonna show, but yeah, our CTF we have going here, the company also offers up training there as well. Get out there and do things like that. There's a lot you can do for free or low-cost: training, videos, knowledge that's out there. Try to get
into one of those. If you have, like, a GI Bill, some of that can be used to pay for like some SANS training stuff, or that, I believe, so you can get help on some of these things. But if you can convince your company to pay for some of these classes, great; otherwise there are other options out there that are free and otherwise cheap that you can look into. And don't be like me. Don't do good enough. Don't become stagnant in your knowledge. Don't let your knowledge atrophy, your abilities atrophy, because you're gonna be playing catch-up like I did, and that's not fun.
It's a lot of work, a lot of stress, a lot of lost nights when you're wanting to get some sleep and your kids are sick and all that; you still have to go out and force yourself to do some training and learning. Do it young, do it early, maintain your ability so that you don't have to play catch-up. If you want to deep dive into some topic, go for it, become an expert in that, but maintain your knowledge in other places. A breadth of knowledge is always good. You don't have to have a breadth and depth of all knowledge; a breadth is good, deep knowledge of some areas is great as well. You can become a subject
matter expert, if you want to, if you want to use that term, but always be looking to better yourself in the things that you know. So that's basically the talk. I know I didn't add as many funny moments in there as I could have, but this ended up being one of these talks where I'm just going through telling you the bad things that I've done, the mistakes I've made. Yeah, I've bounced from company to company. I have tried to better myself along the way every time I did, but I did it in lockstep: I get a new job, I'd better myself; I get a new job, I'd better myself.
I wouldn't ever get a new job, better myself beyond that job, and then start looking onward and trying to do that. It's a failing of my nature, I guess, I don't know, but it was something that I've had to deal with going through. Hopefully, if other people are going through the same thing, or you have the same tendencies as I do, maybe this is a wake-up call, maybe it's something that you can learn from my mistakes and make yourself work harder. If you've gone through all this and it didn't affect you at all and you've done all that, great for you; this isn't necessarily for you in that case.
So this is just the flow as I went through. It's not my most lighthearted of talks I've ever done, but it is just something that I wanted to get out there and share with people. So any questions, comments, concerns? Just the standard TrustedSec logo there. If you want to reach out to me, I'm on Twitter at tatanus, I have a blog out there at Hillbilly Story Time, I'm on YouTube. I haven't uploaded a video in a while; I really need to get back into doing that. Isolation in the house and all that really cut into my desire to get into that. You have my emails, both corporate and personal, there.
Thank you for your time. If there's any questions, let me know; I'll be in Discord. Sorry for a depressing talk, when I was hoping for it to be more entertaining. We got a few minutes, there's still a few minutes. Yeah, some funny jokes in there, but oh, one thing I will say is, to know, a good judge I've found in my experience of if you know something: have someone who doesn't understand it and someone who does understand it both ask you to explain it. If you can explain it to the person who doesn't understand it enough for them to go, oh, I get it, and then you can also explain it to the person who understands it already for
them to go, you're right, then you understand it. Otherwise, go back and review it, because that is something that's come back to bite me on report readouts. I've written reports, handed them out to the customer, the customer was like, I don't really understand, can you give me some more insight into this vulnerability? I'm like, um, yeah, um, hold on a second, I go look it up real quick, I'm like, okay, here it is, because I didn't understand it enough to explain it to them. You should never put something in a report or try to explain or tell customers they have a finding if you don't understand it yourself. That's just an experience of mine. If you
can teach somebody something, you understand it. So that was just a lesson learned as well, a pentest fail thrown in there. But go ahead. Speaking of fails, it has been pointed out that you misspelled your own Gmail address, the last letter in your last name. Oh my god, wow, we've got a sharp crowd. Yeah, yeah. And yeah, we do have some questions. I just want to say, if you have never gone there... I corrected it, thank you, there we go. If you've never checked out Adam's Hillbilly Story Time on YouTube, it's fantastic. There's some great stories he's got. The don't take yourself seriously, don't take
yourself seriously, you're going to make mistakes, deal with them, that's the video. Yeah, but yeah, learning from errors, you know, and just funny stories from our travels and stuff like that. I think the king state story is in there somewhere. Yeah, yours is in there. And I don't know if the coat hanger story is in there, going through customs. Oh yeah, that one definitely is in there. I don't know which video it's in, but it's definitely in one of them; that was in one of the earlier ones, I believe. So yeah, but yeah, there are some interesting stories in there from our travels,
both when I was in East Tennessee and before and after that, just dumb things that I and co-workers have done that either put us in danger, put us in questionable situations, or just made us look like idiots at times. So going onward. All right, so we've got about a half dozen questions, so let's see if we can get through these. All right, so first one: if you had to start over, where would you begin, what type of job?
Probably system administration, then now migrating into sort of a blue teaming environment, because personally I've been doing more of a purple team environment testing as well, where it's blue team and red team working together to try to better an environment. I respect more and more the blue team and the defensive side of the environment, and I'm wanting to go in that route myself. But I'd probably start in system administration, going into blue team slash maybe pen testing as well right there. But I definitely feel a system administration background is a key asset myself. So you'd still be in security, though? Oh yeah, yeah. Okay. I'd still be in
security. I've been doing this for 25 years. Not everybody would answer that the same way, you know, some people might go into a different field entirely. Yeah, my only other career I'd go into would be woodworking or farming, and neither one of those are going to pay my bills, so I'll stick with pen testing. Yeah, good point. Any good webcasts to listen to? I think this person might mean podcasts; they said, do you recommend any good webcasts to listen to? Well, if you're going to watch videos, one of the ones I would suggest would be Hillbilly Story Time, pentest fails, or if you want to see how other people
do things, one of my favorite ones is watching IppSec go through Hack The Box challenges and stuff like that on YouTube. He does an amazing job going into deep detail on why and how he does certain things. It's a great choice there. As far as podcasts go, I have to fully admit I don't find time to listen to podcasts as much as I should. I know there's some great ones out there like Darknet Diaries, and I know TrustedSec has our own podcast and other companies have theirs, but the only ones I've ever really listened to would be PaulDotCom back in the day as well as Darknet Diaries. Those are the only
ones I listen to on any bit of a regular basis, or have in the past. Cool. In your experience, which operating systems are the most difficult to infiltrate? AIX, because I hate that, and SCO. No, which would be the most difficult? Honestly, I'd probably say a well-configured, dedicated Unix system, but that's because it has a little footprint, low number of services, low number of users on it; it's tailor-made for that. If you can find that, that's going to be hard to get into. Outside of that, I would say it really depends on the environment and what the purpose of that system is. If it's a standard desktop user system, maybe macOS, I don't know.
It really depends on the situation. I don't have a solid answer for you, I apologize. BlackBerry OS, there, that was the hardest one to get into. Okay, yeah, just waiting for it to boot up is, yeah. For those working in OSINT and physical pen testing, how would you suggest they start towards a more hard-skilled slash tech path? Is a university degree required, in your opinion? Touchy subject on universities. At the time I was getting into it there were no other real easy paths to go into infosec other than just being what at the time would have been more of a black hat hacker sort of
mentality, or government. So I went into the university route. Do you get a good benefit from the university? Yes, you can. Is it expensive? Absolutely. Are you gonna be in debt for the rest of your life? Possibly. But personally, I would not suggest going into one of, like, the infosec or computer security curriculums. I would go for more like the engineering, computer science, just generalize, get a good knowledge of a bunch of it, and then focus more on whatever your job is needing at the time to figure out which path you want to go down. So I sort of answered the question; I'm sure I skipped half of it. I
apologize. But is a university required? No. Can it be beneficial? Yes. Are there some drawbacks to it? Yes. Any experience you have is going to be beneficial. If you're in OSINT or physical, how can you do it? Try navigating into a more, if you're doing physical, see if you can get a drop box on the internal network if you can, see what you can do from there, connect into that and go from there. If you're doing OSINT, you can get into social engineering, see if you can get into something like that, see if you can leverage it to get access
onto a system, what can you do from that perspective, and start training yourself, shadowing people that do that. If you're in an organization where you're doing the physical or OSINT and there's people in there who are doing the internal or external pen test, start shadowing them, see what they're doing until you get your feet under you, and then see about migrating into it. Would I suggest just jumping in feet first? It might work; I wouldn't necessarily go that path. So also, what are some of the considerations before you decide to start writing a tool? I would definitely say the ASCII art and the name. That is, a desire to create ASCII art? Well, no, no, no,
I have to say that, otherwise Martin is going to get mad at me. No, well, no, the thing is, find something that you have a need for, something in your daily life, in your pen testing environment, or your co-workers that they have a need for, that isn't being satisfied with the tool that's out there already. If there is a tool out there that sort of does it, maybe look to see if you can modify it. If it's going to be too much headache to modify that, sure, write your own. Or if you just want the experience and knowledge of how to write it, go through and write it yourself. But what drives you to do it?
Is it what drives me to do, exactly, I'm gonna have to build it, I might as well share, you know, like I'm tired of doing this thing manually? Sorry, yeah. For any of the toys I've written, whether it's scripts or whatnot, I'll write them for myself because I need it done. If I see a co-worker that needs it, I might try to go in and clean it up and put some better ASCII art or a better help menu, something like that, and give it over to them and let them try it. Once a few people have tried it and they're like, oh, this is good, then I might try to release it out there,
and if you're really a masochist, you might try to release it out there and do it at, like, Arsenal at Black Hat, or whatever the one is at DEF CON. A lot of these conferences have sort of the tool symposiums where you can present your tools, and then you get lots and lots of people looking at it and critiquing it and laughing at you and all that. But it's a growing experience; you can't let it get you down, just take it and go. And sometimes people are like, well, yeah, you wrote this fantastic tool, but why can't it make coffee? I'm like, because it's a fantastic tool, it's not a
coffee maker, shut up. Right. So you always want to have people come back with just inane questions, but I do it just because it's something I need ultimately, and I want it done the way I want it done. Right, right. Another question: seems like having strong peers is critical, any ideas to foster that kind of environment? Yes, strong peers are definitely something I found very useful. How to foster that? Well, first, if you are in a group and you find that you're the most knowledgeable person there, either become a mentor and a trainer, or find a new place where you're not the smartest person in the room. Get yourself surrounded by people who
are as knowledgeable, or have a different experience base than you, or are knowledgeable in other areas than you, people that you can learn from. And then try to set up some sort of inter-group sharing, whether it's every Thursday you just have a sit-down for an hour where everybody goes around, something cool they found that day, or some piece of software or exploit that they came across that they want to share, talk about that. Maybe once a quarter, see if your company or your office can get together and do, like, a mini conference, or a mini one of these, where everybody gets up for 15 minutes and just talks about something, whatever they want to. Don't restrict it, just get up
and talk for 15 minutes. If you make it so anybody can get up and talk about anything they want, you're more than likely to get people starting to get involved and get all that going. And once you do that for a few times, people are going to be looking forward to it, and it really works well. And of course, just document everything: put it in Confluence, put it in SharePoint, put it in whatever, video, write-up, whatever, so that people can go back and retrieve it later if they want to get the knowledge and they weren't present for it. But see if you can just force, not force, but open the opportunity for people to share
through some sort of public medium, even if it's internal to your company. It goes a long ways. And you can't do any of that if you're 100% billable all the time. Absolutely, absolutely. Just going to throw that in there. I fully agree. Yeah, I know, I know. So an interesting question here: how long did it take you to realize you were burned out, and then how long did it take you to start taking action to look for the next thing? Oh, I'd say, how long did it take me to get burned out? I was probably getting burned... To realize that you were burned out, because I guess those might be three
points. Right, right. I was probably starting to get burned out about four years prior to me leaving, about three years. It took me about a year of me just sitting there going, I'm not really enjoying this; yeah, I'll keep doing it because I'm good at it, but I'm not really enjoying it anymore. Six months to a year of that, and then to do something about it, probably another couple months, three to six months, I actively started looking around. It would have taken longer to do something about it, but it was just happenstance: I ran into Ron at Vegas when I was looking, and he's like, oh, I might have a position for you, are you
still doing XYZ? And we started talking, and a little while later ended up going over there. That was a bad day for Bill Dean, but that was another day. Yeah, I do, I bought him a bottle of good scotch. I know you did. And some good beer. He got a lot of bad news in a very short amount of time. So yeah. All right, well, that was excellent, Adam. It's time to bring our next speaker up. I really appreciate it, and I can't wait to get all this uploaded on YouTube so more folks can see it. All right, let me stop sharing,
turn off my video, and it's back to you. All right, great.