Breaking Into Infosec or, How I hacked my way out of poverty - BSides Portland 2022

BSides PDX | 23:35 | 535 views | Published 2022-10
About this talk
Starting a new career is difficult for anybody, even in ideal circumstances. Starting a new career when you’re struggling to survive and without a permanent residence is nigh impossible. I went from couch surfing barista to penetration tester with no intermediate career steps. By using a combination of focused effort, leveraging the few resources available to me, and a little luck I was able to achieve my goal of breaking into infosec and out of the endless gauntlet of hand-to-mouth toil experienced by many part-time service workers.

Ben Kendall is an associate security consultant at NCC Group. Ex-journalist, former wage worker and current penetration tester, Ben parlays his passion for breaking things into his professional pursuits. He also likes alliteration. Ben’s hobbies include board games, Brazilian Jiu-Jitsu, dinosaur husbandry and underground hot toaster wrestling.

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. Twitter - @BSidesPDX

Transcript

So my name is Ben Kendall, and this is my presentation about breaking into infosec, or how I hacked my way out of poverty. So, a little bit about me: I'm an associate security consultant at NCC Group. I'm a former journalist, a former filmmaker and former wage worker. So I've done all kinds of different kinds of wage work: I was a janitor, and I've made several different kinds of pizzas and sandwiches and coffee, and I've dug trenches and made roads and all kinds of stuff. So it's kind of the wages of ADHD, I suppose. And I had no formal IT experience.

So back in 2016 I had a life change, and I was kind of the guy on the couch with my friends, but kind of all over Oregon, and that will come in later in the story. But suffice to say it's not fun, especially doing that for several years.

So let's talk a little bit about where I work. NCC Group: it's the largest penetration testing consultancy firm in the world, and it's a fantastic place to work. Everybody is very knowledgeable, and just a fantastic bunch of infosec people. A little claims to fame: the CSO exploited the first buffer overflow, the chief scientist also created the time-delay SQL injection, and Patrick has passed the hash, excuse me, was discovered by next NCC employees. So coming into there, it's pretty intimidating, to be honest.

So let's talk about me being poor and trying to get into infosec. The way I wanted to run this talk is I wanted to give somebody that's trying to do the same thing that I did some actionable advice, because perhaps my situation was an outlier. So I'm going to go through kind of what I went through and see if it applies.

So I do pen testing. I'm part of the offensive part of cyber security, so I'm a hacker for hire: I break into stuff for money, and it's a lot of fun. That's not only what I do; I also do some consultancy about policy and stuff like that. That stuff's interesting, but what really gets me going is breaking into
stuff. For instance, the other day I had a very successful engagement and I owned their network, rightly as you could say, and when it happened I had so much adrenaline hit my heart, and I was shaking for two hours. No other job in my life has done that. Actually, I feel like that when I had to go to work, the last thing I want to do is go take care of Karen and Ken screaming at me about why their latte is too cold or too hot or whatever.

So say you want to break into infosec: what do you need to know? Well, programming's like number one, in my opinion. These opinions will differ from other people, but I think that just kind of having a good hold on a scripting language like Python, it's an excellent way to start. Some basic networking knowledge, because it comes into play all the time, especially for what I do. You're going to need to know the command line. You're going to need to have familiarity with basic pen testing tools, stuff like Metasploit or msfvenom or Burp Suite, sqlmap, stuff like that. Hardware basics: it's probably best that you build your own computer. It's just more secure that way, A, and B, it's fun. Hopefully you'll get the opportunity to do that if you haven't. The fundamentals in computing, stuff like memory addresses, how CPUs work. And there's so much more; in fact, there's an endless amount.

During my time as a journalist, it was the very end of my university career doing that, and I was walking around OSU, and it was this big, it was an incubator for startups, and it was all science and health related, and they had a whole bunch of just giant cool science stuff, like liquid nitrogen and tanks that were cooling something that I had no idea what it was. And I was looking around me and I thought, I think I picked the wrong career; this is way cooler than what I do. I love journalism and it does serve a purpose, the fourth estate's very important; however, it's kind of shallow. It's very
broad but very shallow, whereas technology is broad and deep. You can just fall into a rabbit hole and never come out, and that's actually what's so fascinating about it to me.

So when I first started learning Python, actually, I really liked creating stuff, and I thought, well, maybe I can be a dev. And so I started trying to figure that out, and it came to me that, oh God, it's almost impossible to get work as a dev even if you've got like a GitHub repo; you need something more tangible to at least get in front of somebody. So I went out and got some pen testing certs. I started with the eJPT and I went on to the eCPPT; that was with eLearnSecurity, they're INE now, and both of them were very good. And then there's the OSCP, which I bought the course for and still have to take tests again, but in my opinion I liked the eCPPT better. It was just more instructive. It just depends on your learning style, though; they're both great.

So when you're doing all this when you're really poor, it's kind of difficult to find time or space, especially when you don't have much space, and you're probably a wage worker and you're doing stuff for minimum wage. So that's usually part time as well, because they don't want to pay your benefits, so you're getting these weird hours, like clopens: you'll close one night and then you open the next morning. Brutal. So having any kind of energy to do pretty intense study, especially if you're not familiar with the subject matter that you're working with, it can be brutal. So it's going to take a lot of time, and you've got to understand that it might take longer than you think, and it has nothing to do with you. It's just your situation is going to affect the way you're apprehending this information.

So remember that: just various sources. Like, if I didn't get something from a course, I would go read a book; if I didn't get it
from the book, I would go watch a video on it, or just walk, or read a blog post, or do something to somehow take that information in and make it more tangible to you.

And so when you get burnt out, sometimes you just don't want to look at any technology at all. You're just like, I don't want to read any more code. I mean, I love it, but I've been doing this for 12, 14 hours a day for several months and I'm just kind of over it; I would just like to relax. Instead, you can listen to a podcast like Darknet Diaries. It's just kind of fun entertainment, but it's still within the realm, and you're still kind of educating yourself in an oblique way. And it's still fun. I mean, it's supposed to be fun; at least the offensive side, it's fun. Hacking is fun, so we've got to remember while we're doing this.

So after I got my certs, I was helping people to get theirs. I would coach them through techniques, problems that they were having. One of the things that I noticed is a lot of people were having problems getting in front of people for new interviews, and it's because they just didn't stand out very much. They don't share their work, and so no one can tell if they're actually full of it or if they know what they're talking about. So one thing that you can do to stand out is to share your work online somehow. I would highly recommend the book Steal Like an Artist by Austin Kleon, and his other two books; I can't remember the middle one, but the last one was Show Your Work. So the middle one's about when things get really difficult. And hacking is art. We're very creative people; we have to be. We have to find a different way in somehow. It's part of the game, and that's what's so exciting about it.

So you can start a blog; that's what I did. I was falling back on my journalism skills when I did that. Or like a YouTube channel, if you're more into production. Definitely compete in CTF
events. Like, maybe you'll place, and people, you'll get your name out there that way. Bug bounties are good. Like if you've got a bug bounty to your name, usually that's something to recur about; you would call, and not call out, and say, oh, I got this bounty on, I don't know, X company, and got 500 bucks, or more or less. But the money is great, but really it's the trophy that's part of it, at least for me. I haven't gotten any bug bounties myself; the trophies for me are getting root or domain admin, something like that.

So also, I got hired at NCC. This is my first infosec gig, and I got hired from LinkedIn, and it was sight unseen. It just kind of came out of the blue, which was fantastic. I had applied to many places before, and usually it's thank you but no thank you, because of course I don't have any requisite experience.

Have a GitHub repository if you know how to code. It's interesting to me that a lot of pen testers, some of them just don't know how to code. Not necessarily, I haven't met them in NCC, but I've met them at other places, and there's no judgment there, but I think that, I can't harp on it enough: you definitely need to know, especially if you're using an exploit that you pulled off the internet. You need to go through that code and make sure it's safe, because you don't want to drop some making exploit onto a client's network and then it owns their network, and you didn't do it, but you did do it, if you know what I mean.

So contributing to open source projects: that's standard dev advice, right? But there's still lots of development in tools, in hacking tools that we're using all the time. Or you can just make your own, because there's always a need for something. You might not know what it is, but eventually you'll find something; you're like, oh, I wish I could do X and I can't, I have to do it this long way; I'll automate it, figure it out. And definitely help others. The best way to learn
something is to teach it. And so when someone asks me, oh, like, I can't do, what is this, I can't do something, I can't come up with a scenario, but if you research that and then you find out the answer to their problem, then you too have shepherded this person forward in their knowledge, but also you've improved your own, and that's fantastic.

So I started learning Python in 2018, and then I started aiming at infosec stuff in 2020. I ended up getting an interview to be a teacher's aide for some infosec boot camp or something like that, and I thought, oh wait a minute, this is a possibility; well, maybe I'll just dive in and do infosec instead. And it's going to take a while. I mean, courses take a while. It's learning all this information; it's going to take you some time, and it's going to probably take you some time to pass the test, and it's probably going to take you some time to get a job. And the tales that you hear on the internet, there's like, oh, well, I passed the OSCP after only studying for a month and I have no experience and then I got a job right away, and I'm just like, did you, though? I don't believe you. I mean, if they did, awesome, that's great, but those people are definitely outliers. They're not the bell curve; they're on either side of it, they're not in the middle. Probably in the middle, you're probably gonna wait at least six months, if not longer, and that's okay. It'll just give you more time to level up, and in the meantime, unfortunately, you'll have to work your job that you dislike, or maybe you don't like it, or maybe you do like it, you're just wanting to change.

So how did I do this? Like I said, I kind of leaned on my friends, and I was lucky enough to have that opportunity. I know that if I were to slave away on like a barista position for minimum wage, or minimum in the Metro, whatever, it will be very difficult to survive and also to do study
and add on to that, maybe this person has a kid. I do not, but in this hypothetical scenario perhaps they do. That's even less time and less energy, and you're already exhausted. Wage work is very difficult. It's grueling, and it's taxing physically and emotionally, mentally. It's not ideal, especially to survive off of; that's your main means of survival. It's really difficult.

So here are some resources. I'll also be putting this up on my blog eventually, here in the next couple of days, so you can check it out there, and I'll probably be spreading it out as well. Hacking: The Art of Exploitation, that book is from 2008, so pretty old, considering, but it's still great for buffer overflows. I highly recommend it for that. The Operator Handbook's got like tons of really cool commands that you can just kind of flip through and find out stuff you didn't know about, whatever, Linux, Windows, and different ways to get around things or query for information. Pretty much all of those, No Starch Press, they rule.

So I'm just going to jump to the courses. The Cyber Mentor, Heath Adams, his courses are fantastic. I actually took those before I took the eJPT. I couldn't love them enough; they're just fantastic and I love them. They definitely got me started.

So OverTheWire.org Bandit, that was my first love. I loved that CTF, and there's like 30, 40 levels or something like that, and it teaches you a little bit about Linux. It's great for beginners: a little bit about Linux and networking, little by little, every level. Highly recommend it. Hack The Box, TryHackMe, all those are great. OffSec's Proving Grounds, I really like those. They're really good to gear up for the OSCP, because all those boxes are made by the OSCP folks, so you're going to see similar stuff on the test. And the Pentester Academy, I've tried them a little bit. I don't have too much experience with it, but it's more kind of CTF boxes that you can
attack. And definitely take advantage of YouTube. IppSec, ippsec.rocks, and it's true: that's this website, but it's also true, that guy is awesome. John Hammond. These are all the guys that I watched, and when I just didn't want to look at a screen anymore, I just kind of would listen to it sometimes, and it was enough.

So let's talk about just getting a job, here in the last couple of minutes. So I was falling back on my journalism skills, like I said, and I asked Rob Fuller, AKA mubix, he runs the red team over at United, and asked him a couple of questions, because I just didn't want to come at you with my experience. And so I asked him what the common issue facing unsuccessful candidates was, because, I mean, naturally there's going to be more unsuccessful candidates than successful, right? There's only one person that they're going to hire, or a few maybe if you're lucky. But he says lack of maturity, empathy and drive are common themes among the candidates, and if the damage is done, it's pretty bad. It's this huge trust, or sorry, there's a lot of trust that's inherent in what we do.

And I also asked him some advice. This one hit me hard, actually: drop the imposter syndrome. He wasn't talking to me specifically, but I was really happy that he said that, because I totally have that. Everybody I work with is brilliant and talented, and it's shocking to come in and just like, oh man, I have no idea what this colleague said. But that happens to all of us. Everyone has that experience, so it's not just me, it's not just you.

So Tyler Russ, she is one of the HR people at NCC. She hired me. She's fantastic; she was quite the champion for me. And so she basically said kind of roughly the same things that I did: you need to have something to show your work if you're in academics, so something that you did for like a project, or like a club that you were running, so on and so forth, and
soft skills are very important, for both people that are in academics and not. And for Tyler, she also mentions that that's often what gets people out of consideration: they have no soft skills. And roughly that's what Rob Fuller was saying as well. If you can't speak to people kindly and respectfully, there's no way you're going to be able to speak to a client, especially if you just owned their network and they're irritated. You need to fall back on those customer service skills, as retail skills, and defuse that situation, because you want them to come back. These people have paid a lot of money for you to show up, and if you show up and wreck their network and then you're just like, whatever, you're probably gonna get fired, or at least talked to, and they're gonna lose that client, and that is a great deal of money. So, something to think about.

So unfortunately it's not the TL;DR, but it kind of is, just for the end. So you need a good baseline of knowledge. You're never going to stop learning. You need to stand out, and you need to help others, and you've got to remember those expectations. There's no reason that you should stop. Don't stop not stopping. Don't quit. That's all. Thank you.

Questions? It's the gentleman in the back.

Unfortunately, currently we're in a hiring freeze, but hopefully we'll be getting to start hiring again soon.

Yes? What kind of labs and stuff did I set up at home? I like to use VirtualBox, and I'll just set up a virtual lab, because again, going back to, like, I was quite poor, right? So I had like a middle-of-the-road laptop for 2017.
And I would just set up a virtual network on that. I just threw as much memory as I could get into it, so I can run as many virtual systems as I could, run my own virtual network and try and pivot from there, so on and so forth, practicing techniques. Usually I'd throw together like a couple of vulnerable boxes, maybe one or two that I made myself that are just crap, just to practice pivoting, because pivoting is kind of a pain sometimes.

Yeah?

For people trying to learn, a scripting language like you said is super important. How do you recommend they find ideas for their own valid projects that are beyond just the paint-by-numbers tutorials, but like a real idea for something useful they can use to demonstrate your skills?

Sure. So, for people that didn't hear it, he asked how do you discover ideas to create your own projects. That's kind of a golden question. Usually the ideas that I have, that I've had, that I haven't even acted on because I've been so busy, but usually it comes out of the ether. It just comes to you because you have a problem. Usually it's like, oh God, I can't keep doing this stupid command over and over and over again. I mean, that's just like simple bash scripting, right? But if it were like Python, for instance, when you're doing buffer overflows, you're writing your own Python scripts just to interface with that binary, and then you're usually also exploiting it that way as well. So if you're using your own scripts, for instance, maybe you found like an old app that people don't use anymore, or maybe they do use it, and you decide to just kind of reverse engineer it. Could be one thing.

Yeah, anything else?

Just a quick comment. Thank you for your talk, I appreciate it. If you want to hack on someone else's computer, a lot of these cloud platform providers will provide
you free credits now without a credit, well, some without a credit card, but others with, and I would recommend that if you want to just tinker around and you don't have a lab at home that you can afford.

That's a good idea. Yeah, they do give out free credit to students, I believe. Yeah, that's awesome. That's a good idea. Anything else? Right, well, this was my first talk ever.