
BSidesSLC 2021 -- Hacker Panel -- Speakers: Sn0w, Grifter, L34N

BSides SLC, 52:08, published 2021-12

Transcript [en]

We're just going to kick off on this panel. Who are you? I'm Marv. Most people know me; if you don't, meet me later. Let's start off with... mic closer to your mouth. Let's start off with Grifter. You might know Grifter from such hits as Trevor Forget the Documentary. Thank you. Also runs the Black Hat NOC, DEF CON goon for a million years. Twenty years. Yeah, Black Hat aficionado, and actual black hats: I don't think I've ever seen him with any other color hat. No. You also might know him from the ZCMI food court 2600 meetings, depending on how long... Bro, dating me real hard there. And Sn0w. Sn0w is a Black Badge-winning social engineer, and you may have seen Sn0w asking for entry into your data center because she forgot your badge. And I guess L34N. You might know L34N. Probably not. I know he loves that.

So this is just going to be a kind of rambly conversation, a bunch of friends up on stage more than anything. Overall, our goal with BSides Salt Lake City is, you know, trying to lift people up, bring them in, things like that, so we'll touch on that, but also story time with Grifter, Sn0w and L34N. So, is it good stories or doesn't matter? Okay, it doesn't matter. Okay, all right, cool. I mean, your stories are always a little sketch anyway. My story? Yeah, that's what they want to hear. They want to hear this, guarantee it. They want to hear the sketchy. There's a podcast for that. I'm not signing up. All right, fire away, Marv.

Oh yeah. So first, yeah, what's the last 21 months been like for you guys? Let's go. Who's going?

All right, I'll go first. It's been sad. I think that's the easiest way to put it. I'm a people person. I like traveling, I like being around coworkers and things like that, so being stuck at home has changed a lot, right? So I'm so excited to be here today that things are opening back up. A lot to look forward to,

but I think in general it's sucked, right? I don't know how to spin it in a good way, honestly. But yeah, that's my take.

I think, yeah, for me it was the same thing. So I also, I'm a road warrior, pro traveler or whatever, right? In 2019 I flew over a quarter million miles, and then in 2020 clearly everything stopped, right? So it was really weird, one, for my family to see me and be like, shouldn't you go like somewhere? Don't you have a plane to get on? So yeah, it's been really interesting. But like you said, things are opening back up. In the last two months I've spoken at four conferences: SAINTCON, just right here, Black Hat in London, and then I just got back from Riyadh for @Hack last night, so I'm really tired. What time are you on right now? Yes, whatever time. Yes, exactly. And I now play 30. So things are open and back up, which is nice, so it's good to see people and reconnect.

Yeah, the same thing. It's been interesting to realize how much we took for granted our interactions and conferences. Most of us go to conferences multiple times a year, see a lot of people, interact in the community, and when that stopped, initially it was nice, because it's like, oh hey, my family, I get to see them again, or get to actually do home projects. But then it slowly started to kind of break down, where I wasn't progressing as much as I had previously, because most of my career progression has been networking and community and connections, and so I started stagnating and realizing, like, oh man, I need to get out and talk to people again. I feel like I'm losing my mind and my education. And so being able to even just do SAINTCON this year has been such a relief, to be like, oh yeah, I feel that knowledge absorption again. It's really nice, because the way I've always seen it is just surround myself with people who are really, really smart and I might be able to grab like five percent of that. That's how I've kind of grown my career.

So yeah, I totally agree, because that's the thing, is like getting out. I feel like that's how you level up, right? You find yourself around people who know more than you, which is what I've done essentially my entire career, and I highly, highly recommend that for all of you as well. If you are the smartest person in the room, that's the wrong room, right? Find the next room with smarter people, because they will lift you up whether you realize it or not, just from the conversations that you're having. You'll hear somebody say something and you're like, wait, what was that? What is that thing? And not having those interactions has been incredibly difficult and, I think, yeah, a little bit maybe mentally stunting.

So I can tell you from my own experience in the last two years that as a security professional, our job is to talk to people, and when you're not in the room those conversations take on a very different tone. How did you guys... I mean, especially somebody who travels, you know, professionally as much as you do.

I wouldn't say so. So with my role, I would go out to organizations. So I just do threat hunting, I'm a threat hunter, right? And so I would go on site to organizations and I would sit down with their security team in a room and say, okay, let's talk about, one, how the network is set up, or like what do you have deployed, those types of things, and we'd have those conversations face to face, right? So you're sitting there looking at somebody and you're discussing what their security posture is, they're telling you about the different technologies that they have; all of those things are happening in a room. The problem with Zoom and things like that is, one, not everybody turns on their camera, so you don't see body language, that kind of stuff, all the time either. But also, at least I have found, and I realized how valuable it actually was to be on location, is that you'll hear somebody say, oh yeah, we do that, and then someone two seats over starts getting real uncomfortable in their seat, right? And over Zoom you don't notice that as much. Or you will take that, like, oh okay, we're going to take 10 minutes for a bio break during your conversation, and everybody runs off and pees, and then you're standing around in the hallway or you get back to the conference room before things kick off and someone says, in reality it's more like this. Those are invaluable bits of information that don't happen when you're not sitting in a room together. And so not having that... yeah, I didn't realize how important that was until it wasn't there. And so face to face still does matter, because there's a significant amount, and especially someone... I mean, you're a professional social engineer, so you know body language, like reading body language and micro-expressions in people's faces. Like, you'd see this really fleeting cringe when somebody said something that just wasn't true, you know, from other people in the room, and you don't have that over Zoom.

Yeah, I don't think you can replace that. Even if everyone had their camera on, there's just that aspect that you can't replace, so that's been a struggle. And then from a testing or consulting point of view, not being able to actually do physical assessments has been not fun, because you can't go in. That's like the best part of your job. It is, it is the most tangible, right? Like actually stealing things. But yeah, I can't do that right now. You can't do a data center social engineer over... No. I like how much that tells us about you, is that you're like, the thing I missed the most was stealing. Pretend stealing. Have you guys seen Community, where they have the robots? The show Community? They had the robots on the screen, they had like remote students. I don't know, you gave me an idea. Do you have a shelf of trophies from your engagements? No. Unofficial trophies? Okay. My mom asked me that once. She's like, what do you take? I'm like, I don't take anything. I mean, I don't really... a lock of their hair? I'm not a serial killer. I take a little bit of the CISO's hair. Well, and I guess that when you do get those physical engagements and you don't have anybody working on site, you don't have anybody to piggyback or steal their creds, it makes things difficult for sure.

Yeah, you know, L34N and I were actually working on a project together professionally at the very beginning of this, and it certainly went off the rails when we weren't meeting together and we weren't doing things, so it definitely affected us. The hardest part was not being able to just whiteboard. Like, digital whiteboards don't work. And even when you get into a room of, you know, five, six people, there's multiple conversations going on at the same time. And so the interesting thing at the start was everyone was like, oh, I get to have more meetings, because I go back to back without drive time or, you know, any of that, but that quickly turned into quite the psychological trauma, where you didn't even have five minutes between meetings to go grab water. And so while most of our management thought we were being more efficient, it was actually more psychologically draining, and burnout happened faster for a lot of people.

Now, with all that said, there has to be some wins in the last two years.

Yeah, I think that people started realizing the uses of technologies. There were many different uses that weren't being utilized. I do like being able to communicate with teams in other states that would not talk to me previously, and they had no choice. And also, when you start not being able to go on site, you start coming up with creative ways to stay connected, so virtual lunches just to sit and talk. We have more of those than if I were to go on site and talk to different customers, because I work in the consultant side of the house. And so being able to just connect with more people across the country faster without having to hop on a plane, as much as I love traveling, was really nice. And so, really creative uses of technology.

Yeah, I echo that for sure. Definitely team members that I normally don't get to talk to as much; we do a lot more happy hours and things like that, so it's been beneficial from a team-building perspective, especially for remote people. So that has been a win, I think.

Yeah, same thing. I think it's just the overall getting more comfortable with things like people seeing into your office or whatever at home. Like, I have a home... You don't blur that out? No, I don't, I let people see it. You actually presented very... Yeah, like I have what is essentially a shrine to ADHD behind me. Like, I have shelves of all the random crap that I have collected over years, and I collect these mini arcade machines and those are on and flashing, and there's all kinds... and I love Harry Potter stuff, because I'm a giant child, and there's all this stuff like movie props. But the favorite is I have a working, a functioning pay phone in my office, and people are like, is that a pay phone? And I'm like, you bet your ass it's a pay phone. You just got to find that... Does it work? I'm like, yes, it works. What would be the point? Find the number, call him when he's on his next... The hard part is if you're on the other end of that, where you're talking to Grifter and you can only see the things in the background. The ADHD on my side, yeah, is fun. You're like... People are always, what is that? What's that thing over there? I was like, I'll do a Cribs of my office at some point. You need to, because what ends up happening is it's 15 minutes of actual conversation and then 45 minutes of Cribs.

Yeah, it's like talking to Pope. Like, he's hiding behind the camera there, but when you're on with Pope he's got like dinosaur teeth and whatever. It's like looking into a museum. You're like, what is that? Did you get a new tooth? Like, you know. I do, I like that. I don't know, I'm creepy, I like it like that. I guess it's like, oh, look at how nice your living room's decorated, or you love Pottery Barn. Can your kid hear us? Because this is a pretty heated conversation. No, they're fine. Go back to Peppa Pig. Actually, that is a nice thing. I know you're saying that as a joke, but also life happens around you while you're working as well, right? And so things like... my office happens to be below the kitchen, so sometimes it's the worst place for an office, but it's what I got. And so sometimes it'll just be like, crash, you know, like all of the pots have fallen out of a cabinet or something above my head while I'm on a meeting, and I'm just like, sure. What happens is you're mid-sentence and you pause, and everyone on the call knows why, and it's, do you hear any crying? Nope. All right, we can continue our meeting. Right, so it's kind of cool. It, like, humanized your coworkers and everything. Like, oh, we all do have lives outside of this. We're just... dogs barking and stuff like that. I love seeing animals just on screen behind people. Like, I don't know what you're saying anymore, I'm looking at your animals. Is that a bird? Yeah, it's a bird. Yeah, just let them fly around, full-on parrots. Yeah, and it's fun, because you get to see some of the more personal sides of people's lives, and that maybe their choices in 3D printers might not be the best, and so you get to talk smack about that. I feel seen. I blur my camera for that reason.

But it's very interesting to see, you know, that side of the coin. But one thing that it did do, because it was just an expectation that, you know, you're remote and you're on virtual meetings, it opened up the job market in a way we've never seen before, for better and worse. So you're able to expand outside of the place that you live, so people that were living in remote areas were able to get different jobs, because now companies are saying, well, we have no choice but to go remote, so we might as well try and poach from the best. That also comes at the downside of you're losing candidates to out-of-market opportunities.

You know, I'll actually comment on that really quickly, if I may. Yes, thank you. So I changed jobs just recently, only a few months ago, and for the first time... the company I was with, I was with for nine years, which is an eternity, right, in our industry. But during the, like, it was like, oh, they were like, oh, we want to send you an offer and all this stuff, and they were talking about salaries and things like that. I said, well, here's what I want, and they said, well, based on your region, this is what we do. And I'm talking to the recruiter and I said, it's 2021, like, does it matter where I live? Like, that's not relevant anymore, right? Is the data that is in my head, that you're interested in paying me to get, worth less because of the region that I'm living in versus if I lived in San Francisco or whatever? They're like, well, cost of living and blah blah blah. And I'm like, that doesn't matter. I'm still on the same meetings talking to the same customers. I will be on the same Zoom regardless of whether I'm in LA, New York, Oklahoma, or Salt Lake City. And they were like, fair play, right? But it took having that conversation, and that's a conversation that's easier to have now. So when you are looking at new jobs and things and they come at you and say, well, you're in Utah and so the cost of living... And I'm like, one, you don't realize how much the cost of living has gone up in Utah in the last several years, thanks California for all moving here during the pandemic, but also, again, companies are interested in what you know. It should have nothing to do with where you live. So negotiate, you know, with that in mind.

That changes monthly too. Cost of living in Salt Lake specifically is going up monthly, and I don't think that recruiters and HR teams are even able to keep up with that data. And so the biggest aha for me during the pandemic was, what are you really worth? I don't think anybody knows what they're really worth until you start having these conversations. It's not a comparison of you versus the engineer, your peer in your organization, who knows more, or even where you're located. It's what are you providing to the organization, and if they don't value that, someone else will. And I'm not encouraging everyone to go jump ship... And why not? But understand... Go! Only like, if you have talent, like right now, seriously, the skills gap is so immense that if you have marketable skills you can just... you can go where... If you're unhappy and you have marketable skills, you don't need to be unhappy. Go somewhere else. Like, you can get a job.

That brings up something that I did want to talk about, which is, you know, there very much is a skills gap in our industry, and you three each are in kind of unique positions that aren't the standard "this is an infosec person job." What are the resources, what are the ways that you would encourage people to get a starter skill up, if that's where they want to pivot? I can... do you want me... you had your microphone up before I did. I have a lot of thoughts, so you're going to need to inject.

We're at a different stage of our careers, where what worked for me is not going to work for anybody else. The industry has changed. I was very fortunate to be in a very unique position, and that honestly is what propelled my career. That doesn't work today. The skills gap is creating such an employee market that if you have any specialty, any skill set, you should be able to find a job. Since there's such a shortage of infosec skills, even general IT skills, it wouldn't take long for you to focus on a particular skill, get very good at it, and find an opportunity. That wasn't the case 10, 15 years ago. You had to prove your worth, you had to come up and be the junior and then learn all of the fundamentals. I also think that's creating a whole different problem that we'll get into in a little while. But the thing I always say is, if someone says, well, is it too late to switch to security? No. Just pick the next technology that's coming out that no one else knows, brain dump the heck out of that, and you'll have a job, because no one else is able to keep up with the pace of change that is happening in our industry. And so whether you feel like you might not have the fundamentals or the education or the experience to get a job, there is enough out there. If you want to stay local, find all of the opportunities that are local, find what they're looking for, and there's likely a shortage in that position, and you should be able to go find a ton of free resources, whether it's, you know, GitHub awesome lists or YouTube, or even pay for things like Pluralsight or A Cloud Guru or any of those, if you want to go to the cloud. It's not too expensive. You don't need to go through a four-year degree to just get in. Not saying that that's not valuable, because it is, but you can break into the market very quickly. Because what happens is, once you're in, if you are job hopping every few years, not that that's recommended, you will constantly be going up every time you switch positions. Whether it's your experience is growing or your skill set is growing and you are now no longer providing value to your company, or you feel overqualified, you can go find another opportunity. I wouldn't recommend chasing the money, because at the end of the day you're going to end up in a position where you have just gaps everywhere and you're not going to have a well-rounded skill set. But for the first few years, to break into it, it's find the next greatest technology that someone is coming out with and just brain dump it. That's probably the fastest way to get into it.

Yeah, I think that's a great point. Something you mentioned is, right now you shouldn't have a hard time finding a job, right? They're everywhere, it's easier to get. But folks that I talk to that tend to have issues getting jobs, I think they're getting in the way themselves. They're looking at job requirements, which Colin talked about in the presentation before this. I haven't qualified 100% for any role that I've had, but that doesn't stop me from applying or from talking to HR. So that's one of the things I wanted to make sure you all think about: if you're looking at jobs, don't let the requirements stop you. Still apply, because I think people get in the way themselves, unfortunately, way too often.

Yeah, I think actually Pope offers a service called the old bald white man service, where it's, what would an old bald white dude do? And they would just be like, yeah, I can do that. Yeah, this is how much I want. With that old bald white dude confidence that only comes from being that, right? So if you're not an old bald white dude, reach out to Pope. He will give you advice on how to go forward in your career with that level of bravado.

There is something to say about, and this is going to sound really bad, the fake-it-till-you-make-it does apply, but I don't like that it leads to the imposter syndrome problem that we have. Don't fake it till you make it and then cause problems and pretend that you know more than you do. Be humble and be honest about it. But you do need to have a level of confidence of, you know, no, I don't know, I'm going to go figure that out. But yes, you kind of need to lead it on as, yeah, I can solve that problem. I don't know the answer, but I can solve that problem. And Pope actually gives quite a lot of good information, because a decade ago, I don't know how long I've known you, he looked at me and he was like, you know, if I want to go look for a job, I just... you could search a certification and how many results pop up on Indeed. And we had this conversation about the CISSP, and this is when we were talking about what certs are relevant. He says, it doesn't matter if the cert is actually good. It just matters who's looking for those certs, because that means that you are a better candidate for those positions. So it's a very interesting perspective that I got. So I started doing that. I'm like, you know, a lot of the certs that I didn't really think I valued, there was high demand for, and whether I valued it or not, that means that there are people out there looking and seeking for these roles. Whether they understand the certs or not is a whole different problem, but at least they're out there. And so if you do have a challenge getting into a position, maybe it's start with some of the certifications that people are asking for and just go get those, whether you think you're going to use them or not. Break into the organization, because what will happen more often than not is, once you're in, people realize how good you are at just solving problems, and then it doesn't matter what certs you have, they're just going to ask you to go do these things, and you'll likely be pushed into other positions just because you're able to solve complex problems, not because you have the certification that says you can.

You said "break in" and Sn0w was like, yeah, break, let's go, where we going? Once you're in, they can't make you leave, unless they push the EPO button and the fire suppression system comes. Is that how they get you out of the building? How do they get you out? She's in the data center. Well, just... sorry, I know, I know Marv is moderating, but yeah, how do they get you out once you're in? I'll leave on my own terms. [Laughter] Can we get a definition of "my own terms"?

so yes lunch uh that that brings up um a couple of things for me because a lot of this resonates with how i've gotten roles though i've tried to move into when i when i'm looking at a new role what do i get out of it and the role that i recently took i learned more about routing in linux just to pass the interview than i ever thought i would need like what's the most left-field way that you've learned something new relevant to your job recently it's i i think that's a very valid point really quick to touch on that what are you going to get out of the job um a lot of people don't ask themselves that most

of its people say oh i need a job so i can get money and i'm chasing that that figure in my head and that's how i want to grow my career i've been a big fan of if you feel stagnant or that you're not growing in a position it's time to move on whether you're benefiting the organization or not that's great if unless they're compensating you heavily for it you should be always growing your career your skills um even into retirement listening to a podcast this morning where someone says you know the average retirement age 60s but our life expectancy is in the 80s what happens people still want to provide value in their 50s and 60s so it's never too late

to continuously grow and if you're stagnant and you don't feel like you're growing in a position it's likely time to move on the flip side of that is if you're new to the industry finding career opportunities that are going to propel you exponentially whether they come at a lower salary or entry cost keep that in mind don't just go in saying i need x number of dollars to pay the bills think about the the other variables that that might apply where this position gives me opportunity to learn so many different things and that's worth twenty thirty thousand dollars of schooling right that's a variable that needs to be applied to your calculation that that i

can sit here for two years and the exposure i get in this organization is going to net me a 2x on my salary jump in the next position yeah i think also like that's an important point is to find something that challenges you you could go out and find something that is just easy to do and pays well or whatever but at the end of the day you will find yourself unfulfilled i i highly recommend and what's cool about where security has come in in the last you know 20 years or whatever it's like when when i started out um you were just a generalist right you had to do all of the things there wasn't

siloed as much as it is today the fact that we have those those specializations is fantastic because there were parts of security that i just hated right um and now you can say okay here's the thing i want to do because that's the thing that challenges me that's what makes me want to do this job and so you gain satisfaction from that if you are if you're just doing something that's easy you can only do it for so long before you're like okay well now i'm getting up and i'm just pushing the button like over and over every day and that um it kind of crushes your spirit after a while like regardless of whether even if

it pays well if you don't have anything out of it yeah so i don't know for me find the thing that you're excited about that challenges you and then and do that and it's one of those like you get paid not i feel like i get paid to to do what i love anyway so yeah and i think one of the ways to avoid even getting in that situation is when you're looking at a new company and you're interviewing with them don't let them interview you you interview them that's such a big part of it i think a lot of people might be missing is you need to make sure that you know it lives up to your standards

you're going to be challenged you know what progression career progression looks like so i think you could actually go into a career with avoiding some of these issues um just by kind of setting things up front um so everyone's on the same level yes please do that like understand that i because i literally i had this experience before um before i came into the new role um that i that i'm in now with ibm xforce like i another company reached out to me and where they were like oh we want you to like build out our security program do this they um and we were having discussions and at one point they said to me um and this might be the like old

balding white dude like confidence or whatever but um like they were like oh well we'd want to see how you handle this that or whatever and i'm like yeah well that's really getting into the area of consulting and i if you want to pay me to do that we can talk about it but and they're like well we're we're interviewing you and i genuinely i literally said oh no i think you misunderstand i'm interviewing you to see if i want to come work for your company like this is not like i'm not just going to do something because you're telling me it's part of the interview process i'm trying to decide whether i see value in

working for you um again i don't i don't know if that's some of that pope confidence or whatever but um but i i had to i had to draw that line i was like you're coming to me and asking me to come and give you a significant amount of my time and what is really just your waking hours in your life i want to make sure that this is a beneficial thing for for both of us and so so don't go into interviews being like oh no i really i think i got to get this they go no they've got to get you and go in there with that attitude and and hopefully you'll find the thing that

works for you this is what happens when you're in an employee's market right i feel like infosec specifically is negative unemployment right now sure and if when it is don't be the millennial that's like i gotta have my 10 a.m coffee break i'm gonna start work at noon like that's not what we're talking about we're talking about when you're interviewing a company it's okay what is your career progression path do you have one do you have a junior training program do you have certifications that you cover every year what's the dollar amount can i go take a sam's course or am i going to get compensated for the comptia exam yeah what does that look like we had that

stuff up there on the slide where he's like oh yeah you know what's your experience and it's like well okay well we hope to help you grow that that's one of those things those certifications are up there um make them pay for it how many organizations are there like find the one that's willing to pay for the sans course right don't drop that six grand yourself have somebody pay for that i have yet to pay for a cert yeah and keep going i don't know i mean i don't know what your experience as that i am gesturing to the previous speaker he's he's off camera he's over here yeah we need him but but i mean would you agree like

finding an organization that yeah get them to pay for it even if that's going to come at a cost of you having to sit there for a year or two right some of them say you know for every 2 500 that we're going to contribute to your education you need to give us one year back that's fine because now you have in your in your head i am getting this out this this is the value i'm getting back for contributing to this organization for two years and i've done that as well i've had to go two years for sanserts etc and and that's that's another variable of if you're going up against a couple of companies

that are all looking to hire you you could say well this one's going to offer it that i have to stick around for two years maybe you could do it for a little less you can play those games a little bit but definitely make sure that you're interviewing them you're asking for what certifications are going to cover if there's other opportunity to move laterally within the organization if you're uncomfortable you know if it's a i come in i don't like this job don't necessarily just leave just see if they have the appetite to move to a different position also very valuable because that's how you you want to build that relationship with your employer that you're going to

give them as much effort as possible if they're going to take care of you as you grow your career and often you'll find they'll help you grow as much as you want even paying for for full degrees all right that didn't actually answer your original question yeah i think so i feel like this is like i feel like this is like the hacker job fair what else what do you got for us what do you got what do you got outside a bunch of questions that actually gave me i was just joking on some of those but let's go for the worst ones uh starting with snow uh i'm just kidding no the one that

I liked, he didn't like the rest, is "why I don't want to be an X." Like, why wouldn't you want to be a pen tester or a consultant or a threat hunter? Like, let's hear the dirty... To qualify, or to provide some backstory here: we all work in different areas of the industry, so my perspective of your side of the house is very different than your perspective of mine, so this will be fun. Why I don't want to be a pen tester, why I don't want to be a SOC analyst, that's kind of where I was going with the intent of that question, because I feel that what we've run into now is a lot of people entering into the market jump into "I'm gonna hack, I'm gonna be a red teamer." Why? Have you thought that through? Do you understand the complexities of that? Okay, fine, I wanna be a SOC analyst. Are you aware that's not a tier one position? Like, that's not an entry-level position. There's a lot of these things that the industry as a whole can't agree on, and so I was hoping to have a dialogue on why wouldn't we want to do a specific job over another as we're growing our careers or getting into the space.

Okay, so I'm going to take that, but I'm going to take it a little bit of a different approach. So I'm going to look at it more from consulting versus working in an internal organization, kind of pros and cons of both. Now, I have seen people that start off working internal, whether it's red or blue side, and then they move to consulting, and it is a game changer, right? The pace is completely different. You have one client, you normally have a couple weeks, months, whatever it is, you have to pump out a report, and next you're going. And if you're a consultant right now, it's key for, like, thoughts and prayers. I'm so sorry for you. You shouldn't be in this room.

Yeah, you should be working.

Yeah, I'm not like... they're not emails right now. Yeah. But I think that there's definitely pros and cons. I think entering into the field, I honestly think consulting, because it's in my opinion a little bit more stressful, would be a good way to start, right? You're kind of getting in there and you're being put to the test, and then moving more towards an internal role. That's just my thoughts. I can see both sides, honestly, but that's kind of...

Yeah, I think, like, as an example to that is being in incident response, right? So I'm on the blue team side of the house now. I come from a red team background. Well, to be fair, my intro to the industry is that I just committed crimes for a decade, and then it turned into a career that was more savory. But let's say you're in incident response. If you're internal incident response, then you're tasked with making sure that all the mitigations that your organization has put into place are effective in keeping the bad guys, or threat actors, out, right? That's incredibly stressful when you think about, like, okay, did we do everything right today? Did anybody get in today? Did all of the alerts fire that should have? That kind of stuff. Where if you're doing consulting as incident response, you get a phone call that says such-and-such organization has been breached. Friday at 4 p.m., yes, of course, always. But such-and-such organization has been breached, we need you to come in and either supplement that organization, or you are the incident responders now, and you have to come in and figure out, more investigatory, like, what happened and how do we get back to normal. Now, you weren't responsible for that breach, or part of the responsible party for that breach, so your level of stress is a little bit different, right? Because it's not your organization. So somebody's not like, "Oh, you work for XYZ organization? Oh, you guys got popped." Now

you're saying, like, "Oh no, I was on the team who helped them get right." So you can be in incident response, but the roles, whether you're in consulting or sitting behind the keyboard in that organization, become totally different. Now, as a consultant, though, you go into an organization after a breach, and this is where, for me... Oh, by the way, hi, I'm Grifter. I am the global lead for active threat assessments for IBM X-Force. So that means essentially our threat hunting for companies, going in and seeing if an attacker exists within an environment without evidence already that they're there, right? So we go in and do threat hunting, we're going to check to see if somebody's in that environment. Having the responsibility at the end of that engagement to say "there are no attackers currently persisting within your environment" is incredibly stressful, because what you're doing is putting your name down and saying we have done everything, and we have used our resources and skills to determine that there is not an attacker within this environment, or, after a breach, the attacker is no longer within the environment and we have shored up your defenses so that they will remain out for nebulous time periods.

I'm, like, sweating listening to you.

Right, exactly. Nerve-wracking. So it is stressful in different ways. That piece of it is why, if I was, like, playing devil's advocate and being like "don't go into incident response" or "don't go into threat hunting" or whatever: unless you can say "I can handle the stress of going, this house is clear," right? Like, man, that's heavy. That's heavy when you do that and you tell a customer, "Yeah, you're good."

"Why I don't want to be X" just turned into "why I don't want to be Grifter."

Yeah, even though my bio says otherwise, if you read it.

That's exactly right, though. It's on the consultant side of the house, there's not the backup. You gave me an interesting perspective. I came from the customer side, I should say the institution side, and grew up 15 years in that space, and I'm now on the consultancy side, and I don't know if I'd want to go the other direction. That scares the heck out of me. But to your point, that stress or that expectation when you come in as a consultant, you are expected to be the expert. That's very stressful. I wouldn't necessarily want to do that out of the gate. But that also means that you're pushed every single day to learn. So it's a whole other level of growth on the consultant side, where you usually get access to resources to learn and grow, because you are expected to be the expert and to say your house is clear, and in order to do that you have to have a constant state of development in your own personal skill sets. And so it's a very interesting and exciting side to be in, but why I don't want to do that would be the stress, because you, at the end of the day, have to be the one that puts on paper with your name whatever the report that you're delivering says. And if that's not accurate, they come back in six months and say, "Actually, plot twist, they were in our environment for another eight months after that." Like, whoops, you know, that's on you. And that's not just with IR, really any engagement you do on the consultant side of the house. If you don't deliver it right, it can lead to problems later on, because they are expecting that whatever you put in the report is exactly what happened, or is in place, or is architected, or is configured. So be aware of that.

We also get into a scope issue, right? You're doing a pen test and half of their IPs are out of scope, and you say they're good to go. You know, you don't find that many vulnerabilities, they think they're good, they don't remember that they have that out of scope. Or you have a certain amount of hours to test in, right? Attackers don't. So, yeah, you have that working against you. Like, there's a lot. You only have like a 40 to 80 hour engagement, and you're like, "Yeah, you're clean for the 80 hours that I tested you." No one puts that in the report or tells that to leadership. They just say, "We had a pen test, we're clean," even though you might actually have evidence that the out-of-scope IPs have information that is easily accessible, but you just can't touch it because of the scope. So scope is always fun. There is never any scope. Again, probably didn't answer your question.

Yeah, that's fine. This is entertaining.

It usually is. We're just gonna give this thing now. We all stressed ourselves out. Now I'm just, like, completely stressed out. Now Grifter's gonna beatbox. All

right, so let's pivot a little bit. What is the way that you make your jobs fun? Like, we all need something that keeps us involved that is, you know, not exactly what we do for our day job, isn't it? Snow breaks into companies for a living. What's not fun about that?

These two found jobs that I actually really enjoy no matter what, because at the end of the day they could say, "Yeah, you're vulnerable," or "Here is your data center badge," or "Yes, we found this, have a nice day," and at the end of the day, after you've done your job in the consultant world, you kind of move on to the next problem. You don't have to drag that out, and so that's fun. It's fun that you don't have to think about it for six months.

Yeah, I agree. Another way that I make my job more enjoyable is I love training. So we have interns, apprenticeships, co-ops, externships, a lot of "ships." But I love being involved in training new people. It's like one of my passions. So that's definitely a way where I'm able to knowledge share and then see people grow. So that's one of the ways I absolutely love.

It's a good way to put it. Like, mentorship as you're progressing your career. Find a mentor and be a mentor is really critical, because you can be both at the same time. What I really enjoy about my job, or how I keep my job fun, is when I find an area that I don't want to work in, I can hopefully try and bring someone else into that that is really excited about it. So one of my skill sets is finding people, finding opportunities, and connecting them. I don't need to do the work, and so that's what I feel I'm really good at. And as a result, I get to work on things that are enjoyable from, like, a high-level architecture perspective, but I know that there is an engineer that really wants to get into the details, and I can say, "There you go," and I get to move on and back to the next happy job or next project. So that's how I enjoy my job and keep it fun.

I just really like finding attackers who are hiding really well, right? And then when you have that kind of "aha" moment, when you see something and you're like, "I got you, sucka," right? Like, I don't know, I really enjoy that. Like, there is that... I don't know, like, you feel you're an investigator, right? And I mean in the nerdiest way possible, but you're an investigator. So I get that, like, Sherlock Holmes moment where you see that breadcrumb that you start to follow, and it leads you to an attacker hanging out in an environment. I just get a rush from that. Probably always will.

What about bad attackers? With, like... I mean bad, upset, like really obvious?

Oh yeah, well, that's fun too. Like, I mean, finding stuff where you're just like, how... like, where you go, "How did no one see this?" Right? Like, they're literally just stomping all over the place.

You know, I'm just waiting for a Grifter takedown video where he joins the FBI on a raid. "I found you, and I'm going to knock on the door."

So, I mean, Pope and I were hunters together at RSA before we've gone on to different places. But one of the most, like, kind of moments where you just go, like, "That just happened," is when you're... and I know you've had this experience just in the last couple of weeks, because we talked about it... but where you go to demonstrate what you're about to do, like you're trying to explain to somebody what a threat hunt is, right? And what the actions are that you're going to take to hopefully find whether or not an attacker is within the environment. And so you give them an example of something really simple, where you just go, like, "Let's look at this," and there, and you're like, okay, and then you go, "Well, that's weird," and then you start to go, and you find an attacker within moments of arriving on site. Like, there's so... so that happened.

Pumping those ROI numbers, right?

Yeah. So, like, there are times where it's like blindingly obvious. And I'll just... I'll story time with Grifter for, like, you know... no, you know, I won't. Let's save story time for the... let's do hallway con.

Yeah. The common theme there, though, is the best dopamine hits come from a lot of stress. So to keep your job exciting and interesting, it may be counter-intuitive to say, "This really sucks, I'm going to keep pushing through," but once you get that aha moment, or you get over that hump, that's the best endorphin. It's... yeah, and it just keeps you going. So don't avoid the stressful or the difficult just because it's boring or monotonous or not fun, because it will get you to that next level of "Oh man, that was amazing, where's the next one?"

Well, we've got about probably five more minutes. What's that? That's a time check, because we'll keep going. We've got three great storytellers up here. Does anybody have questions for these people? I was like, don't raise your hand, Pope, because there's a mic right behind Pope.

So this is a question for all of you, but particularly for Snow. What is the most absolutely wack, you

didn't think it was going to work thing that you tried that ended up working?

Okay, so this was actually the last physical pen test that I did, right before COVID hit. It was the first week of March in New York City. I was in the county... I was in... it was, like, during when everything... their first case broke out, so everyone was freaking out. But the thing that I did that I didn't think was going to work: so I was breaking into this building, and I found online they had a form to print out and fill out information to get a guest badge. You didn't even have to go through any, like, logins or anything. It was just online. So I printed it out, I filled out my information, and I show up to the security guard to see if he'd give me a guest badge, and he did. I was really excited. So I kind of thought that might work, and it worked. But this is the cool part. The next day, what I did is... the pass was just a paper. So the next day I just cut out a piece of paper from my hotel room, like the little cards, and I was like, I'm gonna see if this works if I just flash this to him. Nothing is on it, and see if he'll still let me in. I'm like, okay, he's gonna catch that. And he didn't. So I still got to go in. So that was a pretty exciting one.

Like psychic paper, like you were the Doctor.

Yeah, the Doctor Who trick. Yeah, yeah. Yeah, I guess so.

So mine also comes from... so I still do consulting, like red team stuff, because it's just fun. So while I live on the blue team side of the house most of the time, I still like to break into places. And in this one particular engagement we had essentially access to not only their surveillance system but also all of the electronic locks, and we thought maybe we could trigger this remotely and open a door. And in this situation we were in a satellite location where it was very Hollywood-y, right? Like, we had to jump over a barbed wire fence and do all, whatever, moving the security cameras, all this stuff. And when we got to the door we called back, you know, on radio to overwatch, and we were like, "Okay, we're at the door," and the guy sitting back behind the keyboard, you know, goes, "All right, opening the door," and it went beep and it went green, and we just kind of looked at each other and we were like, "No way. No one got this on, like..." That just happened. Like, I mean, it was the most, like, Hollywood nonsense that we'd ever done, and it just was really, really satisfying to be like, somebody three miles away just triggered this door and it let us in. And so, yeah, we were just like, "I can't believe that actually worked." And we had cloned badges, so we were ready to go in anyway, right? But just standing there going "open the door," and then boop. We're like, "No, I told you we should have bought the GoPros."

Yeah, totally. Somewhat insulted. I thought you were gonna go for the fingerprints.

You know, I thought about that right after I said that story, because that's my story, not the fingerprint one, because it wasn't me.

So, I can't provide too much backstory, because that'll take more than five minutes, or two minutes now, if that. At SAINTCON there's a contest called The Vault. In the first year that it was run by Nate and Chunk, you had to break in, and you got into this box, and you got a tamper-evident bag out of it. You didn't know what was in it. So then the idea was to try and open up the tamper-evident bag without someone noticing, and you had to return it, and inside the tamper-evident bag was a USB stick, and the USB stick contained, I think it was a dump of /etc/shadow or something like that, and you had to grab that, crack it, and provide the password to win. Well, we didn't want to open the bag, because we weren't very good at tamper-evident, and so we said, well, why don't we just tap the USB stick through the bag? Like, is that possible?

I remember that.

We didn't know if it was possible, so we're like, what would it need? Well, probably some, like, lancing needles. Where can we get those? Walmart. Okay. We got to strip apart a USB cable, and what wires do we even use? We should have read the USB spec prior to doing this, by the way. So we were able to do it. We had to create a jig to get through the tamper-evident bag and find out how to tap the contacts, and you have to find a spot in the bag that wasn't gonna be noticeable, because it was probably to burn the bag. And when we're hooking it up, we're getting USB connectivity, and we didn't know how long we had or how much we had to stay on the contact. So I'm trying to refresh it and trying to copy down the data off the USB stick, and Henry, who was with us, he was holding the needles, and of course Dark Matter was involved, as he usually is, and he's over there screaming at all of us. Actually, well, what we didn't realize was USB has a gauge-of-wire requirement spec, I think it's like 26 gauge or whatever, and the lancing needles were not that. So as we're communicating with the USB stick, trying to pull this data off, the lancing needles are burning hot and burning Henry's fingers, and so he's still holding them, trying to maintain contact. I refresh it, it pops up as a USB device, I mount it and extract it, and we get the password file off the USB through the tamper-evident bag before we burn the cable. And Dark Matter was able to crack it in like five seconds. So that's probably the gangster... yeah, for a contest. For a contest. But the point of that being that aha moment: we had no idea, everyone just... you just pushed yourselves to "What can we do?" And that's where you get the biggest aha moments: "I can't believe that worked." Try things you don't think are possible and you'll get that.

Anybody else have any questions? Well, I think we can adjourn. I'd like to thank all three of my friends for being up here. It's good to see you all, and more conversations in the hallway for sure. Thanks.

Thanks for having us. How we can next... thank you.

[Applause]