Security Happy Hour

Exploring Offensive Security, Red Teaming and Pen Testing: Uncovering the Ethics, Challenges and Future

July 20, 2023 The Cyber Warrior Episode 133

Are you curious about the world of offensive security and the role of red teaming? Get ready to unravel this complex realm with our guest, Phillip, an expert with deep insights into these fields. We take these intricate topics head-on, and together we dissect the unique tools used in pen testing, explore adversary emulation in red teaming, and highlight the key differences between them. This thought-provoking conversation underscores the essentiality of ethics and timing in pen testing, as well as the necessity of responsible bug reporting. 

Embodying empathy and following best practices in pen testing can make a world of difference, and Phillip sheds light on this vitally important aspect. We discuss the need for proper documentation and the cleanup of any backdoors, accounts, or tools used during tests to ensure optimal security. As we delve deeper into the realities of ethical hacking, we shed light on potential pitfalls, the importance of comprehensive testing, and the high stakes of staying within scope during a pentest. 

As we near the end of our riveting conversation, we touch on the transformative potential of AI and Machine Learning in offensive security and red teaming. We discuss the impact of AI-generated malware and the challenges that come with it, all while giving you resources to stay engaged and informed in this ever-evolving field. We even manage to squeeze in a discussion on the security environment of Apple AR devices and how it stacks up against others in the market. Tune in and join us for this enlightening journey through the world of offensive security and red teaming!


Merch: https://cyberwarriorstudios.com/store
Youtube: https://youtube.cyberwarriorstudios.com
Twitch: https://twitch.tv/CyberWarriorStudios
Twitter: @CyberWarriorSt1
Discord: https://discord.gg/eCSRzM6mJf

Speaker 1:

And we're back with another amazing episode of Security Happy Hour coming right at you, and I am the Cyber Warrior. This is Cyber Warrior Studios, and I know you're all here, you're all ecstatic, you're all ready to get started with your weekend, and what better way to get started than right here, right now, tonight, because that's how we do. I promise, if you hang out for just a little bit, as always I'll be right back and I'm back. And, yes, you'll notice my guest this evening is missing. He's a little MIA. He might be running a little bit late trying to get ahold of him, but that's okay. We're still going to talk offensive security, because that's what this show is all about today. But, without further ado, let's discuss it a little bit while we wait for Phillip to get here. Before we do hold on, let's see if the bottle has the same sound as the can. I doubt it, but we're going to try. All right, close enough. That's a kickoff to Security Happy Hour. So I say that because I don't know where Phillip's at. I messaged him on LinkedIn and hopefully he gets here soon. But as we go about things and we look at offensive security and we look at the ways to get into the field and all the different things that go about it.

Speaker 1:

I got to ask, and I ask people all the time. So I want to hear in the comments. I do, I want to know. All right, hey, what are your questions about offensive security? Because when Phillip gets here we are going to inundate him with a ton of questions, all right, so I want them there. The other thing is, what are your opinions on red team, offensive security and things of that nature? Because when I think about it I have my own outlook. I've been a pen tester, I've been on red teams, I've been on blue teams, I've worked very closely with GRC teams, so I have a vast array of experience in all areas. I've just never been fully ingrained in GRC. Blue team, red team all day, GRC not so much. So I can answer a lot of offensive security questions, but I would like to know your thoughts and opinions on offensive security, team red attack.

Speaker 1:

Go forth and break down the barriers. Yes, you nailed it, that is what it is. It's go through and screw it. Let's just break it all down. Let's get in any way we can. Let me put this up real quick. There we go, and I'm going to yell out Phillip for being late. That is, my beer overflows. Welcome all newcomers. Did I really put that up?

Speaker 1:

Oh, you're awesome, Andrea, I didn't even know I shared that. "I am interested in red team." Does it mean, hold on, wait, "I am interested in becoming very bad. Does that mean I am interested in red team?" It really depends. I mean, as long as you're doing it legally, then yeah. If you're doing it illegally, that means we have to have other discussions, not on air where everybody can hear. "What does offensive mean to you? What is red team?" Oh, I love that question. So offensive is, I don't even want to say ethical hacking, because hacking is a mindset. Well, hackers, hacking, it's a mindset.

Speaker 1:

Offensive is breaking into things, it is doing things in such a way that you are exploiting weaknesses, vulnerabilities, things like that. And it could be physical, it could be social engineering, it could be you name it. There's a ton of different things. It could be software vulnerabilities, coding, a bunch of things go along with that. So that's offensive, it's attacking, it is being on the offensive. It's a straightforward meaning. Red team versus pen testing is a whole different can of worms, because when you look at a red team, and this is my opinion and other people may have a different opinion, and actually Phillip has showed up, he's here, so there he is. What's going on, Phillip? You're a little bit late today. Man, you're killing me, Smalls.

Speaker 2:

Sorry about that. Yeah, I had a call from someone and I didn't want to be rude and get him off the phone, and then I'm joining from the road. I'm here for BSides San Antonio, teaching a web app pen testing workshop. So having to use my laptop, using, I know the pain.

Speaker 1:

I know the pain.

Speaker 2:

Using my janky gear.

Speaker 1:

Actually, I'll be doing that next week at New Jersey Cyberfire Sites with Alex Wainstrop. Wainstrop, I forgot how I pronounce the last name, but Alex, he started it back during COVID. It's his fourth year doing it, so I'll be going up there and doing a live show on the next, I believe it's actually this Tuesday. I want to say it is the 13th. So, yes, there will be two Security Happy Hours next week, one live from a conference and then one next Friday. But anywho, Phillip, since we have a question up here already, I'm going to finish addressing this red team versus pen testing, but then I want your take on Griffin's question and I'll flip you to the top once we get to that point, because it's on your face right now.

Speaker 2:

Yeah, that's, yeah, one of my biggest pet peeves working in offensive security when you know the difference, yup, and you hear someone using it wrong. But I mean it's just a matter of just generalizations, because some people call all defensive stuff blue team and some people generalize all offensive as red teaming, when red teaming is actually more adversary emulation. So you're saying yeah.

Speaker 1:

That's what I was going to get around to is, you know, pen testing is using the tools, being loud and obnoxious and just trying to see if there's any vulnerabilities that you can get into. The point is to get caught. You want people to see you. And then the red team is you're trying to be more adversarial, you don't want to get caught. You want to be as quiet as possible, you want to be able to use tools as minimally as possible, you don't really want to trigger signatures and you're trying to see if you can bypass things. So that's my take on red team versus pen testing: one is quiet and adversarial, one is I'm just going to be loud and obnoxious, find the low hanging fruit or as many holes as possible in as short an amount of time as possible. So that's my take on the two. But I'll let you address this question while I got you here.

Speaker 2:

Yeah. The difference is, with a pen test you're looking for all the vulnerabilities that can be exploited and exploit them. With an adversary emulation or red team you're going in trying to emulate a real world threat actor. So with red teaming you're going to leverage things like phishing and social engineering, even some physical security assessments. And they're both important, because if all you did was red teaming, your company needs to be mature, your security posture needs to be mature before you move to doing the red teaming. Because with the pen testing you're trying to find all the exploitable vulnerabilities and exploit them and see what you can do.

Speaker 2:

With a red team operation you're going to look at one or two ways in, emulating an APT or just coming up with your own type of attack path. And you hear a lot of times about people maintaining access. This is really where you use that more, in the adversary emulation or red teaming, trying to maintain access, trying to be quiet, trying to go undetected. So you're also testing the detection capabilities of the people and the systems. The founder of Dallas Hackers Association has one of the best descriptions, the most simple that I can think of: the red team tests the blue team.

Speaker 1:

And that's what I was going to get to, because someone said something about purple team here in the comments somewhere and I'm sure I'll address it, but I want to address it now. In your opinion, what do you feel brings more together a purple team, a pen test with a blue team, or a red team with a blue team? So, if you were trying to be quiet, that's more testing the blue team and you should be able to say, hey, do you see this? Do you not see this? Or do you find more penetration, testing, running the tools and being like, hey, if you see this, like this is what I'm doing. These are the logs that you generate. Are you tracking it? Are you catching it? So which do you feel fits more into a purple team engagement?

Speaker 2:

I kind of think more of the pen test team, because you're going to use as many of the tools, I would think, as a red team would not, because you're trying to execute everything, whether it's noisy or not, to see if it's detected. Because, for instance, you don't need to be able to run Mimikatz on a system, and a lot of times when people are running red team exercises they're not using some of those tools. So I think it's kind of good to use, you know, kind of like the pen test team to execute those, and it really doesn't have to be the one. Because whenever I was a red team lead at a global consumer products company, we did some pen testing and red teaming. But during our red team or purple team exercises we brought people on, or had the blue team, trying to see if they could detect what we're coming up with, what we're testing. And it's very important you do that, because I did a pen test one time for a company and the CISO I knew there was really sharp.

Speaker 2:

They had a lot of tools and stuff, but they didn't have things really refined enough to catch stuff, because there was just so much noise they missed stuff. So we were going in there. We were down to, it was kind of like a full scope pen test. They were kind of wanting us to try to go undetected. We got in there and we were running so short on time I was running Nessus scans, nmap scans, running Responder, running them all. Yeah, just like a network Armageddon, and I wasn't even detected. I wasn't even detected.

Speaker 1:

So that's crazy. And the weird thing about that is so, when I look at it right, and because you've been doing the red team thing longer than I have, I did it for a little while. I had studied it for a while, got into it for a little while and then moved out of it and gotten to more consulting. What do you think gives? Do companies give a longer range of time, a red team engagement or a pen testing engagement? Because from my experience usually get about a week for a pen test, maybe two weeks if you're lucky, and then two weeks to write a report. I've never been able to do a quiet red team assessment just because the companies I've dealt with that they weren't ready for it. There was no way that we could, you know, sell that to them. It just made no sense. Your security was not in the right spot.

Speaker 2:

Yeah, to do those right you need more time, and just a good example is Jason Haddix just went to work not long ago for BuddoBot.

Speaker 2:

They're a company that specialized in red teaming and some of their engagements are year long and that's really when you're getting more into emulate a real world threat actor.

Speaker 2:

They're trying to be quiet. They're doing this for days, months. They could be even in there for years, because, like one of the video game companies that was hacked, they were hacked by China and they were farming credentials or farming stuff from that environment. They were in there for years before they got caught. So you're trying to emulate a real world attack and you're wanting to try to be quiet and trying to use some of the tools that more mimic what the real world people are using, the threat actors. And one of the things, if you look at like ransomware or some of the stuff these ransomware gangs are using, those are tools that you need to kind of test in your environment, because you know they're depending a lot on the living off the land binaries and tools that are installed and different resources that are installed by default in systems, without having to throw off, you know, throw red flags by running Mimikatz or Metasploit.

Speaker 1:

You too, baby. You too. It is an amazing tool. Actually, I thought about that one. I found out about that one, I think, like a year or so ago. They were like you start you too, because I was trying to work on something and I was like, what do you mean? You start you too. And then you do a little bit of research and it's like, oh, it can download an entire payload and do all this stuff. I was like, oh, my God, this is so bad.

Speaker 2:

Yeah, it's pretty crazy what all you can do with that. And it's kind of funny, going back years ago through like a vulnerable VM, there used to be a version of nmap that was exploitable, that you could use kind of like a LOLBin pretty much.

Speaker 1:

I still use that version of nmap because it has the dashy for execute. It is an older version. The newer versions, they got rid of the dashy. You can't execute a binary or any .exe or any command with the newer versions of nmap, which kind of sucks. So I have to always go out there, find the older versions and use them. But I do have another question here, and then we're going to let you talk a little bit about the Phillip Wylie Show, give a little bit more of an introduction about yourself. But Griffin Infosec, which was a follow on to this question: how about the ethics when it comes to being offensive? And there's a lot of ethics that go into it, because there's a lot of things you can find. But I'll let you address this.

Speaker 2:

Yeah, you definitely need to be ethical about it. When you mean being ethical, you know, one of the things, if you're a pentester, you're making sure you're staying within the scope and the rules of engagement. As far as doing things on your own, you want to make sure you're being careful with that, because if you're doing bug bounties or those sorts of things, or maybe you find a bug on someone's website, make sure you're reporting those responsibly and staying within scope. That way you don't get in trouble. But yeah, you just want to make sure you're ethical. Another thing that I think helped me, because I come from a sysadmin background, so I knew if I went in and blew up someone's environment, some poor dude, or a woman, was going to have to go through and reinstall their OS, you know, restore it from backup.

Speaker 1:

Rebuild the active directory infrastructure, because I've been there before I had that stuff break and you just kind of have empathy for them.

Speaker 2:

You don't want to. You know, and one of the things too is, you know, when you're finishing up the pentest, make sure you document any backdoors, any accounts and stuff you have, or any tools you installed and where they're at, so they can do a proper cleanup. Let them know that, because when you do that you're going to get return customers. If you're ever working as a consultant, you get paid your bonus on billable hours and you want to be the one that they ask for back. And so you want to make sure that you're not disruptive, you're not overdoing the scanning speeds on masscan or something, causing disruption.

Speaker 1:

Making sure not to use any of the DoS modules in Metasploit. Yeah, definitely, and not just that, but I think it comes down to, you know, even as a pen tester, you should be trying your best to clean up your own tools, clean up your dirty work, cause you don't want to leave the holes there for somebody else to get into. You know, especially if you're testing things like ransomware and WannaCry and things like that, you don't want to leave those payloads there that an actual ransomware group would go out there and be able to utilize. So I do know there's like Metasploit modules out there and stuff like that that allow you to test for these things. You don't want to leave the .exes there. You really don't. Just saying, yeah, bad idea, yeah.

Speaker 2:

Cause the bad thing is, you leave that and someone else, you know, a threat actor, comes in, they've got access to it. You're leaving the company vulnerable. I heard a while back, it's been probably last year, I listen to the Black Hills podcast a lot, and they were talking about how they've done engagements behind someone else and found that someone had a shell open running there for who knows how long.

Speaker 1:

All bad things, all bad things. So I got about six more starred comments here. But before we get into it, because I gotta say I'm excited for you, I am, I am utterly and completely excited for you for the new show, because you're going out on your own, you're separating yourself from others' control. As good as, you know, ITSP Magazine has been to a lot of podcasts, you've made the decision to kind of go out, market yourself and go out on your own. So give us a little rundown about kind of, you know, what the Phillip Wylie Show is going to be and, you know, what it means to you and why you're doing it.

Speaker 2:

Yeah, and just to go back to ITSP Magazine, they're doing a great thing. They've given people a lot of opportunities to start in podcasting. So, like for me, the first podcast I did over there was with Alyssa Miller and Chloé Messdaghi. We did The Uncommon Journey, and then it was, you know, trying to coordinate. You know, it's enough to try to coordinate one schedule and a guest's schedule to get on your show, much less three people and a guest. So they reached out to me about doing my own and it's been good, and it's been a good experience. But one of the things I kind of thought, and at the recommendation of some others that are much more successful than me in content creation and podcasting, even when I was on David Bombal's show, he told me I should do my own thing, and part of that is it builds in more seamlessly with my brand. I do workshops and I've done streaming before. I was running the Pwn School project, and these are just things I can do all seamlessly under one brand, and it's not confusing. If you're doing this, what is this? And people don't know what you do, and it just makes it easier for people to find you, and the recommendation was even just use my name to make it easy to find. They said, do you want to build a brand you're trying to resell, or do you just want to build your own brand? I said I just want to build my own brand. I'm not really concerned about, you know, creating this different thing, because I've done that with Pwn School and other things. So, so yeah.

Speaker 2:

One of the things I want to do too is I'm going to keep some of the same formats, where, like when you're on the show, I interview people, ask them their background, advice on how to get in, their thoughts on certifications, degrees and coding, that stuff. Those are really similar shows in those formats. But I wanted to also expand where I have some episodes that are more technical in nature. I had someone on that created this project called Pwn Cube. I had him on ITSP Magazine's The Hacker Factory, which I do for ITSP Magazine, but I want him to get on and talk about his project. So, a vulnerable Kubernetes install so you can practice pen testing.

Speaker 1:

Oh yeah, oh, my old boss, the owner of my old company, would love that. I got to send it to him so he knows about it. Because that's utterly amazing, because I haven't seen that yet. I've seen like vulnerable Docker containers. I've seen pwn machines and labs, not with Kubernetes. So I'm going to have to send that. Do me a favor in the comments, if you're on YouTube and can leave a comment, drop a link to there. Also, send it to me on DM. I want to send that to my old boss, or my boss's boss.

Speaker 2:

Okay.

Speaker 1:

The last company I work for because he does all Kubernetes and cloud and everything I want to. I want him to listen to that one, because that'll be a.

Speaker 2:

Yeah, yeah, I'll send it to you. But yeah, it was a good episode, because it's interesting, the story of the person that did that, Kenny Parsons. He used to be, he was like a project manager and he had kind of like an IE background, and he left. He was working at SES Solutions. He went somewhere else, I think he was a project manager for them, but he got more into the technical side of things, got into containerization and all that. So he's spoke at our DC940 meetings a couple of times, he's done Docker talks, and so, at any rate, he came up with that. But another thing is too, like during, on ITSP Magazine for The Hacker Factory, I had harmj0y on. Oh yeah, he was sharing about some of his research and it really didn't fit into the format of the show. But I'm going to have more stuff like that, people coming on to talk about their tools. I have the creator of Trickest.

Speaker 1:

So one of the ones I would suggest, and I'll see, so I think he shut down his project because I'm not in his Slack anymore: Lee Baird, who had created the bash script for the Discover tools. So I don't know if you had ever used the Discover script. I don't know if you've ever heard of Lee Baird.

Speaker 2:

I've heard Lee Baird.

Speaker 1:

Yeah, I was in his Slack channel for a while, helped him out a little bit along the lines of his git repo or things like that. But I never really understood open source coding in the form of, like, git pull requests until I worked my last job. So I wasn't able to really. I'm on, I'm doing my show, I'm going to talk to your mother. So I wasn't able to do all that.

Speaker 2:

She's probably in the garage Bryce. Word with your mother.

Speaker 1:

Right. So I wasn't able to do all that, and so I don't know if it was just like, well, he's not helping anymore, or if it was, you know, whatever, but either way he'd be a great person to have on, because his Discover scripts are fantastic for the open source intel, like that type of offensive security, your initial recon and things like that.

Speaker 2:

Yeah, speaking of Trickest, they have a really cool platform where they automate workflows, because Nenad, or, I may be butchering his name, but anyway, he was a pentester and he still does bug bounties, so he was automating his workflows, and this is not just scripts. He came up with a GUI interface to set this up, so it's a really cool tool. But another one I wanted to have back on, because they had Jeff Foley, the creator of Amass, on The Hacker Factory, but I want to have him back on to talk about Amass and reconnaissance and attacks, so it has gone above and beyond what it was originally designed to do.

Speaker 1:

Because now, correct me if I'm wrong, and then I want to get into this question from Peter Lee, but Amass, when it was originally created, was just supposed to be like a mass scanning tool where I could like scan the entire internet in, like, I don't know, less than a day, it was like maybe less than an hour even, how quick it was designed to do these scans, and now it is an almost full fledged, like, pwn suite where it'll find a ton of shit in little time compared to, like, say, running nmap across an entire, you know, internet scope.

Speaker 2:

Yeah, it's originally a reconnaissance tool, but it's really turned into a full fledged attack surface management tool.

Speaker 1:

Yeah, that's and that's that just amazes me, because I loved what it was and then I went and looked at it and was like Holy shit, what is all this?

Speaker 2:

Yeah, it's pretty cool. There's some companies that are using that for some of their products, using that in the background as one of the tools.

Speaker 1:

Yeah, definitely. So we got Peter Lee. I'm gonna throw this up. Do you find that offensive has been too glorified and getting inundated with new people?

Speaker 2:

I think it's. It seems super attractive, it is glorified. People, in some cases people don't know about other areas of cybersecurity. So this is the only thing you're really hearing about if you're outside, and I'd say, if you're not an IT or security then the only jobs you hear about they always think about ethical hacking. So I think there's a lot of people trying to get in and get the job. So it's one area because it seems fun and everyone wants to do it. So I'd say, on my opinion, I think you're probably gonna get a lot more people trying to get those roles than maybe some of the other areas because it seems sexy and fun.

Speaker 2:

But whenever and not to discourage anyone from doing it, but a lot of times people don't realize you have to write reports. Sometimes you have to work some really messed up hours. I had an airline that I used to test when I was consulting and I had to test between 6pm and 6am and I would be on site out of state like two weeks in a row. So I had to get all that wrapped up. So a lot of times I was spending 12 hour days. Some people that doesn't bother, but some people it does, and so those are some of the things writing reports. Sometimes when you're doing the debrief with the customer, where you're reading the report out, sometimes they get offended because sometimes you got these Linux administrators that this is their baby and they don't believe this is vulnerable and it can't be. But you show them you have to make sure you really document this stuff well.

Speaker 1:

It's Linux. It can't get any malware or get breached or anything.

Speaker 2:

And then you got people that, like, don't want it in the report, they try to negotiate the risk of it, try to talk you out of it, try to talk you out of things on the scope of the pentest, negating the real reason for a pentest. You want to find the vulnerabilities. We're not trying to eliminate stuff and trying to give you a nice looking report that doesn't accurately depict your environment, because you need to remediate these things to prevent a breach.

Speaker 1:

And that's been the biggest thing for me, right Is when I look at it and when I was doing pentesting and stuff, listening to some of these scopes. Some of these scopes would do one of three things. They'd either eliminate the production environment and like only use test and dev, or they'd eliminate test and dev and like only do the production environment. I'm like, if I can access any of those through your network or through the outside, you might want them tested, because, guess what? The attacker doesn't give a damn if it says test or dev, that's probably the first one they're going to go for. And then, on top of that, if you have a link between test and dev to production, well now I'm just going to run ham because test and dev is going to be production, or at least it should be.

Speaker 2:

Yeah, so it's rough. A good example of that is one time I was doing an external pentest, back when I was still consulting, and through a SQL injection vulnerability I was able to get command line access. They had xp_cmdshell enabled on the server. I was able to get on there, dump credentials. This is back in 2014.

Speaker 1:

So was it really running server 2000?

Speaker 2:

Probably. I don't remember, but I was able to get on there, dump that password hash and crack it with John the Ripper in less than 20 minutes using, like, all the default stuff, and now it would take you, like, 30 seconds, and so it's "password", all lowercase, and the number one. And whenever I submitted the report to them they said, oh, we knew about this, it's a development environment. I got into that from the internet. I am sure that you're not segregating that off from anywhere else.

Speaker 2:

So if this had been, like, a network pentest, then I could have pivoted to other servers, but it wasn't. I was following the rules of engagement and staying within scope. But this is some of the cases there. And then, when you mentioned if it connects on the same network, a lot of times too you got to look at, how many times is people's dev environment identical to prod? They're going to update or fix something here and they don't fix it across. Everything is to be tested, and I really don't like the idea of doing a sampling of an environment, because how are you going to guarantee it's all the same? If you're sampling 10 percent of it, I guarantee it's not identical. So that's just.

Speaker 1:

Yep, and you're going to have different software. You're going to have different things. You're going to have different patches and updates. Maybe somebody didn't reboot their Google Chrome that day, so now I've got a Chrome vulnerability that I can exploit. Or they didn't, you know, they didn't update something else. Or, hey, I know you said to restart my computer, but you give me a month. I'm going to wait my month and it's just not going to happen. Like, these things matter, and if you're not willing to test it and test your entire environment, there's an issue, and that's been my biggest issue with offensive security. And one of the reasons I'm happy not to be a pen tester anymore is because I got tired of the check-the-box attitude behind these engagements of, look, I just need something to give my auditors. Can you please just go do this for like five grand? Like, for what? Like, no. That's a vuln assessment. That's me running Nessus and saying, here you go. That's really all it is. So that's the way I look at it. It's just, it's.

Speaker 2:

I'm so glad not to be a pen tester anymore. It's interesting too, because there's a guy that is really well known. He's a SANS instructor. I'll think of his name here in a minute, but he started out as a pen tester and he got burned out on it, because he'd perform a pen test, he'd come back next year and no remediation was done, so he felt like he was wasting his time. If you're not going to fix it, I'm wasting my time. So he went into just doing digital forensics and he's happy there.

Speaker 1:

He's teaching stuff for SANS. It might be Ted Demopoulos. Ted Demopoulos was one of my instructors for one of my courses, so it can be. I don't know. I've taken like eight SANS courses, something like that.

Speaker 2:

I don't know, I forget how many, so trying to think of his name because he runs. Yeah, it's, it's. He's local here to the Dallas area. I can't think of his name at the moment, but he, it'd be Ted. No, it's not Ted, yeah.

Speaker 1:

No.

Speaker 2:

Okay, it's not Ted. I know Ted, but no, I said different guy. Yeah, it's David Cowen.

Speaker 1:

Never had him.

Speaker 2:

Yeah, David Cowen.

Speaker 1:

I've had. I've been through anyone who came up to like the military, army, to teach their SANS courses. I met like Mark Baggett, who is amazing. You ever want to learn Python? Talk to Mark Baggett. That man will put you through the wringer and I have been able to send that man code and, like, what am I missing here? And he'll be like, oh, you forgot to do a return. Fuck, okay. Like genius dude, I love him. When it comes to scripting in Python, that dude knows his shit. Hands down. I do have a comment here from not applicable. Not applicable, I love it.

Speaker 1:

I like that. I would like to do all sort of stuff. I have enrolled in school, but I feel like they are teaching nothing about bad stuff. I would like to know, and I hope you comment later on down, because I got to get all the way down the stream, I want to know what do you mean by nothing about bad stuff, 'cause that's all I was taught. Going through certifications and trainings in school was hacking. That's all I ever learned was the offensive side. I don't know, Phil, what about you? Have you learned anything other than the offensive side in any of your trainings or anything you've done?

Speaker 2:

Yeah, it's like this. Well, I think when you're trying, if you're going to a college, it's kind of difficult to find the offensive stuff. They may offer one class and sometimes it's based on the CEH or something like that, but I think there's not enough offensive stuff in the courses. And then sometimes, not to rag on the teachers, but if you're looking you can look at a lot of different courses, but there's certain courses you really need someone that's got a background in it to teach it. You know, digital forensics, pen testing, you know, some of the firewall stuff.

Speaker 2:

People can learn the content and teach it. But, you know, I think you really need to understand the area of work in it to be able to explain to the students and show them some different things, and go outside of just the textbook or whatever training labs you have. But in a lot of cases, for your good training, you've got to go outside of the colleges. I mean, what they teach in the colleges is good stuff. But when you get into the good, into-the-weeds, hands-on stuff, a lot of times you've got to find something outside of the college to learn from.

Speaker 1:

Yeah, even me, going through my master's program I dealt with that. So my very first intro to cybersecurity class is in a master's program, which, why there was always blows my mind. Why there's an intro to cybersecurity class in a master's program to this day will always boggle my mind. But my instructor was like, oh yeah, I worked for all these three-letter agencies and done all this stuff, and me and her went rounds because of the one day I said, hey, look, so I'm looking, if I have an IDS and IPS. I said you got an IPS in line. It's blocking all traffic and I'm an attacker and I'm getting stopped from being able to do anything. Will I not know that there's an IPS in line that's stopping me from doing this? Her response every time was it depends on how much money you spent. I got in that.

Speaker 1:

She ruined my 4.0, as I was. I never finished my master's because they PCS'd me. But she ruined my 4.0 because I taught the class out in the smoke pit. I'd go smoke. Everybody would come out there. I'd tell them about firewalls and all the other bullshit that goes around with security. But when I wrote my paper she gave me a bad grade because she must have read my review prior to and knew it was me, because I was the only one that had the balls to stand up and, like, she doesn't know a damn thing. And she knew that because I was the only one to argue with her.

Speaker 2:

Yeah, that's-.

Speaker 1:

And so I got a bad grade.

Speaker 2:

That's the case a lot of times is students come in here. It's like that's kind of like another. I won't call it, would never mention the person's name, but there was some other professor teaching at another campus while I was teaching my class. You know, I was the one that started teaching the pen testing course there. He was teaching some other stuff like A+, Network+, maybe Security+, and all these people were coming to class.

Speaker 2:

My wife actually had him and before I even started teaching he was talking about how this guy would go on and on about himself, how he's such a ninja that, you know, he does pen testing, he's got a company doing pen testing, and then here's all the stuff he's talking about. And what's kind of funny is I kind of knew the guy didn't know what he was talking about because I looked at his LinkedIn profile, was able to figure that out pretty quickly. But I was in class. I remember like the first month of my class. Dr. So-and-so is so good, he does this, this and all this. You can't hack his system because he does this, this, this, going on and on again. But by the end of that semester they thought that dude didn't know what he was talking about. They just kind of seen, and I wasn't trying to disprove him, but they heard what I was lecturing about and what I was showing them, demonstrating. Based on what they heard from him, they kind of found out the guy was full of hot air.

Speaker 1:

Oh yeah, I mean I even had that, even going through CS courses, like you'd have people come in and be like, oh yeah, no, no, no, no, and I kid you not. So I was in a class for, I think it was the GCIH.

Speaker 1:

I want to say it was the incident handler, so it might have been just one of the regular hacking classes without a certification, I forget which one, but we had warrant officers, we had majors and, you know, lieutenants and captains and a bunch of people that weren't actually going through the MOS training. They were just there because it was a SANS course and they were allowed to take it, and by the time the first two days was up, I owned everybody's computers for the most part. I'd say probably about 75% of the computers in the classroom I had full control of. And I had this warrant officer come up to me and his, I want to say his buddy, was either a major or maybe a colonel. No, not a colonel, Lieutenant Colonel. So it was either major or Lieutenant Colonel, I can't remember what it was. He came up to me and he goes, what the hell are you doing? I said, oh, you see all these red little lightning bolts, 'cause I was tired of using Metasploit. I started using the GUI for it and I can't remember the name of it.

Speaker 2:

Armitage, yeah, Armitage.

Speaker 1:

So you saw the little red lightning bolts and it was like, what are you doing? I was like, oh, you see all these? Yeah, I own all of those computers.

Speaker 2:

Did you do a hell of a thing. It was like huh, did you do a hell of a thing.

Speaker 1:

No, didn't have to. They all, they set all the default passwords to the exact same thing, and people in the class, that you're going for cybersecurity, that have all these offensive tools on them. These assholes didn't change the default password.

Speaker 2:

Oh, wow.

Speaker 1:

So I literally went in and just was like and you're mine, and you're mine, and you're mine, and the warrant was like you don't have mine, do you? I was like nah, you were smart enough to change your password. I didn't.

Speaker 1:

And I don't feel like going through trying to figure it out right now. So fuck it, I don't care. But there was a kid in class that literally would always be on Facebook and doing other stuff. He was failing a class, but he was also on Facebook all the time doing all this other shit. I'd be looking at his monitor as he's doing things. I'd close out of his browser, he'd open it back up and do it. I got tired of it so I just started shutting down his computer and he'd literally look up like, what? Like, and you're done. If you started it back up, go on Facebook again, and you're done. Started back up, get on, that, you're done. I do that shit all the time, just for shits and giggles. But that's the beauty of the offensive, especially in a classroom environment, you can do that type of shit. I had been studying it for years by that point, so I was literally just looking there, going fucking with tools, just having my fun with people. Adrienne does have a question. Can OSINT be a career path all on its own?

Speaker 2:

Yeah, I would say so. People are doing it, using it for different areas. I mean collecting information on people. Yeah, I.

Speaker 1:

I would say so too. Slowly, because when you're looking at things like the FBI, when you're looking at PIs, when you're looking at all these other, you know, areas. Even if it's not a, you work for a company, you can start your own company in OSINT, because then you sell that data to or give that data to private investigators and the FBI and your local PD and things like that. They call you in and pull you in on a contract to be able to do these certain things because they don't have the manpower or the time or whatever to be able to do it. So I agree, I think OSINT definitely has its frame and its ability to really, I think it has its specialty to really just go, because not everybody can do it.

Speaker 2:

Yeah, I'd say one of the things too that I've seen over the years too, because, you know, some of the narrow scopes of PCI pentesting a lot of pentesters really don't believe in.

Speaker 1:

You said PCI.

Speaker 2:

Yeah, how it has kind of hurt the industry is there's a lot of pentesters that don't do OSINT, and I've done pentests where before that, like the one I mentioned, it was a full scope pentest. I was running all the tools and no one detected anything like what I was doing. The external pentest, you know, I found all the network blocks, domain names, did subdomain enumeration and then I went back and used Shodan, and I went in there, found that they had like an FTP server in Indonesia that wasn't coming in with the network blocks. Just so happens, the little login warning banner that is on the FTP server, it's like any other system you log into, had the name of the company. That's how it was found. So if I had done OSINT then that would have been uncovered. You know, this is an FTP server using clear text authentication across the internet.

Speaker 1:

Yeah, and OSINT is one of those things I learned about that, you know. It's one of those things you learn for a while and don't realize you know it. I've actually got a friend in chat right now, her name is Amanda, that is very good at finding all types of information and, you know, those things that the FBI wishes they could do. That's awesome. I'm just saying, like her ability, I'm just trying to get her through the technical aspects of it so that she can actually get a job in it. So, yes, Amanda, if anybody wants to hire someone that knows OSINT and is able to dig up dirt on anything, anybody, anywhere, go to her. She's fucking amazing.

Speaker 2:

Don't make Amanda mad.

Speaker 1:

No, don't do it, don't do it.

Speaker 2:

She'll find your dirty laundry. Oh yeah, all of it. Let's see.

Speaker 1:

So I got a question here and I'll bring up false ranges because you know it's you're my guess it's your chef. If I want to start off in GRC, is there a particular way I should lean towards, ie offensive, defensive, pen testing, etc.

Speaker 2:

For me, I'm not really experienced in this area, but if you're going to be in GRC, then more of the defensive stuff would be helpful, although if you understood the offensive side it would help, because it's a much different, less technical area, the compliance GRC stuff. Because when I worked at the company as a red team lead, we had a, I was doing a pen test against Active Directory. At the same time the internal audit team was doing an audit against Active Directory. So some of the things Active Directory did, and Windows, they didn't understand that.

Speaker 2:

So, honestly, a lesser skilled path or less knowledge as far as the technical side would be something like GRC. But I mean, the more you understand security, the better you're going to do with it. For instance, like working with the GRC folks, not knowing some of these things about Active Directory would be easier for them to overlook. But yeah, you would more, the defensive side is what you're going to use, although if you knew the offensive side it would probably make you better at GRC, and I think someone that came from a GRC background into pen testing would be, from their auditing background, would be able to offer some things that maybe, you know, a typical pen tester wouldn't.

Speaker 1:

But yeah, it's yeah, and she says here, is it just jumping in on anything I know, or is it just jumping in on anything I know could contribute to GRC? So if you know, Misha, I may need you to elaborate on that, because that continuation is kind of confusing me at the moment, so I'll wait on you to elaborate. I'm gonna hide that, that continuation. I do want to bring up, sorry, in AR's question, and this one might take you a while, Phil, just pay it. My man loves his AI and his. Okay, so what is?

Speaker 1:

your take on using AI and ML for red teaming or pen testing. Yeah, I think it.

Speaker 2:

I think it's awesome, I think it's gonna be very helpful, and back before ChatGPT came out and it was accessible to people, everyone was always asking, is it gonna replace pen testers? And I don't think any time in the foreseeable future. But what it's going to do is it's gonna help us do our jobs better, because one of the things with pen testing, once upon a time there weren't vulnerability scanners, there wasn't Metasploit, you had to go out and manually do all this stuff, write scripts or your own tools to do this. So nowadays, if you're performing a pen test, it'd be difficult to do a thorough pen test without running a vulnerability scan. What it's gonna do is it's gonna take some of these tools that we have and it's gonna help with making us more scalable, make these vulnerabilities more accessible, make these vulnerability scanners better, maybe even some of the evasion techniques and stuff from like Metasploit. Hopefully that'll evolve to make it easier for people to learn.

Speaker 2:

You still need to know the manual stuff, but so many companies aren't really doing the level or the number of pen tests that they need to because they don't have enough people and enough time. So I think it's really gonna help. I mean, the bad guys are using it. We need to learn how to use it, and one of the things I've seen about it is, if you're gonna write scripts, you kind of have to understand a little bit about the scripting language to use it. But I know some companies are using AI and machine learning in their external attack surface management programs and stuff. So I think it's awesome. It's a good opportunity. I love it for writing. I use it for my podcast.

Speaker 1:

So I have an issue now, because I knew this was gonna happen. Did you see the latest blog or article or whatever it came out? ChatGPT or OpenAI, I forget what, I think it was. ChatGPT actually created a malware that can transform.

Speaker 2:

Malleable, yeah, yeah.

Speaker 1:

It created. It wrote code for a transforming malware that, yeah, it just changes itself as it goes, and it's not supposed to be able to do that. It's not supposed to be able to write offensive code. Yeah, but it wrote offensive code.

Speaker 2:

Yeah, it's pretty. Yeah, it gives you all the warnings and stuff, you're not supposed to do this, but you can get around it pretty easy. And then people say if you use the AI, I mean the API, with it, then you can get around those warnings even easier.

Speaker 1:

Yeah, yeah, if you know how it works. Yeah, definitely.

Speaker 2:

Yeah.

Speaker 1:

You just get loud until they hopefully see a catch. Oh, how about starting out quiet and if nothing is detected, you just get louder until they hopefully see it or catch it.

Speaker 2:

Sometimes you do that. There's been pentests I've been on before that really wasn't a red team operation, but they asked us to try to go undetected for so long and then initially get louder to see if we're detected, so that way you can kind of figure out the detection point. I think really, when you're trying to go undetected, I think that's kind of a better method than just trying to go undetected, to kind of progressively get louder and see at what level they're able to detect you.

Speaker 1:

Yeah, definitely. I agree with that completely. Did doing system administration help when you got into the offensive side? Big time.

Speaker 2:

Yeah, I would. It made it a lot easier. Yeah, because, one of the things too, you know, if you get access, you get a shell, you know, a command line to a Linux or Windows system. If you know how to administer those systems, it's gonna make your life a lot easier because you get command line and you get the right permissions. Sometimes you can shut down things like firewalls. Then you can get certain types of tools to work that may not have been able to work, or you're opening up more ports. So otherwise, if you don't really understand the operating systems that well, you're gonna be doing a lot of Googling and research trying to figure things out. So really, my opinion, when you're becoming a pentester, you don't have to be a sysadmin, but you kind of want, like, sysadmin-level knowledge of the operating systems.

Speaker 1:

That's always been my biggest thing, right. So a lot of people talk about foundations. KevTech has, I have, you have, a lot of other people have. I think, whether it's blue team, red team, purple team, GRC, you name it, having a foundational knowledge of operating systems, systems administration, network administration, things like this do nothing but help you in your career. You don't have to have done the job per se, but having that base level knowledge of, okay, how do GPOs work, what is a domain, what is a forest, what is all this other stuff, so that if logs come in, I know, okay, well, this user account, it failed authentication, so it should do this log. Alright, I get it, because I understand enough about Active Directory, where the authentication goes, and the kind of frame of communication along the line, or if someone's doing a SQL injection. You have a web application firewall. You have all the stuff. You understand the different logging and the different technologies in place.

Speaker 1:

If you have no clue about any of that and you're like, I'm gonna go be a security analyst, for what, homie? You're literally, what are you looking for? Because you have no background in anything and have no clue what you're looking for. Now, if you could tell me you have a base level knowledge of all these different communication vectors? 100%. Go be a junior analyst, learn more about correlation and things like that, got you. But if you have no aspect of knowledge on Active Directory, on authentication, on operating systems, on firewalls, on any of this stuff, I'm not bringing you in as a junior analyst with a certification. I'm just not, because you're not. If I can't get that foundational knowledge out of you of, okay, what is port 443? Oh no, you might want to know that before you go be an analyst. Yeah.

Speaker 1:

I'll say it. So, yeah, N A, N A, not applicable. Not applicable. I know. I put it in the chat just so you know. Phillip Wylie Show. His link to his show is in the description of the YouTube videos so you can check it out there. I have all his contact information there so you can find him on LinkedIn, YouTube, Twitch, no, not Twitch, YouTube, Twitter, Instagram, LinkedIn and his show. So all that information is there. Let's see, man, there's so much stuff here, so much stuff here. Oh, here we go. The GitHub link. Griffin and Vosack put it in there, Kubernetes go. I don't know, that's for your, the guy from your show, but yeah, that's.

Speaker 2:

That's something different, but that's good to get to know about. That's good. I have to share that with my friend about that too.

Speaker 1:

Let's see, I have decided to switch gears and I'm getting further on the AWS cloud path and I was wondering what tools I could use to help me. All right, all right, you might have a better understanding of this than me because you're more offensive and talk more cloud. I hate the cloud, it's just someone else's computer. I have decided to switch gears and I'm getting further on the AWS cloud path and I was wondering what tools I could use to help give me a deeper understanding for maintaining security.

Speaker 2:

Yeah, for me, cloud is just not one area I know, but I would say whatever native tools to that platform, AWS, knowing the Windows tools, how to use that. I know there's some third-party tools and some pen testing tools that you could use, but yeah, I would focus on those built-in tools because I know a lot of people that do cloud pen testing that leverage a lot of the built-in stuff when they're testing those environments.

Speaker 1:

Yeah, definitely. For anybody watching on LinkedIn, understand I cannot, nor can Phillip, unless he's logged in to the LinkedIn chat, chat with LinkedIn itself. So if you're not asking questions or pulling up comments, something that I'm gonna show Phillip directly, we're not gonna see it. I see it in my chat, but I have no way of talking back to you. StreamYard does not allow it, just so you're aware. So if you want to get in on the chat and actually be able to converse with people, YouTube is the best place to go, which is why I always put it in the comments, preferred is YouTube because I can interact with everybody.

Speaker 1:

Let's see, man, so many comments that I'm like missing because there's a lot of people actually talking. That, it's crazy. I think I'm caught up. No, no, I have to tell my wife to shut down her meeting all the time. Jason, I did the same thing for my wife's computer. Don't worry, it happens. Let's see. How do you recommend those who are new stay up to date on events, concerns, etc. happening in cyber, while trying to also learn from the beginning? Go ahead, Phil. I thought with that one, well, one.

Speaker 2:

One of the resources I like to use is Twitter, and find some people to follow there, because at one time, back when I was getting started, you were just reliant on blog posts and different vendor websites. But yeah, just, that's a good place because people that create new tools are putting them out there, people doing research, so people like, sometimes John Hammond figures out how to exploit things and he posts up his research and stuff. So that's a good place to look. But one of the things that you mentioned that's a good thing to keep in mind is something that you can do.

Speaker 2:

Keep in mind is something I don't do enough of is keep up with the latest news of what's going on, look into it, understand it, because when you're going through an interview, there's a good chance, especially when you're talking to like a hiring manager that may not be as technical, they're gonna ask you questions about current events in the news, because that's what they're kind of keeping up with to know what to watch out for and, you know, guide their team. So I would make sure to try to keep up with that. There's different good resources on news out there, but I would keep up with, understand it. So that way, whenever you're in interviews, you can just, you know, you can explain how you know this certain malware works, or whatever, ransomware.

Speaker 1:

Yeah, definitely, now, and I agree with that, right, keeping up with current events.

Speaker 1:

So when you're just getting in, those current events are gonna guide you, because it's gonna guide you to kind of what you want to look into as far as offensive, defensive, GRC, what that guiding rail is. So, um, recently CMMC 2.0 came out, so understanding that and how it relates to this and how that comes into play. As far as offensive security, I'm seeing Lazarus making a comeback and doing hits and things like that and trying to drop ransomware and things of that nature. So understanding Lazarus IOCs in terms of offensive security and what they're using, so that you can help your clients by saying, okay, I'm gonna drop these payloads, I'm not gonna drop ransomware, but I'm gonna drop these things and see if I would be able to exploit ransomware via some other script or something along those lines. And then, from a blue team perspective, knowing all of Lazarus's IOCs, knowing WannaCry's IOCs, knowing how to detect these things, these are all huge. So keeping up with current events really, really helps when keeping up with everything else. It really does. Let's see.

Speaker 2:

Yeah, someone was asking about API, oh, API. So I shared Corey Ball's API security course, APIsec University. Okay, cool link. That and Corey Ball's Hacking APIs book. Let me look at, a really good, good course.

Speaker 1:

All right, so we're gonna drop that up here. API pentesting and training, APIsec University slash dash courses, or hashtag courses. So that's for API. And then I did have a question from, where'd it go? Where'd it go? I had another question. I lost it. It was up there. You saw it up there, don't do. That question is not just of our host. She has Twitter things to follow aside. Oh, the Twitter one. Where'd it go? There it is. All right. Any chance of getting a Twitter list of people or companies or other entities to follow for info on keeping up to date? All of the Twitters?

Speaker 2:

Good, all of the Twitters? Good question. I've got some. I don't know if they're visible enough, but I've had some lists. I had one I was doing for a while. There was like women in infosec, information security, that had a list out there. But if you look at some of the different sites, a different account, some people have lists to follow. But I'd say anyone from Black Hills and TrustedSec are great to follow. Yeah, those would be some good ones to start with.

Speaker 1:

Yeah, I would say Black Hills and TrustedSec. There's another one I follow. They kind of get banned a lot just because they put out actual active attacks going on and they publish the source code because of their feeds and things that they do. I can't remember the name of the Discord server that I'm in, but they also publish on Twitter. So I have to find that and I'll let you guys know. I might, I'll probably bring it back and put it in the comments if I can figure out who it is. Again, it's been a while since I've actually investigated all of their research. Oh, oh man, I haven't even seen the new Apple AR devices. But what do you think about the security environment of the new Apple AR devices?

Speaker 2:

Yeah, I just seen those. I don't know anything about the security of it, but man, it's just pretty expensive. I don't know what the comparable products that other people put out cost. What are the other AR? Let's see.

Speaker 1:

Oculus. The newest Oculus was a couple hundred bucks or a few hundred dollars, right. So it's like three, four hundred bucks, I think, give or take, might have been less. As you step up, there are more expensive ones that run like a grand, two grand. I think the Apple AR is the most expensive one out on the market or coming out to market right now and I see no reason for it. Yeah, I don't. Apple is not a gaming machine. Apple is not a gaming, like you could put little mobile games on your phone, but really that's about it. So as far as, like, Apple augmented reality, Apple VR or whatever you want to call it, I see no reason for a thirty-five hundred dollar price tag. My son's Oculus, and I got three of them, do the exact same thing for all of their games and I don't need to spend another three thousand dollars on an Apple computer to be able to do it.

Speaker 2:

And usually I don't know people that are really using Apple much for gaming anyway. No, it's. Yeah, I would say go, if you're gonna get something like that, go with whoever the industry leader is that's putting out good stuff.

Speaker 1:

I mean, there's some, unfortunately, the industry leader got bought by Meta, so okay. Because it was Oculus and then I could just go buy. Meta, got bought by Meta, and then Meta now for some of their shit is requiring you have to log in through Facebook to use some of the features, and so I'm like, I gotta create a bunch of fake accounts. Kids can do this shit because I bought it for them before that happened, and now that happened, and Meta's being stupid and all this other bullshit.

Speaker 2:

Sounds kind of Marvel-like, into the metaverse.

Speaker 1:

It's basically what it is. Oculus, 350. Apple AR, thirty-five hundred dollars.

Speaker 2:

Thirty-five hundred, that's, yeah, yeah. I love my Apple, my Mac laptops and my Mac Studio, my iPhone, but I will not be buying.

Speaker 1:

No, I saw that price tag. I was like, yeah, no, like I don't even have the money for a Mac. I custom built my desktop. That's what I use for day to day, and then I have a MacBook Pro that work sent me. I use that for work. Yeah, I'll stick to Windows and desktops until I can afford, you know, the three thousand dollars it's gonna cost me to get a Mac that can do the same shit as my Windows desktop.

Speaker 2:

I've got, yeah, my latest Mac I bought like in November or December last year. I got the Mac Studio with the Ultra, the Ultra chip, and 128 gigabytes of RAM, and what that cost you? It was like around four thousand something dollars. Yeah, precisely, but I can open all sorts, a lot of Chrome tabs. Chrome for the win.

Speaker 1:

Oh, man, the bad part is in Chrome, just because, I mean, DuckDuckGo is my default search engine. So now everything goes through DuckDuckGo. Like, I'll use Chrome just because I've been using it forever. But I'm gonna use DuckDuckGo for my search. You don't get your money. No more, now you're late, I'll not give it to you.

Speaker 1:

But yeah, so I, but yeah. So we're like at the top of the hour, Phillip, and I really got to know, because we talked a lot about a lot of things tonight and tried to give out as much advice as possible and just answer some questions. But my question to you is, if you had any advice to give anybody trying to break into offensive security, would you recommend it as a junior role, right, coming straight from IT to offensive or nothing to offensive? And if not, what advice would you give to someone to break into cybersecurity?

Speaker 2:

It's gonna be pretty difficult for a junior role, but it's not impossible. You can do it. If you wanna do it, don't let anyone talk you out of it. If it's something you're just passionate about, you really wanna do it, go for it. Don't let anyone talk you out of it. There's some people that have been around a while, like we have, and they're gonna tell you, and this is their point of view because of where they came from, what they learned. They'll tell you you need to be a sysadmin first before you do that. But that's up to you. It's gonna be a little more difficult to find the junior roles because they're gonna want someone that's trained. But then there's a lot of companies that will hire new people and bring them up. Praetorian, out of Austin, they do that. They hire people out of school into pen test jobs. So it's out there. But yeah, it's gonna be more difficult for, like, entry level and junior roles. But one of the things, the biggest advice I can give anyone is networking. If you just network, connecting with people on LinkedIn, connecting with people at conferences and meetups, the better you network, the easier it is for you to find a job.

Speaker 2:

I was just sharing with someone recently, today: over the past 10 jobs I've had, there's only been two jobs that I did not network to get the job. One of this is once I started networking. You know, only two jobs that I didn't get through networking, and the last two jobs I've had have been people... One, I was congratulating someone on a new job. I got recruited. They created a role for me. The second one, I got recruited by Ira Winkler. He saw what I was doing for my previous employer and I got recruited there. The role didn't exist, they created it for me. So, networking. Some of the students I've had before when I was teaching the pen testing class at Dallas College, people I've mentored, all the people that find jobs the easiest way, they're networking, and LinkedIn for sure. You can network on Twitter. There's different Discord servers.

Speaker 2:

Go to your Security BSides conferences, your different cybersecurity meetup groups. If the ISSA meetings are not your style, then the local DEF CON groups, the OWASP chapters. Just get involved, because the more people know you, when a role comes up, they know what you're looking for. Then there's a lot of cases they'll reach out to you. When I was teaching the class at the college, I had people always reaching out to me for junior pen testers, and if I knew people in the community had the skill set, I would pass their information along to them too, because they had the skills, and that's because I knew they were going to the meetings. And it doesn't help to go to the meetings and just not say anything. Go around, introduce yourself, kind of let people know where you're at in your education journey, what kind of jobs you're looking for, ask for advice and interact. And the more you get to know these people and they know you, the easier it is to get the job. Because once you're able to get your resume into the hands of a hiring manager, or someone that can get it to the hiring manager, you're going to have an easier job getting that role than if you applied out of nowhere just on your own.

Speaker 2:

An example is when I went to work for US Bank. I met someone at an OWASP meeting that was giving the presentation; they were hiring. He let us know. I gave him my resume. Within a week I had an interview. Within two or three weeks I had a job offer. At the same time I applied at Bank of America, same type of role, and this is coming off of five years of consulting as a pen tester, OSCP, SANS GWAPT cert, more than qualified for the job, but uploading the resume online, it took a year to hear back from them, and they had a job opening. Whereas networking, I was able to get the role. So if you're not experienced, or you have little experience, it's going to be even more difficult for you, so it's more important that you're networking.

Speaker 1:

And that's the biggest thing: networking has always been huge. My first job out of the Army, I got paid shit, and that was the only job, the only job I have gotten since I retired, that was not by networking. I was applying to everything I could find, found one, da-da-da-da. Now, mind you, when people talk about experience, when people talk about roles, at that time I had four SANS certifications. I had all my Cisco certifications, to include CCNA, CCNA Cyber Ops, CCNA Security, my CEH, my CPT, my degree, and it took me months after retirement to find a job, and even then it paid shit. After that is when my networking came into play, because the people I had been talking to prior to retiring finally had roles open.

Speaker 1:

I have literally worked for the same person three times, because he does what he does and things have happened and he's left and found better jobs and been like, hey, look, you wanna come with me? Got you, homie, I'm there, I'm out. I will go work for him any day of the week, and so for me, networking has played a huge role in where I work. But I will say this: as a junior, being friends with someone like Phillip and networking with them, or myself, or I'll even throw my boss out there, Ryan Benson, these people will help you, as a junior, find roles, because as junior slots open, we see them.

Speaker 1:

I may not be able to hire a junior, but Phillip might, or somebody else might, and so if I can't hire a junior, I'm gonna send your information to somebody else. I'm like, I know this person. They bust their ass day in, day out. They're learning, they're growing. This is what they do. Hire them. And that carries a lot more weight than just you sending a resume. Go ahead, send that resume. They're gonna do shit. These days, your resume doesn't mean shit unless somebody sends it for you. That's just the way the world works because of social media. But saying that, Phillip has given all his advice. Phillip is a genius. I love Phillip.

Speaker 2:

Thank you.

Speaker 1:

Another fellow warrior, one of my brothers. Me and you need to get a beer sometime, or at least sit down, have a talk. Sure, we're gonna have to get together in person. I will be at New Jersey cyber firesize, I forget what Alex calls it. I will be out there on Tuesday. So if anybody's there, come link up. I will be there doing a show live, and then I'll be doing a show next Friday as well, so you get two next week, which will be amazing. Otherwise, look... go ahead.

Speaker 2:

Are you gonna be at RacesCon?

Speaker 1:

No.

Speaker 2:

Okay.

Speaker 1:

No, no, I'm not gonna go to that one. I just... I got too much shit going on. I took off all next week to just... I wanted to veg out. And now I'm going to a conference and, just like, man, I don't, I don't wanna... it's five and a half hours of driving just to get to New Jersey.

Speaker 1:

I ain't trying to... damn, man, this shit sucks. But no, I'm not going to that one, and there's a whole story behind it. But yeah, I'm going to this. Alex invited me, said hey, and he was like, hey, you could do your show. Bet, I'm there. And I think I got two people paying me for sponsorships, which will be even better.

Speaker 1:

But anywho, look, I love you all. Y'all take care, y'all have a good one. It's been another amazing episode of Security Happy Hour here on Cyber Warrior Studios. As always, I am the Cyber Warrior. Right above me is Phillip Wylie, who is the host of the Phillip Wylie Show. You can find all ways to connect with us, support this, that and the other down below in the description here on YouTube. Otherwise, y'all have a fantastic weekend. Enjoy the rest of your Friday, and I promise we'll be back again, actually two episodes next week. So y'all take care and I'll see you then. Arguidacom.

Offensive Security and the Red Team
Ethics and Time in Pen Testing
Empathy and Pen Testing Best Practices
Challenges and Realities of Offensive Security
Shortcomings of Offensive Cybersecurity Education
AI and ML in Pen Testing
Staying Informed and Engaging in Cybersecurity
Apple AR Devices and Cybersecurity Discussion