Exploring the Versatility of Cybersecurity with Sans Instructor Jason Ostrom

1 00:00:00
Speaker 1: I was going, Jason.

00:00:01
It's been a long time since we last talked, even over video.

00:00:06
I'm really excited for our conversation today.

00:00:09
Yeah, hey.

00:00:10
Speaker 2: Joe man, thanks for having me on.

00:00:12
This is a.

00:00:13
I'm super pumped about this.

00:00:14
But yeah, how you doing, man, it's.

00:00:16
It's been a while and in fact we, we actually go way back,

00:00:20
don't we?

00:00:21
Yeah?

00:00:23
Speaker 1: At a very interesting place, especially for someone

00:00:26
coming like straight out of college, learning it, and then

00:00:31
being put into an environment where you have to troubleshoot

00:00:34
complex issues without touching a keyboard or a mouse, can't go

00:00:38
to the bathroom without a supervisor, like what a what an

00:00:42
interesting set of circumstances .

00:00:44
Speaker 2: Oh yeah, there's definitely interesting customer

00:00:47
with that.

00:00:48
I think we can actually say it was a three letter agency.

00:00:51
That's the most we can say.

00:00:53
But uh, were you working for a security vendor?

00:00:55
There was like a PAM, privilege identity access management or

00:00:59
something like that.

00:00:59
Speaker 1: Oh no, I'm sure if I was working with a PAM solution

00:01:02
I would have like pulled my hair out.

00:01:04
What, what little hair I had at the time.

00:01:06
I was working with a E nine one .

00:01:09
One vendor.

00:01:10
Speaker 2: Hmm, yeah, it wasn't E nine one.

00:01:12
It was a telephony related solution project we were working

00:01:16
on, so that makes sense.

00:01:17
Speaker 1: Yeah, yeah, that I mean even you know.

00:01:20
Thinking back, I didn't think of how much you know security

00:01:26
work I would actually have to do , uh, when I was on site at that

00:01:30
agency.

00:01:30
The reason being is that, you know, when you're going on site

00:01:34
you're told you know by the person who's in charge of all of

00:01:37
it at that company at that time that oh, this is jitik

00:01:41
certified.

00:01:42
We're good to be there.

00:01:43
You know they always want to make security changes, but we're

00:01:46
certified, so we're good to go Right.

00:01:48
And then you guys start hacking away at this thing right right

00:01:53
in front of me, asking me questions like well, why, why

00:01:56
can I do this?

00:01:57
If it's certified, why can I do this?

00:01:58
So why does it break after you run this stick?

00:02:00
And you know, it's like me, six months, maybe eight months at

00:02:05
the time out of college still learning you know the alphabet

00:02:10
of IT is like, well, I don't know.

00:02:12
I guess I got to go crack open a book in the hotel room because

00:02:15
apparently I'm not leaving this site until we figure it out.

00:02:19
Speaker 2: Yeah, that was certainly trial by fire on

00:02:22
learning on that.

00:02:22
That's the definition.

00:02:23
Good experience overall, though , yeah.

00:02:26
So hey, congratulations on your , on your kid.

00:02:28
By the way, I won't get personal or anything, but

00:02:31
congrats on that.

00:02:32
That's awesome.

00:02:33
Speaker 1: Yeah, absolutely, I mean it's.

00:02:34
I appreciate that it's.

00:02:36
It's been challenging for sure.

00:02:39
I guess it's it's fun and rewarding to have kids.

00:02:42
It absolutely is.

00:02:43
It's just that first year, right, that is just like it's

00:02:47
brutal, absolutely getting over the hump there, and it's not

00:02:50
easy to work at a nine to five job doing a podcast, doing

00:02:54
consulting and all the other things that I do, right, and if

00:02:58
I it's, it would be impossible to do all of that, really any of

00:03:02
that, without having my wife stay home.

00:03:06
Speaker 2: I wish I could give you some negative advice, but

00:03:08
just one day at a time really pushes you through.

00:03:10
But it does get easier, it does get better, right.

00:03:13
Speaker 1: So, jason, you know I like to start everyone off with

00:03:18
how you got into IT, how you got into security.

00:03:20
The reason why I do that is because I have a lot of audience

00:03:25
that it could be their first time, you know, going down the

00:03:28
path of trying to get into IT or trying to get into security.

00:03:30
Maybe they're doing a career change and hearing everyone's

00:03:35
path into it, you know, maybe lets that one person know like,

00:03:39
hey, it's possible, this person did it.

00:03:41
Maybe it's possible for me too.

00:03:43
Maybe I can do this thing.

00:03:43
You know, what was your origin story like?

00:03:48
Speaker 2: Yeah, great question, man.

00:03:49
I'm super excited to be on this podcast.

00:03:51
So my story is I actually started out cutting my teeth in

00:03:56
IT before I really got into cybersecurity.

00:03:59
And I'll make one point which I think is different than today

00:04:03
when you see a lot of college graduates going straight into

00:04:06
cybersecurity, infosec jobs, you know where they're doing pen

00:04:09
testing or something of that nature.

00:04:11
I had to kind of cut my teeth with IT so I was doing kind of

00:04:15
Linux engineer, sysadmin, slash network engineer, security

00:04:20
engineer for a few years for startups, before I even got into

00:04:25
cybersecurity where I started doing, you know, penetration

00:04:28
testing.

00:04:28
I think I didn't do my first pen test until about 2004.

00:04:32
Yeah, so when I graduated from college it's interesting, Joe I

00:04:36
was really interested in law enforcement, federal law

00:04:38
enforcement, going into the FBI, and at that time you had to

00:04:42
have like four years of undergraduate experience after

00:04:46
college if you weren't master's degree.

00:04:48
So I was like you know what?

00:04:49
I'm going to do some cool IT stuff for a few years because I

00:04:52
got to get some experience under my belt, something and I'm

00:04:55
going to do computer crime squad , FBI type stuff.

00:04:57
So I was kind of going down that path of like I'm going to

00:05:01
do IT and security for a while to get some good experience, but

00:05:04
my ultimate goal is law enforcement.

00:05:07
And then I kind of fell into something where the whole FBI

00:05:11
thing fell through and I found another pathway.

00:05:13
But I was inspired by someone who was a mentor of mine and I

00:05:18
wrote a tool and I did a blog.

00:05:20
I wrote this pen test tool.

00:05:21
I was working for a pen test mill, so to speak, doing back to

00:05:25
back pen testing over and over again, and my boss at the time

00:05:28
is a brilliant guy by the name of John Kindervog.

00:05:31
He's done done a lot of zero trust stuff.

00:05:33
He was my boss, my mentor at the time, and I was deathly

00:05:36
afraid of speaking at conferences and he convinced me

00:05:39
to speak at my first hacker conference and I presented this

00:05:43
tool called VoIPOPPER, a network pen test, kind of a UC pen

00:05:47
testing tool and it kind of took off for me there.

00:05:50
I decided you know, I want to do something cool in the

00:05:53
community to kind of give back to the community.

00:05:56
And they didn't have kind of taken off and I started speaking

00:05:58
at conferences like DEF CON and I kind of got the bug on doing

00:06:03
research and so I was really heavily involved in VoIP and UC

00:06:06
pen testing at the time.

00:06:08
This is kind of like the mid 2000s.

00:06:09
So it's kind of where I went off into getting into a niche

00:06:14
and I say it's going to be a generalist, but it's also good

00:06:17
to have a specific area within cybersecurity to specialize in,

00:06:22
you know.

00:06:22
But yeah, that's kind of to answer your question.

00:06:24
That's kind of my story.

00:06:25
I really got into pen testing and doing research and I'm also

00:06:30
happy to say that that tool I wrote, VoIPOPPER, is actually

00:06:33
still included in Cali Linux to this day, which is hilarious

00:06:37
because the tool was like was like written in 2005 type frame.

00:06:41
So but yeah, kind of answer your question on how I got

00:06:44
started.

00:06:45
And then I kind of connected with you, I think around 2014

00:06:50
when, when I was heavily involved in the VoIP UC security

00:06:53
world.

00:06:54
Speaker 1: Yeah, yeah, that was.

00:06:55
That was definitely an interesting time, for sure.

00:06:58
But you know you touch on a really important part of what I

00:07:03
would view as a successful journey.

00:07:06
Right Is getting a broad range of experience and then dialing

00:07:11
it in, and that's what I always recommend to people.

00:07:13
You know, I mentor some people coming out of college, coming

00:07:17
out of different security bootcamps, and even with the

00:07:21
security bootcamp experience, I still recommend that people get

00:07:26
experience in IT.

00:07:26
Right, because when you're in IT , when you're in help desk,

00:07:29
you're learning how to talk to people under stressful

00:07:32
situations.

00:07:33
You're learning how to even negotiate with people.

00:07:36
When you're 100% correct, you couldn't be more correct and

00:07:41
this other person who's a higher rank than you is, you know,

00:07:45
wrong or not 100% correct and it bugs you, it eats at you.

00:07:50
Right, you have to find that middle ground.

00:07:52
You have to develop those soft skills that will carry you

00:07:55
forward in security, because you can probably do the security

00:07:59
work you know from a technical perspective right, like you

00:08:02
could probably technically do it , but you would not make any

00:08:05
friends, you would make a whole lot of enemies.

00:08:09
Your tools would probably be ripped out the day that you

00:08:12
leave and you're not going to make you know really that much

00:08:15
progress and so it's important to really get that generalized

00:08:20
experience and then dial it in.

00:08:21
You know, over time, as you get more experience Is that kind of

00:08:25
how you thought about it as well when you started going down

00:08:29
this journey.

00:08:29
You know, when you realized that federal law enforcement

00:08:33
wasn't working, it's like, okay, well, maybe I'm going to find a

00:08:36
specialty.

00:08:37
Then, you know, maybe I'm going to dial something in and get

00:08:40
really good at it.

00:08:40
Speaker 2: Yes, absolutely.

00:08:42
I could not agree with you anymore.

00:08:44
I think we're saying the same thing here and I think is

00:08:47
cutting your teeth and IT and getting that strong foundation

00:08:50
before getting deeper into cybersecurity.

00:08:53
For example, if you're talking about something like penetration

00:08:55
testing as a use case, an example, joe, it's all about

00:08:59
context and business context, right, when you're executing

00:09:02
vulnerabilities to show business risk, if you're you know

00:09:06
straight out of college and going in and you're doing pin

00:09:08
testing and you're you're exploiting vulnerabilities and

00:09:11
flaws, but you don't have that business context to know how the

00:09:15
vulnerabilities impact the business and disruption of

00:09:18
revenue, it revenue, operations it's a major deal, right.

00:09:22
And just having that experience to sit down with network

00:09:24
engineers, developers, system administration, cio and CTO is

00:09:29
being able to talk to them.

00:09:30
So that's one key point and I think that's different than

00:09:33
today's market, right, because you see a lot of people going

00:09:36
straight in with little to no experience.

00:09:38
And I'm not I'm not hating on anyone or anything, I think just

00:09:41
the marketplace has changed and they're saying that there's a

00:09:45
dearth of skills and the skilled cybersecurity people, but then

00:09:49
it seems like you have a lot of people going in that haven't

00:09:53
formed that strong foundation.

00:09:54
So I totally agree with you there.

00:09:56
And then, relating to my story, yes, when I decided that I was

00:10:01
going to have a different path than the FBI, I basically

00:10:04
decided well, I kind of want to make a name for myself, I want

00:10:07
to create like a cool tool and give back to the community.

00:10:09
I'd already been doing the pin testing a while and, and so I

00:10:14
think it helped me to get better , to have that specific

00:10:19
knowledge but also kind of a generalist for like network and

00:10:22
app pin testing, but also specific to VoIPUC, and creating

00:10:27
that tool really helped me as a practitioner.

00:10:29
And I think also there's there's another kind of lesson

00:10:32
learned here.

00:10:33
It's like Joe, I think in my career I've learned when you go

00:10:36
too deep into the rabbit hole and become too much of a

00:10:40
specific skill on something, that, for example, with VoIPUC,

00:10:45
at the time it was really, really hot.

00:10:47
You know a lot of people were speaking at conferences, it was

00:10:50
like the cool kid and it kind of died in its popularity and now

00:10:54
VoIPUC is not considered a hot topic.

00:10:56
Now it's like cloud security and you know, machine learning

00:10:59
and all that stuff.

00:11:01
But I think it's good to have a generalist approach but also

00:11:05
being adaptable and flexible to like changing what your

00:11:09
specialty area is is what I was saying.

00:11:10
So I'm getting in more kind of changing the conversation.

00:11:15
But yeah, it's generalist versus specialist.

00:11:18
On your experience and I found when you go too deep in the

00:11:22
rabbit hole, you kind of box yourself in which might limit

00:11:26
yourself.

00:11:26
So sometimes it's good to take a step back and be like I'm

00:11:29
going to be a generalist.

00:11:30
I think you'd apply that to anything like cloud security,

00:11:33
cloud architect, whatever.

00:11:34
Right now that's the hot area and there might be lots of

00:11:38
specialty areas within that.

00:11:40
So each cloud provider is a whole world.

00:11:42
Within that cloud provider they might have 600 services and so

00:11:47
you could be spending a lot of time on one thing.

00:11:48
Does that make sense?

00:11:50
It's kind of like how has your experience been on that?

00:11:53
Speaker 1: Yeah, yeah, I think that makes a lot of sense.

00:11:57
When you were discussing being a generalist while having a

00:12:02
specialty right, it reminded me when I was trying to make the

00:12:05
jump into cloud security and be more specialized in cloud

00:12:10
security, because I saw that that's where everything was

00:12:12
going.

00:12:13
I had to do still a lot of other projects that were on-prem

00:12:18
based, not based in the cloud.

00:12:20
I got zero cloud experience from those projects, but I still

00:12:24
had to do it and I still kept up the skill set in a way and

00:12:29
convinced people like hey, I'm a generalist, yes, I do focus on

00:12:33
the cloud, but at the end of the day, I can do just about

00:12:36
anything, which is it's not an easy thing to do and that makes

00:12:39
you better.

00:12:40
Speaker 2: I mean obviously that makes you better.

00:12:42
Right, improved your skills and your marketability.

00:12:45
Speaker 1: Right, yeah, because I'll give you an example.

00:12:50
I was going to go work for a large mortgage company here in

00:12:53
the Midwest and I interviewed for a cloud security role and

00:12:58
after I had accepted the offer, the manager called me and said

00:13:02
hey, I actually have this urgent project I would need you to

00:13:04
work on because everyone else is bogged down with work.

00:13:07
It's not cloud security related , but I only need you to do it

00:13:11
through the end of the year and then you can pick up the cloud

00:13:14
security work.

00:13:14
And I said, okay, well, I'll do it until how?

00:13:17
About October 31st?

00:13:18
And then November I started doing cloud work and he agreed

00:13:21
to it, and so I you know, full blown rolled out this cloud web

00:13:26
proxy that I've never worked with before.

00:13:29
You know, I've rolled out a proxy before, but it definitely

00:13:32
was not this solution.

00:13:32
So I kind of knew what to do, but at the same time it acted

00:13:37
very differently.

00:13:37
And so you're learning the nuances and I I rolled out this

00:13:40
solution 100% by October 31st.

00:13:43
I kept up my end of the deal, and then they had to keep up

00:13:47
their end of the deal because you know, they know, that that

00:13:49
frustrates me, right.

00:13:50
Like the benefits of having this podcast is that it kind of

00:13:54
allows potential employers to hear my personality beforehand,

00:13:58
to know my, my thought pattern, you know, without me having to

00:14:02
tell them like, hey, I find this to be kind of insulting when

00:14:05
you sell me one thing and then you tell me to do another, and

00:14:08
it's confusing for me, it's disappointing, you're going to

00:14:11
get my hopes up and then I'm going to be disappointed.

00:14:13
It's not a good look, you know.

00:14:14
But but they were able to overcome that by just being

00:14:19
upfront with me, you know.

00:14:20
I think that that's what's important and also, you know,

00:14:24
when you're trying to specialize , also being open to that

00:14:27
possibility, right, someone may say, hey, you're a specialist in

00:14:31
this tool, we also need you to touch this, you know, be open to

00:14:35
it, because as soon as you start pigeonholing yourself, you

00:14:39
know that field is going to evolve right, like we're seeing,

00:14:42
or we saw the traditional firewall basically go extinct

00:14:47
overnight with what's called the next gen firewall, and now

00:14:51
they're still calling those next gen firewalls like the newer

00:14:52
version.

00:14:52
They're calling that next gen, right, but you have to relearn

00:14:57
this tool.

00:14:57
It has additional capabilities, additional things that you need

00:15:00
to learn and components.

00:15:02
Speaker 2: Yeah, absolutely.

00:15:02
There's so many great insights in this podcast when in the

00:15:06
discussion you have but you, you , you bring up a good point too

00:15:09
about learning by doing.

00:15:13
You know when you created your proxy and hands on the keyboard,

00:15:15
skill development, which I think is still important, no

00:15:19
matter where you are, even when you go into management just to

00:15:23
practice.

00:15:23
Some of that stuff is really good.

00:15:26
Speaker 1: Yeah, absolutely.

00:15:26
So.

00:15:26
You mentioned a little bit about getting into the, the

00:15:29
speaking circuit, talking at different conferences and

00:15:34
whatnot.

00:15:34
As someone that is looking to potentially do that in the next

00:15:38
12 months, how in the world does someone get started in that?

00:15:42
The daunting task of, you know, speaking in front of hundreds

00:15:49
of people, even tens of people, will make anyone nervous, in my

00:15:53
opinion.

00:15:54
Like, how do you get past that?

00:15:55
What do you decide you're going to talk on?

00:15:57
The issue that I have, personally, is thinking that

00:16:02
what I have to talk about is actually important enough to

00:16:04
talk about it.

00:16:05
I feel like I'm still the dumbest person in the room on

00:16:09
stage, just like all right, yeah .

00:16:12
Speaker 2: So great question Is this something you're thinking

00:16:15
about doing?

00:16:15
Just curious.

00:16:16
Speaker 1: Oh yeah, yeah, I definitely want to do it.

00:16:19
It's just about making that jump.

00:16:21
Speaker 2: Yeah.

00:16:21
So it's a huge leap.

00:16:23
In that very first one I'd say there's no getting around it.

00:16:26
It's painful and nerve-wracking and hard on the first one, but

00:16:31
it gets easier.

00:16:32
So, to answer your question, I had a great mentor, john

00:16:35
Kinervog, who kind of got me started on it.

00:16:38
So I could say, if you have someone you can co-present with,

00:16:42
like, do the research together.

00:16:43
It makes it kind of a team effort and it kind of takes a

00:16:47
little bit of pressure off of you because you're not failing,

00:16:50
you're failing with one other person the risk of doing that.

00:16:52
So that's one idea and I think.

00:16:55
I think what I did is I had first already created the

00:16:57
research first, before I worked on the presentation, and then

00:17:02
started pedaling it to the conferences, which I think is

00:17:06
important, because once I spoke at my first conference I started

00:17:11
getting the bug and I wanted to do it.

00:17:12
And what I started doing which I don't do anymore is I started

00:17:17
working on CFPs and presentation proposals with great ideas and

00:17:23
if I got accepted I would let the research evolve as I was

00:17:27
getting ready to present, versus doing the research first and

00:17:31
finishing it and then having the presentation evolve when you

00:17:36
apply for the CFPs.

00:17:38
Does that make sense.

00:17:39
So, instead of doing it the CFP first and then doing the

00:17:42
research, kind of finish the research or at least get halfway

00:17:46
through it and then start thinking about how you want to

00:17:50
present that to the world.

00:17:51
The other piece of advice I can give is, man, find something

00:17:54
that inspires you, that you're passionate about, and letting it

00:17:58
evolve organically.

00:17:59
Because when I created the tool and I started first doing it,

00:18:03
it was from the pen testing I was doing.

00:18:06
It was like a lesson learn, case study from a real pen test

00:18:10
and it kind of evolved into something I just want to share

00:18:12
with the community, kind of like a case study.

00:18:16
So I think, yeah, I'd say, first finding something you're happy

00:18:19
and passionate about that you can grab onto, kind of maybe

00:18:22
like a hobby of some sort.

00:18:24
I've kind of gotten back into this now and I've created some

00:18:27
new tools on my GitHub and I've started kind of getting back

00:18:31
into the speaking.

00:18:31
But I'm taking a different approach.

00:18:33
Like I said, I'm waiting until I'm done with the tool and the

00:18:37
research and then I think, well, that would be cool to show this

00:18:40
here or there.

00:18:41
I'm not in a rush, it's kind of like enjoying the process.

00:18:45
It's not a marathon.

00:18:46
It's like the grind of letting things evolve more naturally.

00:18:49
And then, hey, how can I present this at a conference?

00:18:54
Speaker 1: Yeah, I think it's definitely more of a process

00:18:57
right of deciding the topic and whatnot and kind of, I guess,

00:19:02
doing the research and setting that end goal right, Like DEF

00:19:05
CON, for instance.

00:19:06
Maybe in January you submit the paper, get approved and then

00:19:10
you're working towards that goal .

00:19:11
I think I definitely need that goal or that target date right

00:19:16
to motivate myself to get the stuff done on time and make the

00:19:20
progress that I need to make.

00:19:21
I think it's more about at this point deciding what I want to

00:19:24
talk on and maybe not even worrying about the value that it

00:19:28
provides to the community necessarily Not to say that I

00:19:32
don't want to provide value, but I think I get hung up on that

00:19:37
too often and it holds me back where it's like well, is this

00:19:41
providing value?

00:19:42
Am I, am I doing anything good here?

00:19:45
That's my opinion.

00:19:47
Yeah, I see what you're saying, To kind of change gears here.

00:19:51
You're also a sans instructor.

00:19:53
You kind of you kind of glanced over that left, that left that

00:19:57
fact out.

00:19:58
Right, you know how in the world does someone become a sans

00:20:02
instructor?

00:20:03
Like, do you have to have, like you know, all their

00:20:05
certifications, prove that you have this industry top tier

00:20:09
knowledge and go through the process like that, or you know

00:20:13
what is that like?

00:20:14
Because everyone knows, you know, sans certifications is the

00:20:18
gold standard and security.

00:20:19
There's nothing else on the market that beats it.

00:20:22
But it's also very expensive.

00:20:25
So finding an employer that will pay for it is like

00:20:29
absolutely critical.

00:20:30
It's like a gold mine.

00:20:31
You don't just, you don't just leave that employer.

00:20:33
Speaker 2: Yeah, absolutely it is.

00:20:35
They are expensive, but I am kind of biased I think.

00:20:38
I think they're worth it.

00:20:39
But so how to get started?

00:20:42
So my quick little story on that is Sands does have

00:20:48
different programs that also offset some of the costs as well

00:20:51
.

00:20:51
I'll mention this too.

00:20:52
They have a program called work study Joe, where you can, you

00:20:58
can apply and get discounted tuition and you kind of help out

00:21:02
and assist as a moderator, facilitator for a sans class,

00:21:05
but you get greatly reduced tuition.

00:21:08
So they do have a program that allows you to take a class and

00:21:10
not pay the full price.

00:21:12
So as far as entry into it and getting started on it, I think

00:21:18
what you have to do to get into it is you take a sans class.

00:21:21
So you have to find a way to take a sans class.

00:21:24
Or you take a certification exam for one of the jacked sans

00:21:28
certifications and if you score I think this the score is 90% or

00:21:34
better you get invited into the program where you can be a TA

00:21:40
for the class.

00:21:40
Now, this isn't for all the classes but some of the more

00:21:44
technical classes.

00:21:44
Hands on, they have what are called virtual TAs or TAs.

00:21:47
So you're helping out, assisting students with the labs

00:21:51
and that kind of gets you potentially into the instructor

00:21:53
development program as a TA.

00:21:55
You start helping out, getting more and more hands on

00:21:58
experience and you get to know the instructors and they can

00:22:01
recommend you and you kind of get vetted and recommended that

00:22:04
way.

00:22:05
And then you kind of there's a whole program that you start

00:22:08
proving yourself once you're in that program, where you start

00:22:11
you know you do a little co teach like a partial co teach

00:22:14
and then you go up to where you're doing half a day co teach

00:22:16
, where you're teaching half the day with another sans

00:22:19
instructor and you flip that to the other day and then you

00:22:23
eventually do a teach on your own.

00:22:25
So it's a meritocracy.

00:22:27
You have to prove yourself and so forth.

00:22:29
But there's always an entry point right, there's always a

00:22:32
starting point.

00:22:33
So the the starting point is probably within the whole sans

00:22:36
community.

00:22:36
You either have to pass the exam and prove yourself with a

00:22:39
score or you have to take the class and improve yourself with

00:22:43
a score and then it goes from there.

00:22:44
Speaker 1: Hmm, you know, in your own sans certifications,

00:22:49
which certification would you say is was the most difficult

00:22:53
for you to get?

00:22:53
I would assume the G-Pen.

00:22:55
If you have it, it would be the easiest right, because you were

00:22:58
a pentester.

00:22:59
I think that's an easy assumption to make, but maybe

00:23:01
that's not true.

00:23:02
Speaker 2: Yeah, great question.

00:23:03
When I started out teaching for sans, they had a program called

00:23:08
sans mentor, sans community instructor, which they don't

00:23:11
have that anymore, and so I was going to tell you that was kind

00:23:14
of the way to get started is as a sans mentor you do small

00:23:18
little teaching groups, which is a great way to get yourself

00:23:20
exposed to teaching.

00:23:21
But yeah, when I got started I was involved in the 504, which

00:23:26
the GCIH exploits incident, handling that class and then the

00:23:29
560 G-Pen were kind of the classes.

00:23:31
Now, another thing is I started as a student man.

00:23:34
I I've always been a lifelong learner, I'm a big fan of sans

00:23:38
classes.

00:23:39
So how I kind of got started with sans is I was a student

00:23:42
paying for the classes.

00:23:43
I got lucky because my employer and this is something maybe to

00:23:47
think about and recommend to others, there are companies that

00:23:50
do support their employees to take sans classes flat out.

00:23:55
So in the interviewing process, if that is something that's

00:23:59
valuable to you, you could actually negotiate with your

00:24:02
employer to say, hey, what's the tuition budget per student?

00:24:06
And with one particular employer I said I want to take

00:24:10
two sans classes a year and they said done, and so that was kind

00:24:14
of negotiated up front.

00:24:15
So maybe this is something even someone early on in their

00:24:18
career can be looking into, because when you have your

00:24:21
employer sponsoring you on this, it makes it so much easier to

00:24:25
get started, joe.

00:24:26
So I was very fortunate in that and that's how I took some of

00:24:33
these classes like forensic incident response 504, forensic

00:24:37
508 in the G-Pen, and so back to your question.

00:24:41
I started out as an instructor in 504 G-Pen and the hardest

00:24:45
class for me was during COVID.

00:24:49
I had to pivot over to the brand new cloud penetration

00:24:52
testing class 588.

00:24:54
I don't know if you heard of this class, but at the time

00:24:57
around COVID in 2020, this is a brand new class and a lot of the

00:25:03
instructor opportunities shut down because 588 was a brand new

00:25:07
class and I happened to know the instructor.

00:25:09
He kind of invited me on and said hey, do you want to have an

00:25:12
opportunity to teach this class ?

00:25:14
So, to answer your question, the GCPN the cloud penetration

00:25:18
testing was the hardest thing to pivot over to because it was

00:25:21
just a brand new class and the content was so much more like a

00:25:26
site reliability engineer type pen tester, network system, app

00:25:31
pen test.

00:25:31
It was just more challenging content for my background in,

00:25:35
like G-Pen and app pen testing.

00:25:37
So does that answer your question?

00:25:40
Speaker 1: Yeah, yeah, I think so.

00:25:42
I mean it's interesting, right, Like you would think that a pen

00:25:46
tester really of any caliber, that the skills would translate

00:25:50
easily across, like on-prem and cloud and whatever it might be,

00:25:55
right, Like containerized environments and whatnot.

00:25:57
But that's not always the case, you know, and I guess that

00:26:01
there's a reason why there's different specialties, right,

00:26:04
Like there's physical pen testers.

00:26:06
If you want to break into a building or infiltrate a

00:26:09
facility, you know there's people that carry around lock

00:26:13
picks and you know different methods of bypassing, you know

00:26:17
biometrics and all that sort of stuff, right.

00:26:20
And then, if you want to, you know pen test the actual network

00:26:23
.

00:26:23
There's a different specialized person for that.

00:26:26
So it only makes sense that there's a specialized, you know

00:26:31
cloud pen testing skill set.

00:26:33
Honestly, I never really thought about it like that.

00:26:36
It makes sense, though.

00:26:37
Speaker 2: Yeah, yeah, you bring up a great point Honestly, like

00:26:40
the pentesting methodology and approach is, you know, if you

00:26:44
have network or app pentesting, it's similar, yet different,

00:26:48
right?

00:26:49
So the difficult thing, I think, to wrap your mind around if

00:26:52
you're kind of new to it and we have a lot of people in the

00:26:54
class that are like very experienced pentesters, either

00:26:58
internal red team or consultancy type pentesters, and so I think

00:27:02
the difference is kind of like you're using the cloud control

00:27:05
plane to carry out attacks, whereas you have to shift your

00:27:08
mind because, like in the 90s and 2000s, it was coming in

00:27:11
through the front door into a data center on premise where you

00:27:14
know you had network services that were vulnerable on the edge

00:27:17
of the network or apps.

00:27:19
And now, with cloud pentesting, it's more.

00:27:21
You're using the cloud control plane.

00:27:22
So it's like how do I use the AWS CLI and the Azure AZ to

00:27:27
carry out attacks?

00:27:28
How am I carrying out attacks with Kubernetes and containers,

00:27:32
with kube cuddle, and so, yeah, it's like you're coming in

00:27:35
through the front door, but there's also, you know, there's

00:27:37
an overlay network and an underlay and you're coming in

00:27:39
through the cloud control plane.

00:27:40
So wrapping your mind around that, you know, and all the

00:27:43
different cloud services is definitely a little bit of a

00:27:47
shift, so to speak.

00:27:49
Speaker 1: So are you basically trying to use the cloud's

00:27:54
control plane against itself to gather information and have it

00:27:59
disclose more information than it should, or how does that work

00:28:03
?

00:28:03
Because that's a very interesting technique.

00:28:04
That's a very interesting method.

00:28:06
Speaker 2: Yeah, so potentially yes, and so the idea is that you

00:28:10
could take the authorization key material from whatever the

00:28:13
cloud provider is, whether it's GCP, aws or Azure a identity

00:28:18
like a programmatic access key in AWS.

00:28:21
So you're taking that as your starting point and saying what

00:28:24
are the privilege escalation and attack pathway primitives for a

00:28:28
developer or an admin within AWS environment to abuse the

00:28:31
network or a non-privileged programmatic access key?

00:28:35
How can they pivot unauthorized to another S3 bucket or how can

00:28:40
they elevate their privileges to become root or whatever the

00:28:44
scenario is.

00:28:44
So yes, you can do black box approach, but you can also say

00:28:49
let's start with some key material data, like a cloud

00:28:51
identity, and let's see how what can be abused within the

00:28:55
environment.

00:28:57
Speaker 1: That's really interesting.

00:28:58
And then I assume there's a different set of rules of

00:29:02
engagement for that sort of work , right, Because you have to

00:29:07
kind of get whatever AWS will allow it to be pentesting their

00:29:11
environment, and if it deviates from that you'd probably have to

00:29:14
get special approval in one time right, correct, yeah.

00:29:18
Speaker 2: And the beauty of it, the cloud providers each have

00:29:21
documented their terms of service for their services.

00:29:24
So you can go to their Pintest page.

00:29:25
You can basically scope out each one of the services that's

00:29:29
allowed.

00:29:29
Some of them you don't even have to get permission to

00:29:32
Pintest, some of them you do, and some of them are prohibited

00:29:35
type of activities.

00:29:36
So you do have to kind of map it out that way.

00:29:39
But yeah, I mean, the idea is a customer, you can test from the

00:29:44
outside to get unauthorized access to a cloud environment or

00:29:47
gain access, like if you can do code execution on a developer's

00:29:51
laptop, you can actually extract off their key material,

00:29:55
right?

00:29:55
So at that point it's become a control playing cloud Pintest to

00:29:59
see how you can pivot using the SDK, right?

00:30:03
Or another scenario is within the rules of engagement, and

00:30:08
this is kind of something we encourage is like what if you

00:30:10
tell the customer, let's just assume that a developer was

00:30:13
phished, right, and that someone got access to a programmatic

00:30:17
access key, right?

00:30:19
So let's start the Pintest with the key you've provided us, the

00:30:24
customer, that's non privileged key, and so that's a part of

00:30:28
the Pintest.

00:30:28
It's just included to see what are the privileged escalation

00:30:32
attack pathways.

00:30:33
Speaker 1: Interesting.

00:30:33
So, Jason, what are you working on or creating right now?

00:30:41
You mentioned before you created the VoIP tool.

00:30:44
I'm wondering if you're creating any new interesting

00:30:48
tools right now.

00:30:49
Speaker 2: Yeah, man, I love that question too.

00:30:51
Now I'm back in the community creating new tools, and I have

00:30:56
tools planned and I have a huge list of tools that I have in my

00:31:01
software roadmap, and so one of the tools that I released, that

00:31:03
I've been working on the last three years, is called Purple

00:31:08
Cloud.

00:31:08
Have you heard of Purple Cloud?

00:31:10
Yeah, I have mostly from you, yeah yeah, so Purple Cloud is up

00:31:14
on GitHub on my GitHub but it's basically a simulation tool

00:31:18
that allows you to create your own cyber range, and it's

00:31:22
focused on Azure and it allows you, using Terraform it's an

00:31:26
infrastructure as code simulator allowing you to create like

00:31:28
eight different types of use cases for your own custom Azure

00:31:33
security lab, and so you can create it and you can pretend

00:31:36
like you're a blue team or a network defender, like a cloud

00:31:39
architect, cloud security engineer, or you can practice

00:31:43
Pintesting techniques against it , and it's your own sandbox and

00:31:47
your own Azure account that you spin up with Terraform and then

00:31:51
you destroy it when you're done.

00:31:52
So that's one tool I created, and I created another

00:31:57
reconnaissance tool called Cloud Edge.

00:31:59
It's coded in GoLang, kind of has a novel approach, but it's

00:32:03
basically a cloud reconnaissance tool that loads in all the IP

00:32:07
addresses of the cloud providers into memory and then does

00:32:11
performant lookups of an IP address or a DNS domain, mapping

00:32:15
that IP to the cloud provider service, and all of this is

00:32:20
automated.

00:32:20
It's a recon tool that helps for bug bounty, but can also be

00:32:25
Cloud forensics and investigations when Cloud assets

00:32:27
are used for attacks.

00:32:28
You can use it to look up and find an IP and map it to that

00:32:32
Cloud provider.

00:32:33
Wow, yeah, those are two of the recent tools that I've done, and

00:32:40
I'm working on Purple Cloud for AWS.

00:32:42
I'm working on a new version of Purple Cloud for AWS.

00:32:44
Oh, okay, that's what I was talking about.

00:32:47
I have a software roadmap.

00:32:49
I'm going to finish it first before I look at conference

00:32:52
stuff.

00:32:52
I get your thing on conferences where sometimes you just put in

00:32:57
the CFP and do it, but with software I have to get it done

00:33:02
and then I'm going to put in for the CFP, right, yeah, those are

00:33:07
the two tools that I've worked on recently.

00:33:09
Yeah, but I also work for SANS full-time.

00:33:13
I do DevOps for SANS.

00:33:15
That's a whole other story.

00:33:17
Speaker 1: That's like a whole other podcast, basically.

00:33:20
Well, jason, I'm always very conscious of my guest's time.

00:33:24
When I say it's a certain amount of time, I tend to stick

00:33:28
to it, or at least I try to.

00:33:30
Before I let you go, how about you tell my audience where they

00:33:34
could find you, where they could find tools that you're

00:33:37
developing and any other information that you may want to

00:33:41
put out there for people to get ahold of you?

00:33:43
Speaker 2: Yeah, sure, I'm happy to connect my GitHub repo where

00:33:46
my tools are.

00:33:47
I have a different handle.

00:33:48
It's GitHub slash, my username, which is, I know Jason, it's

00:33:53
I-K-N-O-W.

00:33:55
Jason.

00:33:56
I know Jason.

00:33:57
A little play on, I know Jason, or whatever.

00:33:59
My Twitter.

00:34:01
I'm trying to get more active on Twitter, but you can reach

00:34:04
out DM and so forth.

00:34:06
My Twitter handle is security puck.

00:34:09
It's just security puck, as you would expect.

00:34:12
Yeah, those are the good ways to reach out.

00:34:16
Speaker 1: Awesome.

00:34:16
Well, thanks, jason.

00:34:18
I really appreciate you coming on and I hope everyone enjoyed

00:34:21
this episode.