Just as a river takes unexpected turns, so too does a career journey. Our special guest, Jason Ostrom, began with an eye towards federal law enforcement but found himself swept away into the world of Linux and security engineering for startups. A chance encounter with a mentor opened the door towards a career in cybersecurity, and the creation of a game-changing pen test tool. Discover the story behind his first presentation at a hacker conference and how the early days of parenthood influenced his journey.
Ever wonder why a broad skill-set trumps specialization in cybersecurity? Jason breaks it down, emphasizing why IT experience, soft skills, and understanding the business context for executing vulnerabilities can make or break your success in this industry. Whether you're on cloud nine or keeping it grounded with on-prem projects, Jason explains why adaptability is crucial and how to keep your skills sharp and marketable.
Lastly, Jason demystifies the process of presenting at cybersecurity conferences and how to become a SANS instructor. The desire to teach or earn a SANS certification burns in many, but the path can seem obscured by smoke. Jason clears the air, providing a transparent look into the pros and cons of this career move. If you're fascinated by the world of pen testing, this episode will shed light on the various types and the importance of gaining broad experience before selecting a specialty. Buckle up, this ride with Jason is not one to be missed.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Jason.
00:00:01
It's been a long time since we last talked, even over video.
00:00:06
I'm really excited for our conversation today.
00:00:09
Yeah, hey.
00:00:10
Speaker 2: Joe man, thanks for having me on.
00:00:12
This is a.
00:00:13
I'm super pumped about this.
00:00:14
But yeah, how you doing, man, it's.
00:00:16
It's been a while and in fact we, we actually go way back,
00:00:20
don't we?
00:00:21
Yeah?
00:00:23
Speaker 1: At a very interesting place, especially for someone
00:00:26
coming like straight out of college, learning IT, and then
00:00:31
being put into an environment where you have to troubleshoot
00:00:34
complex issues without touching a keyboard or a mouse, can't go
00:00:38
to the bathroom without a supervisor, like what a what an
00:00:42
interesting set of circumstances.
00:00:44
Speaker 2: Oh yeah, there's definitely interesting customer
00:00:47
with that.
00:00:48
I think we can actually say it was a three letter agency.
00:00:51
That's the most we can say.
00:00:53
But uh, were you working for a security vendor?
00:00:55
There was like a PAM, privilege identity access management or
00:00:59
something like that.
00:00:59
Speaker 1: Oh no, I'm sure if I was working with a PAM solution
00:01:02
I would have like pulled my hair out.
00:01:04
What, what little hair I had at the time.
00:01:06
I was working with an E911
00:01:09
vendor.
00:01:10
Speaker 2: Hmm, yeah, it wasn't E911.
00:01:12
It was a telephony related solution project we were working
00:01:16
on, so that makes sense.
00:01:17
Speaker 1: Yeah, yeah, that I mean even you know.
00:01:20
Thinking back, I didn't think of how much you know security
00:01:26
work I would actually have to do, uh, when I was on site at that
00:01:30
agency.
00:01:30
The reason being is that, you know, when you're going on site
00:01:34
you're told you know by the person who's in charge of all of
00:01:37
it at that company at that time that oh, this is JITC
00:01:41
certified.
00:01:42
We're good to be there.
00:01:43
You know they always want to make security changes, but we're
00:01:46
certified, so we're good to go Right.
00:01:48
And then you guys start hacking away at this thing right right
00:01:53
in front of me, asking me questions like well, why, why
00:01:56
can I do this?
00:01:57
If it's certified, why can I do this?
00:01:58
So why does it break after you run this stick?
00:02:00
And you know, it's like me, six months, maybe eight months at
00:02:05
the time out of college still learning you know the alphabet
00:02:10
of IT is like, well, I don't know.
00:02:12
I guess I got to go crack open a book in the hotel room because
00:02:15
apparently I'm not leaving this site until we figure it out.
00:02:19
Speaker 2: Yeah, that was certainly trial by fire on
00:02:22
learning on that.
00:02:22
That's the definition.
00:02:23
Good experience overall, though, yeah.
00:02:26
So hey, congratulations on your, on your kid.
00:02:28
By the way, I won't get personal or anything, but
00:02:31
congrats on that.
00:02:32
That's awesome.
00:02:33
Speaker 1: Yeah, absolutely, I mean it's.
00:02:34
I appreciate that it's.
00:02:36
It's been challenging for sure.
00:02:39
I guess it's it's fun and rewarding to have kids.
00:02:42
It absolutely is.
00:02:43
It's just that first year, right, that is just like it's
00:02:47
brutal, absolutely getting over the hump there, and it's not
00:02:50
easy to work at a nine to five job doing a podcast, doing
00:02:54
consulting and all the other things that I do, right, and if
00:02:58
I it's, it would be impossible to do all of that, really any of
00:03:02
that, without having my wife stay home.
00:03:06
Speaker 2: I wish I could give you some negative advice, but
00:03:08
just one day at a time really pushes you through.
00:03:10
But it does get easier, it does get better, right.
00:03:13
Speaker 1: So, Jason, you know I like to start everyone off with
00:03:18
how you got into IT, how you got into security.
00:03:20
The reason why I do that is because I have a lot of audience
00:03:25
that it could be their first time, you know, going down the
00:03:28
path of trying to get into IT or trying to get into security.
00:03:30
Maybe they're doing a career change and hearing everyone's
00:03:35
path into it, you know, maybe lets that one person know like,
00:03:39
hey, it's possible, this person did it.
00:03:41
Maybe it's possible for me too.
00:03:43
Maybe I can do this thing.
00:03:43
You know, what was your origin story like?
00:03:48
Speaker 2: Yeah, great question, man.
00:03:49
I'm super excited to be on this podcast.
00:03:51
So my story is I actually started out cutting my teeth in
00:03:56
IT before I really got into cybersecurity.
00:03:59
And I'll make one point which I think is different than today
00:04:03
when you see a lot of college graduates going straight into
00:04:06
cybersecurity, infosec jobs, you know where they're doing pen
00:04:09
testing or something of that nature.
00:04:11
I had to kind of cut my teeth with IT so I was doing kind of
00:04:15
Linux engineer, sysadmin, slash network engineer, security
00:04:20
engineer for a few years for startups, before I even got into
00:04:25
cybersecurity where I started doing, you know, penetration
00:04:28
testing.
00:04:28
I think I didn't do my first pen test until about 2004.
00:04:32
Yeah, so when I graduated from college it's interesting, Joe I
00:04:36
was really interested in law enforcement, federal law
00:04:38
enforcement, going into the FBI, and at that time you had to
00:04:42
have like four years of undergraduate experience after
00:04:46
college if you weren't master's degree.
00:04:48
So I was like you know what?
00:04:49
I'm going to do some cool IT stuff for a few years because I
00:04:52
got to get some experience under my belt, something and I'm
00:04:55
going to do computer crime squad , FBI type stuff.
00:04:57
So I was kind of going down that path of like I'm going to
00:05:01
do IT and security for a while to get some good experience, but
00:05:04
my ultimate goal is law enforcement.
00:05:07
And then I kind of fell into something where the whole FBI
00:05:11
thing fell through and I found another pathway.
00:05:13
But I was inspired by someone who was a mentor of mine and I
00:05:18
wrote a tool and I did a blog.
00:05:20
I wrote this pen test tool.
00:05:21
I was working for a pen test mill, so to speak, doing back to
00:05:25
back pen testing over and over again, and my boss at the time
00:05:28
is a brilliant guy by the name of John Kindervag.
00:05:31
He's done a lot of zero trust stuff.
00:05:33
He was my boss, my mentor at the time, and I was deathly
00:05:36
afraid of speaking at conferences and he convinced me
00:05:39
to speak at my first hacker conference and I presented this
00:05:43
tool called VoIP Hopper, a network pen test, kind of a UC pen
00:05:47
testing tool and it kind of took off for me there.
00:05:50
I decided you know, I want to do something cool in the
00:05:53
community to kind of give back to the community.
00:05:56
And they didn't have kind of taken off and I started speaking
00:05:58
at conferences like DEF CON and I kind of got the bug on doing
00:06:03
research and so I was really heavily involved in VoIP and UC
00:06:06
pen testing at the time.
00:06:08
This is kind of like the mid 2000s.
00:06:09
So it's kind of where I went off into getting into a niche
00:06:14
and I say it's going to be a generalist, but it's also good
00:06:17
to have a specific area within cybersecurity to specialize in,
00:06:22
you know.
00:06:22
But yeah, that's kind of to answer your question.
00:06:24
That's kind of my story.
00:06:25
I really got into pen testing and doing research and I'm also
00:06:30
happy to say that that tool I wrote, VoIP Hopper, is actually
00:06:33
still included in Kali Linux to this day, which is hilarious
00:06:37
because the tool was like was like written in 2005 type frame.
00:06:41
So but yeah, kind of answer your question on how I got
00:06:44
started.
00:06:45
And then I kind of connected with you, I think around 2014
00:06:50
when, when I was heavily involved in the VoIP UC security
00:06:53
world.
00:06:54
Speaker 1: Yeah, yeah, that was.
00:06:55
That was definitely an interesting time, for sure.
00:06:58
But you know you touch on a really important part of what I
00:07:03
would view as a successful journey.
00:07:06
Right Is getting a broad range of experience and then dialing
00:07:11
it in, and that's what I always recommend to people.
00:07:13
You know, I mentor some people coming out of college, coming
00:07:17
out of different security bootcamps, and even with the
00:07:21
security bootcamp experience, I still recommend that people get
00:07:26
experience in IT.
00:07:26
Right, because when you're in IT, when you're in help desk,
00:07:29
you're learning how to talk to people under stressful
00:07:32
situations.
00:07:33
You're learning how to even negotiate with people.
00:07:36
When you're 100% correct, you couldn't be more correct and
00:07:41
this other person who's a higher rank than you is, you know,
00:07:45
wrong or not 100% correct and it bugs you, it eats at you.
00:07:50
Right, you have to find that middle ground.
00:07:52
You have to develop those soft skills that will carry you
00:07:55
forward in security, because you can probably do the security
00:07:59
work you know from a technical perspective right, like you
00:08:02
could probably technically do it, but you would not make any
00:08:05
friends, you would make a whole lot of enemies.
00:08:09
Your tools would probably be ripped out the day that you
00:08:12
leave and you're not going to make you know really that much
00:08:15
progress and so it's important to really get that generalized
00:08:20
experience and then dial it in.
00:08:21
You know, over time, as you get more experience Is that kind of
00:08:25
how you thought about it as well when you started going down
00:08:29
this journey.
00:08:29
You know, when you realized that federal law enforcement
00:08:33
wasn't working, it's like, okay, well, maybe I'm going to find a
00:08:36
specialty.
00:08:37
Then, you know, maybe I'm going to dial something in and get
00:08:40
really good at it.
00:08:40
Speaker 2: Yes, absolutely.
00:08:42
I could not agree with you more.
00:08:44
I think we're saying the same thing here and I think is
00:08:47
cutting your teeth and IT and getting that strong foundation
00:08:50
before getting deeper into cybersecurity.
00:08:53
For example, if you're talking about something like penetration
00:08:55
testing as a use case, an example, Joe, it's all about
00:08:59
context and business context, right, when you're executing
00:09:02
vulnerabilities to show business risk, if you're you know
00:09:06
straight out of college and going in and you're doing pen
00:09:08
testing and you're you're exploiting vulnerabilities and
00:09:11
flaws, but you don't have that business context to know how the
00:09:15
vulnerabilities impact the business and disruption of
00:09:18
revenue, it revenue, operations it's a major deal, right.
00:09:22
And just having that experience to sit down with network
00:09:24
engineers, developers, system administration, CIO and CTO is
00:09:29
being able to talk to them.
00:09:30
So that's one key point and I think that's different than
00:09:33
today's market, right, because you see a lot of people going
00:09:36
straight in with little to no experience.
00:09:38
And I'm not I'm not hating on anyone or anything, I think just
00:09:41
the marketplace has changed and they're saying that there's a
00:09:45
dearth of skills and the skilled cybersecurity people, but then
00:09:49
it seems like you have a lot of people going in that haven't
00:09:53
formed that strong foundation.
00:09:54
So I totally agree with you there.
00:09:56
And then, relating to my story, yes, when I decided that I was
00:10:01
going to have a different path than the FBI, I basically
00:10:04
decided well, I kind of want to make a name for myself, I want
00:10:07
to create like a cool tool and give back to the community.
00:10:09
I'd already been doing the pen testing a while and, and so I
00:10:14
think it helped me to get better , to have that specific
00:10:19
knowledge but also kind of a generalist for like network and
00:10:22
app pen testing, but also specific to VoIP/UC, and creating
00:10:27
that tool really helped me as a practitioner.
00:10:29
And I think also there's there's another kind of lesson
00:10:32
learned here.
00:10:33
It's like Joe, I think in my career I've learned when you go
00:10:36
too deep into the rabbit hole and become too much of a
00:10:40
specific skill on something, that, for example, with VoIP/UC,
00:10:45
at the time it was really, really hot.
00:10:47
You know a lot of people were speaking at conferences, it was
00:10:50
like the cool kid and it kind of died in its popularity and now
00:10:54
VoIP/UC is not considered a hot topic.
00:10:56
Now it's like cloud security and you know, machine learning
00:10:59
and all that stuff.
00:11:01
But I think it's good to have a generalist approach but also
00:11:05
being adaptable and flexible to like changing what your
00:11:09
specialty area is is what I was saying.
00:11:10
So I'm getting in more kind of changing the conversation.
00:11:15
But yeah, it's generalist versus specialist.
00:11:18
On your experience and I found when you go too deep in the
00:11:22
rabbit hole, you kind of box yourself in which might limit
00:11:26
yourself.
00:11:26
So sometimes it's good to take a step back and be like I'm
00:11:29
going to be a generalist.
00:11:30
I think you'd apply that to anything like cloud security,
00:11:33
cloud architect, whatever.
00:11:34
Right now that's the hot area and there might be lots of
00:11:38
specialty areas within that.
00:11:40
So each cloud provider is a whole world.
00:11:42
Within that cloud provider they might have 600 services and so
00:11:47
you could be spending a lot of time on one thing.
00:11:48
Does that make sense?
00:11:50
It's kind of like how has your experience been on that?
00:11:53
Speaker 1: Yeah, yeah, I think that makes a lot of sense.
00:11:57
When you were discussing being a generalist while having a
00:12:02
specialty right, it reminded me when I was trying to make the
00:12:05
jump into cloud security and be more specialized in cloud
00:12:10
security, because I saw that that's where everything was
00:12:12
going.
00:12:13
I had to do still a lot of other projects that were on-prem
00:12:18
based, not based in the cloud.
00:12:20
I got zero cloud experience from those projects, but I still
00:12:24
had to do it and I still kept up the skill set in a way and
00:12:29
convinced people like hey, I'm a generalist, yes, I do focus on
00:12:33
the cloud, but at the end of the day, I can do just about
00:12:36
anything, which is it's not an easy thing to do and that makes
00:12:39
you better.
00:12:40
Speaker 2: I mean obviously that makes you better.
00:12:42
Right, improved your skills and your marketability.
00:12:45
Speaker 1: Right, yeah, because I'll give you an example.
00:12:50
I was going to go work for a large mortgage company here in
00:12:53
the Midwest and I interviewed for a cloud security role and
00:12:58
after I had accepted the offer, the manager called me and said
00:13:02
hey, I actually have this urgent project I would need you to
00:13:04
work on because everyone else is bogged down with work.
00:13:07
It's not cloud security related, but I only need you to do it
00:13:11
through the end of the year and then you can pick up the cloud
00:13:14
security work.
00:13:14
And I said, okay, well, I'll do it until, how
00:13:17
about October 31st?
00:13:18
And then November I started doing cloud work and he agreed
00:13:21
to it, and so I you know, full blown rolled out this cloud web
00:13:26
proxy that I've never worked with before.
00:13:29
You know, I've rolled out a proxy before, but it definitely
00:13:32
was not this solution.
00:13:32
So I kind of knew what to do, but at the same time it acted
00:13:37
very differently.
00:13:37
And so you're learning the nuances and I I rolled out this
00:13:40
solution 100% by October 31st.
00:13:43
I kept up my end of the deal, and then they had to keep up
00:13:47
their end of the deal because you know, they know, that that
00:13:49
frustrates me, right.
00:13:50
Like the benefits of having this podcast is that it kind of
00:13:54
allows potential employers to hear my personality beforehand,
00:13:58
to know my, my thought pattern, you know, without me having to
00:14:02
tell them like, hey, I find this to be kind of insulting when
00:14:05
you sell me one thing and then you tell me to do another, and
00:14:08
it's confusing for me, it's disappointing, you're going to
00:14:11
get my hopes up and then I'm going to be disappointed.
00:14:13
It's not a good look, you know.
00:14:14
But but they were able to overcome that by just being
00:14:19
upfront with me, you know.
00:14:20
I think that that's what's important and also, you know,
00:14:24
when you're trying to specialize, also being open to that
00:14:27
possibility, right, someone may say, hey, you're a specialist in
00:14:31
this tool, we also need you to touch this, you know, be open to
00:14:35
it, because as soon as you start pigeonholing yourself, you
00:14:39
know that field is going to evolve right, like we're seeing,
00:14:42
or we saw the traditional firewall basically go extinct
00:14:47
overnight with what's called the next gen firewall, and now
00:14:51
they're still calling those next gen firewalls like the newer
00:14:52
version.
00:14:52
They're calling that next gen, right, but you have to relearn
00:14:57
this tool.
00:14:57
It has additional capabilities, additional things that you need
00:15:00
to learn and components.
00:15:02
Speaker 2: Yeah, absolutely.
00:15:02
There's so many great insights in this podcast when in the
00:15:06
discussion you have but you, you, you bring up a good point too
00:15:09
about learning by doing.
00:15:13
You know when you created your proxy and hands on the keyboard,
00:15:15
skill development, which I think is still important, no
00:15:19
matter where you are, even when you go into management just to
00:15:23
practice.
00:15:23
Some of that stuff is really good.
00:15:26
Speaker 1: Yeah, absolutely.
00:15:26
So.
00:15:26
You mentioned a little bit about getting into the, the
00:15:29
speaking circuit, talking at different conferences and
00:15:34
whatnot.
00:15:34
As someone that is looking to potentially do that in the next
00:15:38
12 months, how in the world does someone get started in that?
00:15:42
The daunting task of, you know, speaking in front of hundreds
00:15:49
of people, even tens of people, will make anyone nervous, in my
00:15:53
opinion.
00:15:54
Like, how do you get past that?
00:15:55
What do you decide you're going to talk on?
00:15:57
The issue that I have, personally, is thinking that
00:16:02
what I have to talk about is actually important enough to
00:16:04
talk about it.
00:16:05
I feel like I'm still the dumbest person in the room on
00:16:09
stage, just like all right, yeah.
00:16:12
Speaker 2: So great question Is this something you're thinking
00:16:15
about doing?
00:16:15
Just curious.
00:16:16
Speaker 1: Oh yeah, yeah, I definitely want to do it.
00:16:19
It's just about making that jump.
00:16:21
Speaker 2: Yeah.
00:16:21
So it's a huge leap.
00:16:23
In that very first one I'd say there's no getting around it.
00:16:26
It's painful and nerve-wracking and hard on the first one, but
00:16:31
it gets easier.
00:16:32
So, to answer your question, I had a great mentor, John
00:16:35
Kindervag, who kind of got me started on it.
00:16:38
So I could say, if you have someone you can co-present with,
00:16:42
like, do the research together.
00:16:43
It makes it kind of a team effort and it kind of takes a
00:16:47
little bit of pressure off of you because you're not failing,
00:16:50
you're failing with one other person the risk of doing that.
00:16:52
So that's one idea and I think.
00:16:55
I think what I did is I had first already created the
00:16:57
research first, before I worked on the presentation, and then
00:17:02
started peddling it to the conferences, which I think is
00:17:06
important, because once I spoke at my first conference I started
00:17:11
getting the bug and I wanted to do it.
00:17:12
And what I started doing which I don't do anymore is I started
00:17:17
working on CFPs and presentation proposals with great ideas and
00:17:23
if I got accepted I would let the research evolve as I was
00:17:27
getting ready to present, versus doing the research first and
00:17:31
finishing it and then having the presentation evolve when you
00:17:36
apply for the CFPs.
00:17:38
Does that make sense.
00:17:39
So, instead of doing it the CFP first and then doing the
00:17:42
research, kind of finish the research or at least get halfway
00:17:46
through it and then start thinking about how you want to
00:17:50
present that to the world.
00:17:51
The other piece of advice I can give is, man, find something
00:17:54
that inspires you, that you're passionate about, and letting it
00:17:58
evolve organically.
00:17:59
Because when I created the tool and I started first doing it,
00:18:03
it was from the pen testing I was doing.
00:18:06
It was like a lesson learn, case study from a real pen test
00:18:10
and it kind of evolved into something I just want to share
00:18:12
with the community, kind of like a case study.
00:18:16
So I think, yeah, I'd say, first finding something you're happy
00:18:19
and passionate about that you can grab onto, kind of maybe
00:18:22
like a hobby of some sort.
00:18:24
I've kind of gotten back into this now and I've created some
00:18:27
new tools on my GitHub and I've started kind of getting back
00:18:31
into the speaking.
00:18:31
But I'm taking a different approach.
00:18:33
Like I said, I'm waiting until I'm done with the tool and the
00:18:37
research and then I think, well, that would be cool to show this
00:18:40
here or there.
00:18:41
I'm not in a rush, it's kind of like enjoying the process.
00:18:45
It's not a marathon.
00:18:46
It's like the grind of letting things evolve more naturally.
00:18:49
And then, hey, how can I present this at a conference?
00:18:54
Speaker 1: Yeah, I think it's definitely more of a process
00:18:57
right of deciding the topic and whatnot and kind of, I guess,
00:19:02
doing the research and setting that end goal right, Like DEF
00:19:05
CON, for instance.
00:19:06
Maybe in January you submit the paper, get approved and then
00:19:10
you're working towards that goal .
00:19:11
I think I definitely need that goal or that target date right
00:19:16
to motivate myself to get the stuff done on time and make the
00:19:20
progress that I need to make.
00:19:21
I think it's more about at this point deciding what I want to
00:19:24
talk on and maybe not even worrying about the value that it
00:19:28
provides to the community necessarily Not to say that I
00:19:32
don't want to provide value, but I think I get hung up on that
00:19:37
too often and it holds me back where it's like well, is this
00:19:41
providing value?
00:19:42
Am I, am I doing anything good here?
00:19:45
That's my opinion.
00:19:47
Yeah, I see what you're saying, To kind of change gears here.
00:19:51
You're also a SANS instructor.
00:19:53
You kind of you kind of glanced over that left, that left that
00:19:57
fact out.
00:19:58
Right, you know how in the world does someone become a SANS
00:20:02
instructor?
00:20:03
Like, do you have to have, like you know, all their
00:20:05
certifications, prove that you have this industry top tier
00:20:09
knowledge and go through the process like that, or you know
00:20:13
what is that like?
00:20:14
Because everyone knows, you know, SANS certifications is the
00:20:18
gold standard and security.
00:20:19
There's nothing else on the market that beats it.
00:20:22
But it's also very expensive.
00:20:25
So finding an employer that will pay for it is like
00:20:29
absolutely critical.
00:20:30
It's like a gold mine.
00:20:31
You don't just, you don't just leave that employer.
00:20:33
Speaker 2: Yeah, absolutely it is.
00:20:35
They are expensive, but I am kind of biased I think.
00:20:38
I think they're worth it.
00:20:39
But so how to get started?
00:20:42
So my quick little story on that is SANS does have
00:20:48
different programs that also offset some of the costs as well.
00:20:51
I'll mention this too.
00:20:52
They have a program called Work Study, Joe, where you can, you
00:20:58
can apply and get discounted tuition and you kind of help out
00:21:02
and assist as a moderator, facilitator for a SANS class,
00:21:05
but you get greatly reduced tuition.
00:21:08
So they do have a program that allows you to take a class and
00:21:10
not pay the full price.
00:21:12
So as far as entry into it and getting started on it, I think
00:21:18
what you have to do to get into it is you take a SANS class.
00:21:21
So you have to find a way to take a SANS class.
00:21:24
Or you take a certification exam for one of the GIAC SANS
00:21:28
certifications and if you score I think this the score is 90% or
00:21:34
better you get invited into the program where you can be a TA
00:21:40
for the class.
00:21:40
Now, this isn't for all the classes but some of the more
00:21:44
technical classes.
00:21:44
Hands on, they have what are called virtual TAs or TAs.
00:21:47
So you're helping out, assisting students with the labs
00:21:51
and that kind of gets you potentially into the instructor
00:21:53
development program as a TA.
00:21:55
You start helping out, getting more and more hands on
00:21:58
experience and you get to know the instructors and they can
00:22:01
recommend you and you kind of get vetted and recommended that
00:22:04
way.
00:22:05
And then you kind of there's a whole program that you start
00:22:08
proving yourself once you're in that program, where you start
00:22:11
you know you do a little co-teach like a partial co-teach
00:22:14
and then you go up to where you're doing half a day co-teach
00:22:16
, where you're teaching half the day with another SANS
00:22:19
instructor and you flip that to the other day and then you
00:22:23
eventually do a teach on your own.
00:22:25
So it's a meritocracy.
00:22:27
You have to prove yourself and so forth.
00:22:29
But there's always an entry point right, there's always a
00:22:32
starting point.
00:22:33
So the starting point is probably within the whole SANS
00:22:36
community.
00:22:36
You either have to pass the exam and prove yourself with a
00:22:39
score or you have to take the class and improve yourself with
00:22:43
a score and then it goes from there.
00:22:44
Speaker 1: Hmm, you know, in your own SANS certifications,
00:22:49
which certification would you say is was the most difficult
00:22:53
for you to get?
00:22:53
I would assume the GPEN.
00:22:55
If you have it, it would be the easiest right, because you were
00:22:58
a pentester.
00:22:59
I think that's an easy assumption to make, but maybe
00:23:01
that's not true.
00:23:02
Speaker 2: Yeah, great question.
00:23:03
When I started out teaching for SANS, they had a program called
00:23:08
SANS Mentor, SANS Community Instructor, which they don't
00:23:11
have that anymore, and so I was going to tell you that was kind
00:23:14
of the way to get started is as a SANS Mentor you do small
00:23:18
little teaching groups, which is a great way to get yourself
00:23:20
exposed to teaching.
00:23:21
But yeah, when I got started I was involved in the 504, which
00:23:26
the GCIH, exploits and incident handling, that class, and then the
00:23:29
560 GPEN were kind of the classes.
00:23:31
Now, another thing is I started as a student man.
00:23:34
I've always been a lifelong learner, I'm a big fan of SANS
00:23:38
classes.
00:23:39
So how I kind of got started with SANS is I was a student
00:23:42
paying for the classes.
00:23:43
I got lucky because my employer and this is something maybe to
00:23:47
think about and recommend to others, there are companies that
00:23:50
do support their employees to take SANS classes flat out.
00:23:55
So in the interviewing process, if that is something that's
00:23:59
valuable to you, you could actually negotiate with your
00:24:02
employer to say, hey, what's the tuition budget per student?
00:24:06
And with one particular employer I said I want to take
00:24:10
two SANS classes a year and they said done, and so that was kind
00:24:14
of negotiated up front.
00:24:15
So maybe this is something even someone early on in their
00:24:18
career can be looking into, because when you have your
00:24:21
employer sponsoring you on this, it makes it so much easier to
00:24:25
get started, Joe.
00:24:26
So I was very fortunate in that and that's how I took some of
00:24:33
these classes like forensic incident response 504, forensic
00:24:37
508 and the GPEN, and so back to your question.
00:24:41
I started out as an instructor in 504 GPEN and the hardest
00:24:45
class for me was during COVID.
00:24:49
I had to pivot over to the brand new cloud penetration
00:24:52
testing class 588.
00:24:54
I don't know if you heard of this class, but at the time
00:24:57
around COVID in 2020, this is a brand new class and a lot of the
00:25:03
instructor opportunities shut down because 588 was a brand new
00:25:07
class and I happened to know the instructor.
00:25:09
He kind of invited me on and said hey, do you want to have an
00:25:12
opportunity to teach this class?
00:25:14
So, to answer your question, the GCPN, the cloud penetration
00:25:18
testing was the hardest thing to pivot over to because it was
00:25:21
just a brand new class and the content was so much more like a
00:25:26
site reliability engineer type pen tester, network system, app
00:25:31
pen test.
00:25:31
It was just more challenging content for my background in,
00:25:35
like GPEN and app pen testing.
00:25:37
So does that answer your question?
00:25:40
Speaker 1: Yeah, yeah, I think so.
00:25:42
I mean it's interesting, right, like you would think that a pen
00:25:46
tester really of any caliber, that the skills would translate
00:25:50
easily across, like on-prem and cloud and whatever it might be,
00:25:55
right, like containerized environments and whatnot.
00:25:57
But that's not always the case, you know, and I guess that
00:26:01
there's a reason why there's different specialties, right,
00:26:04
like there's physical pen testers.
00:26:06
If you want to break into a building or infiltrate a
00:26:09
facility, you know there's people that carry around lock
00:26:13
picks and you know different methods of bypassing, you know
00:26:17
biometrics and all that sort of stuff, right.
00:26:20
And then, if you want to, you know, pen test the actual network.
00:26:23
There's a different specialized person for that.
00:26:26
So it only makes sense that there's a specialized, you know
00:26:31
cloud pen testing skill set.
00:26:33
Honestly, I never really thought about it like that.
00:26:36
It makes sense, though.
00:26:37
Speaker 2: Yeah, yeah, you bring up a great point Honestly, like
00:26:40
the pentesting methodology and approach is, you know, if you
00:26:44
have network or app pentesting, it's similar, yet different,
00:26:48
right?
00:26:49
So the difficult thing, I think, to wrap your mind around if
00:26:52
you're kind of new to it and we have a lot of people in the
00:26:54
class that are like very experienced pentesters, either
00:26:58
internal red team or consultancy type pentesters, and so I think
00:27:02
the difference is kind of like you're using the cloud control
00:27:05
plane to carry out attacks, whereas you have to shift your
00:27:08
mind because, like in the 90s and 2000s, it was coming in
00:27:11
through the front door into a data center on premise where you
00:27:14
know you had network services that were vulnerable on the edge
00:27:17
of the network or apps.
00:27:19
And now, with cloud pentesting, it's more.
00:27:21
You're using the cloud control plane.
00:27:22
So it's like how do I use the AWS CLI and the Azure az CLI to
00:27:27
carry out attacks?
00:27:28
How am I carrying out attacks with Kubernetes and containers,
00:27:32
with kubectl, and so, yeah, it's like you're coming in
00:27:35
through the front door, but there's also, you know, there's
00:27:37
an overlay network and an underlay and you're coming in
00:27:39
through the cloud control plane.
00:27:40
So wrapping your mind around that, you know, and all the
00:27:43
different cloud services is definitely a little bit of a
00:27:47
shift, so to speak.
00:27:49
Speaker 1: So are you basically trying to use the cloud's
00:27:54
control plane against itself to gather information and have it
00:27:59
disclose more information than it should, or how does that work?
00:28:03
Because that's a very interesting technique.
00:28:04
That's a very interesting method.
00:28:06
Speaker 2: Yeah, so potentially yes, and so the idea is that you
00:28:10
could take the authorization key material from whatever the
00:28:13
cloud provider is, whether it's GCP, AWS or Azure, an identity
00:28:18
like a programmatic access key in AWS.
00:28:21
So you're taking that as your starting point and saying what
00:28:24
are the privilege escalation and attack pathway primitives for a
00:28:28
developer or an admin within AWS environment to abuse the
00:28:31
network or a non-privileged programmatic access key?
00:28:35
How can they pivot unauthorized to another S3 bucket or how can
00:28:40
they elevate their privileges to become root or whatever the
00:28:44
scenario is.
00:28:44
So yes, you can do black box approach, but you can also say
00:28:49
let's start with some key material data, like a cloud
00:28:51
identity, and let's see how what can be abused within the
00:28:55
environment.
00:28:57
Speaker 1: That's really interesting.
00:28:58
And then I assume there's a different set of rules of
00:29:02
engagement for that sort of work , right, Because you have to
00:29:07
kind of get whatever AWS will allow it to be pentesting their
00:29:11
environment, and if it deviates from that you'd probably have to
00:29:14
get special approval in one time right, correct, yeah.
00:29:18
Speaker 2: And the beauty of it, the cloud providers each have
00:29:21
documented their terms of service for their services.
00:29:24
So you can go to their pentest page.
00:29:25
You can basically scope out each one of the services that's
00:29:29
allowed.
00:29:29
Some of them you don't even have to get permission to
00:29:32
pentest, some of them you do, and some of them are prohibited
00:29:35
type of activities.
00:29:36
So you do have to kind of map it out that way.
00:29:39
But yeah, I mean, the idea is a customer, you can test from the
00:29:44
outside to get unauthorized access to a cloud environment or
00:29:47
gain access, like if you can do code execution on a developer's
00:29:51
laptop, you can actually extract off their key material,
00:29:55
right?
00:29:55
So at that point it's become a control plane cloud pentest to
00:29:59
see how you can pivot using the SDK, right?
00:30:03
Or another scenario is within the rules of engagement, and
00:30:08
this is kind of something we encourage is like what if you
00:30:10
tell the customer, let's just assume that a developer was
00:30:13
phished, right, and that someone got access to a programmatic
00:30:17
access key, right?
00:30:19
So let's start the pentest with the key you've provided us, the
00:30:24
customer, that's a non-privileged key, and so that's a part of
00:30:28
the pentest.
00:30:28
It's just included to see what are the privilege escalation
00:30:32
attack pathways.
00:30:33
Speaker 1: Interesting.
00:30:33
So, Jason, what are you working on or creating right now?
00:30:41
You mentioned before you created the VoIP tool.
00:30:44
I'm wondering if you're creating any new interesting
00:30:48
tools right now.
00:30:49
Speaker 2: Yeah, man, I love that question too.
00:30:51
Now I'm back in the community creating new tools, and I have
00:30:56
tools planned and I have a huge list of tools that I have in my
00:31:01
software roadmap, and so one of the tools that I released, that
00:31:03
I've been working on the last three years, is called Purple
00:31:08
Cloud.
00:31:08
Have you heard of Purple Cloud?
00:31:10
Yeah, I have mostly from you, yeah yeah, so Purple Cloud is up
00:31:14
on GitHub on my GitHub but it's basically a simulation tool
00:31:18
that allows you to create your own cyber range, and it's
00:31:22
focused on Azure and it allows you, using Terraform it's an
00:31:26
infrastructure as code simulator allowing you to create like
00:31:28
eight different types of use cases for your own custom Azure
00:31:33
security lab, and so you can create it and you can pretend
00:31:36
like you're a blue team or a network defender, like a cloud
00:31:39
architect, cloud security engineer, or you can practice
00:31:43
pentesting techniques against it, and it's your own sandbox and
00:31:47
your own Azure account that you spin up with Terraform and then
00:31:51
you destroy it when you're done.
00:31:52
So that's one tool I created, and I created another
00:31:57
reconnaissance tool called Cloud Edge.
00:31:59
It's coded in Go, kind of has a novel approach, but it's
00:32:03
basically a cloud reconnaissance tool that loads in all the IP
00:32:07
addresses of the cloud providers into memory and then does
00:32:11
performant lookups of an IP address or a DNS domain, mapping
00:32:15
that IP to the cloud provider service, and all of this is
00:32:20
automated.
00:32:20
It's a recon tool that helps for bug bounty, but can also be
00:32:25
used for cloud forensics and investigations when cloud assets
00:32:27
are used for attacks.
00:32:28
You can use it to look up and find an IP and map it to that
00:32:32
cloud provider.
00:32:33
Wow, yeah, those are two of the recent tools that I've done, and
00:32:40
I'm working on Purple Cloud for AWS.
00:32:42
I'm working on a new version of Purple Cloud for AWS.
00:32:44
Oh, okay, that's what I was talking about.
00:32:47
I have a software roadmap.
00:32:49
I'm going to finish it first before I look at conference
00:32:52
stuff.
00:32:52
I get your thing on conferences where sometimes you just put in
00:32:57
the CFP and do it, but with software I have to get it done
00:33:02
and then I'm going to put in for the CFP, right, yeah, those are
00:33:07
the two tools that I've worked on recently.
00:33:09
Yeah, but I also work for SANS full-time.
00:33:13
I do DevOps for SANS.
00:33:15
That's a whole other story.
00:33:17
Speaker 1: That's like a whole other podcast, basically.
00:33:20
Well, Jason, I'm always very conscious of my guest's time.
00:33:24
When I say it's a certain amount of time, I tend to stick
00:33:28
to it, or at least I try to.
00:33:30
Before I let you go, how about you tell my audience where they
00:33:34
could find you, where they could find tools that you're
00:33:37
developing and any other information that you may want to
00:33:41
put out there for people to get ahold of you?
00:33:43
Speaker 2: Yeah, sure, I'm happy to connect my GitHub repo where
00:33:46
my tools are.
00:33:47
I have a different handle.
00:33:48
It's github.com slash my username, which is iknowjason, it's
00:33:53
I-K-N-O-W,
00:33:55
Jason.
00:33:56
iknowjason.
00:33:57
A little play on "I know Jason", or whatever.
00:33:59
My Twitter.
00:34:01
I'm trying to get more active on Twitter, but you can reach
00:34:04
out DM and so forth.
00:34:06
My Twitter handle is securitypuck.
00:34:09
It's just securitypuck, as you would expect.
00:34:12
Yeah, those are the good ways to reach out.
00:34:16
Speaker 1: Awesome.
00:34:16
Well, thanks, Jason.
00:34:18
I really appreciate you coming on and I hope everyone enjoyed
00:34:21
this episode.