Lambos and Tigers in Russia OR a Legit Career Without the Prison Time

so coming up next our next talk is matt dunn and he's going to do lambos and tigers in russia or a legit career without the prison time um for all of you out there that are maybe looking in the infosec industry and you're not sure how to do it i think matt's going to really be able to tell you what you need to know so uh let's bring that in here hello hi matt hey how are you doing good to see you messy background without the the blurry enough all right yeah i'll uh let's take it away have a great talk all right thank you all right let's see if we can share my screen here

all right all right hopefully everybody is uh doing great today um i was my first year at b-side ct was last year um i've been living in ct for a little bit now but today i'll be talking to you about my presentation lambos and tigers in russia or legit career without the prison time we've got on my slides um on the left side we've got the russian flag with a russian hacker criminal guy that apparently has made millions and millions of dollars from his hacking activity uh as lamborghinis has tigers just like tiger king and versus a legitimate career uh the example here is one of my co-workers cars he's got pretty sweet dodge challenger with the

osap license plate so we'll get on with the presentation here all right so who am i i'm matt dunn i'm a father and husband hacker pen tester i'm the uh i guess the reason you'd be interested in this talk is that i'm the founding technical member of a security consulting team a pen testing team uh and i'm the manager of that team now all right what does this talk about so am i gonna go through how to uh become like a cyber crime syndicate and make millions of dollars uh no we're not gonna talk about that today i guess you could use some of the concepts here to be a criminal but that that's not the goal of this talk

uh maybe maybe some other day but we're going to talk about uh you know something on the legal side you know how do you get your foot in the door to be a professional you know security professional in particular i'll hit a little bit harder on the offensive security so pen testing red teaming things like that because that's where you know the place i've been in for a while in my career and so we'll talk about how to do that legally without you know with limited risk of prison time depending on you know we've had some stuff happen in iowa and stuff with people interested but if you work for a company that is careful with

their contracts and the scope there should be very little risk of going to prison for for having a legitimate career so it's based on you know my personal experience okay this is my experience uh and uh experience from other people that i know i've worked with and what i've learned from building on a team so i some of this is stuff that i've learned from applying for jobs some of this is what i've learned from training people mentoring people hiring you know employees all right so we'll start out with how i got into infosec i'll go over that briefly offensive security careers what are what are some of the options out there how to get some of the technical skills

if you if that's an area that you work in uh we'll give i'll give you some tips on that some resume tips uh a couple you know tips for you know modern job searching and networking and then we'll finish up with how to advance your career all right so you know my path into information security you know is unique to me everybody has their own path some people want to call it some people didn't uh some people have been in prison you know it it whatever wherever you're at now you can become an informational security professional and a pen tester you know so my path was i started out you know i won the traditional route i had uh went

to high school uh and then went on to college was in electrical engineering uh didn't work out really well i wasn't really i thought that's what i wanted to do but it wasn't that into the course work i partied way too much um had you know a variety of problems and um you ended up quitting school and and having to start out my life and you know once i got things together i i'm like okay i'm gonna do graphic design you know i like art i'm okay at that uh started working on you know toward you know some classes on that realize this really isn't the career for me and i'm like what can i do that i

really like i like computers why don't i check that out like there's you know uh i t degree at this community college i'm going to um it seems interesting so i just take some classes you know got my associate degree during that i actually got you know an i.t job you know an internship at a state agency so i got to work in a large it environment like on a help desk i was taking calls going on site and that was my introduction at it and since then i've had a career in it and then later more specifically information security um how i got in the security was like i got interested in security like i

started class in college and it was really cool like we learned like pick locks and hack wi-fi and use like i'm back then i might have to backtrack linux i don't know uh what's cali now um and it was just really interested in me and i looked up what are the companies around me you know at the time where i lived uh that do you know security and i found a forensic company and i had a cool name and like man i want to work there and i applied to a job there and they emailed me back and said uh you don't have what we need uh so to work here but you know if you

uh if you get the skills that we need and i thought you don't have to get like a job doing that or school like if that's learning on your own that's fine and i stayed in touch with the owner of that company you know for a year or two and would ask them questions from time to time and eventually it was like hey why are you coming for an interview and i ended up getting a job there and so i worked in you know computer forensics and general security consulting it's my first job you know focused on like litigation focused forensics so employee does something bad and you try to help the employer you know prove that or

really expensive divorces you discover things like that did a little bit of pen testing too uh was out of security for like a year or two i moved and lived you know far away from you know big cities so i got a local job at a company i made firefighting equipment that was cool but i got bored pretty quickly i mean they weren't that interested in security um and i started networking more you know i went to like derby con i was doing a lot promoting myself on like places like linkedin i made a website uh posted articles and i got in contact what would eventually be my current boss uh he reached out to me on

linkedin and said hey um yeah i saw your article or you know your profile and thought you had um some good skills i'm looking to build out the ability testing you know you it auditing but we don't do any like real technical security and said oh i have a lot of ideas around that i was actually looking at starting my own company to do that and ended up you know starting my job at schneider downs which is where i work now which is like a medium-sized accounting firm um and became you know pen tester and started out with just me and now it's you know full team and we have an offensive team doing pen testing and

even a defensive team doing instant response and forensics so it's it's been awesome to see over the years the the uh it started out from just a conversation with somebody on linkedin and now it's become you know we have our own cyber security consulting team now which is awesome so that that was how i got into security uh some things to know about hiring in the security industry if you're not have don't have much uh background in that is um there's debate on this the supply of professionals experienced professionals is low and the demand is high and i think that is accurate based on my interviewing i have a lot of people that have maybe some experience but not direct

experience in what i'm hiring for and the people that do have the experience um the the salary requirements are incredibly high and you know we do the best we can do to meet it but you might be you know if you look at some job requirement you're like oh man like this is supposed to be entry level but they want to see issp and things like that i would take the jaw requirements with the grain or salt because what they'll probably find is that and this could could be like hr screwed up something they don't know what they're asking for the person who uh had to make the um the job requirements just like made up

stuff that was crazy maybe it's a warning sign but also it could just be they don't they don't realize you know what they really need so they just ask for everything so i would still apply to jobs even if you're not like quite there with the requirements uh because what what you'll find is when you try to hire for positions i've had people that were really good that before i could even get them in for a second interview they've already accepted another job you know so it's there is an advantage out there right now if you're trying to get into it there are more positions available than people to fill them with pen testing in general or other

offensive gigs typically those kind of jobs you're going to find at large companies or consulting firms so like you know the typical big four like ui and delight you know do penetration testing red team and things like that then you have you know smaller accounting firms like the one i work for that does similar kind of things uh you have your you know specialized um security firms like black hills information security trusted sac places like that spectre ops um and there's a lot of them and then you have like your larger companies like walmart and things like that that have your red teams now you might be set on like i really want to be a pen tester

right and that's cool if that's your goal like go for it but keep in mind that uh most of the jobs out there are actually blue team positions on the defensive side so there's going to be a lot less opportunity on the pen test from a pen testing perspective but that doesn't mean that there aren't really cool defensive jobs out there that you might enjoy as much or more than penetration testing all right so what what are some of the career options if you want to do offensive security there's you know pen tester which you can get into you know like kind of the general penetration tester be a network pen tester that you're being hired or working internally to

kind of take a more broad approach to attacking a network so you'll look for vulnerabilities you'll send phishing emails things like that you have people that might have more of a specialization in working on attacking web applications and web application security oftentimes people have multiple competencies um so if you're if you're you know a web developer and trying it in the security you would probably have a pretty easy transition to web application security social engineering i kind of talked about phishing there's people in firms that only do social engineering so trying to basically con their way into information or into areas of a facility that they should not have access to saul there saw goodman which is i think

he's a pretty good con man there's physical penetration testers so there's people that focus on like picking locks and you know slipping using under door tools to pop doors open sneaking in the buildings and server rooms or wherever you know they want you to access and oftentimes what you'll find is if you work for like a consulting firm or maybe even internally you're going to be doing probably you know more than just one of these there are certainly places that specialize in specific areas but in general you're probably going to have kind of a wide breath of the company you work with purple teaming is becoming more and more popular and i actually know like i

worked with a you know very large company and they actually had like official purple team positions with their within their company typically how i look at purple teaming that's like a fusing of you know offensive and defensive so maybe you're checking your sim to make sure it's operating properly properly by running the attack side by side with the person that manages that uh red teaming um red teaming like some people take that to be giantly just anything offensive i think also kind of the more popular term would be for people that are doing um adversarial threat emulation so they're actually doing more focused testing security testing against maybe like a key area or they're looking to emulate a specific

threat actor threat actors and how they operate and either like how they gain entry to a network or how they gain entry and then once they have access you know moving through it and doing that typically to test you know how the defenses are holding up um and trying to evade the defenders all right there's more there's definitely is more options on that listing but this is kind of some general options out there i think before i get too far into things like if you're not familiar with hacking and how it works i want to break it down like really simply because you might be like i want to be like a pen tester but like

what what do i do uh and and all you really have to understand is that with how hacking works is you need to be able to discover something to attack right so you're maybe doing port scans or you're doing an open source intelligence gathering to find email addresses to phish people or finding phone numbers or finding looking up google maps to find places you might be able to sneak over a wall and break into a building things like that so being able to discover you know the things that you can attack then looking at them and understanding them so okay there is this place is using you know as email or maybe has a vpn i

can i know that if there's a login i can try to do password guessing against that to try to get into it things like that so what what is out there okay something's out there okay how does that work can i attack it the attacking part of it is actually pretty small you know when you talk about penetration testing or even criminals the initial attack that gains access is you know typically send a phishing email or something like that find an exploit gain entry and then you show the impact so as a professional you show the impact by you know maybe doing lateral movement or demonstrating that you can take a basic user account and elevate your

way up to you know domain admin and get access to critical databases or things like that and you you know write a report and go over that with your client and explain to them you know how to how to resolve it so it's it's pretty simple it's you got to know how to find out what's out there you got to be able to have an understanding of what it is and ways to attack it then you attack it and then you show the impact and help help your client you know mitigate that risk so some skills that make a good hacker are you knowing how things work being able to fix things being able to

build things um maybe that you know you you have not like a technology background but you like puzzles or you like welding or whatever like you know it just having an interest and understand motivation to learn how things work will make you a good hacker i put linux on here a bunch of times the linux penguin i think linux is a key um asset to have uh to be able to use command line linux and command line unix utilities in security uh particularly offensive security because so many offensive tools are written for linux that you're going to miss out on a lot of tool sets if you only know how to use like gui systems and windows so also on the

defensive side there's a lot of open source linux distributions for monitoring you've got like the elk stack and all kind of defensive security tools that if you learn linux you can you open yourself up to a great amount of additional resources that you can use ethical hacking schools we'll talk about how to get those so uh you know we talked about kind of broke down what you know hacking is being able to do exploits and use hacking tools and do privilege escalation things like that and i'll throw out some ideas on how to get those you don't have that and then soft skills soft skills are really important particularly normally with consulting you're gonna be working with clients and

have to explain to them you know what what you did and how they can fix their problems um if you broke something you're gonna have to be able to uh smooth things over and get things back going and not have people mad because occasionally that will happen uh time management there's all kind of soft skills that people may not think of but that's really critical uh in any any career particularly as you're trying to progress uh move up all right so i'm gonna go through like a lot of different places where you can learn if you don't have you know the base knowledge that you feel you need or you want to add more you go to college right so you could

take you know if uh computer security computer science whatever you whatever maybe you learn some security stuff maybe you learn i.t or programming that's a great place to get a base knowledge of technology or security that you could use in a career a self-learning i think software is huge when i interview people that are in college i'm normally not looking at i don't care what courses they're taking so much maybe a little bit i care more what they're doing outside of school and that often it's self-learning so doing ctfs and we'll talk more about that internship so if you are a student you got to get an internship before you graduate um it's just going to having

some kind even if it's just a help desk or something having some kind of technical experience before you graduate and not just a degree is huge because i can't you know if you're having experience working a network i can't just say like go hack this network i don't i'm not going to trust you i'm going to need to train you for probably a long time before i would be comfortable with having you do that and if you do that through an internship oftentimes internships you know people will hire their interns you have because you know that they're a good worker and and how they operate and things like that another way uh to get skills is to

get based technical skills at you know work for like a startup like these guys you know pi piper or whatever you need to do you just any i.t job or programming job will help you with basic space skills that will could lead to you know the background knowledge that you'll need to be successful in our information security career all right so linux if you're not familiar with linux the best way to get familiar with it is to build something with it so build a server uh maybe you want it to run your own blog so maybe make a wordpress site uh there's a lot of places to do this right so for the cloud would be great to learn

you know because a lot of stuff's in the cloud now and um so you've got options like aws has a free tier so you can build a free server linux server in the cloud and it's good for at least a year i think it might be indefinitely a certain level of server uh microsoft azure has some free credits so if you sign up for account they'll give you like 50 or 100 bucks that you could run something for some period of time on digital oceans like that i think that like a student package will give you you know some money that you can use to run a server or you know uh something if you want to do some hardware hacking

or just have a little mini computer that you can hack with at home a raspberry pi is a great inexpensive option uh for hacking like if you want to learn some hacking skills there are a lot of free resources like pretty much all this stuff is free or there's cheap options for it that i'm gonna go through and there's just numerous places to learn there's uh online training free training like portswigger has a web app web application testing uh program that they put out within the last year or so that's really good i think it's mostly like kind of a in a book format like you know online book where you go through and they tell

you like what cross-site scripting is and sql injection things like that and tell you how to you know attack those things and prevent them offensive security has had a free course for a long time they have they're the oscp certification people uh menace white unleash it's a great free way to learn metasploit um you know metasplate's a great hacking tool i mean i don't use it quite as much as i used to but it's definitely still good to have in your tool set and understand how it works uh then there's some more interactive training options that i think are probably like the better route particularly if you're like a beginner so things like hack the box

pen tester lab both of these have some free tiers and free exercises you can do and then i think if you do the paid training it's not that expensive pentester lab is like 20 bucks a month um and they have like step-by-step walk-throughs so they have like labs you go into and you learn how to like you know you can learn how to use linux you can learn how to hack things your web application hacking rack windows there's a and they'll walk you through so if you don't know something um and need more hands-on there's like videos and walkthroughs that you know if you get stuck you can you won't just be stuck in um swimming

around for actually just hacking things legally you've got a lot of good options now i mean those are two good ones offensive security proving grounds is kind of newer and they have a free individual plan that's good and it gets you into like an environment with vulnerable servers that you can attack they also have a paid option that will get you more into networks that are some more similar to like the test labs you would pay for with offensive security or have to go against uh to complete their certifications a vuln hub if you want to do everything at your house you can download vulnerable uh servers uh preset up from vault hub and you know

figure out what's wrong with them and attack them and there's normally walkthroughs for a lot of those um so that's a great free resource if you have some extra ram and hard drive space on on your laptop or something so the videos you know we've got this like so conferences are great and um that's like one great uh creator of videos is that like if i if i'm at a conference or if there's a conference that i can't make it to i'll look at like the talks and see like okay like i somebody's dropping some new tool or new technique somebody mentioned in the chat try try hack me as another great site yeah there's a lot of options out there so

post them in the chat um iron geek uh i think last year he recorded b-side ct but he that they recorded a lot of the conferences and put them up on youtube so uh if you can't make it to a conference or can't afford i mean everything's digital now but you can't make it to one or can't afford it a lot of times the at the bigger ones the videos will be up for free pretty quickly after the conference and i learned a lot you know from the conference videos books um there's a lot of great books out there i think people like often you'll see like reviews of books and it'll be like um learning uh

learn linux for free the pentester labs has actually like a linux walkthrough that's pretty good and that i think you can do that for free books the problem with books is that like attack techniques and defenses change so quickly that like okay maybe you spend like a year or two or three or four years writing a book then i don't know how long it takes to publish it by the time it comes out like half the stuff might be out of date so if you buy a book that's 10 year old 10 years old on pen testing probably nothing in there will work maybe some of the techniques but a lot of it's not gonna work anymore

um so keep that in mind uh i i that said the hacker playbook uh two and three has very practical attack techniques for based on what scenario you're in so if you're already on the network if you have credentials don't have credentials that's a great place to start if you want to learn some practical hands-on advice for attacking networks um i listed some some other books that i like here the phoenix project i like it's not really a security book but it's i believe it's the foundation for devops so if you want to learn how to optimize your processes and how you do things it's a great book to read other great resources so we talked about

like try hack me and pentester labs and those kind of sites um if you want to like learning like new techniques and tools a lot of times before a conference comes out people post like a blog post and some great examples of that are black hills informational security spectre ops stress and sex there's many more out there but those are some of the ones that you can actually like get on a mailing list and when they have any blog posts they'll mail you you know email you and you can see like oh there's this new pen testing technique or this new way to password spray office 365 or any rate users so those are all great great resources

there's there's many others out there twitter um i don't know a lot of people like fight on twitter and stuff like that but it is you know not a bad place to get you know people will drop new tools on there and to throw out testing ideas and posts that they have jobs available so it's not a bad place to network being a starting point i'm at the planet on twitter mostly i follow security people so um you can like follow some of those people and that'll lead you to more and more people that have interesting things that they post you also get great other i like my favorite thing about uh dave kennedy's post is actually not

hacking at all it's like the smoked meats he posts this is like motivating me to do some more barbecuing which is you know important to do some stuff other than just work podcasts there's a lot of podcasts out there you know you hear some of them and these slides i'll put them on um discord i'll put them on linkedin so you know don't worry about having the links and stuff the slides will be available but there's a lot of good podcasts out there you know listen to some different ones find the ones you like all right so i guess certifications and getting skills maybe sometimes the line some certifications are more approved that you have the knowledge some will like

teach you the things you know like obviously the best ones the cissp i know everybody would agree with that everybody hates the cissp now i don't really know why but i've had one for a long time it's not really a technical cert but it is a good general uh informational security certification particularly if you're you know a manager or something all right the so the best certifications i have if you're interviewing like with me and i think a lot of other people that are doing technical things in security particularly penetration testing are going to be the sans gx certifications and offensive security so the sans ones jack would be like the g pen gxpn g-web so they have like and

they do all kind of training for security not just penetration testing they have like instant response and general security certifications they're very expensive you know most people i don't think are going on their own and paying you know the four thousand five thousand dollars plus to take the the course and the trade and the cert on their own normally you're having that backed by by your company offensive security um they're great certifications they're a lot cheaper than like the giac and sans but they're much harder to get because you know like with oscp you have 24 hours that drop you in a network and you gotta pack so many other servers and write a report um you get so many points

within 24 hours or you don't pass it and just taking the course alone you know like you're not gonna you gotta go further than that to pass that certification so most people that take that that i've talked to have failed it at least once if not multiple times so just keep that in mind where it might be cheaper but you might need more lap time but it is probably the though scp and the other offensive series certifications are probably the to me and i think sellers are probably the most respected because they show that you have very practical knowledge of linux and attacks and enumeration and things like that the ch some people look down upon it i

don't think it's a bad entry level penetration testing certification if you're going to be doing work for government um they'll require you to have something like a ch or another dod approved certification like a security plus something like that it's not a bad certification i don't know how i think the pricing changed but it used to actually be pretty expensive uh isc uh squared you know they have that cissp if you're going after penetration testing that's probably not they're out to take uh if you've never done a certification test before or never done a security one some of these other ones might be too expensive to start out with or maybe you want to get an easy win you know

comptia security plus they have a pen test plus now those are pretty good certifications where it only costs two or three hundred dollars to take the test you could probably buy a book for study book for 50 or 60 bucks and if you study it you could probably pass it um so that's a great place to start to get an easy one and get some confidence up before you you go after something like an oscp which can be like just devastating i i need to go back and pass it i've personally taken it and failed it you know once and just haven't had the time to go back all right soft skills so how to get soft

skills um and that's like you know communication skills time management skills you know managing your temper i can tend to get angry if things don't go my way and take it out on people and that's something that i work on um you know one great way to do that is to be around people and you know participation in the security community like you guys are all doing guys and gals and you know whatever we're doing today um attending conferences and participating in like the discord you know we're back when codefood's over uh hopefully that won't be too long we can you know meet up in person at local meetups conferences you know industry groups stuff like that um i'm a

very like nervous person not like socially awkward so like i can have a hard time going to conferences and talk to people that i try to go and like talk to at least one person like have lunch with people it's a great way even if to push yourself out of your comfort zone a little bit or you know maybe you are a very social person that's a great way to to network uh books are another good way to learn you know soft skills you know a really classic one business book is how to win friends and influence people which like i read that book and like it's actually like a business book on how to

con people and where you read it but it's pretty good it's got it's old but it's got some good tips uh i was in uh a management training recently and uh we have co-ceos and one of them was was talking and he said does anybody have any questions i asked him hey you know i don't have a lot of management experience what like what do you recommend the most in terms of like books uh to you know help beef up your skills and he said uh his biggest thing is books on emotional intelligence and i and um those are um i started reading this one book emotional intelligence by daniel goleman i guess is the originator of

that idea but that's you know kind of how to not be so emotional and you know um interact better with people and your thinking so that you can be a better manager you know a better uh a customer a better you know um a better provider for your client and not you know get pissed off if things don't go to your plan or you know things like that so i thought that was interesting for negotiations i really like never split the difference hey you might say like i'm not a salesperson that's cool you may never do sales but you're probably going to want to raise at some point or get you know be applying for a new

job get an offer and they're always probably going to offer you less money and they're willing to actually pay you the first time around so bringing in reading some books on negotiation are great great to have um some some background in that and that one's by like a hostage negotiator uh which so it's actually like pretty cool like because you're using techniques to deal with terrorists uh for your job offer so i just thought that was interesting all right so you got like the skills right so we've talked about getting skills you know we can do that a lot of different ways all right now now you're like okay i'm ready to apply for some

jobs or you know i need to update my resume so the key thing with the resume is like i'll be honest it's not the content i mean the content is important but the first thing is how it looks it needs to look really good particularly if you don't have a personal relationship at the place that you're applying to so if i you know if i have 50 resumes that come in i'm going to scroll through them and i might read all of them but i'm probably going to spend more time on the ones that look better than the ones that look like you know like some crappy you know word template that's below the word

some ways to make a resume look unique and and uh really polished is like latex is a type setting language that there's a lot of free resume templates out there you can run it for free locally on you know windows mac linux i have my resume on overleaf.com um that's all in the cloud so you can it'll compile everything for you and you can pull in the templates i find that really useful if you want something easier uh for some money you can use some of these services uh i don't have experience with any of them but i know like a guy just hired hired to use zetti or however you pronounce that he really liked it

some of those it might be like 20 bucks but you can get in like download all the templates um but just spending like a little bit of time or a little bit of money to make your resume stand out from a like visual perspective is going to go a long way all right so if you're watching this talk you may not have a lot of real world experience so don't let that get you down too much here's some things that you can do um if you don't have real world experience if you want to get a security job to to make yourself stand out a little bit um you know self learning doing ctfs side projects like on github websites

that stuff counts as experience put that on your resume somehow have a skill section uh something somehow including your resume the things that you do that maybe aren't part of your day-to-day job but are you know things you're doing to better yourself in terms of security all right um if you have a background i.t or software development those are like the foundational skills for computer security so put those on there you know that don't count yourself out because you don't think you have security skills if you know it really well if you know uh secure coding or coding really well you can be a security person pretty easily uh for me when i'm looking at resumes

the things that stand out like certifications i mean like kind of if you have an oscp that's like i'm like i know that you tried really hard to get that um you know github if you got some awesome tools that you've programmed you got them out there or you're contributing to a security project or any project that's great to see i've seen some really amazing personal websites the content doesn't even have to be good if it like it's just kind of cool site uh it can be impressive to somebody it shows that you have some kind of skills uh experience would be number one uh and i will yes i will be posting the slides in discord and um

on a linkedin slideshare so um you know experience is definitely like number one um but you may not have it that's okay a high level of interest in technology and security so that kind of goes back to having github going after certifications things like that public speaking experience is great to see particularly like i work in a consultancy so you're going to be speaking to clients normally most people do so having experience presenting at conferences or local meetings uh things like that it's great to have all right so for people that already like cat are in the it world um you know and you want to get in the security i think sometimes people are like oh man

i've been in like i.t for this long really interesting security but i can't get a break so don't keep going after it i think one thing to keep in mind and maybe other people disagree with this but in my mind an experienced like i.t person system admin systems engineer network engineer developer um to me is far greater than somebody with a security degree with no experience because they if they don't have a background in it because you know how the things work if you know how things work you're more easily going to be able to secure them um not that having a security degree is bad i don't want to discourage anybody from that but

you know if you already an it or a developer you have you know the core background that you need to be in security it's like the same thing it's just a different variation of i.t it's all security is it's not that much different you have to be able to adapt quickly and learn new things that's all and be paranoid being paranoid helps you know um you know list your technical skills so i i look at this so if like if i'm hiring for a pen test you know like i you know like i do we do a lot of stuff in the cloud and i'm always like i could use more people to help us with

our infrastructure automation script your writing internal code if you know different scripting languages put that on your resume if you know linux you know windows you know unix mac put that on there if you if you've developed applications for ios and android um you know that's that's good to know certifications can certainly help so if you have like an i.t background or your programming background you go out and get an oscp that's you know like pretty solid background to to do you know security work uh or any security certification will show that you're um even if your employer will pay for it sometimes it's worth it to invest in yourself to show that you're motivated and it

will give you an edge on people that don't have that all right so you got your resume now what do you do you're looking for a job you just go on like i don't know what are the job search sites i just always find this to be such a crap shoot but the big thing is networking whether you do it online or in person all right so getting involved with local groups like oaus i know like issa is in connecticut uh defcon has groups derby cons started to have like the derby con communities meet up it just depends on where you're at what groups there are but the benefit of local groups is that you normally the people in those groups

are working in security in your area so you if you get a personal relationship that will give you they might tell you about a job before it even is posted if you apply you can give that person a resume that can pass it along they might have incentives at that company for hiring so if you pass on a resume and they hire that person and they stay for a year that person might get like five grand you know like that's something to keep in mind so there's definitely advantages to having personal relationships at places that you're applying to um in code times that's harder if you live somewhere where there aren't a lot of security groups or aren't any

um there's still ways to do that discord has become extremely popular i didn't like know what it was like the last year just like blown up uh slack used to be the main thing there's still a lot of slack groups there's just search for like you know information security discord information security pen test uh stuff like that and you'll find a lot of a lot of good groups out there but it might be local groups or national groups or internationals that's a great place to meet people and network and find about jobs i always post my job postings first in discord and like local groups in the areas that our offices are um okay so another way to do that like

if you're trying to like target like figure out like what kind of jobs are available in your area or area you're looking to move you can use linkedin pretty pretty well um so like here's one example like so say i'm looking for a job and i live in new haven connecticut so i'm i'm in new york in canada what like kind of jobs where they're out there so i can look at like i can do search strings in linkedin to look for people already have existing positions but also it'll show you like if there's open jobs so if we're on this search so we say you know new haven and use the syntax we can look for any

you know city name that this city and it's got like security or cybersecurity pen testing whatever you're trying to target put it in there and then you'll start to find results of like people that work in that area or job postings that are open and some of them might come up like it might be physical security some of these but you can see like director of cyber security uh you can see like a cyber security advisory board member here if you scroll down i'm sure you'll find people at yale um and that's a great way to make contacts if you're trying to move somewhere you live somewhere like when i first moved here i went like

to look for security people and like i found people to have lunch with that i'd like never met before and found out more about the security community here and it's a great resource to look for jobs if you really want to work at like a specific company and you're just like want to stalk them a little bit um like not creepily please don't really stalk people but if you want to like you're really interested in working for a company get a job there want to target them you can take a pen testing approach to that right this is all kind of open source intelligence gathering this is the kind of stuff i do when i'm

fishing a company i might look at it probably isn't going to be i'm not probably normally going to go after like the pen you know the red team if i'm trying to fish the company but maybe um but i'll try to get intel about people that work there so you take the company name and then you put in your search string for the positions you're looking for and i put in our comp my company and i work for schneider downs and you can see you know there's a bunch of results and some of them will be people that didn't work there anymore or consulted for it but you can see the top result is one of you know our new

penetration testers that we hired recently uh tyler you can see got an internal security person so you can find like some contacts and try to connect with them and create a relationship and some ways to do that like hey would you do an informational interview like you work at this company i think that position is really cool or your company is really cool would you talk to me for a minute about it and they might you know be like hey we got a job opening or like i know somebody looking to fill a position or hey i'll let you know if i hear of anything it's a great way to network all right if you want to go further if you want to

try to email somebody um start with what we did there you know with linkedin find people you know people you want to contact get their first and last name so we can guess what their email addresses might be might be all right so and you could get names from linkedin company websites whatever all right normally email address formats if you're not familiar with like the corporate world are like first initial last name at targetcompany.com or your first name last name you can figure that out actually like you don't have to guess per se what the format is you can use a service like hunter dot io the uh the tool like the harvester or recon ng um to pull down like

you know you can search for at let's say shinydowns.com and see like are there email addresses you can associate with that you can say like oh i pulled back maybe not the email addresses you're interested in but you can see a pullback 10 and it's like oh okay this company is using first initial last name and um and and you can use that and you just say okay i got the first name last name and then guess and try to email that person so that's one thing if you want to try to email maybe don't just send your resume like say like hey like i saw you worked at this company and i wanted to talk to you a

little bit would you be willing to talk to me okay so i guess i've gotten through this like faster than i was playing too a little bit faster so that's good so kind of last thing we're going to talk about the last thing we're going to be talking about here is like maybe you already are a security professional and for some reason you're watching this talk that's cool hopefully you maybe learned a thing or two or maybe you didn't if you have any feedback from me i'd appreciate i'm happy to take that to make this talk better but hey okay maybe you have like i see this maybe you're working in i don't want to pick on you but a

security operations center and you're you're on the third shift and you're just dealing with alerts and they just have you google and you don't really understand what you're actually doing but you and maybe you want to be a pen tester or a security engineer or you're just like you feel kind of stagnant you kind of reach the peak at your company um or what you've been able to learn internally what you know what can you what can you do to advance your career and the key thing in my mind is to be a continuous learner it doesn't mean you can't have a family and you know like like like after this i won't be able to stay

too long i need to spend some time with my daughter or my wife but um you don't need to spend like all your waking hours learning stuff but hey maybe you're washing dishes you listen to a podcast or you're in the shower you listen to a book or you're working out i mean every time you work out you know maybe every other time you work out you listen to a book instead of music or whatever you know getting certifications definitely can help you know particularly you know some of the ones that are harder to get like in oscp and i sell that a lot of times um but if if you want to be a penetration tester

an oscp is going to give you an advantage um because it's just so hard to get by any certification you know if you go after a cissp if you have some experience to be able to get that the security plus any certification is great to add to your your resume work on your soft skills um so you know learn how to communicate better in writing by writing blog we talked about some of this stuff but learn how to communicate better in writing speaking you know do presentations things like that to get your name out there a great way to do that is to write tools um security tools and then or contribute to existing tools like if you come with

a cool new tool like one of my uh one of the guys that works with me wrote a sweet uh fishing platform because he had this idea we were doing fishing using a platform that was out there and there were things he didn't like about it so he was like i'm just gonna like write one and you know he wrote it and he's like he showed it to me as he was developing it and i'm like it's like we're talking about where should you present it i'm like dude this is freaking awesome you're presenting on at death corner and firing not right inside i was gonna fire him but like this is gonna get upset accepted at

defcon it's gotta be a defcon you're not going to present at some local conference you're dropping a defcon or somewhere like that and he got it accepted at defcon um and that just you know uh gives him a lot more exposure and i like people that i work with to do that i encourage people i work with to to get their name out there and so to to be able to get if somebody leaves um leaves my team i want them to go to google or spectre ops or somewhere really cool like that um and be you know heightening their career and so we talked about like you know writing blog posts making videos even you know

that's a great way to learn about things too maybe you don't you want to learn a new skill a great uh emphasis or a great way to motivate yourself to do that is like hey i'm going to write a blog post about how to do password spraying and i want to find three tools to do that and so you're going to get your research on how to do that read existing blogs things like that and oh sorry about the sun here um but yeah that's that's a great way to get out there to be your presence in the in the security community so we talked about i kind of run through a lot of different things hopefully

you're still awake i know like we're not in person and i can talk pretty monotone so i really appreciate you sitting here and hopefully you've learned of some different ways to like improve your resume and learn maybe some skills you don't have uh network um you know networking is huge i can't stress enough like my last my last job like i did not apply for a job somebody contacted me and i had a conversation and then like basically by the time they were about to hire me i did the job application right and that's pretty common so and not just that but like if you get a personal recommendation for a job you're gonna have an advantage

so i just cannot stress networking enough like if people know you um and know like you're a good person know that you can show up on time and things like that i don't know that if i'm just looking at a resume and interviewing somebody but if i'm seeing somebody once a month in you know an issa meeting or something like that or they're helping out with uh you know like the b-sides ctf or things like that i know that like that that's going to give you an advantage the other thing is don't give up it can be really hard to break into security that's the reason that i did this presentation i kept seeing people on linkedin and

twitter like ah like i'm trying really hard to get a job and i just can't get my foot in the where i got like 10 years of it experience or i'm a student how do you get your foot in the door just don't give up be persistent you know like i was like five years ago i was at derby con and i'm like i really miss security i really missed security uh doing it full time and and now i run an offensive security team and i hadn't done pen testing full time before that so you can go really quickly from you know zero to 180 it's it's the the the jobs are there the the need

is there so don't give up even if people get you down you know most people i think in the community will be friendly and provide you with tips and you know some people might be dicks just screw them um if you don't get a job that's okay just keep at it keep you know working on your skills ask for feedback on why you didn't get the job but don't give up if you're persistent you'll eventually find something once you get into security you're pretty sad like once you have some experience that's going to be pretty easy to move from jobs drop the job because you'll have the experience and there's a demand for it um you know thanks again for listening

my talk uh if you well i should move no uh we are actually hiring schneider downs on cyber security team we're hiring for uh some interns for 2021 summer 2021 so you want an internship uh hit me up on my work email and i'll get you the link to apply that we're also hiring for an experienced penetration tester um you know um you know so shoot me an email shoot me a resume i can uh hit you guys up with the job links if you want to just talk to me i'm also available on uh my personal email sarah matt at my wall security um and at the planet entry level sock positions we don't have a sock

we do have a defensive team they mostly do incident response and forensics so if that's something you have an interest in um we're like growing like more and more rapidly so it means shoot me an email um and i could put you in touch with the guy that leads our defensive team and see if maybe there's something that would open up but right now or i know we're hiring for an offensive pen testing position or red teaming position and for interns and the interns um you that would be arranged you we have a defensive and offensive team we work pretty closely together so normally interns we'll get to learning some pen testing maybe get to learn some insert response

to things like that so um all right hey thanks thanks for your time on the weekend uh hopefully i didn't bore you too much um i don't have too much time to stick around the discord if it's up for a couple days like i'll come back from time to time like at work and stuff and check it out i'll try to drop the slides in here right now um and i can probably take a couple questions but not really i apologize for that but um but i am available you know if you have questions or you know anything like that so