There is no one set path to a cybersecurity career, and our guests for episode 43 of Cyber Security Sauna have arrived in the field in very different ways. Logan Whitmire comes from a military background and Derek Stoeckenius has a degree in psychology. In this episode, they share what sparked their interest in infosec, their journey to their current roles, and how their unique backgrounds influenced the way they approach their work. Also: Tips on getting into the field, and what they might have done differently if they could go back.
Janne: Welcome guys.
Derek: Thank you. Glad to be here.
Logan: Thanks for having us.
So what’s your current role, or the area you work in, Derek?
Derek: So I’m an associate security consultant working in digital forensics and incident response. And in addition to that, I do web application security testing.
So that’s both defensive, or investigative, and offensive?
What about you, Logan?
Logan: I’m also an associate security consultant. I do a lot of web application assessments, as well as a decent amount of research into, like, IoT devices, which is what I’m currently pretty passionate about.
So let’s talk about your IoT research. Can you tell us a little bit about that?
Logan: Yeah, so right now it’s just buying a lot of, I guess, cheap IoT devices and routers, and then practicing extracting the firmware, different types of exploits, all to prepare myself for the upcoming Pwn2Own. I’m hoping to participate in that and win something.
Nice. What about you, Derek? Are you doing any research?
Derek: Sure. So my most recent research project was actually, we ran a workshop here, and it was a purple teaming workshop, and I did research on command and control systems. What we did was we ran them in a controlled lab environment, and we looked at things like packet captures and other sources of information that we call IoCs, which are indicators of compromise. And we went through that.
So, indicators of an attacker being present in a system.
Derek: Exactly. And so we talked about those things, so that’s my most recent research project.
That’s cool. So Logan, can you share with us a little bit about your infosec journey? How did you get here, where you are today?
Logan: In high school, we had the Army recruiters come into our classroom and they’re like, “Who doesn’t want to go to college?” And this was after our finals, so I was like, “I’m done with tests. I hate tests, never again.” So I stayed after school to listen to their whole pitch. And they’re like, “Do you like computers?” And I’m like, “Yeah, I mean, I play World of Warcraft for eight hours a day, so of course.”
So I went down and took the ASVAB and then I got a fairly high score. So like, “Hey, how would you like to do cyber operations?” Keep in mind, I had no idea. I thought that was just like IT support. So I’m like, “Yeah, I can do some tickets. I can fill out some emails.” And then ended up here.
But they came to your high school talking about computers. So they were recruiting specifically for that?
Logan: Yeah. So it was a brand new job that opened up. It was cutting edge. They needed people, and no one really knew about it just because when you think of the Army, you think of infantry, tanks.
Sure. But it’s also a very different kind of organization compared to corporations. Do you miss that clear-cut task, order structure of the Army in your civilian job?
Logan: Surprisingly enough, I feel like I have more clear-cut orders at F-Secure than in the Army. A lot of the Army was a lot of just winging it, mainly because no one really knew what to do with us. So a lot of the time they were like, “Hey, you guys do computer stuff, how about you set up some new desktops?” And it’s like, “That’s not my job, but sure.”
Oh, that’s very interesting. All right, Derek, how does that sound? Very different from your path.
Derek: Yeah, in many ways, my path was actually less direct because I took more of an academic route. So I started off as an undergraduate doing psychology research before I started to switch to information security. So I actually started doing a PhD program. I did that for a year before I decided that I’d rather actually do information security instead. So it was definitely a less direct approach.
Sure. Was there a particular moment or a recurring theme that sparked your interest in infosec?
Derek: Yeah. Sure. So actually when I received my offer letter for joining the PhD program, I noticed that at the top in the URL bar, my student ID number was being displayed in the request itself. And I had my friend come over and she put in her student ID number and then her offer letter popped up without any authentication.
So for me, that was actually my first moment where I was like, “Wow, this is actually kind of interesting.” And then so from there I started doing software development, just for psychology research. You have to develop experiments and then run them. And so those two mixed together in my mind, and that’s how I got interested in information security.
But just to notice something like that, I mean, you must’ve been a little bit interested in infosec before?
Derek: Yeah. I always read like Wired Magazine and things like that when I was a kid in order to keep up on security and it was very interesting as a topic, although I’d never actually taken it seriously until I got into that.
Sure. So did you do any studying on your own or reading on your own before you made that big jump into official cybersec?
Derek: Yeah. So before, when I was studying psychology, I was actually studying human memory and learning. So that gave me an opportunity to learn a lot about how to self-learn. And so as a part of that, then I just jumped right into information security and started learning things, like the Web Hacker’s Handbook is where I started. And I just read through there. And I started following along with a lot of the exercises, and then I moved into doing my OSCP and started with that.
How do you feel the psychology background has served you in infosec?
Derek: Oh, definitely knowing about the best way people learn has been very helpful because this field is all about learning and especially learning on your own. So knowing how to effectively do that is really important, and focusing on things like making sure you’re testing yourself as you go along, and you’re doing exercises as opposed to just reading book knowledge, I think is really important. And I learned that a lot from my psychology background.
Sure. So you said you’ve been doing incident response before. The psychology background, does that help in understanding how the attackers think?
Derek: I would love to say that it does, but I actually didn’t study that form of psychology at all.
Okay. You said more about learning and stuff.
Derek: Yeah. Yeah.
Okay. But that helps you when you’re trying to pick up new skills, for example, offensive cybersecurity.
Derek: It definitely does. And my primary role now is doing incident response in addition to penetration testing. It’s helped a lot, because I’ve had to learn almost all of that informally. So I have to teach myself as I go along and then learn the skills I need to do on the job as quickly as possible in order to be able to help with clients.
All right. If you hadn’t been exposed to infosec while studying for the PhD, what do you think you’d be doing right now?
Derek: I’d definitely still be in that PhD program. It runs five years, and so my partner is now in her third year of the program. So I would be in my third year of the program if I didn’t switch to information security.
So Logan, how does Derek’s experience, how does that sound compared to yours?
Logan: Sounds pretty nice, honestly. It’s kind of a running joke with all my friends who are still in the Army that we should have gone to college.
(Laughing) All right. Do you think Derek that there’s something that Logan’s background has provided for him that yours hasn’t?
Derek: Oh, he definitely had more direct instruction about how to do this job. And he didn’t necessarily have to transition loosely related information into a new position, which would have been a lot more straightforward.
So you both have OSCP certification. How well do you feel that that certificate serves you in your career?
Logan: Honestly, I loved the OSCP. I feel like OSCP is definitely like a good entry level cert for pen testing. I feel like it covers maybe like 65% of what you need to know, and then the rest you just pick up either on the job, reading blog posts, or doing like Hack the Box. Basically it’s like, it gets you to the point where you’re able to self-study, and you know what you need to self-study.
Derek: I completely agree with Logan on that. And I think what makes the OSCP unique is that it’s all application-based including the exam, which is really important because I know that there’s a lot of certifications that don’t have that really practical component. And so that’s really what makes it powerful.
So how’s the actual job of infosec been different from what you expected it would be when you were studying or anticipating a job in the field?
Derek: So I think for me, what’s been most different is that it’s actually a little bit more tedious than you would necessarily expect. So I think that’s important for people to know if they’re coming into this, that it’s not all going to be just like fun and popping boxes. And especially if you’re doing incident response, it’s a lot of sorting through big data sets in order to figure out how an attacker got in, and what they’ve done when they were inside the network. So I think it’s really important to emphasize that it’s not all just fun, but it is still worthwhile.
More research than a martial art.
What about you, Logan?
Logan: I’d say it’s just constantly evolving. Whereas OSCP, we talked about earlier, it does get you to a certain point, if you want to be relevant on modern day systems, you definitely need to put in the time after hours to either skill up on new technology or constantly do your own research to better yourself. Because if you stay stagnant, you’re not going to survive.
Do you ever wish you had a job that didn’t require you to spend your own time in studying? Because there are jobs like that?
Logan: Not really. I think infosec is my passion, and I do spend most of my free time researching just for fun. I think it’s more of an ego thing of breaking someone else’s hard work.
Derek: Yeah. And I think that this field, while it really does require you to put in some work after hours, I think that it also still…like, I know that F-Secure supports people working a lot, even during their day. If they’re not working on a specific job, they’re able to do research time within their day. So I think it’s important to pick an organization that also supports it as well.
Yeah and like you said, for a lot of people in this field, it’s a passion, so this is the stuff they were going to be doing anyway. What do you like best about infosec? Hacking?
Logan: Popping boxes.
Is it breaking other people’s stuff, like Logan said?
Logan: Get in that root shell. Nothing’s better.
Derek: I think for me what I like most about it is that you’re able to, at least most of the time anyway, really help out the clients and give them some information that’s helpful to improve their security posture. It’s up to the client to actually take that information, but you’ve at least at the end of the day, done a reasonable job helping them improve if they’re going to follow along.
And incident response is a little bit stronger on directly on that point, because you’re actually more involved with the part where they’re remediating the problems, and that can really give you a good feeling if you’ve been able to actually help the client essentially kick out the attackers and take back control of their network.
Let’s take a look back. Is there anything you would’ve done differently in your InfoSec journey knowing what you know now?
Logan: I probably would’ve done OSCP sooner. I feel like everyone talks about how hard it is, and how it’s like a scary cert, but I feel like if you just put in enough time, it’s not that bad. It kind of solely relies on how well you self-study, and how motivated you are to do it. For example, I finished OSCP in 30 days. I have a friend who is now approaching almost the one-year mark and four failed attempts.
Logan: So I think it really just depends how well you can self-study and how motivated you are to get it done.
Derek: I would definitely agree that starting the OSCP earlier is a good choice. For me, it took a little bit longer than Logan’s 30 days. That being said, having the time to do that is really important. So if you’re able to set aside more time, and if you can’t necessarily finish it in just 30 days, then doing that would be a really good way to get started ahead of time. And I definitely would have started that earlier.
All right. Other than that, is there something you wish you had known before you made the leap?
Logan: I’d say be wary of useless certs. Sure, they pad your resume, but no one really cares.
Derek: I would definitely second that one.
But I guess that’s the tricky part. How do you tell… If you don’t know the industry, how do you know which certs are the good ones and which ones aren’t?
Derek: You definitely have to ask around for that information.
Logan: I feel like all of that’s just like self-research. You have Reddit, you have a lot of the big infosec people on Twitter, like SwiftOnSecurity, notdan, Zero Labs. A lot of those people have their own reviews on certificates.
Well, that’s the thing, and we often get like RFPs where one of the scoring criteria is like, how many different certificates do you have, or how many of the following named certificates do your consultants have? So it puts us in that weird situation where you want to have even the useless certificates because they’re not useless in that sense. But then again, it is a waste of time for people to be going through these courses.
Derek: They’re also quite expensive as well, which can really put a dent in people’s pocketbooks, especially when they’re early on.
Logan: I think it’s better to collect the useless certificates once you have a job, or once you have a better knowledge baseline, but I would definitely recommend just going straight for OSCP first, getting hired somewhere, and then moving on to certificates you don’t really care for, but might need.
Yeah. Maybe I should point out at this point that the OSCP certificate is not sponsoring this podcast at all. So these are all volunteer statements by the guys. So you guys must have career plans or goals. Where would you like to end up and how do you get there?
Logan: I want to win Pwn2Own, hopefully this coming Pwn2Own. They should be releasing the target list, I believe next month. So I’m hoping to get my first win there, and then move on to more research-based stuff.
Derek: My goal is to stay mostly technical. I know a lot of people in this field are looking to move into management and things like that. Whereas my goal is to stay technical throughout my whole career, and to focus on really keeping an eye on both incident response and also the offensive security side of things, which at some point would put me more in the purple teaming category. However, I think incident response and offensive security, both as separate fields, are going to be really important for my career going forward.
But I mean, like you said, there is that overlap in the Venn diagram of those two fields or the Purple Team exercise.
Derek: Yes, very strong.
So, as fairly recent arrivals into the field, what’s your fresh perspective on what the industry could be doing better?
Logan: I’d definitely say a lower entry cost. I know a lot of people hear about SANS, and their courses run upwards of $7,000, and they definitely have a lot more advertising budget. So it’s a lot more of a common name. So a lot of the entry level job posts that I saw when I was looking wanted SANS GPEN with either a master’s or bachelor’s degree, and like two or three years of experience for an entry level penetration tester job, which just didn’t really make too much sense. So it definitely feels like a lot of it is also just networking, more of who you know, and less of what you know.
Derek: Yeah, I would agree with that. I also think that the skills assessments when you’re first joining positions should be more reflective of where people are at with that, and F-Secure is great at this because they really pull people in when they’re early on in their careers, and they will mentor them through as they grow.
And I think a lot of companies, I’ve seen a lot of job postings where they just say right in the job posting that they don’t accept juniors at their company. And I think that’s a very toxic perspective; not accepting any juniors at a company seems to really be missing the point about how to get people into this field.
It’s also maybe not the strongest tactic in an industry that’s notoriously short on qualified labor.
Okay. Let’s talk about the people trying to get into this industry. What advice do you guys have for them other than taking the OSCP as early as possible?
Derek: I think doing your own independent research is really important, and making sure that you have something to talk about when you get to an interview. To be able to talk about things that you’ve worked on, or things that you are working on is going to be a really important conversation starter.
Logan: I’d definitely say make a blog. A blog is a great way of showing one, your research, and two, that you’re able to talk about it in a way that everybody can understand. As far as not being able to apply for jobs, I know a lot of jobs use their wish list for hiring people, but even if you don’t meet the requirements, still apply. The worst they can tell you is no. Best case you get an interview and you can go from there.
Right. That was some very sound advice. We’ve been doing a couple of these episodes where we talk about how to get into this business. And if there’s a recurring theme there, it’s always learn to communicate. Because a lot of people come into this field with very strong technical skills, but they’re not expecting how much communication happens in this job.
So when you were getting into cyber security, what kind of support from people already in the field did you appreciate the most? What’s the thing we already in the industry can do to help people trying to come up?
Derek: I think providing mentorship opportunities is really important. So when I first was getting interested, I actually joined the local DEFCON meetups, and I found that the local DEFCON meetup was actually very supportive for this because everybody was just there to talk about research. And you could ask people questions and do things like that.
And I also visited a couple of conferences, like the BSides series, and they had career workshops there where they talked about resumes and what it’s like to work in the field. And you were able to meet one-on-one and talk to people who had really been in those.
And I think that’s a really important way for people to give back: to go and sort of volunteer at those when they’re already at those conferences, to be able to talk with people, especially if they’re more senior, about what they’re expecting and what they’re looking for in who they want to hire.
Anything you want to add, Logan?
Logan: I’m not really sure. I feel like a lot of it I just did on my own. A lot of it, I knew, I had my goal, I wanted to be a penetration tester. So I did a lot of research on what I needed to do, as well as looking at job postings for the requirements. And that’s how I figured out everyone’s talking about either GPEN or OSCP, and I can stomach $800 a lot more than seven grand.
And then because you can’t really talk about the tests of the certs you’re taking, I’m not really sure how much other mentoring I could use. What was nice was when I joined F-Secure, I did get a lot more mentorship for growing myself from junior to something else, which was appreciated, but getting into the field, I feel like it was a very simple, straight 1 – 2 – 3 path for me.
Very “Army of one” of you.
Logan: I have a friend who’s trying to enter the field right now currently. And as much as I want to help him, there’s only so much I can do. It kind of does require you to be your own Army. Because I can throw the Web Hacker’s Handbook at him a thousand times, but I can’t make him read it, and I can’t make him go through the OSCP PDF on his own free time. A lot of it is just your own determination, your own dedication.
So Derek, with your background in how to learn stuff, and how to teach stuff, are there any study tips you’d give to people who are trying to develop InfoSec skills on their own?
Derek: Yeah, sure. So I think the most important thing is to remember that this field is unlike any other academic fields that people have studied. So it’s not like school. And the really important thing is to get in there and get practical experience really early on.
So instead of reading a book and then just testing yourself on it, you really need to download some virtual machines, try setting up a network, try following through tutorials, and really doing those technical skills on your own as quickly as possible. It’s going to really make you a better person in this field.
How do you guys feel about capture the flag competitions or hackathons or things like that?
Derek: I think that it depends a lot on the actual content in them. So I’ve seen a lot of hackathons that are sort of… They’re really just more software development, and people are doing it really quickly in like a time box thing, where it’s like 24 hours to develop a new app, and then they call it a hackathon. So really focusing on things that are security related. CTFs are a really good choice.
Logan: I definitely agree. You have Hack the Box, VulnHub, TryHackMe, you have a whole bunch of new sites and every day there’s more companies making their own online CTFs that kind of copy the Hack the Box model. So there’s definitely a lot of options out there.
Do you guys ever participate in any bug bounty programs?
Logan: Yeah, I do in my free time. It helps my resume with the whole hall of fame or recognitions from various companies.
Logan: And then helps you just scale up too, because you’re always practicing on something new. So something I might see on a bug bounty might come back and be relevant on a future job. It’s just about scaling up. And the bounties are pretty nice to have.
Derek: I do not. Just for me personally, it would take a lot of time after hours, and it’s time I could be spending either doing research, or just living my life.
Yeah, hanging out with the family.
Derek: Yeah, exactly. So that’s why I choose not to participate in bug bounties.
That makes perfect sense.
Logan: Who needs family when you have infosec?
Well, you have a pretty hardcore attitude towards infosec.
Derek: Logan’s a young guy.
Logan: Yeah, I’m a young guy in quarantine, so I really don’t have any other options.
Wow. All right. Hey, thanks for being with us today and walking us through your careers so far. Thanks guys.
Derek: Thank you.
Logan: Happy to be here.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.