A Work in Progress

Friday, April 19, 2013

One of the most common questions asked by newcomers to our community is, "How do I get started in InfoSec?" This article shows it is not simply a matter of what you do (don't get me wrong, ability and aptitude are important), but also a matter of who you surround yourself with. In any profession, to create an environment for maximum professional development, you must surround yourself with people that are smarter and more experienced than you. If you're the smartest and most experienced guy in the room, the level of development you experience will be far less than that of those you are mentoring. That being said, I've been doing the infosec thing for a couple of years now, and I've always tried to surround myself with the smartest and most experienced people possible. While I've been personally gracious to some of those individuals who have helped me along the way, I would like to publicly thank the rest of them now. I'm sure I'll end up unintentionally leaving someone out, but this is closer to the beginning of my career than the end, so I'm sure there will be many more mentors and many more blog posts like this to make up for anyone I fail to mention here.

Jon Fox - Most of you have not had the pleasure of meeting this man, and probably never will, but this man is special. He gave me the opportunity to create and lead something that was above my skill set and out of my comfort zone. He saw potential in me that I simply didn't see, and through friendship and leadership, developed that potential into the canvas with which I entered the infosec industry. The rest of the individuals listed here helped me to paint that canvas.

Eric Bassel - Some of you may know Eric from the SANS Institute. However, my relationship with Eric goes much deeper. As a friend and mentor, Eric put the priorities of the organizations and people around our professional relationship aside to help me understand what is really important in life. During the most difficult of life decisions, similar to one that Eric had to make in his own life, Eric was there to provide me with sound advice. As a result of his advice, I am happier today than I have ever been.

Mark Baggett (@MarkBaggett) - What can I say, Mark is the absolute smartest man I know, and the best decision I made while working with the Army cyber training program. I am convinced that just being in the room with Mark will make anyone a smarter person, and it definitely did me. If it wasn't for Mark, I wouldn't be a part of the PaulDotCom team and I probably would have never started speaking at infosec conferences. Mark was all the brains behind the Volume Shadow Copy stuff we released at Hack3rCon a couple years ago, and I was little more than a cheerleader. Yet he graciously let me take part ownership of his amazing research and present alongside him. Even today Mark continues to mentor me and is always willing to extend a helping hand. Mark is much more than a mentor to me; he is an incredible friend.

Rob Dixon (@304geek) - Got writer's block? Looking for an idea? This guy's got 'em! So many times during the development of PushPin I leaned on Rob for testing and ideas. Each time, Rob came back with a list of things that totally rocked. The majority of the coolest features built into PushPin are a direct result of Rob's input. While every time I've talked about PushPin I've been sure to mention Rob's contributions, he deserves a larger stage, and I hope he gets it here. We made a great development team, and he was an invaluable asset. I would also be remiss if I didn't mention Rob's impact on my single largest achievement, Recon-ng. I mentioned the idea of building a recon framework out of the recon-ng script during my talk at DerbyCon in 2012. Rob approached me afterward and told me about a project that he and another friend, Vitomir Margetic (@NodeZero_Linux), were working on called TunnelRat. TunnelRat is a framework built for network tunneling. I'm not sure if they ever publicly released the project, but I look forward to when they do. They had some really innovative things going there. Rob and Vitomir invited me to be on the dev team for TunnelRat in hopes that we could build the functionality of the recon-ng script into the framework. Very early on in the project, I broke away from the team and created a separate framework because the core functionality of TunnelRat was not conducive to what I was trying to do, but I walked away with my first experience in what a true modular framework looks like in Python, and I have those gentlemen to thank. Anyone that is considering building a modular framework in Python should look at this article written by Vitomir. It explains the principal ideas behind TunnelRat modular functionality and one way to do framework development in Python. Another way to create modular frameworks in Python, the technique used in the Recon-ng framework, is to use nested "cmd" class modules. That idea came courtesy of my good friend Mark Baggett (see above).

Chris Gates (@carnal0wnage) - Chris and I had some personality conflicts to work through when we first met many years ago, but we worked through those and Chris became the first person I went to for infosec mentoring. While I was still an Army officer, I watched Chris do his thing against DoD networks with a childlike wonder. It was pure awesomesauce watching him own network after network with grace and modesty. His work intrigued me so much that I couldn't help but to badger him with questions on how to be like him and grow a skill set like his. He was the first person I approached with the question, "How do I become an infosec professional?" Carnal0wnage is the reason I started blogging and why LaNMaSteR53.com even exists. Even today I lean on him for advice, and he continues to provide.

Former Fellow Red Teamers - When I was a member of the Army Red Team, I was responsible for taking documentation from each of the cells that operated within the team and creating the final deliverables. I absolutely loved my job. I learned so much about the methodology, tools, and techniques of penetration testing just by proofing their reports. Long before I was learning from reading Twitter feeds, blog posts, and magazine articles, I was learning by reading the carnage inflicted on target networks by the best Red Team operators in the biz.

Chris Campbell (@obscuresec) - I don't know what it is with the name "Chris", but I've had some personality conflicts with this one too. Go figure. At one time, not too long ago, Chris and I were pretty good friends. I can honestly say that most of what I know about owning Windows domains, I learned from Chris. Most of you know Chris by the work he does with PowerShell and Passing-the-Hash. That was a natural transition for Chris. He was our go-to-guy for everything Windows on the Army Red Team. Need a domain popped? This guy can do it. A truly gifted technician.

TJ O'Connor (@ViolentPython) - TJ humbled, and humbles, me. A brilliant man once asked me, "Can you outperform TJ O'Connor in a hacking competition?" I foolishly replied, "I don't know TJ O'Connor, but I imagine I could at least hang with him." buzzer Wrong answer. TJ whipped my arrogant tail and issued me one of my first lessons in infosec humility. But all the while, TJ never once claimed that he could beat me, or that he did beat me. He knew the lesson he had taught me. And it was an important one. Those that know TJ consider him one of the brightest minds in the industry, yet TJ would tell you that you are crazy for even thinking it. That kind of modesty is rare in our industry, and I look to TJ as an example of what right looks like.

Martin Bos (@purehate_) - Many of you are familiar with the verbal salvos that have taken place between Martin and me over the years on Twitter. While we are vastly different and disagree on just about everything, Martin has my utmost respect. Very few people have the passion and guts to be as honest and forthright as Martin is, and people like me who are equally passionate and stubborn need lessons in humility every now and again to keep our egos in check. Martin may not know it, because I've probably never said it, but he has taught me some valuable lessons about humility, and has helped me realize places in my personality where I need improvement. For that I am thankful.

My Father - He's old school, and not the best with computers, but I consider him to be the ultimate hardware hacker. I've never seen anyone with the level of ingenuity and creativity he has to take ordinary things and do extraordinary things with them. Watching him as I grew up set deep roots in me to want to be like him. To be able to think outside of a seemingly useless object and do something amazing with it. My father is also the one that recognized my aptitude in programming at a very young age. I remember him watching me create batch scripts on an old IBM XT and asking me if I wanted to do more. He got me started with QBasic, introduced me to a man named Ron Davidson who gave me my first lesson on object-oriented and event-driven programming, and bought a new family computer (Packard Bell) so I could begin developing Visual Basic applications. My father is the reason why I am so passionate about code. He has also become my biggest fan, and now looks at me the way I look at him. That is an amazing feeling.

John Strand (@strandjs) - While I've not known John all that long, John has become, without a doubt, my strongest mentor. I met John in a SEC560 class in 2010. John noticed something in me, grabbed me by the arm, pulled me aside, and never let go. John watched me as I struggled through 2 jobs that he knew weren't making me happy or leveraging my potential, providing mentorship and sound advice all along the way. John then took a huge chance on me by hiring me as his first employee as he ventured into company ownership, and I sincerely hope it wasn't a mistake. John has fostered creativity in me that has led to pretty much everything I've done. PushPin, Recon-ng, HoneyBadger... All of these tools were spawned from seeds that John planted in my mind. Whether or not he intended to, I'm not always certain, but in all cases, John has humbly stood aside and willfully offered me complete ownership of these creations.

Not all of the individuals listed here will read this, and not all of them maintain amicable relationships with me now. However, all of these people have played key roles in my development to this point and deserve recognition. None of my accomplishments have been achieved alone. I have each of these individuals to thank. Thank you.

As you browse away from this article, remember the importance of surrounding yourself with bright people and being gracious for the mentoring they provide. Look around you. Are you the smartest and most experienced person in the room? If so, it may behoove you to change settings. But never forget that mentoring goes both ways. The only way this industry thrives is by its members simultaneously mentoring and being mentored at all times. There is always someone else in the same position you were in several years ago. Reach out and lift that person up, as those mentioned here lifted me.
