We think we know how to build differentiating skills in offsec

Publisher
Pentest-Tools.com
There’s a constant loop of learning, doing, and improving in offensive security. And one way to develop the “muscle” to tackle complex security challenges is through hands-on training. That’s what IppSec, our guest, does with kindness, passion, and in the community’s best interest.
IppSec helps us bust a couple of common myths which, if left unquestioned, may alter learning, distort results, and, ultimately, create big gaps in understanding, all of which can undermine your future success. 

IppSec bio

IppSec is an offensive security pro known for his in-depth walkthroughs of complex hacking techniques and for openly sharing his thought process with the community. He takes a generous approach to sharing his knowledge, which is why the entire community appreciates him. Before joining this space in 2015, he was a professional video game player.

Now IppSec creates educational YouTube videos and writes blogs to continue improving his public speaking and communication skills. He’s on a mission to deliver engaging and practical technical training about various aspects of cybersecurity including incident response, threat hunting, and offensive security tactics.

Press play to listen to IppSec explain:

  • Why recon requires constantly "reading between the lines" [03:20]

  • Why AI can’t find business logic vulnerabilities [08:23] 

  • Why genuine communication with clients is essential [12:48]

  • How rewarding and valuable it is to invest in the open-source community [17:35]

  • How discipline makes a difference and how to develop it [24:00]

  • How pentesting and bug bounty hunting complement each other [27:00]

  • How you can build specific skills that differentiate you in the community [35:36]

  • How to develop your own learning system [38:04] 

  • Why it matters to make constant learning a positive experience [44:48]

IppSec’s generosity in sharing so many practical, valuable examples will help you get a better understanding of this discipline and enhance your knowledge.

Resources from this episode:

IppSec’s personal website

IppSec on LinkedIn

IppSec’s YouTube channel

How to avoid burnout

Jason Haddix

Ben Sadeghipour (aka NaHamSec)

John Hammond

Dave Kennedy 

Interview with IppSec for Hack The Box

Episode transcript
Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries? 

And what's limiting my ability to think creatively? 

This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.

This is We think we know, a podcast from Pentest-Tools.com. 


[00:42] Andra Zaharia: There's a reason almost everyone in offensive security knows IppSec. 

He's a generous, thoughtful member of the community who takes a unique approach to hacking challenges.  His work reflects a deep understanding of systems and a really down-to-earth approach to problem-solving. 


IppSec goes beyond just demonstrating techniques. He reveals his thought process and the craft involved in tackling complex offsec challenges. Through this, he inspires hackers from around the world to pursue offensive security with curiosity, intention, and perseverance.


Today, IppSec helps us bust a couple of common myths which, if we leave unquestioned, may skew learning, distort results, and ultimately create big gaps in understanding, all of which can undermine your future success. So let's unpack the truth behind all of this. 


Andra Zaharia: It is wonderful to have you on the show, not just because you're one of the people whose names, when it comes up, everyone knows exactly who they're referring to. 

The type of work that you do travels so far across the globe, and what I really love is how consistent and how much integrity your work reflects. And I really appreciate that you're bringing and sharing all of this with us today. 


So welcome to the show!


IppSec: Thanks for having me. I'm excited to be here. 


Andra Zaharia: So, as you've seen, our, let's see, we chose a name for this podcast that's specifically geared towards what happens when our expectations clash with reality. 

Because I wouldn't say meet, they sometimes clash. 


So what we're trying to do here is dig into what it's really like to do the kind of work that you do and everything that's behind it. And something that I wanted to start because the main topic of this entire season is how penetration testing and offensive security is a craft. 


I wanted to start with something that you said on Live Recon, the episode that you did with NahamSec, Jason Haddix, and Stök. That recon can be automated, because something that we see a lot is that many people in the space say that, oh, recon, it's the one step that you can fully automate. It's the one step that you should fully automate because you have much more important things to do otherwise. But I know that you have a slightly different opinion on this and I was wondering if you could unpack it for us a little bit.


[03:20] IppSec: Yeah, I think recon is one of the most important things and it's also one of the toughest. I also think it kind of parallels with a good versus bad security report, if the audience isn't technical. It's one of the reasons, like a lot of just, we call them like pentest, puppy mill type things can be successful because if a company's getting a pentest, they may be getting it for compliance reasons. And if that's the case, they just want a test that doesn't have any findings. 


So if the security company does a bad job, they hand the report over and the company's happy with their work, right?! I think recon follows that type of logic, right?! All you want on recon is to get some endpoints. You get some endpoints, you're happy. It doesn't matter how many endpoints you got, right?! You just don't have a good measure of, did I do a good job here? I draw a lot of the parallels to just mastering any craft. 


IppSec: Before I got into security, I was actually a professional video game player. Starcraft was my game of choice. And in that game, a lot of people just say recon is sending your unit across the map and seeing what is there. But when you reach a higher level of that game, you realize it's not that simple. Recon is really sending your unit across the map and seeing what is not there, right?! And I translate that a lot to security and trying to read between the lines. 


So you can automate the start of recon pretty easily because it's just like running Nmap, looking at a few things, that part of recon is easy to do, but it's a never-ending thing. You should always be doing recon and once a result comes in, you do some more. And I always say the only thing you can't hack is time. And if you don't have the good discipline to just keep going back, running recon, you're going to get to the point where you're just stuck and be like, man, I wish I started this one tool, this one thing a couple of hours ago. Well, I got to start it now. And now you're just kind of waiting.


And that time you're spent waiting, you probably get demotivated. Go do something else. 

You may not come back to the task, right?! Well, yes, you can automate the start of recon, some tools have done that. Like there's a tool like AutoRecon. But I really think that recon is something you always run in the background so you can always just go back to it and look at it.

And if you don't do that, you don't appreciate how much value you can get out of it. 

I said, reading between the lines, and one good example I have is a good URL parsing bug.


IppSec: When you put it, I think it's Nginx or Apache, in front of Tomcat, you can just abuse some of the ways the two applications handle URLs. And sometimes you can bypass something blocking you from getting to /manager because how Nginx processes it and how Tomcat processes it is different.


So if you recognize that Nginx is the thing that's blocking you, you can put, I think it's like a …semicolon beforehand. And then you bypass the Nginx logic, access Tomcat, and then you're good. And the way you would see that is seeing a jsession cookie handed out by something that says it's Nginx. And you realize that's reading between the lines, right?! 

There's no good way to just always see that from just like a port scan or something. 

But that is good recon. 


[06:45] Andra Zaharia: And I feel like this is such a good metaphor, I guess, for many of the things pertaining to offensive security, simply because it's this cycle of always looking for things, the constant inquiry of all of it, the constant exploration that leads you to, let's say, narrower paths, and then it opens up again and you just have this constant dynamic. 


You said at some point that security is so open-ended, and that is so true, not just because it has all of its technical intricacies, but also because the human dynamic that kind of models everything, that shapes everything, is infinite in its possibilities and its combinations and so on and so forth.



Andra Zaharia: So something that I really appreciate about your work and the way that you emphasize certain elements is that you always tie it to the context, you tie it to business logic. And I've heard you say and write that you do enjoy business logic vulnerabilities, sometimes more than a technical vulnerability, simply because those can be exploited without going the usual route. And I was wondering what kind of, let's say, system you've devised to focus on this and to create time in your schedule and in your workflow to actually focus on these types of issues.

[08:23] IppSec: The business logic vulnerability. I think this is one that just comes with intuition. So to give viewers a context of what we mean by business logic, we've moved to a world where a lot of people like these SaaS applications or cloud applications. And by that I mean think of Slack, think of Mattermost. The whole concept of having a company chat isn't like we had, I forget, like Link Spark messenger the same time was IBM. 

There's been a bunch of internal IM clients. What's different is now the client is on the Internet and a lot of just IT. Admins don't like having to provision an account for SEC. One thing that may be common is they allow anyone with an email address to create a Slack account, right?! But they also have a help desk. And when you create a help desk ticket, you get a way to update that help desk ticket via email. It'll be like ticketid@company.com.  

So if I create this help desk ticket, I can now use that ticket in Slack. And Slack will send a little email to the help desk and say, verify you're an employee by clicking this. Because Slack thinks you have a company email, you must be an employee. You click the link in the help desk and now you're on their Slack instance, right?! 


That is like an example of a business logic vulnerability, and it's one that's somewhat tough to find if you're just not thinking about it. And I also think it's one that is going to be tough for AIs to find in the future because it's not really a vulnerability, right?! One of the things that I think AI is going to have trouble with is a lot of security isn't vulnerabilities. That's one thing I think a lot of people have a misconception of when they get into this field. They do like Hack the Box, watch my video, see all this complex exploitation. But in practice, probably 90% of clients, it's just checking SharePoint, checking a shared drive, getting a credential, and just going without any vulnerabilities as far as they can go in the network, right?! 


And that's tough for AI just because to me, I think AI be easy if it defines an end goal, right? The first concept I had of AI was watching like something play Mario and learn how that game works. Well, it knows I just got to get to the end, jump on this flagpole and that's it. So it can play 20,000 or 20 million rounds, discover the game, and always knows I just want to get to the flagpole as fast and efficiently as possible, but there's no flag in real life to get. So you never know what that data you're giving, what implication it has. And I think that's going to be the tough thing for computers to automatically determine, like it knowing, oh, just having access to Slack, which every employee does. That's a vulnerability, right? The goalpost for vulnerability changes upon what it is. And to discover it, you need just human intuition, I think.

Andra Zaharia: Exactly. And not just the human intuition that comes with living in society, that comes with going through these experiences and understanding how they feel and what they mean, because that's the sort of context that, of course, systems lack, no matter how much they try to actually understand those.

And this ties to something in your experience that I find very valuable, which is you working as a defender first before going into offensive security.

And you've talked about how this really helps you notice some bad habits that people develop when they don't go through this experience because they don't necessarily understand or have empathy for how difficult it is to actually do the things that they recommend in their reports.


And I was wondering, how can they get the sort of awareness that you had coming into this as a defender without going through this experience?

Because so many people want to start and start their careers in penetration testing directly instead of going through this step, which is obviously optional, not necessarily a precondition, although something that's definitely very valuable to have.

[12:48] IppSec: Yeah. The quick answer is, I don't know, right?! 

It's one of those things, like, for me, when I do pentesting, I always just try to get to the access I used to have as a blue team, or it would help. But the long answer, I think, is it really depends on trying to force your mindset down a certain path.

I think one of the most dangerous things to cybersecurity is how often you see bad things, because as a security tester, your job is to find all the bad things in a company. If that's what you do 40 hours a week, it's probably going to be more, because we spent so much time doing this and it's our passion, we love it.

So let's say 80 hours a week. You're looking for bad things. It's very easy to just see there's crap everywhere, right. No one does their job because your job is just to highlight. You're not really highlighting the good things.

And when you go into that mindset and only highlight bad things, don't highlight the wins, don't spend time on the positive.

IppSec: The people on the other end of that report probably aren't going to want to talk to you. So when you get down that logic of you just handing your report, they get the report. They're like, yes, you did a good job, and then they don't want to talk further. You're never going to learn why they can't fix some of your things.

So what I find always helps is to try to be positive and then also try to talk to the technical people who get your report. And that can be tough because a lot of clients try to shield the administrators from the pentesters because social engineering is a bad type of thing.

But I find a lot of the time if you can ever get them to agree to that communication and say if they don't want it at first, fine, but let's try. Once we hand in the report, can we have a debrief with the developers, the sysadmin, who's responsible for this and see what they think, right?!

It'll be really good if you can get that beforehand because one of the issues I faced a lot is my upper management gets this report.  Some of the findings aren't really findings.

There are mitigations in place or something, but they see all this badness and then it puts a lot of pressure on the person that's trying to fix it. It's really good.

If the person who gets to fix it gets a heads up about it, they can fix some of the things or give some recommendations. Say, you did this, it is a problem, but you're over exaggerating this problem or something like that.

If you can ever handle a report that shows things that are fixed, it's going to show you did your job.


It's also going to relieve a lot of the stress of other people, like the actual worker bees. And then at the end of the day, the management is going to see, like, let's say next year they go to do a pentest.

They see, oh, we hired this firm and their report says a lot of things are fixed versus firm b, that says we have a lot of problems. Which do you think they're going to go to next year, right?!

Andra Zaharia: It's buying that well, earning that goodwill in a way that truly cements and builds these relationships, which at the end of the day are the essential thing that gets things done and that gets things fixed is because people want to do it, not just because they're just forced to do it. That's one way.

But that's never going to be as effective as getting someone to understand why this is important, why it's important for their business and also making you like a really better pentester in the process, both in terms of people skills, but also in terms of technical skills. So, yeah, that was a super valuable example. Thanks for sharing that.

IppSec: Yeah, no problem.

Andra Zaharia: And this is something that I've seen perhaps change for the better in the offensive security space, particularly is people talking more about their tools and techniques, about their mindset, because there is this tendency, which is somewhat natural, to keep your knowledge to yourself, to keep your tactics to yourself for that competitive advantage, of course, and you're doing the opposite.

You're sharing it all, you're sharing it with everyone, not just as an educational resource, but I feel as a community-building pool of experience that people can dip into and truly learn from.

And I was wondering what motivated you to do this?

Was it like a milestone moment for you, where you figured out, like, this is something that I want to do, and what's the kind of reward that you get from it?

[17:35] IppSec: So that's really a tough question.

I think it kind of stems just from how CTFs have progressed throughout the years.

I started as a blue teamer, but when I was, I want to say, like 13, I was making map packs for video games, doing shenanigans on instant messengers. There wasn't really any good resource in order to learn security. It was all, you're not going to go to jail for putting a map pack in a video game. So I got very lucky that that's what my interest was. And I didn't do it against any companies. It was against my own computer. Right now, we have a lot of websites like Hack the Box, TryHackMe offsec. There are countless places that just have these resources for you to go learn cybersecurity in a good way.

And what's also good about that is it lets people like me talk about it.


If we went back ten years, if I was a pentester, I still can't really talk about my craft, because if I talk about it, you know, my clients, you know, what they've been vulnerable to.

So CTFs have just been really good about providing a safe way to have this communication.

We can talk about a vulnerability, put no one at risk, doesn't risk the previous clients I've worked with just because it's out there, right?! And the reward for me, I started this.

So I got into video game shout casting because I used to have a speech impediment.

I have rhotacism, so I have a hard time pronouncing R's, which is a horrible thing to give someone with that. It starts with a hard r. I don't know how it got that name. I also used to stutter. I still stutter occasionally if it's topics I'm not really super passionate about. But video games, definitely helped me. I started falling out of love with the game I was playing.

I had this milestone where it was either get OSCP or go move to Korea and play the game full-time.

I thought OSCP was the better track for me. And getting a certificate and going into pentesting, looking back on how gaming has progressed, maybe it wasn't. Now it's like a multimillion-dollar industry. It didn't used to be.

But once I quit playing video games so much like 40 hours a week, I lost the ability to just talk to myself for ten to 20 hours a week to improve my speech.

So that's when I saw Hack the Box and I wanted to do kind of commentate myself solving these boxes.

And it really helped me just progress in terms of speech. It also helped me in terms of mastering this craft or becoming a master. I guess I still wouldn't say I'm a great pentester. I don't think anyone is. But it's also like the unintentional benefits is it just been like job security.


I'm super confident if something happened to my job today, I could probably just make a tweet and get another job. And that's just because of just how much time I've put into the open-source community. I think anyone that maintains a blog, has that type of dedication to do something, doesn't have to be every week.

IppSec: If it's just one post a month or something, that's probably enough to prove that you're going to do the job that you say you would and you have some type of passion, a company is going to want you. So I would say that's a big motivation for me to keep doing it.

And the other thing is, it's just, I guess, discipline. I had a tweet, I'm not sure if you saw it a couple of days ago, about discipline versus motivation. And a lot of people are surprised how I can keep this up for so long and not burn out.

It's hard to burn out for something you're passionate about. That doesn't mean it's not possible. But I think a lot of people attribute the wrong things to burnout. And whenever I go start a recording or do a machine, it's normally going to be like a Wednesday to Friday, like three days before I make it because the motivation isn't always there for me to do it. It's hard to hit that start recording button, but eventually, I get to the deadline. I have it on my calendar. I have to start this.

I know I'm disciplined enough to say if it's on my calendar, I'm going to start it. At this time, I may not finish it, but probably nine times out of ten, if I start something, then I find out I'm having a fun time with it and I finish it through, right?! It's the same way with playing a lot of sports.

I didn't always want to go to practice. I didn't want to go to the game. It was always just the discipline that got me to that physical location. And then the motivation came, right?!

Andra Zaharia: That's such a good insight, and thank you for highlighting that.

Because we have this, in this space, there's an immense ability to learn.

People have this incredible ability to learn all sorts of things, but we sometimes were perhaps not perfectly capable of applying that sort of willingness and that sort of drive to everything that we do. And that's where discipline comes in. And just like everything else, it's a muscle that we built that needs constant practice. Of course, like all of the great things do.

And that, let's say, boots on the ground, simple, true, dedicated, honest practice is something that can be replaced.

As much as we see people, perhaps in this industry, especially younger people, try to burn through stages and get there faster and get their first CV and get all of the, let's say, things that sometimes fuel your ego a little bit. And they want to get there fast, they want to have those wins.

And they sometimes don't develop the love for the process like you did, like many of the people in the space that we look up to did. So thank you for highlighting that. I think that's such an important aspect. And again, it ties into the craft aspects of it. Craftsmen spend time on their techniques.

They spend time reflecting on why things work, why things don't work, how they can improve, what's keeping them from evolving, and what their self-imposed limitations are. Because we all live with these limiting beliefs that sometimes get in the way. And when you get that sense of reward, that really kind of keeps this positive cycle going. And I think that we love that.

[24:00] IppSec: I think my favourite parallel to discipline versus motivation is the gym, right? It's New Year's. A lot of people have started going to the gym. Even if I think most people who listen to this probably know who Dave Kennedy is. Huge physical fitness thing.

I hope he's not upset with me saying this and making this assumption, but everyone knows he works out every day. I would go out on a limb and bet every time he works out, he's probably not excited to work out that ten minutes beforehand. It's just something he starts doing and then once he starts working out, he's happy to keep doing it, right? I know.

Like with me in particular, as long as I keep a schedule for the gym, it's super easy.

Like the first week, easy, the second week, somewhat hard, but as long as I get through that third week of I go to the gym at this time or I do this exercise at this time, then it's easy for me to continue that. However, if I get sick and I don't go to the gym for one week, it's going to be very hard for me to go back to the gym because I lost that discipline of going at this time.

And it just takes a while for me to realize I was never motivated to go to the gym in the first place. It was just something I knew I had to do and I'd enjoy it once I did it.

Andra Zaharia: But the community, when you build community like you did, that kind of keeps you accountable. That kind of pulls you back into, hey, we miss you, we need the stuff that you create and we still want to hear from you. So that's one way to motivate yourself and to create the system that keeps you going, but not in a way that's draining, but in a way that's actually rewarding because having other people appreciate your work, that's pretty awesome.

IppSec: Yeah, that happened like the last two weeks of the year. I always take a break, but people don't realize I take breaks sometimes. So I get so many messages. The last Saturday of the year are you okay? You haven't posted a video. I'm like, yeah, just the last two weeks of the year, I try to take some time off. This is my time to just think about what I want to do better next year.

Andra Zaharia: I love that. And that's a great example to set as well because going at full speed all the time, that never leads to... it can be unhealthy, let's just say that. We've talked about all of these few aspects that make penetration testing a craft and all sorts of offensive security work. What have you seen get really commoditized that perhaps shouldn't?

So we talked about recon and we talked about how that some people want to simplify that to a sequence that it sometimes is, let's say, less than the sum of its parts because simplification works like that.

Are there any other examples that kind of follow the same logic that we should perhaps look a bit closer into?

[27:00] IppSec: I think this answer, really it all depends on the company. I do think there is right now a dangerous thing of companies wanting too much so they want all these sexy red teaming things when in reality they may not be ready for that.

It goes back to the red teaming versus pentesting argument, like what's the difference?

And I think a lot of pentesting has been commoditized to just Nessus and not just doing good vulnerability analysis. It's just the company comes in, they run this tool, they hand the report over and that's it. I think that will eventually lead to some issues down the line, and then the company goes for this big fancy red team and they don't find all the vulnerabilities.

So in my mind, when you do pentesting, you're looking for a lot of the low-hanging fruit and you try to catch as much of the low-hanging fruit as possible. Your goal is not to get domain admin.

Your goal is to provide as many foundational security fixes as possible, right?! Whereas red teaming, you have this goal. It's objective-based. You want to get domain admin, you want to get to customer data, you want to get something. And once you get that, then you're kind of done.

You don't really do a lot of retrospectives and see, I'm going to try to get to this 100 different ways, right?!

So I think if companies just go after the red teaming type of contracts and ignore the pentesting ones, they're not going to fix as many things as they need to.

Andra Zaharia: That's a super helpful perspective, especially because you highlighted how complementary things are. It's not an either/or type of situation, which maybe some people think it is, especially because we do think in black-and-white terms in this space particularly.

But working with professionals who have different roles and different backgrounds and different skill sets is actually so important to building the level of awareness that you would ideally want for your company and understanding and kind of learning from all of them, especially if you spend time talking to them just like you mentioned before, and not just get the report and check that box and say like, yeah, we're good, we know what to do now.

It's a constant learning curve and it never really ends for people in companies as well.

And I love that you mentioned that companies seem to want too much and not be ready for it.

How have you seen companies not necessarily fail, but struggle to actually make the most of the money and time and effort they invested in working with pentesters, especially when they're external to the company?

IppSec: Thinking about this one, how can companies get the most money from a pentest or a red team?

Andra Zaharia: How they kind of struggle to actually make the most of that experience.

[30:12] IppSec: I think it kind of goes to they're not fully ready for it or their staff is just busy during the time.

So if you don't have good logging, like Elastic, Splunk or something, logging all your obviously five login attempts, your workstations, you don't have Sysmon deployed, you don't have a lot of the visibility in your system, then I don't know if a red team is really for you, right?!

Because what the red team is going to do is attack those types of things. And if you don't have the visibility to begin with, of course, you're not going to see someone accessing a file, right?!

So the other thing is, if you have all those things in place, but don't have people watching over them during the test, then you're also not really getting the most out of it. And if you just, during that test, you say, this person's going, I'm going to take them off of this task and put them here, and we only watch it when we're getting attacked, that's also not going to help you, right?!

So there has to be a lot in place, I think before you do the assessment. Unless it's, again, some type of compliance reason, then of course you need it. But I don't like compliance-based testing, or I don't like testing for compliance reasons because it's just like if you get into this field for the money, you're probably not going to have the greatest time.

As if you got into this field because you like puzzles, you want to improve things, you have some type of passion. All right. I think that's going to produce better results than doing it for a reason.

Andra Zaharia: Absolutely. And we can see this. I mean, I feel that it's visible. If you spend a bit of time in the space, you start to see the differences in how people act and what kind of results they do and how big of a community gathers around them, how much of an impact they have on others who feel that those values and principles and that type of behavior is worth emulating is worth building on.

So those things start to be quite visible, especially if you're dedicated to, just like you mentioned, to the mission of helping others. Because essentially humans will almost always be more important than computers. And I think that that's worth remembering, especially in a space where we feel like that interface is the end game, but it's not.

[32:45] IppSec: So I have a good example. I just thought of like a company that just wants compliance-based testing. You give them a recommendation that is somewhat tough to do, that not many places do, and that would be like a hardened network. So a lot of times when I go to test things, I find some vulnerability in some software, some default creds somewhere. Those are everywhere. But I don't just recommend fixing that.

I'm like, why can I even access that service? I'm in this building on a recruiter's computer and I'm accessing something in a different building that probably only the IT staff need.

My computer shouldn't be able to reach this by default. You really need to put some type of subnetting in place or restrict workstations so they can't just hit every network resource. Don't make your network Flatland - is what we call it. Flatland just means this workstation can access everything, right?!

And the compliance-based testing, those companies typically say that's too much work, that's just a medium finding, we're not going to do anything about it. Whereas if the company is not there for compliance reasons, they'll start thinking, how can we actually fix this more often than not, so true.


Andra Zaharia: And then with medium findings, we see all sorts of data breaches that truly affect millions of people and just build their information, information that they can never change, such as Social Security numbers or other types of data, births and things like that.

And it was probably a medium finding or a business logic vulnerability or things that get messed in this always on, constantly automated type of thinking that's not realistic and not tied to meaningful change in these organizations. That was truly very helpful. 

When you talked about, so you have this particular set of skills like Liam Neeson says that you built over 20 plus years of practice and you have this discipline in the system that got you to this point. What is, let's say, a sustainable way to build some differentiating skills?

Can you build specific skills that set you apart or that get you appreciated for doing particular work in this space? Especially because there's room for a lot of types of different work in offensive security. Have you seen people thrive on that? Is that something that you would recommend people perhaps focus on from point onward in their careers?

[35:36] IppSec: Definitely. I think it really helps with just staying motivated, picking new things, like one of the things I love about cyber is I can spend a month programming, making some things. I can spend a month doing web pentesting. I can do binary exploitation. There are a lot of different tasks I can do in this space.

One of the things I'm doing now is going more on just branding, messaging, marketing-type things. And that also helps. Like cybersecurity - anyone can do anything.

And about the whole branding, messaging, whatever thing that I just said, it may be weird for a cybersecurity professional to want that. But also one of the problems is the typical nerd talk. It's hard to talk to the people that get your reports and convey the right meanings, right?!

Communication is so important and it can be tough sometimes to talk about these technical things but not use any technical jargon. And that is definitely a needed skill as well in this field.

Andra Zaharia: Absolutely. And I think that if we look at, well, when I look at the people that I admire in this space and that I've learned a lot from, there are always people who speak well, who have clear thinking, who have the energy to show up for the community and do things on top of their jobs, on top of their roles.

And it's those people such as yourself, like Jason Haddix, like NahamSec, like John Hammond, to actually push the conversation forward and make all of this knowledge available for so many people.

So those aspects that are usually perceived as trivial are actually important. And they also play a part in your personal development as an individual who's working in the space. And you talk a lot about, well, you focus and you communicate a lot on this, on why it's important to kind of build your learning process intentionally.


We talked about discipline earlier on, but I know that you have a few other tips for people who really want to develop a system for learning to make sure that they don't get overwhelmed, to make sure that they actually pursue the goals that they want to pursue without being sidetracked by the new shiny thing. So I was wondering if you might share that a little bit.


[38:04] IppSec: Yeah, I think my biggest advice is don't set your goal too high. If you just want to get like the Hack The Box CPTS cert or OSCP or get one of those. Me personally, I think that's a bad goal. It's, I guess maybe a good milestone, but a goal should just be something you can measure on a smaller scale, right? It would be like, I'm going to go to the gym and my goal is to get a six pack. I'm probably not going to see that six pack until six months of training. So month one, how do I stay motivated, right?! I'm nowhere near that. I don't see any results.


And that's just the same with doing CTFs, doing security. You're not going to see the result very quickly and it's hard to see the result if you set the goal too far in advance. My favorite goals are just, I'm going to do something for 1 hour every week. Like if it's Hack the Box, I wouldn't even say I'm going to do one machine a week because you may not get a machine that week.


Just say I'm going to dedicate this hour, block this time of day to doing this and then I'm going to do it for two months and we're going to see how I progressed in two months. And chances are you will see some type of benefit.


The other thing that I think always helps is keeping some type of physical journal and just writing down your wins every day. Just spend ten to 15 minutes after work, after some type of session writing what you accomplished.


Don't write what you did not accomplish, like what you failed or what you didn't like. Just spend that ten to 15 minutes on positivity. And that's why I also say a physical journal, because you're going to hamper the amount, like the speed you can write because I can type much faster than I can write in a journal. So you're also going to spend more time just thinking about that. It's also not as easy to erase. So you put more thought into what you are writing and make sure it's good, right?!


And I think that definitely does help. And that also stays with motivation because if you make that a habit every day you do that. Or like Monday to Friday, you're writing your wins.

If you realize you're not flipping the pages as quickly as you used to, you may realize you're starting to get into some type of rut and then losing that discipline to start something like, oh, that's why I joined this Discord server and I realized I'm no longer starting the work when I normally would because I'm getting into this conversation and then suddenly 30 minutes passed and my time is now not there, right?! So I find just writing wins down, staying positive does help in the long run of keeping that discipline up or at least identifying when something slipped.


Andra Zaharia: It really does. Those are super helpful and they have such deep psychological implications into how our brain works, into how we form new connections in the brain, into how we manage to sustain a healthy type of relationship with ourselves first, because then we can do that with other people as well. So those are super valuable things that you mentioned.


And I was wondering how this applies to the situation that we talked a bit, kind of at the beginning of our conversation, where you train for all of these spectacular, intricate scenarios that involve hacking challenges.


And then you go out into the field and things are not nearly as Hollywood hacking-like, they're not nearly as interesting or as stimulating as the ones that you are used to.


And because we're kind of overly stimulated mentally in this space, how do you apply this type of, let's say, smaller goal setting to stay motivated when you just have to do things that look like grunt work over and over again before you actually reach something that's juicier and more interesting and just more rewarding as well, because I find that maybe a bit of a challenge and a bit of difference in expectations versus reality, like we talked at the beginning.


[42:24] IppSec: Yeah. So before I answer that question, I'm going to go over a concept that 0xdf and I coined, which is going beyond root. And that's how we train. When we do CTFs, what beyond root is, it's all the time you spend after solving the challenge. I always think when I solve the challenge, my time there is only halfway done. I always like looking into something else.


It's easy to get the flag, but if you don't go and analyze all the steps, don't say, you know what? If I took this one piece out of the puzzle, can I still get to the flag and try to do things different ways? Then you're not going to learn nearly as much. And I think that goes back to what you said about doing the grunt work, right?! 


Because if I found a credential in a really silly way, I may think of, was there a better way I could have found this? One of my favorites is just writing regular expressions to identify passwords because passwords are unique to the human language. Because if you look at the entropy of a word, it falls into some type of typical value, right?! But a password is not. So it's very easy to create some type of programming thing to identify potential passwords.


It's probably going to end in a symbol, it's going to have an uppercase, it's going to have a lowercase, it's going to have that password complexity thing that makes a strong password. But by making it a strong password, you make it not a word. So if you made it not a word, now you can programmatically identify it. If you can programmatically identify it, you can find a more optimal way to find it other than looking for a password.txt and clicking on it.


Andra Zaharia: Excellent example again. Having these sort of mental challenges for yourself certainly can build a lot of creativity and a more flexible mindset. That's totally a requirement for thriving in this space and doing work that you're proud of. 


And you seem to be pulling from a lot of other, let's say, areas into your work from psychology, neuropsychology and a lot of other disciplines as well. So I was wondering, what type of, let's say, material do you feed on outside security? What type of books or other source of learning materials do you like to go into?


[44:48] IppSec: I typically try to read whatever I can. Growing up, I always did like no technology after. I want to say it was like 9:00 p.m. If I wanted to stay past nine, it was to read a book or not do tech. I was a kid, I found ways around that and of course did it. But now I still just try to find other things to do outside of it. Like I said this year, my whole thing is learning more marketing speak, branding type of things.


I've always been interested in psychology and it's one of the reasons why I always stay positive. The other good thing about a beyond root is even if I thought something was stupid, not every box I solve I enjoy, right? I don't think anyone gets that impression. When you do a challenge, you're going to enjoy it. There's a lot of times you complete the challenge and you just think, Damn, that was really stupid, right?  But if you spend the time to go beyond the root and look for things, you'll often find something you liked about that box and end that thing on positivity. 

If you end it on positivity, the likelihood of coming back is higher, right? So I always try to read things not just related to security and try to relate it back. 


Another example is like very introductory courses, you can read and you just scratch that. A great example would be college. I think we've gone to this age and this is coming from someone. I have not done college, I just never did it. 


I went straight to the workforce. But I think a lot of people go to college now because it's an expectation of them. That's what you do after high school. I think if you went to the generation before me, they went to college because they wanted to and if they want to, they're probably not going to spend as much time partying.


Even if they party, they're still probably putting more focus on that education. And as they do these classes, they're relating it to what they want to do with life. If you just go to college, because that's what's expected of you, you're not going to draw those relations as you're working with something and you're not going to see the immediate value. 


So you're just going to do some basic computer science course that goes into how a CPU or assembly works. You're not going to relate it to how other things in your life work, and you're not going to retain the knowledge. You're not going to have a positive experience of that class, and you're going to wonder what you're doing there, right?!


So I think a lot of it is just going out, finding new things to learn about and trying to make that learning experience positive. And not saying, I'm learning this because I have to, it's not going to benefit me. 


Andra Zaharia: That is very particular to adult behavior. I actually read this in a book that children do things because they have to, but adults do things because they want to. Whether that's a conscious choice or an unconscious one, whether that's a choice or a nondecision because that's also a choice as well. That is going to impact a lot how we grow and how we develop and how much enjoyment and connection we get from the work that we do.


And as much as people like to believe, especially in cybersecurity or in technology in general, that we are completely rational people who have zero emotional needs, and the less emotional you are, the better you are at your job. 


That's simply not true from a biological point of view. And that's okay. That's not a bad thing.

We need both things. We actually couldn't make any decisions without our brain's ability to have emotions. Emotions actually precede and are preconditions for any type of choice that we make. And that's actually been proved scientifically.


So I really appreciate you taking that, highlighting or spotlighting this particular type of experience that you can carry from one part of your life to the other. Because I think that many of us enjoy when we go to conferences or when we watch talks that other people give, we enjoy the sort of allegories and stories and personal anecdotes that people share to illustrate or preface a concept that's related to security because that builds bridge and that captures attention and imagination, and it makes everything just so much better, honestly.


IppSec: Yeah.


Andra Zaharia: To wrap up a conversation that I wish we could definitely keep going. I would love to know what's something that particularly gets you excited these days, something that gives you that energy and creativity and that sports, that healthy curiosity that you keep putting into your work. 


[49:40] IppSec: I mean, I think it's just whenever I come across something new that changes how I think about things. One of the things that I've started looking more into within the last couple of months is microservices and more like just programming in general. I always thought my mind was very wrapped in two services talking to each other through REST, which is just a web communication. But when you dig into all the different ways you can talk to a microservice, whether it be through a message broker like Kafka, RabbitMQ.


A lot of these languages and tools like RabbitMQ, something I saw on pentesting reports a hundred times. I never fully understood it, but I always knew it showed up on Nessus or something. I never understood why that technology existed. So I started looking into it. I'm like, oh, wow, this is actually really beneficial. 


If we wanted to create something that scales this way, I understand it now. Or like, gRPC does a lot of things web, but it makes things non-blocking. It's just a really cool protocol. My first experience with it was like Pokémon Go hacking a couple of years ago, because it was like, if you don't know, Protobuf is a serialization language. That was my first experience with Protobuf and back then I didn't have as much positive mindset, like, why would anyone use Protobuf? I looked at it, I didn't like it. I like JSON. JSON made sense, but when I re-approached it from programming, I realized the benefits it had and just more positive. And now I hate JSON, right?! I understand it now. I wish I could go back four or five years ago whenever I was looking at it and spent time and actually dug into why they use Protobuf instead of something else. But now that I'm just exploring that technology myself, I'm understanding why they made all those decisions. I'm having a lot of just Eureka moments of, oh, that clicks. Now I understand it.


And I think that's what gets me excited, just learning the new things and then thinking back in time of just, oh, that's why now I understand it. And completing missing pieces to puzzles that I didn't know were missing, because back then I thought I understood it. I thought the puzzle was complete. I'm now learning more and be like, oh, those puzzles weren't complete. 


I think that's just how security is overall, right? If you're still studying for your first hands-on certification, it's probably going to be an entry certification. This may be demoralizing, but like OSCP is a beginner cert and it's not going to seem like that until you get it. And then most people, as soon as they get it, they're like, wow, now I've understood all the things I don't know. 


This field is so much bigger than I thought. It was just like a way to shift how I think about things. And doesn't mean you're not going to get a job if you don't get that cert, but it just means don't think you get like anyone that has it is an expert. Don't think getting it is going to make you an expert. It's just one of the milestones many people have in the journey. And once you get it, you'll probably have a better way to study and realize how to keep learning.


Andra Zaharia: And that ties it all back to the process and the dedication and all of the little things that accumulate into this unique experience that everyone has, that everyone builds and brings to this field and that truly kind of changes things and pushes both companies and teams and the people behind them, of course, for the better. 


And I really appreciate how generous and transparent and honest you are with all of these examples and how thoughtful you are. I think that this is just a testament to not only your contribution to this field, but of why people appreciate you so much and why you have such a strong, supportive community that appreciates you. 


And I'm happy to be part of that community and really, really grateful to have had this conversation today. 


IppSec: Yeah, it's been a blast. I've been enjoying talking about everything. 


[53:53] Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time. 


Thanks for wandering through this maze with us as we tackled the nitty-gritty, flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you.


This has been the We think we know podcast by Pentest-Tools.com and before I sign off, keep this in mind. 


There's always a backdoor, or at the very least, a sneaky side entrance. 


See you next time. 
