Unusual Journeys Into Infosec featuring @LargeCardinal

Continuing our voyage of discovery into Infosec professionals background’s, I next interviewed the wonderful Mark C. (LargeCardinal). I have a lot of respect for the work that Mark does in the industry, especially mentoring Infosec noobs, he is the organiser for BSides Leeds (in its first year), which ran in Jan this year, and by all accounts was a raging success!

As discussed in the previous article, the vision for the series is to provide stories and inspiration for those who may not have considered, or may be struggling to find a path into Infosec!

As unconventional goes, Mark has a very unique story and I feel privileged that he decided to share it with us- here is our interview:

CyberSecStu (CSS): It would be great if you could start off by providing a little background on your journey into Infosec?

Mark C. (MC): Ok, so I was a ‘music kid’ at school, but also loved to take things apart and reassemble them (often with improvements). I was a smart kid, but nothing to write home about, until you gave me a violin. So, I naturally drifted towards hacking and music, and music won out first, when I went to Chetham’s School of Music in Manchester.

I started a kind-of hacking club there, but it was really just me, on my laptop, doing stuff (finding bugs, writing some baby exploits, etc.). I did the usual school network mischief, but nothing malicious — it was just about exploration! I never entertained the idea of being a pentester because I was told by many people ‘you’ll just end up in prison’ (being from Merseyside, that’s quite common amongst those I went to school with).

So, I got a job at 18 in a software firm, and was appointed a consultant when I was 19 — I wrote a DB schema that is still in use in the NHS today. But, I was held back getting other jobs because I didn’t have a degree, and I chose music.

So, I got that, and also studied philosophy as a minor (it’s a bit unusual to do that in the UK — but I always loved literature, poetry, and philosophy, so it made sense to me). Then I freelanced as a developer, music teacher, magician (I used to hang out on http://socialengineering101.com a lot, so doing table magic was a good way to make money from these skills :P), and later started doing some security consultancy. I then moved to Leeds to do my MSc in mathematics, and started my career properly in Infosec when I finished that and joined Sec-1 Ltd.

Worked my way up to CHECK Team Member, but had a need to finish my PhD and move to research, so I went full time PhD a year ago and joined Security Research Labs in Berlin as a Researcher and expert consultant.

In Infosec- I’ve done the full Red Teaming thing (social engineering in to buildings, deploying custom malware implants I wrote for each job to evade detection, pwning their network very quietly, etc. etc.) but moved to research for the moment to ‘scratch that itch’ (though I do miss doing Red Team stuff sometimes- I still get some chances to do so).

CSS: Excellent- did you have any challenges breaking into Infosec?

MC: Ok, so, there were many challenges in getting into the industry. First off, my CV like I mentioned, only had some ‘support work’ from the software firm, and then ‘freelance’ on it, so it was hard for companies to see what I could do.

Also, recruiters would see ‘support’ and tell me:

“Nah, don’t bother with pentesting, I’ve got a support role in [small town/village I’ve never heard of]. The salary is [essentially a ‘very shiny penny’]. Interested?”

So, I had to devise a way to work get past the CV barrier. So, I called up a friend of mine who used to work in HR at Google, and we had a long chat. Reformatted my CV based on that, and had the idea of including a portfolio. Code samples, exploit examples, some research notes, and a list of ideas for projects.

This, I think, is what clinched it to get to interview with a few pentesting firms, but even then it was hard. They saw ‘scruffy arts student’ and not much more else, but law of averages meant I managed to get a job with Sec-1 — but one of my interviewers didn’t like the idea of hiring me. So, he would set me lots of challenges/tasks for me to ‘prove myself with’. We’re good mates now, but that was an interesting time :P

On a side note — I’ve replicated some of this with students I mentor from the local uni’s HackSoc. I get them to write baby reports about vulnerable VM’s I get them to hack (from vulnhub, for example), and it’s helped a few of them stand out, I think. :)

The weird thing is — once the barrier was broken, the professional industry was very mobile and welcoming! It’s like those guards in pirate films — hold a knife to you until you say the passphrase, and then give you enough grog to make Keith Richards blush… if that makes sense? :P

CSS: Yes - you’ve just got to get to the captain first to parley!!

MC: I also pulled some tricks I had learnt along the way — my CV was a PDF that doubled as a zip file, so you would ‘unzip my CV.pdf to get my portfolio’ which helped turn heads (I got that from PoC||GTFO vol2, iirc).

CSS: Hahaha! Good work! So from another perspective- what can the industry do as a whole to help get more people on-board?

MC: Well, from my experience in getting jobs in Infosec, I would probably have had a better ride at the start if it were clearer what is needed and expected.

We often draw the line early on between ‘red team’ and ‘blue team’, and the framing of that is very much taken from Goethe; “you must be hammer or anvil”. (Du muss amboss oder hammer sein), I think this framing doesn’t help, but I have seen signs of it shifting recently.

Take the minefield that is certifications: The OSCP is a very professional exam — do your labs, and for the assessment; do a test for one day, write a report the next day, submit for review. That’s how the job works. But students/wannabes/n00bs aren’t told this — and I think that is to our detriment. The CEH, however, is presented as a multiple choice survey that happens to have some right answers. I know I’m being unkind to the CEH, but it genuinely doesn’t prepare you for working as a pentester, but people think it does. (it is, I think, an amazing qualification for developers who want to get clued up on how their code will be attacked, for example).

Other exams are somewhere on this scale — but I think the problem is, you can be a n00b, sink tens of thousands of dollars into certifications, and still not get where you want to be. That is certainly a big aspect, to me, of this barrier — The job descriptions are a bit wishy-washy; Whilst being a ‘penetration tester’ is quite well established now, the skillset required (its breadth and mindset requirements) are quite shrouded in mystery, I think.

Likewise, I have seen people declare ‘malware analysis is basically reverse engineering’ and that’s wrong — reverse engineering is one of the skills a good malware analyst needs, but you also need OSINT knowledge, some political awareness, a good dollop of experience, etc. And if I’m honest, I still don’t know what the hell a ‘security analyst’ really is, and I’ve been in the industry for a good few years, now :P

When you wanna be an engineer, you know you have to go get certain qualifications, know a load of maths and physics, etc.

If you want to be a developer you should know about algorithms and ideally a couple of programming langs. But what do you need to be a pentester? A malware analyst? A researcher? An ARM exploitation guru? Many people don’t know, and it’s quite hard to find out if you don’t know the right buzzwords.

tl;dr — if we signposted the industry better through just ever-so-slightly more effective recruitment and skills identification, I think we’d lift a large cloud of confusion from those getting into Infosec.

CSS: I couldn’t agree more here! If someone was starting out or looking to jump into Infosec, what advice would you give them?

MC: If I could whisper in the ear of any ‘new recruit’ into infosec, I’d tell them this: keep absorbing information, and question more. You’ve been questioning your whole life, and learnt so much, but keep it up once you get into this industry.

Question higher, question deeper, question wider and for longer, and question further and broader, than you have ever questioned. What isn’t important is whether someone thinks you are a n00b for asking a basic question. We’re all n00bs at some point, and many of us stay that way in certain areas. What is important is your knowledge, and your understanding. You’re the one who, if you get into this industry, will have to answer the questions like; ‘How secure are we?’ ‘Are we safe from hackers?’ ‘what do I need to do to improve my security?’ You need to know your stuff, and be able to hold your own, and that comes from continual learning and feedback.

Once you’ve been around for a while, and you know the basics (like how to use Burp, or can recite the OSI model, written a few hello words and basic tools, etc) mix it up a bit; don’t just ask any questions — try and find the right questions.

Ask the deep, meaningful, world-changing questions. Don’t seek to know something by its properties, but instead to know something by its nature.

Asking:

'why do injection attacks like SQLi, XSS, Buffer Overflow all look/feel the same?’

And the answer was that these are part of the nature of Turing machines!! VM’s and injection attacks all appear in Alan Turing’s work — a thing called the ‘s-m-n theorem’ which I dubbed the ‘hacker theorem’ in my MSc thesis, and solidified my current mathematical knowledge quest;) (probably a blog I should write one day :P)

Don’t be intimidated by the ‘rock stars’. If they’re worth their salt, they’ll share what knowledge they have, and be inquisitive in return. Big names only got there by one day being like you, and then many, many days later being where they are now. We’re all learning, sharing, and building knowledge.

Don’t be afraid of cons, and don’t be afraid to reach out. As they say in revolutionary circles; ‘educate, agitate, organise’. If you wanna go to CoolCon, then there will be people who also wanna go to CoolCon that you may already know. Clue everyone up, and go as a group, and have a blast! :D You’ll be networking without even realising it.

Lastly, have a goal in mind, but know that the goal can (and probably will) change. Educate yourself on what jobs exist, what is available, and where. Speak to people (twitter is good for this) who have that very job and learn what is really involved.

Pentesting is, on the face of it, hard to get into. This is generally to deter ‘posers’ and there are plenty of them. But if you really want to learn exploitation or defence techniques or whatever — then you’re not a poser. You belong in this amazing crowd. Reach out, and we’ll do some amazing things!

Oh, and don’t feed the trolls.

CSS: Superb advice there! Thank you Mark.. it’s been fascinating learning not only about your journey but your approach and mindset to Infosec.

MC: Ah — many thanks! And it’s been a true pleasure! And sure — use all this material as you like. It might even help some people :P

CSS: I certainly will! We seem to share a similar viewpoint especially on being inquisitive and never stop learning.

And yeah- this is a mindset that I’ve see in others that are ‘established’ in the industry. The only embellishment of mine is that you should seek to improve your own questioning- for some that happens automatically, but for others, it needs a nudge ;-P

There are many lessons one can take from Mark C. (LargeCardinal), first is that we as an Industry need to get better at explaining what we want (there was a post by Stu Hirst on Linkedin recently that summed this up).

If we can’t get our message clear about the expectations around the technical and soft skills right- then there is little chance for the noobs- and currently they are having to pick between the lines and decipher themselves!

You need to think outside the box if you want to get noticed, so sharing Github repos, any previous POC’s or work as part of the interview process- will certainly help differentiate you and at the same time validate your technical knowledge.

The next is close to my heart, never stop questioning, push harder, and make mistakes because when you stop making mistakes you stop learning. This will certainly get you noticed, and help you break into Infosec, or help propel your career no matter what route you take!

It could be said that unconventional paths into Infosec foster new and exciting thought processes and skills that can be drawn down upon, and that can only be a good thing!

Main Image Credit : The awesome piece of artwork used to head this article is called 'Conductor' and it was created by graphic designer Jack Daly.