Unusual Journeys Into Infosec featuring @LargeCardinal
Part Two of the Unusual Journeys Into Infosec series by Stuart Peck of The Many Hats Club, who talks to @LargeCardinal about his journey.
Continuing our voyage of discovery into Infosec professionals' backgrounds, I next interviewed the wonderful Mark C. (LargeCardinal). I have a lot of respect for the work that Mark does in the industry, especially mentoring Infosec noobs. He is the organiser of BSides Leeds (in its first year), which ran in Jan this year and by all accounts was a raging success!
As discussed in the previous article, the vision for the series is to provide stories and inspiration for those who may not have considered, or may be struggling to find a path into Infosec!
As unconventional goes, Mark has a very unique story and I feel privileged that he decided to share it with us- here is our interview:
CyberSecStu (CSS): It would be great if you could start off by providing a little background on your journey into Infosec?
Mark C. (MC): Ok, so I was a "music kid" at school, but also loved to take things apart and reassemble them (often with improvements). I was a smart kid, but nothing to write home about, until you gave me a violin. So, I naturally drifted towards hacking and music, and music won out first, when I went to Chetham's School of Music in Manchester.
I started a kind-of hacking club there, but it was really just me, on my laptop, doing stuff (finding bugs, writing some baby exploits, etc.). I did the usual school network mischief, but nothing malicious - it was just about exploration! I never entertained the idea of being a pentester because I was told by many people "you'll just end up in prison" (being from Merseyside, that's quite common amongst those I went to school with).
So, I got a job at 18 in a software firm, and was appointed a consultant when I was 19 - I wrote a DB schema that is still in use in the NHS today. But, I was held back getting other jobs because I didn't have a degree, and I chose music.
So, I got that, and also studied philosophy as a minor (it's a bit unusual to do that in the UK - but I always loved literature, poetry, and philosophy, so it made sense to me). Then I freelanced as a developer, music teacher, magician (I used to hang out on http://socialengineering101.com a lot, so doing table magic was a good way to make money from these skills :P), and later started doing some security consultancy. I then moved to Leeds to do my MSc in mathematics, and started my career properly in Infosec when I finished that and joined Sec-1 Ltd.
Worked my way up to CHECK Team Member, but had a need to finish my PhD and move to research, so I went full time PhD a year ago and joined Security Research Labs in Berlin as a Researcher and expert consultant.
In Infosec- I've done the full Red Teaming thing (social engineering in to buildings, deploying custom malware implants I wrote for each job to evade detection, pwning their network very quietly, etc. etc.) but moved to research for the moment to "scratch that itch" (though I do miss doing Red Team stuff sometimes- I still get some chances to do so).
CSS: Excellent- did you have any challenges breaking into Infosec?
MC: Ok, so, there were many challenges in getting into the industry. First off, my CV like I mentioned, only had some "support work" from the software firm, and then "freelance" on it, so it was hard for companies to see what I could do.
Also, recruiters would see "support" and tell me:
"Nah, don't bother with pentesting, I've got a support role in [small town/village I've never heard of]. The salary is [essentially a 'very shiny penny']. Interested?"
So, I had to devise a way to get past the CV barrier. So, I called up a friend of mine who used to work in HR at Google, and we had a long chat. Reformatted my CV based on that, and had the idea of including a portfolio. Code samples, exploit examples, some research notes, and a list of ideas for projects.
This, I think, is what clinched it to get to interview with a few pentesting firms, but even then it was hard. They saw "scruffy arts student" and not much more else, but law of averages meant I managed to get a job with Sec-1 - but one of my interviewers didn't like the idea of hiring me. So, he would set me lots of challenges/tasks for me to "prove myself with". We're good mates now, but that was an interesting time :P
On a side note - I've replicated some of this with students I mentor from the local uni's HackSoc. I get them to write baby reports about vulnerable VMs I get them to hack (from vulnhub, for example), and it's helped a few of them stand out, I think. :)
The weird thing is - once the barrier was broken, the professional industry was very mobile and welcoming! It's like those guards in pirate films - hold a knife to you until you say the passphrase, and then give you enough grog to make Keith Richards blush... if that makes sense? :P
CSS: Yes - you've just got to get to the captain first to parley!!
MC: I also pulled some tricks I had learnt along the way - my CV was a PDF that doubled as a zip file, so you would "unzip my CV.pdf to get my portfolio" which helped turn heads (I got that from PoC||GTFO vol2, iirc).
CSS: Hahaha! Good work! So from another perspective- what can the industry do as a whole to help get more people on-board?
MC: Well, from my experience in getting jobs in Infosec, I would probably have had a better ride at the start if it were clearer what is needed and expected.
We often draw the line early on between "red team" and "blue team", and the framing of that is very much taken from Goethe: "you must be hammer or anvil" (Du musst Amboss oder Hammer sein). I think this framing doesn't help, but I have seen signs of it shifting recently.
Take the minefield that is certifications: The OSCP is a very professional exam - do your labs, and for the assessment; do a test for one day, write a report the next day, submit for review. That's how the job works. But students/wannabes/n00bs aren't told this - and I think that is to our detriment. The CEH, however, is presented as a multiple choice survey that happens to have some right answers. I know I'm being unkind to the CEH, but it genuinely doesn't prepare you for working as a pentester, but people think it does. (it is, I think, an amazing qualification for developers who want to get clued up on how their code will be attacked, for example).
Other exams are somewhere on this scale - but I think the problem is, you can be a n00b, sink tens of thousands of dollars into certifications, and still not get where you want to be. That is certainly a big aspect, to me, of this barrier - The job descriptions are a bit wishy-washy; Whilst being a "penetration tester" is quite well established now, the skillset required (its breadth and mindset requirements) are quite shrouded in mystery, I think.
Likewise, I have seen people declare "malware analysis is basically reverse engineering" and that's wrong - reverse engineering is one of the skills a good malware analyst needs, but you also need OSINT knowledge, some political awareness, a good dollop of experience, etc. And if I'm honest, I still don't know what the hell a "security analyst" really is, and I've been in the industry for a good few years, now :P
When you wanna be an engineer, you know you have to go get certain qualifications, know a load of maths and physics, etc.
If you want to be a developer you should know about algorithms and ideally a couple of programming langs. But what do you need to be a pentester? A malware analyst? A researcher? An ARM exploitation guru? Many people don't know, and it's quite hard to find out if you don't know the right buzzwords.
tl;dr - if we signposted the industry better through just ever-so-slightly more effective recruitment and skills identification, I think we'd lift a large cloud of confusion from those getting into Infosec.
CSS: I couldn't agree more here! If someone was starting out or looking to jump into Infosec, what advice would you give them?
MC: If I could whisper in the ear of any "new recruit" into infosec, I'd tell them this: keep absorbing information, and question more. You've been questioning your whole life, and learnt so much, but keep it up once you get into this industry.
Question higher, question deeper, question wider and for longer, and question further and broader, than you have ever questioned. What isn't important is whether someone thinks you are a n00b for asking a basic question. We're all n00bs at some point, and many of us stay that way in certain areas. What is important is your knowledge, and your understanding. You're the one who, if you get into this industry, will have to answer the questions like; "How secure are we?" "Are we safe from hackers?" "what do I need to do to improve my security?" You need to know your stuff, and be able to hold your own, and that comes from continual learning and feedback.
Once you've been around for a while, and you know the basics (like how to use Burp, or can recite the OSI model, written a few hello worlds and basic tools, etc) mix it up a bit; don't just ask any questions - try and find the right questions.
Ask the deep, meaningful, world-changing questions. Don't seek to know something by its properties, but instead to know something by its nature.
Asking:
"why do injection attacks like SQLi, XSS, Buffer Overflow all look/feel the same?"
And the answer was that these are part of the nature of Turing machines!! VMs and injection attacks all appear in Alan Turing's work - a thing called the "s-m-n theorem" which I dubbed the "hacker theorem" in my MSc thesis, and solidified my current mathematical knowledge quest ;) (probably a blog I should write one day :P)
Don't be intimidated by the "rock stars". If they're worth their salt, they'll share what knowledge they have, and be inquisitive in return. Big names only got there by one day being like you, and then many, many days later being where they are now. We're all learning, sharing, and building knowledge.
Don't be afraid of cons, and don't be afraid to reach out. As they say in revolutionary circles; "educate, agitate, organise". If you wanna go to CoolCon, then there will be people who also wanna go to CoolCon that you may already know. Clue everyone up, and go as a group, and have a blast! :D You'll be networking without even realising it.
Lastly, have a goal in mind, but know that the goal can (and probably will) change. Educate yourself on what jobs exist, what is available, and where. Speak to people (twitter is good for this) who have that very job and learn what is really involved.
Pentesting is, on the face of it, hard to get into. This is generally to deter "posers" and there are plenty of them. But if you really want to learn exploitation or defence techniques or whatever - then you're not a poser. You belong in this amazing crowd. Reach out, and we'll do some amazing things!
Oh, and don't feed the trolls.
CSS: Superb advice there! Thank you Mark.. it's been fascinating learning not only about your journey but your approach and mindset to Infosec.
MC: Ah - many thanks! And it's been a true pleasure! And sure - use all this material as you like. It might even help some people :P
CSS: I certainly will! We seem to share a similar viewpoint especially on being inquisitive and never stop learning.
And yeah- this is a mindset that I've seen in others that are "established" in the industry. The only embellishment of mine is that you should seek to improve your own questioning- for some that happens automatically, but for others, it needs a nudge ;-P
There are many lessons one can take from Mark C. (LargeCardinal). The first is that we as an industry need to get better at explaining what we want (there was a post by Stu Hirst on LinkedIn recently that summed this up).
If we can't get a clear message across about the technical and soft skills we expect, there is little chance for the noobs, who currently have to read between the lines and decipher it for themselves!
You need to think outside the box if you want to get noticed, so sharing GitHub repos, previous PoCs or other work as part of the interview process will certainly help differentiate you and at the same time validate your technical knowledge.
The next is close to my heart, never stop questioning, push harder, and make mistakes because when you stop making mistakes you stop learning. This will certainly get you noticed, and help you break into Infosec, or help propel your career no matter what route you take!
It could be said that unconventional paths into Infosec foster new and exciting thought processes and skills that can be drawn down upon, and that can only be a good thing!
Main Image Credit : The awesome piece of artwork used to head this article is called 'Conductor' and it was created by graphic designer Jack Daly.