I currently work as an offensive security engineer in the tech industry and have been in security now for 17 years (I cannot believe it has been this long!). Over that time, I have worked in various capacities across different security functions. I have learned that there is no “right path” into security and that each person’s journey provides a unique perspective on things. In this post, I will highlight my journey and the things I have learned along the way.
The first 5 years of my career
I began my professional experience as an IT Auditor for one of the Big 4 accounting firms (KPMG) based in the Washington, DC area. In this role, I learned about Federal standards and requirements related to IT systems that housed financial data. Essentially, I was part of an audit team that showed up, met with stakeholders and system owners to discuss the last audit and what had changed since then, and worked out how we would collaborate with them to perform interviews, collect data, and write up the audit report. My clients were federal organizations all over the DC area, which made for an interesting start to my career. About a year into this role, I realized that it was very documentation heavy and that I really wanted to do more hands-on technical work.
Next, I applied to a role at the federal contractor Booz Allen Hamilton (also in the DC area). This role was initially a Certification & Accreditation role for Federal IT systems. Essentially, it was pretty similar to the IT audit role in terms of being documentation and process heavy, but I also knew that there were several teams at Booz Allen doing more technical work that I was interested in learning (penetration testing, network traffic analysis, etc.). So my plan was to use the Certification & Accreditation role as a foot in the door and to later pivot over into a more technical role. It took me around 2 years, but I was able to do just that. What really helped me make this transition was the amount of work I put in on my personal time learning things like virtual machines (VMware and VirtualBox), Linux (Fedora, CentOS, BackTrack Linux at the time, etc.), capturing and analyzing traffic (Wireshark and tcpdump), and some basic penetration testing tools inside of BackTrack Linux. I set up a personal lab at home and spent hours after work over the course of those first 2 years upleveling my technical skills so that I could be a good fit for the technical roles I desired. The opportunity came for me to obtain a role as a network threat analyst at Booz Allen for an intelligence community client, and I had to take a technical skills assessment in order to obtain the role. Questions were asked around what services run on what ports, how traceroute and ICMP work, the OSI model, encryption basics, and other topics, and my at-home lab time really prepared me. Additionally, I had studied for and obtained a few certifications during these 2 years that also helped a bit: Systems Security Certified Practitioner (SSCP), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH).
So I then spent the next 2 years honing my skills as a network threat analyst (analyzing packets in Wireshark, searching for anomalies, and writing detection content). I really enjoyed this role and learned a ton working with lots of experienced professionals. This experience set me up for the next phase of my career.
Years 6–12 in my career
I decided that I wanted to leave the federal contracting world and see how things were done in the private sector. I felt I had a decent enough foundation of skills that I could go and hopefully contribute in a meaningful way in Corporate America. So I applied for a few jobs and landed a job at NetApp as a Sr. Intrusion Analyst. I was super excited to see how things looked in the private sector versus what I had only known up to that point in the federal sector. Well…I was shocked, to say the least. In the federal sector, there were a ton of regulations, requirements, and policies that essentially “locked down” the environment. In the private sector, however, employees had way more freedom than I had experienced or anticipated, so that took some getting used to and required me to shift the way I thought about things. Thankfully, I had a great manager (shoutout to Wyman Stocks), who was patient with me, took me under his wing, and helped me make the transition from the federal to the private sector. And here is where my skillsets really began to develop. I had the opportunity to work with my teammate to build out an incident response program from the ground up, and I learned a ton in the process from the GE SIRT, Mandiant, and others in the industry at the time who had world-class SIRT teams. I learned hands-on malware triage and analysis, Snort and YARA signature detection, how to build secure sandboxes, memory forensics, the incident response process start to finish, and how all the various security teams at the time fit into the overall organization. This was invaluable experience and really put me firmly on the blue team path at the time. I was able to grow and become a senior and respected member of the team, and I gained experience analyzing and responding to all sorts of security events. However, after being in this role for over 4 years, I felt that I was missing something…in particular, I felt that I wanted to get closer to understanding the attacker’s mentality.
Essentially, I wanted to gain more offensive security experience in a corporate enterprise environment to help round me out as a security professional. Thankfully, I had made friends with a coworker who ran the Vulnerability Management practice (shoutout to Brad Richardson here!), and he was willing to bring me under his wing and allowed me to join his team doing Vulnerability Management full time. This role allowed me to become familiar with common vulnerabilities that you might see in a typical corporate enterprise today. I learned Metasploit intimately and began performing validation of the vulnerabilities that the corporate scanner had identified. I also learned about the vulnerability management life cycle and its key stakeholders, as well as how vulnerability management, governance, risk & compliance, incident response, and other key security teams can share information to make the security organization as a whole stronger. After doing this role for about a year, I started performing small-scope assumed breach assessments in our environment and really started learning the basics of red teaming. My coworkers and I began to build this out more and even got into a cadence with blue where we would run these small-scoped assumed breach assessments that would result in new detections and new preventions. This was such a fun period in my work career and spurred me on to this current chapter of my work experience.
Years 12–17 in my career (up through present)
Next, I pivoted over to a full-time internal corporate red team role at Box. My prior experience at NetApp, personal time doing online CTFs, and even experience I was blessed to have at a National Guard-run red v. blue exercise really helped prepare me to be in a full-time red team role. I started as a one-person red team, spent year 1 proving out the value of the red team with impactful assessments and purple team activities, and was able to grow the team from 1 to 3. In turn, the red team program also evolved, and we went from typical assumed breach assessments to outside-in assessments and even some interesting social engineering exercises. We were having a positive impact across the company (helping drive new high-fidelity detections, helping uplift security awareness training with relevant content around social engineering, helping improve customer protection initiatives, helping improve engineering practices, etc.). This helped me see that the true value in red teaming is driving positive change (detections, preventions, process improvements, etc.) and security awareness across all levels in an organization while building positive relationships as you emulate/simulate real-world threat actors. I enjoyed this role so much that I knew I wanted to remain in it for a while. However, I also felt that maybe I would move back into a blue team role and leverage my offensive experience to help quickly uplevel detections and response. So after a little over 2 years at Box, I switched into a Staff-level blue team role at Credit Karma with a focus on detections and purple teaming. Despite being in a great environment with great people and a great culture, I quickly began to miss the offensive side of the house and driving positive change through impactful assessments.
I also began to feel that I had taken a step backwards in my career and lost visibility: in my red team roles I was able to brief all sorts of teams and even C-level execs on my findings and helped drive positive change that way…but being back in a blue team role again, I felt like I worked in a vacuum and lost that ability to drive change across the org. As sad as it sounds, I was reminded that blue teams do not tend to get the credit they should get up the management chain and are often taken for granted. The shiny red team report is often much better received than the report on new high-fidelity detection content created, which is unfortunate. This is not a knock against my employer at the time (Credit Karma), as I think highly of CK as a company and the team there is amazing. Instead, this is more of a general observation that I and others have had across the industry as it relates to how internal corporate blue teams and red teams are viewed. So, I decided to pivot back to a full-time red team role and only stayed at Credit Karma for 4 months. This was by far the shortest period that I have remained with a company, but I felt it was the right move for me given where my passions were and the type of organizational change I wanted to help drive at this stage of my career. So next I moved back into a full-time red team opportunity at Twilio, where I once again had the opportunity to build a red team from the ground up (like I did at Box). And to date, I have been blessed with similar success in this role at Twilio as well. 17 years in, I can now see how all of my experience (even the seemingly uninteresting roles at the beginning of my career) has helped me today with a broader view in my approach to red team planning and program development.
A few things I have learned along the way:
- Network, Network, Network! I would not be where I am today if key people (such as the individuals I mentioned above) had not helped me. It is important to build relationships with people who are where you want to be one day and learn from them. This helps on both a technical and a professional level as you chart out your career path and objectives.
- If an opportunity you desire does not present itself at work, as much as possible try to create it at home. Learning offensive security basics, lab configuration and setup, Linux, packet analysis, etc. on my own time really helped fuel my hunger to progress in security and gave me the knowledge needed to pivot into the types of technical roles that I was looking for at the time. This is also a good opportunity to take control of your career and continue building out meaningful skillsets even if your current job situation is limiting in those areas.
- Blog about the technical or professional things you have learned throughout your journey. When I first started blogging, I felt that what I had to share was not relevant or useful to others. However, I decided to start anyway and found that lots of people have indeed been helped by my blog posts. Your experiences and knowledge are valuable and you sharing will help others. Just get started and you will see!
- All of our paths are valuable in security. There is no “correct path”. We each bring different views, values, experiences, and perspectives into security which help our respective security organizations be more well rounded and thoughtful in the approaches and initiatives planned.
- Take control of your career. If you do not have a vision for where you want to go, someone else will and you will find yourself doing something you do not really enjoy doing. Identify what your 1–3 year roadmap looks like (where you want to go, skills you want to obtain, roles you would like to work in, certifications you desire, conferences you want to attend or speak at, etc.) and then start plotting out actions on how to get there. This is where relationships can be helpful, as you can reach out to other peers and get their thoughts on effective steps to take to reach your goals.
- I personally have enjoyed having “side projects” that can challenge my growth. These can be writing blog posts, learning a new programming language, building a tool, automating a task, researching a topic, or a myriad of other things. This keeps me personally interested in tech and helps me grow and develop skills that I am interested in and that I may not have the time to build in my day job. Don’t get me wrong: I definitely enjoy completely disconnecting from tech and often do so from time to time to remain sane. But interesting side projects have helped me grow a lot and have even led to some content and tools that have helped others in the security community.
For additional content around my career and technical research, check out my blog posts at: https://medium.com/red-teaming-with-a-blue-team-mentality
Thanks for reading and reach out if I can help in any way!