Cybersecurity Mentors Podcast

Craig Sheffield's Unconventional Journey Into Cybersecurity

Cybersecurity Mentors Season 3 Episode 4

Craig Sheffield shares his unconventional journey transitioning from teaching English in Taiwan to pursuing a cybersecurity career, highlighting how his background in music and audio engineering provided unexpected transferable skills. He also shares his candid experiences with the TryHackMe Security Analyst Level 1 certification. 


Speaker 1:

Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mine.

Speaker 3:

I know what you're trying to do.

Speaker 1:

I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life. Welcome back to the Cybersecurity Mentors Podcast.

Speaker 4:

In today's episode, we'll be talking about taking an unconventional path into cybersecurity and making it work. Our guest is Craig Sheffield, a cybersecurity analyst currently based in Taiwan, who made a big career switch from teaching English and working in the arts to diving deep into cybersecurity. So welcome, Craig.

Speaker 2:

Hey guys, thanks for having me.

Speaker 3:

Yeah, thanks, Craig. Craig and I connected through Discord. I think, Craig, you found the podcast somehow, some way, I don't remember what it was, but you reached out and Craig and I chatted back and forth, just kind of helping him out, giving him some advice on things. And when I first got information and learned about you, Craig, I was like, I feel like you're pretty good, you're far along as far as what you've done, experience-wise. But we'll talk about that. Before we get there, tell us how you landed in Taiwan and transitioned from teaching English to thinking that cybersecurity was the way.

Speaker 2:

Okay, the way.

Speaker 3:

Yeah, the way. This is the way.

Speaker 2:

I'm still very much figuring it out along the way here, but yeah, it's kind of a long story. My parents were teachers, to give you some context, and I really had a love for music early on, so I pursued that passion for many, many years, and I still play around and do some audio production these days. But after a while I was teaching kids and I got tired of doing that. So I was like, I'm going to make a change, and I moved to Taiwan. Still teaching kids, ironically, but I was teaching English instead, and I was in a brand new place. Everything was new and different for me. I've stayed here for about 10 years now and I've had a great life. It's very comfortable here. I met my partner here. I've had a lot of great experiences, started numerous bands and did a music festival and all this.

Speaker 2:

So I was still trying to make it as a musician and just kind of got burnt out, really burnt out for the second time on teaching, and so I was looking around and talking with friends back home. I've got friends that went into software development, game production, various different things, life insurance, for instance. The market's kind of blowing up. There are all these opportunities out there. So let me just take a computer science course and figure out if I like this at all. And I did that. I took the CS50 course through Harvard on edX, a very affordable option, and learned a lot, and I really enjoyed the challenges and all of the scenarios they were giving me. So I kind of dug deeper and I did an IBM Skillshare course, tried to see what I could possibly do. It showed me web development, it showed me cybersecurity and a few other options, and I just went full on with cybersecurity at that point. Yeah, and that's where I found the light.

Speaker 3:

You could say, yeah. And I mean you're still... I'm trying to give you the hope that, hey, yes, you've got to get there, and once you get there, it's even better. You haven't even been in the full-time position yet, but the things that you liked about and have seen through the training, I think give you that feel and that taste of, you know, puzzle solving, challenges. Are those the things that intrigued you about it, or is there anything specific?

Speaker 2:

Yeah, I mean I had a friend who really encouraged me, actually a student of mine, and he encouraged me to pursue the Security+ certification, the CySA+ certification, and he got his start in a SOC role at AT&T.

Speaker 2:

I didn't talk to him extensively about what he was doing in the SOC, but he made it seem very interesting. I was very insecure about my coding ability, and I was asking him, so how much coding are you doing?

Speaker 2:

Like, what is that about? And he's like, well, I don't think there's a whole lot of coding as far as what I'm doing, what I'm seeing right now, even though you can get deeper into that if you want. So that's the nice part about it: there are many different paths that you can take, and that's both a good and a bad thing, of course, when you're not sure exactly what you'd like to do. So I knew that I didn't have a lot of coding background. I think I did very, very poorly in the one coding course that I took back in high school, and so I thought maybe I could have a chance, because I'm really good at software.

Speaker 2:

You know, learning tools. I'm an audio engineer. I've been recording people and figuring out things of that nature. I've been developing my own websites and running that for my business and such. So I like tinkering with things, and it seemed like that's pretty much all technology is: tinkering with things indefinitely, and things are going to break and you're going to figure out how to make them work.

Speaker 2:

And then I also feel like I have strong integrity. I like justice, I like to see things done correctly, I don't want to take advantage of people, and so cybersecurity felt like a natural fit in that aspect as well, especially because I'm kind of tracking toward blue team work right now. So defending people and their data and just tinkering with technology, it sounds like a dream really.

Speaker 3:

Yeah, all right. Those are a lot of the reasons why I love it, definitely. I'm curious, though. That was one of the things I thought about: what kind of music do you play, or what have your bands played?

Speaker 2:

Okay, yeah, interesting. So I was classically trained. I played in lots of wind bands, orchestras. I played marching band; that was kind of my big thing. I used to teach for the Blue Knights drum and bugle corps and I got really, really into bass drumming, so that was my thing. I've always been a drummer, I'm a percussionist, but it kind of left me at odds with "what do you like exactly?" Because I'm a drummer, I don't always listen to things the same way as other people, and I would say I just don't do things like other people sometimes. So I listen to interesting rhythms. I used to listen to metal music a lot, Meshuggah, death metal even, and then I kind of got tired of that. I went into jazz for a bit, and then I started my own bands and I was studying, I guess, Middle Eastern music for lack of a better word, Arabic music, and so I started a band that played world music.

Speaker 2:

We were just grabbing songs from all over the globe and performing them with various instruments. Then I started a duo here that was more electronic based, playing pop music, but we were using samples and loops and acoustic instruments as well. And then I started a huge project, which kind of burnt me out, which was basically Afrobeat music, doing that in Taiwan for a little bit. So all over the place, really.

Speaker 4:

Yeah.

Speaker 3:

All over the place, yeah.

Speaker 4:

Yeah, very cool. So how has it been living in Taiwan? For us Americans, how has it been for you? Has it been a good thing, a bad thing? I mean, you said you've been living there for over 10 years. Is that right?

Speaker 2:

Correct, yeah.

Speaker 2:

I mean, like I said, it's hard to complain about my life here.

Speaker 2:

I guess I'm from the States, not from a particularly well-to-do background, but well enough, for sure.

Speaker 2:

And being from the US, I think we're privileged in a lot of ways, and coming here, I definitely felt very privileged as well, because you can come into Taiwan without really having anything but a bachelor's degree and you can find work as a foreign language teacher here, and it pays fairly well, better than minimum wage back in the States, that's for sure, and you have a light schedule. Most of the time I've worked less than 20 hours a week, so this has given me plenty of extra time to pursue other things, like my own freelance businesses and studying cybersecurity, for instance. And I have enough income because everything is very affordable here in Taiwan, and very convenient on top of that. I've met a lot of great people here. My partner is also Taiwanese, so yeah, I feel very fortunate to have been here this long. Very cool. Yeah, it's definitely one on my bucket list, like places to visit, for sure. Yeah, do it.

Speaker 2:

Yeah, I mean you can hop around Asia, and it's very affordable after you get here. That is, yeah, you have to get there. Yeah, definitely.

Speaker 3:

Well, let's talk about training. You talked about a couple of training things you focused on. I think the CS50 is very interesting; I'd not heard of CS50, sounds cool, the Harvard class. The IBM Skillshare. How did you look at the other training opportunities, and maybe talk about what you have done?

Speaker 2:

I would say the more I look, the more I find, especially these days. It's really becoming almost overwhelming.

Speaker 4:

It is. What to choose?

Speaker 2:

Now that I've been looking at it so long, and I've actually put some of it into practice and I'm applying for jobs currently, I don't know if all the really expensive paid options are really worth it. I saw some content on your YouTube, forgive me for not looking at all of it, about whether a boot camp is worth it or not. I've talked with at least one individual who told me, "I wouldn't do it again," looking back on it. So spending a lot of money wasn't something I was really interested in. If you look at my resume, you look at my background, I have a bachelor's degree and I'm happy with that. I didn't go any further with that because I've seen too many people get all the way through a doctoral program and then do the same job that I have, basically, which is, I guess, disheartening for the education.

Speaker 3:

But anyway.

Speaker 2:

So I'm looking at affordable stuff. I found Chris Romano. There were some ads on YouTube and I found his SOC analyst course and I went through a lot of his training. He has lots of videos and he's put it together all himself, walking you through securing a Linux and Windows system, Active Directory, basic system admin type of knowledge, and he's given you labs to actually go through.

Speaker 2:

I found that very, very helpful. I like when I can actually do some hands-on work, even if it's in a virtual environment, just spinning up a machine in VirtualBox. So I liked that. I could go back through all of that material and still gain something from it, because I don't have it ingrained. I don't do it day in and day out.

Speaker 2:

On top of that, a lot of studying for certification exams. You know what that's about: lots of flashcards, lots of video courses and note taking. I guess we could talk at a later time about exactly what I do to prepare for those types of exams. But I recently found John Strand from Black Hills, and he has a lot of pay-what-you-can content out there, really solid information. He also has labs that go along with it, so if you get the link to the labs, there are a ton of labs on his GitHub page. That's also great. But there are plenty of resources. I know that you can just look up a practice test, take a practice test. That's just as good as taking the real, legit test.

Speaker 2:

In most cases you may not get a certification from it, but you're going to learn something. So, if I'm talking to the audience here, don't go out and try to spend a bunch of money and think that's going to win the game, because it's just about what you know and who you know and how you can present that information to other people.

Speaker 3:

Yeah, absolutely. Go ahead, Steve.

Speaker 4:

I completely agree, and it's a shame. Society has this view on certifications. They put a lot of weight on them, and a lot of them, especially at the beginning, are a lot of memorization. You're just remembering things, not really learning them fully, but you've got to play the game. But yeah, I agree with exactly what you said. There are so many free resources, which is why we made that episode about bootcamps. There are so many free resources out there that you can use and put together. But that's also the hard part. People are unsure, especially when they're coming in brand new. They don't know what's good content, they don't know what they should put together. So that's hopefully where John and I, in this podcast, come in and give somebody a clearer path, make things a little bit easier for them to go and tackle it. But yeah, I completely agree.

Speaker 3:

Yeah, and one of the things that stood out to me about your resume and what you shared with me, which I think is a great approach that other people can and should use, is that I really like the way you break down projects. I've actually shared your GitHub page with others who are asking me questions and said, hey, take a look at what Craig has done. What I like about it, if you look at it, is it really breaks down these labs that you have walked through and built and run through, and even with a video for at least one of them, maybe more, that you've used to back this up. If I'm a hiring manager, I can go look at your project page and I can see, okay, you built an ELK stack environment that used ELK to do SOC-like work. I can go through each one of those projects and see what kind of hands-on skill you would have gotten from it, versus even, hey, I took this course. I could go look up that course and read the bullet points of what the course gives me, and maybe I'm familiar with it, maybe I'm not. But when you show me your walkthrough from that lab, now I'm also evaluating what you've done in that course or in that lab, and I can see your writing skills a little bit. It's not like a report, but it's still writing skills, and I can see how well you articulate what you did.

Speaker 3:

Also, for the video portion, I think teaching is one of the best ways to learn. If you have to teach it to me, then you're going to have to really learn it to be able to teach it back, and I can also get something from you when you do that video and walkthrough. I can learn a lot about how you teach and how you share information, information that you're also learning. So I think those are awesome. They take extra work, they take extra time. If you're going to record it or teach it, you do have to learn it to make sure you know what you're talking about.

Speaker 3:

But rather than just getting the resume, now I can add this to your resume, which is a good resume even on its own. That's where I've said, and I said this earlier, that from your skill set you are definitely ready to start a job. I haven't done a full interview with you, but based on what you've given me and what you've shared through the video and the projects, I think Craig is ready. He's got the skills to jump into a SOC-type job and hit the ground running, more than most people who maybe have Security+ or CySA+. The things you've added to your resume give me more confidence about where you are, because you may not even get an interview where they throw a ton of scenarios at you to see what you would do and how you would operate, but with this additional information it gives me more detail: okay, I can see where he's walked through this. He's used Elastic. He's actually done a video on Elastic. He's worked through Elastic. Here's how he's used it and learned from it.

Speaker 3:

So I think the question is, how did you think about adding that? That's unique in what I've seen. Most people are just doing a resume. So how did you come up with adding that additional material?

Speaker 2:

Yeah, I mean, if you're out in the job market right now, you know that it's very competitive. There are not that many entry-level jobs, probably, and there's a ton of people that are really trying to get them. So trying to stand out from everybody else is very hard, and the resume is one aspect of that, because you have to get through that automated system. What is it, the ATS?

Speaker 2:

The system where, if you don't have the right keywords, sometimes you're going to get tossed out. If they're using that, like you said, you get so many applicants sending you resumes that if you're not at the top of the pile and you don't tick those boxes, you don't even get thought about, really. So, putting projects up higher, because I don't have the background, the experience, help desk experience or whatnot, which is another recommendation I think people don't give enough, even though I do hear it quite a lot: just getting some kind of tech experience. I don't have that. So I was finding ways to offset that deficit, that gap that I have.

Speaker 2:

So doing the projects just seemed natural, and then once I put the project up, it seemed like a waste if I wasn't going to tell people exactly what I did in that project, because nobody's going to know what you did unless you tell them.

Speaker 2:

Tell them explicitly what happened. So I'll tell you the hack that I used here that other people can use. If you are doing a lab, it's written out for you or there's a video of it. Oftentimes, if there's a video, there's going to be a transcript related to that video, so you can use that transcript, you can use the write-up, you can drop it into whichever AI tool you choose, and it will give you a very clear outline of everything that is in there. Now you need to go back through and make sure that it doesn't make stuff up or add things that you didn't really do, but it's going to get you 80% of the way there, and then you just need to go back and take your screenshots, some kind of proof that you actually did walk through that. I see too many people writing Medium blogs and it's all text; they're not showing you anything.

Speaker 2:

Sometimes the information is completely useless. It's not interesting to anybody. I don't even know if a hiring manager would find it interesting. It's like they copy-pasted a walkthrough.

Speaker 2:

They're not giving you any insight. So I need commands in there. I want a screenshot showing that you did this. That, I think, is very helpful. It shows that you really put some effort into it. And then sometimes I'll take it even further, and I think this is what you're talking about with teaching other people: a walkthrough with a video, and oftentimes that's after I've already finished the lab.

Speaker 2:

It might be a TryHackMe room, something in that vein, where I've already finished the thing and I kind of know what I'm doing. But when I start making the video, I find that I really have to figure out how I'm going to talk about this, how I'm going to say this and how I'm going to go through this process in a way that doesn't waste everybody's time or bore them, or where I get stuck on something. So I have to work out all those kinks for myself, and it helps me learn it, and I think it again further demonstrates that I have that skill, I have that ability, and I can communicate that, which, from what I hear, is very important.

Speaker 3:

Yeah, no, absolutely. Steve, any thoughts on that or his resume?

Speaker 4:

Yeah, no, absolutely. Looking at your resume, solid. I agree with what John said. I would love to see what jobs you're applying to and what you're doing in terms of, are you tailoring your resume a bit, or is it just one master resume that you're using across the board? But other than that, I think you have a pretty solid background already, and all these extra things that you're doing to set yourself apart, that is very unique.

Speaker 4:

As a hiring manager, if I see that come across my table, I will definitely be giving you some brownie points there, for sure, especially if there are videos where you are going through and explaining or teaching something. That is really how a lot of people learn. I feel like you don't really fully understand something unless you're able to teach it to someone else. But anyway, those are just my thoughts. This is pretty cool. I did have one question: are there any projects that you've done that you would say are your favorite, and why?

Speaker 2:

So I don't know if you guys have heard of a YouTuber called MyDFIR. He does a lot of content. He even has a course, I believe, out there for SOC analysts. But it's free content and he'll walk you through a lot of projects, and one of those I remember... oh no, it actually wasn't the one involving the ELK stack.

Speaker 2:

That was a complicated project that I did put together from him, I believe. But the one that I remember more was using LimaCharlie, an EDR solution, and then using Tines to connect that to Slack and email notifications. So basically it's a SOAR project where you're working in the cloud, you're setting up servers, you put a sensor on a machine, it feeds into LimaCharlie, and that gets sent out through Tines as an email message and a Slack message that analysts can then click on and go to a ticketing system.

Speaker 2:

I believe a separate part of the project was setting up a ticketing system, so you can go through that ticket, click a link and then click a button, and it would actually isolate the machine. It would close off network connections, and I thought that was just cool. I didn't even know I could do that. So doing that project, connecting all those dots and working with LimaCharlie, it's pretty cool too. I really thought that was my favorite, just because there was so much automation involved. Yeah, very cool. That's very good.

Speaker 3:

Yeah, we are automating as much as possible, right? Because the threats and the "malware" (maybe it is malware, maybe it's not) are automating their steps to get access, start pillaging, start moving, start doing reconnaissance and then potentially moving laterally. So it's a race to automate our side as much as we know they're automating their side. Those skills are super important.

Speaker 2:

Cool. Well, I'm glad. It seems like my time wasn't wasted there.

Speaker 2:

And to speak back to the question of whether I'm tailoring resumes: I've paid some money to some people, whether interview coaches or other mentors, who have coached me through the process of tailoring resumes to different job applications. So I absolutely do that, by the way, Steve, and I think it's something you kind of have to do. You don't want to go too far with it, of course, and say that you did something you didn't do, but you can massage the wording so that you're more closely aligned with the wording they're using in the job descriptions. And again, I'm going back to AI tools. It's all the rage these days, so use it.

Speaker 2:

Drop that job description in there and then put in your resume. And I go a step further. This is from another mentor, Michelle. She told me to make a master experience list, and I've got one document that has everything I've done over the course of all of my experience, and the tool uses that as well to tailor the resume and a cover letter if I ask it to later. And that's how I'm applying to jobs. But I'm all over the place with job applications, man. I'll apply to help desk, data center technician, SOC analyst, wherever I fit in.

Speaker 4:

Yeah, no, that's perfect. I'm sure you've heard John and I speaking about taking that step, help desk, NOC jobs, anything to help you get a foot in the door and then help you transition into a cybersecurity role within that same company if possible. So yeah, absolutely. And I completely agree with the master list; I call it a master resume. And the fact that you are using AI, that's perfect, because that's another thing I recommend. Are there any AI-specific tools you use that you'd like to share with the audience?

Speaker 2:

Well, I mean, most of the things are free. I've basically replaced Google with Perplexity these days. If you haven't clued in on that one, it's pretty solid, but I would imagine most of the listeners know that already. I do have one that I use just because I bought in early, so I'm a lifetime member of this one, but it's called Voila, and basically it's just an agent that runs. You can connect it to whatever source you want if you're going to pay for it, so you can use Claude or you can use ChatGPT, and then I can save custom prompts in it so I can call it up with a keyboard shortcut, for instance, and then I can choose a persona. So I have a couple of personas. I have a cybersecurity mentor, I have a personal assistant mentor.

Speaker 2:

These things have certain parameters to make it speak differently, basically, and then I have custom prompts that I've already saved in there. So if I want to summarize a YouTube video, I can drop the YouTube link in there and, bam, it'll summarize that video based on the transcript. If I want to tailor a resume, I'll say, be my resume consultant, and then I drop the resume in, give it the job description, and it'll do that for me. So it's a very handy tool that I've been using, just because I don't have to have a web browser open. I can pull it up and drop things in whenever I want.

Speaker 4:

Awesome. Yeah, that sounds really cool. I'm going to have to check that out. You said it was Voila?

Speaker 2:

Voila, yeah, like magic. Voila.

Speaker 3:

Awesome. Well, let's pivot to one of the things that I'd asked Craig about, because he had mentioned that he was going to go through the new certificate from TryHackMe, the Security Analyst Level 1, SAL1, however you say it. When he talked about this, I was like, you know, it would be great, because it's new, it's the new hotness, to get Craig's take on it, having seen what he's done and some of the training and certificates he's been through, versus my take, since I might have a different perspective on it, as somebody who's learning and trying to see, hey, is this going to help prepare me for a job in a SOC-type position? So to start out with, how did you decide to give it a shot and try it out, and what has your experience been with it?

Speaker 2:

Well, that's easy. They gave me a free voucher to take the exam. Exactly, yeah. I was already on the platform, though. I'm not going to throw shade on TryHackMe, even though, full disclosure, I failed both attempts at the exam, and we'll talk about that.

Speaker 2:

I have a unique perspective here. I'm not a SOC analyst, as everyone knows, but I've been doing a lot of research and a lot of studying, so I'll talk to you guys and ask you some questions as we go through this. But yeah, they gave me this because I'd already finished the CySA+, the "size-a", as I call it. And I'm in a community, StationX, as well. I do some mentoring, some study sessions in there, talking with other guys, and one of the guys in there was like, I just took this exam and it was great. He loves TryHackMe. I've probably been a member since last June or July and I hadn't played with it very much.

Speaker 2:

I had just started going through the SOC Level 1 material and was maybe 25% finished with that learning path, and that's a deep, deep learning path. There's a lot of content there. They have a lot of good content and it's very fun, beginner friendly. So yeah, there was another guy inside my community, StationX, and we decided we were going to hook up, talk about it and make a plan. The plan was: I got two attempts at it and we only had through the end of the month to get it done. So I had to take this exam by the 31st. Oh, they gave you a timeline.

Speaker 2:

Yeah, March. Okay, so basically cramming it in now or paying later.

Speaker 2:

So there we were. He has a little bit more of an IT background, doing database administration, and I've done a lot of studying in this area but don't have a lot of experience. So we talked about it. We went through some of their training materials, because the other friend of ours said you should bone up on Splunk, because you're going to be using Splunk. So we went through their Splunk rooms and then we decided we were going to do some of their SOC simulations, which they had just released as well, basically at almost the same time as their certification, maybe a few months prior.

Speaker 3:

But really, I think it was pretty close. Yeah, I think it was really close, like they released the SOC simulator and the certificate really close, right?

Speaker 2:

So there's only two scenarios that I can recall, and I think it's still true now, unless you're on a business plan, I guess, or maybe you can pay extra. So there's two phishing scenarios that you can go through to kind of get a feel for, you know, what that environment is like, and, you know, we both went through those and we didn't do very well our first attempts through those simulations. Like, we both failed those, and then we took it again and we knew what we were expecting. I should say we knew what they were expecting of us.

Speaker 3:

Sure.

Speaker 2:

So we did better, right? So, yeah, you learn. But yeah, so I took my first attempt maybe three weeks ago now, and, you know, you already know that I failed this. But the reason why I failed, I'll just jump to this, kind of, is I didn't close out all the true positives in the allotted time. And because I didn't close out the true positives, they scored me with a zero for two portions of the test, which is 80% of your score.

Speaker 2:

So I did miserably my first attempt to put it nicely, I guess, but yeah, so I definitely learned something from that. Yeah.

Speaker 3:

Well, let me pause you there for a sec. So, and we don't have to go in and reveal anything that you're not supposed to about the questions or anything, but just generally, for instance, for the scenarios or similar scenarios, is that, you know, you have Splunk, right? You have this data, you have log data from an incident or incidents, and you're mining or, you know, analyzing the data that's in Splunk to try and find what happened. Maybe, you know, all the W's, right? What happened, how it happened, where it happened, when it happened, right? And is that what they're saying as far as the true positives? Like you missed all the indicators that you should have, like source address and source attack vector and those kinds of things, when it says you missed all the true positives.

Speaker 2:

So the way that I understand that it's being graded is you're kind of scored on: did you mark this as true or false positive? I think it's heavily weighted on that aspect, and that's largely where I failed, to tell you the truth. And then they're also scoring you based on whether you escalated the incident or not. And then they're also scoring you, which must be AI scoring you, on the report. Did you answer those five, you know, like all of those who, what, when, where questions, right, based on the report that you submit with each alert that you receive. You know, I did need to do some digging in Splunk, you know, here and there, just to confirm something. But you can tell me this: like, are your hands kind of tied? If you're in a level one position, you're probably not able to see very deep into the information. In one scenario, not to be too specific, but you can't see the content of the emails, for instance. So that was something that was blocked out. You couldn't see what was going on inside the email, you just knew that it was from this sender, this IP, and you could do research, you know, OSINT research. Basically, is this malicious or clean, benign?

Speaker 2:

So, is that kind of typical, because that was my experience.

Speaker 3:

Sure, I mean, that's the bad-case scenario. I mean, today we don't do that, right? We have full access to the email. But in the past it has happened where some vendor would say this is bad, this email is bad, and they don't tell you what's in the message, which is dumb. Usually you have to go, you know, you would still try to get the message, either get somebody to give you a copy of it or, you know, you may have the headers at least, right, which is maybe they gave you headers or things like that for this scenario. And that is helpful. But for me, really, to do good analysis, you need the email, right? What's in the email, the link? Not just the sender and receiver and the header information. Is there a link, is there an attachment, et cetera, et cetera, right? So yeah, I have had to do that. We have had to do that, where you don't have the full content of the message, but all of our analysts now would have the full email.

Speaker 2:

Yeah, I would say that's just one of the scenarios that I went through that put me in that position where it was hard for me to tell. I'm not really sure this is, you know, what they're asking for. There's not an attachment in it. I'm just going off of, like I said, the sender information in that situation.

Speaker 2:

But yeah, in other situations, other simulations, they did provide the content of the message, and so a lot of times I felt like it was pretty obvious. You know, um, there's a sense of urgency to this message, for instance, and, you know, they're just obviously sending out personal information or something.

Speaker 3:

Sure, sure, yeah. Hey, fill this out.

Speaker 3:

Yeah, no, that's good. Um, I mean, that's stuff. I mean, definitely phishing emails. Phishing attacks are the most common attack that we investigate, right? We're getting those every day, all day, different types. You know, hopefully our tools will auto-mitigate those and catch those and you don't even have to deal with them. But there's always some that get through, that, you know, you just have to deal with and go triage. So there is a lot of that triaging of emails, and I think that's good. It sounds like it's a good approach, because it's hard to get examples of those, of real ones. I mean, you can get those. I've actually looked to see, like, hey, me some examples, but even then they kind of scrub them, if they're real phishing emails, where you maybe don't see all the details, because it's from a, you know, it's a real attack to a destination. But I think, having, you know, it's tough to get those reps in that specific use case without really being in a SOC, right? So, right, I think that is good.

Speaker 3:

Typically, in our experience, we aren't using Splunk to triage those, and I don't know if that's what this is or what they're doing. Not that you couldn't use Splunk. But usually, you know, you're looking at the message, right? You have some messaging tool and/or email security tool that you would use to help triage this message and also give you some of the intel about it right there in the tool, right? But previously we would use Splunk, this is back when we didn't have the full content of the emails, to, like, dig out all the senders, who all was it sent to, right? You might have to go figure that out, like how many people was it sent to? Who were those people? Um, and then again who the sender was, those kinds of things. So looking up senders and kind of giving pieces of that puzzle isn't a bad thing. It's just very small. It's just one piece or two pieces of the puzzle, right? You need so much more to help triage it, in my opinion.

Speaker 2:

So you know that's part of it. What I did feel was really good, you know about it not having the experience you know to compare it to is all I'm saying. But they did give you different kinds of alerts. So you probably got the outliers inside of some of the scenarios, because you know I had incidents where you know there's actually something significant going on in the system and I don't know from your experience, but that probably doesn't happen all that much, all that often.

Speaker 2:

So being put in a scenario where, wow, there's something actually going on right now and I can see the alerts coming in, you know, over this two-hour window that you have, it is kind of exciting to be there and, like, watching it happen and then trying to kind of keep up with it. You know, they're already, you know, telling you whether it's a low, medium, or kind of giving you the priority to look at each thing. So, you know, as you look through those, you figure out this is serious. So, yeah, I like that experience, you know, that they gave you a little bit of thrill and like you're really in the thick of it, yeah, yeah. And then there's a multiple-choice question aspect to it as well. But all this stuff's open book, which is kind of nice, but there's a time limit to it, so you can't just dwell on everything and go and research it right there.

Speaker 2:

So you have to pull some stuff out of your head, and definitely trying to write the reports. I don't think there's anything wrong with using AI tools to write those reports as well. If you've got a well-formatted kind of thing, they're going to give you the alert and you can absolutely copy-paste that kind of information into your favorite AI tool and it'll help you write the alert report for you. So yeah, you just got to make sure that you escalate it and you categorize it correctly.

Speaker 3:

Gotcha, yeah. Steven, any questions?

Speaker 4:

Yeah, so you took it twice, right?

Speaker 2:

Yes, sir.

Speaker 4:

Okay, so on the second time, how did it go compared to the first?

Speaker 2:

Um, I have to say, like, the multiple-choice questions, I pretty much did, you know, it was almost identical. Um, I definitely missed some, but, you know, fairly well. You know, I've taken other multiple-choice tests, so not an issue. The different scenarios they give you are slightly different. You're still going to get, I think in all of them I had phishing attempts, probably, I think, all four scenarios, and then certain scenarios were more geared toward maybe, like, brute force attacks, but others maybe it started out that way and then it moved into exfiltration. It went even further, and the environments that they gave are.

Speaker 2:

I'm sorry, I'm not talking specifically about the second attempt. I'm just saying that each scenario was quite a bit different and you can't really approach it differently. I tried to learn what I could from the first time going through the simulations, but it's all different and I think that's a good thing. It's very practical, but it also makes it frustrating as someone who likes to do well on things. Uh, how do I improve on this when they're going to give me a different scenario each time? And you know I might need a little feedback, and that's what I was supposed to get by failing the first time they were supposed to give me those scores, but I got nothing from the scores. I don't know how many true positives or false positives I misclassified and I don't know the escalation scores. They didn't give me any feedback.

Speaker 2:

I believe they're going to change that scoring system going forward, but I'm not sure when that's happened. I don't even know if that's been officially announced yet. I've seen it unofficially announced. But yeah, I wouldn't say I approached it any different the second time. I was feeling uncertain the whole time I was doing it, because there's lots of information that you need to ingest from the environment, the staff that they had working there. Each one of those was different every time. So you had to kind of frame everything in your head and then look at the alerts come in and then classify and escalate based on what you knew from, maybe, the previous SOC analyst told you. They gave you a little note telling you that, hey, this is happening, don't worry about it, or it's normal, so let it slide.

Speaker 4:

Interesting. Are you planning on taking it again?

Speaker 2:

I'll probably wait. I'll wait a while, I'll see where everything shakes out. If I start seeing it on job listings, well, yeah, I'll take it again. If I don't see it on a job listing and I just have some extra time and extra money lying around, yeah, why not give it a shot? Like I said, it is kind of fun. I just spent nine hours going through those exams, though. It's a lot.

Speaker 2:

So you have to kind of block out a significant amount of time for it. So not anytime real soon I'll go back to my labs. I might do some deep dive into Linux here soon.

Speaker 3:

Yeah, no, that's cool. I think what it sounds like, the positives are, you know, they're trying to give you an environment that is like a real SOC-ish, and it's hard to do, right? How do you do that? And, yes, the data and the incidents change, but if you're trying to learn from those experiences, I think that's the only thing I would say about TryHackMe, which I love.

Speaker 3:

TryHackMe, as far as hands-on, right, is you don't get that feedback through most of the stuff, right? It's just, here's your scenario. Here's your room, right, go work this room. And even then, when you get stuck, now they have the AI helper. I don't know how good it is, but if you get stuck, you know, you gotta go find somebody or go Google it or something, right? Find some help, um, but you don't have that help to guide you and, like, hey, well, here in this situation, here's how you can work your way through that problem.

Speaker 3:

Um, so I think feedback, obviously, if you're trying to get better, you want feedback, and I think that's a big thing that's missing from, honestly, a lot of training. So I think I can see that for sure, but I do like them using Splunk. I like them giving you real, like, incidents in Splunk that you kind of triage and go from there. That's something that, you know, is real and is a good skill to bring to a SOC. But, you know, in order to get better, you need more of those incidents and you need more feedback, I think, yeah. And maybe, and I'm curious what you think about this, if it was like, hey, I don't know how much training they give you before you actually go forth with the, try the actual exam. Prepped, I mean, do they go through and train you before you were to get ready to do the exam? I mean, how is it situated?

Speaker 2:

Um, I guess, another, you know, like, tick one of their boxes is, uh, they recommend that you go through the SOC Level 1 material.

Speaker 2:

And they do give you access. So if you aren't a paid member of TryHackMe, you can't have access to all the rooms, right? But if you pay for the certification exam, I believe, currently they're giving you, like, three months' access to all of their rooms. Okay, so you could try to, like, squeeze in, uh, all that stuff, you know, depending on how much time, what your life's like.

Speaker 3:

Right.

Speaker 2:

Uh, it's a lot, like I said, a lot of material, but they do kind of help you by saying there are a few highlights that you really should look at, and there's some rooms, some challenges that they have, and so you could try those challenges, you know, if you really wanted to skip ahead, you could try those challenges right away, figure out, if you didn't know how to do something in that, then you need to backtrack and check out, you know, some of the stuff leading up to that in the other rooms. And that's pretty much the extent of it, other than the SOC simulator, which they are still developing. I think in the future what I'd like to see, really, is the SOC simulations. They have more scenarios, or they just have it where, if you pay a certain amount of money, you just jump into the simulator and it's going to throw you however many alerts that you can stay in for, and then at the end of it you close it out, and then you would get feedback about whether you classified it correctly, whether you escalated. You could write a report on it. If they gave you something like that, I feel like I'd be much more confident going into the certification exam, having that feedback before trying to attempt the certification exam.

Speaker 3:

Yeah, no, I think that's really, really great feedback. Just kind of give you more reps, right? You just got to get those reps of, like, hey, here's some more incidents, here's some more alerts, triage, triage, triage, right, and then get feedback. Hey, how did I do? Okay, let me do this again, let me try this again. Um, no, that's good, and maybe that's something that they're going to move to as well, I imagine. Yeah, anything else, Steve, on that one?

Speaker 4:

Yeah, I was going to say, is there any quick advice, like, someone thinking about taking the certification, anything quickly that you can say, hey, here's my recommendation, some advice, without giving away too much of your experience?

Speaker 2:

So, whenever, you know, the first friend that I told you about, um, sorry, I'm looking up some, uh, some notes here. Um, he recommended, you know, like, a few really key, uh, things. All right, so yeah, my friend was basically just, uh, telling me good advice, uh, to say, make sure you read all the documentation that they give you first. And I don't know if they've changed this or it's still like this, because it feels a little pressured, because your time starts as soon as everything opens and you get all the information all at once, but you're on the clock, right? You have a two-hour window to close all these true positives, and, in that same amount of time, though, you have to, like I said, ingest all that information.

Speaker 2:

So it's very important that you understand that environment that you are working in. So, whether that be the IP addresses of the different office workers, there may be different network segments that you have, you know, just get a feel for that. However that helps you. You might need to write it on a piece of paper, you know, draw a little diagram, because they're just going to give you text. Sometimes they might give you some infographic. Like, you know, write out, draw out, but, you know, make sure you understand that. And then, if there are any notes, those can be important. Make sure you pay attention to other SOC analyst notes.

Speaker 2:

And then, yeah, as far as escalating and classifying things correctly, I found that a little confusing personally, but basically, if something is going to be given to you and, let's say, Defender blocked it, the advice that I received, and probably what I should have followed more closely, is that that should be classified as a true positive. Something probably was wrong with that. It may not need to be escalated. But you don't have enough information in most cases to say it's not a true positive. And maybe just with that advice there, and with some basic Splunk skills and using, like, OSINT, you know, like they have kind of a VirusTotal, their own version of VirusTotal, that you need to put an IP address into. Between reading the alert, understanding the network environment and any notes from any SOC analysts, that might be, like, a dead giveaway. You know, if something's blocked, it's probably going to be a true positive. If it looks very suspicious, it's going to be a true positive, and if you can tell that something nasty has happened, you're going to need to escalate it as well. That's probably as much as I can say about it.

Speaker 4:

Yeah, yeah, no, that's great. Yeah, I think that's great. So if anyone has taken it already and has similar experiences, would love to hear about it. If there are some people that are thinking about taking it or prepping to take it, these little key insight things could be very, very helpful. So I appreciate it.

Speaker 3:

Joel glad to share. Yeah, thank you. Yeah, that was great, very helpful, and I'm actually curious to go play with it a bit more now. I think they gave me a free voucher, but it may have expired too, we'll see. Maybe I can go and play with it and try it out.

Speaker 2:

Maybe they'll do another round of that, you don't know. Yeah, maybe.

Speaker 3:

Any last things on it, any last information that you would like to share about it?

Speaker 2:

I don't think we need to beat a dead horse here. But, as always with everything, you need to weigh your options and look at everything from, kind of, like, a bigger perspective. So don't just take the certification exam because you think it's going to get you a job, you know. Take this certification exam and treat it like a learning opportunity. So maybe you don't have a TryHackMe membership and you say, well, hey, I can kind of knock out two birds with one stone. I'm looking for something and I want to get a SOC analyst job. Then it might be a good idea to possibly pay that money for that certification exam. Go through three months of training on TryHackMe, like, get the most you can out of that money spent, and then make those attempts and make that post at the end when you're like, I got it, guys, I did this thing. I'd love to hear that from people, you know, whenever they reach some accomplishment. You know, it's great whenever that happens. But do it for the learning experience, don't do it for the certificate.

Speaker 4:

In the end, that's great advice. Yeah.

Speaker 3:

Yeah, I think people might see these new certificates, new training opportunities, and they're, oh, this is going to be the thing that's going to help me land this job.

Speaker 3:

You know, it's not going to hurt. But don't get too, you know, worked up about it. This is going to be the end-all be-all, just like the boot camps, right? Boot camps have been sold as, like, hey, this is going to be, you're going to have a guaranteed opportunity after this boot camp.

Speaker 2:

Oh, I'd love to sign up for that. Where is that? I know?

Speaker 3:

I know, right? Oh, they'll sell it to you. They will sell it to you. But yeah, I think that's great advice, Craig. So thank you. I think that's it. Is there anything else that you want to share with the audience? Any recommendations?

Speaker 4:

Where can people find you, Craig? People want to reach out to you.

Speaker 2:

Yeah, I had a podcast for a little while. It's still floating around out there. If you want to listen to some friends of mine and some people that I ran into, it's called Field Talk. You can go listen to that. You listen to a podcast already, right? Yeah, if you're on YouTube, you can probably look me up. I only have about three or four videos, but hopefully I'll have more later on. Just Craig Sheffield, my name, and then I'm on LinkedIn, so definitely shoot me a message or try to connect with me on LinkedIn. That's where I am most of the time these days. I tried to start a Bluesky account and all these other things, but I just don't care to keep up with everything. I never have, even though I think I've been a member of Facebook since, like, 2002 or something.

Speaker 2:

But I can't be bothered with every platform, so LinkedIn is the best.

Speaker 3:

Exactly. Yeah, please reach out to Craig. You know, I think you've got a lot, and you mentioned you're also giving back and being a leader for groups and mentoring, and you've dropped really valuable information in our channel and our Discord, um. You can reach him on Discord as well. Just, um, looking to help, and I think that's another thing that's great and stands out to me, is just also giving back, also helping others along their journey, even though you're still learning, right? Um, but also giving back, so thank you for that.

Speaker 2:

Thank you, uh, John. You've definitely offered incredible advice for me. I'm still learning Zeek, and getting into security hunting is still on my checklist. I've got to get those done. And, Steve, it's been a pleasure. Thanks for having me.

Speaker 4:

Absolutely. Thank you, Craig.

Speaker 3:

Yep, thank you. With that, we're out.

Speaker 1:

Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

Speaker 3:

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Speaker 1:

Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you. Until next time, I'm John Hoyt and I'm Steve Higuretta. Thank you for listening.