Cybersecurity Mentors Podcast

The Hacker Mindset: Interview with Ed Skoudis

Cybersecurity Mentors Season 6 Episode 9


What does it really mean to think like a hacker?

In this episode of the Cybersecurity Mentors Podcast, we sit down with Ed Skoudis, President of the SANS Technology Institute and one of the most respected leaders in cybersecurity education.

Ed shares how his career evolved from defense to offense—and why developing a hacker mindset is critical for anyone serious about cybersecurity.

We break down:

  • Why focusing only on defense can limit your growth
  • The mindset shift from reacting → proactively finding vulnerabilities
  • How offense and defense are more connected than most people realize
  • The real skills beginners should focus on (networking, cloud, AI)
  • Why AI is changing cybersecurity faster than ever
  • How to actually get started in cybersecurity without feeling overwhelmed

If you’re trying to break into cybersecurity—or level up your skills—this episode will challenge how you think about the field. 

Come hang out with us in the Cybersecurity Mentors Skool community. It’s free to join.


Opening Quotes And Mindset

Ed

I'm paraphrasing Einstein. He said, you know, when you go through your life, it just seems like a random collection of things. But when you get toward the end, said Einstein, you can look back and you see that it was a story told over time. And you were a character in that story, and it was unfolding in ways that you didn't even know, but it all kind of comes together as you move through it. I feel that in a good way, you know.

Speaker

Could you teach me? Then learn fly. Nature ruled on your son, not the mind.

Speaker 4

I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.

John

Welcome back to the Cybersecurity Mentors Podcast. On today's episode, we're joined by Ed Skoudis, just a great leader in the space. And really, for me, my first exposure to Ed was back in the 2009 time frame when I first took SANS 560. And I was like, who's this Ed guy? Right? I've heard people talk about him. And uh, it was my first exposure really to offensive security. And I was always like protect, protect, protect. But then this switch happened when I was like, wait a minute, you know, here's how I can actually be offensive and help the defensive side of things. Um, so that was a big deal for me, Ed. And if you wouldn't mind, just kind of introduce yourself and um what you're about.

Counterhack Books And Cyber Ethics

Ed

Sure, John. Well, hey, thank you for this opportunity to talk with you and uh to talk with your listeners. I'm super excited to be here. Um my name is Ed Skoudis. Uh I am the president of the SANS Technology Institute college. I also build cyber ranges for the SANS Institute, including NetWars, which is one of our commercial ranges. I also do the Holiday Hack Challenge, which is a free range that, uh despite the name Holiday Hack, runs year-round, so people can play that anytime they want. They can go to sans.org/holidayhack. I also serve on several boards of directors, including that of a local bank, as well as uh some charities and others. And uh I've been involved with the SANS Institute now for going on 27 years. I am the original author of SANS 504, which is a class on incident handling and hacker attacks. There's the GCIH certification associated with that. Um, and I am the author of SANS Security 560, at least the original author of it, which is on network penetration testing and ethical hacking. I've uh had the great fortune of, in the last 27 years, teaching over 40,000 students in the art of incident handling and hacker attacks, and it has just been fantastic. I also have a company uh that does penetration testing. We are Counterhack. Uh we keep it small. We have 18 people because I want to preserve the culture. I'm really trying not to grow. And I'm not just saying that. In fact, it's harder not to grow than to grow. You've got to kind of steer your business. You want to take it on very carefully and strategically, execute great tactics. Um, and uh our company, Counterhack, has been uh going strong for 16 years now. Actually, it'll be 17 soon. So um I keep busy and it's been great stuff. Great stuff.

John

Yeah, absolutely. Um and Counterhack, Counterhack Reloaded, right? Wasn't that one of your books?

Ed

My first book was called Counterhack. That came out in 2001, so that was 25 years ago. Uh it sold 70,000 copies, which was really quite nice. Um, and then uh I did a book called Malware. Uh that was 2003, which is on malicious code, and it was quite early on in that space. Uh, and then I did sort of um a redo of the original Counterhack, sort of a sequel, if you will. Um it was more than a reissue, and it was called Counterhack Reloaded. That was in 2006. So then I had to name my company in 2010, and it's like, well, I can't think of a better name that I like more than Counterhack. So I named the company after the book, and here we are. Uh Counterhack Reloaded was named after the second Matrix movie. So you had The Matrix, The Matrix Reloaded, right? And then there was The Matrix Revolutions. So people have asked me, are you going to do Counterhack Revolutions the book someday? We'll see. It's a major undertaking uh to release a book, given everything else I've got going on. So Counterhack Reloaded uh was my last book in the Counterhack series. I did release a book a year ago on cybersecurity ethics. Um it's called The Code of Honor, and uh it's about 160 pages long, and it's just about how to practice cybersecurity, offense, defense, digital forensics, with an ethical framework and backing, and how to do decision making in cybersecurity with ethics. And it's for everyone from a CISO down to uh SOC analyst and everybody in between. Um so it's on cybersecurity ethics. Very different, different take. I worked on the book for about two years with my co-author, uh, Dr. Paul Maurer, and uh that came out a little over a year ago, and I've been happy uh with that. So that's my most recent book.

John

Great. Yeah, and we don't have to go too deep. I'm sure you've given this story many times about how and why cybersecurity, information security. Like, what was a little bit of your origin story with how this happened?

The Shift From Blue To Red

Ed

Yeah, so um when I was a teenager, I had a Commodore VIC-20. Um, some of the folks in your audience, their hearts just warmed up. Like I remember that. Others have no idea what that even is, right? Because they're too young. Then I got a Commodore 64, I got a modem, I went online and was learning all about computers and bulletin board systems and so forth. Um and then from there I went to college and I studied electrical engineering. So I was actually hardware focused uh for my undergraduate. And then I went to grad school to study information networking because the internet was starting to become a big force. And uh that got me more into the software side of things. And in grad school, I started working with folks there, essentially hacking the network uh at Carnegie Mellon, and uh found some vulnerabilities, responsibly disclosed them, and uh then I got a job working with the phone companies. I was at Bellcore, Bell Communications Research. It was the part of um Bell Labs that was split off to handle the regional Bell telephone companies, uh, you know, like Ameritech or Bell Atlantic or BellSouth. And there I worked on payphones and operator services, right? You know, those are technologies that we don't really have that much anymore. But that got me into seeing how fraud is committed. Because there's a lot of fraud in payphones and social engineering of operators back in the day, which moved me by 1996 into cybersecurity because the phone companies were starting to deploy their big-scale IP networks, right? So they moved into the um space of providing uh internet services. And uh I started on incident handling there. They were getting hacked, and we would help them respond to the hacks, and then they would call us and say, Hey, that hack that you just dealt with at Southwestern Bell Telephone, would you mind coming into NYNEX and trying that hack against us and see if it worked?
Or, you know, that hack that just happened against BellSouth, would you try that against Bell Atlantic and see if it worked? So we learned from incident response how to apply things into the hack. And the first 10 or 15 years of my career were about doing incident response and defense, and then taking that and mapping it directly to offense. So I balanced my career super carefully between offense and defense until about 2008 or 2009, John, when I first met you. And that is when I decided I can't do both. It's too hard. There's just too much happening. So I needed to focus. And I searched my soul a bit and decided I like the offense best. It was just more fun. And I even did a presentation on it back in those days, and uh, there might be a YouTube video of it here or there. Um, but essentially it was saying, just like what you said, John, in your intro, um, I want to help the defense, but I'm gonna do that by working offensively in pen testing, in red teaming. It was a big change in my career, and I've never looked back since then. And that's, you know, as I was writing 560, the SANS pen test course, and then I became the curriculum lead for penetration testing at SANS and so forth. So um, yeah. So that's kind of my origin story. Uh and uh, you know, I wouldn't trade it for anything. I just love the cybersecurity space. I consider myself a hacker. Uh, I will in just a couple of weeks be going to my 30th RSAC conference. And then this summer I will be going to my 30th DEF CON. Wow. Which, you know, I've had people say to me, I'm gonna take this as a compliment. You could look at it the other way, but people are like, my gosh, you've been to 30 of them. That's wow. So I'm gonna take that as they had no idea that I, you know, looking so sprightly and young as I do, could have possibly gone to 30, or they might just be saying you are unimaginably old, and that's why they're saying it, but I'm looking past that. So yeah, yeah, yeah.

John

Yeah, and I talk about this often, how there's a mindset shift. And I've basically done both throughout my career. I would have preferred, if I had been given the choice, to have mostly gone offensive, but I didn't really have that choice. I had to kind of balance both of those. Um, but whenever you're on defense, you're on defense, right? You're getting attacked, you're waiting for the bad thing to happen. But it is a literal shift in your mindset of okay, now I'm gonna go find the bad things before the bad guys find them. And I think that's good for security professionals, especially if all you're doing is defense, because you're just waiting, it's like you're a firefighter, you're waiting for the fire to happen. Right, right, right. And something to happen to you versus you get to go happen and find and be proactive. And that has really helped me in my career because I would sit in conferences and maybe they were primarily uh defensive focused. And in my mind, I'm thinking, well, this is what a bad guy would do, this is what I would do, this is how I might approach it. And a lot of people get caught in the tunnel vision of that track of like, yeah, we have very good detections, we're finding bad things, but they aren't able to switch over to the offensive mindset. And the worst things I have found in my career are because I went looking.

Ed

Yes, yeah, yeah.

John

There were some things that I found that we would never, ever have an alert for. Uh, you just wouldn't be able to alert on that activity or that thing that was misconfigured, right? But unless I had switched on, hey, let's go look for interesting things, um, I would not have found those things. So I talk about both. I do think, you know, it is good if you can dabble in both. It's probably good to pick one to focus on to improve and get better at the most. But I like being able to bounce back and forth. And I've just been fortunate in that way.

Red Team Exists For Blue

Ed

I get it and I agree. And even if you do choose offense, this is something that a good friend of mine, Tony Sager, who used to be the head of red teaming at the NSA, uh said to me long ago, decades ago. You know, while we do our red team stuff to find vulnerabilities before the bad guys do, like you just said, um, never lose sight of the reason the red team exists. It exists to help the blue team defend better. So you can easily lose sight of that because it gets so exciting to just attack and to view everything from the attacker's mindset. But fundamentally, if you're a really good penetration tester or you're a really good red teamer, you realize your job is to help blue get better. It's not to make fun of blue, it's not to make blue look bad, none of those. It's the opposite. It's to help lift up blue so they can do better. Purple teaming helps to achieve this when done right. So I think that's very important. I mean, there are exceptions. Like if you're in offensive operations in the military, frankly, you're not there to help the other side's blue get better. But those are exceptions that certainly we in the commercial space don't occupy, right? Right. Um, so putting aside the military offensive operations thing, in our world, um, all of us are working to try to improve the defense. But you know, I actually wrote an article about this. This is 15 years ago or so. And the thesis of this article, it's probably still online somewhere, it's a blog posting, that said, at sufficiently advanced levels, there increasingly is no difference between red and blue. So the idea is, uh I mean, there's so many illustrations of it. But if you get really, really advanced and like say military operations, you know, establish uh command and control (C2) with uh embedded malware in the target environment, you have to defend that C2, right? And once you so-called own a system, you have to defend it or you don't own it for long.
Somebody else will come in and own it underneath you, right? Um, or, you know, if you think about it, what is an EDR tool? Endpoint detection and response tool. It, you know, lets you control that end system and look for attacks against it. It's a rootkit. It's just a rootkit, right? A rootkit, you know, controlling the fundamentals of the operating system. We call it a rootkit when an attacker deploys it. We call it an EDR system when we deploy it, right? But at these really advanced levels, there really isn't a whole lot of difference between attack and defend. Um, it's all about controlling computers and who gets to do that. Um that was an interesting revelation. I did several presentations on that for various military uh groups, as well as some civilians as well. Um, and I like the way you framed the whole thing, John, is you choose one, maybe it's defense, maybe it's attack, maybe it's blue, maybe it's red, but you need to be versed in the other side. If you're pure blue team or pure defense and you don't know what the attacks are going to be, you're not gonna be very successful.

John

Yeah.

Ed

And likewise, if you're a great attacker but don't know what the defenses are, you won't be so successful because you won't be able to get around those defenses. Or you won't even be able to recommend appropriate defenses for the thing you just did. So we both need to practice both sides. However, it's nice to major on a given topic and then have a minor uh in the other side.

John

Yeah. Um, NSA, just maybe because you mentioned NSA, actually, they came and spoke to some of our students, like encouraging them to apply for internships, apprenticeships. And I like the way they structured what they described as their program: you can move into one and do offensive. And if you want to try and move into defensive, they were open and like, hey, come and do both and try them out. And they gave that flexibility in the program, which I thought was unusual. Most of the time you get an internship or apprenticeship, it's like, here's what you're doing, here's what you need to do, here's the next step, here's the next step. I thought that was interesting.

Ed

They have some amazing programs there, really incredible people trying to help defend our nation, and I'm very thankful for them.

John

The other thing is at one of the conferences, and I'm gonna miss the conference. Um, it's the offensive security conference that you ran. Um, we actually went to NSA, you took us to the NSA museum, and I remember that, got to see the Enigma machine and some of those things. It was really cool.

Ed

You were there for that. That was a special night. Oh my goodness, did that take a long time to plan. So what John is talking about here uh is we were able as SANS to host the first ever outside group having a party inside the National Security Agency's Cryptologic Museum down in Fort Meade. And we got a couple of big buses and we drove down there. Um we were hosting as part of the SANS Pen Test HackFest, and my wife made 300 cookies for everybody. I don't remember the cookies. Oh, you got the cookies, yeah, yeah. And what a time we had. They have, I think they have nine Enigma machines there. Um, and you got to use them. If any of your listeners ever get a chance to visit it, it's outside of DC. It's about 25 miles, um, which could be as short as 25 minutes or as long as an hour and a half from DC, depending on traffic on that road, uh, which I've sat on many times. But um it's worth seeing. It's an incredible asset, national asset, this museum. So much to learn. It goes all the way back to the founding of the country and some of the crypto algorithms in use then. It's got some amazing stories of World War I and World War II and the Cold War. Gosh, is it a good time. And uh I went there once years ago and kind of fell in love with the story of cracking the Enigma machine. And uh back in 2012, I was actually able to get an Enigma machine. I bought A726. That's my baby. So I've got that and I've held on to it now uh lo these many years.

John

So yeah, I mean I remember it vividly, really, that experience. So thank you for that opportunity. I still have my coffee mug, my NSA coffee mug, that I bought on that trip, so I'll pull it out every now and then.

Ed

Do you ever talk to it? Hey guys, how's it going?

How Cyber Changed Over Decades

John

That's funny. Um, I told this story before, but I was at the FBI Academy, uh, they had a CISO Academy and they had the Q building, which is kind of where the Q folks, like from James Bond, right? Where they build all the cool gadgets and um actually listening devices and things like that. And the guy was showing off their listening devices and they're, you know, very uh hidden and very cool. And then he said, Hey, is John Hoyt here? And I'm like, boy, okay. And I raised my hand, you know, apprehensively, and he's like, Can you come up after we're done with this presentation? I need to talk to you. I'm like, Oh, I'm in trouble. What did I forget? So I come up to him and he's, oh, I just want to show you my ring, and it's his Clemson University ring. And it's like, oh nice, okay. I thought it was that coffee mug you got they've been listening to. I know, I know, I know. But yeah, I mean uh I was just thinking about talking about what you've seen. I mean, you've been in the education space for cybersecurity over so many years, and what have you seen? How has it transformed? How is it similar? How is it different? What does that look like? Wow. So gosh.

Should Exams Allow AI?

Ed

So when I was a kid, um, you know, there were individual computers, and then we networked them initially by the phone system. I'm gonna go fast through this early stuff. Then when I got to college, we started networking them via the internet, so we had higher speed, but not to the home. The home was still largely dial-up. And then when I became a professional, we started getting faster and faster home access, broadband access. But there were still individual computers. Client server was the name of the game in those days. You had your clients, maybe you had a workstation, there were a bunch of servers distributed around the world, and you'd access them. I remember in 1993 when I first downloaded NCSA Mosaic, my first browser. And I was like, this thing changed the world. This is incredible. Um, so fast forward, the internet got bigger and bigger, social networking got added. After client server, cloud computing was the next big revolution as far as I'm concerned. Where there were these vast computer environments in the cloud, up online, that had all kinds of systems and a whole different paradigm for accessing it. Um, it wasn't just client server, it was um, you know, storage, it was various API calls, it was a whole new networking construct in the cloud. Then came multi-cloud environments, and you know, that changed everything. Um then you've got um, you know, the social networking of web 2.0, you got web 3.0 and distributed finance and cryptocurrency. That was one of the next big revolutions, so that money's not tied into fiat currency necessarily. I mean, there was the putting the credit cards online, but then beyond that, now we've got things like Bitcoin and uh Ethereum and others. So the next big revolution was this payment technology, cloud enabled, um, with blockchain. Um, and then now I think the most recent and biggest evolution, which you know what I'm gonna say, two letters.
First one is A, second one is I, so AI. So that's kind of how I carved this stuff up in my mind. It went from individual computers with dial-up to higher speed internet with a client-server model, to a cloud model, to a different payment model. I know that might seem odd compared to all the rest, but I think it is so vitally important because it just was a big game changer for how cybercrime is done, right? I mean, they still try to steal credit cards, but they try to launder it quickly into some sort of cryptocurrency. And then now we live in the age of uh generative AI, but even more importantly for today, agentic AI. Uh, and that's where all the action is now. Um, and none of the previous technologies really go away, but everything just gets accelerated. And you mentioned this in your question, John, is things are moving faster now than ever. And that can cause a lot of consternation, it can cause a lot of frustration, but it also creates great opportunity. So if one of your listeners is saying, I'm two years behind with respect to AI, the good news is things are changing so fast every few weeks, every month or two, every three months, it's a completely new paradigm. They can jump in anytime and start picking up really useful things. Because if your AI knowledge is merely six months old, you're way behind. So the good news is if you're behind, you can catch up quickly because things are changing so fast. But some people will take that and say, well, there's no need to jump in now. I'll just wait. And I think you're waiting for something that will never happen. Or at least if it does happen, it's unforeseeable and likely a long ways off. And that is, I'm waiting for the technology to quiet down and calm down. That's when I'll jump in. If you think that and you do that, you have sidelined yourself and you're going to hurt your own career, jump in now. You know, they say the best time to learn something is a year ago.
The second best time is right now. You can't control a year ago, you can only control now, so do it now. So start building your skills and learning how to leverage this AI in whatever role you're in in cybersecurity, or even if you don't have a role yet. You know, I gotta tell you, John, I don't want to get too long-winded about this, but we have debates within SANS. And what I'm about to say is not SANS doctrine. I want to just tell you about a debate we're having. Okay. I don't want anybody out there, your listeners, to say, well, Ed said this, and therefore it should be this way, or Ed's an idiot because he said this. We're still thinking through this, okay? Yeah. On a GIAC exam, should we allow students to use AI? Now, you could say, well, if they use AI, they might not know the actual topic matter, and all you're measuring is their ability to use the AI, right? So do they really know this stuff? So I was talking to my wife about this when we got into a bit of a um debate, let's say. I said to her, look, if there's a question that is hard and needs to be answered, and a student uses an AI to answer it and they answer it well, I want to hire them. I do. Yeah, she said, but if they don't know the knowledge, you know, isn't that a problem? And I said, Well, how do I know that they don't know the knowledge? So she came up with this solution. You ready for this? Yep. Two exams. Two exams. One exam is for the human, and the other exam is for the human with the AI. Great idea on the surface. It sounds really wonderful, doesn't it? Well, first of all, you've greatly increased the cost of creating exams for GIAC itself, but also for the test taker. Can you imagine? Hey, John, you've got to take two exams. You're like, oh, you're kidding me, right? It's hard enough to take one. All right, but putting that aside, think about it as me at Counterhack as an employer.
Suppose I got somebody who passes the human section, and they also pass the human and AI section. Well, I'll hire them, right? They pass both tests. Okay. Now suppose this scenario. You've got someone who fails both of them. Well, that's easy. You don't hire them. The much more interesting circumstance is where they pass the human test but fail the AI test. Right. I don't hire them. They can't do the job. The job involves using an AI now, and they can't do that job. The other thing is, so let's flip that. Um they fail the human test and they pass the AI test. I might hire them if they didn't fail the human test so badly. Maybe, probably not. But I said to my wife, I said, the point is your human test is really doing nothing for me as a hiring manager. Right? It's really the human and AI working together that I need to see. I mean, look, you get some extra kudos if you pass the human test too, but that's not going to be the determining factor of whether I hire you or not. Right? Which is a little scary and crazy to admit. Now, that doesn't mean that SANS is gonna go out and require AI or yes or that. It doesn't mean that. It just means stuff that we're thinking about and talking about right now. And we're not imminently going to make a decision on that right now. Right now, GIAC exams still work in the fashion that they have in the past. But as the jobs change and increasingly require AI, we're talking about it. And I'm even debating it with my wife.

Hallucinations And Trust But Verify

John

Yeah, I think that's great, because it's a new day, new dawn. And for me, I worry about if you've not done this work manually, the manual way, right? How do you know, when AI tells you a thing, how to vet that thing, to validate that thing, right? Yes.

Ed

How do you establish that gut feel for it? So you know when it's being hallucinated or just wrong.

John

Yeah, or just, well, AI told me that was true. Then I guess it's true, right? Because you don't have the manual reps to back it up. So what I tell people is yes, use AI. You need to know how to use it. But also try to build your reps in for the quote unquote manual side so that you can validate what it's telling you. Now, there's gonna probably be a curve where you're like, man, this thing's been right 99 out of 100. And so for the most part, we don't double check it. But I'm old school. I just like knowing that I trust but verify. How can I verify that what it told me is accurate?

Ed

That's a really good point. And if you think about the scenario I just gave you, so let's say that there is an exam that allows you to use AI. Well, these AI solutions are non-deterministic. They'll give you different answers based on context window, based on news that the thing has been trained in, based on training, based on which AI it is. So you could have two different test takers, both leveraging the same AI or maybe different AIs, and it will hallucinate for one and they'll get it wrong. And it doesn't hallucinate for the other and they pass. And you and I would say they got lucky, and you're right. Unless they had the built-in reps, like you refer to it, to know this doesn't feel right. It's hallucinogenic or it's hallucinated. I, you know, I read every report my pen test team does, every single one. Just read one last weekend. And, you know, we leverage AI to help write those reports, which makes reports better. But when I'm reading every single one, I drag my eyes across every word of every report. Some weeks I have no reports to read, which means we're not gonna have any revenue uh coming in, no cash flow in 30 to 60 days. There are other weeks I read four or five reports, which means we're gonna have a good time in 30 or 60 days, because, you know, we bill. Um I'm looking for hallucinations. And you know, you get your sort of gut, I'm sure you've got this too, John, where you're like, this is oddly precise, or I've never heard this term before. I didn't hear about this idea or this site, or this just feels wrong to me. Now, I gotta tell you, if you go back two or three years, a lot of times my gut instincts on what was hallucination was hallucination. Increasingly, the hallucination problem is getting a lot better. Yeah. And I still have my, you know, spidey sense that this doesn't feel right. And I'll circle it and say to the folks, hey, did you verify this?
And then sometimes I'll just start sitting there verifying, is this right? Is it not? You know, um, I never heard this term before. What does the term mean? Oh, it's some new, you know, cloud weird thing that some cloud provider introduced. Oh, I'm learning now. Um, so yes, you want to have that gut level instinct and enough base knowledge to tell when you're being presented hallucinations. Yeah. Otherwise, you make the wrong conclusions.

Getting Started In Cyber Today

John

Yeah. Yeah. Definitely. Well, on that note, if you were gonna give advice to someone that's new in this time, in this era, and they want to get into cybersecurity, um I'll talk about some of the things I mentioned, but I'm very curious, like what would you say? If you could give advice, hey, what should I focus on? How do I get started? Those kind of questions.

Ed

Yeah. So I mean, you need to learn the basics. You need to learn how computers work, you know, what is what is RAM, what is file system, what I almost said hard disk, but increasingly it's not, uh, right? It's solid state storage. What is a file system? Um, what is CPU? What is GPU? Those basic uh ideas. Um, you need to learn networking, TCP IP, the OSI stack, which seems to have gotten itself into a lot of controversy lately because it's not really sliced up quite exactly the way it is in real life, but you need to learn what layer one is, the different layer one options. Um I'm talking things like Ethernet or Wi-Fi. You need to learn layer two, Wi-Fi does extend into layer two, what is ARP, you know, stuff like that. You need to get into layer three, IP and IPv6, layer four, TCP versus UDP, and then layer five and above. You need to be able to sort those out in your mind and understand them. Then you need to get into the cloud. You need to understand how the cloud works. And what are, you know, EC2 buckets? Uh, what are various API calls into the cloud? What does the AWS CLI? I don't want to be AWS centric, what is the AWS command line interface or Azure command line interface? What do they look like? How do they differ? What can I achieve in there? Um, what are the security options in that? Those are all the basic blocking and tackling. And at the same time, you need to learn AI. And how can I leverage AI to properly prompt it to get good information that I can learn from, to have it do analysis of different cybersecurity problems, to be able to learn when to identify hallucinations and when not. That's just prompting. Yeah. And then there's a gentic AI. What agents is it useful to me to set up to have it help me do my job on a day-to-day basis? There is so much to learn, but what I really don't want to do by listing all those things to learn is to alienate your audience and to have them say, it's too much. No, no, start somewhere. 
This is a great space, and there's so many opportunities, and it's very exciting. Don't let it intimidate you. You say, oh, easy for you to say. Look, it's hard for me to say, really, because there's so much technology. You see it moving so fast, but you just jump in and just start learning. There's plentiful blogs, there's some great resources on X. John, you share a ton of resources on this stuff. People probably should pick a specialty to get involved in. I remember when I first started in cybersecurity, you know, as I mentioned earlier, I was doing incident response and penetration testing, kind of both of those, but my real focus was firewalls, how to configure them securely and how to get around them. That was the defensive and offensive side. How to also look through their logs for incident handling. So my first focus was firewalls. And then from there I expanded into more packet analysis and into more stuff. But choose a narrow place to start. Learn as much as you can about that. Maybe it's going to be malware analysis of Linux malware or Windows malware or macOS malware. Maybe you want to focus on digital forensics. Okay, digital forensics where? In the cloud. Oh, interesting. Which cloud? Let's go with Azure. So I would recommend people pick something that they just find interesting. And maybe you'll get employment there, maybe you won't, but spend a month just doing a deep dive in that. And then from there see what else is adjacent, or maybe you decide you hate that. And then you can jump into something else and look at it from all the different levels I talked about, the local compute, the cloud compute, and then the AI involvement with it. That's what I would recommend.

Build Secure Hack In An AI Era

John

Yeah. I have this three-piece structure, framework that I kind of give people that I think you kind of hit around, and I call it build, secure, hack. Or it could be build, hack, secure, but learn how to build something, because a lot of people don't learn how to build the things anymore, right? They come straight to security and they may skip over some of the blocking and tackling because of the need, oh, we need a security analyst, we need a security analyst. But I feel fortunate that I was able to be a system administrator, a network administrator. I had to learn and understand how to actually troubleshoot and build those things. And then you add the secure, how to harden piece to that. Then, just like you mentioned with the firewalls, then you learn how to get around those things. And you can repeat that over and over, add AI on top of it, right? It makes all that grunt work that we used to have to do, banging our heads on the wall or the desk, like, I get this error, right? What do I do? What do I do? But I think that build piece is important because people miss out on that piece. Build the cloud, learn how to build a cloud, yeah, whatever, tenant, process, program, and then learn how to hack it and learn how to secure it. And then I think you could just kind of stamp that in different ways. And then, when you find, yeah, then you find your little niche. Oh, I really like this, and then pick either the secure or the hack, right? Then you can kind of focus on that niche. But I agree.

Ed

I think that's a great, you know, three-part approach. I do think that increasingly we're gonna see people skip the build side of things. They have in the past, but with AI, they're gonna just ask the AI to build it. Yeah. You know, agentic AI. Please make a custom application that does this, this, and this. Instantiate the whole thing in AWS. Here's my credentials to do so. Go. And then it just does that. And you don't know how it did it or how it worked. And then you get to the point where you go in there and you get an error message and something's broken. So then you say to the AI, fix it. And then it's fixed. Yeah. And then you don't know how it fixed it. You don't know if it's secure at all or anything like that, but it does exist and it seems functional. The build is being incredibly automated. And I do think we stand the risk of humans losing the ability to build certain things as we just rely on AI and tools to do that.

John

Yeah. So it's a good point. Maybe I'm just being, you know, just from my experience and thinking about how much it helps me. Because when I go have a conversation with these different groups that are those focus areas, I know where they're coming from. I can go have a system administrator conversation about security because I've been there before, right? I know their pain points. I can go have a network conversation with the network engineers because I know their pain points. The developers, a little bit. I'm not a developer, but I know how to script. Sure. But yeah, I think that piece is a good point, that it's going to be tough to have that as a strong pillar because people are gonna make it easy. It's too easy.

Connecting The Dots In A Career

Ed

It is. But what you say has helped me tremendously in my career too. The ability to talk to different kinds of people on their level. And maybe you're not an expert on that level, but you can at least communicate with them appropriately. That served me super well to be able to talk to a CISO or even a board, but also be able to talk to developers or sysadmins and such. And it has made a huge difference in my career. The ability to talk at those different levels, to run my team, because you know, my team, I've got DevOps folks, I've got pure play development folks, I've got, you know, mostly offensive guys, but some of them have a good defensive background. I've got cloud folks, I've got web app folks, I've got network folks, to be able to communicate with all of them. And then to pull all that stuff together, which we do in the SANS Holiday Hack Challenge, where we build this giant thing and, you know, launch it for 20,000 people every year. So yeah, it's interesting, you know, when you get into your career a bit to look back and say, wow, all these different pieces came back to me in ways that I never expected at the time. Steve Jobs, before he passed, did a commencement speech. I think it was at Stanford. It was one of the California colleges. I think it was at Stanford. Yeah. Yeah. You've obviously seen it. And about how the courses that he sat in on, because I think he had dropped out of college at that point, but didn't leave, just sat in on courses on calligraphy and so forth, tremendously helped him. And I look back, maybe mine, you know, wasn't quite as calligraphy-oriented, but you know, I took classes on operating system design that I thought were a waste of my time. My goodness, were they helpful. I took classes on database administration that I thought were a waste of my time. My goodness, is that helpful.
All these different classes that people at the University of Michigan and Carnegie Mellon knew would be valuable to me turned out to be immensely valuable. And I never knew. But looking back, you can kind of see all that come together. Yeah, yeah. Einstein once said, he said this toward the end of his life, let's hope this is not toward mine, but you know, something to the effect, I'm paraphrasing Einstein, said, you know, when you go through your life, it just seems like a random collection of things. But when you get toward the end, said Einstein, you can look back and you see that it was a story told over time, and you were a character in that story, and it was unfolding in ways that you didn't even know, but it all kind of comes together as you move through it. I feel that in a good way, you know. I mean, sure, some people's stories are harder than others, that's for sure. But you see that, and a lot of your folks here are going through a big, big change in their story, right? Career changers. So welcome to the next chapter. You flip the page, let's get ready to rock and roll. And some of the folks that listen to you are at the start of their story, and it's exciting times, you know. Yes, technology change is a little scary, and people are worried about losing jobs and what we will do in the future. But gosh, it's exciting times. Really. There's so much out there. You know, I say don't let it intimidate you, but it's easy for me to say. But embrace it and learn, and what an adventure we've got.

John

Absolutely, and I echo that sentiment. It's like when I became CISO, and now I've been CISO a little, I think this is my fourth year, which, time flies. But all those little things, little pieces, little classes, little experiences, database administration, all those things, it's like, wow, those things all have helped, and you don't realize it until you're looking back and you're like, man, I'm so glad I had that experience and that experience. And I'm not perfect, and there's some things that I'm stronger at than others, but definitely you look back and you're like, man, these have all helped me get to this point so that I can be effective in where I am now, for sure.

Community, Cons, And Networking

Ed

Yeah, it's so true. And it's not only based on stuff that you've learned, but people that you know too, which is why I would encourage your listeners to participate in the community. We've got a great hacker community. You know, there are BSides located around the world, so there might be a BSides within 50 or 100 miles. Usually it's pretty low cost. It's a conference, usually lasts a day, maybe two. They're usually quite low cost. There's also hacker cons of various kinds, you know, the big one being DEF CON, which I'll be going to. You going, John? DEF CON this year? I'm not going. No, not this year. I know. I was gonna invite you to dinner, but all right. Yeah. Maybe I need to make it happen now. I just say it. So, you know, there's DEF CON, there's the bigger ones, there's the smaller ones. BSides is a good one because it's so distributed. I mean, many medium towns and large towns have a BSides offering sometime in the year. So, you know, go to that, talk with people, volunteer, you know, just get to know people better that way. Or there's great, you know, online forums, Slack channels, Discord. You know, we have our Holiday Hack Discord. People talk in there year-round about Holiday Hack stuff. You know, I know Black Hills Information Security has some great Discord discussion channels. That's, you know, a company run by John Strand, dear friend of mine. There's, you know, various X groups as well. There's plenty of places to get to know people a little better and contribute. I know some people can be a little shy. Look, that happens. But there's a lot out there. There really is. So it's not just the technical learning, it's building in the community, especially if you want to get a job. Knowing people, yeah, networking. It's true. It's true.

Defining The Hacker Mindset

John

Well, I want to ask, maybe close this out, Ed, with just, I think people lose that, or the term hacker, it's not as forefront as it used to be. And I think you did a great job, especially in the Pen Test HackFest. You talk about being a hacker and what it means. And I think if you asked the new folks today, maybe they don't have that same idea of what a hacker is. And what you gave to me in those talks was, like, being a hacker is that you're constantly, you know, you're testing things, you're trying to learn, you're trying to get better, and you're testing controls because you want to see where the weaknesses are, right? So I think we can all think that way and bring that, you know, to the forefront as we're continuing to learn with AI and other things. But would you speak to that?

Ed

Sure. The hacker mindset. For me, it's natural. Maybe it didn't come natural at first, because I've been doing it 30 plus years, but just this idea of how does this thing work? How can I take it apart? How can I make it work again after I've taken it apart? Sometimes that's really hard. How can I make it work differently? Where does this break? How can I purposely break it? It's a tremendously useful thing. And I think this gets back to the whole red versus blue, and we all have to be somewhat both. I do think, even if you're, you know, deeply blue and defensive oriented, you need to have the mentality of how can somebody break this? And I need to prevent that from happening. Or I at least need to be able to monitor it. So even blue people, blue people, it sounds like a Blue Man Group. Even people who are deeply skilled in blue need the hacker mentality so that they can see how things will break, to prevent that from happening. I was once talking with Randy Marchany, SANS instructor of 35 years. You know Randy probably, right? Yep. Yep. And he's the CISO of Virginia Tech. Great school, great. Just retired. He just retired. I'm actually gonna have him on the podcast soon. So good. Yeah, he just retired. He's still gonna be doing some SANS stuff, which is good. But he's retiring from Virginia Tech. Anyway, he and I used to talk all the time about the hacker mentality. And he said to me once, and I appreciated him lumping me in with himself, he said, people like you and me, we're really good at looking at how things are gonna break. And you know, some people will call us pests for that, but we'll look at some process or some technical thing and say it's gonna fall apart there, it's gonna blow up there. And I'm like, yeah, he's right, he's absolutely right. Yeah, yeah. So good old Randy. I'm glad he's gonna be on the show. Fantastic.

Where To Follow And Final Thanks

John

Yeah, he's great. Well, Ed, this is awesome. Thanks so much for taking the time to come on here. And for me, it's great to see you again. It's been a long time, yeah. Introduce you to my audience, if they don't know about you, if they don't know about the Holiday Hack Challenge, if they don't know about some of the opportunities with SANS. Definitely encourage you to go out, follow Ed and follow the SANS community and what they're doing. There's Discord channels, there's so many. But yeah, get plugged in and go forth.

Ed

Thank you, John. So yeah, they can find Holiday Hack at sans.org/holidayhack. Easy, all lowercase. They can find me on X at just Ed Skoudis, E-D-S-K-O-U-D-I-S. I'm pretty easy to find. But thank you, John, for the opportunity to talk and share and reminisce and talk about opportunities with you. That was lovely.

John

Yeah. All right. Thanks everybody. We'll see you.

Speaker 1

Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast. Remember to subscribe to our podcast on your favorite platform so you get all the episodes.

John

Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Speaker 1

Have questions, topic ideas, or want to share your cybersecurity journey? Join our Skool community, the Cybersecurity Mentors, where you don't have to do this alone. Connect with us there and on YouTube. We'd love to hear from you. Until next time, I'm John Hoyt. And I'm Steve Higareda. Thank you for listening.