[Joshua Ragland] (0:00 - 0:08)  
I don't know, I just want to do something great in the world that would benefit humanity or mankind before, you know, I get really, really old and kick the bucket.

[Kyser Clark] (0:09 - 1:56)  
That's a great take. That's honestly a great thing, a great mentality to have. I think the same way.  
I'm like, you know, I'm the defender of cyberspace, and I'm trying to make the world a safer place through security because, you know, pretty much everybody I know that's not in security, they don't care about security and they're relying on us to protect them. Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners.  
If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you. Hello, hello. Welcome to The Hacker's Cache.  
My name is Kyser Clark, the host of the show. If you don't know who I am, I have six years of experience in the field. I've been working full-time for six years now, and I have multiple certifications, a bachelor's degree in cybersecurity, currently working on my master's degree, and currently work as a full-time penetration tester.  
Today, I have Joshua Ragland, who is a cybersecurity analyst with a strong background and passion for offensive security and ethical hacking. He has OSCP, he has a couple of Microsoft certifications, he has a few degrees, and overall a jack of all trades in cybersecurity and IT. So Joshua, first of all, thank you so much for coming in and giving your perspective and having this discussion with me.  
I really do appreciate it. Go ahead and walk me through your background and introduce yourself to the audience.

[Joshua Ragland] (1:57 - 5:22)  
Yeah, well, everything started when I was younger because I always had a, how do you put it, curiosity on how everything works, everything from mechanical to electrical to even computers, the way that they communicate, they're connected, and basically the security aspects, it's like literally everything. So the curiosity, I think, is what drives me to, I guess, figure out things. So some of my background was I had decided to go to a community college, and my first degree was in programming, and I started liking how you can turn logic, objects, procedural, you can create things just by adding a couple lines of code, and then it's like, oh man, the computer's doing something.  
So after I had eventually finished that first degree, I decided I wanted to get into network engineering as well. So I mean, if you're going to have programs and they got to communicate with each other, then you have to at least understand how the devices sending and receiving these kind of things work as well, like communications in general. So I finished that degree, and I jumped into cybersecurity, and along the way I was always participating in things like NCL, National Cyber League.  
It's a really, really, really good little competition thing for the students to learn, and CCDC, which is like another competition where you actually have to go onto their hosting sites, and they have networks set up, and you have to defend it, and there's attackers and infections and stuff. It was pretty cool. I can't get into details really about that, but it's a very, very good learning experience that would add value to the real world.  
But I did extracurriculars, and I even hacked cars. I say eCyber Auto Challenge, but I can't get into details on that either, because you actually have to participate a lot, that kind of stuff down. So, but it's something good to look into if when it's hosted around certain areas or even travel to, it's well worth it for a lot of the students to get a jump start in the different industries.  
And other than that, I mean, I'm still going to do double degree programs. Like my next place I want to go to is University of Michigan in Dearborn, and they have a dual bachelor's program for software engineering and information assurance, which is cybersecurity. So that would level up the three areas I already cover.  
And other than that, I've just been a security analyst for the last three, four years or so, somewhere around that. And I mean, it's rough. There's a lot to this.

[Kyser Clark] (5:23 - 6:00)  
Yeah, you have a very impressive background. Like I'm going on your LinkedIn, and like, there's just so many things, and you've touched on so many things, and it's very interesting for sure. I guess one thing that I'm wondering is like, what made you go from like, like a generalist in like all things IT?  
And what made you like actually like, yeah, I want to go full-time SOC analyst/cybersecurity analyst as a career? What made you, what motivated you to do that? And why did you choose to go into cybersecurity analyst in particular?

[Joshua Ragland] (6:01 - 7:55)  
Well, when you know how everything works after a while, it's easy work, even though it's long hours and repetitive. But at the same time, if you don't have an offensive security background and evolve and change with the landscape, then it's going to be a problematic area in order to be keeping up with things. Because that's one of the main things that made me switch to this was after learning how all the things work through the different areas, the degrees, the interconnectivity between all the different areas.  
It's like, you still need to defend these creations or the way that these processes and mechanisms are working, you need some kind of defense in a way. So because of all these different areas I cover, I mean, I feel like maybe I can make a difference for maybe at least a little while before I go full-time offense. Because I really love the offensive side of things, because it's like blue team.  
It kind of, you have frameworks, rules, and things that you have to set something up to make it compliant, or at least up to standards. And with the offensive side, if you have the right mindset, a lot of that stuff doesn't matter, you just have a scope and certain rules of engagement. So when you have that in there, creativity exists outside of those bounds.  
So it can help you change and shape policies and make them safer. And it really makes a difference in the world with some simple solution or fix. So I mean, that's why I play defense.  
I believe with that offensive side, I can make an actual difference. Because a lot of what I see is a lot of blue teamers, they lack the offensive side.

[Kyser Clark] (7:57 - 8:34)  
Yeah. It does seem like, like I said, you focus on a lot of offensive security. And do you think that focusing on offensive security, more than because like, there's tons of like other blue teaming, like credentials that you could be pursuing?  
There's, yeah, there's like, there's tons of more, like, I guess, training options for you on the blue team side. But it seems like you focus more on, on offensive security and the red team side. Why do you have plans going into offensive security? Or do you plan on using your offensive skills in defense?

[Joshua Ragland] (8:37 - 10:22)  
Right now I'm doing that right now using the offensive skills in defense, but I eventually want to go pure offense because it's like, how do you put it? So when you're looking at logs, a lot of people that are in the industry that are especially higher-ups, I honestly don't care if they get mad at me or not, but they don't really do the lower-level work. They don't understand a lot of the things they talk about when it's the people that are in the trenches that are constantly shoveling the events that fire off detections and things like that.  
And when you have this red team skill set, you can almost instantly recognize certain types of behaviors that you're triaging or dealing with. And it gives you an edge over the others. Like even though there are training options, it's compartmentalized pieces of knowledge that's maximized for profit.  
When you go full red team, you get basically everything plus some cheaper. Like if you go get an OSCP, you're tested across all these different domains and it's practical. You have to do it in order to pass.  
It's not something like a SANS cert where you take a hundred questions and they call you a pen tester. It doesn't work that way. And I believe you have your OSCP as well and you've seen how hard that was to get.  
And that's the newer one. That's the newer one. You got lucky with the newer one. The older one was worse.

[Kyser Clark] (10:22 - 10:42)  
Yeah, from what I've seen, I feel like the older OSCP doesn't seem harder. I mean, it was still hard. I have multiple certifications and still the hardest one I've done so far.  
Yeah, that's definitely a challenging one. But I had so much fun learning and doing the exam. I actually had a lot of fun with that one.

[Joshua Ragland] (10:43 - 12:00)  
I will tell you this much. I had to take that older exam twice and it's because of the time. I was up seven hours before the exam.  


So it was like I wound up knocking out for 12 hours in the exam or something like that. And I had to retake it because I woke up. But I did have 45 points.  
So I thought I could get away with taking a nap. That was a bad decision. The second time I passed.  
But I stayed in that old lab. That was the best lab that I ever seen. Because I mean, a lot of people complain about boxes getting shut off in the new version.  
And like when you're trying to exploit something. And that was actually good because that happened to me so many times. A lot of that stuff became muscle memory.  
And it helped me through the exam. And there were 66 lab machines at that time, three different subnets. And that was like the best I've ever seen.  
It was like to do and pack the boxes Dante or something. But it was not the same. It was offensive security style.  
And it was it was nice. I manually went through it and barely used Metasploit on it, like everyone wants to use Metasploit.

[Kyser Clark] (12:01 - 12:22)  
Yeah. Because you get to use Metasploit on one box in the exam. So when I did my training, I just I was like, oh, I'm just I'm going to use Metasploit.  
And I didn't. Yeah, I didn't even use Metasploit to pass my exam. So, yeah, I just practiced as if I didn't have it.  
And if I needed it, then I would throw it in there.

[Joshua Ragland] (12:23 - 12:29)  
I love the buffer overflow on the old one. That was the best. Yeah.  
I had that thing in twenty-five minutes.

[Kyser Clark] (12:30 - 13:49)  
Nice. Nice. Yeah. They took it out and I was studying for it. And then they're like, yeah, we took it out for good because when I was studying for it, they were like, you might because I think when you went through, you were guaranteed to have buffer overflow. But then when I started doing my studies, they're like, you might get the buffer overflow.  
You might not. So I learned it real good. And then like after I mastered buffer overflows, they're like, yes, on the exam, I'm like, dang.  
But yeah, I want to go ahead and I want to start doing a rapid fire round that I have prepared for you. So the way this works is I'm going to give you five questions and 30 seconds to answer five questions. And if you answer all five of them in time, then I'm going to do a bonus sixth question.  
And your time is going to start as soon as I stop with the last question. So let me get my stopwatch ready here. And these are all cybersecurity related, except for the bonus question.  
That's actually the only off-topic question I have for you. So hopefully we can get there. But yeah, no pressure on these.  
Just say the first thing that comes to your mind. And don't provide an explanation of these because we got to get through them. So are you ready?  
Multiple certifications or a college degree, which is more valuable in a cybersecurity career today?

[Joshua Ragland] (13:52 - 14:15)  
I would have to say vendors will most likely want our vendors. People want the certifications, but they don't realize how important the degree is. The degree is 15 weeks with hands-on and an AAS when you have the certifications that do not really give you as much as a degree does.  
One's a specialty, one's not.

[Kyser Clark] (14:16 - 14:17)  
Do you think cyber insurance is worth it?

[Joshua Ragland] (14:18 - 14:26)  
Yeah, it's about as bad as your security is. But I would still recommend it. You never know.

[Kyser Clark] (14:27 - 14:29)  
Soft skills for cybersecurity professionals.

[Joshua Ragland] (14:31 - 14:36)  
That's a must in modern times because nobody can take a joke anymore.

[Kyser Clark] (14:37 - 14:40)  
Do you think there's a cybersecurity skills shortage?

[Joshua Ragland] (14:43 - 14:59)  
No, but I also think that a lot of the ones that have the big massive amounts, they think that they can just take one certification and jump over when I had to take seven years of degrees before I was able to find a solid spot.

[Kyser Clark] (15:00 - 15:04)  
And then last question, what is the best way to keep up with cybersecurity trends?

[Joshua Ragland] (15:07 - 15:17)  
Go for the malware development, the zero-day bug bounty research, all the heavy-duty stuff that CSO advisory stuff ain't going to cut it.

[Kyser Clark] (15:19 - 16:16)  
Those are all really good responses. Yeah, you went way over 30 seconds. We got a minute 39 here.  
But those are really good responses and a little more explanation than I wanted. But very, I mean, very good points that you brought up. I guess the one I want to dive into the most is the cybersecurity skills shortage.  
So you said that there's not a shortage. And then you mentioned that maybe part of the problem is people who are wanting to break into the field, but they're kind of expecting a fast track after getting one certification. Can you explain what you meant by that?  
And then maybe even explain if it's a problem or how much of a problem this whole cybersecurity skills shortage is?

[Joshua Ragland] (16:18 - 19:48)  
Okay, so it's not this is what I mean by that. So you got all these boot camps and all this other stuff that say guarantee they're taking people's money. You got all these people building courses that some are good, some are bad, but they hold no weight in it.  
And don't get me wrong. That's valuable stuff that I've seen in off-brand certs, and they don't get enough credit for what they have in them. But nothing beats a degree because the degrees have hands-on experience.  
When I was going for me to go through that at seven years, I did full degrees that specialized in specific areas, mainly because if I wanted to jump ship and work in separate areas, I would always have that option. If I don't want to work in cybersecurity, I can go be a programmer. If I don't want to be a programmer or work in cybersecurity, I can go run some drop downs, install some switches, configure some Cisco, and be on my way and make just as much without jumping around in the pay range.  
Right. But when I learned how all these things started connecting, and especially the automotive industry with the car hacking and security, and the more it's being integrated, there's a lot to this field. It's not as easy as, oh, I'm going to go take four certifications and be done.  
You need specific certs that cover that at least the foundational on everything, because all these people are talking out of their mouth and not showing any results and being glorified just because they have a cult-like following, but the knowledge is not there. I mean, you can do Linux plus, security plus, and then you can do something like network plus or things of that sort. That way you have at least a base foundation, and if you're lucky enough to fall into a small spot because you covered the three base areas, then you might actually be able to do something, but that's rare.  
That's where this whole crying out for the cybersecurity shortage is. When they say shortage, they're talking about the skill sets, not the people, and you need specialized skills in this because, for instance, Zero Day's threat actors, they sit there and take months. SolarWinds is an example.  
Microsoft, all these different types of things, and people think it's cupcakes, butterflies, and all this other stuff when it's an actual war in the field. That's like taking some toddlers, giving them some AKs, and expecting them to fight a war. There's no structure to it.  
There's no understanding of how a lot of these things connect. There's even legal perspectives and aspects to it because you get someone that doesn't know what they're doing, like say Blue Team Field triaging alerts, and it's like, I don't know, it becomes a problem and a liability because now whose fault is it? You got an MSSP or a company providing these services, and it's like, why haven't you got the training for this?  
Why isn't your person that you said is the best able to catch this when a level one regular analyst with the training would have been able to spot it and made a case or a ticket in time? It's not an easy field. It involves multiple disciplines in order to understand these things.

[Kyser Clark] (19:49 - 21:30)  
Right, yeah. I always tell beginners to get a foundation in Linux, a foundation in networking, and just basic IT troubleshooting skill set as a foundation. I feel like a lot of people do try to skip over the fundamentals.  
For me, when I was going through, the way I broke into the field was I overspent. I spent a lot of time on the fundamentals. My journey was like this.  
I went into the Air Force, and we started off with Security Plus, and that's really what got me into security. Thinking I was going to work on computers as a system administrator, which is what I did. They made us

 get Security Plus, and that's what made me think about security.  
I would say I started my college degree, and at that moment, I was like, I want to be an ethical hacker. I'm going to be a pen tester. I spent three and a half years learning Linux, learning networking, learning how to program before I even considered touching the OSCP certification.  
I definitely agree with you there with the foundation. It requires multiple disciplines. You're right, it is a hard field.  
It's not a walk in the park. For me, that's what makes it fun. You mentioned before we started recording that burnout is a thing.  
You've been in the field for four years. Well, I guess you've been in the field for longer than four years, but you've been in cybersecurity for four years. What do you do to prevent burnout?

[Joshua Ragland] (21:32 - 22:43)  
I don't. I work through it. Lots of caffeine and bad health problems is what happens at that point.  
More people that are able to be active, it's always good to at least keep some weights or something around and at least try to get up and move and all that other stuff. When I was fresh, I just dived into different areas. That's one of the reasons why I do hack the box all the time since my work is blue team and incident response, things of that sort.  
I go to hack the box like every Saturday a new machine drops because it's more or less on the offensive side. I don't have to use a SIEM or an EDR to sit there and look at logs and sit there really doing nothing much, but just logs and logs and logs and logs. It's a good advantage doing both sides.  
Anyone in this field should do a little bit of everything, even hardware. That's the good stuff.

[Kyser Clark] (22:44 - 23:07)  
Yeah. That's always a debate that I have within myself on my career progression. It's like, well, do I specialize or do I generalize?  
I think there'll be a debate in this field for many years to come. Personally, I kind of stick with to be a generalist until you have to be a specialist. That's kind of how I view that.

[Joshua Ragland] (23:08 - 23:34)  
But I definitely- No, I was going to say that's what I do right there, what you just said, generalist until you have to be a specialist, get your hands in everything so you can at least know how everything works and specialize in whatever part you like the most. You can be both. Whoever said they can't, they don't know what they're talking about.  
They're just scared of the extra hard work.

[Kyser Clark] (23:35 - 23:59)  
What a hot take. That's great. Man, this has been good.  
I want to shift your attention a little bit. You are a big fan of CTF competitions and you've excelled in them. What's some of the strategies that you use to excel in CTF competitions while you're competing?

[Joshua Ragland] (24:01 - 24:37)  
I just do it to stay busy. It's even about competing. It's always new content.  
One of the good strategies is to always have a good team at least. Someone that's got the same goals aligned with yours is to constantly keep growing. Because if you have, you're only as strong as your weakest link.  
If you have a good team where everybody is moving together and learning new things all the time and not afraid to put in the hard work. There's that keyword, the hard work that everyone's afraid of.

[Kyser Clark] (24:37 - 25:16)  
I've said that several times. For me, there's no shortcuts to success. I always tell myself that.  
I tell other people that. You have to put in the time and you have to put in the effort. I also tell people, this isn't a nine to five.  
You have to work your job and then you have to, outside of work, find time to stay up with the trends, learn the latest exploits, the latest vulnerabilities, and then practice them. This is a very demanding field. A lot of people don't realize that.  
Oh, you sit on the computer all day. It's not physically demanding, but it is mentally demanding.

[Joshua Ragland] (25:17 - 25:27)  
Oh, yes. Yes. I get yelled at all the time.  
I'm playing on the computer and it's like, come on, woman. I want to see you do this for a month. Yes.

[Kyser Clark] (25:30 - 25:57)  
A lot of people, when I started looking in, they're like, oh, you just sit on the computer all day. How hard can it actually be? It's like, man, this is hard.  
Like you said earlier, this is like cyber warfare. This is like real war stuff. There's real world implications to what we're dealing with in this field.  
There are potential lives on the line in some of the cases.

[Joshua Ragland] (26:00 - 26:43)  
Yes, pretty much. It's already, I think, been done before where they hit a hospital and ran somewhere. If I remember, I was watching a video not too long ago.  
I don't remember who it might have been, but it was like a hospital got shut down. I think it was WannaCry and people could have died. People were turned away, things of that sort.  
Then you had, I don't remember what it was. I think we had a pipeline or something shut down. Then you got SolarWinds, you got Microsoft, like I had mentioned before, and then you got major infrastructure getting hit.  
It's like, oh, man, go ahead and get smart people that shouldn't be touching a computer, working things.

[Kyser Clark] (26:49 - 27:14)  
I guess that makes me want to wonder, with the skill shortage, from an employer perspective, there are people that are lacking the skill, but I feel like a lot of employers are willing to hire someone who lacks skill if they show passion and dedication and a willingness to learn.

[Joshua Ragland] (27:15 - 27:29)  
There's nothing wrong with that as long as the employer that's doing the hiring provides the training because that's going to have to be the trade-off. Otherwise, you're going to get people that keep opening ransomware.

[Kyser Clark] (27:30 - 27:31)  
Yeah, that makes sense.

[Joshua Ragland] (27:31 - 29:18)  
That makes a lot of sense. I mean, you can go look at the MITRE framework and you skip the recon and the tool building. You go straight to the initial access.  
It gives you a neat little column with different techniques or tactics that they use. You go and look. Most people aren't emphasizing the defensive capabilities on the initial access.  
You've got a castle that you're trying to guard, right? And because you're a defense, you know all the little ins and outs and the secrets, but the attacker doesn't, right? So the most logical thing would be to go patch or put barricades or reinforce all your soft spots so that when the enemy sends their stuff in, it's not going to get anywhere.  
That's where you get layered defense ideology or whatever. But even then, that just slows things down and throws up flags. And that's only if your team's good that's doing the detections and your R&D or research type of deal is going on.  
Because that's why I emphasize on offensive security, it's better to have someone that is on your team out there bashing the walls in to see what's soft and what's hard. And then plug the holes, report to vendor anything newfound, get things closed. But that's a very, very rare structure that you'll see in the industry.  
And then they complain when they give a $20,000 budget just to keep the lights on and they get hit, they didn't update any of their security or defenses. That's like stone versus wood.

[Kyser Clark] (29:21 - 29:49)  
Yeah, interesting. Yeah, that's, yeah, very valid points. So I want to bring in our final question of the show.  
And this is my favorite question to ask everybody. So final question, do you have any cybersecurity hot takes? And I feel like you've been dropping tons of hot takes, but feel free to drop more.  
Or do you have any extra wisdom that you'd like to share to wrap things up with?

[Joshua Ragland] (29:51 - 33:05)  
Well, instead of lighting gasoline or the blowtorch, I want to give something positive and stuff. So, okay. The whole, the way the different areas connect, it's not going to be until a lot of people start realizing this.  
Our lives, everything we do is very similar to the cybersecurity field that encompasses all the different things and technologies together. And what I mean by that is like we'll say programming down to the way of programs compiled. If you move it over to biology and science, that's your DNA, the RNA, reverse transcription and communications and things of that sort.  
That's the software link being created at execution. So, programming is no different than what we are and how we react to the world. So, we're all programmers, whether we like it or not.  
Like you've got objects that are already made that we interact with. And our world, our lives is event-driven. So, you have to interact with the things around you, logic and procedural.  
That's the way you think, the way you are, how you handle

 things and put out the processing. Networking, it can be very, very simple related to the things we do from getting in a car, going to the store, and coming home. That's literally the machine connecting out and giving a reply and a response.  
You get into the routing, you're going to take the shortest path to the store. There's your RIP routing. Say you want to do the OSI model, you're the packet, you get in the car, you want to go to the store, you get something, you come back.  
It's weird how a lot of that is different ports and protocols. That's the different types of languages that we speak and the way we communicate. And when we're talking to one another, the data is being processed, transferred as we speak as well.  
Cybersecurity, the policies, the common sense that's needed with it. That's the locks on your door to keep people out, away from your stuff. Because then we go back to objects, communications.  
It's crazy how taking so many different fields lets you see things in this manner, right? But if people start understanding things that we do these things every day, it'll help overcome all the lack of understanding that they have when they get into the field and it looks intimidating to learn. If you relate these things to simple things, then it becomes even easier to do.  
Just like a computer virus is no different than the cold virus. In the end, it's like somehow we're bio-machines and we have our own programming and we communicate differently and transfer data and retain it. But I just hope that that's something interesting that people would maybe benefit from.

[Kyser Clark] (33:05 - 33:34)  
I think that's really good advice. Correlating these complex security issues to everyday terminology really helps non-security professionals understand the implications of this stuff. Thank you so much for sharing that view.  
If the audience wants to get a hold of you, what's the best way to do that, if they're inclined to do so?

[Joshua Ragland] (33:36 - 34:39)  
They can hit me up on LinkedIn. I'm always accepting new connections and things of that sort. If I can help out in any way or throw a little guidance, I don't mind.  
I like helping people. That's basically why I'm playing defense for now. Maybe one day I can transition to the offensive side, like maybe R&D or something like that, where I can help find flaws, build proof of concepts, discover CVEs at the more complex level, like reverse engineering, tearing apart binaries, and the real heavy-duty things where you don't even have to make contact with people in order to exploit a system, trick them into opening something for a reverse shell or a loader or downloader or whatever. I don't know, I just want to do something great in the world that would benefit humanity or mankind before I get really, really old and kick the bucket.

[Kyser Clark] (34:40 - 35:25)  
That's honestly a great mentality to have. I think the same way. I'm the defender of cyberspace, and I'm trying to make the world a safer place through security because pretty much everybody I know that's not in security, they don't care about security and they're relying on us to protect them.  
It's a huge deal, especially when you talk about attacks at ransomware hospitals and pipelines shutting down. One of my favorite attacks I like to tell people that a lot of people know about is there was a water tower in Florida that hackers got control of and they changed the chlorine levels and could have poisoned the whole town. It's just crazy stuff.

[Joshua Ragland] (35:26 - 35:39)  
I said that's warfare, that's war right there when it hurts people. I don't like that kind of stuff.

[Kyser Clark] (35:39 - 35:45)  
Yeah, it's real scary and it's very unfortunate that things like that can happen.

[Joshua Ragland] (35:47 - 36:13)  
I was going to say, if it's something like little kids trojaning each other because they're mad because they lost on Call of Duty or something, I mean it's still wrong, but I don't see as big of an impact on something in that sort compared to poisoning people or robbing people and things like that. Come on man, that's petty right there.

[Kyser Clark] (36:13 - 36:56)  
Yeah, I totally agree and unfortunately we're out of time, but man this has been a great conversation, great discussion. You've had a lot of great insights and I really do appreciate your thoughts and opinions on everything we talked about today. For me to close up, if you want to get connected with me, I'm Kyser Clark on LinkedIn and you can check out my website at kyerclark.com.  
If you're listening to the show or you're watching on YouTube, whatever platform you're on, do me a favor, leave a review and I'd really appreciate it. Hopefully, I see you in the next episode. Until then, peace out, take care, have a good one.  
Kyser, out.