The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#27 Red Team Reality: Building the Hacker's Edge ft. Mike Ortiz
In this conversation, Mike Ortiz discusses various aspects of cybersecurity, focusing on the importance of curiosity, the dynamics between red and blue teams, and the transition into red teaming. He emphasizes the need for collaboration between teams and the significance of understanding the foundational roles in cybersecurity. Mike also shares his personal journey into the field and offers valuable advice for aspiring cybersecurity professionals.
Takeaways
Privacy is a trade-off for convenience in the digital age.
Curiosity drives persistence in problem-solving for hackers.
Red teaming involves prolonged engagement and understanding of systems.
The relationship between red and blue teams should be collaborative.
Effective communication is crucial in delivering red team findings.
Entry-level cybersecurity roles provide valuable foundational experience.
Understanding the history of cybersecurity helps in grasping its current state.
Hands-on experience is essential for developing cybersecurity skills.
The OSCP certification is a rigorous but rewarding challenge.
Help desk roles are critical for building soft skills and technical knowledge.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
Ep 27 Transcript
[Mike Ortiz] (0:00 - 0:28)
On his video, he said, if you're going to start your OSCP, first thing you need to do is apologize to your wife, your friends, your family, and your loved ones, because this will consume you for the next however many days or months until you get this exam. And it was so true, right? You know, going into work, you know, doing work, labbing on the side, going through the manuals, going through the stuff, coming home, spending another two, three, four hours at it, going to sleep, waking up, rinse, wash, repeat.
[Kyser Clark] (0:28 - 2:35)
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, hello, welcome to The Hacker's Cache. My name is Kyser Clark. I have over six years experience in cybersecurity, and I currently work as a full-time penetration tester, and I'm here to help you grow your hacking and cybersecurity knowledge.
And I have an exciting announcement today. So for those who have been keeping up with the show and watching my content, you probably know that I failed the OSWA several times, and I'm happy to announce that I finally passed it after three failed attempts. So I passed my fourth try, and I also passed the TCM Security Practical Web Pen Test Associate, formerly known as the Practical Junior Web Tester.
So I failed that one too on the first try, and then I got it on the second try. And then I also passed a third certification recently. I did the CompTIA SecurityX beta in the summertime, which was like six months ago, and they finally gave me my results, and it was a pass.
So three certifications came my way all at one time, and it's super exciting. That brings me up to a total of 16 certs. Today I have Mike Ortiz, who has 24 years of experience in tech, IT, and cybersecurity.
He currently works as a red teamer, and for education, he has a bachelor's degree in cybersecurity and is currently working on his master's degree in cybersecurity. For certifications, he has the Red Team Lead, the OSEP, the CRTO, the OSCP, CASP+, two Cisco Certified Specialist certifications, the CCNA, the CompTIA Network+, and the Security+. So Mike, thank you so much for taking your time and doing this recording with me.
Go ahead and introduce yourself to the audience and walk through your background.
[Mike Ortiz] (2:37 - 6:51)
Hi. Thank you. That was quite the introduction.
So yeah, thank you for having me. Hopefully I can tell you a little bit about my journey, and hopefully someone out there will find some value in that, and hopefully it'll help them in their path as well. So for me, I'm, like you said, 24 years in the field.
I really started in the early 2000s. Well, actually, before the 2000s, when I was still in high school, I was doing a little bit of IT work there. I was part of a program where they were basically taking kids and running them through a VoTech-like course where we're kind of assisting and helping the IT administrator of the school at the time.
Shout out to you, Mike Petitucci, you really were one of those defining moments, forces in my life. So thank you for that. And did that for a couple years while I was there, learning basic computer skills, basic administration.
We were doing things like unlocking accounts, remapping users to printers, helping the teachers with some of their projectors and peripherals and things like that. After high school, I got out and immediately went into the Marines, where lo and behold, I get selected into the 4066 field. At the time, the MOS was Small Computer Systems Specialist.
So basically doing IT for the Marine Corps. At the time, it was very fledgling. It was, they were really trying to figure out what they were going to do with these data Marines.
They called this data at the time. And it took a bit of growing pains, a couple MOS's, collapses and mergers and things like that to where we finally got our footing and have evolved into what is known as the cyber workforce, Cyber Marines MOS today. In my time, it was still data.
So Tactical Data Specialist, Data Chief was my MOS's, at which point I got out of the Marines in 2012 and immediately started contracting. So ended up overseas a lot, Middle East, Central Asia, did a couple of years in Afghanistan, a couple of years in Djibouti, some time in the UAE, back to Afghanistan, off and on until I finally came back and repatriated back in 2019, working over in CENTCOM, CENTCOM Headquarters on MacDill. Was there for a couple of years, left there and then joined the fight over in UCOM.
I was working with a company that we specialized in doing integration work and services overseas, specifically for our Eastern European partner nations and allies. So we were doing a lot of tech refreshes, perimeter defense, building out CSOCs, building out security architecture for those countries because they were under threat. And as you know, you know, we're only as strong as our partners.
So we were, we were spending a lot of time engaging with them. Same with some of our partner nations down in South America. Well, so I was, I was kind of overseeing several teams that would manage and take those, take those projects from cradle to grave as I'm just applying the guiding hand from the architectural, technical standpoint and also going where I'm needed to augment the staff of engineers that I have working, working with me and for me.
Then after that, that's that landed me here in Arlington, Virginia, where I left Sunnyside, Florida for freezing Arlington and working with the Department of State now as part of their red team on in their red cell branch.
[Kyser Clark] (6:52 - 7:57)
Hey, I wanted to tell you about my new cybersecurity insider list, where you get raw unfiltered cybersecurity advice, tips, and hot takes, plus exclusive first looks at my content delivered directly to your inbox every single week. No fluff or spam, just valuable content. Head over to Kyserclark.com slash newsletter and level up your cybersecurity knowledge today. Once again, that's Kyserclark.com slash newsletter. There's also a link in the description. All right, now back to the show.
All right, Mike, are you ready for the rapid fire questions? Yeah, let's do it. So for those who don't know, for the new audience members, Mike will have 30 seconds to answer five questions.
If he answers all five questions in 30 seconds, he will get a bonus six questions unrelated to cybersecurity. His time will start as soon as I stop asking the first question. So here we go.
Mike, do you think privacy is dead in the digital age?
[Mike Ortiz] (7:59 - 8:03)
Um, no, but you do have to make some trade spaces for convenience.
[Kyser Clark] (8:03 - 8:09)
Is it ever okay to pay the ransomware demands? Uh, no. Favorite hacker from history?
[Mike Ortiz] (8:10 - 8:13)
Oh, uh, I would say Adrian Lamo.
[Kyser Clark] (8:14 - 8:16)
Most memorable hacking experience?
[Mike Ortiz] (8:17 - 8:22)
Oof, uh, getting that fifth flag callback on my OSCP exam.
[Kyser Clark] (8:23 - 9:38)
Most important quality for a hacker? Uh, curiosity. We are at 31 seconds, almost 32.
So you, you barely missed it, but it's a challenge for a reason. If I had to, um, critique you, you explained your first answer a little too much there. If you wouldn't have done that, you would have made it, but it's okay.
Um, that you provide an explanation because you're absolutely right with it when it comes to privacy being dead in the digital age, because there are some things that you have to sacrifice if you want convenience. So it's like, it's like a fine line. Like, do you want convenience or do you want privacy?
And it's like, well, if you want total privacy, then you make life harder on yourself. And then, um, it's definitely a hard balance. So, you know, I'm going to do, so I'm going to try something else.
Something new for, for this episode. Is there any one of those answers that you want to explain more? Or do you want me to pick one?
Um, no, I'll let you, uh, dealer's choice. All right, let's do, uh, let's do most important quality for a hacker. So you said, what did you say?
Curiosity. Curiosity. So why do you think it's curiosity?
[Mike Ortiz] (9:39 - 11:04)
Yeah, because that's, that's, what's going to give you the drive, right? Um, when you're up at 3am bashing your head against the keyboard, trying to figure out why something isn't working or why something is working, you know, trying to figure out what's the underlying cause of that, that is where that, that mentality kind of kicks in, right. That drive to keep pushing and, and not to sound trite or cliche, but, you know, to just keep trying harder.
Right. Um, that is, that's a, one of the main defining qualities really in just infosec in general. Um, I know a lot of people don't like to be reminded, but cybersecurity is IT, no matter how you slice it.
So that same mentality also helps you in the traditional IT roles when you're talking network systems, um, engineering, you know, uh, wanting to understand, uh, how something works, why it works, all the underlying factors, and then what you can do to make it better, tweak it or manipulate it. Right. Um, and, and that is where, uh, I think that is probably the strongest quality to have.
That is also the hardest one. You can't teach that, right. You got to have that innate-ness in yourself to, to want to keep pushing, to want to keep discovering, to want to keep churning over all the rocks and flipping all the switches, uh, to figure out, you know, Hey, how can I, how can I make this system do what I want it to do?
[Kyser Clark] (11:07 - 12:05)
Yeah. Yeah. I agree with you.
Um, you know, the first thing that comes to my mind is, uh, the, the try harder mantra, like the, the unwillingness to, to give in, like, right. I think that's an incredible, uh, quality. And I guess that does fall under, you know, the curiosity, cause you want to know how it works and you're not going to stop until you figure out how it works.
And so, um, yeah, they, they, all of those traits go hand in hand. And I totally agree with you on, you know, cybersecurity is under the IT umbrella. Some people, you know, I, when I first got in the field, I'm like, Oh, cybersecurity and IT is not the same.
And then I realized like, Oh no, cybersecurity is just a discipline of IT. It falls under IT. And a lot of people sometimes forget that.
Yeah. And, um, yeah, that's very, that's important to know. Uh, I mean, it's a lot, it's a lot different than a traditional IT role, but it is still an IT role, um, in the grand scheme of things.
Yeah. Yeah.
[Mike Ortiz] (12:05 - 13:10)
I mean, it's, it's absolutely one of the pillars because, you know, uh, it was born from IT there, you know, before there was cybersecurity, it was network security or system security. Right. Um, and then that, those kind of, as security became more, uh, I would say more specialized, more niche, then they needed people to just focus only on that.
So, you know, we offloaded all the network security stuff, all the system security to actual cybersecurity. Um, and a lot of people like, you know, they tend to forget that, Oh no, cybersecurity, we're not IT. You know, you are IT, right.
Um, you know, you're just your own branch of IT, or you're still part of the overarching umbrella? Just like IT is under the overarching umbrella of computer science, right? We like to forget that too.
Um, we were born from the old gray beards in our time, you know, those guys in the sixties and seventies on the soldering boards and, and making blips on a, on a screen go left and right, you know, that is where it came out of. So, you know, it's important to know our history and all your roots because you can see the lineage all the way through.
[Kyser Clark] (13:11 - 14:32)
Yeah. And what you said about computer science, one of the things, one of the playlists I really liked on YouTube, I don't know if you ever saw it. It's called Crash Course Computer Science.
Are you familiar with like the crash course series? Is that the one from MIT that they put out? Um, I don't know if it's from MIT, but crash course is like a YouTube channel.
They do like crash course, history, economics, all this stuff, but they have a computer science one. And I thoroughly enjoyed that computer science one. Cause it goes all the way back.
Like, you know, and it's, it's really good because it introduces like it, um, into our computer science in, in a very casual way. Like you don't need to be, you know, tech savvy to understand it. And when you're going through that playlist, like, I think like, you know, 95% of the way through, they finally get to cyber security and it's just one episode.
You know what I mean? It's just a piece of the puzzle and the whole grand scheme of things. And that's when I kind of realized like, Oh, this is way, there's way more to this, you know?
Okay. So let's go ahead and dive into our main discussion. So this, we're going to talk about red team operations and adversarial threat emulations.
And, uh, the first question I want to ask you is what is a critical, but often overlooked aspect of red team operations that a lot of people, you know, might not understand about red teaming.
[Mike Ortiz] (14:33 - 18:46)
Oh yeah. Um, that's a great question. So, um, yeah, one of the things about red teaming is, is that it's not your traditional pen test.
And sometimes the information owners or the system owners, or even the, the, the people who are requesting it don't quite understand exactly what a red team is supposed to be and what it should entail. Um, one of the, one of the main defining, uh, defining aspects of, of red teaming itself is, is just the timeline and the scale where pen testing, you're usually given a very finite set of boundaries. You know, these are your rules of engagement.
This is your perimeter. This is what you can touch is what's in play. What's not in play.
And you're going to be testing it for two, three, four weeks. And then at the end of that, you're going to write your report, give your outbrief and move on to the next project. But red teaming is a little different.
Um, pen testing, you know, we, we, we consider that, you know, kind of like smash and grabs. You walk in a jewelry store, you're going to smash all the, all the, uh, the glass containers. You're going to steal all the jewelry.
You know, you're not worried about being sneaky. You're not worried about evasion. You're not worried about getting caught.
You just want to get in and get out before the cops arrive. Um, whereas in red teaming, that's your more prolonged activity. We're going to sit on your network.
We're going to watch it. We're going to take our time. We're going to discover it and get red team engagements can be anywhere from, you know, weeks to months to, you know, Hey, you're doing it, you know, quarter by quarter on a yearly, yearly based cycle.
And what you're doing there is you're, you're pretending to be the bad guy or the bad threats so that when your system does get those threats, it knows how to respond. Um, that is, that is the key point in, in what we're doing with, um, with, with red teaming. Where pen testing, you're, you're testing that finite box, but with red teaming you're testing, you know, what I like to say, you know, the three P's: the people, the products and the processes. The people, those are your, your, your, your SOC, your, your, um, SOC engineers, your SOC watch officers, your analysts, your blue team, your defenders, your cyber defenders, network, you know, whatever your organization has the roles of the watchers who are looking at the dashboards, looking at the logs, looking at the feeds as they come in.
The products of course, is your things like your, your architecture, your security stack, your, your IPSs, your IDSs, your SIEM, your, uh, SOAR orchestration platforms, all of that. That is your products. And then lastly is your processes.
Um, your processes are, Hey, we have a threat. It's a validated threat. What do we do now?
Generally, when we come in in a red team engagement, um, if it's done correctly, the blue team is not going to know we're there. Um, what they're going to see is they're going to see our artifacts. They're going to see our beacons or maybe not our beacons, but they're going to see some anomalies.
Now the question is, is the process that they've been taught. Do they look at this anomaly and, and, and keep clicking, Hey, this is, um, this is good to go. Um, or this is, this is just, you know, white noise or do they take it and they, um, drill down and dig in and see exactly what it is and realize, Oh, wow, we have a compromise.
Um, so, you know, that's, that's the important part too, is, is those processes. What does that watch officer do at 3am when he sees my beacon accidentally trip, uh, one of the EDRs and he gets a weird alert that he usually doesn't see before. You know, does he, you know, what does he do from there?
And then once they determine that, yes, we do have a threat actor in our, in our network. What do they do then? Do they call the white cell or obviously they won't call the white cell because they don't know it's part of the exercise, but, you know, do they escalate?
How do they escalate? You know, um, different organizations have different, uh, protocols, you know, uh, crash, everyone crashes the war room. They stand up, uh, a, uh, a SCIF or some, or something like that.
And they start, you know, taking logs, snapshots and all that. Like, this is the things that red team gets to test, uh, a lot more so than, um, than your standard, you know, audit based pen test or vulnerability scan.
[Kyser Clark] (18:47 - 20:06)
I love your analogy with the smash and grab, like a street robbery. And then like, you know, a red team assessment's like a well, well planned heist. Like that's a really good analogy.
So I'm going to steal that from you. That's a good one. I like that a lot, but yeah, you're right.
Like it's absolutely right. Cause as a pen tester, you know, I'm not worried about getting caught. I just, I'm just running the scans as long as I can.
Cause I, I'm just trying to, to test. And, um, there's, there's days where it's like, I don't feel like a hacker. I feel more like a QA for, for IT, honestly, because I'm not being stealthy at all.
And, um, you know, there's times where it's like, man, you know, I don't feel like a hacker cause I'm not trying to be stealthy. And which is one of the reasons why I want to start getting into red teaming, uh, because pen testing is, um, less threat actory than, than a pen test, you know? Yeah.
So another thing you've mentioned, so you mentioned the blue team, you said, well, a good red team is one where you get in and you don't get caught or you, you, you leave, you know, little to no trace for the blue team. And when that happens, how does the blue team respond? Like, have you ever had a situation where the blue team, they just get like super salty like, oh my gosh, like, why didn't we catch you?
Or like, do they generally find it like helpful?
[Mike Ortiz] (20:09 - 22:47)
Yeah. I mean, uh, to, to borrow from one of my colleagues, you know, he says what we do by nature is adversarial, right? Um, it's always, and what we try and do is we try and, and, and control the narrative and change the mindset, say, look, I'm not here to, to run in and make you look bad, right?
We're here to work together. We're on the same team, right? Uh, to sit down, work together, work through these problems, work through these findings and help you get to the end goal of, uh, you know, defense changes in your defense posture or, you know, mitigation remediation strategies, right?
Uh, you know, it does no good if a red team comes in, uh, craps all over the, the environment gets domain dominance, starts spinning up enterprise admins left and right, and then walks away. Right. Uh, just like they taught us, you know, when you're, when you're going through your, your pen tester stuff is like the quality of your work is determined not by what you do, what flags you capture, what boxes you root, but rather by the report you write afterwards, because that is what you're getting paid to do.
Um, they need that report because that is what is going to drive policy changes is also going to drive remediation and, um, uh, mitigation strategies, uh, with, uh, so with the red team is the same. Um, depending on the type of red team, right? Um, there's, you know, the, the new push now is, is kind of like a, uh, I've, I've seen it where engagements are like, okay, we're going to assess you for a week and then we're and, you know, back and forth.
Ideally, the larger enterprises have their own internal red team that can do this on a continuous cycle so that you're not just having a team come in once every, you know, 18 months to, for your SOC 2 compliance or whatever compliancy your insurance company needs, but you're taking it serious enough that you are having a threat emulator that can work through these problems with your blue team side by side. Um, sometimes, you know, there's benefit to the blue team and the red team locking themselves in the same conference room, bringing out their laptop and say, okay, this is what we're going to do.
I'm going to test this. You're going to see what you see and, and develop those, those, uh, alerting strategies for those indicators of compromise and those artifacts and, and helping, helping, um, them develop their detection analysis stuff. So that when, uh, when, you know, when, uh, Cozy Bear is knocking at the door, Lazarus Group is, you know, trying to get in, you know, your equipment, your people and your product or your policies, you're not seeing it for the first time.
[Kyser Clark] (22:49 - 25:04)
Yeah. Yeah. I like what you said there about the, you're not, you're not here to make people look bad because, you know, if I was a blue teamer, I would take a lot of pride in not having any breaches or quickly detecting them and responding to them and mitigating them ASAP.
I would take a lot of pride in my work, which I take a lot of pride in my red team work too. But I feel like if, if a red team came in and just got in and out without me knowing I would have been like, my whole life would be like, dude, what, what have I been doing my whole career? You know, I've been working on this.
So I can imagine like, it's gotta be hard for a blue team or to, to go, to go through that. But if you do go through that, then like, that is definitely a learning opportunity and it just makes you better in the end. And I mean, there's, there's probably gotta be for every blue team, there's gotta be a point in time where like, you know, before they learn, like, man, like, how did I let this through?
You know? So, you know, like you said, like when it comes to red teaming and pentesting, it's the report that you write. And it's like delivering the bad news is not easy sometimes, you know, you'll find some severe critical vulnerabilities and like, you gotta kind of like, you gotta talk about like what they did good and stuff, you know, cause it's their baby, you know, they worked really hard on that network and it's, you gotta break the news to them in the best way possible.
You want to be, you want to be direct with them. You don't, you don't want to let, you know, sweep vulnerabilities on the rug or like downplay them or anything. But at the same time, it's like, you don't want to like put them down as a person, you know what I mean?
You suck. You don't want to say that, you know, it's definitely a graceful thing that you have to do as a red teamer, which is why communication and soft skills are incredibly important in this field. Even though we are, you know, as red teamers, probably the most technically savvy, one of the most technically savvy people in the industry, we have to have very good communication skills.
Yep. Absolutely. So you, you got in the red teaming without being a pen tester first.
And I want to know what you did and how you did that. Because for me, I was like, if I want to be a red teamer, I gotta be a pen tester first. And that's what I did.
I, I'm a pen tester now. And so I've worked my way towards a red teamer. So how did you, how did you make that happen?
[Mike Ortiz] (25:05 - 39:08)
Yeah. So, um, it was one of those things that, uh, a lot of being in the right place at the right time. Um, I think, uh, a lot of the stuff that I was doing within my career.
So towards the end, so traditionally I come from the network background, right? Um, uh, even back in my military days, I was always geared towards the more, the networking side, a lot of tactical data. We're doing a lot of like, uh, SATCOM shots, MUX shots, VSAT shots.
So bringing in multiple network nodes, putting in, um, equipment to push, you know, FMV and feeds down to trucks on the go and all that in that tactical comms world, you know, all kind of play together and it's all IP based network based. Right. So for me at the time is I don't want nothing to do with cybersecurity.
Why? Because DoD cybersecurity at the time was all GRC people. It was all governance compliance.
It wasn't even cybersecurity. It was information assurance. So, um, words matter and words have meaning.
And those titles definitely, they take a, a, a different type of person that traditionally for a long time, uh, was known to be non-technical policy focused. Right. You know, yeah.
Uh, I can grab your average DoD cyber workforce, IA person, and they can spit me out all the different domains of the CISSP and what it means. But if I put them behind a keyboard and put them on a Linux shell, they wouldn't know what to do. And to me, that was always like, it was always like, yeah, no, we're not those kinds of people.
Right. So hands on the keyboard, um, consistently, uh, you know, skilling up, leveling up. Um, a lot of what we started doing was shifting the focus to where we did.
We determined that, Hey, our security posture is not working. Right. Perimeter defense is no longer working.
Why? Because when we put all of our focus at the perimeter, we're not, we're not paying attention to what's happening when our number one attack surface, which is always the user. Right.
So out of that, um, growing pains, you know, things like zero trust architecture, security stacks, um, SSL break and inspect. A lot of those, uh, things kind of, uh, came out of the network world where, you know, micro segmentation, macro segmentation, right. A large groups of nodes, and then splitting those, splitting those even further down into granular, you know, um, single host VLANs, things like that.
Um, depending on, on the level of, of things. And, and a lot of that came out of the network world. Right.
Um, so, uh, I know nowadays a lot of these are buzzwords, but when you're talking, you know, 10 years ago, it wasn't, it was the cutting edge when you're talking about VXLAN implementations and, and zero trust architecture and, and, uh, SSL break and inspect. Like those were the things that were, that were hot at the time. Um, things.
Um, so a lot of that was building out security stacks, building out large clusters that can take traffic that the users are generating and not only segment, but also inspect it, right. Inspect it and make sure it's on the up and up. Um, so when you're doing those kinds of types of things, right.
If, if I tell you, Hey, I just built you this massive, you know, uh, enterprise wide security stack, that's going to be able to, uh, you know, log and inspect and, you know, break apart and inspect, deep packet inspection, run it through, uh, playbooks, running through analysis, running through all these security tools. Then I say, Hey, but trust me, it works. You know, how do you validate that?
How do you vet that when it comes time to FOC or it comes time to delivery and turnover? So working on the E&I side of things, which is the engineering and implementation, you know, we come in, we have a defined product. We're putting it together.
We are documenting everything. And then we're turning it over to the guys who do the O&M, and that's the operations and maintenance. Right.
Um, so a lot of that before we could turn it over, we had to prove that it worked. Well, how do you prove a lot of these work? Well, you start getting those, those playbooks, um, before MITRE came out, it was the Cyber Kill Chain.
So we were taking things out of the Cyber Kill Chain. We were taking things out of the CVEs. We were testing them.
We were running them. And, you know, Hey, that's how I kind of got into the offensive security world is because these things that we were doing natively inherently already, um, just to test and validate and vet that, Hey, our equipment's working, our, uh, our, our tools are working, right. Everything's working as intended or as needed, uh, was really, you know, that is how we got into that.
And of course, you know, where, when you're actually on the keyboard side of things and you're are on the, I don't want to say you're not on the blue team. Cause even the blue team is separated from what we do. We're the infrastructure guys, right?
You know, we're building your pathways. We're handling your, your campus networks, your, your architectures. We're doing your whole entire enterprise, all the branches and, and, uh, and extensions.
Um, and then the blue team is tasked with hardening and defending or monitoring. And then the red team will come in. But at the time DoD didn't really have the red team.
We weren't really, in fact, it was DoD's. I can't tell you how many times I got told, no, no, no, no. Especially when we're doing a lot of like, uh, uh, foreign military sales, FMS stuff, we're working with foreign, uh, nations, partner nations and allies.
Like, no, no, no, we don't train offensive capability. Yes, I get it. But this is not training offensive capability.
This is testing defensive capability because you can't test without that OPFOR, right? You can't, you can't, uh, you know, you can't play, do the little war game, you know, like when you're in the military and they say, Hey, you're in a FOB, you're, you're defending it. Right.
You know, I don't know how much the Air Force does it, but we do a little more like you always need that OPFOR, because if not, then you're not, your training value is not, it's not real. It's not realistic enough. Right.
If we're going to train, like we fight, right. Uh, in order to fight, like we train, we got to train, like we fight. Um, so, and on the Marine side of things, it just makes sense.
Like someone has to be the adversary. Someone has to push the buttons and someone has to, you know, uh, check all the, all the locks on the door and check the windows of, of, of that, you know, Hey, everyone's so focused on the front side, on that perimeter defense, who's, who's watching from the inside. Um, so that is how I kind of got into that.
Um, that was just the first phase. The second phase really was COVID. Um, COVID came, had a lot of time on my hands.
I was sitting at CENTCOM. Um, I had, I had, uh, I was pretty, I had just attempted my CCIE six months prior then because I said, okay, I'm going to move back to the States. I'm not going to sit for it again.
A new version was going to come out right that year. So I was like, okay, I'm not going to study anymore. I'll just take a long break.
New version comes out. I'll study that and go attain my CCIE, which, you know, the CCIE is, is the pinnacle of the networking field. Um, so I, I went and did it once I, I, I passed two of the three portions, uh, but I failed the last portion.
So I just ran out of time. Uh, so I was like, okay, I'm just done new job, just relocated. Let me not, let me not drill down in the studying too hard.
I'll catch up later. Well, never later, never came. So that year, you know, I came back Stateside and, uh, I want to say June, July, uh, that February, March, we were in COVID lockdown.
Uh, Cisco delayed the start of the new exam. Then you can't just take the new exam. You have to wait for the new exam materials.
All that got, got screwed around. So here I am, you know, sitting on night shift in CENTCOM, a lot of time on my hands, didn't need, you know, a lot of certs out there.
So I said, you know what? My buddy that was sitting next to me, uh, uh, he was like, oh, you know, uh, you, you're doing a lot of this stuff, you know, uh, maybe you might want to give it a go. And it was the OSCP.
And I said, oh, there's a lot of this stuff and stuff that, you know, I already do. I already knew Metasploit because we were doing it when we were building out CSOCs. I already knew about, you know, a lot of that stuff, but I was like, you know what?
Yeah. You know what? Let me go and get it.
You know why? My number one reason is because every time cyber division will come over and complain about something I was doing on the network, I would tell them, okay, look, I understand your Nessus scan is telling you X, Y, Z, but this is a Cisco router, not a, not a BSD device. I can't patch this.
I can't remediate this. I have to wait. It's a closed system.
So a lot of the times is, you know, as network, as networkers, we want to, we want to make connections. We want to bring in networks. We want to bring new links online, get new circuits up, get new, new routes going in, you know, bring up new enclaves.
And then the C division or cyber division are the ones that come and say, no, no, no, hold on. You got to get a STIG. You got to get a scan.
You got to get it documented. And for good measure, right? Because we can't all just live by the seat of our pants, but sometimes they will come in and they would just push that ball a little too far.
And a lot of the times I say, look, you know, you sit there where you're, you know, your CISSP, you're telling me something is, is not vulnerable, what I'm doing. And I'm telling you, it doesn't apply, but yet you have no understanding why it's not vulnerable or why it doesn't apply here, because all you're doing is just regurgitating a Nessus scan or something you read about in the CISSP or, or a NIST 800, you know, section and all that's valuable. And I don't want to take away from that, but when that becomes your sole focus and you lose sight of the mission and lose sight of what's happening on the ground, right?
First of all, everything is palatable, right? To a certain point, as long as the owner can accept that risk. And as long as you show them all the cards, Hey, this is what we have to do.
Yes, it's risky, but here is the risk matrix chart that will allocate to that, right? Then you can make that informed decision. The problem is the GRC governance guys sometimes don't understand all the cards on the table.
All they know is, well, this is real risk. We can't have it. Zero out the risk.
Where zero out the risk is not always acceptable or not always possible, especially when you're talking, you know, warfighter networks, you're talking things where, you know, if you have nodes go down, that is a loss of C5, right? Command, control, computer, you know, all of that. You lose that, you lose, you lose your ability to communicate.
Then, you know, that can equate to lives lost, you know, downrange. So those are the kind of the hard choices. So that is where I kind of said, not to go on a tangent here, but that is when that is how I got, okay, let me go ahead and formalize all the stuff that I've been doing innately.
Thank you, Lance, by the way, because you're the one that really challenged me to do it. And I got started back then. They didn't have Learn One.
It was just a PWK. And I got hooked. And I tell you what, that was the most grueling nine months of my life.
I ate, slept, breathed, OSCP, you know, everything. And it was rough because I remember I was, I can't remember which video it was. I was watching a video.
It might have been TJ Knowles, or it might have been maybe TCM on his video. He said, if you're going to start your OSCP, first thing you need to do is apologize to your wife, your friends, your family, and your loved ones, because this will consume you for the next however many days or months until you get this exam. And it was so true, right?
You know, going into work, you know, doing work, labbing on the side, going through the stuff, coming home, spending another two, three, four hours at it, going to sleep, waking up, rinse, wash, repeat. And at that time, we had the 90-day, it was a 90-day clock, right? So, you know, we didn't have the year-long subscription that they have now.
So you were even more under the gun. So every minute, every hour that you were awake, you were doing something. And even if you weren't doing the OffSec stuff, right?
So, you know, I failed my first exam. So I had like 30 days to redo my other one. I failed that one, too, by a technicality, because I uploaded the wrong report.
It wasn't a point thing. Yeah. So that's another story.
But word of advice for those of you who are attempting OSCP, when they tell you, when you get your flags and you have enough score to pass, go to sleep. Don't immediately go into report and wrapping it up. At that point, you're going to be at 30-something hours and you're going to make a mistake.
I zipped up. At the time, we had the two files. We had the lab report that you would do all the exercises for the 10 extra points.
And then you have your exam report, right? I put the exam report, I zipped it up. I forgot to include the, I'm sorry, the lab report.
I zipped it up or RARed it, right? And I didn't do it for the exam. My exam didn't make it in.
So when I hit submit, it was just my lab report for the 10 extra points. Completely missing. And I had the pass.
I was dancing. I was celebrating. It was a hard fought.
And because of a technicality, I wasn't paying attention. My sleep-addled brain, you know, just wasn't thinking straight. And I submitted it off.
And within a minute, I realized, oh, shoot, I forgot to add in my actual exam report. So sleep. No matter what you do, sleep after you get your flags and then wake up.
Then do your exam report. Then submit it. So third time's the charm.
But in between then, right, you're on a cool down. So you have to wait, right? So in there, you know, I'm going through Hack the Box.
I'm going through VulnHub. I'm going through, you know, Proving Grounds was just really getting started. So it wasn't really much of an option for us at the time.
But we were just consuming every bit of information that we could in the meantime. Which now I would say, hey, if you are planning your OSCP or something like that, go straight for the Learn One subscription. Because it really is going to take you a year just to get comfortable with everything.
[Kyser Clark] (39:10 - 40:33)
Yeah, I did an episode with, I forget what number it was, but that was kind of like part of the conversation, how much it consumes your life. Like the OSCP sacrifices are real. And it does take a lot of time.
And, you know, it's definitely a commitment for sure. And then what you said about, you know, getting your flags first and then going to sleep. You know, I just passed my OSWA like a few days ago.
And I got enough flag points, enough flags to pass. And I was, what I did was I got all of my screenshots. And I actually, I wrote the report because it was my fourth attempt.
So by the time I had my fourth attempt, like I was pretty, pretty comfortable in the environment. So I actually got enough points to pass pretty early on that fourth attempt. And I wrote the report during the exam.
I suppose the practice was watching me type in a way, just type in a report the whole time, I bet. Because I got the flags pretty early. But even then, you know, I had the whole report pretty much done.
And I ended the exam. I went to bed and I was like, I'm going to reread this in the morning because I'm really tired and I don't want to turn it in now. And when you turn it in, like OffSec has instructions on how to do it.
Just follow it to the letter.
[Mike Ortiz] (40:33 - 40:34)
Yes.
[Kyser Clark] (40:34 - 41:03)
And now, nowadays there's no bonus points. So there is only one report for you to upload for OSCP. So you can't fall in that trap like you did.
But you can still make a mistake because, you know, if you don't zip it with 7-zip, you have to use 7-zip now. If you don't zip it or if you put a password on it, they tell you not to put a password on it. Just there's a lot of rules with just the way the file structure is.
It's got to be your OSID-OSCP. Yeah, it's really particular.
[Mike Ortiz] (41:03 - 41:07)
You zip up a draft copy of your report, not your actual report, right?
[Kyser Clark] (41:08 - 41:32)
Yeah. Yep. So when you zip it up, make sure you extract it out and make sure it's the right file.
And literally quadruple check that because you only get one upload. For sure. All right.
Well, that's really good advice. Unfortunately, we're out of time. So before we end the show, I got to ask you the final question.
Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share? Oh, hot takes.
[Mike Ortiz] (41:33 - 44:23)
Yeah. For me, and I know I'm going to get burned for this, but I don't think cybersecurity, entry-level cybersecurity is not necessarily an entry-level field, right? I think that sometimes, you know, I am going through my master's program or my bachelor's, you know, when I was going through my bachelor's program, you know, I was involved with the cybersecurity clubs, right?
Titan Sec for SVC and the Pentest Club for St. Leo's. You know, sometimes I have seen where sometimes students would say, hey, you know, I'm looking at a job, but oh, it's just a help desk job, or oh, it's just a sysad job. And I'm like, what are you doing?
Take those jobs. Oh, but they're not cybersecurity. I was like, no, no, no, stop that.
You know, first of all, you know, I'm not one that's going to say, oh, well, you have to go work at a help desk. But going to work at a help desk should not be something to snub or look down on, right? That is some of the best learning you're going to get, you know, people-wise, soft skill-wise.
And you're going to show that, you know, like, not that you have to work your way up, but it gives you a good solid foundation to understand, you know, all the ins and outs and intricacies of what it is that you're doing. Sometimes as pen testers, you know, we're stuck in that auditing mode, or as red teamers, you're stuck in that adversarial mode. Sometimes you don't understand that sometimes the blue team or the system owners have no choice but to do their operations like this, because there's some kind of, you know, either financial restraints or some kind of, you know, limiting factors that you may not be aware of.
And you kind of lose sight of what it is to be on the other side of the seat when you're on the other side of that table. So, my thing is, you know, hey, you know, I know people sometimes they want to, they get, they come out of college, they get their cybersecurity degree, and immediately they think, oh, I'm going to be a CISO. Slow your roll, buddy.
You know, don't be, and a lot of them, and I think I fault academia to a bit here, because they pump these kids up for four years. Oh, you're going to do this. You're going to do that.
You're going to do that. No, you're not, right? I'm not going to hire a 22-year-old CISO.
That has never been through, that doesn't even know how to unlock an account, right? Or doesn't even know the ramifications of some of the decisions and policies he's going to be writing. So, a lot of them hold out for that better thing and missing all the opportunities that are just passing them by, where they can get those hard skills, where they can get that keyboard time and can get that time, you know, sitting with the infrastructure team, the sysad team, the network team, and understand how it all comes into play.
At which point, now, you become a better cybersecurity person in general, because you understand the ramifications of your policies or, you know, the kind of things that you want to lock down and you want to do, who's going to be affected by it.
[Kyser Clark] (44:25 - 44:49)
That's really good advice. Yeah, I couldn't agree with you more. Definitely do not look down on those help desk jobs and those system admin jobs, because that's a key to the success, and it definitely benefits you in the long term, for sure.
So, thanks for saying that. So, Mike, where can the audience get a hold of you if they want to connect with you? LinkedIn.
[Mike Ortiz] (44:49 - 45:10)
My LinkedIn's there. It's open. So, you can always reach me there.
Hit me up. I'm on all the usual groups and boards and stuff like that. Seeing, you know, I love listening to what the community is out there doing, researching topics, discussions, things like that.
So, LinkedIn is usually the best place to find me.
[Kyser Clark] (45:11 - 45:31)
Perfect. And audience, LinkedIn is also the best place for me and my website, KyserClark.com. Audience, thank you so much for watching.
Thanks for listening. If you haven't, share the show with a friend. That will help out the podcast tremendously.
So, do that if you haven't done that yet already. And hopefully, I'll see you in the next episode. Until then, this is Kyser, signing off.