BPRBP - The journey there and back again

Well, this blog post is going to be interesting. I’ll try and run through my entire work life in security, describe decisions which led me where they did, and I’m going to run through where I am now and what awaits me (hopefully) in the future.

The origin: The SOC trenches (Blue)

Like many security professionals I know, I snagged my first job in a SOC. At the time, it was the only job in security that required little to no prior knowledge; for me, that was the “help desk” stage. Many people start out in a helpdesk position; I went for the OSWP cert and then went straight for the SOC position.

As I reminisce, it was a fine job, the pay was good (for someone coming out of a teacher’s salary), and it was interesting. I had fun putting out fires, and after a while, I managed to get semi-promoted to an L1+ position. I got into a team lead position with 4-5 people in my team, and my work was now split up between doing L1 work and also making sure my team members were up to snuff and happy doing what they did.

One event that I fondly remember was being awoken from a half-slumber at 1AM (after a late shift) to a chorus of “Holy fuck, m4iler, everything is on fire!” The root cause was a misconfigured rule in the detection, but it did not stop until I called the CISO at around 2AM. This man was the epitome of professional: After a very sleepy “Hello,” I explained the situation and the man went from asleep to ready-to-go in exactly 0.3 seconds. The issue got solved 10 minutes later, which only goes to prove that going high, regardless of fear, has its benefits. If I were just calling helpdesk, they’d leave me on read. They did, several times. The CISO took one call to have the issue fixed immediately.

However, the entire time, I knew I wanted to go into the red team. I wanted to be the attacker, that’s what I was passionate about (and still am, of course). After 6 months of no word from my employer about the OSCP being available for SOC analysts, I decided it was time to jump ship. After a year and a month, I found a position for “penetration tester.” Sounded straightforward, I managed not to drop in pay, and I moved into what I thought would be a straightforward network penetration testing career.

The past: Security consultancy (Purple)

What I expected was me breaking shit. What I did not expect was the fact that security consultancy has so many facets. It started out quite slow (apparently, “we have a security team” means “they’re all online in another country”), and all I got to do were labs on Portswigger. After the initial slowness, things picked up a bit, definitely in a direction I found a good interest in: Anything and everything a client wanted. I felt appreciated, I felt like I accomplished something every time I hung up. There were fuck-ups (I spent 2 days at work during holidays because apparently, not all countries have the same holidays).

When I started there, I felt like it was going to be for a year, year-and-a-half tops, and then off to another, better paid position, leveraging my skills each hop of the way. The thing was, the pay kept creeping up nicely (every half-year I got a raise) and so there was no rush. I also would have missed the people there (which I do now, considering I don’t work there anymore), but I managed to keep in touch with most, even though only limited to a message every now and again. What was supposed to be a hop that would take a year turned into three awesome years filled with fun and excitement. I got to do pentests of webapps, devices, cloud services, consulting on issues such as active defense strategies, and to top it off, I got some hands-on skills doing ISO27001 help! It was like working in several positions at once, never doing one thing until it became monotonous. It was the buffet of work, and if you ever consider a startup that does security, I can wholeheartedly recommend it.

I got to work with amazing people, and found out that Finns (contrary to what people say) can be a very welcoming bunch of people. They are the dictionary definition of “work hard, party hard.” And who can blame them, with the night lasting half a year, right? They are capable of staying calm at all times, but jump into action whenever there is a thing that needs doing. No issues, just team spirit. Seriously, I’d go into a firefight with any of them, mostly because some of them actually were in the army! Every Finn knows their stuff, and if you get through the no-nonsense exterior, you will find a kind-hearted person, at least that was my judgement from my team.

I know some of my former colleagues from this company read my blog. If you’re reading this, bröther, no wörries. I’ll be fine, and if you’re ever in town, come visit!

The very recent past: Full-on red team and overeating (Red)

After three years of this, I thought I’d move into a position that has more of the hacker vibe. Less general consultancy, more… just hacking, you know? So I applied for another position, where things started out just peachy, but after 3 months, I was given a task. My probation period was coming to a close, and I was told to “finish 90% of the Portswigger medium-level labs” before the end of the month. Cool, it was stressful, but I managed to go through it. The next day, I was told I was “not learning fast enough.”

My main problem? I went down in pay and up in stress. The fact was magnified by the fact that less pay equals more stress in other parts of your life. The other problem was overeating. The first penetration test that’s actually quite free and done with another person in the same room is fine, but after several other pentests, most of which go the exact same way, it starts to feel same-y for me. I never thought I’d say it, but real-life pentests are nothing like the boot-to-root boxes I did in the past. Sure, the vulns are the same, but sometimes, you get a client who says “well, this is all for compliance. We’ll put this in a drawer and not worry about that anymore. Have fun!”

This is the moment in my life where I need steady. I know I’m not too old, but with my skills, I was not doing the thing I loved: Helping clients. As a former teacher, I long for the moment where a person’s eyes light up with understanding, where information is transferred, where you know you’re on the same wave as the person you’re speaking to. That was the thing I missed when the only contact with a client was my sending a report (which I never sent, it was someone else’s job) and then never hearing back from those people.

The present: Picking a boss (fight)

After my premature evacuation from the last company, I bit down. That was a bit of an ego boost (3 hours after hearing the news and signing the paperwork, I got 3 people telling me they’ll hire me back). Finnish boss was mad (the word “dickheads” was mentioned), but I told myself that this time, I’d do it right. I put 20% on my current pay, made it my lowest asking price, and went on the job market.

Some companies got back to me immediately, some didn’t until 2 days ago. I was scared, as everyone is, and I can tell you, the local unemployment office is not a place you want to be at. I made it my goal to be back at work by May 1st, and I’m happy to say I actually managed to do that, against all odds! Lucky me, I’d hate being unemployed for longer, I’d go obso-1337.

If you’re reading this and currently unemployed, I urge you: Look up some courses in your country that may apply to where you want to go! My country has a series of requalification courses, some of which are more than just “chainsaw 101: How not to chop off your limbs,” there are actual security courses with certifications. I am getting an ECIH in May, for 20% of the price I’d have to pay if I were buying it on my own! Apparently, my country supports learning to the tune of $2000 every 3 years, and that, to me, is plenty.

It took me 22 days to find a new position, and I’m moving to a SOC room again! This time, I’m L2/architect (after applying for an L3 position), but there will be some fires to put out, and that’s the fun stuff! The guy in the interview was very similar to my consultancy boss, the only thing missing is him being in a band.

The future: Back to blue, purple will follow (Blue & Purple)

The short-term solution is SOC. I’m excited, since it will be more than just putting out fires, but also finding out new information and creating rules. This means that I will not just have to “follow the rulebook,” but I’ll also get a chance to read up on the cool new stuff and make rules that will help others.

This is only the short-term solution, though, as I believe I may have seen the light at the end of the security tunnel, a perfect balance of what I enjoy and what I’m good at: DFIR. Digital Forensics and Incident Response, the closest I believe I’ll get to being a defender, helping people, and getting an adrenaline fix along the way. I believe that DFIR is a place where I will do SOC-level stuff (resolve incidents), but also use my attack skills, however bad they may be. As someone much smarter than me once said: “Who can tell you where a sniper would be? Another sniper, because that’s where they would be.”

It’s going to be difficult, but I believe that this is where the hitman-level business is. Be on retainer, and show up in a burning building where everyone is losing their shit. This job needs you to be cool, calm and collected, do what you need to do and not kick up dust on the crime scene. Sounds fun, in my opinion, and a good way to get good at something. It’s going to give me a dose of adrenaline and make me feel more useful than just “one of the SOC team.”

It’s going to be something, and the ECIH seems like a good start. It showed in the interview for the L2 SOC position: the guy basically sat me down in front of a laptop and told me “This is the story. This person had Linux installed on their laptop by someone and now they’re complaining their data showed up online, and their passwords are getting used. What do you do to find it?” I managed to find out everything that could only be found with an internet connection and ClamAV. It was the most fun I had in weeks, and it was interesting to see how my future boss would install malware on someone’s computer.

In closing: Future’s looking bright!

If you’re unemployed, don’t be discouraged. Everyone finds their groove one day. At this point, I am not in the niche I want to fit into or carve for myself, but I’m getting there. It’s not going to be a day-to-day thing, but a boy can dream. When I grow up, I want a job where I will help people and get an adrenaline fix.

My blogs from May onwards may include some more blue-team stuff, but hey, it’ll probably help red-team people as well! I promise to keep you in the loop for all the sexy goodness that happens in the blue-team side, and you send me over some cool 0-days I can look at.