Career Notes 5.15.22
Ep 100 | 5.15.22

Eric Escobar: Collaboration is key. [Pen tester]

Transcript

Eric Escobar: Hey everybody, my name is Eric Escobar. I am a penetration tester, which basically means I break into a corporate networks on the daily basis.

Eric Escobar: So I always wanted to be an engineer of some sort. Wasn't quite sure what kind of an engineer. I grew up playing with Legos, building things, taking things apart. So it was, uh, one of those things that it was a pretty easy thing when my family was like, you know, you should go to engineering. I was like, hold on a second, I can get paid to do what I just do for fun, like that sounds kind of cool.

Eric Escobar: So I took a, like a survey of engineering class when I was in high school and, uh, my, my toss-up was like computer science/computer engineering and civil engineering, which are far different ends of the spectrum. Um, and so I basically like pick between the two of them and I picked civil engineering. So, uh, I went to school and I got a four year degree in civil engineering and a master's degree in civil engineering, um, and started my professional life as a civil engineer and now I'm a registered civil engineer in the state of California. So I could still technically build a building, build a hospital, build a, you know, whatever, whatever you need to. But, um, yeah, just took that degree and leveraged it right into cybersecurity.

Eric Escobar: I've always loved computers. That's why my second choice was going to be like computer engineering or computer science something along this lines, and it was one of those things that as, as many situations happen, your roommate from college comes home and you're like, oh, I want to do something fun, like what are we gonna do? Go over to his parent's house, um, managed to break into their wifi or to do some, you know, like nefarious hi-jinks that's completely harmless, his dad gets home and it's like, whoa, how did you guys like, what'd you guys do. Uh, and you know, I would come to find out later that he is like the, you know, director of security for some cybersecurity company, uh, in California, and he's like, how about I replace your engineering salary and you come work for me in the cyber security arena? I was like, okay. But I don't know anything. He's like, trust me, if you could do whatever hi-jinks we did you know, enough to get started, your mind is in the right place. So make the hop and I haven't looked back since.

Eric Escobar: So, uh, went from being a civil engineer to working on like the blue team or, you know, defensive, uh, team for a company called Barracuda Networks. And then basically I just got involved in the whole like infoSec, so information security like culture, we did, you know, went to DefCon went to a bunch of different conferences. Um, and at one of these conferences, I, you know, it was just chatting with somebody and, uh, you know, we hit things off and he's like, Hey, if you, if you're ever interested in moving over to the red or the offensive side of things, um, you know, we'd love to interview you. So you know, a couple, a couple of interviews later and I started working in an adversarial role, um, at Secureworks, which is currently where I am now and it's the absolute dream job, a hundred percent.

Eric Escobar: I basically just make the analogy of, of I'm a bank robber for hire and companies will come hire Secureworks to try and break in and steal everything that they hold dear, right. And all companies are different. Um, and you know, on any given day I commit several thousand felonies, if I didn't have permission to do what I do. One week I could be breaking into a literal bank, the next week I could be breaking into, you know, some type of tiny hardware, um, or just a website, right? When you work in one level of like security or like you work for a company in security, you typically deal in only what they deal with, whereas in my role, since we go through so many different companies, testing their security, you get to see the inside of several dozen networks maybe in a given month, right, and so it's, it's awesome cause you get to learn really quickly on your feet. Um, and yeah, you're, you know, any, any type of expertise, it's really easy to say like, hey, I don't know, but let's learn like, you know, learn by doing kind of a thing.

Eric Escobar: The best personality trait is curiosity. Um, because you know, there's sure there's a lot of items that you have to like go through and, you know, check the box to make sure that you did it correctly, but there's always that like, huh? I wonder if I did this, how would either the program, the hardware, the website, how would it respond? Then from there, I feel like if you have the natural curiosity to say, how does this work and what happens if, then it kind of blossoms out into like, whatever other personality trait that you have. You know, our team is filled with, the most weird ragtag group of people, you know, you have a civil engineer like myself, we have RV salesman, we have physicists, we have electrical engineers, we have, gosh, I mean, you name it, everybody has those weird quirky traits, and I think the one that unifies all of us is we're all curious about how things work and that's, what's really nice is that there's no one, there's no one like archetype of, of a hacker pen tester. It's it's completely across the board.

Eric Escobar: I think the collaboration piece is key because there's nobody that knows everything, right. There's no one that even knows 10% of everything. You know, that like, if you need to get on the phone with somebody, hey, this person's a real smooth talker on the phone. Let's pick them up and so having just that, you know, the list of skillsets as they go across the board. So pulling from everybody's life experience, and then everybody's also spread across the globe and that's, it's all, you know, a whole other crazy thing to deal with time zones. And it's like, you know what, let's tap on the Japanese team to see if they've ever encountered, you know, X, Y, or Z, and so that collaboration is absolutely key, especially when you don't know everything.

Eric Escobar: Just start, you know, just start listening to security podcast, just to learn the vernacular of like what words are commonly used and how things are phrased. Um, and then just start, you know, going and looking for either, if you want to get involved in like a bug bounty program, or if you don't know anything at all, and you're starting from scratch, there's like $30 courses that will walk you through you know, your first years of pen testing from, you know, setting up a full, active directory domain and how to compromise in common misconfigurations. I've had oh, gosh, maybe three or four personal friends now that have come from all walks of life that have gotten their OSCP or in progress of getting their OSCP. And even just, if they're in progress, it's led to jobs where, you know, one of them used to be a former pastor and now he's in information security. So it's, um, uh, you know, there's a whole bunch of different windy paths, but really the first thing is just get started, learn how people talk about, you know, in the industry and then go after a certification if you can. My whole thing is like, if we can just teach people in a fun way like that'd be great.