EPISODE 61
SKILLS-BASED CERTIFICATION AND TRAINING WITH JOHN STRAND

About This Episode


In this episode, we talked with John Strand (Founder of Black Hills Information Security and Antisyphon InfoSec Training) about the importance of skills-based certification and training. John’s goal is to provide world-class skills-based training to everyone at an affordable price using a unique pay-what-you-can model.


Skills-based certifications differ from traditional certifications in that they do not use multiple-choice exams to test your knowledge of the material; instead, they require candidates to prove their knowledge through real-world, work-related exercises. These skills-based certification courses are short in duration and extremely hands-on in nature.


During this discussion, we explain the differences between ANSI-based certifications and non-ANSI certifications. The importance of certifications in general to hiring managers and human resources teams is also discussed, because large organizations rely on these ANSI-based certifications. Smaller organizations, though, like Black Hills Information Security, which has under 100 employees, don’t necessarily rely on certifications to find qualified candidates.


Cyber deception was also discussed, which is a way of setting up honey tokens in your domain servers to identify hackers, attackers, and penetration testers when they try to break into your system. John provides three quick tips to implement cyber deception in your network today!

What You’ll Learn

  • The importance of skills-based certifications
  • The difference between ANSI and non-ANSI certifications
  • How to use honeytokens and canary tokens to detect an attacker quickly


Relevant Websites For This Episode

Episode Transcript

Audio:                   

                        Welcome to Your Cyber Path, the podcast that helps you get your dream cybersecurity job by sharing the secrets of experienced hiring managers and top cybersecurity professionals with you. Now, onto the show.

Kip Boyle:                    

                        Hi everyone, I’m Kip Boyle. I’m here with my co-host, Jason Dion. Well, thank you for joining us here in the episode. Hey, we’ve got a great guest for you today, it’s John Strand with the Black Hills Information Security. John also is a ringleader in a couple of other places that we think you ought to know about, one of them is Wild West Hackin’ Fest which we’re going to talk about some other time. Today, what we want to talk about is a new skills based certification program that John and his team has created, it’s called Antisyphon. John, welcome to the podcast, would you introduce yourself?

John Strand:                

                        You bet. I’m the owner of Black Hills Information Security. I was a co-host and still am, I think emeritus for Security Weekly. So I see all these podcasts and I’m like, “Oh, it’s my children and grandchildren.” And I taught for the SANS Institute for about 15 years, I was a senior instructor with them. And now, really trying to focus on trying to make cybersecurity accessible for the rest of the population that just can’t afford to get world class security training, and that’s really what we’re trying to do.

Kip Boyle:                    

                        That’s great. Now your company is called Black Hills Information Security because you live in the Black Hills, right?

John Strand:                

                        Yes. That was a mistake. So whenever we moved home, I was living in Denver, Colorado, and Northrop Grumman wanted me to travel all the time to do consulting. And I was teaching for SANS quite regularly, and my wife and I were like, “We don’t need to do that. We don’t need to proudly serve corporate masters.” So we moved to the Black Hills and the idea was we would name the company Black Hills Information Security so everyone in the Black Hills knew we were local. To date, Black Hills Information Security has three customers in the State of South Dakota out of about 650 per year. So yeah, that’s how we ended up with Black Hills Information Security, so that was a mistake but I think it’s good.

Kip Boyle:                    

                        I don’t know. Yeah, I think it was a good mistake because there’s zero chance anybody else is going to conflate you with anybody else, right, so that’s good.

John Strand:                

                        “Oh, you could be owned by Chris Nickerson?” “No, that’s not us. No.” Yeah.

Kip Boyle:                    

                        And you’ve got Wild West Hackin’ Fest happens in Deadwood, right?

John Strand:                

                        Mm-hmm (affirmative).

Kip Boyle:                    

                        So I heard you talk on another podcast about the vision for a conference that would actually require you to not travel very much, right?

John Strand:                

                        That was a bet actually between my wife and I. So she kept on trying to convince me to convince the SANS Institute to run a class here in Deadwood, and there’s no way that would happen, like ever. And after I retired from the SANS Institute, she still was pushing that. She goes, “You do all these conferences, you should totally do a conference here.” And I’m like, “That’s not going to work, hun. No one is going to want to fly to South Dakota and attend a security conference.” Turns out she was right, I was wrong. That’s a huge spoiler, I think for people like, “I didn’t see that coming.”

                        But I think our last one, we ended up with something like 850 people that flew in to Deadwood, South Dakota to hang out and do a conference, and we give a free steak dinner to everybody. We put on either a nerd core rap show or Beau and I will do a metal set. We do all of this stuff because we’re desperately trying to break even or lose money in this conference just because it’s so cool to get everyone to come here. We try to make it the best security conference on the planet. Yes, Bruce, Heidi, I just called you guys out, and as cool as ShmooCon is, they’re not giving steak dinners to people. And we really, really want to make sure that we reward people for being willing to make the trek out here.

Kip Boyle:                    

                        Well, I was trying to come out this last time, but of course COVID, right, so I had to-

John Strand:                

                        Well, we had it right after the rally and I don’t know, bringing in 500,000 people, we saw our hospitals were completely at capacity and we were noping the hell out of doing this conference at that time.

Kip Boyle:                    

                        I think that was the right call. I was totally comfortable with that, so I was like, “Well, that’s all right. I’ll let the calendar spin and I’ll get up to date next time,” right. So it’s no problem.

John Strand:                

                        Well, San Diego is coming up I think in March.

Kip Boyle:                    

                        I’ll be at San Diego. Yeah.

John Strand:                

                        Yeah, I think that’s when’s going to happen, I think.

Kip Boyle:                    

                        As long as we don’t stay virtual, but eventually, right, we’re going to meet in-person again, so.

John Strand:                

                        Yeah.

Kip Boyle:                    

                        Well okay. So thanks for taking a moment to tell everybody who you are, what you do, really appreciate it. Well, let’s start talking about Antisyphon training because that’s really what I think people want to know about and I want them to know about it because I think it’s a valuable resource. And in another venue, we’re going to talk about Antisyphon to hiring managers, right, because that’s the other side of the equation, right? Because if we want folks to consider taking advantage of this new certification, well now we got to get hiring managers to recognize that it’s valuable, right? So we’re going to have that other conversation some other time, but I just want to let everybody know that’s a valuable part of the conversation that is going to happen. But John, why did you even start this? I mean, what’s going on in your head?

John Strand:                

                        COVID actually. So COVID. So I had traveled for a long time and I taught anywhere between 12 to 17 times a year. Towards the end, I was down to nine. And I had been away from my family for a long time. And whenever I retired from that, I was ready to be done. I don’t want to get on airplanes, I don’t want to teach. I was talking about it earlier with somebody about the InfoSec luminary, the InfoSec rock star thing, there’s a bunch of people, that’s not me. And I’ve come to peace with being ‘luminary,’ being a rock star, whatever the hell it is that people want to do it and I was cool with just never doing that again, ever.

                        And what happened was COVID hit and at Black Hills Information Security, at the time COVID hit, I think we had 68 employees and we are now 90 something, we’ve grown quite a bit. And whenever something happens where all of a sudden, every single engagement is canceled over the next 30, 45 days, you panic. And being a monkey that’s lost its tail and came down from the trees, you start throwing poop at the wall and seeing what sticks. So we’re like, “How are we going to make money? How are we going survive as a company? And how can we open up alternative revenue streams?” One of them was starting a security operation center, which has been also successful, that poop stuck, and then we did training. And when we started doing the training, we’ve really focused on people that were at home, they couldn’t go into the office, and people who were unemployed, and making that training as accessible and the PayWhatYouCan model to make it just easy for people to get in. And it stuck and it took off.

                        The first time we did the PayWhatYouCan.Training, we had 5,000 people, that’s a lot of people. And then we moved into cloud and all kinds of other stuff. So it became a revenue stream for BHIS and for our testers and the people that wanted to do this. Not that we needed it at the end of the day for COVID, everything worked out really, really well for the company, but it all started because we were panicky and we started doing things. Because it has been so successful, as a business owner, I’d be an idiot if I’m like, “Well that’s done, let’s move on.” We’re going to keep going.

Jason Dion:                  

                        So John, let me ask you this because some of our audience probably doesn’t know about Antisyphon, and what that training is, and how it’s different. So a lot of the audience already knows me. I do a lot of certification training, it’s a lot of book work, it’s a lot of memorization, it’s a lot of passing an A, B, C, D test at the end of the day to say, “Hey, I know enough to be a basic level cybersecurity analyst or a basic level pen tester,” or something like that. How is your training different? What does it look like to the end user?

John Strand:                

                        So a couple of things, one, the quality of the training is going to be on par with any other training organization you’ll take training from, but the difference is instead of it being long form, we really try to stick to focused, like two day maximum sessions, right? So if you’re going to do Breaching The Cloud W/ Beau, it’s going to be a two day session. If you’re going to do Webapp Pentesting essential skills W/ BB, it’s going to be a two day session, keeping it really hyper focused, number one. Number two, hands on are huge. We’re huge believers and you just can’t learn just by Death by PowerPoint, you need to have people get hands on. And for me with our classes like Applied Purple Teaming W/ Jordan And Kent, you’re learning how to do purple teaming, and running these tools, and detecting these things in an environment and making sure it’s as hands on as possible for the different labs.

                        Now there’s lots of training that does that. On the certification side, that’s where things are getting a bit different. One of the things I would like to see more of is that skills based assessment that is no longer, as you said, the A, B, C, D. Look, there’s value in that, there’s no question that there’s value in that. But I think the better assessment of skills for the people that we’ve been hiring is, when we hire pen testers and they’re like, “I’m ridiculously high on Hack The Box. I’m ridiculously high on TryHackMe. I’m ridiculously high on MetaCTF,” who’s our partner on creating the cyber range and everything, those people perform. Even something like the Holiday Hack Challenge, which is coming up, from Ed Skoudis and Counter Hack where somebody says, “I’ve solved all the Holiday Hack Challenges over the past five years, here’s my solution writeups,” that’s applied and that’s something that I think that we need to start focusing more on in the industry as a whole.

Jason Dion:                  

                        Yeah, I love that. And I’ve seen a big change in the industry in recent years when they’ve tried to get away from A, B, C, D, and more into skills based training, but they’re not a hundred percent skills based yet. There are some certifications out there that try to do that, and we can talk about why that has or has not been successful.

John Strand:                

                        And I think that that’s a good conversation, let’s dwell on that.

Jason Dion:                  

                        Yeah.

John Strand:                

                        One of the big reasons is, a lot of the certification programs are completely wrapped up in being an ANSI-certified certification, right?

Jason Dion:                  

                        Yes.

Kip Boyle:                    

                        Mm-hmm (affirmative).

John Strand:                

                        So there’s rules. It’s got to be proctored. You got to have this, you got to have that and you got to have this. And honestly, I don’t think anybody cares about ANSI. Whenever you’re hiring somebody… At BHIS, we don’t get together and go, “Well, did he take an ANSI certification?” No one cares. It’s like that scene from Jurassic Park, it’s like, “Hey, your ANSI is certified.” See, no one cares. And then they talk about cheating, right? “Well, somebody could cheat, they could do this. It’s like bad people are always going to do bad things.”

Jason Dion:                  

                        Oh, definitely.

Kip Boyle:                    

                        That’s why we exist.

John Strand:                

                        That’s why we exist.

Jason Dion:                  

                        I think one good-

John Strand:                

                        Touche, touche.

Kip Boyle:                    

                        Somebody was doing it the non-ANSI way, right, and doing a skills based training is OSCP, right, the hacking cert, right?

John Strand:                

                        Yep. Yep. Well, and even there fighting it because remember, there were people that you could hire in India, and they got really good, and they would take the test for you. So now at the OSCP they’re like, “Well now we want everyone to turn on their camera and we can watch them.” I’m like, “Totally not creepy at all.”

Kip Boyle:                    

                        Yeah. My wife had to take some certification exams to become a public school teacher and that’s what she had to go through as well. She did it one time and after that she’s like, “I’m not doing that again. I’m going to put on my mask. I’m going to the testing center,” because that was such an awful, awful experience that she had. But John, I think one of the reasons why the basic certifications aren’t necessarily of interest to you at BHIS is because, well, you don’t have a separate HR department, would be my guess, right, where there’s an applicant tracking system and a bunch of gatekeeping that’s going on, right? And so I think that if you are somebody who’s seeking cybersecurity work at a very large organization, well, that’s something you’ve got to figure out how to navigate, right?

                        So if all you had were skills based testings from Antisyphon, then you might not be able to navigate all those wickets in applicant tracking system at this point today, right? But that gets back to the whole idea of once hiring managers realize that this is a thing they can go to HR and say, “Hey, I want you to put the Antisyphon terms into the applicant tracking system so that you can key those on the resume and float those out. Because I agree with you, John, I have a team of people, I operate as a virtual chief information security officer and what I care about is people who can solve problems.

John Strand:                

                        Yep.

Kip Boyle:                    

                        And what are the proxies that let me know that they can solve problems and an A plus, or a network plus, or security plus isn’t enough to give me that assurance.

John Strand:                

                        And you know what’s happening with a lot of these certifications.

Jason Dion:                  

                        I come from the DOD-

John Strand:                

                        Oh, go ahead.

Jason Dion:                  

                        Oh, sorry. I come from the DOD contracting world, right, and the DOD in government sector. And they have rules, and the 8570 that says, “You must have this cert,” right? So if you don’t have Security+, you’re not getting hired, right, that’s part of job description. Yeah.

John Strand:                

                        You want to know a little bit of inside baseball about the 8570?

Jason Dion:                  

                        Yeah. Go for it.

John Strand:                

                        I’m more open with stories that I tell about these things. So years ago, a long, long, long time ago when 8570 was just a wee baby, they reached out to all the certifying organizations out there like Security+, and they reached out to ISC, and they reached out to SANS. Stephen Northcutt, who was running the SANS Institute at the time, brought together the greatest minds of the SANS Institute. Like you’re like in a room, it’s like Kung Fu Panda. You got like Eric Cole, Ed Skoudis. I’m the fat panda, I’m like, “Why am I here? I’m not a tiger.” And there was a tremendous amount of thought, and care, and love that went into deciding which cert would be at which level, would be level one. This maybe can be level three. This can be level two.

                        I’m not kidding guys, it was a lot of thought. And I’m not being facetious, it was a lot of thought. When it came out, a lovingly thought of level one classes, level two classes were there and there was the CISSP, it was tech level three and management level three, it was booyah! And we were just like, “What the hell just happened in this entire thing?” So it’s funny how that 8570 thing came about and how certifications got at the level that they did. And once again, SANS was trying to do the right thing and other people were just like, YOLO, sucking it and just dropping it at the highest levels.

Jason Dion:                  

                        Definitely. And I think this goes back to Kip’s point though, right? In a lot of large organizations, if you’re going to try to get a job in the government, you’re going to try to get a job at a government contractor. If you’re a military employee even, you have to meet the 8570 requirements, and so because they’re on that chart, those certs become powerful. And that’s one of the things that I’ve seen that OSCP has struggled with, they are not on the chart, but CEH is, and you and I both know CEH is in my opinion, a garbage cert, right? I mean, anybody can study a test dump and go take CEH this weekend and pass it, it’s not hard. But it takes a lot of effort to actually pass the OSCP but yet, because it hasn’t made that cut, it’s not valued by HR managers.

John Strand:                

                        Well, and I think one of the things I’d like to ask you is I think things are changing, right? Because the hiring process in security has pretty much been for a long time, standardizing mediocrity. Basically like you said, we have certain certs that may or may not be garbage, but they’re not as high and good as other certs, but we’re creating something for HR to create a filter, right, so standardizing mediocrity across the board.

                        But it’s weird, the last Wild West Hackin’ Fest, I had people coming up to me because they took my Intro to SOC, Intro to security training class. And I had these three people, separate people come up to me and they’re like, I literally got a job specifically because I said I took your class. And I’m like, “What the hell?” No certification, right, there’s no cert with it. So I think what’s happening is the organizations who know know, and they’re starting to put a little bit more effort into it. And even the larger organizations, I think the people that are hiring for their position, not the HR managers, but the actual manager managers are being much more invested in that process than just letting HR deal with it.

Kip Boyle:                    

                        Okay. I don’t think there’s any doubt that a hiring manager wants to get people who can solve problems now, but they struggle because the recruiters, whether they’re internal recruiters inside the HR department or the external recruiters, they’re doing more traditional filtering based on keywords that are embedded in resumes. So Jason and I, when we teach people who want to break into cybersecurity or want to level up into a promotion or something like that, we always tell them, “Look, do what you can to get through ATS. Get those keywords in there,” we teach them that. But then the other thing we teach them, which is really what Jason Blanchard also teaches, and God bless him, right, is how do you actually get yourself in front of a hiring manager as an alternative or as a second path to applicant tracking, because that’s when you’re going to have a conversation like, “I took Antisyphon training. These are the courses that I did.” And that hiring manager, right, if they’ve heard of what you’re doing, John, that’s where the value is going to pop.

John Strand:                

                        Yeah. Yeah. I just keep wondering, there’s a, I can’t remember what it’s called, but I think it’s SAG, Screen Actors Guild, right?

Kip Boyle:                    

                        Mm-hmm (affirmative).

Jason Dion:                  

                        Yes.

John Strand:                

                        And when people are applying for roles in movies and in TV, you have to hire somebody who’s SAG or you have to be willing to pay a fine and then bring on that person, whoever acted into SAG. So it’s really hard to get, if you’re a new actor or actress, anything if you’re not SAG. And what a lot of actors and actresses do is on their resumes and stuff, they say, “I’m SAG eligible.”

Kip Boyle:                    

                        Yeah. Yeah.

John Strand:                

                        That’s what we need to do: “I’m CISSP eligible.”

Jason Dion:                  

                        I’ve seen that when I was hiring for positions, and I actually talk about this in our course that we have. I was hiring for a position and it was a DOD position, so it required that they had CISSP because it was a level three management position, right? And I got thousands of applicants, HR narrowed it down to 83. Out of those 83, 3 people were CISSP certified, right? But the other 80 had written, CISSP, took a bootcamp in X, Y, Z, studying for my CISSP, something like that. So it got to me. And then as a hiring manager, I said, “You don’t meet my requirement,” and I threw them aside and I went from people who actually had CISSP. So it will get you to a point-

Kip Boyle:                    

                        But in my case, right, where CISSP desired, I might have said in my job posting, right, but then I’m going to see all these other people that, “Oh okay. So they were smart enough to get through the filters on HR. Well, that takes a little doing, right, that takes a little thought, and a little effort, and a little application, I like that.” I would probably look at them and at least they’d get additional consideration.

Jason Dion:                  

                        And that’s why hiring is so hard, right, because it’s completely different depending on where you come from and what your background is, right?

Kip Boyle:                    

                        Absolutely. Mm-hmm (affirmative).

John Strand:                

                        Yeah. I had one person that applied and he had a cert from, I think it was Immunity, that was not a CISSP. So Immunity had these weird certs, like their no-op certification like if you showed up to their booth, this is 10 years ago. And you could write an exploit on the fly within 15 minutes. You could get a no-op certification. You can get a button in a certification, not a CISSP. And I’m going through his resume and it’s like, not a CISSP and then it says no-op, and I’m like, “You’re hired.”

                        Just because once again, that’s tribal knowledge, right, how do you transfer that to the hiring department at Booz Allen Hamilton? They would lose their minds. So if they say they’re not a CISSP, then that’s probably not good. But if it says it’s this thing, if it’s no-op, and then they have this, and then they have this, and then they do these things, and if they make any dead beef references, what? “Yeah. Do they mention dead beef anywhere in their resume, it needs to get to me immediately.” It’s like, “What do you mean?” “Just send it to me,” right? It’s just weird.

Jason Dion:                  

                        Yeah. Going back to your training, I wanted to dig into that a little bit more. So you had mentioned the two day micro courses focusing on a specific thing, whether it’s Intro to SOC, Intro to pen testing, webapp hacking, whatever that thing is. In that, is that a video based asynchronous, or is that a live nine to five each day with a live instructor for two hours and doing labs? What does that look like?

John Strand:                

                        Both-ish. So up until recently, it has been instructor-led. And you guys probably know more about this than I do, but I was cool with that, right? They get up, they present, they teach 80 people, or some of the stuff that we do it’s PayWhatYouCan, we get in the thousands. Chris Brenton has some that consistently pop 3,000 to 5,000 people, which is just mind blowing. And we had people constantly saying, “Well, do you have anything on demand? Do you have anything on demand? Do you have anything on demand?” And we’re like… So in the next 30 days, we are going to be converting our number of our classes to on-demand as well.

Jason Dion:                  

                        That’s awesome.

John Strand:                

                        There will be live. I love live. Most of our on-demand classes are going to be live, recorded with Discord-

Kip Boyle:                    

                        15 years of SANS instruction. I wonder why he likes live.

John Strand:                

                        Yeah. Oh, my God. I’ve had companies that have approached me. They’re like, “Could you just teach, and then we put you in a box and we write you checks?” And I’m like, “That sounds like it sucks. Why would I do that?” But because there’s been a huge demand for it, we are going to be moving to an on-demand platform. But you’ll get access to the Discord server, the labs, the instructor, and everything, which is what every on-demand platform tells you.

Kip Boyle:                    

                        I’ve got to compliment you, John, because you’re listening to the market and a lot of companies don’t do that. And it’s the easiest thing in the world, just listen to the market.

John Strand:                

                        You know how much that hurts me. Oh my God.

Kip Boyle:                    

                        I mean if that’s what they want. I mean, we’re all about serving, right? I mean, we want to serve, and if our customers want us to serve them in the way that we wouldn’t necessarily choose. I mean, you can be purist, I suppose, and denied, but I really appreciate it when companies are willing to be flexible and serve people the way they want to be served. I mean, it’s not unethical, it’s not illegal, let’s go ahead and do it. So anyway, I just want to compliment you for that.

John Strand:                

                        No. And I think you’re being a little bit facetious, but you know how hard it is for me, right, to make that leap.

Kip Boyle:                    

                        Yes, I do.

John Strand:                

                        It really is because I’m a purist at heart. But like you said, one, I suck at capitalism. I don’t suck that bad at capitalism. And then two, like you said, people want it. I have people like, “I live in Mongolia. I am not going to get up and listen to you rant at 11 o’clock tonight until three o’clock tomorrow morning.” I’m like, “Good point.”

Kip Boyle:                    

                        Yeah. Yeah.

Jason Dion:                  

                        And you know I am actually really surprised that you guys started out with live being that you’re doing a pay as you can model, right? Normally, the whole goal with a pay as you can is try to get your cost as low as possible so that you can put this out and scale it as many people as possible. And doing that live is really hard because you got to pay for that instructor and these guys are expensive because they’re qualified and they know what they’re doing, right?

John Strand:                

                        That’s one of the fun facts. We have former SANS instructors that are doing this. My big brother Chris Brenton who taught the firewall perimeter protection class at SANS and he was a fellow. He does his class Pay What You Can. Joff Thyer who taught all kinds of classes in Python for SANS and myself are doing it. And couple of things, one, guys the energy of teaching 3000 people and they’re all on Discord. And then they go on to this, it’s this weird thing we’re like, “We’re going to make John laugh with SpongeBob Squarepants memes while I’m teaching.” I’m getting choked up thinking about it, it’s magic.

                        And when we started the PayWhatYouCan, we started it and it had a lot to do with scholarships, it had a lot to do with diversity. So we’re always fighting this thing in the industry of, how do we get more diverse people, different race, religions, sexuality, color, whatever, because diversity of thought is important. And no one ever really talks about why. Everyone is like “Diversity is important.” Why? And they’re like, “Because I saw it on a book.” But the reason why diversity is so important is because, I’m just going to use some examples. Look at music, if you look at pop music, it sucks, it’s bad. If you look at any huge explosion in music, it’s always a fusion of different things. You’ll take Celtic music and you’ll fuse it with African blues, and you start coming out with harder rock and roll. Or you do a lot of acid and you come out with Pink Floyd.

                        But the point is, whenever you have diversity in art, whenever you have diversity in music, you come up with things that you didn’t even know could exist and you can solve problems. So with diversity, everyone is like, “Scholarships,” and that’s great for the people that get the scholarships, it doesn’t change the damn game at all. You give a few scholarships to people of a certain group or whatever and then you do the photo op, “Look at us, we’re diverse,” doesn’t change the game. But when you do PayWhatYouCan, wherever you’re coming from, wherever socioeconomic status, whatever race, religion, creed, sexuality, whether you’re coming out from the mountains of South Dakota and you haven’t taken a bath in weeks or you’re coming from the inner city in Chicago-

Kip Boyle:                    

                        And haven’t bathed in weeks.

John Strand:                

                        It’s always about money, always. The gate is money.

Kip Boyle:                    

                        Yeah.

John Strand:                

                        We remove that gate, and dammit, let’s change the game. But the weird thing is getting to your point with this long-winded, rounded thing. And I had a point, I’m sorry I just forgot it for a second. But the point of all of it is when we did that and we got those thousands of people, I made more in four days than I did in an entire year of teaching for SANS.

Kip Boyle:                    

                        Which is no small ticket item.

Jason Dion:                  

                        Yeah.

John Strand:                

                        No. Well, there’s a big difference between what you pay and what instructors get paid, let’s not get into that, okay? But the point of it is we found by doing that we were actually still able to make money. But like you said, “It’s a scale game.” How many people can you get in, and what’s the average per seat? And honestly, when we started it, I think it was averaging like $20 or something like that per student. And what happened is we had a whole bunch of people that took it and they’re like, “I feel really bad because I didn’t pay you anything. Can I come back and pay?” And I’m like, “Absolutely. Not a problem.” And now we’re averaging about $100 to $150 per student on some of our classes. And that’s not huge money, but dude, it changes their life and it helps keep the lights on. Let’s keep doing it, that rocks.

Jason Dion:                  

                        Yeah, totally. And then I think the next piece of this is, as we talk about the training, it’s awesome training. You’re getting labs, you’re getting a live instructor, you’re getting high quality instruction because as Kip said, if you go to a SANS course, it’s awesome high quality stuff as you said, you did that for a long time but it’s $5,000 a person to go.

Kip Boyle:                    

                        Eight, eight.

Jason Dion:                  

                        I don’t know anybody who’s ever [crosstalk]-

Kip Boyle:                    

                        Yeah, it’s up to eight now-

Jason Dion:                  

                        … that paid for themselves. They always did it because their company paid for them.

Kip Boyle:                    

                        And not every company will pay for it.

John Strand:                

                        No, they won’t. And let’s be honest, right? I came from the SANS Institute. The best training in the world is SANS training. For me teaching, the number of people that were like, “I took a class from SANS and it fundamentally changed my life, right below a religious experience,” is off the charts. But is it accessible for everybody? Hell no. It’s like you said, most companies won’t even pay for it. Is it available for somebody that’s washing dishes, or working two jobs, or a single mom that’s trying to pay for daycare? Hell no. So for me, I look at success. If our program is successful, it’s the number of people that get the jobs that can then take training like the SANS Institute, well God damn, then I’m successful. So if you’re in a job that’s paying for that, you’re welcome, and it’s going to make you a better person. So it’s all about finding the places that are the right fit for the right people at the right time, and having a more diverse training palette is really going to help people get there.

Jason Dion:                  

                        Definitely. Definitely.

Kip Boyle:                    

                        Yeah this is great. Okay, so John as we wrap up the episode because we’re coming to the end of the time here. So listen, you wanted to say something about cyber deception. There’s a little tip for the audience.

John Strand:                

                        Yeah.

Kip Boyle:                    

                        Tell us what you had in mind.

John Strand:                

                        So with cyber deception, we have a class coming up and I can get you guys a link. But if you go to the Antisyphon website, go to free training, you’ll see all of our free training classes that are there, and cyber deception’s one of them. Why is it free training? Or not free, but pay what you can? Just because I’m teaching it, and literally every class I’m going to teach from here on out is going to be pay what you can, because this is the best way for me to serve the community that has been so good to me. It is truly all about serving and getting these people where they need to go. Cyber deception is my favorite class.

                        Literally the first two, Intro to SOC and Intro to Security, are building up to the cyber deception class, and I want to leave your listeners with a couple of recommendations. One, go into your environment and create some honey user accounts. You don’t have to worry about the names, they don’t have to be administrators, because attackers don’t target specific accounts in your environment; they’ll dump all the users with “net user space forward slash domain” and they will password spray all of them post-exploitation. So create an account, log into this account, that’s important because you want to update the date timestamp for last login from January 1st, 1961, because that’s what it is by default until you log into it. You want to make sure it’s an actual active account. Don’t deactivate it, because there are tools that will skip right over it. Give it a really long password, set its logon hours to zero. So it’s active but it’s impossible to interact with, and then create a rule in your SIEM that if anybody tries to authenticate as that account, it locks that workstation out.

                        This is easy, you can set it up relatively quickly in most of your SIEMs, set up critical alerts, and it will make your pen tester cry, because pen testers almost universally will go post-exploitation, password spray to elevate. You can also do this with service accounts: create a fake service account that’s Kerberoastable, give it a long password, and set up an alert if somebody tries to authenticate to that service account, same thing.

                        And finally, I want you to check out a website called Canarytokens.org, this is by a good friend of mine, Haroon. The people at Thinkst have created a website where you can generate a whole bunch of different honey tokens, anything from Word web bugs, DNS tokens, custom executables, JavaScript that you can put on your authentication portal so that if an attacker clones your authentication portal, as soon as they stand up that server it will reach back and let you know that it’s been cloned, fake AWS keys, and so on. Look at some of these things here. They’re easy, they’re really simple to use, highly effective.

                        And the third thing I want you to do is, the next time you have a pen test and the attacker fumbles over these things, I want you to collect their tears and make wine, because pen testers’ tears make the best wine. And check out the class. If you like these tips, we have a class that has 14 labs, two days, all cyber deception, wall to wall. We tie it to the MITRE Shield framework, which is now a framework for cyber deception. It’s all killer, no filler, and on top of that, it’s pay what you can. So you really have no risk whatsoever. Come check it out, let’s make cyber deception mainstream.

Kip Boyle:                    

                        That’s really cool. Now I want to do two things for the audience in case anybody is listening and they might have tripped up on a couple of things you said, John, right? A honey this, a honey that, okay? Just to be clear, if you don’t understand what that term means, right? A honey pot is something that we use in network security to attract an attacker away from our high-value assets and get them to interact with a trap, a honey pot, right, get them all sticky and stuck, and get them really interested in this sweet-looking thing. Meanwhile, all the alarm bells are going off and that gives us an opportunity to respond. So that’s what honey pot means, and now we’re applying that to all these other different things. Now, if you’re wondering why John Strand knows so much about pen testers’ tears, well, that’s because that’s a lot of what Black Hills Information Security does, right?

John Strand:                

                        Yep. We do pen testing, and it’s one of these weird things where I have my pen testers call me up sometimes and they’re like, “Did you talk to this customer before I broke in?” I’m like, “Maybe.” “Because I went in and I was on an SSH box, and I was there for 15 minutes and it turns out it was fake. Do you have anything to do with that?” “Maybe.” “I did a password spray and they locked the machine out that I compromised within five minutes of me doing it, was that you helping them?” “Maybe.” So look, my goal and everyone’s goal in the pen testing community should be one thing, it should be singular, making our lives difficult. If we are successful, we make our lives miserable and hard, that is the definition of success, and that’s what we’re after, and that’s what I’m teaching in this class, basically how to make your pen test or hacker cry.

Jason Dion:                  

                        Awesome. So John, I’m going to take this opportunity since you’re here and you’re the leader of Black Hills Information Security. We have lot of folks in our audience trying to break into cybersecurity and I have a lot of people always asking, “I want to be a pen tester,” that’s everybody’s dream in cybersecurity, it seems like, because it sounds fun, and sexy, and cool. If somebody wants to become a pen tester, they’re brand new, what are the steps you’d recommend for them to take? What is the classes they should take, the certificates, college, whatever it is? And then how do they get somebody to take notice of them so they can possibly get a job as a junior pen tester and enter your team?

John Strand:                

                        You bet. So number one, take whatever you can get, don’t be picky and choosy. We were talking about CEH, yeah, kind of a garbage cert, but you know what? It’s going to get you through some interviews. It’s also affordable, so you can do that. If you can get the CISSP, get it. If you can get SANS certs and you have a company that’s paying for that, get them. If you don’t have that, then really focus on TryHackMe, and Hack The Box, and MetaCTF. You want to set up, you want to start doing these cyber range challenges. You want to start pushing yourself and learning how to do these things and grinding through it, and you want to put that front and center on your resume, because you have to prove something.

                        And even if you have certifications, if I have two resumes, one resume is nothing but a bunch of InfoSec certs and the other one is a whole bunch of TryHackMe and Hack The Box challenges, and your levels, and how kick you’ve done there, I’m going to go for the second resume with the TryHackMe and Hack The Box, because that shows me this is a person that’s taking personal initiative to improve their career, not just through the path that everyone goes, but doing it their own way. So get out there and just start doing these cyber ranges.

                        Also once again, Ed Skoudis’ Holiday Hack Challenge. You can’t do much better than the Holiday Hack Challenge. You can go do previous years challenges, still solve those, put it up on a blog somewhere, link it. So whenever I’m reading your resume, it’s like, here’s my write up for the Holiday Hack Challenge. Because there’s a dirty little secret in pen testing, people don’t know this but how do you feel about being an author? If you’re like, “I hate running.” Or, “I hate writing and I want to get into pen testing,” well guess what? You’re going to learn to love it.

                        So that’s number one, take advantage of anything and everything. And you do this by shutting off the TV, shutting off video games, choose a 30 day window, drill as hard as you can for 30 days and then take a couple of months off and not watch Game of Thrones or whatever. Just sit down and watch something, play video games, whatever it is you do. And then take another 30 days and focus on these short bursts of where you learn as much as you can, you’re going to get in, you’re going to get in.

                        The final thing I’m going to recommend, and this is weird, I want you all to go out and get registered for NoRedInk. NoRedInk is a writing and grammar website that teaches you, in probably one of the best interactive ways, how to use the proper active and passive voice, how to use verb tenses, their and there, which and witch, and all these different things. It’s absolutely essential that you write and you communicate effectively. And just like you’re going to feed your technical chops, you need to feed your writing chops as well.

Jason Dion:                  

                        Awesome. Thanks John.

Kip Boyle:                    

                        I love it.

Jason Dion:                  

                        As we say, the name of the platform is Antisyphon. It is a little bit hard to spell, so we are going to make sure it’s in the show notes.

Kip Boyle:                    

                        It’s with the Y? Yep, with the Y.

Jason Dion:                  

                        So make sure you go ahead and go to the show notes at yourcyberpath.com for this episode and you’ll make sure to get all links to Black Hills Security and Antisyphon. You can go get some of that awesome Pay As You Want training.

John Strand:                

                        Absolutely. Thank you so much guys.

Kip Boyle:                    

                        We’re so glad you were here. Thanks, John Strand.

John Strand:                

                        You bet. Take care.

Audio:                   

                        Thank you for listening to this week’s episode of Your Cyber Path. Don’t miss an episode, press the subscribe button now. If you would like to learn more about how to get your dream cybersecurity job, then be sure to visit yourcyberpath.com where you can access the show notes, search the archive of our top tips and tricks, and discover some fantastic bonus content.


YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.