CyberWire Daily - Eric Escobar: Collaboration is key. [Pen tester] [Career Notes]
Episode Date: May 15, 2022Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path translating his childhood favorite Legos to civil engineering and pivoting to cybersecurity. Eric was always h...eaded toward engineering and got both his bachelor and master degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and basically becoming a bankrobber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and collaboration is key as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Thank you. Learn more at zscaler.com slash security. So I always wanted to be an engineer of some sort.
Wasn't quite sure what kind of an engineer.
I grew up playing with Legos, building things, taking things apart.
So it was one of those things that it was a pretty easy thing when my family was like,
you know, you should go into engineering.
I was like, hold on a second.
I can get paid to do what I just do for fun?
Like, that sounds kind of cool.
So I took a survey of engineering class when I was in high school.
And my my toss up was like computer science, computer engineering and civil engineering, which are far different ends of the spectrum.
And so I basically like pick between the two of them and I pick civil engineering.
So I went to school and I got a four year degree in civil engineering and a master's degree in civil engineering and started my professional life as a civil engineer.
And now I'm a registered civil engineer in the state of California.
So I could still technically build a building, build a hospital, build, you know, whatever, whatever you need to.
But yeah, I just took that degree and leveraged it right into cybersecurity.
Yeah, I just took that degree and leveraged it right into cybersecurity.
I've always loved computers.
That's why my second choice was going to be like computer engineering or computer science,
something along those lines.
And it was one of those things that as many situations happen, your roommate from college comes home and you're like, oh, I want to do something fun.
Like, what are we going to do?
Go over to his parents' house, manage to break into their Wi-Fi
or do some, you know, like nefarious hijinks.
That's completely harmless.
His dad gets home and is like, whoa, whoa, whoa, whoa.
How did you guys, like, what'd you guys do?
And, you know, I would come to find out later
that he is like the, you know, director of security
for some cybersecurity company in California.
And he's like, hey, how about I
replace your engineering salary and you come work for me in the cybersecurity arena? I was like,
okay, but I don't know anything. He's like, trust me, if you could do whatever hijinks we did,
you know enough to get started. Your mind is in the right place.
So make the hop and I haven't looked back since.
I haven't looked back since. So I went from being civil engineer to working on like the blue team or, you know, defensive team for a company called Barracuda Networks. And then basically I just got
involved in the whole like infosec, so information security like culture we did, you know, went to
DEF CON, went to a bunch of different conferences. And at one of these conferences I you know was just chatting with somebody and uh you know we hit things off
and he's like hey if you if you're ever interested in uh moving over to the red or the offensive side
of things um you know we'd love to interview so you know a couple couple interviews later and
I started working in an adversarial role um at Secs, which is currently where I am now. And I've,
it's like dream job, a hundred percent. I basically just make the analogy of,
I'm a bank robber for hire and companies will come hire SecureWorks to try and break in and steal everything that they hold dear. Right. And all companies are different. And, you know,
on any given day, I commit several thousand felonies if I didn't have permission to do what
I do.
One week, I could be breaking into a literal bank.
The next week, I could be breaking into, you know, some type of tiny hardware or just a website.
When you work in one level of like security or like you work for a company in security, you typically deal in only what they deal with.
Whereas in my role, since we go through so many different companies testing their security, you get to see the inside of several dozen networks maybe in a given month, right? And so it's awesome because you get to learn really quickly on your feet. And yeah, any type of
expertise, it's really easy to say like, hey, I don't know, but let's learn by doing kind of a thing. The best personality trait is curiosity because, you know, there's sure there's a lot
of items that you have to like go through and, you know, check the box to make sure that you
did it correctly. But there's always that like, huh, I wonder if I did
this, how would either the program, the hardware, the website, how would it respond? Then from there,
I feel like if you have the natural curiosity to say, how does this work? And what happens if,
then it kind of blossoms out into like whatever other personality trait that you have.
You know, our team is filled with the most weird ragtag, you know, group of people, you know,
you have a civil engineer like myself.
We have RV salesmen.
We have physicists.
We have electrical engineers.
We have, gosh, I mean, you name it.
Everybody has those weird quirky traits.
And I think the one that unifies all of us is we're all curious about how things work.
And that's what's really nice is that there's no one archetype of a hacker pen tester.
It's completely across the board. nice is that there's no one there's no one like archetype of of a hacker pen tester it's it's
completely across the board i think the collaboration piece is is key because again
there's nobody that knows everything right there's no one that even knows 10 of everything
you know that like if you need to get on the phone with somebody hey this person's a real
smooth talk on the phone let's pick them up and so having just that you know the list of skill
sets as they go across the board.
And so pulling from everybody's life experience, and then everybody should also spread across the
globe. And that's, it's all, you know, a whole other crazy thing dealing with time zones. And
it's like, you know what, let's tap on the Japanese team to see if they've ever encountered,
you know, X, Y, or Z. And so it's, that collaboration is absolutely key,
especially when you don't know everything.
absolutely key, especially when you don't know everything.
Just start.
Start listening to security podcasts just to learn the vernacular of like what words are commonly used and how things are phrased.
And then just start, you know, going and looking for either if you want to get involved in like a bug banning program or if you don't know anything at all and you're starting from scratch, there's like $30 Udemy courses that will walk you through, you know, your first years of pen testing from, you know, setting up a full active
directory domain and how to compromise in common misconfigurations. I've had, oh gosh,
maybe three or four personal friends now that have come from all walks of life that have,
you know, gotten their OSCP or in progress of getting their OSCP. And even just if they're
in progress, it's led to jobs where, you know, one of them used to be a former pastor and now he's in
information security. Right. So it's, you know, there's a whole bunch of different windy paths,
but really the first thing is just get started, learn how people talk about, you know, in the
industry and then go after a certification if you can. Like my whole thing is like,
if we can just teach people in a fun way, like, from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.