End of an Era!

After 10 years, I have resigned from a “large financial” today. I will announce my next adventure on June 1. For now, I want to look back on the past 10 years, at least what I can publish, because large financials are like Fight Club (the first rule of Fight Club: you do not talk about Fight Club).

In June 2010 I started as an infrastructure vulnerability assessment analyst in a team of 6 ethical hackers. I began learning about offensive security, how to bring value, and how to portray risk in a manner that is actionable for reduction. I recently took SANS SEC504 where I learned about hacker techniques and exploits.

Exploit all the things! We matured from vulnerability assessment to penetration testing and exploiting new products before they were purchased from vendors and deployed into production. This was amazing leverage as products with high risk vulnerabilities would not be allowed to go into production. We found over 30 0days that received CVEs with high or critical risk CVSS. This was fulfilling because the industry would get patches for vulnerabilities we found. The downside is that no one in the community will ever know these were found by me or my team. It was tough at first to overcome this because street cred is a thing in infosec.

In 2011, The Hacker's Choice (THC) created an SSL renegotiation Denial of Service tool. I got my hands on a leaked version and tested it out. No one was talking about it, yet organizations were getting DDoSed on the daily. So, I blogged about it to raise awareness… this is when I learned the rules of Fight Club.

That near-termination experience led me to erase all traces and associations of my employer and me from the Internet. Yes, you can find what “large financial” this is but it will take you longer than you care to spend on it. I did this to be able to speak and teach without too much red tape. From that point, I had to decide between growing at the organization or growing in the community. I chose the job but was not happy it couldn’t be both. It brings me a lot of joy giving back to the community!

I learned and experienced just about anything you can imagine in corporate America. I also made relationships that will last a lifetime and for this, I am eternally grateful.

Here are some highlights I can share:

  • Moved from an officer to Director in 10 years
  • Began growing by becoming team lead, then manager of infrastructure testing
  • Created the Red Team in 2015, one of the first in the financial services industry and one of the top accomplishments to this day
  • Led application penetration testing team
  • Grew team to 140 ethical hackers globally
  • Created the coordinated vulnerability disclosure program
  • Founding member of FS-ISAC and FIRST Red Team Special Interest Groups
  • SIFMA/GFMA Penetration Testing Working Group and release of threat-led penetration testing framework
  • CVSS Voting Member releasing CVSSv3.0 and CVSSv3.1
  • Founding Member of MITRE Engenuity Center for Threat-Informed Defense

Here’s what I’ll be up to in the next month, you should join me:

I look back at the past 10 years and they are all excellent memories. Learned a lot, grew a lot, and now I am ready for the next big thing. I appreciate all your support and hope I can continue to bring value to you and your organizations. 

Enzo Alvarez

Security Professional

4 years ago

Lol @Robert's screen cap. Best of luck to you brother. I know you gonna shine wherever you go.

Maria McFarlane

Technology & Telecommunications Professional

4 years ago

Congrats Jorge!!

Juan Carlos Benavente

Head of Fraud Prevention

4 years ago

Congrats Mr Orchilles, best of luck buddy
