/* CAT(1) */

By Jeff White (karttoon)

The power's been out for the past 4 hours due to Hurricane Irma and will likely be out until tomorrow, if not longer, as she pelts my house with rain and wind. She's still 3 hours out, before the eye passes over me at a Category 3 (hopefully 2 by then), and another 4-6 hours as she moves further north. Since I won't be sleeping anytime soon, I've decided to put some thoughts down and write a blog about a misplaced career goal I chased. Basically, if you took the OSI stack and reversed it, that was the direction I wanted to take my career. Starting at the top and working my way down till I was completely intimate with the lowest levels of technology.

I grew up around computers and spent the majority of my youth on one system or another, eventually becoming enamoured with the concept of networking. You could send data from one machine to the next...holy crap?! Sign me up! It was the beginning of my love for the nitty gritty technical aspect of computing; all the bits - 1's and 0's. I taught myself networking, admittedly mainly to play video games over dial-up and later UPX, then through tons of trial and error. But, like a lot of other people in the InfoSec industry, I started my career at a help desk which I absolutely dreaded. This felt about as far from technical as could be and the opposite of that "low level" direction I wanted to go. I felt I knew more than the average help desk employee but without any experience, those were the cards I was dealt and the hand that I played with. A lot of people shit all over the help desk but it was the first time I realized there was a lot I didn't know in general. Where I excelled was being able to recognize when I didn't know something and then forcing myself to learn it - here, I shined. In fact, I'd go as far as to say that my ability to think through a problem and come up with a solution overrode the fact that I didn't truly understand a lot of things and probably blinded me to this fact. Instead of getting solid general fundamentals, I trucked on with this idea of going lower and lower in technology as if it would give me some ultimate knowledge of how things worked. From there I guess I thought I would be able to tackle anything thrown at me.

Now, by the time I got this first "IT" job, I'd had a Cisco router at home for a while. I asked for a Cisco router for Christmas from my parents when I graduated high school (I was really popular, if you couldn't tell) and taught myself the ins and outs of "real" networking. I took, and failed multiple times, the Cisco CCNA and was halfway through my CCNP when I started the helpdesk gig. Within the first week I set out to meet the networking team and then volunteered for any and all work they would give me. I worked countless hours on second shifts in the helpdesk and then drove over to one of our datacenters to work until daylight racking gear, running cables, helping on change controls, and troubleshooting issues with them. It was an amazing learning opportunity and felt like I was knee-deep in the technical shit, exactly what I wanted. By now I had fully convinced myself that the "lower" I went, the better it would be.

Networking was great for this at first and definitely fed my desire but, at least within that time period, networking seemed very black and white. You might not know how to fix something or what the problem was, but it was always due to not yet knowing a protocol or some vendor specific caveat - obstacles easily overcome with a bit of study and application. When I eventually joined that networking team, I was surrounded by some of the best networking engineers I've ever met who constantly pushed each other forward. We worked on projects at such a massive global scale that I've still yet to find something comparable. The challenges were tough, complex, yet understandable. Within a short period of time I felt at ease managing the vast networks with intermixed protocols all over the world. When MPLS started to get big, along with every physical chassis becoming home to dozens of virtual networking devices, I saw the complexity continuing to rise but the job's technical requirements never getting much "lower".

When an opportunity cropped up for me to join an Incident Response (IR) team at another organization and conduct forensic investigations, I took it without looking back (*That's a lie, I talk about networking all the damn time still). This was a bit of a shift in knowledge domains and I approached it similar to networking - tons and tons of study. Forensics, or at least the learning of forensics, was a lot of 1's and 0's so it felt like I was on the right path again. Sadly, the actual practice of forensics was less about 1's and 0's and more about letting the myriad of commercial tools pull all the data for you so you can analyze whether Joe Blow was actually dumb enough to look at goat porn in his cubicle (yes, they were always that dumb). It was cool but I can probably count on my hands the number of times it was truly necessary to get super technical after 7 years of investigatory work. Tools automated things to the point it was completely uninteresting and the general context of the investigations rarely required "going low" except for the one-off data recovery which didn't require specialized companies and clean rooms. Regardless, I learned a lot about the fundamentals of system architecture and forensics eventually gave way to more technical interests in the IR realm over time, such as exploitation and malware. Both seemingly aligning with my goal.

I'll start with exploitation, since malware is where this story ends, and it definitely got into the 1's and 0's. First off, I still love exploit writing and hunting for vulnerabilities. It was something I always thought was cool and played with, albeit at a much higher level, when I was younger so when I actually started learning and applying it, then it was even cooler. With just one byte you could overwrite a buffer, change how an application executed, call your own shellcode, so on and so forth. It was awesome and totally in line with that "low level" technical goal I sought. I pushed myself to get multiple certifications in this realm, started playing CTFs constantly, and spent a lot of free time reading and learning the black arts. Career wise though, at least from my experience, it was shown to be extremely boring and not at all technical in most scenarios. Sure, you might get to make some exploits here and there if you're lucky, but after spending years talking to dozens and dozens of red teamers (pentesting being the only place I saw myself being able to actually apply said knowledge) it sounded absolutely miserable. Reports, templates, SOPs for compromise...I quickly talked myself out of this field and can say I actually haven't looked back on this one.

Now, obviously with IR, malware comes into play quite a bit. Malware, in the most general sense, is nice because it covers such a wide gamut of technologies. I'd spend weeks working on JavaScript malware and then weeks on x86 malware then weeks on Office docs. Spending tons of free time even outside of work trying to figure out how malware worked and eventually volunteering to help analysts at other companies understand malware they found. It didn't take long for me to realize just how little I knew in this field, which had me craving more. At some point, IR lost its appeal and I sought other opportunities where I might be able to be a bona fide reverse engineer (RE), which seemed like the natural progression. Malware is always changing - new techniques, new targets, new formats, new everything. It's dynamic AND low level - sign me up!

Alas, that wrecking ball of reality came crashing back in just about as quick as it did for pentesting. I applied for, and got turned down on, an RE job because, quite frankly, I didn't know shit. I still don't know shit. I was told I wouldn't really know that shit either unless I had spent years in a queue basically RE'ing samples day-in-day-out. Ugh, sign me out quick. *It should be said that this is obviously my experience and not representative of the whole. Knowing what I know now, I could have found jobs in either field doing things more akin to what I originally was after so if that's your schtick - the jobs are there, you just have to know how to find them.

Fast forward to today and I now have a research job which lets me do RE AND exploitation, if I so choose. They aren't the primary focuses by any stretch of the imagination but the opportunity is there should I go down a rabbit hole and want to spend time doing so. After everything in my career, lessons learned, successes, failures and the like, I've realized that trying to "go low" really doesn't mean anything. I don't know what I was thinking except that I possibly wanted more technical roles than I currently had and that was the actual path I was already walking, but it wasn't the end-all-be-all. There isn't any magical door of knowledge that unlocks when you hit bottom. I got all of my jobs because of a diverse background in multiple technologies and because of my ability to figure problems out when I didn't know the answer - not because I already knew it. It took a long time for that to sink in and even longer for me to appreciate it. Being in a technical role is great but you'll never know everything and it's pointless to try; it's far more important, to me at least, having a diverse background of experiences to pull from.

Welp, T-Minus 1 hour till the eye wall hits so I'm going to sign-off and hold onto my butt. Ciao