WEBVTT

NOTE
This file was generated by Descript 

00:00:00.240 --> 00:00:04.590
john-hammond_1_09-03-2025_170629: Truth
be told, and maybe this is silly, but I

00:00:04.590 --> 00:00:10.440
get to feel like my security, charlatan,
fraudster imposter syndrome kick in, but

00:00:10.500 --> 00:00:14.190
I've never been a penetration tester.

00:00:14.895 --> 00:00:18.285
I've never been a SOC analyst.

00:00:18.345 --> 00:00:22.575
I've never been a detection engineer,
and that is always, oh dang, that,

00:00:22.575 --> 00:00:24.735
that kind of hurts to say aloud.

00:00:24.735 --> 00:00:27.435
But I do wanna make sure that's
totally transparent and known.

00:00:27.674 --> 00:00:33.495
I've just fallen into the researcher end
and that lets me poke and play at a little bit

00:00:33.495 --> 00:00:36.614
of everything the way I fell into that.

00:00:36.915 --> 00:00:37.754
It's no secret.

00:00:38.985 --> 00:00:44.145
Huge proponent of capture the flag and
CTF, hey, being hands on, keyboard, learn

00:00:44.145 --> 00:00:48.495
and understanding different languages,
different vulnerabilities, and that

00:00:48.615 --> 00:00:53.955
naturally points you a little bit more
of that red team offensive security side

00:00:56.175 --> 00:00:56.925
to your point.

00:00:56.985 --> 00:00:57.585
Absolutely.

00:00:57.585 --> 00:01:01.335
That's how, yeah, I was building out
the cyber emulation course, creating

00:01:01.335 --> 00:01:05.474
some of that material and content,
and that was in that direction

00:01:05.595 --> 00:01:07.455
of pen testing, but I've never.

00:01:07.980 --> 00:01:08.730
Done it.

00:01:11.300 --> 00:01:13.610
josh-mason--he-him-_43_09-03-2025_170632:
Simply Defensive brings you the industry's

00:01:13.610 --> 00:01:22.370
top practitioners, innovators, and leaders
to inform, educate, and join us defensive.

00:01:30.068 --> 00:01:33.188
Hello, and welcome to the latest
episode of Simply Defensive.

00:01:33.188 --> 00:01:36.638
I'm Josh Mason and with
me as always, Wade Wells.

00:01:37.063 --> 00:01:37.933
wade-wells_24_09-03-2025_140632: Hello?

00:01:39.518 --> 00:01:41.828
josh-mason--he-him-_43_09-03-2025_170632:
And our guest today is John Hammond,

00:01:42.248 --> 00:01:47.618
researcher at Huntress, YouTuber, and one of
the best known educators in cybersecurity.

00:01:49.208 --> 00:01:50.768
John, welcome to the show.

00:01:51.218 --> 00:01:52.058
john-hammond_1_09-03-2025_170629:
Goodness gracious.

00:01:52.058 --> 00:01:53.918
Thank you so much for the
warm welcome, everybody.

00:01:53.918 --> 00:01:55.298
It's super cool to be
hanging out with you.

00:01:55.298 --> 00:01:55.793
Happy to be here.

00:01:56.023 --> 00:01:56.203
wade-wells_24_09-03-2025_140632: Yeah.

00:01:57.548 --> 00:02:00.968
josh-mason--he-him-_43_09-03-2025_170632:
So John a lot of people know

00:02:00.968 --> 00:02:07.418
you from YouTube, from social
media, from conferences

00:02:09.488 --> 00:02:14.108
how do you like to present yourself
when someone's Hey, what do you do?

00:02:14.858 --> 00:02:16.118
john-hammond_1_09-03-2025_170629:
Oh, super.

00:02:16.118 --> 00:02:16.928
Good question.

00:02:18.128 --> 00:02:22.178
First and foremost, I feel like a lot
of folks tend to just explain their

00:02:22.178 --> 00:02:26.348
day job, which may or may not be the
correct answer to what do you do?

00:02:26.378 --> 00:02:31.718
Because people got passions, people got
hobbies, people got stuff all out of work.

00:02:31.718 --> 00:02:33.788
But I tend.

00:02:34.288 --> 00:02:35.398
Do a lot of work.

00:02:36.208 --> 00:02:37.648
'cause work is fun for me.

00:02:37.648 --> 00:02:38.608
Maybe that's the passion.

00:02:38.608 --> 00:02:39.568
Maybe that's the hobby.

00:02:39.838 --> 00:02:42.178
But yeah, my day job is over at Huntress.

00:02:42.388 --> 00:02:46.558
I'm a security researcher there,
which is a ton of fun to say.

00:02:46.558 --> 00:02:50.998
Hey, chasing hackers, cutting up malware,
trying to dig into what are the real

00:02:50.998 --> 00:02:54.838
world threats that are out and about
in the whole land of cybersecurity.

00:02:55.483 --> 00:02:57.493
When I can, I squeeze in to tell folks.

00:02:57.493 --> 00:02:57.673
Yeah.

00:02:57.673 --> 00:02:59.023
I do have a YouTube channel.

00:02:59.233 --> 00:03:03.013
I know it sounds silly to say
it out loud, but it is, it's

00:03:03.013 --> 00:03:04.513
turned into a machine of its own.

00:03:04.513 --> 00:03:07.543
It has blossomed and grown
and it's very fulfilling to

00:03:07.543 --> 00:03:09.433
see what that has turned into.

00:03:09.733 --> 00:03:13.273
But sharing cybersecurity education,
trying to get more, hey, hands-on,

00:03:13.273 --> 00:03:15.823
keyboard, tactical, practical stuff.

00:03:16.213 --> 00:03:17.413
But just having a lot of fun with it.

00:03:17.413 --> 00:03:20.313
I like to showcase what's
cool, what's fun, what I like.

00:03:21.538 --> 00:03:23.218
wade-wells_24_09-03-2025_140632: I
honestly feel like security researcher is

00:03:23.218 --> 00:03:25.468
like my dream job to tell you the truth.

00:03:25.468 --> 00:03:27.778
Like you get to deal with
the coolest stuff, right?

00:03:27.778 --> 00:03:28.438
You're out there doing.

00:03:30.403 --> 00:03:33.013
Like everyone looks at pen
testers and goes, oh, look at that.

00:03:33.013 --> 00:03:36.763
I'm doing all this cool stuff where the
researcher like, you're ha, you're in

00:03:36.763 --> 00:03:40.213
your own playing field where yeah, you
get to do these exploits and do stuff,

00:03:40.213 --> 00:03:41.653
but then you also get to detect them.

00:03:41.863 --> 00:03:45.043
You get to share your evidence
with the greater community, right?

00:03:45.283 --> 00:03:48.733
And help defend people in a, I
think, a larger scale than just your

00:03:48.733 --> 00:03:51.193
organization, which is also really cool.

00:03:52.333 --> 00:03:55.873
And trust me, I know plenty of your
blogs I've used in my research,

00:03:57.933 --> 00:03:58.413
john-hammond_1_09-03-2025_170629:
thank you.

00:03:58.653 --> 00:03:59.128
Yeah, I think.

00:04:00.218 --> 00:04:03.398
I always feel maybe sometimes
it's a little unfair just because

00:04:03.398 --> 00:04:06.758
security researcher is flexible.

00:04:06.818 --> 00:04:10.208
Just as you mentioned you
have your own playing field.

00:04:10.418 --> 00:04:15.008
You get to do just what's interesting
and cool and what you think will bring

00:04:15.008 --> 00:04:17.168
the most value, and sometimes that.

00:04:17.433 --> 00:04:21.003
Oh, leans a little bit on the, red
team, red side, maybe that leans a

00:04:21.003 --> 00:04:24.723
little bit on the blue, team defense
side, maybe detection work, et cetera.

00:04:25.383 --> 00:04:28.893
Or hey, getting a chance to chat
with our security operations

00:04:28.893 --> 00:04:30.363
center analysts and work with them.

00:04:31.143 --> 00:04:33.723
But, oh, maybe it's recreating
a little proof of concept.

00:04:33.723 --> 00:04:36.453
Maybe it's digging into some of the
exploits and seeing how this would work

00:04:36.453 --> 00:04:38.373
and like a pen tester side of the house.

00:04:38.493 --> 00:04:41.283
So a lot of fun, just flexibility.

00:04:41.343 --> 00:04:42.693
I'm super grateful for.

00:04:43.943 --> 00:04:46.943
josh-mason--he-him-_43_09-03-2025_170632:
Yeah, I'm curious about that because

00:04:47.063 --> 00:04:53.783
my introduction to you was I taught
the courseware that you were the SME on

00:04:54.503 --> 00:04:57.773
back at DAA for cyber threat emulation.

00:04:58.898 --> 00:05:08.048
I'd teach buffer overflows, and I'd watch
your videos to learn how to properly then

00:05:08.048 --> 00:05:16.508
teach the content in class back when we
were both at DC3, and at that point

00:05:16.508 --> 00:05:21.038
it seemed like you were an offensive
operator, and I know you've got the

OSCE3, and you were like one
of the first people to get that OffSec

00:05:28.523 --> 00:05:30.893
Like special cert, right?

00:05:31.288 --> 00:05:31.888
john-hammond_1_09-03-2025_170629: Yes.

00:05:34.013 --> 00:05:35.033
josh-mason--he-him-_43_09-03-2025_170632:
When they bundled them.

00:05:35.033 --> 00:05:35.273
All

00:05:35.573 --> 00:05:36.398
john-hammond_1_09-03-2025_170629:
Yeah, for sure.

00:05:36.398 --> 00:05:40.808
For some context, maybe a lot of folks
are familiar with the OSCP or like the

00:05:40.808 --> 00:05:43.058
offensive security certified professional.

00:05:43.958 --> 00:05:47.528
There were a lot of other offerings
that offensive security brings out.

00:05:47.708 --> 00:05:54.443
Some being offensive security web
exploitation, some being an experienced

penetration tester and more of
inside of an attack and defense,

00:05:57.713 --> 00:06:01.463
active directory environments, and
even more for exploit development.

00:06:01.673 --> 00:06:06.323
So when they bundled those up in
a halo cert, when you have OSED,

00:06:06.353 --> 00:06:08.008
the exploit development, OSEP.

00:06:08.708 --> 00:06:10.958
Experience, pen tester,
whatever, active directory.

00:06:11.108 --> 00:06:16.958
And then, with web exploitation,
they called that OSCE3.

00:06:17.918 --> 00:06:19.418
Which is that halo yes.

00:06:19.418 --> 00:06:22.178
All of them combined in
this cool triforce power.

00:06:24.098 --> 00:06:28.988
I guess that was new at the time
when I was so excited to dive into.

00:06:29.468 --> 00:06:37.088
OSED and OSWE and somehow, some way I
got that email from Ning, I believe I

00:06:37.088 --> 00:06:40.538
might be getting the name wrong, but
the CEO, chief executive officer, over

at OffSec, Offensive Security.

00:06:42.488 --> 00:06:44.078
That said, you got there first.

00:06:45.308 --> 00:06:47.258
You were the first to get all three.

00:06:47.528 --> 00:06:48.488
And I was like, oh, this is cool.

00:06:48.488 --> 00:06:49.478
I caught all the Pokemon,

00:06:51.053 --> 00:06:52.823
josh-mason--he-him-_43_09-03-2025_170632:
yeah, of course.

00:06:53.813 --> 00:06:54.323
Nice.

00:06:55.523 --> 00:07:00.443
Do you feel like, were you headed
down the path of wanting to be a

00:07:00.443 --> 00:07:04.523
pen tester and write exploits and do
all that stuff, or do you feel like

00:07:04.523 --> 00:07:07.443
you've, did you divert from a path or.

00:07:08.798 --> 00:07:10.688
Was that, are you,

00:07:13.568 --> 00:07:17.463
have you just gone with like the way
the roads opened up in front of you?

00:07:17.993 --> 00:07:22.343
john-hammond_1_09-03-2025_170629: Truth
be told and maybe this is silly, but I,

00:07:22.343 --> 00:07:28.283
get to feel like my security charlatan
fraudster imposter syndrome kick in, but

00:07:28.283 --> 00:07:32.003
I've never been a penetration tester.

00:07:32.633 --> 00:07:33.023
I've never.

00:07:33.818 --> 00:07:36.098
Been a SOC analyst.

00:07:36.098 --> 00:07:37.898
I've never been a detection engineer.

00:07:38.828 --> 00:07:42.518
And that is always, oh dang, that,
that kind of hurts to say aloud.

00:07:42.518 --> 00:07:45.218
But I do wanna make sure that's
totally transparent and known.

00:07:45.458 --> 00:07:50.228
I've just fallen into the researcher
end that lets me poke and play at

00:07:50.738 --> 00:07:51.968
A little bit of everything.

00:07:52.958 --> 00:07:59.228
The way I fell into that, it's no secret I
was a huge proponent of capture the flag,

00:07:59.498 --> 00:08:04.208
CTF, hey, being hands on, keyboard, learn
and understanding different languages,

00:08:04.208 --> 00:08:09.143
different vulnerabilities, and that
naturally points you a little bit more

00:08:09.143 --> 00:08:11.738
of that red team offensive security side.

00:08:14.033 --> 00:08:14.693
To your point.

00:08:14.753 --> 00:08:15.353
Absolutely.

00:08:15.353 --> 00:08:16.433
That's how, yeah.

00:08:16.433 --> 00:08:19.253
I was building out the cyber threat
emulation course, creating some

00:08:19.253 --> 00:08:20.513
of that material and content.

00:08:21.323 --> 00:08:25.193
And that was in that direction
of pen testing, but I've never.

00:08:25.748 --> 00:08:26.498
Done it.

00:08:27.218 --> 00:08:33.668
But all those skills lend themselves to
even, oh, understanding how some malware

00:08:33.668 --> 00:08:37.688
comes to life, how some attack chains
could be built out on the endpoints.

00:08:38.288 --> 00:08:42.698
So it almost for industry work
and for my career, that points

00:08:42.698 --> 00:08:44.708
me more blue than it does red

00:08:47.518 --> 00:08:49.438
wade-wells_24_09-03-2025_140632: I
have an interesting one where, okay,

00:08:49.438 --> 00:08:53.008
so I know I've heard you talk about
this before, but I honestly think

00:08:53.008 --> 00:08:55.198
being outspoken as you are and also.

00:08:56.938 --> 00:08:59.428
Being in cyber is always rare, right?

00:08:59.428 --> 00:09:00.718
Being able to tell a good story.

00:09:00.718 --> 00:09:01.738
Not everyone can do it.

00:09:01.738 --> 00:09:02.908
Not everyone can hold attention.

00:09:02.908 --> 00:09:07.228
And I know, or at least I've heard you
have a performance background, right?

00:09:07.318 --> 00:09:08.758
Or a little bit of one.

00:09:09.598 --> 00:09:13.018
Which I think I, I was in a couple
plays and stuff like that and I was a

00:09:13.018 --> 00:09:15.358
class clown, but definitely not as bad.

00:09:15.358 --> 00:09:19.558
But how do you think being able to
tell a good story, at least from

00:09:19.558 --> 00:09:21.683
a threat research perspective,
has affected your career?

00:09:21.983 --> 00:09:24.023
john-hammond_1_09-03-2025_170629:
Oh, okay.

00:09:24.023 --> 00:09:25.163
Your question first.

00:09:25.163 --> 00:09:25.583
I'm sorry.

00:09:25.583 --> 00:09:26.123
And then I know

00:09:26.123 --> 00:09:26.203
I'll

00:09:26.623 --> 00:09:27.163
wade-wells_24_09-03-2025_140632:
Yeah, Go for it.

00:09:27.283 --> 00:09:27.433
Yeah.

00:09:27.433 --> 00:09:27.583
Yeah.

00:09:27.583 --> 00:09:27.943
Go for it.

00:09:28.483 --> 00:09:28.693
All good.

00:09:29.093 --> 00:09:30.923
john-hammond_1_09-03-2025_170629:
I totally, without a doubt, a

00:09:30.923 --> 00:09:32.618
thousand percent because you.

00:09:33.803 --> 00:09:37.643
In your work, no matter what it is,
whatever role you may have, blue,

00:09:37.643 --> 00:09:39.053
red, whatever, blah, blah, blah.

00:09:39.383 --> 00:09:45.408
You are communicating with people and
they're gonna be in their own different.

00:09:46.058 --> 00:09:50.438
Walk of life with their own experiences
with all that they've gone through.

00:09:50.738 --> 00:09:53.768
And they might have either just
a different understanding or even

00:09:53.768 --> 00:09:57.698
interpretation of cybersecurity stuff.

00:09:57.788 --> 00:09:58.958
And I know that's super vague.

00:09:58.958 --> 00:09:59.618
I know that Oh yeah.

00:09:59.648 --> 00:10:01.268
Big broad concepts there.

00:10:01.718 --> 00:10:06.638
But can you genuinely communicate to them?

00:10:06.698 --> 00:10:10.628
Can you hold their attention and can you
tell them something that's important,

00:10:10.628 --> 00:10:15.128
that's actionable, that's very necessary
for what they need to know in a way that.

00:10:16.733 --> 00:10:21.533
Relates to them or, bridges, the gap
between, oh, their worldview and how

00:10:21.533 --> 00:10:27.413
they see everything going on around
them compared to what and know and

00:10:27.413 --> 00:10:28.793
understand everything around you.

00:10:29.033 --> 00:10:34.823
So the best way, usually just being
able to make that for one thing good and

00:10:35.333 --> 00:10:37.763
something they can receive is a story.

00:10:37.913 --> 00:10:41.723
And then how to be able to retain that,
to remember that, to do something with it.

00:10:42.503 --> 00:10:43.583
That's a story.

00:10:44.563 --> 00:10:44.893
wade-wells_24_09-03-2025_140632: Yeah.

00:10:46.988 --> 00:10:49.538
One of the points in my threat
intel class that I teach is

00:10:49.538 --> 00:10:50.873
like being able to tell a story.

00:10:51.503 --> 00:10:54.533
And so I always point people over, like
Jason Blanchard has some really good

00:10:54.533 --> 00:10:56.153
stuff about how to tell stories, right?

00:10:56.663 --> 00:10:59.993
And I think that's like a
huge differentiator that

00:11:00.053 --> 00:11:01.343
it's harder to learn too.

00:11:01.373 --> 00:11:03.203
'cause you don't have the
opportunity to tell stories.

00:11:03.413 --> 00:11:08.003
But once you find someone who you can
pay attention to a lot and can take

00:11:08.003 --> 00:11:12.473
technical terms and know how not just
how to speak to them, but how to speak

00:11:12.473 --> 00:11:14.063
to them, to certain people, right?

00:11:14.063 --> 00:11:17.993
And to know, to judge the crowd
too is a very rare talent.

00:11:18.023 --> 00:11:20.333
And I know it's one you have,
but it's a cool one too.

00:11:20.993 --> 00:11:21.083
Yeah,

00:11:21.228 --> 00:11:21.618
john-hammond_1_09-03-2025_170629:
flattered.

00:11:22.038 --> 00:11:24.378
I think Jason Blanchard
certainly beats me out though.

00:11:24.378 --> 00:11:25.188
He wins, he

00:11:25.188 --> 00:11:25.388
hands

00:11:25.683 --> 00:11:26.243
wade-wells_24_09-03-2025_140632: Yeah.

00:11:26.303 --> 00:11:27.083
He's pretty good.

00:11:27.083 --> 00:11:27.353
Yeah.

00:11:30.018 --> 00:11:31.878
josh-mason--he-him-_43_09-03-2025_170632:
The man can tell a story that

00:11:31.878 --> 00:11:36.948
I think is one of the real
tricks in any business.

00:11:37.758 --> 00:11:43.758
If you can get people to stop and
listen to you speak and actually want

00:11:43.758 --> 00:11:50.448
to hear, stick around and hear you say
the next words, that is so valuable.

00:11:50.823 --> 00:11:51.813
So crucial.

00:11:52.203 --> 00:11:58.863
And if you can speak in cybersecurity
and business terms I've seen you do it.

00:11:58.863 --> 00:12:07.113
I, both of you gentlemen be able to make
that translation that that's the key.

00:12:10.353 --> 00:12:17.823
How did you make that
translation from the,

00:12:20.568 --> 00:12:23.058
the mindset of an attacker.

00:12:25.188 --> 00:12:29.748
Obviously you can tear apart malware,
eventually figure out what it's doing in

00:12:29.748 --> 00:12:37.878
a system, but then translating that to,
okay, here's now what we should do for

00:12:37.878 --> 00:12:40.818
defenses and why you should care about it.

00:12:42.648 --> 00:12:44.898
Obviously a lot of weight.

00:12:45.528 --> 00:12:49.878
What you teach in CTI and what
a lot of defenders are doing.

00:12:51.828 --> 00:12:57.018
But how can someone start
learning how to do that?

00:12:57.018 --> 00:13:02.058
How can someone practice that if they
wanted to get into the like CTI field

00:13:02.058 --> 00:13:04.458
or into the Yeah, I guess threat intel

00:13:04.613 --> 00:13:04.833
john-hammond_1_09-03-2025_170629: Oh.

00:13:04.953 --> 00:13:05.133
wade-wells_24_09-03-2025_140632: Threat

00:13:05.358 --> 00:13:05.518
research.

00:13:05.628 --> 00:13:06.138
josh-mason--he-him-_43_09-03-2025_170632:
of field

00:13:06.228 --> 00:13:06.438
john-hammond_1_09-03-2025_170629: Yeah.

00:13:08.538 --> 00:13:16.728
I, for one thing, good question and a
tough thing to answer because I really.

00:13:17.508 --> 00:13:21.288
And maybe it sounds so boring and so
basic, but I think it is the right answer

00:13:21.588 --> 00:13:26.658
of first and foremost, hey, do something
that you think is fun, that you enjoy,

00:13:26.718 --> 00:13:30.648
that you like and you're willing to do
more of, because it is something you

00:13:30.648 --> 00:13:32.388
enjoy and it's fun and it's passion.

00:13:32.658 --> 00:13:38.868
So that may or may not be, oh, strictly
down the path of threat intel, threat

00:13:38.868 --> 00:13:40.728
research, blue team, defense, et cetera.

00:13:40.728 --> 00:13:41.118
If it.

00:13:41.478 --> 00:13:45.798
It if it's just more fun to Oh, kinda
learn a little bit more of how these

00:13:45.798 --> 00:13:50.268
hacks work, how these vulnerabilities come
together, exploits and that attack chain.

00:13:50.958 --> 00:13:54.228
The attack chain, I think is the
most interesting aspect to it.

00:13:54.498 --> 00:13:57.798
Because if you didn't, if you
then wanted to bring that to the

00:13:57.798 --> 00:14:01.038
other flare or to something, be a
little bit more aligned with Sure.

00:14:01.038 --> 00:14:04.878
Threat intel, threat research,
whatever bucket and name tag

00:14:04.878 --> 00:14:06.528
you wanna put on it, then.

00:14:07.578 --> 00:14:11.238
Think about how did the
attack chain come to life?

00:14:12.408 --> 00:14:15.828
Literally, I know people keep, oh,
they use the cyber kill chain as a cool

00:14:15.828 --> 00:14:19.848
analogy in all these different words,
but genuinely think of a chain because

00:14:20.088 --> 00:14:23.538
each of those little links, each of those
components are things that you would now

00:14:23.538 --> 00:14:27.108
have an opportunity to break the chain.

00:14:28.188 --> 00:14:31.938
Put a mitigation, put some remediation
in place, stop or block one

00:14:31.938 --> 00:14:33.453
aspect of what happened and when.

00:14:34.033 --> 00:14:37.698
And then the more knowledge you have
on all those different parts, the

00:14:37.698 --> 00:14:41.358
better you're gonna be at, oh, I know.

00:14:41.628 --> 00:14:44.268
This is gonna drop a file in this
location, but if there were a

00:14:44.268 --> 00:14:47.898
file already there maybe we could
cut a little like countermeasure

00:14:47.898 --> 00:14:49.848
vaccine, clever little stop gap.

00:14:50.448 --> 00:14:50.628
Oh.

00:14:50.628 --> 00:14:53.148
Actually, the permissions on
that directory are probably

00:14:53.148 --> 00:14:54.618
what's ruined this whole thing.

00:14:54.858 --> 00:14:56.088
Let's lock that down.

00:14:56.088 --> 00:14:58.548
Let's know our access
controls, blah, blah, blah.

00:14:58.818 --> 00:15:01.698
You can extrapolate that and
however many different ways that you

00:15:01.698 --> 00:15:04.848
want, but it is just exactly that.

00:15:06.003 --> 00:15:07.923
Understand kind of piece by piece.

00:15:08.193 --> 00:15:13.323
You build out the chain, and is where
you can get creative and innovative

00:15:13.383 --> 00:15:14.283
and think more on that front.

00:15:19.083 --> 00:15:21.333
josh-mason--he-him-_43_09-03-2025_170632:
For the people who are trying

00:15:21.363 --> 00:15:27.063
to get to that point, how can
they, how do you get started?

00:15:27.093 --> 00:15:31.923
Like how do you show I know
how to do this, hire me.

00:15:35.508 --> 00:15:42.678
Is it like, I think a lot of us were
able to see why you got hired onto Huntress

00:15:44.178 --> 00:15:46.278
being able to watch you, I don't know.

00:15:47.658 --> 00:15:52.368
There were a lot of us who watched
you dissect things on multiple

00:15:52.368 --> 00:15:59.958
terminals at speed live streaming
some in some cases and we're like.

00:16:00.528 --> 00:16:01.818
This guy knows what he's doing.

00:16:03.858 --> 00:16:07.728
Probably let's put him on some like
real malware and see what he does.

00:16:08.808 --> 00:16:12.078
How do other people get
into this sort of thing?

00:16:12.738 --> 00:16:14.628
And get hired onto teams to

00:16:16.908 --> 00:16:18.378
yeah, be researchers full-time.

00:16:19.008 --> 00:16:21.798
john-hammond_1_09-03-2025_170629: Yeah,
you get into, obviously I know kind

00:16:21.798 --> 00:16:26.028
of the chicken and the egg problem
of, oh, I need experience to get a job

00:16:26.178 --> 00:16:27.948
and I need a job to get experience.

00:16:28.638 --> 00:16:30.798
And I'm sure thousands of
folks gonna tell you that.

00:16:31.548 --> 00:16:33.738
I'm sure you've heard
that time and time again.

00:16:34.248 --> 00:16:38.658
So when you are learning, when you're
practicing, when you're getting

00:16:38.658 --> 00:16:42.978
a chance to play, whether that's
in Blue Team Labs Online, Hack

The Box, TryHackMe, et cetera.

00:16:45.318 --> 00:16:46.518
The list could go on and on.

00:16:48.258 --> 00:16:51.588
I don't want to sound like, Hey
do something similar to what I

00:16:51.588 --> 00:16:56.418
did, but I do think that when
you build out your own portfolio.

00:16:56.748 --> 00:17:00.558
Or your own sort of, hey, notes,
your write-ups, your solutions,

00:17:00.558 --> 00:17:01.938
everything that you've been learning.

00:17:02.448 --> 00:17:08.028
You build up an awesome catalog, a whole
archive of look at all this that I can

00:17:08.028 --> 00:17:11.838
do because I've already done it and I can
show you, and I've got this to point to.

00:17:12.408 --> 00:17:13.668
That is.

00:17:14.058 --> 00:17:14.958
Invaluable.

00:17:15.888 --> 00:17:18.828
And I know so many folks will tell you,
you probably hear it time and time again,

00:17:18.828 --> 00:17:20.658
so maybe folks are bored of that answer.

00:17:20.688 --> 00:17:23.328
Oh, have a website, have a
GitHub, build out your portfolio.

00:17:23.628 --> 00:17:29.178
But it is really just a help.

00:17:29.358 --> 00:17:30.078
A foot in the door.

00:17:31.208 --> 00:17:33.908
wade-wells_24_09-03-2025_140632:
Definitely I, one thing, one thing I don't

00:17:33.908 --> 00:17:37.358
hear a lot of people talk about, which
is something I always wanted to do but

00:17:37.358 --> 00:17:40.688
never did, was also like, throw out some
like honeypots and stuff like that, right?

00:17:41.528 --> 00:17:44.648
You don't need to work for a big
security program to do security

00:17:44.648 --> 00:17:46.358
research at the end of the day, right?

00:17:46.748 --> 00:17:50.468
You get theoretically infect yourself
completely and screw yourself, but

00:17:50.468 --> 00:17:51.458
you're gonna have fun doing it.

00:17:51.458 --> 00:17:52.358
You're gonna learn a lot.

00:17:52.403 --> 00:17:56.153
To tell you the truth I'm not gonna
lie, I've done stuff like that where I

00:17:56.153 --> 00:17:59.333
accidentally ran malware on a host and I'm
like, all right, just gotta re-image that.

00:17:59.663 --> 00:18:03.593
But it's something that can
be done too in as a pastime.

00:18:03.713 --> 00:18:07.253
There's a bunch of different
honeypot open source stuff out there.

00:18:09.063 --> 00:18:12.843
josh-mason--he-him-_43_09-03-2025_170632:
And frankly there's the ability

00:18:12.843 --> 00:18:17.523
to pull down a lot of stuff and
follow along with what you're doing

00:18:18.453 --> 00:18:21.438
on ANY.RUN with the latest win.

00:18:23.808 --> 00:18:25.668
It's a bit much for me.

00:18:26.208 --> 00:18:29.088
There's a reason I do sales
for a pen testing company

rather than doing pen testing.

00:18:30.918 --> 00:18:33.108
I've realized what I
like to do with my day.

00:18:34.068 --> 00:18:34.698
But

00:18:36.828 --> 00:18:43.203
for other people, like if you
enjoy really that stuff, excellent.

00:18:43.908 --> 00:18:48.258
There's ways of like really doing it and
being able to follow along and love it.

00:18:50.018 --> 00:18:50.588
john-hammond_1_09-03-2025_170629:
Absolutely.

00:18:53.013 --> 00:18:55.203
josh-mason--he-him-_43_09-03-2025_170632:
If someone else makes the same

00:18:55.203 --> 00:19:02.013
video, or makes a video of their
approach to the same like malware,

00:19:04.173 --> 00:19:05.373
that's not a bad thing.

00:19:05.853 --> 00:19:09.063
john-hammond_1_09-03-2025_170629: Yeah
can I, actually, this is super cool.

00:19:09.063 --> 00:19:11.013
It's a little bit tactical
and current, if I may.

00:19:12.828 --> 00:19:17.598
There are incredible, phenomenal, and
fantastic content creators out there.

00:19:18.198 --> 00:19:23.778
And I am just one of a few I hope,
I'm in that cool sweet group.

00:19:24.018 --> 00:19:26.598
But there are so many that
I adore and look up to.

00:19:26.868 --> 00:19:30.618
And a good friend of mine, genuinely
from college days while I was at

00:19:30.618 --> 00:19:33.888
the Coast Guard Academy, he was at
the military academy at West Point.

00:19:34.943 --> 00:19:38.903
Ed, or Low Level, some might know,
some might know his online handle.

00:19:39.083 --> 00:19:40.373
It used to be Low Level Learning.

00:19:40.373 --> 00:19:43.073
I think now he shortened it
to be cool hip Low Level.

00:19:43.463 --> 00:19:48.413
But he had just gotten out a video on
Docker, the containerization kind of

00:19:48.413 --> 00:19:54.348
capability for, running a little kind
of, not really a virtual machine, but

00:19:54.348 --> 00:19:58.908
a container to, to run more code and
applications in this sort of sandbox area.

00:19:59.778 --> 00:20:02.988
But there was some silly
shenanigans of vulnerability for

00:20:02.988 --> 00:20:05.038
Docker on Windows, where that.

00:20:05.703 --> 00:20:09.303
API or like the control plane that
could handle and spawn off and

00:20:09.303 --> 00:20:14.673
spin up new containers was exposed
and there was no authentication.

00:20:14.763 --> 00:20:16.893
There was no access control
in the middle of it.

00:20:17.103 --> 00:20:21.813
So even from inside of a guest
container, you could create and

00:20:21.813 --> 00:20:27.123
spawn and mount the host computer
file system and then get, oh, remote

00:20:27.123 --> 00:20:29.463
code execution, critical damage, 9.8

00:20:29.463 --> 00:20:30.303
cv, blah, blah, blah.

00:20:32.253 --> 00:20:33.963
And Ed put out this video.

00:20:35.043 --> 00:20:36.843
And I put out.

00:20:37.173 --> 00:20:40.473
The same video, basically covering
and showing the same thing.

00:20:41.373 --> 00:20:45.903
And I feel I, feel humanly the
certain amount of guilt and shame oh

00:20:45.903 --> 00:20:47.223
dang, someone beat me to the punch.

00:20:47.373 --> 00:20:48.963
And it's the same stuff.

00:20:49.023 --> 00:20:54.873
But the way that you tell a story,
the way that you explain what the

00:20:54.878 --> 00:20:57.453
CSRF or SSRF vulnerability might be.

00:20:58.313 --> 00:21:01.703
That could totally relate to
more folks in a different way

00:21:01.703 --> 00:21:03.113
than another content creator.

00:21:03.323 --> 00:21:07.853
So I know I'm seeing the I'm, having
the shame of Hey, someone already

00:21:07.853 --> 00:21:09.323
talked about this a couple days ago.

00:21:09.503 --> 00:21:11.993
It's look, I'm not trying
to announce this thing.

00:21:11.993 --> 00:21:13.373
This isn't some breaking news.

00:21:13.373 --> 00:21:19.553
This is, I hope, an educational vessel
that will live and permeate throughout.

00:21:19.623 --> 00:21:20.193
Time.

00:21:20.283 --> 00:21:23.463
Someone's gonna find this video
however many years on from now, and

00:21:23.463 --> 00:21:27.573
I hope that'll bring value to them,
maybe some way, somehow down the line.

00:21:28.173 --> 00:21:28.923
So still do it.

00:21:28.953 --> 00:21:29.793
Still get it out there.

00:21:29.793 --> 00:21:35.373
Even if oh, someone else already has
your presentation, your way, your story

00:21:35.373 --> 00:21:37.563
is still gonna resonate with folks.

00:21:38.848 --> 00:21:39.088
wade-wells_24_09-03-2025_140632: I think

00:21:39.778 --> 00:21:40.143
josh-mason--he-him-_43_09-03-2025_170632:
huge.

00:21:40.168 --> 00:21:41.098
wade-wells_24_09-03-2025_140632:
I watched your, video.

00:21:41.098 --> 00:21:43.978
It's really, it was really old
on alternative data streams

00:21:44.038 --> 00:21:45.298
and Windows file system.

00:21:45.328 --> 00:21:47.458
I watched that pro,
yeah, it was an old one.

00:21:47.698 --> 00:21:51.268
But the thing is I built a detection
for it and of course, what do you do?

00:21:51.748 --> 00:21:55.948
You gotta run the detect, you got an
attack, and I was able, watching your videos,

00:21:55.948 --> 00:21:58.708
to follow along, and there were
like countless other videos, but it was.

00:21:59.063 --> 00:22:02.033
A lit like that attack is
actually pretty old, right?

00:22:02.213 --> 00:22:02.613
john-hammond_1_09-03-2025_170629: Yes.

00:22:02.663 --> 00:22:04.703
wade-wells_24_09-03-2025_140632: it's
not a new thing, but once again, like

00:22:04.703 --> 00:22:08.123
you said, you coming, you creating it
even though there's plenty of other ones.

00:22:08.483 --> 00:22:10.343
And honestly, you're
already a trusted source.

00:22:10.343 --> 00:22:12.773
So I knew that was a,
slam dunk person to go to.

00:22:12.773 --> 00:22:13.913
Yeah, it was a while.

00:22:13.913 --> 00:22:14.873
It was probably like two years ago.

00:22:14.873 --> 00:22:15.803
It was a cool detection too.

00:22:16.583 --> 00:22:18.543
john-hammond_1_09-03-2025_170629: Was
that the one, and I'm gonna nerd out here.

00:22:18.543 --> 00:22:20.133
Forgive me, I'm so sorry because the.

00:22:20.693 --> 00:22:21.108
wade-wells_24_09-03-2025_140632:
No, you're all

00:22:21.168 --> 00:22:23.178
john-hammond_1_09-03-2025_170629:
Cool thing about the cool thing

00:22:23.178 --> 00:22:24.558
about alternate data streams.

00:22:24.558 --> 00:22:26.898
'cause we saw some, like some
ransomware gang doing this

00:22:26.898 --> 00:22:29.118
however many months or times ago.

00:22:30.078 --> 00:22:33.678
If you put an alternate data stream,
which is a little, I don't know,

00:22:33.708 --> 00:22:37.578
Easter egg of the NTFS or Windows
file system, if you put it at the

00:22:37.578 --> 00:22:40.368
absolute root of the drive, like C colon

00:22:41.288 --> 00:22:41.558
wade-wells_24_09-03-2025_140632: Yep.

00:22:41.658 --> 00:22:42.348
john-hammond_1_09-03-2025_170629:
then you can't.

00:22:43.563 --> 00:22:43.803
them.

00:22:44.013 --> 00:22:47.913
You'll never be able to list them
out or even know that they existed.

00:22:48.183 --> 00:22:52.353
You just had to know exactly the name
that you chose, and it's like a certain

00:22:52.353 --> 00:22:54.483
kind of secret you could hide away.

00:22:55.388 --> 00:22:58.028
wade-wells_24_09-03-2025_140632: yeah,
that was the exact video, and so writing

00:22:58.028 --> 00:22:59.678
a detection for it, I saw the same report.

00:23:00.323 --> 00:23:03.443
And then had to do like a quick
little write-up for IR, right?

00:23:03.653 --> 00:23:06.743
Hey, if you guys like see
something like this hey, you have

00:23:06.743 --> 00:23:07.923
to go to this exact location,

00:23:08.223 --> 00:23:08.943
john-hammond_1_09-03-2025_170629: Sweet.

00:23:08.993 --> 00:23:09.833
wade-wells_24_09-03-2025_140632:
what we're gonna have to do.

00:23:09.833 --> 00:23:11.753
Or at the end of the day,
we just nuke the system.

00:23:13.998 --> 00:23:15.528
john-hammond_1_09-03-2025_170629:
are those small, fun things, though

00:23:15.528 --> 00:23:17.418
I hope, again, they all add up.

00:23:17.448 --> 00:23:18.318
They compound over

00:23:18.318 --> 00:23:18.653
time.

00:23:19.608 --> 00:23:22.878
The parts of the attack chain,
all those links in the chain where

00:23:22.913 --> 00:23:23.093
wade-wells_24_09-03-2025_140632:
All right.

00:23:23.118 --> 00:23:24.948
john-hammond_1_09-03-2025_170629: just
get a little bit more understanding, more

00:23:24.948 --> 00:23:30.318
of the context, more of the knowhow, Hey
you're, you got a sword and shield there.

00:23:32.883 --> 00:23:33.423
josh-mason--he-him-_43_09-03-2025_170632:
For sure.

00:23:36.618 --> 00:23:41.808
I remember, yeah, four or five years
ago especially during the pandemic.

00:23:44.358 --> 00:23:49.548
A lot of videos about TryHackMe,
Hack The Box CTFs.

00:23:49.998 --> 00:23:55.068
Now I know you still are doing
CTFs, but you're building them and

00:23:55.068 --> 00:23:57.288
hosting them and teaching them.

00:23:57.528 --> 00:23:59.148
Are you still participating?

00:23:59.148 --> 00:24:05.418
Are you on a CTF team anymore or are
you more on the teach create and.

00:24:07.288 --> 00:24:08.098
john-hammond_1_09-03-2025_170629: Yeah.

00:24:08.958 --> 00:24:11.748
Let me say this breaks my heart.

00:24:12.738 --> 00:24:19.758
I wish I were doing more pure capture the
flag and playing CTF and participating in

00:24:19.758 --> 00:24:22.578
a lot of the war games as I am these days.

00:24:23.313 --> 00:24:26.598
I, that has faded away a
lot and it breaks my heart.

00:24:26.598 --> 00:24:27.378
I'm super sad.

00:24:28.368 --> 00:24:33.108
But it's I, think outside looking
in, if I were to zoom way out,

00:24:35.748 --> 00:24:40.908
I think in my own growth, like in my
own trajectory, that's getting older,

00:24:40.908 --> 00:24:46.008
getting married hey, trying to get
in the industry, do more for work and

00:24:46.008 --> 00:24:48.468
stuff, and life, that takes up time.

00:24:48.798 --> 00:24:51.858
So your priorities just
shift a little bit.

00:24:52.518 --> 00:24:53.748
And I think everyone goes through that.

00:24:53.748 --> 00:24:54.378
I don't know if you all

00:24:54.533 --> 00:24:54.713
wade-wells_24_09-03-2025_140632: Yeah.

00:24:55.163 --> 00:24:55.493
Yep.

00:24:55.643 --> 00:24:56.693
Exactly the same way.

00:24:56.753 --> 00:24:58.763
I don't do CTFs at all,
and I wish I could.

00:24:58.773 --> 00:24:59.283
john-hammond_1_09-03-2025_170629:
I know it.

00:24:59.623 --> 00:24:59.913
josh-mason--he-him-_43_09-03-2025_170632:
Yeah.

00:25:00.213 --> 00:25:02.013
john-hammond_1_09-03-2025_170629:
students, all of our young guns

00:25:02.013 --> 00:25:03.758
listening, do it while you can.

00:25:04.583 --> 00:25:06.923
wade-wells_24_09-03-2025_140632: Yeah,
it's definitely a young man's game, right?

00:25:07.313 --> 00:25:10.073
Going to a conference nowadays
and sitting down to a CTF.

00:25:10.073 --> 00:25:13.733
There's no way I want to do it
just because it's more fun going

00:25:13.733 --> 00:25:17.753
off for me and talking to people
where I've done most of the CTFs.

00:25:17.753 --> 00:25:21.053
I feel like the other interesting part
for me is half the time I feel like it's

00:25:21.053 --> 00:25:23.633
just learning whatever tool the F is in.

00:25:24.023 --> 00:25:25.073
That's the real struggle.

00:25:25.073 --> 00:25:27.353
I know the attack chain, but yeah.

00:25:28.623 --> 00:25:28.803
josh-mason--he-him-_43_09-03-2025_170632:
Yeah.

00:25:28.803 --> 00:25:31.623
Now we're coordinating conferences, not

00:25:32.438 --> 00:25:33.573
Trying to beat the CTF.

00:25:33.953 --> 00:25:35.483
wade-wells_24_09-03-2025_140632:
If we upgraded from CTFs.

00:25:39.063 --> 00:25:39.753
josh-mason--he-him-_43_09-03-2025_170632:
Seriously.

00:25:44.313 --> 00:25:48.213
What, would you love to
see be the new trend?

00:25:48.813 --> 00:25:53.163
So now that you said it, not me.

00:25:53.478 --> 00:25:57.123
I, consider myself old, but now if you're
willing to put yourself in the same

00:25:57.123 --> 00:25:59.013
old person bucket as the rest of us.

00:26:00.123 --> 00:26:01.563
'cause Wade's definitely old like me.

00:26:04.368 --> 00:26:09.618
What would you like to see out of
the next generations, John Hammond?

00:26:10.338 --> 00:26:14.898
And do you know of them if so,

00:26:18.018 --> 00:26:21.378
yeah, who are they and who
should we point the should we

00:26:21.378 --> 00:26:22.878
be pointing 'em out to folks?

00:26:23.523 --> 00:26:25.083
john-hammond_1_09-03-2025_170629:
Very sweet, very flattering.

00:26:26.733 --> 00:26:28.053
I, don't think I could give any.

00:26:29.103 --> 00:26:32.343
Oh, names or, just shooting from the hip.

00:26:32.613 --> 00:26:35.343
Pull a name outta the hat
for Cool and incredible.

00:26:35.343 --> 00:26:37.083
There are so many phenomenal folks.

00:26:37.263 --> 00:26:40.713
A lot of them are doing some
sweet stuff with the US Cyber Team

00:26:40.713 --> 00:26:42.273
or some of the US Cyber Games.

00:26:42.783 --> 00:26:45.003
A lot of those kids are geniuses.

00:26:45.003 --> 00:26:46.143
They're absolute wizards.

00:26:47.943 --> 00:26:52.353
What I hope we do both as more Yeah.

00:26:52.353 --> 00:26:54.933
Even the practitioners, the
people that are working in, the

00:26:54.933 --> 00:26:57.963
trenches and as an industry, I.

00:26:59.028 --> 00:27:04.188
This is totally just a John opinion,
but I think it's so cool when we now

00:27:04.188 --> 00:27:07.848
know this blue and red team side,
and especially on the defensive end.

00:27:07.848 --> 00:27:11.118
'cause I know that's the focus of
our podcast and conversation here.

00:27:12.558 --> 00:27:18.018
We can put these together when you start
to get a little bit of trickery for the

00:27:18.018 --> 00:27:21.228
adversaries and defend it in that way.

00:27:21.738 --> 00:27:22.968
What I mean by that.

00:27:23.298 --> 00:27:26.928
May or may not be a hot topic
for folks, but I'm a huge

00:27:26.928 --> 00:27:29.238
proponent of like deception.

00:27:29.843 --> 00:27:30.173
wade-wells_24_09-03-2025_140632: Yes.

00:27:30.888 --> 00:27:31.728
john-hammond_1_09-03-2025_170629: Yes.

00:27:32.168 --> 00:27:32.388
wade-wells_24_09-03-2025_140632: Ah.

00:27:33.813 --> 00:27:35.073
john-hammond_1_09-03-2025_170629:
And folks are always, yeah,

00:27:35.073 --> 00:27:36.423
let me throw out a honeypot.

00:27:36.423 --> 00:27:39.693
Let me get some network device
that, oh, ha, I can, if you nmap

00:27:39.693 --> 00:27:41.883
it, the ports go away bonkers.

00:27:41.913 --> 00:27:42.393
Sure.

00:27:42.663 --> 00:27:48.603
But I want on the endpoints, 'cause these
attack chains, this tradecraft, all these

00:27:48.603 --> 00:27:54.513
living off the land tricks and all that
hey, freak out and scare the attackers

00:27:54.813 --> 00:27:56.793
by putting a couple landmines there.

00:27:57.543 --> 00:27:59.823
Those I think will be really awesome.

00:28:00.393 --> 00:28:03.303
When you put that together with
detection engineering, when you

00:28:03.303 --> 00:28:07.323
put that together with deception
engineering in a sweet, wild way.

00:28:09.423 --> 00:28:15.243
that I think is the coolest, perfect blend
for both red and blue, and I hope that

00:28:15.243 --> 00:28:19.653
gets much more love and is embraced by,
yeah, the new generation, if I may say

00:28:20.828 --> 00:28:21.188
wade-wells_24_09-03-2025_140632: I love

00:28:21.188 --> 00:28:21.428
it.

00:28:21.588 --> 00:28:21.708
josh-mason--he-him-_43_09-03-2025_170632:
it.

00:28:21.878 --> 00:28:23.408
wade-wells_24_09-03-2025_140632:
That is literally deception

00:28:23.408 --> 00:28:24.578
is one of my favorites.

00:28:25.823 --> 00:28:28.373
Frustrated, like coming
from John Strand, right?

00:28:28.373 --> 00:28:32.633
With the deception engineering
courses and me, I've deployed several

00:28:32.633 --> 00:28:35.513
deception technologies at a couple
companies and it's always literally

00:28:35.513 --> 00:28:39.173
been my favorite because you just,
you hear the red team cry, you win.

00:28:39.173 --> 00:28:40.583
It wins all the time.

00:28:40.733 --> 00:28:41.783
It's easy wins.

00:28:41.783 --> 00:28:42.053
Yeah.

00:28:45.573 --> 00:28:45.993
josh-mason--he-him-_43_09-03-2025_170632:
All day.

00:28:48.783 --> 00:28:51.603
As a solutions architect,
like sales engineer type.

00:28:51.603 --> 00:28:56.193
If I turn in a old report to someone
on their external and they're like,

00:28:56.223 --> 00:28:57.513
haha, those are all my honeypots.

00:28:57.543 --> 00:28:58.683
I'm like, excellent.

00:28:58.773 --> 00:28:59.223
Great.

00:28:59.433 --> 00:28:59.973
Perfect.

00:29:00.303 --> 00:29:00.693
Good.

00:29:01.263 --> 00:29:04.983
Let's get some people looking
at the stuff and get past that.

00:29:06.183 --> 00:29:07.173
At the real stuff.

00:29:08.033 --> 00:29:10.433
wade-wells_24_09-03-2025_140632: AKA,
he hates deception is what he is saying

00:29:10.773 --> 00:29:13.683
josh-mason--he-him-_43_09-03-2025_170632:
No, that.

00:29:14.628 --> 00:29:18.918
That shows me someone's at a, great
level of maturity in their cyber program.

00:29:19.323 --> 00:29:19.623
john-hammond_1_09-03-2025_170629:
That's the

00:29:19.698 --> 00:29:21.258
josh-mason--he-him-_43_09-03-2025_170632:
So as a sales dude that's

00:29:21.638 --> 00:29:21.908
wade-wells_24_09-03-2025_140632: There,

00:29:23.028 --> 00:29:23.868
josh-mason--he-him-_43_09-03-2025_170632:
is, this could be

00:29:23.948 --> 00:29:24.728
wade-wells_24_09-03-2025_140632:
about that though.

00:29:25.238 --> 00:29:28.358
People think you have to be
super mature to do deception.

00:29:28.508 --> 00:29:29.918
I don't think you have to be that mature.

00:29:29.918 --> 00:29:32.168
You just have to have good notes, right?

00:29:32.168 --> 00:29:36.818
Like it to deploy deception and at least
in an internal network is fairly easy,

00:29:37.148 --> 00:29:39.788
fairly cheap, thanks to Thinkst, right?

00:29:40.088 --> 00:29:44.828
And is not, it is definitely like
free if you think about it correctly.

00:29:45.278 --> 00:29:48.248
That's the one thing like fake

00:29:48.428 --> 00:29:49.343
josh-mason--he-him-_43_09-03-2025_170632:
I'm talking to though.

00:29:49.643 --> 00:29:50.063
wade-wells_24_09-03-2025_140632: Oh yeah.

00:29:50.063 --> 00:29:51.473
The people you're talking
to a lot different.

00:29:51.473 --> 00:29:51.833
Yeah.

00:29:52.193 --> 00:29:55.793
Setting up some like fake AD
records of a Windows 2003 box on

00:29:55.793 --> 00:29:57.353
your network with an IP address.

00:29:57.833 --> 00:29:58.193
Boom.

00:29:58.193 --> 00:29:59.873
Dude, that's gonna catch people all day,

00:30:01.473 --> 00:30:01.893
josh-mason--he-him-_43_09-03-2025_170632:
Nice.

00:30:02.353 --> 00:30:04.753
john-hammond_1_09-03-2025_170629:
I will sprinkle in some, of that

00:30:04.753 --> 00:30:06.148
sugar though, just as you mentioned.

00:30:06.148 --> 00:30:06.463
Yeah.

00:30:06.493 --> 00:30:07.693
Usually this is, that is.

00:30:08.718 --> 00:30:13.788
Normally the latter end of you bolstering
and building your security posture.

00:30:14.088 --> 00:30:16.788
Get all the fundamentals, get the
bare bone basics, get all that

00:30:16.788 --> 00:30:21.348
stuff locked in first, do the two
factor education, blah, blah, blah.

00:30:21.798 --> 00:30:25.278
Hey, make sure we've got the
training in place, yada, yada, yada.

00:30:25.368 --> 00:30:30.948
Checklists, asset application inventory,
everyone knows, but we need to get

00:30:30.948 --> 00:30:32.683
everyone to get that right first.

00:30:33.888 --> 00:30:34.458
josh-mason--he-him-_43_09-03-2025_170632:
Yeah.

00:30:35.388 --> 00:30:35.778
That.

00:30:36.648 --> 00:30:41.598
If I start seeing that and they start
talking about it, I'm hoping I'm, assuming

00:30:41.988 --> 00:30:46.038
that they've, they're along the same lines
as what you just mentioned, that they've

00:30:46.428 --> 00:30:51.378
done all those basics and that we're
having a, mature conversation about yeah,

00:30:51.558 --> 00:30:56.628
like we're, we've done all these things
and now we're having fun okay, cool.

00:30:56.958 --> 00:30:58.848
Now let's like have some real great

00:30:59.208 --> 00:30:59.658
john-hammond_1_09-03-2025_170629: Oh yeah.

00:31:00.573 --> 00:31:00.993
josh-mason--he-him-_43_09-03-2025_170632:
Yeah.

00:31:01.923 --> 00:31:05.313
You probably understand
it as well, I'm sure.

00:31:05.763 --> 00:31:06.063
Yeah.

00:31:06.183 --> 00:31:09.363
Huntress's customers are
also in that similar vein.

00:31:13.653 --> 00:31:15.963
I wanna have one goofy question.

00:31:16.473 --> 00:31:23.223
If reverse engineering malware
were a video game, what's been

00:31:23.223 --> 00:31:25.623
your hardest boss fight so far?

00:31:28.893 --> 00:31:33.183
Been like the one thing where
you've been like, this sucked.

00:31:35.553 --> 00:31:36.333
john-hammond_1_09-03-2025_170629: Can I

00:31:37.083 --> 00:31:38.943
maybe level set it in a cool way?

00:31:39.873 --> 00:31:45.843
I'll be the first to admit I am
not all that sharp inside of a.

00:31:48.123 --> 00:31:51.483
I can't read assembly fluently by any means.

00:31:51.993 --> 00:31:53.013
I've gotta jump around.

00:31:53.163 --> 00:31:55.773
I hope I can find a
decompiler if that works well.

00:31:55.863 --> 00:31:59.283
So raw op codes and machine
codes, I struggle with it.

00:32:00.123 --> 00:32:02.688
josh-mason--he-him-_43_09-03-2025_170632:
Maybe not reversing, but analysis.

00:32:02.958 --> 00:32:04.458
Maybe a, yeah.

00:32:05.328 --> 00:32:06.438
Was there a.

00:32:08.943 --> 00:32:12.633
A a malware, oh.

00:32:12.843 --> 00:32:18.753
Or is that the thing that, like the part
that is, has been the hardest for you?

00:32:18.753 --> 00:32:24.308
Is it using like a Ghidra or an IDA Pro.

00:32:24.693 --> 00:32:28.203
john-hammond_1_09-03-2025_170629: Yeah,
so it's neat because I think in the real

00:32:28.203 --> 00:32:35.763
world a lot of times you don't always get
to that hardcore compiled flat binary.

00:32:36.513 --> 00:32:38.223
You'll see folks using PowerShell.

00:32:38.223 --> 00:32:43.233
You'll see them using silly cutesy like
Visual Basic Script or JScript or Python

00:32:43.233 --> 00:32:48.123
or silly scripting languages that still
get them to the place where they're.

00:32:48.648 --> 00:32:54.168
Doing damage, running infostealers, dropping
ransomware, and those can be much

00:32:54.168 --> 00:32:58.668
more easily signatured and oh, figured
out, analyzed in a dynamic sandbox.

00:32:58.938 --> 00:33:04.728
So those are always the hard bosses for
me as to okay, I gotta have to crack

00:33:04.728 --> 00:33:11.748
open Ghidra, IDA, Binary Ninja, and then
just drone through however many lines

00:33:11.748 --> 00:33:13.998
of assembly op codes and instructions.

00:33:14.883 --> 00:33:15.543
josh-mason--he-him-_43_09-03-2025_170632:
Gotcha.

00:33:15.948 --> 00:33:16.788
john-hammond_1_09-03-2025_170629:
it's tough.

00:33:16.878 --> 00:33:17.658
I'll be the first

00:33:17.658 --> 00:33:18.138
to admit.

00:33:18.408 --> 00:33:23.268
So I do like when, oh, we get to play
with some of those script-based malware

00:33:23.268 --> 00:33:26.718
while they stage and prepare all
these droppers and lures and all that.

00:33:27.618 --> 00:33:32.238
All to eventually get to what
is the end of the attack chain.

00:33:32.538 --> 00:33:35.658
But the whole rest of it
is neat and fun and cool.

00:33:37.278 --> 00:33:38.778
I don't know if I answered your question.

00:33:39.923 --> 00:33:40.493
wade-wells_24_09-03-2025_140632:
No, you did.

00:33:40.493 --> 00:33:40.883
I got it.

00:33:40.923 --> 00:33:41.523
josh-mason--he-him-_43_09-03-2025_170632:
I get that.

00:33:41.553 --> 00:33:42.033
Yeah.

00:33:42.573 --> 00:33:47.223
Assembly and messy, non-flat.

00:33:47.943 --> 00:33:53.073
Binary stuff in like a disassembler
being the pain in the butt.

00:33:54.123 --> 00:33:54.543
Yeah.

00:33:54.843 --> 00:33:56.403
john-hammond_1_09-03-2025_170629:
that's relatable thing for

00:33:56.403 --> 00:33:57.513
a lot of folks tuning in.

00:33:57.693 --> 00:33:59.133
'cause you might be in the same boat.

00:33:59.163 --> 00:34:00.663
Hey man, it's tough getting

00:34:00.813 --> 00:34:01.293
josh-mason--he-him-_43_09-03-2025_170632:
feel that.

00:34:01.293 --> 00:34:01.953
I felt that

00:34:02.448 --> 00:34:02.668
john-hammond_1_09-03-2025_170629: but

00:34:02.678 --> 00:34:04.298
wade-wells_24_09-03-2025_140632:
blue teams are never gonna deal with

00:34:04.328 --> 00:34:04.818
john-hammond_1_09-03-2025_170629: exactly.

00:34:04.838 --> 00:34:05.118
wade-wells_24_09-03-2025_140632: right?

00:34:05.498 --> 00:34:08.228
You're gonna hire some type of IR
company and they're gonna come in.

00:34:08.228 --> 00:34:10.628
Some dude who's specialized
been doing that for 20 years.

00:34:10.628 --> 00:34:12.758
No one ever like this,
like exactly what you said.

00:34:12.758 --> 00:34:15.818
The scripts are what we all look at
because we can easily read them and

00:34:15.818 --> 00:34:20.313
understand and pull out those atomic
IOCs out of them and follow the chain.

00:34:21.128 --> 00:34:27.218
But that last piece, that EXE, I don't
think I've ever actually taken apart one.

00:34:27.218 --> 00:34:29.678
Just drop it in a sandbox,
then see what it does.

00:34:29.678 --> 00:34:30.488
It's easier to do.

00:34:30.633 --> 00:34:31.833
john-hammond_1_09-03-2025_170629:
Yeah, folks will use VirusTotal,

00:34:31.833 --> 00:34:34.263
folks will use VMs, right?

00:34:34.293 --> 00:34:38.133
Folks will use ANY.RUN, whatever
to see the dynamic analysis.

00:34:38.163 --> 00:34:42.363
So I hope that doesn't spook or
scare anyone when they're thinking

00:34:42.363 --> 00:34:46.023
about, oh, malware analysis,
researcher, reverse engineering.

00:34:46.173 --> 00:34:46.503
There is

00:34:46.983 --> 00:34:49.863
Much more to it than flat.

00:34:50.698 --> 00:34:54.208
Compiled hardcore EXE or any of that.

00:34:54.448 --> 00:34:58.948
So I hope you know that helps even
just set expectations and levels

00:34:58.948 --> 00:35:00.028
set for the folks tuning in.

00:35:00.388 --> 00:35:03.538
You don't have to fight those hard
bosses and dragons all the time.

00:35:04.748 --> 00:35:05.423
wade-wells_24_09-03-2025_140632:
I usually don't.

00:35:05.753 --> 00:35:05.963
Yeah.

00:35:06.318 --> 00:35:06.648
josh-mason--he-him-_43_09-03-2025_170632:
Yeah.

00:35:09.513 --> 00:35:09.803
Wade,

00:35:09.803 --> 00:35:09.908
do

00:35:10.538 --> 00:35:12.278
wade-wells_24_09-03-2025_140632:
Yeah, usually we end on one question.

00:35:12.878 --> 00:35:15.788
What is your one piece of
advice for a blue teamer?

00:35:16.088 --> 00:35:19.838
It can be any level, can be any
grade, any person, anywhere.

00:35:20.168 --> 00:35:22.028
Just straight blue teamer.

00:35:22.028 --> 00:35:22.928
General advice.

00:35:23.223 --> 00:35:23.443
john-hammond_1_09-03-2025_170629: Huh

00:35:24.638 --> 00:35:25.388
wade-wells_24_09-03-2025_140632:
Yeah, it's a hard one.

00:35:30.588 --> 00:35:31.548
john-hammond_1_09-03-2025_170629:
I think I've got it.

00:35:32.023 --> 00:35:32.313
wade-wells_24_09-03-2025_140632: Okay.

00:35:32.613 --> 00:35:34.578
john-hammond_1_09-03-2025_170629:
Maybe everyone says the same thing.

00:35:34.578 --> 00:35:35.888
I don't know, but.

00:35:36.188 --> 00:35:37.298
wade-wells_24_09-03-2025_140632:
Surprisingly, no one

00:35:37.298 --> 00:35:38.228
has really said the same

00:35:38.228 --> 00:35:38.528
thing.

00:35:39.243 --> 00:35:39.483
josh-mason--he-him-_43_09-03-2025_170632:
almost.

00:35:39.578 --> 00:35:39.938
wade-wells_24_09-03-2025_140632: Yeah.

00:35:40.048 --> 00:35:41.928
john-hammond_1_09-03-2025_170629:
I'm sure someone will maybe

00:35:41.928 --> 00:35:43.428
I'm duplicating someone now.

00:35:45.168 --> 00:35:48.018
I think we've already ran all over the
map to talk about, Hey, make sure it's

00:35:48.018 --> 00:35:50.538
fun, make sure it's a passion, make
sure it's something that you enjoy and

00:35:50.538 --> 00:35:52.338
you can show your work kind of thing.

00:35:52.818 --> 00:35:58.098
But what I would give is my best
advice, especially for blue teamers

00:35:58.098 --> 00:35:59.568
or the folks doing defense work.

00:36:00.948 --> 00:36:07.758
Take notes, document, documentation, the
worst, the thing that everyone hates.

00:36:08.028 --> 00:36:13.638
But seriously put it in a place that
other folks can see and read and

00:36:13.638 --> 00:36:19.338
can refer back to so that something
doesn't live and die in a Slack thread.

00:36:19.668 --> 00:36:20.328
You know what I mean?

00:36:22.218 --> 00:36:22.703
Put it in

00:36:23.543 --> 00:36:23.983
a wiki.

00:36:24.083 --> 00:36:25.253
wade-wells_24_09-03-2025_140632:
left an organization and then

00:36:25.253 --> 00:36:28.763
two weeks later I got hit up, but
Hey this canary just went off.

00:36:28.823 --> 00:36:29.843
Like, why?

00:36:29.933 --> 00:36:31.643
And I'm like, whoa, I don't remember.

00:36:33.918 --> 00:36:34.908
john-hammond_1_09-03-2025_170629:
Write it down.

00:36:35.693 --> 00:36:38.393
wade-wells_24_09-03-2025_140632:
Yep, No, it was great.

00:36:38.423 --> 00:36:38.963
It was a good one.

00:36:39.543 --> 00:36:40.323
josh-mason--he-him-_43_09-03-2025_170632:
That's fresh.

00:36:40.643 --> 00:36:43.193
wade-wells_24_09-03-2025_140632:
Notion, Obsidian, what's your note

00:36:44.123 --> 00:36:45.438
Taking platform of choice.

00:36:45.738 --> 00:36:48.078
john-hammond_1_09-03-2025_170629:
I am an Obsidian junkie.

00:36:48.138 --> 00:36:48.498
I'll be the

00:36:48.798 --> 00:36:49.193
wade-wells_24_09-03-2025_140632: Okay.

00:36:50.183 --> 00:36:50.633
All right.

00:36:52.158 --> 00:36:53.568
john-hammond_1_09-03-2025_170629:
Still use a little bit of Notion just

00:36:53.568 --> 00:36:55.308
for like organization work, but for

00:36:56.028 --> 00:36:58.158
Off the cuff, I need to
just jot something down.

00:36:58.398 --> 00:37:00.528
Obsidian makes it the most easy, thing.

00:37:01.478 --> 00:37:01.558
wade-wells_24_09-03-2025_140632: Agree.

00:37:03.603 --> 00:37:06.243
john-hammond_1_09-03-2025_170629: But
if I may, realistically, that should

00:37:06.243 --> 00:37:09.063
be like for an org for organizations.

00:37:09.063 --> 00:37:09.903
Confluence.

00:37:09.963 --> 00:37:12.273
A Wiki, something to

00:37:13.028 --> 00:37:16.958
wade-wells_24_09-03-2025_140632:
Atlassian, the, yeah, it's like the

00:37:16.958 --> 00:37:20.588
graveyard of all blue teams is Atlassian,
just all of their products together.

00:37:20.618 --> 00:37:22.538
Confluence and Jira.

00:37:24.168 --> 00:37:28.188
josh-mason--he-him-_43_09-03-2025_170632:
A SharePoint, a OneNote, a something,

00:37:28.188 --> 00:37:33.078
that lasts that most, a Google Doc
that multiple people have access to.

00:37:34.923 --> 00:37:37.443
Something word.

00:37:38.373 --> 00:37:38.793
John,

00:37:39.093 --> 00:37:39.483
john-hammond_1_09-03-2025_170629: guys.

00:37:39.483 --> 00:37:41.163
I feel like I've been
rambling for too long.

00:37:41.163 --> 00:37:42.303
Sorry we ran so late.

00:37:43.223 --> 00:37:43.523
wade-wells_24_09-03-2025_140632: Yeah,

00:37:43.523 --> 00:37:44.258
you're all good ahead.

00:37:44.343 --> 00:37:46.593
josh-mason--he-him-_43_09-03-2025_170632:
having a guest is you talk.

00:37:47.883 --> 00:37:50.193
If they wanted us to
talk, they'd invite us.

00:37:50.828 --> 00:37:51.068
wade-wells_24_09-03-2025_140632: Yeah.

00:37:51.363 --> 00:37:51.453
josh-mason--he-him-_43_09-03-2025_170632:
Dude.

00:37:51.818 --> 00:37:53.558
wade-wells_24_09-03-2025_140632:
So John, if people wanna find more

00:37:53.558 --> 00:37:55.343
about you, where would they go?

00:37:55.773 --> 00:37:56.313
john-hammond_1_09-03-2025_170629:
Oh totally.

00:37:56.313 --> 00:38:00.723
Hey, you can track me down out on the
internet you'll see my ugly mug just

00:38:00.723 --> 00:38:02.078
looking around for that redhead kiddo.

00:38:02.348 --> 00:38:08.078
But just my name, John Hammond, on
YouTube, on Twitter, on LinkedIn.

00:38:08.348 --> 00:38:09.218
Please don't hesitate.

00:38:09.218 --> 00:38:10.118
Don't be a stranger.

00:38:10.568 --> 00:38:11.948
Would love to chat anytime.

00:38:11.948 --> 00:38:12.338
Reach out.

00:38:12.338 --> 00:38:15.368
It might take me a little bit to
get to you, but I will absolutely

00:38:15.398 --> 00:38:16.268
do want to hear from you.

00:38:16.268 --> 00:38:17.708
So see me on out online.

00:38:18.683 --> 00:38:18.923
wade-wells_24_09-03-2025_140632: Awesome.

00:38:18.933 --> 00:38:21.303
josh-mason--he-him-_43_09-03-2025_170632:
if people wanted Just Hacking Training?

00:38:21.483 --> 00:38:22.473
Is there a place that they could

00:38:22.503 --> 00:38:23.433
john-hammond_1_09-03-2025_170629:
Thank you so much.

00:38:23.463 --> 00:38:23.883
Totally.

00:38:24.153 --> 00:38:27.153
Yeah Some fun extra venture
that we've been up to is

00:38:27.153 --> 00:38:30.033
getting some other curriculum,
material training out the door.

00:38:30.603 --> 00:38:33.303
That is Just Hacking Training, or JHT.

00:38:33.873 --> 00:38:36.903
If folks wanted to dive in, any of
that fun stuff, whether it's free

00:38:36.903 --> 00:38:41.073
name, your price, or any pay what you
want, shenanigans, justhacking.com.

00:38:41.283 --> 00:38:42.363
So thank you.

00:38:42.363 --> 00:38:43.323
Appreciate the shout out.

00:38:44.133 --> 00:38:44.823
josh-mason--he-him-_43_09-03-2025_170632:
of course.

00:38:47.253 --> 00:38:48.003
Big fan.

00:38:49.593 --> 00:38:51.213
Thank you John for joining us.

00:38:51.213 --> 00:38:53.973
This has been a lot of fun as always.

00:38:54.663 --> 00:38:56.403
See you in a couple months in Deadwood.

00:38:57.183 --> 00:38:58.413
john-hammond_1_09-03-2025_170629:
don't know if I'll make it out, but I'm

00:38:58.413 --> 00:38:59.638
trying my darnedest without a doubt.

00:39:00.063 --> 00:39:00.393
josh-mason--he-him-_43_09-03-2025_170632:
Okay?

00:39:01.233 --> 00:39:01.743
understand.

00:39:02.163 --> 00:39:02.763
Good stuff.

00:39:03.003 --> 00:39:09.723
Alright folks, if you enjoyed this
episode subscribe all of that fun stuff.

00:39:09.723 --> 00:39:12.693
Thank you to our sponsors
and we'll see you next week

00:39:13.283 --> 00:39:13.503
wade-wells_24_09-03-2025_140632: See,

00:39:14.823 --> 00:39:14.883
josh-mason--he-him-_43_09-03-2025_170632:
bye.