Those on the red team may not be household names to the everyday person, but they are absolutely legends and icons in the world of cybersecurity and hacking. While we have our personal favorite hackers between the two of us, we also invite our guest, Davin Jackson, to share his favorite cybersecurity legends and the lessons he’s learned from them.
[00:50] The importance of red teaming, especially during this season
[02:17] Ron and Chris’ first experience working in a red team environment
[11:23] Communication and collaboration between blue and red
[16:53] Knowledge gained from Davin Jackson’s humble beginnings in tech
[22:19] Gaining the blue perspective with Hacker Valley Blue
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac is pleased to offer an exclusive Red Team Content Bundle for Hacker Valley listeners. This bundle contains both our "Writing a Killer Penetration Test Report" and "Effective Purple Teaming" white papers in ONE awesome package. Head to PlexTrac.com/HackerValley to learn more about the platform and get your copy today!
Legends, Icons, Teachers, and Friends
From Marcus Carey to Johnny Long, we’re excited to share the legends that had an early influence and lasting impact on our careers in cybersecurity. While our two backgrounds in red teaming are different, we can attribute so much of our success and our ability to share our knowledge with all of you to the experts that were willing to invite us to join and learn the best hacking techniques alongside them.
“I think that's the most important thing in red teaming, it’s passing that knowledge on to someone else.” - Chris Cochran
Communication, collaboration, and community instead of red vs blue
It is not two teams with two separate fights when we’re talking about red teams and blue teams. Often, when cybersecurity is too focused on this split between offensive and defensive, we forget to collaborate and fall short of improving on issues we discovered. Communication between red and blue can be a costly struggle, which is why we’re happy to see our sponsor PlexTrac stepping in to develop communication technology for these teams.
“There's this push and pull of collaboration. On one hand, you want the red team to work autonomously…but on the other hand, they do need insight if you’re going to go deeper and deeper.” - Ron Eddings
Legends met, lessons learned, tech loneliness understood
In the latter half of our episode, we’re joined by Hacker Valley Blue host Davin Jackson, also known as DJax Alpha. Davin started his cybersecurity journey with no computer of his own. Working his way up from basic tech jobs at corporations like Circuit City, lessons Davin learned from the legends he looked up to include finding a mentor, focusing on networking (even when it feels like a dead end), and being always willing to share what you’ve learned.
“It’s about consistency, and you have to have self control and discipline…It’s one thing to get it, but it’s another to maintain that success.” - Davin
Axonius Ad 00:21
Hey everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast like me, or an IT, or a Security Pro, complexity is inevitable. And I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone. That's Axonius.com/Simone.
And we are back with another season of Hacker Valley Red where we are exploring the nexus of offensive cybersecurity and humanity with a hacker’s mindset. I'm one of your hosts. I'm Chris Cochran.
And I'm Ron Eddings. And this season, we're going to be exploring cybersecurity legends, people that have really put their heart and soul into this game of red teaming, offensive operations, and hacking, and we're going to be breaking it down and showing you all facets about cybersecurity legends.
One thing we didn't do last time is that we didn't talk about the origin of red teaming. So, when we talk about red teaming, it really came from the government, it came from the United States Air Force. In 1971, they had their first tiger teams, protecting computers, making sure that there were no gaps or vulnerabilities that could be exploited. And then we get even further and we talk about this red team mentality. Red teaming is playing the adversary; adversarial emulation is something we talk about all the time. This is really where it began, but why is it important? It's important because this is where we find the holes, the gaps, the things that we need to take care of because if we don't take care of it, the enemy sure will.
Exactly. And let's do a little history lesson on ourselves, too. I'm going to try to reflect back on when the first time I experienced a red team was, but I'll start with you, Chris, I'll have some time to think.
Yeah, absolutely. The first time I had dealt with a red team at all was in the United States Cyber Command. We had a red team cell, but they were more thinking about the strategy, like what would the enemy do to the nation via cyber? And so that's what really started having me think about the enemy side of intelligence, which is my background. So really understanding the intent, the motivations, the tactics, the techniques, the procedures that enemies do, because now what you can do is you can take what the folks that are committing these attacks are doing and you can bring that into your network and see what those attacks would look like. That's why it's super, super important. And one thing we should probably mention is that pen testing and red teaming are not necessarily the same thing. Pen testing is where it's completely open. Everyone knows that someone's doing this, you're looking for as many holes as possible. When you're doing a red team, this is usually secret. This is when someone is trying to break through and achieve some type of objective under the cover of the network. So, this is almost like a very realistic simulation of what an attack might look like.
Love it. And for me, the first time that I experienced anything close to a red team was when I was working for Booz Allen Hamilton. I was working with government agencies and my job was to do offensive operations. We had to do reconnaissance, discovery, enumeration on networks, and even users, to try to get an understanding of organizations' networks. And then, after we started doing our recon, we would create a plan for operations. And this operation will consist of us carrying out a set of steps to ultimately gain access to a network. And I'll be honest, like this was one of the first jobs that I had, I couldn't truly appreciate it because I didn't know all of the things that I will be exposed to on the defensive side. And I'll be honest, red teaming was a bit more fun as a practitioner, like I was hands on keyboard, rowing exploits, breaking into computer networks, and it was very fast-paced. It was almost like playing a game of soccer versus football. I feel like being on the blue side of the house is like, you're developing a play and you're trying to carry out that play to stop defense from penetrating your offense. And that's how I kind of looked at red teaming and offensive ops at that point in my career.
I got to bare my soul here for a second. I am honestly a red teamer at heart. I've never really had the moniker and never had the title as red teamer, but I've always been so fascinated with the red side of the house. The offensive side out of the house. Of course, I started with my CEH and all that good stuff to really just understand the concepts of hacking, but it's been near and dear to my heart for many, many years, even to the point where I used to teach things like lockpicking, like physical penetration testing, like actually breaking into organizations under the cover, under our guys, under some type of cover in order to get access to devices and get access to rooms that are controlled. But I really love this concept of red teaming because really, it's a puzzle. It's a giant puzzle that you need many, many pieces in order to exploit. So, when you're looking at things like: How do I get access to the people?
How do I get access to the building, the technology, the servers, the cloud infrastructure? All those things are different puzzles, and each puzzle has its own series of steps, or we sometimes call it, "the kill chain." These steps are how you get to that end objective of doing whatever it is that you want to do in this medium of red teaming. But what I love so much about this is that there are so many great people in the red, in the offensive side of cybersecurity; people that we look up to. One of my best friends in the world is Deviant Ollam, he is one of the pioneers of lock picking and pen testing from a physical standpoint. So, when you look at folks like that, they're really setting the stage for everything that's to come in the future. And there's so many things that we need to discuss in this particular season about where we're headed as a red team.
So, let's talk about cybersecurity legends. This season is themed legends, and we're going to be focusing on the legends of the red team side of the house. When I think of legends, the first name that pops into my mind is Johnny Long. He wrote the book on Google hacking. Google hacking is using built-in features of Google to discover specific pages, maybe pages that organizations and companies and users thought were hidden. But with Google hacking, you can look for things like file types, you can look for text in a page, and you can also search across an entire domain to see what pages Google has indexed. And this is really valuable for an attacker because sometimes, with Google indexing, you'll find administrative consoles and login pages. You may even find artifacts about like, internal documents that a company never meant to share with Google in the first place. So, that piece of the fundamentals for me really cemented Johnny Long as a legend for myself.
You know, it's so funny. I don't even know if you knew this, but I actually took pen testing with Backtrack with Johnny Long, like he was the instructor. I didn't even realize at that time, I knew he had a great reputation for the stuff that he does, great reputation for being a great instructor, but I had no idea that I was really taking a class with a legend at that time.
Yes, same here. So, when I first got started in cyber, I always like to attribute my success, at least part of it, to Marcus J. Carey. He wrote the book Tribe of Hackers. But when I met Marcus, he came into this public access channel studio that I was working at. I was doing work study in high school and just trying to make it by and these guys walked in: Johnny Long, Marcus Carey, and also Joe McCray. And they were doing a bit on cybersecurity here at some little small station at Anne Arundel County, Maryland, and they blew my mind, not because of how much they knew, but how inviting they were for me to get started in the field.
Yeah, that's incredible that you do something so young, and it becomes what you do forever. I wish that was my life. I wish as soon as I got out of high school, I hopped right into tech, but my life took a very, very different turn. I went to college first, ended up getting my degree in humanities, practically a philosophy degree, and ended up going to the United States Marine Corps. But what's really cool is that we both ended up at the National Security Agency. You were focused on offense, I was focused on intelligence, and then together, we synced up and ironed it, which I think is really, really cool. And one of the first things I remember from you is some of the exploitation stuff that you were doing with DNS at the time. I remember the day you came in, you're like, "Hey, we wrote this whole thing, we wrote this white paper." And I thought it was really, really cool. But then I really didn't understand your ability to teach because I think that's what is the most important thing in red teaming, is passing that knowledge to someone else. And when I saw that you taught people how to write exploits, that's when I was like, "This is the guy that can teach people and bring that next generation of cybersecurity practitioners up to the next level." But when you talk about red teaming, I mean, it's really, really super sexy, right? It's the coolest thing that you think of. It's usually what people think of like, "I'm in cybersecurity." "Oh, so that means you're a hacker, right?" Not always. But I mean, it is kind of like the cool crowd. But we should probably talk for a second about why sometimes red teams are great in theory, but in practice, they don't always live up to the expectation. Red teams can be great, they can be effective, they can go through all the things that they need to from an attacker standpoint, but they might miss the mark on communication, or maybe the communication was missed from the organization to the red team. Maybe that's not an important operation to execute, maybe they need you to focus on something else, something that's more critical. So, when communication is missed between the red team and the organization, or the red team and the blue team, that is a missed opportunity. Sometimes there's no buy-in, doing red teams is unbelievably expensive, especially when you have really skilled folks doing it, whether you're hiring folks to do red teaming, whether you are bringing in a third party to do a red team, it's really, really expensive. So, understanding what that framework for what that job is, is unbelievably important. Communication, teamwork, also not working in a silo. I think this kind of extends into that communication bit, but really understanding like, in the big picture of the cybersecurity program, where does red teaming fit in? From your perspective, where do you think sometimes red teams might miss the mark?
That is a loaded question, just because we know that that subject goes back far, pretty much since the beginning of red teaming, and even pen testing. It's almost like, there's this push and pull of collaboration, because on one hand, you want the red team to work autonomously and discover things without guilty knowledge of your network, because that makes it hard for the blue teamer. But on the other hand, the red teamers, they're trying to provide a service, they're trying to show you those flaws and vulnerabilities that may exist within your security stack, but they do need insight if you're going to go deeper and deeper, because that's what the attacker is going to do. The attacker is going to infiltrate a network, they're going to start to do reconnaissance, build a map, and then have an understanding of how your network works, and then use that understanding to get further and further. And the disconnect that I've seen in a lot of organizations is just this two team, two fight mentality, where the red team has their goals and missions and objectives, and the blue team has their missions and objectives, and they're not aligned at all.
Right. They're not aligned at all. And it's kind of like, back to that communication bit. Seems like we've said communication in three different ways, but one of the greatest things about this particular season, it is sponsored by PlexTrac. They are trying to solve this communication problem between the blue and the red team. It's from a prior red teamer that has spent most of his time writing reports, but this particular application enables that information to go into a single place where folks can go in and get the context they need to improve the security posture of that organization. Ron, when you were doing all of your work on the offensive side, and I'm sure there was a lot of notation that you had to keep track of, a lot of notes, a lot of like, "I did this, I did this at this time." How important would it be to have something like a PlexTrac in your corner?
So important. Just imagine, all the tools that you use for documentation are probably a little clunky. Like, we have Google Docs, Microsoft Word, we have Sheets, or Excel, and these are great for writing papers. But how can you take a paper and then make it actionable? That's the difficult part, is taking that report, digesting it, and making sure all of those items are hit. With PlexTrac and a tool like PlexTrac, you can not only have the report and the findings, but then you can relate that report to actions, you can pass those bullet points to team members and they can use an interface to say, "Yes, I did achieve this objective. I did remediate this finding." And then that creates that collaboration. Because then, when the red team goes back to the blue team on their next engagement, they can then say, "Hey, we know that the team fixed this, we can test those items, or we can skip them, or do a combination of both just to do an audit on what was found on the last red team engagement." And that's exactly what PlexTrac does through their platform, and we would highly recommend for you to check them out. They are a sponsor of this episode, but they are also friends of Hacker Valley. Check them out at PlexTrac.com/HackerValley. That's PlexTrac.com/HackerValley.
One of the things you just hit on is one of the biggest reasons why red teams don't have the impact that we hope they do in an organization, and that is this concept of ownership. It's great if you find all these holes and we put it in this beautiful document, but who's going to remediate all those vulnerabilities? Who's going to remediate all those gaps in our security posture? If we don't assign it to someone, if we don't say, "Hey, look, this is the stuff that we need to take care of in priority order," it's gonna just sit in a document. So, understanding all the things that need to be done, and then also, figuring out who needs to do them is the most important thing when it comes to utilizing a red team. Because we want to do those iterative improvements every single day, we talk about this on Hacker Valley Studio, we talked about this on all of our shows, but it's iterative improvements that make something great. And so, if you want a great cybersecurity program, it's getting better every single day. It's being better than you were yesterday.
You know, we're on this subject of red teams and blue teams uniting, and to bring this unification together, we can't do it alone, and that's exactly why we brought in DJax Alpha. You may also know him as Davin Jackson, he's just the host of a show that is called InfoSec Unplugged and Hacker Valley Blue. We brought him in on this episode, we had a conversation with him about the unification of red teaming and blue teaming. So, let's jump right into it.
So I am Davin Jackson, also known as DJax Alpha on Twitter, like these gentlemen said, I am a pen tester and an AppSec engineer, mainly in the API space right now, API and web applications. Been doing this now for about 15 or 16 years, started off from the bottom like, Circuit City, Firedog, Desktop Technician, so I'm showing my age a little there. But I'm a dad, husband, US Air Force veteran, just trying to make it in this world.
Looking back at your entire journey, what is it like to look back and seeing where you were and where you're at today?
So, I actually do that fairly often, because we all struggle with this thing that we call impostor syndrome. I look at it as, look how far I came, you know? I jumped into tech with no computer, right? We couldn't afford a computer at the time, that's why I went to Circuit City and was using the client's computers to get that experience. So, to see how you come up, not just from a socio-economic standpoint, but just your knowledge, just where you are now, just the fact that I'm here on a podcast talking to you two gentlemen, and you refer to me as a legend. Like, 12, 13, 14 years ago, I'm in the living room of my one-bedroom apartment going, "Where's the CMOS battery?" Yeah, it's amazing to see and then it's also a testament of two things I tell people all the time: always bet on yourself and do the work. Because we've all been there, you work in a field that— we all understand it, but maybe not everybody in our immediate circle does. So, I can't go to like, some of my friends and say, "Man, I'm having this problem. I know that there's this exploit here, but I just can't crack it, or I'm struggling with this code review." They're looking at you like you're speaking a different language. And it gets lonely, especially when you're in the "building yourself up" phase, right? When you're trying to build it and you study for your certifications, and your friends might still want to go party, or everybody's doing something else and you're stuck here because you want to get to that next place. It gets lonely, it gets frustrating. Like I said, it's hard, it will bother you physically or mentally, because you just don't have anyone to share it with. You keep pushing and eventually, like everything else with consistency, it pays off.
Yep, it's gonna lead to something and hopefully whatever it is, is closer and closer to where you want to end up. One of my favorite books of all time is The Alchemist. And in The Alchemist, the whole story is about the main character following clues that success is leaving him, and he runs into these wise men and women, and then they leave him strategies. And that's one of the things I've learned throughout this field, even the most successful leave you clues and the experts will leave you strategies. What clues did you pick up along the way that really helped you break out of this previous life? You talked about socio economic differences, that's a big thing to really, I guess, acknowledge is that you were able to take it from nothing, and then really make it into something. What clues and strategies do you think really helped lead you there?
One of the things that I harp on all the time is the consistency. The consistency, and you have to have self-control and discipline, because you will run into situations where you run into people who, I guess they say they "chase the bag," or whatever. That's fine and well, but if you don't take care of things that you need to take care of, or you don't take care of yourself professionally and stay on top of it, that's gonna be short lived, right? You know, it's one thing to get it, it's another to maintain it and keep it and increase it. One of the things that I've learned along the way that's very strategic is taking that time to read up on different things, or read up on what's going on in the world, and a lot of people don't want to keep up with cybersecurity stuff off-hours, but it's necessary. When new exploits come out, try to figure out why that happened and what you can do to add that to your arsenal for looking for that vulnerability. Practice, practice, practice, lab work, these are all things that you can do that aren't really difficult or hard to find. And then, the other thing is networking. One of my biggest failures, I think, in my career was when I first started and they tell you to find a mentor, I tried, and I failed. I reached out to a bunch of different people, and no one responded. And I just took that, like Michael Jordan, that meme that's like, "I just took it personally." And I just went for so long and I'm like, "I don't need anybody." And I just, I was grinding and I'm like, "I'm gonna make you see me, I'm gonna make you notice me." And then it wasn't until maybe about two, three years ago, where it was just like, "Alright, let me try networking again." And then I met some amazing people. I met you gentlemen, and Marcus J. Carey, who played a big role in even having these conversations that I do today. He's the one that kind of pulled me to the side and just said, "Maybe they wanted to see what you were going to bring to the table first, or maybe they were busy." And then I stopped to think about it and I'm like, "Well, yeah, obviously, there was something that I saw in them that made me say, I would love to learn from them." When I started doing like, my blog and sharing certain things that I was doing, I remember thinking back to Davin from 8 or 9 years ago. So now, when people try to reach out to me, I'm like, "I might not be able to respond." So now, I write blog posts or I write Twitter threads, or something, of questions that I wish someone would have told me coming up. So, this way, I might not be able to answer you physically right there on the spot, but I can say, "Hey, go check out this video I did," or "Go check out this blog I wrote, I think that'll answer your questions. And then if I can help you after that, let me know, and we can set up a time."
Absolutely. One thing I gotta ask you about being born and bred on the offensive side of cybersecurity, and now, you've been forced into this situation where you have to talk and listen with an empathetic ear to people on the blue side. Because a lot of folks get this mentality of like, "Oh, it's always red versus blue," right? We're always coming at each other, but what are some of the things that you've learned so far, just having these deep, empathetic conversations with folks?
We have a lot of the same feelings towards certain things. So, on the offensive side, or from the pen testing side of things, a lot of people get frustrated with all the red tape that gets involved with a pen test, or you might deal with a client that does like a lot of scope creeping. So, this is the scope when you started, but then halfway through the assessment, they realized, "Nope, it's this," because they can't fix the issue that you found or whatever, or whatever the reason may be. A lot of blue teamers, they deal with a lot of the same issues where they have to kind of get through a lot of red tape and have a bunch of meetings about meetings about another meeting that they had, before they can even get to the keyboard. They have a lot of the same concerns that we do when it comes to finding vulnerabilities and fixing them and remediating them. There's actually a reason why they don't patch certain things. There's some where they can't because it might break something else, or when dealing with ICS systems, they are outdated and obsolete on purpose. Because if you do that you're going to risk breaking a multimillion-dollar machine that's going to take down some key critical infrastructure. So, getting their perspectives on things and giving them a voice to kind of speak to some of the trials and tribulations that they face in the field has definitely been a breath of fresh air. It's been definitely enlightening. And yeah, it was a challenge because coming from that offensive side, at first, you don't even know what to ask, right? Outside of so, "What do you do? What's that like?" But it was really cool, just kind of hearing it and hearing some of the things that they go through and certain things that excite them. Like, as a pen tester, our biggest thing is when we pop a shell or we gain access, and we elevated privileges, and now we have complete control of a system. They have that same exciting feeling on the other side, like in DFIR, when they're able to put all the pieces together to the puzzle and now they can form a timeline of events. I hope to hear more stories from them and, like I said, enlighten them because truth be told, they don't get a lot of credit. When you hear about cybersecurity it's all a lot of the red team stuff. That's the sexy side of the cybersecurity world, they don't get a lot of the love and admiration that they should. So, it's been a great experience hosting Hacker Valley Blue.
We're going to ask you for a little bit more advice, because in this season, we're going to be going deep on the red side. We're obviously going to talk to legends, we're going to speak to one of the founding members on the red side. We're going to be talking to the legends in the making, people that are up-and-coming, the difference-makers, the folks that are making a social impact on the cybersecurity side. We're going to be accelerating innovation and talk to the folks that are thinking about all the things that we haven't even thought of yet. We're going to be talking to folks that are creating a new future, they're looking so far ahead that they're starting right now to change the way we operate in cybersecurity. And of course, impact and awareness. How do we make everyone more aware of what we're doing in this realm of offensive cyber security and the like? And then, of course, we're going to wrap it all up with a bow, with a retrospective, looking at what we've learned along the way. But we got to ask you, you're the expert now, because you've been on that side where you're talking to people that don't do what you do, you're asking different questions, giving different perspectives. What would you recommend to us as we embark on this next Hacker Valley season? What piece of advice do you have for us to be the best interviewers that we can be?
Learn from your guests. You interview and you have your questions lined up, but there might be a couple of gems that get dropped along the way. It's a reciprocal experience. So, yes, you're asking questions and interviewing, and yes, they're answering, but there are certain things along the way that you might not have known. Like I said with Hacker Valley Blue, there's a lot of things and a lot of lessons that I did not necessarily know, even with all my experience. And clearly, you're calling them legends for a reason. So yeah, just learn from your guests and apply that.
Absolutely. Great advice. Davin, thank you so much for taking time out of your busy schedule to hop on the mics with us. For the folks out there that want to keep up to date with you, your world, and all the content that you're putting out there, what are the best ways for people to do that?
Oh, man, so I am DJax_Alpha on Twitter and on Instagram. I have AlphaCybersecurity.tech, that is my blog site where I post content, I have some new content on the way, coming. And then, I also have a YouTube channel, Alpha Cybersecurity on YouTube, and I host InfoSec Unplugged every Thursday live at 6pm Eastern, so make sure you tune in. I just interview different people from all over and we talk about our experiences and share whatever advice we can give to the listeners and the viewers because it is a video podcast. So yes, find me there. DJax_Alpha and AlphaCybersecurity.tech.
There you have it, folks, a pure legend in the red side of cybersecurity, but we have so many more conversations coming this season. It's going to be really good. We're going to be diving deep into the legends of the offensive side of cybersecurity. I'm looking forward to learning more about the hacking mindset. I'm looking forward to seeing how we can get this information from the red side and use it on the blue side to improve our security posture, because I do think that there is a lot of missing connection between the two sides. So, we're going to really focus on the legends of the red team, but how do we make it and take those legends and make them impactful on the blue side?
Yes, cybersecurity legends. Stay tuned with us throughout the season. If you miss it, don't worry, you can always catch it on your favorite streaming platform, whether it be YouTube, Apple, Spotify, or any streaming platform. Any reviews that you also leave us are greatly appreciated by Chris, myself, and the entire Hacker Valley team. If you want to get closer to us and our guests, be sure to check out HackerValley.com and also join our Discord by visiting HackerValley.com/Discord and we'll catch you in the chat.