Alexia Crumpton, Lead Cybersecurity Engineer at MITRE, joins the pod this week to cover leaving the old ways of cybersecurity behind to embrace the new generation. As both an engineer with MITRE and an educator for future cybersecurity practitioners, Alexia understands the complexity of new and emerging concepts in modern-day cybersecurity, and she sees the confusion our current training methods are creating. Alexia helps us answer: How can we teach the purple team perspective to the next generation?
[00:00] Gaming MMOs & becoming a cybersecurity engineer for MITRE
[08:36] Knowing defensive & offensive cyber to sharpen any practitioner’s skills
[23:04] Teaching the new generation of cybersecurity & changing the old ways
[32:13] Using Fortnite gaming to accessibly teach cyber skills
[42:09] Learning cyber skills & being patient with the cybersecurity salary
Thank you to our friends at Axonius and PlexTrac for sponsoring this episode!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
Do you think knowing both the red and blue sides sharpens whatever side you're working on?
Alexia describes defensive and offensive knowledge like a marriage— both have to not only coexist, but also work together. Having both defensive and offensive skills under your belt gives you, as a cyber practitioner, an overwhelming advantage in your ability to work efficiently. Instead of having to wait for someone to explain or struggle through systems you don’t understand, you can rest assured nothing is missed and everything is understood.
“When I first got into the defensive side, the way the SOC was moving, the way the blue team analysts were moving, I was like, ‘You guys are missing a lot of things that I had to develop to bypass all of the things that you're looking for.’”
What would you say is the biggest challenge with trying to build that cohesive purple team mentality?
In Alexia’s opinion, two challenges hold back companies from being able to build a cohesive purple team: communication and training. Without proper communication protocols between team members, everyone fends for themselves and neither red nor blue team practitioners can fully understand each other. Without proper training and knowledge, teams are stuck arguing between the old ways of past technology and the new ways of present-day programs.
“If I know what you know and you know what I know, we can work together as two brains to create something that is innovative and better for the cybersecurity community as a whole. Us working as a team is better in the fight against adversaries than me working by myself.”
How do we get corporations to embrace creating content developed around bringing people in, teaching them, and most importantly, investing in their talent? 28:51
Unfortunately for many new practitioners entering the industry, a large majority of cybersecurity companies still rely on the “old” way of doing many tasks and working with a lot of modern-day tools. From Alexia’s perspective, this “old” way of thinking creates a massive gap between new employees and experienced professionals where confusion and dissatisfaction thrive. If they embraced the new way and asked new professionals how they learn best, many companies would find talent more willing to learn and stay in cyber roles at their organization.
“I think it’s about working with a new generation, just asking them: How do you learn? How do you retain information? What do you want to know? What are you interested in? So that we're giving information that helps people, that tells them the resources that are out there.”
What is a piece of advice that you wish you would have known early on in your career?
As an educator herself, Alexia understands the money-driven, certificate-driven mindset of newer cybersecurity practitioners. However, for the next generation of cyber professionals, Alexia recommends not chasing a salary. Instead, be willing to learn different skills, roles, and teams within cybersecurity. When you have the information you need to be a well-rounded practitioner, the salary will follow and you will avoid burnout or dissatisfaction with your role.
“Don't worry about chasing a salary, because when you find the field that you want to be in, that you love to be in, the money will follow. The money is definitely going to follow. Learn about the different career fields, because having that information is going to help you.”
Welcome, everybody, to Hacker Valley Blue, where we get the industry's best and brightest cyber defenders to share their experiences and tips on how you can better defend your assets and networks.
Axonius Ad 00:31
Hey, everyone. It's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast, like me, or an IT or security pro, complexity is inevitable. And I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone.
This season is all about the color purple. We'll be bridging the gap between red and blue teams and combining their strengths to form purple teams. Join me as I meet with some of the very best purple teamers out there who are changing the way we do security on a daily basis. We're gonna go ahead and explore their journeys, talk about their time from red and/or blue teams, some of the challenges they faced as well as some of the successes, and benefits from coming together and forming one team to defend against cyber threats from all over the world. So, let's go.
All right, everybody. Welcome to another episode of Hacker Valley Blue. I'm your host, Davin Jackson. Thank you for joining now a Lead Cybersecurity Engineer for MITRE. So, ladies and gentlemen, everybody watching, please welcome my guest. Alexia Crumpton, how you doing?
Thank you for having me. And it doesn't matter, we all have the same title, okay? There's so many different verbs and terminologies, they're all the same at this point.
I wanted to make sure I got it right, because you do have a very impressive resume. So, I want to make sure I put some respect on your name when I bring it up. So, go ahead, for those who don't know, you gotta do a brief introduction of yourself and then, we'll get into your origin story.
Yeah, my name is Lex. I am a Lead Cybersecurity Engineer for MITRE. I got my start in computers and cybersecurity at a very young age. I was technically a PC gamer playing MMOs and one day it just stopped working, like, some wonky DLL or whatever happened, and researching more into it, which led me to getting my Bachelor's in computer science and my Master's in cybersecurity and my first job doing exploitation. During those initial years, I fell in love with defensive, as opposed to offensive, which is crazy because most people fall in love with offensive first, but something about defending against adversary activity, it just seemed way cooler to me than the alternative. That passion and that love drove me to try different defensive careers, threat hunting, malware RE, Windows, digital forensics, incident response. In my digital forensics team, where we were doing analysis by hand, combing through terabytes of data, there wasn't a lot of automation back then, for a low-level fruit. They weren't
focused on TTPs. They were strictly IOC based, there was lack of communication with our blue team counterparts, and there were constant situations where TTPs were left out of the reports back to the customer, because they only wanted the IOC. They only wanted IP addresses and the hashes and the email names. There were situations where legitimate Windows tools that were used every day were being used maliciously in the grand scheme of the attack, and I hated it. I know hate is a strong word, but I hated it. So, I was constantly pleading the case to improve our workflow through behavior analytics and mending the defensive gap, where this was essentially trying to make my job easier because I'm all about working smarter, not working harder. Funnily enough, this was a time where ATT&CK was starting to gain traction. Magnet IEF was transforming into Axiom, which had a little bit
more analytic development in their background. There were commissioned tools being developed that could help my cause. However, banging my head against the wall, trying to instruct change to an organization that just wouldn't have it, in the height of the pandemic, working shifts, working high priority. I was like, "Enough is enough, and that's enough." So, I got into MITRE, fortunately, which is my dream job. Thank the Lord. And so, for MITRE, I am the ATT&CK defensive lead, focused on detections, data sources, and mitigations. I'm the blue team lead for ATT&CK Evaluations, where my lane is getting a solid grasp on what the vendors could see during execution week, developing rules and signatures based on the malware and the emulation plans that our TTI and red dev teams develop. And I am a defensive cyber operations intern co-lead, where we just had 18 college interns this past summer. So, it was an amazing experience for them.
Well, okay, that's a lot, but we're gonna break it all down and get into all of it. So, again, thank you for joining because clearly, you're busy. Couple things, I find it really interesting how many people I come across who got into computers or cybersecurity because of MMO Gaming. I unfortunately didn't get into the world of MMOs. My computer wasn't fast enough and I wasn't risking doing anything that could break the computer and have my mother probably have me grounded.
I probably would’ve definitely went through that. Yep.
And I'm damn near 40, so I didn't really get into that, but I've come across a lot of people who their first experience was dealing with an MMO or dealing with some type of gaming that broke and it led them down that path. For me, it was like, AOL instant messaging and then, seeing a couple little things here and there. I was like, "Oh, this is interesting." And then, I got terrified of code. So, I was like, "Yeah, I'm not doing it." And then, the other thing you said is most people veer to the offensive side once they're introduced to it. Like for me, I worked in a school system and we just kept getting hit with different type of things. I did a lot of stuff on the preventative side or blue team side of things. And then, it wasn't until I started researching: Why are we constantly getting hit? What is wrong with our systems? So, that led me down to doing vulnerability assessments, and then, I came across the thing called penetration testing and I was like, "Yeah, this is where I'm gonna stay." So, it's interesting to hear you went the opposite route. I think you did touch on it a little bit, about why you led that direction. Did you ever try anything on the offensive side?
Yeah, so, of course, exploitation dev is offensive, just from the developer’s perspective. And then, all the training that I was having back then, was, of course, doing Red Hat Linux, we were looking at the hacker side of red side, and a whole bunch of other training classes that we've had, just so we can be able to develop the tools that we needed to develop.
For me, one of the things that I really liked when I did do a dive into the blue team side was forensics. So, I took a cyber forensics course doing like, investigations and stuff like that and I completely loved it. If I had to do it all over again, I probably would go that direction, because I like getting in the mindset of the attacker, trying to figure out what they did or what their motivations were following the chain of custody. A lot of people find that stuff tedious, which for me, I just, I loved it, because it's like a puzzle. It's putting the puzzle together, but it's also making sure that you don't do anything to mess up the puzzle in the process. And then, at the end of the day, bringing the culprits or the attackers to justice, or finding the solution or the answer. I think of one of the things I worked on, it was like, a carding situation where someone was stealing card off of the internet, and you put the pieces together to figure out, "Okay, it was indeed this person doing that." That was probably the one time I tried to leave the
offensive side. And when I was living in the northeast, someone was interested, but in order to do it where I was living, you had to deal with law enforcement. That ship had sailed, I wasn't going into any more academies or boot camps or anything like that, but I feel knowing that made me a way better pen tester than I was prior to doing that. We're going to touch on that a little bit later, since the focus is on purple teaming, but what are your thoughts on knowing both sides of that to sharpen whatever side you're working on?
Yeah, I think everybody needs to have it. When I first got into defensive, pretty much at the analyst level, even though I had developer background, the way the SOC was moving, the way the blue team analysts were moving, I was like, "You guys are missing a lot of things that I had to develop to bypass all of the things that you're looking for." And so, having the knowledge of these are the places in the computer system that I needed to go to or like, bypass, and I'm looking at blue team detections and they're completely missing it. Completely, and I'm like, "Oh, no, you guys need the same knowledge that we have." Because having that offensive knowledge and then, having the defensive knowledge is like a marriage that just works perfectly.
Exactly. Okay. So, you started with exploit development, moved into forensics, which again, I think that's like, a cheat code in itself, because you know how to make the stuff that you're hunting for. So, it's like, I was right then and there, where they would put it. And again, for me with the pen testing side of things, it was like, okay, so now as a pen tester, I know if someone's watching, or someone's gonna watch, I know where they're gonna look. And then, on the defensive side it was like, "Okay, so if I'm a pen tester," it turned into this game of mental chess because now, it's, "Ah ha, I'm gonna have to do something that they wouldn't look at," but then on the forensic side it goes, "I know that you're going to do that." And then offensive is, "I know that you know, that I know." It turns into this big thing, but you take all of that and then you end up at MITRE. MITRE, for those who aren't familiar, and I'll let you
actually get into a deeper dive, is pretty much the framework that everybody is trying to use or adopt these days. So, talk about that transition there and what that experience is like. I know you said, "Thank the Lord," and heaven is shining down on you for that, but talk about your experiences there. I've talked to a few people who worked with MITRE, whether it was ATT&CK or D3FEND, and I've heard nothing but great things, but talk about your experiences with them.
Before I got to MITRE, I was pretty much at the same company for about seven years and that was government space. Coming to commercial space, having access to resources and current technology, hands down the best decision ever in my life. But for MITRE, I work directly on the ATT&CK team where ATT&CK is a curated knowledge base, and a model for cyber adversary behavior, tongue twister, whew. So, that is reflecting the various phases of an adversary’s attack lifecycle, and the platforms that they are known to target. It was just crazy, because we were trying to ask the government team that like, "Hey, we need to find this information and here it is a framework that has all this information for you, is amazing." So, ATT&CK focuses on how external adversaries compromise and operate within a computer system, information that works in all the things, ICS, cloud, all the platforms. They have tactics that denote short term tactical adversary goals during attack, they have techniques describing the means by which the adversary achieves tactical goals, and then, they have sub techniques describing the specific means by which the adversary is trying to do their activity. They document adversary usage of the techniques, their procedures like, the how, and other various metadata. Me
specifically, my team, we have the other metadata area, where we have the mitigations, we have the data sources, and then, we have detections. In those areas, of course, data sources is the source of information collected by a sensor or a logging system that may be used to collect information relevant to a defined activity. Detections is a high-level analytic process, sensors or data detection strategies, whatever you want to call it, that can be useful to identify the techniques. And then, of course, mitigations is the configurations, tools, or the process that can be used to prevent those techniques from acting.
Thank you for sharing that and explaining that. Again, you said everybody is either adopting it or trying to adopt it now. And one of the things that they're really adopting it for is for the implementation of purple teaming, where the red and the blue actually have to come together, which from my personal experience, as well as some previous guests that I've had, has not always been met with welcoming arms. I remember being on teams before where it was like, "No, this is the offensive side and that's the defensive side," and you don't really communicate and I never quite understood that. I never understood the tension or whatever, and whether it was red team and blue team, or the security team and development teams, when you're working in the app sec space, because developers are essentially ingrained in the security team because you have to deal with them on a daily basis and pretty much say, "Hey, not that your code sucks, but your code sucks, your code could probably be a little bit more secure," and there was always just this divide. So, now, you coming from essentially offensive, and then moving to the defensive side, and then moving to MITRE, what is your experience
with dealing with that siloed type environment between offensive and defensive?
It's a good question. So, I think I experienced it more outside of MITRE. I think being at MITRE is the first time where I've seen a cohesive team try to work together in that purple teaming aspect, especially because we have ATT&CK Evaluations, where we're conducting that purple teaming activity to help vendor tools, bridge their defensive gaps, and help improve them with their knowledge about adversary activity and helps MITRE, our evaluations team, improve our knowledge on purple teaming and the atmosphere activity. My experience beforehand, like I was saying, like, there was miscommunication, lack of communication with blue teaming, and of course, definitely the red operators. I would never touch red operating space in my previous job just because if you touch the keyboard, you mess up, you're gonna die. And I was like, "No, this is too high stress for me. I don't want any parts of this activity," but getting information from them didn't come directly to my digital forensics team. It was like, a chain of command that I was not a part of, and sometimes, people took scissors and cut and you would never
hear, "Why are you looking for this? What is the information that I need to know to help me further my investigations?" And all the ABC through Z. It got to a point where my digital forensics team literally turned into threat hunters, because they gave us no pivot points, they didn't tell us what was alerted on this system to say, "Oh, we need to go search for this activity." They didn't tell us why they were doing things, the customers weren't answering questions when we're like, "Hey, is this legitimate activity, legitimate user activity? Or, is this like, malicious?" We had none of that. And so, me having to switch my mindset from pivot points to not having pivot points and looking for malicious activity. It spun that need to, "Hey, I see things that adversary is doing, but we're not putting it in reports." We need to because it's important to that attacker process, lifecycle, whatever you want to call it. So, that's been
my very passion project to get into behavior analysis and get into TTPs, and what spun me getting into MITRE and now, that I work for both teams, that's their mission, that's their goal, it is a blessing.
So, I guess you would say that would be the moment, purple teaming. Usually for everybody, there's a moment where the light bulb clicks for purple teaming. So, I guess you would say that was probably your moment, right there. And for the offensive, on behalf of the offensive side, I'm going to apologize for that, for those experiences. I partly believe I think, especially if they came from consulting backgrounds first, a lot of the times we're told, basically, don't tell all the secrets, because you want to get called back for the next engagement, whether for compliance or stuff. So, you write the report and say, "Hey, this is what we found," and depending on the consultancy you work for as well as the client, sometimes it's literally just for the sake of the paperwork to say, "Hey, you're compliant," they don't really care about fixing this stuff. But for those who do care, you're like, "Don't tell them too much, because then it's going to be harder next year." And I guess that was my introduction into why we should probably work more together, because if the name of the game is to help the good guys win,
then we should tell them, "This is what we did. This is the exploit we used." I tried to find different ways, so maybe I didn't blurt it out directly, but I put it in my documentation, or I made sure I did my screenshots well enough, where anybody can just emulate what I did, and do it there. Again, it wasn't really well received in the beginning, but now, I think, I want to say it's trendy, or it's a buzzword, but now you hear more about it. But it's like 5, 10, maybe even longer than that years ago, when people were trying to do this, it was, "Are you crazy?" You were getting laughed out of the room. It's nuts. Like, I talked to a couple people who dealt with the idea of purple teaming back from the Target breach, and they talk about their experiences going and saying, "We should do this," and they were literally getting cursed at. So, it's just crazy that now it seems like, oh, this new idea, but I'm just glad that they're doing it, I guess. And again, we have organizations like MITRE, who are trying to be at
the front of it, saying, "No, this is how it shouldn't be done." So, what would you say is the biggest challenge with trying to build that cohesive purple team mentality?
I think I'm gonna come from two different perspectives. One, communication, getting your team members out of the mindset of, "I can't share data," because that's gonna hinder you at most. If I know what you know and you know what I know, we can work together as two brains to create something that is innovative and better for cybersecurity community as a whole. Us working as a team is better in the fight against adversaries than me working by myself trying to figure everything out. You might know something that I've been racking my brain for, like, weeks on end trying to figure out and you had this answer the whole time. That's a waste of my time, and a waste of the company's time. We don't need to have that. And then, the second thing I probably say is— I'm going to structure it as maturity of the team, but I'm going to caveat that with the knowledge and the training. So, not being stuck in, "This is what we did 5, 10 years ago, it should be the same way." Wait, no, technology's ever changing.
Adversaries are getting smarter and so, that means we as defenders, we as the red teamers are the people who are supposed to be protecting our company need to get smarter as well. We need to learn more, we need to grow with how things are changing.
I couldn't agree more. It's funny that you mentioned that about the maturation of the team, as well as the communication because that will actually bring me into this season's sponsor. So, this season's sponsor, if you don't know, is PlexTrac, and PlexTrac says that the best pen testing begins and ends with PlexTrac. This podcast is sponsored by PlexTrac, the proactive cybersecurity reporting and collaboration platform bringing red and blue teams together for better collaboration and communication. PlexTrac empowers teams to communicate findings between red and blue teams electronically for rapid remediation, centralize remediation efforts and automate ticket generation for faster, more efficient workflows. Facilitate tabletop exercises, purple teaming engagements, breach and attack simulations and more. A better security posture begins and ends with PlexTrac. Claim your free month of PlexTrac and get a copy of our blue team content bundle at PlexTrac.com/HackerValley. Again, that's PlexTrac.com/HackerValley. Now, you've talked about the need for communication and maturity and the fact that PlexTrac does map to MITRE. How does that help teams just across the board with that purple teaming and dealing with those challenges that you just mentioned?
So, let me give you some good use cases for ATT&CK. You have behavior analytic development, you have defensive gap assessment, you have the SOC maturity assessments, adversary emulation, red teaming, and the list can go on and on. ATT&CK gives you this information that takes from different resources, different reporting, different people, and culminates into one place. I don't know how many people have like, 1000 tabs open on their computer, I'm one of them, it's probably in the million range right now, but with ATT&CK, having all the information front and center, of course, they don't have everything, but they have a good amount where it makes your job easier. And so, when you have companies who help bring that information in, add to the knowledge graph, add to the information there, it just helps the cybersecurity community as a whole.
Agreed. And with the documentation and the reporting features that PlexTrac has, I think it definitely helps with that communication and bridging that gap, so everybody sees what everybody is doing. So, again, thank you to PlexTrac, go give them a shout out, tell them I said hi. And if you're interested in a demo, that is PlexTrac.com/Demo. So, switching gears, Lex, one of the issues that you talked about earlier that I also have been yelling about from the rooftops is the lack of training, and the lack of teaching that mindset. You touched on it just a second ago, where you said, "This is how we did things 5, 10, 15 years ago." And unfortunately, a lot of those people who have that mindset— I'm not gonna say, unfortunately, because they're really great people and they're really talented and they're really great at what they do. But because of that mindset, they may be teaching the next generation or their junior staff the old way of doing things, or the old way of thinking. I see that one of your passion projects
on the side is helping bring up the next generation, whether it's through mentorships or college courses or summer camps, everything that you're doing. What are some of the challenges that you face in teaching the next generation? And what are you doing to help change, I guess, the old way of thinking?
Let me do a little background story. And then, I'll answer the question. So, I have taught college courses, beginner, intermediate and advanced in C++ programming. I did that for three to four years. I have done summer camps with middle and high school girls and boys, teaching them cybersecurity, robotics, wearable technology, programming, all the things. Mentorship of entry level analysts, developers, and some mid level, too, and I've seen the gamut of knowledge that has passed from a young age to when you're supposed to be out in the professional workforce, ready to do this activity. There is a lot of information that I wish I would have had in college, about day to day activity that you should know on the job. Some of the classes I took in college probably like, was a good background knowledge, but it didn't get me ready to be out in the field and do what I do every day. So, taking that, learning about cybersecurity, which it's not a new field, but it's in a different term, and they split it out
into a lot more fields than where it was back then. But having a knowledge of what fields are out there, what you need to know for those different fields, and then, understanding where the connecting pieces are. Just because I'm a blue teamer doesn't mean I don't need to know red teamer operations. Just because I'm a developer, doesn't mean I don't need to know what analysts go through in day to day. So, that's the information I try to pass back to the people who I teach or I mentor, giving them the resources, all the things that I've been through, whether it be cybersecurity, cyberwarfare, legal and policy, just to let you could say, "I have this base information and I feel I've been trained enough for when I get into the field, my information or my knowledge breadth is good enough for means to answer questions and think without being taught the answers."
For me, I think, the information that is out there today is so much better than what was out there when I got started. People can literally start their careers just from watching YouTube videos. When I made the decision to move into tech, it was either a computer science degree, or there wasn't really anything else that was out there. So, I left it alone and then, I came back years later, and was like, "I really want to give it a try," and that's where I was introduced to certifications. I was like, "Okay, this is a little bit more in the direction that I want to go." And from there, it just grew and grew, but you had to go get the books. Amazon wasn't that big, so you had to actually go get the books from Microsoft, or from Cisco, or Barnes and Noble. When we moved, I literally had like giant construction bags of books and printed paper and things that I just found interesting and articles that I just threw away. And now, you can
literally pick up your phone and go on like, TikTok and see the day in the life of a SOC engineer. I think it's a good thing and a bad thing. I'll start with the bad part first. I feel like when you post certain things like that in that short form, that short video form, it just shows like the glitz and the glamour of it. It doesn't show, "Hey, this is the work that I put in." So, people get confused and think, "Oh, that's all it takes, and then I can just do this in a few months and then I'll make six figures." Sure, there's a lot of work that goes into it, but the good thing is that the information is there, so those who are really interested in it, have a better informed decision. Because before, you have people who said, "I want to jump into forensics, I want to jump into reverse engineering malware," and then, they go in there like, "Holy crap, this is not what I thought it was going to be," but now you invested so much time that you
feel like you have to do it or that you don't want to start all over again. So, that's where I think the content out there is a good thing and a bad thing. This is coming from someone who creates content. In doing it, I try to be super honest about it. I think that's one of the challenges that I have, and then, also trying to change that mentality and showing them that it doesn't have to be one way, it doesn't have to be linear. You don't have to just know defensive or offensive, you should know both. But I think one of the bigger challenges that we face is a lot of the stuff that you do or that I do is on the side. So, yeah, I love helping people, I love creating the content, I love doing this show, I love doing my other show, but I do have a family. I do have outside things that I have to work on, so trying to do all of that and work my
9 to 5 is challenging. One of the issues that I have is that I feel like these companies should invest more in the content creator space. So, how do we get these companies— Not so much MITRE, because it seems like MITRE got it together with the bringing the teams together— But from a content space, how do we get corporations like MITRE, or like the company I work for, to embrace creating content or creating training developed around bringing in more people, bringing in more talent, teaching them the right way to do things, bridging that red and blue gap, and most importantly, investing in their talent, investing in their junior talent? How do we get them to just get on board?
I think that's hard because, one, it goes back to the old mentality and old generations and the new mentality and the new generations. That gap is massive. It's not talking about generations, like your generation, my generation, we're talking about two, three generations ago, compared to who's coming into the workforce, that gap is massive. How things were back then to how they are now is very different. And so, do we transform our way of thinking to speak the same language as the incoming people or the junior analysts? Or, how can we work together to build something that works across the board? Because when I go on Twitter, when I go on TikTok, when I go on Instagram, and I see the content, I'm like, "Okay, this is good information, short 30-second clip, give me what I need to know, I got other things to do." This is useful, because I have to value my time, respectfully. And so, if that works, then can we take our career and put it in the same line where we can have other people understand and still respect their time? Instead of taking the old way, which utilized more time to get a point across and to train and learn and so, that way we're retaining more people. And I think it was working with a new generation, just asking them: How do you learn? How do you retain information? What do you want to know? What are you interested in? So, that when we are giving information back to the community, we're not just talking about the same old, same old. We're giving information that helps other people, that tells them the resources that are out there. Because the way I see it, you won't know unless you ask the right people, or you ask Google the right question. You won't ask the right question unless you're sitting pounding your head and like, "Alright, let me try a different way of asking," or you stumble upon the right person. That takes a lot of time, a lot of effort, and we're in this fast-paced moving world. So, what are some ways that we can do that? So, yeah, talking to people, networking, of course, is always a solution, but how do we go past that to put in that time variant to help out?
That's another gap that needs to be bridged, but one step at a time. But seriously, I think luckily, there are some companies who are embracing creating content and having their professionals go out there, whether it's giving talks, or doing short, like lunch and learns or presentations or podcasts and stuff like that. I think that's a start. I think, to your point, speaking the language, I think that can also be very helpful. I noticed that TikTok, which we don't have enough time for me to go on a tangent, the irony and hypocrisy of TikTok wanting to create cybersecurity content, but TikTok is trying to create cybersecurity content, and I'm okay with that idea. Not sure if I'm okay with TikTok being the platform, but I'm okay with that idea. I'm just not dancing. That's all.
I can't dance either, so it's okay.
I'm not doing no trendy nothing, none of that. I'm just say, this is how you run an Nmap scan. But that's just not going to work.
I think that's going too far, okay? Because I can't do it either. I'm not doing it.
But I definitely think speaking the language, again. For example, I gave a talk about a year or two ago, where I came up with the idea from watching my son play Fortnite at an Esports event and the coach was explaining to them basically the different phases that you go through in a Fortnite match. And I was like, "Oh, this is the phases of a pen test." So, you land and you survey the area, that's your enumeration. Now, you start actively scanning. So, now, you're looking like, "Okay, this area has been looted. This looks like this house has been broken down. So, clearly, there might be someone here." That's your scanning. You see someone, take a couple shots at them, crack their shield, they're vulnerable, get a bigger weapon, that's your exploitation. They drop their stuff, you loot it, that's your stuff and you're elevating your privileges as you move up and survive through the game. And then, at the end, when you read your stats, that's your report. So, I literally did a whole talk and that was very well received, as opposed to when I talked to a similar group of kids six months before that. And I was like, "This is how you do it," and they were just kind of confused. So, I totally think the idea of finding ways to, again, bridge that gap and speak their lingo will definitely be helpful. For no other reason than, I think, to quote Whitney Houston, I believe that children are the future. I think they are already technically inclined. I came from the era where computers weren't in every household and you had to make sure no one touched the phone to get on the internet, and stuff like that. So, now, seeing where people have more powerful computers than I had in my house, in their pocket and the things that they can do, or the things that they do on a regular basis just because of their pure childlike curiosity, it makes them the perfect candidates for these jobs.
So, we definitely need to do that, because, as much as I enjoy it, I don't want to be doing this forever.
I know, we got to retire at some point.
Yeah, it was like, I want to retire at some point, but I also want it to be safe for my kids and my grandkids. And if my kids and grandkids want to be the ones that are making that change, then I need to make it welcoming for them. So, I'm hopping off my soapbox now.
I'm in the same place. I remember one situation where I was teaching a programming class, and I was trying to explain— Was it pointers? I think it was pointers. And so, I'm explaining the difference between the ampersand and asterisk and it's like, a doe in headlights, they do not understand. But when I transformed it into something they utilize every day, like a bookcase and boxes, they were like, "Oh, I get it. I understand." Having that common language that everybody is used to on a daily basis is very useful for getting information across. I like that you use Fortnite, that's an impressive idea. I like that.
Like I said, shout out to my son. I was literally just sitting there going, "Okay, what am I gonna do?" But I'm looking and I'm going, "Oh, wow, this is like that." But again, another example is look at the video that's surfacing online now with, I think, like the 3-year-old kid that is teaching for loops, and while loops. If the statement is true, then you punch. And I'm just like...
This makes so much sense, and we spent years trying to understand it.
I'm still trying to understand it. What are we talking? I'm still trying to understand it, and I look at him. I'm like, "I know where he was five years ago, but..."
But you know what that is? And I think this is a pivotal thing in defensive. Once you understand it, you can explain it. And a lot of things in defensive is the unknown territory, because not a lot of people go into it, specifically capabilities, low level API stuff. Understanding how an actual operating system works at the internal level, nobody understands it. So, once we venture off into that knowledge and we have that understanding, we can then portray that information to other people in the language that they understand. So, that was a very good video explaining that process. Your parents understood it enough to explain it to a five-year-old, to a three-year-old, for them to spit it back and have a good base understanding of what happened on a whiteboard. Crazy, right?
He can get a six-figure job.
The children are the future, okay?
We've been talking shop now for a while, but let's move on to something else. What are your hobbies?
What are my hobbies? Okay, if you can see, I have a whole bunch of plants behind me. I am a green thumb. I have a hydroponic garden to my left, where I grow like, fruits and vegetables indoor, okay. Of course, all my plants I take care of. I still game. I'm a PS4 gamer until I get to PS5. Mostly, Call of Duty, Destiny. I like to read fantasy books, elves, dragons. Of course, I'm watching the new House of Dragons TV show. Follow me on Twitter. We can talk about it, okay, because there's a lot of things happening. I roller skate for activity. I'm trying to learn how to do jam skating because I want to dance. I want to learn how to dance eventually. What else? Oh, okay, this is great. So, I used to have a side hustle where I made lotions and like, healing salves. I use tea to heal the body, herbs and plants to heal the body, and like, granola bars without allergen products in it that I don't sell anymore, but I still make it because it's delicious and I can't use anybody else's products. Like, I can't go to Target and spend $100 on hair products, because they just don't work. It's called the creamy crack for a reason. I think that's it. Most of the other things, I'm creative. Oh, photography, I do street photography. That was the other thing. Yeah. So, I go outside, I still try to be creative, still try to clear my mind outside of technical work. So, I'm not just all working and no play.
I'm slowly getting there. I was one of the lucky ones, I should say it was my wife was one of the lucky ones to actually get a PS5 for me, credits to her. And then, one day, me and my son were walking through Microcenter. We just happen to look down and there was like, the brand new Xbox just sitting there. And I'm like, yeah, there's no way, that's got to be a display. And then the guy comes around and says, "Oh, yeah, it's in stock." I ran out the store with it, but the sad part is it has been collecting dust because I've been so goal oriented, that I'm just like, horse blinders. Now, I'm trying to jump into certain things. I posted the other day about the new Overwatch game because I enjoyed the first one a little bit. I was late to the party. By that time, I was getting killed by seven-year-olds and being told I suck.
Isn't that the craziest thing? You just hear a tiny voice on the mic.
We came a long way because like, my wife and I, and it's funny, like the new Modern Warfare is coming out. But when the first one came out all these years ago, my wife and I actually used to play and we were really good at it, to the point where she would go on and wouldn't talk and she would just get her kills. And at the end of every match, when it was that public toxic lobby, everybody's talking stats and they would go, "Oh man, you've got great stats," and then my wife would speak and they're going, "Oh my gosh." My wife has been invited to prom. My wife has been told to leave me. And those are the things that I can say without Chris and Ron probably getting in trouble.
She is a goddess, okay? That is the best moment, when you can turn on your mic.
But then, we stopped because we decided to be parents. Then the first time we tried to play, this had to be like, eight months, nine months later and we got on there and it was like, from the moment we spawned, we just kept getting killed and it was like, "What is happening?" So, it was just after that, and it's kind of just, I did that, I was competitive in 2K for a little while, and now that I've stopped all of it, I suck at everything. So, now it's like, I have to get past that ego side of things, and do it all over again, but I promise I'm gonna start gaming soon. In the frame of photography, I actually bought a fairly expensive drone, thinking that would motivate me to go outside more and I want to do like, drone photography. So, I started thinking, it's pretty cool to just fly around and just get those overhead shots. So, those are a couple things that I'm trying to do outside of the technical stuff, and like I said, it's just a matter of prioritizing.
Yep. I totally get what you're saying. So, we were playing Blackout, and of course, it was hacker central. Like, literally, we could not win a game, and that's when we left Call of Duty for a little bit and we went to Destiny and I'm like, "Oh, this is nice. We can play and not get angry. This is the life." So, I could play and understand like, taking a break, and then going back to Modern Warfare and we were like, "Oh, we're really crappy at this. We haven't played Call of Duty in so long. We're terrible." But that was us playing the beta, so we're waiting for the preseason to come out. He's asking me every day. "Can we order it? Can we order it?"
I'm trying to make sure I clear every one of my obligations because between the end of this month until this holiday season, I might take time off for work just when the new God of War comes out. So, just like, "Where's Davin?" I don't know, you can catch me on Twitch.
My gaming TBR is so large. Kingdom Hearts. God of War. Mortal Kombat. We just got Super Smash Brothers and Mario Karts back on the Switch, and there's like, a bunch of other games. I'm like, "Alright, I'm gonna put money aside to save for this. I have adult money, but I still need to plan and play."
Oh, yeah, I agree. 100%. So, yeah, so we're gonna have to probably link up at some point and do like cybersecurity gaming night or something. And we're gonna wrap up with this last question. For those who are new to security, or new to the purple teaming world. So, they've been in security for a little bit and now, they're moving on. What is one piece of advice that you wish you would have known that you
Take your time, don't worry about the money. Don't worry about chasing a salary, because when you find the field that you want to be in, that you love to be in, the money will follow. The money is definitely going to follow. So, take the time to learn this space information. Learn about the different career fields, because having that information is going to help you long term in your actual career.
Yes, yes, yes. Not to mention, the money's not gonna go anywhere once you acquire the skill. Too many people try to just grab a certification and not actually learn what's being taught in that course, they just grab it just so they can put it on their LinkedIn profile and they don't really know it. Like, I tell people all the time, as long as I don't do anything that's super detrimental, or that's going to cause like, irreparable damage, I'm not worried about losing a job anymore. Knock on wood, because with the economy the way it is, but based off of my merits, I know if I lose a job, or I get laid off, I have work. I know I have work, someone's gonna hire me, my credentials, my experiences, they speak for themselves, and that's because I took that time away from gaming, away from everything else to hone in and really mastered my craft. No one really masters anything, so maybe that's the wrong phrase, but really hone in to know my stuff, so that it's not just fly by night success. It's literally, "Okay, if I lose my job today, I'll get something soon," and I might get something that actually pays me more than what I was getting anyway, because I've taken that time to do the work. So, yes, take your time. Make sure you learn your stuff, and the only thing I would add to that is don't feel like you have to learn everything.
That's how you're going to keep from the burnout phase. Yeah, seriously.
So, Alexia, thank you for joining and being a guest on Hacker Valley Blue. For those who want to follow you or get in contact with you, what is your social media information?
Yeah, so, my Twitter is Lex on the Hunt. There's a pun, because I used to be a threat hunter. And then, you can find me on LinkedIn. My actual first name is Alexia. So, when you find me and it says Alexia Crumpton, just know that is my actual name, but I go by Lex. So, you can find me on LinkedIn and you can find me on Twitter, at those places.
Okay, so, again, thank you for joining. Again, ladies and gentlemen, everybody watching, this has been another episode of Hacker Valley Blue: Bridging the Gap. This has been my guest, Alexia Crumpton, or Lex, and again, put some respect on her name. I've been your host, Davin Jackson. If you liked this episode, make sure you check out the other episodes of Hacker Valley Blue from this season as well as last season. Make sure you like it, leave a comment in the comment section below wherever you're watching this, and also subscribe whether you're striving to the audio podcast or the YouTube or video version of this podcast. Show your support there. Also, make sure to check us out on Discord, where we hang out and talk about a whole bunch of stuff from cybersecurity, to gaming to art to self help. There's a bunch of people there and it's a great community. So, go check us out there. Until next time, everybody stay safe out there and take care.
I hope you enjoyed this episode of Hacker Valley Blue. If you did, please remember to like it, subscribe to the channel, share it with your friends and colleagues and family members. Get it all out there, and make sure you tune in for the next episode. Also, remember to join our Discord server, where you can talk to me and some of the other Hacker Valley family. So, make sure you go check us out over there, too. I will see you next time. Peace.