Cyber Crime Junkies

How To Hack And Turn It Into A Career. Legendary JOHN HAMMOND.

March 03, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 16
Cyber Crime Junkies
How To Hack And Turn It Into A Career. Legendary JOHN HAMMOND.
Cyber Crime Junkies PRIME+
Support the show & get subscriber-only content.
Starting at $4/month Subscribe
Show Notes Transcript

Legendary Expert John Hammond. Exclusive. Learning How To Hack And Turn It Into A Career with topics: Newest security expert insight, best cybersecurity practices for business, how capture the flag exercises help, How To Protect Security Of Organizations With Artificial Intelligence, how red team exercises help you stay protected, how transition fro military into cybersecurity today, Artificial Intelligence Isao Info Gathering, best ways to protect business from cyber crime, how to limit liability from cyber attacks, understanding the hacker mind, why hacktivists help keep businesses secure, benefits for having security assessments done, best security awareness training software, best security tips for small business, and how security awareness training lowers risk. 

John has a massive following so follow him to great insight. John has a huge following: 550K Youtube subscribers, 170k+ Twitter followers and 140k+ Linkedin Followers! 

John’s socials:




 VIDEO Episode Link for EP1: 👩‍💻     

/LETS CONNECT/ We Really want people to be able to Watch and Listen and we would love your help. 

📲 📲 PLEASE CONSIDER SUBSCRIBING. It's FREE and it will help us to help others. 

📲 📲   Our Channel @Cybercrimejunkiespodcast 


 📲 DAVID MAURO Linkedin:  

 📲 Cyber Crime Junkies Linkedin:  

Thanks for all the support! -David, Mark, Kylie and Team @CCJ   

 Music Credits:   Two Guitars by Admiral Bob (c) copyright 2012 Licensed under a Creative Commons Attribution (3.0) license. 

Support the show

Want EXCLUSIVE Content? For only $4 SUBSCRIBE to Cyber Crime Junkies PRIME

Please consider subscribing to our YouTube Channel for ALL Video episodes.
It's FREE. It helps us help others.

Our YouTube Channel @Cybercrimejunkiespodcast

Learning How To Hack And Turn It Into A Career 


How To Hack and Turn It Into A Career

Legendary Expert John Hammond. Exclusive. Learning How To Hack And Turn It Into A Career with topics: Newest security expert insight, best cybersecurity practices for business, how capture the flag exercises help, How To Protect Security Of Organizations With Artificial Intelligence, how red team exercises help you stay protected, how transition fro military into cybersecurity today, Artificial Intelligence Isao Info Gathering, best ways to protect business from cyber crime, how to limit liability from cyber attacks, understanding the hacker mind, why hacktivists help keep businesses secure, benefits for having security assessments done, best security awareness training software, best security tips for small business, and how security awareness training lowers risk. 

John has a massive following so follow him to great insight. John has a huge following: 550K Youtube subscribers, 170k+ Twitter followers and 140k+ Linkedin Followers! 

John’s socials:




VIDEO Episode Link for EP1: 👩‍💻     

/LETS CONNECT/ We Really want people to be able to Watch and Listen and we would love your help. 

PLEASE CONSIDER SUBSCRIBING. It's FREE and it will help us to help others. 

 Our Channel @Cybercrimejunkiespodcast 


[00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialized cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field and we share our research and blockbuster true cyber crime stories.

This is Cyber Crime junkies, and now the show.

Hey, well, good afternoon. Uh, I am David Morrow, your host of Cybercrime Junkies. Uh, in the studio today, we have a true renaissance man, somebody that serves as a senior security [00:01:00] researcher at Huntress, uh, educator, um, overall, uh, a great human and is also a, uh, kind of. Has a whole history. I of a senior researcher in malware and runs his own capture the FLAG sessions, um, and is a massive content creator and, uh, uh, has a very popular YouTube, Twitter, and LinkedIn presence.

And, and as I said, and all around great human, John Hammond. So thank you and welcome to the studio. Well, hey there, David. Hey, thank you so much for that, uh, super, super generous, uh, and warm welcome . Uh, no problem. And if you want, like any Zoom meeting you have, uh, mark and I can come in. Yeah. First introduce as you walk into a room or you get on Zoom, we can.

Whatever you, that same intro. Very flattered. Thank you. Now that's, this is great to have you all, this is really, how's audio and video? Am I on the right microphone? Are we looking? Sound good? At least you, do you you sound great. Yes. We really, really appreciate it. Let [00:02:00] me, uh, actually, uh, change up our, uh, video spot and there we go.

Cool. So, uh, just share with every. Kind of what your current role is, and then I kind of want to back into that and kind of always get down to the, the purpose that you're driving and things like that. Okay. No, absolutely. And thank you. Um, So, hey. Yeah. Uh, from that, uh, introduction and all, uh, currently for my day job, I work as a, uh, senior security researcher in quotes, whatever formality they put on that title thing,

Uh, but no, uh, Huntress is a, uh, a fantastic place that I got to fall into around 2020. Um, their ceo, Kyle Hansler, but I'm not sure if folks are familiar, but, uh, he had reached out and said, Hey, John, you know, we had just landed, uh, series A at that time. I think at the end of 20. And, uh, he said, we're moving and shaken, having a whole lot of fun.

But listen, I need some help. Uh, having someone kind of, uh, carry the weight of creating content, bringing out education, bringing [00:03:00] cybersecurity out to folks, uh, and do that sort of stuff, whether it's a main stage presentation, whether it's talking to reporters, whether it's writing a blog or making content, uh, I need someone to handle that for me cuz I just gotta.

Regular CEO stuff, right? Um, . But he was, uh, super kind and said, look, look, I, I, I know you gotta stay technical. I know you wanna stay on the keyboard. We're both nerds and geeks at heart. Uh, and that's where I fell into this, a little bit of a blessing. Hey, I get to wear two hats. I can sling some code together.

I can still hack on the agent and the product, but I can hey, go out and, and be a little bit of a public face, uh, and shake hands. Well, and that's great, and you're really doing that. So you were just at write a boom, you just had like a precursor to write a boom, like a, like a session, uh, ahead of time. Uh, walk us through that.

How was that? Because it absolutely, I, I heard some phenomenal reviews from it. I wasn't surprised at all. But, uh, share with us, uh, kind of what y'all did and, and what, what the. Hey, thanks [00:04:00] again. Uh, yeah, just past week I was over at the, uh, Rite of Boom event and conference over in Texas. Uh, and that event is put on by Andrew Morgan.

Uh, just for some background, for folks that aren't familiar, uh, he's one great, incredible individual that spearheads the cyber nation or the cyber call that gets a whole lot of, hey, service provider organizations and businesses together to chat. Security. Um, this is the second year that they put on the show.

Um, but Rite of Boom was a ton of fun. This year. I got together with, uh, John Strand, who's over at Black Hills Information Security. Yep. Great. Him and I, him and I did a little pre-day, a little workshop kind of class activity that ran for about four hours, but we were, hey, getting folks into doing some role play for tabletop exercise or back doors and breaches is a, a great game that mm-hmm.

uh, black Hills had built to kind of, Ride that vessel, uh, to think about, Hey, what are we gonna do when boom hits, when there's an incidence where that bad B word breach? Um, and then write of [00:05:00] boom, how do we respond, recover to remediate it the best we can? Uh, so all of that and getting hands on keyboard for some labs.

Hey, what are we gonna do, for instance, response? Are we throwing out velociraptor? Are we digging through event logs? Blah, blah, blah. It's a whole lot of fun and, uh, an absolute great event. . That's fantastic. So walk us, walk us through kind of a little bit of your background. I mean, did you know you wanted to do this when you were younger?

Like what, what kind of drove you into, uh, cybersecurity? There was a single event. Was there a single event that drove you into cybersecurity? Oh, okay. So, hey. Yeah, I guess a little bit of a story there if it's all right. But if I'm, of course, uh, if I'm rambling or, or yapping on for too long, please say the word, uh, cut me off.

But, uh, no, I feel like I, I grew up sort of like any other kid that's thinking, Hey, uh, I wanna make video games, or I want to be a hacker, like I see in the movies and all that Hollywood sense. So I went online, I used the computer. I hate the only thing that I really could to do [00:06:00] that. And I started to Google, I started to look online and research.

Watch YouTube videos on how to be a hacker in a, in a genuine Google search. , uh, I think I stumbled across, uh, Eric s Raymond's blog, Eric S. Raymond, one of the hey leaders of sort of the free and open source software movement for some time. Uh, and he said, look, if you wanna be a hacker, you need to learn how to code.

You need to learn how to program. Uh, he recommended Python as a language to work with at that time. And I'd go back over to Google or go to YouTube and how do I learn? Right. So for a long, long time the origin was, Hey, just let's make stuff. Let's create things. Yeah, let's build software, make video games.

It wasn't until truthfully I attended the, uh, United States Coast Guard Academy, uh, for my undergraduate. I was looking, Hey, could I hang out with the Air Force? Could I do something with the Navy? Uh, coast Guard said yes. So, It's really interesting cuz at a military institution or for some of that government stuff, they think, Hey, it's really cool that you can build [00:07:00] things.

It's nice that you can make something, but can anyone break it? Uh, right where they care more about the vulnerabilities and the exploits and that cybersecurity flare to it. Uh, so at one point I got to go participate in, uh, like a, again, a capture the flag, a training competition with all the other service academies.

And it was sort of this like Olympic style event with jeopardy challenges. When you are a, a freshman at one of the military academies, whether you're a plebe or you're a swab or whatever they folks call you, you have to like walk in the middle of a hallway and, and square in the, the edges of, uh, the corners of the stairwell and the ladder.

Well, like being a pledge at a fraternity, the same thing you. So I remember, hey, on the day we were gonna go drive to Pittsburgh or whatever for this in-person event with all the service academy cadets and midshipman and hey, do cyber in a really cool hands-on event. I just remember four in the morning or whatever it is that we got up squaring down the stairwell and I was [00:08:00] thinking like, this is it, man.

This is, this is kind of what I want to do. I, I, I like, I like this. It brings a little bit more meaning because even at Hunters, hey, sort of on the front lines or in the trenches, Something hits the fan. There's a new vulnerability or there's some threat actor causing havoc. I don't know. I feel like it really does make a difference when we have a partner or a person or a business that says, Hey, you guys really saved my bank here.

Uh, you know, right. You're the reason I can sleep at night because we got someone on the watch. So, yeah, that, that's the motivation. That's great. Yeah. So it's, it's kind of that, that drive and we still, we see a lot of people that we talked to in cybersecurity that came from military, and it's something about that, that it's not just the discipline that's learned to me in my opinion, but it's, it seems to be that, that that drive to serve and protect.

Right. Okay. That drive to kind of cover your, cover your brother, cover your sister, right. Like kind of cover a higher calling. Really? Yeah. You know, a higher purpose. [00:09:00] So, um, go. Yeah. So let me ask you this. When it comes to, uh, and there's a whole host of business owners, they own manufacturing companies, attorneys, physicians that listen to this podcast or that will watch these videos, what.

Can, can you walk people through what a capture the flag is, just from a rudimentary level and then why it's so useful? Because you, I know you know the answer. You, you do them and you lead them all the time. I, I, we know the answer, but let's kind of paint that picture for us. Is that okay? Sure thing.

Absolutely. And, and thank you for helping me, uh, add that backdrop and color the picture a little bit, cuz I know, hey, if I'm throwing around these terms with acronyms or whatever, um, right. Exactly. Capture the flag, uh, is taking cybersecurity, the whole industry, the whole theme, the whole business, right? Or, or just that practice and making it into a game, uh, making it into a sport, making it into a puzzle.

Uh, something that you can kind of play [00:10:00] with, right? Because say, Hey, you're with all your friends, and I know you might imagine to capture the flag at outdoors recess, but no, it's, you get everyone with a. And you put it in front of them. Hey, here are a couple tasks. Here are a couple activities. Mm-hmm. or challenges that I might present to you.

Like, Hey, look at this website over here. Can you, if you were to go look at this website, can you hack into it? Can you break into it? Can you find those vulnerabilities? Or look at this program. Look at this application. Can you find the memory corruption issues or with the cryptography that it's using?

Can you break that crypto scheme? It sounds silly, but you hear the term jeopardy a lot of time with Capture the flag. Mm-hmm. , because it's like these grab bag, different categories. Yeah, web application security, binary exploitation. Reverse engineering. Cryptography, forensics. It's like English literature for 3000, please.

Alex . Yeah, exactly. Absolutely. Everybody just wanted to mention Cybercrime Junkies Prime. We now have a subscription [00:11:00] available. Through our podcast and it offers exclusive content, bonus episodes, and even pre-releases of all of our standard shows. We keep it simple. It's just the cost of one cup of coffee, one time a month, and you can cancel anytime.

You can subscribe by, uh, scanning the QR code next to me in the video or by clicking the link in the show notes. If you select not to subscribe to our Prime membership, please at least consider subscribing to our YouTube channel. It's at Cybercrime Junkies podcast on YouTube, and it's absolutely free. It allows us to bring great guests on the show.

Thank you for your support, and now let's get back to it.

Yeah, exactly. Absolut. Okay. So the, so the clear benefit in, in learning that, is there a way, is there a methodology of winning that, that game, or is it more about the, the learning and the steps, the building blocks to get there? Yeah, so [00:12:00] entering the certain amount of stakes right, to, uh, to really win the game.

Whenever you capture a flag. Sort of a, a string of text or the key mm-hmm. or the token that proves, Hey, yeah, I broke into this website. I found the secret data that was hiding there. You'll go submit it on a scoreboard or some heyer, uh, agreement spot that says, yeah, hey, this is where you can submit all of the keys and flags and tokens that you found, and then your points on the scoreboard or the board will increase.

So all the peers and the other teams that you're playing against, all the other players, They'll see the shift and the leaderboard in the scoreboard and say, who, who's the winner? Who, who's gonna take top 10, top 500, or top a thousand? Um, and it's, I know sure adds a certain element of competition to it, but it is still really for fun.

It's so that you can learn, it's so that you can get exposure to new technologies, new software, new hardware, new exploits or tools and vulnerabilities that you might. Otherwise play with on your own. And I try to, I try to draw that parallel a [00:13:00] lot because when I talk about CTFs and honestly why I , I probably beat the Dead horse.

I sound like a broken record for championing. But, uh, you as a person go to your day job and you do your work and you have your workflow with the tools that you use, the processes, the software that you're used to, but everyone else has their different. Workflow and technologies that they love and they use.

So when they get to bring that to you and say, Hey, look, I made a game out of this for you. Mm-hmm. , you get that new exposure, you get to see what sort of malware can do in this scenario. Hey, what different thing, uh, or tool or software can solve this problem and what faster way? So it's a wonderful fire hose.

And uh, again, I, I scream and shout from the rooftops. I think capture the flag is one of the best ways to. Absolutely. Because to me it seems like it's the practical application of things that you've studied, right? Yeah. And you get to, to do it in a controlled environment where you're really not gonna do harm to the other side, and, and you can [00:14:00] actually apply that knowledge and it's gamification, right?

There's a whole host of ways that people learn. Right, and they absorb information, um, making things fun, making things gamified is uh, it's a, uh, it's a brilliant way they use it in, in formal education and, uh, and makes perfect sense here. Can I ask, you know, when you focus on, um, you were just at rite of Boom, um, when you, when you focus on.

boom and right of boom. Are, are you seeing anything in the, in the clients that, that you guys serve over at Huntress or in the industry? Are you seeing a lot of organizations actually practicing and doing those exercises? Or is this something that is relatively, it's more rare than common occurrence.

Sorry, mark, I didn't know if you had anything else in there or No, no. That was, uh, I, I was thinking the same thing. You know, how often do you see this, or how often do you not see this? Yeah. Yeah. [00:15:00] It's, you're getting into a, a fun hey, glass half full or glass half empty. Uh, you . Um, I think there are a good handful of businesses and organizations that know, hey, what the heck is a capture the flag?

Or what is a tabletop exercise? But then the question that you ask is, okay, do they actually do it right? Um, I think tabletop exercises and that role play gamification has grown very, very well in the service provider or it M S P space. I think in the quote unquote, traditional, if I may say, or like the cookie cutter cybersecurity scene capture the flag is a little bit more prominent.

And I, we sort of have to pour these two into each other in a, in a strange way. Um, because, hey, is are we gonna get a business owner to go to Defcon, you know, Hey, are you, are you attending local BSides? Well, maybe not, but as a, as a BSides member gonna go, Some MSP conference here, vendor A, B, C, X, Y, [00:16:00] Z, you know, uh, I don't know, spending a lot of time with John Strand and if I may, he has, he has a wonderful perspective.

Cause when we did our class together, we acknowledged and he had openly said like, Hey, for a long time, I think what we tend to think of when we think of the word InfoSec, Just sort of left behind a lot of the managed service providers or small mid-market businesses because oh, there's no money there or whatever.

And it was just the, the desert wastelands. But it's not, it's not at all. It's a Nope. They're the front lines. Yeah, exactly. And there's still, and, and so I think that gets into my, the question that I just asked is, Do we see it more in enterprise space as opposed to that SMB space? Because our experience as an M S S P is we, we are seeing it more so on the enterprise space.

Agreed. We're, when we mention it to the SMB space, Some of them have never even heard of it. Or they, what is that? Saw it and they don't know what it [00:17:00] is. And I'm like, oh my gosh. like, like you have, like, first of all, it's hard to get them sometimes to create the right policies, let alone practice them. Like what would happen?

It's almost like a live racy document, right? Like mm-hmm. , who, who does what? I mean in school we have kids that do fire drills, right? Because if we didn. We'd have kids in the actual fire running down the hallway, going the wrong way, bumping into each other, et cetera. But we don't do that in, in, for a lot of small businesses.

And I'm just curious if I, whether you're seeing the somewhat of the same thing I am. I, I am. I'm. I'm seeing the improvement. Uh, a slow improvement though, but like, Hey, yeah, let's, let's keep amping that up. Let's again, why I try to keep chatting about, Hey, can we get folks to play a game? Yeah. Can we get folks to be hands on keyboard?

Right. Um, Not to pivot, but, uh, again, hey, something that we kind of pivot away, bring out with Huntress, no event that we bring [00:18:00] and we love to bring to different shows or conferences, and we can get people together, is a silly sort of hacking with Huntress or hey. Mm-hmm. , um, hacking windows, like modern trade craft.

Uh, and we'll get folks in a, a virtual environment like an Azure lab sort of thing where you, hey, get to pry open Kelly Linux. You get to act like the adversary. Hey, let's load. Cobalt strike. Let's, let's see what a command and control framework might do and what happens when we point it at a web server, like it's beat up Microsoft Exchange with all those recent vulnerabilities and exploits.

Or like, Hey, let's have you craft a phishing email and genuinely send it so you can get your callback, uh, mm-hmm. . And it's all these different weird, nerdy things, but I think it is very, very different when you get to put them in front of it. Let them interact with it and it's in, they see it with their own eyes.

I don't know. I, I always think that's very, very eye-opening and great when you can really do it and not just talk about it. . Yeah, absolutely. So let me ask you this. Um, people that [00:19:00] are in school or coming out and they're in help desk and they're looking for cybersecurity careers, I mean, people look at you and they're like, man, that looks fun.

He makes it so, he makes it seem so fun. And really what you're doing is like researching mal. Right. It, it, otherwise, you know, 20 years ago people were doing that and it looked really dry. Right. But you have engaged in a way that makes it really fun. What, like, what's a great career path to learn that?

What are some of the, like what's the best certification that you could advise or one that you got the most out of? Like what advice can you give to people like that? Looking to get into what, what you do for a living? Ooh. Okay. Um. man. Super good question cuz there are a whole lot of roads to go down, right?

Yeah. Uh, and I don't have by any means, a a a one size fits all answer, but, uh, Look, hey, I, I still put, capture the flag front and center. Everything that I tend to do. Mm-hmm. has been [00:20:00] translated from that. Um, if you wanted to, hey, go explore some of those other online war games or practice ranges, stuff to be able to play.

People will always list and mention, look, you've gotta try hack me. You've got a hack the box. You've got all those things. And I, and I'll realize, and I'll admit, Hey, they'll put you. Hacker pen tester, red teamer perspective, sort of sometimes you have to translate it to what is the blue team, what is the defense gonna look like here?

Exactly. There are some spots like let's defend, I think, uh, blue Team Labs online has a lot of great stuff where you're doing some more of that log analysis, artifact collection, et cetera. Um, but when you get to see both ends of the spectrum, that's when you really kind of put puzzle pieces together.

Certification wise? Oh, it's hard. Uh, cuz again, a lot. Feel like, Hey, let's go be the sexy hacker. You know, be the, the Hollywood movies slinging keys on the keyboard. Um, I think El Learn Security, which I think now is working with I and e had some threat hunter one. Um, but there's some really [00:21:00] great stuff that, um, Sector seven puts out if you wanna get some of the top tier things, uh, I'm scraping the bottle of the barrel, forgive me.

But, uh, I, I really recommend folks, hey, just be part of the scene. And with it, whether you're on Twitter or Mastodon, you might see folks that'll share their analysis and share their research, and they'll find samples if you're willing to play with them. Unlike Malware Bazaar, or, uh, VX underground, of course.

Uh, kind of just pull those down. Uh, get a virtual machine, a safe environment for yourself and. Kick the tires . Yeah. Actually do it. Right? Like actually create like, oh, it's almost like a home lab, right? Like, actually go, go ahead and do that. Excuse me. I mean, I, I kind of see that, um, a lot of people that we know that are getting informatics degrees or, Hmm.

Computer science, four year degrees. They're, I mean, they're, they've kind of just gone traditional routes and then they're, they're asking, you know, how do we break into something like this? And I said, well, it's the, the degree is great for [00:22:00] historical knowledge and understanding frameworks and, and things like that.

But, but it's really about what you're doing right? And it's, and it's all those examples that you just gave and actually, Trying to break stuff, trying to get in, like, like actually doing that. That's really where the, that's really where you can demonstrate and set yourself apart from another candidate when you're looking for a role.

Is that fair? Oh, absolutely. Without a doubt. Yeah. That, that's a, Hey, well that's a wrap. Thank you for listening. Our next episode starts right now. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive pre-release episodes and bonus content, please subscribe to Cybercrime Junkies Prime Lincoln, the description and show notes, and thanks for being a cyber crime junkie.[00:23:00]