Breaking and building your way to an infosec career with Chris Elgee
A top penetration tester and challenge developer shares how being playful, continuously challenging yourself, and developing your network can expand your mind - and your career.
A top penetration tester and challenge developer shares how being playful, continuously challenging yourself, and developing your network can expand your mind - and your career.
As a self-taught programmer since elementary school, Chris Elgee is no stranger to learning by trial and error. Now a challenge developer and penetration tester, he shares advice on how to build a career you're passionate about.
In this episode, Elgee discusses the importance of creating a strong network, both in local communities and throughout the industry, as well as the critical role of education and certifications in developing skills. He also stresses the importance of pursuing your passions in a playful way by building challenges and completing CTFs.
With a penchant for puzzles, Chris is a challenge developer and penetration tester for Counter Hack Challenges. He is a SANS instructor, the project lead for Core NetWars 6.0, and contributes to other projects like the SANS Holiday Hack Challenge. Chris also holds a commission in the Army National Guard and has served in roles from international partnership management to red team leadership on large-scale cyber exercises.
Passionate about information security education, Chris has spoken to thousands of students in dozens of Maine high schools and has contributed to (ISC)2's Safe and Secure Online materials. He holds GSEC-Gold, GCIH, GWAPT, GPEN, CISSP, and OSCP certifications.
Outside of work, he enjoys spending time with his wife and four kids and volunteering at his church.
Jason Nickola: This is "Trust Me, I'm Certified," brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome. Welcome back! Our guest this episode is Chris Elgee, builder and breaker at Counter Hack Challenges. Chris will chat with us about practically applying some of the skills that you're gaining through self-study or training and how to do lots of cool and crazy things with the new infosec skills that you build out there in the world. He offers a ton of useful feedback and tips for anyone going through similar experiences. I really enjoyed this conversation, so let's dig in. I hope you enjoy it!
Jason Nickola: I'm very pleased to be joined by Chris Elgee. Chris, thanks a lot for coming on the show.
Chris Elgee: Jason, thanks so much for having me.
Jason Nickola: So talk to me about your initial path into technology and security. When did you first realize that you were gonna be a tech nerd?
Chris Elgee: I think for me it started relatively young. Like a lot of kids, I was fortunate to have some computers in schools. So way back in the days of the Apple 2, you know, I was just drawn to computers, thought they were the coolest thing, taught myself how to program in elementary school and ended up going to college for computer science. I actually got away from it for a while, but then just kept feeling called back to it. It's one of those things that I think if it's something that is in you, you can't really escape it.
Jason Nickola: Yeah, for sure. So when did security first start to come on your radar?
Chris Elgee: For me, it was probably right around the end of college. Security wasn't really a topic in the computer science curriculum then, but in the National Guard I was in an information security unit and went to this cool course where I learned about things like everything from IP chains to John the Ripper and L0phtCrack, if you remember some of the older tools there, and really got taken in at that point.
Jason Nickola: Do you look at your initial path with more general technology in a computer science curriculum before security became a major component? Is that an asset to your development?
Chris Elgee: Yeah, I really think it is. I don't think, however, that a bachelor's degree in information systems or computer science is necessary to be successful in the field, but I've definitely been able to draw on some of the courses I've had. Learning things about reverse engineering and buffer overflows comes more easily when you get a few credit hours of Intel assembly and that kind of thing. So it's definitely helped me. But again, I don't think it's essential for people in the field.
Jason Nickola: And I would say, just general networking overall, regardless of what field in technology you want to work in, but especially security. If I were to identify somewhere that I think there's a real gap to fill in, I think the networking component, really understanding packets and different protocols and how to manipulate those things. Having a background that is more grounded in general technology and allowing you to dig into the networking side of things is a real asset.
Chris Elgee: Yeah, absolutely. It's like they say, you know, packets don't lie. Like you could make logs say whatever you want but if you're watching the wire, then you know what's really going on.
Jason Nickola: Yeah, for sure. So when you were starting out in your first cyber security role, how did you really start to dig in and fill in some of those gaps that you had - not foundationally with general computer science - but start to really dig your heels in and learn the security industry?
Chris Elgee: So I actually want to skip past my first role. It was that National Guard, part-time InfoSec unit I was in. We kind of dabbled in it there. But I got away from it for years after that, but then it was really - I got back into it with some large-scale cyber exercises that the National Guard holds, one's called Cyber Shield. And this was maybe 10-15 years after college. And it was kind of seeing everything at once, seeing how it all fits together and what the purpose of the red team and the blue teams are, that kind of made it start to stick for me.
Jason Nickola: Yeah, so not necessarily getting lost in the tools or the specific offensive or defensive components themselves, but how all of those things come together to try to serve a greater need, especially as it relates to structured exercises in the armed forces.
Chris Elgee: Exactly. And the tools are fun - I love cracking hashes like the next guy. But, yeah, when you get a feel for why it's important, that can really kind of drive, at least for me, that drives passion in making sure that we're doing this well.
Jason Nickola: And it's a real motivator, too. If you're just learning tool after tool and you're thinking about in isolation, it's a little bit more difficult to put it into context and keep going and figure out where this information is gonna be of value to you. But we really do have the context about how it fits into a larger scale and how it can be used to accomplish broader organizational and, in your case, national goals. It's a real motivator and can start to breed some real passion.
Chris Elgee: I absolutely agree 100 percent.
Jason Nickola: So we spoke to Max Shuftan who is the director of the CyberTalent efforts at SANS, and he mentioned that you are a graduate of their VetSuccess program. What role did that play in getting started in information security? And what practical skills did you take out of that?
Chris Elgee: Yeah, Max is great. So that was key for me. At the time I was active duty in the Army National Guard, and not in an infosec role at all. Every once in a while, they let me play a little bit. But for the most part I was doing budgets and planning, and they were both nightmares. But the VetSuccess immersion academy program was just a game changer for me because I'd studied a little bit on my own and gotten like Security+ and that kind of thing, but to just be able to leap in and get three SANS classes and three GIAC certs gave me a whole new level of understanding of how everything works. And at the same time it was really good for networking purposes, because when you take these classes, it connects you to other people in the industry and those connections, that type of networking becomes really important, more important than I thought it would be, actually.
Jason Nickola: Yeah, not just the networking alone, but as someone who was transitioning from non-cybersecurity roles into the cybersecurity industry, when you get to go to these courses and network, not just with the people who are taking the class, but the instructors and other people who are at events, and maybe you get on a CTF team with someone and then you start to take some of these certifications and accomplish things that you see others who you respect in the field accomplishing, it's a real confidence boost to show that hey, I can do this too. And I can speak with people who are doing some of the more impressive research or developing tools or working at some of the best companies. And it's not this fear I have of falling on my face and saying all the wrong things, it's "yeah, I belong here." It's a confidence builder from that perspective.
Chris Elgee: Yeah, it really is, in the same way that in the military we have badges and shiny bling that we put on uniforms that say I'm qualified to fall out of a plane or whatever. Having certifications I think fills that same role in a lot of the same ways. It doesn't mean you don't have a skill if you don't have the cert, but you know you do if you do have it.
Jason Nickola: Yeah, absolutely. So as you started to take these classes and go through the VetSuccess program and come out with some certifications. What was your approach for taking this knowledge that you're gaining and trying to practically apply in the real world so that you can get the next role or continue to develop those skills outside of an academic format?
Chris Elgee: Sure. So one of the first steps for me was actually something - the SANS Holiday Hack challenge. And this is gonna sound a little self-serving because it's something I work on now.
Jason Nickola: Right, really full circle there.
Chris Elgee: Full circle, absolutely. But it was just great. It was a great way for me to try things out. It's this free CTF, like you mentioned CTFs are great, that requires a bunch of different varied skills and being able to take some of the things that I had there was again a confidence booster. It's kind of like certifications in a way, and in fact it's the kind of thing I put on resumes right next to certs, you know? Hey, I completed the holiday hack challenge 2016 or I got an honorable mention. It's another feather in your cap.
Jason Nickola: Yeah, absolutely. So I was about to ask when you are trying to get a role and you have to represent yourself in ways that are other than hands on keyboard and showing, yes, I can do this and watch me do it, I can prove it. In addition to doing some extracurriculars like Holiday Hack challenge and putting those things in your resume, do you have any other tips for how potential job applicants that are trying to get their next role can stand out and show, yes, I can do these things, and here's how I prove it to you, devoid of I'm gonna sit down and show you?
Chris Elgee: Right, because every once in a while, you'll hear about the interview where they give somebody a whiteboard and a marker and say, write me some code for something, or here's a box, you know, hack the box. Outside of that, certainly things like CTFs and certs are fantastic. I think it's also great when people have a blog that they keep up where they're posting about the things they know, they're sharing with other people. One thing I like asking about are people's home labs. What are you doing at home? And if it's some great, cool, gee whiz, awesome set up with some devices, that's great. Or if it's just two VMs within your laptop at the same time, it's fantastic. It shows that you're putting time in outside of what you have to, to try to learn more and play around.
Jason Nickola: Sure. So you're a SANS instructor for SEC560: Network Penetration Testing and Ethical Hacking. You also work at Counter Hack, which produces NetWars and Holiday Hack challenges, as you mentioned. These are places where there's a really high bar for not only what you know about, but what you can do, right? So how do you continue to fill in those gaps in some of the skills that you don't have while continuing to move forward in new areas for things as they start to come out? Because things are changing all the time, as you mentioned.
Chris Elgee: Yeah, that's definitely a challenge. Certainly, I'm still taking classes. I'm still learning and growing in the formal sense of things, but a lot of it comes from just messing around. I'm working on a challenge for the next version of NetWars. It's going to use WebSockets, and I've never programmed in WebSockets before. So I do what anybody does and start Googling it and start building something and playing with it and get it to work, maybe try to get some practical application for it, which then I can turn into a challenge. So I think so much of it is just finding something that's interesting, finding something that's relevant, and going after it and making it work.
Jason Nickola: Yeah, and it's so interesting to me because I think from the outside most people would say Chris has the opportunity to work at Counter Hack and work on NetWars and work on Holiday Hack challenge. And those are kind of the fruits of your career and the things that you've been able to accomplish and the hard work that you put in. But on the other side of it, it sounds like someone like you looks for those opportunities, not necessarily for validation of okay, I've arrived, now I deserve these things, but more because you have to continue learning, right? They are a professional extension of learning processes. Is that something that you look for in the projects that you get involved with?
Chris Elgee: Yeah, I want a challenge. I want something new to play with, and if I don't have that at work like when I was doing budgets and planning, I would do it in my free time. Sometimes you meet people who say, yeah, you know, I do computers at work, and I don't want to see a computer at home. I'm not like that. Jason, I know you're not like that. I think that people who are really successful in this field, or in any field, are passionate about what they're doing. You know that the mechanic who goes home at night and tinkers on his old '69 Ford Mustang is going to be a better mechanic than the guy who goes home and doesn't. It works the same way for us.
Jason Nickola: Yes. So you have transitioned from someone who was looking for challenges like Holiday Hack challenge as a way of just practicing your skills and trying to break in and get your first few initial roles. And now you are someone who does that for a living, right? You get to build challenges, which is an awesome job.
Chris Elgee: It's weird and fun and fantastic, yeah.
Jason Nickola: Yeah. So what advice do you have for people who really enjoy the challenge aspect of it, and they're looking for the kinds of challenges that you're developing. What advice do you have for them in moving into creating their own kinds of things, right? So, taking that same passion and desire that they have for solving puzzles and challenges and then leveraging that as a way of continuing to build yourself, by maybe producing your own stuff, because I think that's how Holiday Hack challenge started. Having heard Ed in the past talk about things, it was just like a cool, interesting thing that he did so the he could join technical challenges with his creative spirit and love of literature and those kinds of things. So I think that there are probably more people who would do the same kinds of things if they just knew how to get started
Chris Elgee: Yeah, that's a great question, Jason. I think sometimes there are outlets for that. Like when I came off active duty, I decided I wanted to build a challenge and I was coming off to be a pen tester, not to work for Counter Hack, but I wanted to build a little game for some of the other nerds that I knew were floating around the office. So I took this official Army photo, except instead of standing tall and looking serious, I've got the guns out and am smiling at the camera.
Jason Nickola: I think I've seen that.
Chris Elgee: And so I took that and put some put some stuff in it. And then in the exit data I mentioned what tool I used and then it ended up being like a little kind of Easter egg challenge. And a few of the guys went through and solved it, but it's not something that 1000 people are gonna play or 10,000 are gonna play. But it was some way for me to kind of express that. And it's great when people just play. It doesn't have to be for a large audience. It doesn't have to be for points or money, just play with these technologies. And, yeah, if it's something that interests you go find it.
Jason Nickola: We talk about it so often with teaching, how teaching is almost a necessary component of the learning journey. So you learn something, and you try to internalize it and see how you can practically apply it. And then the next logical step after that is, how can I know this enough in order to distill it and teach the relevant points to other people? And I think it's the same thing with building challenges. If you really want to understand an area, especially something that you don't have a strong skill set in, then a great way to take that into some depth and real substances is to say, I'm going to build something for the outside world and really come through the other side with some practical skills in that area where maybe you didn't have any before.
Chris Elgee: Yeah, totally. And you don't have to be a SANS instructor to do this kind of thing. You can go to any local meet up with, you know, insert group here: ISACA, OWASP, ICS2. They're always looking for people to give talks, get a challenge put together. I'm sure there are people in your area that would love to tinker with it or work on it with you, but yeah, you're exactly right. Teaching is the next step of learning. I think anybody who's ever taught a class has realized that. I think I get this concept, but until I really teach it to somebody else and am able to answer questions about it, I don't really know it as well as I thought I did.
Jason Nickola: Like the first time you stand up in a room full of SANS instructors and have to explain rainbow tables. You're like, okay, maybe I don't know this as well as I should have.
Chris Elgee: Can I have a do over?
Jason Nickola: Right? Yeah. So you mentioned building things out in the community. I think that work, if you have the right kind of company, can also be a great outlet for these kinds of things. At different places I've been, we've built up programs to do weekly or biweekly challenges. And they're just small things that people in the office devote 1/2 hour or so toward developing. And it becomes a real way of starting to fill in some of your gaps. And people really start to look forward to it and make a lot of headway in a short amount of time just creating challenges and disseminating them. And then you look back after a year or two and these challenges that you did as a side thing at work really start to fill in some of the gaps for your team.
Chris Elgee: That's fantastic. I wish I had that in my last workplace. I mean, obviously, that's what we do for a living at Counter Hack. I've got plenty now, but that's awesome. In fact, one of the one of the challenges we got in the Holiday Hack this year was from Splunk and the guy who built the challenge for us, Dave Harold, builds challenges at Splunk, and I think it's awesome that they have that internal to their company. And there's so much value in that. I wish more companies were able to have that function during the workday.
Jason Nickola: Absolutely. So when you are looking at bringing someone onto a team or hiring someone, what are some of the things that you look for to try to test that someone has the right skills? Because we can ask questions and we can have somebody draw things up, and there are lots of people who are great at answering interview questions, but to dig through and show, not only does somebody have technical skills, but even beyond that, that someone has the right intangibles to be on a team that you would like to be on, what are some of the things that you look for in that person?
Chris Elgee: Yeah, the intangibles are huge. We hear the term soft skills a lot, and that encompasses so much. And I think maybe that term has a stigma among some, but it's so important because you can have the most elite hacker in the world. But if he can't get out of bed in the morning, or if he can't work with other people on a team, then you know he or she is not good for you. And as far as those intangibles go, I think one of the most important is integrity. If somebody's got a lot of integrity, they're going to tell you when they're overtaxed or when they don't have enough to do. They're gonna tell you when you've given them something too hard, they're gonna tell you when you're wrong and should be looking for a different solution. Unfortunately, that's - at least as far as I know - just about impossible to figure out in an interview because everybody in every interview ever has always had fantastic integrity.
Jason Nickola: Right.
Chris Elgee: But that's where networking comes in. And I hate that networking matters, but it does. When you're looking for a job, every once in a while, you can find the posting and you could apply and interview and get a job that way. But usually, jobs come when you know somebody, and they in turn know you, so for the intangibles, things like integrity. I think, you know, hopefully somebody I've already met, hopefully I've met him through a meet up or they're another instructor or something, and then that could be some gauge of how they're gonna be that way. Certainly, you can ask around as well. It's a small industry. Chances are somebody you know knows that other person.
Jason Nickola: Right.
Chris Elgee: So that's good for those. As far as skills go, degrees are great. I think they do show the knowledge and it does show a certain level of stick-to-it-iveness. I think just gutting out a four-year degree or a masters just shows a level of grit. Certs are fantastic for skills, some more than others certainly. But then again, blogs and the home lab and CTFs they've competed in and played with, those are gonna be good indicators of skill and some of the softer side of things as well.
Jason Nickola: Sure. So in looking at your career, one thing that is apparent is that you've always tried to do something outside of your day-to-day work job, whether it's I'm gonna build a home lab or I'm gonna do CTFs or I'm gonna go to meet ups and network and these kinds of things. Is this something that is just natural to you, a natural extension of the learning process and how do I start to use these things? Or did you have a real model or mentor in going about things this way?
Chris Elgee: I think I've always had an interest in extracurriculars. I've always been kind of scattershot in my attention, doing math team and swim team and band or whatever. But when you ask the question, what I really think of is this guy, he was an instructor in ROTC in college, you know, when we were getting ready to graduate to become officers and do our thing, the one piece of advice he wanted to give us was "be more than the Army." And this guy, if you can picture, he was like, Super Soldier Guy Ranger Tab Airborne, all that stuff. And to hear him say be more than the army really, really rung a bell. I just think of that now where I'm at in the industry and where guys like Ed Skoudis are. He's, yes, a fantastic hacker and instructor, but he's also a music lover, and he's into different types of history and film, and I think those other interests do a lot to color who we are and inform our work even in a technical world.
Jason Nickola: Right. So what are some of the things in your life that are non-technical, non-security that you've been passionate about or spent time on that have maybe started to give you a little bit of benefit and seeing your technical projects and your security work in a different light and more creatively and differently than you would have if you were just a basement troll coding and breaking all day?
Chris Elgee: You know, what's funny is I'm actually in my basement right now.
Jason Nickola: Okay, so maybe you can still be a basement troll, but you're interested in other things.
Chris Elgee: And it's a carpeted basement, so it's nice.
Jason Nickola: There you go.
Chris Elgee: So there are always lots of things, right. We all have interests in different types of music and movies and books. I love audiobooks and podcasts. I think central for me is, honestly, faith. For me, if you do the jar and the big rocks and the little rocks in the jar, my big rock is faith, and everything I do comes from that. That's kind of what led me to where I've been in terms of the military and family and everything but, you know, from that comes a desire to serve and that's again the Army stuff but as well I feel like we in infosec are in large part servants of the greater community. When other people are producing the widgets, we're the ones making sure that the widgets can be produced because everything's digital now. So that's a big thing. Family, too, is huge for me. We have four kids and I have a wonderful wife who puts up with my SANS travel and my Counter Hack travel and my Army travel and they're an inspiration. One of the pieces I got to make for the Holiday Hack this year is an Oregon Trail clone called The Holiday Hack Trail. And, you know, I look at my kids, I look at my wife who is learning cybersecurity, and I think what would be an engaging way for them to learn web app hacking? And we came up with this game and coded that, so they definitely have an influence on where I'm at as well.
Jason Nickola: Nice. And as you said you're a dad and I know you've done some work in rules for keeping kids safe in their use of technology and those kinds of things. Do you see a real contrast between when you were coming up and trying to learn technology and getting interested in those things, and some of the things that are available for kids today to go off and build from an early age?
Chris Elgee: Yeah, it's kind of crazy. We had a computer when I was in maybe third or fourth grade and I realized how lucky we were in the eighties to have a computer in our house where so many didn't, but now we've got raspberry pis all over the place. We've got laptops and tablets, and it just makes it so much easier. My eight year old daughter last night told me that well, tonight I'm not supposed to read from a book, I'm supposed to read from this website, and she brings up the website and it's tracking the time she's reading and the vocabulary and everything, and that's awesome. I think hopefully it'll only help everybody be more technology literate as we go forward because we really need it now. It's part and parcel to everything we do.
Jason Nickola: Yeah, and I think technology is so different than a lot of the things that traditionally kids have learned in school. And what I mean by that is you learn geography there. There are lots of things inside of your head and just expanding your knowledge base that you can use standard things for, like geography and math and reading and writing and those kinds of things. And they're certainly creative outlets for all of those. But we're at a point in time now where there's so much available to kids to immediately practically apply the basic technological things that they learn in school now or because they have awesome depth to build challenges like you, where often we want a tablet, and instead of us being like let's go buy a tablet, well, let's go buy the things that we need to make a tablet. So it's almost like that ability to practically apply knowledge is becoming more built into the learning process from an early age and that alone really excites me for some of the things that we're gonna be able to accomplish in cybersecurity and in technology overall moving forward is that we have this whole generation that is practically applying technological learning from a very, very young age.
Chris Elgee: Yeah, absolutely. And you see it not just in technology kind of things, but also in some of the games that come out where we'll get this one called Robot Turtles, where it's a board game, and the kids have to navigate their little turtle around this grid to get to a jewel at the end. But to move it around, they have to play these cards that are basically instructions, you know, turn left, turn right, shoot laser. And we're teaching them coding. Yeah, we're teaching them coding at four or five years old, right? Even if they don't get it now, and I'm sure they don't get it now, it helps them understand how discrete instructions work and will benefit them.
Jason Nickola: It's way easier to learn more complex topics later on if you have an initial starting schema for how something similar works. Yeah, I share that, I think that's really important.
Chris Elgee: Especially if it's fun. You know, it's almost like slipping vegetables in meatloaf - they don't notice it.
Jason Nickola: Right. So what words of encouragement or advice do you have for people who are listening to the show? Maybe they're just getting started and are looking for the next role, but they're getting rebuffed, and they're looking for ways to practically apply some of the things that they go off and learn. What's some advice for them as they go through that process?
Chris Elgee: Yeah. Again, I'm gonna go back to networking. If you're at some local meet up, you're gonna find people who need help with a project. You're gonna find people who want somebody to come speak at a school. You're gonna find opportunities to learn and grow and apply and that's a just a fantastic way to do that. Also staying current is really big. Maybe somebody new to the industry says, well, what do you mean to stay current? I'm not even in yet. But, you know, listening to podcasts like the ISC StormCast and the Cyber Wire and Security Weekly, if you can handle those crazy guys, they're super for me at least. I like processing stuff in an audio format. They're super for me for learning about the news, learning about the thought processes that other people have and just seeing what's going on the industry in terms of trends, but above all else, just play. Do things, try things out and try a lot of different things. You might start in cybersecurity and be exposed to something like policies and procedures and password policies, that kind of thing and say, wow, this is really boring or maybe that's exciting. I'm sure it's just to some people, but to me that's really boring. Then I find out about things like pen testing or forensics or social engineering, and then it's in the playing around and in the discovery process that you find what really interests you. And when you find that and you can make a job out of that, then you're going to be really good at it because you're going to put the time in because you enjoy doing it. So play around and find what interests you.
Jason Nickola: Absolutely. Most importantly, what are some hints that you can give us for Holiday Hack challenge 2020?
Chris Elgee: (laughs) Boy, Ed would kill me. I'll say, try hard and play around.
Jason Nickola: Good advice. Chris, thank you so much for coming on the show. It's been a pleasure.
Chris Elgee: Thanks, Jason. It's been a good time.
Jason Nickola: Thanks to all of you for listening to this episode. Visit giac.org/podcasts to sign up for updates and to receive alerts about each episode as they're released and definitely subscribe and follow us wherever it is that you get your podcasts. Thanks and we will see you soon!