From his first "hack" (getting unlimited ammo on
Oregon Trail) at age 12, O'Shea Bowens knew he liked working with
computers. Despite studying a completely different field in college, he
has built a successful career in cybersecurity. In this episode, he and
Jason walk through his strategic path not just into infosec, but into
progressively higher-level roles. They discuss the importance of
effective communication, taking notes, and how determination can make a
significant difference in getting the job you want - and succeeding once
you get there.
O'Shea Bowens is a cybersecurity enthusiast with a
decade of information security experience. He is the founder of Null Hat
Security, which focuses on incident response, SOC training and blue
team engagements. O'Shea has worked and consulted for companies and
clients in the space of federal government, Fortune 500, and
international firms. He specializes in areas of incident response,
network and systems security, security architecture and threat hunting.
O'Shea founded Null Hat Security as he believes a greater focus should
be placed on personal engagements with defenders to fine tune skill sets
and knowledge of threats for best response efforts. O'Shea is also the
founder of SkiCon Conference and the co-founder of "Intrusion Diversity
System," a bi-monthly hosted cyber security podcast.
This is "Trust Me, I'm Certified," brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome.
Welcome back to "Trust Me, I'm Certified." I'm your host, Jason
Nickola, and on this episode we're joined by O'Shea Bowens for the first
of a two-part interview in which we cover a ton of really interesting
ground. O'Shea is probably one of the first people who comes to mind for
me when I think of someone who just grinds and really works hard for
the things he wants to make happen in the world. From his role as CEO
and founder at Null Hat Security, and trainings he's offered at events
such as DEF CON, to speaking and serving as an advisor at the SANS Blue
Team summit, in addition to a lot of the mission based work that he
does, which is probably the thing that I respect about him the most. You
don't have to spend much time with him before you get a real feel for
why he does what he does and how passionate he is about enabling others,
especially as it relates to communities of color. With projects such as
the Intrusion Diversity System podcast, cybersecurity nonprofit, and
the Boston security meetup scene. With such impressive things on his
resume and some real momentum in his career over the last couple of
years, you might think that InfoSec was an obvious professional path for
him, but as appears to be a running theme on our show, there's some
real twists and turns to O'Shea's journey, which were so helpful for me
to hear and I think that lots of you will find some real value here too.
So please enjoy round one with O'Shea Bowens.
All right, so we are joined by O'Shea Bowens. I'm really excited to have a conversation with you. Thanks a lot for joining us.
Yeah, thanks for having me, man. I greatly appreciate it.
For sure. So, let's start out with what was your path to security and
technology? When did you realize that this was going to be it for you?
Realized it was going to be it maybe 22, 23? The introduction was in
sixth grade, so I was like 12 or 13. There was a computer programming
class, not necessarily like assembly, but making games essentially. I
figured out how to get unlimited ammo on Oregon Trail and I just thought
that was awesome. Well, me and my buddy did actually, you can't take
all the credit.
So you had that class in sixth grade?
Yeah, that was a weird thing. So I'm originally from Dallas, Texas,
but I guess you guys don't have, I'm in Boston now, but I guess there's
no year-round school up here.
So year-round school, it's basically what it sounds like. Instead of
having a summer, you get like two weeks off at a time or three weeks.
And we had electives at my school, and we had a computer class and I was
really hooked on the computer class and ironically enough that same
year "Hackers" came out, my buddy's mom bought the movie. And as we were
walking back to his house, he was like, hey, do you want to check out this
movie my mom bought? It's about people doing stuff and I remember
specifically, I was like, what's it called? And he said "Hackers" and I
had no idea what that was. Cause we were like 12 or 13. And when we
watched it, you know, it was just awesome. It still is awesome, of
course. But that was like the moment, not necessarily I thought about
security, but I was really understanding like what a computer could
Right. You had this really progressive middle school that taught you
some kind of programming at the time, which is becoming more common
today. But especially 10, 20 years ago, it wasn't as common as it is
now. And then "Hackers" came out and you got exposed to it and you just
wanted to dig in to computers and figure out what you can do with them.
Yeah, essentially. And then, you know, at this time AOL was fairly
big. And I remember specifically typing in, I was in some room and I was
asking, hey, how do I get a virus? It sounded like crazy newbie. But I
mean, I have a whole theory about asking questions. We can talk about
that later, but some dude pushed me and he's like, well, AOL really
isn't the place you should be talking about that, here's this link to
this bulletin board site. Then that led to a full-blown board that
seemed not as friendly, but I got pushed to this forum. And then inside
the forum was where I started to speak to other people that were kind of
on the - whatever you want to call it, black hat, dark arts side. You
know, but the fun side to me, cause I was a kid and curious adolescent
and learning things and people treat you like an adult when you're
online. They have no idea you're like 12 or 13.
Yeah. So a very quick transition from, hey, this computer stuff is
cool, I'm going to use things like AOL to hey, here's your entrance into
the seedier underbelly where people are actually learning how to attack
things and exchanging techniques and maybe even some binaries.
Yeah. And I didn't get into reverse engineering or anything, but it
was really getting these small viruses on how to connect to someone's -
how to take over someone's chat channel. So how do you throw this
executable and hopefully they click on it and it commits a buffer
overflow and then from that buffer overflow, when it crashes and the
session comes back up, you're in control and it was stuff like that, I
didn't totally understand how it worked. I think even now today you can
still buy whatever malware you're interested in for a price and just
click and go. But that was just - it's still fascinating to me to this
day, which is why I've stayed in InfoSec.
Yeah. Well especially at such a young age to see, the kind of power
and the depth of, hey, there's something behind all of this. I love
speaking with people young and older that don't have a lot of experience
in technology. And although it seems just super obvious to us, one of
the first things I love to show them is these internet pages, these
pages that you're going to in your browser are really just texts and
it's just delivered to your computer. You can manipulate them. And
there's just another computer somewhere that has this text and then your
screen just knows how to display it. And you can kind of see, wow,
there's something behind all of this and it exists because people
created it, right?
That's the really cool thing: it's just people. It's not magic. It's
just people. It's just somebody else just like you, you know.
Yeah, I love the way you put that, that it's not magic because I've
talked about those kinds of things so often because especially in
security and technology, there are lots of people that like to make
things seem so much more complicated than they are. I think as a
validation of the fact that they understand it and can use it and that
if you can't, then it's a one-upsmanship kind of thing. But none of it's
magic. There were people in a room that decided how TCP was going to
work, that decided how C++ was going to compile, that decided how Nmap
was going to work, and the list goes on and on and on and they created
it. And you know, if you have the interest and the drive and the
stick-to-itiveness to keep going with it, you can figure it out. And I
find that more than anything else, certainly more than the technical
skill is really the hallmark of somebody who's going to have a lot of
success in this industry is can you really just work past some of the
challenges and just stay interested and stick with it until you get it.
Yeah. I think a lot of determination and also communication. Like I'm
a big fan of interpersonal and extra-personal communication. Like how
do you just speak to people in a fashion where it seems like you're open
versus standoffish. I don't have that pride in me that's like, I don't
ask for help. If I don't know, I'll ask for help. I was raised like my
mom with I guess a Southern saying, closed mouths don't get fed. Like if
you don't ask the question, you're just starving yourself of that
potential knowledge. Cause you're too proud to ask it or you're
embarrassed, you have to just get over that. No one is born with this.
It's not innate to anyone. Everyone asks a question at some point.
Right. So it sounds like you were kind of brought up that way, but
have there been times, especially earlier on in your career when you're,
or even when you were a kid and trying to learn this stuff, have there
been times when you were more hesitant to voice questions because of how
you would come off or maybe environments where it was easier to stay
quiet than others? Has that been something that you've dealt with or
seen in other people that you've dealt with throughout your career?
Yeah, I mean it's mostly as an adult to be honest. I think when
you're dealing with other people, when you're, at least from my
perspective, from teenager years, I never really had that from the IT
side or the technology side. I never really dealt with someone that I
felt embarrassed to speak with. I guess what you would call the 2600
group in Dallas, everyone was really, really friendly at the time and we
had a bazaar every other Saturday or third Saturday of the month
and you can go there and pick up boards and drives and things like
And everyone there was fairly open. I didn't really run into that
until my second job. I was working for a defense contractor and there
was just this one guy, I didn't pick up on at the time, but it's one of
those things you start to realize because someone's buddy-buddy with me
at work doesn't necessarily mean they're on your side. He just
constantly tried to make me question myself. And then at this point I
was in a position where I was actually shadowing him. So it became
uncomfortable to really ask him for help. And in regards to learning the
system or learning the environment, he would kind of just make it seem
like, oh, you don't know that? Oh, well what are you doing here?
You know, it was that type of thing. And then eventually you kind of
realize just don't speak to him. Like there's some people, you know,
there's no reasoning with them because they have an idea in
their head that's driving their actions and when they have that seed
planted, however long it took them to plant, that seed is going to take
longer for you to try to remove it. And as you're spending 40 hours a
week with this person, is that really what you want to invest your time
into? So it's happened once at a role and that was super uncomfortable
for like three months.
So did you just try to segment yourself from that person and find
other people to kind of be your immediate clique at work or did you just
No, it's actually kind of hilarious cause it still holds true now. So
this was a very junior level role and there were a couple of seniors on
the team that for some reason I didn't want to approach them cause I
thought, you know, maybe that's what they thought of me because this is
what he thinks of me and he's been here for a while and he's more
connected with these guys.
Maybe it's representative of the larger culture.
Yeah. Like that's what the representative body thinks of you. And
when I started to speak to the seniors, they were 360 degrees
different. They're like, oh, so why don't you just pull up a chair next
to me? There's a guy named James Fisher, he's still in Dallas. And
James, he's more like a security architect. But he was instrumental in
being like, "oh, this is our environment. This is how it's built out,
what are you up to? What's your background? Oh cool, I'm going for my
PhD, if you have any questions, let me know." And I still speak to James
every so often when I'm stuck on something. But it was one of those
things I was like, maybe I should just speak to someone else. I reached
this point of just getting over the embarrassment part because I wanted
to perform well. I'm there to perform. My performance is suffering. If
you know me, I freak out - not freak out, but I'm one of those people
that whatever they say about me, they can't say his performance was
horrible. I kind of pride myself on my work and end result, you know, I
try to be the best version of me in the personal and professional life,
as corny as it sounds. So if my work is representative of me, I want
that to be on par, you know?
Right, right. So backing up a second. You talked about some of the
things that you did when you were a kid and first started getting into
technology. When you look back at it, are there kind of generic traits
that knowing where you would end up, you go like, oh well duh, obviously
I was gonna end up being a security professional and working in
technology and breaking things and fixing things and defending things.
But it's really hard to see that ahead of time. But looking back, do you
think that those traits were there and what are they?
Well, yeah, I guess to go back a bit, I didn't know that was really
going to go into the security side until I was like maybe 22. Because
when I went to college, I went to college for fashion design. I kind of
wanted to take a break from technology and I've always had this kind of a
weird obsession with fashion. The idea that you can create something
and someone will basically wear your idea, what you've made is what
someone else is wearing, you know, and that's still a fascination with
me. My ultimate goal is to make enough money to sponsor a young designer
and then hopefully they blow up and then I get to go hang out at
But when I do look back though, there were certain challenges or
certain parts of my personality that did kind of click with security,
like the curious aspect of wanting to put things together. I've pretty
much spent the majority of my career on the defensive side of security. I
know some awesome pen testers, I always say I suck at pen testing even
though I've had to pick up more and more offensive traits to kind of
become a full team, full-sided, transitioning from blue team to I guess
purple team essentially. So you gotta get an attack to defend, you gotta
defend to attack. But the idea of puzzle pieces and how things are
separate and how to bring them together. When I began intrusion analysis
from a layer 3 or from a networking perspective, what was really kind
of cool with me, I remember the first time I saw Wireshark, I thought it
was awesome that you could run pattern matching against a pcap and then
just string together pieces of traffic or particular protocols that may
look out of place and make them line up to equate to something. That
was a really awesome day. And I remember specifically the first couple
of times I began to like working in an intrusion analysis base. I didn't
think I was really going to move away from network security because
that was really the big interest of mine for probably for three years
straight was really understanding what's happening on the wire. Like,
how can I detect, how can I get better and how can I analyze? It wasn't
until later in the career where I started to pick up other disciplines.
So you studied fashion design in school and then you come out and
around 22, you start to pursue a career in technology. Was it right into
security and what did you do to try to build your chops for that first
role? You had a lot of experience as an enthusiast in your younger
years, but how did you really move into becoming a professional
technologist and then eventually security professional?
Yeah, so I was going to school at Texas Tech University for fashion
design. I left that to essentially work at this smaller startup that my
friend's brother had created. And after that, I started to think, well,
what do I do with my career? You're 22, you have to make a decision
and your buddies are going to be graduating soon. Not to say that was a
huge driver, but it was really thinking down the line, what do you want
to do? So luckily I was able to find a network engineering job at a
telecom. It was at AT&T. And ironically enough, Metro PCS
headquarters were right in the same courtyard as AT&T in Richardson,
So I don't know why competitors were - this was the first year
Metro PCS was around. This was really, really early, hadn't gone public,
very, very new. And there was a gentleman I met one day when I was
parking who was the director of security at Metro PCS. And keep in mind,
this was like 2008 right? So there's not a lot of security jobs. It
gets difficult now to read through security job descriptions. You wonder
if you're qualified or question your qualifications. So go back, you
know, 2008 when there wasn't a lot of searching online for the roles and
they weren't very well written. But this is borderline stalker, but
essentially what happened was the manager or the director of security at
Metro was a smoker. And from my desk at AT&T I could see him going
down into the courtyard and he smoked.
I knew his habit after a couple of weeks, cause I was always asking,
hey, are you hiring? So when he's smoking I would like bolt downstairs
maybe like a minute before he was finished. And I would just ask like,
oh, hey, did you see this happen in the news? Or hey, what do you think
about this tool? What are you guys using to analyze network security?
What are you guys using to analyze the tags or is there something that
you think someone should know to come work with you? And this went on
for a couple of months. So every time - his name was Andy - every time
he would go down to smoke, not every time, but most of the time,
especially if I saw him, I would bolt down the stairs because the
elevator was too slow.
So I'd literally run down the stairs, walk outside and just kind of
pester the dude. And he knew I didn't smoke. He was like, what are you
doing man? But after two or three months of that he had an opening for a
junior intrusion analyst. That's how I got the job. I just kept
bothering him, really borderline stalking him and watching him when he
smoked. But I also would always kind of bust his chops around like, hey,
I saw this happen. What do you think about this? I remember one time I
was talking about some piece of malware that's a key logger or
something. And I was like, if I were to deploy this in your environment,
how would you guys catch it? And I think that was kind of where he was
like, okay, well I think he's serious right now. He's thinking about how
to actually capture this and report on it.
Well, in security, we're allowed to say that you social engineered him. You didn't stalk him.
True. I say that now, yeah.
Right. So what about the technical side of things? What did you do to
really try to fill in - like how did you learn about key loggers and
malware? Granted, you had the experience when you were younger digging
into that stuff, but how did you make the transition to becoming a
professional in that regard?
I basically broke a lot of stuff in my home environment. I'll back
up. So from a layer 3 perspective - I wish I could remember the website,
but there was a website where you could basically build out virtual
environments for Cisco routers and switches. Cause I was working in
networking at AT&T so I had access to this site. I just can't recall
the name of it. But basically, I abused that site. I was constantly
learning about routing and BGP, about different protocols and how
routers actually are functional within large environments. And how to
stand up a network and how to take down a network, things like that. And
around that time I was still hanging out on different sites, different
websites or whatnot, I guess you could say forums.
And I was still interested in how attacks occur from layer 3 sites.
That's basically what I was interested in as a kid, it was networking.
Like how does the internet backbone work? How am I speaking to this dude
in Germany in this chat room right now? How the heck is that possible?
So a lot of it was based on having access to that CCNA lab, which was a
lifesaver because I learned so much on the layer 3 side and building out
environments. But also I built out home environments. And then from the
home environment side, what I would basically do is run samples I got
offline at the time into my environment and then watch my routing
protocols break or watch something become introduced in the virtual
And it was books and speaking to other people. But a lot of it was
really me just on my own, not to say I did everything on my own. I had
people I would ask questions to, but none of my friends were into this,
so it was mostly me just grinding away at night, everyone else was kind
of out doing whatever and I was at home on my laptop, banging away,
trying to get better. And the one thing I do remember vividly doing was
following most of what was going on at DEF CON. It was a lot of learning
what those guys were up to because even now I still look at some of the
people - it sounds maybe fan boyish - but some of the people that
present at DEF CON are just ridiculous.
Yeah, I agree.
It's like, how did you do that? You find yourself in this position
thinking like, okay, maybe I won't be at that level. But if I can at
least understand a percentage of what the heck he's talking about, I can
probably use that. You know? And I still use that to this day. I still
use that technique to this day. I don't need to understand a hundred
percent but if I can understand enough that I could apply it to my life
or what I'm doing, then I consider that a win.
Yeah. And I think that's such an important realization. It's not that
to learn something, you have to know every single prerequisite piece of
information and be able to absorb everything in the new topic. I really
don't think that learning works that way. I think it's expose yourself
to as many even tangentially related things as you can and pick up
something from all of them. I can't tell you how many times three years
down the line I'll understand something because of some random piece of
information or get some opportunity because of some random connection or
something that I just happened to do for no reason a few years ago and
then it all just kind of starts to make sense and connects. But if you
don't stay busy, if you're not trying to learn new things and you don't
have those nights that you described where it's just you getting your
hands dirty and doing what you can to try to work through things, then I
don't know if you get that same reward of being able to connect the
dots over the long term in that way.
Yeah, totally. And I think another big thing to do is - okay, I'm an
avid note taker. It looks like a madman in my office cause there's like
legit notebooks from like three or four years ago that I filled out, but
I refuse to throw them away. Something that I've learned is notating
what you do and moving back towards that in a later time period. A good
example is a couple of weeks ago, I was creating this lab for this
workshop that I'm leading actually this Saturday I'm leading this blue
teaming workshop. And there were some notes I took on Shamoon, that old
ransomware from a couple of years ago from the Saudi Aramco attack. And I
remember there were certain indicators that I had - now I'm giving away
a couple of the exercises.
But I remember there were certain indicators that I wrote out how you
could carve them out from IDA Pro and, I just wrote them out. I was
like this, this, this and this, you know. And then a couple of nights
ago I was stuck on something. And I was like, I know I have this written
somewhere. Where's that book from 2017, where's that notebook? I know I
have it, but because of those notes it allowed me to kind of refresh
around what that piece of ransomware does. So being an avid note taker
can be so helpful cause there's a lot of times I think your knowledge is
almost recursive. Like you're doing this backwards look up on something
you've learned previously and you're likely going to forget a lot of
this stuff unless you have a photographic memory. But when you have
massive amounts of notes that you can rely upon going back months and
months or probably a year based upon your own research, yeah, that is
like gold in your hands.
Right? Yeah, I'm very similar with notebooks. And for a while I
transitioned to using a Surface so that they could all be in OneNote
and I wouldn't have to keep a bunch of notebooks, but there's something
about a physical pen and physical paper that just makes me learn more
easily than another screen, you know?
Yeah. I try to remove myself from the screens if I can. So I think
pen and paper and I think most studies show that too, you're more likely
to remember or it helps with memorization, you physically have to write
it out as you're thinking it.
So changing gears a little bit, was there a time when you started to
have a concept of your larger career and an arc that, I'm here now and I
want to get somewhere else. Here are the places that I have to go and
the things that I have to do to fill in the gaps in between. Was that a
thing for you or is it more of I'm going to do the next right thing and
keep working harder?
No, I definitely plan it out. I would say it was around 2012, 2013.
Like I said before, most of my background at the time was from a network
security perspective. But something I realized around that time I was
working for the Department of Energy in Vegas and subcontracted out to
NSA. And it was one of the first times I had exposure to basically a
broad unit of individuals with different talents. We had some Air Force
dudes that were great with intel, and then we had some people that were
great with forensics and then we have some people that were kind of like
me, kind of a generalist around network security, but knew a little bit
on the system side.
And when I had that exposure to multiple individuals with multiple
disciplines, I realized moving up for my next 10 year plan, if I wanted
to be in a position of management and not management as a title type of
thing. The way I think about management is you have broad perspectives
on different areas of disciplines for cyber or for security. But now you
can incorporate the bit of knowledge that you know to build out a
program. And then bring in some more talented and hardworking
individuals that are specialists in the areas that you're a generalist.
Not only to grow your own knowledge and your own passion, but also to
build out a strong team and a strong program and help the organization.
So when I looked at myself like 2013 timeframe, okay, I had to map out
essentially what's the next five years look like? If you want to move
into a management position, what do you need to understand? And then if
you think about your 10 year plan going into 2023 or 2024, where do you
want to be in your life, right? Is that quote unquote like a CISO
position, is that more so on the technical side and leading projects or
is that running your own shop? Like what does that look like? But what I
did know at the time was even if I didn't have an answer for the three
previous questions, it was staying a generalist and continuing down
that path and picking up different bits and pieces of knowledge from
people that I knew that were great with digital forensics and people I
knew that were great with intel will help me move down my path.
And that's essentially what happened. I moved from essentially a
generalist from network security to learn a bit more on the system side.
And then that led into IR. And then IR led into a bit of malware
analysis, analysis will begin to incorporate threat intelligence inside
of organizations that were fortunate enough to have an intel program,
right? You start to pick up these three or four different areas. What I
think is super fascinating especially about our field is there are some
great specialists out there that you can follow and listen to and just
keep ramping up, but just doing that work on your own first to start
understanding these different areas.
That was the first of our two-part interview with O'Shea Bowens.
Thanks to you for listening and to him for joining us and spending the
time to delve into his origin story. Don't miss part two with O'Shea in
two weeks to hear about how he grew his skills and actively cultivated
his career, as well as tips he has for how you can do the same thing.
Please don't forget to subscribe to the show wherever you listen and
sign up for notifications about new episodes at giac.org/podcasts.
Thanks so much for joining us and we'll see you in two weeks.