A top cybersecurity practitioner discusses strategically building each step of your infosec career through planning, determination, and communication.
From his first "hack" (getting unlimited ammo on Oregon Trail) at age 12, O'Shea Bowens knew he liked working with computers. Despite studying a completely different field in college, he has built a successful career in cybersecurity. In this episode, he and Jason walk through his strategic path not just into infosec, but into progressively higher-level roles. They discuss the importance of effective communication, taking notes, and how determination can make a significant difference in getting the job you want - and succeeding once you get there.
O'Shea Bowens is a cybersecurity enthusiast with a decade of information security experience. He is the founder of Null Hat Security, which focuses on incident response, SOC training and blue team engagements. O'Shea has worked and consulted for companies and clients in the space of federal government, Fortune 500, and international firms. He specializes in areas of incident response, network and systems security, security architecture and threat hunting. O'Shea founded Null Hat Security as he believes a greater focus should be placed on personal engagements with defenders to fine tune skill sets and knowledge of threats for best response efforts. O'Shea is also the founder of SkiCon Conference and the co-founder of "Intrusion Diversity System," a bi-monthly hosted cyber security podcast.
Jason Nickola:
This is "Trust Me, I'm Certified," brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome.
Jason Nickola:
Welcome back to "Trust Me, I'm Certified." I'm your host, Jason Nickola, and on this episode we're joined by O'Shea Bowens for the first of a two part interview in which we cover a ton of really interesting ground. O'Shea is probably one of the first people who comes to mind for me when I think of someone who just grinds and really works hard for the things he wants to make happen in the world. From his role as CEO and founder at Null Hat security, and trainings he's offered at events such as DEF CON, to speaking and serving as an advisor at the SANS Blue Team summit, in addition to a lot of the mission based work that he does, which is probably the thing that I respect about him the most. You don't have to spend much time with him before you get a real feel for why he does what he does and how passionate he is about enabling others, especially as it relates to communities of color. With projects such as the Intrusion Diversity System podcast, cybersecurity nonprofit, and the Boston security meetup scene. With such impressive things on his resume and some real momentum in his career over the last couple of years, you might think that InfoSec was an obvious professional path for him, but as appears to be a running theme on our show, there's some real twists and turns to O'Shea's journey, which were so helpful for me to hear and I think that lots of you will find some real value here too. So please enjoy round one with O'Shea Bowens.
Jason Nickola:
All right, so we are joined by O'Shea Bowens. I'm really excited to have a conversation with you. Thanks a lot for joining us.
O'Shea Bowens:
Yeah, thanks for having me, man. I greatly appreciate it.
Jason Nickola:
For sure. So, let's start out with what was your path to security and technology? When did you realize that this was going to be it for you?
O'Shea Bowens:
Realized it was going to be it maybe 22, 23? The introduction was in sixth grade, so I was like 12 or 13. There was a computer programming class, not necessarily like assembly, but making games essentially. I figured out how to get unlimited ammo on Oregon Trail and I just thought that was awesome. Well, me and my buddy did actually, you can't take all the credit.
Jason Nickola:
So you had that class in sixth grade?
O'Shea Bowens:
Yeah, that was a weird thing. So I'm originally from Dallas, Texas, but I guess you guys don't have, I'm in Boston now, but I guess there's no year-round school up here.
Jason Nickola:
No.
O'Shea Bowens:
So year-round school, it's basically what it sounds like. Instead of having a summer, you get like two weeks off at a time or three weeks. And we had electives at my school, and we had a computer class and I was really hooked on the computer class and ironically enough that same year hackers came out, my buddy's mom bought the movie. And as we were walking back his house, he was like, hey, do you want to check out this movie my mom bought? It's about people doing stuff and I remember specifically, I was like, what's it called? And he said "Hackers" and I had no idea what that was. Cause we were like 12 or 13. And when we watched it, you know, it was just awesome. It still is awesome, of course. But that was like the moment, not necessarily I thought about security, but I was really understanding like what a computer could actually do.
Jason Nickola:
Right. You had this really progressive middle school that taught you some kind of programming at the time, which is becoming more common today. But especially 10, 20 years ago, it wasn't as common as it is now. And then "Hackers" came out and you got exposed to it and you just wanted to dig in to computers and figure out what you can do with them.
O'Shea Bowens:
Yeah, essentially. And then, you know, at this time AOL was fairly big. And I remember specifically typing in, I was in some room and I was asking, hey, how do I get a virus? It sounded like crazy newbie. But I mean, I have a whole theory about asking questions. We can talk about that later, but some dude pushed me and he's like, well, AOL really isn't the place you should be talking about that, here's this link to this bulletin board site. Then that led to a full-blown board that seemed not as friendly, but I got pushed to this forum. And then inside the forum was where I started to speak to other people that were kind of on the - whatever you want to call it, black hat, dark arts side. You know, but the fun side to me, cause I was a kid and curious adolescent and learning things and people treat you like an adult when you're online. They have no idea you're like 12 or 13.
Jason Nickola:
Yeah. So a very quick transition from, hey, this computer stuff is cool, I'm going to use things like AOL to hey, here's your entrance into the seedier underbelly where people are actually learning how to attack things and exchanging techniques and maybe even some binaries.
O'Shea Bowens:
Yeah. And I didn't get into reverse engineering or anything, but it was really getting these small viruses on how to connect to someone's - how to take over someone's chat channel. So how do you throw this executable and hopefully they click on it and it commits a buffer overflow and then from that buffer overflow, when it crashes and the session comes back up, you're in control and it was stuff like that, I didn't totally understand how it worked. I think even now today you can still buy whatever malware you're interested in for a price and just click and go. But that was just - it's still fascinating to me to this day, which is why I've stayed in InfoSec.
Jason Nickola:
Yeah. Well especially at such a young age to see, the kind of power and the depth of, hey, there's something behind all of this. I love speaking with people young and older that don't have a lot of experience in technology. And although it seems just super obvious to us, one of the first things I love to show them is these internet pages, these pages that you're going to in your browser are really just texts and it's just delivered to your computer. You can manipulate them. And there's just another computer somewhere that has this text and then your screen just knows how to display it. And you can kind of see, wow, there's something behind all of this and it exists because people created it, right?
O'Shea Bowens:
That's the really cool thing: it's just people. It's not magic. It's just people. It's just somebody else just like you, you know.
Jason Nickola:
Yeah, I love the way you put that, that it's not magic because I've talked about those kinds of things so often because especially in security and technology, there are lots of people that like to make things seem so much more complicated than they are. I think as a validation of the fact that they understand it and can use it and that if you can't, then it's a one-upsmanship kind of thing. But none of it's magic. There were people in a room that decided how TCP was going to work, that decided how C++ was going to compile, that decided how Nmap was going to work, and the list goes on and on and on and they created it. And you know, if you have the interest and the drive and the stick-to-itiveness to keep going with it, you can figure it out. And I find that more than anything else, certainly more than the technical skill is really the hallmark of somebody who's going to have a lot of success in this industry is can you really just work past some of the challenges and just stay interested and stick with it until you get it.
O'Shea Bowens:
Yeah. I think a lot of determination and also communication. Like I'm a big fan of interpersonal and extra-personal communication. Like how do you just speak to people in a fashion where it seems like you're open versus standoffish. I don't have that pride in me that's like, I don't ask for help. If I don't know, I'll ask for help. I was raised like my mom with I guess a Southern saying, closed mouths don't get fed. Like if you don't ask the question, you're just starving yourself of that potential knowledge. Cause you're too proud to ask it or you're embarrassed, you have to just get over that. No one is born with this. It's not innate to anyone. Everyone asks a question at some point.
Jason Nickola:
Right. So it sounds like you were kind of brought up that way, but have there been times, especially earlier on in your career when you're, or even when you were a kid and trying to learn this stuff, have there been times when you were more hesitant to voice questions because of how you would come off or maybe environments where it was easier to stay quiet than others? Has that been something that you've dealt with or seen in other people that you've dealt with throughout your career?
O'Shea Bowens:
Yeah, I mean it's mostly as an adult to be honest. I think when you're dealing with other people, when you're, at least from my perspective, from teenager years, I never really had that from the IT side or the technology side. I never really dealt with someone that I felt embarrassed to speak with. I guess what you would call the 2600 group in Dallas, everyone was really, really friendly at the time and we had we had a bazaar every other Saturday or third Saturday of the month and you can go there and pick up boards and drives and things like that.
O'Shea Bowens
And everyone there was fairly open. I didn't really run into that until my second job. I was working for a defense contractor and there was just this one guy, I didn't pick up on at the time, but it's one of those things you start to realize because someone's buddy-buddy with me at work doesn't necessarily mean they're on your side. He just constantly tried to make me question myself. And then at this point I was in a position where I was actually shadowing him. So it became uncomfortable to really ask him for help. And in regards to learning the system or learning the environment, he would kind of just make it seem like, oh, you don't know that? Oh, well what are you doing here?
O'Shea Bowens:
You know, it was that type of thing. And then eventually you kind of realize just don't speak to him. Like there's some people, you know, there's no there's no reasoning with them because they have an idea in their head that's driving their actions and when they have that seed planted, however long it took them to plant, that seed is going to take longer for you to try to remove it. And as you're spending 40 hours a week with this person, is that really what you want to invest your time into? So it's happened once at a role and that was super uncomfortable for like three months.
Jason Nickola:
So did you just try to segment yourself from that person and find other people to kind of be your immediate clique at work or did you just ignore him?
O'Shea Bowens:
No, it's actually kind of hilarious cause it still holds true now. So this was a very junior level role and there were a couple of seniors on the team that for some reason I didn't want to approach them cause I thought, you know, maybe that's what they thought of me because this is what he thinks of me and he's been here for a while and he's more connected with these guys.
Jason Nickola:
Maybe it's representative of the larger culture.
O'Shea Bowens:
Yeah. Like that's what the representative body thinks of you. And when I started to speak to the seniors that they were 360 degrees different. They're like, oh, so why don't you just pull up a chair next to me? There's a guy named James Fisher, he's still in Dallas. And James, he's more like a security architect. But he was instrumental in being like, "oh, this is our environment. This is how it's built out, what are you up to? What's your background? Oh cool, I'm going for my PhD, if you have any questions, let me know." And I still speak to James every so often when I'm stuck on something. But it was one of those things I was like, maybe I should just speak to someone else. I reached this point of just getting over the embarrassment part because I wanted to perform well. I'm there to perform. My performance is suffering. If you know me, I freak out - not freak out, but I'm one of those people that whatever they say about me, they can't say his performance was horrible. I kind of pride myself on my work and end result, you know, I try to be the best version of me in the personal and professional life, as corny as it sounds. So if my work is representative of me, I want that to be on par, you know?
Jason Nickola:
Right, right. So backing up a second. You talked about some of the things that you did when you were a kid and first started getting into technology. When you look back at it, are there kind of generic traits that knowing where you would end up, you go like, oh well duh, obviously I was gonna end up being a security professional and working in technology and breaking things and fixing things and defending things. But it's really hard to see that ahead of time. But looking back, do you think that those traits were there and what are they?
O'Shea Bowens:
Well, yeah, I guess to go back a bit, I didn't know that was really going to go into the security side until I was like maybe 22. Because when I went to college, I went to college for fashion design. I kind of wanted to take a break from technology and I've always had this kind of a weird obsession with fashion. The idea that you can create something and someone will basically wear your idea, what you've made is what someone else is wearing, you know, and that's still a fascination with me. My ultimate goal is to make enough money to sponsor a young designer and then hopefully they blow up and then I get to go hang out at fashion week.
O'Shea Bowens:
But when I do look back though, there were certain challenges or certain parts of my personality that did kind of click with security, like the curious aspect of wanting to put things together. I've pretty much spent the majority of my career on the defensive side of security. I know some awesome pen testers, I always say I suck at pen testing even though I've had to pick up more and more offensive traits to kind of become a full team, full-sided, transitioning from blue team to I guess purple team essentially. So you gotta get an attack to defend, you gotta defend to attack. But the idea of puzzle pieces and how things are separate and how to bring them together. When I began intrusion analysis from a layer 3 or from a networking perspective, what was really kind of cool with me, I remember the first time I saw Wireshark, I thought it was awesome that you could run pattern matching against a pcap and then just string together pieces of traffic or particular protocols that may look out of place and make them line up to equate to something. That was a really awesome day. And I remember specifically the first couple of times I began to like working in an intrusion analysis base. I didn't think I was really going to move away from network security because that was really the big interest of mine for probably for three years straight was really understanding what's happening on the wire. Like, how can I detect, how can I get better and how can I analyze? It wasn't until later in the career where I started to pick up other disciplines.
Jason Nickola:
So you studied fashion design in school and then you come out and around 22, you start to pursue a career in technology. Was it right into security and what did you do to try to build your chops for that first role? You had a lot of experience as an enthusiast in your younger years, but how did you really move into becoming a professional technologist and then eventually security professional?
O'Shea Bowens:
Yeah, so I was going to school at Texas Tech University for fashion design. I left that to essentially work at this smaller startup that my friend's brother had created. And after that, I started to think, well, what do I to do with my career? You're 22, you have to make a decision and your buddies are going to be graduating soon. Not to say that was a huge driver, but it was really thinking down the line, what do you want to do? So luckily I was able to find a network engineering job at a telecom. It was at AT&T. And ironically enough, Metro PCS headquarters were right in the same courtyard as AT&T in Richardson, Texas.
O'Shea Bowens:
So I don't know why competitors were - this was the first year of Metro PCS was around. This was really, really early, hadn't gone public, very, very new. And there was a gentleman I met one day when I was parking who was the director of security at Metro PCS. And keep in mind, this was like 2008 right? So there's not a lot of security jobs. It gets difficult now to read through security job descriptions. You wonder if you're qualified or question your qualifications. So go back, you know, 2008 when there wasn't a lot of searching online for the roles and they weren't very well written. But this is borderline stalker, but essentially what happened was the manager or the director of security at Metro was a smoker. And from my desk at AT&T I could see him going down into the courtyard and he smoked.
O'Shea Bowens:
I knew his habit after a couple of weeks, cause I was always asking, hey, are you hiring? So when he's smoking I would like bolt downstairs maybe like a minute before he was finished. And I would just ask like, oh, hey, did you see this happen in the news? Or hey, what do you think about this tool? What are you guys using to analyze network security? What are you guys using to analyze the tags or is there something that you think someone should know to come work with you? And this went on for a couple of months. So every time - his name was Andy - every time he would go down to smoke, not every time, but most of the time, especially if I saw him, I would bolt down the stairs because the elevator was too slow.
O'Shea Bowens:
So I'd literally run down the stairs, walk outside and just kind of pester the dude. And he knew I didn't smoke. He was like, what are you doing man? But after two or three months of that he had an opening for a junior intrusion analyst. That's how I got the job. I just kept bothering him, really borderline stalking him and watching him when he smoked. But I also would always kind of bust his chops around like, hey, I saw this happen. What do you think about this? I remember one time I was talking about some piece of malware that's a key logger or something. And I was like, if I were to deploy this in your environment, how would you guys catch it? And I think that was kind of where he was like, okay, well I think he's serious right now. He's thinking about how to actually capture this and report on it.
Jason Nickola:
Well, in security, we're allowed to say that you social engineered him. You didn't stalk him.
O'Shea Bowens:
True. I say that now, yeah.
Jason Nickola:
Right. So what about the technical side of things? What did you do to really try to fill in - like how did you learn about key loggers and malware? Granted, you had the experience when you were younger digging into that stuff, but how did you make the transition to becoming a professional in that regard?
O'Shea Bowens:
I basically broke a lot of stuff in my home environment. I'll back up. So from a layer 3 perspective - I wish I could remember the website, but there was a website where you could basically build out virtual environments for Cisco routers and switches. Cause I was working in networking at AT&T so I had access to this site. I just can't recall the name of it. But basically, I abused that site. I was constantly learning about routing and BGP, about different protocols and how routers actually are functional within large environments. And how to stand up a network and how to take down a network, things like that. And around that time I was still hanging out on different sites, different websites or whatnot, I guess you could say forums.
O'Shea Bowens:
And I was still interested in how attacks occur from layer 3 sites. That's basically what I was interested in as a kid, it was networking. Like how does the internet backbone work? How am I speaking to this dude in Germany in this chat room right now? How the heck is that possible? So a lot of it was based on having access to that CCNA lab, which was a lifesaver because I learned so much on the layer 3 side and building out environments. But also I built out home environments. And then from the home environment side, what I would basically do is run samples I got offline at the time into my environment and then watch my routing protocols break or watch something become introduced in the virtual environment.
O'Shea Bowens:
And it was books and speaking to other people. But a lot of it was really me just on my own, not to say I did everything on my own. I had people I would ask questions to, but none of my friends were into this, so it was mostly me just grinding away at night, everyone else was kind of out doing whatever and I was at home on my laptop, banging away, trying to get better. And the one thing I do remember vividly doing was following most of what was going on at DEF CON. It was a lot of learning what those guys were up to because even now I still look at some of the people - it sounds maybe fan boyish - but some of the people that present at DEF CON are just ridiculous.
Jason Nickola:
Yeah, I agree.
O'Shea Bowens:
It's like, how did you do that? You find yourself in this position thinking like, okay, maybe I won't be at that level. But if I can at least understand a percentage of what the heck he's talking about, I can probably use that. You know? And I still use that to this day. I still use that technique to this day. I don't need to understand a hundred percent but if I can understand enough that I could apply it to my life or what I'm doing, then I consider that a win.
Jason Nickola:
Yeah. And I think that's such an important realization. It's not that to learn something, you have to know every single prerequisite piece of information and be able to absorb everything in the new topic. I really don't think that learning works that way. I think it's expose yourself to as many even tangentially related things as you can and pick up something from all of them. I can't tell you how many times three years down the line I'll understand something because of some random piece of information or get some opportunity because of some random connection or something that I just happened to do for no reason a few years ago and then it all just kind of starts to make sense and connects. But if you don't stay busy, if you're not trying to learn new things and you don't have those nights that you described where it's just you getting your hands dirty and doing what you can to try to work through things, then I don't know if you get that same reward of being able to connect the dots over the long term in that way.
O'Shea Bowens:
Yeah, totally. And I think another big thing to do is - okay, I'm an avid note taker. It looks like a madman in my office cause there's like legit notebooks from like three or four years ago that I filled out, but I refuse to throw them away. Something that I've learned is notating what you do and moving back towards that in a later time period. A good example is a couple of weeks ago, I was creating this lab for this workshop that I'm leading actually this Saturday I'm leading this blue teaming workshop. And there were some notes I took on shamu, that old ransomware from a couple of years ago from the Saudi Aramco attack. And I remember there were certain indicators that I had - now I'm giving away a couple of the exercises.
O'Shea Bowens:
But I remember there were certain indicators that I wrote out how you could carve them out from IDA Pro and, I just wrote them out. I was like this, this, this and this, you know. And then a couple of nights ago I was stuck on something. And I was like, I know I have this written somewhere. Where's that book from 2017, where's that notebooks? I know I have it, but because of those notes it allowed me to kind of refresh around what that piece of ransomware does. So being an avid note taker can be so helpful cause there's a lot of times I think your knowledge is almost recursive. Like you're doing this backwards look up on something you've learned previously and you're likely going to forget a lot of this stuff unless you have a photographic memory. But when you have massive amounts of notes that you can rely upon going back months and months or probably a year based upon your own research, yeah, that is like gold in your hands.
Jason Nickola:
Right? Yeah, I'm very similar with notebooks. And for a while I transitioned to using a Surface so that they could all be in one note and I wouldn't have to keep a bunch of notebooks, but there's something about a physical pen and physical paper that just makes me learn more easily than another screen, you know?
O'Shea Bowens:
Yeah. I try to remove myself from the screens if I can. So I think pen and paper and I think most studies show that too, you're more likely to remember or it helps with memorization, you physically have to write it out as you're thinking it.
Jason Nickola:
So changing gears a little bit, was there a time when you started to have a concept of your larger career and an arc that, I'm here now and I want to get somewhere else. Here are the places that I have to go and the things that I have to do to fill in the gaps in between. Was that a thing for you or is it more of I'm going to do the next right thing and keep working harder?
O'Shea Bowens:
No, I definitely plan it out. I would say it was around 2012, 2013. Like I said before, most of my background at the time was from a network security perspective. But something I realized around that time I was working for the Department of Energy in Vegas and subcontracted out to NSA. And it was one of the first time I had exposure to basically a broad unit of individuals with different talents. We had some Air Force dudes that were great with intel, and then we had some people that were great with forensics and then we have some people that were kind of like me, kind of a generalist around network security, but knew a little bit on the system side.
O'Shea Bowens:
And when I had that exposure to multiple individuals with multiple disciplines, I realized moving up for my next 10 year plan, if I wanted to be in a position of management and not management as a title type of thing. The way I think about management is you have broad perspectives on different areas of disciplines for cyber or for security. But now you can incorporate the bit of knowledge that you know to build out a program. And then bring in some more talented and hardworking individuals that are specialists in the areas that you're a generalist. Not only to grow your own knowledge and your own passion, but also to build out a strong team and a strong program and help the organization. So when I looked at myself like 2013 timeframe, okay, I had to map out essentially what's the next five years look like? If you want to move into a management position, what do you need to understand? And then if you think about your 10 year plan going into 2023 or 2024, where do you want to be in your life, right? Is that quote unquote like a CISO position, is that more so on the technical side and leading projects or is that running your own shop? Like what does that look like? But what I did know at the time was even if I didn't have an answer for the three previous questions, it was staying a generalist and continuing that down that path and picking up different bits and pieces of knowledge from people that I knew that were great with digital forensics and people I knew that were great with intel will help me move down my path.
O'Shea Bowens:
And that's essentially what happened. I moved from essentially a generalist from network security to learn a bit more on the system side. And then that led into IR. And then IR led into a bit of malware analysis, analysis will begin to incorporate threat intelligence inside of organizations that were fortunate enough to have an intel program, right? You start to pick up these three or four different areas. What I think is super fascinating especially about our field is there are some great specialists out there that you can follow and listen to and just keep ramping up, but just doing that work on your own first to start understanding these different areas.
Speaker 1:
That was the first of our two part interview with O'Shea Bowens. Thanks to you for listening and to him for joining us and spending the time to delve into his origin story. Don't miss part two with O'Shea in two weeks to hear about how he grew his skills and actively cultivated his career, as well as tips he has for how you can do the same thing. Please don't forget to subscribe to the show wherever you listen and sign up for notifications about new episodes at giac.org/podcasts. Thanks so much for joining us and we'll see you in two weeks.