Intro
If you don’t want to read so much, I’ve put a brief summary at the bottom:
Hi!
Hi there! My name is Daniel Bolster. I’ve been in security for a few years now (3 years as of this month), but I’ve just now gotten around to starting a blog. I figured to start off I’d give a quick introduction, talk about where I’ve been, and what I’ve done so far. Then you can use that to identify just how many grains of salt to take my advice with. My hope is I can read this a few years later and cringe at where I started this blog.
This first post will be much less technical than what I expect my average post to be, but storytime is a fun way to start :-)
What’s my job?
I work on an internal red team for a mid-sized Fortune 500 company. If “internal red team” doesn’t mean anything to you, basically it’s my job to attempt to hack into my company on a regular basis to test our response process and spot gaps. It’s a super fun job and one I spent a number of years trying to get to, as I’ll get into below. I get paid to research hacking and attempt to hack into an actual company. Note that there’s a huge amount of responsibility and approval acquisition that goes into this, and it’s not just popping shells and running exploits all day.
So how did I get here?
I’m going to walk through my journey to get to where I am now. Note that a LOT has happened since this, but I think it’s a cool backstory, especially since everyone’s “so how’d you get into this” is wildly different. As new as I am, it’s been a winding road already.
College
My technical journey began my spring semester of college. Prior to that I was like every 3rd college student and thought I wanted to be a doctor. 1 biology course later I said nope and flipped through the catalog. I decided to try out Computer Science. That choice was probably one of the best decisions of my life. I fell right into coding and really liked diving into different languages & programming topics. Note that I didn’t say I was good at it, just that I really liked it. From there I took the standard set of CS courses:
- Intro to Programming (python)
- Data Structures
- Software Development
- Raspberry Pi Programming
- Algorithms
- Networking
- Databases
- Web Development
- Artificial Intelligence (NOT machine learning)
  - maybe I’ll make a blog post about this since I think it’s neat
- Systems Programming (C)
I was really lucky to get such a spread of classes, and was able to pick up such a wide set of topics. Having a big variety of content helps a lot with security, since you’re going to be dealing with a wide spread of things to try to hack.
I also did some independent studies which weren’t directly relevant, but helped me to build up a lot of skill at self-teaching. This was crucial for me and I would argue is a required skill for succeeding in this field.
Branching into IT
Around my junior year of college I started to develop an interest in what I’ll call the “IT” side of things. My networking course was really interesting to me and I was also starting to use Linux as my daily driver. While I still liked programming, my software development course gave me a hint that it might not be my favorite thing. I was lucky enough to start an internship the summer of my junior year where I worked in IT. Specifically, it was on the ServiceNow team; ServiceNow is a vendor tool used to track support tickets, IT items, and other ecosystem management. It was a great experience to start to understand IT processes and resolve basic tickets.
However, the part of the internship I found most valuable was the “shadowing week” where we could spend each day of the week following whatever teams would put up with us.
I spent a day with:
- the NOC (Network Operations Center)
- the network Infrastructure team
- the audit team
- the blue team
- the red team
The Security Operations Center held both the red and blue teams, so it was kind of 2 days with both. During this time I was able to learn about what cybersecurity teams do and ask all the questions I had about hacking and defending. I now consider those 2 days in the SOC as life changing. It felt like all the interests I had picked up over the past 3 years in tech were all encompassed here. I came in with a clipboard and I started filling it up with every term I heard and didn’t understand. From there on out my goal was to break into this line of work and learn every word on that clipboard. I also was lucky enough to have my internship extended, so I’d built up a plan to pivot into security from there. Later into the year I actually ended up getting an internship position with that company’s blue team which rocked. All I had to do now was finish up my degree and start my cybersecurity career . . . or so he thought
Wrapping Up College
Ready to wrap up school and hop into work, I started my last set of classes while starting to mess with capture the flags and teaching myself stuff from that clipboard. Cueeeeeeeee COVID. My last semester was at home, which wasn’t a huge deal academically since I was far enough along that I could teach myself whatever topics my professors were assigning without trouble. What was a bigger deal was that my employer from the summer was hemorrhaging money. As a result, my extended internship position was canned, along with the blue team internship I was set to start upon my graduation.
What do I do now???
OK, so now I’m unemployed and the job market is pretty shaky, so whatdoIdo? I decided to solidify those topics I had less background in like networking and IT. So I studied and got my CompTIA Network+ and CompTIA Security+. These were more entry level certifications that covered networking basics/terminology and security basics/terminology respectively.
From there I dove into the OSCP. If you’re less familiar with the offensive security world, the Offensive Security Certified Professional is an intensive practical hacking certification with a famously intense exam spanning 24 hours + another 24 for reporting.
As much as the $1000+ out-of-pocket bill hurt, since I had nothing but free time this seemed like a worthwhile time to do it.
The OSCP Grind
To start the course, they send you a ~900 page PDF along with some videos that contain roughly the same information. From there you are to read that PDF, work through a few labs and absorb all this how-to-hack material. I’ll likely do a whole post about the OSCP at some point, but suffice it to say there’s a lot of detail included. I’ll also note the material has changed quite a bit since I took the OSCP in 2020.
Anyways, once you’re done with the book material, you have the remaining lab time you bought to attack their lab network. I’m talking ~70 vulnerable computers, and you gotta figure out how to exploit as many as you can. There are forums you can get hints from, but leaning on them is not recommended. This was an intense process, but boy do you learn. I’m a huge proponent of that CTF mentality of “figure out the puzzle however you can.” I could go on and on about why I love capture the flags so much, but there’s a talk from RSA that does it much better than I could here.
So after a couple months of OSCP prep (I got about 30 lab machines in my time), I booked my exam. The exam itself is 24 hours like I said, with there being 5 vulnerable hosts. The format has changed a bit since then, but that’s how it was at the time. To pass, you need to get enough points by compromising the exam machines. I did not pass my first attempt. It was close but no cigar as I didn’t quite have things organized enough.
Luckily in the meantime I had gotten a job, so I started that and let the OSCP take the backburner for a bit.
First Real Tech Job
My first real security role was working as an Identity Access Management Engineer at a Fortune 50 company. Identity is all about access and who can access what. I managed a lot around Single Sign On, which involves allowing users to log into different services using their same credentials/account. We also did a ton of ticket remediation. When someone “can’t log in” and it made it past the helpdesk, my team would step in to figure out what’s going on or where the ticket should go.
We also had on-call rotations where for a week you could get a call at any time for urgent issues, and you had to figure something out. This helped a lot in building up my troubleshooting skills and tech exposure while also giving me practice dealing with the pressures that come with the work. When someone calls you at 3AM and you have to solve their problem NOW, you get some calluses.
To make matters more intense, my manager changed roles shortly after I joined, so the trial by fire got a bit hotter. I ended up being THE Okta admin for the entire company for a bit, which was interesting to say the least. I learned a ton in a short span of time, not only technically, but also in terms of having real accountability in your job.
I also did a re-take of the OSCP, but again it wasn’t quite enough to pass. I’ll probably go into more detail on each take in a later post, but I psyched myself out pretty hard on this take and didn’t get a ton of traction.
Switching Companies
After about 9 months (we’re in ~August 2021 at this point), I accepted a role at a new company, which is where I work now. While I was doing well in my identity role, it was time for a change. This role was around Secure Development Services. That’s a fancy way of saying we supported tools that developers would use to make their applications more secure.
This spanned from credential management to tokenization to code scanning. My day to day was closer to a standard development role where we would develop code around our products and support our stakeholders (other application teams in our company). This was also the first time I was really exposed to cloud environments. I’m still no cloud expert, but I was able to build up a lot of those skills and understand how to leverage a whole new toolset which abstracts a lot of the infrastructure I was used to worrying about from my IAM days.
Squashing the OSCP
Around December of 2021 I decided I was going to finish the OSCP once and for all. Lucky me, they were updating the exam format to include Active Directory material, which I was really rusty on. So I went to the grindstone, and boy did I grind.
Between the months of December and January I studied pretty much every day, as much as I could. Once I was done working, off to studying. As exhausting as it was, I was in fighting form and managed to finally pass the exam under the new format. I started the exam at 11:00 AM and knew I was going to pass at 4:00 AM the next day. After all was said and done I had a 60 page writeup (lots of screenshots) and bagged the win.
After finishing that exam, I had a coworker who worked on the red team reach out asking about the exam since he was also doing OSCP. We chatted about it for a bit, and then a month or so later he told me there was an opening on the team and that I should apply. Lo and behold, shortly after I joined the red team and have been there ever since! I can’t describe how gratifying it was to see the days I spent grinding OSCP until 3AM during COVID ultimately play a key part in landing my dream job.
Conclusion
As recent as all that was (I joined the Red Team in July of 2022), it feels like all that happened a decade ago. One of the reasons I love my job is that so much new stuff happens that it feels like I’ve been doing offsec work for half my life. Once again I really hope I can look back at this several years later and cringe at how stupid it sounds when I was only 3 years in. I have lots to talk about from my time so far as a red teamer, but this feels like enough for an introduction. Thank you for reading if you’ve made it this far. And here’s to a bunch more blog posts to come!
Summary
Who are you? I’m Dan! This is my first blog post, which I’m using as a sort of introduction.
What do I do for work?
- Attempt to hack my company (with lots of safeguards!) to spot gaps and validate our response process
How did I get there?
- Studied Computer Science in college
- Got interested in IT
- Shadowed a red team & LOVED it (the kind of team I’m on now)
- Got certifications! (Network+ and Security+)
- Studied OSCP (hacking certification)
- Worked in Identity Access Management for 8 months
- Switched companies, working in Secure Development Services
- Passed OSCP (3rd try’s the charm)
- Joined my company’s red team