S6E2: John Hammond on Security Research, Storytelling, Deception, and Getting Hired in Cybersecurity
john-hammond_1_09-03-2025_170629:
Truth be told, and maybe this is silly, but I get to feel like my security charlatan, fraudster, imposter syndrome kick in, but I've never been a penetration tester. I've never been a SOC analyst. I've never been a detection engineer, and that is always, oh dang, that kind of hurts to say aloud. But I do wanna make sure that's totally transparent and known. I just fell into the researcher end, and that lets me poke and play at a little bit of everything. The way I fell into that, it's no secret: huge proponent of capture the flag, CTF, hey, being hands on keyboard, learning and understanding different languages, different vulnerabilities, and that naturally points you a little bit more to that red team, offensive security side, to your point. Absolutely. That's how, yeah, I was building out the cyber emulation course, creating some of that material and content, and that was in that direction of pen testing, but I've never done it.
josh-mason--he-him-_43_09-03-2025_170632:
Simply Defensive brings you the industry's top practitioners, innovators, and leaders to inform, educate, and join us in defense. Hello, and welcome to the latest episode of Simply Defensive. I'm Josh Mason, and with me as always, Wade Wells.

wade-wells_24_09-03-2025_140632:
Hello?

josh-mason--he-him-_43_09-03-2025_170632:
And our guest today is John Hammond, researcher at Huntress, YouTuber, and one of the best known educators in cybersecurity. John, welcome to the show.

john-hammond_1_09-03-2025_170629:
Goodness gracious. Thank you so much for the warm welcome, everybody. It's super cool to be hanging out with you. Happy to be here.

wade-wells_24_09-03-2025_140632:
Yeah.

josh-mason--he-him-_43_09-03-2025_170632:
So John, a lot of people know you from YouTube, from social media, from conferences. How do you like to present yourself when someone's, hey, what do you do?
john-hammond_1_09-03-2025_170629:
Oh, super good question. First and foremost, I feel like a lot of folks tend to just explain their day job, which may or may not be the correct answer to "what do you do?" Because people got passions, people got hobbies, people got stuff all outside of work. But I tend to do a lot of work, 'cause work is fun for me. Maybe that's the passion. Maybe that's the hobby. But yeah, my day job is over at Huntress. I'm a security researcher there, which is a ton of fun to say. Hey, chasing hackers, cutting up malware, trying to dig into what are the real world threats that are out and about in the whole land of cybersecurity. When I can, I squeeze in to tell folks, yeah, I do have a YouTube channel. I know it sounds silly to say it out loud, but it is, it's turned into a machine of its own. It has blossomed and grown, and it's very fulfilling to see what that has turned into. But sharing cybersecurity education, trying to get more, hey, hands-on keyboard, tactical, practical stuff. But just having a lot of fun with it. I like to showcase what's cool, what's fun, what I like.
wade-wells_24_09-03-2025_140632:
I honestly feel like security researcher is like my dream job, to tell you the truth. Like, you get to deal with the coolest stuff, right? You're out there doing... Like, everyone looks at pen testers and goes, oh, look at that, I'm doing all this cool stuff, where the researcher, like, you're in your own playing field where, yeah, you get to do these exploits and do stuff, but then you also get to detect them. You get to share your evidence with the greater community, right? And help defend people on, I think, a larger scale than just your organization, which is also really cool. And trust me, I know plenty of your blogs I've used in my research.
john-hammond_1_09-03-2025_170629:
Thank you. Yeah, I think... I always feel maybe sometimes it's a little unfair just because security researcher is flexible. Just as you mentioned, you have your own playing field. You get to do just what's interesting and cool and what you think will bring the most value, and sometimes that, oh, leans a little bit on the red team, red side, maybe that leans a little bit on the blue team, defense side, maybe detection work, et cetera. Or hey, getting a chance to chat with our security operations center analysts and work with them. But, oh, maybe it's recreating a little proof of concept. Maybe it's digging into some of the exploits and seeing how this would work, like a pen tester side of the house. So a lot of fun, just flexibility. I'm super grateful for it.
josh-mason--he-him-_43_09-03-2025_170632:
Yeah, I'm curious about that, because my introduction to you was I taught the courseware that you were the SME on back at DAA for cyber threat emulation. I'd teach buffer overflows, and I'd watch your videos to learn how to properly then teach the content in class, back when we were both at DC3, and at that point it seemed like you were an offensive operator, and I know you've got the OSCE3, and you were like one of the first people to get that OffSec, like, special cert, right?

john-hammond_1_09-03-2025_170629:
Yes.

josh-mason--he-him-_43_09-03-2025_170632:
When they bundled them all.
john-hammond_1_09-03-2025_170629:
Yeah, for sure. For some context, maybe a lot of folks are familiar with the OSCP, or like the Offensive Security Certified Professional. There were a lot of other offerings that Offensive Security brings out. Some being offensive security web exploitation, some being an experienced penetration tester and more of inside of an attack and defense, Active Directory environments, and even more for exploit development. So when they bundled those up in a halo cert, when you have OSED, the exploit development, OSEP, experienced pen tester, whatever, Active Directory, and then OSWE, for web exploitation, they called that OSCE3, which is that halo, yes, all of them combined in this cool triforce power. I guess that was new at the time when I was so excited to dive into OSED and OSWE, and somehow, some way, I got that email from Ning, I believe, I might be getting the name wrong, but the CEO, chief executive officer, over at OffSec, Offensive Security, that said, you got there first. You were the first to get all three. And I was like, oh, this is cool. I caught all the Pokémon.
josh-mason--he-him-_43_09-03-2025_170632:
Yeah, of course. Nice. Do you feel like, were you headed down the path of wanting to be a pen tester and write exploits and do all that stuff, or do you feel like you've... did you divert from a path, or was that, are you... have you just gone with, like, the way the roads opened up in front of you?
john-hammond_1_09-03-2025_170629:
Truth be told, and maybe this is silly, but I get to feel like my security charlatan, fraudster, imposter syndrome kick in, but I've never been a penetration tester. I've never been a SOC analyst. I've never been a detection engineer. And that is always, oh dang, that kind of hurts to say aloud. But I do wanna make sure that's totally transparent and known. I just fell into the researcher end that lets me poke and play at a little bit of everything. The way I fell into that, it's no secret I was a huge proponent of capture the flag, CTF, hey, being hands on keyboard, learning and understanding different languages, different vulnerabilities, and that naturally points you a little bit more to that red team, offensive security side. To your point. Absolutely. That's how, yeah, I was building out the cyber threat emulation course, creating some of that material and content. And that was in that direction of pen testing, but I've never done it. But all those skills lend themselves to even, oh, understanding how some malware comes to life, how some attack chains could be built out on the endpoints. So it almost, for industry work and for my career, that points me more blue than it does red.
wade-wells_24_09-03-2025_140632:
I have an interesting one where, okay, so I know I've heard you talk about this before, but I honestly think being outspoken as you are, and also being in cyber, is always rare, right? Being able to tell a good story. Not everyone can do it. Not everyone can hold attention. And I know, or at least I've heard, you have a performance background, right? Or a little bit of one. Which I think, I was in a couple plays and stuff like that, and I was a class clown, but definitely not as bad. But how do you think being able to tell a good story, at least from a threat research perspective, has affected your career?

john-hammond_1_09-03-2025_170629:
Oh, okay. Your question first. I'm sorry. And then I know I'll...

wade-wells_24_09-03-2025_140632:
Yeah, go for it. Yeah. Yeah. Go for it. All good.
john-hammond_1_09-03-2025_170629:
I totally, without a doubt, a thousand percent, because you, in your work, no matter what it is, whatever role you may have, blue, red, whatever, blah, blah, blah, you are communicating with people, and they're gonna be in their own different walk of life with their own experiences, with all that they've gone through. And they might have either just a different understanding or even interpretation of cybersecurity stuff. And I know that's super vague. I know that, oh yeah, big broad concepts there. But can you genuinely communicate to them? Can you hold their attention, and can you tell them something that's important, that's actionable, that's very necessary for what they need to know, in a way that relates to them or bridges the gap between, oh, their worldview and how they see everything going on around them compared to what you know and understand, everything around you? So the best way, usually, just being able to make that, for one thing, good and something they can receive, is a story. And then how to be able to retain that, to remember that, to do something with it. That's a story.
wade-wells_24_09-03-2025_140632:
Yeah. One of the points in my threat intel class that I teach is, like, being able to tell a story. And so I always point people over, like, Jason Blanchard has some really good stuff about how to tell stories, right? And I think that's, like, a huge differentiator that it's harder to learn too, 'cause you don't have the opportunity to tell stories. But once you find someone who you can pay attention to a lot and can take technical terms and know not just how to speak to them, but how to speak to them, to certain people, right? And to know, to judge the crowd too, is a very rare talent. And I know it's one you have, but it's a cool one too. Yeah.

john-hammond_1_09-03-2025_170629:
Flattered. I think Jason Blanchard certainly beats me out though. He wins, he hands...

wade-wells_24_09-03-2025_140632:
Yeah. He's pretty good. Yeah.
josh-mason--he-him-_43_09-03-2025_170632:
The man can tell a story. That, I think, is one of the real tricks in any business. If you can get people to stop and listen to you speak and actually want to hear, stick around and hear you say the next words, that is so valuable. So crucial. And if you can speak in cybersecurity and business terms, I've seen you do it. I've seen both of you gentlemen be able to make that translation. That's the key. How did you make that translation from the mindset of an attacker? Obviously you can tear apart malware, eventually figure out what it's doing in a system, but then translating that to, okay, here's now what we should do for defenses and why you should care about it. Obviously a lot of weight. What you teach in CTI and what a lot of defenders are doing. But how can someone start learning how to do that? How can someone practice that if they wanted to get into the, like, CTI field or into the, yeah, I guess threat intel...

john-hammond_1_09-03-2025_170629:
Oh.

wade-wells_24_09-03-2025_140632:
Threat research.

josh-mason--he-him-_43_09-03-2025_170632:
...field.
john-hammond_1_09-03-2025_170629:
Yeah. I, for one thing, good question and a tough thing to answer, because I really... And maybe it sounds so boring and so basic, but I think it is the right answer of, first and foremost, hey, do something that you think is fun, that you enjoy, that you like and you're willing to do more of, because it is something you enjoy and it's fun and it's passion. So that may or may not be, oh, strictly down the path of threat intel, threat research, blue team, defense, et cetera. If it's just more fun to, oh, kinda learn a little bit more of how these hacks work, how these vulnerabilities come together, exploits and that attack chain... The attack chain, I think, is the most interesting aspect to it. Because if you then wanted to bring that to the other flair, or to something a little bit more aligned with, sure, threat intel, threat research, whatever bucket and name tag you wanna put on it, then think about how did the attack chain come to life? Literally, I know people keep, oh, they use the cyber kill chain as a cool analogy and all these different words, but genuinely think of a chain, because each of those little links, each of those components are things that you would now have an opportunity to break the chain. Put a mitigation, put some remediation in place, stop or block one aspect of what happened and when. And then the more knowledge you have on all those different parts, the better you're gonna be at, oh, I know this is gonna drop a file in this location, but if there were a file already there, maybe we could cut a little, like, countermeasure, vaccine, clever little stopgap. Oh, actually, the permissions on that directory are probably what's ruined this whole thing. Let's lock that down. Let's know our access controls, blah, blah, blah. You can extrapolate that in however many different ways that you want, but it is just exactly that. Understand kind of piece by piece. You build out the chain, and that is where you can get creative and innovative and think more on that front.
josh-mason--he-him-_43_09-03-2025_170632:
For the people who are trying to get to that point, how can they, how do you get started? Like, how do you show, I know how to do this, hire me? Is it like, I think a lot of us were able to see why you got hired onto Huntress, being able to watch you, I don't know. There were a lot of us who watched you dissect things on multiple terminals at speed, live streaming in some cases, and we're like, this guy knows what he's doing. Probably let's put him on some, like, real malware and see what he does. How do other people get into this sort of thing and get hired onto teams to, yeah, be researchers full-time?
john-hammond_1_09-03-2025_170629:
Yeah, you get into, obviously, I know kind of the chicken and the egg problem of, oh, I need experience to get a job and I need a job to get experience. And I'm sure thousands of folks are gonna tell you that. I'm sure you've heard that time and time again. So when you are learning, when you're practicing, when you're getting a chance to play, whether that's in Blue Team Labs Online, Hack The Box, TryHackMe, et cetera, the list could go on and on. I don't want to sound like, hey, do something similar to what I did, but I do think that when you build out your own portfolio, or your own sort of, hey, notes, your write-ups, your solutions, everything that you've been learning, you build up an awesome catalog, a whole archive of, look at all this that I can do, because I've already done it and I can show you, and I've got this to point to. That is invaluable. And I know so many folks will tell you, you probably hear it time and time again, so maybe folks are bored of that answer. Oh, have a website, have a GitHub, build out your portfolio. But it is really just a help. A foot in the door.
wade-wells_24_09-03-2025_140632:
Definitely. One thing I don't hear a lot of people talk about, which is something I always wanted to do but never did, was also, like, throw out some, like, honeypots and stuff like that, right? You don't need to work for a big security program to do security research at the end of the day, right? You could theoretically infect yourself completely and screw yourself, but you're gonna have fun doing it. You're gonna learn a lot. To tell you the truth, I'm not gonna lie, I've done stuff like that where I accidentally ran malware on a host, and I'm like, all right, just gotta re-image that. But it's something that can be done too, as a pastime. There's a bunch of different honeypot open source stuff out there.
josh-mason--he-him-_43_09-03-2025_170632:
And frankly, there's the ability to pull down a lot of stuff and follow along with what you're doing on ANY.RUN with the latest win. It's a bit much for me. There's a reason I do sales for a pen testing company rather than doing pen testing. I've realized what I like to do with my day. But for other people, like, if you really enjoy that stuff, excellent. There's ways of, like, really doing it and being able to follow along and love it.

john-hammond_1_09-03-2025_170629:
Absolutely.

josh-mason--he-him-_43_09-03-2025_170632:
If someone else makes the same video, or makes a video of their approach to the same, like, malware, that's not a bad thing.
john-hammond_1_09-03-2025_170629:
Yeah, can I, actually, this is super cool. It's a little bit tactical and current, if I may. There are incredible, phenomenal, and fantastic content creators out there. And I am just one of a few, I hope. I'm in that cool, sweet group. But there are so many that I adore and look up to. And a good friend of mine, genuinely from college days, while I was at the Coast Guard Academy, he was at the military academy at West Point. Ed, or LowLevel, some might know his online handle. It used to be Low Level Learning. I think now he shortened it to be cool, hip, LowLevel. But he had just gotten out a video on Docker, the containerization kind of capability for running a little kind of, not really a virtual machine, but a container, to run more code and applications in this sort of sandbox area. But there was some silly shenanigans of vulnerability for Docker on Windows, where that API, or like the control plane that could handle and spawn off and spin up new containers, was exposed and there was no authentication. There was no access control in the middle of it. So even from inside of a guest container, you could create and spawn and mount the host computer file system and then get, oh, remote code execution, critical damage, 9.8 CVE, blah, blah, blah. And Ed put out this video. And I put out the same video, basically covering and showing the same thing. And I feel, I feel humanly a certain amount of guilt and shame, oh dang, someone beat me to the punch. And it's the same stuff. But the way that you tell a story, the way that you explain what the CSRF or SSRF vulnerability might be, that could totally relate to more folks in a different way than another content creator. So I know I'm seeing, I'm having the shame of, hey, someone already talked about this a couple days ago. It's, look, I'm not trying to announce this thing. This isn't some breaking news. This is, I hope, an educational vessel that will live and permeate throughout time. Someone's gonna find this video however many years on from now, and I hope that'll bring value to them, maybe some way, somehow, down the line. So still do it. Still get it out there. Even if, oh, someone else already has, your presentation, your way, your story is still gonna resonate with folks.
wade-wells_24_09-03-2025_140632:
I think...

josh-mason--he-him-_43_09-03-2025_170632:
Huge.

wade-wells_24_09-03-2025_140632:
I watched your video. It's really, it was really old, on alternate data streams and the Windows file system. I watched that, yeah, it was an old one. But the thing is I built a detection for it, and of course, what do you do? You gotta run the detect, you got an attack, and I was able, watching your videos, to follow along, and there was, like, countless other videos, but it was... Like, that attack is actually pretty old, right?

john-hammond_1_09-03-2025_170629:
Yes.

wade-wells_24_09-03-2025_140632:
It's not a new thing, but once again, like you said, you coming, you creating it even though there's plenty of other ones. And honestly, you're already a trusted source. So I knew that was a slam dunk person to go to. Yeah, it was a while. It was probably like two years ago. It was a cool detection too.
john-hammond_1_09-03-2025_170629:
Was that the one, and I'm gonna nerd out here. Forgive me, I'm so sorry, because the...

wade-wells_24_09-03-2025_140632:
No, you're all...

john-hammond_1_09-03-2025_170629:
Cool thing about the, cool thing about alternate data streams, 'cause we saw some, like, some ransomware gang doing this however many months or times ago. If you put an alternate data stream, which is a little, I don't know, Easter egg of the NTFS or Windows file system, if you put it at the absolute root of the drive, like C colon,

wade-wells_24_09-03-2025_140632:
Yep.

john-hammond_1_09-03-2025_170629:
then you can't [see] them. You'll never be able to list them out or even know that they existed. You just had to know exactly the name that you chose, and it's like a certain kind of secret you could hide away.
wade-wells_24_09-03-2025_140632:
Yeah, that was the exact video, and so, writing a detection for it, I saw the same report. And then had to do, like, a quick little writeup for IR, right? Hey, if you guys, like, see something like this, hey, you have to go to this exact location,

john-hammond_1_09-03-2025_170629:
Sweet.

wade-wells_24_09-03-2025_140632:
what we're gonna have to do. Or at the end of the day, we just nuke the system.

john-hammond_1_09-03-2025_170629:
Are those small, fun things, though, I hope, again, they all add up. They compound over time. The parts of the attack chain, all those links in the chain where...

wade-wells_24_09-03-2025_140632:
All right.

john-hammond_1_09-03-2025_170629:
...just get a little bit more understanding, more of the context, more of the know-how. Hey, you've got a sword and shield there.
josh-mason--he-him-_43_09-03-2025_170632:
For sure. I remember, yeah, four or five years ago, especially during the pandemic, a lot of videos about TryHackMe, Hack The Box, CTFs. Now I know you still are doing CTFs, but you're building them and hosting them and teaching them. Are you still participating? Are you on a CTF team anymore, or are you more on the teach, create and...
john-hammond_1_09-03-2025_170629:
Yeah. Let me say this breaks my heart. I wish I were doing more pure capture the flag and playing CTF and participating in a lot of the war games than I am these days. That has faded away a lot, and it breaks my heart. I'm super sad. But it's, I think, outside looking in, if I were to zoom way out, I think in my own growth, like in my own trajectory, that's getting older, getting married, hey, trying to get in the industry, do more for work and stuff, and life, that takes up time. So your priorities just shift a little bit. And I think everyone goes through that. I don't know if you all...

wade-wells_24_09-03-2025_140632:
Yeah. Yep. Exactly the same way. I don't do CTFs at all, and I wish I could.

john-hammond_1_09-03-2025_170629:
I know it.

josh-mason--he-him-_43_09-03-2025_170632:
Yeah.

john-hammond_1_09-03-2025_170629:
Students, all of our young guns listening, do it while you can.
wade-wells_24_09-03-2025_140632:
Yeah, it's definitely a young man's game, right? Going to a conference nowadays and sitting down to a CTF, there's no way I want to do it, just because it's more fun going off for me and talking to people, where I've done most of the CTFs. I feel like the other interesting part for me is half the time I feel like it's just learning whatever tool the CTF is in. That's the real struggle. I know the attack chain, but yeah.

josh-mason--he-him-_43_09-03-2025_170632:
Yeah. Now we're coordinating conferences, not trying to beat the CTF.

wade-wells_24_09-03-2025_140632:
If we upgraded from CTFs.

josh-mason--he-him-_43_09-03-2025_170632:
Seriously. What would you love to see be the new trend? So now that you said it, not me, I consider myself old, but now if you're willing to put yourself in the same old person bucket as the rest of us, 'cause Wade's definitely old like me. What would you like to see out of the next generations, John Hammond? And do you know of them? If so, yeah, who are they, and who should we, should we be pointing 'em out to folks?
john-hammond_1_09-03-2025_170629:
Very sweet, very flattering. I don't think I could give any, oh, names or, just shooting from the hip, pull a name outta the hat for cool and incredible. There are so many phenomenal folks. A lot of them are doing some sweet stuff with the US Cyber Team or some of the US Cyber Games. A lot of those kids are geniuses. They're absolute wizards. What I hope we do, both as, more, yeah, even the practitioners, the people that are working in the trenches, and as an industry... This is totally just a John opinion, but I think it's so cool when we now know this blue and red team side, and especially on the defensive end, 'cause I know that's the focus of our podcast and conversation here. We can put these together when you start to get a little bit of trickery for the adversaries and defend it in that way. What I mean by that may or may not be a hot topic for folks, but I'm a huge proponent of, like, deception.

wade-wells_24_09-03-2025_140632:
Yes.

john-hammond_1_09-03-2025_170629:
Yes.

wade-wells_24_09-03-2025_140632:
Ah.

john-hammond_1_09-03-2025_170629:
And folks are always, yeah, let me throw out a honeypot. Let me get some network device that, oh, ha, I can, if you nmap it, the ports go all bonkers. Sure. But I want it on the endpoints, 'cause these attack chains, this tradecraft, all these living off the land tricks and all that, hey, freak out and scare the attackers by putting a couple landmines there. Those I think will be really awesome. When you put that together with detection engineering, when you put that together with deception engineering in a sweet, wild way, that I think is the coolest, perfect blend for both red and blue, and I hope that gets much more love and is embraced by, yeah, the new generation, if I may say.
wade-wells_24_09-03-2025_140632:
I love it.

josh-mason--he-him-_43_09-03-2025_170632:
...it.

wade-wells_24_09-03-2025_140632:
That is literally, deception is one of my favorites. Frustrated, like, coming from John Strand, right? With the deception engineering courses, and me, I've deployed several deception technologies at a couple companies, and it's always literally been my favorite, because you just, you hear the red team cry, you win. It wins all the time. It's easy wins. Yeah.
josh-mason--he-him-_43_09-03-2025_170632:
All day. As a solutions architect, like, sales engineer type, if I turn in an old report to someone on their external and they're like, haha, those are all my honeypots, I'm like, excellent. Great. Perfect. Good. Let's get some people looking at the stuff and get past that, at the real stuff.

wade-wells_24_09-03-2025_140632:
AKA, he hates deception is what he is saying.

josh-mason--he-him-_43_09-03-2025_170632:
No, that, that shows me someone's at a great level of maturity in their cyber program.

john-hammond_1_09-03-2025_170629:
That's the...

josh-mason--he-him-_43_09-03-2025_170632:
So as a sales dude, that's...

wade-wells_24_09-03-2025_140632:
There...

josh-mason--he-him-_43_09-03-2025_170632:
...is, this could be...

wade-wells_24_09-03-2025_140632:
...about that, though. People think you have to be super mature to do deception. I don't think you have to be that mature. You just have to have good notes, right? Like, to deploy deception, at least in an internal network, is fairly easy, fairly cheap, thanks to Thinkst, right? And it's not, it is definitely, like, free if you think about it correctly. That's the one thing, like, fake...
josh-mason--he-him-_43_09-03-2025_170632:
...I'm talking to, though.

wade-wells_24_09-03-2025_140632:
Oh yeah. The people you're talking to are a lot different. Yeah. Setting up some, like, fake AD records of a Windows 2003 box on your network with an IP address. Boom. Dude, that's gonna catch people all day.

josh-mason--he-him-_43_09-03-2025_170632:
Nice.

john-hammond_1_09-03-2025_170629:
I will sprinkle in some of that sugar, though, just as you mentioned. Yeah. Usually this is, that is normally a latter end of you bolstering and building your security posture. Get all the fundamentals, get the bare-bones basics, get all that stuff locked in first, do the two-factor, education, blah, blah, blah. Hey, make sure we've got the training in place, yada, yada, yada. Checklists, asset, application inventory, everyone knows, but we need to get everyone to get that right first.
josh-mason--he-him-_43_09-03-2025_170632:
Yeah. That, if I start seeing that and they start talking about it, I'm hoping, I'm assuming that they've, they're along the same lines as what you just mentioned, that they've done all those basics and that we're having a mature conversation about, yeah, like, we've done all these things, and now we're having fun. Okay, cool. Now let's, like, have some real great...

john-hammond_1_09-03-2025_170629:
Oh yeah.

josh-mason--he-him-_43_09-03-2025_170632:
Yeah. You probably understand it as well, I'm sure. Yeah. Huntress's customers are also in that similar vein. I wanna have one goofy question. If reverse engineering malware were a video game, what's been your hardest boss fight so far? Been, like, the one thing where you've been like, this sucked?
john-hammond_1_09-03-2025_170629:
Can I maybe level set it in a cool way? I'll be the first to admit I am not all that sharp inside of a... I can't read assembly fluently by any means. I've gotta jump around. I hope I can find a decompiler, if that works well. So raw opcodes and machine code, I struggle with it.

josh-mason--he-him-_43_09-03-2025_170632:
Maybe not reversing, but analysis. Maybe a, yeah. Was there a, a malware, oh... Or is that the thing that, like, the part that has been the hardest for you? Is the using, like, a Ghidra or an IDA Pro?
john-hammond_1_09-03-2025_170629:
Yeah, so it's neat, because I think in the real world a lot of times you don't always get to that hardcore compiled flat binary. You'll see folks using PowerShell. You'll see them using silly, cutesy, like, Visual Basic Script or JScript or Python or silly scripting languages that still get them to the place where they're doing damage, running infostealer, doing drop-in ransomware, and those can be much more easily signatured and, oh, figured out, analyzed in a dynamic sandbox. So those are always the hard bosses for me, as to, okay, I'm gonna have to crack open Ghidra, IDA, Binary Ninja, and then just drone through however many lines of assembly opcodes and instructions.

josh-mason--he-him-_43_09-03-2025_170632:
Gotcha.

john-hammond_1_09-03-2025_170629:
It's tough. I'll be the first to admit. So I do like when, oh, we get to play with some of those script-based malware while they stage and prepare all these droppers and lures and all that. All to eventually get to what is the end of the attack chain. But the whole rest of it is neat and fun and cool. I don't know if I answered your question.
wade-wells_24_09-03-2025_140632:
No, you did. I got it.

josh-mason--he-him-_43_09-03-2025_170632:
I get that. Yeah. Assembly and messy, non-flat binary stuff in, like, a disassembler being the pain in the butt. Yeah.

john-hammond_1_09-03-2025_170629:
That's a relatable thing for a lot of folks tuning in, 'cause you might be in the same boat. Hey man, it's tough getting...

josh-mason--he-him-_43_09-03-2025_170632:
Feel that. I felt that.

john-hammond_1_09-03-2025_170629:
...but...

wade-wells_24_09-03-2025_140632:
...blue teams are never gonna deal with...

john-hammond_1_09-03-2025_170629:
Exactly.

wade-wells_24_09-03-2025_140632:
...right? You're gonna hire some type of IR company, and they're gonna come in. Some dude who's specialized, been doing that for 20 years. No one ever, like this, like exactly what you said. The scripts are what we all look at, because we can easily read them and understand and pull out those atomic IOCs out of them and follow the chain. But that last piece, that EXE, I don't think I've ever actually taken apart one. Just drop it in a sandbox, then see what it does. It's easier to do.
john-hammond_1_09-03-2025_170629:
Yeah, folks will use VirusTotal,
folks will use a VM, right?
Folks will use ANY.RUN, whatever,
to see the dynamic analysis.
So I hope that doesn't spook or
scare anyone when they're thinking
about, oh, malware analysis,
researcher, reverse engineering.
There is
much more to it than flat,
compiled, hardcore EXE or any of that.
So I hope you know that helps even
just set expectations and level
set for the folks tuning in.
You don't have to fight those hard
bosses and dragons all the time.
wade-wells_24_09-03-2025_140632:
I usually don't.
Yeah.
josh-mason--he-him-_43_09-03-2025_170632:
Yeah.
Wade,
do
wade-wells_24_09-03-2025_140632:
Yeah, usually we end on one question.
What is your one piece of
advice for a blue teamer?
It can be any level, can be any
grade, any person, anywhere.
Just straight blue teamer.
General advice.
john-hammond_1_09-03-2025_170629: Huh
wade-wells_24_09-03-2025_140632:
Yeah, it's a hard one.
john-hammond_1_09-03-2025_170629:
I think I've got it.
wade-wells_24_09-03-2025_140632: Okay.
john-hammond_1_09-03-2025_170629:
Maybe everyone says the same thing.
I don't know, but.
wade-wells_24_09-03-2025_140632:
Surprisingly, no one
has really said the same
thing.
josh-mason--he-him-_43_09-03-2025_170632:
almost.
wade-wells_24_09-03-2025_140632: Yeah.
john-hammond_1_09-03-2025_170629:
I'm sure someone will maybe
I'm duplicating someone now.
I think we've already run all over the
map to talk about, hey, make sure it's
fun, make sure it's a passion, make
sure it's something that you enjoy and
you can show your work, kind of thing.
But what I would give as my best
advice, especially for blue teamers
or the folks doing defense work:
take notes, document. Documentation, the
worst, the thing that everyone hates.
But seriously, put it in a place that
other folks can see and read and
can refer back to so that something
doesn't live and die in a Slack thread.
You know what I mean?
Put it in
a wiki.
wade-wells_24_09-03-2025_140632:
I left an organization and then
two weeks later I got hit up, but,
hey, this canary just went off.
Like, why?
And I'm like, whoa, I don't remember.
john-hammond_1_09-03-2025_170629:
Write it down.
wade-wells_24_09-03-2025_140632:
Yep, No, it was great.
It was a good one.
josh-mason--he-him-_43_09-03-2025_170632:
That's fresh.
wade-wells_24_09-03-2025_140632:
Notion, Obsidian, what's your
note-taking platform of choice?
john-hammond_1_09-03-2025_170629:
I am an Obsidian junkie.
I'll be the
wade-wells_24_09-03-2025_140632: Okay.
All right.
john-hammond_1_09-03-2025_170629:
Still use a little bit of Notion just
for like organization work, but for
off the cuff, I need to
just jot something down,
Obsidian makes it the most easy thing.
wade-wells_24_09-03-2025_140632: Agree.
john-hammond_1_09-03-2025_170629: But
if I may, realistically, that should
be, like for an org, for organizations,
Confluence.
A wiki, something to
wade-wells_24_09-03-2025_140632:
Atlassian, the, yeah, it's like the
graveyard of all blue teams is Atlassian,
just all of their products together.
Confluence and Jira.
josh-mason--he-him-_43_09-03-2025_170632:
A SharePoint, a OneNote, a something
that lasts the most, a Google Doc
that multiple people have access to.
Something, word.
John,
john-hammond_1_09-03-2025_170629: guys.
I feel like I've been
rambling for too long.
Sorry we ran so late.
wade-wells_24_09-03-2025_140632: Yeah,
you're all good ahead.
josh-mason--he-him-_43_09-03-2025_170632:
having a guest is you talk.
If they wanted us to
talk, they'd invite us.
wade-wells_24_09-03-2025_140632: Yeah.
josh-mason--he-him-_43_09-03-2025_170632:
Dude.
wade-wells_24_09-03-2025_140632:
So John, if people wanna find more
about you, where would they go?
john-hammond_1_09-03-2025_170629:
Oh totally.
Hey, you can track me down out on the
internet, you'll see my ugly mug just
looking around for that redhead kiddo.
But just my name, John Hammond, on
YouTube, on Twitter, on LinkedIn.
Please don't hesitate.
Don't be a stranger.
Would love to chat anytime.
Reach out.
It might take me a little bit to
get to you, but I absolutely
do want to hear from you.
So see me out online.
wade-wells_24_09-03-2025_140632: Awesome.
josh-mason--he-him-_43_09-03-2025_170632:
If people wanted just hacking training?
Is there a place that they could
john-hammond_1_09-03-2025_170629:
Thank you so much.
Totally.
Yeah, some fun extra venture
that we've been up to is
getting some other curriculum,
material, training out the door.
That is Just Hacking Training, or JHT.
If folks wanted to dive in, any of
that fun stuff, whether it's free,
name your price, or any pay-what-you-want
shenanigans, justhacking.com.
So thank you.
Appreciate the shout out.
josh-mason--he-him-_43_09-03-2025_170632:
of course.
Big fan.
Thank you John for joining us.
This has been a lot of fun as always.
See you in a couple months in Deadwood.
john-hammond_1_09-03-2025_170629:
I don't know if I'll make it out, but I'm
trying my darnedest without a doubt.
josh-mason--he-him-_43_09-03-2025_170632:
Okay?
understand.
Good stuff.
Alright folks, if you enjoyed this
episode, subscribe, all of that fun stuff.
Thank you to our sponsors
and we'll see you next week.
wade-wells_24_09-03-2025_140632: See,
josh-mason--he-him-_43_09-03-2025_170632:
bye.
