This Framework in Focus interview was featured in the Winter 2021-22 NICE eNewsletter.
Title/Organization: Offensive Security Engineer, Zoom
NICE Framework Categories: Protect & Defend; Analyze; Collect & Operate
NICE Framework Work Roles: Cyber Operator; Cyber Ops Planner; Exploitation Analyst; Security Control Assessor; System Testing and Evaluation Specialist; Vulnerability Assessment Analyst
Academic Degrees: A.A., French Language, Grossmont College; B.A., Russian and Soviet Studies, University of California, San Diego; M.S., Cyber Security and Information Assurance, Western Governors University
Karen Wetzel: Hello, my name is Karen Wetzel. I am manager of the NICE Framework at the National Initiative for Cybersecurity Education at NIST. The NICE Cybersecurity Workforce Framework, published as NIST Special Publication 800-181, establishes a taxonomy and common lexicon used to describe cybersecurity work. The NICE Framework is intended to be applied in the private, public, and academic sectors. In this edition of the NICE eNewsletter series, Framework in Focus, it is my pleasure to speak with Maril Vernon, Offensive Security Engineer. Maril, thank you for letting us learn more about your career pathway and understand the NICE Framework from your perspective.
Maril Vernon: Absolutely. It’s awesome to be here.
Karen: Let’s just jump into it. Can you explain more about what an offensive security engineer is?
Maril: Absolutely. Typically someone who works in offensive security might be known as a penetration tester, or pen tester for short. However, within offensive security, you can do a number of things. You could be a pen tester, a red team operator, a purple team operator, an exploit developer, a tool developer for exploits, or be doing reverse malware engineering.
Of all the flavors that are available, I specifically am a red team operator, which is subtly different from a pen tester. For pen testers, someone will contact them and say, “I think this product or network is secure; will you come in and test it to make sure that I haven’t missed anything?” So when they conduct an engagement against a target they want to get in there and find everything they can possibly find. They want to throw the kitchen sink at it to see what sticks and try and find as many vulnerabilities as possible for you to remediate. But if you’re doing a proper red team engagement, generally you have a much more specific goal. It might be to get you to provide me corporate credentials on a malicious website, to get remote code execution on a compromised remote host, or to exfiltrate data from your environment without you knowing. Typically, you have a very specific objective and everything the red team does is to meet that objective. We want to get in, be stealthy, stay low under the radar, accomplish our objective, and get out without you even knowing we were there. That’s the kind of team I work on.
Karen: It sounds like it could be a lot of fun. As a red team lead, what other kinds of people are on your team? What other kinds of roles do you work with?
Maril: It often depends on the size. You can be a one-woman red team, as I was at one of my previous organizations, where your work runs the gamut — it could be vulnerability testing firewalls and products to pen testing your website and helping the developers do DevSecOps. A larger red team will typically have someone doing exploit development, someone in charge of infrastructure, and someone who’s really good at pivoting and lateral movement. You’ll also possibly have a social engineer or someone who’s good at the client side of your kill chain. That’s what I usually specialize in. I am gregarious and outgoing, so I’ll hop on and pretend to be someone else or I’ll write all the phishes and stuff.
As far as roles we work with within the organization—there are a number of them. It’s really important for a red teamer to build rapport with other departments. We work a lot directly with the CTI (cyber threat intel) teams, DFIR (digital forensics and incident response) teams, the SOC (security operations center) – those are all technically blue teams. We also work a lot with other departments because at the end of the day, our goal is to make our organization more secure. We’re here to make sure that, whatever the reason for a hole, it gets addressed before someone really bad finds and exploits it. So you want to do a lot of relationship building, assuring managers in other departments that our goal isn’t to come in and delete a bunch of things in production or take the entire company offline. You need to explain to people what you do, how you do it, and why you are doing it — that it has a purpose for the organization, not just because you can.
Karen: We introduced Competencies in the NICE Framework with our November 2020 revision. Included in our draft list were professional competencies or soft skills because we keep hearing from the community how important those are, no matter their role. You came from a customer service background and began your career in marketing, is that right? What led you to cybersecurity?
Maril: That’s right — I used to be a copy editor and social media marketing manager for a hospitality brand. I got into cybersecurity because one day I looked at the jobs ahead of me. I looked at my boss, her boss, and his boss and realized I didn’t want to be any of those people. They had no work-life balance and were stressed out all the time. I needed a new challenge, and I was desperate to find an industry where I would never kick back one day and say, well, I know it all now and there’s nothing new to learn. Cybersecurity was that perfect match. There is something new to learn every day so we’re all kind of perpetual students—that makes us more effective security professionals. It’s just really reassuring because you’re amongst other people who want to continuously learn—you’re probably not the only one in the room who hasn’t heard of a new term, tool, or framework.
Karen: What are your tricks for continuing to grow your knowledge and keeping your skills sharp and current?
Maril: If you know where you want to be, you can learn more about what the next role to propel your career forward looks like. Then you can learn what will give you the most return on investment for that role. For me, there were certain things I wanted to learn but they weren’t always synced up with what would benefit my organization and team for me to learn. You have to target the content that will propel you forward where you want to go. Always have a career plan in mind.
A lot of industry knowledge comes from peers, so I hang out in hacker environments to be plugged into that content. Discord servers, Twitter conversations – that’s where people are posting new bugs they find, new breaches, new tactics.
Karen: Luckily, the cybersecurity community is a great resource—willing and open to working with each other and sharing knowledge. Coming back to the NICE Framework—what are your thoughts on how someone could also use it to help plan their career?
Maril: Hiring managers can use it to better understand the skills that are demanded by a cybersecurity role and not just the acronyms they hear associated with a role. For me, I want people to know that there is no shortage of roles to choose from. Pen testing is really fun and pays well, but there are cool roles in architecting and DevSecOps and cloud architecture. There’s purple team. There are tons of opportunities as a security engineer on the blue side or an offensive security engineer on the red side. Being on the red team doesn’t only mean pen testing, either—you could be a reverse malware engineer, a binary expert, or a source code expert. So don’t limit yourself. The NICE Framework can be used to learn about these roles, find out what skills are needed, and how new skills can lead into different places.
Karen: Career pathing is one of my favorite ways people use the NICE Framework. We have over 50 Work Roles identified and we’re looking at adding others. There are so many jobs out there, but what are your thoughts on the ones that might be the most difficult to fill today?
Maril: The roles that are hardest to fill are ones where people have cross-responsibilities—where someone needs to be an expert three layers deep in three different things, not an expert 10 layers deep in one thing. For instance, you might be a network architect or red teamer but also need cloud specialties. There are so many lanes involved with just about any job that it really behooves you to become at least a service-level expert in as many of the lanes that apply to your role as possible. Business risk is a business function, but it serves me to know it because when I’m making an impact statement I can tie it to revenue and productivity lost—terms that the business manager understands. That helps drive my program forward because I get more buy-in from those managers.
Karen: Do you think these kinds of jobs are even more crucial just because they are not as common?
Maril: Yes. Anything where you see on a job description two or three responsibilities that wouldn’t typically belong to the same person. I might need a security person with a little bit of project management, product evaluation, and a little bit of this and a little bit of that — someone who will need to wear multiple hats, and they can be hard to find.
Karen: We know that workplaces that value diversity, equity, and inclusion (DEI) have improved outcomes. Can you share how DEI has played a role in your career and how you can make your own workplace more diverse?
Maril: I came from a non-technical background. When I started, I didn’t even know what IP addresses were or how those worked. Someone took a chance on me, and I brought a level of diversity and a fresh perspective to my team. The team members had been working in tech for 50 years among them and would say “This is normal,” but then I’d ask, “Why is it normal?” And I’d point out something that they hadn’t considered before. Valuing different learning paths—some people might be self-taught, others will rely on classrooms, and yet others will have come from bootcamps—means your team will have people who can bring differing opinions and drive discussions. Altogether this results in a better security program. We’ve seen that time and time again.
Karen: I was reading a report earlier today about people who are successful at recruiting for cybersecurity positions. The report noted that one thing these people had in common was that they were more likely to hire less-experienced candidates and have re-skilling programs in place. Looking for that non-traditional person who can bring a different perspective can be a really good approach.
Maril: My former CISO used to say, “I don’t want to be smarter than my team. I hire people smarter than me on purpose. I want them to outthink me.” That was a great philosophy to have.
Karen: I love that. I’ve heard a lot of joy in your voice when you talk about your work. What do you enjoy most about the work that you do?
Maril: I do love my work. My favorite part is how creatively I have to think—I love that because I want to solve the puzzle. There is constant pivoting and asking what else we can try. I want to find that teeny, tiny little piece of information that’s eight years old and hidden in an image somewhere that you totally forgot about, and now I have a backdoor. It’s like a little treasure hunt every time.
Karen: My last question to you is: What final bit of advice would you give someone who’s considering a career in cybersecurity?
Maril: I would say be open to the foot-in-the-door position. I went from risk analyst to pen testing. It’s a way to learn a lot about how security relates to the business as a whole without the pressure of having to perform in a security capacity right away. It’s much easier to pivot yourself into a security role at an organization when you can speak to their security goals, program, and outcomes. So be open to those off-the-beaten-path positions.
Additionally, I would suggest that if someone is interested in this field they should get a mentor. If you think you want to be in cybersecurity, explore some different jobs, look at different job descriptions, and then find someone with that job title and learn how they started. That will help you find out how to get where you want to go and what organizations take chances on people who need to gain that experience on the job.
Finally, I would start showing up where we show up. We have a very small world, and the more you’re known in it the more people will think of you. You need to network yourself, start showing up, commenting, and interacting with people. You might see someone you can reach out to, and then you have a security buddy who can recommend jobs to you and vouch that you have good ideas and understand the field.
Karen: That’s great advice, and even applies when you’re internal at a large organization. If you’re not in cybersecurity right now, you can reach out and maybe shadow someone for a little bit. A lot of times organizations hire from within and, as you pointed out, if you already have organizational knowledge, that’s a leg up.
I really appreciate this conversation. Maril, thank you so much for sharing your time and insights today, and for letting us learn more about the kind of work you do.