I get to be a bad guy for the good guys. I get to test out all the possible ways threat actors can intrude into a network.
Krittika Lalwaney
Red Team Security Engineer, Capital Group
Washington, DC, United States
Meet Krittika, master problem solver and Social Engineering Pentest Professional (SEPP).

What motivated you to start a career in security operations?
I fell into the information security field accidentally. As a Middle Eastern studies subject matter expert and Arabic linguist, I was supporting clients at the U.S. Departments of State and Defense in counter-terrorism and counter-intelligence operations, chasing bad guys on the internet. That turned into Cyber Threat Intelligence (CTI) and I then had the opportunity to get a job at Capital One as an incident response analyst. I took the job, got on-the-job training, and got certifications that helped me understand incident response and become good at thwarting threats. Today, at Capital Group, I am building upon years of experience in the industry to solve technical problems by being an ethical hacker as a Red Team Security Engineer. I get to simulate cybersecurity hacks that occur in the wild and help prepare Capital Group to proactively defend against them.
How did you end up in your current role?
Before joining the Red Team, I was responsible for incident response management and cyber threat mitigation and prevention. I responded to several phishing and malicious code incidents, found new threat actors, and utilized anomalous behavior detection to proactively hunt for malicious activity in the network. I also achieved my GIAC Certified Incident Handler (GCIH) and GIAC Penetration Tester (GPEN) certifications from the SANS Institute to further hone my skills.
My day consists of understanding how technology works, and then finding ways around it to bypass it to help catch possible vulnerabilities.
Describe a recent project you are most proud of.
Not long ago, I conducted some testing against the HR department. The testing was focused on insider threat and hacking the human via social engineering. I got to use my technical skills by setting up a vishing and a phishing campaign. I was able to successfully phish and vish from outside the network because of my setup. I really liked this because now others on my team can utilize this setup and it helps streamline Red Teaming. The hardest part of being a bad guy for the good guys is setting up the infrastructure to do it while playing within the rules so that we comply legally with company standards. The real adversaries don’t have to think of this stuff.
What qualities will help someone succeed in a security operations career?
Critical thinking skills are very important. Being able to analyze data points to make connections to solve problems is ideal in identifying and detecting vulnerabilities.
What advice do you have for someone starting out in this field?
Be tenacious. Technology is constantly changing and there is a lot to learn. If you like to learn and problem solve then this is the perfect career for you. Remember to not give up because information security is hard and we need more good people ready to fight to protect it from the bad ones.
Fun Facts
Who are your heroes?
Harriet Tubman, Grace Hopper, Malala Yousafzai, Mother Teresa
Favorite hobby?
Tennis
Any hidden talents?
Drawing and painting
Do you have a motto?
"We must become the change we wish to see in the world."
-Mahatma Gandhi
In partnership with the World Economic Forum.