Applying Elite Military Training to Civilian Assessments

The foxes who work here come from a variety of backgrounds, giving them unique insights that advance our ability to emulate real-world attackers and secure our clients’ systems. In previous lives, our foxes have worked in areas like development, research, bug bounties, and cyber operations. Each perspective in the team brings us closer to representing the way that real-world attackers think since they may have any one of these backgrounds.

To wrap up Military Appreciation Month, we’re focusing on the many military-trained foxes in our Managed Security Services (MSS) team. With the creation of the Continuous Attack Surface Testing (CAST) platform through our MSS team, security experts with a military background have found an especially comfortable yet challenging role where they can continue their security careers.

ANOTHER LEVEL OF PREPAREDNESS

Our MSS team is full of foxes from the most elite offensive cyber operations units in the Department of Defense. Their security knowledge and skills were forged during an intense two-year pipeline of offensive cyber training that has equipped them with unparalleled skill sets and a deep level of knowledge about how to discover and exploit vulnerabilities, as well as manage security risks and apply mitigations. Their military-funded training has afforded them a relentless focus as they intelligently pursue their goals.

Thinking through consequences

One of the benefits of their military training is the ability to reason through the potential second- and third-order consequences of their actions, which translates into a smooth experience for our clients. When independent security researchers root around an organization’s site looking for bug bounties, they may try to avoid setting off alarms or causing disruptions—but their pursuit of a payment-worthy vulnerability may cloud their judgment and lead them to cause a denial of service or an unwanted configuration change.

The rigorous military environment of offensive cyber operations, however, leaves little room for error. A simple mishap could jeopardize the mission or even an entire operation. These high-risk scenarios honed our operators’ logical and technical skills, enabling them to carefully weigh the potential impact of their offensive testing against their desire to exploit systems. Because our operators keep the consequences of their testing in mind at all times, our clients receive expertise powered by an attention to detail without delays or disruptions.

Providing thorough documentation

One way to support thought-out decision making is through careful note-taking. This focus on documentation is deeply rooted in offensive military operations; if anything should go wrong, each action would be under scrutiny. Without review and analysis the same mistakes could be repeated.

Since the nature of our work with CAST clients is cyclical and communal, the importance of recording each explored avenue in detail really comes to the forefront. Without such logging, our operators would do redundant work, get stuck in the same dead ends as another teammate, or lose track of potentially vulnerable endpoints. Even though the fully remote MSS team works across separate locations and schedules, the asynchronous hand off of tasks between teammates is smooth because they respect the power of deliberate documentation. They keep track of it all and fold those details into the whole picture, resulting in actionable reports for CAST clients.

A HIGHLY VALUED BACKGROUND

The intense two-year training program (along with stringent security clearance requirements that our military foxes completed) has given them a unique experience that can’t be come by casually. With such a proven skill set from a respected program, they have access to many opportunities after completing their time in the military.

Defense contractors and government agencies understand and highly value this background and what it means about applicants, and already having a security clearance makes military veterans especially attractive to government organizations. Though it’s easy to get a foot in the door, switching from the military to a military-adjacent position within a huge organization can feel too familiar and too structured. After years living in a highly regimented structure, many of our foxes were looking for a more flexible position with options to work remotely, and many defense contractors require on-site presence, often in D.C.

Being valued on their own merits

The first military fox to join our MSS team was Senior Security Engineer Caleb Gross (@noperator), who was weighing the merits of one of those government-adjacent jobs when he started looking into Bishop Fox. As he spoke with his future manager and began our hiring process (which includes completing an extended, rigorous hands-on test), he began to feel that it was even better to be tested on his acquired skills than to be accepted on site for assumedly having those skills based on his background. He passed our tests, but more importantly, he learned through those tests that everyone he was about to work with had joined Bishop Fox on their own merits too.

FREEDOM AND FLEXIBILITY

Aside from the work itself, the ability to do that work remotely was an enticing factor that Bishop Fox offered. After working and sometimes living within the confines of a military base—often spending workdays in windowless buildings while difficult to reach by phone—these foxes were looking to have more control over their work hours and be able to participate in spontaneous family events throughout the day. Although the MSS team meets briefly every day for an agile status update, they can move their schedule around and pick up where others left off. During the ongoing pandemic for example, some foxes work for half the day, then homeschool their kids, then return to their projects.

In addition to physical freedom, military foxes enjoy their ability to connect with internal experts and learn from them, regardless of where they sit in the hierarchy. In military situations, following protocol by raising an issue up the chain is often the only way to make a change, and unfortunately those issues are sometimes filtered and abandoned. Although their roles center around serving our CAST clients, the day-to-day here is much more varied, shifting from developing tools, creating new processes, and improving themselves in the areas of offensive security that interest them.

Rather than simply maintaining a functioning system as they would on an established program, members of our young CAST team directly influence the systems and process that they work in every day.

WORKING AS A TEAM

In addition to their employers inherently valuing their background experience, service members often choose to work for government organizations because they function in a similar way to the military.

There was a lot to adapt to while considering applying to work at a civilian firm like Bishop Fox. But just like in their military lives, our operators knew that even when they left the service, they could always rely on their teammates. Those bonds forged during years of training provided the exact kind of familial support they needed to navigate through these transitions. By staying close through group chats, this tight-knit community of veterans maintained that connection while job hunting, where they alerted each other about useful resources and employers to avoid. Together, they translated their expert abilities into phrases that civilian institutions would recognize and appreciate.

As Caleb worked through our hiring process, he reached back to this group of veterans to share his increasing excitement for the flexibility and new challenges it offered, which got others interested. His smooth experience with our onboarding process, positive impressions of his coworkers, and engaging work he contributed to on the CAST team quickly spread to others in the community, marking Bishop Fox as a place that seemed to fit the skills and personalities in the group. They were also looking for a meritocracy with room for growth, autonomy, and freedom to make good choices that benefited the company and its clients.

By getting direct recommendations from a trusted friend who they could work with on an emerging service—one that would employ their technical and leadership skills, but would also require continued growth—they started looking seriously at Bishop Fox too.

Improving every day

Even though each of the foxes on Caleb’s group chat had been through an intensive two-year training program, they were all looking for positions where they would be challenged to improve their skills while having the freedom to explore new areas of information security.

Instead of resting on their laurels, they actively chose to keep impressing by improving themselves over time. Their urge to improve has been integrated into the schedule—each day, they each have an hour allocated to self-improvement, whether through classes, reading, research, or working through training labs. With unique challenges ahead of them and resources to continue leveling up their abilities, our operators have found a place to pursue their interests and apply them to their daily work.

UNIFORMED PAST, FOXY FUTURE

For the military-trained operators that have found their way onto our MSS team, it feels like the perfect fit. They are highly trained experts who bring their unmatched skill set, work ethic, and passion for offensive security to our clients. Because of our thorough hiring process, they know that they are surrounded by colleagues who have been similarly vetted and who have comparable ambitions. Not only do they appreciate that working here uses what they’ve learned in their training, but that they aren’t limited in a strict environment and can change and improve to match their interests. And once Caleb recommended Bishop Fox as an engaging place to land, he’s been joined by others from the same program who already know how to work well with one another in high-pressure situations.

Although nothing in civilian life can compare to the immediate understanding that two people in uniform have when they meet each other, the offensive security experts who have chosen to call Bishop Fox home have found new ways to make community and continue their interests, including small internal groups, conference meetups, and company-wide gatherings. Senior Operator Barrett Darnell (@pwneip) and his former military colleagues have competed in and won CTFs including the Netwars Tournament of Champions. And to continue the conversations about security that keep this industry alive, he and his colleagues created a virtual conference called DerpCon. They organized 24 speakers and hosted over 2K attendees while raising over $20K for the Colorado COVID-19 Crisis Fund.

With the flexibility to work from home, engage with foxes across all departments, and continue improving their skills, these foxes have settled into their roles here. As Barrett put it, “I never wake up upset about having to go to work.”

Thank you to Barrett Darnell, Mark Goodwin, Caleb Gross, and Zach Zeitlin for teaching me about your backgrounds and advising me on this piece, which only scratches the surface of how amazing you all are.