Our team at ANY.RUN is very excited to introduce a new guest for our Q&A – John Hammond, a popular YouTube blogger, cybersecurity specialist from Huntress and just an amazing human being. We will ask 19 cybersecurity questions and discuss his blogging experience, CTF, certificates and top lifehacks for beginners in cybersecurity.
Hello John, thank you for joining our expert Q&A series! It’s a pleasure for us to have you as a guest. Can you tell our readers what you do?
John Hammond: Thank you so much for letting me join you! This is a real treat, and I am flattered to be included in the series. Currently, I work as a Senior Security Researcher at Huntress. When I can squeeze in some extra time, I produce educational cybersecurity content on an online YouTube channel and host Capture the Flag training.
Your experience is inspiring. And I believe many beginner specialists are eager to become a cybersecurity rock star like you. There are 456k subscribers on your YouTube channel right now. How did you become a blogger?
John Hammond: I super appreciate all the kind words! To be honest, I grew up like most kids that wanted to “make video games” or “become a hacker” without knowing really anything about what all that entails. Many years ago, from just Googling a cheesy “how-to” for those aspirations, I stumbled across Eric S. Raymond’s article that explained: if you really want to become a hacker, you need to learn how to program. The text suggested learning Python as an introductory programming language, so I searched for tutorials on YouTube. Back in that time, “thenewboston” channel produced tons of educational series, and I learned the very beginnings from following those videos.
At some point, I had the thought, “I could try and make videos to teach people just how I learned!” I think there is a known saying, if you really want to become a master at something, try and teach it… so I started chipping away releasing videos, and it slowly grew over time.
You mentioned that the “thenewboston” channel was useful for you at some point. What YouTubers do you watch right now and why?
John Hammond: These days, I watch LiveOverflow, NahamSec, IppSec, Grant Collins, and lots of other security creators. I love to see what they are up to and to learn from them. I think it is a really cool kind of family, where we bounce ideas off of each other or get inspiration to create new content.
Do you remember the moment when you realized: “My life has changed, I’m a famous person now”?
John Hammond: I try to avoid the notion that “I’m famous” or some silly ego-stroking stuff, but I do remember when it became very surreal, and I could really see the impact of my content. A lot of my channel growth and notoriety came during the beginning year of the pandemic, so it was tough to gauge its value from just seeing numbers on the screen.
But when I attended DEFCON when things started to return to normal, there were a few kind folks that were willing to come up and say hi and offer thanks for all the videos. Being able to see people face-to-face, see how happy they were, and how they expressed I had helped them in their own growth was so fulfilling. It means the world to me when someone stops to say hello.
Cybersecurity is quite a unique niche. What is it like to be an influencer, a content creator in this field?
John Hammond: That is a super interesting question… sometimes I compare myself to other “influencers” in different spaces, whether it is exercise or health or gaming, or anything – and it is strange to see what aligns and what doesn’t. Something that I try to keep constant throughout all my content is humility and a resounding reminder that I’m not an expert. I don’t think there really are any experts in cybersecurity. I want to show an authentic and genuine portrayal of cybersecurity, with all the mistakes and the rabbit holes and the bang-your-head-against-the-wall problem-solving.
You also have a day job as a senior security researcher. How do you manage to combine a full-time job with YouTube, conferences, and your other projects? Do you have a secret? :-)
John Hammond: Well, truthfully, I really struggle to balance it all. Unfortunately, some things fall to the side, and I’ll end up re-prioritizing some obligations more or less, and honestly, things completely slip off my radar sometimes. On days that I have the energy and drive, I will stay up late and “postpone” sleep to try and juggle the efforts between my actual day job, YouTube, hosting CTFs, and more. Oftentimes it feels like an unmaintainable lifestyle, but I either lean into it or lean away from it in a sort of ebb and flow. Somehow, it works. I hope, anyway.
Your channel has existed for more than 10 years, and still, you post a bunch of content: 7 videos in June and 16 (!) in May. How much time does it take you to produce videos? How do you get ready for filming?
John Hammond: Video production time really varies between the kinds of videos, and how much I am willing to edit. A large majority of my content is a raw, uncut, screencast, where I purposely don’t edit the footage, so all the rabbit holes and mistakes are included. That ultimately takes as much time as it does to record the actual content – it could be 8 minutes, it could be 20 minutes, or it might be a whole hour.
I still create my own thumbnails, so that tends to add another hour or maybe less – and when I do edit footage, it takes way more time than it should. Rendering and uploading also add to the time, so maybe 3-5 hours is a decent timeframe for fully producing a video? It is fuzzy, but it always ends up taking more time than I expect.
As for how I prepare for filming, I try to put myself under some weird sort of spell and just convince myself I am ready to roll. It takes a little bit of time to get myself in the right headspace, so I might honestly start and stop the beginning of recording over and over again until I feel like I found the right groove. You would think, after a decade of doing this and presenting to people, the nerves would go away – but no, they never leave. I still get anxious!
I know that you hate thumbnails, the editing process, and all this annoying side of content creation. Why are you still doing it by yourself?
John Hammond: I really struggle with “creative control.” Thankfully, I do have some colleagues and friends that are willing to help with the process – and trust me, I have tried to let them build out thumbnails or the small minutiae of production… but it doesn’t often match what I envisioned or what I like. I try to go back and forth on some suggestions or changes, but I don’t want to annoy them or trivialize their work – so sometimes I think it might just be easier if I do it myself. That really adds to the time sink, but I just haven’t found the sweet spot yet for letting another individual create the work that I want to put out.
Fortunately, I like to think I at least acknowledge the fact that I do that, and I am trying to be better about it. I am still slowly trying to find the right extra hands to help with content creation.
There is a constant rivalry between cybercriminals and cybersecurity specialists. Have you ever been hacked? Did you get any threats or anything like this?
John Hammond: Surprisingly, I can’t think of a time where I’ve ever been legitimately “hacked” (which probably means I have been and I just don’t know it, to be honest). Given my role, I know to take the barebone basics of cybersecurity hygiene seriously – I use a password manager, multi-factor authentication, and I’m super cautious about inbound emails.
I do get an extreme amount of fake advertising or sponsorship offers in emails, but my eye is trained a bit to spot these easily enough. I have never gotten any threats or seen much malicious intent towards me online, but I suppose we will see if any come up in the future.
Could you share some key steps to cybersecurity hygiene in your opinion?
John Hammond: I hate to have such a boring and trite answer, the same thing everyone else says — but honestly, that’s the right answer. Use a digital password manager so you can generate long, random and complex passwords unique to every site or service, be extremely cautious when opening unknown files, emails, or links, and just generally know what kind of threats are out there. The best thing you can arm yourself with is just the knowledge and education and then be just cognizant of everything you do on your devices.
Your YouTube channel has a lot of content for education. How many hours of videos should one watch to become a malware analyst? Are certificates or a degree still important?
John Hammond: Videos are just one resource to help someone learn – it is nice to see the process and get engaged with something that shows the real effort, but it can’t compare to hands-on practice and doing the real thing. Gauging “how many hours of videos” one should watch isn’t the best metric, in my opinion, it should just be a supplement to your own learning and playtime.
I would certainly say a degree and certificates can help get your foot in the door, but they are not a necessity. If you put in the hard work and build up your skillset enough that you can prove your merit, you don’t always need the stamp of approval from a degree or certification.
You have more than 14 certificates. What was the most challenging? Is there a set of certificates that each malware analyst needs?
John Hammond: Truthfully, a lot of the certificates that I have worked through lean more towards emulating the adversary or understanding the threat actor – they are more focused on offensive security. Considering I don’t do penetration testing for my own occupation, I sort of translate these to the realm of incident response and malware analysis.
With that said, one of the most challenging (but rewarding) certifications for me personally was the Offensive Security Experienced Penetration Tester (OSEP) because it did showcase a lot of evasion techniques that attackers (cybercriminals as well) use to slip past antivirus, EDR, or other preventative security mechanisms.
I remember learning about how managed executables and .NET assemblies can be compiled and run on the fly with LOLbins (living-off-the-land binaries) but how they could leave behind some artifacts depending on how the process is invoked. The very next day at work, I found some of those artifacts while investigating a malware sample – and seeing that “in the field” was a really cool moment for me.
If I could shout out one training that malware analysts might get a ton of value from, it is certainly the Zero2Auto course from Vitali Kremez, Daniel Bunce, and Jason Reaves. It is a phenomenal lesson in all the ins-and-outs of common malware families and offers a ton of hands-on and practical real-world case studies.
Another love of mine would certainly be some of the SEKTOR7 training that showcases the other end of things… that does present itself as more of a “red team operator” class, but change your perspective while you go through it. It showcases how one can build and develop malware, and you really see where defensive gaps are and how attackers do what they do – so you can better defend against them.
What is a typical career path for a malware analyst?
John Hammond: You aren’t going to like my answer, but honestly I don’t have a good step-by-step path to offer. There isn’t a “ladder” or a laid out and guided way into the work. Finding your way into an industry you love is not always a straight line – it is squiggly and curved with random detours or unexpected turns… but it is all part of the process.
Whether you are a system administrator, a programmer, a help desk technician, or a security professional in whatever niche, you can still take the jump into malware analysis if that is what you want to pursue. The best I can offer is a gentle reminder that your career isn’t on railroad tracks… you are in control, and you can dive into malware analysis to help find the vocation you love.
What is the best lifehack for beginners in malware analysis based on your experience?
John Hammond: Here is another bad answer that might not be what everyone hoped for, but it is the real truth: have fun. My best advice is to enjoy doing what you do, and if you don’t, then pivot to something that you really find joy and fulfillment in. I think a lot of folks would agree that passion in this field can help you tremendously—and if that passion starts to fade, bounce to something new that you find fascinating.
If I can offer one sort of lesson: eventually, once you turn what you love into your job, there will come a time that what you once loved will start to feel like “work”. It might turn mundane or feel like drudgery, and you just aren’t all that excited about it anymore because it got twisted into something else. That might happen in a year, that might happen in 5 years, maybe 10 years… it is different for everyone. But the thing to aim for is to delay that the best you can or fight against it, so it never happens at all.
When you are cutting through malware, or just getting your feet wet, make it fun. Play. Explore and love the process.
Hacking, pentesting is something you are known for. How to choose a side? Blue team or red team?
John Hammond: Again, this ultimately falls to your own personal interests, but I’ve found the best approach is a sort of mix between both red and blue. I do love ethical hacking, red teaming, penetration testing – but I want to make the security landscape better. It is one thing to break things, but it is another to fix those things and work to prevent or better detect them in the future. My best advice is to find the niche that you love, whether it be offensive or defensive, and work with others to bolster the community.
Having this impressive CTF background, could you share the best strategy to win the game? Or an interesting case that you had?
John Hammond: Joking a bit here, but if I could make a certain callback to the 1983 film WarGames, “the only winning move is not to play.” And I don’t mean that literally, I’m not saying don’t play CTFs… but don’t play to win, play to learn.
When I participate in a CTF, I don’t really care where I am on the leaderboard, or if I come in 1st place or whatever – I want to absorb as much information as I can and come away with new tricks, new tools, or new techniques. If you learn something new in the process, you have already won. Now you are better armed against the next malware sample you analyze, the next investigation you are on, or the next engagement or next pentest or CTF or anything.
I can share one fun story of a different style of Capture the Flag that I once participated in.
It was more of a social-engineering competition mixed in with hands-on-keyboard technical know-how. This was an in-person event where teams were tasked to dig up intel and compromise a simulated company, where we could find employees online through social media and their public web presence. There were people designated to play the parts of these employees, so we as participants would create sockpuppet accounts and message them through LinkedIn or Facebook or craft phishing emails to get them to run our own malware.
One element of the game was literally walking into another building under the guise of some maintenance staff and sneaking through rooms to rummage through file cabinets or place a Raspberry Pi for later remote access… it was very cool. One task I vividly remember was setting up a credential harvesting website, cloned to look just like an online email provider that this “company” used in their day-to-day, and calling one of the “employees” on the phone to fool them into “resetting their password” so we could gain their credentials.
This was during the very last few minutes of the competition, so we were rushed and trying to balance pushing the person to move more quickly, while still keeping up the charade. In the last few seconds, we had the adrenaline rush and energy that came from being so close, and we did finally see their password come through across our listeners. We were jumping up and down, high-fives and fist-bumps and cheering, and we could submit it for points just literally seconds before the end of the game. After those points were in, we took second place in the competition.
With that, I think there are a lot of great takeaways – the value of team-building and camaraderie that comes from playing CTFs with friends, peers, and colleagues… the fun and fulfillment of not even “winning” the competition but just doing something new… and especially, the lessons learned on how social engineering is always an attack vector. People can be the biggest vulnerability, and it just shines the spotlight on how much we need cybersecurity education and awareness.
What is the best CTF that you can recommend? Where can junior specialists prove themselves and learn?
John Hammond: Capture the Flag competitions tend to lean folks into a more offensive security side, finding and exploiting vulnerabilities, often in a Linux environment… but the reality is, most everything in the industry is in the Windows realm and deals with more defensive “blue team” work. I think the closest thing I could suggest for budding analysts or junior folks in malware analysis and incident response would be “Blue Team Labs Online”. That resource has a lot of great free material and is really approachable for anyone jumping into gamified security learning.
What are you working on right now?
John Hammond: Truthfully, I have just made it back from Black Hat and DEFCON, and during Black Hat I was fortunate enough to attend the “Advanced Windows Exploitation” course from Offensive Security. That dives deep into kernel exploitation, browser sandbox attacks, and virtual machine escapes… crazy wild stuff. I hope to be studying for that capstone challenge into the new year, and I’ll still be trying to push out YouTube content and develop Capture the Flag challenges for competitions and events that I help host. For my day job, I’ve been tinkering with how we can better assess the attack surface from an external perspective, examining open ports and hunting down the “low hanging fruit” that too many organizations still get compromised by. It all keeps me busy.
And the final question – what is cybersecurity for you?
John Hammond: To me, cybersecurity is a certain kind of pulse. It’s a heartbeat. It is active and constant and always on, and it is something I feel like we have to earn and be with. That is a tough ask because we know the threat landscape moves quickly – but I’m up for the fight. I love being a part of the community and surrounding myself with others that are in the trenches just as well. Stopping threat actors, hunting down adversaries, finding and fixing problems before the attackers do… it takes a village and everyone playing in concert together. That is cybersecurity to me.
Thank you for taking your time, and good luck!
Thank you so much for letting me join you and be a part of this!
Don’t forget to subscribe to John’s YouTube channel!