Today ANY.RUN has a special guest for our Q&A: Renzon Cruz, a Principal Consultant at Unit 42 by Palo Alto Networks and co-founder of GuideM. We will discuss his experience at DEFCON, lifehacks for giving a talk, and which certificates you need to get into cybersecurity.
Could you tell us about your job and the projects you run?
Renzon Cruz: I’m part of Unit 42, the consulting arm of Palo Alto Networks. I work as a Principal Consultant for Digital Forensics and Incident Response. My job mainly focuses on IR and forensic analysis to help our customers with any cybersecurity issues they may encounter.
I’ve handled many cases, such as ransomware, business email compromise, cloud breaches, insider threats, APT attacks, and financial fraud. Before that, I was part of a national cybersecurity team in Doha, Qatar, where I responded to onsite engagements during incidents, mainly in the government sector.
How did you get into cybersecurity?
Renzon Cruz: I found this career back in 2014, after my first job. I have to admit that I had no idea about a cybersecurity career back then, so after my day job I studied a lot and attended multiple meetups and conferences to blend into the ecosystem.
After months of continuous study alongside my day job, I got a call from a big tech company because they needed someone to help them with the SOC job. From there, I saw a lot of real-world breaches that made me think and grow curious about how attackers did all of these things and how we could detect such attacks. At that point, I kept researching different methodologies, reached out to many industry-known folks from infosec, and asked about anything related to cybersecurity.
With more than 8 years of working experience in cybersecurity, you have tried different sides: Threat Hunting, DFIR, teaching and creating educational courses, participating in CTFs. What is your favorite part of cybersecurity?
Renzon Cruz: I love solving puzzles and connecting data points to create a story from the massive amounts of data I deal with daily. So incident response and digital forensics are core tasks that I always enjoy in my job. Creating educational courses and teaching every weekend also gives me genuine happiness, especially helping people get into the field.
I love receiving feedback from my students after the bootcamp. Messages saying they just got a job, passed a final interview, or aced a technical assessment (hands-on exercises) as part of their interview, thanks to the extensive hands-on lab workshops we give them in our boot camp.
You have 13 certificates under your belt. How does one choose which to start with? And are you planning to get a new certificate in the future?
Renzon Cruz: Don’t just focus on certificates, especially if you are new to the field. Once you get comfortable with the fundamental skills, adding a certification is not a bad addition to your belt.
Get your hands dirty with fundamentals such as networking, system administration, scripting, web applications, and cloud. This is more important than just jumping into the certification world.
I love eLearnSecurity as they provide a hands-on type of exam. SANS is a top-notch cybersecurity provider, but it comes at a high price that not everyone can afford. You can also do a “work-study program”, where you act as a moderator for a SANS course and the course fee is reduced by up to 70% of the total price. Yes, I plan to take a new course from SANS or any vendor that suits my needs. I’m getting two new courses and certificates before this year ends.
You have been a speaker at conferences like BSides in Vancouver, London, and Doha, the ROOTCON Hacking Conference, etc. DEFCON29 is one of them: what was your experience there, and why did you decide to join it?
Renzon Cruz: Sharing knowledge with a global audience has always been my dream. I started this plan in 2018, when I decided to fight my stage fright. I plan to submit a talk internationally at least twice per year. So far, I have achieved it and met many new folks from the field each time I give a talk outside my home country. It’s also a good feeling when you meet new folks with the same interests and passion, as it helps you grow and inspires you to do better in your craft.
Your DEFCON29 presentation was about the key forensic artifacts in cloud storage services. What made you choose this topic? And how did you prepare for your talk?
Renzon Cruz: Cloud breaches are on the rise, yet forensicators still have a hard time dealing with forensic evidence. One main goal of a threat actor is to perform data exfiltration from the systems they’ve breached.
One goal of my talk is to provide insight into how to analyze cloud storage services such as Google Drive, Box, Dropbox, MEGA, and iCloud when a threat actor uses them to upload and download sensitive data. During my preparation stage, I gathered a lot of existing work from multiple security researchers and did some experiments on my end to understand the whole scenario and prove the theories mentioned in each piece of research.
Numerous applicants are willing to talk about their research at DEFCON, and only a few get in. Could you give advice to candidates and future speakers?
Renzon Cruz: I would say that if you want it, then do it. DEFCON is a big crowd, so make sure you have something unique when submitting to their CFP. Try to get in touch with the different villages as well. At DEFCON, there are villages for each specialization, such as the Blue Team and Red Team Villages, the Social Engineering Village, and the list goes on. Most of these villages have their own Discord channels, so I would advise you to join them and start having conversations with the mentors and goons.
If DEFCON is too much for you, I suggest you search for the available BSides in your area or even the online ones. BSides conferences are an excellent start to gaining a bit of confidence when giving a talk to the public.
You are a co-founder of the GuideM IT Training Center. Why did you start this company?
Renzon Cruz: We started this training center to help others get into cybersecurity. We noticed that most cybersecurity training, at least in our country, is expensive without giving real-world concepts and experience. That’s where GuideM comes into play.
We created a series of modules with theory tied to real-world scenarios and tons of lab exercises, without breaking the bank.
Here, all students get hands-on experience performing dedicated tasks such as:
- threat hunting
- forensic analysis
- penetration testing
- social engineering
- vulnerability assessment
GuideM has more than 600 alumni from 15+ countries. What makes the center so attractive to them? What are the advantages of the training?
Renzon Cruz: Our real-world-scenario approach makes us very attractive to the market: you can immediately apply everything you learned in our boot camp once you get back to work. We also share many of our real-life stories with our students, lessons learned from different incidents, and best-practice approaches to all aspects of our topics.
We offer a free mentorship program where we assist all of our alumni with interview prep, upcoming interviews, and CV reviews, and guide them on their career path; this is part of the perks once they enroll in one of our courses. So we’re not just a typical training center. We really care about our alumni and help them as much as possible.
Qatar, the Philippines, and Dubai, UAE: you have worked in all these places. Is the cybersecurity market different in these countries? How do you manage to balance your work there?
Renzon Cruz: There are differences in how each of these countries approaches the cybersecurity landscape in terms of employment, support from the government, and the demand for different talents. I love the community we built in the Philippines, where I was one of the admins of a 40k-member infosec group, which we use as a platform to help people with any questions and as our collaboration tool to discuss insightful infosec topics. Qatar is serious about making the whole country more resilient. Dubai gives you a lot of opportunities, as there are tons of tech companies in the UAE.
What are you working on right now?
Renzon Cruz: I am busy with my full-time job at Unit 42 as a principal consultant, analyzing and handling so many cases. I am also teaching blue-team courses every weekend. Other than that, I plan to create a new advanced IR/forensics course that matches an enterprise-scale setup, which might take me 6-8 months to finish. Aside from that, I’m also studying many malware analysis topics, including reverse engineering of different malware variants, and more.
And the final question – what is cybersecurity for you?
Renzon Cruz: Cybersecurity is the art of protecting data, assets, networks, and devices to ensure the confidentiality, integrity, and availability of information. Cybersecurity is also not a luxury; it’s a necessity.
Renzon, thank you for taking part in our series. Good luck with your future projects, and we hope to see more of your presentations at conferences!