Cyber resilience is vital for organizations of all sizes across all industries; it is no wonder the cybersecurity industry is evolving at such a rapid pace. Ethical hackers, security researchers, and professionals play one of the most valuable roles in safeguarding organizations from malicious actors. While organizations embrace new technologies and recruit more security professionals to help, one aspect often remains overlooked.
Burnout, depression, anxiety and a slew of mental health issues are becoming more common among cybersecurity professionals. Although workplace stress follows every industry, cybersecurity seems to be particularly susceptible to it. The fact that there is stigma around discussing mental health in the security community does not help either. The modern superheroes who make the internet a safer place for everyone need support in protecting themselves. The industry, as a whole, has a long road ahead of promoting better mental health practices and addressing the issue.
Ben Sadeghipour, also known as NahamSec online, is the Head of Hacker Education at HackerOne by day and a hacker and content creator by night. He is known and loved for his Recon Sundays, YouTube channel, and NahamCon security conference and has helped companies identify over 700 security vulnerabilities across hundreds of web and mobile applications. One of the world's top ethical hackers, he has invested his time back into the security community by creating a community of 30,000+ active hackers on Discord and hosting international conferences dedicated to hacker education and collaboration.
Addressing and spreading mental health awareness in the industry, and sharing his own mental health struggles, is the latest aspect of his content creation. In this candid interview with Ben, we go over his vision for NahamSec, work at HackerOne, the importance of available resources for new hackers, and of course, personal tips on dealing with burnout, stress and depression.
SecurityTrails: How did the idea for NahamCon come to be? What was your vision for the event when conceptualizing, and did it change when it started to form and come to life?
Ben Sadeghipour: It all started in 2020 with VirSecCon while also participating in the Leukemia & Lymphoma Society's (LLS) fundraising campaign. The original goal for VirSecCon was to hack and donate my bounty earnings to the LLS campaign, because the pandemic left many people unable to contribute at the level they had previously hoped. But thanks to the hacker community and people like Heath Adams, who raised over $10,000 alone, we donated over $50,000 to the LLS because we participated in the VirSecCon event.
But once VirSecCon was over, I missed going to cybersecurity conferences due to Covid-19 lockdowns. As someone who spent a majority of his time at conferences, I know what I liked or disliked about each one I ever attended. I used those experiences to organize an event focused more on the hacker community and culture versus vendor halls and selling products. I am not saying booths and vendor halls are bad ideas, just that hackers typically do not want to spend their time talking to sales folks. Hackers want to hear talks they can learn from and relate to. They want to learn something new that can help their hacking skills or take their careers to the next level.
So we worked with our sponsors and partners to create something for everyone: Career Corner (thanks to INE/eLearnSecurity), Villages with exclusive workshops and talks (thanks to folks from HackTheBox, IoT Village, and Red Team Village), and of course a CTF where everyone can have fun (thanks to John Hammond from CTF4Hire and our sponsors like HackerOne, Amazon and Google). I also wanted to make this a community effort where everyone felt involved. I personally reached out to all the bug bounty platforms, sub-communities like UHC and TryHackMe, and services that were popular amongst bug hunters to get them involved in the Hacker Games Show, and meet my goal of giving back to the community and making it as inclusive as possible.
ST: What were some of your favorite moments from NahamCon2021?
Ben: My favorite moment was when my Discord admins/mods Joe, d0nut, and Securibee pinged me to let me know we had reached our Discord limits, and not everyone was able to join the Discord villages. I didn't expect such a big turnout for villages, especially not through Discord! Luckily we figured it out, but at some point, I remember sitting in my office and thinking, holy crap, this has become a lot bigger than I ever expected!
ST: Congratulations on your new Udemy course! We know it's currently a beginner bug bounty course and there are many already enrolled, but what can they expect to learn from your course, and what sets it apart from others like it?
Ben: For now, the Udemy course is geared more towards beginners, but I'm hoping to have a few more updates where students can learn more than just the basics. If you already have some background in web applications or networking and want to get into hacking, this course may be a good starting place. Think of the course as if you were studying a new topic in college. You start with the beginner class and then move on to the more intermediate stuff, then the advanced stuff, and so on. In the current course, I show how I look for different vulnerability types by sharing my experience and the tricks I have learned over the past few years. Most Udemy courses don't come with both examples and labs. However, mine includes a fake infrastructure/organization where students can practice their new hacking skills. While I designed the course for beginner hackers, I plan on creating more content for people with different skill sets and/or levels of experience in the future.
"If my platform can help one person change their life through hacking and bug bounties, then that's good enough for me."
The Udemy course doesn't promise to make you rich or a top hacker. Instead, it provides something I wish was available when I first started eight years ago — content based on my own real-world experiences, thought processes, and approach to hacking on web applications.
ST: With so many resources and tools available online today, essentially anyone can teach themselves technical skills and how to hack. But what are some of the inherent skills hackers must have to be successful?
Ben: I think hacking is beyond tools, resources, or even skills. While it's easy to learn what causes these different vulnerability types or how to exploit them, hacking is more about your creativity and out-of-the-box thinking. Hacking is thinking about what something is NOT supposed to do and then finding a way to do that exact thing. It's a combination of problem solving and puzzles mixed with creativity and endless frustration (but the good kind)!
ST: You actually ended up putting yourself through your senior year of college relying solely on bug bounty earnings! How did you discover hacking was something you wanted to dedicate your time to, something that can be both fun and profitable?
Ben: Well, I always loved hacking as a kid but never thought of it as a career. The 16-year-old me would have been mind-blown if he knew there was an entire community and industry where people get paid to hack on big companies like Snapchat, Lyft, Apple, or Red Bull! When I was going to college, I attended many different cybersecurity clubs and meetups hosted on campus. One of them was specifically for recruiting people to work for the US federal government. While I did not believe I had a chance to work with the US government, I still attended the event for marketing reasons and for a better understanding of how the recruiting process works for cybersecurity jobs. During this seminar, I told one of the recruiters involved that I eventually wanted to get a job in cybersecurity, but I did not think I had what it took. He told me to go home and search the words "bug bounty" and see if I could do anything with that.
Back then, only companies like Yahoo! (now Verizon Media), Facebook, and Google offered money to find security bugs in their products. So I started participating in their bug bounty programs, mostly to have something to put on my resume and show I could learn things on my own while gaining some hands-on experience. I submitted my first few bugs with Yahoo! and earned $250. Eventually, there was a point where I was finding vulnerabilities regularly and was paid $9,000 for 3 SQL injection bugs ($3,000/report). Being in college and earning $9,000 was a huge deal for me. I never had that much money in my bank account before, aside from when I had to pay my tuition each semester. I used a big portion of that first bounty money to buy myself a new car. I also realized at that time that I had gotten involved in a very young industry that could probably help me do a lot more than earn $9,000 in one night. So I took a chance and decided to dedicate a few years of my life to bug bounty hacking, and here we are!
ST: You were once a full-time bug bounty hunter, but today you do it as a side gig. How did your outlook on bug hunting change with that switch?
Ben: I think there's a difference between doing bug bounties for fun and extra cash and relying on it to pay your bills. I still dabble in bug bounties and do pentests on the side (for fun and extra money). But I also enjoy my 9-5 job since it's related to the same field and allows me to make an impact in the world. My outlook didn't change much, other than seeing how much work goes behind these different bug bounty programs or platforms to make them work. It gives you a sense of appreciation to see how many people spend countless hours to make these programs work.
ST: What are some of the ride or die tools in your stack that you don't see yourself replacing soon?
Ben: I think most of the people that have seen my live streams know I'm a die-hard crt.sh fan and use it pretty regularly. I also love tools like dirsearch, ffuf, meg, getallurls, waybackurls, Burp Suite, kiterunner, and of course, SecLists for anything wordlist-related.
ST: And what are some new tools you recently integrated into your workflow?
Ben: Recently, I've been playing a lot with ProjectDiscovery tools like nuclei, httpx, subfinder, and aquatone. I typically try to stay away from automated scanning tools these days because I learned they can make you lazy and, ultimately, you don't learn as much. There's a difference between knowing why and how a tool works versus just blindly using it.
ST: How do you approach a target when bug hunting?
Ben: That depends on the scope. If it's a wildcard scope, where every subdomain is in scope, I do recon by looking for different subdomains, port scanning, screenshotting, and some directory brute-forcing. Then I organize them based on how interesting they look. Is it a dev site? Is there an API? Does it have a registration page with different permissions? Those factors all play into how I pick what I hack on.
On the other hand, if it's a singular app, I like to browse and use it as a normal user. The things I look for are: what are the different functionalities that exist? What is the app supposed to allow the user to do? What is the user not allowed to do, and how do I find a way to do exactly that?
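The same subdomain-then-triage step Ben describes is just as useful for a defender keeping an inventory of their own organization's exposed hostnames. The example below is added here and is not Ben's tooling or HackerOne's; it parses the JSON shape crt.sh returns (a list of certificate records whose `name_value` field holds newline-separated subject names), normalises and de-duplicates the names, drops out-of-scope and wildcard-prefixed entries, and then tags each host with the "interesting" signals from the answer above (dev/staging, API, registration or auth). The certificate records and the `example.com` apex are constructed sample data; the keyword lists in `INTEREST_TAGS` are an assumption chosen for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output; not real certificate data.
# crt.sh packs several SANs into one "name_value" separated by newlines, may return
# wildcard names, mixed case, trailing dots, and unrelated hosts that merely contain
# the apex string.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Sample CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "API.Example.com\napi-staging.example.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "signup.example.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "example.com."},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "example.com.evil.test"},
])

# Assumed keyword lists (illustrative, not an established standard): a token in a
# hostname label that matches one of these marks the host with the corresponding tag.
INTEREST_TAGS = {
    "dev": ("dev", "staging", "stage", "test", "qa", "uat"),
    "api": ("api",),
    "auth": ("signup", "register", "login", "auth", "sso", "admin"),
}


def normalise(name):
    """Lower-case a hostname and strip surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it (label boundary enforced)."""
    return name == apex or name.endswith("." + apex)


def extract_hostnames(crtsh_json, apex):
    """Parse crt.sh JSON into (hosts, wildcards).

    hosts: set of unique in-scope hostnames; a wildcard "*.x" contributes its base "x".
    wildcards: the bases that were only seen behind a wildcard, which need separate
    review because the certificate covers names that never appear in the CT log.
    """
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = normalise(raw)
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]
                wildcards.add(name)
            if in_scope(name, apex):
                hosts.add(name)
    return hosts, wildcards


def tag_host(host, apex):
    """Return the sorted list of interest tags for one host, judged on labels below the apex."""
    sub = host[: -len(apex)].rstrip(".")
    # Split on '.' and '-' so "api-staging" yields both the "api" and "dev" tags.
    tokens = [t for label in sub.split(".") for t in label.split("-") if t]
    tags = {tag for tag, keywords in INTEREST_TAGS.items() if any(t in keywords for t in tokens)}
    return sorted(tags)


def triage_hosts(hosts, apex):
    """Order hosts for review: most tags first, then alphabetically, as (host, tags) pairs."""
    tagged = [(host, tag_host(host, apex)) for host in hosts]
    return sorted(tagged, key=lambda pair: (-len(pair[1]), pair[0]))


if __name__ == "__main__":
    found, wild = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    for host, tags in triage_hosts(found, "example.com"):
        marker = " (wildcard cert)" if host in wild else ""
        print(f"{host:30} {','.join(tags) or '-'}{marker}")
```

Hosts flagged `dev` or `auth` are the ones whose presence in a public CT log deserves a second look from an asset-management point of view: they are exactly the hosts a hunter with the approach above would prioritise, so they should be the first ones an owner confirms are meant to be reachable and are patched. The `in_scope` check matters in practice because `example.com.evil.test` contains the apex as a substring but is not yours, and the `wildcards` set matters because a `*.dev.example.com` certificate tells you nothing about which hosts actually exist under it.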
ST: Your job is actually to educate and bring forward a new generation of hackers at HackerOne. But what are the resources that helped you the most when you were starting out?
Ben: There were not a lot of resources when I first started. I wish there were resources like Hacker101 or high-quality YouTube content that included insights from hackers, but that did not exist back then. What I had to do was read practically any write-up or bug report disclosed on HackerOne's hacktivity pages. I also dedicated some time to reading a few books like the Web Application Hacker's Handbook, Red Team Field Manual, and the Hacker Playbook. On top of that, I spent a lot of my time just hacking. Whether it was on programs like Yahoo! with a bug bounty program or vulnerability disclosure programs (VDPs) that only gave you points in return for your findings. I really wanted to learn and get better at hacking, so every opportunity to hack was a good learning experience for me.
"Hacking is thinking about what something is NOT supposed to do and then finding a way to do that exact thing. It's a combination of problem solving and puzzles mixed with creativity and endless frustration (but the good kind)!"
ST: You are one of the most prominent content creators in the hackerspace. What made you go into content creation?
Ben: As I said, I've always loved helping others learn about hacking. Hacking and bug bounties had a huge impact on my life. It opened up a lot of doors for me and made a lot of things possible, things I never expected. I'm a big believer in paying it forward. I'm just creating things I wish I had at my disposal when I first started with bug bounties. If my platform can help one person change their life through hacking and bug bounties, then that's good enough for me.
ST: Today, hackers have a lot of opportunities to leverage their bug bounty experience and go into other ventures, such as content creation, application security, offensive security, etc. What do you think was a large contributor to that? And what advice would you give to someone first venturing out?
Ben: I think there are a lot of ways people can benefit from participating in bug bounties. People have this misconception that bug bounties are like a get-rich-quick model, but the reality is it comes with countless hours of work and studying. The difference is you are only really investing your time, not a whole lot of money upfront.
I know people who have gotten jobs at companies like Uber, Google, or Shopify by simply listing their bug bounty experience or actually hacking on their bug bounty programs. There are also hackers like Shubham Shah, who have created attack surface management platforms based on leveraging their hacking knowledge and experience gained from bug bounties. I have also met hackers who have saved up money to help their family members launch their business by investing in it!
I think the best advice I can give anyone is to take a moment and really think about what it is that you want to accomplish. Is it that you want to get a job in the industry? Do you want to start your own thing or invest in someone else's company? Or do you want to do bug bounties full time? Once you figure that out, you need to create a plan and be honest with yourself about what you need to do to get there. Success does not happen overnight; it takes time and patience. Consistency is key!
ST: How did you land your job at HackerOne? What makes it exciting each day and what direction do you anticipate future hacker education trends will go?
Ben: That's a very long story, but here's a tl;dr: Originally, I was a big critic of HackerOne and really vocal about it. One day I was invited to their office to talk to them directly and gave them a ton of feedback. I went home after the meeting and realized I was a bit too harsh and direct. I messaged Jobert Abma (one of the cofounders) and apologized for being so direct, and asked if they would be willing to hire me to help with all the things I criticized about them. That started my internship at HackerOne back in 2016, and I have been there ever since.
"The first step to getting past the version of ourselves we hope the world sees is to admit we are no different than anyone else and be open about our experiences."
I can't speak about the future of hacker education outside of HackerOne, but I think there's more to CTFs and the old-school video content with slides. One of the biggest things I have focused on with my role at HackerOne is finding different opportunities for hackers. That can be more than just bug bounties or jobs. It could be creating education content, CTFs, or workshops for Hacker101 and getting compensated in return.
ST: What can we expect from NahamSec in 2021? Are you going to be speaking at some events, maybe some content goals?
Ben: I honestly don't know. I want to create more content and share my experience as a hacker, but I also want to share other parts of my life that people would find relatable. Mental health has been a big focus for me lately due to my struggles with it, and I'm hoping I can help others who are also dealing with getting through difficult things. Who knows, maybe I'll go back to offering training again.
ST: Today, depression, burnout, and other mental health issues are becoming more common among cybersecurity professionals. What can we, as an industry, do to work on mental health awareness and help those dealing with it?
Ben: We are all humans at the end of the day. We all go through similar things and deal with some trauma or dark times at some point in our lives. In the security community, I think there's a stigma around seeking help and discussing mental health. Unfortunately, with how much we rely upon and use social media, we see people's best moments without seeing what goes on behind the scenes. The first step to getting past the version of ourselves we hope the world sees is to admit we are no different than anyone else and be open about our experiences.
As an industry, we can do better about promoting mental health more frequently at conferences and events. I try to do this at NahamCon, dedicating tracks and panels to dealing with depression and mental health and partnering with professionals to find different approaches or solutions that work with our cybersecurity lifestyle/schedule.
ST: And what can we, on an individual level, do to help ourselves in dealing with mental health issues? Can you share some tips that helped you on your path?
Ben: This is such a good but loaded question. I'll try my best to share my experience:
I have not talked much about this publicly, but in April/May of last year, I battled really bad depression and anxiety that led to some major life changes. What made it even harder was I thought I could still go through my day-to-day tasks and ignore the situation until it went away. It's a lot harder to deal with depression when you slap a smile on your face and pretend like it's not there, and I tried to do that for quite some time. Eventually, I learned it doesn't just go away until you sit down and really ask yourself what it is that's making you depressed and face it. I think deep down, we all know the answer to that question but we don't want to admit it to ourselves.
Anyhow, it takes time to get through it. One thing a lot of my friends told me was, it's okay not to be okay. At the time, it was such a cliché thing that didn't make sense, but eventually, it all made sense. To me, that meant temporarily not being too hard on myself and taking things day by day. My first step was to sit down to write a list of the things that played a role in my depression/anxiety, including my habits, the environment I was in, and my daily routine. I'm not suggesting you change who you are, but honestly, for me, there was a reason why I was in that situation and mental state, so some things obviously needed to change:
Create a daily routine that works for you. Make a list of things you want to do every day that make you happy. Mine are: wake up early, make my bed first thing (the first task of the day!), do some sort of exercise, and read 15-20 pages of whatever book I enjoy reading. I even have some weekly rituals where I start my week by getting coffee at a specific place and end it with dinner/lunch from another particular place.
Dedicate time to yourself by participating in new activities or activities you enjoy but haven't done in years. These could be physical activities like working out, hiking or biking, playing an instrument, reading, or meditating.
This goes hand in hand with the last item: do stuff off of the screen. If it helps, do what I do and charge your phone starting at 9:30 PM in another room (like your kitchen) and try to avoid going on your phone for the first 30 minutes of your day and when you wake up.
Try meditating (again!). I did it for a long time, but then I realized meditating doesn't just mean sitting down for 15 minutes and listening to someone tell you to breathe in and out. It can be done in different ways. Find something to get your mind off of whatever is happening in your life, even if it's for 10-15 minutes.
Take a trip every few weeks (even if it's a road trip) and do something fun that forces you out of your day-to-day routine and comfort zone. Bonus points: do it alone and enjoy your own company!
Tl;dr: put yourself first and do what makes you happy.
Saying that it's "okay to not be okay" might sound like a cliché, but it's important to remind ourselves of it. We hope that you've enjoyed this candid sit-down with Ben and that you have drawn some lessons on mental health awareness in cybersecurity and its importance for our perseverance. After all, how can we save the internet without saving ourselves first?