AI Generated Summary
This podcast interview from Miho’s “Make It Happen Online” podcast features Anant Shrivastava discussing his journey from researcher to security professional to trainer, and the transition from offline to online trainings.
Guest Background
- Anant Shrivastava: Close to 15 years corporate experience, about 17 years training experience
- Living and breathing information security: For about 12 years now
- Before that: Server admin, hooked on geeky stuff and Linux since 2000 onwards
- Active in community circuits: Ranging from older days of Linux user groups to current scenarios of null, Garage4Hackers, OWASP, other initiatives
- Equal contributor: In corporate space and community space
- Defines self: As researcher, trainer, and infosec professional
- Open source projects: Tamer Platform (dedicated to Android security), Code Vigilant (code-assisted pen testing), Hacking Archives of India (collects anyone and everyone talking about infosec in public spaces)
- Teaching and training: For a very long time, starting from Linux administration to nowadays Android security, web application security, infrastructure security, DevSecOps, supply chain security, niche areas
- Trained at: Smaller events like private gatherings, Indian conferences (Nullcon, c0c0n), international conferences (Black Hat, DEF CON), bunch of different places
Key Topics Discussed
Journey from Researcher to Security Professional to Trainer:
No Pivot from Researcher:
- Wouldn’t say: There was pivot from researcher to security professional
- Researcher background: Always there
- Infosec part: Also there
- Pivots that happened: Different
2000 - Introduction to Linux:
- Introduced to Linux: It was like cool thing
- Computer teacher: Basically said “Hey I don’t know what this is but people who know what this is are cool people”
- That was kind of: Start of journey into Linux circuit
- Installed, played around: With Linux
- Remember back in those days: 75 megahertz processor speed, about 1 GB hard disk space was like luxury of those times
- From that point onwards: Got involved into community circuits, got interested into admin space
- Initially: Whenever anyone starts with Linux or computers generally, people start with programming aspects of things
- Programming was never: Area where wanted to focus a lot
- Started focusing: On admin piece - getting environment ready for people to basically do whatever want to do
Microsoft Crackdown:
- Remember the switch: Microsoft did crackdown across all colleges and schools
- Somewhere around 2005-7: Did crackdown across all schools and colleges saying people using pirated copy of Windows
- That’s when suddenly: Gujarat government (was studying in Gujarat itself) took a turn, saying “Boss, now we want to promote open source, let’s do it”
- Suddenly book changed: From Windows to Ubuntu
- Nobody as teacher: Also
- Things started: With the cool factor, to the point of “Okay, I subscribe to the philosophy, I subscribe to why things are done the way they are done”
- Started realizing: Because able to customize things, have more power in own hands
- Compiling kernels: Was like child’s play at that time - would play around with kernel compilation and whatnot
- Those were learning days: Then got very much interested into administrative aspect of things
- Started working towards: Red Hat Enterprise Linux, Debian on other side, building portfolio around that
First Company:
- First company where worked: Partially also responsible for managing small setup had
- Was server admin: Of that space
- Started reaching bottleneck: Where admin work was mostly offshored work which meant late nights, night calls, night timing, pager duty, all those stuff around it
- Getting into zone: “Okay what are other options?”
- This happened around 2010: While trying to explore other options
- Realized: “I know how to configure systems, generally try to configure them in way in which others cannot do some damage to system”
- Interesting: “Why not start focusing on what is in that space?”
- Started looking: At how to defend systems
- Then it was far easier: To start learning how to attack systems, because “Defense is hard, attack is easy”
- Controversial statement: But true
- Became part: Where started looking at “Okay what are options? What are possibilities getting into infosec space?”
- That is where: Got first job - contractual job working for bigger firm
- That’s where doing: Lot of log monitoring from different sources
- So it was: AV logs, Websense logs, different software installed in environment
- All logs: Were pulling in
- Not effectively attack focused: Infosec job
- First job: More of SOC and log analysis kind of job
- From here: Then moved into more pentesting kind of roles
- In parallel: Because had interest in server admin and in Android security, started branching out into that area on personal time
- That’s where: Having development exposure, admin exposure, and knowing about security gave a better picture and better understanding of environment
- That was first major shift: That happened
2017 Time Frame - Second Shift:
- One more shift: That has happened
- Around 2017 time frame: 16-17 time frame
- Full-time trainer: But effectively joined company called NotSoSecure
- First time: When basically not just doing work for self but also leading team
- Grew team: Between 2015 to 2021 when left - team grew from “I think was first employee” to having about 60-70 odd people purely into information security pen testing space
Role at NotSoSecure:
- Just like every other startup: There were too many hats that was wearing
- Most prominent hats: As regional director for NotSoSecure, basically handling all technical operations
- Other side: Company dealt with trainings and pen testing
- Dealing with: All pen testing operation as well as was leading trainer for most of cutting edge courses
- Would basically get courses out: Would be guinea pig to demonstrate courses for first few instances
- Everything works fine: Then other people would come in
- Couple of other good trainers: Along with - Sunil was there, bunch of other people
- All collectively: Would form training wing of NotSoSecure
- Role was more of like: “If need be I’m server admin, if need be am janitor, if need be am director” - whatever works
Multiple Hats in Startups:
- Host adds: “I’m 26 and done around 8 internships, failed twice, well thrice, in own startups”
- All learned one thing: Even if God forbid something goes wrong and have to go back to working, definitely go back to startup
- Wearing multiple hats: Is biggest achievement think one can have
- Would really suggest: Everyone in audience - if never work with setup, go work with startup
- That’s difference: Not just for entrepreneur but also for each and every employee
- At least till startup grows: To say 40th or 50th employee - yes it is very much a multiple-hat kind of thing
- After 51st employee: Work gradually becomes very granular and siloed
- But before that: It’s a great way to learn and grow
- Fondly remember: One of internships at Oyster where coincidentally met co-founder as well
- Person co-founder: With was Jimish
- Different journey: All together in that sense as well
First Training Experience:
2016 - First Training:
- Fun story: 2016 was teaching Linux (think it was RHEL 3 at that point)
- Supposed to teach: Class about Red Hat Certified Engineer course (RHCE)
- As luck would have it: Had class full of about 20 people, each having 20 years of experience in Unix environments
- Is Unix that old?: Host’s first question - yes, Unix is old
- This was 2006-7 time frame: Unix has been there since 70s or 80s
- These people: Basically dealt with internals of systems
- Supposed to take class: Teaching them about how Unix and Linux are different, what are advantages of Linux
- Class went: Most of time like “Yeah buddy we know this, move forward”
- Was like: A ragging session on first day of college - that was a ragging session
AHA Moments:
- There were couple of things: Fun part was with Unix they were very much hands-on, doing lot of things
- With Linux also: There were other aspects where exploring
- There were differences: In way tools would operate
- Some of those differences: They were not aware of
- Other thing where first learning came: “If you don’t know something, just say ‘I don’t know’, get back to them with what you know, don’t try to talk around it”
- True: Take a step back, understand the audience well, go very specific to the audience rather than going generic
- Host sees lot of course creators: Asks them “Who is your target audience? Anybody wants to learn LinkedIn marketing, but ‘anybody’ could be a digital marketing person, a student, or a housewife” - all three require different curriculum, different workloads
Prerequisites:
- In training courses: Define set of prerequisites
- Very common prerequisite: Put out is person should be well versed or at least hands-on with command prompt
- Lot of trainings require: To type commands
- If have to teach: How to open command prompt in administrative mode or how to open command prompt itself, then not target audience for me
- Would prefer: Not to have in class and do disservice to you, do disservice to others
- Prerequisites: Very, very important in trainings
Cracking Conference Trainings:
Training is a Business:
- Couple of points: To keep in mind
- Training is a business: True for conferences - training is a business, that’s how they earn money
- Can’t go too niche: Can’t go too broad either
- Like today if start saying: “Hey, going to offer training on how to hack ChatGPT” - conferences might not be interested because “This is way too much novelty right now, too many unknowns, don’t know how many people would join”
- But if then go and say: “Hey, how to write creative prompts for ChatGPT” - people might be interested
- But at same time: If go and say “Going to teach how to write a report” - no one interested, because that’s the sort of topic which cannot be converted into lot of hands-on activity
- Whenever in conference space: Provide training, people prefer hands-on training
- Reason being: There are already talks happening - if bring a lecture, why would someone sit for eight or 16 hours to listen to a lecture? Would much rather listen to a one-hour lecture and be done
- True: Same goes for expanding talk material into class format
- Important bit: Keep topic hands-on
- Also have to start looking: At market space
- For example: If conference is around Android security and submit talk or training which is around Android and iOS security, and someone else submits training which is around Android security, very high chance iOS security portion would be negative thing for you
- So read the space
Finding Events:
- Taking step back: How did in first place find events where trainings happening?
- Need early signal: Discovery after the fact is already too late
- Bunch of different things: Been doing - not 100% accurate method
- One is: In space there’s very common site called cfptime.org which is basically for tracking conference call for papers
- It’s not: Call for training tracker but call for papers tracker
- Problem: Mostly paper call comes after training call has ended
- So this does not work: Directly
- But if today go and look: “Okay what were calls open nine months back? What is current status of those conferences?” - because if did call for paper nine months back, right now might actually be doing call for training
- That’s one angle
Second Angle:
- All social media platforms: Most conferences active in Twitter and LinkedIn spaces
- Twitter and LinkedIn: Both allow to search for keywords
- Call for trainings, CFT: Common keywords; basically have tabs open with those hashtags
- For Twitter: Use TweetDeck, which allows following a hashtag
- Have hashtag column open: Get list there
- Similarly Google Alert: Can just set Google alert for “call for trainings” - as soon as page comes up online and Google indexes it, get alert on inbox “Hey called for training pages there”
- Makes sense: Then tweak things around
Third Angle:
- First is to get: Set of conferences where apply
- Once applied, once started looking: At it
- Other angle would be: Look at resume of people who are training in conference of choice
- What are other places: Where they have trained?
- Most of them: Would list that as a resume entry, as a proud point
- Like started with NULLCon, KOKON: Then talked about Black Hat, DEFCON, bunch of other names
- Look at all those names: How are they accepting call for trainings?
- Lot of times: Done this multiple times - would mail conference “Hey, you don’t have a training track; I deliver training at XYZ conferences, would you like to do a training track? There are XYZ advantages - just have to get hotel space, arrange people, people will pay, get extra money from it, pay some money to trainers, win-win for everyone”
- True: Couple of conferences actually started doing trainings because approached them, had discussion, they liked idea, floated training offerings
- At times: Look at it from passive model
- At times: Approach them
- Worst thing: That can happen is won’t get selected
- I agree: Basically think this is very good learning as well for when say as entrepreneur - have to ask, if don’t ask nothing happens
- If don’t ask: Then anyway not getting anything
- If ask: Might get something
- Be persuasive: But be cautious, don’t overdo it
- This is also called: As effectuation
- Power of effectuation: Wouldn’t even leave a fellow passenger on a flight alone; would approach them politely saying “I have something to share, would you like to talk?” - that ask basically opens up lot of doors
Trainings at NotSoSecure:
Numbers:
- Can’t share revenue numbers: But can share some of number of trainings
- Would say: Was at one point doing about three trainings a month
- One training: Would basically be about four day training, four or five day training
- About seven or eight people: In company who were mostly focused on trainings
- Also responsible: For ensuring people not getting overworked
- From doing three trainings: Or spending three weeks in a month, basically aimed for having a person do two trainings at max in a month, then spread over multiple people
- Within single class: Think biggest class taken is Black Hat training class for Advanced Infrastructure Hacking training session - took four day class with head count of about 170 people in single setting
- Makes sense: That’s biggest
Support in Training:
- Because most of hands-on: Most of trainings are sort of about 60 to 70% hands-on, then there’s video and audio media around it
- That being: Standing on stage or other trainers standing on stage and talking about it
- Hands-on part means: Everyone has to do same set of exercises
- Fun is: When put humans in mix - every human does things differently
- Have done testing: Tested material, know if copy command and paste here in right space, this is output
- Can guarantee: About 50% of people would have some differences in output whatever be reason
- That’s point: Where people start getting confused - now need someone to double check with, now need guidance
- What did: Set up ratio - take 15 people at max associated with one support trainer
- If teaching class: Of say 30 people, would have on stage and one more person available
- If classes say: Like 170 odd class, would have about 10 support staff available
- Important bit: Communicate at the very beginning to everyone that being marked as support staff does not mean they are any less knowledgeable than me
- Is because: When someone is on stage, assumption goes this is the knowledgeable person, everyone else is a notch down
- Think India: It’s not India, it’s everywhere - have trained in Australia, United States, UK, bunch of different European countries, Singapore - everywhere it’s same
- Students trust: Person who is talking
- Right at start: Basically introduce support trainers, tell them “Hey you know what am monkey who basically likes to talk so am on stage, everyone else is equally capable, rather require their support in certain areas where not knowledgeable, so can ask them questions, they’ll be able to answer freely”
- Other part: Background is each one of them has gone through same course material 20 times, has encountered every type of error can think of, has shared notes with each other
- Most of time: Support staff would be walking by, see error screen, and respond “Hey buddy, did that wrong” - because already encountered that, seen that, in position to give accurate, pinpointed statement to move forward
- That’s support thing: That worked
Transition from Offline to Online:
March 2022 - Everything Shut:
- Cut to March 2022: Everything shut, nothing going out, nothing coming in-house
- Host asks: How did transition go, and when did it strike that “Boss, will have to do transition for sure”?
- Bunch of things: Were anyways working towards
- Were working towards: Establishing a communication channel, working towards creating a gamification system
- What realized: Labs were via VPN or via communication media, everyone needed to be on internet to work on labs
- Key pieces: Ensuring people actually learning, ensuring when have problem, doubts are solved
- Everything else: Around it was more or less easy because were anyways delivering over internet labs part of equation
Biggest Challenge:
- Moment take person away: From stage and put behind computer screen
- Biggest challenge: Companies were like “Hey, instead of doing eight-hour days, why don’t you split the two-day class into four days of four hours each?”
- Did couple of runs: Of those and basically put foot down - “Nope, not doing”
- Very limited number: Of sessions done that way, because was waste of time for everyone
- Online format: Session marked for four hours
- Doing Zoom call: Or GoToMeeting or whatever media available, giving session to them
- Company’s pitch: Four hours of training, employee available for work the rest of the day
- Problem that comes: Because employee is only four hours on training, remaining four hours supposed to work
- Which means: Emails are on, Slack is on, never able to focus on training itself
- So made sure: “Hey, if doing it, do it in a two-day straight set or four-day straight set, give employees time to actually work on it”
- True: That was the way handled it
- Now trying to solve: That same problem in a slightly different manner - will talk about that later
Communication Tools:
- Biggest problem now: Earlier could just roam around and see what people having as problems on screen
- Now needed media: By which can share this
- Think would agree: On this and every trainer would agree on this
- GoToMeeting, Zoom: Pick up any software of choice for audio visual communication - they are crap at chatting
- They are crap: At ensuring able to communicate properly through
- They have been made that way: Focus should be on video or audio communication rather than chat
- Like by design: Get irritated by chat and move to audio, which is not quite possible for every scenario
- Right exactly: If it’s a short session, that’s easily manageable
- But if doing training session: Supposed to last two days, with question window of like five minutes in which to answer questions, giving stage to someone else takes out two or three minutes of it, won’t be able to answer all questions
- True: Needed separate channel
- That is where: Discord, Slack, Teams - experimented with all of them
- Every one of them: Have own advantages
- Discord: Very good as open thing, as easy to approach thing
- But because Discord: Also something people use a lot for gaming and whatnot, IDs generally connected to lot of things, people get annoyed associating that with something for learning
- Slack on other hand: Gives very cooperative feel, most of time these companies would also have Slack channel, so if in case activate that, can basically do sync up there
- Dark horse: For us was Teams
- No one loves Teams: But loved one fact about Teams - an inbuilt feature
- Host’s different opinion: “I do love Teams, and trained 10,000 folks to use Teams; love it because know what a powerful thing it is”
- With Teams: There’s inbuilt auto-translate
- Have trained people: Who can’t speak English, and can’t speak their language either
- But start day: With good morning to each other in own languages
- Then able to see: Each person sees in own language what the other has been trying to say
- Only caveat: Can’t construct complex, long sentences - sentence length is limited
- That is also improving: In Teams, right exactly
- Even if that’s not there: Problem is the way translation works - different languages may not even have a word for something, so do discussions in simplest words possible
- But that’s where: Used Teams lot and able to sort out discussions
Important Bit:
- Generally what happens: In Discord and in Slack is people create channel, everyone can join in, everyone can ask questions
- Problem realized: Different cultures have different expectations about asking questions
- Asian culture: Do not want to ask questions in public and sound like a fool
- Lot of people: Have different mindset of asking questions
- That’s what: Was acknowledging
- Understand: Lot of people either want anonymity while asking questions, or want very personal communication with the trainer itself
- Middle layer: Also won’t work for them even if equally knowledgeable or something of sort
Three Major Changes in Communication:
First Thing:
- To convince people: That not losing out on online media
- Because everyone was like: “Physical training gives me training; online is basically just looking at a screen share, can’t track or do anything”
- That’s where: Gamification thing came up
- What did: Created web page on website describing all of these things
- Was talking about: Creating channel
- What did as part of channel thing: Created private channels where individual would be there, would be there as trainer, support staff would be allocated
- Support can answer: Questions async
- If there is question: Need to answer which is like common question coming up, will be flagged to, will answer that on live environment
- Interesting: All those
- What did: Created page which showed “Yes can communicate in language, can ask questions privately, have document available where all answers are there if doubt, there are support staff available”
Gamification:
- Also introduced: Gamification angle, in that every challenge or hands-on assignment had a dedicated end-result goal
- That goal: Could then be tracked into system
- They would solve challenge: Get key, take that key, put into other system
- Other system: Would then tell them “You scored 10 points”
- At any point: During class can actually see “Okay how many points achieved? How many points left? What are challenges pending?” and can see how other people doing
- Makes sense: Problem is in virtual world because not there to egg them to do things, need media to have that sort of competition
- That’s where: Capture the Flag setups come into picture which basically tell “Hey someone else able to score more than me, so should be in top” - then people start working on those things
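The key-submission and points flow described above (solve challenge, get key, put key into other system, system awards points and shows score, pending challenges and how others are doing), as an added example that is not code from the podcast or from NotSoSecure. Challenge names, point values and keys are constructed for the demo. Keys are stored as SHA-256 digests so the scoreboard never holds plaintext keys, submissions are idempotent so a student cannot score the same challenge twice, and the comparison uses hmac.compare_digest so a wrong key is rejected without leaking how close it was through timing.

```python
"""Minimal challenge-key scoreboard for an online training class (constructed example)."""
import hashlib
import hmac
from collections import defaultdict


def _digest(key: str) -> str:
    # Normalise whitespace (students paste keys with trailing newlines) and hash.
    return hashlib.sha256(key.strip().encode()).hexdigest()


class Scoreboard:
    def __init__(self, challenges):
        # challenges: iterable of (name, points, plaintext_key); only digests are kept.
        self._challenges = {name: (points, _digest(key)) for name, points, key in challenges}
        self._solved = defaultdict(set)    # user -> set of solved challenge names
        self._attempts = defaultdict(int)  # (user, name) -> number of wrong submissions

    def submit(self, user: str, name: str, key: str):
        """Return (accepted, points_awarded, message)."""
        if name not in self._challenges:
            return False, 0, "unknown challenge"
        if name in self._solved[user]:
            return False, 0, "already solved"  # no double scoring
        points, expected = self._challenges[name]
        if hmac.compare_digest(_digest(key), expected):
            self._solved[user].add(name)
            return True, points, f"You scored {points} points"
        self._attempts[(user, name)] += 1
        return False, 0, "wrong key"

    def score(self, user: str) -> int:
        return sum(self._challenges[n][0] for n in self._solved[user])

    def pending(self, user: str):
        # Challenges the student has not solved yet, for the "what is left" view.
        return sorted(set(self._challenges) - self._solved[user])

    def remaining_points(self, user: str) -> int:
        return sum(p for p, _ in self._challenges.values()) - self.score(user)

    def leaderboard(self):
        # Highest score first; ties broken by name so the order is stable.
        users = set(self._solved) | {u for u, _ in self._attempts}
        return sorted(((u, self.score(u)) for u in users), key=lambda x: (-x[1], x[0]))


# Constructed challenge set: (name, points, key). Hypothetical names, not a real course.
CHALLENGES = [
    ("lab-01", 10, "KEY{lab-01-demo}"),
    ("lab-02", 20, "KEY{lab-02-demo}"),
    ("lab-03", 30, "KEY{lab-03-demo}"),
]


def demo() -> Scoreboard:
    """Run a short class simulation with two constructed students and return the board."""
    board = Scoreboard(CHALLENGES)
    board.submit("alice", "lab-01", "KEY{lab-01-demo}")      # accepted, 10 points
    board.submit("alice", "lab-01", "KEY{lab-01-demo}")      # rejected: already solved
    board.submit("bob", "lab-02", "KEY{wrong}")              # rejected: wrong key
    board.submit("bob", "lab-02", "KEY{lab-02-demo}\n")      # accepted despite trailing newline
    board.submit("bob", "lab-03", "KEY{lab-03-demo}")        # accepted, 30 points
    return board


if __name__ == "__main__":
    b = demo()
    for user, pts in b.leaderboard():
        print(f"{user}: {pts} points, pending {b.pending(user)}, {b.remaining_points(user)} left")
```

Running the module prints the leaderboard with each student's pending challenges, which is the view that creates the "someone scored more than me" pull the passage describes. A real class would put this behind a small web UI with one private channel per student, but the scoring logic is the same.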
Summary:
- To sum up the transition: From offline to online - there are a couple of things to keep in mind
- One is basically: Communication; initial focus has to be on letting people know “Okay boss, offline is equal to online, don’t worry about that”
- Second: Choosing the right tool to deliver content, depending on complexity of content going to deliver
- Third: Choosing the right way of gamifying and making it more engaging for folks to be around in the particular call, the particular session
- Fourth: Ensure able to get support in multiple ways - personal, group, video format or something of the sort
- Fifth: Keep in touch with them after session, bringing them together into an accessible community
- Think this is good checklist: For people to follow if transitioning from offline to online
What Building Today:
Cyfinoid Research:
- Right now building: Company called Cyfinoid Research
- Based on years of experience: Realized wanted to teach innovative stuff to people
- Company: Research-powered training company
- Main focus: Would be on research
- Any research activity: Do comes out in form of training courses
- Right now doing: Two training courses
- There’s: “Attacking Different Android Applications” course
- Right now in process: Of launching “Breaking and Fixing Real Web Applications” course
- Think by around April end: Would be ready to go to market with that
- Both courses: Geared towards people who want to understand how to find flaws in system, how to fix them, how to keep them secure - holistic picture of security
- Then there are newer areas: So this is what coming out
- Way things work: Start researching, then maybe in six months or one year time frame content would become training
- Right now research: Going on around decentralized web, around supply chain security
- Hopefully in next couple of months: Would have courses around that
- DevSecOps again: Would be combination of all covering and in single package as course
Places Looking for Help:
- Interested people: Who are willing to do research work with us, collaborate with us - more than welcome to figure out a way to collaborate with each other
- If people interested: In areas talked about and trying to build something around this, would love to have chat with them
- Anyone: In product space or building own companies and have own security concerns - would be more than happy to talk with them, give guidance from side, experience
- Because want to create content: Which actually going to help them in longer run
- So if get more exposure: To all tricky scenarios that folks facing, would try to cook answers for them in content itself
- Makes sense: In a year’s time don’t actually have to ask those questions
Last Two Things:
One Quote:
- It’s not one but two quotes:
- Don’t idolize people: Everyone has own journey and own life, everyone working towards own goals, don’t try to just idolize someone
- Be open in saying “I don’t know”: But then go back and figure out what don’t know
- Makes sense: Makes sense - those are two quotes
Book Recommendation:
- Book would suggest: More of personal thing
- How to say no: That’s very important
- Learning that early on: In any businesses
- There’s book: Not remembering exact name, can share that name in minute
- Book is about: 365 ways to say no
- Effectively multiple scenarios: In which to say no
- Interesting: Will look it up and add in description as well
Key Insights:
- Journey: Linux (2000) → Server Admin → Security (2010) → Trainer/Team Lead (2015-2021)
- Defense is hard, attack is easy
- First training was “ragging session” with 20-year Unix veterans
- Prerequisites are crucial - don’t teach basics if not target audience
- Training is a business - conferences earn money from it
- Multiple ways to find training opportunities: cfptime.org, social media hashtags, Google alerts, looking at trainer resumes
- Ask conferences - worst thing is won’t get selected
- Support ratio: 15 people max per support trainer
- Biggest challenge moving online: companies wanted 4 hours/day instead of full days
- Teams has auto-translate feature - useful for multilingual trainings
- Different cultures have different expectations about asking questions
- Gamification important for online trainings
- Cyfinoid: Research-powered training company
Actionable Takeaways:
- Don’t idolize people - everyone has own journey
- Be open saying “I don’t know” - but then figure it out
- Prerequisites are crucial for trainings
- Training is a business - understand market space
- Multiple ways to find training opportunities
- Ask conferences - worst is won’t get selected
- Support ratio: 15 people max per support trainer
- Full days better than 4 hours/day for online trainings
- Teams has auto-translate - useful for multilingual
- Gamification important for online engagement
- How to say no - 365 ways book
- Research-powered training - Cyfinoid approach