Josh Johnson

Josh Johnson is a SANS Certified Instructor and course author of SEC586: Blue Team Operations: Defensive PowerShell. He has been working in the Information Security industry for over 10 years in varying roles with responsibilities ranging from penetration testing to incident response. Josh was Purple Teaming since before it had a name and used his offensive security skill set to find and pursue his true passion - Blue Team. Since then, he has been helping organizations of all sizes, and in varying industries from healthcare to retail to finance, improve their cyber defense capabilities.

More About Josh

Profile

Josh Johnson was in an undergrad Computer Science program when he took part in a programming challenge where he had to write an application that would not fail if someone 'sat on the keyboard' and he wondered why input validation was so important. This led Josh into the obsession and rabbit hole that is cybersecurity. He’s spent countless hours since that point, first learning how to exploit vulnerabilities in applications, and then transitioning to the Blue Team challenge of cyber defense.

For Josh, no two workdays are the same. What starts out as a normal day can immediately turn into 36 hours of incident response. Another day can be spent with headphones up, deep in thought, and coding a new tool. Other days might involve working with a team of engineers to design a new solution that provides protection against modern threats.

Josh has broken into and defended massive, complex networks, worked on large-scale engineering projects and helped teams better organize their defensive practices to align with the threats they face. He’s designed and implemented security solutions within very different environments with different goals. Most importantly, he’s had incredible mentors who have taught him how to work with people beyond the technology to truly make a meaningful difference.

A former student recently reached out and told me that one of my favorite defensive techniques had just helped them find and address a threat that had otherwise been completely hidden from detection.

“I didn't know I wanted to be a SANS Instructor, but as part of the MSISE program within STI, I gave a talk on Application Control implementation techniques. A few weeks later, an attendee emailed me saying that they had just completed a successful pilot using the guidance I provided. I never wanted to give that talk at a SANS conference due to some struggles with impostor syndrome. However, when I read that email something clicked, and ever since that day, my primary goal has been to help people within our field” said Josh.

Josh spends significant time hands-on with every tool/technique discussed so that he has a deep understanding of nuances in implementation, potential roadblocks, and design options. He also prepares for each course run as if it is the first time he is seeing the material. He asks himself, "Where might students want to drill deeper on a certain topic?" and then prepare bonus material for those areas.

Josh has presented at major SANS events and information security conferences such as DerbyCon. Through his own research, war stories, and demonstrations, he enjoys sharing what he has learned with others.

Josh has most recently authored the SANS SEC586: Blue Team Operations: Defensive PowerShell course.

Josh holds a B.S. in Computer Science from St. John Fisher College and an M.S. in Information Security Engineering from the SANS Technology Institute. He is a CISSP and holds 8 GIAC certifications including the GSE, GCIA, GSEC, GCIH, GWAPT, GCPM, GCFA, GREM, and GDSA.

Josh enjoys contributing to the information security community by sharing research and tools that help bolster blue team capabilities, and these tools have been used in preventing and detecting large scale incidents.

WEBCAST

FREE TOOLS

  • Author of Update-VMs: Automatic framework for snapshotting VMware VMs and patching them. Supports custom health checks per VM with automatic rollback of failed healthcheck and default healthcheck is to see if the server comes back online.