
Okay, thanks everyone for joining today. Awesome to be coming back to BSides Knoxville; looking forward to presenting there in person someday. I've heard it's a really cool venue and a really cool conference, so thanks everyone for attending my talk.

A little bit about me, if you're not familiar with who I am. I'm Phillip Wylie. I have my CISSP, OSCP, and my SANS GWAPT certs. I'm an offensive security instructor at INE. I'm also an adjunct professor at Dallas College. I'm the founder of The Pwn School Project, which is an education-based meetup that was originally focused on offensive security topics, but over the years we've transitioned to more general cybersecurity because there's a
need for people getting started in the industry. I've been in IT and infosec for over 23 years, specifically in security for a little over 17, and the last nine years working in offensive security as a penetration tester. I've done web application pen testing, mobile pen testing, Wi-Fi pen testing, as well as performed as a red team lead. I was featured in the Tribe of Hackers Red Team book and am also the co-author of The Pentester Blueprint: Starting a Career as an Ethical Hacker, which I gave the talk on here last year. I'm a co-host of The Uncommon Journey podcast and just started my own new podcast called The Hacker Factory, and I'm an Innocent Lives Foundation ambassador and
champion and a Hacking Is Not A Crime advocate and board member.

So my offensive security path is a little unusual compared to most. I started out as a pro wrestler out of high school because I didn't know what I wanted to do for a living, and I was a powerlifter, big muscular guy, so people said, hey, you should be a pro wrestler. I thought that sounds good. I just really didn't plan on college and didn't go to college, so I wrestled professionally for a while, and then in '98 I got married and I needed a more stable income and a lifestyle more conducive to marriage. So I worked in retail sales, I worked in manual labor,
I worked in restaurants, and really just didn't find anything that I liked. So one day I was watching television and one of the trade schools advertised their AutoCAD program, so I went to school and became a CAD drafter. Through CAD drafting I found out about sysadmin work; I found out that it seemed more interesting than the CAD drafting. Before drafting I had no exposure to computers, and I found out that I was pretty good with computers and had more of a talent with the computer itself than I did in drafting. So I taught myself how to build computers, took a Novell network class and became a sysadmin, did a Windows 95 and NetWare 4.11
rollout for a national company, and so that's kind of how I got my start there. Then in January 2004 I moved into infosec and network security. In 2005 I moved into application security, and application security is where I found out about penetration testing. I ran vulnerability scanners, different types of vulnerability scanners, and also learned about the field of pen testing. I got laid off in 2012 and I went to work consulting as a penetration tester, and then one of my last offensive security roles that I moved into was a red team lead doing more of the adversary simulation.

So the agenda: we already covered my offensive security career path. One of my
purposes for doing that is some people think sometimes that they don't have the potential to be a pentester. I like to share that if someone who is a former pro wrestler, meathead weightlifter, can learn how to be a pentester, then anyone that puts in the time and effort can be a pentester. So I like to share that part of my story. It's not really necessarily needed to describe my path, but I think it's helpful to help others and hopefully motivate you.

Also on the agenda, we're going to discuss what is offensive security, the offensive security domains, a red team intro, red team tools, a red team blueprint to show you how to
become a red teamer, and also some resources, learning, certification and book-wise.

So this first slide I like to share with my students each semester. I'm a Hacking Is Not A Crime advocate, so I also share that hacking is not a crime if you have permission. Hacking is a skill set, and being an advocate for Hacking Is Not A Crime, we're trying to help the media, the news and other people outside of the security area to realize that hacking is not just a criminal activity; it's used for good during pen tests. In this slide I got this quote from Spider-Man: with great power comes great responsibility. Uncle Ben was giving Peter this quote. I think this is
a good one for the hacking skill set. So only hack if you have permission. Hacking without permission is illegal, so make sure you have permission. You don't want a criminal record to affect you getting a job, and that not only affects getting a job as a penetration tester or other offensive security professional, it can also affect other areas of IT.

So what is offensive security? Offensive security is assessing the security of a target using adversarial tactics, techniques and procedures, also known as TTPs, commonly known as ethical hacking. We're going to cover the different domains of offensive security. There's two major domains, but under pen testing there's a lot of
different areas that can be pen tested, and some of these can fall under the red team domain as well. So pen tests are performed against networks, including wired and Wi-Fi networks, applications, cloud, people through social engineering, and buildings through physical security. You may have a very secure environment, but if your physical controls are not secure, if your people are not checking people's badges when they come into the building, letting people tailgate, and someone gets their hands on a keyboard, the likelihood of a breach is more probable. And also hardware hacking and vehicles; vehicles have become a very popular and needed area to pen
test.

So red teaming doesn't necessarily equal pen testing, because over the years you've heard red teaming generalized as penetration testing. While it falls under that realm, true pen testing is a little more specialized, just kind of like the blue team: not everyone does the same thing under offensive security, there's different specialties and different roles, and red teaming is more adversary simulation. As we get further into this talk we'll describe why that is and what the differences are.

So the commonalities. You'll see by these two descriptions there that the commonalities are very similar: you have exploitation on the hacking piece, social engineering, phishing, physical security exploitation, and some of these are not always part of
a penetration test, but they can be. Some of these things like the social engineering, physical assessments and phishing are done more commonly in red team engagements.

So the differences. While threat actor emulation is not really done in a pen test, you are using some of the threat actor type of techniques, although you're not emulating specific threat actors. And also detection avoidance: you're trying to avoid detection in a red team. Sometimes this can be part of a pen test, but it's not always included. Red teaming is less restrictive in scope; pen testing is more restrictive and more vulnerability-focused, where red teaming is more focused on things that can be exploited. So while there are some similarities and differences, both types of these tests are required.
So with the red team engagements you're trying to find vulnerabilities that can be exploited and lead to a breach, whereas in a pen test you're trying to find all the vulnerabilities that can be exploited and exploit them. With the red team engagement you may try to find more than one way in to exploit those systems, because if something happens and you lose your access, you need to maintain access, so having more than one way to get in is sometimes helpful.

So tool commonality. We'll see the tools here are very similar: Linux attack platforms, Windows attack platforms, Linux- and Windows-based tools, Metasploit, malware and exploits, command and control.
But we see on this other side vulnerability scanners. During a red team engagement you're trying to go undetected, so if you fire up Nexpose or Nessus there's a good chance you're going to be detected, so you're trying to avoid those. Both of these engagements are going to be based on the amount of time. With a pen test you normally have more time and the scope is usually bigger, so you need to cover more things, so vulnerability scans are a must and needed. Then with the red team there's a heavier reliance on exploits and malware. You're still going to use exploits on your pen test, but it's a
little more needed. Command and control is more heavily utilized during a red team engagement as well.

So kind of a little extended intro here. Red teaming is scenario-based security assessments emulating threat actors and even specific APTs, or advanced persistent threats. A goal of a red team operation is to simulate a real-world breach. Not only is the operator testing the security of the technology, they are testing the people and the processes. One of the best and more simplistic descriptions I've seen of red team was given by the Dallas Hackers Association founder, Wirefall. He described red team as: red team tests the blue team. So this goes back to the people,
processes and technology: you're testing to make sure the people are reacting and the technology is detecting the activities.

So red team operations take more time to plan and perform. They rely heavily on OSINT to enumerate information on target technologies and employees. Employees are leveraged through social engineering and phishing to gain an initial foothold in the target environment. When you're internal to a company sometimes it's easier to exploit and get a foothold; during red team engagements a lot of times you're starting out from the internet. There may be some physical exploitation involved for the building and social engineering, but in some cases it may be all remote. In a lot of cases you're starting remotely, so being able to get information on
employees, to be able to perform phishing exploits against the end users and deliver malware payloads to get an initial foothold, is important. So detection avoidance is very important to be successful in red team operations. We're impersonating a real-world threat agent; this could be anywhere from script kiddie to hacktivist to nation state to organized crime.

Red team TTPs. Red team operations rely on malware payloads to gain initial footholds, so sometimes you have to be a little more creative and go a little more past the realm of just Metasploit. Evasion and obfuscation are very important for malware success. Command and control, or C2, is an important tool to control compromised systems, deliver
payloads, elevate privileges, perform lateral movement and maintain persistence, like using Cobalt Strike. Sometimes if you lose connection to your target, it's easier to connect back; when you use purely Metasploit or other manual exploits, then you may have to exploit the systems all over again, and so the nice thing about Cobalt Strike is if you lose connection it's sometimes easier to reconnect.

So red team operations planning. Planning red team operations can be very detailed and mapped to APTs from the MITRE ATT&CK framework, and tools like VECTR. VECTR utilizes the MITRE ATT&CK framework to plan out your red team engagements and is a way
to map the progress as you go through that red team engagement. Red team ops can be less complicated as far as mapping to specific APTs; it can be more creative, just using different types of tools and techniques, because before these APTs are known and mapped to MITRE, the real-world attackers or threat actors are coming up with these. So you could emulate that yourself by using common techniques, and even if the APT is not mapped out you can actually go through and see common types of tools that are used in your specific industry. So maybe in an ICS/OT environment you may see things that are more commonly used there, and you may
use those as well as things totally outside of the realm of that area.

So additional benefits. A major benefit of red teaming is testing the people, process and technology. During the operation, if the activities are not detected, the red team can work with security to tune the security defense systems to detect malicious activity, morphing more into like a purple team engagement. This is really important, because if you can go through and you're able to detect these types of tools, then this will help mature your defenses. You know, not every end user needs to be able to run tools that are PowerShell-based; you don't want Mimikatz to run in your environment. So
just by simply testing these and doing a red team engagement, expanding into your purple team, you can go through and detect those items and learn how to block. If it's not being detected, then tune those endpoints and EDR solutions to be able to detect those.

And so becoming a red team operator. This is one of the more popular portions of this talk, because a lot of people wanting to get into it want to know where to start. It's so much similar to pen testing; red teaming is very similar. So you need to build the base: your technology basics, your networking, operating systems and Active Directory. Understanding operating systems from a
sysadmin level: to be able to breach the security of a system you need to really understand Windows and Linux from a sysadmin level. If you're able to get a shell to a system, having that command-line access, if you can shut down firewalls or services, then that can help you in your exploitation efforts. Active Directory is widely used in enterprises, and also Active Directory in the cloud, for Azure cloud pen testing; it's important to know that, as a lot of enterprises use it, so you really need to learn that area. More pen testing-specific: hacking techniques, learn the different tools and techniques.
Programming and scripting can be very important. When starting out you don't necessarily have to be fluent in scripting and programming, but to take your skills to the next level and become a really good pen tester or red teamer, it's really good to be able to write some exploits or write simple scripts in Python, be able to execute PowerShell scripts, or you can build your own PowerShell scripts, and then use languages like Go and C# and even C to learn how to write exploits or modify exploits.

So red team-focused skills. Red teaming is kind of a specialization of pen testing, and so we see some of the skills here that you really need to work
on. Although you're using malware and exploits, being able to write malware or modify malware and exploits is important. Obfuscation and evasion are very important to be able to be successful using these exploits. Active Directory exploitation, as we mentioned in the pen testing skills, is very much needed. Command and control, because this is a very popular and widely used tool; you can even see some of the popular C2s like Cobalt Strike used by threat actors, so this is a good way to emulate a threat actor, using C2s like Cobalt Strike. Phishing, social engineering and physical security exploitation: these are ways to improve upon your skills. Starting out as a pen tester you may not
be doing much phishing or social engineering or even physical security, but these are skills to kind of enhance your security. There's people that specialize in certain areas; they may not be comfortable on a phone call trying to social engineer someone, but sending an email may be something they could do. Physical security they may not be into, but some people really specialize in these areas. So if you're someone who specializes in social engineering and physical security exploitation, then red teaming may be a way for you to enhance those skills, learn more of the hacking piece and do more red team-focused engagements.

Just to take a step back to
the need for red teaming, that I kind of forgot to mention: over the years the scope of pentests has become a lot more narrow. With PCI and different compliance, they focus more on the compliance piece of being compliant and not so much on the true need for pen testing and making sure the systems are secure. They're trying to check that box and be compliant, and due to that people have gotten away from some of the pen tests. You know, at one time pen tests were closer to a red team engagement, more of an adversary simulation, and they kind of got away from that. So this has really opened up the reason and popularity for
this area and this specialization; these areas were getting overlooked due to the narrow scopes of pen tests. So if you've been doing pentests for years, a way to mature your organization's security is through red team operations.

So as far as the learning paths. The hacking skills: when I started out as a pen tester I had experience with vulnerability scanners and I had worked in application security and network security, had a sysadmin background, but I didn't know how to hack. So I went through the OSCP to gain my hacking skills. There's resources out there like Hack The Box and TryHackMe where you can learn and practice those hacking skills,
and then learning social engineering is a good one to add to your hacking skills. Red team learning paths: Pentester Academy Red Team Labs; eLearnSecurity, now INE's, Penetration Testing eXtreme course is labeled as penetration testing extreme, but it's actually a red team course; and Hack The Box Pro Labs, RastaLabs, was one of the first red team courses out there. He went on to create his own Zero-Point Security Red Team Ops course. So these are good ways to learn some of the red teaming side of things.

And so APT planning. To plan APTs we mentioned MITRE, so the MITRE ATT&CK framework is a good place to map
your APTs for your red team engagements, and then VECTR is a good tool for planning that out. It has the different APTs in there so you can map out your red team exercise. And then command and control: the C2 Matrix. If you have the time, look up anything from Jorge Orchilles; he does some really good talks on the C2 Matrix. The C2 Matrix has a list of different C2s out there. Some of these are commercial, some of these are free, and you can go through there and look at it and see which C2s fit your environment better. Then over time you may use other
C2s and not stick with one specific one. A lot more people are starting to catch Cobalt Strike, although with some of the payloads and stuff you're using, such as more of the PowerShell stuff, you may go more towards the C# stuff. But there's also open-source solutions like SILENTTRINITY, Empire, and then Damio C2, which is fairly new. Damio came out last year right before DEF CON, and it's a C2 written in Go.

And then operating systems. Slingshot Linux from SANS: they have a VM, similar to Kali Linux and Parrot OS, that's a hacking distribution, but it also has some of the C2s built into it as well as VECTR. So the VECTR tool is already installed,
so it makes it a little easier to get that installed and up and running. Kali Linux and Parrot OS most people have heard of for hacking platforms. A lot of times people overlook Windows, so I like Commando VM; it's a script by FireEye that lets you install hacking tools on Windows. A lot of times, hacking your Active Directory environments and being able to leverage the PowerShell tools, although you can install PowerShell on Linux and macOS, it's nice to have it in a native environment of Windows, as well as some other Windows administrative tools that are helpful during a red team engagement or penetration test. So with your attacking rig you'll want,
you know, a Linux VM as well as Windows.

So different courses that you can take: Hack The Box Pro Labs by Rasta Mouse; Pentester Academy's Red Team Labs; and Sektor7 Institute (institute.sektor7.net), which has a lot of stuff. It's more based on malware. The malware creation piece is not widely available, although more of this is coming out, but it has some really good stuff on malware development. And then Zero-Point Security by Rasta Mouse; eLearnSecurity Penetration Testing eXtreme by INE is a good one; and then the SpecterOps Adversary Tactics: Red Team Operations. If you haven't heard of SpecterOps, they're a consulting company and one of their specialties is red team
engagements, and some of the people on their team, such as harmj0y, have written tools like some of the PowerShell tools for exploitation. So that's a really good course, especially if you're using Cobalt Strike; it's heavily based on Cobalt Strike, so keep that in mind when you take the course. I got to take that last year and it was a very good course and really showed you how to really leverage Cobalt Strike in red team engagements. FortyNorth Security: they have Initial Access Operations and Intrusion Operations, so they get more into breaking down red team and some of the malware development. Also Silent Break Security, their Dark Side Ops, so the malware dev, and then also the
Dark Side Ops 2, which is the adversary simulation. So as you advance, you know, kind of starting out the red team side is what you'll learn; as you learn more development and understand that area, you can get more into the malware development, learning how to obfuscate your code to be able to evade detection. And then the SANS Red Team Exercises and Adversary Emulation; there's another course out there that's red team-based. And then cobalt.cobaltstrike.com has videos and content on Cobalt Strike; it's a free resource and very helpful in getting you up to speed on Cobalt Strike.

And here's a list of blogs: Red Team Journal; redteam.guide; Threat Express is actually part of the
project, redteam.guide, which Joe Vest and his co-author, who wrote a book which we'll cover here in a minute, run. They've got some really good tips on red teaming out there. Red Team Journal is a little bit older but still useful information. I don't know that it's been updated in a while, but it's definitely a good resource, because a lot of the basics stay the same; just some of the attack techniques and tools kind of evolve over the years, but it's still a good place to start. And then byt3bl33d3r, the creator of CrackMapExec, he's got a really good blog, a lot of good use on using the CrackMapExec tool,
which is a good password hacking tool. And then harmj0y from SpecterOps, his blog is a good resource. BC Security: they took over maintenance for PowerShell Empire. PowerShell Empire, the version 2.7 Python version, was deprecated, and BC Security took over maintaining that and updated it to use version 3.x of Python. And then Posts by SpecterOps is the blog for the SpecterOps team. Rasta Mouse's blog, and then Ryan Cobb from SpecterOps, that's a good resource. Silent Break Security and FortyNorth Security, these are a couple of consulting companies that do a lot of good red teaming work, so these are good blogs to follow. ired.team is a really great resource;
this is one I've relied heavily on. And Vincent Yiu, he's got a really good red teaming blog out there. So these are all really good resources to follow. It could save you some time learning and kind of point you in the direction of things to learn and different types of tools that you need to learn.

And then as far as books go, there's not as many books out there. While for the pen testing skill set there's a lot of books in that area, for red team, Red Team Development and Operations: A Practical Guide by Joe Vest and James Tubberville, this is a good book there. It not only gets into technical stuff, it kind of
shows you the documents that you need building a red team, so if you don't have a red team in your organization this is a good resource to build your red team. And then Hands-On Red Team Tactics: A Practical Guide to Mastering Red Team Operations. This one is interesting because it actually gets into Cobalt Strike; you don't see a lot of resources in book form that share Cobalt Strike information, so that's a good one, especially for that. And then The Hacker Playbook 3. While The Hacker Playbook 1 and 2 are focused more on penetration testing, the third book is the Red Team Edition,
focusing more on red team. So those are good books. The Hacker Playbook, I have both version 2 and 3; I highly recommend those, as well as the Red Team Development and Operations book listed there.

So certifications. There's not a lot of certifications out yet that are red team-focused, but I'm sure that will grow over time, and it's a pen testing specialization. So Zero-Point Security's Certified Red Team Operator is a really interesting cert; I actually went through that training, as well as the Pentester Academy Certified Red Teaming Expert course and the INE Certified Penetration Tester eXtreme. So these are some certifications out there that are offered for red teaming, and
then more pen testing-focused. A lot of the red team jobs will be looking for specific pen testing certifications, since red teaming is a specialization, so having the Offensive Security certifications, SANS and eLearnSecurity certifications are good to have that are focused on pen testing. And still, the eLearnSecurity one titled as Penetration Testing eXtreme is still a red team certification.

And so here is my contact information. We will open this up for questions, but feel free to connect with me on social media or email me. I'm happy to answer any questions. Before I started teaching, I started out mentoring and just sharing advice and techniques and tools and stuff that I
used, things I used to learn to become a pen tester, so I still like to do that. So feel free to reach out to me on LinkedIn or Twitter or email me; I'd be happy to answer those questions. So with that being said, we can open up the questions.

All right, let's see what we've got here. Which books do you use in the courses you teach?

Which books do I use? I actually have the ones back here mentioned. As far as red team stuff, I actually use the Red Team Development and Operations and The Hacker Playbook 2 and 3. When I started teaching at Dallas College I used Georgia Weidman's book
Penetration Testing, I believe it's A Hands-On Guide to Hacking, but Georgia's book is really good for someone who's getting started out in pen testing, because it actually takes you through building a lab as well as teaching you pen testing, and of course The Hacker Playbook. As far as the path to take with those, I would start out with Georgia's book and progress to The Hacker Playbook. As far as the courses at INE I'm teaching, I'm updating content; I actually just taught a boot camp today, we offered a cloud pen testing boot camp, so I'm just starting to create content for them, but at Dallas College, jumps to jump.

Okay, what are your thoughts about the CompTIA PenTest+? Is it worth it?

I think it's good for someone starting out. I like the CompTIA certs because it's really heavy on methodology. You compare it to something like the CEH: this is how you use a tool, and they really don't chain stuff together. So the thing I like about the PenTest+ is it's really heavy on methodology; they cover the Penetration Testing Execution Standard, which are things you should understand, and so that's a good one. And actually with my course I used to use Georgia's book the first semester, but then CompTIA came out with the PenTest+; the beta of that
exam came out like the summer of 2018, and so I went through a train-the-trainer course through CompTIA, and based on reviewing some other CompTIA content I really liked it, because our college did a lot of CompTIA courses, Security+ and the CySA+ courses. I really liked CompTIA because of the methodology, going through and seeing some of the real tools used in the real world; I was really impressed with it. So I think it's good. As far as certifications go, some entry-level positions may look for it, but as far as getting a job I don't know where it really helps that much there, but as far as getting, you know, the
education and understanding methodology, I think it's a good place to start.

And are you planning on sharing these slides, or have you already?

Yes, I can share those slides.

Yeah, you've got so many resources in it, like it's just a gold mine, you know. A bunch of people have asked that same question.

I really need to sit down and consolidate, because my Pentester Blueprint talk, I've got resources on that as well. And so yeah, I can share that, the PDF.

Okay, great. Yeah, and we can put it on the Sched page. You know, I know it's designed for you to just upload to the page for this talk, and
we could probably drop it into the Discord as well. Okay. Let's see. Is Certified Ethical Hacker still worth getting? I know I've seen that on, like, some hiring folks still put that on there.

Yeah, it seems to be a popular one with HR, and then it's one of the DoD certs, which PenTest+ is now on the DoD list of certifications, and that's where it's been pretty popular. When I was consulting, at one point my employer, we were bidding on a government contract, and they asked me, and I was OSCP certified at the time, and they said would you get your CEH for this contract.
So sometimes, you know, with these government contracts they want certain certifications.

It's so funny, though. Like, if you understand what the certs are, it's like, you know, I've got this cert, we need you to get this CEH. It's like saying you've got a PhD but we want you to go back and get an associate's degree in the same thing.

Right, right. Like, you know, would you go back and take this high school course? Yeah. And that's like the CISSP, too. You see a lot of these technical jobs, and, you know, it's really more of a management-based certification, and you really wouldn't have enough experience to even
sit for the certification. That's the big thing with HR sometimes, and management, just not understanding the certifications.

Yeah. The other thing I've heard about CEH, direct feedback I've heard from folks who've taken it, is they were shocked at how outdated it's become, in the fact that apparently they haven't put much effort into updating it, but yeah, some of the questions are apparently very, very old.

And that's one of the things when you're looking at different companies for training and stuff. I know, like for instance, you know, at INE we routinely, we're in the process of updating older content, and then like Offensive Security and SANS, they're constantly updating, and that's
where when you're using resources on Udemy and stuff you have to really look at the date and see if it's been updated, because, you know, some of these courses like the CEH. And it's really funny, because I actually had a friend who wrote a CEH course and had it on Udemy, and he gave me a voucher just to kind of review it for him, and they were kind of using some tools, you know, from back in the early 2000s and stuff. So I can see where things aren't being updated.

Yeah. What was the book you mentioned about building a lab?

Georgia Weidman's book, Penetration Testing: A Hands-On, I think it's A Hands-On Guide to Hacking or An Introduction to
Hacking. So that is a really good one, because, like I said, I used that, and actually that book came out in 2014, the year after I got my OSCP, and I wish it would have come out sooner, because, you know, she covers a lot of topics in there; she even covers some mobile pen testing as well. She's supposed to be in the process of updating the book as well, but it's been a pretty popular one. If you look out for the hacking Humble Bundles, usually it's included there.

Yeah, okay. Previous presentations have spoken about the danger of red team and pentester burnout. What can trigger that
burnout, and how do you avoid it?

Yeah, I think burnout is going to depend on the hours that you're putting in. I know someone in my community that really got burned out, and it depends on where you're working. If you're working as an internal resource, usually companies are going to be a little more realistic with your schedule; they're going to try to go for a work-life balance. Sometimes in consulting they may have you booked on multiple engagements at one time, so that, you know, can affect that. So the things you can do yourself: if you've got a really heavy workload at work, make sure to take breaks, because as professionals we have to constantly
improve our skills, so on the weekends take some breaks from it. You know, get away from this stuff, and I have to do that myself sometimes. So just take breaks away from it. You need to constantly study, but realize, one of the ways I like to describe it is just the way athletes train: you know, you're overtrained if you're not taking some rest, so you have to kind of actually schedule in rest. So make sure you're taking time before you get burned out, because you don't want to get burnt out to where you don't like what you're doing. So just scheduling some time away from it.

That's a great example. I've heard, I
forget where I heard this, but, you know, even at the Olympic level, some of these athletes train like 20 hours a week or 25 hours a week. It was much less than you'd think.

Yeah. You know, because I guess you can only push your muscles so much and your body has to recover, whereas mentally we feel like we can push it more, you know, but then we burn out. We're like, what happened? An interesting thing, when you look at sports too, you can actually get central nervous system burnout from sports, much the same way you can from thinking and stuff. So that's a lot of times why people need
to to rest and you know there's times of course that when you're learning you'll have to put in some time but make sure to to get some rest in and because one of the things that that probably one of the things i looked at in in later in my career that i kind of got burnt out with pen testing and just kind of turned me off is sometime the hours because you know sometimes you have to test after hours and i had a client when i was consulting that i had to when i tested them unfortunately it's like four four weeks out of the year so my test hours were from 6 pm to 6 a.m
And then you have those customers that you can't start until midnight or 2 or 3 a.m. in the morning. Yeah, and unless you're a night owl... sometimes I push back on this stuff.

Hopefully you're charging extra for that.

Yeah, yeah. Unfortunately, with the companies I was working for, I don't know if they were charging more for that.

The thing that's always annoying, and I know you have experience in the area: doesn't it always involve the engagement managers that come up and say, do you want us to test after hours, instead of just saying, what time do you want us to test, and letting them guide it? Because then, if the customer has any fears of you testing during production hours, they may have them now. And the point that we made in those cases is, okay, so we're going to put one of our pen testers on third shift; okay, if they do break something, are you going to have people there to fix it? Maybe your users aren't there, but guess who else isn't going to be there: anybody that can fix it when we break it. How hard is it going to be to get a hold of someone after hours? Is the application or environment... you know, people come in the next day.

Yeah, we had Adam Compton giving a talk earlier, and I distinctly remember it felt like two or three months he was on third shift basically, and I almost never saw him, even though he had an office right next to mine. Yeah, I almost never saw him in that time. And we had plenty of pen testers that would just turn down certain things, like, yeah, no, I'm just not going to do that. It was interesting.

So on the topic of burnout, just sharing a little bit of my own experience here: when I started a consulting organization, me and a buddy of mine, Kyle, I started volunteering on Friday mornings at an animal rescue, because otherwise I was just working seven days a week. With your own company, you're not only doing the engagements, you're doing all the sales, you're doing all the marketing. We used to joke that the paying work was what we did in our spare time, outside the normal 40 hours, when we actually landed work. But yeah, I found, for me at least, I kind of have that personality where I can just get sucked into it and forget to take breaks and things like that. So for me I have to actually schedule something that forces me away, like actually sign up for a 5K or something like that that I'm forced to train for.

Yeah, definitely. Especially when you get in some projects and you're really making good progress and really getting into it, sometimes it's hard to break away. Just like even studying, because I remember going through the OSCP process back years ago. It's kind of hard to do it now; I'm like 55 years old, so nine years ago it wasn't as difficult. Man, when you start getting over 50 it gets a little tougher to stay up late. I used to easily stay up to 3 a.m. and go to work the next day, but now I can't pull all-nighters anymore.

No, I can't either; I fall asleep. Yeah, one more question here: in your experience, is there a particular operating system that seems more resilient, or is it mostly a matter of context, as far as withstanding a pen test or not crashing during a pen test?

I don't know, we need more context for that one.

Yeah, maybe, because you could be talking about a target... what's withstanding a pen test?

Yeah, so I guess maybe one that's easier to defend. I would say, as far as fewer issues and probably being more resilient, it's been my experience that Linux-based systems seem to hold up better against it. But during my pen testing career there was one instance that I had some systems reboot. It actually was a couple of firewalls that were just kind of old and outdated, and I was running masscan. Everything else held up okay, but then masscan rebooted those two firewalls.

That's a rite of passage as a pen tester. We all have lists of things that we caused to reboot accidentally and how we caused them to reboot. Like, I remember Polycom phones: you don't want to send any web requests to older Polycom phones over a certain amount of characters, or a certain length, because they've got a web server on them, and because it's a real-time OS running on them, if you crash any process running on that thing... and old Cisco routers, same way, and like the firewalls you're talking about, if you overflow any buffers there, the whole thing just falls over.

And that's one of the things you learn as you progress in your career: you get used to things. What helped me, as a former sysadmin, is to always be careful in environments not to take things down, because when you get started sometimes you can be a little gung-ho, and you're just more concerned with "we'll get domain admin or root on a system," and you don't think, and you take things down. So that's one piece of advice I give anyone starting out: be very careful, and your customer or your employer is going to respect you more for not just going in there recklessly taking stuff down. You don't want to have those calls when you rebooted a firewall or took something down.

Yeah, the organization I was at was renegotiating their contract with the federal government, and that was 100% of the revenue, that one contract with the federal government. They were using those Polycom phones, and when I took them down, they were in all-day meetings trying to negotiate that contract, and every one of those phones went bloop.

Yeah, probably more than most... I guess so. My first denial of service situation, or taking a system down, was back in my sysadmin days. I remember working in a rack of servers, getting ready to reboot a server, and actually rebooting a production server instead. Pushed the power button.

Yep. Got another question here: what's a good entry-level role for someone that wants to eventually develop into a red teamer?

So yeah, of course you're going to want to get the pen testing experience, but a place you can even start, that people don't think about sometimes, is that some organizations have teams that do nothing but vulnerability scanning. I worked for a bank before where we had a team that did nothing but vulnerability scans, and we also had a remediation team, so you could graduate from vulnerability scanning to the remediation team, and the remediation team would just go back and do rechecks on the vulnerabilities to see if they're still vulnerable before having us do a re-test. So those are good places to start. Some other areas I think are kind of good: a local tester from the Dallas community, so some of you may be familiar with TinkerSec on Twitter, he started out as a SOC analyst and moved from SOC analyst to pentester, but during that time he used his time really well. During pen tests he used to really monitor the traffic and then work on tuning the systems to detect that kind of traffic. So that's where these skills make people better at their jobs, and why it's good to understand it: while you're a SOC analyst, understanding the attacks is going to make you a better SOC analyst; if you're in digital forensics and incident response, understanding the attacks is going to make you better at your job. But even a SOC role was good. Sysadmin wasn't bad; that's really where I got a lot of my knowledge.

Same here, like I'm the vulnerability scanning team.

One of the things to share too, because a lot of times people say you have to be a sysadmin: you don't necessarily have to have that experience, and I'd say take whatever job you can. If you're not in IT, it's going to be easier to get a security job if you were a sysadmin than just going in with no experience, so take whatever job, help desk or SOC, to get in, and then just kind of advance from there. Sometimes, like when I moved into security, I was a sysadmin; if I'd been outside the organization I probably wouldn't have had a shot at getting the job. So I think take what you can to get in there and get the experience, because all experience is valuable in pen testing: if you're doing development, if you're doing sysadmin work, if you're doing network administration, that's going to help you as a pen tester.

And they're not sysadmins anymore, they're cloud engineers now.

Yeah, things are changing.

Yeah, those youngins, they keep changing everything. I really need to talk to somebody who does that. I keep seeing cloud engineers, like cloud security engineers and things like that, being entry-level roles, and I'm really curious as to what they actually do, how their day-to-day differs from an old sysadmin gig.

Yeah, that'd be interesting. I need to talk to someone. Some of my former sysadmin friends and co-workers didn't get out; they just kind of stayed with it. I need to hit up some of them and see how that world's changed, because for a lot of them, early on, virtualization became a big thing. Right as I was getting out of being a sysadmin, virtualization had been around, but January 2004 is when I moved out of sysadmin work.

It was really nice... June 2004 for me. Cool, I've just got one other question. I guess as long as we keep going here they're going to keep firing questions. Is there such a thing as an effective pen tester with no programming experience?

Yeah, I think so. I think with some of the tools... a lot of people... you don't have to be a programmer to get started. I can modify scripts and I've modified exploits, but I really don't know how to code, so you can do it. I think a lot of the tools... and you've been in this for a while, Adrian, and you've seen how things have evolved. At one time you kind of needed to be able to program or script, but with things like Burp Suite, brute forcing logins and stuff is easier to do in Burp Suite than trying to figure it out even using tools like Hydra, and Metasploit helps automate certain things. So there are tools that have helped automate the process, but if you're interested in programming I think it would be good to learn, and it's only going to make you a better pen tester, but you don't have to have it to get started.

Yeah, I would agree with that. I think it makes you more efficient. In my career I haven't done a ton of programming. I have written scripts and things like that on and off, and done some programming work, but I've done a lot more reading it. So I think the quicker you can open up the source on something and understand what it's doing, whether it's an exploit you're running or a web app that you're pen testing against and you're using the inspector or something like that, or Burp, it's really important to at least be able to read that stuff and understand what it's doing.

Yeah, that's a good point too. Like, if you happen to come across a JAR file or APK file that you can reverse, then you're able to see what the code is doing. That's one of the things I do: I've modified scripts and some code, but a lot of it is just reverse engineering, reading code and seeing what it does. That's pretty much the extent of it, rather than writing a program.

Well said. All right, I think we're good. That was excellent, thank you, a wealth of resources. Yeah, if you want to put the PDF on your Sched page, as soon as you have it up somewhere we'll let everybody know where to find that.

Sure, sounds good. Thanks for moderating my session. It's good to see you again; I look forward to getting to hang out with you in real life sometime.

Yeah, likewise, likewise. Looking forward to next year.

Yeah, thanks.

All right, thanks Phillip.