
Hey everybody, we're about to get started. We've got a couple minutes. Looks like, I see, hey, there's Heath, got Luke and Michael here, so we're probably just waiting for Eric to come back. He didn't know, I think, he was going to do double duty at B-Sides this year, so we'll give him a minute or two and we'll get started at 2:45. Michael Bryant, what's going on?

Hello sir, how are you? How you been?

Doing pretty good, good, good. Trying to survive the homeschool rona times.

Yeah, how's that been going for your kids?

Thankfully it was every Tuesday. Yeah, we're trying to, my granddaughter, boy, she struggled because she's a social butterfly, and so she's smart, but I think we're going to be doing some extra work this summer.

Yeah, same here. I mean, it's interesting, the environment was not conducive, right, because he associates home with play and relaxation and not necessarily school, right? So I think he needs that structured school environment that's separate from here.

Right, exactly. Yeah, they all do, I think. And he was playing football, wasn't he, before?

Baseball, yeah. All that stuff got cancelled, and yeah, it's been, yeah, nothing anybody else hasn't experienced, I'm sure.

Right, exactly. Can't do anything about that. So what's going on, Luke? Are you sure... how you been?

Pretty good. Thanks for handling that other track earlier, I appreciate you stepping in for that.

My pleasure, for sure. So here's Adams. Boy, long time no see. How's it going, gentlemen? How you been?

Good sir, how are you?

Good. Oh, now we can definitely hear you, perfect. How's that, not homesick? Oh, it's busy over there, it's going crazy.

Yeah, I bet, I bet. I saw, I was looking at TomNomNom's word list slides when he posted those up, so yeah, there's some good talks going on.

Yeah, good. Yeah, I can't wait for, Jason's doing his thing tomorrow too, so that, yeah, the methodology version four.

Yeah, yeah, I remember when you did the first one. Yeah, super hyped, so I'm ready for that too. Yeah, so that'll be very cool.

Yes, we were mentioning that earlier, so I'm so glad we had quite a few folks show up for B-Sides today, so a few folks are flipping back and forth. Good, glad that everything's going well over there. For sure. I don't see Eric, but we'll go ahead and... yeah, he's joining, he said he's getting connected. Very cool. All right, and then we've got about what, 45, 50 minutes, so I'm really excited. For those of you that weren't at B-Sides last year, we did the Pen Test Firing Squad. The year before that was our first year, and Michael actually talked, and the poor guy was up there by himself and he just got hammered by questions left and right. And then the idea was, instead of putting him up by himself in front of the firing squad, that I would actually bring a couple folks together to answer questions and talk about what we do as penetration testers, and a little bit of how we see the industry and how we see our clients, and some of the things that they do well and some of the things that maybe they don't do so well. So that's a big part of kind of how the firing squad evolved after that first year. So I was really excited that we got everybody from the group last year to come back, so it's actually the same group. I can still see everybody sitting on the stage, so it was sad we couldn't do it in person, but it worked out. So I think I'm going to go back as I see us on the stage, so we're going to go around real quickly and you'll let everybody know who you are and what's going on in your world and what's changed over the last year since we talked to you. So I'm going to go left to right from the old stage day. So Luke, you want to go first?

My name is Luka Puska, I'm a penetration tester with Verizon these days, same as last year. So Mike, you sent us a list of questions. I'm just going to go down that list as you set them, unless you want us to do intros and then you want to circle back around?

Yeah, we're going to do one of those one at a time, so let's just do intros and then we'll kind of cycle through everybody and then come back.

Okay, I think that's it for me.

All right, I appreciate that. I think Heath, that makes you next. Boy, lots has changed for you in the last year, year and a half, hasn't it?

Yeah, it's been a crazy year. So my name is Heath Adams, I also go by The Cyber Mentor online, and I'm a pen tester and I guess cybersecurity instructor on YouTube and Udemy. And yeah, last year has been crazy, crazy growth, and started my own pen testing company, everything else, so it's been going really well.

That's awesome, glad you made it back for sure.

Thank you.

And Michael?

Yes, I'm Michael Bryant. I am with Secureworks, I'm one of the managers of our Adversary Group, so we do all of the offensive-related activities for Secureworks, you know, red teaming, purple teaming, wireless, all that good stuff. I think you guys heard from Eric earlier today with him and mata worm, they both work with me. Yeah, and outside of, I mean outside of the rona, you know, business is still business for us. I mean it hasn't really changed much. Everybody's still getting hacked and wants to be hacked, so only more so, it seems. So yes.

Thanks, guys. There's Eric, we actually got him on video, look at that.

Yeah, I had to reboot, I couldn't, I don't know why.

You sound like a horrible smoker.

You guys come here? If you didn't hear my talk, yeah, I'm sure it was recorded, but yeah, I do like to do our wireless testing and leverage it to get internal, so yeah.

Yeah, like, we appreciate that we can make it out. It's just like, it's almost like an old, like Battlestar Galactica robot.

It is old school Battlestar, that's right.

Yeah, it does sound like a smoker with the little device up to
So like Luca mentioned, yes, we did send out a list, basically the same questions that we had started to talk about last year. So curious to see how you guys have seen penetration testing grow and change over the last year, year and a half, and, you know, not just penetration testing but also bug bounty, since we really see those two fields, not become necessarily one, but there's so much overlap and so many great, I think, resources and tools that both of those traditionally different communities can take from each other. So Luke, you want to start us off?

Certainly. I think overall the evolution is following the demand of the client, the demand of the customer, and certainly the latest demand has been an exodus outside of actual physical offices into homes, into the employee's home. So I noticed that we're doing a lot of different testing related to that. We're doing less physical, less wireless, less internal pen testing on site, and certainly more external and more phishing and VPN testing. Definitely. It's interesting that you bring up the bug bounty aspect of this. Bug bounties and pen testing are of course very closely related. Just recently I read a, I guess a report you could say, that Bugcrowd put out, and Bugcrowd was saying that they're trying to get into the crowdsourced pen testing field. For better or worse, it may have some interesting implications for our field, and I'm not saying that it's a bad thing, I'm also not saying it's a good thing, but I definitely encourage them to at least try. So there's some slow shifts in the field. I think overall I believe the theme of embracing change is necessary. It's a necessary mindset in our field.

Yeah, we definitely don't have a choice about embracing change these days, so absolutely. And coming from a company that, you know, we shifted 20,000 employees pretty much overnight to work from home, it definitely was an interesting exercise, but I can imagine what you see across your different clients and how that has definitely changed. So all right, thanks. Well, Heath, what do you think?

Yeah, so spot on, a lot of that, because ever since corona has hit I think that it's only been externals and web apps and cloud-based assessments that we've been doing. I haven't had a single internal since corona hit. Nobody's in the office, so you can't really do the same that you usually would. And then to, I guess to add on to that with the crowdsource and from Bugcrowd and those, I am actually this week actively working on one of those platforms, crowdsourced pen testing, so they are doing it, they are moving forward. It's very interesting how they're doing it, and I think it's a step forward that they're getting into the game too. So there's going to be, I think, a lot of players, and they're kind of merging from not just bug bounty hunting but also doing pen testing. And where bug bounty hunting is all about impact, so what can you find me and how is it impacting this application, pen testing is like best security practices overall. So I mean it's weird being on a platform like that and not hunting for impact but actually going back and doing, you know, pen testing and finding low-bound, or low things you would never get a bounty for, but just low findings and everything, and reporting those too. So it's definitely interesting, and they're definitely coming into the pen test game as well.

Yeah, interesting. Yeah, it'll be very curious to see how it evolves over time. All right, Eric, what about from your perspective? Oh, we can't hear you now. Can't hear you.

I've definitely seen it in this last year. I feel like a lot more MFA. Before, it used to be one of those things that, you know, I feel like it was the exception that clients had two-factor, but I feel like everybody's been moving more to Office 365-like platforms, which are a lot easier to set up MFA on, and that, you know, they all have either rolling codes, they do some kind of Duo. So I've seen a lot more of that, which is great. I mean, at the end of the day it definitely makes our testing a little bit harder, but it's way better for our clients, so that's always good to see, things trending and moving in the right direction. Definitely, I would say that like all of our physical stuff has obviously slowed down just because no one is in the office, but as far as, you know, people doing bad things, I mean, there's still plenty of adversaries out there and we still do all of our internal, external. We have a remote, you know, wireless testing platform thing, so we still, even with that, we still get some wireless stuff here and there. But I think, I feel like especially given some of the major hacks this year, that it's becoming more commonplace, you know, if I say like I'm a pentester to somebody, like a general human, you know, not in our industry, they'll know what that is, right, which is kind of surprising. And, you know, people are more concerned, I feel like, about their data, and like, you know, like my younger cousins, who, you know, are internet natives, they're like, I'm not going to give this, you know, I'm not going to sign up on this forum with my email, like who knows what I'm going to get, right? So I feel like people are becoming more aware. They're understanding the value of their data and what that means. So that's kind of my personal feeling. As far as the whole Bugcrowd and, you know, crowdsourced pen testing, honestly I think the more people we get in the space the better. I think you add more people, all boats will float, so that's good.

Yeah, no, I think, yeah, definitely the more the better. It's interesting how, yeah, I think pen testing is evolving, traditional pen testing is evolving in some aspects about as quickly as, I'd say, bug bounty programs are evolving, I always say that. And we can see a lot of tools, especially I think for the traditional pen tests, that come out of the bug bounty community. So I think it's pretty incredible. And it's good to hear that your cousins aren't already disenfranchised by breach fatigue, so sounds like they're actually learning their lessons instead of kind of ignoring them, so that's good.

Yeah, and those are honestly my favorite clients, where you come back year over year and you can't just reuse your last report because they've patched this, you know, they've disabled that, password policies get harder, you know. And so those are my favorite ones, where, you know, they're making meaningful impact and they're using your report and your findings to actually, like, incrementally check things off. And definitely some findings are not easy for them to patch, but just actually watching people care a lot more, you know, I like it. It actually puts meaning into our jobs.

Yeah, where your work is actually being used.

Yeah, becoming meaningful.

Since you mentioned it, what, you know, issues, in having remediation and some things that are difficult to fix, what are some of the difficult issues that you see your customers having?

I mean, I personally see a lot of people just have, you know, SMB, Remote Desktop open on devices that they don't need it on. Like it doesn't need to be on a ton of different services and devices, and it's on by default. I see a lot of, you know, SMBv1 still out there, a lot of just internal Windows things, you know, LLMNR, NetBIOS, all that stuff's still enabled even though, you know, it's not really needed or it can be configured around. Those are some of those legacy things that just honestly make my job as a pen tester a lot easier. Without them, things would be a lot more difficult. As far as wireless goes, I still see a lot of people using WPA2-PSK, or people using, you know, what's called WPA2 Enterprise without client-server certificate validation, which is killer. It's almost even easier than PSK sometimes. So when you see that kind of stuff out there, it's, industry is not something that can change overnight, and I have the luxury as an attacker to not, you know, like I just have to use a new tool and spin it up and go. I don't have to worry about, you know, a dozen sites across the country that I have to keep updated, keep supported, make sure devices enroll themselves. So it's definitely harder to, you know, migrate to some of that stuff. It's not as easy as hey, patch this and you're good to go, because there's a lot of other business requirements that I'm not privy to, right? So that's just kind of what I see, though.

Yeah, now I had a couple follow-up questions, but I'll save those and we'll circle back. So all right, and Michael, what's been, maybe how have things changed from your perspective over the last year or so?

Well, to echo everybody else, obviously we're seeing a lot of, you know, everybody went from going to the office to all of a sudden
working from home. I mean, I've been fortunate in that in my role I've been remote working for 14 years, and a lot of these organizations, you know, overnight had to figure out how to support remote work, and not all of them were necessarily educated or architecting their things enough to secure what they were rolling out, right? So what we've seen a lot of is, again, you know, even companies rolling out multi-factor en masse, it's not necessarily being rolled out in an effective format. I mean, we rolled out kind of a scaled-down external penetration test that just targeted, like, remote access points, whether that be VPN or Citrix or Remote Desktop, whatever, right, whatever it looks in remotely, and a lot of those clients had multi-factor in place and yet we still were able to compromise their perimeters. You know, if you're listening to this and you're using push notifications on your multi-factor, then you're doing it wrong, because we will just annoy your users until they accept us into the environment. So we're seeing a lot of that. And, you know, traditional pen testing, we're still seeing, I mean, I'm surprised a lot of clients are still, you know, we're doing some of those internal testing. We've always, I mean, we're kind of ahead of the curve a little bit because, at least in our organization, you know, we've been doing remote internal penetration testing and internal wireless testing for years at this point, so we've kind of been ahead of the curve there. And now we did run into the point where clients, you know, everybody left the office, so there was nobody there to actually provide us an attack surface, which kind of was a challenge. But I think even, Eric, you know, with wireless, we still can attack your wireless even if there's people there, right? So we're still doing some of those. And from our, you know, for clients who are a little more on the higher level of the maturity scale, we're starting to see more of those collaborative engagements where it's more of a, you know, I hate to use the term, but purple team, right? We're doing more purple team activities where we're working closely with their defenders to just make them better at what they're doing, right? So as opposed to just going in and giving a report of here's all the bad things that you have going on, good luck fixing them, you know, we're actually working with them, and then they fix something and then we turn around and maybe we'll run the same things over and over again until they get better at detecting those and responding to them.

Is there one of those purple team tactics or exercises that would seem to benefit most of your clients?

We've been approaching that for more of a, instead of a point-in-time type engagement, more of a continuous type engagement, right? And I think that's where the real benefit comes from. So instead of, you know, okay, we're going to do this one thing for you this month and maybe we'll see you next year, hopefully, you know, you get better and when you fix it, you know, we're doing month-over-month exercises with those clients, to where they're getting to practice on a regular basis. I mean, I often, you know, attribute it to, you know, we don't get a lot of practice in our field, right? You know, if we're practicing, it's because the house is burning down around us. You know, it's not a good learning environment. So those type of activities allow those organizations to kind of get some reps with their own tools and with their own network and their own environment, and to understand, you know, where they need to look and what tools, you know, what they need to tweak in order to see if an attacker is actually coming after them.

Yeah, okay, yeah, that's interesting. When you do go back, if you're doing kind of that month-to-month for the customers, how many hours are you doing each month, just out of curiosity?

Yeah, it's really dependent on the client, right? So, you know, it's how much can they consume, because obviously they're still having to keep their ship afloat and deal with their day-to-day activities. A lot of times we'll run a scenario a month, and that may be, you know, anywhere from 10 to 20 hours' worth of activity on our part for them to go and detect, right?

Sure, that makes sense. I was just thinking, yeah, I mean, I think most of the shops I'm familiar with, you know, they might have a 40, maybe an 80-hour pen test that's done, you know, once a year, and it might take them six months to nine months to even fix those, so if you're coming in every month, you probably don't even have time to fix all the issues before you're already back at the next, you know, three, four weeks later for the next round.

Yeah, it's really more about the tooling, right? Because it's less about, like, fix these inherent issues in your network and more about the detection piece, right? So what can you tweak on your tool to see an attack as it's happening, or where do you lack visibility? Now that obviously requires a little more remediation time if you just don't have the tool in place, right? So that's a little harder to fix, but typically the turnaround time with the feedback is a lot quicker, so they're able to actually respond and be, you know, we weren't able to see this particular attack, we can tweak our tools and now see it. So then we can quickly turn around and redo that same exercise and they can validate whether or not they're still, you know, did that fix work, or do they need to do something additional in order to find out something's going on? So it's a little less about, you know, let's fix all the things within the network and more about, do we see all the stuff happening?

It's good. It sounds like it makes some real change and does move beyond just fix XYZ and we're done until the next pen test. Yeah, awesome, I appreciate it. Okay.
Yeah, I definitely appreciate that. Just a reminder too for the folks that are listening in, because I know we've got quite a few folks: do me a favor, and if you have questions for the panel, don't forget, this is really why we put the panel together, put them in Discord and let us know, because this is your opportunity to ask these guys anything and everything you've ever wanted to know about pen testing, and whether it's about getting into the industry, working as a pen tester, different types of tools or tactics, that's why we're here. So definitely put those questions in the chat channel. So one of the other questions that we wanted to talk about is, you know, over the last year, and I actually took really a couple great things out of the last panel that I took back to the office, you know, and added, you know, from a red team perspective and then also from a defensive blue perspective, but what are some of the things that you see your clients that are doing right, and what are some of the things that your clients should be doing a better job at that they're not necessarily right now? So Luke, want to start us off?

It's interesting you bring that up, because I think you just answered it. You took back something that you learned from the panel and you applied it to your daily business. That's something that a lot of businesses I think don't do, for whatever internal bureaucratic or political reasons, which it tends to be, that they don't quite digest the report, or maybe that's not getting to the right people, or something is not executed correctly, something is forgotten, whatever. Maybe the pen test was originally just a checkbox, an exercise in making sure that it was done because it was for PCI or something, and then they just move on and not really focus on the overall report. There's a lot of value there that I think a lot of people are missing, a lot of people inside businesses. What other companies are doing really well, I think, are becoming more interactive with us. Now you had mentioned a red team, blue team, Michael said that, and I like that. I like having that dialogue, that conversation. And in fact I have a remote internal coming up in a couple of weeks that I've been told the client is like, they want some feedback, they want a conversation every day. I've been in some engagements where I'm just walking into their office in the morning, I do my work, I might see the point of contact once or twice a week, they don't really find it necessary to hear from me during the week, they don't ask for it, they don't offer much feedback. Now maybe there's a positive out of that. Maybe they trust us to the point where they know us well enough that we're not going to destroy their network or do anything that would cause them an impact in their business, so the trust level is good. But I like the more interactive feel. That's one thing that I'm going to miss about a lot of the on-site and internals, because I like to talk to the customers and I like to understand how they feel, what their risks are and what they're worried about, what's keeping them up at night, so I can help sort of mold the report best to their needs rather than what I think they need.

Yeah, now I have one PowerPoint, gotta plug that in, like go, go. So, you know, one of the things that stuck out, I remember from the last panel last year, was you had mentioned your clients not looking at separating domain admins from server admins, and that was one thing I was like, oh, you know what, that's something that we don't do. And especially, you know, having an outside party that manages the vast majority of our network infrastructure, you know, going back and doing that exercise, getting that cleaned up, really, I think, helped strengthen our posture from that perspective and helped from a detection perspective as well. All right, thanks. Heath, what do you think about one of the positives and negatives you're seeing across customers today?

Yeah, so I'll kind of repeat what Eric said on the MFA front. We're seeing a ton more MFA. I mean, it's just impressive to even, like, I've had a couple startups that I've tested lately, and I mean they have MFA. One had MFA on literally even changing an action, so if you had to go change your address or anything, MFA across the board. So just super impressive that people are starting to think about security. And another point that he made: I had an electrician come out a week ago and he was talking to me, said, yeah, what do you do? And I usually do my spiel, like yeah, I'm an ethical hacker, it means this, you know, and he just stopped me, he's like, yeah, I know, that is, one of my other clients is one of those. So yeah, I think the community, just people as a whole, are becoming more aware of what we do and like cybersecurity, and just it's becoming more important, so that's a good thing. The bad thing, I'm going to go outside the box here a little bit, is I still see clients kind of treat us like the enemy when we're trying to be on your side. So that's the one thing, is like we're here, when we do a pen test we're here to help you improve, we're here to get better ourselves, and we're here to just overall make sure you have the best security. We're not here to point fingers, we're not here to take you down, we're not trying to get you fired. We're trying to make you better, make you understand, and make you as secure as possible. So if you're watching this and you're having a pen test done, we are your friend, we're not your enemy. We are absolutely trying to help you succeed as best as we can.

That's very true. We had a great conversation the other day in the pen test workshop that we did through B-Sides Greenville, and one of the questions was, and I made the comment that I hate auditors, and then it was like, well no, you know, we don't hate auditors, I have some friends that are auditors. But we do hate that adversarial tone that can happen between us as defenders and auditors, or pen testers and defenders. So it's, yeah, especially, I've been in over the years some pretty ugly meetings, when we have, you know, especially four or five years ago most pen testers seemed to be
much more technically savvy but have poor soft skills and so the the communication was was lacking where to i we even had a um well we had an executive even hang up on a final findings call because uh he just wasn't feeling the five let's say of of the pin tester that was doing the niner nine or niner i got domain admin access on your network and you suck you know that's that's not what i don't think any of us want to be portrayed as so definitely uh appreciate that so thank you so uh eric yeah so uh gosh yeah even luke hit the nail of all on the head um you know the the
point comes across that you know we are like our team is called the adversarial group right and really you're hiring us not to be an adversary for you but to think like an adversary on your network and and i think my personal goal is for all of our clients is to take somebody who's you know maybe up in an office or you know uh you know a typically stuffy client that like to lose credit he said like oh maybe they see you a couple times a week to try and change them over so i'm like if you need anything at all like you have me for a week two weeks a month like utilize me
if you have any questions like it doesn't just have to be you know with specifically this finding it could be about you know just overarching architecture it could be about you know why i use this tool over this tool you can literally watch everything that i do and i try and take them from somebody who's not really that engaged to the i want them to text me i want them you know to have an inside joke with them like i want to you know develop that rapport because at the end of the day they're they're paying a ton of money to have a pen test on and the more you know back and forth the
more communication we have first of all you you negate any any possible miscommunications if your client is is comfortable enough with you to send you like a gif like you're solid like at that point there's not gonna be a miscommunication and you can be open and honest about findings that you have you know lather rinse repeat on something during the pen test um so i think i think just building that rapport i've seen that a lot more that people view this as less of like oh my gosh you're going to get me fired you want to get me fired and like yeah like let's roll i'm interested to see what's happening um so there's definitely that um
yeah i you know yeah heath and luke said it perfectly i mean that's pretty much it i completely agree yeah i really like that that idea because i yeah yeah i i do pin testing i hire pin testers you know for floor and i've you know been doing this for 20 years at this point and i've seen some really good pin testers and i've seen some really really really bad ones and i think just by you describing how you work with your clients is amazing you know we just don't just don't see that type of interaction typically that those soft skills and and just that caring about your customer and i think everybody on this
this panel does um you know that's that's something that makes a top-tier pin tester it's not necessarily the the technical skills or getting domain admin in five minutes or less it's it's really how you work and with and and care for the customer yeah definitely and and keeping in mind they're like you said they're paying a lot of money so make sure they uh get their money's worth and you help them and we use these companies too like we test com like i tested my mortgage company right like like like we like there's so many companies that like we test that i like see like in the mall walking around like i go to these places
like these places have my data so at the end of the day it's not just a vacuum of like some random company that like i'm not involved with at all like i use these products these people these companies like i want them to be secure because my data is there and i want my parents information my grandparents information to be secure like at the end of the day like if you help them you know it'll all come back around in some weird karmic way right so i don't know that's how i see it maybe it's a little uh fluffy but no i i i i i don't think so at all i don't think anybody does
that. No, that makes sense. It's interesting, like when you get to work with your customers. I had actually just done a pen test, prior to going to Fluor, against one of our biggest competitors, and I had no idea I was coming to work for Fluor, and realized, oh, I knew kind of exactly the type of environment I'm going into because I had done that previous test. So not exactly the same, but kind of related.

All right, Michael, what do you think?

Yeah, so I don't know, I see clients doing more proactive stuff with regards to testing and security in general, right? I mean, I feel
like a lot of organizations were just, to Luke's point, trying to check that box a few years ago, right? They've got compliance issues, somebody's forcing them to go get a pen test, and so they reluctantly go do it. But I feel like over the last year or so I'm seeing more clients that are... We always ask the question, why are you doing this test, right? Is it PCI, is it HIPAA, what's the reason? And a lot of times we're getting that answer back: we just want to know
where our weaknesses are and what we can do better, right? And I feel like that is a big change for everyone, as people take security more seriously and less as a burden. So I think more of that mentality will help both your organization as well as, to your and Eric's point, all of us, right? Because we're all customers of most of these organizations. When I see somebody get breached, I'm just like, great, there's another one. Hopefully that password's strong, and thank goodness it's random, right? I get the same feeling with
those as well. But yeah, I think the proactive approach that I'm starting to see with a lot of clients is kind of heartening, to me at least. And then again, as far as what they're doing wrong, it's similar things, unfortunately. The passwords still suck. We still get in with, I guess it's Summer2020 now, so we still get in with that password. Someone at your organization is still using that password. And again, even with multi-factor, it's not a silver bullet. It is not going to keep everyone out if you do not have it
configured correctly, right? We're still abusing your perimeter with your two-factor authentication that you do not have configured correctly. So even though you go buy the tool or have spent money on something, make sure you take the diligence to make sure that it is configured correctly and working the way it's supposed to. And then you may need to hire somebody to think about a threat model of all the different ways that that can be abused, because maybe you don't necessarily have that experience, but there's definitely people out there like us who are thinking of ways to abuse all the things you have in place, and we will find those
weaknesses, for sure.

And password spraying for the win, right?

Yeah, always. I mean, two-factor slows us down until we can annoy your users with their push notifications, and then it works really well for that. Somebody just leans over, it's like, I'm just making styles, all right, yes, quit bugging me. And we've also seen, with the remote access engagement we do, we actually ask... because we're doing it in a short time period so they can find out what's wrong quickly, we actually ask for a user list up front, and we often find users
which, A, are not enrolled in two-factor even though the organization has two-factor, and then for whatever reason are enrolled in the remote access group. We had one that was a print/fax service account that didn't have two-factor authentication enabled for it but also was in the remote access group, and we guessed the password for it. It's like, why is that even a thing, right? I mean, something somebody set up like 10 years ago and probably forgot about.

Yeah, pretty much. Thanks for the wave. Right now we have a couple of questions coming in, so I want to throw a couple of these out for anyone. So, a question from Charlie:
in the past couple of months, instead of blue, red or purple shirt, how do you think, or have you seen, that COVID and work from home has had an increase on the other side of the coin, like in script kiddies or horizon hackers?

I think we kind of know what you're looking at, but I mean, it's like any event, right? The low-hanging fruit is, let's go take whatever's going on and wrap our attack around it. So let's find whatever scam we can use with COVID and target those people who are going to respond to that. I think we see a lot of that going on still, for sure.

For sure, yeah, definitely.
The COVID scams just continue to grow exponentially, so everybody just wants to click on this and click on that. So, anybody else want to take that one, or not? All right, another one, and I think this is kind of one of the other questions that we had wanted to talk about: for someone who's new in the pen testing industry, how can he or she approach a company and talk about his service as a pen tester?

So is this like somebody who is trying to sell themselves as a pen tester to a company? Is that the...

Yeah, that's what... so probably somebody, and maybe they're more junior, maybe doesn't
have a lot of experience under their belt. How would you suggest they actually start getting some work as a pen tester?

I think, at least for me, a little bit of that is just start talking to people, right? Just start going to conferences, talking to people, going to companies. Don't go in with the expectation that you're trying to sell. Just go in with the expectation that you're going to have a conversation with somebody, and just start asking them questions. People like to answer questions. And then shut up and listen. I think that's really what it comes down to.
And depending how junior the person is, find where your weak spots are, and see if, if you're lucky enough, you can find a company that'll pay you to learn on the job. I mean, I learn every single day, so that's one of those things: I'm incredibly fortunate to work in an industry and for a company where it's just like, I have no idea what I'm doing, but luckily I have a lot of smart people that I work with, because it's impossible for everybody to know everything. And then try and swallow the imposter syndrome as much as possible, because every single day I feel like, well,
someday they're going to figure out that I don't know what I'm doing.

I agree. I mean, I still have imposter syndrome, and much to your point, Mike, I've been doing this for 20-something years too, so sometimes I'm like, wow, people still pay me to do this stuff, this is crazy. But I think... I struggle as a manager hiring people that are junior, because we're all remote, right? So I don't have somewhere where I can bring junior people to train them or teach them how to do what we want to do, which is a little bit of a struggle for us.
But I would say, if you want to be a pen tester, you may have to play more of a long game, right? Because it is hard to get that experience without having the experience. So you have the chicken-and-egg problem. Maybe you've got to play a long game where you identify the company you want to go do pen testing for, and maybe they have other entry-level positions that you can get into, whatever that may be. Maybe that's the play to get into it, so then you can show your passion. And for us, because we do that internally, right, our
entry-level position with Secureworks is the SOC analyst, right? That tends to be the people that we hire out of college, fresh into the workforce. And for me, we brought over quite a few people from the SOC that have shown, hey, they'll contact us, they're interested in pen testing, they show the passion, they've proactively gone out to get the Offensive Security certifications, that kind of stuff. Plus networking. I mean, at the end of the day, it's all networking. Who do you know? How do you influence them to
help you in your career?

Yeah, I mean, that's a big part of why we have B-Sides, right? That's exactly why I started ISO in Greenville. When I moved out from San Diego, I remember leaving San Diego and people telling me, hey, here's my card, we have offices out here. One of the guys actually was from Secureworks, said hey, we have offices in, like, Charleston. Of course nobody knew where Greenville was. But I mean, it was just awesome to have those connections, and realizing now that you can have that network, and that's how we get most of our jobs. So yeah, definitely.
Definitely. Suggestions?

Okay, well, I was going to say, ironically my last in-person B-Sides was B-Sides San Diego in March.

Yeah, always good to go home. So what do you think?

Yeah, so networking's been touched on quite a bit, and that's kind of where a lot of my interviews came from when I was just first getting started: being in Discord channels, being in Slack channels, helping out other people, and just getting known that way, and being that passionate person that Michael was talking about, just wanting to get into the field. People recognize that, and you never know who you're going to talk to or what seed you're going to plant
that might show up a couple of years later. Even jobs I got after that were just people that I've known, met, worked with. And you have to make sure that you don't burn any bridges, and you just make friends and network, and it'll turn out really well. On the technical side, from one perspective, you just gotta put yourself out there. So who cares if all these job applications say five years, ten years experience? Apply. Nobody cares. Just apply. If you get rejected, so what? Just apply again. Just keep applying; something will stick. You'll get an interview, you're going to do terrible, you're going to get beat up, you might not get the job, but you have
the questions in front of you that you just got. You can go back, study where you were weak, and come back and try again. Another piece of advice for interviewing is always write down the questions that you don't know. Don't ever lie about it; just say, hey, I don't know, but I'm willing to go learn that. Go write them down. I've had second interviews, specifically at North State actually, where in the second interview Brandon Martin asked me questions from the first interview that I didn't know, to see if I went back and was learning and actually cared about the position. So managers will do that, and if they see drive in you, they'll
take a chance on you too. So put yourself out there. Otherwise, technically, the OSCP is a good way to get your foot in the door, but still not enough. You've got to learn Active Directory, learn some web app, really just kind of focus in on what to do next. Always be studying and learning, because that's the kind of field we're in. If you're not studying and learning, you're going to get left behind. Even if you're the best hacker in the world right now, if you don't study for a year, you're going to get passed up. So you're going to get left behind really quick.

Sure, I think that's all good,
all good advice. So another thing I would mention too, especially if you're junior: for me, back in the day when I first started, it wasn't like I could show up and say hey, let alone... people were like, pen testing, what's that? Or, you want to break into my systems? What? I actually did a lot of free work. I volunteered my services just to get that experience. And I know I have some students currently going to class, and that's what they've been doing, and you're gaining that experience. If anything, you might not be making any money, but it's not about the
dollars today but what's possible in the future. So just a thought there. So I know, Heath, you mentioned the OSCP, of course. Would everybody agree, kind of what you're alluding to, that these days you almost have to have the OSCP to get a full-time gig as a pen tester?

I don't know if you have to have it. It's a gatekeeper for a lot of places, though. So it's almost like education, where I don't think you need a bachelor's degree, but does it help to have it on your resume? It does. Same thing with the OSCP: you can get a job without it, it just
helps to have it on your resume and get past the gatekeeper and get into those interviews.

Yeah, and we don't use it as a gatekeeper necessarily, as much as, if I see it, I know... I mean, Eric and I both have it, and I'm sure you guys probably do too. I know what it took to get it, right? So I know that's not like I just took a multiple-choice test and I also have the OSCP. So we do look at it a little bit closer, but it's not necessarily a gatekeeping point for us. We hire plenty of people that don't have the OSCP. We would like them to get it,
because it just shows that level of dedication to the industry.

That makes sense. Since we're talking certs, are there any other certs that you guys see a benefit in? It seems like there's a few new ones that pop up here and there, and there's some of the older tried-and-true ones, but are there any particular ones that stick out these days to you guys?

I mean, to his point, only if you're trying to get past gatekeepers, in my opinion. It's all resume, you know, get past the firewall, right?

I always ask because most of the folks I
work with are students, right, with no experience, trying to get into the field. So that's one of the routes that they can go.

I think one of the things that would be super helpful, and I tell everybody who wants to get started in pen testing to do this: if you're interested in it, start a blog. Start documenting at the beginning and then basically document your entire progression from normal Joe to pro. Because if I was the hiring person... I've interviewed plenty of people, and when I can go and Google somebody's name, because that's
what everybody does, and I can see, oh man, this person has a bunch of blog posts. Sure, maybe there's 100 other blog posts that show you how to run this tool, but the fact that they've documented it for themselves, because they're just trying to learn that process, I think that's super solid, and it shows exactly what he'd said: they care about this, they're interested in learning. That to me is one of those things: if you're a student, if you just document every single thing that you learn, you'll be shocked how in five years you've forgotten everything that you documented, and you'll be Googling
something and your own post will come up, and you're like, oh snap, right, that was smart. That's kind of my thought. It's cheap, easy, if not free. It just requires the time. But I think there's so few people that actually do it that if somebody was really interested in it, it's a really easy way to separate yourself from the pack of other people.

Yeah, no, I can definitely understand it. And you think about it: if anything, down the road you have this body of work that you can demonstrate, not only your knowledge but putting yourself out there, and that
definitely goes a long way to helping get you hired as well. So appreciate that. We probably have time for another one or two questions before we wrap up, and then maybe, if you guys have time, jump into the Discord channel and chat with folks. But let's see: what suggestions do you have for a blue teamer to get better at understanding red team methodology without formally doing some type of purple team exercise? I guess, what can defenders do to better understand red team or the attacker methodology?

Yeah, I mean, I think there's tons of courses out there. You could do as cheap as Udemy, you can do
the OSCP just to get that mindset. I see a lot of blue teamers do certifications just to understand what the red teamers are thinking and how to defend against them. So if you don't have the opportunity at work to work in a purple team engagement, Google is your best friend. Just start looking up the methodologies and how a pen tester acts, and there's tons and tons of material out there, from as cheap as free up to certification level.

Yeah, definitely. And now that you bring it up, he actually has a couple of great courses on Udemy. I am in the OSCP one, or, I guess, the
general pen test course, and I actually did the Windows privilege escalation course. I had a lot of fun with it. So there's a lot of that out there. I thought you did an excellent job; I appreciate you putting that together. It was a lot of fun. So yeah, there's so much out there, but I definitely can't say enough about his stuff, so highly recommended. So, anybody else?

I think a fast track would be to consume some of the material that's out there specifically for certifications like Certified Ethical Hacker. I'm not saying that one certification is better than another, but some of the material is easier to obtain: CEH, PenTest+ or some of the others.
OSCP is a little more difficult to just go out and buy the book from Amazon for 50 bucks or less, but some of the others you can, and that gives you a really good foundation for some of the methodologies, some of the terminology that's used, some of the ethics and other important legal concerns that one should definitely focus on when going into this, changing from a blue team to a red team.

Sure. Charlie makes a good point in the Discord channel, talking about, I think the idea is, making videos for your employees and showing them a hack. I've done this at Fluor, and these typically tend to
help employees understand, right? It hits home. It's like, here's how we get your password for Wi-Fi, or here's how we get your Active Directory password. Like you mentioned the Summer2020, we do Fluor2020, right, or 2020Fluor. So having those videos and showing them that, or if we have phone calls recorded of us social engineering our own employees over the phone, you can play that back when someone gives their username and password over the phone. Now that really resonates with folks.

One last question, and then again hopefully you guys can jump into Discord: what kind of home lab environments do you use for practicing pen testing, and what
elements do you find most useful for home lab setups? Anybody?

I can start. So I've got just VMware, and you've got to have space, like RAM and stuff, for it, but I've got one Active Directory domain, one domain controller and a couple of Windows machines that are all spun up in VMs, and I can practice Active Directory attacks. People have actually gone out there and made blog posts about how to do this in Azure, and Azure gives you like 200 bucks for free for a year, so there's ways to do this for free without utilizing any of your system resources, and you can still go out there and do it. So if I want to practice
something, or a new trick or technique that I see, I'll just go through it in the lab and give it a go.

Awesome, man. Yeah, that's a great idea. Anybody else?

I would suggest testing your own home network first. Nessus offers a license, I think they give you up to 16 IPs, that you can scan your own network with. This is one that I recommend because it seems to be the de facto standard as a vulnerability scanner. So once you get used to the idea of running Nessus, reading the reports and understanding how it's running, how it's consuming your network and your local resources, that's a great place to start, and it is your home network. So long as you're not
attacking an outside home network, this should be within the bounds of ethics, because it's your stuff. Definitely get used to running VMware or VirtualBox, whichever you prefer. You can easily load up a copy of Kali Linux, since it's available for download. Just be careful with how you run it, and I would prefer not running your personal information and personal accounts on it. Use it only as an attack platform. Don't use it to shop, don't use it to check your own email, until you understand exactly how it works and how it's built, by design, as a very wide-open platform without any firewall protection at all, which is good from a pen tester
perspective, not so good from a consumer perspective. So definitely look up the Active Directory VMs as Eric mentioned, I think it was Eric or Heath that mentioned it; definitely a good one. I was thinking of the same thing as you were speaking through that. There are a lot of web application testing platforms, like Juice Shop by OWASP, or, you name it: if you were to Google "vulnerable web application pen testing" you'll find quite a few out there. Web application pen testing is definitely on the rise, I've noticed, because developers are quick to put out web applications, and in some cases they're not following
good standards in terms of securing those. So there's definitely the infrastructure, there's the web app pen testing. You can also attack your own home Wi-Fi. Be careful with that, because you may have other Wi-Fi networks in the area, and some of these software tools, I find, are somewhat difficult to calibrate and point directly at your network. Sometimes they will attack every network in sight, and that's probably not something that you want to be doing. But wireless testing is definitely something that you can do from a home lab environment as well.

Yeah, Eric made the point in his talk earlier this morning that definitely the best thing you can do is, hey, hack
away at your own home network. I mean, everybody's got Wi-Fi at home, so that's a great idea. I'd also throw out there, with VMware or Oracle VirtualBox at home, the nice thing is, we used to have to, even just a couple of years ago, download so many different vulnerable machines to hack away at, not that there were that many that existed back in the day. But now with Hack The Box, TryHackMe, there's some great resources that are either super cheap or free where you can definitely get that experience, and it will help you get the experience,
maybe you're studying for the OSCP; those are some great resources as well. But it also reflects some real-world scenarios, which is all great. So, gentlemen, thank you very much. I really appreciate all of you coming back for B-Sides this year. Hopefully you guys will be able to do this again next year, and we can see what changes between now and 2022. Hopefully we'll be able to meet in person. Might not happen again, but we'll have to see, play that one by ear. But thank you again very much, and again, if you guys have got time to hang out on the Discord and answer
some questions, there's definitely a few more out there that the crowd is asking. I'll catch you on the other side, but I really appreciate it. Thanks for the time. Stay safe out there.

Thank you. Thank you, appreciate it. All right, take care. Bye.

All right, so yeah, that was awesome. It was good to get the band back together, so to speak. So thanks to Luke and Michael and Heath and Eric for coming back. That was
awesome.