Cyber Work with InfoSec has recently celebrated its 100th episode. Thank you to all of you that watch and listen and subscribe to both the audio podcast and our YouTube channel. We're so grateful to hear from all of you, and we look forward to speaking with you more about all aspects of the cybersecurity industry. To celebrate this milestone, we have a very special offer for listeners of the podcast: we're giving 30 days of free training through our InfoSec Skills platform. Go to infosecinstitute.com/skills and sign up for an account, or just click the link in the description below.

While you're there, enter the coupon code cyberwork, one word, all lowercase, c-y-b-e-r-w-o-r-k, when signing up and you will get your free access. You'll get 30 days of unlimited access to over 500 cybersecurity courses featuring cloud-hosted cyber ranges, hands-on projects, customizable certification practice exams, skills assessments and more. Again, check out the link in the description below and use the code cyberwork, c-y-b-e-r-w-o-r-k, to get your free month of cybersecurity training today. Thank you once again for listening and watching. Now let's get to the episode.

Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of InfoSec professionals, offering tips for those trying to break in or move up the ladder in the cybersecurity industry. It's been a while since we talked about penetration testing and offense-oriented network security on the show, and I know that some of you've been asking for it, so today's your lucky day. On the show we have Dr. Wesley McGrew, the director of cyber operations for HORNE Cyber. We're going to talk about going on the offensive as a good defense, the current state of pen testing, and the raw work of reverse engineering malicious software and vulnerability testing. If you're looking for the type of job that gets you out on the cybersecurity battlefield and fighting the bad guys, you're gonna want to give this episode your undivided attention.
Dr. Wesley McGrew is the author of penetration testing and forensics tools used by many practitioners. He is a frequent presenter at DEF CON and Black Hat USA. At the National Forensics Training Center he provided digital forensics training to law enforcement and wounded veterans. As an adjunct professor, he designed the course he teaches in reverse engineering to students at Mississippi State University using real-world, high-profile malware samples; this effort was undertaken as part of earning National Security Agency CAE Cyber Ops certification for the university. He has presented his work on critical infrastructure security to the DHS Joint Working Group on Industrial Control Systems. Wesley earned his PhD in computer science at Mississippi State University for his research in vulnerability analysis of SCADA HMI systems used in national critical infrastructure. He served as research professor at MSU's Department of Computer Science and Engineering and Distributed Analytics and Security Institute.

Wes, thanks for being here today.

No problem, I'm glad to be here.

So I ask every guest, you know, how they got into computers and tech for the first time, so I want to ask you that, but I really want to know how you got interested in pen testing, forensics, reverse engineering and the sort of offense-as-defense school of security. What was the draw there?

So, so I've always been better at breaking things than anything else, and so as a child I was always the one that took things apart and learned to know how things work and how I suffered things, you know. I grew up learning, kind of teaching myself how to code on Commodore 64 and early PCs and such, and, and actually, I made sure it was in the frame, but in '92 I saw the movie Sneakers, and this, the laserdisc copy of it, on my shelf.

How about that.

Yes. And that movie changed lives, and I was like, you know, I want Robert Redford's job.

And there you go, TV pen testers. And yes.

That's, that's, that's what I set out to do.

It's funny, I like, I saw that movie at that time too, and I never made the jump to, like, you could actually do that as a job, you know. I think it's kind of like you see a rock star and you're like, well, I couldn't actually get on stage, but it's like people do it all the time, so it's interesting that you were like, yes, this is for me.

Right, so, so I went to school for computer science at Mississippi State, and in grad school I helped out with developing the computer security program there and some of the coursework and some of the research programs there for that, and then used that as a springboard into computer security work.

Okay, so you've been doing it for a while obviously, you started in the Commodore 64 era. How has the practice of pen testing and computer forensics changed and evolved in 2020 versus when you first got involved? I imagine it's an order of magnitude more complex now, or is it, are you still basically doing the same things?

Well,
networks have gotten more complex, okay, so the number of hosts are much greater, and where before, you know, it used to be a very particular thing to have computers controlling physical processes, it would be an industrial control system situation or a critical infrastructure situation, but I would say that most organizations have some sort of cyber-physical system, be it HVAC and cameras and, and access controls for buildings and things like that. And so more and more, as we compromise things on these complicated networks, we gain a physical presence inside the target organization through the things that we've compromised, through microphones and cameras and the ability to impact elements of the environment. And so I would think that, I would say that it hasn't gotten any harder or any easier, but it's more complicated, and we, we have more people on our teams doing that. It's not, you could do it solo for a long time, but now, right, you don't do a large network without it being a team.

Does it require more complexity of thought or more complexity of tools, or both?

It requires a lot of interesting management of resources, right. So for each of our penetration testing engagements we have four or five people per engagement, and it's important that we make sure that they don't duplicate effort, and they, they each have specialties, say in ICS or in web application security or in network protocols or something like that, and so we've got to make sure that they're working on the right things, even though they all have a breadth of experience to, you know, take a triage look at anything.

Right, okay. So for listeners who are looking to break into the area, in this particular sort of career field, especially in regards to building up their skill set, what are some types of jobs or study, research, labs, projects or other tasks that you recommend to learn the raw skills of pen testing, reverse engineering, vulnerability analysis, things like that?

I think to identify vulnerabilities, you can, you can identify publicly known vulnerabilities easily; most of the vulnerability information has documentation on how to test for a specific vulnerability. To find new vulnerabilities you need to learn how to code, you need to learn how networks work, you need to get a little bit of systems administration experience, and that can be hands-on, they can be in a home lab, right. You know, there's lots of online capture-the-flags and virtual machines and things like that, but I really encourage people to get into this to learn how to code, learn networking protocols, TCP and all that, to a really in-depth extent. When you're finding vulnerabilities in these systems it's because you understand things at a, at a lower level of abstraction than the people who developed it. You're exploiting their misunderstandings about that underlying system, and so it's important that you, that you get a very low level of knowledge of the systems that you're developing for, more detailed knowledge than that.

Okay, can you, can you sort of, that's a really interesting phrase, can you break down the sort of notion of understanding the sort of errors of lower-level people, like that, or, I don't remember exactly what you said, but that's, that sounded like something that requires a little more, a little more unpacking.

So, so it's, it's all about levels of abstraction. So if a general non-computer-science person uses a computer, you know, they see it as, they, they click on the Start menu and they hit the Word icon, and that's their interface to the computer. How a computer works to them is by navigating menus and opening up programs. They have this sort of model of how programs work in Windows and things, yeah. If you're a developer, if you're just learning how to write code, say you're, say you're a C programmer and you are writing code based off of what you've learned in a book on C programming, and it's teaching you about allocating memory for local variables or global variables or things like that, and, and it's giving you a model of how memory works. Under the scenes, under the hood, how the compiler generates code that allocates memory, it doesn't exactly work like that, and that's why things like buffer overflows and memory corruption exploits, the person who wrote the code doesn't understand how it's turned into machine code and the processor runs it. So that's where, that's where a lot of the vulnerabilities come from, is, is people who don't have that sort of like cross-, cross-technology or whatever, right. And so, and it works all the way down, right. And so you're writing code to, to, if you're writing code at an assembly language level, the operating system is hiding off memory from you, from other processes, and so the, the lower and lower you go in that stack and understand it in a more detailed way, the better. And so I encourage people to learn, to pick up some reverse engineering, understand vulnerabilities better.

So if you were looking for someone, you know, you're looking at applications for people who, you know, would join your team, what are some, some absolute must-have experiences or certs or, you know, degrees, or just, you know, things that they've done that you would say, I have to have someone who at least knows how to do this to join my team?

Well, we recruit heavily from Mississippi State University and other cyber operations NSA-certified schools, and so that would, but we don't necessarily care if somebody has a degree or not, right, but it does help having that computer science background. Somebody who can, who can write code, somebody who has some interest in reverse engineering and some interest in vulnerability analysis and has demonstrated that; somebody who can write code, or read code at least, in multiple languages, and be able to, to do both application security testing and vulnerability analysis on networks as well.

Okay.
So I want to sort of talk about some of your, the various hats you wear and, and, and, you know, areas of interest that you have. So to start with, just so I'm sure we're all on the same page, what do you mean by offense-oriented network security? I mean, it really sounds like, you know, this is something you want to get into if you are looking to bring the fight to the hackers.

So there's two things going on here, and both of them are interesting to talk about. What we're talking about mostly when we talk about offense-oriented security is identifying where to spend resources for security by taking an attacker's view of your network, and that's penetration testing, application security review, social engineering, all sorts of things. If there's, you know, a thousand vulnerabilities on a network but only some small percentage of them are actually exploitable in a real-world threat model by a real-world attacker, right, by taking a penetration testing or red teaming view of the network you can identify those vulnerabilities, remediate those, spend your resources there. It's easy to spend money in the wrong direction in security; you can spend a lot of money on things that are never gonna happen.

Okay.

The other side of that, what you're talking about, is essentially what people refer to as hack back, where you're, where you're going on the offensive against the actual attackers, and the legal frameworks for that are not really in place right now, though there's been some bills introduced for that, and that's talking about hacking back into either the attacker's command-and-control or their, their intermediate nodes in order to capture attribution data. And that's, that's, that's an interesting thing as well. That would, it would involve some rollback of some of the more extreme or some of the more broad restrictions of the Computer Fraud and Abuse Act for people who are investigating computer crime.

Okay. You, I mean, do you see those, those laws changing anytime soon?

I don't know that any of those bills will be successful. I was tracking one for a while, but I don't, I don't know where it went, to be perfectly honest with you. You know, it's interesting, and in the infosec community about this, there's a lot of strong pushback on hack back, but at the same time there's lots of people in the community who, who, who have, you know, attacked command and control and have taken a look at command and control servers and recovered data from those things, and would probably appreciate some reduction in the scope of the Computer Fraud and Abuse Act for computer security professionals, right. There's, there's, there's a, there's a balance there somewhere that we've got to find.

Okay. So what, I guess you mentioned some of it, you know, penetration testing and red teaming and stuff, but what are the primary tools in your arsenal for offense-oriented security?

Well, we've got a custom build of Kali Linux that we use, we've got, so we've got all the normal tools that are in Kali Linux, there's nmap, new meds courts, and, and all the things that we can pull in from those repositories. The most important thing for us is that we deal with large networks, you know, tens of thousands or hundreds of thousands of nodes in a network. We need to be able to manage that, and so we have our own internal management system where individual pen testers in an engagement can check out areas of networks and check them back in, file reports on, on things, and there's really nothing like that in the, in the public domain that I know of that works on a large scale like that. You know, it's important that you have something like that and that you have a system for managing these large engagements.

Okay, so that's sort of like the umbrella that, and all the other sort of things work underneath, it sounds like.

Yeah, yeah, it's a framework for it. Another thing that we have that's really important for us is that we're able to reduce the amount of on-site time that we have at clients, or even eliminate it in some cases, with our internal tests by deploying an appliance that we've developed. Not only, so many penetration testing appliances are like a proxy, a SOCKS proxy or an SSH tunnel into the network; we have the ability to have a full VPN connection from our office into a client network through our penetration testing appliance, and so we can drop individual VMs on the networks through that.

So you can do a lot more from where you're at.

Yeah, it's a little more transparent, seamless, and there's not as much configuration with the tools.

Okay, so fewer, because, yes, it's through an encrypted tunnel. Okay, so I'm sure it varies from, from client to client, but can you kind of walk me through, like, on average, like, you, you get a new client, you have to either visit them in person or virtually, like this, like what, what are your sort of first steps in diagnosing their problems or setting up a pen test or setting up a system for deciding what needs to happen next?
We try to work with, and so this, like, red teaming and pen testing can be an adversarial thing, but it shouldn't be, right.

Okay.

Our goal is to empower the client to get the resources they need to make changes, and so we talk to them about what they're doing with security now, we talk to them about what their, what they would like to see out of a penetration test. Are they trying to get resources for a particular type of a program, are they trying to use it to improve things? We'd rather not be a gotcha against somebody. We could be hired by somebody as a way to make your IT staff look bad, but nobody wins in that.

Yeah.

And so we talk to them about scoping, we talk about external ranges and internal ranges, we try to get a feel for anything in their environment that they own, that they do not own, things that are third-party that we can't touch. We talk to them about sensitive systems that may have fallen over in previous pen tests from their other vendors so that we have an idea of what we can do without causing a lot of operational disruption. We just educate them about our process and about how we try to do this in a secure way; we don't want to leave the network in a worse state than it was when we got here.

Yeah, or make people, use that to make people feel bad about themselves or their lack of knowledge.

Right, yeah. We talk about reporting and how, what that report's going to look like for them and who that's going to be, the target audience for that report. We talk about all that and then we start laying out emergency contacts and getting, getting things shipped out and getting them to patrolling, and then it's communication throughout the engagement, usually with me and the client directly, and I liaise for the team that's actually doing the engagement, so that at any point they can, if they see some weird activity on their network, they can contact me, I can verify, yes, that was us, or nope, that wasn't us, we found something.

Yeah, you know, we started talking to guests about red teaming about under a year ago, and it's, it's funny how the sort of mythology of it sort of grew and then dissipated, because, like, when it started, like, there was all these, these rumors, like, I think someone kidnapped a CEO, you know, like, how far can you go, can you break windows, can you blah blah blah, you know. But, yeah, clearly this is all a consent-based thing, and obviously, yeah, we're not looking to ruin somebody's day.

No, no, exactly.

Or, like, cause actual terror. So, yeah. Okay, so, yeah, so again it sounds like it's very, yeah, it's aimed at education and it's aimed at, it's sort of, you know, against a consensual situation here, so it's, that's very important.

The goal is to identify the vulnerabilities that are most likely to be used by real attackers.

Right. And, and as you said that before, I wanted to sort of get back to that. What are some of the things, you said that a lot of people spend a lot of money protecting against things that are never gonna happen; can you give me some sort of key examples of that?

Well, I mean, you know, you can spend a lot of money on very nice firewalls and intrusion detection systems pointed towards the outside world, like, measured by looking at that traffic coming into your external IP address, but in reality, you know, you may have one external IP address, everything else is NATed through, and nothing externally can make a direct connection anyways. You should be more concerned with individual hosts inside your network getting compromised through malware and phishing and other scams like that, right, and once the attacker gets access to one of those internal nodes, being able to move laterally in a way that that external firewall, intrusion detection sensor can identify. And so you spend a lot of money on that external without, without realizing that that's not how the attacker's going to come in.

Right. Do you do a lot with the sort of social engineering and phishing type things? Are you, like, putting USBs in the parking lot and stuff like that?

Yes, we have the capability of doing that sort of stuff, and we'll do it on some engagements. You know, generally the, the thing is, is you can, you can run a social engineering engagement and do something like phishing, and then, and you'll, the first time we do it with a client we'll get, say, a 20% hit rate of people submitting credentials, right. If it's a really good pretext, you get, like, 20, 30 percent. We give them the report, we say, okay, we did this many people, thirty percent of them fell for it, you know, our recommendation is to do user education and awareness and all this sort of stuff. And then, you know, a year rolls around, we come back and we do it again on the new engagement, and now it's dropped down to 10%, and then the next time it's 5%, but you never really get any better than 5%. It doesn't matter how, how much you train your users, right, if it's gonna be a good pretext, there's gonna be somebody having a bad day.

Yep, everybody's gonna fall for something at some point.

Right, yeah. And so the trick is, we tell our clients, you know, the trick is, through social engineering, through zero-day attacks, through whatever, pick any random node on your network, assume it's compromised. If somebody's got control of that, are they limited to that, are they gonna run the board on the rest of your network?

There you go.

And so we do social engineering and we test that out for their awareness and their kind of tracking, but in reality we tell them to assume that it's gonna work at some point, and so there's a, yeah, there's a limit to how useful it is.
So we talked about this a little bit before, but I want to be a little, little deeper about this, but you, your background lists a special occasions, you know, specialist, specializations, we're talking, you know, offensive network security, pen testing, vulnerability analysis, reverse engineering, computer forensics, traffic analysis. You know, it's all sort of a spectrum of related skills and tasks, but is it, is it common to have experience in all those areas, or do a lot more people just specialize in one thing, malware analysis or just pen testing?

Well, I think that when you're working offense, you don't really have the luxury of picking what stuff you target.

Yeah, you don't have the luxury of picking your target. It's not like a surgeon where you're just dealing with veins, like you've got to have to know everything.

Yeah, you kind of have, if you're doing pen testing, red team, you kind of have to have a, at least a little bit of knowledge in a lot of things, right.

Okay.

So we have people with specialties, right. We have folks that specialize in web application security, we have folks that specialize in, you know, Windows host exploitation, we have folks like me that specialize in reverse engineering, and for particular engagements, you know, this, that's come into play more often than not, but all of us are able to do a little bit of all.

Okay, so your specialty is reverse engineering out of all of those things?

Yeah, I would say that that's sort of the deepest-dive part of it for me.

Okay, could you, can you talk a little bit about what that, what that kind of job is like? Because I don't think we've had anyone on here who, who had that as their specialty, and I know people would be interested in knowing, like, what's, what's the day-to-day of working on malware like that.

So for, for us, the day-to-day for me for reverse engineering is in reverse engineering ransomware. We have a, we have a product called ThreatRunner that, that provides our customers with de-weaponized ransomware that allows them to simulate the spread of ransomware on their network in order to see what the impact would be, see who has too much permission on the network, what's, where things and things are too connected here. And so I will look at ransomware variants as they come out to identify how they work, see if there's anything you need, that needs to be worked into our modules. We also do reverse engineering for the purposes of vulnerability analysis, to identify how a compiled binary program works in order to find vulnerabilities in it, or to find, you know, hidden functionality, and, and so that's, that's sort of the day-to-day of it. To get into that, you know, I teach a reverse engineering course across the highway at Mississippi State University on occasion, where, where we use the, the Practical Malware Analysis book, of course, from No Starch Press; it's the textbook for that. And, and we lead in teaching that, it's a matter of, uh, we teach, I teach it as a form of design recovery, so the software engineering process in reverse. So software engineering, you have, you have your requirements for a piece of software, you have the design for that software that implements those requirements, you have the implementation, it's the code that implements that design, and then it's deployed and documented and things like that for normal software. For malware, the deployment does not want you to know the design or the intent or the requirements, and so you have this chunk of code and you know nothing about it other than it can run on a computer, it can probably screw it up, right. Yeah, and so you use static analysis and dynamic analysis techniques to recover the implementation details of it, and from that you can kind of gain some understanding of the design of it, and then hopefully determine the, the requirements: what was the purpose of this piece of code, what is the, how does it do it, does, how do we detect it, what are its capabilities, who wrote it, that sort of stuff.
Okay, so in general, what are some of the parts of your job that you love the most, and, like, what are the aspects that get you excited to start a new week, and conversely, are there any parts that you dread having to do, like reports or paperwork?

Or, you know, a lot of people don't like reporting, but, you know, we've really worked hard here on streamlining the report generation process, and since that report is what's delivered to the client as a deliverable, it's important that it's right. And so I spend a lot of time working on the wording of those, working on sort of the language we use and the way we present our findings, making it easy to read, make it easy to read for a variety of audiences, C-suite all the way to the technical folks, right. So we have to demonstrate business impact, and I think it's interesting, and so I enjoy the report stuff a lot. You know, what gets me interested is the, the managing the process of this now, having, being able to have four or five per engagement, very talented people on staff where I can sort of direct them and say, hey, you look over their shoulders and say at any given moment all of them finding, you know, different findings on networks, and being able to troubleshoot problems and anything they're having, technical issues that we're having with our infrastructure, looking at things that we suspect to be vulnerable but haven't proven yet. You know, that it's a, it's new puzzles every day, it's different things we see on networks every day that are, that are interesting, and it's that the most entertaining part of it is the success rate of finding vulnerabilities. You know, we see so many networks and so many hosts that it's hard to say if there's anything that we haven't seen on a network, and, and so every time we see something new it's interesting. So we, you know, for example, one day I looked over the shoulder of one of my team members and he was at a BASIC prompt, like a computer BASIC, like the BASIC programming language, you know, the 10 PRINT HELLO WORLD, 20 GOTO 10 type things, right.

Yeah, sure.

I'm like, what are you looking, what is this? Turns out it was a serial-to-Ethernet converter, and the configuration interface for it was implemented in the BASIC interpreter or something, and so I was like, well, coming from the Commodore 64, move aside, and interesting vulnerabilities and things, and it's just a, it's an intellectually, you know, actually rewarding.

Yeah, so I, I mean, you sort of are answering my next question here, but I know, you sound like you enjoy actually sort of being, for lack of a better word, the puppet master in terms of, like, you know, directing other people. But, you know, a lot of times we speak to people who have become, you know, directors at other organizations or reached a certain point in their career chain, you know, they find that the nuts and bolts of the thing that they like to do gets taken away and turns into days full of, you know, big-picture projects, meetings with clients, top-down planning, allocation of projects to others. But it sounds like you sort of have found a balance there. How much hands-on pen testing and vulnerability analysis do you do, and how much do you spend on these sort of macro tasks, and is that an acceptable balance to you?

Well, I'm lucky, I get to sort of define that myself, right. So I do enjoy the big-picture stuff, and so I do mostly that, but, you know, I'm able to dip into the nuts and bolts of pen testing and, or vulnerability analysis or reverse engineering as much as I want to as well. And, and it's important that I do that for my research and for, you know, presentations at conferences and things like that. It's important that it's new work, and so it's important to set aside a small percentage of time for research as well as management of engagements. And so that's just, it's a time management thing, and, and sometimes you have to, sometimes, and you have to, to state that and command that rather than waiting for somebody else to give you the time for it, to give you permission for it.

Right, yeah, yeah. You do have to take charge of that yourself, you've got to put your foot down. Yeah. So you're a frequent presenter at DEF CON and Black Hat, which are kind of national holidays for folks in our line of work. What are some of the more memorable events or presentations that you've done at these conferences recently?

So I wish somebody would tell me that it was a holiday. It's a lot of work, yeah. It's a lot of, so I do a lot of presentations, I've done a lot of training workshops and things like that out there, and meetings and such, so I stay pretty busy. You know, one thing I've really enjoyed out at DEF CON, and presenting at Black Hat, is presenting some of the work that I've done on vulnerabilities in penetration testing processes. So it's operational security for pen testers and red teamers, essentially. So the tools and processes and things that we use are no more secure than, than the software they were attacking, often, and so, yeah, looking at the communications security, operational security of our engagements so that we're protecting our clients' data in transit and in state when we're doing a pen test is important, and I've really enjoyed talking about vulnerabilities in pen testing software and hardware at this conference. It's a little bit of a different thing. You know, I've also, I've also done some reverse engineering workshops out there and EGIS, and that's always a lot of fun, and it's just a, you know, it's, it's good to see everybody out there.

Yeah, I guess that's the holiday aspect of it.

Yeah, the whole family gets together, you know.

That's right, and hopefully, you know, at the kids' table.
So your bio notes that at the National Forensics Training Center you provided digital forensics training to law enforcement and also wounded veterans. Can you tell me more about this? Is there, like, first of all, with law enforcement, do you feel that law enforcement as a whole is using tools like computer forensics enough in useful situations, or is it still seen sort of as a novelty, or a thing that everyone does or gets to do?

So when we were doing the training in this, it was primarily law enforcement. We would also go to the Walter Reed hospital to do it for wounded veterans, and our focus was on just sort of the basics of computer forensics, the basics of computers in general, leading up to the point that somebody could at least do search and seizure of computer evidence and imaging of computer evidence, and then a very basic investigation. It turned out that what we taught was just enough to where most law enforcement that went through the training could do their own child pornography investigation on their own, right, and say, okay, you know, given an alert to their department about somebody sharing it on a peer-to-peer network, they could go out, serve the warrant, seize the equipment, image it, you know, hash out all the files, identify the stuff that's known child porn, and put together the evidence into a case, give it to a prosecutor, and present that. And so that's what they mostly did with it, and so anything more complicated than that, you know, they would be able to identify that it was more complicated and seek additional help, and we would occasionally assist law enforcement on some more complicated engagements and investigations. That was the main impact of that. And it's been a while, and I think that law enforcement, at least at the state and local level, which is where we did our training, that's where they focus. Anything, the thing about the Computer Fraud and Abuse Act, anything hacking related or anything like that automatically starts crossing state lines and involving computers involved in interstate commerce or whatever, and that becomes sort of the FBI's thing, and obviously they have a lot of capability there for investigating and prosecuting those
crimes.

Okay, and the wounded vet project, part of that, was that sort of a skills retraining to enter the workforce?

Yes, so you get soldiers coming back from Iraq and Afghanistan with injuries, and during their rehabilitation they would undergo this training so they could then go into the private sector or go work for state or local law enforcement, assisting, you know, with these cases.

Sounds great. So we talk a lot on our show, the regular kind of topic here, about the skills gap in many cybersecurity sectors. Is your area of expertise feeling that pinch as well?

Well, we're lucky, like I'd say. We're right across the highway from the university.

Okay.

And so we recruit heavily from there. You know, we have managed to keep ourselves well staffed for pen test and application security testing and things like that.

Yeah, it's just, though, right? Yeah, it's by a knife's edge, basically. Okay.

And so it's hard to find people with these skill sets, but to me, when I talk to people about careers in cybersecurity, I tell them it's yours for the taking because of that, right? You know, if you can find the time and resources to skill up in programming and reverse engineering and vulnerability analysis and pen testing and things like that, you can find that time, if you're privileged enough to have that time, you can sort of make your way into it through that.

Any thoughts on getting people interested and involved in this exciting field?

You know, I don't think, like, it's an interesting field to work in, so I don't think interest is the problem. Yeah, it's sort of the prerequisite knowledge and skills that have to be built up to get into it, that's the issue.
Okay, so we mentioned a little bit before about infrastructure, but we had a previous guest on the show, Emily Miller, talking about security issues with national infrastructure, and I noticed, you know, that you've presented your findings on critical infrastructure security. Can you sort of get me up to speed about the current state of this crucial security battlefield?

So the work that I did was primarily focused on vulnerabilities found in the human machine interface portion of the software, and so, like, your touchscreen control panels and things like that. The neat thing about hacking into those is when you get into something like that, you've got, you know, an operator's view of the network; you have some documentation there built in as to what does what. The current state of that is it's still sort of a little bit, it's still kind of wild, because you have all these control system networks that were assumed to be isolated or designed to be isolated, and then slowly over time life finds a way and they wound up getting connected to corporate networks one way or the other, or other organizational networks, either for data logging, for process improvement, or billing, or, you know, for remote access for maintenance vendors, things like that. And so it's hard to assume the network's isolated. I mean, ask the folks who were running the Natanz enrichment facility in Iran about isolating networks, right?

Yeah.

It turns out to be very difficult to really isolate a network, and so all the assumptions that were made about the isolation of these networks and the obscurity of the protocol turn out to be, you know, not accurate. And so the vulnerabilities that you find in control systems software and hardware are the sorts of things that you would find in mainstream IT hardware and software in the '90s or early 2000s, and it's because there haven't been as many people looking at those systems for vulnerabilities.

Okay.

Even though there's a lot of interest in ICS security, it just doesn't see the same amount of hands-on attack or hands-on vulnerability analysis from security researchers as more mainstream software, and so it's a little bit behind because of that.

Is that just a resource issue, or a skills issue, or is it an access issue?

Right, mainstream IT software, I can go download that and start banging away at it. If I want to play around with a PLC, I've got to find one. It's not an orthodoxy.

Yeah, you've got to get it on eBay or something like that.

Yeah, and, you know, a lot of money on one brand new. It's access to hardware and software as well that prevents it from seeing a lot of research interest.

Do you have any sort of magic wand recommendations that you would sort of put in place to sort of tighten up infrastructure security?

Well, I think that anybody who has some sort of control system network like that needs to engage in offense-oriented testing with firms that are experienced in doing that for ICS networks and have the capability of finding vulnerabilities that are not in public databases, because that's a very small percentage of the vulnerabilities that are actually out there on these sorts of networks.

Would there be a benefit to someone creating a startup that just specialized in updating outdated systems like that, across, possibly?

Yeah, yeah, anything can be done to... The problem is people hesitate to implement changes on their control system.

Okay.

It's so scary to do that, because it's going to increase the potential for downtime, it's going to be an operational issue, right? Or what if we made it worse?

Yeah, what if we make it worse?
So for our listeners that feel overwhelmed by their choices, and we talked about so many things today, what are some inexpensive or easy steps that they could start taking today that would get them on the path to working, you know, in the realms of offensive security and pen testing?

So to get into pen...

Yeah, just, you know, I don't know where to start. What's a, you know, maybe like a real basic tutorial or a real, you know, YouTube or whatever, you know, like where do you sort of, where do you begin? You know, number 64 is anymore.

So getting a hold of the Kali Linux distribution, getting that going on a virtual machine, and getting into some of the capture the flags and VMs that are out there, and the Damn Vulnerable Web App, and some of the others, Metasploitable, just to give yourself a target to shoot at, basically.

Okay.

You know, just getting started playing around with the tools in there, and not just playing around with the live attack scripts that are there in Kali or Exploit-DB or anything like that, but look at the vulnerabilities and understand how the code in this particular PHP web application made it vulnerable. Now try to find that kind of vulnerability in something else, right? Like, start recognizing the patterns of vulnerability, applying them to other code, and I think taking an interest in reading the exploits instead of just launching them is probably important.

Okay.
So as we wrap up today, where do you see the task of offensive security going in the next five or ten years? Are there things on the horizon that are exciting to you?

Well, I think that the networks are going to continue to get more complicated and more complex, more nodes, more interactivity, more to do on these things, and so it's going to be more and more important that, for security reasons, that you have that sort of actors, because again, there's going to be a lot of things to be worried about and worry about securing, and when you really should be more focused on what the attackers are really going to use. I think in offensive security especially, I think we've got to move from just giving them the list of vulnerabilities into some more analysis, network-wide, of these things. And so we talk about having security analysts and things like that, but we never really defined what analysis means. And so the idea is that with so many tens of thousands of nodes or whatever on a network, you're generating a lot of data. Our database of findings and scan results and things like that are very large per client, and the question is how can analysis be used to generate a report off of that that gives them some actionable information on not just where their vulnerabilities are, but where they're likely to have vulnerabilities, right? And this part of your network is very complicated and maybe one person or organization understands it, right? So, yeah, that's something you should be concerned about. And so it's not a fix for a vulnerability, but maybe you need better documentation there so that everybody understands it a little bit better.

Do you have a sense, if people are starting to sort of do their training and sort of get involved now, are there skills that they should be sort of learning now that are going to be sort of coming to the fore in five years, ten years?

You know, just having that sort of low-level knowledge, like if everybody's learning how to program in Python, you need to know how the Python interpreter works. If you're doing C programming, it's knowing how the compiler generates code from that. And so I would say look at whatever's being implemented. And so a couple of years ago I did a talk at DEF CON on Docker security, looking at just how are people creating Docker applications made out of multiple containers and how they communicate with each other. You know, if you're going to attack a Docker application, then learn how Docker works, learn how the networks are implemented on the back end of that, learn how those VMs, or those containers rather, can talk to each other. Wherever you see the trends going in development, start looking at how those technologies are implemented so that you can understand it better than the people writing the code for it.
Okay, so let's wrap up, and tell us about HORNE Cyber. What does your company do, your primary products, and your statement of purpose?

So HORNE Cyber's primary focus is on this offense-oriented security, the penetration testing, red teaming, application security testing, vulnerability analysis, that sort of stuff. We also provide a cybersecurity SOC as a service, and so we'll do network monitoring for some of our clients through that service. Our first product that we've developed and put out there is ThreatRunner, which is our ransomware simulation product that sort of embodies some of that reverse engineering knowledge of different ransomware variants, giving you the ability to run those on your network in order to see what the impact would be like, like what systems is it going to spread to, what files is it going to encrypt, how fast is it going to do it, that sort of thing. This particular user has access to tons of shares they have no business accessing, so if they get hit by ransomware, then everything goes very quickly. And so it gives you a little bit of a view on that, and so that's the product, but the primary focus is on that offense-oriented security.

Okay, and if our listeners want to know more about Wesley McGrew and HORNE Cyber, where can they go online?

So HORNE Cyber, H-O-R-N-E-C-Y-B-E-R dot com.

Okay.

Also it's on Twitter as HORNE Cyber. ThreatRunner is on Twitter, and also my Twitter is @McGrewSecurity.

Okay, lots of interesting insights there. Very good. Well, we'll have everybody go follow Wes. Thank you so much for your time today, this was really fascinating.

No problem, it was a pleasure.

And thank you all for listening and watching today. If you enjoyed today's video, you can find many more on our YouTube page; just go to youtube.com and type in Cyber Work with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your work day, all of our videos are also available as audio podcasts; just search Cyber Work with InfoSec in your podcast catcher of choice. And right now we are offering a free month of our InfoSec Skills platform, so just go to infosecinstitute.com/skills and sign up for an account like you normally would, and in the coupon line type cyberwork, all one word, all small letters, no spaces, for your free month. Thank you once again to Dr. Wesley McGrew, and thank you all again for watching and listening. We will speak to you next week.