Hitch up the wagons and polish your spurs because it's high noon and the searchers, are looking for a way into your network. October is national cyber security awareness month and infosec, is helping to tame the wild wild net with our collection of free, training resources. That will make your employees, the masters, of the cyber frontier. And bring cyber security, to the forefront, of your organization. Go to infosec. Institute, dot com slash. Ncsam. 2020. To download, our free toolkit, containing, a, coach full of provisions, to run month-long, security awareness campaign. Including, posters, infographics. Newsletters, email templates, presentations. And more. Grab cyber security awareness month by the horns with this wild, bunch of free material, from our award-winning, lx labs team. Just as the wanted posters in the wild west help the public recognize, the region's most notorious, villains. Our free training kit reveals the identities, of common cyber threats, to help prepare your employees for the real attacks they face. Again go to. Infosecinstitute.com. Ncsam2020. Or click the link in the description to get your free collection of training materials. And help spread, security, awareness. And now, let's begin the show. Partner. Welcome to this week's episode, of the cyber work with infosec, podcast. Each week i sit down with a different industry thought leader and we discuss the latest cyber security trends how those trends are affecting the work of infosec, professionals. While offering tips for those trying to break in or move up the ladder in the cyber security industry. The story of my guests today, is as they say ripped straight from the headlines. Gary democurio. And justin nguyen both of the company coal coalfire, were arrested, at the dallas county courthouse. In iowa while doing red team pen testing for the state of iowa's judicial, branch. The story is fascinating, i'm going to, let them tell, tell you all about it. But for cyber security professionals and red teamers in particular, it's a nightmare scenario, and like many of these wrong place wrong time situations. Uh there's a chance that it could have gone a different way if law enforcement, had been a bit more understanding, to the nature of what needs to be done to, ensure a strong security profile, so, i'm going to talk to our guests. Not just about the story in all his details, but i'd like to see if we can get a sense. Of some of the legal gray areas, currently around red team operations, futures of such activities. And the ways that it can be made more safe, without reducing, effectiveness. Gary d mercurio, runs one of the largest, groups, in coal fire labs as a senior manager working with technologies.
Every Day, his expertise, focuses, on social engineering, physical testing, and network devices. At coal fire gary manages day-to-day, business, involved with fedramp. Pci. Hipaa, and penetration, testing. While helping to spearhead the physical and social engineering, portion, of testing. As a senior security consultant. Justin nguyen is responsible, for actively, compromising. And reporting. On virtual environments, typically, encountered, at fortune 500, companies. Justin performs, wireless. Physical. Red team and social engineering. Engagements. Justin also conducts, research, to include, production, of open source models. For printing, milling to aid in red team engagements, as well as. Specific, regard to tool gaps. In the lock sport industry, as well as master keys for access control, and elevator overrides. Currently justin is researching, security, vulnerabilities. In various rfid. Devices. Gary and justin thanks for joining us today on cyberwork. Thanks for having us thanks. Cool. Uh so i want to start with your background we got a little little bio there but, how long have you both been in the security, industry. And, how long have you been red teamers specifically, and what was your path to that type of work. All right let me let me go first because gary has an amazing, background, so he always stumps me if i'm not first so been in the industry for about five years. Broken from scratch i was a marketing major coming out of college and then trying to realign, what i wanted to do with my life, i really liked urban exploring. Um, everything to do with physical security, uh military, type stuff and i wanted to see how i could make this work in the civilian, uh career style so, um ended up figuring out a lot of this is all virtual work that's where a lot of the money comes from pci, and hipaa um, that's how we keep our jobs most of the time, um and then on top of that if you can get in a physical security position, really coveted, very difficult. Uh but the way to break into the energy. Into the industry was virtual, so i started getting my certifications. Um studied on my own while i had some other jobs and eventually just started sending out applications, and coal fire was kind enough to give me a chance. Cool. How about you gary. Uh in my former life i was a helicopter, pilot for the united states marine corps, and uh we have. Now if you know much about marines but we have about 50 jobs each. And, one of those jobs was building and maintenance, and for the building and maintenance, i was also responsible, for the super volt that we have in the squadron, so. At some point my my oic, came to me and said hey you think he can break into this and i said well sir i built it i know exactly how to break into it so. I broke into it i was successful, and then and from there i kind of, kind of was asked to do another and another and another so that's that's kind of the genesis, of my, of my breaking and entering. Um for my life and then i got out and i became an engineer, and did something else in another life and then. That started to get really boring and really easy and i thought to myself, was like, i wonder if i could break into stuff for a living and so i started doing some research, and lo and behold that's when i found red teaming and yeah i said well how hard could that be and so i went out and. Got a master's, degree, in, in. All things computers. And and uh coalfire, gave me a gave me a shot not having a whole lot of experience. Um, at least in in consulting, and things things of that nature and then. The rest as they say is history. So it sounds like uh you know justin you mentioned specifically, interest in physical security, do you do you guys each have sort of like us. A, sub specialty within red teaming like you know you're the physical security guy and you're the computer. Security, guy or do you sort of, uh. You know, do you guys work as a team all the time. And um when we can it's definitely preferable, we have just good team dynamics. It's really strange every time you go out on a red team um. Your partner is very important, and how you guys flow with everything so a lot of times like once you work with somebody like gary. It almost becomes nonverbal, so you just kind of nudge them they know they're going one way you're going the other and you're working towards the same objective. And of course yep definitely have different skill sets different things that we focused on in the past so. I'm pretty heavy in the virtual stuff networking, rfid, and gary's great and all those too, um and gary's a great lock picker uh excellent physical bypasses, and social engineering so yeah we just kind of bounce off each other in that role.
Thanks. Uh so you know i know you've you've, been on you know the promotional tour and you've, recounted, this a million times but if you don't mind could you walk us through the event, uh yourself if you don't mind can you reconstruct, the work, you were doing at the courthouse, the moment you tripped the alarm, to the authorities, and the response when they arrived. You want to take a g. I suppose. Uh. So, let's see um. If if we're just going over that portion of it we we actually arrived, at, about 11, 30ish. If, i if i recall, correctly. Um we kind of did a walk, uh, walk around of the building when i say walk around typically when you go to a building and you haven't been there before you walk around and you check the whole thing out our walk around was we parked in the back and walked to the front. Um, when we got there the the sheriff's department's actually right across, the street from the courthouse, so it wasn't like it wasn't like a surprise, that we knew that the, police were close by, right um, yeah we walked up and and, justin. Was trying the door at the same time. I was trying a badge that we had taken from another building just to see if they had, multi-building, access. And so i was, beep and then justin opened the door i'm like did it work. It was like. No it was just open i was like oh okay. Just just. Just shut the door and then we proceeded, to bypass, the uh bypass, the door just to just to give them the benefit of the doubt the. In this. Uh i don't say the scenario but this engagement. Overall. There was an overlying, theme which was, really easy access to everything. Okay. And so. This was another one of those times where we just kind of shook our head said okay let's give him the benefit of the doubt. Let's what would happen if, there wasn't a mistake or what would happen if somebody didn't leave the door wide open somewhere else. Which again was a recurring theme so yeah we yeah we shut the door and then and then just went from there. Was it just that the door had like not closed all the way or something like that, yep that was that was it old door right yeah. Real super super old courthouse. Right um they still have they literally still have the, um. The, the original, latch, on the doors, from right a hundred years ago probably. Okay, they've they've of course saved up there's my dog. I'm on cue, they've they've upgraded, the guests on the show today yeah. They've upgraded, things. Um. In in uh, putting a crash bar on the back of the door itself but the the actual, old-school, locking. Mechanism. Of the door is is still there. Okay, and i think that's actually what, what interfered, with the old locking mechanism, of the of the old door handle that was there and then the latch wasn't able to. Right, if i remember right i don't know i could be wrong but, so you heard the alarm going off and you're like okay we're just going to wait until they get here and we're going to explain ourselves and then they. They arrived, and they didn't want to hear an explanation. Kind of actually there's there's a little bit more to it than that we as soon as we went to the door there's an arm panel around the side and part of what we do is to make sure that people aren't using default codes. Right um because a lot of people set up their alarm and they never change their yeah one two three four or something yeah right and it's always the same depending on on, what what uh, what company you're using what companies installed, okay instantly learn panel so that's the first thing we did was try make sure they're not using default codes. Um, usually have 20 to 30 seconds depending on the alarm system to, to punch in said code. After we did that after we went through the the codes, that i could remember. Um, we actually set the arm offs ourselves. I just kept hitting the same, number. Over and over and over again to see if it had a lockout, on it and probably, the, third, code i think i tried excuse me, third coat i tried. Um or i should say the third entry, of. The bunk code i knew wasn't going to work. Actually set it off so it did it went off about 10 seconds early so as soon as the alarm actually went off in earnest, and, and started blaring. I turned to justin justin was actually there.
For. Um, kind of a i don't want to say a training regiment, because the guy is brilliant but, it was, like the next step in the evolution, is he was he was supposed to take over, the physical, aspect, of, of testing a coal fire and so part of the. The lead of that is to teach, others. And so that is basically what it was for is is that was supposed to be justin's. Justin's. Um. I don't know what do you want to say certification. Nutrition. Yeah. Yeah whatever, whatever you want to call it where, where i kind of i came and gave them the ominous dominus you're good to go and you can go and train, train everybody and take over the. Physical world this is what it was so yeah i was making him. Making him i was letting him make all the calls right so, what do you want to do do you want to you want to bounce or do you want to stay here. And, again, still under the training guys to see which which he would do but i, you know i i, i helped, i don't to say i trained because i definitely didn't do that but i helped train justin, on a lot of things so i know he makes the right decisions, because i helped him make a lot of those decisions, earlier that's correct so, um but again once again his, decision, making was impeccable. Um and he's like no we're not doing anything wrong we're gonna get out of jail free card we're we're here under the you know order of the customer so let's just wait and, see if. Uh. Law enforcement, shows up and so that's what we did i mean it and to be honest it's the right call there's a lot of a lot of people in the industry. That would have left. Right and and there's a lot of people in coal fire that would have left and that's the wrong choice. Yeah. Yeah, you're you're sort of saying you're you're telling a different story than you mean to be telling i imagine, yeah oh yeah. Yeah, you look like now you look like perpetrators, is running yeah. Yeah, there's there's, yeah there's this uh and we've actually given, we've actually given talks on this is there's a lot of people out there who have this, this pride. Welled up of never being caught. And, it's it's if you're never really ever getting caught you're never really pushing the boundaries and you're right. Testing every, aspect, of the customer, that you should be testing you're you're letting your pride get in the way of well i've never been caught i've never been yeah no one's ever got me it's like well, you're not testing right if you've ever been caught, absolutely i've got to identify that threshold. There's one one other thing that went into that decision-making, process too this was kind of midway or almost towards the end of the week-long engagement that we've been working on, and every other facility we were in no alarms were set off no response. So this was kind of the first time we're hanging around we're like all right we need to see if law enforcement shows up and actually you know uh responds to the situation, at hand. Yeah that's i mean and that's something for the report right there is if you know if an alarm goes off and they're like oh no it's probably fine like that, because it has happened before yeah yeah they can imagine, like the same proximity, to the police station they're just not wired up to dial out, right, so i mean you know. In an ideal version of this you know the the. Authorities, would have come and you could have said you know we're here doing a red team we have paperwork, we have contract whatever and they'd be like okay fine. But there was a sort of a perfect storm of misunderstandings. Here and and it sounds like some county versus. State jurisdiction, rivalries, and maybe a desire to sort of teach you a lesson, and so how did that lead to a night in jail and punitive veil. Well you know it's funny that you mentioned that in another scenario that would have happened, because you're right. Except it did happen and it happened in this scenario. Right they did show up they did let us go, they did. Everything was fine until the sheriff showed up, the responding, deputies, were extraordinarily. Professional. No one was was as they put john wayne nobody did anything they shouldn't have done nobody pulled a weapon. Everything was, 100. Cordial in exactly, the way, that if we were going to write it up in, a training seminar, to give to new, new physical pin testers, is exactly what we would say you should do and that the.
The Cops the police should react. And, that's exactly what happened and it wasn't, and, it wasn't until in our, our talk that we gave in black hat we actually show the body cam footage, of them letting us go saying yeah you guys are good to go and somebody said are we going to wait for the sheriff. And now their officers, said i was deputy because his deputy shares. Another deputy said no no they're yeah they're good we verified them they're okay, and so they let us go and it wasn't until the sheriff showed up, and he said no you hold them they're going to jail i don't know what forbes is going to go jail for some. And then he walks away and he gets on the phone and he decides what he's you know. Charged he's going to trump up us up trump up on us and right and so yeah and that's that's when the whole. The county, versus, state came into play when was. The boss the sheriff showed up and he was the one that was upset no one else was mad, everybody, else knew we were under contract. Right and then then the the judge say something like she didn't know what what what, red teaming was but it sounded bad or whatever and then they sort of bumped your bail up. She didn't even say that that would have been nice. She was, she was you all need a different story. You know did i fall off the turnip truck yesterday, type of thing, wow like this this you you're gonna have to come up with a different story because this is a ridiculous, guy so she was like oh red teaming right i guess yeah yeah. She just straight up thought we were criminals, wow. Oh my gosh, yeah i i don't think she had been given all the details, of the night prior when we went up in front of her she said oh you're breaking, this courthouse, this is how the state does it we don't do this type of work this, you guys need to come up with another, story this is just wow that's crazy that you think i believe this, so it became very clear you know the sheriff everyone the previous night had, verified, us called our point of contact, knew that we were there on contract we showed them contracts, and documents everything that we had, so they they knew we were verified, and then none of them. When i walked up, my understanding, was or at least what i would think, was. Um, that the sheriff would have said something or the prosecutor, would have said something, prior. Or even during would have said, hey ma'am you know this this is a this is a situation. Of. Of. State versus, county. And these gentlemen, are working for a private company and they were hired by the state however. They shouldn't have been there or, however, we, believe. X y and z that's, that's the way that we thought it was going to go and it did not go that way the sheriff. Knew we were verified. Spoke to our spoke to the people that sent us there, our contacts, himself. So he says. And then he just sat there in the gallery. With his arms crossed with with a smile on his face, a smile, you know a, smug grin. Yeah yeah yeah, and, and. Didn't say anything, and even when even when the the judge was. Saying, this is ridiculous, this doesn't happen we don't do things this way. Completely, contrary, to everything that the sheriff knew to be true, he just still just sat there and said absolutely, nothing, wow. So yeah, you know obviously stories like this send off you know all the alarms in cyber security professionals, brains because you know it's not only the worst case scenario. Of you know a legitimate, and consensual work process uh project but, you know also because of how it looks to the outside world you know that we're you know, just hackers that are breaking in and then retroactively. Constructing, an alibi, so, you know uh you know we've had these, i've had a bunch of red team people on the show before and i always like to ask like what's the line you cannot cross because in the outside world, you know red teaming looks indistinguishable. From actual hacking, and you know when people think well they're, kidnapping, the ceo, or they're smashing windows or whatever but, you know obviously there's a whole lot different to it but i want to get a sense of how. You know you mentioned a little bit of how this could have been prevented. Uh, in more of a macro way not in this specific situation, but like, what information, or processes.
Could Have been put into place that would ensure that you could still do your work as secretively. As possible while still keeping yourself, safe from inappropriate, intervention, from law enforcement. So i think all the typical processes, were in place that have always been sufficient for any encounter in the past and we had client contacts, we had signed contracts, we had a letter of authorization, to get out of jail free card, and that's been sufficient, for every single engagement we've been on except for this one and, honestly i don't think there would have been any way to prevent this other than having maybe law officials, or law enforcement officials who respect the law and use their authority, appropriately. It probably could could have been prevented, if a particular official had been notified. But historically, that almost always reduces, the effectiveness, of the engagement, in the testing, so you'll be working an environment that's more secure for that week while you're on site, than it ever realistically. Is in the day to day, and the point of that testing is to emulate, uh real life threats, and in a realistic scenario, so, anytime, i've ever been on engagement where the client notifies, the security, team, every door is locked they're doing patrols, that just all 24 hours that never happens so, it kind of degrades the value, yeah it's, when the restaurant, knows the food critic is coming you know everyone's exactly. Clean behind the fridge and everything like that so yeah, um, so, uh. Yeah is there is you think there's any kind of, before and after moment about, the way red teaming, just can't be done the same way now or is this just an outlying. Event that uh, you know we can learn from and move on to. I'd say red teaming needs to be done this way that's why, why we do these engagements in an offensive nature, um i mean kind of the modern. Red teaming, um, evolution, came from dick marchinko, from uh seal team six who invented red teaming, and part of his job was breaking the military bases, or planting, bombs near air force one and there's no way you're gonna identify, those kind of weaknesses. Exist unless you're doing an offensive. Test in nature, so i think this was a teachable moment. That there's some places across the states that maybe aren't up to speed as some, other states may be and i think this was more of an isolated, incident. But it's something to be mindful, of that we're still not there maybe some other things have come a long ways. Hackers are still fighting the the age-old fight that we always have been that we have this huge negative bias, in the public perception, that we're the bad guys when reality most hackers are good. Yeah now i mean. I mean this sort of speaks to also. A need for a baseline, level of of. Cyber security. Understanding. By law and you know, not not. For law enforcement but like everyone in in, in government because you know you hear, stories about sort of you know, congress people who are passing, you know laws about like privacy, and security, who don't quite know how the internet works and things like that but, you know this sort of speaks to those, sort of wide gaps in terms of, uh you know people who are, adjudicating. On, security, issues but don't quite know. The sort of ins and outs of that i mean do you have any sort of, prescriptive. Uh suggestions, in terms of uh, you know just a baseline of security knowledge for people who are in charge of laws. I don't know if there's any hope there to be honest with you yeah. It's it's. To take it down a level from, from. Just. The political level, right. Um you you've got the, you know we'll call them the defensive.
People Right so you get your facility, management your your, uh the people that are in charge of just the facility, in general they have. They have. If you go out and you look at, indeed, or something. And you look at facilities, management, or a facilities, director, or something of that nature the people that are supposed to be responsible, for making sure that buildings are secure. Um they have lots of defensive, titles they have lots of certificates, that they're supposed to have and, all these things that there's, all the training. A lot of times you say hey we want somebody who's prior law enforcement, or who was in who is in government, secret service or the fbi, and the reality, is, none of those people have any idea what the heck they're doing and i'm sure there's a lot of them out there that are getting mad at me for this but it's true. Um. We, we crush them i we don't we don't win we don't beat them we crush them, we walk right by every single thing that they have in place. Because we know we know the weaknesses, and so it's it's idle. That this stuff gets tested because there is no, i don't want to say there isn't defense there isn't a current defense, outside of hiring, somebody like us. Or somebody like us in the industry. To actually put your defensive, measures in place. Because they they you're they're using old, archaic. Antiquated. Systems. And and procedures, that have been around for years and years and years that never had to stand up to rigorous, testing, like this and that's what's in place. And so a lot of times especially, when you have. You have lobbyists. Or you have, um. Or even when you have politicians. A lot of them are older. And a lot of them. Fall back to some of these antiquated. Positions, or to, think that, the best person to secure a building is going to be a secret service agent right you're right the best person to secure a building. For an individual, target going into that building to make sure that they're not attacked, is a secret service there you go yeah the best person to secure a building to make sure that nobody can get in is not a secret service agent because that's not their job that's not what they do that's not what they're trained for but yet we have this archaic, knowledge. Or notion that they're the best ones because they protect. An individual, asset, not. Not a building, so, you got to start there first. And then work your way up because they're those are the ones those are the people that, that the government speaks to those are the ones that the politicians. Rely, on to give them knowledge and they're giving them outdated, knowledge that is not accurate. Yeah. Yeah and, sort of i want to pull back a little bit in terms of. You know the general, concept, of of red teaming, uh. Something i ask a lot of red teamers do you think that red team, red teaming is is over prescribed. And by that i mean, you know there might be a perception that every company organization, of a certain size needs to get red teamed in order to show their, you know their security system is impenetrable. You know but they might not have even really done the work necessary, leading up to it you know whether it's basic pen tests or, simple fixes like improving the key card or the door lock system. You know and so i it, almost has kind of like a badge of well we we're big enough we got to get a red team you know on here do you think organizations, need to know more about their own system. Uh first before hiring red teams, to attack them. We do. We do and justin, has. The perfect, solution, for that don't you justin. Trying to anyways, um, so. I'll say no i don't think it's over prescribed, totally understand your point absolutely, you need to eat your own dog food show up your own bases as much as you can, and you're going to get more value out of a red team or a penetration, test at that point, um so do your volume scans first and then once you guys have applied your own knowledge and fix what you know how, bring in the experts who can take it to the next level because because nobody knows everything and that's that's why you need these types of tests. Um, there are different approaches.
So Maybe, uh before you have your first red team engagement where you have absolute professionals, coming on board and they have 30 different attack patterns that they can breach your facility. Do a a whitelisted, walkthrough, so hire a company like coalfire, to come on site and we'll walk through with the security team and then walk through every point of ingress, and work through all your technology. Show them the vulnerabilities, hand on the report in more of a blue team manner rather than the red team manner that we're typically familiar with, um so that's that's one thing we're trying to do to try to bridge that gap but overall i'd, say no under under prescribed, more organizations. Need this. And that's that's both from outside people coming in and doing these assessments, and then also having their blue teams apply that knowledge and raise that threshold. Okay and, how i'm sorry good, no i was just going to say. The reason that we're so vehement, about people doing this is. The. The individuals, in the companies that we work with, are the ones that are that are kind of hitting their chest. There well there's two there's ones that are hitting their chest saying, we're, invincible. And then there's the other ones that want to, to affect some sort of change. And so they want, us to show. Whoever, their their ceo. Or whoever is the decision maker is how, vulnerable, they really are interesting, and those are our favorite ones because they want us to do everything and they give us free reign, um the other ones that you can't break in here we're a bank. Right we work we work with the people who think they're the best, and we walk right in almost every single time, right every single time i have to imagine they might be a little more sore losers, and maybe, less likely to sort of like take your prescriptions. If they you know if they if they feel that their feelings got hurt or something. Yeah it's it's weird they they hire you but then they don't really want you to do the best job you can possibly do it makes them look bad but yeah, and again that goes back into. Which. What what experience, do you have in this you have, this old experience, that doesn't work, and right and, they tell you it does and they tell you if you do x y and z that. It's it's going to be nearly impossible for anybody to get in and the reality is not that, so yeah, we it's, under prescribed. Because. Of. Uh over confidence. Right. Especially with the case of the the courthouse, here but in general like how long does a red team. Operation, take is it a matter of weeks months. How long do you think this one would have taken the iowa courthouse. So we were given a week which was. Some of the reasons why things went the way they did we had five buildings. In five days which is just kind of insane if you're doing a job properly you have your recon enumeration, you know all the detail schedules, of all the staffs and entities that are working in that building, um, so, you can get up to a week for a building which for for us a coal fire would be pretty generous but that's that's very common at other organizations, so if you're looking to break into a museum. You may need a month to set up everything get everything in place and do the proper reconnaissance. So this was a condensed timeline, i'd say most most engagements, are about, five days and it varies based on the facility. And number of buildings. Okay. Uh so uh you know the the primary focus of the cyberwork podcast, we like to obviously, talk new stories and and cool things like that but we mostly want to, sort of impart, on behalf of our listeners who are just considering the cyber security industry are looking to move up in their, jobs or careers you know get some some ideas for them so i wanted to ask about working in red teaming and pen testing as a whole, what advice would you give whether, about education, or skills training or, areas of inquiry. Or just things to make yourself. Uh more knowledgeable. That you'd recommend for people who want to get into red teaming. Right now in 2020. So yeah i mean it's a modern era i started about seven years ago but i did start from scratch so i think i have a really cool story about coming from nothing and knowing nothing about the industry or even that this industry existed, and then becoming a senior security consultant. Um so part of that path was just a lot of long nights i'd be working. 10 12 hour days and then coming home and studying for another eight, and my progression path was, learning the foundations, first absolutely had to lay that foundation, with the comptia, a plus which was a 1200, page book read every page of it, and then network plus same deal 1500, pages right every page of it we're then working towards security plus and ceh, so certs definitely have a place if you don't have any prior experience, or knowledge, that's something great you can take to a potential employer and say hey i did pass this i may have some of the requisite, skills for this.
Um, So studying on your own absolutely, and then just shooting your shot so getting involved in the community. One of the big things that got me in was my hobbyist, interest in software-defined, radio, so showing. Different skill sets and different interests across the board and then networking, at the security conferences. And eventually just sending out all the applications, that you could and when it was time for me to apply a coal fire, i told them because you know i'm new i didn't have really anything that i could show for myself i had to be there in person so i flew out to colorado. And did my interview in person in the office so i could kind of demonstrate. Not social engineering, but you know sociable skills that's part of the consultant role right along with technical. Acumen as well so, bring that all together and then once once i finally got the job i was. Extremely, fortunate, to meet the people that i did, who raised me so these were hackers that have been hacking for 20 or 30 years and just, really took me when i had like no business i wasn't even reading error output and like trying to diagnose, the issue and these guys were walking me through and telling me like this what you need to look at this is how you learn and grow. And it's been a transformative. Process, like really has reshaped my mind because of, uh kind of the, trial by fire that those guys put me through and and i loved it so absolutely i would recommend the career to anybody. Um and you can do it even if you start from nowhere it's just going to take a little bit of time and hard work, thanks. Um okay, oh go ahead. If if you don't mind i've got i've actually got an employee that didn't finish high school, okay and he he later went to get his ged. Um but, but traditional, high school he just wasn't, it wasn't his thing. And and uh i'm gonna call his name on his name is marcus and he's brilliant, he uh. He's got, he's got the the tinkerer's, mindset, he's constantly, working on things he's, putting together. You know boards from 1980s. Re-soldering. Them seeing if he can bring him back to life. And, as, as a hiring manager. The one thing that you're looking for is is that. Hobbyist, attitude, or jobbist. That we used to say at coal fire. Where, where you want to bring that home and you love, exploring. And fixing, and, and learning new stuff and doing it on your own and. Um, the majority of the people that i've hired, that have turned out really really really well that didn't have a lot of experience, for the ones. That did exactly what justin's talking about is is they went home when it wasn't their job and, and learned it and not only learned it but loved doing it it was exciting it was fun for them. And they put a lot of extra effort into it so for for new people out there that are looking to get hired by, someone like me or somebody, else, in the job and get started. You're not going to get hired, because, you can break into a building, and you're an excellent. Um physical, penetration, tester because there just isn't unless you're you know you're like red team alliance or something that that has a lot of that job or a lot of these jobs yeah there's not a lot of places to practice that otherwise. You're, you're gonna have to, you're gonna have to get the base skill set of just being the network. Application, penetration, tester so that that's really where you have to start but, man every every time somebody walks through that door and they're excited. And and, even if it has nothing to do with pin testing if it's something technical, or something with computers. And they can show some sort of, experience. And, and desire, to learn that and the passion. Man that that that trumps that trumps, anything. Yeah almost every single time we've had guys walk in the door that were super smart. But just wrong attitude, and they were you know a8, through the gate i'm done after this i don't want to do anything else i'm not really interested in it but i just happen to be good at it.
I'll Take a i'll take a passionate guy like marcus who grows up and, ends up becoming, a great great pen tester any day, that's great and you know that's that's a thing that we're trying to sort of change in the industry, is this, you know these sort of hr gatekeepers, of you know who who only want to see, people with you know college degrees, or certain, you know. Academic, or experience, levels but it's, it's sort of a slow, hard, sort of sea change to get lots of people to agree that, you know you have to look beyond. Uh certain letters on the person's resume or whatever and sort of look to their passion. So. Um, so yeah. It sounds like you say, again that this is you know hasn't changed things, much necessarily, but, do you think there are any suggestions, for making. Uh tasks like these red teams. You know safer and more transparent from now on has coal fired changed their process, at all based on this incident to, sort of. You know go one layer up in terms of letting everyone know what's happening and preventing these sort of incidents. So, i'd say just like you're never going to have an environment that's 100, secure there's an inherent risk that comes with. Especially physical red team engagements, oh yeah. And you're never going to get rid of that so i mean it's good for the testers to be aware, gary and i both know it's it's a very real possibility, that we could be arrested, on the job or potentially, shot. I think the chances of that are almost minimal based on our training, and how we encounter, and approach and work with law enforcement, in those scenarios. Um. And it. Is absolutely key but as far as coal fire and, process changing it's coming up on a year. And we're still working on changing some paperwork, and getting some other things moving but, finally now we have a dedicated, task force. Towards this and we're trying to get community involvement, to. Either get some laws on the books change so i think that's a great way to speak to the politicians, that speak their language, and just like you have, a safe harbor law or a good samaritan, law we need something similar for red teamers and while it may not prevent, an arrest, like in a situation, like this, it may give us more recourse, down the road to have charges immediately dropped or just walk away from things cleanly without it dragging out for six months like it did. Um so work is being done um i know chloe mustagi, does a lot of work in this arena too so we're trying to partner up with some, key thought leaders around the industry, and make positive, change both internally. And and, at the legal state and federal level. So i i noted in some of the uh the articles, reported, on you know that reported the story that that coal fire ceo, tomic andrew was praised for not hanging you guys out to dry or distancing, himself from you and, the controversy, which implies to me that other companies, might not have been so understanding. And and might have hung you out to dry so is, would, would that be a common response, you know if you're going to go to work as a red team or are there things in your contract that you need to be, watching out for, sort of you're on your own clause in there or something like that. Well. The unfortunate, thing about contracts, is it doesn't really matter what's in the contract.
Come Come to that. That uh, that crossroads. And if you're. Uh. A ceo. With less of a spine than tom is in in legal says. Leave them in there like. Ours did. You know the next next ceo might just say okay. Because that it and illegally. That this is a terrible thing to say but legally, it's not necessarily. The wrong thing to do right right, you don't know what your pen testers, did you don't know if they actually did something wrong yeah okay so, leave them in there until we find out what they did wrong because we don't want to hitch our cart to that horse. Just in case it's the wrong horse, type of thing. Fortunately, for us. Tom's, known, us for a very long time, and and, we are. Pretty good at what we do. And so tom was hedging his bets that we didn't do anything wrong that that he's seen enough of us. Um, he's seen enough of our work to know that that we don't do. Things that would involve us getting arrested, when we're on the job. Uh, so that that was, good on him for, having the wherewithal, to say. Find me an attorney, who says bail them out, and then walked away which was you know great, my favorite part of my story or favorite part of this entire story is when tom said that to the executives. Yeah. That's a great table top exercise, for employees to run through with their employer, hey what's going to happen if anything like this did happen or if i'm out of scope because a client gave me a wrong ip, and i have authorities knocking at my door what is the company going to do for me in this situation, so, absolutely review your contracts, tabletop, exercises, uh with your employer, and then, dave kennedy's, trusted, sec open sourced a lot of their documents, especially pertaining to physical penetration, testing, so i'd review those and see kind of what protections, they have in place and then see if you can get your legal team to adopt some of those as well. Nice and and really what it's going to do it's going to protect you after the fact. So even if they decide to leave you in jail the recourse you're going to have later is is a civil suit against your company for not doing what they said that they were going to do in the contract, but, as far as making sure that they're going to bail you out hey. That is that's the one thing you want to make sure make sure you're working for the right company the right people. Okay, so. I want to sort of jump sideways, a little bit then, you know if you don't have, an opinion on this this is fine but there's something else that, i read in the news that sort of speaks to a greater issue, between the courthouse and this other story but, uh you know the, the company talk space, you know there was a security researcher, named john jackson, who found. An apparent bug in the company sign up function that allowed him to get a a free membership, without vetting whether or not he he qualified. Uh, it's a you know insurance, thing for a psychiatry. Website. Uh you know the bug discovery, was rejected, by talk space as not real and then sent him a legal threat for pointing it out, so i'm wondering if you know things like bug bounty programs and aggressive pen testing methods. You know are often finding these issues that companies, don't like to think about is there anything to be done, to help organizations, like this accept responsibility. Or are these just always going to be. You know there's just going to be people who, who don't get it. It's it's a very real issue that hackers have been fighting since the dawn of hacking right for decades this has been going on, um, i would really, here point to, disclose.io. And a lot of chloe miss doggy's work she's working on an initiative, to have companies, adopt, um, these type of programs where they accept bug bounties and i had to mature those companies so, she has all sorts of stats i think it's like 60. Of vulnerabilities, that hackers identify, in a bug bounty type situation. Don't report it because maybe they were slightly out of scope or the company wasn't receptive or didn't have a, program whatsoever. And she she's a great person to work with and work through to, accomplish, that change whether it's at that company in particular. Or to try to disclose, response. Vulnerabilities, in a responsible, manner. Yeah and part of the issues with with bug bounty is that at least i'm i'm personally, saying. Um. Recently. Is that is that. Companies, are doing the bait and switch they say oh yeah if you find anything it's good to go just let us know, and then you come by and you're like hey check this out they're like nah that doesn't count.
Yeah And they're doing that a lot lately a lot oh that doesn't count okay don't look over there. Yeah, and and and so and then they take this information, and they they will typically, go back and they'll fix it, but they won't reward, the pin tester, that turn around and found it so there is a huge, swath, of the population. As far as as far as bug bounty, hunters, if you will, um, that, aren't doing it anymore it's just they're just like no because every time i turn a bug every time i show something they say it's it's not it doesn't count you're like it's specifically. Right here in your rule set that says, this is what you're looking for you're looking for cross-site scripting i've found cross-site scripting, oh yes but that's reflective. It's still, cross-site scripting what are you doing and then they don't pay them so yeah there's a lot of people and it's dangerous, to do that, they think they're going to get they're going to get free stuff and i guess they think that that hackers are dumb and it's the exact opposite, but, um. Lots of lots of companies have been doing that lately and it's it's. The wrong thing to do, yeah yeah it makes you look bad, so um i want to talk uh we're sort of sort of wrapping up here a little bit but um in terms of um. Hiring, people you know as red teamers are, part of your team and stuff can you sort of speak about some of the ethical and social issues that cyber security pros looking to get into red teaming. Need to keep in mind because i think this can be a very. Sort of exciting and glamorous, sounding thing and you do have that sort of like you know, once once we're go once we're in we're on our own and you know and and we got to take care you know whatever but, i've talked to enough red team leaders to know that none of them are terribly fond of loose cannons on their team either so what are what are some things that like potential, newcomers. Need to know so that they don't you know, go to sort of wild style on these on these sort of operations. You're you're there to do a job and just like, uh. Just like the people that you're testing you're supposed to have, rules, and you're supposed to have some sort of, you know sop, that you abide by, and, as a social engineer. The people that you want to go after are the ones that are going to bend or break the rules. You know well this is our policy. But. And then we've got them as soon as they break from policy, then you've got them and as, as, especially, as a physical pin tester you've got to stay. Within the policy, that you've got set forth through the rules of engagement, through the customer through your company. You can't break those, at all, um the other part of that is you have to be able to be a sociopath, with an on off switch.
This Is the simplest way that i can put it yeah um. And you you you walk, like literally it is it is our job to walk up to somebody. And manipulate. Them like there is no tomorrow. Um, and and you have to do it with an absolute, clear conscience, you can't feel bad about it, um and you've got to you've got to take advantage, of of that person's. Something that is innately, great, and wonderful, about that person. And twist it and use it as a weapon against them. To destroy, whatever it is that they've got in front of them in order to get get the goods right. But you've got to be able to turn that off too and and there is. If if anything, else that's the thing that you do not want on your team is the guy that can't turn it off or girl, that can't turn it off, that that's that's a huge, a huge thing because people will use their superpowers. Later, when they shouldn't be using them and you don't want those people on your team either you've got to be able to turn it on and off and you've got to be able to do it and look somebody in the eye and straight up lie to him and then, turn around and shut it off and go back to him and say, i'm sorry. You know, like this this i promise you this is for your own good and this is why and being able to sit down and have that conversation, but you got to stay with the rules of engagement, but i know justin has something else. Um, i i just say yeah it's up to uh red team leads to kind of identify, the personal dynamics, of their team and then for newcomers, to to just listen, and and be aware that, you know it's not ocean's 11, and you can't do active shooter threats or right hold the fire alarm i mean rules engagements sometimes there's a time and a place for it but typically not, um and destructive, entry things like that so it's really about, the team lead knowing the team dynamics, and getting a good feel for that candidate before he's brought out in a live exercise. Which is another great reason uh to the point we're making earlier going on in a in a blue team manner. And assessing, things in in that way then you can have somebody on site and see kind of how they, interact with customers, and what their thought process is so, yeah there should be a thorough vetting process, uh to it but at the same time don't want to limit it so much that we're not doing this type of work um, it's just like bug bounties, it's a really big issue, that you know on a global scale the united states is falling so far behind, because we can't do this type of work our, too much red tape and our hands are bound, that we're correctly. Losing, the the state of security in our country, okay can you talk about that a little bit what are what are some of the the red tape issues that are that are, a problem right now. Well i mean just going back to bug bounties, if people with 60, of them aren't disclosing, vulnerabilities. Right maybe they're taking that and selling that to. Other government agencies, or other malicious, entities that may use that for a nefarious, uh act instead of getting with the company, um and telling them hey here's your issue and this is how you can fix it and, that company comes back and says, one doesn't exist but two we're gonna sue you for showing that this existed but we're denying, it, um no nobody wins in that situation. Um so a lot of reform needs to take place and we're still again fighting that fight that's been going on for decades. Yeah and we've of course we've got the example. From iowa, right. If we want to pull from something we've got, you've got a bunch of legislation.
That Was passed from people who have. Who have no idea. About. Fintesting, or even red teaming for that matter and then they go out and they hire. A third party, which was a law firm, to give them advice, on it, so you've got people that have don't experience. Hiring somebody with less experience, than they have giving them advice on what they should do, about something that no one has any experience, on yep that's how they're passing laws. From a legal point of view which is like almost the exact opposite of a red team like you need to be able to bend the rules to find these vulnerabilities. I mean. You're not going to find out that you plant 500 pounds of explosives, near air force one, if you're trying to approach that in a legal, standpoint, right so, that's, realigning, those perceptions. Well this was a blast and i'm, i want to wrap up a little bit and, send you guys on your way but what are your your current, plans and activities, do you have any any projects, uh that you can, talk about at the moment. Um, yeah so. We're full scope testers, a lot of our work is virtual, and especially right now quarantine, everything else going on we're not really on site uh. Hopefully do have some fun engagements, coming up where we can do those whitelisted, walk through fiscal assessments, on school districts which would be a great time, to assess like five different schools, um, but yeah it's business it's normal the majority of our job is is virtual testing my job anyways, gary's in a little bit different role being a manager. Okay um, but yeah kind of kind of business as usual just on the virtual front. Yeah, we're actually, we're, starting to, make more of a push, uh, in kind of the. Um. Essential worker. Section right so things like things like like the banks and in, areas like that financial, where where they're going to be open and you've got employees, there is doing those white listed walkthroughs, and, trying to, trying to teach some of those essential workers some some anti. Anti-social. Engineering, techniques. Um. The the unfortunate, truth when you have a situation, kind of like we have with with, the ongoing, pandemic. Is, there's a lot of people that are out of work, which means there's a lot of people that haven't had money in a long time and then that translates, to a lot of people that are desperate. And and that's, that's a lot of what we do is mimicking, desperate, people.
And And. Do never confuse, desperate, with unintelligent. Um, you get you get some, some person who, hasn't had money for, you know or hasn't had a job for four or five months they've got a family they're trying to feed them and and you'd be amazed, at what they can find on youtube. You know, uh you can you can pretty much. Find find your way through youtube in and of itself. Uh especially, just with some of the stuff that that in and this is this isn't a knock on deviant whatsoever. Um or even drew porter, the some of the things that they have out there and the stuff that they say is brilliant stuff. But if a semi-intelligent. Person watches that, and practices, it at home. Because they're desperate enough to try to do something, dumb because they don't have any other choice, there's a lot of damage, that they can do so that's kind of the mindset that we're trying to taking right now is, is to teach people the techniques. Um, that somebody like that, might be able to do or accomplish. And showing them, number one how it starts up what to look for. And and how to defend against it. Uh so one last question here if people want to know more about either of you or about coal fire where can they go online. Yeah we are pretty active on twitter or linkedin, there is ancient ain, chance, um red team wins. Coalfire.com. And then if you want to get involved with the protecting, ethical hacker initiative i think that's coalfire.com. Protecting, attack ethical attack hackers. Um and that's how you can get signed up with that petition and then get involved in that work group okay could you talk about the petition a little bit, yeah so that came after our black cat talk um it's something that we're launching again to try to get those safe harbor or good samaritan, laws on the books so we're approaching. We're, really formulating, how we want to approach that, and right now it's looking um like we want to approach individual, states the state level to try to enact those types of changes. Federal level it can take three to five years to get you know the laws that we're looking to have past, um actually enacted, so. Uh yeah it's it's open to everybody if anybody has insight or you're just curious and why not want to hear kind of where things are are shaping up that's the place to be that's great all right well uh gary justin thank you so much today uh for joining me and and sharing your your thoughts and insights. Yeah thank you so much chris, do you mind if i give a shout out real quick to our our vp, mike weber, we've actually been, we've been doing these talks and we've been talking a lot about stuff and and the thing that we, i don't want us necessarily. Forgot but we did not mention. Um, was, our vp. Of labs, mike weber at the time right after we got arrested, he was, an amazing, advocate, for us within coal fire itself, he was moving mountains and he was yelling at people and he was trying to get stuff done for us. Internally. And, and unfortunately, that that part has never come up what, internally, was happening at coal fire after the arrest. We've never really had a chance to to bring up his name but yeah he was, he was amazing, and he fought for us and it was it was great and unfortunately, we've never been able to. Say thank you, yeah. Outwardly. So people knew what an amazing vp that mike weber was but, but yes thanks chris, you know appreciate, being able to. Say thanks for that great yeah shout out to mike that's awesome, and uh yeah thank you uh both for your time and and thank you all for listening and watching today, uh if you enjoyed today's video you can find many more on our youtube page just go to youtube.com.
And Type in, cyberwork, with infosec, to check out our collection of tutorials, interviews. And past webinars. You'd rather have us in your ears during your workday all of our videos are also available as audio podcasts, just search cyberwork, with infosec, in your podcast catcher of choice. Uh and if you are on one of the big ones itunes, stitcher, etc. A rating and review would be very appreciated. As mentioned in a video at the top of the show we want to hear from you about what you want to see more of on the show, so please go to www.2. That's. Www.numerl2.infosecinstitute.com. Survey. And you'll find a short set of questions about your listing habits and interests if you take the survey you'll be eligible to win that 100. Amazon gift card, that's. Www.infosycinstitute.com. Survey. Thank you once again to gary, der mercurio. And justin nguyen and thank you all again for watching and listening, we will speak to you next. Week. You.
2020-10-08