Jan 7th 2018 by BrandonMohan • 27 Questions • 180 Points
I am an infosec professional and "red teamer" who together with a crack team of specialists are hired to break into offices and company networks using any legal means possible and steal corporate secrets. We perform the worst case scenarios for companies using combinations of low-tech and high-tech attacks in order to see how the target company responds and how well their security is doing.
That means physically breaking into buildings, performing phishing against CEO and other C-level staff, breaking into offices, planting networked rogue devices, getting into databases, ATMs and other interesting places depending on what is agreed upon with the customer. So far we have had 100% success rate and with the work we are doing are able to help companies in improving their security by giving advice and recommendations. That also includes raising awareness on a personal level photographing people in public places exposing their access cards.
AMA relating to real penetration testing and on how to get started. Here is already some basic advice in list and podcast form for anyone looking to get into infosec and ethical hacking for a living: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/
Proof is here
Thanks for reading
EDIT: Past 6 PM here in Copenhagen and time to go home. Thank you all for your questions so far, I had a blast answering them! I'll see if I can answer some more questions later tonight if possible.
EDIT2: Signing off now. Thanks again and stay safe out there!
The best part of the video for me is when the singer is playing the crowd and you start slowly building a drum roll. Is that something they do regularly, or was that improvised?
How effective are the interventions, and in your opinion does the presence of cameras and being shown on TV seem to help, hinder, or have no effect on the addict's willingness to work on breaking their addiction?
In percentages, how much of your work is hacking in the old sense, like reverse engineering, digital tampering and usurping some kind of computer or other electronic gadget? How much is social engineering, role playing and in general would not need a keyboard?
The build up is something they have been doing since the Day and Age tour, it's just something I practiced while learning their live rendition.
80-90% of people involved in interventions go to rehab the day of, so pretty successful. It depends on how strong the family is in order for the addict to stay in treatment and stay sober after treatment.
Information gathering, pretexting and recon usually (there are exceptions) take up 3/4 of the time spent on a job. Actual time on the customer network itself is usually only a few days compared to the many weeks of preparing phishing and social engineering scenarios because we will already know where the systems are we have to access and already have gathered so many credentials to be able to access them. Most time spent after that is actually finding the target data we are after versus what user accounts and roles give access to what. Good question.
Have you ever gotten in trouble with the law? I mean as in, the police got involved before you could pull out whatever papers allowed you to break in etc?
I went to the back of General Admission to enjoy the rest of the show. Ted Sablay (the touring guitarist) messaged me afterwards saying "Way to go tonight!"
I wasn't nervous while I was on the stage. Once I sat on that kit and had all those wonderful people cheering my name I felt comfortable. Surprisingly, I only felt nervous before I held up the sign.
What is some of the craziest shit you've done while breaking into buildings?
Well I can confirm that it wasn't pre-planned and I felt like crying afterwards. Rocking out with The Killers distracted me from crying on stage haha.
Anyone that is asked to come in and intervene on someone, it’s that bad. If there’s a question at all, it’s that bad. It’s difficult to select who to intervene, because so many people need this help.
There are a lot of examples that come to mind. If I had to pick a few: breaking into an ATM in the middle of a mall while hundreds of people pass you doing their shopping (and not caring because you are wearing the ultimate cyber weapon: a fluorescent vest). Walking through the basements of a dark data center of a financial institution after business hours and almost getting locked in. Replaying an employee's fingerprints on fingerprint access control readers using toilet paper. I'm sure there is more stuff that I am forgetting but those are the first things that come to mind.
Have you ever seen the show White Collar? If so, what are your thoughts on any of the cons on that show? Your story had me thinking of the ep where Neal/the FBI break into a bank to demonstrate weak points in its security.
I would love to tackle Green Day's "Jesus of Suburbia"
So a white hat hacker? Also what's the easiest way you've broken in?
What was the size of your red team when you started? Do you have a team that competes in CTF events?
Ronnie is for sure a Dancer haha
For me it’s knowing that recovery is a process, and even though I have over 28 years sober, I still have to work a program and do things myself. There is no destination, recovery is a process.
A red team assigned to a job usually consists of 3 to 4 people depending on the skill sets that are required with 2 people being on the job on a constant basis over a period of a few months in order to ensure realistic results and responses from the target company. We sometimes compete in CTF events if we have time.
What does your hacking kit look like? Could you list some (or even your favorite) tools you're using in your daily job/life?
The few times I glanced over he was cheering me on "Yeah! Yeah! Yeah!"
How did you learn to do everything including experiences and education history?
I’m a Department Manager under the Loblaws banner by day, guerrilla filmmaking drummer by night!
Love the show and the amazing results it seems to produce! Are you close with the other interventionists? Any memorable experiences with Jeff/Candy/etc? Thanks!
This sounds like a dream job. When it comes to legal means in attacking networks, are there any tools or methods that are actually illegal?
Yes! I love seeing them and Donna as well. As you can see we run into each other at different events. Candi and I just did a video together that we posted on the Intervention Facebook page.
If you think this is a dream job, we are hiring: https://www.f-secure.com/en/web/about_global/careers/job-openings
What does it mean that this season's participants are “interconnected”?
Sorry if this already got asked, but what’s your opinion on shows like Mr Robot? If you watch it, how possible is a scenario like that? Do you feel like the show addresses all parameters required to pull off a hack of that scale?
Normally, we fly all over the country and intervene on individuals, but this season they will be all connected by living in the same community.
Mr Robot is being praised for its realistic portrayal of hacker tools and attacks and it is indeed a fun show in how they show how simple it can be to compromise something. They get the occasional thing wrong and I always find it refreshing to hear Sam Esmail and team talk about how they actually fix the things they got wrong afterwards. But it is and remains a show. I don't think we are going to see anyone trying to melt backup tapes anytime soon but I like the cyberpunk aspect to it ;)
How do you feel about contractors' contracts significantly limiting your attack surface?
We usually get in pretending to be the contractors themselves.
How do I protect myself as a normal user best from cyber attacks?
I read that you are from Belgium. As a Belgian Computer Science student who is also interested in (Software) Security, is there any University in Belgium that you recommend for getting my Masters?
I am no longer living in Belgium I'm afraid and my school days are long over. It all depends on your interests and what it is you want to do with information security.
What are the books that you would recommend to people who are already into hacking and who would like to acquire more knowledge on different hacking techniques as well as the way of thinking?
It kind of depends what domains you want to get better at. Most of the skills that are required are expert sysadmin skills, being able to program and script things together and having a solid understanding on how the technology works. But, also understanding what the caveats are of that technology being used in an organisation and how it can be used against that organisation. And for that you need to know what the daily tasks are of a sysadmin, network administrator, developer and deployment environments, how code gets distributed from the IDE to the production environment, how email environments work, etc. Basically how a company works and how it functions.
Rather than going the "hacking exposed" and other book series way which are more tool related and which will not help you in understanding, I am a big proponent of playing war games or hacker challenges. Learning by doing and getting your hands dirty on your own lab, writing your own tools and code is going to be the most productive for you to learn new things. But from a pure technical side I always recommend the following books as a bare minimum:
- The art of software security assessment
- Exploiting software and how to break code
- The tangled web
- O'Reilly's Network security assessment - latest edition
- The web application's hackers handbook
- The browser hackers handbook
- Mobile application hacker's handbook
- Grayhat Python
- <Any book on your favorite operating system>
- <Any book on your favorite programming language>
- <Any book on TCP/IP>
- <Any book on ITIL and IT processes and procedures>
- All the books I forgot for which you are all facepalming right now
What are your favourite ‘war games’ and ‘hacker challenges’ ? From a 2nd year comp sci student looking to go into security!
Try http://overthewire.org and http://cryptopals.com and get involved with their communities. Look for any kind of challenge be it system or network based. SANS.org usually has a recurring hacker challenge e.g. their holiday challenge, as do the major conferences which they archive for later download and replay. As far as originality I like http://www.pwnadventure.com a lot.
Are there any programming languages that are better to learn specifically for ethical hacking?
If I had to pick two, Python and PowerShell will help you the most, in no particular order.
Is protocol fuzzing something you leverage in your approach? How common is fuzzing in hacker community?
Red teaming seems to be a method of finding the weakest security links possible, but what about slightly more difficult vulnerabilities that you don't attempt to find bc they take too long to discover or you just miss them? Do you suggest more significant security program change within an organization after you exploit the low hanging fruit?
Fuzzing is more useful if you want to find vulnerabilities in a certain piece of technology. It is extremely rare we use fuzzing as part of a red team test but it has happened that we were able to fingerprint what software a company was using as part of their daily tasks, find vulnerabilities in it and then exploit those in a way that advances us towards our objective.
There will always be things that we do not find as part of a red team. We only need to find one way in. If a customer is interested in finding as many vulnerabilities as possible in a given solution, technology or process then we can offer that service to them as well but it kind of goes beyond what a red team is trying to achieve. Which is to test the resilience and monitoring capabilities of an organisation against a targeted attack where the attacker picks the attacks, not the defender. Once the detection mechanisms reach a certain maturity and most low hanging fruit is found, then and only then as part of an iterative process can more controls and processes be introduced.
Do you enjoy your job? I work server administration and I find myself disliking it more and more every day. I would rather be breaking in than patching holes constantly it seems. I would like to learn more hacking. Do you have any educational sources you recommend?
I do - because I get to use my own creativity in order to see how far I can push a scenario that might result in compromise and use/develop some custom tools and techniques along the way.
What's an invaluable piece of equipment we wouldn't think of?
Physical access to equipment grants you an open door to the entire system...that is easy
Has the government ever used your services? DoD, NSA, etc. Places where if you are caught attempting entry you’ll meet a 556/762 or 9 round...
Without physical access, what is your success rate?
Then, also...what industry typically has the best hardening?
I am based in Europe so we do not deal with DoD or NSA etc. For places where physical entry is very difficult we try to get as close to the target as possible. That means dropping USB thumb drives on the parking lot or just sending employees backdoored USB gadgets using postal mail with a thank you letter for their attendance to <conference they went to last week and made a big thing about on LinkedIn>. That can also include phone or email phishing to entice employees to give us their credentials so we can re-use them to log on to their services such as VPN end-points, web portals, etc. As far as the success rate of physical access, it is very hard to put a number on that but on average 4 out of 5 companies can be compromised with a physical premises access attack as the initial breach. Although we do not stop there and try the other methods as well e.g. phishing, wifi "evil twin" setups etc