How to become a penetration tester

Chris Sienko: Cyber Work with Infosec has recently celebrated its 100th episode. Thank you to all of you that watch and listen and subscribe to both the audio podcast and our YouTube channel. We're so grateful to hear from all of you and we look forward to speaking with you more about all aspects of the cybersecurity industry. To celebrate this milestone, we have a very special offer for listeners of the podcast. We're giving 30 days of free training through our Infosec skills platform. Go to InfoSec institute.com/skills and sign up for an account or just click the link in the description below. While you're there, enter the coupon code cyberwork, one word all lowercase, c-y-b-e-r-w-o-r-k, when signing up and you will get your free access, you'll get 30 days of unlimited access to over 500 cybersecurity courses featuring cloud hosted cyber ranges, hands on projects, customizable certification, practice exams, skills assessments, and more. Again, check out the link in the description below and use the code cyberwork, c-y-b-e-r-w-o-r-k, to get your free month of cybersecurity training today. Thank you once again for listening and watching. Now let's get to the episode.

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. It's been a while since we talked about penetration testing and offense oriented network security on the show and I know that some of you have been asking for it, so today's your lucky day. On the show we have Dr. Wesley McGrew, the Director of Cyber Operations for Horne Cyber. We're going to talk about going on the offensive as a good defense, the current state of pen testing, and the raw work of reverse engineering malicious software and vulnerability testing. If you're looking for the type of job that gets you out on the cybersecurity battlefield and fighting the bad guys, you're going to want to give this episode your undivided attention.

Dr. Wesley McGrew is the author of penetration testing and forensics tools used by many practitioners. He is a frequent presenter at Def Con and Black Hat USA. At the National Forensics Training Center, he provided digital forensics training to law enforcement and wounded veterans. As an adjunct professor he designed a course he teaches on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. This effort was undertaken as part of earning National Security Agency CAE Cyber Ops certification for the university. He has presented his work on critical infrastructure security to the DHS joint working group on industrial control systems. Wesley earned his Ph.D. in computer science at Mississippi State University for his research in vulnerability analysis of SCADA HMI systems used in national critical infrastructure. He served as a research professor in MSU’s Department of Computer Science & Engineering and Distributed Analytics and Security Institute.

Wesley: No problem. I'm glad to be here.

Chris: So, I ask every guest how they got into computers and tech for the first time. So, I want to ask you that, but I really want to know how you got interested in pen testing forensics, reverse engineering, and the offense as defense school of security. What was the draw there?

Wesley: So, I've always been better at breaking things than anything else. And so I, as a child, I was always the one that took things apart and wanted to know how things worked and how to subvert things. I grew up learning how to, teaching myself how to code on Commodore 64 and early PCs and such. And actually I made sure it was in the frame, but in 92 I saw this maybe sneakers and that's the laser, this copy of it on my shelf back there.

Chris: How about that? Oh yes. And you change lives.

Wesley: And I was like, I want Robert Redford's job in that and either you go to your pen testers and that's, that's, that's what I set out to do.

Chris: That's funny. Like, I saw that movie at that time too, and I never made the jump to like, you could actually do that as a job. I think it's like you see a rock star and you're like, well, I couldn't actually get on stage, but it's like people do it all the time. So it's interesting that you were like, yes, this is for me.

Wesley: Right. So I went to school for computer science at Mississippi State and in grad school I helped out with developing the computer security program there, and some of the coursework, and some of the research programs there for that, and then used that as a springboard into a computer security work.

Chris: Hm, okay. So, you've been doing it for a while. Obviously you started in the Commodore 64 era. How has the practice of pen testing and computer forensics changed and evolved in 2020 versus when you first got involved? I imagine it's an order of magnitude more complex now, or is it, are you still basically doing the same things?

Wesley: Well, networks have gotten more complex. So the number of hosts are much greater in where before it used to be a very particular thing and to have computers controlling physical processes. It would be an industrial control system situation or in critical infrastructure situation. But I would say that most organizations have some cyber physical system, the HVAC and cameras and access controls for buildings and things like that. And so more and more as we compromise things on these complicated networks, we gain a physical presence inside the target organization through the things that we've compromised through microphones and cameras and ability to impact elements of the environment. And so I would think that, I would say that it hasn't gotten any harder or any easier, but it's more complicated and we, we have more people on our teams doing that. You could do it solo for a long time, but now you don't do a large network without it being a team.

Chris: Does it require more complexity of thought or more complexity of tools, or both?

Wesley: It requires a lot of the interesting management of resources, right? And so for each of our penetration testing engagements, we have four or five people per engagement. And it's important that we make sure that they don't duplicate effort and they each have specialties and say in ICS or in web application security or in network protocols or something like that. And so we got to make sure that they're working on the right things, even though they all have a breadth of experience to take a triage look at anything.

Chris: Right. Okay. So for listeners who are looking to break into the area in this particular sort of career field, especially in regards to building up their skill set, what are some types of jobs or study certs, labs, projects, or other tasks that you recommend to learn? The raw skills of pen testing, reverse engineering, vulnerability analysis, things like that?

Wesley: I think to identify vulnerabilities you can identify publicly known vulnerabilities easily. Most of the vulnerability information has a documentation on how to test for a specific vulnerability. To find new vulnerabilities, you need to learn how to code. You need to learn how networks work. You need to get a little bit of systems administration experience and that can be hands on. It can be in a home lab. There's lots of online capture the flags and virtual machines and things like that, but I really encourage people to get into this, to learn how to code burn networking protocols, TCP in all of that to really in depth the stand. Because when you're finding vulnerabilities in these systems, it's because you understand things at a lower level of abstraction in the people who developed it and you're exploiting their misunderstandings about that underlying system. And so it's important that you get a very low level knowledge of the systems that you're developing, for a more detailed knowledge that is.

Chris: Okay. Can you...that's a really interesting phrase. Can you break down the sort of notion of understanding the sort of errors of lower level people like that? Or I remember what exactly what you said but that sounded like something that that requires a little more, a little more unpacking.

Wesley: So, it's all about levels of abstraction. So if a general or non computer science person uses a computer they see it as they click on the start menu and they hit the word icon and that's their interface to the computer. How a computer works to them is by navigating menus and opening up programs and they have this model of how programs work and windows and things. If you're a developer, if you're just learning how to, to write code, say you're a C programmer and you are writing code based off of what you've learned in a book on C programming and it's teaching you about allocating memory for local variables or global variables or things like that. And it's giving you a model of how memory works under the scene, under the hood. How the compiler generates code that allocates memory. It doesn't exactly work like that. And that's why things like buffer overflows and memory corruption, that's what happened, is because the person who wrote the code doesn't understand how it's turned into a machine code, that the processor runs.

Chris: I see. So that's where a lot of the vulnerabilities come from is, is people who don't have that like cross technology or whatever.

Wesley: Right, and so, it works all the way down, right? So you're writing code to, if you're writing code at an assembly language level, the operating system is hiding off memory from you, from other processes and things like that. And so the lower and lower you go in that stack and understand it in a more detailed way, the better, and so I encourage people to learn, to pick up some reverse engineering to understand vulnerabilities better.

Chris: So if you were looking for someone, if you're looking at applications for people who would join your team, what are some absolute must have experiences or certs or degrees or just things that they've done that you would say, I have to have someone who at least knows how to do this, to join my team?

Wesley: Well, we recruit heavily from Mississippi state university and other cyber operations certified schools. And so that would, but we don't necessarily care if somebody has a degree or not, but it does help having that computer science background. Somebody who can write code, somebody who has some interest in reverse engineering and some interest in vulnerability analysis and has demonstrated that. Somebody who can write code or read code at least in multiple languages and be able to do both application security testing and vulnerability analysis on networks as well.

Chris: Okay. So I want to sort of talk about some of your, the various hats you wear and areas of interest that you have. So, to start with just making sure we're all on the same page, what do you mean by offense oriented network security? I mean it really sounds like there's something you want to get into if you are looking to bring the fight to the hackers.

Wesley: So there's two things going on here and both of them are interesting to talk about out. What we're talking about mostly when we talk about office oriented security is in identifying where to spend resources for security by taking an attacker's view of your network. And that's penetration testing, application security review, social engineering, all sorts of things. If there's, oh, a thousand vulnerabilities on a network, but only some small percentage of them are actually exportable in a real world threat model by real world attack or by taking a penetration testing or red teaming view of the networking, you can identify those vulnerabilities, remediate those, spend your resources there. It's easy to spend money in the wrong direction in security. You can spend a lot of money on things that are never going to happen.

The other side of that, what you're talking about is essentially what people refer to as hack back where you're going on the offensive against the actual attackers and the legal frameworks for that are not really in place right now though. There's been some bills introduced for that. And that's talking about hacking back into either of the attackers' command and control or their intermediate nodes in order to capture attribution data. And that's an interesting thing as well. It would involve some rollback of some of the more extreme or some of the more broad restrictions, the Computer Fraud and Abuse Act for people who are investigating computer crime.

Chris: Okay. Do you, I mean, do you see those laws changing anytime soon?

Wesley: I don't know that any of those bills will be successful. I was tracking one for a while, but I don't know where it went to be all, to be perfectly honest with you. It's interesting in InfoSec community about this is there's a lot of strong push back on hack back, but at the same time, there's lots of people in the community who have attack, command, and control and have taken a look at command and control servers and recovered data from those things and would probably appreciate some reduction in the scope of the Computer Fraud and Abuse Act for computer security professionals. So there's a balance there somewhere that we've got a phone.

Chris: Okay. So what, I guess you mentioned some of the penetration testing and red teaming and stuff, but what are the primary tools in your arsenal for offense oriented security? Well, we've got a custom build of Kali Linux that we use. So we've got all the normal tools that are in Kali Linux. They're in maps and your medic sports and, and all of the things that we can pull in from those repositories.

Wesley: The most important thing for us is that we deal with large networks. You know tens of thousands or hundreds of thousands of devices on the network. We need to be able to manage that. And so we have our own internal management system where individual pen testers in an engagement can check out areas of networks and checking them back in file reports on things. And there's really nothing like that in in the public domain that I know of that works on a large scale like that. But it's important that you have something like that and that you have a system for managing these large engagements.

Chris: Okay, so that's sort of like the umbrella that all the other sort of things work underneath it sounds like.

Wesley: Yeah, yeah. And it's a framework for it. And another thing that we have that's really important for us is they were able to reduce the amount of onsite time that we have of clients or even eliminated in some cases. We have our internal test by deploying an appliance that we've developed that not only, so many pen testing appliances allow Like a proxy, a socks proxy, or an SSH tunnel into the network. We have the ability to have a full VPN connection from our office into a client network through our penetration testing appliance, and so we can drop individual VMs onto client networks through that normal conductor testing. So you can do a lot more from where you're at. Yeah, it's a little more transparency and listen, there's not as much configuration with the tools. It's secure because as it's through an encrypted tunnel. Okay.

Chris: So, I'm sure it varies from client to client, but can you kind of walk me through like on average, like you, you get a new client, you have to either visit them in person or virtually like this. Like what, what are your sort of first steps in diagnosing their problems or setting up a pen test or setting up a system for deciding what needs to happen next?

Wesley: Well, we try to work with, and so this like red teeny and pin testing can be an adversarial thing, but it shouldn't be. Right. Our goal is to empower the client, to get the resources they need to make changes. And so we talk to them about what they're doing with security now. We talk to them about what their, what they would like to see out of a penetration test. Are they trying to get resources for a particular type of program? Are they trying to use it to improve things? We'd rather not be a "got you" against somebody. We'd rather not be hired by somebody to make their IT staff look bad. But we talk to them about scoping.

We talk about external ranges and internal ranges. We try to get a feel for anything in their environment that they own, that they, that they do not own things, that are third party or that we can't touch. We talk to them about sensitive systems that may have fallen over in previous pen tests under other vendors. So that we can have an idea of what we can do without causing a lot of operational disruption. And we just educate them about our process and about how we try to do this in a secure way that prevents it. We don't want to leave the network in a worse state than it was when we got there

Chris: Or make people feel, like you said make people feel bad about themselves or their lack of knowledge, right?

Wesley: Yeah, we talked about reporting and how, what that report's going to look like for them and who that's going to be, who's the target audience for that report. We talk to them about all that and then we start laying out emergency contacts and getting things shipped out and getting the engagement rolling. And then it's communication throughout the engagement. Usually with me and the client directly and I liaise, I'm the liaison for the team that's actually doing the engagement so that at any point they can, if they see some weird activity on their network, they can contact me. I can verify yes that was us or nope, that wasn't us, I think you've got something else going on.

Chris: We found something.

Wesley: Yeah. Accidentally. Yeah, we started talking to the guests about red teaming about a little under a year ago and it's funny how the sort of mythology of it sort of grew and then dissipated. Because like when it started, like there was all these, these rumors, like I think someone kidnapped a CEO like how far can you go? Can you break windows, can you blah, blah, blah, you know? But yeah, clearly this is all a consent based thing and obviously...

Chris: Yeah, we're not looking to ruin somebody's day.

Wesley: No, no, exactly. Or like because actual terror.

Chris: Right. So yeah. Okay. So yeah, so again, it sounds like it's very yeah, it's, it's aimed at education and then aimed at sort of consensual situation here. So that's very important.

Wesley: The goal is to identify the vulnerabilities that are most likely to be used by real attackers.

Chris: Right. And as you, you said that before, I wanted to sort of get back to that. What are some of the things, you said that a lot of people spend a lot of money protecting against things that are never going to happen. Can you give me some sort of key examples of that?

Wesley: Well, I mean, you can spend a lot of money on very nice firewalls and intrusion detection systems pointed towards the outside world, like measure, like looking at that traffic coming into your external IP address. But in reality you may have one external IP address that everything else is added through and nothing externally can make a direct connection anyways. You should be more concerned with individual hosts inside your network getting compromised through malware and phishing and other scams like that. Then once the attacker gets access to one of those internal nodes, being able to move laterally in a way that that external firewall intrusion detection sensor can't identify. And so you can spend a lot of money on that external without realizing that that's not how the attacker's going to come here.

Chris: Right. Do you do a lot with the sort of social engineering and phishing type things? Are you like dropping USBs in the parking lot and stuff like that?

Wesley: Yes, we have the capability of doing that sort of stuff and we'll do it on some engagements. Generally the thing is you can, you can run a social engineering engagement and do something like phishing and then, and you'll, the first time we do it with a client, we'll get, say a 20% hit rate of people submitting credentials, right? And so a really good pretext, we get like 20, 30%. We give them the report, we say, okay, we did this many people, 30% of bell for it. You need, our recommendation is did you do user education and awareness and all this sort of stuff, need anything? And then a year rolls around, we come back and we do it again on the new engagement and now it's dropped down to 10% and then the next time it's 5%.

But you never really get any better than 5%. It doesn't matter how, how much you train your users, right? There's going to be a good pretext. There's going to be somebody having a bad day. Everybody is going to fall for something at some point, right? And so the trick is, we tell our clients the trick is through social engineering, through zero day attacks, through the whatever, or pick any random node on your network. Assume it's compromised. If somebody has got control of that, are they limited to that or are they going to run the board on the rest of your net?

Chris: There you go.

Wesley: So we do social engineering and we test that out for their awareness and their kind of tracking. But in reality, we tell them to assume that it's going to work at some point. And so there's a limit to who it...

Chris: There you go.

Wesley:  ...to how useful it is.

Chris: So we talked about this a little bit before and I want to be a little deeper about this, but you, your background lists of special engagements, specializations. We're talking offensive network security, pen testing, vulnerability analysis, reverse engineering, computer forensics, traffic analysis. You know, it's all sort of a spectrum of related skills and tasks. But is it, is it common to have experience in all those areas or do a lot more people just specialize in one thing? Malware analysis or just pen testing?

Wesley: Well, I think that when you're on a working offense, you don't really have the luxury of picking what stuff your target, you don't have the luxury of picking your target often.

Chris: It's not like a surgeon where you're just dealing with veins. Like you kind of have to know everything.

Wesley: Yeah. You kind of have, if you're doing pen testing, red team, you kind of have to have at least a little bit of knowledge and a lot of things, right? And so we have people with specialties, right? We have folks that specialize in web application security. We have folks that specialize in windows post exploitation. We have folks like me that specialize in reverse engineering and first particular engagements. Those come into play more often than not, but all of us are able to do a little bit of all of it.

Chris: Okay. So, your specialty is reverse engineering out of all of those things?

Wesley: Yeah, I would say that's sort of the deepest dive part of it for me.

Chris: Okay. Can you talk a little bit about what that, what that kind of job is like? Because I don't think we've had anyone on here who had that as their specialty. And I know people would be interested in knowing like what's the day to day of working on malware like that.

Wesley: So for us the day to day for me for reverse engineering is in reverse engineering ransomware. We have a product called Threat Runner that provides our customers with de-weaponized ransomware that allows them to simulate and spread of ransomware on their network in order to see what the impact would be and see who has too much permission on the network. What are some things that are too connected here? And so I will look at ransomware variants as they come out to identify how they work, see if there's anything unique that needs to be worked into our modules.

We also do reverse engineering for the purposes of vulnerability analysis to identify how a compiled binary program works in order to find vulnerabilities in it are to find hidden functionality. And so that's sort of the day to day of it to get into that, you know I teach a reverse engineering course across the highway at Mississippi State University on occasion where we use the practical malware analysis, both Sikorsky and Honing wrote for no starch press as the textbook for that. And we, in teaching that it's a matter of, we teach, I teach it as a form of design recovery. So the software engineering process and reverse. So software engineering you have your requirements for a piece of software, you have the design for that software or that implements those requirements. You have the implementation, that's a code that implements that design. And then it's deployed in, in documented and things like that for normal software.

For malware, the deployment does not want you to know the design or the intent or the requirements. And so you have this chunk of code and you know nothing about other than it can run on a computer and probably screw it up. Right? And so you use static analysis and dynamic analysis techniques to recover the implementation details of it. And from that you can kind of gain some understanding of the design of it and then hopefully determine the requirements was what is the purpose of this piece of code? How does it do what it does? How do we detect it what are its capabilities? Who wrote it? That sort of stuff.

Chris: Okay. So, in general, what are some of the parts of your job that you love the most? And like what are the aspects that get you excited to start a new week? And conversely, are there any parts that you dread having to do, like reports or paperwork or other things?

Wesley: You know a lot of people don't like reporting, but we've really worked hard here on streamlining the report generation process. And since that report is what's delivered to the client is a deliverable it's important that it's right. And so I spend a lot of time working on the wording of those working on sort of the language we use and the way we present our findings, making it easy to read, make it an easy to read for a variety of audiences, C-suite, all the way to the technical folks, right? So, we have to demonstrate business impact. And I think it's interesting. And so I enjoy the report stuff a lot.

You know, what gets me interested is the managing process of this now. Having, being able to have four or five per engagement, very talented people on staff where I can sort of direct them and say, look over their shoulders and say, at any given moment, all of them finding different findings on networks and being able to troubleshoot problems and anything that they're having, technical issues that we're having with our infrastructure looking at, at things that we suspect to be vulnerable but haven't proven yet. That it's new puzzles every day. It's different things we see on networks every day that are interesting. And it's the, the most entertaining part of it is the success rate of finding vulnerabilities.

You know, we see so many networks and so many hosts that it's hard to say if there's anything that we haven't seen on a network yet. And so every time we see something new, it's interesting. So we for example, one day I looked over the shoulder of one of my team members, and he was at a basic prompt, like a computer basic, like basic programming, like 10 print, however old, 20th guaranteed 10 type things. And I'm like, what are you looking...? What is this? It was a serial to ethernet converter and the configuration for it and was implemented in the basic interpreter or something and said, I was like, well, coming from the Commodore 64 move aside kid, I've got that. I know what to do with this thing.

Chris: That's great. Yeah, you're on my turf now.

Wesley: You see new things every day and interesting vulnerabilities and things. And it's just an intellectual, intellectually rewarding.

Chris: Yeah. So I mean, you sort of are answering my next question here, but I know it sounds like you enjoy actually sort being, for lack of better word, the puppet master in terms of like directing other people. But a lot of times we speak to people who have become directors of their organizations or reached a certain point in their career chain. They find that the nuts and bolts of the thing that they like to do gets taken away and turns into days full of big picture projects, meetings with clients, top-down planning, allocation of projects to others. But it sounds like you sort of have found a balance there. How much hands on pen testing and vulnerability research do you get to do and how much you spend on these sort of macro tasks? And is that an acceptable balance to you?

Wesley: Well, I'm lucky I get to sort of define that myself. Right? And so I do enjoy the big picture stuff. And so I do mostly that, but I'm able to dip into the nuts and bolts of pen testing and vulnerability analysis and reverse engineering as much as I want to as well. And, it's important that I do that for my research and for presentations at conferences and things like that. It's important that that be new work. And so it's important to set aside a small percentage of time for research as well as management of engagements. And so that's just it's a time management thing and sometimes you have to state that and command that rather than waiting for somebody else to give you the time for it to give you permission for it. Right. You have to, you kind of have to take charge of that yourself.

Chris: You got to put your foot down. Yeah. So you're a frequent presenter at Def Con and Black hit, which are kind of national holidays for folks in our line of work. What are some of the more memorable events or presentations that you've done at these conferences recently?

Wesley: So, I wish somebody would tell me that it was a holiday. You end up doing a lot out.

Chris: A lot of work. Yeah.

Wesley: It's all, it's a lot of, so I do a lot of presentations. I've done a lot of training workshops and things like that out there and meetings and such. So I stay pretty busy. One thing I've really enjoyed out at Def Con is presenting, and at Black Hat is presenting some of the work that I've done on vulnerabilities and penetration testing processes. So it's operational security for pen testers and red teamers essentially. So the tools and processes and things that we use are no more secure than, and than the software that we're attacking often. And so looking at the communication, security, operational security of our engagements so that we're protecting our client's data in transit and in, in state when we're doing a pen test is important. And I've really enjoyed talking about vulnerabilities and pen testing software and hardware at those conferences. A little bit of a different thing. I've also, I've also done some reverse engineering workshops out there, Vegas, and that's always a lot of fun. And it's just, it's good to see everybody out there.

Chris: Yeah. I guess that's the holiday aspect of it is like the whole family gets together and hopefully you're not at the kids' table. So your bio notes that at the National Forensics Training Center, you provided digital forensics training to law enforcement and also wounded veterans. Can you tell me more about this? Is there, like first of all, with law enforcement, do you feel that law enforcement as a whole is using tools like computer forensics enough in useful situations? Or is it still seen sort of as a novelty or thing that not everyone does or gets to do?

Wesley: So when we were doing the training in this it was primarily with law enforcement that we, but we would also go to like Walter Reed hospital to do it for wounded veterans. And our focus was on just sort of the basics of computer forensics, the basics of computers in general, leading up to the point that somebody could at least do a search and seizure of computer evidence and imaging of computer evidence and then very basic investigation. And it turned out that what we taught was just enough to where most law enforcement that went through the training could do their own child pornography investigation on their own, right? And so giving an alert to their department about somebody sharing it on a peer to peer network, they could go out, serve the warrant, seize the equipment, image it, you know hash out all the files, identify the stuff that's known child porn, and put together the evidence into a case, give it to a prosecutor and present that.

And so that's what they mostly did with it. And so anything more complicated than that, they would be able to identify that it was more complicated and seek additional help. We would occasionally assist with law enforcement on some more complicated engagements in investigations. That was the main impact of that. It's been awhile and I think that law enforcement and at least at the state and local level, which is where we did our training, that's where they focus. Anything, the thing about the Computer Fraud and Abuse Act, anything hacking related or anything like that automatically starts crossing state lines and involving computers involved in interstate commerce or whatever. And that becomes sort of the FBI's thing and obviously they have a lot of capability there for investigating and prosecuting those crimes.

Chris: Okay. And the wounded vet project, part of that, was that sort of a skills retraining to enter the workforce?

Wesley: Yeah, so you get soldiers coming back from Iraq and Afghanistan with injuries and during their rehabilitation they would undergo this training so that they could then go into the private sector or go work for state or local law enforcement assisting out with these cases.

Chris: Oh, that's great. So we talked a lot on our show, it's a regular con topic here about the skills gap in many cybersecurity sectors. Is your area of expertise feeling that pinch as well?

Wesley: Well, we're lucky. Like I said we're right across the highway from the university and so we recruit heavily from there. We have managed to keep ourselves well-staffed for, for pen tests and application security testing and things like that. And it's just that, right? It's by a nods edge basically. And so it's hard to find people with these skill sets, but to me, when I talk to people about careers in cybersecurity, I tell them it's yours for the taking because of that. Right? If you can find the time and resources to skill up and in programming and reverse engineering and vulnerability analysis and pen testing and things like that. If you can find that time, if you're privileged enough to have that time you can, sort of make your way into it through that.

Chris: Do you have any thoughts on getting people interested and involved in this exciting field?

Wesley: I don't think... like it's an interesting field to work in. So I don't think interest is the problem. I think that it's the sort of the prerequisite knowledge and skills that have to be built up to get into it that's the issue.

Chris: Okay. So we mentioned a little bit about before about infrastructure, but we had a previous guest on the show, Emily Miller, talking about security issues with national infrastructure. And I noticed that you've presented your findings on critical infrastructure security. Can you sort of get me up to speed about the current state of this crucial security battlefield?

Wesley: So the work that I did was primarily focused on vulnerabilities found in the human machine interface portion of the software. And so like your touch screen control panels and things like that. The neat thing about hacking into those is when you get into something like that, you've got an operator's view of the network. You have some documentation there built in as to what does what the current state of that is still sort of a little bit...it's still kind of wild because you have all these control system networks that were assumed to be isolated or designed to be isolated. And then slowly over time life finds a way and they wind up getting connected to corporate networks in one way or the other or other organization networks, either for data logging for process improvement or billing or for remote access for maintenance vendors, things like that.

And so it's hard to assume the network is isolate. I mean, ask the folks who were running Natanz Enrichment Facility in Iran about isolating networks right? It turns out to be very difficult to really isolate the network. And so all the assumptions that were made about the isolation, these networks in new security and the protocol turn out to be not accurate. And so the vulnerabilities that you find in control system software and hardware are the sorts of things that you would find in mainstream IT hardware and software in the 90s, early 2000s. And it's because there haven't been as many people looking at those systems for vulnerabilities. And even there's a lot of interest in ICS security just doesn't see the same amount of hands on attack or hands on vulnerability analysis from security researchers as more mainstream software. And so it's a little bit behind because it's...

Chris: Just a resource issue or skills issue or...?

Wesley: It's an access issue, right? Mainstream it software, I can go download that and start banging away at it. If I want to play around with a PLC, I've got to find one, right? Yeah, I've got to buy an old one on the eBay or something like that, or spend a lot of money on one brand new. It's access to hardware and software as well. But I'm seeing a lot of research interest.

Chris: Do you have any sort of magic wand recommendations that you would sort of put in place to sort of tighten up infrastructure security?

Wesley: Well, I think that anybody who has some sort of control system network like that needs to engage in offense oriented testing with firms that are experienced in doing that for ICS networks or, and that have the capability of finding vulnerabilities that are not in public databases because that's a very small percentage of the vulnerabilities that are actually out there on these sorts of networks.

Chris: Would there be a benefit to someone creating a startup that just specialized in updating outdated systems like that?

Wesley: Possibly, yeah. I mean anything that can be done to it. The problem is if people hesitate to implement changes on their control system. Now it's so scary to do that because it's going to increase the potential for downtime. It's going to be an operational issue.

Chris: Right, or what if we made it worse?

Wesley: Yeah. What if we make the worse right?

Chris: So for our listeners feel overwhelmed by their choices and we talk about so many things today, what are some inexpensive or easy steps that they could start taking today that would get them on a path to working on in the realms of offensive security and fantastic.

Wesley: So to get into pens and into...?

Chris: Yeah, just I don't know where to start. What's a maybe like a real basic tutorial or a real YouTube or whatever. Like where do you sort of like get, where do you begin begin? There's no number 64s anymore, so.

Wesley: Getting a hold of the Cali Linux distribution, getting that going on a virtual machine, and getting into some of the capture the flags and VMs that are out there, the dam vulnerable web app and some of the other, Metasploitable, and things like that. Just to give yourself a target to shoot at basically just, just getting started with playing around with the tools in there and not just playing around with the attacks that are, that are there in Cali or Exploit DB or anything like that.

But look at the vulnerabilities and understand how the code in this particular PHP a web application made it vulnerable. Now try to find that kind of vulnerability in something else, right? Like start recognizing the patterns of vulnerabilities and find them to other code. And I think taking an interest in reading the exploits instead of just launching them is probably important.

Chris: Okay. So as we wrap up today where do you see the task of offensive security going in the next five or 10 years? Are there things on the horizon that are exciting to you?

Wesley: Well, I think that networks are going to continue to get more complicated and more complex, more nodes, more interactivity, more to do on these things. And so it's going to be more and more important that for security reasons that you have that sort of attacker's view. Because again, there's going to be a lot of things to be worried about and worry about securing and when you're really should be more focused on what the attackers are really going to use.

I think in offensive security especially, I think we've got to move from just giving them a list of vulnerabilities into some more analysis, network-wide of these things. And so we talk about having security analysts and things like that, but we never really defined what analysis means. And the idea is that with so many tens of thousands of nodes or or whatever on a network, you're generating a lot of data. Our database of findings and search scan results and things like that are very large per client. The question is how can analysis be used to generate a report off of that that gives them some actual information on not just where their vulnerabilities are, but where they're likely to have vulnerabilities, right? This part of your network is very complicated and maybe one person at organization understands it, right? And so that's something you should be concerned about. And so it's not a fix for a vulnerability that maybe you need better documentation there so that everybody understands it a little bit better.

Chris: Do you have a sense of people are starting to sort of do their training and sort of get involved now, are there skills that they should be sort of learning now that are going to be sort of coming to the fore in five years, 10 years?

Wesley: Just having that sort of low level knowledge. Like if everybody's learning how to program in Python you need to know how the Python interpreter works. Everybody's programming in C, you need know how the compiler generates code from that. What I would say, look at whatever's being implemented. And so a couple of years ago I did a talk at Def Con on Docker security, looking at just how are people creating Docker applications made out of multiple containers and how they communicate with each other. If you're going to attack a Docker application and anything, learn how Docker works, learn how the networks are implemented on the back end of that, learn how has VMs or those containers rather can talk to each other. Wherever you see the trends going in development, start looking at that, how those technologies are implemented so that you can understand it better than the people writing the code for it.

Chris: Okay. So let's wrap up and tell us about Horne Cyber. What does your company do your primary products and your statement of purpose?

Wesley: So Horne Cyber's primary focuses on this offense oriented security the penetration testing, red teaming, application security testing, vulnerability analysis, that sort of stuff. We also provide a cybersecurity sock as a service, and so we'll do network monitoring for some of our clients through that service. Our first product that we've, we've developed and put out there is Threat Runner, which is our ransomware simulation product that sort of embodies some of that reverse engineering knowledge of the various ransomware variants. Giving you the ability to run those on your network in order to see what the impact would be like what systems is it going to spread to, what files, is it going to encrypt, how fast can it do it, that sort of thing. This particular user has access to tons of shares they have no business accessing. So if they get hit by ransomware, then everything gets on very quickly. And so it gives you a little bit of a view on that. And so that's the product. But the primary focus is on that offense oriented security.

Chris: Hmm. Okay. And if our listeners want to know more about Wesley McGrew and Horne Cyber, where can they go online?

Wesley: So Horne Cyber, H O, R, N, E, C, Y, B, E, R .com. Also, it's on Twitter. It's Horne, Cyber Threat Runner is on Twitter. And also my Twitter is @McGrewsecurity and lots of interesting insights there.

Chris: Very good. We'll have you all, everybody go follow him. Wes, Thank you so much for your time today. This was really fascinating.

Wesley: No problem. It was a pleasure.

Chris: And thank you all for listening and watching today. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And right now we are offering a free month of our Infosec skills platform. So just go to Infosec institute.com/skills and sign up for an account like you normally would and in the coupon line type "cyberwork", all one word, all small letters, no spaces for your free month. Thank you once again to Dr. Wesley McGrew and thank you all again for watching and listening. We will speak to you next week.