[00:00:00] CS: Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? Well, try this: go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It’s got in-depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.
Today on Cyber Work, Cyberis’ Matt Lorentzen joins me to talk about all things pen testing, red teaming, the changing roles that red teaming has, and fine tuning and interrogating modern security, and why you don’t have to stop doing the fun stuff even when you climb the career ladder. This episode is really inspiring, folks, so don’t miss today’s episode of Cyber Work.
[00:01:20] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different cybersecurity thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.
Our guest today, Matt Lorentzen has over 20 years IT industry experience and has built his skills from the ground up. He is a self-confessed geek and a principal consultant at Cyberis, where he delivers red teaming and pen testing to a broad range of clients and sectors as a CREST simulated tech specialist. Matt’s early consultancy experience comes from running his own IT consultancy company, delivering network infrastructure projects to commercial and education clients. He has presented at many conferences, released several open-source tools, focused on lab and technical skills development, and is always enthusiastic about the role. I heard about Matt and we’ll get into a little bit of how this all came together. But yeah, I just want to talk about – we’re going to be talking about red teaming, intelligent pen testing and whatever else comes up. Matt, thanks for joining me today. Welcome to Cyber Work.
[00:02:31] ML: Thank you very much for being here.
[00:02:33] CS: So I want to start out like we do with all our guests, with your origin story. You described yourself in your bio as a self-confessed geek. What was your initial – when did you first get interested in computers and tech? What was the original spark of inspiration? Because I know, going all the way back to grammar school, you were doing network management. It must have been pretty early, right?
[00:02:58] ML: Yeah. I think I’ve always been around computers. I mean, my parents bought me an Amstrad 464 when I was quite young, the old tape drive and stuff.
[00:03:07] CS: Absolutely.
[00:03:08] ML: I was messing around with BASIC a little bit and trying to make sort of text-based game, where you’d ask a question and that sort of stuff. It kind of started there, but a lot of my hobbies orientate around computers as well. So I’m very much into graphics, and music and things. Everything always seems to stem back to using a computer in one way or another. I’m just fascinated by them. I just think that they are incredible tools for so many different outlets. That’s just kind of never stopped, really. I’m really interested in how things work. I like to try and understand things. I like to sort of push my levels of learning. So yeah, I think it was always going to be computers for me, for sure.
[00:03:51] CS: Yeah. I always feel like when I look through our guest’s LinkedIn career histories beforehand to get some clues. Looking at your career highlights, it’s pretty clear sort of where your proclivities lie. But one job title, especially comes up several times, both in your current role and past role. You described yourself as security consultant. When you ran Lorentzen Ltd from 2016 to 2013, your primary client base was IT consultancy. I think most listeners to the show understand the concept of a consultant, especially with a contrast with a full-time employee. You’re going from company to company and taking care of things for them. But what for example does it mean to be a senior and then primary security consultant for Trustwave SpiderLabs? What does that type of consultancy work entail?
[00:04:45] ML: There’s obviously brackets of role definition. When I initially joined SpiderLabs, I joined as a senior consultant. I think it’s a more business-friendly term than a hacker or – those sorts of things aren’t particularly useful for people to understand what it is you actually do. Ultimately, it’s all consultancy for me. We’re trying to solve problems for people. They’re looking for support in whatever challenges, or goals they have in procuring your services. The definition between a senior, and a principal, in terms of my experience was, once you get to a principal level, there’s more requirements for you to look at the wider business and how you can have improvement of product lines, bringing other team members on.
I wouldn’t say necessarily that your technical responsibilities changed at all, but you do fulfill more of a mentoring role, and you’re very much seen as, “Okay. Well, what are we doing now? How can we do it? How can we do it better?” Taking some ownership of some of that development. Maybe there’s tooling gaps. That was my experience, certainly, within SpiderLabs, getting more involved in the European part of the company, which is where I was based, and how I could have a better influence over the overall, that part of the business essentially.
[00:06:10] CS: Okay. That definitely helps. I’m trying to sort of imagine this kind of hierarchy within sort of the pen testing, red teaming space here. If you’re a hacker, pen tester, red teamer, you’re just doing the job that’s in front of you. And you might think, well, the part where you take charge of it would be manager, but then you’re – the level up is that you’re just managing the pen testers to do their job correctly. Am I right in thinking that the consultancy aspect of it sort of pertains to you’re doing more of the problem solving and the decision making? Am I getting that right?
[00:06:46] ML: Yeah, kind of. I mean, it’s all still very technical. I mean, all of my roles have been very hands on. It was obviously a natural career progression there, moving from like a senior level position into a principal, which in terms of a career track, that was sort of a top level to aim for, for me in my current roles. That allowed me to maybe have more control over how we do things like, I was the [inaudible 00:07:10] red team lead as an example. So part of my responsibility was to determine, well, how would we conduct these. I still very much was the person hands on keyboard doing the actual activity, but trying to understand how we could control things more easily and maybe how we wanted to approach reporting. It kind of gave me a more position of influence in the overall end product and how we interface with those customers.
[00:07:39] CS: Where maybe like a pen test manager would be managing other pen testers, a pen test consultant would be managing the process of the pen test.
[00:07:39] ML: Yeah, exactly. I mean, managing pen testers is quite a challenge. I don’t know what the role is on that. I don’t know [inaudible 00:07:54] day to day.
[00:07:58] CS: We’ve had so many pen testers and red teamers in here. The day that one said, “If you’re not getting arrested, at least once in a while, you’re not going hard enough.” I was like, “Ooh, these are different. These people are on a different level.” Anyway, to that end, well, I mean, that brings up a side question, but it feathers nicely to my next question. Which previously, about a year ago, we had a previous guest from Cyberis, your colleague, Gemma Moore, who similarly had a vast knowledge of and passion for all things pen testing. Going way back, we talked about what pen testing looked like in 2004-ish and stuff like that. It was a lot of fun. Can you talk specifically about your love of penetration testing, red team operations, and all the processes that go along with that. I mean, it’s rare that we get someone in your position, who sticks with the get your hands dirty work of pen testing for so long. I want to kind of dig into what keeps you going at it.
[00:08:53] ML: I love it. It’s great. I mean, I love the technical challenge. I think I speak to people and saying that if you’re not that sort of person that doesn’t like chasing the carrot, but never actually get to the carrot, you’re probably choosing the wrong job. For me, very much, it’s a vocation. It’s a vocational role. I love that learning new things, new technical challenges, understanding. Things change so quickly. I mean, I found that throughout my career that you can’t be stale, really, like approaches change. I mean, I could see that even in my business days, that kind of deploying, and setting up things for people like buying tin and deploying those on sites.
Those days were numbered, because people were starting to adopt cloud approaches even way back then. You can see, “Well, if people don’t need me to come on site anymore and set up a server for them, then what will they need next? Where is everything going?” I think I’m pretty good at thinking about that in terms of my career. I mean, I feel very much that my career is the only thing that I actually truly own and I can direct it in the right direction. If there are skills I think I need to learn, then I can take that opportunity to gain those skills and sort of build myself up. I mean, that’s why I said to kind of build myself from the ground up. Because I think there’s a lot of opportunities for that out there. Collecting vendor certifications, and really understanding the types of platforms that we see. You can arm yourself with that knowledge. I think that’s great. I mean, I love it. I mean, it’s just a great job.
[00:10:30] CS: Well, I like that. Your answer sort of popcorned four more sort of observations into my head. But one of the things that we talked about, I talked to a lot of CISOs, and CEOs and owners of companies. There’s a fairly consistent through line of people who got into this line of business, because they liked to get your hands dirty, get into the scrum and really like go with it. But then there’s also that sort of feeling that, well, fun time is over. Now, you have to be a manager, now you have to interface with clients. Some of them are like, “I like that better” and others are like, “Well, I do what I can to keep my hand in the space, but it’s just not possible to me.”
Looking at your guitars back there, I feel like there’s a split between the idea in the 50s of like, well, once you grow up and have a family, playtime is over. You don’t get to do the fun things and it’s not a viable career anymore. But I think our listeners are going to want to hear from people like you, Matt, because I think – there’s a false binary there. You don’t really need to be – like the only path up is not manager. Like you said, you can offer a lot of value to your company by not just being client-facing, or manager facing. You can still be the person who’s learning, as you said, learning new tools, learning new processes, learning new technologies, and hopefully, companies continue to understand that.
[00:12:04] ML: Don’t get me wrong. My role is massively client-facing. I mean, that’s what I do day to day, that’s where the consultancy piece comes in. I deal with customers all the time. I’m involved in some sales processes within our company as an example. I mean, there’s always that customer interaction. I just don’t see that in my career. I’m 45 now. Will I be a pen tester in another 10 years’ time? Who knows? Who knows what the path will look like? But I do know, I think I can state quite categorically that it will always have a technical slant. I will always be technically orientated. Whether that’s a technical lead, or that’s bringing other people on. That’s very much part of the fabric of who I am.
Much like the guitar, some of those guitars are like 35 years old. I’ve started playing and I’ve just never stopped. I think that’s one of the things that I do quite well. Once I pick something up, I don’t kind of then stop doing it. There’s always more to discover.
[00:13:04] CS: Always things to add.
[00:13:04] ML: And layers, and then you kind of go through this sort of circle of learning where you start off, and you’re very primitive, and then you kind of get some understanding, and then you build some technical skill around that. Then you can become quite creative with those abilities. But then, all of a sudden, you discover something new, and then that kind of starts the whole cycle around again. I really love that constant evolution of what I’m doing, particularly in my role, and yeah, that’s something I strive for.
[00:13:37] CS: Absolutely. Again. Yeah, I understand that. Definitely sort of client interfaces is a big part of your job as well. But I think also, a point to be made that we don’t always hear on the show or in talks about careers is that, if you’re sort of – as you said, your career is the one thing that you own. If you make your career the work that you want to do, I think when you hear people say, “Well, I don’t want to be a manager, necessarily, but that’s just the next step on the list.” I think there’s a difference between being carried along by your career and actively putting the input into your career and saying, “No, no. I don’t want to do this thing only. I still have these things to offer.” Whether it’s this company or the next one you go to, you can be very sort of aggressively forward about what you want to contribute, and what would make you happy. It’s good to see that people are starting to sort of understand that in the space as well.
[00:14:37] ML: Yeah. I mean, those skills are yours to maintain. I mean, there’s that use it or lose it mentality. I appreciate as you get further up at any career track, not just InfoSec. That balance is right. I’ve got young family. It’s difficult to continue finding the time for that. But I think the one thing that you cannot lose in this is like enthusiasm and passion for it. For me, it doesn’t feel like work if I’m tapping away on a Friday night on my laptop while my wife was watching something on the telly. That’s absolutely fine. That’s how I choose to use my time. I don’t see that as a difficult investment. But there is a balance to be struck as well, because I think you have to be very clear what you want to achieve. I mean, it’s not possible for me to say I want to learn every aspect of all of what InfoSec has become now, because it’s just too vast. So you know, you need to focus your attention on where those things are most important to you. For me, it always comes back to infrastructure and the evolution of infrastructure. That’s kind of where Red Teaming fits into that space quite nicely. But at heart, I’m a sysadmin. That’s kind of how I started my career and I’ve just built on from there, really.
[00:15:52] CS: Love it. Matt, when you were introduced to me. One phrase that you discussed as a possible area of conversation that intrigued me was intelligence-led penetration testing. I hadn’t heard it described that way before. But when you explained it, like it made sense. So you said, “Intelligence led pen testing is red teaming.” But the term tries to underline that these activities are guided by real world threat intelligence, about the types of attacks that are current against various sectors. This then allows the focus on introducing these techniques into delivery to determine where the threshold of possible detection could be. Most regulatory schemes for red teaming globally have an element of threat intelligence as a basis for the engagement. This was intriguing to me, but I’m hoping you can explain it a little further. If I’m hearing you right, this particular method for red teaming isn’t just about the sort of getting in by any means possible. But by using the frame of Red Team operations as a way to test specific types of attacks come into the industry or business that you’re working with, and seeing where exactly these tailored threats get in. Am I reading that correctly?
[00:16:56] ML: Yeah. I can speak, I’ve worked globally, and you see this a lot. I’ve worked a lot in Asia, and obviously, a lot in Europe and the UK, and we have these regulatory frameworks set by things like the Bank of England, CBEST framework, or the government, GBEST systems, GBEST framework. Essentially, what that looks at is the types of common attacks that are occurring against these organizations, and the types of tactics and procedures that these attackers are actually using. The purpose of Red Teaming is really to determine where that threshold of detection is. It’s great. I’ve been on red teams where people have been very open and said, “We just want to see what you can do, whether you can get in and what you can get to.” Those types of engagements are great.
Other people are like, “These are the things that we’re so concerned about.” Certain things are in scope, and you definitely get this a lot with regulatory processes, frameworks, where there are certain things you have to demonstrate access to. In some examples, people actually want you to emulate the types of attacks that people are seeing. For example, maybe historically, phishing kind of evolved into people using ISOs, as an example. Word documents were gone, ISOs were much more difficult to detect. They removed some of the metadata from the file. That’s a specific example of things that threat actors were using to gain access to environments. So a customer would say, “Well, I’m specifically interested in whether we can detect those types of attacks as an initial point of entry.”
Ultimately, it’s up to us to determine the best possible approach. But it is about finding out where that detection threshold is. Sometimes that kind of get in at all cost and get in, get out before anybody sees you. They’re good, but they provide minimal value to the customer if that’s happened very quickly, and it’s quite easy to achieve. Because where do you start with that if you can achieve your objectives. So what we like to do is we focus on initially achieving our objectives, and then we have conversations with the customer around, “Okay. Well, let’s ramp up the noise a little bit. We haven’t been seen. We haven’t been detected. Essentially, it’s mission accomplished. Let’s find out what we can do to actually determine where that threshold is. Can we get caught?” I think it was Raphael Mudge, the creator of Cobalt Strike.
I watched a video of his, where he was very passionate about, it should be hacking to get caught. The idea is, where is that? That kind of really resonated with me as an approach, because ultimately, it’s not really about me. It’s about kind of understanding where that threshold of detection is for a customer. I think that’s why purple teaming has become so much more popular, because at least it’s collaborative, and you can kind of see where that threshold actually is.
[00:19:51] CS: I think that’s something that never quite set right with me when I would hear – when I first started learning about red teaming, was that it does have this sort of like blue – I got a blue ribbon at the farm competition for having the best fence. No sheep can get through this or whatever.
[00:20:14] ML: That’s not true, though, is it? Because in reality, there’s always a route through. I mean, the problem with red teaming is it becomes very focused on an external entity trying to get access internally. But really, the conversation should be, “Well, there’s numerous routes that somebody can become embedded in an organization. Go and get a job. Now you’re part of that.” The threat model has to be keyed. I think that’s kind of where we, as a company, placed a lot of importance on that initial access factor. Should an attacker be successful, then what? That’s always a good place to start, then what, because that’s essentially going to be the starting point for whatever good or bad will happen. Sometimes, we de-chain, and we start from that initial point of access. Other times, customers or regulatory frameworks mandate that, phishing is a part of that.
I think you just have to be mindful of what you want to achieve, what the goals are of the overall. Because these are truncated timelines. They’re not indefinite timelines. They’re not fully realistic of real world, because we’re not criminals. We’re bound by scope, and there’s certain things that we can do, and there’s certain things that we have to consider. So yeah, I think that kind of intelligence piece is important in terms of trying to identify the types of threats that you’re emulating.
[00:21:38] CS: Well, this felt like a new enough spin to red teaming. Is this type of intelligence-driven pen testing common? Or is this kind of a new way of thinking about the red team, blue team paradigm? Because like I said, I feel like I had this piece of the sort of the strata of – you do pen testing first to make sure that the guts of your machine are tightened right, and then you do red teaming to make sure that no one can get in. But I literally don’t think I’ve ever heard of someone saying, “You, red team, do these specific goals, not just the sort of big game of cyber paintball.”
[00:22:18] ML: Yeah, it’s certainly common, as I said in regulatory framework. Examples of that would be, “Well, threat actors.” For banks, for example, if you do any of the CBEST work, either in Europe or Asia. Specifically, obviously, people are attacking them to try and get access to money. It’s very common for people to say, “Well, we’re looking at attack paths. That’s what we’re trying to devise here, attack path for somebody to be able to get to the SWIFT infrastructure as an example. If people can get to that infrastructure, that’s a really, really bad day. That’s the sort of stuff that we’re really concerned about, and we want to understand what the metric of detection is for an attacker as they move towards that goal, mindful of the timeline that’s been customers, set through.”
As I said, a lot of the frameworks, it’s very common for either of the company or provider, a third-party threat intelligence provider to say, “Okay. These are the things that we found out about the organization. These are the types of common attacks that are happening in the sector. These are the things that are relevant to you. These would be a good basis for types of attack scenarios that would be relevant.” That’s generally a starting point. So yeah, I think it’s good. There’s some good value. There’s good value in that, essentially, in terms of determining whether people can detect specific types of attacks.
[00:23:43] CS: I always like to talk to red teamers, because they always have good – not war stories. Maybe that’s a little overly aggressive. But can you talk about some noteworthy experiences you’ve had working this way or interesting insights or interesting sort of attack vectors that were a surprise to the people that you were working with?
[00:24:02] ML: Yes, kind of. Let me think what I can and can’t recover. I think a lot of initial – most people think that because there’s logging and everything in place that we’ve turned on the fire hose and that’s there. But actually, a lot of the time, people have too much information. What they haven’t done is spent the time looking at what it is that they actually want to be alerted on. I mean, there’s been some interesting situations where I’ve deliberately created noise in another part of the network that looks like anomalous traffic in order to divert attention and resources away from the areas that I’m specifically focused on. Those types of approaches, you have to really kind of understand where those detection metrics are really. A lot of the times, to be honest, people kind of come and think these things aren’t possible. It’s not going to be.
That’s generally a conversation that people feel very confident. They’ve invested in security products, and they’ve got controls in place. They feel that these types of attacks aren’t actually going to be viable. It’s always an interesting development, as you go through an engagement, where you can prove that certain things are actually possible. It depends on the customer as well. I mean, some customers really want you to go sort of full force and be able to demonstrate that the impact of some of these attacks, because ultimately, it facilitates them trying to make a change within the business. They can get executive buy-in or more budget, et cetera, to be able to maybe address some of the problems that they know were there, but they can’t actually sort of move that needle. So yeah, I mean, it kind of evolves. I wouldn’t say there’s a one-size fits all approach to any of this. It’s very creative in terms of thinking on your feet.
[00:26:03] CS: To that end, what type of businesses or industry sectors does your team interface with most commonly? Do you have sort of lanes or types of industries that you especially work with or it’s just across the board?
[00:26:18] ML: It’s across the board. I mean, we work a lot with government, UK Government, a lot of it is stemmed from the frameworks that we’re involved in. Certainly, the regulatory frameworks, there are a smaller subset of companies that are eligible to be part of those schemes. That’s a common area that we work in, but I wouldn’t say there’s a specific sector. There’s a broad range of clients that we have from fairly small shops all the way to large, global, multinational companies, and all the challenges of those things that come in between. It’s a very client base.
[00:26:52] CS: At the risk of trying to simplify things too much, are there certain types of gaps in the security perimeter that you’re finding across a lot of different sectors these days?
[00:27:01] ML: I would say so. My experience is really how it has evolved in terms of cloud adoption. I see a lot more of that attack surface now. Some of it may be through lack of configuration, or an understanding of types of decisions. But other things, purely for new modes of working. The perimeter has gone. We’ve spent a lot of time building walls around this sort of stuff. Actually now, for freedom of movement, and being able to work with people in different countries and be more agile. A lot of those barriers, and a lot of those perimeters have been removed. So that creates an interesting set of challenges.
Commonly, lack of kind of understanding as to where that data is now. I mean, I find a lot, particularly talking about network attacks, people say, “We want you to go and get this flag or this particular file of a server.” I’ve had instances where this file is buried in like a 10-terabyte share, and it’s taken forever to sort of iterate through to find this file. But hey, I got the flag, you know. I’ve proven that. But actually, these little data pockets and data silos, it’s the hidden spots that people don’t realize. I mean, how much data is sitting in your local Outlook instance, in terms of place that an attacker has access to? There’s a wealth of information that we think is centralized. But actually, it’s kind of tacked on to us and follows us wherever we go. So those are the interesting things, I think.
[00:27:01] CS: Yeah, absolutely. I love that. As with previous Cyber Work guests, Mike Wilkinson, I know that you’ve also done a fair amount of work around security in the education sector. Just to catch you up in the past episode, we discussed the LA County School District’s recent breach and ransomware attacks and came to some interesting conclusions. I encourage our listeners to go back to the episode titled K12 Security Protecting Schools from Cyber Threats. Matt, in our initial correspondence, you mentioned making the case for real world cyberattack simulations in schools. Can you talk more about this and what it would look like? Is this something that you’re saying would be done, like tabletop style with your team or with direct interaction from the schools being educated or tested?
[00:29:30] ML: I know Mike Wilkinson, actually. I used to work with him at SpiderLabs. I will definitely go back and absorb all of that episode. That sounds really interesting. Obviously, I started my career in education, the education sector. This is something that I’ve been very passionate about for a long time. We felt that looking at how schools have evolved, and I think this is globally, I think this applies globally. They’re using the same technologies that businesses are now using. It’s common, they’re all running Office 365, or Google platforms, et cetera. In many ways, schools are now just essentially businesses with a whole different set of challenges. We spoke about that at length as a company, and we decided that we wanted to run a pilot. This isn’t a tabletop exercise for us. We’ve actually engaged with a local multi-academy trust, which is the UK equivalent of a centralized entity that manages multiple schools. We performed actual pen testing. We went on site, plugged in, threw packets around and we used a lot of the scenario-based approaches that we have, or red teaming tactics. And wanted to demonstrate where those vulnerabilities are, what are the possibilities of a student account compromise, and what does that mean for the environment.
That was really useful for the school. They’ve never had anything like that done before and that facilitated deep conversations. We worked in tandem with them, we generated some white papers on our findings, both executive and technical. But I think this is just a trend that’s going to continue to kind of move forward. We’ve certainly seen a lot in this country in the last couple of years of attackers targeting schools in order to perform ransomware attacks, and the impact on those is significant both from the educational perspective, society perspective, in terms of school closure is bad for business, bad for parents. I think that we will just continue to see these types of attacks evolve.
The reason is, because what how do you implement some of the best security practices that we recommend to companies, for example. It’s not really feasible to implement multi-factor authentication across a student population, and they’re kids. You expect them to choose weak credentials, et cetera. There’s a whole set of challenges around that. We wanted to draw light on that, and kind of use this as a mechanism to try and start conversations. That’s where we’ve been working. Last month, I presented at an academy trust conference with head teachers, and I wanted to understand well, do they understand the threats? Do they understand what they’re up against? The general consensus is that this is an emerging area that people are starting to recognize, but it’s a real significant challenge for these organizations to be prepared for the types of attacks that can have such a significant impact.
[00:32:32] CS: Yeah. Well, speaking of weak credentials. My next question is about security awareness, specifically. Obviously, so much of the current ransomware threat comes down oftentimes to good security awareness practices and having everyone know not to click on the item that can bypass your security system, by you letting it in of your own free will. But by comparison, the threat scenarios, sometimes the actual attack part seems further down the list in what you’re testing. Can you talk about ways that school districts who might be targets and even those that think they might – [inaudible 00:33:03] too small can make adjustments in their security posture that can minimize the damage, even if someone does click the fake invoice in a moment of distraction?
[00:33:13] ML: Yeah. Well, it’s difficult, isn’t it, the whole clicking argument? Because we’ve built our entire work streams around people clicking things. You sent me some documentation, I opened that. If you’ve got a shell on my box now, I’m sure you’ll enjoy. Those sorts of challenges.
[00:33:31] CS: I know. I’m addicted to Word files, I’m sorry.
[00:33:34] ML: But my point is that, users as an initial security boundary is not really a workable solution. Yes, we can educate people to a degree in where you’re expecting this. This is unsolicited, et cetera. But ultimately, somebody’s going to have to interact with links and things that they receive. Because even if it’s not Teams telling you that you’re missing a conversation, we’re constantly being dragged back in. I’m quite opinionated on the point that that’s not the only place to focus. I think, for schools specifically, on my earlier point, you have to accept the fact that children are going to choose weaker credentials than for a number of reasons. So, there’s no reason why you can’t focus your attention around your staff population. That is where you can say things like, “Right. We mandate multi-factor authentication, because staff would be warranted to be able to use devices, et cetera.” It’s not to say that there aren’t things that you can do that elevate that security posture, looking at the types of permissions that people have, particularly on staff devices, do they require administrative access?
Well, there’s a whole to and fro about the impact of them doing their job. But the security angle is that, well, if you have limited privileges on your device, should an attacker gain access in the context of you, then they too are limited in the types of things that they can do on that device. Now, that might not necessarily completely circumvent a compromise, but it could certainly slow them down. In terms of students, I think the only real solution is to be able to implement much more obvious monitoring around those accounts. All of these cloud providers give you a lot of this introspection of what’s going on in the environment. Obviously, you can geolocate. So if you’re an American school, there’s no reason why a student would need to be able to log in from another country. That’s not to say that there aren’t ways to get around that and pivot through, but it’s just another layer that an attacker needs to go through, meanwhile, giving you the opportunity to be able to protect some of this sort of stuff.
I think a lot of the time we find that, particularly in the pandemic, and I don’t know if it’s the same where you are, but a lot of people were just running around, trying to get some semblance of normality in providing provisions, both in business and education. A lot of this stuff has been stood up hastily, and quickly with a need and that’s fine. Now, people are now going back through and maybe reviewing some of the initial decisions that they made about certain technology choices, and whether they’ve got them controlled in the ways that they would need to.
[00:36:13] CS: Yeah. Well, you’ve certainly made the case for this being a very fun and satisfying area of career. I obviously want to pivot over to the work side of Cyber Work and ask you some advice. For newcomers, for listeners who want to get into pen testing, red teaming, threat intelligence, and more. What are some suggestions you have in terms of learning experience, specialization, reporting that would make you more desirable to potential employers, even if you’re brand new out of school with no work experience?
[00:36:48] ML: Well, reporting is great. I mean, it’s very often that people sort of don’t see that as an important part. But actually, good reporting skills and understanding how to convey technical information at the right level is absolutely vital in the job. A lot of the time, that’s the only thing that a customer sees, is the end report. Looking at how you can improve writing and conveying that information is definitely recommended if you move into this as a role. I guess some of the challenges around learning is that there is so much information out there for people now that it’s difficult to understand, well, what does good look like? Personally, I’ve curated some sort of YouTube playlists for people that I really enjoy watching and that’s good. I read a lot. I think you have to read a lot as well.
But in terms of specialism, I think you just have to acknowledge that you’re not going to be able to do everything. I’m a proficient and I would say good app tester, but it’s not my area or specialism. I can test the mobile app, et cetera. It’s not my area of specialism, but I enjoy things like breakout testing, which is kind of a bit of both. I love all that sort of stuff. I can write malware. I’ve taught myself those types of aspects. It’s kind of focusing on what you want to achieve and then go from there.
The main thing is, a lot of the time, we see with the newer generation coming into the industry, that it’s a very Capture the Flag focus, Hack the Box, Try Hack Me, go and get this flag. You see that less in the real world. You don’t see vulnerabilities in isolation. You generally see a broad vulnerability as part of an attack chain. Whilst those things are really important to learn in a fairly esoteric skills, my recommendation wouldn’t be to just focus on those types of platforms. I would say build things, build labs, understand, like build this sort of stuff. It just helps you progress, because you’ve got that firsthand experience of what it means to pull that sort of stuff together.
[00:38:56] CS: There’s rarely a flag at the end of your whatever thing you’re working on in the real world there. You have to understand why you’re doing it. You don’t just need the sort of the dopamine hit. You need to really think about –
[00:39:10] ML: Exactly. Expenses is love show. There’s nothing better than that.
[00:39:14] CS: Yeah. Also, again, we have a huge archive of write ups of old Hack the Box, Try Hack Me, [inaudible 00:39:23] on our site. I always sort of think of them as hint codes, like if you’re doing it yourself, this is – but I think part of the actual benefit of it is also what the writer did, rather than what someone else does in reading it, and thinking about it is that you’re reporting on your own sort of mental process and things like that. I think maybe that’s one of the –
[00:39:45] ML: Yeah, absolutely. If you’re doing something like this, maybe it’s less important to say, “Well, I beat this thing,” and more important to sort of document how you did it. Because obviously, there’s a million ways to get to the finish line.
[00:39:56] ML: Yeah, I totally agree. I’m not sort of like that, I like these sorts of challenges. But it’s not about me sort of winning. For me, it’s always about the learning. I think looking at other people’s approaches and perspectives is really great, because, then that kind of forces me to look at my own approaches to things. Then, that’s free skill development right there, because there’s always a different or a better way of doing it. Or it’s just enjoyable to see how other people approach problems, basically. Because that’s all it is, it’s kind of problem solving. How can I get through this brick wall? Once I’m there, what’s the next brick wall look like?
[00:40:34] CS: Yeah. It feels like when you move to a new town, and especially if you’re like public transport bound. The first few months, you’re taking a very convoluted way to get to a place, and then three months you’re like, “Oh, I could have done this, and I just take this thing, and it cuts an hour off of my time.” I think there’s a similar aspect to it. Like if you get sort of shunted into, “Well, this is the only way to get to this thing,” you might be missing out on all these other options that develop your own sort of understanding of the entire map.
[00:40:34] ML: Yeah. I totally agree. Take your own way, enjoy acknowledging other people’s approaches, as well. But also, be mindful that actually, there may be a brand-new way of carving through that nobody else has looked at yet and be prepared to kind of go through that. Even if it ends in a rabbit hole, that’s absolutely fine. Because that whole sort of learning experience is worthwhile. That’s kind of what I said earlier. If you feel that sort of person that is quite happy to chase things, but it’s not necessarily about you winning and being able to do that, then that’s a good kind of mentality to be in. Because you constantly want to be progressing forward.
[00:41:46] CS: I don’t like to necessarily take such big insights like that, and try to squish them down into a bumper sticker or something. But I do feel like that’s worth highlighting that if you want to get into pen testing, red teaming, threat intelligence, all this stuff. There’s this sort of one level of – you’re doing these things to help this business become safer. But in the reporting process, and in the learning process, you’re sort of adding to this library of knowledge that we’re all sort of building together. I think that can be a pretty noble way to think about it. You’re not just going from job to job, like a mercenary bounty hunter. You’re contributing to writing the basically the insight – the dictionary of pen testing.
[00:42:36] ML: Yeah. That’s definitely my approach. We’re standing on the shoulders of giants, really. I think about a lot of the tools I use. Other people have written some of those tools. I’ve had the opportunity to rip them apart, because they’re open source, and learn just from somebody else’s approach. I mean, it’s a great time to be there, and it wasn’t like that in the beginning. It was very close. And all of a sudden, certainly, in the last sort of 10 years or so, there’s been a huge influx of people being prepared to share and bring other people along. That’s a great time to be in there. I don’t have to be the smartest person in the room. Quite often, I’m not. But what I do love is learning, and I’m always enthusiastic about learning and I will learn from anybody, essentially. I think you have to have a very open mind when it comes to this industry as to how you’re going to build your skill set.
A good peer group is vital to that, where it’s not necessarily competitive in the sense that you have to have a winner. You have to be prepared to work in a synergistic relationship. Because, then everybody wins. That kind of challenge response approach is important. Some of the best tricks I’ve learned, I’ve learned from fellow pen testers sitting on data centers at three o’clock in the morning. It’s like, “What? I didn’t even know that you could do that.” I learned a trick from IppSec video. I was watching an IppSec video the other day, I was like, “No way. I’ve been using Windows for 25 years now and I didn’t even know that was a thing.” It’s like, those little tidbits, that’s the good stuff. That’s the really good stuff.
[00:44:21] CS: And that keeps it exciting, even decades in.
[00:44:24] ML: Yeah, exactly. I’m looking to the future, where do you see the threat landscape going in the next five or 10 years? Are there trends, or AI enhancements, or other tech, or procedural changes coming that you think will make 2020 to look as strange or primitive in someone pen testing in 2032 as 2022 would have looked at someone pen testing in say, 2006?
[00:44:45] ML: Yeah. I think it’s going to continue with this cloud adoption to the point where we’re just going to consume, not even consume devices, but just consume data from layers. Obviously, AI is a significant benefit, threats. I read the Rule of the Robots by Martin Ford. That’s a great book, really recommend it, brilliant book. We’ve seen things like GPT – I can’t remember the name right now. ChatGPT, I think it is. The AI model around language learning that’s recently been released, and it didn’t take long for people to start training that model to make very realistic machine learning-based phishing scenarios and stuff. We’re going to see that deep fakes. We’re going to get to the point, graphics, et cetera. These videos, these Teams meetings that we’re having now, it’s going to be very difficult for you to be able to discern whether I am actually the Matt Lorentzen you should be talking to.
That whole perception, all of the things that we take for granted, they’re going to melt away. I think that’s going to be a really interesting time in trying to determine security, particularly when you’re trying to influence machine learning models and attacking. I also question whether there will be the skills within the market to be able to be prepared for how quickly that will happen. As with all things at the moment, there’s so much development in pushing the technical capabilities along what will happen inevitably, as it always has been. Then there’ll be a moment where people are like, “Oh, actually, that could be a risk, or that could be a problem.” Then there’s a big scramble to try and grab people to understand actually how we can mitigate that. But you’ve essentially opened the box at that point. How do you solve the problems that are already out there? Interesting times. I think it will be very different for sure.
[00:46:39] CS: Yeah. A lot of open boxes, right? Exactly. As we wrap up today, I want to give you an opportunity to tell people about your company, Cyberis, what your company offers and some things that Cyberis is looking forward to in 2023.
[00:46:53] ML: Cyberis, cybersecurity assurance provider, our bread and butter is penetration testing, application testing, traditional pen testing. I’m the adversary simulation lead, so my world is red teaming. We’ve recently gone through a rebrand this year, sort of uplifted the company, and defined very clear goals about where we want to be. We’ve got a strong, loyal client base. A lot of our reputation is based on that customer interaction and understanding customer needs. I think we’re going to continue to grow. We had an academy program that we ran this year. So fresh out of university graduates come into the program, and then various members of senior members of the team ran courses with them internally to supplement other external learning and that was great. I ran the Active Directory core stuff that was brilliant, got people building stuff, and forest trust, and real-world hacking.
That was really cool. I think we’re going to continue to sort of grow the company and build on that basis, really. So it’s a good time. We’re really happy with the progress we’ve made this year and it may continue.
[00:48:02] CS: All right. Well, one last question. If listeners want to learn more about Matt Lorentzen or Cyberis, where should they go online?
[00:48:08] ML: Well, for Cyberis, it’s cyberis.com. For me, I’ve kind of keep on meaning to put together, mattlorentzen.co.uk of like a collection of all of the work that I’ve done over the years. But for now, probably the best place is Twitter @lorentzenman. I talk a lot about lab tools and some of the stuff that I’ve released. Yeah, like generally quite passionate about anything pen testing based. That’s where you can catch up with me if you want to.
[00:48:39] CS: Well, Matt, thanks for joining me today. This was a really fascinating conversation. I appreciate your time.
[00:48:42] ML: Thanks very much for having me, Chris. Really enjoyed it.
[00:48:44] CS: As always, I’d like to thank everyone who is listening to and watching the Cyber Work podcast on an unprecedented scale. We had an end over end jump in subscribes, and watchers and listeners this year. Completely off the charts and we’re happy to have you all along for the ride. Thank you once again to Matt Lorentzen, and thank you all so much for watching and listening. We will speak to you next week. Take care now.