[00:00:00] CS: Hitch up the wagons and polish your spurs, because it’s high noon, and the searchers are looking for a way into your network. October is National Cyber Security Awareness Month, and Infosec is helping to tame the wild, wild met with our collection of free training resources that will make your employees the masters of the cyber frontier and bring cybersecurity to the forefront of your organization. Go to infosecinstitute.com/ncsam2020 to download our free toolkit containing a stagecoach full of provisions to run month-long security awareness campaign, including posters, infographics, newsletters, email templates, presentations, and more. Grab Cybersecurity Awareness Month by the horns with this wild bunch of free material from our award-winning LX Labs team.
Just as the wanted posters in the wild west help the public recognize the region’s most notorious villains, our free training kit reveals the identities of common cyber threats to help prepare your employees for the real attacks they face. Again, go to infosecinstitute.com/ncsam2020, or click the link in the description to get your free collection of training materials and help spread security awareness.
Now, let’s begin the show partner, partner.
[00:01:16] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
The story of my guests today is, as they say, ripped straight from the headlines. Gary Demecrcurio and Justin Wynn, both of the company Coalfire were arrested at the Dallas County Courthouse in Iowa while doing red team pen testing for the state of Iowa’s judicial branch. The story is fascinating, and I’m going to let them tell you all about it.
But for cybersecurity professionals and read teamers in particular, it’s a nightmare scenario, and like many of these wrong place, wrong time situations, there’s a chance that it could’ve gone a different way if law enforcement had been a bit more understanding to the nature of what needs to be done to ensure a strong security profile. So I’m going to talk to our guests not just about the story in all its details, but I’d like to see if we can get a sense of some of the legal gray areas currently around red team operations, futures of such activities and the ways that it can be made more safe without reducing effectiveness.
Gary Demercurio runs one of the largest groups in Coalfire Labs as a senior manager working with technologies every day. His expertise focuses on social engineering, physical testing, and network devices. At Coalfire, Gary manages day-to-day business involved with FedRAMP, PCI, HIPAA and penetration testing while helping to spearhead the physical and social engineering portion of testing.
As a senior security consultant, Justin Wynn is responsible for actively compromising and reporting on virtual environments typically encountered at Fortune 500 companies. Justin performs wireless physical red team and social engineering of engagements. Justin also conducts research to include production of open source models for printing milling to aid in red team engagements, as well as specific regard to tool gaps in the lock sport industry as well as master keys for access control and elevator overrides. Currently, Justin is researching security vulnerabilities in various RFID devices.
Gary and Justin, thanks for joining us today and Cyber Work.
[00:03:24] JW: Thanks for having us.
[00:03:25] GD: Thanks.
[00:03:26] CS: Cool. So I want to start with your background. We got a little bio there, but how long have you both been in the security industry and how long have you been read teamers specifically, and what was your path to that type of work?
[00:03:37] JW: All right. Let me go first, because Gary has an amazing background. So he always stumps me if I’m not first. I’ve been in the industry for about five years, broken from scratch. I was a marketing major coming out of college and then trying to realign what I wanted to do with my life. I really liked urban exploring, everything to do with physical security, military type stuff, and I wanted to see how it can make this work in the civilian career style. So I ended it figuring out a lot of this is all virtual work. It’s where a lot of the money comes from, PCI, HIPAA. That’s how we keep our job most of the time. And then on top of that, if you can get a physical security position really coveted, very difficult, but the way to break into the industry was virtual. So I started getting my certifications. I studied on my own while I had some of the jobs, and eventually you start sending out applications. And Coalfire was kind enough to give me a chance.
[00:04:22] CS: Cool. How about you, Gary?
[00:04:26] GD: In my former life, I was a helicopter pilot for the United States Marine Corps. And we have – If you know much about Marines, but we have about 50 jobs each. And one of those jobs was building and maintenance. And for the building and maintenance, I was also responsible for the super vault that we have in this water. So at some point, my OIC came in and said, “Hey, you think you can break into this?” And I said, “Well, sir. I’ve built it. I know exactly how to break it too.” I broke into it. I was successful. And then from there, I kind of was asked to do another, and another, and another. So that’s kind of the genesis of my breaking and entering for my life.
And then I got out I became an engineer and did something else in another life. And then that started to get really boring and really easy, and I thought to myself, I was like, “What if I could break into stuff for a living?” So I started doing some research, and lo and behold, that’s when I found red teaming. I said, “Well, how hard could that be?” And so I went out and got a master’s degree in all things computers, and Coalfire gave me a shot not having a whole lot of experience, at least in consulting and things of that nature. And the rest, as they say, is history.
[00:05:37] CS: So it sounds like, Justin, you mentioned specifically your interest in physical security. Do you do guys each have sort of like a subspecialty within red teaming? Like you’re the physical security guy and you’re the computer security guy? Or do you guys work as a team all the time?
[00:05:55] JW: When we can, it’s definitely preferable. We have just good team dynamics. It’s really strange. Every time you go out on a red team, your partner is very important and how will you guys will flow with everything? So a lot of times, I’m going to work with somebody like Gary, it almost becomes nonverbal. So you just kind of nudge on. They know they’re going one way, you’re going the other, and you’re working towards the same objective. Of course, you have definitely have different skillsets, different things that we focused on in the past. So I’m pretty heavy into the virtual staff, networking, RFID. And Gary is great in all those too. And Gary’s is a great lock picker. Excellent at bypasses and social engineering. So yeah, we you kind of bounce up each other in that role.
[00:06:28] CS: Thanks. So I know you’ve been on the promotional tour and you recounted this a million times. But if you don’t mind, could you walk us through the event yourself, if you don’t mind? Can you reconstruct the work you were doing at the courthouse the moment you trip the alarm, to the authorities, and the response when they arrived?
[00:06:46] JW: Do you want to take it, Gee?
[00:06:50] GD: I suppose. So let’s see, if we’re just going over that portion of it, we actually arrived at – I don’t know, 11:30-ish, if I recall correctly. We kind of did a walk around on the building. When I say walk around, typically, when go to a building and you haven’t been there before, you walk around and you check all the things out. Our walk around was we parked in the back and walked to the front.
When we got there, the Sheriff’s Department is actually right across the street from the courthouse. So it wasn’t like a surprise that we knew that the police were close by. Yeah, we walked up, and Justine was trying the door at the same time I was trying a badge that we had taken from another building just to see if they had multi-building access. So it was, “Beep!” And then Justin opened the door and I’m like, “Did it work?” And he was like, “No. It just opened.” I was like, “Oh, okay. Just shut the door,” and then we proceeded to bypass the door just to give them the benefit of the doubt.
In this – I don’t want to say in this scenario. But this engagement, overall, there was an overlying theme, which was really easy access to everything. And so this was another one of those times where we just kind of shook our heads, said, “Okay, let’s give them the benefit of the doubt.” What would happen if there wasn’t a mistakable? Or what would happen when somebody did leave the door wide open somewhere else? Which again was a recurring thing. So we shut the door and then just went from there.
[00:08:18] CS: Was it just that the door had like not closed all the way or something like that?
[00:08:21] JW: Yup. That was it. Old door, right? Super, super old courthouse. They literally still have the original latch on doors from hundred years ago, probably. Of course – There is my dog. I’m on queue. They’ve been upgraded things
[00:08:42] CS: We’ve got three guests on the show today.
[00:08:43] JW: Yeah. They’ve upgraded things. In putting a crash bar on the back of the door itself, but the actual old-school locking mechanism of the door is still there. And I think that’s actually what interfered with the old locking mechanism of the old door handle that was there and then the latch wasn’t able to latch, if I remember right. I could be wrong.
[00:09:08] CS: So you heard the alarm going off and you’re like, “Okay, we’re just going to wait until they get here and we’re going to explain ourselves.” And then they arrived and they didn’t want to hear
[00:09:17] JW: Actually, there’s a little bit more to it than that. As soon as we went in the door, there is an alarm panel on the side, and part of what we do is to make sure that people aren’t using default codes. Because a lot of people set up their alarm and they never change their –
[00:09:30] CS: 1234 or something like that. Yeah.
[00:09:31] GD: Right? And it’s always the same depending on what company you’re using, what company is installed into the alarm panel. So that’s the first thing we did, was try and make sure they’re not using the default codes. Usually have 20 to 30 seconds depending on the alarm system to punch in said code. After we did that, after we went through the codes that I could remember, we actually set the alarms off ourselves. I just kept hitting the same number over and over and over again to see if it had a lockout on it, and probably the third code I tried, or I should say the third entry of the bunk code I knew wasn’t going to work actually set it off. So it did, I think, went off about 10 seconds early. So as soon the alarm actually went off in earnest and started blaring, I turned to Justin. Justin was actually there for kind of – I don’t want to say a training regiment, because the guy is brilliant, but it was like the next step in the evolution, is he was supposed to take over the physical aspect of testing at Coalfire. So part of being the lead of that is to teach others.
And so that is basically what it was for is, is that was supposed to be Justin’ – I don’t know what do you want to say. Certification training –
[00:10:47] CS: Initiation or – Yeah. Okay.
[00:10:47] GD: Initiation. Yeah, whatever you want to call it, where I came and gave him the ominous, the ominous you’re good to go, and you can go and train. Train everybody and take physical world. This is what it was. So I was making him – I was letting him make all the calls, right? So I turned to him, “What do you want to do? Do you want to bounce or do you want to stay here?”
Again, still under the training guys to see what he would do. But I helped. I don’t want to say I trained, because I definitely didn’t do that. But I helped train Justin on a lot of things. I know he makes the right decisions, because I helped him make a lot of those decisions early in his career.
But again, once again, his decision-making was impeccable. And he’s like, “No, we’re not doing anything wrong. We’re going to get out of the jail free card. We’re here under the order the customer. So let’s just wait and see if law enforcement shows up.” So that’s what we did. And to be honest, it’s the right call. There are a lot of people in the industry that would have left. And there are a lot of people in Coalfire that would have left, and that’s the wrong choice.
[00:11:49] CS: Yeah. You’re telling a different story than you mean to be telling, I imagine.
[00:11:54] GD: Yeah.
[00:11:56] CS: Now you look like perpetrators who’s running. Yeah.
[00:12:00] GD: Yeah. And we’ve actually given talks on this, is there are a lot of people out there who have this pride welled up of never being caught. And if you’re never really ever getting caught, you’re never really pushing the boundaries if you’re testing every aspect of the customer that you should be testing. You’re letting your pride get in the way of, “Well, I’ve never been caught. No one’s ever got me.” It’s like you’re not testing right if you’ve never been caught.
[00:12:25] JW: Absolutely. You got to identify that threshold. I will add. One of the thing that went into that decision-making process too. This was kind of midway or almost towards the end of the week-long engagement that we’ve been working on, and every other facility we were in, no alarms were set off, no response. So this was kind of the first time we’re hanging around, we’re like, “All right, we need to see if law enforcement shows up and actually responds to this situation at-hand.”
[00:12:46] CS: Yeah. I mean, that’s something for the report right there, is if an alarm goes off and they’re like, “Oh, no. It’s probably fine.”
[00:12:53] GD: Which has happened before. Yup.
[00:12:54] CS: Yeah, I can imagine.
[00:12:54] GD: The bank is literally like same proximity to the police station and they’re just not wired up to dial out.
[00:12:58] CS: Right. I mean, in an ideal version of this, the authorities would have come and you could have said we’re here doing red team. We have paperwork. We have contract, whatever. And they’d be like, “Okay. Fine.” But there was a sort of perfect storm of misunderstandings here, and it sounds like some of the county versus state jurisdiction rivalries and maybe a desire to sort of teach you a lesson. And so how did that lead to a night in jail and the bail?
[00:13:23] JW: Well, it’s funny that you mentioned that and another scenario that would have happened, because you’re right, except it did happen. And it happened in this scenario. They did show up. They did let us go. They did verify us. Everything was fine until the sheriff showed up. The responding deputies were extraordinarily professional. No one was, as they put John Wayne, nobody did anything they shouldn’t have done. Nobody pulled a weapon. Everything was 100% cordial and exactly the way that if we were going to write it up in a training seminar to give to new physical pen testers is exactly what we would say you should do and that cops, the police should react. And that’s exactly what happened. And it wasn’t until in our talk that we give in Black Hat, we actually show the body cam footage of them letting us go saying, “Yeah, you guys are good to go.” And somebody said, “Are we going to wait for the sheriff?” And now their officer said – It was a deputy, because it’s deputy sheriffs. Another deputy said, “No. No. Yeah, they’re good. We verified them. They’re okay.” And so they let us go. And it wasn’t until the sheriff showed up and he said, “No. You hold them. They’re going to jail. I don’t know what for. But they’re going to go to jail for something.” And then he walks away and he gets on the phone and he decides that his charge he’s going to trump up on us. And yeah, that’s when the county versus state came into play when it was the boss, the sheriff showed up, and he was the one that was upset. No one else was mad. Everybody else knew we were under contract.
[00:14:46] CS: Right. And then didn’t the judge say something like she didn’t know what red teaming was, but it sounded bad, or whatever? And then they sort of bumped your bail up?
[00:14:54] JW: She didn’t even say that. That would have been nice. She was, “You all need a different story.” Did I fall off the turnip truck yesterday type thing? You’re going to have to come up with a different story, because you’re ridiculous guys.
[00:15:07] CS: So she was like, “Oh, red teaming. Right. I get it.”
[00:15:10] JW: Yeah. She just straight up thought we were criminals.
[00:15:12] CS: Wow! Oh my gosh!
[00:15:14] GD: Yeah. I don’t think she had been given all the details the night prior. When we went up in front of her, she said, “Oh, you’re breaking this courthouse. This is how the state does it. We don’t do this type of work. You guys need to come up with another story. It’s crazy that you think I believe this.” So it became very clear. You know that sheriff, everyone the previous had verified us, called our point of contacts, knew that we were there on contract. We showed them contracts and documents, everything that we had. So they knew we were verified and they knew that this was never going to make it to the magistrate.
[00:15:41] CS: Wow! So when I walked up, my understanding was, or at least what I would think, was that the sheriff would have said something, or the prosecutor would have said something prior, or even during, would have said, “Hey, man. This is a situation of state versus county, and these gentleman are working for a private company and they were hired by the state. However, they shouldn’t have been there. Or however, we believe X, Y, Z.” That’s the way that we thought it was going to go, and it did not go that way. The sheriff knew we were verified. Spoke to the people that sent us there. Our contacts himself, so he says. And then he just sat there in the gallery with his arms crossed with a smile on his face.
[00:16:31] GD: A smug grin, if you will.
[00:16:32] CS: Yeah.
[00:16:35] GD: And didn’t say anything. Even when the judge was saying, “This is ridiculous. This doesn’t happen. We don’t do things this way.” Completely contrary to everything that the sheriff knew to be true, he still just sat there and said absolutely nothing.
[00:16:49] CS: Wow! Yeah, obviously, stories like this send off all the alarms in cybersecurity professionals’ brains, because it’s not only the worst case scenario of a legitimate and consensual work project, but also because of how it looks to the outside world that we’re just hackers that are breaking in and then retroactively constructing an alibi. So we’ve had these – I’ve had a bunch of red team people on the show before, and I always like to ask like what’s the line you cannot cross? Because in the outside world, red teaming looks indistinguishable from actual hacking and people think, “Well, they’re kidnapping the CEO, or they’re smashing windows or whatever.” But obviously there’s a whole different to it.
But I want to get a sense of how – You mentioned a little bit of how this could have been prevented in more of a macro way. Not in this specific situation, but like what information or processes could have been into place that would ensure that you could still do your work as secretively as possible while still keeping yourself safe from inappropriate intervention from law enforcement?
[00:17:49] GD: I think all the typical processes were in place that have always been sufficient for any encounter in the past. We had client contacts, we had signed contracts, we had a letter of authorization, the get out of jail free card, and that’s been sufficient for every single engagement we’ve been on except for this one.
Honestly, I don’t think there would have been any way to prevent this other than having maybe law officials or law enforcement officials who respect the law and use their authority appropriately. It probably could have been prevented if their official had been notified. But historically, that almost always reduced the effectiveness of the engagement and the testing. So you’ll be working in an environment that’s more secure for that week while you’re on site than it ever realistically is in the day-to-day. And the point of that testing is to emulate real-life threats and in a realistic scenario.
So anytime I’ve ever been on an engagement where the client notified the security team, every door is locked. They’re doing patrols. They’re just on 24 hours. That never happens. It kind of degrades the value of the test.
[00:18:41] CS: Yeah. It’s like when the restaurant knows the food critique is coming, everyone neatly clean behind the fridge and everything like that.
[00:18:47] GD: Yup.
[00:18:49] CS: So. Do you think there’s any kind of before and after moment about the way red teaming just can’t be done the same way now? Or is this just an outlying event that we can learn from and move on to?
[00:19:06] GD: I’d say red teaming needs to be done this way. It’s why we do these engagements in an offensive nature. I mean, kind of the modern red teaming evolution came from Dick Marcinko from SEAL Team Six, who invented red teaming. And part of job was breaking the military bases, or planting bombs near Air Force 1. And there’s no way you’re going to identify those kind of weaknesses exists unless you’re doing an offensive test in nature.
So I think this was a teachable moment that there are some places across the states that maybe aren’t up to speed as some other place maybe. And I think this was more of an isolated incident. But it’s something to be mindful of that we’re not still there. Maybe some other things have come long ways. But hackers are still fighting the age-old fight that we always have been, and that we have this huge negative bias and the perception that we’re the bad guys. When in reality, most hackers are good.
[00:19:52] CS: Yeah. I mean, this sort of speaks to also a need for a baseline level of cybersecurity understanding by – Not law enforcement, but like everyone in government. Because you hear stories about sort of congress people who are passing laws about leg privacy and security who don’t quite know how the internet works and things like that. This sort of speaks to those sort of wide gaps in terms of people who are adjudicating on security issues but don’t quite know the sort of ins and outs of that. I mean, do you have any sort of prescriptive suggestions in terms of just a baseline of security knowledge for people who are in charge of laws?
[00:20:37] JW: I don’t know if there’s any hope there to be honest with you. To take a down level from just the political level, right? You’ve got the – We’ll call them the defensive people, right? So you get your facility management and the people that are in charge of just the facility in general. They have – If you go out and you look at Indeed or something, and you look at a facilities management or a facilities director or something in that nature. The people that are supposed to be responsible for making sure that buildings are secure. They have lots of defensive titles. They have lots of certificates that they’re supposed to have and all these things, all the training. A lot of times you’d say, “Hey, we want somebody who’s prior law enforcement or who is in government secret service, or the FBI.” And the reality is none of those people have any idea what the heck they’re showing. I’m sure there’re a lot of them out there that are getting mad at me for this, but it’s true.
We crush them. We don’t win. We don’t beat them. We crush them. We walk right by every single thing that they have in place, because we know the weaknesses. I know that this stuff gets tested because there is no – I don’t want to say there isn’t defense. There isn’t a current defense outside of hiring somebody like us or somebody like us in the industry to actually put your defensive measures in place, because they’re using old archaic, antiquated systems and procedures that have been around for years and years and years that never had to stand up to rigorous testing like this. And that’s what’s in place.
And so a lot of times, especially when you have lobbyists or even when you have politicians, a lot of them are older and a lot of them fall back to some of these antiquated positions or think that the best person to secure a building is going to be a secret service agent. You’re right. The best person to secure a building for an individual target going into that building to make sure that they’re not attacked is a secret service agent.
The best person to secure a building to make sure that nobody can get in is not a secret service agent, because that’s not their job. That’s not what they do. That’s not what they’re trained for. But yeah, we have this archaic knowledge or notion that they’re the best ones because they protect an individual asset, not a building.
You got to start there first and then work your way up, because are the ones, those are the people that the government speaks to. Those are the ones that the politicians rely on to give them knowledge and they’re giving them outdated knowledge that is not accurate.
[00:23:09] CS: Yeah. I want to pull back a little bit in terms of general concept of red teaming. This is something I ask a lot of red teamers. Do you think that red teaming is over-prescribed? By that, I mean, there might be a perception that every company organization of a certain size needs to get red teamed in order to show their security systems impenetrable, but they might not have even really done the work necessary leading up to it, whether it’s basic pen tests or simple fixes like improving the key card or the door lock system.
And so it almost has kind of like a badge of, “Well, we’re big enough. We got a red team on here.” Do you think organizations need to know more about their own system first before hiring red teams to attack them?
[00:23:52] GD: We do. And Justin has the perfect solution for that. Don’t you, Justin?
[00:23:57] JW: Hmm, trying to anyways. So I’ll say no. I don’t think it’s over-prescribed. I’m totally understanding your point. Absolutely. You need to get your own dog food, shore up your own bases as much as you can and you’re making more value out of a red team or a penetration test at that point. So do your rolling scans first. And then once you guys provide your own knowledge and fix that you know how, bring in the experts who can take it to the next level, because nobody knows everything. And that’s why you need these types of tests.
There are different approaches. So maybe before you have your first red teaming day dream where you have absolute professionals coming onboard and they have 30 different attack paths that they can breach a facility, do a whitelist of walkthroughs. So hire a company like Coalfire to come on site, and we’ll walk through with the security team and then walk through every point of ingress and work through all your technology. Show them the vulnerabilities. Hand them the report in more of a blue manner rather than the red team manner that we’re typically familiar with. That’s one thing we’re trying to do to try to bridge that gap. Overall, I’d say no. Underprescribe. More organizations need this, and that’s both from outside people coming in and doing these assessments and then also having their blue teams apply that knowledge and embrace that threshold.
[00:25:02] CS: Okay. And how – Oh, sorry. Go ahead.
[00:25:04] GD: No. I was just going to say, the reason that we’re so vehement about people doing this is the individuals and the companies that we work with are the ones that are kind of hitting their chest. There are two. There’s ones that are hitting their chest saying, “We’re invincible.” And there’re the other ones that want to affect some sort of change. And so they want us to show whoever their CEO or whoever is the decision-maker is, how vulnerable they really are. And those are our favorite ones, because they want us to do everything and they give us free reign. The other ones is you can’t break in here. We’re a bank. We work with the people who think they’re the best and we walk right in almost every single time, every time.
[00:25:46] CS: I have to imagine, they might be a little more sore losers and maybe less likely to sort of like take your prescriptions if their feelings got hurt or something.
[00:25:55] GD: Yeah, it’s weird. They hire you, but then they don’t really want you to do the best job you can possibly do, and it makes them look bad. Again, that goes back into what experience do you have in this. You have this old experience that doesn’t work and they tell you it does and they tell you if you do X, Y, and Z, and that it’s going to be nearly impossible for anybody to get in. And the reality is not that.
Yeah, it’s under-prescribed because of overconfidence, I would say.
[00:26:27] CS: Specially with the case of the courthouse here, but in general, like how long does a red team operation take? Is it a matter of weeks, months? How long do you think this one would have taken, the Iowa Courthouse?
[00:26:38] JW: So we’re given a week, which was some of the reasons why things went the way they did. We had 5 buildings –
[00:26:44] CS: That’s a narrow one.
[00:26:45] GD: 5 days, which is just kind of insane. If you’re doing the job properly, you have your recon enumeration, you know all the detail schedules of all the staffs that work in that building. So you can get up to a week for a building, which for us at Coalfire, would be pretty generous. But that’s very common at other organizations. So if you’re looking to break in to a museum, you may need a month to set up everything and get everything in place and do the proper reconnaissance. So this was a condensed timeline. I’d say most engagements are about 5 days and it varies based on the facility and the number of buildings.
[00:27:14] CS: Okay. So the primary focus of the Cyberwork podcast, we like to obviously talk new stories and cool things like that, but we mostly want to sort of impart on behalf of our listeners who are just concerned in the cybersecurity industry or looking to move up in the jobs or careers, get some ideas for them. So I wanted to ask about working in red teaming and pen testing as a whole. What advice would you give whether about education or skills training or areas of inquiry or just things to make yourself more knowledgeable that you’d recommend for people who want to get into red teaming right now in 2020?
[00:27:47] JW: Yeah. I mean, it’s a modern era. I started about 7 years ago, but I did start from scratch, so I think I have a really cool story about coming from nothing and know nothing about the industry or even that this industry existed, and then becoming a senior security consultant. So part of that path was just a lot of long nights. I’d be working 10, 12-hour days and then coming home and studying for another 8. And my progression path was learning the foundations first. Absolutely have to lay that foundation with the CompTIA A+, which was a 1,200 page book. Read every page of it. And then Network+, same deal, 1,500 pages. Read every page of it. And then working towards Security+ and CEH. So certs definitely have a place. If you don’t have any prior experience, knowledge, that’s something great that you can take to a potential employer and say, “Hey, I did pass. I may have some of the requisite skills for this.”
So studying on your own, absolutely. And then just shooting your shots. So getting involved in the community. One of the big things that got me in was my hobbyist interest in software-defined radio. So showing different skillsets and different interests across the board and then networking at security conferences. And then eventually just sending all the applications that you could. And when it was time for me to apply at Coalfire, I told them – Because I’m new. I didn’t have really anything that I could show for myself, I had to be there in-person. So I flew out to Colorado and did my interview in-person in the office so I could kind of demonstrate not social engineering, but sociable skills that’s part of a consultant role along with technical acumen as well. So putting that altogether. And then once I finally got the job, I was extremely fortunate to meet the people that I did who embraced me. So these were hackers that have been hacking for 20 or 30 years and just really took me when I had like no business. I wasn’t even reading error output and like trying to diagnose the issue, and these guys would walk me through and tell me like, “This is what you need to look at. This is how you learn and grow.” And it’s been a transformative process. Like really has appreciated my mind because of kind of the trial by fire that these guys put me through, and I loved it. So absolutely, I would recommend the group to anybody. And you can do it even if you start from nowhere. It’s just going to take a little bit of time and hard work.
[00:29:41] CS: Thanks. Okay. Go ahead. Okay – Go ahead. Sorry.
[00:29:45] GD: If you don’t mind.
[00:29:46] CS: Please.
[00:29:46] GD: I actually got an employee that didn’t finish high school, and he later went to get his GED, but traditional high school, it wasn’t his thing. And I’m going to call his name out. His name is Marcus, and he’s brilliant. He’s got the tinkerer’s mindset. He’s constantly working on things. He’s put in together boards from 1980, re-soldering them, seeing if he can bring them back to life.
As a hiring manager, the one thing that you’re looking for is that hobbyist attitude, or jobiest that we used to say at Coalfire, where you want to bring that home and you love exploring and fixing and learning new stuff and doing it on your own. And the majority of the people that I’ve hired that have turned out really, really, really well that did have a lot of experience were the ones that did exactly what Justin is talking about, is they went home when it wasn’t their job, and learned it. And not only learned it, but loved doing it. It was exciting. It was fun for them. And they put a lot of extra effort into it.
For new people out there that are looking to get hired by someone like me or somebody else in the job and get started, you’re not going to get hired because you can break into a building and you’re an excellent physical penetration tester, because there just isn’t, unless you’re like red team alliance or something that has a lot of those jobs.
[00:31:13] CS: Yeah. There’s a lot of places to practice and otherwise.
[00:31:17] GD: You’re going to have to get the base skillset of just being the network application penetration tester. That’s really where you have to start. But, man, every time somebody walks you that door and they’re excited. And even if it has nothing to do with pen testing, if it’s something technical or it’s something with computers and they can show some sort of experience and desire to learn that and the passion, man, that trumps anything almost every single time. We’d have guys walk in the door that were super smart but just wrong attitude and they ate through the gate, “I’m done after this. I don’t want to do anything else. I’m not really interested it, but I just happen to be good at it. I’ll take a passionate guy like Marcus who grows up and ends up becoming a great pen tester today.
[00:32:02] CS: That’s great, and that’s a thing that we’re trying to sort of change in the industry, is this sort of HR gatekeepers of who only want to see people with college degrees or certain academic or experience levels. But it’s sort of a slow, hard, sort of seed change to get lots of people to agree that you have to look beyond certain letters or a person’s resume or whatever and sort of look to their passion.
So yeah, it sounds like you say, again, that this hasn’t changed things much necessarily. But do you think there are any suggestions for making tasks like these red teams safe and more transparent from now on? Has Coalfire changed their process at all based on this incident to sort of go one layer up in terms of letting everyone know what’s happening and preventing these sort of incidents?
[00:32:56] GD: It’s just like you’re never going to have an environment that’s 100% secure. There’s an inherent risk that comes with – Especially physical red team engagements.
[00:33:03] CS: Oh yeah.
[00:33:04] JW: And you’re never going to get rid of that. I mean, it’s good for the testers to be aware. Gary and I both know it’s a very real possibility that we could be arrested on the job or potentially shot. I think the chances of that are almost minimal based on our training and how we encounter and approach with law enforcement in those scenarios. Experience is absolutely key. But as far as Coalfire and process changing, it’s coming up on a year, and we’re still working on changing some paperwork and getting some other things moving. But finally, now, we have a dedicated taskforce towards this and we’re trying to get community involvement to either get some laws and the books change. So I think that’s a great way to speak to the politicians and speak their language and just like you have a safe harbor law or a good Samaritan law. We need something similar for red teamers. And while we may not prevent an arrest like in a situation like this, it may give us more recourse down the road to have charges immediately dropped or just walk away from things cleanly without dragging out for six months like it did.
So work is being done. I know Chloe Messdaghi does a lot of work in this arena too. So we’re trying to partner up with some key thought leaders around the industry and make positive change both internally and, yeah, at the legal state and federal level.
[00:34:14] CS: I know that in some of the articles that reported the story that Coalfire’s CEO, Tom McAndrew, was praised for not hanging you guys out to dry or distancing himself from you in the controversy, which implies to me that other companies might not have been so understanding and might have hung you up to dry. So would that be a common response? If you’re going to work as a red teamer, are there things in your contract that you need to be watching out for? Sort of you’re on your clause in there, or something like that?
[00:34:43] GD: Well, the unfortunate things about contracts is it doesn’t really matters what’s in the contract. Come to that crossroads, and if you’re CEO with less of a spine than Tom has and legal says leave them in there, like ours did. The next CEO might just say, “Okay.” This is a terrible thing to say, but legally, it’s not necessarily the wrong thing to do, right? You don’t know what your pen testers did. You don’t know if they actually did something wrong.
So leave them in there until we find out what they did wrong, because we don’t want to hitch our cart to that horse just in case it’s the wrong horse type of thing. Fortunately, for us, Tom’s known us for a very long time and we are pretty good at what we do. And so Tom was hedging his bets that we didn’t do anything wrong, that he’s seen enough of us. He’s seen enough of our work to know that we don’t do things that would involve us getting arrested when we’re on the job.
So that was good on him for having the wherewithal to say, “Finally, an attorney who says bail them out,” and then walked away, which was the favorite part of my story – Or favorite part of this entire story is when Tom said that to the executives.
[00:36:04] JW: It’s a great tabletop exercise for employees to run through with their employer, “Hey, what’s going to happen if anything like this did happen?” Or I’m at a scope because a client gave me a wrong ID and I have authorities knocking at my door. What is the company going to do for me in this situation?
Absolutely, review your contracts, tabletop exercises with your employer. And then Dave Kennedy’s TrustedSec open sourced a lot of their documents, especially pertaining to physical penetration testing. Review those and see kind of what protections they have in place and then see if you can get your legal teams to adapt some of those as well.
[00:36:33] GD: And really what it’s going to do, it’s going to protect you after the fact. So even they decide to leave you in jail, the recourse you’re going to have later is a civil suit against your company for not doing what they said that they were going to do in the contract. But as far as making sure that they’re going to bail you out, hey, that’s the one thing you want to make sure. Make sure you’re working for the company and the right people.
[00:36:52] CS: Okay. I want to sort of jump sideways a little bit. If you don’t have an opinion on this, this is fine, but there’s something else that I read in the news that sort of speaks to a greater issue between the courthouse and this other story. But the company Talkspace, there was a security searcher named John Jackson who found an apparent bug in the company’s sign up function that allowed them to get a free membership without vetting whether or not he qualified. It’s an insurance thing for a psychiatry website.
The bug discovery was rejected by Talkspace says it’s not real, and then sent him a legal threat for pointing it out. So I’m wondering if things like bug bounty programs and aggressive pen testing methods are often finding these issues that companies don’t like to think about. Is there anything to be done to help organizations like this accept responsibility or at least just always going to be – There’s just going to be people who don’t get it.
[00:37:47] JW: It’s a very real issue that hackers have been fighting since the dawn of hacking. For decades, this has been going on. I would really here point to disclose.io and a lot of Chloe Messdaghi’s work. She’s working on an initiative to have companies adapt these type of programs where they accept bug bounties and have matured those companies. So she has all sorts of stats. I think it’s like 60% of vulnerabilities that hackers identify in a bug bounty type situation. Don’t report it, because maybe they were slightly out of scope or the company wasn’t receptive or didn’t have a bug bounty program, whatsoever. And she’s a great person to work with and work through to accomplish that change, whether it’s at that company in particular, or to try to disclose vulnerabilities in a responsible manner.
[00:38:27] GD: Yeah. And part of the issues with bug bounties that at least I’m personally saying recently, is that companies are doing the bait and switch. They say, “Oh yeah, if you find anything, it’s good to go. Just let us know.” And then you come by and you’re like, “Hey, check this out.” They’re like, “No, that doesn’t count.” And they’re doing that a lot lately, a lot, “Oh, that doesn’t count.” “Oh, that doesn’t count.”
[00:38:48] CS: Yeah, don’t look over there. Yeah.
[00:38:49] GD: Yeah. And then they take this information and they will typically go back and they’ll fix it, but they won’t reward the pen tester that turned around and found it. And there is a huge sloth of the population as far as bug bounty hunters, if you will, that aren’t doing anything more. They’re just like, “No.” Because every time I turn on a bug, every time I show something, they say it doesn’t count. You’re like, “It’s specifically right here in your rule set that says this is what you’re looking for. You’re looking for cross-site scripting. I found cross=site scripting.” “Oh, yes. But that’s reflective.” It’s still cross-site scripting. What are you doing?” And then they don’t pay them. Yeah, there’s a lot of people – And it’s dangerous to do that. They think they’re going to get free stuff, and I guess they think that hackers are dumb, and it’s the exact opposite. But lots of companies have been doing that lately, and it’s the wrong thing to do.
[00:39:40] CS: Yeah. It makes you look bad. So I want to talk – We’re sort of wrapping up here a little bit, but in terms of hiring people as red teamers or a part of your team and stuff, can you sort of speak about some of the ethical and social issues that cybersecurity pros looking to get into red teaming need to keep in mind? Because I think this can be a very sort of exciting and glamorous sounding thing, and you do have that sort of like once we’re in, we’re on our own, and we got to take care, whatever.
But I’ve talked to enough red team leaders to know that none of them are terribly fond of loose cannons on their team either. So what are some things that like potential new comers need to know so that they don’t go too sort of wild style on these sort of operations?
[00:40:23] GD: You’re there to do a job. And just like the people that you’re testing, you’re supposed to have rules. You’re supposed to have some sort of SOP that you abide by. And as a social engineer, the people that you want to go after are the ones that are going to bend or break the rules. This is our policy, but – And then we’ve got them. As soon as they break from policy, then you got them. And especially as a physical pen tester, you’ve got to say within the policy that you’ve got set for through the rules of engagement, through the customers, through your company. You can’t break those at all.
The other part of that is you have to be able to a sociopath with an on/off switch. That’s the simplest way that I can put it. Literally, it is our job to walk up to somebody and manipulate them like there is no tomorrow, and you have to do it with an absolute clear conscience. You can’t feel bad about it. And you’ve got to take advantage of that person’s – Something that is innately great and wonderful about that person and twist it and use it as a weapon against them to destroy whatever it is that they’ve got in front of them in order to get the goods, right? But you’ve got to be able to turn off that. And if anything else, that’s the thing that you do not want on your team, is the guy that can’t turn it off for a girl, that can’t turn it off. That’s a huge thing, because people will use their superpowers later when they shouldn’t be using them, and you don’t want those people on your team either. You’ve got to be able to turn it on and off and you got to be able to do it and look somebody in the eye and straight up lie to them and then turn around and shut it off and go back to them and say, “I’m sorry. I promise you, this is for your own good and this is why,” and be able to sit down and have a conversation, but you got to stay with the rules of engagement. But I know Justin has something else.
[00:42:20] JW: I just say, yeah, it’s up to our red team leads to kind of identify the personal dynamics of their team and then for new comers to just listen and be aware of that. It’s not Oceans 11 and you can’t do active shooter threats or the pull the alarm. I mean, rules of engagement, sometimes there’s a time and a place for it, but typically not in destructive entry, things like that. So it’s really about the team lead knowing the team dynamics and getting a good feel for that candidate before he’s brought out in a live exercise, which is another very reason to the point we’re making earlier. Going on in a blue team manner and assessing things in that way. Then you can have somebody on site and see kind of how they interact with customers and what their thought process is. So there should be a thorough vetting process to it. But at the same time, you don’t want to limit it so much that we’re not doing this type of work. Because just like bug bounties, it’s a really big issue, that on a global scale, the United States is falling so far behind, because we can’t do this type of work. Too much red tape and are hands are bound and we’re proactively using the state of security in our country.
[00:43:17] CS: Okay. Can you talk about that a little bit? What are some of the red tape issues that are a problem right now?
[00:43:23] JW: Well, I mean, just going back to bug bounties. If people, 60% of them aren’t disclosing vulnerabilities. Maybe they’re taking that and selling that to other government agencies or other malicious entities that may use that for a nefarious act instead of getting with the company and telling them, “Here’s your issue, and that this is how you can fix it.” And if that company comes back and says, “One, it doesn’t exist. But two, we’re going to sue you for showing that this existed, but we’re denying it.” Nobody wins in that situation. So long reform needs to take place, and we’re still, again, fighting that fight that’s been going on for decades.
[00:43:55] GD: Of course, we’ve got the example from Iowa, right? If we want to pull from something, you’ve got a bunch of legislation that was passed from people who have no idea about pen testing or red teaming for that matter. And then they go out and they hire a third-part, which was a law firm to give them advice on it. So you’ve got people that have known experience hiring somebody with less experience that they have giving them advice on what they should do about something that no one has any experience on. Yup, that’s how they’re passing laws.
[00:44:27] JW: From a legal point of view, which is like almost the exact opposite of red teaming, like you need to be able to bend the rules to find these vulnerabilities. I mean, you’re not going to find out that you can plant 500 pounds of explosives near Air Force 1 if you’re trying to approach that in a legal standpoint, right? So that’s realigning those perceptions.
[00:44:44] CS: This was a blast, and I want to wrap up a little bit and send you guys on your way. But what are your current plans and activities? Do you have any projects that you can talk about at the moment?
[00:44:57] JW: We’re full scope testers. A lot of our work is virtual, and especially right now, quarantine, everything that’s going on. We’re not really on site. Hopefully do have some fun engagements coming up where we can those white list of walkthrough physical assessments on school districts, which would be a great time to assess like 5 different schools. Yeah, it’s business normal. The majority of our job is virtual testing, my job anyways. Gary is in a little bit different role being a manager. Yup, kind of business as usual just from the virtual front.
[00:45:26] GD: We’re starting to make more of a push in kind of the essential worker section, right? So things like the banks and areas like that, financial, where they’re going to be open and you’ve got employees there is doing those white listed walkthroughs and trying to teach some of those essential workers some anti-social engineering techniques. The unfortunate truth when you have situation kind of like we have with the ongoing pandemic, is there’s a lot of people that are out of work, which means there are a lot of people that haven’t had money in a long time and then that translates with a lot of people that are desperate. And that’s a lot of what we do is mimicking desperate people and never confuse desperate with unintelligent. You get some person who hasn’t had money or hasn’t had a job for 4 or 5 months, they’ve got a family and they’re trying to feed them, and you’d be amazed at what they can find on YouTube. You can pretty much find your way through YouTube in and of itself especially just with some of the stuff that – And this is a knock on Deviant, whatsoever, or even Drew Porter, some of the things that they have out there and the stuff that they say brilliant stuff.
But if a semi-intelligent person watches that and practices it at home, because they’re desperate enough to try to do something dumb because they don’t have any other choice, there are a lot of damage that they can do. So that’s kind of the mindset that we’re taking right now, is to teach people the techniques that somebody like that might be able to do or accomplish and showing them, number one, how it starts up, what to look for and how to defend against it.
[00:47:09] CS: So one last question here. If people want to know more about either of you or about Coalfire, where they can go online?
[00:47:17] JW: I think we’re both pretty active on Twitter or LinkedIn. Gary is Ainchant, red team wins, coalfire.com. And then if you want to get involved with the protecting ethical hacker initiative, I think that’s coalfire.com/protectingattackethicalattackhackers. So you can get signed up with that petition and then get involved in that work group.
[00:47:35] CS: Okay. Could you talk about the petition a little bit?
[00:47:37] JW: Yeah. So that came after our Black Hat talk. It’s something that we’re launching, again, to try to get those safe harbor or good Samaritan laws on the books. We’re really formulating how we want to approach that. And right now it’s looking like we want to approach individual states, the state level, to try to enact these types of changes. Federal level, it could take 3 to 5 years to get the laws that we’re looking passed actually enacted. So yeah, it’s open to everybody. If anybody has insight or you’re just curious and want to hear kind of where things are shaping up, that’s the place to be.
[00:48:07] CS: That’s great. All right. Well, Gary, Justin, thank you so much today for joining me and sharing your thoughts and insights.
[00:48:13] JW: Yeah, thanks you very much, Chris.
[00:48:14] GD: Do you mind if I give a shout out real quick to our VP, Mike Webber? We’ve been doing these talks and we’ve been talking a lot about stuff, and the thing that we, I don’t want to say we necessarily forgot, but we did not mention was our VP of labs, Mike Webber the time right after we got arrested. He was an amazing advocate for us within Coalfire itself. He was moving mountains and he was yelling at people and he was trying to get stuff done for us internally. And unfortunately, that part has never come up what internally was happening at Coalfire after the arrest. So we’ve never really had a chance to bring up his name. But yeah, he was amazing and he fought for us, and it was great. Unfortunately, we’ve never been able to say thank you outwardly so people knew what at amazing VP that Mike Webber was. But yes, thanks Chris. Appreciate being able to say thanks for that.
[00:49:07] CS: Great. Yeah, shout out to Mike. That’s awesome. Yeah, thank you both for your time and thank you all for listening and watching today. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcast. Just search Cyber Work with Infosec in your podcast catcher of choice. And if you are on one of the big ones, iTunes, Stitcher, etc., a rating and review would be very appreciated.
As mentioned in the video at the top of the show, we want to hear from you about what you want to see more of on the show. So please go to www.infosecinstitute.com/survey and you’ll find a short set of questions about your listening habits and interests. If you take the survey, you’ll be eligible to win $100 Amazon gift card. That’s www.infosecinstitute.com/survey.
Thank you once again to Gary Demercurio and Justin Wynn, and thank you all again for watching and listening. We will speak to you next week