Keynote

BSides Lancashire · 22:11 · 122 views · Published 2023-04
Tags: Style: Keynote

About this talk

Speaker: @HollyGraceful. Holly Grace has sixteen years of experience working within cybersecurity, with a focus on penetration testing and cybersecurity consultancy. Holly Grace has been a CREST Certified Application Tester since 2015 and has professional software development experience in Python and Rust, including taking software products to market. She has strong experience in building and securing cloud environments, with a focus on AWS and Azure. She has performed a significant number of penetration testing engagements for a wide range of companies from innovative start-ups to multinational corporations, in fields ranging from e-commerce to banking. Disclaimer: some of the content shared in these recordings may have strong language and not be suitable for an audience under 18 years old.

Transcript [en]

Thank you, everybody. I've been asked to do an upbeat talk to get you in the mood for BSides Lancashire, to do something thematically relevant to the talks, to get everybody ready to go. I noticed today there's a number of talks on artificial intelligence, so I thought I'll give you my opinion about artificial intelligence, and I'll be as upbeat as I can about this topic, but that's how it's going. I also noticed something during the introduction: that there's going to be a session with the recruiters, who were described as being "fenced off", so that was something I noted. But no, I'm going to talk a little bit about AI. I've only got 20 minutes, and I'm going to basically do what I do for all of my talks, for anyone who's seen me talk before: I'm going to rant about things that people have said to me recently that have annoyed me. So here we go.

I did want to, mainly because it's a bit of a cop-out and mainly because it's thematically relevant, get GPT-4 to write this entire presentation for me. But as you heard, it's not that good, is it? It is useful in several ways, and I'll give some examples of what is useful, but I did put into GPT-4 "who is Holly Grace Williams", and I was amazed by the first line of output, which effectively started "Holly Grace Williams is a British cyber security researcher", and I was like, whoa, AI knows who I am, what the hell. And it says "specialising in the area of threat intelligence", and I was like, not quite, I'm a pen tester. And as it went down it just started giving me accolades that I didn't win or anything, so it said I was one of the Forbes 30 under 30, and a small part of me went "was I?", and I had to check, and it wasn't. So that is the thing I want to talk about here: it's not that it's getting it better, it's that it's not getting it. What I'm talking about is that things like AI are useful tools, so I'll give you some examples of how I use them in my work, to hopefully inspire some people to play around with these things.

But yeah, I saw a meme, I don't know, it was a comic on Twitter that was talking about how somebody had a one-line email to send but they used ChatGPT to pad it out a bit, and they sent it to somebody who didn't want to read all of that text, who gave it to GPT-4 to summarise. So there's some good uses, but it's not great.

For those who haven't seen me talk before and don't understand that, no, I'm not in the Forbes 30 under 30. My name's Holly Grace Williams, I'm a penetration tester, I break into computers for a living. Let me talk a little bit about that fantastic stuff and how AI impacts that. One of the funny things that has actually changed recently is that a few years ago it was not uncommon for people to say, not this exact phrase, but, you know, "do you think AI is going to take you out of a job?" This might seem a bit silly now to people here, but I've been on panels that have been recorded where this essentially was one of the questions: do you think AI will put you out of the job within the next five years? Which is fascinating to me, because very recently we've had some very public AI platforms that massively jump forward the capability of just off-the-shelf AI, and people have stopped saying this to me. So that's unusual. But do I think AI will put me out of a job soon? Well, I've prepared a presentation for you using AI, and what I've done is I've taken the slides that I've put together and replaced them all with AI-generated slides. I redid the images, they're AI-generated, so we'll see how that goes.

Some people might know that Akimbo Core, my company's mascot, is a pangolin. You might not know that AI, this is DALL-E, DALL-E 2 that we're using with this, only has a very tangential understanding of what a pangolin is. So when we asked it to generate a mascot for us, this is the best that it did. I think it took me 15 or so goes with DALL-E to get it to something where I'm like, that's a pretty good image, I can take that. It started at Eldritch horror. Well, I don't know, maybe people have seen one of the ways at the moment, no doubt they'll train this out, of detecting if an image is AI-generated or not: AI's not very good at generating hands. So if you see, for example, there's a photograph put online saying "Elon Musk has been hanging around with AOC, oh look at this, isn't this interesting", and if you look at them supposedly holding hands, there's far too many fingers involved, one of them's got at least seven fingers. At the moment that's a quick way of detecting AI images. It's not very good at generating jewellery, it's not very good at generating hands and those kinds of things. All pangolins. They were terrifying, but don't worry.

So I wanted to do a talk about how AI is going to impact my career and answer that question of will AI put me out of the job in the next few years. So I asked AI, "how will AI affect the field of penetration testing in the next years?", and it says AI developments will have a significant impact on the field of penetration testing, penetration testing being the practice of testing computer systems, networks, applications to identify vulnerabilities that could be exploited by hackers, and AI will change where and how penetration testing is done in several ways: automating some tasks, enhancing testing capability, increasing efficiency, changing the skill set required. I was like, it's quite a good answer, but it also strikes me as four paragraphs of not really saying a lot. It's like, how will AI change things? Well, things will change with AI. So it did come up with the kind of answer that I was going to put. I do think it's true that AI will enhance testing capabilities and it'll automate some tasks. Do I think AI is going to replace me? No. I'm going to answer that in a couple of ways. I'm going to talk in a second about the creativity of pen testing and how awesome I am as a pen tester and how no artificial system could ever achieve this, but also I'm going to talk a little bit about just the realistic side of cyber security. Sometimes when we come to events like this our impression of where our industry is as a whole is maybe distorted a little bit, because there's going to be some very intelligent students giving some very high-level talks, very good detailed talks on what's coming next, and what I actually deal with day to day is a little bit different.

So some of you might have heard of a vulnerability called SQL injection, which I've put down here as first released on Christmas Day of 1998 in Phrack magazine number 65. It's not really, of course; for somebody to write an e-zine article about a vulnerability it must be known about already. It's been around since about 1998, making it like a 25-year-old vulnerability. Do the maths in your head, Holly, in front of a crowd. It's an old vulnerability, and I want to say it's a high-impact vulnerability, because the vulnerability that led to the TalkTalk breach, that's the one that everybody goes to. I actually think the hack against the Illinois State Board of Elections in 2016 is a better example, but we do like laughing at companies when they get breached, so TalkTalk's on the slide. Point being: ancient vulnerability. I can tell by looking at some of you in this room that this vulnerability is older than you. [Music] When was the last time I found SQL injection on a pen test? Friday. [Laughter]

So yes, AI is going to be fantastic, and we've already seen some tooling coming out, in particular on the defensive side of things, looking at things that machine learning is good at, and normally detection, those kinds of things, just pointing out stuff like, hey, this is weird, this user did a weird thing that this user doesn't usually do, can a human look at this? Anomaly detection on the defensive side of things, AI is really good. But if you think that pen testers are going to be out of a job soon, no, no, we're not, because of course even though this tooling is available, even though it's very accessible at the moment, there's still an awful lot of companies out there struggling, for whatever reason, be it lack of resources, be it a lack of team size, not enough people, no money, what have you. We're not as far along as an industry as we think we are, or I wouldn't have to keep writing the same pen test report about SQL injection. To be clear, I see people thinking about getting into pen testing, thinking, oh man, I get to develop AI systems, that's really cool, and then you see this, and it's still just SQL injection. I'm not saying that I find it a lot, I'm not saying that I find it very often, but I do occasionally find it, and it just so happened that I found it on Friday, which is very funny to me.

So for me, what is AI and how is it going to impact these things, and where do I use it as a pen tester? Well, really it's just new tooling, and it's going to help us start building additional capabilities, and as ChatGPT says, enhancing some testing capabilities and automating some tasks. It's a really humble way for the AI to describe itself, but I'll give you a couple of examples in a second as to how I've used it. One more rant, though, before I get on to that, and this is the way that we talk about information security in general. I did tell you this presentation would be made up of things that people have said to me that annoy me, so here's the second of those. I often hear people say things like, oh, it's back, the pangolin terrifies me, "the chain is only as strong as the weakest link". What we're often talking about here is this idea on the defensive side of things that if there's any individual system that is flawed in anything, there can be a problem there. But one of the developments recently is we're starting to see people talk about the attack chain, starting to see people talk about the stages that pen testers or cyber criminals go through when delivering a penetration test, and I'll put up some examples in a second.

One of the things that perplexes me is how organisations often talk about breaches and things like that as if it was a single event, hearing people say things like "our ransomware attack". I'm quite vocal in the fact that I don't think there's such a thing as a ransomware attack; ransomware is a payload. If you think about the stages that I go through on a pen test, where I have written at the bottom "Capture the Flag", if you want to change this to the stages that a cyber criminal goes through instead, just change where it says Capture the Flag to money laundering and then it's roughly the same, or destroy the evidence, or whatever you want to finish with. But to go through these stages, and this is a pretty typical pen test for me, this is the infrastructure side of tests, so if I'm going to plug into a network and see how far I can get, or if I'm going to compromise and then use a device through a phishing attack, I'm going to go through general stages like network mapping, compromising user accounts, propagation across the destination network, those kinds of things.

To change it from these kinds of high-level titles to an example of the kind of thing that I do, these are generally the stages that I would go through for what I would describe as baby's first pen test. So this is like if a company don't have vulnerability scanning, don't have vulnerability management, those kinds of things, they're just like, well, we're big enough now that we think we should have a pen test, can you come in and hack us? I'm going to hack them in exactly three minutes, and I'm going to do it using Responder. Any of the pen testers in the room are like, yeah, you just go and it hacks the company, it's brilliant. But these are roughly the stages. Perform an interception attack; that could be through something like Responder, it could be through something like SMB relay, or through an IPv6 routing attack or something like that. Capture some credentials, usually through something like NTLM, that's file transfer on Windows. I'll probably find a bad implementation of the principle of least privilege, so users probably have administrative privileges somewhere; very often, for example, I see web developers have local admin of their own machines so they can install tools or local dev services, those kinds of things. You've probably got reused local admin passwords, so I propagate across the network, find a domain admin who's logged in where he shouldn't be, steal that hash, and I'm a domain admin.

So we go through these stages with companies, and what I like to do is present in the report: these are the stages that I've gone through, and these are effectively the places in which you can slow me down or stop me. So when it comes to things like name resolution and those kinds of things, hey, you turn off multicast name resolution. We could go through each step of this; there'll be something that you can do. Hey, I'm doing SMB relay attacks, that's the second line here, you should turn on SMB signing. What I'm trying to do is implement this idea of defence in depth, right? This is the stuff that I did, and here's, at every stage, where you could have either prevented me, slowed me down, or increased your detection. I show this to a customer in a fancy pen test report that I've written for them, and they go, oh damn, users picking weak passwords, you cracked a password hash, didn't you? Oh God, what was it, was it Finance1 with a capital F? Yeah, it was, actually. Ah, it's all the user's fault. This might surprise some people: if you don't play around directly with pen testing in those companies, very often when they talk about weak passwords it's like, really? We've solved weak passwords, with multi-factor authentication and long password lengths and guidance on three random words and things like that. And again, just like SQL injection, I'm not saying every user on the network has a weak password, but I find it pretty much every time: someone somewhere will have a weak password.

I mentioned at the beginning, actually, as the founding team were talking at the front, last week I hacked a CCTV system in a lecture theatre like this, but a private one in a conference space. admin/admin, because of course it was. And the reason I was reminded of that is, just before I started, I had a little bit of nervous energy getting ready to give my talk, and that was what I saw, and I logged into their remote access, the recordings of previous talks, there's another speaker before, dancing. So yeah, we still see weak passwords and stuff like that. So one of the things that I'm getting at here is, of course, you think we need AI when I'm still hacking FTSE 250s with Finance1 with a capital F? I don't think it was FTSE 250, but they measure their revenue in billions, so it's a big company that I hacked.

And of course the point, when I show you a methodology like this, is it's not one thing, there's a series of things. Don't think about security as "oh, we just need to break this chain in the attack chain", because if I don't get all the way to domain admin, I just get that low-privilege user, or I just crack a finance user or something, there's probably a whole bunch of awful stuff that I can do to your network. Pen testing shouldn't be getting to domain admin, even though most pen testers do that and then feel like we're finished. It's demonstrating impact to the organisation, and generally you don't need to go the whole way through the chain to do that.

Another thing is, very often reports are written, and those reports are very good at sharing information that might be useful to organisations in protecting themselves, but sometimes that data can be misinterpreted. So this is from the Verizon breach report 2022, which I've terribly not cited on the slide, the Verizon data breach report 2022, and it says the human element continues to drive data breaches; this year 82% of breaches involved the human element, and it gives examples of what they mean by that: use of stolen credentials, phishing, misuse, or simple error. That could be, I was looking at some healthcare breaches which were just basically staff members in the NHS sending files to the wrong person and stuff like that. Still a data breach, still a human involved, somebody made a mistake. And I think the problem with this is very often we hyper-focus on this, and we go, if we can just solve passwords, because these people keep choosing weak passwords. But it's not actually, in my interpretation, what this statistic is saying. It's saying the breach involved credentials, right? So we stole the credentials, cracked them. It's not saying the whole thing happened because that guy picked a bad password; it was one aspect of the attack chain. So when we think about networks and those kinds of things, we need to think about breaking the attack chain at every step, not just one of those things.

And then finally, when we think, as security testers, as penetration testers, how can we implement AI into these things, we shouldn't be thinking about how do I write a GPT-4 that is just a pen tester, like, just get the chatbot and then hook nmap into it or something like that. It doesn't have to be. It could be throughout this methodology, these steps that we take that I've talked about throughout this presentation: where can I increase automation? And that's it. Very often when I talk about automation within security testing, people look down on it, and I think some of this does come from pen testers trying to increase their job security, where we say things like, hey, can we use more automation in pen testing, and then you'll hear a pen tester talk about how vulnerability scanners are nowhere near as good as humans and things like that, because they can't contextualise vulnerabilities, they probably can't chain vulnerabilities, and those kinds of things. And that's true, but automation is bigger as a field than just click-go in a scanner. So for example, not an AI example but just an example of where we use automation: brute-forcing passwords. Do you think when I'm brute-forcing passwords and I guess that admin/admin, I sat at the login box and typed admin, password, no, no, admin, password1, no? I automated it, of course I did. So when we're looking at automation, that can be many, many different things throughout the process.

One of the things that we're working on at the moment at Akimbo is automating interacting with your vulnerability information, so on our vulnerability management platform, to have natural language processing so you can ask our platform about your vulnerability data. So you can log into the platform and go, "have any more high-impact vulnerabilities been found?", and for the platform to be able to answer that question, or "can you show me a graph of the missing patches in our system?" That's the kind of thing that we're working on. It's automation, it's helping people out, and also, in part, on our vulnerability management platform, when I'm doing a pen test against an organisation and adding vulnerabilities to our platform, I very often realise that customers log in for about six seconds, and I think that's because there's a pen test going on and they're logging in to see if I found anything or not. So having a system that you can ask specific questions of is going to be useful, and that is automation, but it's not automation to replace the whole pen tester, and it's not click-and-go in a vulnerability scanner. So there's a lot of ways to say that AI doesn't have to replace a human to be useful; it's just another tool in the toolbox, and we should be looking to implement that throughout. Of course, this is fantastic. Focus, if you're not a pen tester, whatever field you work in: break those tasks down and see where AI can benefit you. So aside from the natural language processing, or asking questions about vulnerability information, I wanted to give you one more example of where we've had just really good success of just finding a machine learning problem, and just before I
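The per-stage controls the talk lists (turn off multicast name resolution, require SMB signing, no unnecessary local admin) as a single-host audit in the report layout she describes: stage, control, pass/fail, fix. This is an added example, not code from the talk or her company; it assumes an elevated PowerShell 5.1+ session on a Windows host and uses only standard Windows registry paths and cmdlets.

```powershell
# Added example (not the speaker's code): audit one Windows host for the
# controls that break each stage of the talk's "baby's first pen test" chain.
# Run in an elevated PowerShell 5.1+ session on the host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent = not configured
}

function New-Check {
    param([string]$Stage, [string]$Control, [bool]$Pass, [string]$Fix)
    [pscustomobject]@{ Stage = $Stage; Control = $Control; Pass = $Pass; Fix = $Fix }
}

function Test-AttackChainControls {
    $checks = @()

    # Stage 1: interception (Responder-style poisoning of LLMNR / NBT-NS).
    # LLMNR is off only when the policy value EnableMulticast is 0.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $checks += New-Check 'Interception' 'LLMNR disabled' ($llmnr -eq 0) `
        'GPO: Computer > Admin Templates > Network > DNS Client > Turn off multicast name resolution'

    # NetBIOS over TCP/IP: NetbiosOptions 2 = disabled, set per interface.
    $nbt = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
             ForEach-Object { Get-RegValue $_.PSPath 'NetbiosOptions' })
    $nbtOff = ($nbt.Count -gt 0) -and (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
    $checks += New-Check 'Interception' 'NetBIOS over TCP/IP disabled on every interface' $nbtOff `
        'Set NetbiosOptions=2 on each Tcpip_* interface (adapter WINS tab or DHCP option)'

    # Stage 2: SMB relay of captured NTLM. Relay fails when signing is
    # required both on the server receiving the relay and on the client.
    $srv = (Get-SmbServerConfiguration).RequireSecuritySignature
    $cli = (Get-SmbClientConfiguration).RequireSecuritySignature
    $checks += New-Check 'SMB relay' 'SMB server signing required' $srv `
        'Set-SmbServerConfiguration -RequireSecuritySignature $true'
    $checks += New-Check 'SMB relay' 'SMB client signing required' $cli `
        'Set-SmbClientConfiguration -RequireSecuritySignature $true'

    # Stage 3: least privilege. Any user account in local Administrators other
    # than the built-in one is the "developer has local admin" case.
    try {
        $extra = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                   Where-Object { $_.ObjectClass -eq 'User' -and
                                  $_.Name -ne "$env:COMPUTERNAME\Administrator" })
    } catch { $extra = @([pscustomobject]@{ Name = '<lookup failed>' }) }
    $fix = if ($extra.Count) { 'Review: ' + ($extra.Name -join ', ') } else { '' }
    $checks += New-Check 'Privilege escalation' 'No extra user accounts in local Administrators' `
        ($extra.Count -eq 0) $fix

    return $checks
}

Test-AttackChainControls | Format-Table Stage, Control, Pass, Fix -AutoSize -Wrap
```

Reused local admin passwords, the stage that lets the tester propagate, are not checked here because that needs a view across several hosts rather than one.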