From Builder To Breaker

BSides Manchester · 2019 · 18:55 · 153 views · Published 2019-09
About this talk
A software developer's journey from enterprise software work into offensive security. Gavin Johnson-Lynn shares how he transitioned careers by pursuing certifications, building security expertise, and eventually joining a red team, then recounts practical red-teaming projects including ID card cloning and hardware implant development.
Transcript

My name's Gavin Johnson-Lynn. This is my presentation, From Builder to Breaker. So, a quick introduction to myself: who am I? Currently I work as an offensive security specialist at Sage. Sage is a company that writes accounting software; it's a FTSE 100 company. I've been a software developer for a very long time, a career spanning about 20 years professionally as a software developer. The last... I've also been working at Sage. Before I worked at Sage, security wasn't a very big factor in the software development that I did. As I could see it became more important, I started doing a lot more security. I support local security groups, (ISC)², OWASP; I always try to attend.

I very much tried to work smart all the time, so I tried to find ways to be more efficient. And I'm a total impostor. Certainly as a software developer I always felt like an impostor. People used to say I was a pretty good software developer, but I was never quite sure that I believed them. So, a quick note on the presentation: it's kind of split into two pieces. The first part is how I got onto a red team, and the second part is a few of the interesting things I've done since I've been on a red team. As a software developer I felt like I'd hit kind of a roadblock. So, as I say, I'd been a developer for a long time. I wanted

something different. Certainly as a software developer I didn't just do software development. I like to understand the areas around it. I like to try to look at improving testing and improving user interfaces, learning patterns, thinking about architecture, DevOps, that sort of thing. So I like to understand the areas around it, but none of those really did it for me that much. I wanted something new, something exciting. At the time I thought, changing direction, I want to be a software architect. And so software architect is kind of a natural progression from a software developer: a lot of the same skills, it's kind of a high-level job, there are much less, far

fewer software architects out there, and it's a bit more interesting; you tend to get to do more interesting things. I dare say I wanted more money as well. So I thought, how do I get these things? Usually when you work for a business you tend to get pushed in a direction by the business, maybe not intentionally, but you work, they want you to do certain languages, they want you to build things in a certain way. If they decide to change the language they're using on a project, then you kind of have to learn that language and go in that direction. That wasn't really what I wanted. I wanted to choose, find my own direction. I wanted to

be very clear on my own direction. So I thought, I need some goals to help me do this. So, January 2017, I made a plan. Obviously I was still working as a software developer, so I continued my day job. I decided to stop working on the improvement of the software developer side and work on other things that would move me towards being a software architect. I wanted to sprinkle some security in there. It looks like there's a lot for a sprinkle of security. Really, the security aspect was because, to be a software architect, certainly where I work, there's a security requirement: you need to know a reasonable amount about security, you need to run threat modeling sessions, you

need to understand security implications, both on a software development side and kind of a DevOps side, and all that sort of stuff. So it would be useful to get me there, to understand a lot about security. So to do that I wanted to start going to OWASP sessions, (ISC)² sessions. There's a certification called CSSLP, which is the Certified Secure Software Lifecycle Professional. So that's very much aimed at the software development lifecycle and putting security in there, so obviously that linked in quite well with what I was doing. So it was elements of software development, software architecture, that sort of thing, but lots of security in it. Also, where I work there are

security champions. So in software development teams they have software developers, software testers and software architects. You'll often take on the role of a security champion for a project, and this means that they're essentially pushing security for the software that we're writing on that team. So I wanted to take a market at four and become a security champion. On the software architect side, it's very difficult to get a job unless you've got experience doing the job, but it's difficult to get experience doing the job unless you've got the job. So I set about trying to get some experience and thought, how do I do that? So I talked to a few people and they said... so I

asked, and they said yes, we will give you some work as a software architect, which kind of stunned me: it was that simple, I just had to ask. Okay, so I got some interesting projects on the software architect side. I got to do a piece around blockchain, which was very universal, and also blockchain's got elements of security in it, so that was really useful towards the security objective as well. So what did I learn from all that? Obviously there was a lot of food in there. So I learned a lot of security. I'd gone from a point where I was working as a software developer on a payment-based project, so it had some security in name,

but I was by no means doing lots of security work all the time, and went from that to actually, hey, I don't want to say I know lots about security. I think there are obviously lots of people who know a lot more about security than I do, but certainly from where I'd been, I knew a lot more about security. I also looked at different ways of learning, so this is part of the kind of working smarter stuff that I did. So I tried to look at different ways of being better at learning things. One of those, in the top left there, is Anki, so that's kind of a spaced repetition tool. It helps you learn by repeating things at different

intervals to try and get them into your brain. I tried using different mediums, so I was reading books on the subject, I was using things like Pluralsight, Cybrary, which are video based. Pluralsight, I'm a big fan of; that was probably the first kind of online course I did around security, it was on Pluralsight. I also kind of immersed myself in security, really, so even in the car when I was driving to work I listened to podcasts in the car about security. So I was just doing security stuff all the time. Also, in terms of different ways of learning, I was trying to think about more technical ways of getting things into my brain, so I was looking at, they're

purely drawn from Google searches: how do you learn things more quickly? Things like memory palaces, mind palaces, all sorts of different techniques of learning lists of things came up, and that was really useful, and those sorts of things continue to be useful now. One of the big things I learned was, the more security I did, the more I enjoyed it. So I really got to enjoy it, I started to become passionate about security. I was doing more and more, and I think I was just kind of immersed in it, and I was because I liked it. So, a quick note on the certification I did. I started doing revision for it in January 2017, I

passed it in December 2017, so that's kind of a year. Like I said, I'd looked at different methods of study, so that'd be really helpful, not just in terms of security. But I think I put in about an hour a day, and that was something like 350 to 400 hours across a year, which looking at it now makes me think I actually worked really hard on it. I don't think I'd realized that at the time, but that's like ten weeks of full-time work, right? So that worked on putting on certifications. So obviously I'd gone from a point of not actually knowing much about security, and I wanted to get to a point where I

knew lots about it, and how do you get there? The only way that made sense for me was the kind of structure that a certification gives you. So that structure was really useful and really necessary for me, which is why I chose to do the certification. It was also interesting that, by telling people I work with that I was doing this certification, they pushed more security work in my direction. So I was actually getting more experience while I was doing the certification. So I wasn't just getting knowledge, I was getting experience of using that knowledge as well, which was really useful. So, a recap on the timescale: January 2017, I started on the CSSLP; December 2017, I passed it; October 2018,

this time I'd been getting more and more experience at work; more and more kind of security work had been coming my way. Really I was thinking, am I still aiming for software architecture? Maybe I want to be in a security role. So I set myself a different goal. I changed my mind. I told myself I want a pure security role by October 2021. I came to fill in the details of how I was going to get there, and December 2018 came along and I would be advertised a lot of security roles. So I went through this kind of mental roller coaster of: I'd really like one of those jobs, and do I have enough

skills or experience for those jobs? But I'd really like one of those jobs, but really, there's no way I'd get one of those jobs. And I eventually convinced myself to apply for the job and somehow got it. Again, go back to impostor syndrome. So, takeaways I got from this: it was really hard work, I put a lot of effort in, but it was certainly worth the effort. The fact that I enjoyed the subject so much made the hard work worthwhile. Working smart was also really useful to me. Now, yeah, I think I've got skills that I can now use going forwards, and not just security skills. And for me it was a route into the industry. So again, going back to

this: how do you get a job that requires experience without having experience? So I'd been in the dev role, I'd done some security work, I pushed myself to learn more and more, to get the skills and get the experience, and eventually that led to a way into a security job. So, switching to being part of a red team. I've got an L-plate up there. Again, as I say, I've been in the job six months; I am by no means some fantastic pen tester or red teamer. So, just looking at the two sides of the job: we're not 100% red team. In the job I do a lot of pen testing as well. It's interesting to look at the two

sides of pen testing and red teaming and see that they're just totally different parts of the job. So pen testing is a part of the job where, as you like, you can find as many vulnerabilities as you can, and it's more kind of tick boxes: I've tried all these things. And red teaming is very much different. There's a lot of planning to it, there's a lot of thought goes into it, there's a lot of: if we want one way in, what happens if things go wrong? We want to be nice and quiet and not get caught doing things. So it's really interesting to look at the two sides that are very

different parts of the job, but they're also useful to each other. So a lot of the things I'm learning on the pen testing side are very useful on the red teaming side. A lot of the thoughts around the red team work have an impact on how you think about pen testing as well. So it's two very different kind of sides of the same coin, but it's really interesting to be part of that, and it keeps the job really interesting as well. So you're not doing just one job, certainly not doing one thing over and over again. So, on to some of the things that I've done that I've

really enjoyed as part of the job. There was a piece of red teaming work that we wanted to do and we were planning for it, and as part of this work we were planning to tailgate into the building. And you've got to realize, okay, our plan was to tailgate into this building for a number of days. So we were going to be kind of tailgating in, tailgating to lunch, tailgating to the toilet every time you wanted to go to the toilet. The thoughts were, maybe some people are going to start noticing us, maybe people are going to realize we're just tailgating all the time. So how do we get around that? What's a good way to get around that? So I thought,

start cloning ID cards. So, ID cards: the kind of standard card you get just to put on a plate and that opens a door for you. So we started to try to understand what would be involved in cloning an ID card. To do that you need this device, a Proxmark. The first thing we did was look on YouTube and find lots of videos, and most of those videos were: you press the little button, you wave the ID card at it and it's automatic. It's really, really, really not that simple. So over the following weeks I gradually learned more and more about cloning ID cards and started to understand how there were so many different kinds of ID cards. Some of

them had security vulnerabilities, some didn't have any known ones. So really we put a lot of work in and eventually got to a point where we could clone some ID cards. And that kind of moment, when you've put a couple of weeks' work into something, from feeling like you're just banging your head on a wall, not understanding it, to getting there, actually cloning an ID card, was brilliant. That moment you put the card on the door and the light turns green and you can open the door freely. Having said that, on the job we took it on, we couldn't clone the ID cards, but it was interesting. The next thing we did, we

made a hardware implant. So this was a device we could plug into the network to get easy persistence on other networks. All it took was an RJ45 and power, and hopefully we'd be on the network and have some sort of position box on the network. This was made out of a Raspberry Pi. We had 4G connectivity on it, and it really served as a command and control. I quite like this picture because you can see the screws all sticking out. So this is the actual picture of the implant in place, and you can see the screws stick and I hope that came in because you thought that the nature of how we build the tools and just the kind of

it was just interesting that it lets put together later that's what we used that force. When we first put it in the network, the idea is it calls out to a box that we've got on Azure and we can essentially remote into the implant fire review. The first thing that happened was SSH was blocked on the network we were using, so we couldn't get through into it. Luckily we could change that to use HTTPS instead, so we could still get into it. We were using Microsoft Teams for a lot of the kind of messaging we do, and we made it so that this box could talk to us via Microsoft Teams, so that

essentially the first time we connected to the network it sent us a message to say "I've connected", which was... but also other notifications. So we had it giving us a heartbeat, so kind of every couple of hours it would send us a message to say "I'm still alive, I'm still on the network, everything's all right". So that was really useful. And also things like file exfiltration, that sort of thing; it was really useful for that. The last thing I'm looking at: USB Rubber Ducky. I think a lot of people probably already know what a USB Rubber Ducky is. In case you don't, it is a device where you can essentially program it to

type things really quickly. So you have it in your own computer, you tell it what it's going to type, and then you take it to an unlocked workstation, you plug it in, and it types those things really quickly. So you can use it for typing in scripts to execute, or you can get it to download a script off the internet to execute, or you can just do silly things like change people's backgrounds and things like that. So it's a good tool, but that for me wasn't the best bit about this tool. The best bit was actually finding someone to use it on. So a lot of what we do is against systems: it's against the network, it's

against a website, an API, a building, that sort of thing. But this is actually using it against a specific person. So maybe you've seen someone get up and go to the toilet and leave the workstation unlocked, and you've kind of got to think: is anybody looking? I'm going to go, I'm going to plug it in. What if somebody comes back? What happens if their friend comes along and says "what are you doing?" So this was really scary, it was exciting, it felt mischievous. It was a roller coaster, emotional, but by far the most fun thing I've done so far, and I look forward to doing it again. So finally, would I want to be a developer again? Software development's

nowhere near as exciting as this is. Thank you for listening. Any questions?

You mentioned about the light loss that were complete beside us or watching YouTube videos, was that a ski?

That was a lot of variety. So some of it was kind of reading and making notes, some of it was Pluralsight or Cybrary videos. I didn't actually include the kind of podcasts in that. So it was using the kind of spaced repetition tools, so if I was just in a waiting room for something I could use that, just on my phone, and it does kind of flash cards. So yeah, a wide variety of things.

Yeah, that's a good question. I don't think

that I addressed that well enough myself in my own mind. Yeah, I think it's something along the lines of IT support: you report an issue, right, anything. But yeah, that needs more thought, definitely. Yes. Okay, thank you very much.