
All right. Thank you, Delinia, for that introduction. Uh, well, let's go ahead and hop right into it. Uh, my name is Damian Simpson. Uh, I'm a red teamer. Been hacking for, you know, 10 plus years. And um this kind of presentation is going to be more interactive, right? Um I'm going to ask you a question real quick and uh after this. So we're going to start thinking outside the box. We're going to try to change your perspective, think about creative thinking, and try harder. All right. So quick question. Let's think outside the box. How would you fit a whale into a refrigerator? And this is going to be an interactive kind of presentation. I want to hear what you
guys have to say. How would you try to fit a whale into a refrigerator? >> I would cut them up. >> Cut them up. Okay, we're getting a little interesting there. >> Incinerate. >> Incinerate. All right. Try to change the mass. >> Build a bigger refrigerator. >> Build a bigger refrigerator. Okay. >> I would just open it up, put the whale in there, and then close it. >> Okay. So, you're going to switch it up a bit. Interesting. All right. So when you ask that question, a lot of times your brain thinks, okay, hm, that's not really possible, the whale's too big, refrigerator's, you know, it's too small,
it's a silly question to think about, right? But when you really, really dive into it and you start to think differently, I didn't specify the size of the whale, right? I didn't specify the size of the refrigerator. That's up to your own kind of creativity, right? So what we have a tendency to do is to stop ourselves from being creative. It could be potentially a toy whale. You know, I didn't specify that. I just said a whale. And what we do is start to put constraints on our own minds and put ourselves in our own kind of boxes. And this is the same thing when it comes to red team and
hacking. Uh, we take as much information as possible and we just don't take it for face value. We start to question the question. Um, a lot of times I'll talk to a CISO and, um, we'll have a conversation back and forth about worst case scenarios. Um, and when we're building an attack vector, it's kind of outside of the box. A lot of times they're not really thinking about that kind of vector of attack. So, as we start to question a lot of these different types of things, we start to break out of our own conventional thinking because we have a tendency to put constraints on how we're thinking about things, right?
It's so interesting, right? You just want to break out of that box. And how do you do that? By applying and try to gain as much information as possible, but then don't constrain it just to one simple thing. It could just be a simple whale. It could be a toy whale. We can change the size of the refrigerator. We can change the size of the whale. And once you start to think about things in that frame of manner, you start to understand that you can break outside the own box that you put inside of your head. So let's try to change your perspective. Right. Um, so what do we have here? >> Door. >> A door. Okay. Um, so is there anything
wrong with this picture? >> It looks normal. Well, okay. So, we have we have a kind of a keypad here. What? What else? Is there anything wrong with this picture? >> Is it on the inside or are we on the outside? You're
>> bingo. Bingo. Right. So, as you start to think, is there something wrong with this picture? Why are the hinges on the outside of the door? You can literally just pop those hinges out and remove the door. So, it's the same thing with security. A lot of times we think something is safe. We focus on the lock because that's expected. But as you start to kind of move outside of the picture and you start to really visualize what you're trying to attack, they might have the hinges on the outside and just a free win. Okay, let's let's have some more fun on this one. Is there something wrong with this picture? Thank you. Thank you. Thank you.
It's too funny. I I talked to my wife and she's like, I don't see anything wrong with that. It has like a there's like a you know the tablet pad right there. It looks like they have some sort of like camera. But when you when you don't just focus on just the security aspect of it and you zoom out a lot of times you start to see you know your door is actually a ladder. So we're going to do some creative thinking now. Um say you want to attack an organization. Let's just say call it Acme Inc. What are some ways that you would want to attack it or how would you try to attack it?
>> Phishing emails. >> Phishing emails. Okay. >> Get a job there. >> Get a job there. Oh, okay. Now we're getting like deep in. Okay. Anyone else? >> Social engineering. >> Social engineering. Definitely. >> OSINT. >> OSINT. Okay. So, we're starting to dive into like pulling as much information as we can on an organization. Um, well, I have a story. One point in time, I tried phishing. I've tried everything to gain access to an organization and I just had to do a little bit of OSINT. I went on to their website and interestingly enough, to his point as well, they had "join our team, now hiring, apply inside." Right. So as an attacker what does that
mean? So I I go into the organization and um >> wow >> what is wrong with this picture? Are still >> bingo. There you go. So, what does that mean? As an attacker, if I I I actually had a USB stick with some of the malware I created. I also had like a website that I would go and check and see if I can pull the malware down. But sure enough, they are running XP. But there's also some other things as well. What What else is wrong with this picture? >> All workstations are unlocked. >> There's another one. Anybody who in the organization can walk up to these computers here and do whatever they want
with it because it's not locked down. There's no sort of security for those. So yes, to your point, that is what's wrong with the picture. All right. Um, we're going to kind of highlight some more. Um, say they had a data center and, you know, they had their their key uh badge. You can badge in. Um, but could there ever be something wrong with this picture? >> It's all glass. >> Uh, that Yeah, you could smash and grab maybe. um those magnetic door lock sensors, you can usually >> like trick them to open from the inside. >> Okay. Yeah, you're starting to to get hit hit the money right here. So, yeah, we always focus on the security aspect
of that, but uh a lot of times they also have motion sensors on the outside the back end of the door. So, you could potentially um you know, and I'll show it on the next slide, uh find interesting ways to kind of bypass motion sensors, right? So, creative things to do with whiskey. All right. Well, let's see what we can potentially do to kind of bypass something of that nature. I love this video. It's so funny. Um, so here we go. How to break into a bank with whiskey.
Yeah. So that's being creative, thinking of how how do mechanisms work uh in our everyday life and being able to, you know, think outside of the normal conventions of we have we have a motion sensor. It's meant to be to allow people to exit, but could somebody fit something through and you know maneuver or set make some motion and um you know trick the the sensor into opening up. Um I know a lot of newbies always hear this in regards to you know hacking and and trying to get into the industry about the try harder mentality. Um you know I I think personally it's it's not just try harder. There's more to it. You need to become more perceptive, more
creative, more persistent. Um, and it's not really trying harder. It's you're actually trying to think differently. It's not so much just banging your head against the wall, but sometimes we need to take a step back and try to think about it from a different perspective. Just like how when you're looking at that door, from the people on the outside, it looks locked. From the people on the inside, they can just enter in. So, it's just thinking about the perspectives of things and how you're able to uh think differently and and get to your end goal. So, how do we think differently, right? There's so many it's like a puzzle piece. There's so many different options
to choose from in order for you to uh achieve your goal. Um it's like so many things we can choose. How many how can we get into an organization as a bad actor or even if you're joining it and you're you're there's so much things you need to learn how do you how do you start well start starting always starts with failing right and that's the problem I I know for me it was I failed a lot it was it was a a lot I would try I would fail I would try I would fail and what you start to notice and over time is you know you have to embrace failure. That's it in its nutshell. You
you will fail but then you will succeed and over time you will fail less and as you fail less you ultimately get to your own success, right? So I think overall, um, you have to, and this happens a lot of times when I talk to like new people getting into the industry. They're like, where do I start? There's so many different things to learn. You just try to find what highlights you or what is your passion. Um, for a red teamer like me, I really liked C2s, malware development, and that was one of my, infrastructure building like botnets and things like that. That was one of my things, my passions, and you have to
find your own passion and once you do that you will hyperfocus on it. Yes, but you will also start to love it and you'll start to fail a lot less. So, how do I apply the hacker mindset to my everyday life? Like, how do you think outside the box? Right? It's it's easier said than done, right? We someone could just say, "Oh, just think outside the box." But how? You have to learn to dive into the rabbit hole of whatever you love. And once you start to do that, you'll start to realize there's more. It's more complex than we actually think it is. There's more to it. You know, starting off in it, I learning I learned
networking. And then after networking learned telephony and then worked system administration, and when you start to learn more and more about different things you start to understand how they work. Like we use cell phones every day, right, but we don't actually know, if you don't dive into it, how does that actually work? How do you get a website on your phone? You know, what are the inner workings of the communication, uh, for our everyday lives? Uh, changing our perspective. You know, when you see a door, think about the outside of the door. How is somebody entering the door? How is somebody exiting the door? How can you bypass the mechanisms associated with the
security controls of different things? Uh creative thinking, you know, just like how we we talked about a whale and a refrigerator. Um, are you thinking about things um just for face value or are you trying to kind of break outside the box and think differently and creatively? And lastly, you know, try harder. Um, I want to kind of end uh my talk. I know it's a little quick. I I do have some sort of like ADD where I want to want to talk really fast and things like that, but I really want to say thank you guys for for joining my talk. Um, and I want to kind of leave with this quote here. Our greatest weakness lies in giving up.
The most certain way to succeed is to always try one more time. And that's it, right? We if you don't give up and you try one more time, you're never really failing. You're just getting one step closer to succeeding. Um, and just want to thank you all.
So questions. >> What's a good real world example of when you came from an obstacle and had to kind of change your perspective? >> Um that's a very good question. Uh I would say at one point in time um change my perspective. Okay. Yeah. There is a uh red team engagement that I had to do where um I'm trying to not use too much uh specifics, but initially one of the um networking guys uh would give each um employee that worked remote a uh a sort of a router uh that would VPN directly into their network. Um and the networking guy told me that it was locked down. You couldn't gain access to it. there's no possible way that you can
do that. You know, we have our keys. It's completely secure. And I told him, "Hey, give me the networking device that you give to your remote employees, and we'll see if I can gain access to your network." And um sure enough, um I got I got access to the router. And uh doing enough research, I found out there is a reset functionality for the router. And I thought that it would clear um the firmware um that's uh that they have for that router and it would remove um a lot of the uh configurations for the VPN that reverse back into their network. And so I just tried it uh and sure enough the configurations didn't reset
or delete afterwards. So I can get their whole VPN credentials and then put it on any device I wanted after, um, you know, gaining access to the router. I got root access to the router. I got all the configurations for the VPNs and then from there I could, you know, pretty much, uh, VPN directly in without any issues. So, um, sometimes people will tell you things and you can't take it for face value. You have to really dive in and try it for yourself because you don't know, um, you know, how far you can go until you try. Thank you. Any more questions? All right. All right. Well, thank you so much.