
Thank you everybody for coming. As Paul said, I'm Jamie, and this is Weaponizing Systems Administration. We'll be talking about leveraging IT skills in penetration testing. I'm excited to be here at BSides Dublin, virtually. I had a chance to visit Dublin a few years ago and really loved it, so I'm happy to be a part of this.

A little bit about me to start off: I work in offensive security in the financial industry. This talk is not representative of my employer's opinions or stances, but I do work in that industry. I have a couple of certifications in information security, general systems administration and some other things as well. I have a heavy systems administration background: prior to working in security I worked as a systems admin for Fortune 100 companies, and I worked for some smaller organizations as well, as the solo IT administrator, network administrator, and everything in between. I live near DC, and I am jaime on Twitter.

A little bit about this talk before we get going. I've had a lot of people ask me how to get started in offensive security, and specifically in pen testing, and my usual answer is: do some time as a systems administrator or in IT operations and learn those underlying technologies that you'll be attacking and pen testing later. The more I thought about that, the more I realized it really is true. There's a lot of overlap between systems administration and hacking or penetration testing, and I wanted to build out this talk to explore some of that. I wanted to show the value in an IT operations background. Just as a disclaimer, this is mostly given from a network pentest point of view; if you're looking specifically at something like web app penetration testing, your mileage may vary, but I think a lot of it still holds true. This talk was originally given at BSides DC a few years ago. It's been updated since then, but I mention that in the interest of full disclosure.

By now it's probably pretty common knowledge that people make mistakes, even systems admins, as much as they may not want you to believe that. Most breaches that you hear about are due to weak or incorrect configurations in systems. When we look at the news and hear about breaches, the things that are really trumped up are zero-days, and you hear about APT groups that spent months or years developing this one exploit for this one particular system, but oftentimes it's really the result of missed patch cycles or a temporary workaround that ended up being not so temporary. Each year Rapid7 puts out a report called Under the Hoodie, and this describes their internal engagements for the past year: their penetration tests and the vulnerabilities that are found. I'm not going to dive too deep into this, but if we look at all the vulnerabilities they list here, most of them are misconfigurations or reconfigurations, and honestly probably the "other" category too, right? It's just not specifically labeled. We're seeing things that would probably be caught by a penetration test, a really thorough security assessment, or just adhering to best practices and being consistent with those best practices. So what does this all mean? Defenders and attackers are looking for the same thing: you're looking for vulnerabilities caused by misconfigurations. Again, we're not seeing zero-days here; we're seeing things that really would have been caught by looking for these misconfigurations.
I want to talk for a second about the traits of a penetration tester. These are things that I think are really important to somebody who is successful in that role. The first is the ability to break down problems into multiple components. If you think about it from a hacker's perspective: you find an exploit, let's say in a web app, that allows you to access a file you shouldn't be able to access. Well, you need to break that concept down into its components. How are you going to get the payload across to actually read this file? How would you verify whether the file is read-only or you have write access? What context is the vulnerable service running in? If you upload a file, where does that actually land? There are a lot of individual pieces to this that you have to be able to troubleshoot and work within the constraints of to successfully exploit the vulnerability you found.

A penetration tester or hacker needs to understand workflow: being able to identify how attacking one system could affect another system. If you're attacking a database, what does that do to the login flow on your end users' interface? And you need to be able to identify why an attack isn't working and troubleshoot that. A lot of times exploit code will be pretty basic and might not work right off the bat, so you might have to figure out: what do I actually have to do, why isn't it working, what's the remediation, and how do I get this working or identify a workaround altogether? And finally, you need to be good at communicating complex technical info to audiences that are either very technical, like the engineers you might be working with, or completely non-technical, like maybe a CSO or another business executive who is not necessarily hands-on-keyboard every day but still needs to understand the concepts, understand what you found, and how to fix it.

If we look at the traits of a systems administrator, you see that there's a lot of crossover. A systems admin needs to be able to break down problems into their individual components as well. How many times has a sysadmin received a ticket that says "email doesn't work" and had to determine: is it the client? Is it the server? Is it DNS? (Probably DNS.) Is it a routing issue? Is it a hosting issue? You have to be able to look at all of these things and really break it down to find the root cause. I think a systems admin really needs expertise in troubleshooting, and that's really where they shine: being able to take those problems, break them down, troubleshoot each individually and rule them out. They tend to like solving problems, finding workarounds, finding creative solutions to problems, and that's especially true if, like me, you've worked for an organization in the past that maybe didn't have a big budget for IT. You find out how much of your organization can really be held together with bash scripts and creativity, right? And they also need to communicate technical information to technical and non-technical audiences. You have to be able to communicate with vendors, with support, with escalation staff, but you also have to be able to tell your boss at the end of the day what happened, why there was downtime, and how we fix that.

This is a sysadmin job post that I pulled off of Craigslist maybe a year ago or so. Taking a look at this, this is a very common type of systems administrator job post that we would see here in the States, and look at how many individual technologies are covered. This person being hired as a systems admin needs skills in Linux and Windows troubleshooting, patch management, configuration, Windows servers, security, third-party tools, virtualization, backup, disaster recovery. There are a lot of different concepts here that honestly could be areas of expertise in their own right. That's a lot for a person to take on. But if we look at a more recent penetration test, from a few years ago, that I did, these are the technologies that were encountered on a single /24 network. It's a lot of those same things: Windows, Linux, Mac, email, deployment pipelines, virtualization. Looking back, there's a lot of crossover there too, right?
So in the end, when it comes down to it, there's not a lot of difference between these two pictures. The person on the left is maybe going through a disaster recovery scenario: I need access to this database but I don't have credentials. Versus somebody trying to maliciously access the data underneath: I need access to the database but I don't have the credentials. The difference there is the intent. One of them may be trying to bypass security controls to bring the system back online, whereas the other might be trying to bypass the security controls to steal and exfiltrate data. The processes they use are probably going to be very similar.

This is one of my favorite tweets and quotes of all time: "Sometimes hacking is just spending more time on something than anyone else might reasonably expect." I 100% believe that. Anyone who has worked in IT in any capacity, whether security or operations, can attest to having spent many hours on something when they knew it was either a lost cause or there was a faster way to do it, just because they wanted to fix the problem. That's really what hacking is: it's not settling for the answer "no" when you try to access a system or gain access to data, and continuing to spend time trying to get creative and get around those controls.

In security we hear this a lot, especially on the offensive side: think like a bad guy. They tell you that on the blue team side as well: think like a bad guy, figure out what a bad guy would do in this situation, what a criminal is going to do to try to get access to this. I think there's a lot of value in that; I do think it's a great mindset and very necessary. But I'd also encourage you to think like you manage the system. What processes are in place, what controls have or have not been implemented, and what would you be most concerned about if you were responsible for securing that system? Then figure that out. I think at some point we've all managed a system where we knew there were skeletons in the closet, something that kept us up at night, and we thought, "If anyone ever finds this, I'm done, the system is done." Think about where that might be and look there to start your attacks as a penetration tester.

I want to talk about a few skill sets that I think are core to IT but have a lot of crossover in penetration testing. This is by no means all of them, but it gives us a good idea of how everything fits in.

First off, server administration. Knowing how operating systems are configured by default, and how they're typically configured, is invaluable. Knowing what services are typically enabled, or what services need to be enabled for something else to work, is very helpful when you're trying to attack those services. Installation of software: looking at config files, where they're stored, what's in them. Do we have credentials stored inside the config files? Are they encrypted, are they encoded with base64, or are we storing them in the registry? How can we quickly retrieve those and then leverage that to break into the system or escalate privileges, versus just setting up configurations? How do systems interact with other services? Do users log in directly, are they logging in through a client, are they logging in and then accessing a backend server? How are things updated? What network ports need to be open? If you take a look at a server and see that port 8443 is open, do you know right away, "oh, that's because software X is running," and can you infer what else might be running on that system?

Active Directory and Group Policy. Active Directory is super important; it runs pretty much everywhere these days. Look at tools like BloodHound. BloodHound goes through Active Directory, parses out permissions, looks at all of the stacked security groups and figures out how to get to Domain Admin fastest, right? But how can that be leveraged in other situations? Can we look at a user and figure out if that user has elevated privileges by looking at the other groups they're a member of? Look at Active Directory procedures in general: how are the user roles actually managed? Is it somebody going in and adding users to every role? Is it a user administrator going in and adding security groups to a user? How is all that enforced? Where are the domain controllers, what's on the domain controllers, and how is this integrated with other services? That's an important one, because if you're brute forcing a login page and it's tied to Active Directory, maybe you're actually locking out all of the users on the penetration test you're doing, not just trying to find the password, without realizing you're locking out users.
Network administration. Understanding network protocols is huge, even just the difference between TCP and UDP, understanding firewall rules, and the difference between getting a reset packet back versus a FIN, right? Wireshark and tcpdump are two tools I use all the time. They're very helpful for finding out what's happening under the hood when you're running an exploit or looking at a particular piece of traffic; actually knowing what the packets are doing and being able to interpret that is really helpful. But as a systems admin it's also something you're doing all the time to figure out what your network is doing in general. Routing and switching: do you know what protocols can traverse a broadcast domain, and why a certain attack might not be working? Do you understand the routing and switching? A systems admin will typically have at least a basic understanding; if you have a network admin background, you probably have a better understanding of those types of things. And then multi-homed systems. There's a lot of pivoting in modern networks; not all networks are flat anymore. So if you end up exploiting a web server that has several network cards, are you comfortable pivoting into another network, or are you stuck on one network?

Software and script deployment. This ties back to GPO in a sense: scripts and their physical locations are defined by GPO, and do you know that you can actually access those scripts as a domain user by just going into SYSVOL? Furthermore, there's a Group Policy object for some legacy systems that pushes out the administrator password to SYSVOL and encrypts it with a really weak key, 32-bit I think it is. Knowing where that's stored, and that you can go in there and pull that administrator password out of a potentially open SMB share, that's huge to know. Other things like system configuration, cron jobs and scheduled tasks, and third-party options: there are a lot of smaller shops that use things like PDQ Deploy and PsExec. Those are also things that attackers will use; PsExec in pen testing is pretty common. So it's good to know how that works and how it all fits together.

I learned scripting and programming in general much later in my career than I would like to admit. I think it's something that is absolutely a must to learn, at least to read the code. You don't necessarily have to be able to write code, but to grow your career and do things consistently, quickly and at scale, writing code is definitely a must. One of the ways I learned was to grab some proof-of-concept code from Exploit-DB and just try to customize it. Exploit-DB has a ton of proof-of-concept code out there that's not super well written; it works in terms of triggering the exploit, but it relies on some manual work. So I would take that code and start commenting each line: this is where it's setting a variable, this is where it's sending the payload, this is where it's defining the payload, to see what I understood and what I didn't, and then figure out what I didn't understand. And then customizing it too: can you make it so that an IP address is passed on the command line rather than having to go in and edit the file every time you exploit a system?

You can really pick whatever language you want. Python, Ruby, Python, Go, Python are all popular for penetration testing; I'm a big Python fan. But in all seriousness, they're all very popular for penetration testing and for security in general, and knowing any of them is really going to up your game. There's also a kind of prideful resistance to learning PowerShell among a lot of systems admins, but it's not really going anywhere. Learning how to learn it, if you don't want to learn it outright, is I think just as important. Learn these two commands: Get-Command -Noun followed by what you're trying to do, and then Get-Help -Name followed by the command you just found, with -Examples. That gives you probably 50% of what you need to start writing some basic PowerShell.

And here I'm going to say something that's going to sound really sarcastic, but honestly it's not: do some time in tech support. I don't think I have ever in my life seen so many creative ways to dodge security controls as when I was working desk-side support with users. In the case on the right here, this was an actual real example from years ago where users realized they couldn't send EXE files over email, so they would open up WordPad, create a document, drag the EXE in there, save it, and send the RTF document to another user over Exchange. That went through because RTF files weren't being blocked, and the user on the other side would download it, drag the file back to their desktop, and they had bypassed our security controls. It's not something I ever would have thought of, but it's a valid method of exfiltration as well, right? If you have DLP that's blocking certain files but you can send an RTF out and that's allow-listed, maybe that's the way to go.

Malware. There's really not a lot of difference between fighting malware and fighting system restrictions. EDR or antivirus do not like to be shut down, and they will fight you: they will try to spawn in the background, they'll try to prevent you from closing them out entirely or removing files or removing some sort of persistence they might have. Fighting malware gives you a lot of experience that you'll use as a penetration tester landing on a box that has protective software installed on it. And even looking at where malware persists, how it hides and stays running after reboot, might give you some ideas as a pen tester on how to actually maintain persistence on the system that you've exploited. It also gives you a great understanding of how systems work. Being able to really dig into a problem, dig into the logs, and look at how software interacts with other software is really important there. There tends to be a desire to just wipe a system, back it up, format it when there's an issue, and I think if you can avoid that and actually do the troubleshooting and try to get to the root cause, you learn a lot that's really valuable later.
Native tooling. Relying on hacking tools means you have to get them onto a compromised system. You never want to end up exploiting a web server and realizing that you can't do anything because you don't have that 'sploit installed; not a good place to be in. Standardizing your processes on built-in tools really helps you build processes that are repeatable, that are probably not on block lists, and that are probably allowed as part of normal systems administration. To the left here we have some Metasploit modules, and to the right their native equivalents on various operating systems. These are all things that a systems admin is going to do pretty regularly as they're going through managed systems. It's kind of intuitive to add a user through net user or useradd on Linux for somebody who's done that hundreds of times actually adding real users.

That said, tooling does exist for a reason, and you need to understand how it works. You need to have a plan B, so you can use that native tooling, but at the end of the day your client or your organization is paying you to cover as much ground as possible in the length of time you have. So don't let the pride of "I don't need to use this tool because I can do it manually" take priority; use whatever provides the most value in your situation. I think learning Nmap scripts and the Metasploit Framework are fantastic time savers that save you a lot of effort. And just one last note on native commands: there are often multiple ways to accomplish a task. Relying on tooling means that you have maybe one module or one thing you can run, but if you look at all of these different commands, these are all different ways to transfer a file off of a server, and these are just the ones I could think of in a couple of minutes of writing the slide; there are probably a lot more. Knowing all of these, and knowing different ways to move files off of a system, gives you options when one fails. If SCP fails and that's what you're most comfortable with, there are 15 other ways to do the same thing.
I'd like to go through a few real-world instances where I've been able to leverage systems administrator skill sets in pen tests. None of these use any sort of exploits; it's just built-in commands and knowledge of how systems operate.

This is unfortunately a real scenario, and I know this because this was a past job that I had; this was my scenario. It was a small business of about 50 employees. The longtime systems administrator was fired. I knew he was going to be let go, since I was interviewing for his replacement position; what I didn't know is that I would be onboarded not only the same day but pretty much the same minute that he was being fired in another room. I was walking into the office as he was walking into a conference room, so a very awkward first day. Of course this person wasn't happy, so there were no notes, no documents, no network diagrams. He didn't give me credentials when he left; he just walked out of the building. So I'm new to my position, brand new company, first day, I'm the network administrator, and I have no way to administer my network. What do you do at that point? Well, you hack it. I rebooted his laptop, put in a password reset CD, reset his local admin password, and started looking through folders, finding some scripts that seemed to have hard-coded credentials for a Backup Exec user. Anyone who has ever dealt with Backup Exec can probably attest that the Backup Exec user needs a lot of access. What I've seen in the past is that most people will fight Backup Exec for a while trying to set permissions and then ultimately give it Domain Admin permissions and call it a day. So I figured that was a good place to start. I saw some credentials that were based on a year, so I started incrementing them and ended up finding one that worked. I logged in as Backup Exec and found out it was in fact a member of Domain Admins. So I reset the admin password, created an account for myself, found out what was running on the server I was on, and started doing some scanning: figuring out what other hosts were on the network, what they were running, what other users were around, gaining some situational awareness in general, and then documenting it all. Again, this is day one and I need to figure out what I actually signed on for.

But if you look at all of these phases, that's essentially the same as a penetration test. We have initial access by resetting the admin password. We have privilege escalation by finding a user with a higher level of privilege and escalating to that. We have persistence by resetting the Domain Admin password and creating a new account. Local enumeration, identifying all the services running; some recon, figuring out what else is on the network; and then reporting, by actually documenting everything. As it turns out, taking over a system is not much different than taking over a system: you're doing the same things. Now compare this to a typical pen test life cycle. These are out of order, but they're all there; we're doing the same things.

Let's look at another one. This was a goal-based pen test with heavy social engineering. I was asked to phish or vish for initial access, then pivot off the user network and get access to a private code repository on a developer network. This is a very, very large software organization: they're in a bunch of countries, tens of thousands of people, and extremely security-aware. They undergo anti-social-engineering training and anti-phishing training quarterly and have to be certified in it, so I was in for a little bit of a tough time. To set up the scenario, I had to perform a bunch of tasks before the engagement started: registering domains for C2 and phishing, setting up command and control and phishing infrastructure, spinning up web servers, spinning up my C2 infrastructure, my redirectors, Cobalt Strike, configuring security groups, mail servers. All of these different things are tasks that a systems admin is going to do regularly, right? Maybe not installing Cobalt Strike, but installing software on a server that you've spun up in AWS or GCP or what have you, and configuring it so that everything flows and everything works.

When the scenario actually began, I ended up phishing users for initial access, got some reverse shells, found a domain user that had pretty decent access, and decided to log into their system and start enumerating, again just getting that basic situational awareness. I found some web servers that were on that sensitive network, the dev network. So I used RDP and the credentials that I had, logged in as the user after hours, and started just browsing to these internal websites. I found an out-of-band management console; in this case they were Dell, so it was iDRAC, and if you use HP it's iLO, the same type of thing. It has a default password; 10 points if you know the iDRAC default password, which would be "calvin". And the admin user was logged into the console. The issue with this is that console access is literally console access: if you can log into an out-of-band console and the user is already logged in, it's effectively the same as sitting down at their desk with an unlocked computer and the keyboard in front of you while they're logged in. So now I'm the admin, right? Real quick, cat .bash_history, and I saw a database server that I didn't know existed yet, hadn't found it, on another host, and they had put the password inline, so that was easy. SSH to that other host, and that worked. Grab /etc/shadow, cracked it, and noticed that MySQL was running on the server that I had compromised initially, so I tried that same password, and what do you know: there are code signing keys, private and public, code repository credentials, API keys, and lateral movement everywhere with the same username and password. That's a lot to get out of catting one file, right? Nobody wants to be the organization that has to tell their investors that the elite hacking tool that took them down was /bin/cat, but sometimes that's the case.

Another scenario here; this was kind of fun in its simplicity. There was a web application that connected to Active Directory and did authentication over LDAP. The web app had Domain Admin credentials saved in the config form, but the user that logged in was able to change the server address that it pointed to without entering a password. Some of you might know where this is going already. We know that LDAP is cleartext; it's not LDAPS. We know that we can control where this credential goes, and we know that we can hit the Test button to see if it connects to LDAP, and when there's an LDAP query like that it sends the username and password, in this case in cleartext, to the server. So all we need to do is run /bin/nc on a server we control, change the LDAP server address to our own server, and hit Test. Sure enough, the Domain Admin credentials came on over, were captured in cleartext, and were used to escalate privileges from there.

This is the last one. It was an Ubuntu web server. There was a vulnerability in the app that let me access the underlying file system with write access, so I could write to files, and I could do this as root because the application was running as root, which is really not good. There was no interactive command execution; again, I could just write files. But the great thing here is it's Linux, so everything is a file. A user is basically three lines in three files: /etc/shadow, /etc/passwd and /etc/group. If you enter the right information in each of those, you have effectively created a new user on that system, and you control the password because you're generating the hash yourself. The server was running SSH, so I went through, modified these three files, SSHed into the server, and now I'm on the server interactively executing commands and got root access.
so where were the hacking tools in any of these we didn't really use anything we were basically troubleshooting all of these systems but with a different perspective and intending on a different outcome if we take the penetration testing life cycle that i showed you a few slides ago we can reframe that and just ask questions at each of the steps that maybe a systems admin or a network admin would be asking and we can go through that process so let's take a look at that again um recon is just what's on the network enumeration what's on the server what's it running initial access how do i log in and you can answer that as creatively as
popping in a password reset cd and rebooting or brute forcing or what have you but a lot of different options there exfiltration um you can ask how do i back this up remotely how do i get this off of the system with whatever restrictions are in place persistence how do i make sure i can get back into the system later the last thing you want is to gain access to a system get disconnected and not be able to have a way to get back in and then lateral movement what else can i access from here um when i was in the first scenario i had admin on the system that i had logged into but i had no idea what the other servers
in the back were doing, so can I move to those other servers and start enumerating them? And privesc: how do I log in as root? I'm already logged in, but how do I log in as a user with more permissions? And then finally you have the reporting phase: how do I explain this to my boss, or how do I explain this to another systems admin? Two different audiences, and they're going to have two different types of explanations, but that's the same as essentially writing an executive summary in a report and writing the technical details.

So we'll switch gears a little bit and talk about making the jump to an offensive security role from a systems admin role. I'm going to give you my experience and things that I've seen that work, so your mileage may vary, but we'll talk about each of these. The thing I would recommend most is: take on security projects within your role. Definitely work with security if you have a security team, and talk to them about what you can help them with, but also think about what you can do within your own role. If you're a systems or network admin, maybe scanning the network for systems and services and seeing if anything new pops up, or if anything is running older software, older services, and remediating that. That's a security issue, right? Asset inventory is maybe the most boring thing you could possibly do in technology, but in security it's one of the most important. I can't tell you how many pen tests, red team operations and bug bounties I've seen started off with somebody discovering a system that the IT team had forgotten about and hadn't patched, hadn't hardened, didn't even know was there until the vulnerability report came in. Audit account access: look at your file shares, see who has access to what, and look and see if you can anonymously log into sensitive shares. That's things that penetration testers are going to do regularly. Looking for hard-coded passwords in scripts and in files, again, super common. Scripts are usually stored on a network share, so leverage number two with number three. And then test deployed applications for default passwords. If you went through your network and found every web interface and just typed in admin/admin and admin/password, you would probably be surprised what you find. A number of applications that I've gained access to were using default creds. That would make an attacker's life much more difficult if you, as the network admin or the systems admin, were finding that first and fixing that first.

You can even kind of make the jump to offense starting in technical support. Look at phishing campaign reports and look at the evidence. Look at what phishing messages make it through your security controls versus what do not make it through your security controls. Having that insight helps tremendously when you're tuning the controls themselves, but also when you're generating phishing campaigns on your own. When you get a system in, look at the user account and see if it's over-privileged, see if it's maybe in a security role or security group for a previous role. Use your position to deep dive into system tools. I mentioned earlier that if you can avoid just wiping the system and restoring it, you can really gain some insight into how the underlying systems work and how the different tools on board work. And I mentioned that asset inventory was the most boring thing in security; the second most boring is probably building out documents and procedures, but it's also one of the most important. Being able to replicate something consistently is very, very important in security, and having documentation also is important for being able to show that you know how to write. The first pen test job I ever got, the interviewer asked me for a writing sample, and being able to provide a document that I had written, a technical document, is one of the things that helped me get that job.
But how do you do this without actually going through the steps and labbing out some of the situations that you would find? There's a ton of premium offerings you can find for lab environments to do penetration testing practice or learning the ropes: Offensive Security Proving Grounds are a great one, Hack The Box, TryHackMe. I believe Hack The Box has a free version, as does TryHackMe, but there's other free resources. You can download VirtualBox or VMware, download some Linux ISOs and some trial images of Windows servers, and just set up your own environment. For cloud: cloud is huge right now. Any experience working in AWS, Azure, GCP is going to be huge when you're making the move to offensive security. It looks great on your resume, and all of those services give out a certain amount of free time in the cloud. So I think AWS does like 12 months of free micro service, Azure does a hundred dollars for the first year, or something along those lines. So leverage that: use the free trials and the free credits available to you and spin up some servers. You've also got intentionally vulnerable systems: VulnHub, Hack The Box, Metasploitable. Those all have walkthroughs available you can look at, either online on YouTube or on individual blogger pages. I have a resource page coming up that lists some of those out. And finally, just unpatched Windows and Linux systems. Throw an old XP box on your network, don't patch it, and see how many different ways you can exploit it. In terms of exploits, read about them, understand how they work, lab them out. Install a vulnerable piece of software and then change some things, change some variables. For MS17-010, the EternalBlue exploit, try disabling SMB1, try disabling it entirely, firewall it off, enable Defender. Look at these different things and determine how it looks on the attack side: what responses do your payloads and your exploits give you, and how does that change as you go through each piece? That'll help you later kind of infer what's going on on the other end when you're doing a zero-knowledge penetration test.

And then lastly, consider reframing your resume, but be honest, because interviewers will know when you're just pulling their leg. But you can change some things around to be more security focused. So instead of "created system inventory scripts," tell them you built out a procedure for detecting these systems on the network; tell them what you enumerated, what you did from there, who you reported it to, or how you handled remediation. Instead of just saying you administered Active Directory, say that you created group policies, you managed security groups, you audited account access. Again, all things that are really important to the security role. And finally, if you're at a smaller shop and you're responsible for running, let's say, Qualys, what have you, talk about configuring the jobs, talk about reporting the findings and how you manually verified, or if you manually verified, how you handled remediation, how you passed all that off. It's all really important, and it's the type of thing that offensive security professionals do every day. And then finally, just some resources. I will post the slides on Twitter after the talk, so you're welcome to grab the slides and take a look at some of these resources. And that's it. I really appreciate everybody spending your Saturday with me and discussing systems administration. I've got a couple of minutes left, so if there's any questions, I'm happy to take them.
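One of the security projects the talk suggests for a sysadmin, auditing the scripts share for hard-coded passwords, worked through as an added example. This is not code from the talk or from the speaker; it assumes the share is mounted as a local directory, and the file layout, file names and credential values below are constructed for the demo. It walks the tree, flags lines that embed a password or API key, skips references to environment variables and vaults, and masks the value in the report so the finding itself does not leak the secret.

```python
"""Audit a scripts share for hard-coded credentials.

Added example, not code from the talk: walks a directory tree of admin
scripts and config files and flags lines that carry an embedded password
or API key, masking the value in the report so the finding itself does
not leak the secret. The sample files are constructed for the demo.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types you would expect on an admin "scripts" share.
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".sh", ".py", ".vbs", ".ini", ".cfg", ".conf"}

# (kind, pattern); every pattern captures the secret as the "value" group.
CREDENTIAL_PATTERNS = [
    # net use Z: \\server\share <password> /user:DOMAIN\name
    ("net use password",
     re.compile(r"\bnet\s+use\s+(?:\S+\s+){1,2}(?P<value>\S+)\s+/user:", re.IGNORECASE)),
    # password = "..."  /  Password=...;  /  $apiKey = '...'
    ("credential assignment",
     re.compile(r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?"
                r"(?P<value>[^'\"\s;]+)", re.IGNORECASE)),
]

# Values that are references rather than secrets: $VAR, ${VAR}, %VAR%, $env:X,
# <placeholder>, os.environ[...], getpass(...).
PLACEHOLDER = re.compile(r"^(?:\$|%|<|\{|os\.environ|getpass)")


@dataclass
class Finding:
    path: str      # path relative to the share root
    line_no: int
    kind: str
    line: str      # offending line with the secret masked


def mask(value: str) -> str:
    """Keep two characters for triage, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_line(line: str):
    """Return (kind, masked_line) if the line embeds a credential, else None."""
    for kind, pattern in CREDENTIAL_PATTERNS:
        match = pattern.search(line)
        if match is None:
            continue
        value = match.group("value")
        if PLACEHOLDER.match(value):
            continue  # reference to a vault or env var, not a literal secret
        return kind, line.replace(value, mask(value))
    return None


def scan_share(root) -> list:
    """Scan every script/config file under root and collect findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            hit = scan_line(line)
            if hit is not None:
                findings.append(Finding(path.relative_to(root).as_posix(),
                                        line_no, hit[0], hit[1].strip()))
    return findings


# Constructed sample share: three real findings, two placeholders that must
# not be flagged, and one file type the scanner ignores.
SAMPLE_FILES = {
    "backup/nightly.bat":
        "net use Z: \\\\fileserver\\backups Winter2021! /user:CORP\\svc_backup\r\n"
        "xcopy C:\\data Z:\\ /E\r\n",
    "db/connect.cfg":
        "connection=Server=db01;User Id=app;Password=Sup3rS3cret;\n",
    "deploy/app.ps1":
        "$cred = Get-Credential\n"
        "$pwd = $env:APP_PASSWORD\n"
        "$apiKey = \"sk_live_EXAMPLE1234\"\n",
    "tools/cleanup.sh":
        "#!/bin/sh\n"
        "PASSWORD=\"${DB_PASSWORD}\"\n"
        "echo \"password rotation: complete\"\n",
    "notes/readme.txt":
        "password = abc123\n",
}


def run_demo() -> list:
    """Write the constructed share to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content.encode())
        return scan_share(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line_no}  [{f.kind}]  {f.line}")
```

Point `scan_share()` at the mounted share instead of the temp directory to run it for real. The placeholder filter is deliberately conservative: a value that starts with `$`, `%`, `<` or `{` is treated as a reference and skipped, so anything the scanner does report is worth a manual look and a move into a credential store.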
Thank you so much, Jamie, great insight. And we have one question here. It's asking: do you think that the demand for blue team staff will outpace that for red team in the industry? You know, we always hear about the technology skills shortage and the like, but it seems to be a little bit asymmetric; the demand seems to be more for blue team. And if you think that is the case, do you think purple team is the future?

Sure. So I think there's always going to be a need for blue team and for red team. I think of it kind of like a boxing match, right? You've always got the person that's doing the boxing, but you've also got the trainers, and you've got the people that are standing in the ring and they're helping them get better. That's kind of what I see the red team and the offensive side doing: it's really helping the blue team understand what the attacks look like from a practical aspect in the real world. I think there's definitely a need for both, and I think honestly folks that are good at red teaming have done some sort of blue team before, whether that be SOC work or systems administration. Knowing both sides of it gives you a tremendous leg up. I think there's a ton of value in purple teaming, and I think that we'll start seeing that even more than we are now. Doing purple team exercises in addition to doing the zero-knowledge red team tests or doing penetration tests really levels up your defenders and helps them understand what they're going to see and what they should be seeing, but in a way where they can ask directly and say, was this you? Is this specific IOC something we should look out for? And it also helps your red team, because now they know what types of defenses and detections are available. So I hope that answered the question.

Yeah, I don't think there's any more questions. Yes, there's no more questions there, so appreciate that, and thank you very much for your time today.

Great, thank you very much, and I hope everyone enjoys the rest of the conference. Thank you.