
Attackers' Perspective: Dangers of Relying on Marketecture, Exploring the Risks and Strategies in ESA

BSides Dallas/Fort Worth | 43:42 | 29 views | Published 2025-01
About this talk
BSidesDFW 2024 Track 3 Session 4 - 02 Nov 2024

Attackers' Perspective: The Dangers of Relying on Marketecture. Exploring the Risks and Strategies in Enterprise Security Architecture (ESA)

As the threat landscape evolves, traditional Enterprise Security Architectures (ESA) struggle to keep up with growing attack surfaces. This talk explores the critical intersection between ESA and Offensive Security Testing, focusing on how continuous, adversary-driven testing can uncover vulnerabilities and bridge gaps left by relying solely on security product marketing. Drawing from real-world experience, the session will demonstrate the need for full-scope adversarial emulation, continuous penetration testing, and effective validation of security controls. Attendees will learn how to align security strategies with real-world threats, ensuring their architectures remain resilient and adaptive. Key takeaways include evolving ESA to match modern threats, uncovering hidden security gaps, and integrating offensive testing to strengthen defenses. This talk is essential for security architects, red teamers, and leaders aiming to adopt a proactive, threat-informed security strategy. @dkfredde
Transcript (en)

We start in about 60 seconds, if you want to just wax philosophical. Yeah, well, I'm very shy, so y'all be very kind to me, right? I'm just kidding. Is that good enough? You feel good? All right, thank you all for being here. Are we priming the mic, is that what we're doing? Prime, primed, okay. No, you go ahead, Bob, you're stealing my thunder, but go ahead.

All right, welcome everybody to the 1330, the 1:30 presentation for the track. The discussion here is about the attacker's perspective: the dangers of relying on marketecture, exploring the risks and strategies in Enterprise Security Architecture, or ESA. I'm going to turn it over to Darren Fredde to do his presentation. Thank you.

Hey, thanks, Bob. Well, guys, thanks for coming out. Really, sincerely, I really appreciate it. I always get excited whether there's one person in the room or two people in the room, I'm just excited to talk about it. I'm a bit of a compulsive obsessive freak when it comes to technology. I love it. I'd probably do it for free, or Scooby Snacks, which is my funny way of saying that if you give me a compliment I usually love that. We're going to talk about the attacker's perspective of the dangers of relying upon marketecture. You're probably wondering what the hell that means, so I'll explain it to you as we go along. It's a clever hook to try to get you interested in what I'm talking about, but it has more meaning than that, and I'll explain that as we go through.

But you know, I'm going to brag about myself because everybody seems to do this and this is my time, so here you go. I've been in the industry cumulatively over 20 years, it's probably longer but we'll just go with 20, plus security. I've worked in multiple different disciplines. I've been a CIO before. One of my biggest projects, or one that I did with infrastructure, that makes me qualified to really talk about this topic is the Love Field modernization project; I did most of the security product in that building. I've worked with large infrastructure, small infrastructure. I cut my teeth in telecommunications. I've worked in banking, finance. I've been a pentester for six years. I also ran under the name of Birch Cline, and you're going to get to hear about that; that was a label I was working under. Nobody knows I did the pentesting, and I did that for six years. At the same time I teach at a college, Dallas College; I teach the ethical hacking class, and I also teach another class. So I've been in the industry a while.

How this topic really came about is that I was having a hard time articulating what I was trying to say, and I didn't quite have my thesis worked out. What I was thinking about is that I knew from an attacker's perspective, when I would attack things and I would do pentesting (you're going to see a lot of use cases), that there was this lack of vision for the enterprise security architecture. Matter of fact, I was having a hard time putting a word on it, because when I would say security architecture people would go, are you talking about offensive security architecture? And then I noticed there was no headcount. You know, in the old days there were CTOs, chief technology officers, and they were heavily involved with the CIO. Now we don't have those anymore. And I noticed this lack of vision for your architecture, and then I noticed this immaturity, and I thought to myself, you know, it's funny, because all your security controls and everything come from your architecture, but yet nobody really kind of understands the way all these come into play, and that's where all your security controls are.

So I ran across this term, and it was called marketecture, and I said, that's it. Because Luke Hohmann was describing it from the software side, and what he was doing is he was trying to divide his camp into two camps. What he was saying is that in software, you know, marketecture was a portmanteau, it's two words concatenated together, right, that's what a portmanteau is, and what he was describing is the ability to sell software, put your best foot forward and sell the software. It was definitely marketing. And then at the same time he split the other camp into architecture, and he was talking about technical architecture, and that's the world he was coming from. So there are two camps, and if you've ever built security architecture, or you've been a pentester and you've been in this, I don't know if you've ever had this problem, but you're going, like, I just want to know what the hell it does, you know? And when you're a tester it becomes very important.

So what this talk is about: I want to reconceptualize enterprise security architecture, and I want to look through the lens of an attacker. We're going to use that, and we're going to look at the security architecture, we're going to keep our eye on that, and the entire thesis we're talking about is whether offensive services can help us with our security architecture. Okay, so let's rock and roll. Here are the questions we're looking at: are our security controls as effective as we think they are? Right, simple. And then, can we trust security solutions based on marketing claims alone? And then the last one, how do we ensure that our security strategies are evolving with the threat landscape? And that's a big one, because I would propose that architecture is not static, it's dynamic, it's changing all the time. And so if you're not changing with your security architecture and keeping it up to date, and you don't have anybody minding the store with this vision of what your architecture is going to be, guess what it does? It grows organically, and you have these overlapping softwares, and spending more money doesn't necessarily mean better security, right? And then you have to trudge through all the marketecture to get down to the part, you know, what does it do and does it really work, and that's called efficacy. It's a term I use, and I talk about that a lot.

So what I'm proposing here is, I'm telling you that I believe that offensive security testing at scale, and adopting offensive security testing and leveraging continuous automation, which is what we're looking at in today's world (Wirefall called it a lift; think of it as the next wave, but continuous pentesting is definitely here to stay, we're going to talk about that), that this continuous testing is not only important, I would say it is critical. And that's the whole talk, that's what we're going to talk about, and hopefully by the end of this talk I will have brought you over to my side of the fence, and then we'll be talking about now how do we get it done.

So let's look at a couple of use cases to make this interesting. This has got two stories to it, okay. I told you that I worked for Birch Cline and I flew under that, so a lot of these cases you're going to see, these are actual pentests, I'm the pentester, I have done this, and this is called full scope adversary emulation. I'm going to repeat that again: full scope adversary emulation. And I would say that it's sad that I had to put those terms together just to explain to you what testing should be, okay, and I'll explain that in a minute.

This story has two stories. The first story is the actual event. I was asked to do full scope adversary emulation for a school. This is a rather large school; I can talk about it because, A, it's been adjudicated, and B, it was in the news, and that report you see up in the far right hand corner where it has the news outlet is actually my report. If you go look for the link you'll see the investigative reporter throw it across the table and it'll splat out, and that's the second story we're going to talk about. The first story is, by the time I finished this test (I started from the outside, and this is what happened), they had a pretty good architecture, pretty good standing, but by the time I was finished I owned the doors, the cameras, the air conditioning system, the police department, full control, and I had persistent data exfiltration. And that's called the full life cycle of a pentest, the entire life cycle of a pentest, okay. Now you're probably thinking red team, but wait, we're going to come back to that. Okay, so that's the first story, and the important part of the story is that it happened in 2020, about 2020 sometime.

Three years later a buddy of mine named Phillip Wylie comes to me and he says, hey, you're not going to believe what just happened, the news is calling me and they want me to do this interview on your test. And I was like, I knew about it, because he didn't know that at the same time I was talking to the FBI. And I wasn't the one talking, my colleague was, because I kind of stay in the shadows, not because I'm trying to be mysterious, but politics gets messy and I didn't really want to be involved in there. I was kind of half in, half out, and I was doing all the work. And so we knew the real story, and the real story was the one I would encourage you to go look at in the media. But the story was that a teenager had hacked a school and took it over, and the investigative reporter you see over there to the left was interviewing the people, and they were, you know, that was security theater, and this is going to come up as a common theme, security theater. And that story sounded much better than what was really happening. What was really happening is that even though I delivered the report, they didn't secure it properly. The student, supposedly the student, they thought it was the father maybe, weren't sure, had gotten a hold of the report and he used it like a blueprint in order to hack them. How do we know that? Because he was spitting it out on the floor and taunting them as they were doing that. And so that was the real story going in.

So what does that have to do with the topic? Well, it has a lot to do with the topic, because for one thing, this organization, had they not asked me to do this, they'd never know the state of their entire architecture, right, because it was full scope adversary emulation as a test. The second part of the story, though, it's more than just knowing, it's doing something about it. So they didn't do anything, and unfortunately this got hit again and became a part of another news story later on. So it's not hard to find, you can go look at it and take a look at it, but I thought it was germane to our conversation.

So let's rock and roll to the actual topic. This is based on Bruce Schneier's talk. Bruce Schneier had a talk that he did, and he was talking about the mirage, and he was talking about that when humans are dealing with complex topics they need a model, and they have to have a model in order to understand risk. So if we're crossing the street we don't really need a model for that, right? We intuitively know that crossing the street we need to look both ways or, you know, damage could happen. But when we're dealing with more complex topics, models are what help us balance reality and what really is going on with our security. My proposal is to say, can offensive security be a model that helps you do that? And the answer is absolutely yes, that's what it's for, and what it helps you do is align the two. Because the problem is, when you're an organization that doesn't align the two, you run the risk of the consequences of not having that alignment: you have a false understanding of what your security is. Why? Because you're not testing, or you're only testing very limited. This is the human side of it, okay.

And I'm going to use myself for this model and this exploration, I'm going to use myself. So when automation and pentesting came around, I was a bit critical of it, and it would go like this: there's no way you're going to replace a pentester. Now, I wasn't coming from the perspective of the model saying here that my identity was tied into it. I was coming from the perspective of the risk, the false understanding of pentesting and relying upon automation 100% without an SME involved in it, and the risk that was going to create for the industry, and that was my concern. But when we're dealing with trying to move people to new ways of thinking you have to be aware of this human side.

And let me give you another example of how this model is useful in order to change worldviews. When you're trying to move people around, shifting different paradigms, it's that some people are in a habit. Here's an attacker's point of view: I attack them, I can visualize what they're doing. I know the guy, Tanium is falling off the line, I know the guy in the SOC comes in and his job is to sit there in a chair and spend half his day trying to figure out why the agents aren't checking in. That's habit, and that becomes memorialized and it becomes habit, and you need to ask yourself, is that useful? Why not deal with the root issue? Why the hell don't you make a better product? Why the hell is your agent falling off in the first place? Things like that. And then the other one's power, and that's human nature too, right? You're going to take away my identity, my revenue's tied into it, you know, that's power, and you have to deal with those. So sometimes we fail at our companies on shifting them and helping them deal with risk, not because it's not the right thing to do, but because of the human side. So we have to be aware of this.

And it's complex. Your architecture is not what you think it is, and this is just kind of a pretty graphic to show you: you've got multi-tenant, you've got multi-cloud, you've got niche cloud, you've got the cloud providers, and all of that. Your ESA, your enterprise security, has got to cover all that. It can't be legacy, stuck on-prem, because you're no longer buying the prem, right? Zero trust, right? So you have to have an ESA that covers all this. Now CNAPP is up and coming; we're not going to talk about that, but we will talk about the concept. The concept is one pane of glass, right, in order to govern this complexity. Because now we're doing deep dives, this is what we're really dealing with, so your security architecture has got to cover all of this, not just your on-prem and the swivel chairs that you have in your organization. Attackers like me love to take advantage of that. If you have 50 people in the chair and they're swivel-chairing, minding the store with all these behaviors, with software and everything, attackers know you do that, because they are you. I mean, you think about it, they're you, they used to be admins, they think like you. They take advantage of that.

Here's another case. This company was a government company, under Birch Cline. They were worried about their elections. They wanted me to come in and attack them. It was a two-man team, and they wanted me to attack them, and they said, hey, we're really concerned that an attacker could eventually impact our local elections, that's your goal, we'd like you to attack us, kind of find that out, we don't want to hold you back, there's no limits, that kind of deal. So we started in stage one, you see there, and by stage one complete we had already completed the goal, and I'll show you that. The second phase was the bonus plan, and that's where I take over, I gain persistence, I dig in so deep that you can't get me out of there even if you wanted to. And that's what attackers do, that's what real-world attackers do, or APTs and things like that; we're emulating real threats. The last stage wasn't to tell you that I was leet, but we had completed it so fast that we gave them time back. We don't need it, and that's what the last phase is. Here's kind of a non-comprehensive view of that, but we'll just walk through the easy stuff. Think of it as chess, so the whole time you're hearing this, think of this as being a chess piece or a chess board.

So in the first stage I'm doing a password spray, your traditional password spray. I gain access to the account right away, so I've got a pretty good working credential. By that time I'd already OSINT'd them; OSINT means that I'd used open source intelligence. I knew where their VPN is, I knew a lot of things. From there I pivoted to the desktop, and because they didn't have some setups in their Azure properly, I did all my recon outside the company, sitting there. I knew who had VPNs, who didn't, all those things were worked out. Then we moved to the next stage. And what I'm doing on a full scope adversary emulation, this is where it's a little different than a red team exercise, is I'm trying to find as many attack paths as humanly possible. I'm not trying to be covert, I'm being overt, and I'm trying to identify all of them as I go along, and I'm looking for misconfigurations in the architecture and things like that.

So what you're seeing on the screen is a product that they use, and it's called Horizon. What I did is, I needed to gain persistence, because I can't tell you how many times blue teamers misunderstand a red team exercise versus a pentest. So I always do that, I always do that anyway on my test: I try to gain persistence just in case you block my account, I want to continue my test and I don't have to escalate. So I had done that. The way I did that is I went to the Horizon, what they call the Horizon server, I don't think I'm saying that right, it's VMware Horizon, it's like Citrix but it's a VMware version. And the reason why I chose it is because I suspected that the admin had a blind spot, and he did. They had a published app and I was able to get in it because I had already owned an account, right? And then when I did a breakout and landed on the server, the server didn't have the same protection as the published apps and the VDI, and that became my foothold, and that's where I set up shop. I can do things in silence there, but just to be safe I pivoted over to the VPN and made sure that I had access to that one. And then I start, bearing in the top right of your side, I think it's your right, yeah, the top right, the green is me just doing a VPN access from Ukraine. Why is that important? Well, because I can go to Wirefall or a person in the room and say, do you do business in Ukraine? What does that have to do with elections? It's reducing the threat landscape, and that goes in my report, because I'm talking about security architecture and things like that. I'm talking about the entire model, an entire threat landscape, and remember, red team may not do that, and we'll talk about that in a minute.

So by that time it looks like this. I want to point to the middle, see the Kerberos and the golden ticket, that's what they call golden ticket. And this isn't a comprehensive talk about hacking; if you want to go look that up there's a lot of great people that do that, go look it up. But what it means here is that the reason why the Kerberos ticket was able to do it is because the foundation of their Active Directory at that time was 2012. They can't possibly be rotating the Kerberos account automatically because it doesn't exist, and so that goes in the report. See, because I'm talking about a layered defense. And remember, when you talk about architecture, you've got enterprise architecture, that's the IT side, and then our Enterprise Security Architecture scaffolds on top of that, and they interact with one another. So when I'm doing the offensive testing I'm doing the efficacy and trying to show all the different misconfigurations that make it possible for the entire life cycle of an attack to occur. So, more of the thing, I'm not going to go through all this, I'm just going to tell you, just know that by the time I was finished I owned the cloud on one side. So I went in, then I went up to the cloud, I owned the Azure side of one domain, I owned both domains, and I owned the other cloud on the other domain. And then my goal comes in, and if you look really close on this slide, look down in the left hand corner, you see the polling software right here and then you see the email with the attachments. I'm reading the email of the conversations between people, and I'm doing it because it's called looting. I'm looting the environment and I'm taking the passwords of them having a conversation with the developer of this company. Right now I can't legally pop this company, so this is just a demonstration that I could have.

So now the question comes, did I achieve my goal? And it's plausible. It's plausible somebody with this type of access, why would I take on your encryption out in the field? I'll just wait for you to bring all your data back in, and if I can just jack with the integrity, you've got a problem on your hands. You need to explain to the American people, I've just jacked with the integrity of your election, and that alone is problematic. So when we're talking about security, I told you, let's talk about it, think about it as chess, okay? So the Knight is unpredictable, he can get into places that you normally can't; that represents the pentest. And then I want you to look at the Rook. The Rook is your traditional audits. And you combine those two together, we'll talk about it at the very end, I'll show you how that's called a hybrid pentest on an application layer, but you combine those techniques together, these offensive techniques, and you combine them together, and what you're doing is protecting the King, right? That's your prized possession. So I want you to kind of keep that in your mind when we're talking about playing chess.

Here's another use case. This one's called human-operated ransomware, and so the company was concerned about that. So what I did is, I'm fast forwarding, I'm inside the company, and the thing you're seeing up at the top right is the kill chain, right, and then the left, you see up there with the pretty graphics, is me inside their backups. So how did I get in there? Well, it's called security architecture. When you do a single sign-on you get choices. You make a mistake on that and I'm in your environment, and you forget that you have local accounts going on too. You better have secured that, because that's all I did. I went in and I looked at their architecture and I said, I wonder if these guys even know that they have local authentication too. Tried it, boom, I'm in. What did I do with it? I restored their backups to a drive that I wanted to, and then I looted through them and started pwning everything else too. And so I own the environment. And then when I sent the ransomware notice in there to do the simulation, I used a new technique, one because it made me chuckle, you know, I'm using Teams and it's kind of fun, it's kind of leet, I send my ransomware notice through Teams. But the reason why I'm doing it mainly is not because I'm trying to pad my ego, I'm doing it because there's a vulnerability there. The company had allowed external sharing and they had setups in their Azure that made that possible, so that's why I chose the route. It just so happened it was funny, but it also showed them a problem with their architecture, a weakness in their architecture and a misconfiguration that was going to cost them dearly with social engineering. And I could combine all of these threat landscapes together, stitch them together, in order to show this: attackers don't normally do what you think they're going to do, okay? Attackers really, Microsoft did a pretty good job of showing you that attackers really don't care whether you think they're impressive because they got domain admin. If I can steal your password I don't care if you think I'm elite, I'm there to make money, and it's not about domain admin. They take the path of least resistance, and so you need to keep that in mind when you're dealing with your security architecture, you're dealing with architecting. Why would I take on your firewall when there's other low-lying fruit that I can attack through?

Here's another case, a simple case of this. I was looking at this company and I was doing a pentest, and the first thing that got my curiosity, I want you to listen to the mind of the hacker, is I said, wow, you know, why do they use Freshworks? Freshworks is used for a knowledge base that you would share outside, and then you would have an internal help desk, and these guys don't have a product. Why are they using it? That's what's going on in my head. And then I said, oh well, I wonder if they have a vulnerability. I look, oh, they've got subdomain takeovers, that's really interesting, maybe I can leverage that. Then I thought, you know what, I bet they don't even know that the KB, their knowledge base, could be exposed outward. And I thought, you know what, I think I'll just create a fake account. So I created a fake account, went into their knowledge base with a fake account, started reading their knowledge base, and lo and behold, they had the Wi-Fi password written in their knowledge base. To them they think it's only me, right? Yeah, they didn't know. So what happens? Well, you know the end of that story: jump in the car, get close to the environment, game over. And all of these things that I've showed you so far are all preventable, every one of them. These are simple hacks that are catastrophic, so they start out simple and then they blossom into losing the entire company.

And there's a thing that Microsoft is peddling and they're calling it friction. Someone in the room can tell you what an OODA loop is, but to keep it simple, what you want to do is you want to raise the cost of somebody getting into you, and you want to create so much friction, and it be so painful for the attacker to get into you, that I'm just going to go to somebody else that's easier. Think of it as friction. But in order to do that, you have to have offensive testing and know how you're being attacked. Because you think about only having 3,000 soldiers against a million, sounds impossible, but it's not; you just need to prioritize, and that's what offensive services allow you to do. You can't be everywhere, so you have to line your security controls up at the proper places. You have to be very smart and strategic about their placements, and that's what this is talking about. It's talking about strategic placement of real security that actually works, and efficacy testing.

So when we talk about offensive security types, this is the part where we're going to define what I've been saying over and over again. The only ones I want you to really pay attention to are two of them right here. Phillip Wylie does a really good job of explaining to you what a pentest is; I'm not going to read it to you, everybody knows what a pentest is, you should have a good understanding, but if you don't, make sure you do. But I am going to talk to you about the second one, because I've said it several times. So full scope adversary emulation, for me, is a comprehensive security testing approach that goes beyond compliance-based pentesting, period. That's what I'm saying. And I'm not talking to you about red teaming. Let me explain this. The guy sitting right in this chair, his name is Wirefall, he has a definition of pentesting. Love it, it's beautifully simple. Red teaming is: you are testing the ability of the defender to respond to your test. You're not necessarily trying to find every attack path. And then Joe Vest expands that definition of red team; if you want a better explanation, or a more lengthy one, Joe Vest does a really good job of explaining that. But the point is, who gives a darn whether I'm doing red teaming or whatever name it is? The point of it is the benefit from doing those types of tests, okay? So now you know my definition in this context; you understand purple teaming.

So let's look at what it would look like. If you're doing this type of test where you're doing vulnerability assessment, scanning, things like that, I would argue that you're kind of really only doing the minimum preparedness. You're not really doing a life cycle that looks something like this. If you're doing what I'm talking about, modern offensive testing, where you're proactively and continuously and holistically testing your environment, you're actually doing an advanced security posture and you have threat-informed testing. It's not based on what you think it's doing, it's based on actual fact-driven models that help you align the difference between what you perceive your security to be versus what it is.

Here's another example. This one's kind of a fun one. This organization did all the police department, they ran all of the helicopters in the air, did all the helicopter testing, I mean all of it. They provided that service for many police departments around the United States, things like that. So they've got the copters in the air and other people can see where the guy they're trying to arrest is on their phones, that kind of deal. And it was in the air and I was asked to test it. So what I did is, the first thing you see here is, I didn't know anything about helicopters and the thing sounded really cool and I was really excited about doing the test, but I knew absolutely nothing. So for me it starts with OSINT recon. So I went, it goes like this: oh well, you know, this is taxpayer money you're spending here. So I went out, look, if you're spending taxpayer money you're required to tell the public what you're spending the money on, and I said, I bet these people have told them everything. So I start searching through municipalities with these key words and everything, and what you see down at the right, the map, is me teaching myself the topology. So I learned the topology, now I have a really good understanding. What you see up at the top right where it says internal server error is, when I was in there, I had OSINT'd this person that was a developer, and I thought maybe they had something to do with it but I wasn't sure, and there they threw an error message with an email address, and that gave me a clue of the email, which led me back to the GitHub, and I read through all that and I noticed some key words this person was using, and their lexicon, the language, is very specific, and I went, hmm, it's interesting, and then I thought, well, I'll probably use that for a brute force if I need it. And then over to the left you're seeing a mobile phone that was branded, that was white-labeled, and a person was bragging about the UI and all the work they had done in college for this company, and I tied it back in. I go, oh, you know what, that's the software they're using. Right up in the top left you're seeing the PHP, that's pretty traditional, you know, recon and understanding what software they're using.

So the next thing is you see me popping, I'm going to speed up, you see me popping the inside deal. There was a vulnerability in the software, I get in there, I brute force the interface with the lady's credential, the password, that gets me in the middleware of the software. By the time I'm finished, I'm here, let me show you here, I'm here, I'm sitting back, I'm eating popcorn watching people get arrested around the United States. Pretty cool job.

Here's the PTES part, and the two I've got circled. Think about it: if I'm wrong and persistence and everything has nothing to do with pentesting, then why the hell is it on the post-exploit and persistence and everything? And I think I know the answer to it. It's mainly because compliance has kind of dumbed down our pentests, where they're not really what they used to be, and I'm saying that they're absolutely critical when you're talking about your security architecture as a whole.

One more use case, and I'm going to gloss over this real fast, but this is more of a purple team exercise. It's them loading up what's called Credential Guard, and the only thing that's important here is humans. Let me explain that. I said, are you ready to test? We're ready. Are you sure you're ready to test? Ready. A third time, right? What you see up to the left is they had it configured but it wasn't running. So the test has already started, then that becomes part of the story, and that's what I'm trying to tell you: you absolutely have to do efficacy testing, and this collaboration between offense and defense is not an option for you, you have to if you don't want to be the victim. So real quickly, here we go, this is the end of that story.

And I'm going to go through this, this is the slide I was talking about, and I'm going to do it really quickly. All this is, is if you're doing OWASP Top 10 you're doing the bare minimum, and what I would say is that you need to be doing the application verification standard for your most critical apps. And that's when the hybrid, that's when you take the Knight and you take the Rook, you put them together, it's called a hybrid pentest. You don't hear people talk about it, but what you're doing is you're auditing, and it goes like this: show me your security requirements for the app, show me this

and that's more audit and you're doing the pin test and that allows you to measure back the other way to see if you actually are shifting left this is why it's important okay to do this and I'm running out of time so I'm just going to go past this if y'all okay with it and we can talk after last story a fun one okay so I was in a test I was watching I had control over the KVM I watching a guy do his work and I just know I know exactly what's going to happen he's going to get a box that's halfway installed and he's going to go home and I waited for it sure enough that's what

happened I I corrupted the tree I poisoned the tree he deployed it into his Fleet but at the same time I used his box and I ran in Bay and I sprayed the area in order to collect more credentials and this stuff goes on so you have to know that the enemy is among you many times here's a solution and we're done I have to give a solution so think of it as shape and I'm going to leave you with this last thought if you're not testing your defenses don't worry about it because attackers are going to test it for you so I would say if you don't want to be the consequences of that and

suffer from that then you need to be actively testing your your talk and and I'll take questions from here out the door so I appreciate it any other questions we're we're done I'm sorry to speed through [Applause] that did you add the last slide on there while answer question yeah yeah sure absolutely okay I think you said last slide this one yeah okay will you be posting the slides yeah I can yeah there's nothing confidential I can talk about the tests they're all redacted these are tests I've done I've done on I've done a lot of pin tests under Birch Klein and uh like I said I I just don't talk about a lot but these these you

can what other come on y'all got

questions yeah I do he his question is it's a great one he says do I have any recommended uh tolling tools I try not to talk about software because I'm trying to be vendor neutral um but I have preferences I've wrote actually papers uh competitive analysis for companies um software I do don't talk about a lot but I wrote one with red teing it got bought by IBM I wouldn't use them just being real direct I sorry to be so blatantly obvious but I just wouldn't do it I I would encourage you to get a hold of the test and I can tell you this guy that just asked question question does that I'd get a hold of the

test and see what where where it ends and where it starts and there's some good t software out there that does it I use them one I will give you is trius trius is a pretty good tool especially if you're doing large scale pin testing you can automate a lot of things another one is Phil wet works at a company that's another tool that's real it's not that I actually work and and he's right you have to do this at scale or you have to hire people like me that know how to attack that way it's it's a different way of attacking it's more living off the land techniques um you know it it it it does cater more to Red

teaming which y hear red teaming is being it's just a different way of attacking you know like I don't you know I'll start hacking right from a Windows box you know because that's in reality that's really what happens you know in the real world people you know get us home they don't pull roll up with their Cali box and I mean they use them but but that's kind of the way it goes on what else any other

question yeah that that would let take outside uh it's a great question and I definitely want to answer it but um it's it's a long it's not the same prescription for every person it it's different I would say if I had to give you a short one right here I'd say take your own own inventory know what your strengths and your weaknesses are and then uh kind of use those to kind of go in there that's what I did and actually my buddy recognized it in me before I did and he said dude you'd be really good as a pentester and I went dude I I'm I'm weak I can't be a pentester and he was like no you you can be you'll be

really good you just don't know it yet and so I I I would do that I would look at your inventory of like what you have what your strengths are and then kind of trying to align it and then there's tons of resoures out there if you want to bet pin it's not the easiest job and it doesn't pay the most nowadays so uh there's a lot of options I'm not trying to discourage you from it but there's a lot of options out there any other questions we got two minutes

or to make yeah I I that's the part where I told you I was cognant biased emotionally uh because my fear wasn't worried about it taking my job because I would argue that where do the hell you think automated pentesting came from it it came from pentesters pentesters have been automating things for a long time you know that's how it evolved because they can't it can't do it all so they've automated things and and AI uh the answer to your question is yes there's definitely a validity in tools to an automated especially a lot of the hacks that you see here I would call those lowline fruits and but they won't fix broken business logic like let me give

you an example let's say that you're you're an accounting firm right and you're posting to your general ledgers and you have a configuration problem you allow all your clerks to post to the general ledger and when they post to the general ledger they post through the general ledger and what that means is in accounting terms is that you can't just delete that you make a mistake you got to do a journal entry so let's just say you're a publicly traded company and I just want to jack with you and I start posting all kinds of crap to your general ledger and you're on your baring base you have bared money and just the mere fact that

I've been messed with the Integrity of your books is going to cause you huge amount of problems and automation won't catch that you know autom I one time I had data export trade use grammarly to do data exfiltration I did that because it's a way of bending people's mind and that's what attackers do they don't attack you where you think they would do if it was that easy we would have solved it a long time ago but automation does help you do things that scale it it will do a lot for um the AI will do a lot for automation like this I use it myself I'm I'm a little weak in coding but that's

my time guys so if if we want to talk let's talk out in the h way and I really appreciate you coming to my talk
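The Credential Guard story in the talk (configured, but not running when the purple-team test began) comes down to one check a defender can run before declaring "we're ready". The PowerShell below is an added example, not from the talk or its slides. It reads the Win32_DeviceGuard WMI class, which Windows exposes in the root\Microsoft\Windows\DeviceGuard namespace and which reports separately which virtualization-based security services are configured and which are actually running; the service IDs (1 = Credential Guard, 2 = HVCI) and the VirtualizationBasedSecurityStatus values are the documented ones. The gating behaviour (non-zero exit when a configured service is not running) is this example's own design choice.

```powershell
# Added example (not from the talk): show the gap between VBS services that are
# configured and those actually running, the exact condition the purple-team
# story hit with Credential Guard.
$ns = 'root\Microsoft\Windows\DeviceGuard'
$dg = Get-CimInstance -Namespace $ns -ClassName Win32_DeviceGuard -ErrorAction Stop

# Service IDs as documented for Win32_DeviceGuard.
$svc = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)' }
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$vbs = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

Write-Host ("VBS status : {0}" -f $vbs[[int]$dg.VirtualizationBasedSecurityStatus])

$configured = @($dg.SecurityServicesConfigured)
$running    = @($dg.SecurityServicesRunning)

foreach ($id in $svc.Keys) {
    $isCfg = $configured -contains $id
    $isRun = $running    -contains $id
    $state = if ($isCfg -and $isRun) { 'OK: configured and running' }
             elseif ($isCfg)        { 'GAP: configured but NOT running' }
             else                   { 'not configured' }
    Write-Host ("{0,-24} {1}" -f $svc[$id], $state)
}

# Exit non-zero when anything is configured but not running, so a pre-test gate
# (or a fleet-wide job over a remoting session) refuses to call the environment
# "ready" until the control is actually in effect.
$gap = $configured | Where-Object { $running -notcontains $_ }
if ($gap) { exit 1 } else { exit 0 }
```

Run it on each host before the exercise, or wrap it in Invoke-Command across the fleet; a "GAP" line is the configured-but-not-running state the speaker describes, and it belongs in the test report as a finding in its own right rather than as a reason to postpone the test.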