
[Unintelligible opening banter about cars, an S-Class and a bike.] Anyway, enough about the cars.

Good afternoon, everyone. This one's actually interesting, because one of my peers actually has an S-Class [unintelligible]. So anyway, I work for a Fortune 1, I want to say Fortune 1, any of the Fortune 500 or whatever it is, a small chain of stores [unintelligible]; I've been there for five, six years.

So first of all I'm obligated to do this: these views are my own and in no way reflect my employer's. Everything here I did on my own time on my own computer. Of course, use all my advice at your own risk, do not run with scissors, and any resemblance to an actual situation is complete happenstance. This actually got spawned from a conversation at the last meetup where we talked about [unintelligible]. So this is about shiny offsec programs, all the new shiny things: red teaming versus pen testing, hiring versus outsourcing, bug bounties, and if you're interested in it as a career aspiration. We're going to talk about all the tough stuff. We're not hacking an S-Class. [Unintelligible.]

So first of all, what is offsec? Anybody believe it's just a training company? Anybody here "try harder"? Okay. Of course we're just talking about discovering vulnerabilities before the bad guys do, right, whether it's in software or a process or a human or social or whatever. So, the classic boring definition of penetration testing:
You've seen this before, but we'll do it anyway, I'll even read it to you: the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. Right, so it doesn't really... what if I told you [unintelligible]? I think there's at least one person in this room that knows exactly [unintelligible]. Not every vulnerability has to be exploited, because there are bugs out there that aren't exploitable and maybe we don't care about, right.

So this probably does include [unintelligible]. This is where it gets kind of a gray area if you're dealing with things like security research; there are some cool firms out there that do malware analysis on products, most people [unintelligible]. And of course the testing is great when you can tie it into the SDLC, the software development lifecycle, but that's a whole other talk and we're really not even going there; we're just getting into this specific thing, and code review and some other stuff.

So Johnny Q. Executive says, hey, I'm going to hire you. What should you look for when you hire pen testers? First of all, curiosity and creativity, right. The best ones I've ever seen have development backgrounds, although some of them came to being a pen tester by other routes. Don't get hung up on degrees: I have guys that work for me that basically dropped out of high school, and I've got people with a PhD on the way, right. So it just depends on the person more than the education. If you're doing code review and applications, a development background really, really, really helps, and even if you're not, it's useful for other reasons than just telling what the developer was thinking at the time. On the network side, of course, you'll need enterprise systems knowledge at enterprise scale; we're not talking about hacking a single Linux box in a lab, we're talking about scale, right. Certifications: the OSCP, the OSCE, right; I'm a fan of some of the Offensive Security programs, a lot less of a fan of some of the other training firms out there; [unintelligible]. It's not just about knowing, so judge it with that in mind. If you're interested in this, participate in CTFs; there are a lot of great learning grounds out there. Follow hackers on social media; I learn probably three quarters of the things that are emerging from Twitter these days. So definitely follow them and make sure you replicate the latest attack in your lab. If it looks really cool, [unintelligible]; if I actually go through it and play with the technology myself, [unintelligible]. And bug bounty programs are a great way to get in there and improve your capability while, you know, making a little bit of pocket money; also a good way to fill up your [unintelligible].

[Unintelligible.] So Johnny Q. has an affinity for red teaming, right. So, red teaming: a very controversial topic; there's been a lot of chatter on Twitter about what the difference really is. In some ways red teaming is a response to what could end up being
a watered-down pen test, and you can call it whatever you want; we all wonder what the point is. My definition here: we're talking about simulating an adversary using the tactics, techniques and procedures of real adversaries, right. This is important when you start comparing and contrasting it with pen testing. So let's do it.

Pen testing is limited in scope, right: here's your IP range, or maybe a host or a cluster, here's your application, here's your boundaries. Red teaming is generally practically unlimited, a very large scope. So in pictures: here's your network, here's your wall, and your little thing is the target; with a pen test it's really hard to get in there, right, it looks like a castle. But with a red team, how do you break in? The whole thing is in scope, right, so we go in wherever it's interesting, walk back around, and we find the things that were generally out of scope for one reason or another, maybe just the way the project was sold. So the thing is, red teaming is really testing the whole organization, which is very, very important, whereas a pen test is often just simply whitelisted, right: you come in through a hole in the firewall and they go through and maybe, you know, write to the [unintelligible] and everything else, and it just doesn't test the whole thing, which is kind of like, what's the point? The point is all the layers of the solution, right. Red teaming is a full-fledged attack; we don't get whitelisted, we come in the way the actual adversaries would. Pen testing can be noisier than red teaming; it isn't always, but it tends to be noisier because you're going through everything at the same time, right, "I'm going to run Metasploit or whatever it is and get going", whereas red teaming should be much more covert.

Pen testing is really aimed at preventing breaches; the whole notion is, hey, we're going to find these bugs before the bad guys actually exploit them. Red teaming has this mentality that at some point you're going to get breached, if you're not already, so let's assume the breach and model it. If you guys have never seen this [slide] before, I'm sorry, but you've got to get it now: give a man a fish, feed him for a day; teach a man to fish, feed him for life. So that's the reason why we model it: because you can do a pen test and find that 0-day in that custom web application or whatever, that's great, let's fix it, but the deal is there's always going to be someone clicking, okay? So beyond the technical, red teaming can also go into the physical and social engineering, right. It's not very often that you're allowed, in a pen test, to go and look specifically at, you know, "can you help me reset my password?" or whatever it is, or go on site and, what if I could just walk in? That's generally out of scope for a pen test; each area is scoped very specifically. Red teaming: bugs are not required. Humans may just click on the thing, or there may be a door to walk right in and plug into the network, and nobody cares, right, because they're not going to challenge you. Bugs are not required. And just to show you the difference: how often do you see, in a pen test report, "we ran into the same thing again, I just uploaded a [file], got a shell, the end"? Right? That's where red teaming starts: okay, I got a shell; what other shells can I get? Where can I go? What can I do? So as a result, pen testing is really about finding vulnerabilities, whereas red teaming is really about the post-exploitation: what do I do beyond that, lateral movement and so on.

The regulatory side: when you guys come up against PCI or whomever, or internal audit, pen testing is in all of those, right; it's all things that the auditors come out asking for. How about this: has anyone here ever seen a red team mandated by any compliance regulation? I've never heard of one, and there's a reason for that. It's really about training and improvement, not just testing a whole [unintelligible]. So what do you think you're hiring for? Pen testing has a regulatory impact; you want to make sure you've got full coverage of this particular application, make sure we're configuring it correctly, we're not missing anything before it gets turned on. Red teaming means you don't hire it for compliance; you hire it to learn about yourself, and this is something that a lot of people think they want, but there's a really subtle thing here: for anyone that
didn't catch it earlier: don't just do it because Johnny Q. read about it, right, and the other word is, don't do a red team just because you heard about it at your monthly meetup. Don't go get a red team just to get a red team, because you're going to learn something about yourself, and you should only do it when you're actually really, really ready for it.

Alright, so red teaming is really diverse: Windows, Linux, Mac, mobile, DNS, infrastructure, [unintelligible], social engineering, physical. So it's really important to have a very diverse team, because there's a lot of stuff you're going to have to cover. You don't want, like, nine guys that all do the same thing, because you're not going to be very good. What you really want, when you're standing up a team, is to make sure you've got all of these things covered as well as you can. Go through and actually do an audit: what skills do we not have on the team? And then go find the people that fill those gaps and bring them in.

Another thing: there's something magical about the number three. The word is red team, not red couple, not red pair, not red person; it's red team. Something magical happens at about three people. One example: how many people like to work more than eight hours a day? Yeah, just a handful, but most people, you know, like eight hours, ten hours, and that's it. The interesting thing about an organization is that they have to be secure 24 hours a day, right, and one neat little thing about having a team of three is that it can be split up into three eight-hour shifts, and if you work a little bit longer, you overlap with the next hand-off and you're there to help. That's just one example. Another thing is you need to have people in different roles, just like the diversity I commented on a minute ago. So there's something really magical about three. So if you're sitting talking to Johnny Q. and he says, "I'm going to go stand up a red team, I'm going to open up two reqs, two FTEs for this", no, don't; either start at three or don't do it. So there it is.

If you're one of these teams, start with real-world breaches. Real-world breaches, that's hard to say. This is the hard part, because what we're trying to do is model a real breach as robustly as we can. We don't want to go after some theoretical breach where, "if I'm riding a unicorn and I shoot an arrow, then this shell will appear". You've got to make sure that it actually looks like something that's actually been done, right. So you look at things like, hey, the latest breach happened to be [unintelligible], RAM [scraping], they moved laterally, got elevated [privileges], and you model the real breach. Mythical things are out.

Also, have a background in administration, right. It's not required; I know a lot of people who are really good at red teaming without it, but having a background in system administration, this seems kind of weird, but the premise is: if you are a really good admin, then you will know how to be a really good malicious admin, and it'll help your team with knowing exactly how a box is configured. Your social engineer gets a shell, and then you come in and actually manage all the shells; managing shells all day is just managing machines in a covert way. So it's good to have a background in that.

Absolutely, you need to learn how to collaborate with a team. If you can't collaborate with a team of three, minimum, whatever it is, if you're a jerk and you don't have the ability to collaborate, that's a problem; collaboration is extremely important, so make sure you can do that, and if you can't, don't get into it.

Another thing, and this is a really big deal: learn how to live off the land. There's a really good reason for that: the well-resourced threat actor is indistinguishable from a competent system administrator. Why would I drop a tool that's got a signature on it onto a machine when I can just use what's there? I can make a new user, I can run PowerShell, I can run whatever's needed using whatever's available. If there's a configuration management tool in the enterprise, I can just use that as my command and control. So those are the types of things you need to look at. Tools in this space: Responder, all kinds of tools for lateral movement [unintelligible]. You also need custom tooling: design and development skills.
Any red team is at some point going to hit a limitation as to what tools they can use, right. If you go buy an off-the-shelf tool, or if you go use an open source one, at some point you're going to get to an organization where they have signatures for all the binaries you drop and signatures for all the network traffic associated with them, and you're going to be extremely limited, whereas a real actor is going to go build something new, right, and when they develop something new, you should be doing the same sort of thing.
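Added example, not from the talk and not anyone's product: a Python sketch of the two points above, that a dropped binary gets caught by a signature while a living-off-the-land command does not, and what a blue team has to baseline instead. It runs a naive signature list and a context baseline over a handful of constructed process-creation events. The event layout, the tool names, the account and host allow-lists and the rule thresholds are all assumptions for the example. The wmic line from the workstation is byte-for-byte the admin's own command from the jump host; only the context (who, where, what spawned it) separates them.

```python
"""Signature match vs. context baseline over constructed process events.

Example code added to this transcript; the log format and allow-lists are
assumptions made for the example, not the speaker's or any vendor's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events (not real telemetry). Line 4 from WS-0042 is the
# same command an admin legitimately runs from JUMP-01 on line 5.
SAMPLE_LOG = """\
host=WS-0042 user=jdoe parent=outlook.exe image=winword.exe cmdline="winword.exe /q invoice.docm"
host=WS-0042 user=jdoe parent=winword.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA..."
host=WS-0042 user=jdoe parent=cmd.exe image=mimikatz.exe cmdline="mimikatz.exe privilege::debug sekurlsa::logonpasswords"
host=WS-0042 user=jdoe parent=cmd.exe image=wmic.exe cmdline="wmic.exe /node:FS-01 process call create cmd.exe"
host=JUMP-01 user=a-smith parent=cmd.exe image=wmic.exe cmdline="wmic.exe /node:FS-01 process call create cmd.exe"
host=JUMP-01 user=a-smith parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File Deploy-Patch.ps1"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text: str) -> List[ProcEvent]:
    """Parse key=value lines (quoted values may contain spaces) into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields: Dict[str, str] = {k: v.strip('"') for k, v in _KV.findall(line)}
        events.append(ProcEvent(fields["host"], fields["user"], fields["parent"],
                                fields["image"], fields["cmdline"]))
    return events


# Signature approach: file names of well-known dropped offensive tools.
KNOWN_TOOLS = {"mimikatz.exe", "responder.py"}


def signature_hits(events: List[ProcEvent]) -> List[ProcEvent]:
    """Flag only executables whose name is on the signature list."""
    return [e for e in events if e.image.lower() in KNOWN_TOOLS]


# Baseline approach: hypothetical allow-lists an org would maintain itself.
ADMIN_USERS = {"a-smith"}
ADMIN_HOSTS = {"JUMP-01"}
ADMIN_TOOLS = {"wmic.exe", "powershell.exe", "net.exe", "sc.exe", "schtasks.exe", "psexec.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def baseline_hits(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Flag built-in admin tooling used outside its expected context."""
    findings = []
    for e in events:
        if e.image.lower() not in ADMIN_TOOLS:
            continue  # not an admin tool; leave it to other rules
        reasons = []
        if e.user not in ADMIN_USERS:
            reasons.append("admin tool run by non-admin account")
        if e.host not in ADMIN_HOSTS:
            reasons.append("admin tool run outside the admin hosts")
        if e.parent.lower() in OFFICE_PARENTS:
            reasons.append("spawned by an Office document")
        tokens = e.cmdline.lower().split()
        if "-enc" in tokens or "-encodedcommand" in tokens:
            reasons.append("encoded PowerShell command line")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("signature hits:", [e.image for e in signature_hits(evs)])
    for e, why in baseline_hits(evs):
        print(f"baseline hit: {e.host} {e.user} {e.image}: {', '.join(why)}")
```

The signature list catches the dropped mimikatz binary and nothing else; the baseline flags the encoded PowerShell spawned from Word and the workstation wmic, while the identical wmic from the jump host by the admin account passes clean. That is the speaker's point from the defender's side: once the red team (or the adversary) stops dropping tools, the only signal left is who ran the built-in tool, from where, and spawned by what.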
So, hiring personnel, and this is kind of controversial. First, the direct hire, right. Obviously you retain knowledge: you hire somebody and you keep them in the org, they know the environment, and you get deeper penetration after each iteration, after about three. You also get flexible lead time for testing; how many people have dealt with a consulting firm that said, "well, yeah, we can't get anybody for four weeks", and you're like, "but I want it now"? It doesn't work. Another pro is year-long testing; you can't just go, "well, I can hire the people over here and I can test this quarter, you know, I took a week here, and then I can wait another week after that and get another one", and then there's another project, whatever, right. Another one: no drive-by reports, right. How many people have gotten, "here's your report, thank you for your check, I'm out"? Right, so when you hire correctly, you don't have this; that's a pro.

The cons: it's expensive, right; you have to pay an FTE salary, and it's all year long. Let's just say there will come a time where that doesn't make sense. Also there's conflicts of interest: if you have a security team with that skill set on board and they're also your system engineers, they're either going to be attacking the things that they put in, or, you know, if you really get good testers they're going to be really good engineers and poor testers; you can't serve two masters, right. So that's another con.

Another one: if you hire these guys and they're on your team, you need to invest in the training. If you don't invest in the training, if you don't have a budget to do that, guess what: they're at this level and they're never going to progress beyond that level, and so you're going to have gaps in coverage and all that stuff. So that's a con. Then there's all the specialized hardware, right, and you're going to have to buy it, so it's not just the hiring. Pretty much these days, if you're not using a MacBook Pro it's probably because you're not touching a variety of things, but just as an example, you might have [unintelligible], maybe the wireless gear, different gear, whatever; you're going to have extra stuff, and you have to make sure you have a budget for that.

Another con that some people look at is the same-eyes problem, right: I hired these three people, and they look at things the same way all the time, and they have the same strengths and the same weaknesses, and so the things that they find every time might be the same thing five times in a row, because they're not familiar with something, or whatever it might be, so there's a lack of [unintelligible] every time. [Unintelligible] 365 [unintelligible]; so it doesn't mean you would not outsource. There was that guidance [unintelligible] on Twitter, about a year ago [unintelligible], that said this problem is routine; how many people remember that? Because it said, "I'm going to bring in new testers every single year" just so we have that diversity, and rotate every year. You can do that kind of thing. You can also be realistic about your skill set: there are only, I think, two people I know that I would trust at this point to go actually hack [unintelligible], because there's not really a lot of people who have that skill; it's a lot less common, right. So it'll just come down to that.

So, budget concerns. Let's just say, for example, you have a hundred thousand dollars this year; you're a small shop and it was only going to pay for three pen tests, which I think is actually a little bit on the low side depending on what you're doing. And then something happens, like 24 hard drives die in a day, and "oh no, we need to go buy a bunch of stuff", so we reallocate $50,000 from the pen testing budget because you have expenses, and now you're left with semi-annual pen tests, right. That's one way to look at it. The other way: take a nice little metric, cost per finding [unintelligible], and really ask, am I getting a better test or not? It really depends, right. If your testers aren't finding as many things but you're getting a lot of low-hanging fruit cleaned up, there might be a better investment of money somewhere; it's just an example.

[Unintelligible.] And for all of the consulting people in the room, pay attention to this slide, because I'm going to debunk how that stuff works, right. So when you hire consultants, this is the number math, roughly. Their consultants are FTEs too, with training and hardware and all that stuff that goes with it, so you're still paying for a chunk of that, right. So take all of that, divide it by 2,000 hours a year, and multiply by the number of engagement hours; when they say, "hey, we've got you for a week", that means 40 hours, so that's what you're paying for. Then the other side: overhead, buildings and so on; I'm throwing in 40 percent, I hear some shops are more; and then of course you've got travel expenses, marketing, sales commissions, attorneys, office, training, all in there. So at some point you're going to say, hey, we might be exceeding the point where hiring makes sense. Of course, this is my hypothetical consultant bench:
[Unintelligible.] How many people have been the junior on an engagement who had a lifeline to the principal consultant? At one point I was the junior consultant who did not have a lifeline but would pull the principal consultant's lifeline anyway; I've seen that happen. And when you're a consultant in that kind of environment, sometimes you don't get the help, because the principal has billable hours just like you do; he's got to bill his hours, and helping you out is time that he's not billing over there. And then, you know, the numbers are wrong; it's just a big problem, right.

So the hybrid has become popular, staffing-wise or budget-wise. If you're slick, the thing I'd recommend you do is hire junior, mid-level, etc., then go and contract out for senior-level people to come help you on short engagements, and have that FTE on staff shadow the consultants. But you're going to have to be very careful with your language and with the provider you choose, because not all consulting shops are going to like this idea; but some will work with you. So the question is, hire or outsource? I'm not even going to answer it: it depends, right. It's really dependent. [Unintelligible audience banter.] Alright.

So obviously red plus blue equals purple, or red team plus blue team equals one team. This is just a really simple example of not doing this: you just take whatever you got from the consultant and just throw it over the wall and say, "here you go guys, here's your report", right. The notion is that breakers can help the fixers too, and that your goal is to move a needle; it might be some sort of needle on a dashboard that shows [unintelligible], but it's still to move it forward. I find this is pretty near impossible without insourcing and retaining, unless of course you get one particular thing: a very large, very specific, expensive contract. The reason is you're not going to buy multiple pen tests [unintelligible]; consulting shops aren't ready to do that kind of contract with you. I know there's exceptions to the rule, but most often what happens is red are literally just jerks, and if blue are willing to listen and you do that, you go from red versus blue to purple; that's special at the end of it.

So, bug bounty programs: this is outsourcing by definition, right. The whole idea is, I'm going to crowdsource my offsec program, which leads me to this notion of, I've got many eyes looking at my stuff but I only have to pay out when they actually find something, or as I like to say, it looks like a dollar an hour, right: you have a thousand hours of people reviewing your site and you pay out a thousand dollars; there you go, here's your dollar an hour. Another thing a lot of people are looking to grasp is a mechanism for
responsible disclosure. When you get an email out of the blue from somebody who says, "hi, I'm a security researcher, I found a way to steal credit cards on your website", and you're a Fortune 1, right, that's a problem. That goes up to the, you know, CEO and the CIO, eventually heads over to whoever has that particular business unit, and they sit on it for nine months and then forget it, and the researcher gets fed up, goes to YouTube and publishes how to do it. That's a big problem, right. So if you have something like this, you say, hey, guess what, come over here to the bounty program; just submit your details over here and we'll go through everything. And if you are just a lying sack that's trying to pick pockets, or trying to get a contract, or whatever you're after, I can insist you go over here rather than to the executives, and I can put you in a spot where somebody with technical skills can validate you, rather than it going to the media, to Twitter, and so on. Now, if you're going to use a public bug bounty, you'll end up buying some duplicate reports; if you don't manage that, you'll pay twice. I've had experiences where there are businesses where, you know, the bounty researcher says "pay me again", and actually, you know, there have been three reports in the last four years for that same thing. So make sure you keep track of that. So the open question, which I'm not sure how to calculate, whether it's FTE or contracted out or whatever it is, is just having a clean operation.

Public versus private programs. [Unintelligible.] The difference is: public, the payoff is always something that's tracked through the payment provider, and it's all out there; in a private program you only see the researchers you invite, and there's some verification [unintelligible]. Here's a good segue: I welcomed the sponsors recently, and it's really [unintelligible]. Somebody said to me that bug bounty is eating commodity pen testing in many ways, and my first reaction is, that's crazy. But in a way, if you think about it, all you're doing is putting up an externally facing web app and you've got just a handful of people looking at it; there's not a lot of difference, except for the incentive model, and I'm a big fan of incentives. So bounty programs [unintelligible] do that in a less expensive way. I'm not going there yet, but it's something to watch; this is where this is headed. From the researcher's perspective, Johnny Q. says, yeah, look, it's good progress, good experience, definitely go after it; if nothing else, if you're fresh out of college here, or early in your career, you can say, "hey, I went to one of those bug bounty programs, I found these vulnerabilities", and all of that is verifiable. You get a reputation value out of it: "I did this". It's not just some kid fresh out of college that has nothing to show;
you've got something of value, and we can really help you out in that regard. I wish this stuff was around when I was fresh out of college, because this would have been a really big achievement back then.

So to recap: we have shiny offsec programs; we talked about red teaming versus pen testing, outsourcing versus hiring, and of course bug bounties. So with that, are there any questions?

[Audience question, paraphrased: if you go the outsourcing route for red teaming, how do you make sure you get the extra value out of the engagement, above and beyond the basics?]

So, if I were to hire an outsourced red team to do an engagement, I would look at the reputation of that group; that to me would be everything. The stuff that they produce, the types of publications, what they share back with the community; and I would also look really heavily into the methodology, which they might not be discussing with you. I would not just take any run-of-the-mill shop for that. And again, like I said, this is a loaded subject; there's a lot of people that claim things. My favorite answer, if somebody says "we do red teaming", is to ask them, "what does red teaming mean to you?" Every time I've ever heard somebody say, "hey, yeah, we do red teaming", I ask, "what does that mean to you?", and you make them define it first, and then you know whether or not that is the definition you have. Some people think red teaming is just "rip your head off", and some people think it's pen testing with a little bit of sampling and lateral movement, and other people are like, "I'm going hardcore, I'm going to mimic these particular threat actors with this exact type of TTP, these exact techniques, right, and with these very specific objectives". If not, "I'm going to pop a shell and do a pretty screenshot and get out", that's not good enough. It's going in there and saying, hey, I'm going to come in and I'm going to look like this particular organized criminal type of group. Some will actually name threat groups by name, like they're going to say, "APT28, we're going to go do exactly what they're doing"; that may be too far down the other side, but going in with, "hey, I'm going to act like an organized criminal group, I'm going to come in, my target objective is to get credit card data, HR data, whatever that is, and exfiltrate it". Notice that my objective is not "get domain admin and generate a golden ticket and give you a screenshot", right; that's not it, because they'll say, "if I know that you're watching for things like golden tickets, my objective is to get HR data; I don't have to be domain admin at all; I have access to the HR system, I've got the data, I win, right, at the back end". So my objective would be to go as low as I can. So really look for a very, very mature model about the objective, not about the [unintelligible].

[Audience question, partly unintelligible: in bug bounty programs, how do you limit the risk of researchers [unintelligible] resources?]

This is a question I can't answer, like, so this is the thing I think is the one last hurdle, and I can tell you, I've had conversations with one particular [provider], I won't name them, and what they said was, they use the term "researcher"; it runs through the whole program, and there's also a certain level of ability they establish based on the types [transcript ends]
just the size defining for the divine Jenner they're valid that generally accepted their time value the quality to deal with the client versus Michael leg all those sorts of things get kind of scores and kind of build a reputation of that person or degree time and then at that point I Pacific for talking about we're going to have a private Lake Valley program in place of a standard pen test program active force in $1.00 to me or whatever and you're going to give us the sort of trusted access and then that bug bounty program in exchange as I understand it we would say we're going to take off of that risk we're going to identify you from this bad
actor we're going to value this person we're going to do some sort of outside third-party validation even though they may be a prolific in the state country right they're going to be some sort of a we know who to first this we know where they were they really know how to pay them and we've seen quality resort results so speed up the lateral of the reputation piece and it will pursue they really figure them out and really know how to market to tell it I think you're gonna see a lot of generic access shops that you say and when it and here you go out of here you'll start to go out the window in exchange for
these I'm getting a deeper bug kinds of models I think it sounds different so that's a great way at the attack with my optimism I get over that that one issue is all that and then maybe I would be too long cause I'm completely okay all right so I have a certain different and he gets without elation exaltation how I get results on that convoy how to get our license object we have fallen for it so restated question back so brandy blue team branding program not security company regular tomorrow industry and I want to do some sort of perimeter of analysis right so the first of all for analysis I don't know that we even
necessarily go to the RISD model first first thing is first i which is both camp from outside I would go to orderly as a service first because if you know we don't really rely on their being Arab of codex is for building in a on your network if expose Internet we find them we like it when we find them we actually do a little damp because this is that rare these days right that's actually find something like that in fact or more like they find get some weird subtle thing that is there that is combined with two or three other weird things then we can get code execution and that's the only reason why you haven't
stopped by it alright it's not likely you're going to go find like Tomcat add an admin default friends with full like upload a war file against shell on your honor boxes on it dull days unfortunately my old age poor ceiling are gone from a testing perspective when you want when your goal to get it up you know obviously if this works a bit so what I would do that's right there I would saying all right ball campers just pods out there let's figure out what our services alarms where it's just basics here here a what aim is where we have look what vulvar there go get those first and then I would only consider risky when I'm really ready to look at
that use email second because that whole idea of a Brenner you know everybody knows here that that's not really something anymore freshness their makeup yeah how do you get the purple effect out so um whatever you is I would make it up front let's just say you're whether you're dealing with Jenny convert us out I would make it up front that I will have to go through what a digital hours basically so you're telling your client or your business partner your consulting firm that hey I want to digital hours at the end of this for an outreach where we're not just doing it a talk and you're not just doing in slide back in your whatever
they're just this down one is only on the knowledge either side and you're gonna walk through the it leaves my three or four or five major steps in the exploit chain that were actually eat w deal and talk about what those are so you see it for both live free burritos was talking earlier to people what we do and after our tests we call up these things purple team controlled advocate these tests the ticket that these things are just able to paint we do see this why not a pro here how will we hear how to see this money anyway