The Red Teamer
TL;DR: Former red teamer Adam Bangle founded Push Security after watching cyberattacks shift from network exploits to stolen cloud credentials. The Snowflake breach exemplified this: attackers bought cheap credentials, logged in, and exposed…
Adam used to break into companies for a living—legally. As a red teamer, he watched the attack surface shift from networks to endpoints to something new: identity. The Snowflake breach proved it—attackers aren’t breaking in anymore, they’re logging in. Adam saw it coming, founded Push Security to stop it, and now he’s here to break it all down. They’re our new sponsor, so if that’s not your thing, no worries—catch you in the next one. But his story? Fascinating.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: Adam used to be a red teamer.
Speaker 2: I entered the industry at some point as, you know, an ethical hacker.
Speaker 1: He would get hired by some big organization, and it was his job to play a part in a simulation, to play the role of an attacker.
Speaker 2: We were basically the team that you would call in if you felt like your security was really, really good and you wanted to experience what it was like to undergo an attack from a really sophisticated threat actor.
Speaker 1: He shows up, tries to break in, and in doing so, reveals the vulnerability so they could fix it before someone else uses it.
Speaker 2: So we would very often simulate, like, you know, Russia or China or whatever adversary someone wanted, like a state-government-sponsored attack group.
Speaker 3: He had a really interesting way when he was describing their old job because I don't know if you listened, but he was talking about how they used to get paid on a per-milestone basis. So they'd get contracted by these companies and they'd be like, you have three months to try and transfer the money from this account, and we're gonna pay you this exorbitant amount of money if you can do it. And he's like, sure. Great. Forty-eight hours later, they'd have done it and be like, give us all that money. And they're like, well, we thought it would take you three months. He's like, well, that's not what the contract says.
Speaker 1: And over time, he starts to watch this shift happen.
Speaker 2: You know, attackers always go to the point of the lowest friction, and so just going after the weakest link because you've raised the expense of an attack somewhere else.
Speaker 1: People in these roles often talk about the idea of, like, an attack surface. It's the sum of the different points where an attacker can get a toehold into a system. And they're watching the attack surface of all these organizations they've been paid to breach, start to change. In the early two thousands, that attack surface was the network. Securing it was like locking down open ports and stuff like that.
Speaker 3: Yeah. Firewalls, infrastructure side, keeping the walls of the fort big and strong.
Speaker 1: Then it starts to shift to the user's device, what they called endpoints. That became the battleground, the way you would get in.
Speaker 3: Then you got things like EDR, endpoint detection and response, which is looking for, like, malicious code running locally and, like, grabbing it and containing the problem before it becomes an issue.
Speaker 1: And Adam starts to get this sense that he can see a turn coming. Another shift in the attack surface from the network to the endpoint to the browser and specifically the identities that we use in the browser.
Speaker 3: We use the technical term identity. To really boil that down to something that most people understand, it's their logins, user credentials, login password, multi-factor authentication, things like that can build up and constitute one's digital identity in this case.
Speaker 1: And why would you spend heaps of money developing malware when you could phish or even just buy some leaked credentials and immediately get to work? Last year, the world kinda had this moment in the form of the Snowflake breach. There was no lab developing malware, nothing that complicated, just an attacker who bought credentials to some identity, logged in, and got to work. And before you know it, hundreds of businesses are exposed based on just an identity in a browser leading to one of the biggest data breaches of all time.
Speaker 3: An identity that was purchased probably for a few cents on the Internet.
Speaker 1: That attack surface had shifted again.
Speaker 3: When we were talking through this before we recorded and, like, just kind of, like, having a chitter chatter, the he's like, why would you spend all this time doing all these complicated things, trying to penetrate through all these complicated security systems. When you could just buy some creds on the Internet, write a few scripts, have it ping your Slack notifications when you, like, when it had a successful login attempt. And it's like, you go to the pub, have a beer, and just wait for your Slack to notify you that you've, like, compromised a big international enterprise.
Speaker 1: After he gets back from the pub, Adam goes on to found Push Security. They're our new sponsor. So, disclosure, this is technically sponsored content. If that's not your cup of tea, no harm, no foul. We'll catch you in the next one. But we found Adam's story, of this red teamer who saw a thing coming, just absolutely fascinating.
Speaker 3: I will say that this is, I guess, technically sponsored content. Like, this is not contractual. We just wanted to talk to Adam. Yeah. Because, a, he's like a great guy to talk to. B, he's super legitimate. And, c, he's got amazing stories. So, like, we didn't have to make this episode. We wanted to make this episode. We think it is a good episode.
Speaker 1: Yeah. It wasn't part of the deal, but we wanted to do it anyway. So we sat down with Adam to try and kinda understand that evolution we're talking about, about how he learned to think like an attacker and where all of this goes next.
Speaker 3: So if you wanna hear the story of a real high level cybersecurity professional and their journey through this ecosystem, listen to this episode. It's very great.
Speaker 1: Let's get into it. This is our conversation with Adam from Push Security on this episode of Hacked. We were talking about this hypothetical, which is there's a bad actor, and they're trying to get into some kind of big institution, financial, health care, whatever it is. And they're presented with this forking path, this choice they have to make about how they wanna go about it. And I really like the way you put it. I was wondering if you could take us through that choice of how they would do that.
Speaker 2: Yeah. Definitely. I mean, it it came a lot from our background as a founding team. Like, this is what we did. So we were offensive security team, basically. So we do attack simulations quite a lot.
Speaker 3: Mhmm.
Speaker 2: And we lived very much through this era of, you know, when I first started doing it, doing client side attacks against endpoints just wasn't a thing. Like, it was all about external perimeter testing, right? So you were doing things like port scanning and vulnerability scanning across public facing infrastructure, and then that was like the wall you had to break through to get into the company. And then as that got better and better and better, it got harder and harder, and frankly, the tests got more boring. And so we went through this kind of approach where we were like, well, why don't we just hop over the wall? Like, why don't we just, you know, go and apply for a job on the company website? But instead, we'll send them a CV, but let's embed a macro into it and, like, get code execution and take control of the endpoint. And then from there, start jumping around inside the network. Right? So we went through this era shift, if you like, where not just the exploits and the tactics changed, but it was like a whole MO change, if I'm a certain. So we lived through that for a ton of time. And then as we started to come out of the back of, the, you know, decade later, we've seen the shift again. And so we've been talking a lot recently about now everyone's very cloud and SaaS orientated. If I was an attacker today and I was gonna target an organization today as it was, what is the most cost effective way to break into infrastructure? Is it to go away and set up online infrastructure with a lab with all of the different EDRs and all of the different AVs and create EDR-evading malware and C2 infrastructure that tunnels out via DNS that gets past all the network traffic and all this different stuff, and then compromise an endpoint and learn how to persist and then move through the network for a month and months?
Or is it better for you to instead take a list of the top 10,000 SaaS applications, write a script which then goes through and, like, tries usernames and passwords, and constantly takes clear text credentials off of a criminal marketplace that are up for sale, and just sprays them against everything, and logs in. Right? And so if you think about it in that way, in terms of attacker ROI, it's like the second way: you can write this automated script, you go to the pub, and you get a Slack alert, or a message on your phone, saying, hey, you've just compromised someone's MDM solution. You can deploy ransomware across everything. So anyway, if we were thinking about it this way, we were like, this is actually insane. Like, this is the way that attackers are gonna start to compromise organizations, and companies are becoming more and more supportive of that in terms of their architecture looks that way. It's very cloud orientated. And that was why, and so for us, that's why it became like another shift. Just like moving to the endpoint was a shift, now moving to the cloud perimeter is clearly another shift that the industry is facing.
Speaker 3: Right. So you guys you guys are targeting primarily or or saying that the the target would be primarily identity.
Speaker 2: Yeah. Like, in the same way that in that first era we're talking about, it was open ports on public IP address ranges, and you would port scan them to find. Now you're talking about identities, which really we're talking about user accounts, right? So, yeah, credentials. And then people say, okay, well, I don't get identity being a new perimeter because we've always had identity, we've always had credentials. The difference is they always used to be inside your network perimeter on internal systems, but particularly in the pandemic they all got just pushed out online, and so there's thousands of them sprawled across the internet under your company domain. And now they're accessible, right? So there's billions and billions being spent on network security in your infrastructure. The attacker is sitting at home targeting identities straight on the cloud. They don't even touch your network. There's no logging, there's no detection. The impact's just as high because there's a SaaS application for everything. You know, even your EDR is SaaS, so you can just compromise that and you can use that to deploy ransomware across the estate. So this attack surface now is the new attack surface that companies are having to defend, and it's a big problem for the industry that I think needs a lot of attention.
Speaker 1: When we sort of started, or restarted, the show in and around 2020, just before the pandemic kicked off, just before all of that shift towards these decentralized systems that we use to run our businesses, it did feel like so many, especially the big stories, the big crazy hacks, the nation state level stuff. They were security labs. They were funneling millions of dollars into R&D, all of these man hours, to try and develop these compromises from nothing. And it's felt like in those five years since, it's just shifted towards, oh, that massive catastrophic thing that happened. That was like a contractor of a subcontractor of a subcontractor whose, like, Microsoft Teams or Slack or something got compromised. Like, it's just that the way the stories are shaped has changed so much. Was that shift in COVID towards these more remote, decentralized teams the thing that shifted this the second time, to kinda borrow your framing?
Speaker 2: Yeah. Normally, whenever there's a big shift like this, it comes from two things. It comes from, broadly, a technology shift. Right? So I think the first technology shift was just, you know, when the endpoint thing happened, it was very more independent workers, some of which were working from home and some weren't. And so, like, the endpoint sprawled out of this, you know, castle wall kind of approach. Right? And so people used to say, if you remember in that era, people used to go, the perimeter is dead. Right? And that's because they were thinking about this castle wall around the infrastructure, and everything was in there, and that was it, and you couldn't go around it. And then people started working from home, and so the perimeter was dead because they just brought it outside. So you had to move on to the endpoint to keep hold of that perimeter. So that was the first shift that came around, and if the profile of a company changes, then the profile of the attacks changes too. And so, yeah, I think then now everyone's moving to cloud. Like, if you look at modern companies, their office isn't a network infrastructure. It's Internet connectivity to get you to a cloud infrastructure. And there's nothing in the middle. Like, you don't need proxies, VPNs. You don't need any of those things. So the profile of a company is changing, and so therefore, the way that attackers need to target those companies is changing. Right? So that's the first thing: as those companies become the default, attackers need to think in a different way to attack those sorts of companies. The other thing I think is just literally about, you know, not everyone looks a 100% purely like that. Some people are in that transition, so they might have originally been legacy, and a portion of their infrastructure is like that. Maybe 20% of their company is like that.
But because of the fact that the 80% is so well protected, because we've had a whole decade of building security controls around it, that 20% becomes the weak link, and so attackers will just go straight for wherever the easiest point is. Right? So I'd say, like, one, it's about the technology shift and the profile of the company changing. The second is the point of, you know, attackers always go to the point of the lowest friction, and so just going after the weakest link because you've raised the expense of an attack somewhere else.
Speaker 3: So you came from a red team background, and so obviously that that facilitated and built, you know, your perspective into this attack surface. You know, what really what really got you here? What really made you think this way and and and come up with a solution?
Speaker 2: Yeah. So I've always loved security. I actually don't know why. Like, when I was a kid, the idea of taking stuff apart was really interesting to me for some reason, and it just happened. It sort of evolved into security and finding ways around different things. So, without giving you my full childhood upbringing life story, I entered the industry at some point as, you know, an ethical hacker, I guess, was the thing. And it was a really special company called MWR Infosecurity. We're in the UK. This place was incredible. Like, I think the average age of this company was, like, 20 or something. And maybe younger, like, late teens. Just a ton of really smart engineers who'd come out and just found their own way, like, learning how to break systems. And so it was a very research-led type company. We were always breaking the boundaries of what would need to be done, and that's the kind of culture you need in that sort of company. Right? Because bear in mind, you're really going up against huge behemoths like Microsoft. Right? People who've built these big security controls to not be subverted, and you have to think outside the box to get around them. So everything you're doing is always going into the new. It's always going into the unknown. It's always trying something that hasn't been tried before. So it's a research organisation, and I was there for about a decade or so. I was employee 15, went all the way through to, I think we were about 400 when we ended, which for a service company is pretty big, given it's all service oriented. We were basically the team that you would call in if you felt like your security was really, really good and you wanted to experience what it was like to undergo an attack from a really sophisticated threat actor.
So we would very often simulate, like, you know, Russia or China or whatever adversary someone wanted, like a state-government-sponsored attack group. And so we'd do things like, rather than it being like a day rate, companies would pay us a fixed fee over a fixed period of time and it would be goal orientated. Mhmm. And they might say to us that we want you to transfer this money out of this account, or we want you to get access to a secret project. And it was therefore in our interest to achieve those objectives as quickly as possible. So very often we'd be given a three month timeline; forty-eight hours later we had full control of the whole company. You know, it was like Ocean's 11 kinda style attacks. Right? And you know, don't get me wrong, it had its fair share of application testing and writing reports as well, but what we were known for were those high end red team offensive security engagements and the research we did. Yeah. That was what we were really, really known for. And so that was the background we came to. And then that company got acquired. We left, and my founding team and a lot of the core members, we started off Push. And that was really the mindset. We're like, okay. Well, we've lived through this era shift of people moving to the endpoint. What now? Like, what's gonna happen next? And we decided to get ahead of the curve, and we could just see that it was gonna be identity attacks were gonna come up to the market. So it was really interesting though because I will say we had a bit of a shock when we came to the real world. Because to us, like, doing an identity attack was just so obvious. It was like, yeah, of course this is gonna happen. I mean, it's completely unprotected. You can just compromise identities in the cloud and Yeah. Take full control.
Speaker 3: If I can buy a piece to the front door, you know, why wouldn't I?
Speaker 2: Yeah. Exactly. It's like we couldn't not see it, you know? And so we were like, wow, this is great, and this is the next big thing. And we went out and we published research, and we were talking at conferences. We were on podcasts, in fact, talking about this and saying how this big problem is gonna happen. And everyone was like, oh, yeah, that sounds like it's gonna be, you know, a future problem. Like, at the moment I'm trying to deal with this stuff. So I think at the time when we first spoke about this, people always found it a very interesting theoretical future. And the mindset in the industry, I mean, understandably, like, why not, not everyone's a red teamer. Right? But, understandably, it's like everyone's thinking about Microsoft 365 as the thing that I put online, and that is the keys to the kingdom. You know, that's the identity that matters. If someone hacks into Microsoft 365, they can therefore get down into every other application behind it. You know, it's true for, insert here, Okta, Google Workspace, whatever you use, but the primary IdP is what I'm talking about. So Mhmm. The mindset was very much that that's what matters. All the little applications on the outside don't matter so much. And we were saying, well, actually, if you think about the traditional network perimeter, that's a bit like saying, look, I've got, you know, 400 hosts on the internet, but as long as I secure my VPN and my website, I'm all good. But every time, the way we'd get in is the little development server stuck on the side somewhere that had a vulnerability no one knew about, and we'd use that to pivot through the DMZ and break into the whole infrastructure, and then just come back on the website and the VPN and own everything else.
So, yeah, I mean, history just sort of told us that this was true, and we did lots of research into showing how you could compromise a trivial application and move laterally from that application through. And people found it very interesting, but really July last year was the point where everyone woke up and they kind of went. And what happened there was, I think you spoke about this before on the show. So just to refresh with people, Snowflake's a big important database. People are fighting lead attackers off of endpoints all the time. Attacker comes along, buys some credentials off of the dark web, in clear text, that were up for sale from a, you know, a prior campaign, and logged in. Like, that was the attack, you know, basically.
Speaker 3: It fixed if it's in there.
Speaker 2: Yeah. Exactly. And there was a huge awakening where, all of the research that we've been doing, all the things we've been talking about, we had a lot of people come back and go, hey. Okay. We get it. You know, there are other identities that are out there now. And for us, it was a good time because, like, we're in this to improve the industry. Right? We're not in this to, you know, like, we didn't sort of inherit a product and a company, and then we're trying to work out a way to get people to buy it. You know, it was like we saw a problem that was coming, and we've been working away to figure out what is the best way to solve that problem. And because of our research background, it's just built in us to sort of research in this way. So talking about it for a long time, it was rewarding. I guess in the same way that, I imagine it's like what an environmental activist feels like, you know? Like, you're sitting there, and you're telling everyone that a comet's coming, and no one will quite listen to you. And then on the day the world's about to turn to cinders, you're probably sitting there going, oh my god. The world's about to turn to cinders, but yes.
Speaker 4: Now you get it.
Speaker 1: This isn't good, but I told you.
Speaker 2: Yeah.
Speaker 3: Yeah. Oh, man. Yeah. That's great. Because the, the other thing too, like, password reuse. So, like, when it comes to identity and credentials, like, one thing we've talked about on the show a bunch is that, like, a lot of people reuse their passwords. So it's like a credential for one system could be a credential for a bunch of other systems. And I'm sure that, you know, facilitates the opening of so many doors in the cloud space. So
Speaker 2: Yeah. A crazy number. In fact, we see that in our data now. So it's well over a third of [Speaker 3: That's crazy.] passwords are reused, yeah, across all places. And it's problematic because, you know, if you look at the traditional domain, you know, when you're hacking Windows or Active Directory or whatever, you would break into a trivial server somewhere. And the first thing you do is pull all the hashes off and spray them across everything else in the network. And so it turned a single compromise into mass compromise in one go. Credential stuffing, when, you know, Sassencat is exactly the equivalent. I mean, you don't get hashes, obviously, but clear text password against one. You know, if I've just broken into a wiki, who cares about my wiki? Well, you know, it's not that big a deal. But if you take that and then you spray it across every other application on the planet, and you get access to another 50, now it matters. You know, it's a really big deal. So
Speaker 3: Yeah. We've been talking about that since I think Ashley Madison Yep. Was the first time we started talking about because they because I think the the salt or they were unsalted or they had, like, a very basic salt that was also exposed in the hack. So essentially, the password database was cracked, like, really quickly. So all of a sudden, there was all of these identities kicking about, and we've been chatting about that for years.
Speaker 2: I remember that. Yeah.
Speaker 1: I mean, I'm curious for your take on that then, like, you spot this era shift coming. You spin up this project to try and address it of, like, everything's shifting to identity. That's gonna be the new vulnerability. Snowflake happens and everyone goes, oh yeah, this seems like a really big problem, but at the heart of it is those leaked credentials, those marketplaces where people can go buy this information, and that's sort of, like, the easy foothold into these systems. Did you watch the development of those marketplaces? Like, what is your sense of these spaces where people can go buy these credentials
Speaker 3: en masse?
Speaker 2: Yeah. It's a good question. So that is kind of an entire parallel industry, like, in both ways, both from a criminal industry perspective, but also a cybersecurity vendor perspective, which I would say is adjacent to us. Like, we make use of that in our solution to try to help solve some of the problems. But it hasn't been something I've kept an eye on growing, if you said anything, because it was parallel to us. But the reason I say that is because, if you think about a sophisticated threat group, they kind of break themselves into teams. Like, you've always had an initial access team. Like, somebody who sits there writing exploits and finding ways into companies. Like, they might write a browser 0-day that's never been seen before. Like, someone else will write an implant, and then you'll have a team that take the implant and the browser exploit, and they'll gain access, and they'll get a foothold in the organization. And then you'll have a different team that will come in behind that will actually go and achieve actions on objectives, and they'll start to move through the infrastructure to actually get to the data they wanted or deploy the ransomware or whatever they wanted to do. So it's kind of in batches like that. And it's similar with the criminal marketplaces in that you'll have one person whose job it is just to go off and just harvest credentials from all over the Internet. So it could be phishing. Right? They just phish people en masse. It could be that you're hacking into, I don't know, Ashley Madison, like you said, and just pulling out all the clear text passwords and just sticking them up online. And if their part of the supply chain is to steal credentials and put them up for sale, that's it. That's all they have to do. But there's another half of the supply chain of people who just go, let me buy some credentials and use this to go and log in to Sure. everywhere else. So they're two halves. Yeah. So the people that put the credentials up online are a different group often to the people that take them and use them against different places, in general.
Speaker 3: I think you're the first person I've ever heard discuss the cybercrime thing as a supply chain. You're the first person I've ever heard talk about it like that. Yeah. Like, it's like we all have a role to play, and it's like some people specialize at this role, you know, harvesting usernames and credentials and selling them to other people who will take them and use them. I've never heard anybody refer to that as a supply chain, but it is a supply chain. So
Speaker 2: It literally is. Yeah. I mean, because you think a lot of the times, it depends on the group. Right? There are different profiles of groups, like a nation state actor. Mhmm. They're all gonna be, you know, employed people in one organization, whereas criminal groups tend to be much more distributed. So sometimes you have, like, solo contractors whose job it is to write just a Windows driver that allows you to, you know, embed itself into the operating system, and that's it. And then that one person will just feed it back up to, you know, to a malware author. And the malware author's job is just to write and keep this malware up to date all the time. That's very, very different from the 10 threat actors they then pass the malware to, to actually use it to go and infect people and keep going. So I suppose it's not the same as just a normal criminal group. Right? You have mules, you have Yeah. Yeah. Yeah. People who yeah. There's just different roles in a big organization.
Speaker 1: That was something that struck me. We've done a couple stories where I get a good sense of what one of these operations is kind of doing. You interview someone, they explain the organization of the structure to a certain point. You go like, this is just a company. This is just a midsize technology company whose goal is just much shadier than the rest. But it has the org chart. It has management. It has suppliers. They seem to have vendors. They have raw inputs and materials. Like someone's smelting aluminum into poles or something. Like, it's just a business.
Speaker 2: So, like, the whole shifting into the cloud and, you know, identities being sprawled out across the Internet is a fairly recent thing that's happened in the last few years. So that's really broadened the attack surface quite significantly. But as I said, the actual identity attack, or the way you do it, hasn't really changed from decades ago. It's like brute force attack, credential stuffing, phishing. You know, it's all the same stuff in terms of actual credential access. But the reason it's always been a big problem, even when we were focused on incident response and the infrastructure era, even then, we were saying that identity attacks were probably one of the biggest problems that were gonna face the industry. And the reason that we said that was because, so one of the things after we did offensive security, just to give you context here, we were doing detection response, we were doing incident response. So we actually flipped over and started running an MDR service where we were watching attacks happen. And it was really interesting because you had ex red teamers, and it was really cool to see how effective they were at doing detection response because you'd see an indicator and be like, I know what you're gonna do next. And then you'd actually be ahead of the attacker, and it made it kind of a really interesting battle. But, anyway, point being is that we would watch these attacks play out, and it was really effective when the attacker compromises an endpoint because what they're doing on the endpoint is stuff they shouldn't be doing, like injecting into a process or dumping passwords from memory or whatever. Like, stuff that was malicious, and EDR could quite clearly tell the difference between what is normal and what is not normal. But the moment an attacker steals a password and they move into identity, it's really hard to tell the difference between the attacker and the employee.
Obviously, you can see if they the point they stole off the endpoint, but let's just say you were just looking at the identity, like, the logs.
Speaker 3: Sure. Yeah.
Speaker 2: The beacon is a login. Yeah. And so you're at this point now where someone logs into an account. Like, if you just saw that bit, someone logs into an account and they delete something from a database or they delete a file. Now, was that a user logging in and doing that because they wanted to, or was it an attacker logging in and doing that because it was malicious? Right? And the difference between those two, you can't tell from data because they literally are the employee. They've stolen their account and they've taken it. So the only difference is intent, and you can't measure intent through data, if you sort of see what I'm saying. So we were like, well, this is a big problem, and this is why I think actually prompting the employee to say, hey, was this you? is a key part of doing identity attacks. And I think that's somewhere that the industry really needs to go as we start to solve some of these problems.
Speaker 3: Sure. So, like, whenever I make a transaction or something and get the little ping up on my phone that's like, hey, did you actually do this? Yes or no? That's that's the, like, verification step that I am who I am.
Speaker 2: Exactly. Yeah. So, hey, this malicious action was just confirmed. Was this you? Like, 2FA prompts are gonna make sure that happens and authenticate some of that.
Speaker 3: The, as far as phishing goes, what are you seeing for the level of sophistication and the level of like, how how has that grown in the last ten years from, you know, when it used to be, like, a generic email and, like, a, you know, whatever it used to be ten years ago to what it is now because I'm sure it's much different.
Speaker 2: Yeah. The core, like, I guess, attacks, as I said, phishing and everything, haven't changed a lot. The way those are being done has evolved quite significantly. And so, for example, what we're seeing now is a huge rise in what are called adversary in the middle attacks, or AITM. Somebody did ask me at one point whether that was a gender neutral man in the middle attack, which it is not. But, yeah, it's adversary in the middle. So it's a slight variation. So the concept's the same in that you are still, you know, a man in the middle, but the best way to think about it is like phishing 2.0. So in phishing 1.0, your goal as an attacker is to steal credentials, username, password. So really what you're doing is setting up a clone site that looks like a legitimate one, sending it to a victim, the victim enters their credentials, and you walk off with the username and password. Now obviously, MFA was shouted about as the big thing because now I can't use those credentials, and that was the reason that happened. So AITM has come out of this increase in MFA, effectively, and it allows you to bypass MFA. The way that adversary in the middle works is you don't get someone, a victim, to log into a clone site anymore. Mhmm. You get them to log into the actual site, like, the actual, say, Microsoft 365, but they proxy it through you. If you see what I mean. So you've effectively set up an attacker proxy. Yeah. Exactly. You run it through and you say, hey, send them a link. They connect to you. You fetch the page. You give the page back to them. Because you're in the middle, it allows you to intercept everything including the session token and the MFA, so then you can actually get around it. And there's lots of clever ways to make this happen. Like, one of the ones that's become quite popular is what's called a browser in the middle attack, which is a subcategory of adversary in the middle. 
And what happens with that is you set up, you're familiar with VNC, right, like for remote desktop viewing?
Speaker 3: Yeah. Of course.
Speaker 2: The idea is I set up a server on the Internet that I control as an attacker. And when I set that up, I open up a web browser and I browse to the target, say, the Okta or Microsoft 365 page. So now what I've got is a server or VM online, and you should be able to see that's open. Yeah. So, exactly. So then I can obviously come in and remote desktop into it, and what I end up with is a window on my desktop that shows the target page. Right? Now fortunately or unfortunately, depending on which side of the fence you're on, there are now, like, JavaScript libraries that allow you to run noVNC inside the browser. And so what we see attackers do is basically, you have a browser window, and you send it to a victim, and they open it up and they see their fully branded MFA login, which is actually their login page. But when they enter their username and password into it, unknowingly, they're actually doing that on my server, and I can just watch it. Mhmm. Watch it happen. I can pull everything out of it. So those are the sorts of modern attacks that we're seeing now happen, and bypassing a lot of these different controls. Beyond that, those attacks are starting to become a lot, you know, more well known. More recently, we've seen an evolution in detection bypasses. And what we're seeing there is that still the main delivery vector for phishing attacks is email.
Speaker 3: Mhmm.
Speaker 2: And so the attacker would send in one of these phishing links, whatever technique it is, whether it's phishing 1.0 or later. You send the email into the victim and the email gateway or proxy will scan the email and look for a bad URL. Now, obviously, it can check for domain reputation, if it was recently registered, and all those kinds of things. But those are quite easy to bypass. Right? You just buy domains that have been registered for a long time with a good reputation, all that stuff. So what you're starting to see is they will actually take the link and go follow the link, and query the phish kit itself to get a lot more information. And so we're seeing attackers doing stuff as simple as putting up bot protection in front of their phish kit. Right? So it's like they've got reCAPTCHA in front of it, and you've got to send particular GET parameters to it. Some of them are even presenting you with a login page and getting you to log in first. And if you enter a domain that's not the target company, it will just redirect you off to, like, a Microsoft Live login, like something legit. Whereas if it is from the target company, it will return the phish kit, and you start seeing stuff like that. So you're seeing these things just bypass these phishing detections altogether and completely, and even if, you know, the victim forwards it off to their IR team and they log in, they're like, oh, no. It looks like a legitimate thing. Carry on. You know? And that kind of stuff. So they're simple techniques, but really powerful.
Speaker 3: So the detection system is trying to fingerprint the phish kit, but the phish kit's actually fingerprinted the detection technique. And it's, like, when it Yeah. is coming through, it just, like, no. We know what you are. Like, you go over here, and, like, this is legit content, like, piss off.
Speaker 2: Yeah. Exactly. So you're, like, it's it's, like, oh, this is not a human querying me. Return friendly page, basically, to get around detection in that way.
Speaker 3: Funny. Smart.
Speaker 2: Yeah. So we're seeing that a lot more. We're also seeing a lot of phishing just avoiding email altogether. So people phishing people on, you know, LinkedIn Messenger. Obviously, SMS has been a channel that's been happening for quite a long time. But, yeah, you know, you can drop phishing links anywhere, not just
Speaker 3: DMs have been filling up with phishing links more and more and more the like, over the years. It's like I'm constantly getting flooded by stuff that's just not real. Yeah. I actually actually saw a message. Sorry. I'm just pulling it up out of my Slack. I sent it to Jordan this weekend, but
Speaker 1: Oh, yeah.
Speaker 3: The FBI had come out. I don't know if you saw this, saying, essentially, don't open any links in Gmail. Apparently, there's tons of AI powered phishing attacks attacking Gmail accounts and, essentially, don't trust anything inside of your Gmail. I'm not sure if you saw this link at this article. That's Yeah.
Speaker 2: That sounds like an internal security team's nightmare. Like, all employees ever are not clicking any links. Totally.
Speaker 3: But just, like, for imagine how many Gmail users there are, and if people have targeted Gmail as, like, the host to attack, then oh my god.
Speaker 2: Yeah. I feel like
Speaker 1: there isn't a platform where you can receive messages that isn't just inundated with those links. I think of we've done a few episodes on, like, people hacking games, people cheating in video games. And it sounds like if you are 18 and in Discord, you are just the recipient of more phishing attacks than I can possibly imagine. And it makes total sense. It's like, is it the most knowledgeable audience?
Speaker 3: Thankfully, it's all to steal crypto. This is as long as you stay
Speaker 1: at a Yeah.
Speaker 2: That's right. Exactly. Yeah. And it's interesting you said that because I don't wanna get too far into the future here, but, hey, apparently, we keep doing that to ourselves anyway. So I don't wanna do it again. But one of the things we were thinking about, obviously, is, like, OpenAI Operator got released the other day, and we've seen this as an agent that runs inside your browser and uses your browser for you. The example they give is, like, hey, here's some food, log into Instacart, and go add all the ingredients and buy it for me just in one go. Really exciting, but obviously, our mind just went straight to, oh, how are attackers gonna abuse this. Now I'm not talking about weaponizing Operator itself because no doubt they build lots of safeguards in to stop things from happening. But that broad technology, and as you start to see open source versions of it and stuff like that that don't have the guardrails, you can kinda scale up those out-of-email type attacks quite a lot. So imagine, for example, saying, find the top 10,000 most popular subreddits, get involved in the conversation, and then drop a phishing link. Or, like, I don't know, connect on LinkedIn Messenger to everyone from this company, talk to them for a few messages, and then drop this phishing link and that kind of stuff. So I think those sorts of things Be
Speaker 3: really cordial.
Speaker 2: Yeah. I can see that.
Speaker 1: Yeah. Make friends with everyone. Are you good? I never even thought of that.
Speaker 3: I'm sure you could write a LinkedIn recruiter bot that just, like, was, like, hey, you know, we've got some jobs that might be and just flood people and, like, the link would be a phishing link, and you'd get a boatload of clicks.
Speaker 2: Exactly. Or, like, come on come on to the hack podcast, pretend to be CEO for security, and then drop my phishing link at the end. You
Speaker 1: have the ability right now to pull off the greatest prank ever.
Speaker 3: Yeah. Might might cost you a lot, but you could do it. It's Oh, man. So it
Speaker 1: sounds like it's like, we talked a little bit about Discord and these other platforms, which are basically just skinned websites. It sounds like this new era is taking place inside of browsers. Like, these vulnerabilities are taking place in browsers. People are using these credentials and these identities entirely in browsers. Like, talk to me about the idea of the browser as the attack surface that we're currently living in.
Speaker 2: Yeah. Yeah. No. Definitely. You know, full disclosure, this is obviously what we do in our product. But the reason I feel okay talking about this is because, as I said before, we didn't sort of inherit a product. Like, I didn't just get given it one day and then be told, oh, how can you position this in the best way possible so that some people wanna use it? Right? It was much more that we came at it from a problem of, okay, identity attacks are becoming a problem. We sort of feel a duty to the industry to do this because we've been on the front line sort of defending against these attacks for a long time. What's the best way to solve this problem? And we tried all the ways. And what we landed on through our R and D efforts over multiple years is that it's gotta be inside the browser. And it makes a ton of sense, right, because if you think of all those sprawled identities that are out across the Internet, you know, you can't just vuln scan them, you can't just enter your public IP address range, you can't write a script that brute forces en masse permanently all your employees' credentials hoping you get the username password combination right and reporting about what identities exist. So what do you do? I mean, the thing that all cloud identities have in common is they traverse through the browser. So we were like, well, this is a really effective, you know, enforcement point, effectively, to draw telemetry from the browser, and you can start to see employees as they create and use identities, and then therefore you can map them all out. Right? So it was the obvious place to build a solution. Also because of what we were talking about with the phishing attacks, like, as they start to move out to different channels, wherever you click a link from any source, like email or anywhere else, you visit it. 
And at some point, even if it has the bot protection in it that we were talking about before, at some point, it initiates the payload, the phish kit renders inside the browser, and then you can block it. Right? And you can block it based upon the phish kit itself, but you can also detect employee action. So detect type events and determine, before they press enter, that they just entered a critical password like their SSO password into it, and stop that from happening. So for us, it just made so much sense to go there, and to enforce and solve this kind of problem inside the browser. For us, it's just a really, really powerful way to do this. I think coupled with this, we were talking before about architectural shifts, like some companies we started. If you look at Push, like, we do 100% of the work in our browser. I think the only desktop application I have is Zoom, and it really frustrates me that this is a desktop application because why doesn't it run in the browser? But, you know, other than that, maybe Slack as well, optional desktop application, everything's inside the browser. And so moving into the browser and doing security in there seems to fit the way that companies are progressing as well. So, yeah, that was why we decided to go there. Yeah. It makes a lot of sense.
Speaker 3: Lots of those apps like Slack and Notion, they're all written on something called Electron, which is essentially just like a HTML CSS plugin for, like, Swift apps and stuff. So they're actually all just web browsers.
Speaker 2: It's the way in there. It's the way it's going. Yeah. It's like when people deploy Chromebooks is always the time when I that's when I really think about that. Right? Because that's, like, the purest version Right. Of what we're talking about here. It's
Speaker 3: like there's no endpoints. Yeah.
Speaker 2: Yeah. Because if you get a shell on a Chromebook, it's read only, there's no files on it. You can't really move laterally. What you can do is talk back out to the Internet. So the whole attack vector is inside the browser. Like, you know, that's that's very pure of this world that we're talking about. But anyway, diversity and that's a
Speaker 1: I think that's really relevant because that, like, that that you can literally use a computer that is a browser and function in the modern world tells you how much of the modern world occurs entirely inside of a browser. So I guess I mean, in simplest terms, like, what is it then that push does?
Speaker 2: Yeah. So Push, we exist to stop identity attacks. We're totally focused on that. And so really it's anything to do with account takeover, which is your user account being compromised. Now that could be phishing. It could be identities being sprawled out across the Internet, and actually mapping out where those are and locking them all down. We can even determine whether someone's using their password manager and if they're actually clipboard pasting their password all the time, and which password manager they're using, or if they're syncing it back to their Chrome browser. Anything that could result in a user's account being compromised is what we focus on. I guess the technical version of it, if you like categories, which we get forced into, is ITDR, which is identity threat detection and response. I think that's a name that we try not to use; we try not to use categories. We think about what problem we solve, and we go solve that problem. But, you know, for some people, it helps them categorize and think about where we sort of sit. So
Speaker 1: You mentioned clipboarding passwords out of password managers and bringing them over to the browser. Yeah. Is that a vulnerability?
Speaker 2: So, I mean, people copy and pasting it from, like, I mean, if you think about account takeover, there's someone entering their credentials into a malicious phishing site, but you've also gotta think about exposure. So if someone's storing it in a place that's not good, like clear text stuck in a document somewhere, that's not ideal. And so the reason that we encourage people to use a password manager is that it's effectively a vault to safely store them. Mhmm. So the reason we're detecting clipboard paste is because it's pretty obvious that someone's just pulled it out of a document or off of a local notepad, and then they're just pasting it straight in.
Speaker 3: Out of a Slack message.
Speaker 2: Exactly. Yeah. Or out of a Slack message. Yeah. Exactly. So we we obviously only have the context at the point they enter the browser.
Speaker 1: So you
Speaker 2: can't tell at this at this stage where it's being clipboard pasted from, but it is just good intel to be like, wow, there's a critical account, you know, like an AWS admin account, and someone's clipboard pasting it in regularly. Probably should go and have a word with that person and and see how they're handling passwords.
Speaker 3: The the other thing too is, like, the clipboard is account accessible. So, like, anywhere inside of the account, it's like a universal memory register. So it's, like, it's not secured. So if there's a password sitting in there, any of the applications running technically have access to it. So if you were copying and pasting passwords through your clipboard, you're kind of sharing it to every other piece of code on your user account. So there is technically a vulnerability there, but you'd be hard pressed to find somebody smart enough to write a way to exploit it well. Maybe we have him here.
Speaker 2: So it's funny talking about clipboard pastes. This is a complete tangent, but you just made me think about it with what you're saying there. Did you see, I can send you the link after, but there was a phishing attack that got shared around a couple of months ago. It was really bizarre, but really, you have to give them top marks for creativity. And basically what happened was it was like a phishing link to a GitHub page, or what looked like a GitHub page. But when you landed on the page, it popped up with a reCAPTCHA prompt, but the reCAPTCHA prompt was written in JavaScript, and it said press these different key combinations. You had to go command C. Yeah. Command C, control command R, and then control V, enter. And it popped up and said thank you, you've done the reCAPTCHA, you're in. But what it had done is, when you visited the site, it injected PowerShell into your clipboard. So when you then control C, you pulled it out onto the clipboard, and then control R. Exactly. Then you run it locally. I mean, someone probably fell for that, and they've never told anyone because it's such an unfortunate thing to fall for. But I just thought, for creativity, hats off for, like, trying. You know?
Speaker 3: Yeah. But this is, like, that's even that's a good thing. Like, the so the JavaScript itself wrote to the to the clipboard. So JavaScript can probably read from the clipboard. So if you've got passwords hanging on your clipboard, websites can read them too, I assume.
Speaker 2: Yeah. I don't actually know with that. I know there are clever models built into the the browser. I need to look into I would hope that there are protections for pulling them back out Yeah. In the other direction. I think it might be read only and pushing one direction, but I might be wrong about that. Yeah. Me too.
Speaker 3: I don't know.
Speaker 1: I was reading about a 2023 study. I have it in my notes here because I wanna talk about it on the show at some point, but it was a 2023 study that described CAPTCHA as a tracking cookie farm for profit masquerading as a security service. And it was saying that the success rate of bots currently is higher than the success rate of humans, which means they're ineffective. I think it was 819 million hours of human time lost clicking on just traffic lights, and it has generated $1,000,000,000,000 for Google. I feel a backlash growing. Last time we were talking, you were talking about something called cross-IDP impersonation. Just to start with, define what IDP is, and then what does that impersonation mean?
Speaker 2: So yeah, cross-IDP impersonation was a very recent bit of research that we did. Actually, our VP of R and D, Luke Jennings, did. And this was really interesting because it shows the complexity of the identity attack surface. It's not just as simple as sprawled identities and you logging into them. So IDP is shorthand for an identity provider. So really you're talking about SSO. So Microsoft 365, Okta, Google Workspace, any of those. Now the idea is that, ideally, you'd have your SSO provider with your one user account per employee. And then when you log in to that SSO provider, you'd have MFA, you'd have YubiKeys, you'd have phishing resistant MFA and all those things. So you have a really, really hardened identity. When the employee logs in, you get presented with tiles, and you click on one of those tiles and it logs you into the downstream SaaS application. Right? And that's how everything should be set up. So Luke looked at this and kinda went, well, if you were trying to target someone who had really, really hardened SSO accounts, what would you do? And what he determined is rather than going after the IDP directly, it was actually the SaaS applications behind it that were the target. So what he figured out was you could just ignore the company IDP altogether, set up your own one, and create an account which is the target company. So let's say you were trying to target acme.com. Mhmm.
Speaker 1: You
Speaker 2: set up a new IDP with an account for, you know, sarah@acme.com, and you can just log directly into the SaaS applications behind the IDP, and they just let you in. Right? So basically they don't
Speaker 3: check Interesting.
Speaker 2: Which IDP it came from, which is wild that that's actually the case. There's some nuance to it, and there's some complexity which we can get into, but the top level is that the SaaS applications behind don't effectively check which IDP it came from, and they'll let you authenticate.
Speaker 3: So it sounds like the red teamer never leaves never leaves you once you once you leave the red team.
Speaker 2: Yeah. It's like Not helpful.
Speaker 3: So it's like you kinda created your own exploit here to solve it and protect for it in your in your solution now. It's kind of what it what it sounds like. Is that true?
Speaker 2: Yeah. Well, interestingly, the way that we discovered this vulnerability wasn't from an offensive security mindset. We actually saw in our data that legitimate employees were doing this. Mhmm. So what I mean is, like, there was a company who had Microsoft 365 as their primary IDP to log in to downstream SaaS applications. And they came back to us and said, hey, like, there's always Google logins into these different SaaS apps, and I can't understand why because we don't use Google. So we started looking into the information, and we said, oh, wow. You know, what employees are doing is going to the SaaS application and they're presented with, like, a login with Google button.
Speaker 3: Of course.
Speaker 2: And so they're just clicking on that and then creating a personal Google account, but under the company domain, like under acme.com, and then just logging in because it's easier. And then that's the workflow they're used to. So there's hundreds of people just logging in directly to these downstream SaaS applications with log in with Google when they should have been going through Microsoft March. So you've now got two login methods to the same SaaS application, but obviously the second one's got no MFA on it, and that's it. So we saw this state and we were like, this is crazy. I mean, actually we could probably use this for malicious purposes. What if I went to create an account on Google and just logged into the SaaS application? Oh, look, it works. That was kinda how the whole thing came about. So, yeah.
Speaker 1: So that's just purely an issue with those, login like that's purely with the SaaS companies.
Speaker 2: Yeah. Exactly. It's nothing to do with the IDP. And it makes sense, right? If you take a SaaS application you wanna sign up to, they give multiple login methods. So you can pick, and you can say, log in with Microsoft, log in with Google, log in with, like, Apple. You can do whichever one you want. And if you go and set up, you know, SSO to log in to those, that's great, but it doesn't necessarily disable all the other login methods and the things that you can get to. Right? So now there is some nuance to this, like, I'm trying to give you the top level, so you can understand, like, how this works. The nuance with this is that, let's say for example, I was gonna break into this acme.com company. I go to Microsoft 365. I try to break in and I go, wow, this is a really locked down IDP. Then I go off and create, I don't know, Apple. Apple's got its own SSO provider. So I create acme.com on that. Now yeah. Exactly. And so the thing is, in order to create an account under acme.com, you need to verify that account. So it will send a verification email back to the victim, and they need to click on the link. So you have to overcome that hurdle. But the thing is, getting someone to do that is way easier than doing a traditional phishing attack. Right? So the example that he gives in the blog post is you send an email to someone and say, you know, hey, John, whatever, here it is. I'm from the IT team. We're trialing company iPhones. Would you like to be part of the crew? Oh, yeah. I'd love to. Thanks. That'd be great. Great. I'm gonna send you a verification link to verify. Here it comes. Yeah. Click on the link. Yeah. Because they're not entering credentials, they're not being asked to give a sense of movement. They just click on the link. It's not a big ask for people. You only have to do that once. 
So now once I've got that, I can just log into every SaaS application downstream and actually get to this. So it's just an interesting one; it shows the complexity. Now the way you'd solve this problem is down to the SaaS vendors. Like, the best in class SaaS vendors, when you log in to the settings, you can actually choose which login methods it will allow, and you can disable everything but the one you want for the company. But unfortunately, that's in the minority, and more people should do that to protect against this. So the action that people can take today to solve that is actually to go and pre-register the accounts. So go off and create, you know, an Apple one and a Google one. And lock them out. And create them. Yeah. To actually claim them. And then people come and say, hey, there's already something under the domain. We have seen people writing email detection rules to say, like, if they get a verification email from an IDP that's not the known company one, you can do that as well. Yeah. So that's the way you have to deal with it because it's just a fundamental problem in the way SaaS applications work, and you're not gonna get all, you know, hundreds of them to get on board to solve this. So that's how you'd take it into your own hands.
Speaker 3: So the, so you guys started push because you saw the attack surface changing. Do you see any changes coming now? Are you guys making any adaptations you can talk about? Or are you guys looking at other fields where you think that the industry is gonna go? Or is that something that's kind of you're holding your cards close to chest now that you're a company that will probably get bought or go public at some point?
Speaker 2: Yeah. I'm happy to talk about it. I think the things at the moment, the human identity problem Mhmm. is such a big problem, and phishing continues to be a huge problem. Now with evolutions of phishing and everything else, it's becoming an even bigger problem. So right now, there's more than enough to keep us busy just building better and better and better versions and better and better controls around some of those problems. And we're really, really focused just on that because we're meeting the market where they are now, the pain points that they're seeing today.
Speaker 3: Mhmm.
Speaker 2: But you always have to keep one eye on where things are gonna go next. And so, obviously, we spoke a lot about these computer-using agent technologies, you know, like OpenAI Operator. And if they start to scale up, what will happen? Like, we're already focused in that area, like stopping phishing directly in the browser, and just sort of keeping an eye on that because we might see those things scale up. But ultimately, even though we're building into the browser, we don't orbit around the browser. Like, we're not a browser security platform. We're an identity security platform. So really, we'll go wherever identity goes. So we're pulling it from the browser now because it's an incredibly valuable telemetry source. But, you know, that isn't the thing that restricts us. We'll take identities from mobile and from endpoints and from, you know, AWS and other places as well. So I think it's mainly gonna be about going deeper and deeper and solving the current problems in a much better way than anyone else using our red team experience, and then going broader across more and more platforms so we get wider telemetry, and we can solve the problems, you know, at a bigger scale.
Speaker 1: This is, there's a good chance I'll just chop this out, but I'm curious because you brought up operator. I feel like every time I hear people talking about agents and operators in the security space, it's on the offensive side. It's the it's the sort of, like, fantasy of being, like, go get their credentials, fish this person, blah blah blah blah. The thing that I keep wondering about is on the victim side. The idea that it could be a vulnerability where I tell some agentic program to, like, go respond to my work emails, go do this, go do this. And it just sort of inadvertently, like, oh, I need to validate this Apple credential login thing. And so, like, could those operators and those platforms function as a vulnerability in themselves?
Speaker 2: Well, so I'll caveat that we haven't done any research on this. So this is just me thinking off the top of my mind. But I have been thinking about what happens where, like, at the moment, the thing you're trying to do as an attacker is to trick an employee to perform some action, like enter their credentials into a phishing site. And if an agent is effectively acting on the person's behalf, like, is it possible for you to trick an agent to enter the employee's credentials into a phishing site? If you said to me, like Yeah. And that feels like how that actually works depends. Is it, like, you know, cross-site scripting? I don't know if this is like where you can inject stuff into an existing website. Can you do that to sort of do prompt injection and get it to I don't know. This is not an area that we've researched. And I think it's such early technology at this stage. It's hard to know where that's gonna go. But I do think, like, anytime there's a technology shift, it changes the types of attacks that are possible. So it's something to keep an eye on for sure.
Speaker 3: Yeah. There's been so much research into social engineering and changing of, you know, exploiting of human behaviors. You know, what is the shift into essentially controlling and, I don't know, manipulating robots into doing our bidding.
Speaker 2: So, yeah. Yeah. Exactly. I think, I mean, it's good from a defensive perspective as well. Right? Because you can have, like, security-trained agents, which will look and go, hey, this looks suspicious. We're doing research into that kind of thing as well at the moment. So actually looking at the page and understanding the visual processing, like, is this page trying to look like a Microsoft login? And then taking other context of, you know, what's happening in the actual page itself and how the user's interacting with it and passing that through. So I think, like, AI scales up on the offensive side, but it also scales up on the defensive side in parallel. Just hopefully the defensive side wins, scales up more.
Speaker 1: Hopefully, the defensive side wins.
Speaker 2: Yeah. Right down on the wall. Get the T-shirt. Yeah.
Speaker 1: Yeah. Get that T-shirt. Get that merch going. Appreciate you taking the time to sit down and talk with us.
Speaker 3: Yeah. Thanks for coming on.
Speaker 1: Maybe I'll end with this. Let's end at the beginning. It's way back when you're in that role as a red teamer playing the part of this advanced actor in these simulations. We do a call-in show called Hotline Hacked where people share their fascinating tech stories. What's the craziest war story you can responsibly share with us here to close it out?
Speaker 3: Good question.
Speaker 2: Do you know what? I'll actually share, because I think this is amusing and it's a bit more relatable, I'll actually share one of my colleagues' stories instead. So, my colleague. One of the parts of the offensive security side we did was social engineering. So it wasn't all technical. It was also to do with sort of breaking into buildings and trying to trick people. Now my colleague, well, my teammate, he's really, really good at social engineering. He's just a really likable guy that everyone trusted and, like, yeah. Yeah. You've seen the program The Traitors. Like, he would win straight down. They would just trust him immediately. And he did multiple engagements like this and, you know, it was kind of a normal office block. But there was one time when he came up against a very well-secured facility with gates and guards. It's like, well, okay. This is the biggest challenge. Yeah. So he went off. He set up his own website, his own business card. He turned up with a clipboard and spoke to the guard, and then they rang into the reception. Hey, there's a health inspector here. Were you expecting this? It's like, well, of course they're not expecting me. I'm a health inspector. And I'm like, okay, send him in, send him in. So he's sent in, he checks in through security, they phoned back again to the chef, like, hey, we got the security guard. You can imagine, you know, quickly scrapping away all the pots and pans, and on he goes. So anyway, he goes into the room, and he doesn't know how to do a health inspection. He's got no idea. So he's like walking around like wobbling the shelves and like checking stuff and everything else.
Speaker 1: Turd and stuff.
Speaker 2: And he goes around. Yeah. He does his whole health inspection. Well, I'm in a building. And the chef says to him, okay. Well, like, how did we do? Like, am I okay? Like, have we got this whole thing passed? Sorry, man. I mean, I have to go back to the office, and it takes me about a week to process. And I can let you know. He's like, well, I mean, if you give me access to a computer, I could probably do it now if you like. And, oh yeah, yeah, sure. So he logs him on. Do you want some dinner? I was like, oh, that'd be great. So he's sitting on this computer hacking the network, eating food. The guy's name.
Speaker 3: Provided by
Speaker 2: Yeah. Takes full control of the network and writes it back. And it was all done in good faith. Like, whenever we do these engagements, we make it really, really clear to the team that, you know, people are gonna get tricked, and it's not their fault, and, like, you know, it's just we're pros at this, and we've done this a lot. You're always gonna get people. We make sure that those individuals aren't victims from this, but it's a good learning exercise because by experiencing that, it just heightened their level of awareness. But it was a really fun engagement and it made a really, really good story when he sort of came back to the office and anonymized it and spoke about it. So, yeah, I thought it'd be a good one to share.
Speaker 1: Oh, that's a good one.
Speaker 3: That is a good one. I love that they fed him. That's the icing on. Right?
Speaker 2: Yeah. Free food. Yeah. Exactly.
Speaker 1: Sitting there, you're like, there's no way I could get into this network and linguine.
Speaker 3: Yeah. What were the bonus points on the contract for getting fed by the team? It's like, not only did we acquire, like, all of the mission goals, but also, like, you fed us and, like, gave somebody gave me a car, like,
Speaker 2: That's a pencil. Exactly. I never actually read the report at the end, but I don't know whether there's, like, a picture of the food that you got. Yeah. And by the way, thank you for the meal. Yeah. Totally.
Speaker 1: That's good. Adam, thank you for sitting down with us. This was a lot of fun.
Speaker 3: Yeah. Thanks for coming on.
Speaker 2: Yeah. Thanks for having me. It's great. A lot of fun.