Combatting Commercialized Adversaries: Continuous security testing and how to get it done

Yeah, no, perfect. So, Dahvid Schloss, for people who have heard me introduce myself, this will come to no surprise, but I usually describe myself as the emulated mob boss of a group of emulated criminals. The reason I put it that way is I haven’t done the fun cool stuff for a little bit of a minute now. It’s been a while, but I’ve been leading teams in the red team space for what, seven, eight years at this point. Love the job. Never feels like a job. So super excited to be out here and being a shirt twin right now. I’m still loving this design.

We’ve gotten good compliments from everybody who’s been guests, but yeah, no, thanks a bunch. So let’s just dive in, you know, because I think our prep session for this was really intriguing. So I’ve been really looking forward to chatting about it. But so, like, you know, your experience around, like, obviously you’ve been leading teams and diving deep and helping customers and organizations get better. And the whole goal, our whole goal, obviously, in penetration testing and kind of adversary emulation is really to help identify the key gaps in people’s networks or applications or whatever we would be testing.

But it sounds like you’ve seen a shift in the need to continue to progress towards this continuous testing. Maybe talk to a little bit about your experience there and then, you know, we can go from there.

But yeah, no, I think we definitely are seeing a shift in the industry as we’ve kind of gotten a little bit more mature over post-COVID age. Right. I think if you asked me in 2018, you know, what’s the, what’s the potential of getting people to do more continuous testing? It would have been very hard to even convince anybody of doing so. But we’re starting to see a shift of the guard, right? We’re getting new executives, younger executives, people who understand technology much to a deeper extent.

Cybercrime has come to a position in which it is so close to, you know, real everyday companies that they’re starting to, you know, organizations out there are starting to realize, like, oh, there’s some, “uh, oh, SPAGHETTIO” moments happening where it’s no longer a question of if, but really like when this is going to happen and, you know, start to integrate some of these new, better tools out there. Right.

Like just to name one, Horizon 3 off the top of my head, just because I love those guys, right? Like, you start to get more of these automation platforms that enable this at a much better capability. Now we’re starting to see CISOs, CIOs, CTOs out there going, oh, it’s starting to become a little bit more affordable. It’s starting to realize like, that one point in time is not a good idea anymore because Log4j happens, or God forbid, the next EternalBlue happens. It’s not feasible to just have a single point in time. So I think people are starting to recognize that, realize that. And that shift is starting to really push us in the direction of, okay, these are the services that we need to start focusing on.

Yeah. And I would say, I mean, I agree and I think that the barrier to entry to at least be able to do continuous testing has lowered. You know, the bar has been lowered substantially and it’s more cost effective. You may not have to have a full team of Red Teamers to be able to, you know, at your disposal, to be able to at least have some form of a continuous paradigm.

But I think also, like, what we had talked about before too was just the threat groups and the threat actors are continuing to advance as well as like almost commercialize. Right. I mean, I think you, you’ve got some exposure to that, right?

Yeah, No, I think the best example of that is like if you go back and you look at Conti, you know, when the, the Russian-Ukraine war popped off and Conti butted heads because, well, they’re Russian and Ukrainian. They split and just released all the data. They were just like, all right, so I don’t know if it was the Russians or the Ukrainians, but one side got really mad and was like, we’re not doing this anymore. And they released all their internal documents. And if you read the documents, it’s fascinating because like they operated exactly how you would expect a consulting firm to operate, right? Just with no morals.

They had an HR team that did recruiting, they had payroll, they had like your equivalency of a CFO, CTO. They’re so well organized, right. And you start to recognize that like Conti is not the only group that’s doing this. Like we have a trillion-dollar industry on the cybercrime side and the reason why we call it an industry is because they operate just like it, right? Initial access brokers aren’t just like one twosy people out there that are finding what they can and selling it. Like it’s a, it’s a group of, of, you know, dedicated individuals going out, finding those access points and then selling it to other dedicated groups of individuals. And so like these ransomware groups, these initial access brokers, all of them operate in this very similar mentality where you see that they are really no different than any other company out there.

So they’re getting better organized or organized. English is tough today.

And it’s so impressive because it’s not anything that we would have expected 20 years ago, right?

Yeah, the paradigm of like, oh, this is just some hackers that got together and are just trying stuff and then maybe have like a shared bank account that they’re, they’re dipping out of, you know. But no, I mean, yeah, it’s, it’s like a true industry.

Yeah, it’s just fascinating. I think what fascinates me is the fact that they have like an HR team. Like, it’s like, it was really funny to read that about something like, you’re a criminal. Like, what do you want us to do? It’s, it’s so wild too, because you look at it and you’re like, okay, they’re putting out job adverts and you’re like, where’s the dark webs job postings? You know, like, I came back, I was in, I was in England a couple weeks ago and I came back through customs and they’re like, oh, what were you in England for? And I’m like, international crime.

And the guy got really like mad and actually like stopped me for a second. But like the, the even better part was like, wait a second, dude. Like, do you think the mafia just has like a job fair going out there? Do you just walk in and hang out? Like, that’s how I imagine Some of these cyber crime groups are, right. They’re, they’re, they’re coming in, they’re like, oh, well, we have a job fair. Come work for Conte, come work for Cozy Bear. You know, choose, choose who you want to work for. But it is wild.

Yeah, but world’s changing. Yeah, but like you said, I mean like, they are going to continue to be persistent if we, you know, if anything, you know, that’s, you know, that’s the right name for those kinds of groups. Like, hey, they’re going to be, they definitely are advanced, right? They have talent and like they’re going to continue to be persistent. And so how do we counter that on the, on the defensive side?

I’m always a big fan of like your, one of your best defenses is a good offense. So being able to be proactive and so we have to, we like things like that. I mean, that’s not going to continue to change. I mean, as long as there’s money to be made and you know, there’s other markets that circulate around, you know, penetration and exploitation. So as long as that’s going to be there, like it’s going to be persistent. Right. And we need to continue to get people in the mindset of annual tests or even the quarterly test, you know, may not be enough to be able to highlight your defenses and be able to be prepared.

So I mean, I think that’s, I think that’s a really good point. I think we’d also kind of like talked about like the notion of AI and what AI, you know, what impact it’s having on these threat groups, you know, to accelerate their, you know, their capabilities and time to attack and stuff like that too. So it’s just, you know, it’s an interesting world that we live in. Right? Yeah.

The skills gap’s getting quicker and quicker to be closed. You know, it used to be back in the day where it’s like you get, you were a script kitty and you really couldn’t get a job. Right. Because you didn’t understand the in-depthness of it. But I don’t want to like make it so that, you know, everyone’s worried about AI because right now it’s far, far bad in AI in code. Let’s be honest, like as a malware dev myself, like if I go and ask AI to write malware, I’m rewriting it. It’s just bad.

But like what it does do is like, it does open up a lot of these barriers of entry around like English or other western languages. If it’s an eastern based organization like out of Russia or China, like they don’t need to have people who know how to speak English now. You can just easily use translation services through AI and whatnot, which does make phishing a lot more of a problem and a lot more of a concern. And you know, that’s why I think like doing the continuous phishing test, which most, I would say most organizations have kind of bought on board today. And I think that’s mostly because of insurance. I think that’s a good first step. Right.

But like we’re recognizing. Sure. While 97% of all external attacks begin with some form of social engineering, there’s still what happens internal. Right. Like what happens when they get inside. Like, it shouldn’t be all reliant on just stopping one item because people are only half the problem. Right?

Yeah, yeah, exactly.

I mean, and like if you don’t have any other defenses, you know, people are people. We, we know that people are going to click on links like that. That’s the, that’s the go to vector. And it’s, it’s really not going to ever change as much as we train. But like, you know, you can try to ward off as much as you possibly can, but like, there’s still going to be ways to get in and you may even have something exposed that can bypass the human element. But if your defenses aren’t there to be able to detect and prevent anything, like you’re going to have a hard time obviously thwarting any kind of activity. So I mean, I think like, it’s fascinating.

I think, I think it’s good for me to hear too like, that folks, outside of what I’ve been preaching, what we’ve been preaching at PlexTrac, you know, like, are seeing it validated in the market as well as like, hey, we need to get into a continuous testing paradigm. So let’s dive deep into like, what are some. What have you worked with your customers in the past or you know, what have been some. I mean, we alluded to it a little bit, but I’d love to dive deep and like, what are some practical steps to like be successful and like, what does a continuous testing model look like? Right. So yeah, I think that the big thing now is like moving towards more organizations that are focused into this, this element. Right. Like the big traditional consulting metrics make it really difficult to do this continuous pentesting as a whole, because well, consulting is based on a per hour basis, on a per cost basis.

Right. So a resource needs to make X percentage over a margin. And so it’s, it’s been predominantly attacked like that. But we’re starting to see others come into the market and be focused in this idea of like you should just do this as subscription. Right. We’ll figure out some way of doing it, but it’s a lot more continuous and we can break it up into a point where it’s not as cost prohibitive. Right.

Like I think, you know, in the past when I worked, when I was working at big four, big four would be like, oh yeah, it’s 350 an hour and we’ll just do that for the whole year. Right. Which there’s 200 or 2080. We could probably do the math. Roll there, 2080 on there. So it’s like $728,000.

Sorry, I’m being pinged here. Yeah, that’s fine. If you want to put it down, it’s $728,000 a year for one individual to do full time and that’s impossible. Right. That’s just not feasible for companies to put in. Unless you’re at the Mickey Mouse level. Right. Or a Google or something.

So for these small companies, how do you get into the ability to do continuous pentesting without spending your entire operating budget for the year? Yeah, right. That’s where we get some of these newer tools, the automation systems like Pentera or Horizon 3. Like that’s a good way to enter, you know, dependent on your size. When we start talking groups and people, you know, true like red teaming elements, that’s something that’s breaking in more into the United States. We’re not, we’re not fully there yet. Europe’s there really well.

Right. So like now I work for Covert Swarm and Covert Swarm has been making its mark over in Europe in the UK really well as like a continuous red team platform. Right. Just like hitting you every single month in some form or fashion as the way that apt emulation would happen. But we don’t have as much of that here in the United States because we’re, we’re beholden to — most companies just do, oh the compliance and regulation aspect. We don’t have laws that force that into us.

So the harder part is really just finding those services and products that can help you do that at a cost effective manner.

They’re slowly making it, but they’re really not there. So then the only other way of doing that is Hiring your own individuals and building a team that way, which I have seen a pretty big push to start doing. Yeah, yeah. And I think even, like, even some, some kind of hybrid with like a partner. Right. So like you, you may, hey, you know, you may have like a bigger consulting firm or just an MSSP that can do so some of that, you know, more like, more continuous testing, but maybe not like every day, every week kind of thing. And then you augment that or supplement that with like an internal, you know, program much like, like what I know what we’ve seen in some of our partners and customers is, you know, supplementing it through the, through the Vuln management team.

Like, you know, because it’s like, hey, we’ve gone out and bought like a Horizon 3 or a Pentera and so that, that will facilitate the actual testing piece. I think one thing that’s interesting is we’re seeing a lot more threat intelligence come into play within, within the testing framework. Right. Traditionally. And I mean this is what I never really did live in the, in the SOC world or the threat hunting world, but I’ve always been exposed to threat intelligence from the reactive side of like, okay, here’s what they’re doing. We should go put an, I like a signature to detect this into whatever sim we have so that we’ll get alerted on, you know, if that thing pops up, if that IOC pops up. But I think we’re seeing a lot more of using threat intelligence to help inform what you should be testing.Have you seen that in any of your engagements or like, you know, with your customers?

Yeah, no, I think that’s actually a perfect call out. Right. So like I have always been a huge pusher of the Tiber EU framework for red teaming. Right. Just because it is so focused on threat intelligence led. Right. Which I think is by far the more important aspect when we talk like continuous testing or just testing in general. Right. Is having an understanding of what would be the impact. Because without the understanding you’re just kind of like, oh, we’re testing for test sakes and that’s not going to help you because if APT 1s, you’re going to be your, your, the threat actor that’s going to attack you. Why are you preparing for APT 37? Right. Like they may have some crossover but it’s not so great. So Europe has that and that’s why I like really do enjoy the EU’s kind of ruling around cyber and how they’ve been trying to push that in the US we’re getting better. We are. Fedramp’s a great example of this, right.

We’re starting to use it in like the NIST 800 standard, which is stating that you have to do threat intelligence LED testing. So we’re starting to get to a point in the United States where it is becoming more common. I think the bigger thing is more so getting practitioners like myself and others to buy into the idea that we’re not just testing for test sake, like what you would get from consulting. We need to really be pushing the idea that it is, culturally, as a career field, it is important to be leading with like the impact and understanding of who is, who is going against our clients. So we’ve done that. I mean that’s the whole principle and idea around Covert Swarm, which has been pretty great, which is why I ended up joining the company. But like, as a culture, as a whole in the United States, that’s something that we all have to kind of start to adopt because it is so important.

Yeah, yeah. And I think with you, if you, if you find the right partners, you could help, you could kind of help shape that program. Like, you know, I mean, I think a lot of consulting firms would love some form of continuity in their, in their revenue, right. I mean, like, oh yeah, any business is going to love more of a subscription service versus not right. Even though there’s really good money in those like standalone assessments. But like, you know, being able to rely on that from a predictability and business, just a straight business perspective. So finding partners that you could actually like, hey, we want to do a continuous program and you know, whether that’s, hey, you’re going to test us monthly and then we’re going to supplement that with like daily, daily testing and breaking that down based on the, on the threat intelligence.

Yeah, I’ve heard, You know, you know, we do at PlexTrac, we do our own internal testing just period. And obviously, what’s the phrase, Drink your own champagne, right, in terms of, you know, using our products and services, but like, you know, being able to shape that program and have a partner that can truly understand your environment. Right. So like they could, they could even supplement some of that threat intelligence capability, right, to help dictate the testing program that you would want to do whether, hey, you know, like whether they are starting to see, like, hey, you’ve got significant weaknesses in maybe detecting exfiltration or something like that. So we should be testing for that and how do we keep mitigating it and use those as like litmus tests for like, hey, over time this is what you’ve tested and here’s how you’ve gotten better.

I guess that’s my, my two cents on how to help people. Continuous testing. And on top of that too. You know, part of that culture shift in mentality, is like, I think you really recognize as an organization what is truly, I don’t want to say rotten. Rotten is a bad word here, but it’s the one that comes to mind, right? What is like truly rotten inside your TTPs? Like if you are finding the exact same type of findings over and over and over and over and then you can start to correlate. Is that from patch management? Are we not doing good patch management?

Maybe you’re an in house development shop. I’ll use you as an example at your expense. But PlexTrac has too many SQL injections. Is that a matter of training to our developers? Are we not teaching them how to properly sanitize this stuff? There is so much advantage beyond just the fact of maturity and security within your organization that you’re starting to improve policies, your processes, your trainings. It’s like overall your organization just gets so much healthier doing it, right? It’s, it is at least night and day difference.

Yeah, yeah. So, so let’s, let’s. As we kind of land the plane, I would say like, you know, some of the tips and tricks that I think that we’re seeing and I think maybe you’re seeing like a people that are doing it, right?

It’s, it’s, it’s truly, it’s kind of like changing habits, right? It’s like first and foremost you have to treat it like, hey, we’re gonna, we’re committing to this and we’re gonna dedicate the time because I think it’s so easy to continue to fall into the reactive mode of security operations and management that the first things kind of, kind of like, kind of like, you know, staying healthy, you know, physically. It’s like some of the first things to go when we get really busy and life hits us is like stop working out, right? You know, like you stop going to the gym or stop, you know, and, and like that’s the wrong, that’s the wrong mentality they have, right? Is like, hey, you know, we need to stay on top of testing.

So dedicating to it, you know, that would be my first and foremost, you know, recognition of folks that are doing it well and succeeding and then the results come later. Right? But I think, I think first and foremost it’s dedicating it. Dedicating yourselves to like making sure that that is like that time for testing or that how much, how much effort you’re going to put into the program is sacred. Right. What would be, I mean like what would be some of your other, you know, tips and tricks for people that are doing it right to kind of reference. So the big thing to do it right it means yeah, definitely to do it.

The other piece I think is really how you communicate it to the organization. Cybersecurity is a team sport regardless if we want to include the finance bros and the HRs and everyone else. Like at the end of the day it’s team sport and we need everyone to buy into it. The, the thing that I found is the best resource and that’s helped me explain value in offensive security testing in general has always, always been IBM’s cost of a breach. I don’t know if you’ve ever read the report. Brilliant report, love it. But you know, they, they truly outline this stuff for people of all walks to really understand.

At the end of the day, by investing in your security, you can save money by not investing. This is how much you’ll lose. And, and I hate to be like always pounding the desk on the alarmist idea, right. Like we need to be putting paranoia into people’s heads. But like we need justifiable and backable paranoia across the board. And if you can explain to an executive or to a senior leader who is not technical on why they need to be paranoid, you will have so much support from people that you would never expect. Right.

And I think that the biggest thing that makes or break a team, whether you work in financial services all the way down to manufacturing, is how can you portray the paranoia to those individuals so that they can back you up? Because they will coach, they will quarterback for you if you need them to be. But like without their support, like then the funding is going to dry up. Like you could have a pentest team for a year and you’re paying X amount of dollars. We’ll throw out 500k. Right. Facetious number, but you’re spending 500k on a, on a pentest team a year and you guys are finding phenomenal findings and you could still be shut down next year because you’re just not explaining it right. Yeah, yeah, exactly.

And like having being able to effectively communicate the risk that you’re mitigating. Right. And the progress that you’re having over time. I think that’s a, you know, here’s here’s where we were when we first started. Right. And so being able to benchmark, like here’s where we were and then here’s how we’ve continuously gotten better because we’ve continued to test these things. It flows into a life cycle around remediation. And so you actually see your security posture improving.

And I know like we actually did a study a while back and research companies that were doing this continuous model purple teaming type of notion and their improvement of their security posture like was drastic in terms over like a same period of time where you know it’s not happening. You’re just kind of relying on like annual testing and whatnot. So being able to communicate that and show show starts to show the value and the return on that investment. Right? Yeah. And I mean that’s probably the hardest thing for us. Like I’ll get it, I’m a nerd too.

Right. And it’s like, oh man. Trying to go from like your, your normal day to day nerd speak to like this is why it’s important is like so it’s so tough. It’s such an underrated scale. But I get it. Yeah, it’s fun. I find it fun.

Yeah, yeah, yeah, yeah. But, and I, but I think what’s encouraging is that, you know, like you said, we’re starting to see everybody start to come on board with this mentality and this notion and I think we’re only going to continue to see more and more products and services out in the market that, and partners like yourselves that can continue to come alongside companies and help get into this in this mode. I, I think you, you, you highlight on two things that I think are going to happen. I mean just, I just, you know, I’m not, if I were a betting person, I definitely bet on. I think there’s going to continue to be more regulation. We’re already kind of seeing that be signaled through like the SEC and things like that around. Just like what being able to report on your general security progress and posture.

I think that’s going to definitely start to have to happen. And then I do think and I, and, and that’ll either come through regulation or through the insurance market. Right. I think insurance markets are going to continue to drive more and more requirements from security teams. Right. I can’t imagine like two, three years from now where we’re going to start seeing insurance agencies.

If you want to get cyber insurance, they’re going to be like how many times do you pentest? How many times do you red team and it’s like that’s going to start providing discounts and all that, but yeah, well, and I would say I would even go take it a step further. Not just how often do you do it, but like, how, like, how effective are you being at like fixing the things that are found, you know, being able to report on that true improvement. Because anybody can get a test, right? Yeah. Oh, we did a pentest. We did. We did 900 pentests and they just came out to be Nessa scans too. But yeah, I guess we’ll have to see, you know, how good insurance can figure out the old, the old cyber.

Hopefully they do it better than the, than the CPAs. CPAs gave us SOCs..

Awesome. Awesome. Well, Dahvid, thanks so much as always. It’s always a pleasure chatting with you. You know, great topic. I think you’re super important and very insightful. You know, is there anything that you’d like to kind of share, like how people can learn about what you’re working on or where to find you and anything else you want to share with the audience? Yeah, as the sweet bar below says.

No, you can definitely reach me on LinkedIn. I love to help the community out in general and how to break into cyber and improve your knowledge in the realm. I’m a big malware dev, so if you have malware stuff that you want to talk with me, always happy to do so. Beyond that, I would feel ashamed if I didn’t call out my current company. Check us out at CovertSwarm. We are breaking our way into the US which is kind of cool, a ton of fun.

Beyond that, definitely check out PlexTrac if you guys aren’t already. Because, you know, shameless plug for you guys. But now, if you guys come out to DEF CON or Black Hat this year, feel free to say hi. I’m the guy with the Hawaiian shirt and long hair. I don’t know how many people are like that out there, but probably not many. It’ll be fun. Yeah, no, it’s always, always a pleasure. So.

Yeah. Hey, looking forward to connecting out in Vegas. Excited about everything that that’s happening. And thanks again for taking time out of your day to join us. If you’ve got any questions or comments, feel free to throw them in the chat. And thanks again for joining us on Friday. Enjoy the rest of your Friday and have a great weekend.