VIDEO Offensive Security Tips & Trends with JTI and PlexTrac Watch offensive security experts Jon Issacson from JTI Cybersecurity and Victoria Mosby from PlexTrac discuss setting proactive security priorities for the coming year while improving pentest reporting time, collaboration, and report quality. Series: On-Demand Webinars & Highlights Category: Thought Leadership BACK TO VIDEOS Transcript Alright. Well, hi. Hello and welcome to offensive security tips and trends for 2024 with JTI and with PlexTrac. Today’s awesome webinar is sponsored by PlexTrac and produced by actual tech media. My name is Jess Steinbach. I’m with actual tech media and I am absolutely thrilled to be your moderator for this webinar because I love this idea of setting a more proactive approach to security. We’re getting back off our heels, right? And we’re getting out on the offensive, and that is so exciting to think about. Now, today we have two top experts here with us to help us set up that strategy because it may not be as easy as we think. Right? We’re going to stop waiting, we’re going to stop reacting, and we’re going to start taking those proactive steps towards setting those priorities. Improving your pen test reporting times, increasing collaboration across your organization with that eye towards security and enhancing your visibility and reporting quality. All of these things are very possible for you and they can help you feel more prepared, more active and on the move, on the go. Ready to head into 2024. So that is, here we are, Victoria Mosby, sales engineer at PlexTrac, and John Isaacson, principal consultant at JTI. Victoria and John, thank you so much for being here with us today. I’m so excited for this fun and interactive chat that you guys have planned. I know there’s a lot to cover and live Q A. We got a lot to do. So Victoria, I’m going to hand things on over to you. Take it away. Sounds good. All right, so welcome everyone, and John, looking forward to having this conversation with you. This should be fun. It’s been a minute since I’ve done a webinar and this is kind of a good one to come back in on. So I’m kind of excited to see what was your 23 like, what you saw, and kind of how we can look forward to 2024. I think that maybe laid the groundwork for everyone and do a little bit of introductions of ourselves. I’ll start. My name is Victoria Mosby, an se here at PlexTrac. I’ve been with PlexTrac just over a year now, but my background in cybersecurity is rather broad and varied. I’ve done things like risk management policy and governance compliance, strategic planning for the DoD, and I’ve been in the mobile security space as well for a bit. So a little bit of column a, column b and column f through z. So really looking forward to kind of digging into things John, how about yourself? Cool. Yeah, thanks, Victoria. So I’m John Isaacson. I am a principal consultant with JTI cybersecurity and a customer of PlexTrac. So thank you guys for having me. But yeah, I’ve got somewhat of a varied background as well. I actually kind of am rooted in offensive security. Worked in a couple of us federal government roles toward the beginning of my career and then moved into some different technical roles. Was a product manager, ran a product security team for a little while, worked at a couple of big name companies. And then I think it was around 2020, around Covid time, when things changed for a lot of people. And also we had our first child, so things were just crazy and kind of reevaluated what I wanted to do and started a consulting practice that really focuses on using offensive security to help organizations protect themselves. So I’ve been doing that for several years now. So that’s us. And yeah, it’s been a while since I’ve done a fireside chat style webinar, so looking forward to the relaxed nature today. Yeah, same, but yeah. Cool. Go ahead. I guess you’re doing the slides, right? Yeah, I’m doing the slides. Sweet. I’ve got that duty. Yeah. Actually, I was going to ask, since you kind of started your own thing, are you liking that more than what you were doing before when you were more prescriptive and under agencies? Do you like doing more of your own work in offensive security? Yeah, there’s all the added running a business stuff that’s fun and keeps you up late at night if you’re not already up late at night. But no, I love it because working for an agency, the work was somewhat varied, but there was a lot of siloing, I guess, as you kind of run into in a lot of larger organizations, working in product and product security related roles was kind of cool because then we had a broader set of problems because we had all of our customers and our customers problems were our problems, sort of. But even then we weren’t really as hands on with our customers as I get to be now as a consultant doing my own thing. So I definitely love the varied day to day work and being able to solve all kinds of different problems and really have a hand in actually solving them rather than just kind of giving advice. As the big guy in the ivory tower at the vendor. Yeah. As a smee who doesn’t actually get to do anything, you can just say, well, you should probably do that, you should probably do this, but you don’t actually get the help. Yeah. Especially on the product security side of things. All of our offensive work was pretty much all in a lab against our products. Right. So we weren’t seeing a lot of variants in threats and the types of risks that needed to be addressed. And the classes of vulnerabilities were all generally the same. I love it. I absolutely love what I do. Yeah. Honestly, that’s great, because you’re in that more expanded role and you have to, for your customers, frankly, look across what’s going on out in the wild. That’s kind of why we’re here. We’re looking at what happened in 2023. What did we see across the different vulnerabilities and the different incidences and then taking that and trying to think forward, thinking for 2024 and even further, how can we be proactive? How can we set ourselves up for success and protect our clients, our companies, our ip, all of that fun stuff. So I kind of use that to segue into the agenda a little bit. I tried to be clever. Hopefully it worked, but yeah. So today we’re going to focus in on trends and threats from 2023. Plexrack did put out a blog, kind of looking backwards over some key areas. We’ll touch on how we can be proactive for the future and general tips and hopefully tricks from definitely your perspective, being out there in the field of investing in offensive security and how you can do that, well, rather it be with a product like PlexTrac or just in general, we want to make this more educational versus salesy. So with that in mind. Yeah, I was going to say, don’t worry, because I’ll be looking for plenty of tips and tricks from you. Also because I’m just one PlexTrac user. So you get to see how 100 other consultants like me and internal security teams and all kinds of different people work with it. So I’m actually interested to get into the collaboration side of things in a little bit. This is from that blog that I was supposed to read. Right? Did you, did you do your homework? I did. Well, okay. Yeah, I think I did. I think it was the right blog. Yeah. Do you want to run through these or should I run through these? How about we tag team? Yeah, I’ll start with the first one. Vulnerabilities and exploits are rapidly evolving because of AI. Yeah. AI is either your friend or your enemy, or somewhere in this weird nebulous space where it’s like both at the same time. It’s definitely one of those things for me anyway, that as much as I’m in cybersecurity and I’ve been doing cybersecurity in various forms and fashion since 2009. AI is still one of those things that I admit I struggled to conceptually I get it and I know how it can function. But making it say, be my friend personally is where I struggle. And that’s not to say that it can’t be. It’s just my brain has a hard time wrapping itself around it. And that might be my age starting to show, but it is wild. The type of exploits and headlines you see about AI starting to be used more heavily in attacks and things like phishing and fake sites and all those things. Well, I think the problems you described are the same problems that a lot of people have, is we all conceptually understand what AI is and how it works. And now, like with Chat GPT, that kind of threw in everyone’s face like, okay, if you weren’t sure what AI could do and what you could use it for, here’s one giant, super shiny use case that everybody can have fun with. And I think that was really a catalyst to kind of get people thinking about what they could do with it and what they could use it for. And then of course you’ve got both good guys and bad guys looking at it saying, how can I use a robot to make my life easier? There’s definitely benefits. I think across almost all industries there’s definitely things that can be done with it. And like you said, especially with phishing Chat GPT, the first big use case is we can have conversational AI now and we can basically have the computer generate text in whatever tone of voice we want or in different writing styles. You could tell it like, hey, write the following paragraph, but I want you to sound like a native latvian speaker. And so being able to do things like that, you can obviously see the nexus into phishing and using it to help craft really targeted phishing emails at scale. So yeah, I think that’s kind of the awkward stage that we’re in now is like everybody’s trying to figure out how they can best utilize it. It’s that awkward teenage stage in high school. That’s what it is. We know this is a thing we need to deal with, but we’re not quite sure how. And the other thing is, I’ve started using GPT and it’s a lot of fun and it does have guardrails built into it, but it’s not the only one out there now. You have other ones out there that are for any number of use cases I saw one recently for writing books. Yeah, people are doing all kinds of stuff with it. The guardrails are obviously there for a reason, but at first one of the big problems was the user interface had the guardrails, but the API didn’t. So bad guys figured out that they could start using the API and avoid the guardrails, and then they fixed that pretty quick. But I think one of their biggest problems as the AI vendors or kind of providers, is how do you remove the guardrails to make it useful to good guys, but not necessarily useful to bad guys. So there’s a whole bunch of different models that are out there on the dark web and things that bad guys can use, like worm GPT. But then there’s also sec GPT now, which basically uses GPT and it’s hosted by OpenAI and it’s made for security practitioners. So there’s a lot of guardrails that have been removed. But how do you remove those guardrails to help the security practitioners without also helping the bad guy? That’s going to be a major challenge for them. Yeah, it goes into just the general concept of a white hat, gray hat, and a black hat. It pretty much is starting to mirror that. You have the AI that the dark web has and they’re developing and they’re building. You’ve got the white hat, which is what’s being built, say, for security professionals and even actual bug crowd. Sorry, not bug crowd directly, but like bug hunters and stuff like that. And then you’ve know, just General Joe Schmo in the middle who’s just curious about it and maybe playing with it. So it is going to be very interesting, I think, honestly, in this year and the next, I’d say two, three years, if not sooner, how vast AI really starts to become incorporated into basically everything. And it’ll be very interesting to see how we can respond and proactively deal with it. Yeah, it will for sure. And I mean, I’m certainly experimenting with it where I can, and I’ve got team members that are helping me try to use it here and there, but I don’t want to jump down too many rabbit holes either, since I’m not an AI consultant, but I’ve got customers with various SaaS platforms and products that they’re actively working on building it into to leverage the benefits of conversational AI. And. Yeah, so it’ll definitely be very interesting to see what the legitimate use cases end up looking like. And I think it’ll probably be two or three years before we figure that out because we’re still in that shock and awe phase where everybody’s like, is this just completely eliminating anybody that does any kind of writing role? And we’re finding quickly that’s not the case at all. It is interesting to read something written by AI or produced by. Generally speaking, it’s pretty good, but then you start seeing wrong syntax and just things. That’s not how English works. Then again, English in and of itself is a very weird language. Yeah, and it’s the same thing with programming, too. What I found is that the biggest skill that everybody needs to develop using conversational AI is knowing how to talk to it and knowing how to ask it for things, because there’s some coding tasks that it’s exceptionally good at. So using it to say, like, give me a python script that iterates through this comma separated list and does whatever it’s really good at, helping out with things like that. But then if you have it do something more complicated, it’s crazy because it can write a lot of code and give you a fully functioning program or like a program that’s like 99.99% fully functional. But then the interesting thing is I’ve run into a couple of cases where the 1% part of the code that’s broken can be impossible to find. And then I’m like, all right, do you spend weeks troubleshooting it, or do you just write the code yourself, those pesky semicolons and spaces that you just can never find? That’s the thing. Yeah, but I’m not a developer, so I don’t know, other people might not have that handicap, but, yeah, no, it’s definitely interesting, and it’s definitely not going away, and it’s going to continue to be a hot topic as it evolves, for sure. Yeah, I would say, honestly, take the next two, because they kind of go hand in hand for me. So the average cost of data breaches in the United States increases to 9.48 million. So it’s interesting where they get these numbers from, because a lot of people might look at that number and just think, like, that’s not relevant to me because they might be in an industry where it’s more. They might be in an industry where it’s less. But what’s interesting, and I think we have a lot of the insurance companies to thank for this, is that the cost of a breach is rapidly becoming standardized to some dollar amount per record or some dollar amount per individual, because the insurance companies know exactly how much it costs to communicate the breach notices and to have legal counsel assess potential regulatory impact and to do a risk assessment and come in and do the mitigations. We’re getting to a point where we can more precisely, I guess, determine the cost of a breach. But that still doesn’t make it sting any less that the average breach. I love that the insurance companies got that figured out faster than the legislative branches figured out laws around a lot of cyber stuff. Yeah, well, I mean, hey, listen, they’re motivated to because they’re the ones paying the claims out, and that’s the legislative side. I mean, that’s a whole nother issue, which looks like it’s your bullet in a minute here. But, yeah, the fact that we can predict the cost of a breach doesn’t necessarily make it any less bad that it’s still, across a variety of industries, could cost nine and a half million dollars. When you talk about the impact of a breach, sure. I guess my thought there is, and this is not to say insurance, the cyber insurance is wrong. I think at this point most companies will agree that you need cyber insurance. There’s just too much out there that if you have an ip of your own or you’re a larger company with a lot of money and revenue and a product, cyber insurance is probably at this point just part and parcel with your normal insurances and everything else that you’re doing. But in my past life, in compliance and just considering things like FSMA and stuff like that, you were required to identify your risk, your likelihood and impact. What was the impact to you? So does that translate to what insurance says the impact is to you from a financial perspective? Like from a quantitative risk perspective, do they line up or is your insurance going to be more conservative because they want to pay less, or are you going to pay more to have higher insurance so that you can actually say, okay, if I say this is worth this much to me, I need the insurance to actually agree with that. Well, that’s an interesting point. You have to take a lot of these numbers almost with a grain of salt. And the insurance companies also, in a lot of cases, don’t, because they don’t need to quantify the impact that they’re not liable for. So if you’ve got like a relatively standard run of the mill breach policy, it’s going to be pretty limited in what it covers outside of, of actually cleaning up the breach. So reputational damage and future sales impact and all that kind of stuff, not only is that just hard to kind of predict and figure out in general, but the insurance companies aren’t super motivated to figure that out. It’s interesting because, unfortunately, most of these numbers are coming from the insurance companies, and they’re the ones that, I guess part of that, too, which is another trend that I’ve kind of unfortunately seen in 2023 and even in 2022. And unfortunately, I think we’ll continue to see it in some industries. A lot of companies are still treating cyber insurance like the same way they would treat general liability insurance, like they’re not really going the extra mile or worrying about things that they actually should be doing to reduce risk. And they just kind of say, like, well, I’m insured, and insurance is I pay for insurance so I can go do my business and not worry about these things. So I think a lot of companies are still kind of looking at it that way, too, which is mind boggling. Yeah, it’s kind of mind boggling, honestly. And I think it’s in a mentality, well, it hasn’t happened to me, so therefore, I’m not a target. I’m too small to be a target, or I’m not that interesting to be a target in a lot of ways. And I think we’ll get into this a bit more in the next slide when we look, like, forward thinking. But it is still kind of crazy that even we’re in 2024, there’s been, like, solar winds and MGM and all these other big name, very big incidences, and people are like, it’ll never be me insurance, and plenty of small ones, too. I mean, it’s becoming harder and harder for you to talk to small business owners who, I won’t say every small business owner that you talk to has been affected. But we’re getting to the point where everybody knows someone that has, and it hasn’t always been that way. But I do know that because of that mentality, and I’m sure it’ll shift at some point because cyber insurance is just going to become unaffordable at some point. But I know that because of the lack of implementing the controls that the insurance companies want you to have, and quite frankly, the controls that you should have. I’ve been hearing customers complaining about their insurance premiums pretty much doubling every year. Every year, when I talk to people, they’re saying, we were paying our premium was 40,000, now it’s 80,000. And the insurance companies are doing their risk assessment, and they’re saying, this is the impact and likelihood, and that’s what it’s worth to us. And at some point, people are going to say, all right, well, I can’t afford 80,000, so what do I have to actually do to get you to bring the premium down? Yeah, but I don’t think we’ve gotten there yet. No, I agree with you. It’s going to continue getting out of hand until it either plateaus or it just becomes so unaffordable, no one can afford it anymore. So they have to bring their prices down. But I think we could probably spend even longer just around this by itself, for sure. Yeah, we’ll go to ransomware. Ransomware attacks hit a record high, and I’ve already seen a bunch of questions about ransomware, but, yeah, I don’t know who didn’t see that coming. It’s been hitting record highs year over year. The cork popped. At this point, we’re just watching the sparkle. Just keep going. It’s not going to stop at this point. It’s not. Yeah. I will say this, the number of ransomware attacks and possibly even the number of successful ransomware attacks will probably continue hitting. And this is just my prediction. I’m not the smartest guy in the world or probably even in the room, but my opinion is that ransomware attacks are going to continue hitting record highs for some time. And that’s largely because the people that are doing ransomware attacks have done the same thing that most SaaS vendors do, and they’ve figured out ways to automate their trade and then they go sell it to other people that want to do the same thing. So there’s a whole marketplace of platforms now where you can go buy initial access or you can go buy lists of places with initial ransomware is a service. Yeah. So the fact that that exists and that that industry is continually growing, it makes it easier for people that could do this stuff to be able to do it. So it’s happening on a much larger scale. But at the same time, as we get better at protecting ourselves, I think the impact from ransomware attacks will hopefully start to shrink. And, I mean, I’m noticing that, fortunately, I’m really starting to notice that in 2023, especially with smaller customers that don’t necessarily have an it department and they’ve got managed security providers that are doing their it, I’ve noticed that now that the managed service providers are starting to take things a little bit more seriously, the blast radius and the impact from a successful ransomware attack may actually be shrinking in a lot of cases. And I think a big part of it is because that in a lot of cases, especially the larger, like the hospitals and the things like that it was because they didn’t have, or it’s not so much they didn’t have controls because hospitals in particular do have a decent number of security controls already in place. But it’s more so that they have a lot of bad practices in place. And all it takes is that one bad practice and that was the end. So it is definitely about being proactive and being better at enhancing and really looking at your risk posture and your security controls and what you’re doing, not allowing for waivers and just risk acceptances anymore and actually fixing the issues that are there or putting controls in around them. So I think that’s one of the bigger pieces there in terms of why ransomware has been so prevalent because people are now realizing, oh, my security is not as good as I thought it was. I just assumed I could put this in place or I have insurance and that’s all I need and we’re good to go. And ransomware is like, yeah, insurance plus waivers equals smiley face. And then they just keep going, yeah, don’t even get me started on waivers. Risk acceptances were like pretty much my life when I was working for a couple of agencies in the past. And the thing is forcing people to do, which this kind of gets into the next bullet, but forcing people to do risk, like legitimate risk assessments where they have to either accept, reject, mitigate, they have to take some action against risks that are identified. It has to be acknowledged in some way. Forcing people to do that in writing is a great thing because in the past if you had a conversation around cyber risk with somebody with a small business owner, for example, they’d be happy to verbally accept any risk that you could throw at them, especially if they have insurance. But then when you actually put a risk register in front of them and say, okay, so we’re going to accept all this stuff. Nobody wants to do that. Now in environments where you can have waivers that just became a non issue because they’re like, no, we’re not accepting it. We’re just getting a waiver. That’s totally different. But yeah, tightening that up so that waivers have to be legitimate and actually forcing people to do risk assessments and actually think about like, are we actually willing to accept this or do we need to do something about it? I think that’s certainly going to help quite a bit. Yeah, I mean, honestly, just to touch on the last two points, because I do want to get to the next couple of slides. The White House revealed another new plan for addressing cybersecurity. I think there’s been at least one every year for the last several years. That’s a good thing. That’s not me saying that it’s a bad thing. And then NIS releasing a draft detailing strategies for incorporating software supply chain security measures into continuous integration and continuous development. I believe that’s what CI CDs. I actually had to look it up because I hadn’t seen it before. Pipelines. Both of those go back to the. Okay, we’re not just accepting that you’re telling us there’s a waiver anymore. We are going to force you to quantify what is your risk. What are you doing to fix it? Or if you are going to waive it for some reason or accept it, what are the mitigating pieces you put in place around it to protect whatever that is or something? You can’t just do nothing anymore. You can’t just say, we’re going to stick it in the corner and bury it under other things. No one will ever see it again because someone is looking for it and they will find it. And then that’s their shoe in and yours route. So I do appreciate very heavily that we have guidance or at least some thought leadership at the federal level. And that does tend to trickle down into private sector, especially in key areas like finances, healthcare and things like that. But one, it’s ever evolving. It will never be fully perfect, but it at least forces the issue of a proper discussion, I feel. Yeah, for sure. The new plan for addressing cybersecurity, I’m totally on board and I like it. And without getting into politics or complimenting left or right or whatever, fortunately, we’ve been fortunate that both democratic and republican administrations have not completely ignored cybersecurity. So I think as long as I can remember, there have been forward looking steps that have been taken. There have been programs funded. We’ve got new agencies. So they’ve been moving in the right direction. But this new plan, I like this new plan because it puts drop dead dates, well, government drop dead dates, so you don’t have to grain salt in there. Yeah, but it puts at least some target date on when these things have to be done for federal agencies and for Department of Defense. And because a lot of the economy revolves around supporting federal agencies and defense, that’s going to drive a significant chunk of the commercial space to kind of follow those same target dates, and not even just the White House, but there’s other regulations that are popping up that have even been popping up before this new, I think it was an executive order, but all kinds of new regulatory stuff. And I’m not necessarily a huge fan of like, we should regulate everything. But for things like this, if you look at GLBA, for example, which is a rule that’s existed since 2005 or 2007 that basically said financial institutions need to have an information security program. And that’s been on the book since like five or seven. Again, somebody don’t quote me on it, but it’s something like that. But it’s been on the book since then. And then they basically reiterated it and made a new rule this year or last year, I’m sorry, last year? No, 2021, two years ago now. But they made a new rule and everybody’s panicking and they’re all like, oh my goodness, why are these new horrible rules coming out? And it’s like, no, they’re just telling you that you should have been doing this for ten or 15 years now. But the fact that people are getting, taking it seriously, putting dates on it and trying to get it done, I think is hugely beneficial. Everything has to be in policy. Unfortunately, if it’s not policy, if it’s not in writing, people are like, I’m not worried about it. And the good news is, as a lot of us know, offensive security is one of the most effective ways to protect yourself because it legitimately helps you illuminate and identify gaps that actually mean something. So not just you’re doing this because you’re doing this because you test it and it was broken. And offensive security like vulnerability scanning, penetration testing, all of those things are included and required in a lot of this stuff. So, yeah, that’s definitely a good thing as we move into 2024 that people are going to be forced, whether they like it or not, to do this very much. So, yeah. So I skipped us ahead because I know we are coming up in time and again, this is the joys of fireside. We just kind of go organically with conversation, but at the same time, you kind of don’t always with this topic. There’s plenty to chew on for a while. All good. But let’s quickly go through this because I do want to give you time to give how things been for you from an offensive security perspective. And maybe we can kind of tie these together. Tied all together. Yeah. But what I will say quickly and then I’ll turn it over to you for it is as far as for it, looking for 2024, the main area things is as lucid like know your attack surface. So that means getting in there and understanding where is my data being stored? What type of data do I have, who has access? How much of this is available via different avenues, like how easy is it to get to this data? Can it be accessed via the Internet? Is only internal, et cetera. Know your attack surface and look at the controls that you have in place to protect that. If you’re a smaller business, for instance, you’re not going to have a huge it team or security team, but you’re going to be utilizing obviously, programs like maybe say workspace or other email Microsoft or things that look at what their security recommendations are for your configurations and things like that. And just be mindful of who you give access to and how you give access. And then as you’re going through from there. Offensive security is a big key for going forward because again, yes, we have a lot of automated tools out there like Nessus burp and things like that that can do automated scanning, but unless you have someone to actually interpret that information and or someone who doesn’t just rely on automated tools, but has the expertise and the knowledge to dig in from real world experience and what they’re hearing out in the news, like an MGM hack or solar winds or other things, being able to take that information and apply to, does it apply here? Your automated tools aren’t going to do that except for if they have like cves to look at or look for. But your offensive security teams of people like JTI, they can actually get in there and look for these things and say, here’s your actual holistic and true risk posture. Well, and just to reiterate your first point, because that’s like the number one security control for literally every security framework ever, whether it’s CIS controls or NIST, TSF or ISO 27,001. Sock. Two, like literally all of them. The first step, which everybody looks at as an annoying admin function, is have a hardware inventory, have a software inventory, have a data inventory. And so when we start talking about those automated tools like Nessus and things like that, you can’t even really use those things effectively if you don’t know what to, you don’t, if you don’t know the extent of your attack surface scanning, part of it might help you fix something on that part of it, but you can’t protect what you don’t know you have. So I just wanted to reiterate that part of it because I can’t even say how important it is. It’s just one of those things that, number four, focus on security, not compliance. That’s not even a compliance thing at that point. That’s just understanding what do you have. And then look at the security around it. Compliance is just check the box of an assessment. That’s a form that goes over there. Yes, you have to do it, but that’s not the issue here. But compliance is built on you actually doing your proper due diligence and protecting your stuff. I could get on a real compliance rant on how compliance is not the enemy. Yeah, I’m sure you can. I’m going to jump us here because I do want your view on things, and I think a lot of what you’ll speak to in the next few minutes will actually touch on those kind of key items for 2024. Okay. Yeah, I think we’ve certainly already talked about a lot of the things that I like to rant about, but when we were talking about what some of the most important takeaways should be regarding offensive security outside of these bullets, the first takeaway is it’s a good thing. It’s a thing that everybody should do regardless of your size, because it’s super effective and it helps you prioritize. But also now it’s becoming required, which is even better. But in order for it to work, you have to define what success looks like. And part of defining what success looks like, again, going back to the last slide is knowing what your attack surface is. Because I have yet to come to an engagement where the IT team or the security team gives me the entire attack surface as the scope. Inevitably, we always go back to them and say, hey, we discovered these other domains and these other IP addresses and they certainly look like they’re coming from your buildings or pointing to your AWS assets. Is this in scope, out of scope? And they’re like, oh, we forgot about those. And I mean, that’s just like every time. But also defining what success looks like is important because look, there are a lot of companies where success for them is just tick the box. This is a compliance exercise and we try not to work with too many customers like that. Not to say that we push customers away, but the results of our engagements are typically viewed in a more positive light by people who actually care about improving security than people that just want to tick the box. But defining what success looks like is important because if your goal is to actually improve security and not just tick the box, then you’re going to potentially find holes and you’re going to have recommendations for mitigations that might be painful and difficult to swallow. But knowing what those things are going to do for security and knowing your customers priorities and how those things impact their business, because if you give them something from a penetration test or a vulnerability scan that you said, oh, we found all these critical super exploitable vulnerabilities in XYZ environment. It’s that environment, it’s a lab environment or whatever, that’s not really successful for anybody. And those findings don’t even necessarily help them that much. So just making sure that you’re aligned with the goals of your stakeholders, whether they’re internal, if you’re an internal security team, or whether you’re a consultant coming in and doing it, just make sure that everybody’s aligned on like, listen, we’re a company that makes brackets. This is what we do. These are the systems that we use to make the brackets. And if these systems go down, we can’t make brackets anymore. So we just need to know that those systems can’t be manipulated. Great, awesome. So that’s important. I’m going to come back to collaboration because I’m going to throw that in your lap, Victoria. So get ready. But control the chaos. The reason I wanted to bring that up is because especially with larger organizations where we’re simulating more sophisticated attacks and even like nation state level type of attack simulations, there’s a lot of chaos going on. Because not only are we potentially impacting systems and causing it people to run around with their hair on fire, but if social engineering and the employees are in scope, then we might also be making employees potentially uncomfortable, or at least they know something’s going on, which then causes people to breathe down it’s neck and it’s sort of just a circle of chaos and everybody’s sending emails and messages and it can be a very chaotic experience. That being said, as a penetration tester, whether you’re internal or external, you need to have just as good a documentation during chaos as you would if you were just sitting and doing your exercises for the OSCP exam. And tooling is critical to making that happen, at least from what I’ve found, and certainly a little plug for PlexTrac here. But a tool like PlexTrac is great for this because instead of writing rough notes in notepad while the chaos is happening and then coming back to them two weeks later and trying to fill in the meat, put the meat on the bone and turn them into a report, rather than doing that in PlexTrac number one, you can have PlexTrac configured to sort of structure everything, but also you can just copy and paste everything in there, whether it’s code, whether it’s pictures, videos of proof of concepts, all kinds of stuff so you can document during the chaos. But one thing I wanted to talk to you about, Victoria, before we spend a few minutes on Q A is collaboration, because PlexTrac especially offers amazing capabilities to be able to collaborate with your internal external stakeholders during an engagement. And these things are crucial to reaching success, especially when you’re testing the response of your soc or testing the response of your security vendors. You got to be able to collaborate to let the testers know what’s working and what’s not working. But I’m curious what your experience has been across your customer base with. How are people using the collaboration features in PlexTrac? And do you think there’s still room to grow for a lot of customers on the collaboration side of things? Because I want to see more of it, but I’m not sure if that’s just me and I’m just hungry for it or kind of what it looks like for some of the other customers that you deal with. Sure. So I’ll go quickly because I know we definitely want to get to Q and A, and I did see a lot of questions come in. Collaboration within PlexTrac happens in multiple areas, so you’ve got the collaboration amongst your team, so you can collaborate on building the report itself, track your changes, comments, go back and forth on notes. You can even save narrative blocks for future reports that you’ve created in one report, and you can plug and play it into another report so you don’t have to spend as much time on it. The other piece of that is being able to collaborate, as you said, between yourself and your stakeholders, or the people enjoying or not enjoying, but, well, I don’t know if they might enjoy but ingesting the findings at the end of the day via track changes and not sure your track changes so much, but finding statuses and substatus. You can create your own custom kind of substatus flow for your findings within PlexTrac so that you and your stakeholders can or ingestors can say, okay, hey, I’ve reviewed this finding, I think it is ready for retest or I’ve reviewed this finding, I think it’s a false positive. Can you validate on your side? You can have a back and forth conversation there. So there’s a lot of ways to collaborate within the platform. We also have integrations with ticketing services like Jira and ServiceNow, so you can issue these findings within an environment, say on enterprise side, and create a ticket within Jira and ServiceNow so that it goes to the appropriate teams to then start doing the validation working and all that, and then bring that information or status updates back into PlexTrac and change it. Say, hey, we’re now ready for you to retest this because we’ve made our fixes or we needed to revalidate it. And I forgot about the integrations. But those integrations are amazing because a lot of times when I initially start engagement, I might give the customer access to PlexTrac. But as we start giving them things to look at and see if they’re ready for retest or mitigation status, a lot of times on the customer side, especially in the it departments, if it’s not in Jira or if it’s not in service, like it didn’t happen, they won’t touch. So, yeah, I’m glad you brought that up. Hey, guys, I’m popping in. This is the music right at the end of the award ceremony. But I wish I didn’t have to play because, holy cow, this conversation has been so interesting. I forgot I was supposed to be moderating, which is sitting here kind of like sitting and absorbing. It’s been so fun. And I know the audience is getting a ton out of this as well because the questions, as you said, victoria, they are flying in. We are absolutely not going to get to all of these in the next five to eight minutes here, but I’m going to try to get into a few. And then I do want to remind everyone out there to keep the questions coming because we’re going to make sure that anything that you ask gets sent on to Victoria, to John, to their teams, so that you’re going to get answers back to any questions that you ask today. So keep them coming in. But jumping right in right away to our wonderful q a here. I think I want to start with this question here because it came in in a few different ways, clearly, and you guys actually brushed on smaller teams a little bit and smaller organizations. We got a few questions coming in about how you might approach this sort of offensive security posture a little bit more, if you would approach it any differently if you’re in a small team. And then also if there’s any tips or arguments that you could give to somebody that needs to convince whether it’s their small team or a small team that they’re working with to put that time and energy into this sort of security planning, what do you have for the folks out there that are in smaller organizations? I’ll go first. So for small organization. So for smaller organizations, rather be a small shop, mid size or what have you in terms of having to convince the powers that be that you need something. Show them MGM. Show them the latest hack. Show them just like, okay, now imagine if this is us, they have all of these resources to come back from this. They’re not going to shut down necessarily because of this. They’re going to have angry folks, sure, because they’ve lost data, but how are we going to respond to that? How are we going to survive a hit like this? Now you may not be able to convince them that you need a in house offensive security team, but that’s what companies like John has that can do those tests for you. You need them regardless of you’re doing it yourselves or you’re having someone come and do for you, because it is absolutely crucial in this day and age that something is done. You can’t just sit in your laurels anymore and do absolutely nothing. So if it comes to needing to convince, have a candid conversation of what happens to us if we fall into this scenario, if this happens to us, how do we respond? How do we, and I’m just, John just sent some links that I’m posting into our chat here with the audience. So if you aren’t watching the feed right now, folks out there head to the chat feed and there’s two links in there from John that might be helpful follow ups. John, is there anything else you want to add? Yeah, no, I was just going to say if you’re small, you still need to do all of the same things that a big organization or a big team would do, but that doesn’t mean that you need to do them to the same degree and using those links that I sent. And you might have to do some clicking around because they move stuff because they’re the government and they can, but they have a ton of free tools for small businesses to help with everything from putting policies together to planning incident response exercises to doing some of your own internal testing. So there’s a ton of resources out there that CISA puts out for small businesses to try to help you be able to do everything that a bigger security department with more people could do because you still need to be prepared if an incident happens and you still need to know where all your stuff is so you can protect it, so you have the same problems, just maybe on a smaller scale. John, I think that’s actually the best way I’ve ever heard that phrase, that you still have to do this. You just maybe don’t have to think on the same scale. Is, I think, the simplest. And it’s kind of like, oh, yeah, of course. What a wonderful kind of summative point there. I’m going to try to hit us with another bit of a summative question. I’m trying to combine like 15 questions into one sort of wrap this up here. I’m wondering. And so, Victoria, I think I’ll have you start here, because I’m thinking that you might be able to give us some insight into how PlexTrac can really help with this. And then, John, I’d love to hear your points or your viewpoint on this as well. I’m sort of looking for first practical steps. Everyone here, clearly, all the questions coming in, everyone’s really amped up and wants to talk about what’s coming in terms of both trends and technologies or threats and technologies as we approach 2024. If you want to give a practical step, or your top practical steps for ways that folks could make this transition into that more offensive strategy, what would that be? And how can PlexTrac help with that? I would say some of the early, easy steps you can take is having a properly documented process. Because as much as coders and hackers and security foes can be a bunch of chaos monkeys, we do need structure because things have to be repeatable. If you find something, you need to be able to say, this is how I found it. These are the steps that I did to replicate it. Where PlexTrac can help with that is allowing you to build out that checklist of what did I do in this instance? It can also help you with putting structure around that reporting process as a whole. So you have your test, you get your results in. So now it’s time to actually report it and actually bring it to your management or to the customer to say, hey, this is what we found. So PlexTrac can help with a lot of that, the reporting structure, making it easier for you to do reporting faster. Bring all of your data into a single aggregated space, analytics around that data, so that you can show that off to management, because we all know management loves their pretty graphs and pictures. And then again, I think one of the best practical first steps is that process. Determining what your process is for, working through your different exercises and engagements, and having that documented and you stick to it. Yeah, I agree. I know this sounds like overly pragmatic or maybe even silly, but honestly, the reason that a lot of the compliance frameworks have written policies and procedures at the beginning is because even if it’s a simple, like, three sentences or two sentences for each area. Having a statement that the stakeholders agree upon on what you’re going to do and how you’re going to do it is super important because people aren’t going to stand behind a policy that somebody else wrote using a template that they don’t agree with. And don’t make the same mistake that I’ve made lots of times. And don’t get a tool and then try to build your business around how the tool works. Have the processes that work for you and that work for your business, for finding the gaps and finding the holes and making sure that you’re able to plug them. And then find tools like PlexTrac to help you become more efficient at carrying out your processes. Doing it the other way doesn’t always end well. It makes you relying on the tool. And if that tool goes away or they change it drastically, then don’t build around tools. That’s great practical advice as this entire conversation has been absolutely fascinating and so many wonderful takeaways. Again, I wish we could keep going with this. I think we’re going to have to have you guys back on for each one of your slides. We could do an entire webinar on, so we’ll have to bring you back again. Before we go though, Victoria, I’m wondering, we’ve got some information up on the screen here, some sort of next steps and resources for somebody that does really want to learn a little bit more about PlexTrac and potentially get started. I saw some requests come in for demos. We have that linked in the handouts tab as well. What would you recommend as a follow up to this conversation? No, most most definitely. Please head over to slash demo. You can request a demo there. You can also take a look. We have a step through environment that you can kind of play around with. Walk through the platform a little bit to get a feel for how it functions, what it looks like. John, this wasn’t here. It’s a little newer, so I’m sure you would have had fun with it. You can still go back and play with it if you want. Also, the YouTube channel has a lot of good demo videos and short snippets of what you can do with the platform and get out of it. But please reach out to us at any time. I believe it is sales@PlexTrac.com. If you really want to get in touch with someone and shoot us an email. And John, if anyone wants to find you. Yeah, if anybody wants to find mean, we’ve got all the social media stuff. But JTI Cybersecurity.com is the best place to start because it’s got information about what we do and also contact page. Awesome. All right. Well, lots of great ways to connect with you folks, and I hope that for me personally, I’m hoping that we get to have you back on again soon because I would love to keep this conversation rolling. But I want to thank both of you for coming and leading us through this very interactive conversation and for sticking around to answer some questions. We are going to make sure you get the full list because I know we’re missing a lot of these today. But thank you for such a wonderful and very interesting conversation. SHOW FULL TRANSCRIPT