
The Red Teamer

2025/2/21

Hacked

People

Adam, co-founder of Push Security and formerly a red teamer at MWR Info Security
Topics
As a red teamer, I lived through the shift of the attack surface from the network, to the endpoint, to identity. At first, attackers went after the network: scanning ports and looking for vulnerabilities. As network security improved, they turned to endpoint devices, using malware and similar tooling. Today attackers mainly target the user identities that live in the browser, either by buying leaked credentials or by phishing.

The Snowflake breach is the textbook case: the attackers obtained access to large volumes of data simply by purchasing credentials. It shows that organizations need to put their security focus on protecting user identities rather than only on network or endpoint security.

Countering identity attacks takes several measures: stronger multi-factor authentication, stronger passwords, and better security awareness among staff. SaaS application security also needs attention, so that attackers cannot use those applications to get around the protections of the primary identity provider.

I founded Push Security to address the identity attack problem. Our product detects and blocks identity attacks in the browser and provides a range of protections, such as detecting password reuse and malicious links.

Phishing keeps evolving too: newer techniques such as adversary-in-the-middle and browser-in-the-middle attacks can bypass multi-factor authentication. Defending against them means continually improving security technology, for example with more advanced detection and better awareness.

Finally, cybercrime can be viewed as a supply chain: some people specialize in stealing credentials, others in buying and using them. Security has to be thought about across that whole supply chain to counter identity attacks effectively.


Chapters
This chapter explores the shift in attack vectors over time, from network vulnerabilities to endpoint compromises and finally to identity-based attacks. The Snowflake breach is highlighted as a pivotal moment demonstrating the dominance of identity compromise as the most efficient method for attackers.
  • Attackers exploit the path of least resistance.
  • Attack surface shifted from networks to endpoints to identities.
  • Snowflake breach: attackers logged in, not hacked in.
  • Identity attacks are cost-effective for attackers.
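The chapter summary above turns on one point: the attacker "logs in" with bought credentials, so the individual login looks like any employee's. What gives the spray away is the pattern around it. The following is an added example for this page, not code from the episode or from Push Security: a small detector over constructed SaaS login log lines that flags a source address trying many distinct accounts in a short window with mostly failures, and reports any success inside that window as a likely compromised account. The log format, field names, thresholds and IP addresses are all assumptions.

```python
"""Password-spray / credential-stuffing detector over SaaS login logs.

Added example for this page, not code from the episode or from Push Security.
The log format, field names, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events (not real data). One login attempt per line.
# 203.0.113.7 walks a bought credential list across several apps and gets one hit;
# 198.51.100.20 is an employee who mistypes once and then logs in.
SAMPLE_LOGS = """\
2025-02-21T09:00:01Z app=wiki user=alice@example.com src=198.51.100.20 result=success
2025-02-21T09:00:05Z app=wiki user=bob@example.com src=203.0.113.7 result=fail
2025-02-21T09:00:06Z app=wiki user=carol@example.com src=203.0.113.7 result=fail
2025-02-21T09:00:07Z app=mdm user=dave@example.com src=203.0.113.7 result=fail
2025-02-21T09:00:08Z app=mdm user=erin@example.com src=203.0.113.7 result=fail
2025-02-21T09:00:09Z app=crm user=frank@example.com src=203.0.113.7 result=fail
2025-02-21T09:00:11Z app=mdm user=grace@example.com src=203.0.113.7 result=success
2025-02-21T09:15:00Z app=crm user=alice@example.com src=198.51.100.20 result=fail
2025-02-21T09:15:30Z app=crm user=alice@example.com src=198.51.100.20 result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_spray(lines, window_seconds=300, min_distinct_users=5, max_success_ratio=0.5):
    """Flag source addresses that try many distinct accounts in a short window, mostly failing.

    Returns {src: {"distinct_users": [...], "compromised": [(user, app), ...]}}. A success
    that falls inside a flagged window is reported as "compromised": on its own it is just
    a valid login, which is exactly why per-login inspection cannot catch it.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    alerts = {}
    for src, evs in per_src.items():
        win = deque()  # sliding window of this source's most recent attempts
        for e in evs:
            win.append(e)
            while (e["ts"] - win[0]["ts"]).total_seconds() > window_seconds:
                win.popleft()
            users = {w["user"] for w in win}
            successes = {(w["user"], w["app"]) for w in win if w["result"] == "success"}
            if len(users) >= min_distinct_users and len(successes) / len(win) <= max_success_ratio:
                alert = alerts.setdefault(src, {"users": set(), "compromised": set()})
                alert["users"] |= users
                alert["compromised"] |= successes
    return {
        src: {"distinct_users": sorted(a["users"]), "compromised": sorted(a["compromised"])}
        for src, a in alerts.items()
    }


if __name__ == "__main__":
    for src, alert in detect_spray(SAMPLE_LOGS).items():
        print(f"{src}: {len(alert['distinct_users'])} accounts tried, compromised={alert['compromised']}")
```

Keying on the source address is the simplest cut and is what the sample shows; an attacker rotating through residential proxies spreads one spray across many addresses, so in practice the same window logic is also applied per ASN, per user agent, or from the target side (many accounts seeing a first-ever login from a new location within minutes of each other). The employee who fails once and then succeeds from her usual address is deliberately not flagged.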

Transcript

Adam used to be a red teamer. I entered the industry at some point as an ethical hacker. He would get hired by some big organization, and it was his job to play a part in a simulation, to play the role of an attacker.

We were basically the team that you would call in if you felt like your security was really, really good and you wanted to experience what it was like to undergo an attack from a really sophisticated threat actor. He shows up, tries to break in, and in doing so, reveals the vulnerability so they could fix it before someone else uses it. So we would very often simulate like, you know, Russia or China or whatever adversary someone has.

like a state government sponsored attack group. He had a really interesting way when he was describing his old job, because I don't know if you listened, but he was talking about how they used to get paid on a per milestone basis. So they'd get contracted by these companies and they'd be like, you have three months to try and transfer the money from this account, and we're going to pay you this exorbitant amount of money if you can do it.

And he's like, sure, great. 48 hours later, they'd have done it and be like, give us all that money. And they're like, well, we thought it would take you three months. And he's like, well, that's not what the contract says. And over time, he starts to watch this shift happen. You know, attackers always go to the point of the lowest friction, and so just going after the weakest link because you've raised the expense of an attack somewhere else. People in these roles often talk about the idea of, like, an attack surface. It's the sum of the different points where an attacker can get a toehold into a system.

And they're watching the attack surface of all these organizations they've been paid to breach start to change. In the early 2000s, that attack surface was the network. Securing it was like locking down open ports and stuff like that. Yeah, firewalls, infrastructure side, keeping the walls of the fort big and strong.

Then it starts to shift to the user's device, what they called endpoints. That became the battleground, the way you would get in. Then you got things like EDR, Endpoint Detection and Response, which is looking for malicious code running locally and grabbing it and containing the problem before it becomes an issue. And Adam starts to get this sense that he can see a turn coming, another shift in the attack surface from the network to the endpoint to the browser.

and specifically the identities that we use in the browser. The technical term identity, to really boil that down to something that most people understand, it's their logins, user credentials, login, password.

multi-factor authentication, things like that can build up and constitute one's digital identity in this case. And why would you spend heaps of money developing malware when you could phish, or even just buy some leaked credentials and immediately get to work? Last year, the world kind of had this aha moment in the form of the Snowflake breach. There was no lab developing malware, nothing that complicated.

Just an attacker who bought credentials to some identity, logged in, and got to work. And before you know it, hundreds of businesses are exposed based on just an identity in a browser leading to one of the biggest data breaches of all time. An identity that was purchased probably for a few cents on the internet. That attack surface had shifted again. When we were talking through this before we recorded and just kind of having a chitter-chatter, the...

He's like, why would you spend all this time doing all these complicated things, trying to penetrate through all these complicated security systems when you could just buy some creds on the Internet, write a few scripts, have it ping your Slack notifications when it had a successful login attempt. And he's like, go to the pub, have a beer, and just wait for your Slack to notify you that you've compromised a big international enterprise. After he gets back from the pub, Adam goes on to found Push Security.

They're our new sponsor. So disclosure, this is technically sponsored content. If that's not your cup of tea, no harm, no foul. We'll catch you in the next one. But we found Adam's story of this red teamer who saw a thing coming just absolutely fascinating.

I will say that this is, I guess, technically sponsored content. But, like, this is not contractual. We just wanted to talk to Adam. Yeah. Because, A, he's, like, a great guy to talk to. B, he's super legitimate. And, C, he's got amazing stories. So, like, we didn't have to make this episode. We wanted to make this episode. We think it is a good episode. Yeah.

Yeah, it wasn't part of the deal, but we wanted to do it anyway. So we sat down with Adam to try and kind of understand that evolution we're talking about, about how he learned to think like an attacker and where all of this goes next. So if you want to hear the story of a real high-level cybersecurity professional and their journey through this ecosystem, listen to this episode. It's very great. Let's get into it. This is our conversation with Adam from Push Security on this episode of Hacked.

We were talking about this hypothetical, which is there's a bad actor and they're trying to get into some kind of big institution.

financial, healthcare, whatever it is. And they're presented with this forking path, this choice they have to make about how they want to go about it. And I really like the way you put it. I was wondering if you could take us through that choice of how they would do that. Yeah, definitely. I mean, it came a lot from our background as a founding team. This is what we did. So we were...

offensive security team basically. We do attack simulations quite a lot. And we lived very much through this era of, you know, when I first started doing it, doing client-side attacks against endpoints just wasn't a thing. Like it was all about external perimeter testing, right? So you were doing things like port scanning and vulnerability scanning across public-facing infrastructure. And then that was like the wall you had to break through to get into the company.

And then as that got better and better and better, it started to, you know, it got harder and harder. And frankly, the tests got more boring. And so we went through this kind of approach where we were like, well, why don't we just hop over the wall? Like, why don't we just, you know, go and apply for a job on the company website?

We'll send them a CV, but let's embed a macro into it and get code execution and take control of the endpoint. And then from there, start jumping around inside the network. So we went through this era shift, if you like, where not just the exploits and the tactics changed, but it was like a whole MO change, if that makes sense. And we lived through that for a ton of time. And then...

As we started to come out of the back of, you know, a decade later, we've seen the shift again. And so we've been talking a lot recently about now everyone's very cloud and SaaS orientated. If I was an attacker today and I was going to target an organization today as it was, what is the most cost effective way to break into an infrastructure? Is it...

to go away and set up online infrastructure with a lab with all of the different EDRs and all of the different AVs and create EDR evading malware and C2 infrastructure that tunnels out via DNS so it gets past all the network traffic and all this different stuff and then compromise an endpoint and learn how to persist and then move through the network for months and months? Or is it better for you to instead...

take a list of the top 10,000 SaaS applications, write a script, which then goes through and like tries username and passwords and constantly takes clear text credentials off of a criminal marketplace that are up for sale and just sprays them against everything and logs in, right? And so if you think about it in that way, in terms of attacker ROI, it's like the second way you can

write this automated script, you go to the pub and you get a Slack alert or a message on a phone saying, hey, you've just compromised someone's MDM solution. You can deploy ransomware across everything. So anyway, we were thinking about this way and we were like, this is actually insane. This is the way that attackers are going to start to compromise organizations, and companies are becoming more and more supportive of that in terms of their architecture, which looks that way. It's very cloud orientated and

And that was why. And so for us, that's why it became like another shift. Just like moving to the endpoint was a shift, now moving to the cloud perimeter is clearly another shift that the industry is facing. Right. So you guys are targeting primarily, or saying that the target would be primarily, identity? Yeah, like, as in the same way that in that first era we were talking about, it was open ports on public IP address ranges and you would port scan them to find...

Now you're talking about identities, which really we're talking about user accounts, right? Yeah, credentials. And then, yeah, people say, okay, well, I don't get identity being the new perimeter because we've always had identity. We've always had credentials. The difference is they always used to be inside your network perimeter on internal systems, but particularly in the pandemic...

they all got just pushed out online. And so there's thousands of them sprawled across the internet under your company domain. And now that they're accessible, right? So there's billions and billions being spent on network security in your infrastructure.

the attacker is sitting at home targeting identities straight on the cloud. They don't even touch your network. There's no logging. There's no detection. The impact's just as high because there's a SaaS application for everything. You know, you can, even your EDR is SaaS, so you can just compromise that and you can use that to deploy ransomware across the estate. So,

This attack surface now is the new attack surface that companies are having to defend. And it's a big problem for the industry that I think needs a lot of attention. When we sort of started or restarted the show in and around 2020, just before the pandemic kicked off, just before all of that shift towards these

decentralized systems that we use to run our businesses. It did feel like so many, especially the big stories, the big crazy hacks, the nation state level stuff, they were security labs. They were funneling millions of dollars into R&D, all of these man-hours, to try and develop these compromises from nothing.

And it's felt like in those five years since, it's just shifted towards, oh, that massive catastrophic thing that happened, that was like a contractor of a subcontractor of a subcontractor who's like Microsoft Teams or Slack or something got compromised. Like it's just the way the stories are shaped has changed so much. Was...

Was that shift in COVID towards these more remote, decentralized teams, was that the thing that shifted this the second time, to borrow your framing? Yeah, normally whenever there's a big shift like this, it comes from two things. It comes from broadly a technology shift, right? So I think the first one, the first technology shift, was just when the endpoint thing happened, it was very...

independent workers, some of which were working from home and some weren't. And so, like, the endpoint sprawled out of this, you know, castle wall kind of approach, right? And people used to say, if you remember in that era, people used to go, the perimeter is dead, right? And that's because they were thinking about this castle wall around the infrastructure, and everything was in there and that was it, and you couldn't go around it. And then people started working from home, and so you...

the perimeter was dead because they sprawled outside, so you had to move on to the endpoint to keep hold of that perimeter. So that was the first shift that brought around, and if the profile of a company changes, then the attack tech, the profile of the attacks, change too.

And so yeah, I think then now everyone's moving to cloud. If you look at modern companies, their office isn't a network infrastructure, it's an internet connectivity to get you to a cloud infrastructure. And there's nothing in the middle. You don't need proxies, VPNs, you don't need any of those things. So the profile of a company is changing. And so therefore, the way that attackers need to target those companies are changing. So that's the first thing is as those companies become the default,

attackers need to think in a different way to attack those sorts of companies. The other thing I think is just literally about, you know, not everyone looks 100% purely like that. Some people are in that transition, so they might have originally been legacy and a portion of their infrastructure is

is like that. Maybe 20% of their company is like that, but because of the fact that the 80% is so well protected, because we've had a whole decade of building security controls around it, that 20% becomes the weak link. And so attackers will just go straight for wherever that's the easiest point, right? So I'd say, like, one, it's about technology shift and the profile of the company changing. The second is

the point of, you know, attackers always go to the point of the lowest friction. And so just going after the weakest link because you've raised expense of an attack somewhere else. So you came from a red team background. And so obviously that facilitated and built, you know, your perspective into this attack surface. You know, what really got you here? What really made you think this way and come up with a solution? Yeah, so I've always loved...

security. I actually don't know why. When I was a kid, the idea of taking stuff apart was really interesting to me for some reason and it just happened. It sort of evolved into security and finding ways around different things. So

Without giving you my full childhood upbringing life story, I entered the industry at some point as an ethical hacker, I guess, was the thing. And it was a really special company called MWR Info Security. We're in the UK. This place was incredible. I think the average age of this company was like 20 or something, maybe younger, like late teens. Just a ton of really smart engineers who'd come out and just found their own way, like learning how to break systems and stuff.

So it was a very research-led type company. We were always breaking the boundaries of what would need to be done. And that's the kind of culture you need in that sort of company, right? Because bear in mind, you're really going up against huge behemoths like Microsoft, right? People who've built these big security controls to not be subverted. And you have to think outside the box to get around them. So everything you're doing is always going into the new. It's always going into the unknown. It's always trying something that hasn't been tried before.

So it's a research organization and I was there for about a decade or so. I was employee 15, went all the way through to, I think we were about 400 when we landed, which is for a service company, it's pretty big given it's all service orientated. And we were just doing things like

We were basically the team that you would call in if you felt like your security was really, really good and you wanted to experience what it was like to undergo an attack from a really sophisticated threat actor. So we would very often simulate like, you know, Russia or China or whatever adversary someone wanted, like a state government sponsored attack group. And so we do things like rather than it being like a day rate,

companies would pay us a fixed fee over a fixed period of time and it would be goal orientated. And they might say to us, look, we want you to transfer this money out of this account or we want you to get access to a secret project. And it was in our interest to achieve those objectives as quick as possible. So very often we'd be given a three month timeline. 48 hours later, we had full control of the whole company. You know, it was like Ocean's Eleven kind of style attacks, right? And don't get me wrong, it had its fair share of

application testing and writing reports as well. But what we were known for were those high-end red team offensive security engagements and the research we did. Yeah, that's what we were really known for. And so that was the background we came to. And then that company got acquired. We left and my founding team and a lot of the core members, we started off Push. And that was really the mindset. We're like, okay, well, we've lived through this era shift of people moving to the endpoint.

what now? Like, what's going to happen next? And we decided to get ahead of the curve, and we could just see that identity attacks were going to come to the market. So it was really interesting though, because I will say we had a bit of a shock when we came to the real world. Because to us, like, doing an identity attack was just so obvious. It was like, yeah, of course this is going to happen. I mean, it's completely unprotected. You can just compromise identities in the cloud and take full control. If I can buy keys to the front door, you know,

wouldn't it? Yeah, exactly. It's like we couldn't not see it, you know? And so we were like, wow, this is great and this is the next big thing and we went out and we published research and we were talking at conferences. We were on podcasts, in fact, talking about this and saying about how this big problem was going to happen and everyone was like, oh,

Yeah, that sounds like it's going to be a future problem. At the moment, I'm trying to deal with this stuff. So I think at the time when we first spoke about this, people always found it very an interesting theoretical future, right?

And the mindset in the industry, understandably, not everyone's a red teamer, right? But understandably, it's like everyone was thinking about Microsoft 365 is the thing that I've put online. And that is the keys to the kingdom. You know, that's the identity that matters. If someone hacks into Microsoft 365, they can therefore get down into every other application behind it. You know, it's true for insert here, Okta, etc.

Google Workspace, whatever you use, but the primary IDP is what I'm talking about. So the mindset was very much that that's what matters. All the little applications on the outside don't matter so much. And we were saying, well, actually, if you think about the traditional network perimeter, that's a bit like saying, look, I've got 400 hosts on the internet.

But as long as I secure my VPN and my website, I'm all good. But every time, the way we'd get in was the little development server stuck on the side somewhere that had a vulnerability no one knew about. And we'd use that to pivot through the DMZ and break into the whole infrastructure, and then just come back on the website and the VPN endpoint and everything else. So yeah, I mean, history just sort of told us that this was true. And we did lots of research into showing how you could compromise a trivial application and move laterally from that application to

through, and people found it very interesting. But really, July last year was the point where everyone woke up, and what happened there was, I think you spoke about this before on the show, so just a refresher for people: Snowflake's big, important database. People are fighting off attackers on endpoints all the time. Attacker comes along, buys some credentials off of the dark web, in clear text, that were up for sale from a, you know, a prior campaign

and logged in. Like, that was the attack, you know, basically. Big, sophisticated. Yeah, exactly. And there was a huge awakening where all of the research that we've been doing, all the things we've been talking about, we had a lot of people come back and go, hey, okay, we get it, you know, there are other identities that are out there now. And for us it was, it was a good time because, like, we're in this to improve the industry, right? We're not in this to

you know, like, we didn't sort of inherit a product and a company and then we're trying to work out a way to get people to buy it, you know. It was like we saw a problem that was coming and we've been working away to figure out how is the best way to solve that problem. And because of our research background, it's just built in us to sort of research in this way. So talking about it for a long time, it was rewarding, I guess, in the same way that

I imagine it's like what an environmental activist feels like, you know? Like you're sitting there and you're telling everyone that a comet's coming and no one will quite listen to you. And then the day the world's about to turn to cinders, you're probably sitting there going, oh my God, the world's about to turn to cinders, but yes! Now you get it. This isn't good, but I told you. Yeah. Oh man. Yeah, that's great. Because the other thing too, like...

password reuse. So like when it comes to identity and credentials, like one thing we've talked about on the show a bunch is that like a lot of people reuse their passwords. So it's like a credential for one system could be a credential for a bunch of other systems. And I'm sure that, you know, facilitates the opening of so many doors in the cloud space. So yeah, a crazy number. In fact, we see that in our, in our data now. So yeah,

It's well over a third of passwords are reused across all places. And it's problematic because if you look at the traditional domain, when you're hacking Windows or Active Directory or whatever,

you would break into a trivial server somewhere, and the first thing you do is pull all the hashes off and spray them across everything else in the network, and so it turned a single compromise into mass compromise in one go. Credential stuffing, you know, is exactly the equivalent. I mean, you don't get hashes, obviously, but a clear text password against one, you know, I've just broken into a wiki. Who cares about my wiki? Well,

you know, it's not that big a deal. But if you take that and then you spray across every other application on the planet, you get access to another 50, now it matters, you know. It's really a big deal. So yeah, we've been talking about that since, I think, Ashley Madison. Yeah, was the first time we started talking about it, because I think the salt, or they were unsalted, or they had, like, a very basic salt that was also exposed in the hack. So essentially the password database was cracked, like, really quickly.

So all of a sudden there was all of these identities kicking about and we've been chatting about that for years. So I remember that. Yeah. I mean, I'm curious for your take on that then, like you spot this era shift coming, right?

You spin up this project to try and address it of like everything's shifting identity. That's going to be the new vulnerability. Snowflake happens and everyone goes, oh, yeah, this is this seems like a really big problem. But at the heart of it is those leaked credentials, those marketplaces where people can go buy this information. And that's sort of like the easy foothold into these systems. Did you watch the development of those marketplaces? Like what is your sense of these spaces where people can go buy these credentials on mass?

Yeah, it's a good question. So that is kind of an entire parallel industry, like the in both ways, both from a criminal industry perspective, but also a cybersecurity vendor perspective, which I would say is adjacent to us. Like we make use of that in our solution to try to help solve some of the problems. But

It hasn't been something I've kept an eye on growing, if you see what I mean, because it was parallel to us. But the reason I say that is because they really, if you think about a sophisticated threat group,

they kind of break themselves into teams. Like, you've always had an initial access team, like somebody who sits there writing exploits and finding ways into companies. Like, they might write a browser exploit all day that's never been seen before. Like, someone else will write an implant, and then you'll have a team that take the implant and the browser exploit and they'll gain access and they'll get a foothold in the organization.

And then you'll have a different team that will come in behind that will actually go and achieve action objectives and they'll start to move through the infrastructure to actually get to the data they wanted or deploy the ransomware or whatever they wanted to do. So it's kind of in batches like that.

And it's similar with the criminal marketplaces is that you'll have one person's job who it is just to go off and just harvest credentials from all over the internet. So it could be phishing, right? They just phish people en masse. It could be that you're hacking into, I don't know, Ashley Madison, like you said, and just pulling out all the clear text passwords and just stick them up online. And their part of the supply chain is steal credentials and put them up for sale. That's it.

That's all they have to do. But there's another half of the supply chain of people who just go, let me buy some credentials and use this to go and log into everywhere else. So they're two halves. So the people that put the credentials up online are a different group often to the people that take them and use them against different places. I think you're the first person I've ever heard discuss the cybercrime issue.

thing as a supply chain. You're the first person I've ever heard talk about it like that. Yeah, like, it's like we all have a role to play, and it's like some people specialize at this role, you know, harvesting usernames and credentials and selling them to other people who will take them and use them. I've never heard anybody refer to that as a supply chain, but it is. It is a supply chain.

It literally is. Yeah, I mean, because you think a lot of the times, it depends on the group, right? There are different profiles of groups, like a nation state actor. They're all going to be, you know, employed people in one organization, whereas criminal groups tend to be much more distributed. So sometimes you have, like, solo contractors whose job it is to write just a Windows driver that allows you to embed itself into the operating system. And that's it. And then that one person will just feed it back up

to a malware author. And the malware author's job is just to write and keep this malware up to date all the time. But that's very, very different from the 10 threat actors they then pass malware to, to actually use it to go and infect people and keep going. So I suppose it's not the same as just a normal criminal group, right? You have mules, you have people who, yeah, there's just different roles in a big organization. That was something that struck me. We've done a couple stories where

I get a good sense of what one of these operations is kind of doing. You interview someone, they explain the organization of the structure. At a certain point, you go like, this is just a company. This is just a large, this is a mid-sized technology company that's goal is just

much shadier than the rest. But it has the org chart, it has management, it has suppliers, they seem to have vendors, they have raw inputs and material. It's like someone's smelting aluminum into poles or something. Like, it's just a business. So, like, the whole shifting into the cloud, and, you know, identities being sprawled out across the internet, is a fairly recent thing that's happened in the last few years. So that's really broadening the attack surface quite significantly.

But as I said, the actual identity attack, like the way you do it, hasn't really changed from decades ago. It's like brute force attack, credential stuffing, phishing. It's all the same stuff in terms of actual credential access. But the reason it's always been a big problem, even when we were focused on incident response and the infrastructure era, even then we were saying that identity attacks were...

probably one of the biggest problems that we're going to face the industry. And the reason that we said that was because when we were, so one of the things after we did offensive security, just to give you context here, we were doing detection response and we were doing incident response. So we actually flipped over and started running an MDR service where we were watching attacks happen. And it was really interesting because you had ex-Red Teamers

And it was really cool to see how effective they were at doing a detection response because you'd see an indicator and be like, I know what you're going to do next. And then you'd actually be ahead of the attacker and it made it kind of an interesting battle. But anyway, point being is that we would watch these attacks play out

And it was really effective when the attacker compromises an endpoint because what they're doing on the endpoint is stuff they shouldn't be doing, like injecting into a process or dumping passwords from memory or whatever, like stuff that was malicious. And the EDR could quite clearly tell the difference between what is normal and what is not normal. But the moment an attacker steals a password and they move into identity,

It's really hard to tell the difference between the attacker and the employee. Obviously, you can see the point they stole it off the endpoint, but let's just say you were just looking at the identity, like the logs. Sure, yeah. All you're seeing is a login. Yeah, and so you're at this point now where someone logs into an account. Like if you just saw that bit, someone logs into an account and they delete something from a database or they delete a file.

Now, was that a user logging in and doing that because they wanted to? Or was it an attacker logging in and doing that because it was malicious? And the difference between those two, you can't tell from data because...

they literally are the employee. They've stolen their account, they've taken it. So the only difference is intent, and you can't measure intent through data, if you see the sort of thing I'm saying. So we were like, well, this is a big problem, and this is why I think actually prompting the employee to say, hey, was this you, is a key part of doing identity attacks. And I think that's somewhere that the industry really needs to go as we start to solve some of these problems.

Sure. So like whenever I make a transaction or something and get the little ping up on my phone, that's like, hey, did you actually do this? Yes or no? That's the, like, verification step that I am who I am. Exactly. Yeah. So, hey, this malicious action was just confirmed. Yeah. Was this you? Like a fake prompt to make sure that happens and authenticate some of that?

As far as phishing goes, what are you seeing for the level of sophistication and the level of... How has that grown in the last 10 years from what used to be a generic email and whatever it used to be 10 years ago to what it is now? Because I'm sure it's much different. Yeah, the core, I guess...

as I said, phishing and everything haven't changed a lot, but the way those are being done has evolved quite significantly. And so, for example, what we're seeing now is a huge rise in what are called adversary in the middle attacks, or AITM, basically. Somebody did ask me whether that was a gender-neutral man in the middle attack at one point, which it's not. Yeah.

But yeah, it's adversary in the middle. So it's a slight variation. So the concept's the same in that you are still a man in the middle. But we refer to it, the best way to think about it is like phishing 2.0. So in phishing 1.0,

your goal as an attacker is to steal credentials, username, password. So really what you're doing is setting up a clone site that looks like a legitimate one, sending it to a victim, the victim enters their credentials and you walk off with a username, password. Now obviously MFA was shouted as the big thing because now I can't use those credentials.

And that was the reason that happened. So AITM has come out of this increase in MFA effectively, and it allows you to bypass MFA. The way that Adversary in the Middle works is you don't get someone, a victim, to log into a cloned site anymore. You get them to log into your actual site

like to the actual, say, Microsoft 365, but they proxy it through you, if you see what I mean. So you effectively set up an attacker proxy. Yeah, exactly. You tunnel it through and you say, hey, send them a link. They connect to you. You fetch the page. You give the page back to them. Because you're in the middle...

it allows you to intercept everything, including the session token and the MFA. So then you can actually get around it. And there's lots of clever ways to make this happen. Like one of the ones that's become quite popular is what's called a browser in the middle attack, which is a subcategory of adversary in the middle. And what happens with that is you set up, you're familiar with VNC, right? Like for remote desktop viewing. Yeah, of course. The idea is I set up a server on the internet

that I control as an attacker. And when I set that up, I open up a web browser and I browse to the target, say, Okta or Microsoft 365 page. So now what I've got is a server VM online with a browser that's open. Yeah, exactly. So then I can obviously come in and remote desktop into it. And what I end up with is a window on my desktop that shows the target page, right? Now, fortunately or unfortunately, depending on which side of the fence you're on, there's now like JavaScript libraries that allow you to run noVNC inside the browser. And so what we see attackers do is

basically run, you have a browser window and you send it to a victim, and they open it up and they see their fully branded MFA login, which is actually their login page. But when they enter their username and password into it, unknowingly, they're actually doing that on my server, and I can just watch it happen. I can pull everything out of it. So they're the sorts of modern attacks that we're seeing now happen, and bypassing a lot of these different attacks. Beyond that,

those attacks are starting to become a lot more well known. More recently, we've seen an evolution in detection bypasses. And what we're seeing there is that still the main delivery vector for phishing attacks is email. And so the attacker would send in one of these phishing links, like whatever technique it is, whether it's phishing 1.0 or later,

You send the email into the victim and the email gateway or proxy will scan the email and look for a bad URL. Now, obviously it can check for domain reputation, if it was recently registered and all those kinds of things. But those are quite easy to bypass. You just buy domains that have been registered for a long time with a good reputation and all that stuff. So what you're starting to see is they will actually take the link and go follow the link and query the phish kit itself to get a lot more information.

So we're seeing attackers just doing stuff like simply putting up bot protection in front of their phish kit, right? So it's like they've got reCAPTCHA in front of it and you've got to send particular GET parameters to it. Some of them are even...

presenting you with a login page and getting you to log in first. And if you enter a domain that's not the target company, it will just redirect you off to like a Microsoft Live login, like something legit. Whereas if it is from the target company, it will return the phish kit. And you start seeing stuff like that. So you're seeing these things just bypass these phishing detections altogether and completely. And even if they, you know, the victim forwards it off to their IR team and they log in, they're like, oh no, it looks like a legitimate thing, carry on.

you know, and that kind of stuff. So they're simple techniques, but really powerful. So the detection system is trying to fingerprint the phish kit, but the phish kit has actually fingerprinted the detection technique. And it's like, when it is coming through, it just goes, no, we know what you are. Like, you go over here and, like, this is legit content, like, piss off.

Yeah, exactly. So you're like, it's like, oh, this is not a human querying me. Return a friendly page, basically, to get around detection in that way. Smart. Yeah, so we're seeing that a lot more. We're also seeing a lot of phishing just avoiding email altogether. So people phishing people on...

you know, LinkedIn messenger. Obviously SMS has been a channel that had been happening for quite a long time. But yeah, you know, you can drop phishing links anywhere. Not just DMs have been filling up with phishing links more and more and more, like, over the years. It's like I'm constantly getting flooded by stuff that's just not real. Yeah. I actually saw a message. Sorry, I'm just pulling it up out of my Slack. I said it to Jordan this weekend, but,

The FBI had come out, I don't know if you saw this, saying essentially don't open any links in Gmail. Apparently there's tons of AI-powered phishing attacks attacking Gmail accounts and essentially don't trust anything inside of your Gmail. I'm not sure if you saw this link or this article. I didn't. That sounds like an internal security team's nightmare. Like all employees everywhere not clicking any links. Totally. Yeah.

But just, like, imagine how many Gmail users there are. And if people have targeted Gmail as, like, the host to attack, then, oh my God.

Yeah. I feel like there isn't a platform where you can receive messages that isn't just inundated with those links. I think we've done a few episodes on people hacking games, people cheating in video games. And it sounds like if you are under 18 and in Discord, you are just the recipient of more phishing attacks than I can possibly imagine. And it makes total sense. It's like, is it the most knowledgeable audience?

Thankfully, it's all to steal crypto. This is true. As long as you stay out of crypto. Yeah, that's right. Exactly. Yeah, and it's interesting you say that because I don't want to get too far into the future here, but hey, apparently we keep doing that to ourselves anyway, so why not do it again? Why not? One of the things we were thinking about, obviously, is like OpenAI Operator got released the other day, and you've seen this agent runs inside your browser that uses your browser for you. The example they give is like, hey, here's some food. Log into Instacart.

and go and add all the ingredients and buy it for me just in one go. Really exciting. But obviously, our mind just went straight to, ooh, how are attackers going to abuse this? Now, I'm not talking about weaponizing Operator itself, because no doubt they build lots of safeguards in to stop things from happening. But that broad technology, and as you start to see open source versions of it and stuff like that that don't have any of those guardrails,

you can kind of scale up those out of email type attacks quite a lot. So imagine, for example, saying, find the top 10,000 most popular subreddits, get involved in the conversation and then drop a phishing link or like, I don't know, connect on LinkedIn Messenger to everyone from this company, talk to them for a few messages and then drop this phishing link and that kind of stuff. So I think those sorts of things. Be really cordial. Yeah, I can see that. Yeah, make friends with everyone.

I'm sure you could write a LinkedIn recruiter bot that just, like, was like, hey, you know, we've got some jobs, and maybe just flood people, and like the link would be a phishing link and you'd get a boatload of clicks. Exactly. Or like, come on to the Hacked podcast, pretend to be CEO of Push Security, and then drop my phishing link at the end. Yeah.

You have the ability right now to pull off the greatest prank ever. Might cost you a lot, but you could do it. So it sounds like it's,

We talked a little bit about Discord and these other platforms, which are basically just skinned websites. It sounds like this new era is taking place inside of browsers. These vulnerabilities are taking place in browsers. People are using these credentials and these identities entirely in browsers. Talk to me about the idea of the browser as the attack surface that we're currently living in. Yeah, definitely. Full disclosure, this is obviously what we do

in our product. But the reason I feel okay talking about this is because, as I said before...

we didn't sort of inherit a product. Like I didn't just get given it one day and then be told, oh, how can you position this in the best way possible so that some people want to use it, right? It was much more we came at it from a problem of, okay, identity attacks are becoming a problem. We sort of feel a duty to the industry to do this because we've been on the front line defending against these attacks for a long time. What's the best way to solve this problem? And we tried all the ways. And what we landed on through our R&D efforts over multiple years is that it's got to be inside the browser, right?

And it makes a ton of sense, right? Because if you think all those sprawled identities that are out across the internet, you know, you can't just vuln scan them. You can't just enter your public IP address range. You can't write a script that brute forces en masse permanently all your employees' credentials, hoping you get the username password combination right and reporting about what identities exist. So what do you do? I mean...

the thing that all cloud identities have in common is they traverse through the browser. So we were like, well, this is a really effective, you know, enforcement point effectively to draw telemetry from the browser. And you can start to see employees as they create and use identities and then therefore you can map them all out, right? So it was the obvious place to think, build a solution. Also, because what we were talking about, about the phishing attacks, as they start to move out to different channels,

wherever you click a link, from any source like email or anywhere else, you visit it, and at some point, even if it has all the bot protection in it that we were talking about before, at some point it initiates the payload. The phish kit renders inside the browser, and then you can block it, right? And you can block it based upon the phish kit itself,

but you can also detect employee action. So detect type events and determine, before they press enter, that they just entered a critical password, like their SSO password, into it and stop that from happening. So for us, it was like, it just made so much sense to go there and to enforce and solve this kind of problem inside the browser. For us, it's just a really, really powerful way to do this. I think coupled with, as we were talking about before about,

architectural shifts. Like some companies we started, if you look at Push, we do 100% of the work in our browser. I think the only desktop application I have is Zoom and it really frustrates me there's a desktop application because why doesn't it run inside the browser? But other than that, maybe Slack as well, optional desktop application. Everything's inside the browser and

And so moving into the browser and doing security in there seems to fit the way that companies are progressing as well. So yeah, that was why we decided to go there. Yeah, it makes a lot of sense. Lots of those apps like Slack and Notion, they're all written in something called Electron, which is essentially just like a HTML CSS plugin for like Swift apps and stuff. So they're actually all just web browsers. It's the way, isn't it? It's the way it's going. Yeah, it's like when people deploy Chromebooks is always the time when I, that's when I really think about

that, right? Because that's like the purest version of what we're talking about here. Yeah. Because if you get a shell on a Chromebook, it's read-only, there's no files on it. You can't really move laterally. What you can do is talk back out to the internet. So the whole attack vector is inside the browser. Like, you know, that's very pure of this world that we're talking about. But anyway, diversity. I think that's really relevant because that...

That you can literally use a computer that is a browser and function in the modern world tells you how much of the modern world occurs entirely inside of a browser. So I guess, I mean, in simplest terms, like what is it then that push does?

Yeah, so push, we exist to stop identity attacks. We're totally focused on that. And so really it's anything to do with account takeover, which is your user account being compromised. Now that could be phishing. It could be identities being sprawled out across the internet and actually mapping out where those are and locking them all down.

We even sort of determine, we can determine whether someone's using their password manager and if they're actually clipboard pasting their password all the time and which password manager they're using or if they're syncing it back to their Chrome profile. So anything that could result in a user's account being compromised is what we focus on. I guess the technical version of it, if you like categories, which we get forced into is ITDR, which is Identity Threat Detection Response.

I think that's a name that we try not to use categories. We think about what problem do we solve and we go solve that problem. But, you know, some people, it helps them categorize and think about where we sort of sit. You mentioned clipboarding passwords out of password managers and bringing them over to the browser. Is that a vulnerability? So, I mean, people copy and pasting it from, I mean,

If you think about account takeover, there's someone entering their credentials into a malicious phishing site, but you've also got to think about exposure. So if someone's storing it in a place that's not...

good, like clear text stuck on a document somewhere, that's not ideal. And so the reason that we can encourage people to use a password manager is effectively a vault to safely store them. So the reason we're detecting clipboard paste is because it's pretty obvious that someone's just pulled it out of a document or off of a local notepad. And then we're just pasting it straight out of a Slack message.

Exactly. Yeah, or I have a Slack message. So we obviously only have the context at the point they enter the browser. So we can't tell at this stage where it's being clipboard pasted from, but it is just good intel to be like, wow, there's a critical account, like an AWS admin account, and someone's clipboard pasting it in regularly. Probably should go and have a word with that person and see how they're handling passwords.

The other thing, too, is the clipboard is account accessible. So anywhere inside of the account, it's like a universal memory register. So it's not secured. So if there's a password sitting in there, any of the applications running technically have access to it. So if you were copying and pasting passwords through your clipboard, you're kind of sharing it to every other piece of code on your user account. So there is technically a vulnerability there, but you'd be...

hard pressed to find somebody smart enough to write a way to exploit it well. Maybe we have him here.

It's funny, talking about clipboard pastes, this is a complete tangent, but it just made me think about it before you were saying this. Did you see, I can send you the link after, you see it, but there was a phishing attack that got shared around a couple of months ago. It was really bizarre, but really, you have to give them top marks for creativity. And basically what happened was it was like a phishing link to a GitHub page or what looked like a GitHub page. But when you landed on the page, it popped up with a reCAPTCHA prompt,

but the reCAPTCHA prompt was written in JavaScript, and it said

like these different combinations. You had to go Command-C. Yeah, Command-C, Command-R, and then Control-V, Enter. And it popped up and said, thank you, you've done recapture and let you in. But what it had done is when you visited the site, it injected PowerShell into your clipboard. So when you then Control-C'd, you pulled it out of the clipboard. Yeah, Control-R, run it. Exactly, then you run it locally. I mean, it's like someone probably fell for that and they've never told anyone.

anyone because it's such an unfortunate thing to fall for. But I was just like, yeah, I just thought for creativity, I was like, hats off for, like, trying, you know. Yeah, but this is like, that's even, that's a good thing. Like, so the JavaScript itself wrote to the clipboard, so JavaScript can probably read from the clipboard. So if you've got passwords hanging on your clipboard, websites can read them too, I would assume.

Yeah, I don't actually know with that. I know there are clever models built into the browser. I need to look into it. I would hope that there are protections for pulling them back out in the other direction. I think it might be read-only and pushing in one direction, but I might be wrong about that. Yeah, me too. I don't know. I was reading about a 2023 study. I have it in my notes here because I want to talk about it on the show at some point, but it was a 2023 study.

that described CAPTCHAs as a tracking cookie farm for profit masquerading as a security service. And it was saying that the success rate of bots currently is higher than the success rate of humans, which means they're ineffective. I think it was 819 million hours of human time lost clicking on just traffic lights, and it has generated $1 trillion for Google. I feel a backlash growing. Wow.

Last time we were talking, you were talking about something called cross IDP impersonation. Just to start with defining what IDP is and then what does that impersonation mean? So yeah, cross IDP impersonation was a very recent bit of research that we did. Actually, our VP of R&D, Luke Jennings, did. And this was really interesting because it shows the complexity

of the identity attack surface, that it's not just as simple as sprawled identities and you logging into them. So IDP is shorthand for identity provider. So really you're talking about SSO. So Microsoft 365, Okta, Google Workspace, any of those. Now the idea is that ideally you'd have your SSO provider with your one user account per employee

And then when you log into that SSO provider, you'd have MFA and you'd have YubiKeys, you'd have phishing-resistant MFA and all those things. So you have a really, really hardened identity. When the employee logs in, you get presented with a tile and you click on one of those tiles and it logs you into the downstream SaaS application, right? And that's how everything should be set up. So Luke looked at this and kind of went, well, if you were trying to target someone who had really, really hardened SSO accounts, what would you do?

And what he determined is rather than going after the IDP directly, it was actually the SaaS applications behind that were the target. So what he figured out was you could just ignore the company IDP altogether, set up your own one, and create an account which is the target company. So let's say you were trying to target Acme.com. You set up a new IDP with an account for, you know, Sarah at Acme.com.

And you can just log directly into the SaaS applications behind the IDP and they just let you in, right? So basically they don't check which IDP it came from, which is wild that that's actually the case. There's some nuance to it and there's some complexity, which we can get into. But the top level is that you can, you know, the SaaS applications behind don't effectively check

which IDP it came from and they'll let you authenticate. So it sounds like the red teamer never leaves you once you leave the red team. Yeah, it's true. So it's like you kind of created your own exploit here to solve it and protect for it in your solution now. It's kind of what it sounds like. Is that true? Yeah. Well, interestingly, the way that we discovered this vulnerability wasn't

from an offensive security mindset, we actually saw in our data that legitimate employees were doing this. So what I mean is like there was a company who had Microsoft 365 as their primary IDP logging into downstream SaaS applications and they came back to us and said, hey, like there's all these Google logins into these different SaaS apps and I can't understand why because we don't use Google. So we started looking into the information and we said, oh, wow, you know, employees, what they're doing is

going to the SaaS application and they're presented with like a login with Google button

And so they're just clicking on that and then creating a personal Google account, but under the company domain, like under acme.com, and then just logging in because it's easier. And then that's the workflow they're used to. So there's hundreds of people just logging in directly to these downstream SaaS applications, just log in with Google, when they should have been going through Microsoft 365. So you've now got two login methods to the same SaaS application, but obviously the second one's got no MFA on it and that's it. So...

So we saw this data and we were like, "This is crazy. Actually, we could probably use this for malicious purposes. What if I went to create an account on Google and just logged into the SaaS application? Oh, look, it works." That was kind of how the whole thing came about.

So that's just purely an issue with those logins. Like that's purely with the SaaS companies. Yeah, exactly. It's nothing to do with the IDP. And it makes sense, right? If you take a SaaS application you want to sign up to, they give multiple login methods. So you can pick and you can say, log in with Microsoft, log in with Google, log in with like Apple. You can do whichever one you want.

And if you go and set up an SSO to log into those, that's great, but it doesn't necessarily disable all the other login methods and the things that you can get to. So now there is some nuance to this. I'm trying to give you the top level so you can understand how this works. The nuance with this is that let's say, for example...

I was going to break into this Acme.com company. I go to Microsoft 365. I try to break and I go, wow, this is really locked down IDP. Then I go off and create, I don't know, Apple. Apple's got its own SSO provider. So I create Acme.com on that. Now, yeah, exactly. And so the thing is, in order to create an account under Acme.com,

you need to verify that account. So it will send a verification email back to the victim and they need to click on the link. So you have to overcome that hurdle. But the thing is, getting someone to do that is way easier than doing a traditional phishing attack, right? So the example that he gives in the blog post is,

You send an email to someone and say, you know, hey, you know, hey, John, whatever it is. I'm from the IT team. We're trialing company iPhones. Would you like to be part of the test crew? Oh, yeah, I'd love to. Thanks. That'd be great. Great. I'm going to send you a verification link to verify. Here it comes. They click on the link. Yeah, because they're not entering credentials and not being asked to give an instance of information. They're just clicking the link.

It's not a big ask for people. You only have to do that once. So now once I've got that, I can just log into every SaaS application downstream and actually get to this. So it's just an interesting... It shows the complexity of...

Now the way you'd solve this problem is down to the SaaS vendors. The best in class SaaS vendors, when you log into the settings, you can actually choose which login methods it will allow and you can disable everything but the one you want for the company. But unfortunately, that's in the minority and more people should do that to protect against this.

So the action that people can take today to solve that is actually to go and pre-register the accounts. So go off and create an Apple one and a Google one. And lock them up. And create them. Yeah, to actually claim them. And then people come and say, hey, there's already something under the domain. We have seen people writing email detection rules to say if they get a verification email from an IDP that's not the known company one, you can do that as well.

Yeah, so that's the way you have to deal with this, because it's just a fundamental problem in the way SaaS applications work and you're not going to get hundreds of them all to get on board to solve this. So that's how you take it into your own hands. So you guys started Push because you saw the attack surface changing. Do you see any changes coming now? Are you guys making any adaptations that you can talk about, or are you guys looking at other fields where you think that the industry is going to go, or is that something that's kind of, you're holding your cards close to your chest now that you're a

that will probably get bought or go public at some point? Yeah, I'm happy to talk about it. I think the things at the moment...

The human identity problem is such a big problem and phishing continues to be a huge problem. Now with evolutions of phishing and everything else, it's becoming an even bigger problem. So right now there's more than enough to keep us busy just building better and better and better versions and better and better controls around some of those problems.

And we're really, really focused just on that because we're meeting the market where they are now, the pain points that they're seeing today. But you always have to keep one eye on where things are going to go next. And so obviously we spoke a lot about these computer using agents technologies, you know, like OpenAI Operator. And if they start to scale up, what will happen? We're already focused in that area, like stopping phishing directly in the browser and just sort of keeping an eye on that because we might see those things scale up.

But ultimately, even though we're building into the browser, we don't orbit around the browser. Like we're not a browser security platform. We're an identity security platform. So really we'll go wherever identity goes. So we'll be pulling it from the browser now because it's an incredibly valuable telemetry source.

But, you know, that isn't the thing that restricts us. We'll take identities from mobile and from endpoints and from, you know, AWS and other places as well. So I think it's mainly going to be about going deeper and deeper and solving the current problems in a much better way than anyone else using our red team experience and then going broader across more and more platforms so we get wider telemetry and we can solve the problems, you know, on a bigger scale. This is...

There's a good chance I'll just chop this out, but I'm curious because you brought up Operator. I feel like every time I hear people talking about agents and operators in the security space, it's on the offensive side. It's the sort of like fantasy of being like, go get their credentials, phish this person, blah, blah, blah, blah, blah.

The thing that I keep wondering about is on the victim side, the idea that it could be a vulnerability where I tell some agentic program to like, go respond to my work emails, go do this, go do this. And it just sort of inadvertently like, oh, I need to validate this Apple credential login thing. Like,

Could those operators and those platforms function as a vulnerability in themselves? Well, I have, so I haven't done, I'll caveat that we haven't done any research on this. This is just me thinking off the top of my mind, but I have been thinking about what happens where like at the moment, the thing you're trying to do with an attack is to, is to trick an employee to perform some action, like enter their credentials to a phishing site and,

And if an agent is effectively acting on the person's behalf, like, is it possible for you to trick an agent to enter the employee's credentials into a phishing site? If you said to me, like, and that feels like how that actually works. Depends. Is it like,

You know cross-site scripting? It's like where you can inject stuff into an existing website. Can you do that to sort of do prompt injection and get it to... I don't know. This is not an area that I've researched into. And I think it's such early technology at this stage, it's hard to know where that's going to go. But I do think, like, anytime there's a technology shift, it changes the types of attacks that are possible. So it's something to keep an eye on for sure.

Yeah, there's been so much research into social engineering and changing, you know, exploiting of human behaviors. You know, what is the shift into essentially controlling and, I don't know, manipulating robots into doing our bidding? Yeah, exactly. I think, I mean, it's good from a defensive perspective as well, right? Because...

You can have, like, a security-trained agent which will look and go, hey, this looks suspicious. We're doing research into that kind of thing as well at the moment. So actually looking at the page and understanding the visual processing, like, is this page trying to look like a Microsoft login, and then taking other context of, you know, what's happening in the actual page itself and how the user's interacting with it and passing that through. So I think like AI is

it scales up on the offensive side, but it also scales up on the defensive side in parallel. Just hopefully the defensive side wins. It scales up more, hopefully the defensive side wins. Yeah, write that on the wall, get the t-shirt. Yeah, get that t-shirt, get that merch going. Appreciate you taking the time to sit down and talk with us. Yeah, thanks for coming on. Maybe I'll end with this. Let's end at the beginning.

It's way back when you're in that role as a Red Teamer playing the part of this advanced actor in these simulations. We do a call-in show called Hotline Hacked where people share their fascinating tech stories. What's the craziest war story you can responsibly share with us here to close it out? Good question. Do you know what? I'll actually share...

Because I think this is amusing and it's a bit more relatable, I'll actually share one of my colleagues' stories instead. So, my colleague... One of the parts of the offensive security side we did was social engineering. So it wasn't all technical. It was also to do with sort of breaking into buildings and trying to trick people. Now,

My colleague who got... he was really, really good at social engineering. He's just a really likable guy that everyone trusted. Charismatic. Yeah, yeah. You see the program Traitors? Like, he would win straight down because everyone just trusts him immediately. And he did multiple engagements like this, and it was kind of a normal office block. But there was one time when he came up against a very well-secured facility with gates and guards. It was like, well, okay, this is the biggest challenge yet. So he went off and...

He set up his own website, his own business cards. He turned up with a clipboard and spoke to the guard, and then they rang into the reception: hey, there's a health inspector here. Were you expecting this? It's like, well, of course they're not expecting me. I'm a health inspector. And they were like, okay, send him in, send him in. So he's sent in, he checks in at security. They phoned back again to the chef, like, hey, we've got the security guard. You can imagine they're quickly scrapping away all the pots and pans, and on he goes.

So anyway, he goes into the room and he doesn't know how to do a health inspection. He's got no idea. So he's, like, walking around, like, wobbling the shelves and, like, checking stuff and everything else. And, uh, he goes around. Yeah, he does this whole health inspection. He's in the building, and the chef says to him, um, okay, well, like, how do we do? Like, am I, am I okay? Like, have we got this whole thing passed? Sorry, man, I mean, I have to go back to the office, and it takes me about a week to process, and I can let you know. He's like...

Well, I mean, if you give me access to a computer, I could probably do it now if you like. And, oh yeah, yeah, sure. So he logs him on. Do you want, do you want some dinner? It's like, oh, that'd be great. So he's sitting there on this computer, hacking the network, eating food provided by... Yeah. Takes full control of the network and writes it back. And it was all done in good faith. Like, whenever we do these engagements, we make it really, really clear to the team that

you know, people are going to get tricked, and it's not their fault. And, like, you know, it's just, we're pros at this and we've done this a lot. You're always going to get people. We make sure that those individuals aren't victims of this, but it's a good learning exercise because by experiencing that, it just,

it just heightened their level of awareness. But it was a really fun engagement and it made a really, really good story when he sort of came back to the office and anonymized it and spoke about it. So yeah, I thought it would be a good one to share. That's a good one. That is a good one. I love that they fed him. That's the icing on the cake. Yeah, the free food. Yeah, exactly. You're like, there's no way I could get into this network and linguine.

Yeah, what was the bonus points on the contract for getting fed by the team? It's like not only did we acquire all of the mission goals, but also you fed us. Somebody gave me a car. Yeah, exactly. I never actually read the report at the end, but I don't know whether there's a picture of the food that you got. By the way, thank you for the meal. Yeah, totally. That's good. Adam, thank you for sitting down with us. This was a lot of fun. Yeah, thanks for coming on.

Yeah, thanks for having me. It's great. A lot of fun.

You're a startup founder. Finding product market fit is probably your number one priority. But to land bigger customers, you also need security compliance.

Obtaining your SOC 2 or ISO 27001 certification can open those big doors, but they take time and energy, pulling you away from building and shipping. That's where Vanta comes in. Vanta is the all-in-one compliance solution helping startups get audit ready and build a strong security foundation quickly and painlessly.

Vanta automates the manual security tasks that slow you down, helping you streamline your audit. The platform connects you with trusted experts to build your program, auditors to get you through audits quickly, and a marketplace for essentials like pen testing. So whether you're closing your first deal or gearing up for growth, Vanta makes compliance easy. Join over 8,000 companies, including Y Combinator and Techstars startups, who trust Vanta.

For a limited time, get $1,000 off Vanta at Vanta.com slash simplify. That's V-A-N-T-A dot com slash simplify for $1,000 off.

You are no dummy, but you're kind of acting like one. You used to crush it in school, outsmarting opponents on the field, and now, well, you're still smart, but not exactly challenging yourself. You could be advancing nuclear engineering in the world's most powerful Navy. You were born for it, so make the smart choice. You can be smart, or you can be nuke smart. Become a nuclear engineer at Navy.com slash nuke smart. America's Navy, forged by the sea.