In this episode of the We Hack Purple Podcast we meet Gemma Moore, co-founder and director of Cyberis. Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis.
Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises.
In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017.
Gemma was a contributing author to the BCS’ “Penetration Testing: A guide for business and IT managers”.
Gemma was named “Best Ethical Hacker” in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.
We talked about everything to do with red teaming and pen testing, especially what the difference is between the two, the risks involved, setting scope, and several funny and scary stories! We also talked about what people are trying to achieve with a red teaming exercise, and how things can go terribly wrong when we blame everything on the user. This was, through and through, a fantastic conversation.
You can learn more by reading Gemma’s blog!
Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter!
Find us on Apple Podcast, Overcast + Pod
#TanyaJanca #SheHacksPurple #AppSec #CyberSecurity
Tanya: Welcome to the We Hack Purple Podcast, where each week, month, a few months in a row, we talk with someone from information security and they tell us all about their job, what they do, trends we see, etc. And this season, season three, is all about application security, which no one is surprised about, because I'm Tanya Janca, I'm your host, and I'm completely obsessed with AppSec. This episode, just like most of our episodes for quite a while, is sponsored by Bright Security. With me today I have Gemma Moore. Welcome, Gemma.

Gemma: Hi Tanya, thanks for having me.

Tanya: Thanks so much for agreeing to be on, this is awesome. We were introduced by this lovely person named Rachel, and so I was really excited when you said yes to be on the show. Could you tell the audience a bit about yourself? Because if I do it, I won't do as good of a job.

Gemma: No problem. So my name is Gemma Moore, I'm a director of the information security consultancy Cyberis. I've been a penetration tester, well, for longer than I care to remember, so about 20 years now. And probably for the last sort of two-thirds of that time I've developed a very keen interest in red teaming, and that's, I guess, one of the really interesting areas, or growth areas, in pen testing, is red teaming. So, you know, I've got a very technical background. I've been working in application penetration testing, infrastructure penetration testing, red teaming, all sorts, for, well, longer than I care to think.

Tanya: So, audience members, you can totally tell why I want to have Gemma on. So could you, so for our audience members, most of them work in application security or information security, but not all of them, and some of them are quite new to cyber. Is there a chance you could define what red teaming is? And then maybe we could talk about the difference between pen testing and red teaming, because they're not the same, that's why there's two different names for them.
Gemma: Yeah, absolutely. And the problem, one of the big problems we have in sort of offensive security, actually, is the terminology we use, because it means different things to different people. So when I say this is what pen testing is, or this is what red teaming is, someone is going to disagree with me, probably quite vociferously, and that's okay, because we haven't really got good definitions. But generally, when we're talking about pen testing, or penetration testing, we're talking about taking some sort of defined scope, it might be an application you've developed or a piece of infrastructure or a network, and we're trying to go through the technology and we're trying to find all the vulnerabilities we can in the technology that might lead to some sort of compromise of confidentiality or integrity or availability. And we're using a very defined methodology, trying to get full coverage, trying to find all the things that might be wrong in that defined scope. And red teaming is a bit different, because we go outside of technology. So with red teaming we're not talking about sort of attacking a defined scope, we're talking about a whole organization, or a whole business, and putting ourselves in the shoes of the attacker and trying to attack that business exactly the same way an attacker would. So we define ourselves an objective to get to, which is, it's not going to be, you know, find all the vulnerabilities in this network, it's going to be, you know, retrieve a record from this particular customer database. You know, that's your objective, that's the thing you're trying to do. And you are involving people, you're involving process, you're also involving technology, but you're basically going further than technology, and you're trying to draw an attack path from an initial point, acting like the adversary. It's normally like an external criminal gang, or it might be, you know, a nation-state threat actor, or it might be, you know, a malicious insider. And you're trying to join up all the dots to draw an attack path that gets you to your objective, at the same time evading the detection and response capability that you're going up against. So, you know, it all comes from sort of military jargon, the red team and the blue team in military exercises, and it's still got this kind of, you know, competition aspect to it, because we're normally working against the blue team and trying to evade them. But because there's so many different aspects, it's really very different to pen testing in the way you approach it.

Tanya: Yeah, I agree completely. And also, yep, sounds very military. Yeah, I don't know if that's encouraging or if that puts people off, but, so I feel like there's different risks in pen testing versus red teaming. What do you think?
Gemma: Undoubtedly that is true. So, penetration testing, because you're within a defined scope, you can pretty much isolate where your area of influence is while you're doing a penetration test, and you can do that really easily. So yes, there's always risks when you do a penetration test that, you know, you might find a really fragile old server, and you might scan that fragile old server and it might fall over. Or there might be an undocumented feature in an application that might delete all the content when you spider it. I mean, that sounds ridiculous, but it has happened, and, you know, how can you predict these things happen? Things happen. But with red teaming, it's a lot harder to actually put the boundaries in place around where your risks are, because inherently it is a more risky activity. So if you think about when you're attacking an organization as an adversary, what you normally start with is sending somebody a piece of malware, or trying to get malware a foothold into an organization, either by emailing them malware, or getting them to visit a website and installing it that way, or sending them something physical they plug into their machine, or, you know, stealing their credentials. You're looking to gain some sort of execution on their machine. But if you think about the ways that we, as an adversary, can sort of simulate that, normally we're sending someone a link through some route, or sending them an email. But if you think about email, just as a good example, well, if I send you an email, Tanya, you can forward it on to anyone else in the world. And if I've put malware in that email that I've forwarded you, and you send it on to, I don't know, your mate down the road, well, suddenly the malware that I meant for you is now with your mate down the road, who might work for another company, have a completely different laptop. Yeah, you've lost control of the thing, the implant, your piece of malware. Now, criminals don't care. We have to. So, you know, we need to make sure that if we send you malware it can only run for you, and, you know, it will only run on your systems, at the right time, with the right permissions. A whole bunch of risk management around there, and that's just getting a foothold in the first place. Another problem that you have is that you can't necessarily, if you're looking to run a red team so that you can assess how well your other teams detect and respond to things, you can't tell them about it. So you've got this risk of escalation, and you need to work out, okay, if someone detects an attack going on, how high up our command tree inside our organization do we let this go before we go, okay guys, it was an exercise, it's okay, it's not actually an attack? Because if you get that wrong, you can waste so much money with, you know, lawyers, meetings with regulators, all sorts. Contracts, so even contracts. So if you've got, for example, detect and response capability managed by an outsourced service provider, if they are charging you every time they are doing some sort of out-of-hours investigation, and they see an alert out of hours, you have to weigh up, how much money am I willing to spend to work out whether they can respond to this? Because it's going to cost you to test that, because they're going to charge you for it, obviously. So all these sorts of things, you don't have to think about this in a pen test, but you've really got to think about it when you're doing a red team. And that makes managing a red team exercise complicated, but also incredibly good fun.
Tanya: I never even thought of most of those things. I have a friend who's a very, very tiny woman, and she did a physical pen test and she got arrested. She showed them her get-out-of-jail card, they were like, we don't care that you have some stupid letter, everyone owns a printer. And so she sent me a picture of her in the back of a police car, she's like, this is how my day's going, how's your day going?

Gemma: Yep, that's another one that I didn't mention, but yeah, you know, we always have a get-out-of-jail letter, but really we never wanted to get to the point where the police are called. But, you know, things can go wrong like that. You know, I heard a story, it's anecdotal, I don't know how true it is, but someone who was in a store after hours, having managed to socially engineer their way in, then nearly got shot. This was in America, but, you know, things can go wrong, you've got to be careful.

Tanya: I can't imagine something going more wrong than that. Getting shot, pretty terrifying.

Gemma: I enjoy, I mean, everyone was fine, but, you know, there's consequences to these things.

Tanya: Yeah, so when someone hires you to do a red teaming exercise, like, what problem are they trying to solve? Like, why a red team?

Gemma: So many different reasons, and that's also why it's so much fun. I'll get a bit excited, because I really like what I do. But there's so many different things that you can do with red teaming, and one of the things, if you want to buy a red team, if you want to run a red team, it's really important to know actually what is the problem you're trying to solve, or what is the question you want answering. And if you think about what you want answering, that's when you get good value. So, you know, sometimes, I've noticed in recent years, you might get a customer who wants to run a red team exercise because everyone else in their industry is doing it, but they haven't really thought about what questions they want answered. And if you go into it thinking, I've got to do this thing, but you don't know why, you're not going to get out of it what you want to get out of it. But there's so many things red teaming can do for you. So one of the really important things is validating controls. So companies can spend millions, literally millions and millions, on controls that are designed to either prevent compromise happening, or detect a compromise, or isolate systems, you know, this detecting and responding automatically. But they actually have very few ways of validating whether the money they spent on the controls is actually protecting them like they think it is. Red team, you can go up against those controls, you can see where the gaps are, you know, is this thing that we're paying millions for actually protecting us like we think it is? You know, are there things we haven't thought about? Is there a way into our network that we've not protected at all because we haven't spent the money on it? You know, are there assumptions that we've made that are completely incorrect? And it can be really helpful for your detection and response team. So one of the things we come up against over and over again is that the most effective way, I mean, I think this is opinion now, entirely opinion, the most effective way to train responders, I think, is to educate them in the attacker mindset. If your responders know how attackers work and how they think, they're much better at chasing us down, finding us, stopping us from taking the next step, because as soon as they see us take the first two steps, they know where we're going to try and go next. And if we run a red team against your blue team, and, and this is the important bit, properly debrief your blue team at the end, that's really important, you can teach them what we did and why we did it and how we thought that way, and then they can start thinking that way themselves. And then they start joining up the dots between different systems and different attack chains, and, you know, they will stop doing things like, what have I seen in the past, you know, you've got an AV product, it gives you an alert for malware, the AV product puts the notification in the logging platform that says, we found a piece of malware, but we've removed it, we've isolated it, it's okay. Quite often that kind of alert, if you're not thinking like an attacker, you just tick it off and go, we've resolved that, we don't need to worry about that anymore, it's been removed. The threat is not the piece of software, it's not the piece of malware, it's the person that put it there. And if you find that, it's like, all right, well, what did they do next? You know, what was the next file that they put up there in the application, or whatever it was? What did that one do? And they haven't thought, oh well, that one didn't trigger AV. Like, okay, well, the second one didn't trigger AV, what is that file doing, why is it there? You know, it's that the threat's not the technology, the threat is the individual, and it's bringing it out from these individual alerts on your tech to, what is this person doing and why? So there's so many different things that you can do with red team investment as well. Sorry, Tanya, you're going to have to tell me to shut up, because I will just pass them away.

Tanya: I've had people try to spear phish me before, and we catch this, we're like, oh, this is a spear phish, so we deleted it, and from the staff, not the answer, but it never occurred to me, so there's someone that sent you a spear phish and spent all that time making a custom thing for your company, maybe you should figure out who sent it. That, like, it seems so obvious when you explain it.

Gemma: Just because you've got rid of that one instance doesn't mean you've addressed the threat, because the threat is that human being, yeah, or gang, or whatever it is. And, you know, another really good thing that you can do with red teaming, that other people might not think about, is trying to work out where best to spend your money as a business to get the best protection. You know, so many competing products out there, so many competing controls you can invest in, and as security professionals we want to stay there and go, buy the lot, get everything, you know. But that's not necessarily realistic when you've got a finite budget. But if you do red teaming right, you can work out basically, where is your squishy underbelly, what is the bit we really need to protect the most, you know, what do we need to put in place that's most important right now to get us the most security benefit? Understanding, of course, there's always going to be a way to do things, but, you know, what's the low-hanging fruit we've got to protect? And red team can help you answer all sorts of questions like that. It's really great fun.
Tanya: So the thing that I've heard people say a lot is, like, they'll blame the user, and they'll do phishing exercises and trick their employees, and I have a lot of feels about this, and you and I were talking about it a bit before. Like, why do we blame the user so much?

Gemma: Oh, it's so lazy, Tanya. Can't blame the users. Blaming users is just a really lazy way to go about things. Like, if your whole security structure falls down because one person does something they shouldn't do, you have failed as a cyber security professional. You just have. Like, we can't rely on users, and blaming them is terrible. I think the most dangerous thing any business can have is a blame culture for this stuff. There's two realities, or there's two certainties, that we need to understand. One is, if you punish people for saying when they've done something wrong, people won't say when they've done something wrong. That's obvious, yeah. And two, if someone is determined enough, a criminal is determined enough, they will be able to convince a user to do a thing they shouldn't do. That's, we're all human. Like, if a phishing attack is good enough, I will fall for it, you will fall for it. If someone is determined, they will do it. And I don't think it's reasonable to expect users to be able to distinguish between an attack by a determined adversary and, you know, real interactions with other human beings. It's just not reasonable. You can train users to detect, you know, the most obvious phishing scams and consent phishing, and you can train them to, you know, read the email address and ask questions about whether they're being pressured, and you can do all that, and it's great stuff to do. But an adversary probably only needs to convince one person to do one thing to get their foothold, and then, you know, your whole house of cards comes tumbling down. Yeah, and the most successful cultures really encourage reporting. They don't blame people for falling victim to social engineering, you know, they're not going to name and shame people for being human. And, you know, the only indication you might have as a defender, if you've got an adversary who's really sophisticated, if they know what they're doing, if they've done their research, if they've tried before, if they've got, you know, two-way interaction going, they've got a proper conversation with their target, the only information that you might get that something is amiss might be that user going home, mulling it over, thinking about it, going, I don't feel quite right about whatever this conversation was, or I feel a bit funny about the thing that happened last week, I might want to talk about, I should probably talk about this. And then, you know, they'll talk to their line manager, or they'll talk to you as a security team and say, this thing happened and I don't quite know, I thought it was fine at the time, but I don't know if I did the right thing. That might be the only indication you get, might be your only chance to detect that something has happened. And if you make people scared to report stuff, you're just on a loser.

Tanya: Yeah, I feel so, I teach secure coding training a lot, and the last half hour of the day is always, if you see something, say something. Your security team will never be angry with you if you report five things and four of them end up being false positives, but like you honestly reported, but then the fifth one that you reported, you could have been the person that saved thousands of dollars, or hundreds of thousands, or even millions. You could be the person that stopped that attack.

Gemma: That's exactly it. And, you know, you can't underestimate as well how emotional people get when they feel they've done something wrong. That's another thing we have to be really mindful of when we're doing this. You know, we've got to be really careful about people's feelings. That's not naturally something you do in cyber security, but if you're running phishing or something, you can really upset people if you cause them to do something, then they find out they've been manipulated, which is basically, let's face it, being lied to. Nobody likes that, and if you're doing that on behalf of their employer, it's even less savoury. And then, you know, if you wanted a malicious insider, well, that's how you get a malicious insider. I mean, it's a real minefield when you get right down into the weeds of it.
Tanya: No, I agree with you so much. So I have another question, because, you know, as I can, so red teaming and penetration testing, like, over time it's been changing, right? Like, back in the day when you started, it's very different to now. Can you, like, tell us maybe a bit about how it's changed, or is changing?

Gemma: It's so different. I mean, in some ways it's come full circle, because 20 years ago, when we did a penetration test, methodologies for penetration testing were much less mature. So a penetration test 20 years ago probably more closely resembles what a red team is today for an organization, because you used to sort of, I can't even explain exactly what we used to do, because it was so different from today. But, you know, you'd rock up and you'd do some scanning and you'd find some stuff wrong and you'd go boom, boom, boom, and we got domain admin, and then we left, and we came back next year and we did it again, and I was like, okay, and that's what we did. And, you know, we weren't following, I mean, we were trying to follow methodologies, but methodologies were much less mature, and it was all infrastructure, and we were still interested in, you know, perimeter firewall configuration and all this sort of stuff, because we still found, you know, ways into internal networks directly from the internet, which you tend not to find these days. It's still possible, but, you know, people know about firewalls these days. Maybe 20 years ago they didn't know about firewalls the same way. But one of the really interesting things about how all of it is changing is basically infrastructure, and the pandemic has changed this completely as well. Infrastructure has completely changed. Infrastructure these days, if you're building something new, if you're doing zero trust, it's not really a thing anymore, people aren't buying tin. So if you think about a business that's building a new function, your application function, these days what they're probably doing is bolting together a whole bunch of software-as-a-service services through federation routes and API interactions and all sorts of different components, bolted together to do a thing that's got a front end on it, and they don't have any servers, you know, they don't have a network, it's all API tokens. And, you know, infrastructure is now applications.

Tanya: Yes.

Gemma: And infrastructure is code. Like, you know, you never used to have code that built you infrastructure. I mean, you'd have scripts and things that bolted stuff together, and you'd have automation and cron jobs and all sorts of stuff, but now we have infrastructure as code, and we have application security principles in infrastructure. And all the application security stuff now is part of how you actually build a network, a piece of infrastructure, a service, effectively. So it's all gone massively into this sort of application space, if you like. But the infrastructure principles are still important, because under the covers, obviously, it's all still there, because we say it's in the cloud, but the cloud is tin. It's just, whose tin is it? It's not yours anymore. Yeah, and that presents you with a whole bunch of problems, Tanya, because authority, who can grant you authority to do stuff when the thing that you're trying to do stuff against is a bunch of software-as-a-service platforms? That is now, I'm saying, I'm asking you the question, like, there's no good answer to it.

Tanya: Oh yeah, generally, like, clients ask me about that a lot, and I'm like, I'm not a pen tester, I'm an AppSec person, you don't want me to scope your pen test. Permission, if you're going to test a third-party thing, like if it's a SaaS product, it's not yours, you have to ask permission, and a lot of them are going to say no.

Gemma: No, yeah, exactly, that's the thing. And that's your problem if you're trying to do a red team or a pen test against, you know, these massively federated, bolted-together components. You need permission from every single one. Every single one of them's got different terms of service, may well be in different jurisdictions, so, you know, you've got other legal issues to deal with there, in terms of what is the law where this thing is based, you know, and data handling as well, and where is the personal data, which jurisdiction is it in, what are the regulations that apply, what can you do, what can't you do. It is horrendously complicated, such that, you know, when you've got one of these to test, probably your scoping process is as long, if not longer, than the actual penetration test, because you need to get all of those things right before you can do any testing of it.
Tanya: Yes. And your company does more than just pen testing, right? So, like, when you go in, you're not just like, this is how I smell, I will smash your stuff, but also you could probably offer advice on, like, here to here is not secure, this is what you can do.

Gemma: Yeah, yeah. So we do penetration testing, we do red teaming, and all the outputs from that. We do sort of vulnerability assessment as well, so we're down the other end where you've got sort of automated continuous vulnerability assessment and things like that, and we also help with sort of incident response and stuff like that. So, you know, we really help solve our customers' problems, you know, with vendor independence, so we recommend particular products and things like that, we work with everything. But, you know, the problems are the same, and the application of the principles is the same, and really what we're always trying to do is get our customers to a point where they are more secure with us than they are without us, which I think is what we all try and do in this industry, isn't it?

Tanya: Yes, oh my gosh, Gemma, that's, yes [unintelligible]. Sometimes I'll talk with companies and they're like, well, we need to have zero risk. I know, I'm like, that's not a thing. That's not, turn everything off, go live in a cave, that's your zero risk. Exactly, like, let's talk about what risk is okay for your company. Like, you don't want to spend a million dollars protecting something that has a value of a hundred thousand dollars, right? So, unless, like, human lives are involved.

Gemma: But most of the time it's not. You've got to know how much risk you can tolerate, and how much money you're prepared to spend to reduce it, and how much risk you actually want to take, because risk and reward kind of go hand in hand. You know, if you don't take any risk, you know, you don't grow your business. But it's which risks is it worth taking, and which risks is it just not worth taking?

Tanya: There's a wise risk. I could have you on for, like, 10 hours and not get bored, this is so awesome. Thank you, Gemma, we've run out of time, my little timer's like, yo, wrap it up, Tanya. Stop trying, I'm so bad at this. Oh my gosh, you're incredible, Gemma. How can people learn more about you? Like, do you perhaps have a blog?

Gemma: Yeah, so we have a blog on our website, which is cyberis.com, blog. I write there quite often, normally about red teaming, and normally as verbose as I'm talking to you, so, you know, there's some quite long articles there you can read. They're all good fun, and you can find me on LinkedIn as well.

Tanya: Awesome, yeah, I'm already sending you a connection request, like, right now. Thank you so much, Gemma. To everyone listening, thank you to Bright Security for being our sponsor. Thank you so much to Cyberis for letting us have Gemma on our show, that's awesome. And I will see all of you in the next episode, which, the subject matter is a secret, because it is a surprise, so I'm not telling. But, oh my gosh, I'm so excited. Gemma, thank you, this was so great, I learned a lot.

Gemma: Thank you, Tanya, it's been a real pleasure talking to you. Really appreciate it.