We Hack Purple Podcast

We Hack Purple Podcast Episode 61 with Guest Gemma Moore

December 12, 2022 We Hack Purple! Season 3 Episode 61

Show Notes

In this episode of the We Hack Purple Podcast we meet Gemma Moore , co-founder and director of Cyberis. Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis.

Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises.

In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017.  

Gemma was a contributing author to the BCS’ “Penetration Testing: A guide for business and IT managers”  

Gemma was named “Best Ethical Hacker” in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.  

We talked about everything to do with red teaming and pen testing, especially the difference between the two, the risks involved, setting scope, and several funny and scary stories! We also talked about what people are trying to achieve with a red teaming exercise, and how things can go terribly wrong when we blame everything on the user. This was through and through a fantastic conversation.

You can learn more by reading Gemma's blog!

Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field.

Subscribe to our newsletter

Find us on Apple Podcast, Overcast + Pod

#TanyaJanca #SheHacksPurple #AppSec #CyberSecurity 

Transcript

Tanya: Welcome to the We Hack Purple Podcast, where each week, month, a few months in a row, we talk with someone from information security and they tell us all about their job, what they do, trends we see, etc. And this season, season three, is all about application security, which no one is surprised about, because I'm Tanya Janca, I'm your host, and I'm completely obsessed with AppSec. This episode, just like most of our episodes for quite a while, is sponsored by Bright Security. With me today I have Gemma Moore. Welcome, Gemma.

Gemma: Hi Tanya, thanks for having me.

Tanya: Thanks so much for agreeing to be on, this is awesome. We were introduced by this lovely person named Rachel, and so I was really excited when you said yes to be on the show. Could you tell the audience a bit about yourself? Because if I do it, I won't do as good of a job.

Gemma: No problem. So my name is Gemma Moore, I'm a director of the information security consultancy Cyberis. I've been a penetration tester, well, for longer than I care to remember, so about 20 years now. And probably for the last sort of two-thirds of that time I've developed a very keen interest in red teaming, and that's, I guess, one of the really interesting areas, or growth areas, in pen testing, is red teaming. So, you know, I've got a very technical background. I've been working in application penetration testing, infrastructure penetration testing, red teaming, all sorts, for, well, longer than I care to...

Tanya: So, audience members, you can totally tell why I want to have Gemma on. So could you, so for our audience members, so most of them work in application security or information security, but not all of them, and some of them are quite new to the cyber... Is there a chance you could define what red teaming is? And then maybe we could talk about the difference between pen testing and red teaming, because they're not the same. That's why there's two different names for them.

Gemma: Yeah, absolutely. And the problem, one of the big problems we have in sort of offensive security, actually, is the terminology we use, because it means different things to different people. So when I say this is what pen testing is or this is what red teaming is, someone is going to disagree with me, probably quite vociferously, and that's okay, because we haven't really got good definitions. But generally, when we're talking about pen testing or penetration testing, we're talking about taking some sort of defined scope, it might be an application you've developed or a piece of infrastructure or a network, and we're trying to go through the technology and we're trying to find all the vulnerabilities we can in the technology that might lead to some sort of compromise of confidentiality or integrity or availability. And we're using a very defined methodology, trying to get full coverage, trying to find all the things that might be wrong in that defined scope. And red teaming is a bit different, because we go outside of technology. So with red teaming we're not talking about attacking a defined scope, we're talking about a whole organization or a whole business, and putting ourselves in the shoes of the attacker and trying to attack that business exactly the same way an attacker would. So we define ourselves an objective to get to, which is, it's not going to be, you know, find all the vulnerabilities in this network, it's going to be, you know, retrieve a record from this particular customer database. That's your objective, that's the thing you're trying to do. And you are involving people, you're involving process, you're also involving technology, but you're basically going further than technology, and you're trying to draw an attack path from an initial point, acting like the adversary. It's normally like an external criminal gang, or it might be, you know, a nation-state threat actor, or it might be, you know, a malicious insider. And you're trying to join up all the dots to draw an attack path that gets you to your objective, at the same time evading the detection and response capability that you're going up against. So, you know, it all comes from sort of military jargon, the red team and the blue team in military exercises, and it's still got this kind of, you know, competition aspect to it, because we're normally working against the blue team and trying to evade them. But because there's so many different aspects, it's really very different to pen testing in the way you approach it.

Tanya: Yeah, I agree completely, and also, yep, sounds very military. I don't know if that's encouraging or if that puts people off. So I feel like there's different risks in pen testing versus red teaming. What do you think?

Gemma: Undoubtedly that is true. So penetration testing, because you're within a defined scope, you can pretty much isolate where your area of influence is while you're doing a penetration test, and you can do that really easily. So yes, there's always risks when you do a penetration test, that, you know, you might find a really fragile old server and you might scan that fragile old server and it might fall over, or there might be an undocumented feature in an application that might delete all the content when you spider it. I mean, that sounds ridiculous, but it has happened, and, you know, how can you predict these things? Things happen. But with red teaming it's a lot harder to actually put the boundaries in place around where your risks are, because inherently it is a more risky activity. So if you think about when you're attacking an organization as an adversary, what you normally start with is sending somebody a piece of malware, or trying to get malware a foothold into an organization, either by emailing them malware, or getting them to visit a website and installing it that way, or sending them something physical they plug into their machine, or, you know, stealing their credentials. You're looking to gain some sort of execution on their machine. But if you think about the ways that we, as an adversary, can sort of simulate that, normally we're sending someone a link through some route or sending them an email. But if you think about email, just as a good example, well, if I send you an email, Tanya, you can forward it on to anyone else in the world. And if I've put malware in that email that I've forwarded you, and you send it on to, I don't know, your mate down the road, well, suddenly the malware that I meant for you is now with your mate down the road, who might work for another company, have a completely different...

Yeah, you've lost control of the thing, the implant, your piece of malware. Now, criminals don't care; we have to. So, you know, we need to make sure that if we send you malware it can only run for you, and, you know, it will only run on your systems, at the right time, with the right permissions. A whole bunch of risk management around there, and that's just getting a foothold in the first place. Another problem that you have is that you can't necessarily, if you're looking to run a red team so that you can assess how well your other teams detect and respond to things, you can't tell them about it. So you've got this risk of escalation, and you need to work out, okay, if someone detects an attack going on, how high up our command tree inside our organization do we let this go before we go, okay guys, it was an exercise, it's okay, it's not actually an attack. Because if you get that wrong, you can waste so much money with, you know, lawyers, meetings with regulators, all sorts of contracts. So even contracts. So if you've got, for example, detection and response capability managed by an outsourced service provider, if they are charging you every time they are doing some sort of out-of-hours investigation and they see an alert out of hours, you have to weigh up how much money am I willing to spend to work out whether they can respond to this, because it's going to cost you to test that, because they're going to charge you for it, obviously. So all these sorts of things, you don't have to think about this in a pen test, but you've really got to think about it when you're doing a red team, and that makes managing a red team exercise complicated, but also incredibly good fun.

Tanya: I never even thought of most of those things. I have a friend who's a very, very tiny woman, and she did a physical pen test and she got arrested. She showed them her get-out-of-jail card, and they were like, we don't care that you have some stupid letter, everyone owns a printer. And so she sent me a picture of her in the back of a police car, she's like, this is how my day's going, how's your day going?

Gemma: Yep, that's another one that I didn't mention, but yeah, you know, we always have a get-out-of-jail letter, but really we never wanted to get to the point where the police are called. But, you know, things can go wrong like that. You know, I heard a story, it's anecdotal, I don't know how true it is, but someone who was in a store after hours, having managed to socially engineer their way in, then nearly got shot. This was in America, but, you know, things can go wrong, you've got to be careful.

Tanya: I can't imagine something going more wrong than that. Getting shot, pretty terrifying.

Gemma: I mean, everyone was fine, but, you know, there's consequences to these things.

Tanya: Yeah. So when someone hires you to do a red teaming exercise, like, what problem are they trying to solve? Like, why a red team?

Gemma: So many different reasons, and that's also why it's so much fun. I'll get a bit excited, because I really like what I do, but there's so many different things that you can do with red teaming, and one of the things, if you want to buy a red team, if you want to run a red team, it's really important to know actually what is the problem you're trying to solve, or what is the question you want answering. And if you think about what you want answering, that's when you get good value. So, you know, sometimes, I've noticed in recent years, you might get a customer who wants to run a red team exercise because everyone else in their industry is doing it, but they haven't really thought about what questions they want answered. And if you go into it thinking I've got to do this thing, but you don't know why, you're not going to get out of it what you want to get out of it. But there's so many things red teaming can do for you. So one of the really important things is validating controls. So companies can spend millions, literally millions and millions, on controls that are designed to either prevent compromise happening, or detect a compromise, or isolate systems, you know, this detecting and responding automatically, but they actually have very few ways of validating whether the money they spent on the controls is actually protecting them like they think it is. With a red team you can go up against those controls, you can see where the gaps are, you know, is this thing that we're paying millions for actually protecting us like we think it is? Are there things we haven't thought about? Is there a way into our network that we've not protected at all because we haven't spent the money on it? Are there assumptions that we've made that are completely incorrect? And it can be really helpful for your detection and response team. So one of the things we come up against over and over again is that the most effective way, I mean, I think this is opinion now, entirely opinion, the most effective way to... responders, I think, is to educate them in the attacker mindset. If your responders know how attackers work and how they think, they're much better at chasing us down, finding us, stopping us from taking the next step, because as soon as they see us take the first two steps, they know where we're going to try and go next. And if we run a red team against your blue team, and, and this is the important bit, properly debrief your blue team at the end, that's really important, you can teach them what we did and why we did it and how we thought that way, and then they can start thinking that way themselves, and then they start joining up the dots between different systems and different attack chains. And, you know, they will stop doing things like, what have I seen in the past, you know, you've got an AV product, it gives you an alert for malware, the AV product puts a notification in the logging platform that says we found a piece of malware, but we've removed it, we've isolated it, it's okay. Quite often that kind of alert, if you're not thinking like an attacker, you just tick it off and go, we've resolved that, we don't need to worry about that anymore, it's been removed. The threat is not the piece of software, it's not the piece of malware, it's the person that put it there. And if you find that, it's like, all right, well, what did they do next? You know, what was the next file that they put up there, in the application or whatever it was, what did that one do? And they haven't thought, oh, well, that one didn't trigger AV, like, okay, well, the second one didn't trigger AV, what is that file doing, why is it...

You know, it's that the threat's not the technology, the threat is the individual, and it's bringing it out from these individual alerts on your tech to what is this person doing and why. So there's so many different things that you can do with red team investment as well. Sorry, Tanya, you're going to have to tell me to shut up, because I will just prattle away.

Tanya: I've had people try to spear phish me before, and we catch this, we're like, oh, this is a spear phish, so we deleted it and... that's not the answer, but it never occurred to me. So there's someone that sent you a spear phish and spent all that time making a custom thing for your company, uh, maybe you should figure out who sent it. That, like, it seems so obvious when you explain it.

Gemma: Just because you've got rid of that one instance doesn't mean you've addressed the threat, because the threat is that human being, yeah, or gang, or whatever it...

And, you know, another really good thing that you can do with red teaming, that other people might not think about, is trying to work out where best to spend your money as a business to get the best protection. You know, so many competing products out there, so many competing controls you can invest in, and as security professionals we want to stand there and go, buy the lot, get everything, you know, but that's not necessarily realistic when you've got a finite budget. But if you do red teaming right, you can work out basically where is your squishy underbelly, what is the bit we really need to protect the most, you know, what do we need to put in place that's most important right now to get us the most security benefit, understanding, of course, there's always going to be a way to do things, but, you know, what's the low-hanging fruit we've got to protect? And red teaming can help you answer all sorts of questions like that. It's really great fun.

Tanya: So the thing that I've heard people say a lot is, like, they'll blame the user, and they'll do phishing exercises and trick their employees, and I have a lot of feels about this, and you and I were talking about it a bit before. Like, why do we blame the user so much?

Gemma: Oh, it's so lazy, Tanya. Can't blame the users. Blaming users is just a really lazy way to go about things. Like, if your whole security structure falls down because one person does something they shouldn't do, you have failed as a cyber security professional. You just have. Like, we can't rely on users, and blaming them is terrible. I think the most dangerous thing any business can have is a blame culture for this stuff. There's two realities, or there's two certainties, that we need to understand. One is, if you punish people for saying when they've done something wrong, people won't say when they've done something wrong.

Tanya: That's obvious, yeah.

Gemma: And two, if someone is determined enough, a criminal is determined enough, they will be able to convince a user to do a thing they shouldn't do. We're all human. Like, if a phishing attack is good enough, I will fall for it, you will fall for it. If someone is determined, they will do it. And I don't think it's reasonable to expect users to be able to distinguish between an attack by a determined adversary and, you know, real interactions with other human beings. It's just not...

You can train users to detect, you know, the most obvious phishing scams, and consent phishing, and you can train them to, you know, read the email address and ask questions about whether they're being pressured, and you can do all that, and it's great stuff to do, but an adversary probably only needs to convince one person to do one thing to get their foothold, and then, you know, your whole house of cards comes tumbling...

Yeah, and the most successful cultures really encourage reporting. They don't blame people for falling victim to social engineering, you know, they're not going to name and shame people for being human. And, you know, the only indication you might have as a defender, if you've got an adversary who's really sophisticated, if they know what they're doing, if they've done their research, if they've tried before, if they've got, you know, two-way interaction going, they've got a proper conversation with their...

The only information that you might get that something is amiss might be that user going home, mulling it over, thinking about it, going, I don't feel quite right about whatever this conversation was, or I feel a bit funny about the thing that happened last week, I might want to talk about it, I should probably talk about this. And then, you know, they'll talk to their line manager, or they'll talk to you as a security team, and say, this thing happened and I don't quite know, I thought it was fine at the time, but I don't know if I did the right thing. That might be the only indication you get, might be your only chance to detect that something has happened, and if you make people scared to report stuff, you're just on a loser.

Tanya: Yeah, I feel so... I teach secure coding training a lot, and the last half hour of the day is always, if you see something, say something. Your security team will never be angry with you if you report five things and four of them end up being false positives, but, like, you were honestly reporting, but then the fifth one that you reported, you could have been the person that saved thousands of dollars, or hundreds of thousands, or even millions. You could be the person that stopped that attack.

Gemma: That's exactly it. And, you know, you can't underestimate as well how emotional people get when they feel they've done something wrong. That's another thing we have to be really mindful of when we're doing this, you know, we've got to be really careful about people's feelings. That's not naturally something you do in cyber security, but if you're running phishing or something, you can really upset people if you cause them to do something, then they find out they've been manipulated, which is basically, let's face it, being lied to. Nobody likes that, and if you're doing that on behalf of their employer, it's even less savoury. And then, you know, if you wanted a malicious insider, well, that's how you get a malicious insider. I mean, it's a real minefield when you get right down into the weeds of it.

Tanya: No, I agree with you so much. So I have another question, because, you know, as I can... So red teaming and penetration testing, like, over time it's been changing, right? Like, back in the day when you started it's very different to now. Can you, like, tell us maybe a bit about how it's changed, or is changing?

Gemma: It's so different. I mean, in some ways it's come full circle, because 20 years ago, when we did a penetration test, methodologies for penetration testing were much less mature. So a penetration test 20 years ago probably more closely resembles what a red team is today for an organization, because you used to sort of...

I can't even explain exactly what we used to do, because it was so different from today. But, you know, you'd rock up and you'd do some scanning and you'd find some stuff wrong and you'd go boom, boom, boom, and we got domain admin, and then we left, and we came back next year and we did it again. And I was like, okay, and that's what we did. And, you know, we weren't following, I mean, we were trying to follow methodologies, but methodologies were much less mature, and it was all infrastructure, and we were still interested in, you know, perimeter firewall configuration and all this sort of stuff, because we still found, you know, ways into internal networks directly from the internet, which you tend not to find these days. It's still possible, but, you know, people know about firewalls these days. Maybe 20 years ago they didn't know about firewalls the same way. But one of the really interesting things about how all of it is changing is basically infrastructure, and the pandemic has changed this completely as well. Infrastructure has completely changed. Infrastructure these days, if you're building something new, if you're doing zero trust, it's not really a thing anymore. People aren't buying tin. So if you think about a business that's building a new function, a new application function, these days what they're probably doing is bolting together a whole bunch of software-as-a-service services through federation routes and API interactions and all sorts of different components bolted together to do a thing that's got a front end on it, and they don't have any servers, you know, they don't have a network, it's all API tokens. And, you know, infrastructure is now applications.

Tanya: Yes.

Gemma: And infrastructure is code. Like, you know, you never used to have code that built you infrastructure. I mean, you'd have scripts and things that bolted stuff together, and you'd have automation and cron jobs and all sorts of stuff, but now we have infrastructure as code, and we have application security principles in infrastructure, and all the application security stuff now is part of how you actually build a network, a piece of infrastructure, a service, effectively. So it's all gone massively into this sort of... application space, if you like. But the infrastructure principles are still important, because under the covers, obviously, it's all still there, because we say it's in the cloud, but the cloud is tin, it's just whose tin is it. It's not yours anymore. Yeah, and that presents you with a whole bunch of problems, Tanya, because authority, who can grant you authority to do stuff when the thing that you're trying to do stuff against is a bunch of software-as-a-service platforms? That is now, I'm saying, I'm asking you the question, like, there's no good answer to it.

Tanya: Oh yeah, generally, like, clients ask me about that a lot, and I'm like, I'm not a pen tester, I'm an AppSec person, you don't want me to scope your pen test...

Permission. If you're going to test a third-party thing, like if it's a SaaS product, it's not yours, you have to ask permission, and a lot of them are going to say no.

Gemma: No, yeah, exactly, that's the thing, and that's your problem if you're trying to do a red team or a pen test...

You know, these massively federated, bolted-together components, you need permission from every single one. Every single one of them's got different terms of service, may well be in different jurisdictions, so, you know, you've got other legal issues to deal with there, in terms of what is the law where this thing is based, you know, and data handling as well, and where is the personal data, which jurisdiction is it in, what are the regulations that apply, what can you do, what can't you do. It is horrendously complicated, such that, you know, when you've got one of these to test, probably your scoping process is as long, if not longer, than the actual penetration test, because you need to get all of those things right before you can do any testing of it.

Tanya: Yes. And your company does more than just pen testing, right? So, like, when you go in you're not just like, I will smash your stuff, but also you could probably offer advice on, like, here to here is not secure, this is what you can do.

Gemma: Yeah, yeah. So we do penetration testing, we do red teaming, and all the outputs from...

We do sort of vulnerability assessment as well, as we're down the other end where you've got sort of automated continuous vulnerability assessment and things like that, and we also help with sort of incident response and stuff like that. So, you know, we really help solve our customers' problems, you know, with vendor independence, so we recommend particular products and things like that, we work with everything. But, you know, the problems are the same, and the application of the principles is the same, and really what we're always trying to do is get our customers to a point where they are more secure with us than they are without us, which I think is what we all try and do in this industry, isn't it?

Tanya: Yes. Oh my gosh, Gemma, that's... yes.

Tanya: Sometimes I'll talk with companies and they're like, well, we need to have zero risk, and I'm like, that's not a thing. That's not... turn everything off, go live in a cave, that's your zero risk.

Gemma: Exactly. Like, let's talk about what risk is okay for your company. Like, you don't want to spend a million dollars protecting something that has a value of a hundred thousand dollars, right? So unless, like, human lives are, uh, involved, but most of the time it's not. You've got to know how much risk you can tolerate, and how much money you're prepared to spend to reduce it, and how much risk you actually want to take, because risk and reward kind of go hand in hand. You know, if you don't take any risk, you know, you don't grow your business, but it's which risks is it worth taking and which risks is it just not worth taking.

Tanya: There's always risk. I could have you on for, like, 10 hours and not get bored. This is so awesome.

Tanya: Thank you, Gemma. We've run out of time, my little timer's like, yo, wrap it up, Tanya, stop trying. I'm so bad at this. Oh my gosh, you're incredible, Gemma. How can people learn more about you? Like, do you perhaps have a blog?

Gemma: Yeah, so we have a blog on our website, which is cyberis.com blog. I write there quite often, normally about red teaming, and normally as verbosely as I'm talking to you, so, you know, there's some quite long articles there you can read. They're all good fun, and you can find me on LinkedIn as well.

Tanya: Awesome. Yeah, I'm already sending you a connection request, like, right now. Thank you so much, Gemma. To everyone listening, thank you to Bright Security for being our sponsor, thank you so much to Cyberis for letting us have Gemma on our show, that's awesome. And I will see all of you in the next episode, which the subject matter is a secret, because it is a surprise, so I'm not telling. But oh my gosh, I'm so excited. Gemma, thank you, this was so great, I learned a...

Gemma: Thank you, Tanya, it's been a real pleasure talking to you. Really appreciate it.