Be a Red Teamer to be a Better Blue Teamer: Pen Testing ala Jayson Street
Question: I remember the first time I met you in person, at Black Hat 2014. You social engineered your way into the exhibit floor to come out and give me my first #Awkwardhug. Only exhibitors were supposed to be in there. How did you do that?
Jayson: I just walked through with a bunch of vendors, looking like I knew what I was doing. It wasn’t hard.
Question: So what made you want to be a penetration tester and how did you get started? How many pen tests have you done?
Jayson: I started out in physical security about 25 years ago. I got into infosec in 2000, when I became a network security admin. Got my CISSP in 2001, but didn’t get into the red team side until 2008 or so. I found that I was most effective by thinking about “how I would attack” rather than focusing purely on defense. Until you hack your own defenses, you’ll never be sure how good you really are. I got into pen testing to become a better defender.
I’ve done over 2 dozen pen testing engagements, independent of my regular job as Pwnie Express Infosec Ranger. Pen testing helps me keep my edge, and I only take on very interesting work, like breaking into banks in Lebanon, Jordan, Jamaica & US. Broke into a State Treasury by telling the truth and a research facility during a job interview. Sometimes I’ll take on less interesting work if it’s in a really cool location, like the south of France J
Question: What skills are helpful for pen testing? Is professionalism a big factor?
Jayson: The biggest thing a good pen tester needs is the ability to see things differently. Pretty much anybody can run a vulnerability scan, using a tool, and generate a report to present to a client. That report is likely to be largely ignored. But thinking outside of the box is what makes for great pen testers. A devious mind is the skill that makes the real difference. I think like the bad guys so I can defeat the bad guys.
I’m extremely unprofessional person (I don't adult very well) though that has never hampered me in my pen testing engagements. I view them more as security awareness engagements. My process is to first be successful / then get caught / teach the targets / show the impact. Reports aren’t the big thing. People do vulnerability scans and ignore reports all the time. My presentations to the blue team and management after engagements are deliberately provocative, interesting and funny. I want these folks to listen and fix the problems!
Question: What’s “off limits” for pen testers:
Jayson: It should be nothing. Bad guys attacking you have no high morals or ethics, and good pen testers need to simulate that. Criminals don’t balk at doing whatever it takes. I’ve entered buildings in wheelchairs, and have the client open doors for me so I can get in. Then I point out the error of their ways. They need to have processes that defeat this sort of deviousness.
Question: Have people ever gotten irritated with you when you’re doing pen testing projects?
Jayson: It can be adversarial, but it shouldn’t have to be. As a pen tester I’m in a simulated adversarial role. I’m there to help, and the client’s Blue Team needs to understand. You know, actually, I can provide the voice to management the Blue Team needs to effect change. In a lot of cases, my findings include things the Blue Team was already aware of – but they had been unable to make the changes needed to fix the problems. I can be their voice to management.
Question: Do you go as far as buying UPS uniforms and other sneaky things in your engagements?
Jayson: Definitely not. In fact, I do the opposite. I wear warning labels – things like a Defcon jackets and black T-shirts that say “hacker” or “Your company’s computer guy.” I want to give the good guys a chance to catch me and give them the insights they need for better security.
Question: Who are some of the other great pen testers you know, if you don’t mind me asking?
Jayson: I don’t mind this at all, since I don’t really do pen testing for a living. I focus most on the social engineering and physical security aspects, and really enjoy the engagement. A couple of guys who do pen testing for a “day job” who are excellent pop to mind:
Dave Kennedy of TrustedSec is amazing for all aspects of pentesting. From physical to solely network based.
Chris Nickerson of Lares is a very experienced specialist on physical red team attacks.
Q: What’s the deal with AwkwardHugs?
At security conferences I’ve become well known for breaching people’s personal boundaries (with their permission of course). I think they help me be more approachable and also spreads a little happiness in a very serious industry. Here’s me spreading some happiness with General Keith Alexander:
