00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:12
Welcome to CyberSound. I’m your host, Jason Pufahl, joined today by Dylan Marquis, the Lead Security Engineer for our Offensive Security practice.
Dylan Marquis 00:20
Hi.
Jason Pufahl 00:21
Dylan, thanks for joining. I know that I didn’t give you a ton of time to prepare. We only chatted about this in the last couple of days.
Dylan Marquis 00:26
Absolutely.
Jason Pufahl 00:27
And we’re doing something different, right? We are running this with no headphones. And so we were actually just told, you know, be careful not to touch the table, because we can’t actually hear ourselves. So we’re trying to pay attention to that.
Dylan Marquis 00:37
At my request, sorry about that.
Jason Pufahl 00:39
Yeah, it was a soft touch, but we got it nonetheless. And the other really, though, is we’re gonna spend a little bit of time talking about one of our services, and that’s atypical for the podcast, but I’m really proud of what we’re delivering. I think you should be really proud about what we’ve built, and honestly, I wanna showcase that a bit because, partly because we are getting a lot of requests for penetration testing, and I think people don’t really know what it is exactly. They don’t know what makes us, in my opinion, better than a lot of other companies out there, and why they should work with us. So I kind of want to cover that today. Okay, I’m no expert, so I’m going to have you spend a second on really, what is pen testing?
Dylan Marquis 01:24
Sure, so penetration testing is an offensive assessment. It’s an audit just, you know, like any other assessment. But really, what we’re doing is kind of auditing security, can be existing security controls in an environment, and we’re also looking for, essentially, to uncover a risk in the form of vulnerabilities, and then we kind of where it differs from a vulnerability assessment is we’re exploiting those vulnerabilities. So we’re not just identifying them, we’re exploiting them and moving deeper into a network and then kind of starting the whole process over again. We’re trying to find additional vulnerabilities deeper in and then exploiting those, hopefully with the eventual goal of compromising the domain, or essentially pivoting internal from an external perspective, outside the network, into it.
Jason Pufahl 02:04
So, what are the drivers that a company might be looking at as like, you know, why do they need to do a pen test?
Dylan Marquis 02:11
I mean, I think the most general one is understanding risk in the environment. You know, where your risk lies, where you have vulnerabilities, and how you can remediate them. Kind of more specific external drivers would be, you know, compliance frameworks that you’re beholden to, like GLBA, CMMC, things like that. Additionally, cyber liability require, can require, you know, annual or regular penetration testing.
Jason Pufahl 02:37
The regs that we see most common, PCI, probably, I think you said, GLBA.
Dylan Marquis 02:47
GLBA is a big one. HIPAA, I think HIPAA, it does have a requirement. Certainly, healthcare is interested in where the risk lies. So not quite sure if it’s a hard requirement or if it’s just, you know, or not. So,
Jason Pufahl 02:59
So talk about our methodology a little bit. I think, you know, the most common, often, the most common question I get is, there’s AI tools out there. There’s automated tools, AI is maybe overused a little bit, but, but there’s automation that’s out there. And we, we really talk about our process being much more manual. What’s the benefit of that, in what way do you sort of utilize automation?
Dylan Marquis 03:25
Sure, so yeah, like you said, our process, we conduct manual pen tests. We do utilize some automation. It’s mainly for identifying vulnerabilities, getting an understanding of your network environment, or an organization’s network environment, to just kind of get a lay of the land. So we’re coming in cold. Generally, we’ve never seen, you know, how an org works. We’re trying to get an understanding of that, so that way we can really kind of gauge where risk might lie, where vulnerabilities are, and how it can exploit them. So the automation is largely used for that. They call it enumeration, to kind of get a sense and a handle on things, but exploitation is all conducted manually, kind of by hand. And additionally, the automation is actually, it’s still, you know, hands on keyboard. We really have engineers engaged the whole time. This is, these are tools that are just kind of spun up and then left to their own devices. It’s really a hands on process, and we’re really kind of watching it. And there’s a lot of benefits to that.
Jason Pufahl 04:21
I mean, I assume a lot of creativity. You have to really understand an organization think like, think like an attacker, right? That’s really your job.
Dylan Marquis 04:26
Yeah, exactly. It’s to. It’s bringing those sensibilities into an assessment. So we’re assessing an organization the way an attacker thinks, and that kind of sheds light on things. Certainly, defenders are thinking in a certain way. We try to kind of shake that up and think in a different way and uncover vulnerabilities that they might not expect to exist in their environment.
Jason Pufahl 04:27
So as people are thinking through this a little bit, I want to talk a little bit about our capability. So often we generalize this idea of pen testing, right? But the reality is, you’re pen testing wireless, your application, or cloud, so talk a little bit about, maybe the differentiation between those, perhaps somewhat how they might overlap, but really, where our competencies are.
Dylan Marquis 05:07
Sure. So, I mean, the our I think, are mainly, are we have a lot of strengths in network and application pen testing, so you know, and those kind of blur. But really, we’d love to bring our application sensibilities to network pen testing. I think our clients get a lot of value out of that, but additionally, you know, kind of where they differentiate network. We’re testing your whole network, or internal or external, or both. We usually recommend both, so you get kind of a whole picture of your risk. But application is a much more specific sort of assessment. We’re only looking, we’re going very, very deep dive into an application really, kind of picking it apart. And we really do, I think, have some, some very good, you know, some very good competencies there. Additionally, we do wireless pen testing, cloud pen testing, and some other specialized tests, like segmentation testing, things like that, and also social engineering, phishing assessments.
Jason Pufahl 06:04
Yeah, I would assume that’s a huge component of it with the phishing threat that we have.
Dylan Marquis 06:08
Yeah, absolutely, I mean, that’s, that’s always a good value add, you know, for organizations. And additionally, some of our assessments can be augmented with phishing and social engineering, like the network and cloud sort of mandates it with some of the controls that are in place with the cloud environment. So part of that test is social engineering based.
Jason Pufahl 06:26
So you didn’t just one day decide I’m going to be a pen tester. You, I know, maybe a little bit, but then it took you a long time, right? So, yeah, you had an application development background. You had an identity background. You then said, I really do want to get more on that offensive side. And you got your OSCP, I’m going to let you describe what that is, but that’s been, I think, sort of fundamental for all our team members. But maybe talk a little bit about, sort of what makes us competent?
Dylan Marquis 06:55
Sure. So, I mean, like you mentioned, certainly we all, all the testers, have a background in kind of traditional IT is what I call it, which, which I believe really does help kind of drive. It helps inform where risk can lie, understanding the way that environments have been deployed, or the way that technology has been deployed in an environment. But, yeah. So, I mean, you mentioned, I have a background in identity access management and application. I mean, certainly we get a lot of good gains and tests through those, through those vectors. I mean, Active Directory, the directory services are deployed so, you know, in almost every environment. So really, I think that that’s where we bring a lot of value, is, is kind of our background experience in that, yeah. Additionally, all of our testers here, all of our security engineers, have OSCPs, which is the Offensive Security Certified Professional certification.
Jason Pufahl 06:57
And just to be clear, that took you six months, a year to, I mean, it does take a huge amount of effort, yeah.
Dylan Marquis 08:00
I mean, with a full ramp up, it was, it was over the course of over a year. So, yeah, it’s, it’s, you know, it’s kind of the industry gold standard for, for, I’ll say, initial pen testing certs. And we, you know, all of our, all of our security engineers that conduct testing currently have one.
Jason Pufahl 08:18
And maybe we’ll end a little bit because somebody’s looking at their statement of work, they scroll past everything we just talked about, and they say, well, what’s cost? And how do you actually price? And that’s one of the real challenges in our industry, right, is the variability of capabilities, and I’d say the variability of pricing. So talk a little bit about how we control that cost.
Dylan Marquis 08:39
So pricing is all time boxed, or, I should say, all the engagements are time boxed. So we test for a certain amount of time, and that’s the engagement, granted you can always add time if need be. But generally, we all always see it kind of fall within the box. We scope it based on the size of your network and how we essentially want to make sure you get a good test. So we don’t want to under scope and make sure and end up producing a bad deliverable. We really want to drive value. We want to give organizations actionable results that really help them understand their risk and help them become you know better with security. So we essentially scope based on how we think you know, based on our experience with testing organizations and how much testing is required based on the types of technologies you have deployed and the size of your network.
Jason Pufahl 09:27
So I want to spend a second on value, because I think that’s an important statement, because I know you talk about it all the time, right? Just distinguishing ourselves based on providing the best product we can within the time frame that we’ve structured, right? Part of that value, I think, though, is your willingness to meet, I’ll call it regularly, with a client. So we’re not just doing a test and delivering a report whatever. Two weeks, one month later, you’re happy to meet routinely, daily, weekly, whatever. And you’ll go so far as if you identify critical issues, you’ll communicate that prior to the final deliverable, because, you know, they’re important enough to deal with, like you’re I feel like that. That’s a real element of kind of that concierge service that you’ve tried to build.
Dylan Marquis 10:09
Yeah, absolutely. We provide emergency contact information. We encourage customers to do so conversely, in case we find something we love to really and, I mean, outside of the emergency aspects, and certainly there’s some things that that touch on, you know, if we find a critical vulnerability, if we find a threat actor spending environment, we want to immediately reach out and kind of close the loop on that. If there’s any kind of issues with, you know, a service goes down during testing. It’s always nice to kind of have us to cross off as a variable for that. But additionally, we like to talk as much as, you know, we like to converse, whether that’s in meetings or just email. We want to, you know, make ourselves available to clients. We love to talk as much as they want to talk if they have kind of seed detections, if they detect us, kind of moving through in their environment, they’re interested in what we’re doing. We love to explain it to them. And that gives value add too, and that it, you know, it can test detection mechanisms. It can allow a client to validate the security controls that they currently have in place, right?
Jason Pufahl 11:05
And then, I think finally, there’s always a little concern around level of risk that the test might actually bring a service down or cause an operational issue. I’d say the fact that you’re doing this manually really helps mitigate that. It doesn’t go to zero, of course, yep, but spend just a second on that.
Dylan Marquis 11:24
Yeah, it never goes to zero. But certainly we have, you know, we conduct a lot of these and we have a lot of experience, so we’ve really tuned our tools and processes to be as minimally invasive as possible. We’re always hands on keyboard, so it really we kind of always give the caveat that sure something could happen. We don’t fully understand the environment coming in; we’re gaining an understanding of it. But really, we see very, you know, it’s minimally invasive. We see very few issues. And we really do continually tune our processes to ensure that we’re not causing kind of any, any downtime of services or flooding you with, you know, flooding a client with alerts.
Jason Pufahl 12:05
Anything you want to add that, you know, we built an outline, so I think we’re covering everything. But do you feel like there’s anything you want to quickly add before we start to wrap up?
Dylan Marquis 12:13
Only that, you know, it’s, this is a service that we’re really passionate about. We really enjoy. We love doing it. We love, you know, seeing how clients react to our product and our deliverables. And so, you know, we it’s something that we’re passionate about, something that we want to keep doing. And so, you know, I hope that that comes through in the service and the product that we’re producing.
Jason Pufahl 12:33
Yeah, I don’t know that I can add any more to that, I think that that summarizes it. If, if you know, as always, you know, if anybody has any questions and wants to talk pen testing, you reach out, you know, we’re happy to join a call at any point. And frankly and candidly, it doesn’t have to be a sales call. If you’re just trying to understand, what do I do? How do I do it, and should I do it? We’re happy to chat through that. I agree. It’s a service that we’re really, that we’re really proud of. It’s one that we want to see continue to grow. I appreciate all your efforts to do that and I appreciate you joining the podcast. So thank you.
Dylan Marquis 13:05
Thank you very much.
13:06
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.