While developing our products, we want to battle test them and get feedback from cybersecurity experts. This is how we met Philippe Caturegli, offensive security expert at Netragard and Seralys. Conversing with Philippe is always a very insightful experience and we wanted to share a bit of this through the Red Team Chronicles. The chronicles will be presented through a fly-on-the-wall viewpoint, in order for you, the reader, to grasp the reality of the battlefield. Philippe will debunk some common misconceptions and share best practices to avoid serious compromise.
So let’s start by introducing the Chief Hacking Officer, as he likes to present himself. Meet Philippe.
Philippe is passionate about cybersecurity. He kind of fell into it when he was little (this is a typical French expression if you are familiar with Asterix & Obelix).
When he was 16, his parents bought him his first personal computer, and at the time it was really expensive to be connected to the internet via long-distance dial-up calls, so why pay to connect somewhere when you could develop a BBS server and have people connect to you instead and exchange files and messages there… He did not really play games with his computer but was more interested in understanding how everything worked, if there were safeguards in place, and if so, how to get around them.
At the time it was kind of simple. For software, for example, serial numbers were checked only by a simple line of code with IF conditions: you just had to overwrite the checks, and there you go, whatever the serial number, it was approved and you could install the software.
“The real game was in fact to work around the controls.”
Kind of a rogue teenager, no?
Even if he trained as an IT engineer, Philippe thinks he learned cybersecurity mostly by practicing on his own.
His first experience of an attack was when a website he developed for a client was hacked by an SQL injection. At that time no one understood what an SQL injection was. “As developers, we focused on the final results, is the website working, is it nice… We did not care about security. I started to look at the code of other sites and I noticed that most of them were exposed in the same way”.
His first job was for a global pharmaceutical company. He was responsible for the security perimeter (firewall, IDS). At the time, the typical approach to security was really like building a fortress.
During this first experience, is this when you really grasped the impact security could have on a business?
Exactly, in pharma your core business is manufacturing drugs, not deploying firewalls. Here is an example of what I faced: Changing a firewall is a question of hours, but on the business side it has huge repercussions. I had to update a firewall for a manufacturing site producing cancer treatments and the risk was that if the update failed, the manufacturing line would stop. They could not take this risk, so they took months to build a stock, just in case, and then another couple of months to absorb the oversupply they had created. You understand the difference of perception?
Build, Defend and Attack: why do you think mastering the three makes you a good offensive security expert?
There are 3 types of experience in cybersecurity: build, defend and attack, and I think the best offensive profiles, the ones who thrive in Red Teams, are the ones who experienced all three. If you have built and defended, you understand the shortcuts developers and security teams take and you can exploit them in simulated attacks.
You are now an entrepreneur and you specialize in intrusion tests?
Yes, I want to be able to replicate real-life situations when performing tests, not simply run scans and deliver a report.
Concerning the attacks that you witness, do you see an evolution in the type of attacks or the way they are handled?
Yes, I have seen a shift with the rise of ransomware. It’s all over the news. Beforehand, the main idea was to get access to the machine and then use it as long as possible, remaining unseen in order to monetize the access over time by joining the compromised machine to a botnet. Now it is often the opposite: as soon as hackers get access to the machine, they encrypt everything and ask for a ransom in order to monetize more and faster.
So what’s the main issue now?
Well, even if budgets and resources for cybersecurity increase, the situation does not get better. Detection time is still extremely long: the average time to detect an intrusion is above 200 days when the average time between the initial intrusion and the irrevocable compromise is 4 hours. You see how huge the gap is. Intrusions are sometimes so difficult to track that they can be taken for internal fraud. I have experienced this with a bank that underwent malicious money transfers. At first, the audit team was sure that it was coming from an insider, as the transfers complied with all internal checks and processes. But in fact, the attackers were present in the systems for over 6 months and had access to most systems and documentation, so they could learn everything needed to behave like an authorized employee, go through operational checks and turn their knowledge into money.
Are hackers independent or is there a real “hacking economy”?
The dark web is now well organized, with hackers organized by specialty. Hackers tend to specialize in what they are good at, compared to others. Some will scan the internet for potential vulnerabilities, default passwords, etc. but they are not always able to monetize these vulnerabilities, so they sell the information to groups capable of monetization. There are even some groups specialized by industry verticals (such as finance or pharma), based on the experience of their members.
And what are companies doing to react to this situation?
What I experience a lot is that companies rely on generic solutions to defend themselves. Each vertical has its own specificities and security approaches should take this into account. I can tell you a lot more about this but I guess it needs another episode :-)
As you can see, Philippe has some interesting stories to share as well as some useful recommendations to make. If you are interested, keep following the Red Team Chronicles by subscribing to our newsletter or following us on Twitter or LinkedIn.