Speaker: John Strand

This webcast was originally aired on January 30, 2025.

In this video, John Strand discusses the complexities and challenges of penetration testing, emphasizing that it goes beyond just finding and exploiting vulnerabilities. He highlights the importance of addressing legacy applications and the buildup of obsolete systems within organizations, which often lead to security oversights. Additionally, the discussion covers the need for compensating controls to manage exceptions and vulnerabilities that are difficult to fix, while also touching on the role of cloud services and how they relate to legacy systems.

  • Penetration testing should focus on areas beyond automated tasks like vulnerability scanning and exploitation, allowing human testers to engage in activities that AI cannot perform.
  • Legacy applications, often neglected by organizations, accumulate vulnerabilities over time, leading to potential security issues when new vulnerabilities or classes of vulnerabilities are discovered.
  • Organizations tend to focus on critical vulnerabilities, often creating exceptions for harder-to-fix issues, which can lead to significant security risks if not properly managed.

Transcript

John Strand

Best, you’re an outright liar and a charlatan at worst. And I know, I know, I know that there are people that I actually care for that are on the other side of this fence.

But I’m telling you right now that if you think that penetration testing is just a vulnerability scan, find vulnerabilities, find an exploit, exploit that vulnerability and then pivot, you’ve missed the entire point of the entire industry.

Yes, that is stuff that we do. Yes, that should be automated, but that type of stuff should be automated so that pen testers can do this type of stuff that AI can’t do, won’t do.

So when we’re looking at these things, it once again comes back to these legacy apps, right? If we’re going to blame these things, we’re going to blame the legacy applications that stay forever, we’re going to blame the servers that stay forever.

And when you look at it also from a vulnerability analysis perspective, I have noticed in organizations that the more aged an organization is, the more legacy crap buildup they have.

And this just makes sense. So I want you all to envision a great big snowball, but I want you to think of it as a great big snowball of crap. And every year it does a rotation and it picks up more crap, it picks up more servers, it picks up more services, it picks up more applications and it just gets bigger and bigger and bigger.

And literally organizations ignore anything that isn’t a critical or a high and they just focus on criticals and highs. And then the lows and the mediums continue to grow, the informationals continue to grow and they get bigger and bigger and bigger and all of these legacy apps kind of fill in to that and then all of a sudden a new vulnerability or class of vulnerabilities comes out and then we start freaking out.

So these legacy apps are things that you have ignored. I’m not blaming you, it’s just that’s the way it works. It’s things that organizations continue to ignore. And it’s something that I’m just going to predict that we’re going to continue to ignore well into the future.

Right? And now some of you may tell me, oh, oh, oh, that’s why cloud services are so much better. I have a special place for cloud, but I’m going to talk about cloud as it relates to legacy services.

I’ve been doing this a long time. I’m not going to name any cloud services, not specifically Microsoft Azure or Amazon, or anything like that.

But there are a lot of SaaS applications that when you look at the SaaS application, you can see that the code base really hasn’t been touched in five years.

It could be a timesheet application, it could be a project management application, it could be a collaboration application, could be a number of different applications.

And what we’re seeing with these SaaS applications, and you’ve seen it again and again and again with SaaS applications, and I’ll talk about this more in the cloud, that they too are not immune to the concept of legacy software because they’ve become a cash cow and it’s become ingrained into that application.

And the profit motive is no longer to update and innovate, but just to keep people in that application and milk it for as long as they possibly can. So this legacy application thing exists not just in apps, not just in servers that are hosted, but also in the services as well.

I love all the “old man yells at clouds” GIFs, because, man, I gotta be honest, it totally sums me up today with this webcast. Right?

All right, let’s keep going. Exceptions, exceptions. When we’re pen testing and I talk to other pen testing firms, there is this crazy amount of exceptions that happen.

And this actually does tie directly into legacy apps. Trust me. It absolutely ties into legacy apps. But you’re getting into the point where there are some organizations in the general BHIS customer base, and the general BHIS customers are usually really awesome.

I’ve noticed that there’s a big amount of selection bias for Black Hills Information Security penetration testing customers, where they usually know what we’re doing, they know what they’re getting into, and they understand that the goal and objective for BHIS isn’t just to do a checklist exercise and be like, here’s your clean report.

Here’s your clean report. Here’s your clean report. Here’s your clean report. There’s other firms out there that you can go hire that do that, that will do everything they can to give you an absolutely super clean pen test report.

And if we ever have customers that are pushing us to say, if you could just give us a clean report, we would really be happy. We’ve not been paid by customers because they’re like, yeah, we can’t go to the board of directors with this report because you got 23 criticals.

And I’ll usually say, great, fix the criticals. I’ll amend the report and amend your rating. We can do that. None of these criticals are that complicated. And that gets to the point of exceptions here in just a second.

And they’re like, no, no, no, no, no, no. We think that these are all lows. We don’t think that these are critical. We had one of our testers, I believe it was Melissa, she was testing an organization that had a password reset portal.

From the outside, she was able to bypass authentication, gain access to the password reset portal, and then she found a bug where she could reset anybody’s password in the entire organization.

This is like BeyondTrust, like what happened with the Department of Treasury. It was not exactly like that, but it was very similar, where she was able to get into that portal, she was able to reset everybody’s passwords in the entire organization and gain access to every single computer system in that organization.

And the organization fought us. And they were like, yeah, we don’t consider that to be critical. And I remember sitting in the meeting and having that conversation and saying, what do you think critical would be?

And that kind of caught them a little bit, right? And they went back to Josh Wright’s law. They’re like, well, there were no Metasploit-exploitable vulnerabilities. Like, Melissa is clearly a very, very high level hacker.

Most hackers aren’t operating at her level, so therefore this must be a low vulnerability. And of course they came in and they’re like, well, if we’re looking at the likelihood of this vulnerability, when we take the intersection of the vulnerability and the likelihood of it attacking with the threat actors and how they can interact with it, we think that the aggregate for this is low.

And it’s like, no, it’s not. It’s critical. Somebody can literally go into your environment, change any of the passwords on any of your systems, gain access to things at will.

And there’s no logging. So one of my friends who happens to own a pen testing company got hired to test this company the next year.

They didn’t come back to us, which is fine, right? We probably wouldn’t have done the test anyway, just because they were really, really, really not interested.

And lo and behold, my friend who was testing this company said they created an exception for that specific portal.

Rather than addressing the critical vulnerabilities (I’m not going to say who it was), this particular organization simply created an exception.

And they said, you cannot test that portal that has critical vulnerabilities. And at the end, once again, they wanted a clean bill of health, saying that our organization is secure.

Is it still there? Honestly, I don’t know. We wouldn’t go back. Oh, let’s talk about scope. This is something that happened last week. One of our testers was given an IP range from the customer.

Like, here’s all of our IPs. These are what you can test. These are domains you can test. Tester starts testing them. And as it is in most organizations and most contracts, as soon as we find a critical vulnerability, then we immediately share that with a customer because it needs to be addressed immediately.

And what happened is as soon as we found a critical vulnerability and gave it to the customer, they came to us and said, hey, can we exclude that from the range of testing after?

Now that’s, that’s, that’s tricky by the way. That’s tricky from a customer perspective for us to find a critical vulnerability and then say, hey, that’s no longer in scope, so it can’t be on your report.

Wow. Right. So you look at these exceptions from management, right? Like a management exception would be you can spearphish anybody in the organization except the C-suite.

Here’s all the users in the organization that you cannot test because they are managers, they are the C-suite, they are the sacred cows in this organization.

Who are the first people that hackers are going to go after? Guys, who are the very first people they’re going to go after? They’re absolutely going to go after the C-suite, right?

They’re absolutely going to go through it, right? They just are. But they create that exception. Exceptions for third party vendors. Sorry, you can’t test anything in Amazon.

Why can’t I test anything in Amazon? Because Amazon said you can’t test and that’s garbage. Amazon’s policy is you can test Amazon, you can test against Amazon, but if you find any vulnerabilities, you have to let them know.

It’s basically, hey, if you’re going to test us, you’re going to test us for free, right? That’s standard operating procedure for most cloud vendors as it exists today. Right? But organizations want to create these exceptions as much as they possibly can.

And this isn’t just for external pen testing firms, right? Internal security teams see this exact same thing again and again and again. Exceptions for anything hard to fix, like web portals, the DLL thing that Moth found.

For that, we’ve talked to a number of vendors that have that exact same vulnerability, and it blows my mind. Most of those vendors don’t know how to fix that vulnerability because the original developer that wrote that crypto library is no longer at that firm.

So they can’t fix it. They go to our customer and they say, hey, we can’t fix this vulnerability, but what are you going to do? Huh? Huh? Huh, huh? What? There’s no other product that does what we do.

You can’t go anywhere else. We think we’re in a pretty good place, so we can’t fix it. It’s hard. So just accept it, right?

Just accept it. And our customers are constantly like, what do we do? Right? And we’re like, oh, that sucks. Can we go public?

And they’re like, God, no. Why would our customers not want us to go public? I don’t blame them. I think that that’s. That’s what I would recommend. But if you have a vulnerability that a vendor refuses to fix, you don’t want that public.

You don’t want that public at all. And I cannot blame my customers at all because you don’t want these vulnerabilities that have been discovered to all of a sudden be on some BHIS blog post, which, by the way, is coming up later on this webcast,

that all of a sudden now is like public knowledge to everybody, and the vendor has no way to fix it. That’s tough. That’s a tough decision. Now, honestly, I come from the old school days with Attrition and Jericho and Full-Disclosure. I guarantee you, if you went public with that vulnerability with a lot of these vendors, those vendors would fix it probably within two days.

But that’s just historical. And I’m not going to force that decision on my customers because that’s horrible. That’s mean. And ultimately that’s not our goal and objective as a pen testing firm. Right.

This is a bit ranty, but like I said, 99.8% of our customers are flipping awesome. They’re great to work with. Which brings me to the last point.

Compensating controls. You’re always going to have exceptions. You’re always going to have legacy apps. You’re always going to have these things in your organization that you cannot fix.

All right? You’re always going to have these things, but you also always need to be looking in terms of compensating controls. If we have an application that has a particular vulnerability where it can be compromised, can we put compensating controls in where we’re monitoring access to those dynamic link libraries through something like Sysmon, where we can create specialized signatures in a SIEM that can detect whenever somebody is trying to do those types of shenanigans?

If you don’t want me to target your CEOs, can we put some additional compensating controls in to protect them from themselves? Can we do that? If we have legacy servers and legacy services, can we put them behind a couple of different firewalls so I just can’t hit every port on the AS/400?

So it’s a very, very specifically filtered application firewall. Maybe we’re going to put in some n-tier architecture to proxy that traffic going to that device. And that really is incumbent upon us as offensive people, where we can now work with customers, recognize that exceptions exist, recognize that legacy applications exist, recognize that they are required for the business to function, but work with the customer to help them develop compensating controls to make the situation better.

Because as much as I’m frustrated, everybody, as much as this is a rant, and that’s how a lot of presentations for me show up, as a rant, the number one goal in BHIS and our pen testing company is to make our lives more difficult.

We want to make our customers better. So they make pen testers cry. That is our number one goal. And that means assisting them. That doesn’t mean saying, hey, fix your stuff or you’re stupid.

That means saying, look, we recognize that this decision is above the security team. Many times it’s above the IT team and we have to work with them together to fix these issues and come up with these compensating controls.

And once again, that’s not something your automated pen testing platform is going to come up with. Yeah, I know. What is it, Jack Henry? What is the story? The person that was trying to outdo a steam engine, or a steam shovel, whatever, I guess.

John Henry. Thank you very much, John Henry. Yep, that’s where we’re at. I think that I’m going to lose this eventually. Probably. We’ll see. That’s an awesome shirt, by the way.

Developers. I, I don’t know how much I need to say about this because I think that whenever people saw it on the beginning of this, they knew that this was coming.

Right? And with BHIS and testing, it doesn’t matter how awesome the security team is. It doesn’t even matter how awesome the CEOs are.

It’s just, you just can’t trust developers. You just can’t. I was going to do this full Steve Ballmer meme,

and I liked this kind of stylized version of Steve Ballmer because I’m getting a little tired of the sweat and the dancing. But if you haven’t seen the video, I’m sure some people will pop the GIFs on Discord here in just a little bit.

We’ll be seeing that in just a little bit. But developers could be covered under exceptions, but they’re usually not, which I think is kind of weird. And I think that they’re not covered under exceptions because I think a lot of security teams secretly hate their developers.

They could say you can pen test everything, but over here, these developers and the moon Io, you cannot land there. Attempt no landing.

But it’s almost like security teams are like, yeah, thanks. Yeah, we’re really excited. Bring you guys in. Here’s the rules of engagement, here’s the scope, here’s the IP addresses our developers are on.

Deb Wigley

They’re right over there in that room.

John Strand

Here’s their IP range. It’s kind of, Europa. Thank you. I got that wrong. So it’s so bad that it’s its own category, right?

And when we’re looking at developers, their LinkedIn profiles are really horrible. It just lights them up like a Christmas tree in many situations. Like, I’m a full stack engineer.

I can develop in C, C, Golang and Rust. Like their profiles just scream, I am a highly privileged user in my environment and I will click on every single link that you ever send me.

So please just spearphish me, because I have that type of ego, because I’m smart enough that I won’t click on any links on that.

I like to sit on a throne of lies. Right, so what are the things that developers do? Like, number one, I think one of the, like, I don’t know, like the most unforgivable sin that a developer can do is production data and dev environment.

This happens all the time, where you’re going through and you’re scanning, you’re finding dev.company.com and then you break into it,

because the password is like root and password, you get in, and as soon as you get in there, it’s just riddled with actual production data. And then when you go to your security folks, your point of contact, almost inevitably they’re always like, well, they’re not supposed to have production data.

Like, they’re supposed to be using test data. Why are they using production data? Because they’re developers. That’s just what they do. They want to develop, they want to make sure the software is going to work the best it possibly can.

And for developers, data doesn’t get any better than production data, right? I don’t always test, but when I do, I choose to do it in production. So says the world’s greatest hacker.

So we see that all the time. And like I said, that’s kind of unforgivable. The one that’s a little bit more forgivable: local admin. A tremendous number of their products and their tools that are out there today require them to be local administrators.

And this coupled with that LinkedIn profile thing just literally screams dinner bell for hackers, right? It’s just, just ding, ding, ding, ding. We’re all coming down, we’re all excited.

We’re getting our favorite steak sauces, which, by the way, totally a huge fan of the fact that Chick-fil-A sauce is something you can buy in a supermarket now. So that’s what I think of whenever you find out about developers.

And they have local admin and they’re basically advertising, hey, look over here on LinkedIn, I’m a developer and I probably have local admin on my computer system.

So that’s a little bit more forgivable because so many of their tools require that. And I think that it goes back to, like, it’s just lazy developers all the way down. But it’s not; it gets into a lot of the tools that developers are using, where the tool developers are lazy themselves.

Right? So that’s kind of a, kind of a problem, there. The next thing. And the last thing, or the second last thing is security bolted on at the end. And I don’t necessarily blame developers for this.

And after doing this now for a long time, I can truly understand why I hate, I absolutely hate it. Whenever we get people that call us like, this app has to go live in one month.

And I hate it because the developers are going to hate us. And they’re probably justified at some level in their hate because we show up, we do a pen test, we find a ton of vulnerabilities, and the developers are like, well, this has to go live in 20 days.

We can’t fix all of this in 20 days. And that sucks, right? Because you got to blame someone. If you’re a developer, you’ve got to blame somebody, right?

And you’re going to blame the pen tester, right? I’m the messenger, pull out your gun, shoot me, right? That’s just what’s going to happen. And I expect that. And I train my testers to kind of accept that hate, don’t take it personally and don’t take it maliciously.

It’s a natural human occurrence, right? But it’s time for us at that particular point to take a deep breath, take a step back and start talking with the developers about triage, right?

If we’re saying, look, if this app is going live in 20 days, here’s the top four critical vulnerabilities that you should address. These are pre authentication vulnerabilities. These are vulnerabilities that anybody running Burp Suite Pro can run a scan, identify these vulnerabilities, and take over your app at will.

Let’s fix those first. Let’s set up the development queue and you can say, hey, you can go live with a handful of criticals, but these criticals, pre authentication, you need to get these fixed as quickly as possible and then prioritize that down and prioritize that out.

Right? And this goes so much for computer security teams in general, right? Like, we cannot be a stopping agent for business, right?

And this is one of those things I learned from Dave Shackleford years ago: we cannot be the people that constantly say no and stop. We can commiserate on webcasts with like 500 people, and we can talk about these things.

But at the end of the day, our job is to make our jobs more difficult as pen testers and our job as security professionals is to help the organization continue to function as a business in the most secure fashion that it can.

And it’s not about doing zero sum, right? Like, it’s not about saying you got to fix everything or we can’t go live because that’s going to get people to hate you and that’s going to get people to ignore you. You got to work, got to prioritize, got to set it up.

You got to come up with a team, plan, work together. What is the. There’s a great book out there called There Is No They on the Santa Fe, right? If you haven’t read it, you need to go check it out.

But basically it’s about a submarine captain that takes over the Santa Fe, the worst performing ship in the Navy, and everybody’s blaming everyone all the time, everywhere.

And he basically killed the word “they” because everyone was blaming everyone else. We all have to realize that we’re in this together and we need to work with each other as well. Turn the Ship Around! is the name of the book.

Thank you. If people can provide a link to that, that would be great. Now the problem with developers, and then you couple that with cloud computing, and containers and automation.

Oh my God. It gets to the point where it’s so easy to stand up environments that you start getting a whole bunch of development environments, you get a whole bunch of systems and they tend to get forgotten about.

And so that’s a little bit of foreshadowing for this slide. Cloud services. I’m going to be guilty for this one. Hey, how many are like, can you guys put up some lists of some RMM tools that have been compromised in the past, let’s say, year, year and a half?

What RMM tools have been compromised over the past year and a half? ConnectWise, we got Kaseya, ScreenConnect, Atera.

Yep. AnyDesk. Ninja. I don’t know if Ninja was. I don’t know if I got that one. Bongs R Us. All right, that’s a problem.

Then once again, when we talk about the cloud, I need to own up to part of this and I don’t know what the right solution is, but I believe, I still believed, whatever, that moving some services to the cloud makes sense from a security perspective.

Okay. It makes sense from a security perspective. Okay. When we’re looking at Outlook, I think that running Office 365 is a more secure solution than running on-prem Exchange.

Now, it has been argued to me that on-prem Exchange, if Microsoft put as much time and effort into securing on-prem Exchange as they put in dollars into trying to get everyone to migrate to Office 365, it would be more secure.

And I don’t know if I subscribe to that theory, but it’s an interesting theory. But it’s purely academic. It doesn’t matter. Everything’s moving to the cloud anyway. Right. And the idea of the way that this should be is that you have cloud services and instead of installing all the software in your environments and then everybody having to patch and update separately.

Jason Blanchard

Mhm.

All right. John, can anyone hear me? All right, Jason.

John Strand

Jason? Jason. All right, what about John? Can you hear John now?

Jason Blanchard

Can people hear John?

John Strand

Okay, we’re back.

Jason Blanchard

John’s back. All right, John.

John Strand

I thought I was gonna have to do this whole thing in mime,

Jason Blanchard

Like that one time, which I think.

John Strand

It would be easy, Jason. I would just do this for the rest of the 20 minutes. Right. And that would have been easy.

Jason Blanchard

You would have got like $5,000 in the swear jar.

John Strand

I would have gotten like, well, whenever, whenever it got posted to YouTube, all the audio would be there. All right, so when we’re looking at cloud, I think that there’s definitely some wonderful things in migrating to the cloud, but I’ve got some things to say.

First and foremost, let’s talk about logs, timing and logs in general for cloud services. Many of the logs that you get out of Microsoft whenever you’re attacking Office 365, the logs aren’t showing up in our customers’ queues in a timely fashion to detect the attacks.

They just aren’t. Sometimes you’re seeing logs for some cloud services that are an hour delayed. So the attack is happening, usually completed, usually is successful, and the customer is going to find out about that attack one hour after the attack occurred.

That’s a problem, right? That’s a huge problem. And some cloud vendors, we have launched attacks against them and the logs don’t ship to our customers for up to a day after the attack occurred.

That’s a problem. And like I said, it’s one of those problems we seem to completely ignore. And we need to get to the point where, I don’t know how we do this right, but we need somehow to like name and shame some of these vendors and make it so it’s not okay.

Or getting the right logs costs more money. To get the logs you need to do the basic level of security in your organization costs more money. If you’re a vendor and you’re looking at the logs as like a cash solution to make more money,

F you. I just, you try so hard in this industry to try to get it to the point where things are improving.

And I do feel like generally things are lurching towards betterment. But we tend to ignore the limitations that our cloud providers put on us and we tend to accept the limitations that we get put on by our cloud vendors as well.

So when we’re looking at these breaches of these cloud vendors, I talked about RMM tools, right? And when you’re looking at a breach, once you gain access, you gain access to a whole bunch of different services.

And a lot of organizations are looking at these cloud services as a way of like defer the liability to the cloud vendor. And I agree with that. And let me give you an example.

We have at BHIS, there’s a contingent, or at least there was, not so much now. But when we moved over our email services to Google originally, there was a large contingent of people at BHIS that wanted us to stand up our own email servers because they didn’t trust Google.

And then when we moved over to Microsoft for a number of reasons, that we covered in previous webcasts, actually same thing, it was like, why don’t we just stand up our own server? Let’s not trust Microsoft, let’s not trust Google.

And the reason why I did that is because if I run my own server and I get hacked, that is 100% the liability of me and Black Hills Information Security.

Okay, if we’re running in Google or we’re running in Microsoft and they get hacked and our data is leaked or our customers data, then we are another victim to that hack.

The way the news story is, it isn’t BHIS gets hacked, it’s just Microsoft gets compromised and one of the companies that was compromised was Black Hills Information Security.

Does that make sense? I don’t think it’s a pre-Corvus era. I really don’t. I think it was right when she started working with me, because she’s been here a long time, folks, and she was with me actually before BHIS, which is a long story.

But at any rate, you’re seeing that deferment of that liability is absolutely something that makes sense. And I think that people should do that.

But then we get into questions of who’s actually testing these companies. Like I almost feel like for cloud vendors we need to have a letter of attestation from a third party pen testing firm that is going to stand up and say yes, we tested this organization, yes it was thorough, yes vulnerabilities were discovered and yes they’re being taken care of.

At a minimum. Even better, give us the whole report. Give us the whole report, warts and all. And I know that that’s way too much to ask, right, because there’s no company in their right mind that’ll ever sign up for that.

I mean, we do have some companies, of course, like secrets-type companies and crypto, where the security testing attestation for some of the logic and some of the security stuff around crypto, they publish those reports.

And I think that that is a good idea. It’s never going to happen. But I think it’s a question that we need to start asking. It’s like we’re just blindly giving our data to these monster firms and we’re just like, oh, trust us, we have really, really, really good security teams testing our own security.

I’m going to pick on one. What the hell, let’s go. How about Oracle? Because they’re easy to pick on, right? We’re not picking on Microsoft or Amazon because they don’t act this way, but we do see cloud vendors that do this.

So Oracle, we found a vulnerability a number of years ago and I’ve talked about it in some previous webcasts where we found this vulnerability. We submitted this vulnerability to Oracle and Oracle denied the vulnerability.

And then we went back and we said, no, there’s a vulnerability. Here’s a packet capture, here’s screenshots, here’s everything. Here’s the config file from Burp, here’s all the things we found. And they came back and they said, no, we need more data.

So then we provided more data, with more screenshots, with more and bolder call-out arrows, and they continued to deny it. And when we finally had a call with the Oracle security team and the customer that we were testing at that time, the Oracle security team said, we have the best pen testers in the world.

They didn’t find this. This is not a critical vulnerability. They wouldn’t even entertain the fact that somebody else would have found a vulnerability because of the hubris that they had in their organization of their own skills.

So we said, if it’s not a vulnerability, we’ll just go public with it. At that point they’re like, hey now, hey now, pump the brakes. We’re going to try to fix this. Right? So who’s testing these? Who’s watching the watchers?

Usually no one. They’re just kind of doing it on their own and we’re trusting them. And I think that there needs to be some level of accountability on that as well. And we continue to ignore this.

We continue to ignore this. And I want to give you kind of what I consider one of the biggest mistakes that we made at BHIS is this tool, GraphRunner. It’s by Beau Bullock.

You can get it at dafthack. And I know that that sounds weird because it’s an awesome tool that does a lot of cool things. And how in the hell is it a mistake? Well, stick with me.

So we released this tool, we use this tool all the time. And it’s kind of like, if you’re looking for an analogy for it, it’s kind of like BloodHound but for the cloud. Right. So when you gain access to the cloud, what are all the different tests that you can do within GraphRunner to look at ways of moving laterally, extend your access and attacking the cloud itself.

Okay, where do I think the mistake happened here? So whenever GraphRunner was released, right, these were all the things that were in GraphRunner, right.

It has the ability to search and export email. Anybody that has an over-provisioned inbox, it would pull them down. Search and export SharePoint and OneDrive files accessible by the user. Search all Teams chats and channels visible to the user and export all conversations.

Deploy malicious apps under the context of the legitimate organization. Discover misconfigured mailboxes that are exposed. Clone security groups. Carry out waterhole attacks, which was awesome by the way.

Super cool. Find groups that can be modified directly by your user or whose membership rules can be adjusted to gain access. Search all user attributes. Leverage a GUI built on the Graph API to pillage a user account. Dump credentials, conditional access policies, app registrations. Complete the OAuth flow during consent grant attacks.

Here’s the problem. We released all of these things in one tool. Now, a lot of these weren’t things that we came up with right off the bat.

Some of these are security research that we saw in other people. Some of these are actually our research. And this isn’t the entire list. There’s more things that we have added to, to this tool.

There’s some more Teams attacks and things of that nature. And when we released this, it almost felt like it was kind of like a little tiny pop and we’re like, no, no, no, no, seriously, this tool is bad.

There’s a whole bunch of things, it’s still working to this day. And Microsoft didn’t really come out and try to fix a lot of these issues. And I’m going to get to that in a little bit more detail. And also we don’t see a lot of organizations trying to fix these issues as much as we would like them, to try to fix the issues associated with security within Azure.

And I think we released so much in one package so fast that it was almost white noise and it was easier to ignore when almost any one of these different things absolutely could.

And some of them have been their own webcast dedicated to just that topic. But when you release a tool that does all of these different things and people tend not to actually know what the actual security implications are for a lot of these different things because it’s cloud and it’s not something that we’ve actually been trained in, it’s really easy to ignore.

And further, when we’re using these as pen testers and we’re using these different attacks and we’re still using them to this day. We’re not seeing a lot of people implementing proper alerting, proper logging, proper third party detection services to even detect these attacks.

So we continuously use these particular attacks, post exploitation to greatest success. And we’re testing people that know who we are, we’re testing people that have probably been to a webcast talking about these things and I think it just becomes one overwhelming and I think number two, it becomes something that is, it becomes something that is this abstract weird cloud thing that we put into a bucket of Microsoft’s problem.

Microsoft is going to fix this for us. No, they’re not. I want to talk about this webcast.

This webcast was by Matthew, who is an amazing security researcher, very similar to Bo, very similar to Moth, very similar to a lot of people that do really, really cool things.

And he was talking about a new, like, way of doing DLL hijacking attacks. And you can find the link, we’ll get the link in there here in just a little bit. But it basically was a way that we could do DLL hijacking attacks, bypass EDRs.

And yeah, that webcast was wild, right? Crazy. Here’s a vulnerability that exists. If somebody can gain access to your system, they can get malware to execute and it’s going to bypass AMSI and it’s not going to be detected.

And what was Microsoft’s take on it? Thank you for your submission. We determined your finding is valid but does not meet our bar for immediate servicing because even though the DLLs associated with this add-in can be delivered by certain users, it only provides a low/moderate risk.

However, we’ve marked your finding for the future and we will review it as an opportunity to improve our products. I do not have a timeline for this review as no further action is required at this time.

I am closing this case. So when I set up this webcast and I wanted to do this webcast of things we’re going to ignore, this is absolutely in that category where there’s a ton of vulnerabilities and there’s a ton of things that are known to the pen testing community and offensive community that don’t have CVEs that companies are using regularly in their engagements.

And a lot of the firms share these techniques with each other, like Red Siege, BHIS, TrustedSec. Like a lot of us know each other, we’re on each other’s webcasts, we do training, we support each other’s cons, we support each other.

Like I am incredibly blessed that some of my best friends are my competitors in this industry. We share this stuff with each other, we all use it again and again and again and then it’s ignored.

So this is frustrating. And I know, I know it seems like this should be something that we should be excited about because we can continue using these techniques for an extended period of time.

We should be happy about that, right? Once again, what did I say is our number one goal and objective as a pen testing firm? What is my goal as the owner of Black Hills Information Security?

Making my life more difficult, making my testers lives more difficult. That is our goal. It isn’t just to go out and hackity, hack, hack, hack, hack, conquer, hack.

All of the things, drink all the beer, do all of those different things. Those are all fun things to say. But a lot of the people here, we genuinely give a shit about the industry. There’s $5 for the EFF.

We genuinely care about the betterment of the industry because we see the impact of what happens whenever customers get hacked. We see the impact of what happens whenever people get compromised.

Is it marketing? It absolutely is marketing. I mean, it’s all marketing. This is marketing. The T-shirts are marketing, the comic book. It’s all marketing at some level. But we can do things the right way, right, where we’re making things better, we’re making the world a better place, we’re sparking joy.

We can do things the wrong way with traditional crap marketing or just hoarding all of the vulnerabilities and just saying, hey, here’s something elite that we have that no one else has and we’re better than all the pen testing firms.

F that. That’s not what we’re here for. We’re here to make the world a better place. I’m not going to be on my deathbed and talk about how, oh, I’m really happy I made a lot of money.

No, I want to make the world a better place. Right. I want to make the world a better place. MFA, or lack thereof. I don’t think this one.

We’re seeing a lot of companies that are finally implementing multi-factor authentication and I think that that’s great. They’re still using text in some organizations and I’m not as much of a hater on text-based MFA as others.

I think your risk model matters. Right? Like we banned it at Black Hills Information Security completely. But look, for some companies, just simply turning on text-based multi-factor authentication is going to work fine simply because you’re an architecture firm in Kansas City.

Like the odds of somebody doing SIM cloning to try to steal your text messages to what? I mean, yeah, I mean, it’s possible. Right? And there’s always better ways to do that.

I think that that is truly something that we can always do better. But honestly, if we could just move to some level of MFA, I think that’s really a step in the right direction.

Right. But we’re still seeing attacks where one-click style attacks still exist, specifically with your access to cloud services.

Right. We’ve seen a number of these attacks on the IR side, we’ve launched a number of these attacks using Evilginx and all of these different tools where we can create a link, send it to somebody to click that link.

Hold on, turning it off and on again, see if they can hear. Jason, I think. Jason. Hello? Is the audio back?

Jason Blanchard

Hello, Hello?

John Strand

Yeah, here we go.

Jason Blanchard

Hello, Hello.

John Strand

All right, we’re back, we’re back. We’re back in the saddle again. All right, all right, all right. Everything is fine. Everything is fine. It’s all okay.

Right. So MFA is still a thing. Right. And we’re seeing MFA being implemented, but it’s not being implemented absolutely everywhere. And we’re trying to find those areas where MFA isn’t there.

But the problem is, I think that we’re ignoring once again the fact that cloud services aren’t giving us the logging, the telemetry, the detection capabilities that we need for attacks that are trying to bypass MFA.

And I understand this is in fact a much more difficult problem to solve than just, all they have to do is turn this on. Why don’t they? It is difficult.

Right. Especially when you’re looking at U2F, or you’re looking at trying to implement shutdowns of impossible travel, trying to restrict the IP addresses.

Because when we got into Covid, everybody basically started working remotely and we needed to make sure that everyone could remote work all the way through.

So this is a type of attack that was blogged about by Proofpoint. We still use it. This is a little bit of a variation on Proofpoint’s article.

Again, can anyone hear me? Can you understand the words that are coming out of my mouth? All right, here we go. We’re good.

All right, there we go. So there’s a number of attacks that hit, and we do variations of this, where you send somebody a link to Dropbox, and they’re not really going to Dropbox, they’re coming to some other app that is intercepting that authentication, whenever they click authenticate with Google, authenticate with Apple, authenticate with Office 365, and then we can intercept those authentications and then we can basically steal those sessions and then we can be that person in the environment.

It’s bad, it’s bad from the perspective of IR because once again the time frame that you get from the actual attack occurring to the point where we get notification or even getting to the point where we’re processing the logs is too long in many situations.

And it’s bad because it works. And just for the record, this is one of those attacks that scares me for my own company. This is one of those attacks that when we’re talking to some of our customers, they’re like, how the hell do we shut this down?

We come up with a whole bunch of things like going through Zscaler and things of that nature. But this is tough stuff. Like we’re back into some like single click compromise, not of an endpoint, but actually of a cloud service.

So we’re kind of at the end. I didn’t hit absolutely everything. And I’m sorry if I seem more subdued than normal. I just got done teaching for four hours and I’m half the man I used to be.

Like John Strand in his late 30s teaching at the SANS Institute eight hours a day for six days a week. I’m clearly not that person anymore. I haven’t worked up that level of stamina to what I used to have.

But kind of going through this. What are the things that you feel we’re continuing to ignore? Right. We can kind of throw that up. We can talk about it in the post show, but there’s some honorable mentions. Meeting the minimum.

We’re going to continue to ignore that. Right. Because many organizations, when they’re looking at compliance, they insist that we just need to do the minimum associated with that compliance standard to demonstrate due diligence.

That sucks. That’s not what compliance was meant to be, folks. It really, really wasn’t.

Yeah, I didn’t mention the OSI model, so therefore I’m okay with it now. No, that is not the case. That is not the case. Right. Focus on ransomware.

The entire industry is still heavily, heavily focused on ransomware. Are we just going to be OSI model memes? Is that what we’re doing here?

Is that where we’re going? Okay, okay, focus on ransomware. We focus on ransomware for a really good reason. Right. Organizations get shut down. Immediate impact and financial consequences for organizations getting hit by ransomware.

But this is the bright shiny thing over here that the magician is showing you. The reality is you’re having nation states that are doing these stealthy attacks or they want to dwell for an extended period of time and we’re not addressing those. 1 million InfoSec jobs.

I would love to get Jake Williams on to talk about this. But we’re constantly being told that there’s 1 million infosec jobs out there and you have a ton of people, probably 2 million people, trying to get those jobs and those jobs ain’t happening.

And I have very, very good, like, reasons why I think that that’s occurring. I just got done talking about it with my Intro to SOC Core Skills, but I think that that’s something that could be talked about.

Single panes of glass, right? Are we going to continue to ignore? The vendors are trying to sell us an oversimplified solution of what computer security is. Here’s a SOAR product that’ll solve your security problems.

Here’s an automated pen testing product that’ll solve your security problems. Here’s your AI that’s going to solve your security problems. I think that that’s something that we are going to. No, it’s not a typo.

That was intentional. I think that we’re going to continue to see again and again and again this type of snake oil selling out there. It just is something that we need to deal with.

AI is the new next generation that fixes everything. I do believe it’s going to be a fundamental game changer in this industry. I just don’t think that we’re going to be able to properly predict how it’s going to be a game changer. And when you look at AI.

AI. Oh, we’re going to use AI to defend against hackers. The attackers are going to use AI. So literally we’ve just escalated with different tools. It’s an arms race.

And it’s always been an arms race, people. It’s always been an arms race. It was exploits. Yeah, we got exploits. Well, if we release the source code for the exploits and people can write signatures for the exploits, then they come up with obfuscation frameworks, then you come up with Metasploit, then you come up with better detection, then you come up with EDR.

It’s always, always, always been an arms race. And AI is an arms race. And if you look at it like AI is going to solve computer security, you forget that on the other side of that equation, the attackers are going to use AI to attack us.

Okay. We just have to hope that we can move faster than they can. Right. Automated pen tests. I’ve already ranted about that a number of different times.

And then also cash cow infosec training. Are we going to continue to ignore that? Training doesn’t have to be expensive. I mean, aside from Antisyphon, which of course I’m very biased about, there’s a lot of great training out there from, like, The Cyber Mentor.

Simply Cyber is just doing it for free every day out there. Like, can we look at John Hammond and what he’s doing? Like, can we acknowledge the fact that the world can move on and it can actually be improved and it can be better training at a cheaper rate?

I think that that’s something that we need to stop ignoring as well. So that is my TED Talk. And like I said, it came across a little bit more ranty than I wanted it to be. And by the way, I totally, totally, totally thought that this was going to be ranty today.

But I just got done teaching my Intro to SOC Core Skills and, yeah, coming off of that. So I think I’m ready to kind of take a back seat so we can start doing questions.

Q and A for those of you that want to stay around. And also the post show. Let’s do the post show because after the party, it’s the afterparty. I probably need to stop using R. Kelly quotes.

It’s probably not good. Does that count as a swear for the swear jar? I think we might do that.

Jason Blanchard

John, John, if you could sum up everything today, and you just did.

John Strand

Right.

Jason Blanchard

But if you had one final thought, what would it be? And then we’ll move into the post show.

John Strand

I think the thought is, let’s acknowledge that there’s things that we aren’t fixing and let’s start trying to fix those things. Let’s go to the space in computer security that we dare not go and start going and see what stares back at us.

Jason Blanchard

That reminds me of playing backdoors and breaches with people.

John Strand

Oh, yeah.

Jason Blanchard

During that session, like, all of a sudden, all the things that people are like, oh, yeah, we should fix that. We should fix that.

John Strand

Yeah, well, and that happens all the time. And I think that card game really brings out. These are the things you’re continuing to ignore, right? Like where we talk about these are things that we ignore. We could literally just play backdoors and breaches and say which of these things are you ignoring in your environment as well?

Question is, what would you predict for bug bounties and Android iOS mobile devices? I don’t think that we’re going to continue to see very much because trying to pen test iOS and Android devices is incredibly difficult because it’s a closed off ecosystem.

And that was one of the things that I had in this deck and I removed it. Because I think that iOS and Android pen testing is a separate webcast for me.

Because we’re working on classes at BHIS where we’re going to be releasing some Android and iOS pen testing classes and we’re going to be doing some workshops. But yeah, when you’re looking at pen testing, it’s not as easy as just doing pen testing on an Android app.

It’s a closed ecosystem, it’s a little bit difficult. And we’re going to be working with Corellium on that class as well.

So. Good question.

Daniel Lowrie

Someone mentioned.

John Strand

Go ahead, Megan.

Jason Blanchard

Can you fix Logan’s video? Since Logan broke the YouTube stream.

John Strand

We do blame Logan.

Logan Bender

Yes, I’m taking blame John. I will be better.

Jason Blanchard

He is the source. Yeah, the source of the problem.

Daniel Lowrie

The road to hell was paved with his best intentions. John, someone mentioned quantum computing in here.

What do you think about that? You think that’s going to be one of the next big things after AI?

John Strand

I think it is. And okay, so. All right, so let’s get weird. So whenever you’re looking at quantum computing, I think that it’s very, very interesting.

For those of you that don’t know, aside from just, like, quantum computing is spooky computing at a distance. Whenever you’re looking at how a particle moves, it can be both a wave and a particle at the exact same time.

And if you can look up the double slit experiment on how radioactive material and light goes through a double slit, basically you have radioactive hits and light hitting in parts where it should never ever, ever hit.

And basically what that means is reality is a probability. It’s one probability out of an infinite number of probabilities. So whenever you’re looking at the way quantum computing works, when you’re looking at D-Wave, you’re looking at how can you actually identify something like a non-probabilistic hard problem.

Let’s say you’re trying to brute force. Well, you wouldn’t brute force. There’s actually algorithms where you can calculate pi, but you’re trying to calculate, let’s say, a key for a password or crypto or things like that by running a quantum computer, by not looking at it.

This is essential because as soon as it’s observed, the reality collapses around what is. But by not observing, you can reach into the infinite number of possibilities and you can pull out the possibility that you’re actually looking for.

If that sounds crazy, it’s because it is. I spent a lot of time trying to hunt down quantum computing experts, try to find somebody that knew exactly how it was working.

And there’s people that can make quantum computing work, but they don’t know how it works. So if you find the actual experts that are doing this, they’re like, well, here we can do X, Y and Z, we can do this.

And then we can pull out an answer and you find the experts and you’re like, explain it to me. How is that happening? They’re like, I don’t know. In fact, there have been Nobel Prize winners whose sole purpose in life and physics was to prove quantum computing was wrong.

And they ended up proving that it is right. So it’s a crazy field and I do believe that it is going to absolutely be something that’s going to change the way that we do computer security.

But understand that Dan Brown’s book Digital Fortress is wrong. Dan Brown should have at least looked up the Wikipedia article. And when you’re trying to look at crypto, especially key based crypto, it’s far more complicated than just brute forcing a password.

When you’re using key-based crypto, there’s another layer of obfuscation and complexity associated with it that makes, like, trying to deal with quantum crypto breaking a little bit more difficult.

But we’ll see. I don’t think it’s anything in the next five years. I think we’re probably looking at about 10 to 15, depending on what AI does. AI might change all of this crap. But we’ll.

Jason Blanchard

Didn’t we already figure out quantum computers? But that’s in the future and so we haven’t gotten there yet.

John Strand

Oh my God, that’s right. Yeah, we already figured it out, but it’s coming. Okay. Or it happened. Time is a weird thing that technically doesn’t exist. It’s a construct that we create.

So. Thanks, Jason.

Jason Blanchard

Yeah, no worries.

John Strand

You just want to sound smart, all those smart things.

Jason Blanchard

I just want to re. I want to go back to this video 40 years from now and I’m gonna play it and be like, I’m.

John Strand

Hoping we’re all sitting around on a porch somewhere like I’m visiting you guys out in Baltimore. And we’re like, wow, that was weird. Aged weird. Yeah, we got old.

Jason Blanchard

Yeah, for sure.

Daniel Lowrie

John, I got a question here from Duotech. Says, how do you approach customers who prioritize prevention over post-exploitation findings like GraphRunner, BloodHound, etc., and how can blue or purple teams get movement from leadership to prioritize and fix these issues?

John Strand

That’s super easy. So one of the things that I think works really well with BHIS is a reporting format. In our reporting format, we provide, like, validation steps. And a lot of good firms do this, by the way.

It isn’t just BHIS. Provide validation steps and then also the methodology of how we went through step by step by step to create that particular condition. And the reason why that’s critical is we want to enable blue teams so that they can recreate those conditions so they can get to the point where they’re not only stopping those conditions, but they can also work with their detection engineering teams to develop reactive and detective capabilities as well.

So I think that a lot of it is developing a reporting methodology that’s beyond just, here’s the exploit, fix it, and getting it to the point where, here’s a full understanding of how that exploit came to be, how the tester found it, here’s how you validate it.

So you’re equipping the customer to move forward to actually fix the vulnerability and also work on detection engineering around it as well.

Jason Blanchard

Hey John, let’s do two more questions and then we’ll do, like, if people want to stick around and want to do business with Black Hills in 2025, how they can. So let’s do two more and then Tom, Logan, you and everybody else can chat about that.

Whoever wants to stay. Right. We’re going to give people plenty of time to leave before we mention what it’s like to do business with Black Hills.

John Strand

Yep.

Daniel Lowrie

Yeah. All right, you got one here. John, it says this is from Roswell UK. When doing a pen test, you have a long list of attacks that you run through, skipping those where the scenario cannot be run.

Or do you get creative? What’s your prioritization? How do you figure out what you’re going to do? Is it a strict methodology or do you have wiggle room?

John Strand

It’s both. So we have our methodology. Hold on a second. I’m trying to find my access token code for bacon.

Are you eating bacon?

Daniel Lowrie

Yeah, but say you just said bacon and now I’m hungry. Thanks a lot. Yeah, really appreciate it.

John Strand

Should be bacon. Just give me a second.

Daniel Lowrie

Somebody posted a gif of a salad in Discord. There it went. It’s just a big bowl of bacon.

John Strand

Let me pull this down real quick.

Jason Blanchard

I have a pork allergy.

Daniel Lowrie

That’s unfortunate.

John Strand

All right. Oh, I just made it go away. That sucks. Hold on. Here it is. I have a pork allergy. All right, so whenever we... can you guys share my screen out real quick?

Okay. So whenever we look at how we approach pen testing, this is just an export of our knowledge base at BHIS, and this is what we share with our customers at Antisyphon.

Over a certain amount. It’s a thing, but we can share this. And it’s basically the attack methodologies of Black Hills Information Security that are constantly evolving. And we have all the different types of Active Directory checklists, we have network architecture review checklists, penetration testing, assumed compromise, and we have these different checklists for all these different types of tools and techniques and types of testing that is available for our testers.

Now, the goal of that is not to say that this is the extent of everything that you’re supposed to do as a tester. The goal of that is to make sure that there is a certain due diligence to make sure that you’re meeting the actual standards and practices for the current baseline of pen testing.

So we have checklists for all the different types of tests that we do. And then the testers will go through that. Then they’re going to go through and make sure that the statement of work has been covered, there’s no special items. And then after they get through those things, then they circle back and they start looking for more difficult things in the environment.

Some of the kind of interesting shiny things like DLL hijacking attacks, and trying to extend what they’re actually doing far beyond just the basic checklist on that.

So, yeah, that’s. We have those standards and practices that we follow. We have the checklist that we follow, but then our testers go beyond that and we make that very clear to our testers that this is not the minimum that you do.

And then you’re done. This is the minimum to make sure. That’s kind of like a flight checklist to make sure that we’re going through everything that we should before we can get into the really hard, fun manual testing that we do as well.

Jason Blanchard

All right. One more question, John.

John Strand

You bet.

Jason Blanchard

Unless there are none.

John Strand

Specific John questions. Someone wants to make Daniel Lowrie’s voice the voice in maps. That would be cool. That should be.

Daniel Lowrie

I apparently have one of those voices.

John Strand

You do. You do.

Daniel Lowrie

It’s weird when you hear your own voice, you’re just like, yeah, right. And then people are like, you have a very nice voice. Like, well, thank you. I. Is it?

Yeah, I guess that I, I mean.

John Strand

Your voice is great, by the way. But, like, when I hear my voice in webcast, it’s just. Yeah, it’s, I think.

Daniel Lowrie

Right.

John Strand

It’s.

Daniel Lowrie

It’s the worst thing ever. Right. When you hear your own voice. All right, I found a question for you, John. This says, why does imposter syndrome hit so hard as one who wants to be the best hacker, pen tester, etc. that they can be?

But it seems like the goal, or the goalpost, is constantly changing. It’s always moving, making it seem like they’re never going to achieve that goal. I’m sure you get this a lot, but this is a really good question.

John Strand

So I think Neil Young has a great quote that kind of goes with this. When you come to a fork in the road, put it in the ditch. And I love that. Because if you’re constantly trying to establish yourself as the best pen tester that you can be, that’s really not a very fulfilling place to be.

It isn’t. And you’re constantly kind of encountering these things like, do I go blue team? Do I go red team? Do I hack APIs? Do I hack this? And trying to do things for the right reasons makes a big difference.

Right? If you’re trying to do it from the perspective of trying to be the best pen tester that you can be, I’m going to tell you, that’s not fulfilling. I made it to the absolute.

Like, for me, I had a career goal. Okay. When I started in security, I had a career goal. I wanted to be a SANS instructor, and I wanted to be one of the best SANS instructors I could ever be.

And I kind of remember getting to that point where I had Ed Skoudis sending me emails and text messages where he’s like, dude, congratulations, you got the highest scores out of this conference.

And that wasn’t something that was. It wasn’t something that was like this epiphany and I had made it. I actually got really, really sad and I realized that what I was chasing was probably not something that was making me healthy mentally.

And I realized that once I attained it, then the game was going to be keep it. And then it was going to be, how long am I going to keep it? And then who am I going to have to fight to keep it?

And I got exhausted by that. So whenever we’re looking at, like, things that actually did finally make me happy, whenever I started getting to the point where I was teaching, especially with Antisyphon and doing pay-what-you-can training and helping people out in the community, I think that that fundamentally changed my view of myself in a way that I felt much better about myself.

Not just ego, but, like, what I’m actually doing in the community. I think it changed it for the better for me and my wife and my family and my kids, because I stopped chasing some of, like, be the best hacker, be the best instructor, make the most money, do these different things.

And I could finally find the thing that made me happy. So what I’m going to tell you is don’t be afraid of hacking and doing these things, but do it for the right reasons.

Do it for the love. Do it for the love of the technology and understanding these things. Because when you do it for ego, it’s just a matter of time before that catches up with you. And I’m telling you right now, I’ve been in this game, like, a long time.

Not as long as some people. And there’s a number of us in this industry that I’ve been, like, blessed to make some of the best friends I’ve ever had. Where they became that pinnacle, where they were keynoting DEF CON, where they were, like, releasing zero days, where they were at all of these different cons and, you release a zero day, you become the best hacker in an area, recognized.

And then all of a sudden you have a conversation and people ask you what’s next? And you’ve just got to keep on that treadmill. And that treadmill is miserable. And the people that I’ve, I’ve had people that have lost their lives, I’m not joking.

There’s people in this industry that have, that have killed themselves because of chasing that specific dream and feeling that they had to live up to a specific expectation for the industry, for their family, for their friends.

And you can’t do that to yourself. So do it because you love it. And don’t be afraid to take distractions. Try to stay healthy. And, that’s my recommendation. Because if you’re chasing that, if you catch it, you’re going to catch that tire, and that tire is going to run your ass over.

So be careful.

Jason Blanchard

Thanks, John. All right, everybody, here’s what we’re gonna do. You have about 20 seconds to leave if you don’t want to hear what it’s like to do business with Black Hills Information Security as far as any of the services and things that we have.

So in the next 20 seconds, feel free to take off. Thank you so much for joining us today. If you didn’t check in for Hackett, please check in for Hackett. If you didn’t sign up and get your free comic and survival guide, please do that. And if you’re not.

If you’re joining us next week at Wild West Hackin’ Fest, we’d love to see you in person. Also, stick around here in Discord and get to know your fellow Discord members. We just hit 50,000 today.

Members on Discord, but they’re not all active, so don’t be over something like.

John Strand

5,000, 6,000 that were active today. Yeah, it was your class. It was. Yeah, it’s a lot. Yeah, we had a lot going on. So. But, yeah, get out of here if you don’t want to hear a sales pitch.

And I know that that sounds weird, Jason, why don’t we do this? Why don’t we do the sales pitch at the beginning of the webcast?

Jason Blanchard

Oh. Because then no one would ever come back to webcast.

John Strand

That would just suck. That would just suck.

Jason Blanchard

Whenever I tell other companies, we’re like, yeah, we average, like, 700 to 1500 people per webcast. You’re like, well, how’s your sales team keep up with all the leads?

Oh, we don’t have. They’re not leads. They’re just. They’re not.

John Strand

Leads are gold. They’re not for you. They are friends, not leads. They are. They are.

Jason Blanchard

Yes. Friends, not leads. Just like the, was it, like, from Finding Nemo? Fish.

Daniel Lowrie

Fish, not friends, not food. Yeah.

Jason Blanchard

Yeah. All right, so if anyone has any questions about what it’s like to do business at Black Hills Information Security, feel free to ask it in the chat. But my first question is, John, like, when you set up the commission structure for Tom and Logan, like, what was your thought behind how they were going to get commissions off of all.

John Strand

Their sales so they don’t get. God, that sounds awful. People are going to totally steal them now. So, so I don’t like commissions and I want to explain a couple of reasons.

So the way that you structure a commission structure in sales teams is you pay your salespeople so they’re starving as their base salary and then if they want anything above that, they have to sell to achieve comfort.

Like, remember we were talking about chasing the wheel and what that does to your psyche. So number one, trying to do that is really, really hard psychologically on sales teams.

Number two, most of the time, whenever you’re in a commission based sales environment, there’s a conflict between what the test is, what the SOC is, what we’re providing our customers, and the sale itself.

So the sales team is looking for get the sale, get the sale, get the sale, get the sale. They’ll agree to all kinds of different things and they will cut the cost.

And then it’s up to the implementation team to implement things based on the cost that was sold. So you have these two rooms that don’t communicate really well. Also there’s firms that, that I talk to that have commission.

And you end up with this really perverse incentive structure where the sales team is hierarchical and you start getting it to the point where every contract has to be signed off by this manager, this manager, this manager, this manager, so they all can get their cut.

And my point in all that is it’s miserable for the customer and it’s miserable for the sales team. And we don’t have outbound sales calls. We don’t do that. The sales team receives calls.

It’s funny, they’re almost like, I feel like they’re like, like therapists for a lot of our customers. It’s like we got a problem, we need help and we’re there to try to help it out.

But it’s all about taking the orders and more importantly, it’s about giving people what they need and more than actually getting the sale. And we develop relationships, we don’t develop leads is one of the key points with that.

Jason Blanchard

So this one. So speaking of sales commissions, do you have minimum utilization rates for testers?

John Strand

No, we don’t. I also don’t like minimum utilization rates for testers. Let me give you some examples. I have some testers like Jeff, that ja is developing malware, right?

So if I do a minimum utilization rate and I start trying to test and evaluate all my testers. And you have a tester like Jeff who isn’t utilized as much as he was five years ago, but he’s actually working on literally every single test, that doesn’t do him any favors.

Or if you have testers like David or Jordan or BB or a lot of our senior testers, they’re actually assisting other testers with the test that they’re working on.

So once again, it’s kind of this perverse thing where the more advanced the tester gets, if you’re expecting them to be more and more utilized and you’re setting up the payment structure based on their utilization, you’re really, really, really kind of disincentivizing your senior testers to be able to assist the more junior testers in what they’re actually doing.

So yeah, I don’t like those things. We do look at utilization, but it’s more from the perspective of who’s possibly getting burnt out because we have testers that just forget or for whatever reason they stop taking vacations and we have to, we have to relieve those testers with pay every once in a while.

Jason Blanchard

So, Logan, do everything about pen testing or what happens when.

Logan Bender

Just enough to be dangerous.

John Strand

So getting pretty good actually.

Logan Bender

Yes, yes, yes. Thank you, John. So usually we like to get calls set up with our clients whenever it’s convenient for them. But as John was alluding to earlier, a lot of times we like talking people out of spending money with us.

I think that’s one of my favorite parts of the job is people reaching out to us like, hey, we want a red team. Or hey, we want multiple applications test. And we’re like, that’s great. But how about we start here?

So we’re big believers in a crawl, walk, run methodology here. And it’s one of my favorite things about the job is getting on the client calls. We try to treat it like a pre- or a post-show banter where it’s very informal.

We don’t have a corny PowerPoint that we’re going to go through. We’re not going to send you a bunch of spam emails. We’re not going to slide into your LinkedIn DMs. We’re not going to do any of that.

We just want to have a fun conversation about where you’re at and what you’re looking for.

John Strand

Yep.

Jason Blanchard

So Tom, how do we stay in business, like if we’re not doing all those things?

John Strand

Like that’s a really good question.

Deb Wigley

Yeah, no, that’s a tough one. You gave me possibly the toughest question of the, of the whole webcast.

Jason Blanchard

Yeah.

John Strand

Actually, no happiness.

Deb Wigley

I mean, it is a business, right? I mean, at the end of the day, we’re a business, but we’re a business that operates based on, like John said, like, friendships, so we’re not looking at leads, we’re not looking at clients.

Brian called the people on Discord friends. And so the thing is, sometimes there’s an arrangement that makes sense where we can provide a service that somebody can use.

And so in those scenarios, that’s when, that’s when we’re tempted to make our money. But at the same time, I mean, like Logan said, I mean, we’re, we’re trying to become trusted advisors of people, trying to help people formulate plans.

Like, where do you want to be in five years? How can we help you get there? Sometimes we can be somebody who can assist with that, and other times it’s, maybe there’s another service that they need. That’s not something we could provide.

We have places that we can refer out to in those particular scenarios. But I mean, how we stay in business, geez, that’s tough.

John Strand

And I also like it whenever you guys get calls where it’s like, yeah, we can’t use you guys again. And that’s like, well, that’s a great sales call. Who do you recommend? And we can recommend to some of our friends, just using some examples like Red Siege and TrustedSec and Open and all of those different firms.

And that’s really, really cool, as well.

Jason Blanchard

So, last question. And for everyone that stuck around, thank you. And if we have more questions, cool. But, John, when you take your McLaren into town, what’s the best Thai restaurant in, in, in South Dakota?

John Strand

Okay. One, there’s no McLarens. I don’t have one. And two, there’s no Thai restaurant. And three, I think the cattle in the Sturgis metro area outnumber the people.

So, no, I, I, I, I think that that’s, that’s kind of another thing, talking about, what are you doing for, God, this, this is.

What is with you dropping these funny questions that are actually secretly heavy? Jason, I, I, I, I, I’ve told the story a couple of times, and I’ll tell it again.

Wild West Hackin’ Fest. A number of years ago, I woke up and I was a millionaire. And, I. I remember it was right in the middle of Wild West Hackin’ Fest was the first time that the bank accounts crossed a million dollars.

And that was, one of the first years that we announced, very, very large bonus checks for everybody. Because Eric and I looked at it as, this, this.

This company is a. It’s a tribe, right? All of us are working together. We. We don’t say family. You hear about that all the time. People are like, oh, we’re a family. Families are horrible.

Like, a family you can’t ever get rid of. That uncle that insists on talking about politics and every joke, he does this.

You just can’t. Right? And I think that families, we put up with a lot more abuse than we should, and a tribe doesn’t work that way. And we really want to make sure that we’re taking care of people, number one, and number two, Jason.

And, I. I wish I could blame Jason for this, but, I don’t have any Backdoors & Breaches, but, like, I’ve got all these comic books here. I’ve got Backdoors & Breaches. We’ve got a publishing company, we’ve got a clothing company.

We’re giving away tons of free training to people out in the community. And I think that we get. We’re once again, we’re incredibly blessed in the fact that we can give to the community and we can share as much as we possibly can.

And we’re constantly pushing that to the limit, like, how much can we give the employees? How much can we give back to the community? How many cool things can we do? And it’s never a conversation with Jason and Deb.

Excuse me. Where we’re basically saying, Jason, so we’re going to do a comic book. Actually, we had this conversation when we started the comic book. Jason had this idea. He wanted to do a comic book.

And I said, is it possible to make money on a comic book? And Jason’s answer was, no, not at all.

Jason Blanchard

No, not at all.

John Strand

No.

Jason Blanchard

God, no.

John Strand

Yeah. There’s no way this is ever going to make any money. So that means no McLaren. That means that there’s, maybe there’s a good Thai restaurant in Rapid, but there’s none in Sturgis, South Dakota.

So, once again, what makes us happy and what makes us feel like we’re part of something bigger than ourselves, it’s all of this. And, I think that that’s important also. To that note, I can announce BHIS is now officially a benefit corporation.

We are not an LLC. That means our primary goal and objective is not profit. Our primary goal and objective is the stated mission statement of the company, which is to improve the lives of the security community and the employees.

And that is a big deal too. So, yeah, we aren’t just a company that says, hey, we’re like a family and all this. It’s like, no, we’re actually putting our money literally where our mouth is and making us completely toxic to ever getting VC funding or getting acquired.

So.

Jason Blanchard

So for all of you that stuck around, thank you so much. Tom, Logan, thank you for joining. Daniel, thanks for asking questions. Deb, thanks for all the stuff you give away because we got a lot of requests. John, during this, we’re up to like two.

So Justin, the shipping guy, right now has like 223 orders just sitting there ready to ship out. So for all the people who got new Hackett Rewards, all the people who got comic books and survival guides.

Thank you so much. And if you’re coming to Deadwood, Denver next week, can’t wait to see you. Especially if you’re, if you’re there for the first time, please come say hi. Like, please.

Now if John, if, if you see John moving, he’s got these eyes that are looking straight forward, not to the left or right. John’s on the way to somewhere, so it’s hard to.

John Strand

And when I get, I’ll bite into whatever it is I’m going to. And those cold eyes are going to roll back and turn white. No. Feel free to say hi.

Dark. It’s a Jaws quote. Okay, I did not get the connection there. Yeah. So, so, yeah, stop and say hi. Grab my arm.

Don’t be afraid to say hi because it is really, really something to meet you all. It’s weird. It’s weird because we see you on Discord all the time and when we meet you in, in real life and we can put a face with a name, there’s something very special about that.

So we appreciate it.

Jason Blanchard

All right, well, that’s it. That’s enough, I suppose.

John Strand

Well, possible.

Jason Blanchard

John, go take, go take it. You’ve done enough today.

John Strand

I’m done. I’m out. This has been a great week. It’s next week. Next week, guys. If you’re coming to Denver, we’ve got the mechanical bull. We’re bringing it. So we’ve got the full mechanical bull.

We’ve got the labs. We. Oh, it’s going to be so good. It’s going to be insane. Thanks.
