
Ethical Hacking Insights: Uncovering Vulnerabilities and Strengthening Security with Gemma Moore – Part 2


About This Episode

This week, Rachael Lyon and Vince Spina continue their riveting conversation with Gemma Moore, a renowned expert in pen testing and red teaming and cofounder of Cyberis, a leading cyber consultancy. In this second part of their discussion, Gemma delves deep into the evolving landscape of cybersecurity, touching on the complexities introduced by cloud services, the intricacies of red teaming, and the critical interplay with blue teams.

She even shares a few fascinating anecdotes from her career, including some high-stakes physical infiltration assignments that sound straight out of a spy movie! Don't miss out as we explore the cutting edge of cybersecurity and the ongoing battle to keep our digital world safe. 


      Rachael Lyon:
      Welcome to the To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon, here as always with my co-host, Vince Spina. So excited.

      Rachael Lyon:
      We're continuing our conversation today with Gemma Moore, a renowned expert in pen testing and red teaming and cofounder of Cyberis, a cyber consultancy that creates personalized security solutions for global businesses. We tremendously enjoyed our part 1 conversation last week and can't wait to dive into part 2 today. So without further ado, let's get to the point.

      Vince Spina:
      Apologize for stepping on you, but I wanted to pull on that a little bit when you were talking about on premise, because earlier we asked the question, you know, what kind of skills do you need to be successful in this world of hacking and pen testing? And you had specifically said you really have to understand networking infrastructure, operating systems, databases, things like that. I used to run networks and data centers in a previous life prior to getting into cyber. 

      And in my days, most of the tech and the data was sitting in branch offices or our own data centers. And then, you know, over time, now a lot of customers have... there's no borders anymore. Right? Right.

      Gemma Moore:
      Yeah.


      [01:37] Changes in Cybersecurity with Cloud and Remote Work

      Vince Spina:
      You used to put perimeter borders around that tech and, you know, just keep it secure from the inside, but that's all broken down now with things like cloud and remote working, and we live in a borderless hybrid environment. Mhmm. How is your job, and what you have to care about, and even customers... how has that changed as those situations have emerged? 

      Cloud has come on, working from home now or in a coffee shop, all that. Like, how does that change what you think about?

      Gemma Moore:
      Hugely. But also sometimes not as much as you might think. So there's cloud and there's cloud. Cloud means a lot of things. So cloud can mean sort of infrastructure as a service, so we're talking like the Amazon AWS EC2 stuff, the Azure virtual networks. All of that stuff, it's kind of the same as if you had your internal network once you're in it. It's just it's in the cloud.

      Gemma Moore:
      It's not in your data center or your office anymore. The bit that changes is the way that you have this control plane that's web based, sort of publicly accessible normally, and you're changing from a situation where normally you're looking for, you know, lateral movement through vulnerabilities, when you're trying to move through to that control plane, and you tend to be looking for lateral movement through phishing of individuals who have tokens who can access that environment. 

      And it changes the game quite a lot with zero trust as well. So in a sort of zero trust end user device environment, we tend not to be looking to exploit vulnerabilities. You know, there's still scenarios where getting malware on the device is what you want, but in that sort of zero trust environment a lot of the adversary tactics are around phishing for credentials, doing adversary in the middle to bypass multifactor authentication, then logging into the Microsoft portal or the AWS front end using the credentials you've stolen, and carrying on from there without actually interacting with the endpoint device that's got your EDR system or whatever it is that's doing all the good detection. 

      And it's interesting to work in that environment because it ends up being a sort of attack chain that's far more reliant on phishing and social engineering, and all the ethical concerns that go with that if you're looking to exercise that in a red team scenario. And if you're looking at how you do pen testing in that world, a lot of it becomes effectively audit.

      Gemma Moore:
      It's config audit, because what you're looking at is how are the control planes for these things configured, what controls have you enabled, and what does that allow you to do in terms of, you know, prevention, detection, response, and things like that. So if you are looking at sort of Windows end user device environments, if you're in an Intune managed zero trust deployment and everything is in Microsoft 365, and you've got your SharePoint and OneDrive and that's what people are using, and Teams and things like that, you're really highly dependent on that user's login for protecting any of that information. 

      And if you're not using phishing resistant MFA for your users, and you're not enforcing conditional access policies that mean you have to use a well controlled device that's enrolled in your system before you can access, you know, SharePoint or OneDrive or email or any of those things, you're in danger, because you're only one phishing attack away from someone having access to everything that's in Microsoft 365. And so it's interesting from the point of view of defense. It's interesting from the point of view of how it all ties together, but it's got its challenges for people that are trying to defend. 

      Software as a service can be a bit of an interesting challenge as well. So software as a service platforms. I mean, a lot of new businesses that are building functions, they don't have infrastructure as a service.

      Gemma Moore:
      You know, there's no systems there. What a lot of them are doing is sort of tying together, via various APIs, a whole host of software as a service products into something that they are front ending and branding, and these things are tied together via sort of APIs and requests, and there's all sorts of things going on in the background and integration, but what they don't have all the time is a lot of telemetry and a lot of logging. So it's a really big challenge because of the sort of shared responsibility model. 

      Now you're generally responsible for maintaining the security of the accounts, using things in terms of service, you know, making sure you're abiding by whatever your conditions are, but you're not responsible for the security of the platform. You're not responsible necessarily for keeping whatever the application is free of vulnerabilities. That's entirely someone else's responsibility, but when it comes to being able to detect an incident or respond to an incident, quite often if you've got a load of those SaaS apps you've kind of got your hands tied. You can't respond in the way that you want. As a really, really obvious example here: 

      So if you've got single sign on and you're using, I don't know, Okta, Microsoft 365, any kind of identity provider, and you've integrated your SaaS apps with that identity provider, you might think if you detect suspicious information in one of your accounts that's logged on, if you disable that account, that attacker is then logged out.


      [07:06] Challenges of SaaS and Zero Trust Environments

      Gemma Moore:
      It's not normally the case. Normally, when they verify their identity with the identity provider, they get issued a token that's got validity for a certain period of time, and that token is often valid until it expires. And that validity period can be, well, it can be months in some cases, but, you know, 24 hours is not unusual even for sort of high security SaaS apps, and then you've got a problem, because if you're a responder and you identify, let's say, Vince's account's been compromised. 

      Let's say a responder says, Vince is doing something weird, I think his account's been compromised, I'm gonna disable that account, that's my containment step. If the adversary realizes that you've done that, and they probably will because they won't suddenly be able to log in again, they've got a token that's still valid for 24 hours in whatever the system is. They know they've been rumbled. They escalate and do whatever damage they were gonna do, and often with a SaaS app you don't have the ability to just terminate an active session. Sometimes you can't even work out who currently possesses an active session, and that's the fundamentals of containment there that you can't necessarily do in all cases.

      Gemma Moore:
      So it's really challenging. Interesting.

      Vince Spina:
      Mhmm.

      Gemma Moore:
      Wow.

      Rachael Lyon:
      Well, it's a lot to absorb. I mean, is it a losing battle, Gemma? It just sounds like so much, and it's so overwhelming. Is that a bad thing to ask? But, you know, I like to joke, when you talk about infrastructure and things like that, do we need to go back to, basically, the dark ages and just take everything offline? 

      And it all becomes manual again. I just wonder, you know, because these vulnerabilities seem to be growing exponentially, but we're also getting more sophisticated and aware of how to address them. But, yeah, I'd be interested in your perspective there.

      Vince Spina:
      Rachael's the conspiracy theorist on the team here. So I'm not...

      Gemma Moore:
      I mean, I'm not saying I wouldn't want to go and, you know, live in a cave somewhere and never be online, because I think sometimes that would be attractive. But all of this cloud stuff and the interconnection of everything, it's been good for society, and it's been good for lots and lots of reasons, and, you know, I think we probably have a more inclusive society in some ways when it comes to technology than we did before COVID, when everyone had to go remote.

      It caused a huge change in how everyone works, and that is a good thing, I think, on balance, but, yeah, there's all these little problems that open up, and I think that the big assumption that we've got inside of security these days, and this is where, you know, red teaming sort of comes into its own, is we have to assume that a compromise happens. And if you want to be secure, it's about getting the fundamentals in place, making sure you've got sort of the fundamental controls you need, and it's also about making sure you've got a detection and response process that helps you contain things before they get too damaging, Mhmm, or you know, in too much trouble. And I think on balance, yes, adversaries will probably win most of the time for a short period of time, but your job is always to sort of cut down their access, cut down their time, and minimize their damage through what I would call sort of fundamental cyber hygiene. 

      You know, if you are, for example, looking at the principle of least privilege, if you prevent people that don't need to have information having access to that information, then if one of those users is compromised they don't have access to the information, which means the adversary can't get it, and all that type of sort of fundamental cyber practice helps in that battle. And yeah, you know, people will still win, and I don't think we're ready for the whole deepfake AI tsunami that's coming for people.

      Vince Spina:
      Yeah.

      Gemma Moore:
      But yeah, on the whole I think defenders are getting better all the time. Mhmm. The controls that defenders have are getting better all the time, and it's actually pretty hard to get working malware onto a workstation these days where all the controls are in place and running as they should be. That's a win. Mhmm.

      Vince Spina:
      Yep. Yeah. Gemma, maybe let's pivot to red teaming, because we've brought that up quite a bit. Mhmm. First of all, do you know the reference Power Rangers? Do you know what a Power Ranger is?

      Gemma Moore:
      I know what a Power Ranger is. I wish I did.

      Vince Spina:
      Okay. So I wanna bring up, like, when I think about pen testing teams, there's several teams associated. I call pen testing teams the Power Rangers because there's a red team, there's a black team, there's a blue team, there's a purple, yellow, green, white. Did I get them all?

      Gemma Moore:
      Gold.

      Vince Spina:
      Gold? Okay. But when we were, you know, researching you, and we did a brief and all that, you are specifically associated with red team. But you have all these teams. Why is that? Like, what draws you to that component of this broader team?


      [12:13] The Role and Impact of Red Teaming

      Gemma Moore:
      Well, you know when I said earlier that you find something that really fascinates you? That's the bit that really fascinated me. So the red team, I mean, if people are confused about this nomenclature, the red team are the attackers. You know, we're the ones that go after an objective following the tactics, techniques, and procedures of adversaries. And we're typically going against the blue team, who are the responders, and it's this red versus blue thing that comes from, you know, military references right down the line. 

      And then you've got, when the red team and the blue team work together, which is a purple team, which makes sense if you did your colors at primary school. And then you've got things like the yellow team, who are the builders. And if you get the blue team, the responders, and the people that are in charge of the infrastructure, the yellow team, together, that becomes an orange team, where they're talking to each other about how to defend. And when you get the red team talking to the people that build the systems, that can become... go on. Guess?

      Vince Spina:
      Is this a primary color or a secondary color?

      Gemma Moore:
      Green team. Sorry. Yeah. It's all the colors, and then you get the white team that's over the whole thing. It's all a big thing. But what I really love about red teaming is, it goes back to what I said before about being able to teach people things they didn't know and explain why something is important. And it's really good for upskilling blue teams. So I love that part of it.

      Gemma Moore:
      After we do a red team, we run through a network, we often have a really in-depth debrief session with the blue team where we explain everything we did, why we did it, you know, which direction we pivoted in, what technique we chose, why we chose it, things like this. And we teach the blue team things they didn't know before. That normally makes them better. When we get to the point where we're intruding in a network and they are actively trying to oppose us, it's a really creative process getting around what the blue team is doing. 

      And it's exciting, and it requires you to think, and it's different every time, so there's all this variability there that I love. And when it comes to making people more secure, like I say, it's about minimizing damage, minimizing the window that an adversary can stay and reside in your environment, in your network. If your blue team is really good, and red teaming can help make your blue team better, you're in a better place.

      Gemma Moore:
      And nobody, I think I've said this before, nobody gets good at playing football on their own. You need someone to play against. Like, you can't...

      Vince Spina:
      This is... I think based on what you said, I probably already know the answer, but you're focusing on the red team, and you're from outside of an enterprise. So you're an outside entity, and you get hired by the business. When you're going on the offense, I would assume mostly the blue team, that would be the internal side of it. When this is all going on and after the fact, how does the blue team internally feel? Because quite frankly, this can be to a certain level a win-loss, and, you know, whatever you're doing well is highlighting deficiencies of the security team inside of a company. And I loved your metaphor on you don't learn football on your own. You need that, but it could paint them in a bad light. And I'm just wondering...

      Gemma Moore:
      It could.

      Vince Spina:
      You know, do you get Christmas cards from the blue team at the end of one of these activities?

      Gemma Moore:
      So I like to think, when all is said and done and we've done the debrief, we're normally friends with the blue team at the end of it, because it's really important that the blue team are engaged in this process and see it as a positive experience. I'm a big believer in culture being a really positive influence on security overall. So the worst thing a company can have, if they want a good cybersecurity environment, is a blame culture. You don't blame people because things go wrong. Like, you don't blame people for clicking on phishing. You don't blame people for doing the wrong thing. You educate them and you explain and you try and make them better.

      Gemma Moore:
      Now when it comes to that, you know, if we have turned up, run through the network in two days, run away with the crown jewels and nobody's seen us, that's not necessarily a failing of the blue team themselves. Often it's that they don't have the right controls, or they don't have visibility of the area of the network that we were in, or the processes weren't written right. And often what we do with those debrief sessions is we actually turn it around and say to the blue team, right, this is what we found. How can this help you? 

      And often what we find is that there is something they've been trying to tell people and nobody's believed them, and, you know, they can't get investment in controls that are monitoring activity on servers. You know, they got the buy-in to put EDR on all the workstations, but nobody's giving them the license money to put it on all the servers, and they've been saying it for ages, and here we come and we've done a bunch of stuff internally and nobody's seen it because they literally haven't got the controls that see it, and we can help with that. Or they say, well, you know, we tried, but we don't know anything about this technique. We want to be trained. And there's a message that goes, right.

      Gemma Moore:
      Well, this is something you need to train your blue team to do. Or they say, well, you know, we don't really have any processes written down, and then you've got a business case, a rational, backed-up business case for making investments in these things, you know, learning new things, doing some training and stuff like that, and it can become a really positive experience. But a lot of my job, so I tend to work in the sort of red team management, is what we call it, area. This is where I'm translating between the techies and people like the blue team and the white team, the gold team, the senior management level, what's going on and interpreting things. And I think at the end of a red team, if I haven't left the responders feeling more empowered than when we started, we've probably done something wrong, because, you know, there's two ways it can go. If they catch us at every point, that's brilliant. That's a great news story and we can give them a report that's full of good news. If they...

      Vince Spina:
      Does that ever happen in your career, ever?

      Gemma Moore:
      It does. There are people that effectively respond really well, and, you know, sometimes they're teams that we work with for a number of years, so they may have been less mature when we started but now they're really good, and in some cases their blue team know us and in some cases their blue team can't tell when we're operating that it is us.

      Vince Spina:
      Yeah. Gemma's out there. We know she's out there.

      Gemma Moore:
      Yeah. And they'll start with the banter and that's fine. That's actually what you want. It's like, you know, you caught us early. Fine. Great. Well done. Crack on.

      Gemma Moore:
      Get to the pub. Good. Good. Good. Okay. But, you know, on the other side, if they found nothing we've done, what we've got there is a really good argument for more investment in them, more training, more resources, more controls, everything that they probably wanted to do but couldn't get the business case to back it up. Right. There's a way to spin it that's a win for the blue team every time.

      Gemma Moore:
      It's just about how you position it.


      [19:19] Memorable Hacks and Physical Intrusions

      Rachael Lyon:
      So I wanna be mindful of time, and this is so much fun, Vince. I could have this conversation all day with Gemma. But I'd love to ask you, do you have a favorite hack? I mean, of all the years that you've been doing this, is there anything that really stands out to you?

      Gemma Moore:
      So there's so many. But the ones that stick in my mind tend to be the ones that had, like, a physical intrusion element to them, because they're often funnier, I suppose, to engage in, the ones with physical intrusion, because they bring out the dressing up box normally. So the fancy dress box comes out and things happen that don't normally happen. And there was a customer, it's several years ago now, but there was a customer we did a pen test for, sort of red team really, where it was a physical act. 

      Can you get into the building? Can you get domain admin? What can you do once you've got into the building and got domain admin? It was pretty much the brief. It's, here's the building. Crack on. And, you know, we got some t-shirts printed up with "fire extinguisher maintenance" on, and we went in with a fire extinguisher. And we said to the people on reception, you know, we're here to do fire extinguisher maintenance.

      Gemma Moore:
      I'm supposed to be meeting someone in the canteen, which was past the gates. They're like, yeah, yeah, off you go. Let you in. Wow. Because, you know, into the toilets, changed into a suit.

      Gemma Moore:
      Out of the toilets, leave the fire extinguisher in the loos, and off we go to the main offices, plug in, because it's hot desking like most places are, and, you know, go make a cup of tea, have a piece of cake from the communal birthday cake there. That's fine. Help people: if someone was having trouble with a zip file, help them out with some bit of tech support, get access to their unlocked workstation that way. 

      There were some other physical workstations around, where they were just sort of big desktops that didn't have encryption on, so we were able to compromise those and basically blank the admin password and get straight in with local admin on those. At one point, our contact who knew us sort of walked in and saw us sitting at one of these desks and sort of wandered over and goes, oh, you're in then? It's like, yeah. Alright. Fine. Off he goes.

      Gemma Moore:
      But the fun thing was we found, on the network, this door control system, and the door control system was part of the main network, and we'd escalated through, I think it was a sort of default database password we found. We'd escalated to local admin, got to domain admin, but then the question was, you know, what are we doing with this access? And we found the door control system, and when we came in, we'd been given a visitor's card. What we were able to do was reprogram the door control system so that visitor's card gave us access to the secure room that was behind a big steel blast door. So we reprogrammed that, opened the door, walked in, took a selfie. Hey. We're in. Closed the door again.

      Gemma Moore:
      Sent it to our contact. He's like, okay, that's not good. And another thing we were able to compromise was the video conferencing system that was in the boardroom. It was vulnerable to a sort of remote exploit. It was one of these Windows embedded systems that never get patched. But what we were able to do was gain access to that device from the network and effectively get that conferencing device to phone us on a mobile phone. So we got the conferencing device to phone us, disconnected from the network, packed up, left, and we had this phone call active, bugging the boardroom from there.

      Vince Spina:
      Wow.

      Gemma Moore:
      And and then we had a

      Vince Spina:
      You definitely didn't get Christmas cards from that that company.

      Gemma Moore:
      Yeah. Yeah.

      Vince Spina:
      I'm pretty sure.

      Gemma Moore:
      So, you know, it's stuff like that that sticks with you as being a really, really fun experience for us. Really fun, because you just don't get to do that stuff legally often, and that's sort of the thing. We've got license to do this stuff, and it's really fun. And, yeah, you get arrested if you do that normally.

      Rachael Lyon:
      It sounds like a movie. I mean, it it's like a wonderful movie plot.

      Vince Spina:
      Impossible. So

      Gemma Moore:
      I think it's one of those ones that is closest to sort of the Hollywood thing. A lot of it normally is 90% sheer boredom, and, you know, I remember a time where I spent three days going through about 4000 databases manually for various reasons looking for a particular piece of data. That's not interesting until you find what you're looking for, and then suddenly it's the best dopamine rush ever.

      Vince Spina:
      Yeah. It's like a stakeout, I bet. Right? You know? Yeah. Yeah. Hours and hours and hours, but

      Gemma Moore:
      90% really dull methodical stuff followed by 10% of sheer racing adrenaline as you head towards the finish line. It's, I don't know, it's fun.

      Vince Spina:
      Well, you sold us. Being on a red team sounds fun.

      Rachael Lyon:
      Absolutely. I love it. You know, it's just kinda one final thing. I was watching a thing about a security, you know, I think, similar thing that they were doing. And it's amazing that someone just walks in. Right? And maybe they tailgate to get in, wearing a suit, looks legit. You know, this one company, the guy just started putting, oh, hey, I'm from tech support, kinda your point.

      Rachael Lyon:
      I'm gonna stick this USB in here, and we need to make some updates on your system. And people are like, yeah, sure. You look legit, and you're not like a creepy, scary person. Go ahead. And I think about that sometimes too, because you don't always know who the tech people are, and they roll up. And you're like, well, this is, you know, card key protected. Surely they are who they say they are.

      Rachael Lyon:
      So it's

      Gemma Moore:
      We've done that too.

      Rachael Lyon:
      Good reminder. Yeah.

      Gemma Moore:
      But see, the thing is, if you logically run down the whole "you've got to challenge people if you don't know them" thing, what happens when you challenge someone and say, I don't think you're supposed to be here, and they go, I am supposed to be here, and they start arguing with you, and they get nasty? Like, there is a non-zero possibility of getting punched in the face in one of these interactions. Yeah. How many employees are willing to risk getting punched in the face for their companies? It's a good point. Yeah.

      Vince Spina:
      Not very many. Yeah.

      Rachael Lyon:
      No. Yeah. Not up for that. Well, Gemma, thank you so much. This has been so much fun. I've really enjoyed it.

      Rachael Lyon:
      So many insights and from your time doing this, and you make it sound like a fun, sexy kind of profession, to be honest with you.

      Gemma Moore:
      I love it. I always have. So we're still doing it after 20 years, but, yeah, thank you for having me. It's been really lovely to talk to both of you.

      Vince Spina:
      I flipped. I was pro blue team. I'm on the red team now. I figured that's...

      Rachael Lyon:
      Yeah. Right away. Alright. So to all of our listeners, thank you for joining us again this week, for another awesome conversation. And, Vince, you know, what are we gonna say?

      Vince Spina:
      We're gonna smash that like button. And please, in the comments, tell us future topics that you'd like to hear about.

      Rachael Lyon:
      Yes. We definitely wanna hear from you. So until next time, everybody. Stay safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


      About Our Guest


      Gemma Moore, Co-Founder, Cyberis

      Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis.

      Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises.

      In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017.

      Gemma was a contributing author to the BCS' "Penetration Testing: A guide for business and IT managers".

      Gemma was named “Best Ethical Hacker” in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.
