Hack Responsibly

Hack Responsibly Episode 07: From IT Support to Red Team Lead

NetSPI

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 42:54

In this episode of Hack Responsibly, host Karl Fosaaen sits down with Giles Inkson, Director of Red Team Operations NetSPI, for a candid conversation about the winding path into offensive security, and what it actually looks like to do this work at a high level today. 

Giles covers a lot of ground: getting started in security, exploring AI use cases for red teaming, and navigating an industry that's shifted dramatically from stronger EDR, federated identity, SaaS sprawl, to a security culture that's finally starting to catch up.  

In this episode: 

  • How curiosity (and some questionable game cheats) led to a career in red teaming 
  • Building and experimenting with AI-assisted offense 
  • Living off the land: why built-in OS tools still win 
  • The engagement that went from default credentials to domain admin 
  • Favorite tools, books, cons, and why sleep is a non-negotiable 
SPEAKER_00

Hello and welcome to the Hack Responsibly Podcast, where we get to know NetSpy's technical leaders. I'm your host, Carl Fawson, and today we'll be speaking with Giles Inkson, the director that oversees Red Team Services here at NetSpy. It's a little bit tricky coordinating meetings between Pacific and UK time zones, but Giles and I were able to grab some time and sit down, talk about red teaming and a whole bunch of other things. Here's my conversation with Giles. Welcome to Hack Responsibly, a NetSpy podcast focused on the experience of our NetSpy agents, including insights and trends in the cybersecurity industry. Today I have Giles Inkson here with me. Giles, you want to give everybody a quick background about yourself?

SPEAKER_01

Yeah. Hi. Thanks for having me. So yeah, I'm I look after the sort of the red team function at NetSpy. And you may have detected a British accent. I am based in the UK, but uh um don't don't hold that against me. Um uh my my kind of my background is uh for a long time I was involved in infrastructure uh sort of rollout and support and and sort of moved into cybersecurity about sort of, I think somewhere approaching 10 years ago now, but it's all a bit of a blur. Um and I've sort of worked my way through sort of uh pen testing into sort of red teaming and now look after that function here. Um so that's that's kind of me in a nutshell. Um I've I've got lots of anecdotes and lots of things about uh a history and IT support that as well before that.

SPEAKER_00

So I'm sure we can uh lean into some of that as part of what I do. I'm excited to dig into that. Uh you know, we always have good red team stories that pop up here, so very excited about those as well. Uh speaking of red team stuff, what have you been working on recently?

SPEAKER_01

Uh quite a few things, actually. Um there's there's a lot of heat and noise um around AI, as I'm sure everybody's aware in the world. Uh we've been looking at different use cases that that sort of align to sort of red teaming ethos, um, as well as sort of you know apply how we apply that safely and uh with the right mindset into red teaming. Um, equally, we've done a lot of work um on building a new C2 framework as well. That's been an interesting activity that that we've undertaken within Netspy. Um so there's a lot of excitement and buzz about the capability that that brings to the team. So that that's been a huge part of the last six months or so, really, in terms of of what I do.

SPEAKER_00

Yeah, it's really interesting to see the advancements that are coming up in that space at the moment. Uh AI seems to be changing everything all at once, but also not changing it. It's kind of weird. Uh definitely speeding things up in certain ways, but you know, ultimately we're I would say we're falling back on the same techniques, but you know, it doesn't necessarily change the root vulnerabilities that we're attacking.

SPEAKER_01

Absolutely. Absolutely. And I think um much, you know, much like fashion sense, things kind of go out of fashion and in into fashion again. Um and I think it's it's helping us rediscover things that might once have been lost and sort of you know find old latent information that was in a in a sort of a book that's on your book bookshelf somewhere that you've thought about giving away, but actually might lead to some kind of exploit. Um I know there's there's a lot of sort of com and decom class uh exploits that have been found that way, let's be honest. Uh, but yeah, we're we're seeing some exciting potential there. But there's also, you know, there's natural caution in the industry about, you know, what does this lead to? What's the end state? What you know, what are we evolving into? And and these are normal questions to ask. Um so far it's been positive.

SPEAKER_00

Yeah, yeah, I would totally agree there. Uh and we don't have to get too deep into it, but I believe we're what, about five months into uh Dora at this point?

SPEAKER_01

Yeah, absolutely. That's um that's been a sort of a seismic shift in the region in Europe. Um there's a lot of um, you know, there's a lot of sort of questions about what that will evolve into, um and sort of what what sort of the the financial industries and the the sort of you know this the supporting sector, if you will, you know, what they'll be asked to do, what they're they'll have those companies and the supply chain will have to assert about their security and how will they do testing going forward. Uh it's an important component in the uh in the security of the region. Um and it's it's interesting to see how how many organizations are really sort of jumping into that with both hands and sort of working on quite everything down to the sort of contractual level and the sort of cybersecurity program level, how they how they react to it.

SPEAKER_00

Yeah, anytime there's there's new compliance that pops up, it always seems like there's a bit of a shift and we have to adjust to it to a certain degree. So uh it sounds like that's going well. Yeah, very much so. So uh bringing things back a little bit here, how did you get your start in cybersecurity?

SPEAKER_01

Um that's a fairly long story, if I'm honest. Um, so I I worked for a long time on um sort of infrastructure and sort of transformational change with an IT and IT support. Um, as I as I may have mentioned, the um that led me to become enthusiastic about about network security. I was building sort of uh systems for government and and sort of radio systems and things like that. Um and I'd always had a passion for cybersecurity. So um I did a lot of self-study um and self-starting and then sort of eventually I managed to sort of demonstrate through doing things like hacking labs and those types of things that that enthusiasm had translated into some practical skill. Um, and then um, as many do, I put myself out into market. I sort of promoted myself in that space and uh thankfully landed a job at a sort of a penetration testing company. Um, and I guess the rest is history there, really, to be honest. Um, a lot of a lot of time and effort on training myself and doing labs and that type of thing.

SPEAKER_00

Cool. So, you know, kind of self-starting that, did you always have a background in kind of pulling apart stuff or hacking on stuff when you were younger?

SPEAKER_01

Um I was quite interested in um memory-based exploits in computer games to be able to get um, you know, more coins, more health, all that sort of thing back in the day. Um so that's kind of where I had my first exposure to um some of that aspect of things. Um there's a lot of people in this profession who who dare I say it started by being curious about the games that they were playing, what they could do to gain an advantage in them. Um and I think it's a rich uh source of of many a great red teamer, hacker, pen tester, all that, all that type of thing.

SPEAKER_00

Yeah, I think that might have been probably my first exposure was through uh, I don't know if you had Game Genie or Game Shark. Yep. Uh Super Nintendo, the game genie. I still have the book for it, probably somewhere around here, uh, with all the cheat codes in it and editing memory in there. Had no idea what I was doing at the time. I just knew that I was putting in codes and it was giving me extra lives in Mario. Uh so you mentioned radio. Do you still keep up with any of the radio stuff?

SPEAKER_01

Um, I I don't do a lot of uh SDR-based stuff, which is a uh you know a lot of the hardware sort of side of the fence, but um, I still do keep my my skills sharp from time to time um when when I get the opportunity at the sort of the you know the the sort of RF villages and those types of things at the hacking conferences. Um my main um my main focus actually in the in the latter years has been it's been significant sort of effort and time placed into things like Active Directory and Enterprise Systems. So I've moved on a little bit from there if I'm honest, uh, but still some hobbyist enthusiasm. Um maybe, maybe one day soon I'll I'll get some time to to sort of uh uh figure out how to hack a garage door for my garage because it's broken at the moment.

SPEAKER_00

There you go. That is one that I've always been curious about the whole rolling code thing and how you could you know emulate that or you know, replicate your own garage door opener kind of thing. Uh I think every year for probably the last 10 years going back to DEF CON, I always tell myself, you know, six months beforehand, oh yeah, this year I'm gonna study up, I'm gonna take the ham radio license test, because I always do that at the radio village there. And then I never do it. And I've been meaning to for probably 10 years at this point. And one of these times, maybe it's this year, I'll actually go out and do it. You and me both. So thinking about you know, earlier in your cybersecurity career here, you know, if you could go back and talk to yourself, you know, as you're getting started here, is there any uh advice that you would give yourself as you're getting started or advice you give to someone who's getting started in uh the cybersecurity career path?

SPEAKER_01

Well, this might be a deeply personal reference, but I I tend to push myself quite hard. Um that would be uh don't forget to get some sleep because you are a better hacker if you've had some sleep and you can remember, you can remember those memory addresses. Um that would be one thing is you know, if you're if you're looking to do exploitation, um, you know, having a fresh mind is important. Um, but you know, equally for others in that space, I think uh passion and drive and being able to demonstrate that to others in a way that that sort of is unique. I think that helps you stand aside from the crowd. You know, what have you done? What how have you leveraged your your world experience? What what what breadth the bug in you, if you will, to be able to sort of do these types of things? And I think you know, if I'm if I'm talking to people um, say in an interview process, or you know, they they're keen to join join us, um you can see that that kind of infectious enthusiasm that comes from people. It it's sort of you know passion driven uh is important. Equally, don't forget to sleep, uh, because you know, passion is one thing, but uh passion, a passion into uh into no sleep is another.

SPEAKER_00

I would totally agree with that. Uh having been you know several days into an on-site engagement and you're putting in you know nine, 10-hour days sometimes, and by that last day you're just ready to go home and get some sleep. Uh you you start running out of mental bandwidth to actually do the good and and fun things. Uh it's more about getting the job done at that point sometimes, but totally agree with you on the sleep. So uh you know, speaking of doing engagements here, do you have a tool or technique or approach that you just can't live without?

SPEAKER_01

It's an interesting one. I think um from from a from a sort of a red team perspective, um things that things that kind of blend blend into the background um are really important. So doing using utilities, uh I I have a particularly unusual method sometimes. Um doing things that blend into the background, um, sort of lull bins, lolbass, whatever you want to call them, um, that type of approach has been something that I've always been enthusiastic about. Um I have a a pet tool that I really uh really like. That's a very, very old uh tool. Um it's almost freeware now. It's not quite. You can't you can't actually buy a license, but it never sort of pesters you to be able to buy the license. Uh there's two tools called Lex and Lisa. Um, and they're really good for picking through permissions and active directory attributes. Um, and that they've got some great insights there um in terms of sort of how security is set, and it can really help you sort of um look deeper into things. Equally, you know, they come from a fairly well-known valid source. And I think things like that and AD Explorer, for instance, are you know uh uh gold mines of information that for a long time um weren't signatured, weren't known to the sort of the wider sort of um security tools, EDR, that type of thing out there. Um and so for me, I'd I'd say the tools that are built into the operating systems that you're on are the most important components and learning to use those well is a is a key, key aspect to get right, and and something that I I deeply treasure.

SPEAKER_00

Yeah, same here. Uh one of my favorite types of engagements is the host-based and or like thick app pen testing. And granted, I haven't done one of those for quite a long time here. Uh what I always I always refer to them as stupid computer tricks of like, they shouldn't be allowed to do this, or you shouldn't be able to do this using just a built-in binary that's on the system. But here we are. Uh, you know, it's the weird little tricks to get an explorer box to open, and then you can navigate to cmd.exe and get a command prompt, those kind of things. Not quite lull bin exactly, but uh it's kind of like making do with what you have there and being able to get some of these uh program escape techniques working there. Uh personally love those because it's like that shouldn't work, but magically somehow it does.

SPEAKER_01

I I I love a breakout test as well. Um, and similar types of testing. They are for me one of those, one of my favorites because um there's a there's there's always a way. You just have to find your way to it and use that deduction to be able to get there.

SPEAKER_00

Yes, totally agreed with you there. So the overall field of kind of pen testing and red teaming is has definitely evolved over the years. I can think back, you know, 10 years ago where we were at from a red team perspective. And I think a lot of people actually just got confused between what a red team and a pen test was. I think we probably still deal with that to a certain degree today. But you know, what kind of shifts have you seen in the overall landscape and that space uh over time here? Uh, I guess as you've been involved in the space.

SPEAKER_01

Yeah, um, I think there's quite a lot of change that we've seen. So certain types of change are often technology driven. Um, you know, there's there was a long period of time where SaaS products were the thing that was happening and uh everywhere. Um they're fairly ubiquitous now, but you know, these these types of things are being rolled out more and more. Um we're seeing more sort of uh more use of federated identity as a result of that. So attacks have lent towards federated identity sources um and sort of how how those authentication flows work. Equally, I think um in in the last sort of few years, the the kind of constraints that, and rightly so, one might argue, the constraints that things like EDR place on um sort of red team vendors uh and sort of what's possible, like likewise attackers, you know, it's it's it's developed a lot in the last few years. Um so you know, we've we as an organization and within our red team, we've we've we've worked a lot on sort of building that capability and sort of, you know, what does it take to overcome the the more advanced challenges that we see? Um and I think you know the development in EDR capability has been a big part of it. Likewise, um, you know, not as a technical level, the uh sort of evolve kind of the way that culture has evolved in organizations. We're starting to see people pick up on things that things like social engineering um and certain types of laws more. So there's there's more sort of general awareness that leads to a good baseline of security. Um equally, um, you know, the the big the big two-letter acronym that's everywhere at the moment, um, AI is a huge, huge sort of game changer for a lot of organizations in different ways. Um and for us, I think in terms of the sort of uh the way that it's driving things, it's changed a lot of how detection has worked. There's a lot of sort of um sort of going on from heuristic analysis but into sort of um AI and LLM-based sort of detection metrics and capabilities that look at sort of what we're trying to do and how we're trying to do it with a with a much more sort of um aware lens that you know this could be something in the context of an attack. Um there are gaps, there's always ways around those systems, um, but uh yeah, we're seeing a lot of change there and very rapid pace change.

SPEAKER_00

So I'm curious from a detection standpoint, do you feel like you've run into more situations where you're getting detected, partly because of AI?

SPEAKER_01

Um yes and no. Um it depends, it depends on the application. So um we're seeing a difference in the way that the those detections are being triaged, for instance. That's a that's a key component. So um we had an example um where AI was being used to decide whether or not um an event was false positive. Um, and actually, we were finding that that in this instance AI marked something that was an act of ours that that was malicious as a false positive. So it there could be that side of it. But equally, it is also at the same time becoming more capable at identifying things that are real threats that might just get lost in the noise. So it it's it's more about a fundamental change in um what constitutes OPSEC from a from a red teaming capability perspective. We need to know what's watching us, how us is how it's watching us, and how we adapt our behavior to try and overcome those controls. And I think that's the that's the main thing from from that perspective is it's it's a change rather than an upgrade at this moment in time. We may well see an upgrade in the coming months, but in years, uh there's lots of change very rapid, uh, very rapid change there. But that's something that is is is evolving. So we don't have the full suite of evidence there yet.

SPEAKER_00

Yeah, I have found it extremely useful in building up uh detection rules. So you know, for for everybody else's context, my background from a detective controls testing perspective is more on the Azure side of things and helping make recommendations for you know Azure detections that people can build up. Using AI to kind of build up some of those rules has been really helpful. Uh, you know, in practice, uh, you know, actually detecting those things. I think a lot of folks that are in the Azure space are probably a little behind the ball. And a lot of those Azure attacks are not getting detected, or at least that's what we're seeing in a lot of cases. But to your point about AI, uh, it's definitely been very helpful with kind of building up those rules and strengthening that detection right up front.

SPEAKER_01

Yeah, absolutely. And I think that's that's one of the challenges is there's got to be a corpus of data that those AI sort of items could be trained on to be able to enable them to make those decisions. Um, if it's the AI doing the doing the controlling of those. But for generating, like you say, generating rule sets and likely candidates, you can get a rapid transition of maturity that that comes from that to be able to deploy rules that may take you years to build up through structured testing and you know the right strategic hires into the SOC and getting the right talent to be able to build those rules out. You can do a lot of that sort of acceleration um through things like AI because there's there's evidence that these are the right types of things to build up, but they may not come with the product you buy andor the service that you buy. Uh and so actually it can help you a lot with rapid map uh maturing of those types of services and products.

SPEAKER_00

Yeah, yeah, that's a really good point. So speaking of maturing approaches uh to all of this, uh have you seen clients change how they approach red teaming over the years?

SPEAKER_01

Yeah, yeah, very much so. Um so the awareness of what a red team is or is not on the boundaries of that have improved. Um, we still get cases where people sort of have a thinking that's a bit behind the curve, but our job as educators is to try is to try and help with that. I think one of the key components that, again, that we've seen is, you know, we we're seeing from from our clients a lot of people asking, you know, how do we use AI in red teaming? Um, and what, you know, what does that mean to our data, to your capability? You know, will you let an MCP or an agent or something like that um run wild in our systems as part of a red team? And and we've got a, you know, we've got a hand a duty of care to handle that in the right way with how we use that. So that's been a sort of core component of change, I think, um, in terms of how clients do their due diligence on us to make sure that we're capable enough to handle their data and their systems safely, whilst also, you know, overcoming their um protect protective, preventative controls in their business. Um, and there's a fine line between just absolutely sort of you know sailing past them but using something that's risky and and not appropriate and calibrating to the right level and sort of, you know, uh sort of being safe and appropriate with their data.

SPEAKER_00

Yes. I feel like we're almost coming back to the uh Metasploit Auto Pwn days. I don't know if you ever ran into that or or made use of it. Uh but I remember uh running into some client engagements where a previous pen tester basically showed up and just started running the Metasploit Auto Pwn, which basically just tries everything uh to a certain degree, and it started causing so many problems. And it was not targeted and it was not very smart about you know what was going on, and that firm was obviously not brought back because we were stepping in and taking over the pen test for the next year. And I do I do worry about AI kind of going that direction that the models are getting better and the harnesses around them to do kind of agentic pen testing and red team are getting getting better, but I don't know if we're quite at that level of trust. Everything's very immature at the moment. And I think as things begin to mature and people get a little bit more comfortable with it, I think we'll see much more adoption around that, but it's a very interesting space to be in at the moment. In terms of engagements, are there any kind of common gaps that you're seeing just over and over again, you know, client to client, or is it just very different from each different client?

SPEAKER_01

There's there's a lot of variation in the types of systems that that that we're in, you know, in the types of clients that we're asked to engage with. Um if you're talking about, say, for instance, uh a traditional sort of active directory infrastructure, um, we tend to see the same types and themes of uh of issues that that are in there. That's been a long-standing thing. Um but if you if you you know if if you're on an engagement or we we work through an engagement, for instance, where uh those those companies, for instance, they maybe they use Mac as their endpoints or they you know they rely on SaaS products um to to do most of their sort of most of their business level work, um, that can be quite a different uh quite quite a different sort of um set of things that that that we see. I think the the the kind of the consistent thread is is always going to be there's there's an element of people, um so you know, user awareness, how do they treat things? Are they susceptible to um sort of coercion, social engineering, and and that type of thing? Um, but equally, you know, fundamental things like how do you control credentials, who can use them, how do you manage RBAC, who has access to what when is a is a core component. And we we see that again and again and again. It could be password hygiene, it could be things like that, for instance. Um and and equally it's also about you have uh an organization will often have a security model, what they think they've secured and the ways of this ways that they you know, the controls that they've implemented. There's often gaps in how those are applied, um, or they they've kind of they bought a product that covers a thing and they they don't know exactly how it works, and there's gaps in the way that that product might cover them. EDR is a is a common one where they think you know EDR will discover all the things, it will detect all the things. Um, but much like any other product or any car you buy, it has things it's good at and things that it's bad at. Um, so typically we see um you know organizations invest in in security products, um, assuming that they will do something and and that it doesn't do that function, and that's where gaps appear. Um, and and that's a common one that we see.

SPEAKER_00

Yeah, I would I would totally agree with that. Uh it's it might be a good product, but unless you tune it to your specific environment, it's not really going to give you the full value. Absolutely. So, in terms of memorable engagements, do you have a favorite one that stuck out? You know, obviously without sharing any client data or anything like that, but uh any particularly memorable engagements you've done?

SPEAKER_01

Um I've I've had uh one or two um in my time. One of one of my personal favorites um was was an engagement where um it it was a fairly large uh organization that had a global footprint. Um and they regularly took in um groups of of people um in sort of waves. So they'd take on people in you know two times a year or what have you, um, and they'd do big camps where they set everyone up and sort of get them ready for their business, and then they'd evaluate them if they're good to stay, and then they would sort of carry on going. Uh one of the interesting things is that there was a culture of sort of sharing that initial sort of uh information about sort of how to set yourself up, how things how things work, IT onboarding. Um, and individuals within that business had shared it to a document sharing platform. Um and there was also a YouTube video link embedded in one of those documents. Um effectively, there were sort of, I think it was about three frames within that YouTube video where they showed the default um username and password uh that when users were on board or onboarded, it was set to. Um and so um as a result of that, we were able to understand what their username and password format would be, would be for default users. Um we were also aware as part of this information that when users were reset or that they left the business, their password was set back to its default value as part of their uh as part of their scripting. So we were able to build uh sort of a structured spray uh that would guess from the top 10,000 names um that sort of um who those users might be, the sort of the you know statistically likely users. Uh, but this was very much targeted to the way they structured their UPN format. Um, and we were able to sort of password spray our way in and find users where MFA had been reset, there was no tap code set. Um, so we were able to get initial access um sort of uh to the at the identity level that way. Um the interesting thing is they also used a uh a common sort of zero trust agent um which doesn't publish its uh its its uh installer over the internet. Um we were also able to get that onto a mobile device and proxy through the mobile device to be able to gain access to their systems. Um ultimately um that led us to sort of getting getting sort of the highest level of access. Uh we managed to compromise their domain through um the zero trust network because they'd exposed the internal AD um resources there. It was a really interesting adventure because we had hurdles at every single step. Um they'd implemented the sorts of controls that you would expect to see at the at that particular point in time. You know, we'd found ways to bypass CAP policies, we'd found ways to get past the zero trust network restrictions that they'd put in place. Um so every time there was a challenge, uh we were able to overcome those. Um and this in the you know, this organization had some very spicy, uh, shall we say, um, sort of interesting traps within AD for things like SACLs, for sort of canaries and things like that. Um they'd they'd got a very large organization to come in and consult about how they harden their active directory infrastructure. Um and interestingly, uh the kind of the the the sort of um the the piece the resistance was that uh actually there was at that point in time, there was uh there's a common tool that we use for attack path mapping. There was a parsing error in it. So um it didn't show a particular pathway that existed, and we did manual manual checking to see if it was there to actually be able to find that logic bug in it. And we were able to escalate to domain admin through that method because it was missed by one of the tools that is uh widely used in the industry. So um one of those magic point in time, oh Blimey, actually, you know, we've followed up on this and we've we've done the manual research. And that was a really exciting end-to-end challenge uh for myself personally as part of the engagement. Um, but there's all sorts of interesting things that happen all the time. Uh and that's that's just my own personal experience.

SPEAKER_00

I I love those kind of perfect timing things. Uh, like you did because it sounded like you just had that perfect little window where that wasn't going to be detected, and maybe they hadn't rescanned, you know, with updated software to see where that path was. Uh I had an on-site engagement uh with Scott Sutherland on our team here. This is 12 years ago at this point. Uh but it happened to time perfectly with the release of the MS 14068, the Kerberos, uh was it the pack signing bug? I don't remember. It was with Kerberos tickets, and you could basically re-sign or uh what was it? You could basically change uh permissions within the Kerberos ticket and basically just mint it and take it, and all you needed were domain credentials, and you could elevate up to domain admin effectively. It just happened to come out the week that Scott and I were going on site. So it just perfect timing. It was that nice little window where we had proof of concept code, we could exploit it, and nobody had caught up with the patches yet. And granted, this was 10 plus years ago. You know, those windows I think were a little bit longer back then. I think those windows have tightened up since then. But I love those little, perfect little windows. You get that nice little vulnerability you can make use of and just escalate or get where you need to get to and kind of abuse that little window for a little bit.

SPEAKER_01

Yeah. Time can be your friend as well as your enemy on these things, I think, can't it? And it's uh it's amazing to be able to help clients at that really early juncture as well and make them aware of these types of exploits um really, really early on in those chains. Um interesting, kind of uh another analogy for me. Um this is uh just as um there was a release around the sort of ADCS exploits, um, and there wasn't really any weaponized code around at that point in time. Um, I also have once had a test where we were able to demonstrate that proof of concept and build that manual exploit uh before there was any proof of concept out there. And again, that was a just a point in time of this this subject alternate name abuse was it was had just come into the public awareness. There wasn't really any any tooling or public code out there that would help you exploit it. But when you're able to on a red team demonstrate that there's this kind of uh, you know, this is at that point in time, there's a this advanced thing that people don't really know very much about, there's not general awareness of, and demonstrate that to a client, that's a really exciting feel because it helps them react in a way that they can protect their business really, really soon, really early, really, you know, and avoid compromise as much as possible.

SPEAKER_00

Well, and as much as this might sound like an ego thing, uh it's always nice to be really impressive to a client because clients see that and go, oh wow, you are like really on top of that. You're really smart, like you're on top of all of these security things that are happening. If you can build something that quickly and understand what's going on, uh it's always great to add that additional value. And it's kind of fun when clients are impressed or excited about that. Uh I think those are some of the best clients, the ones that kind of uh nerd out with you on some of the exploits that you're doing. Oh, you were able to exploit that? That is a really cool one. I love that one. Uh those folks are always fun to work with. 100%.

SPEAKER_01

We're all doing it because we're passionate. And I think, you know, when people share that passion, that's an important thing.

SPEAKER_00

Yeah. Yeah. I uh I've certainly had engagements where it's it's kind of the opposite of uh somebody's required to do this pen test and they're kind of begrudgingly doing it. And we're just kind of getting dragged along through it and the job gets done and they're not really excited about it, those are way less fun than ones where people are actively engaged and excited to be doing the testing. Changing things up a little bit here, uh not completely switching out of uh shop talk here, but uh getting to know you a little bit better here. Do you have uh a favorite piece of what we call hacker media, like a book, movie, TV show, anything like that that might be hacker adjacent?

SPEAKER_01

Um I'll be honest, I'm probably one of the few people who who hasn't watched hackers um in the in the hacking community. Um and I I I think I was always um probably uh probably distracted um at some point when when that was going around. But um I've uh Snowcrash is the one that I've read that is in the kind of the Zeitgeist. That's probably the the one that that would say that for me. Um but otherwise, um yeah, no, I'm I'm I've I've so far not actually watched that many uh hacker hacker-related things.

SPEAKER_00

Totally fair and and very good choice with Snow Crash there. I believe somebody else called that one out. I'd have to go back and double check who, but uh yeah, uh we'll have to get you a copy of Hackers. And uh I don't know if you prefer DVD or Blu-ray or uh stream it, but I feel like that's almost required watching at this point in our industry.

SPEAKER_01

It's my shameful secret. It really is.

SPEAKER_00

Well, now it's out. Uh so other uh you know hacker-related things here, uh, you know, conferences being a big part of our industry here. Do you have a favorite hacker con or uh any favorite conferences?

SPEAKER_01

So um I it's really interesting, actually. Again, I'm probably one of those people that's that's not yet uh been to DEF CON. Um this year will be probably my first year where I've been to DEF CON. So excited about that one. Um but as far as as um as far as conferences go, actually, one of the best experiences that I had um of a conference was um one that I attended in the Netherlands. Um it was the one called uh hardware.io. Um and that was a really interesting one because uh that was just as the um the first Nintendo Switch hacks came out, uh, and there were some interesting talks around um sort of how that came to pass and what the individuals were doing to sort of uh Nintendo is famed for its its kind of um intellectual property controls and sort of how stringent they are on that side. So it was a really interesting conference and and to sort of you know be among people who were in the hardware space who were really, really smart at what they did. Um and and I I can pretend uh that I understood all of it, but I I absolutely didn't. There were some really, really, really good, deep, deep dive technical talks there when I went there. Um likewise also SteelCon in the UK uh is another one that's really, really good, well respected um by a lot of people, um, and troopers as well. Um it's sort of uh in in in sort of uh in the EU. Um they're all there's so there's so many good conferences, it's difficult sometimes to choose.

SPEAKER_00

But yeah, I feel like being in the UK, you know, it's way harder for you to get to Las Vegas for DEF CON every year, whereas I live in the same time zone as Las Vegas, so it's extremely easy for me. But uh yeah, I'd I'd love to get out to more of more of the European conferences. I am getting out to troopers this year, so very excited to go out to that one.

SPEAKER_01

Yeah, it's a it's a great conference. Uh it is a really, really good conference, and and people really should uh check it out.

SPEAKER_00

Yeah, yeah, I'm very excited about that. And the the speaker list and other folks that I know who will be there this year, uh I think that's one of my favorite things about just conferences in general, is you get to meet up with other industry professionals that you might just interact with online or through LinkedIn or X or whatever, and just kind of have you know online conversations with and be able to just sit down with folks and kind of talk shop and kind of like we're talking right now, uh just get some some background and bounce ideas, uh so many just so many great ideas that pop up at these conferences. So outside of work, uh a lot of us, you know, here at NetSpy do home labs, servers, other kind of personal tech projects. Do you have any personal tech project things that you've been working on?

SPEAKER_01

Uh so I guess uh kind of qualifies as tech. Uh so I quite like um I quite like listening to music. Um I it helps sort of center me for those those long hours of of red teaming and my and and filling in Excel spreadsheets and stuff like that that I do as a service lead as well. Um, but um I'm I'm actually in the process of um sort of building uh building out for the first time actually a sort of a home home audio setup that uh I'm I'm sort of adding into my new house. I've just moved house. Uh so I'm I'm looking to make it uh sort of whole home audio, which is going to be exciting. Um I haven't gone as far as doing things like home assistant and going you know really, really deep into it. Um strangely enough, one of my colleagues uh recently has he's got a uh coffee cup temperature monitor, uh, so he knows the optimum temperature uh that his coffee is at so he can drink it. Um and he knows how full his mug is based on his home assistant and he's got the little war world for it. Um maybe one day I'll get that far. Um but uh yeah, I'm fairly vanilla when it comes to tech. I I like a good uh a good computer. I've got a water-cooled uh um rig, for instance. Um I've built a custom loop uh for my uh home PC, do a bit of gaming with that sort of thing as well. Um and lucky and I'm lucky enough to have a 5090, so uh that's uh that's something I've been putting putting some some good exercise through doing AI and playing a few games as well. I've been tempted to upgrade.

SPEAKER_00

I believe I have a 3060 in here and would love to upgrade. So one of these days. So I was gonna ask with the the radio things. We've had uh a couple other prior guests here bring it up, but uh are you familiar with mesh tastic?

SPEAKER_01

Well, I I have a passing knowledge of mesh mesh task. I'm not I'm not the the most uh in-depth expert on that side, uh, but yes, I'm aware of it um and the enthusiasm that others have had, let's put it that way.

SPEAKER_00

I got really into it probably six, seven months ago and haven't done as much in the last, I don't know, probably two or three months here, but trying to get back into it uh you know over the summer here as it's nicer. I'm gonna try and get a an outdoor node set up. And it definitely seems like it's picked up adoption-wise here, at least in the States. Uh curious to see uh how things look in the UK.

SPEAKER_01

I think um I think there's some uh some feverish individuals who've been uh going qu going quite deep with it. Um it is one of those things that I think it's it's this pathway that once you start, it's uh yeah, it's a it's a slippery slope, let's put it that way. Uh but um yeah, no, it's uh it there is I think it's it's quite popular within the general sort of hacker community and the sort of the hardware community um quite a bit. Um yeah, very much so. Um but unfortunately I've not yet got the bug.

SPEAKER_00

Yeah, I'm hoping to do uh you know, speaking of home automation stuff, hoping to do some of that via mesh task, just time constraints and life and all of those things kind of get in the way. So uh one of these days I'll I'll get back into it and I'll I'll share it with the folks. I I think that's one of the things I love uh working here at NetSpy is just the open collaboration that we have and kind of sharing some of these things internally, uh talking about video game setups or uh I'm curious about the home audio stuff. We'll we'll have to take that offline uh because I'm trying to figure out some stuff internally here for my house. And trying to wire through my house has just been a mess. So uh we don't have to talk about it here, but uh very curious to see uh what solutions you're coming up with there. But being able to share that internally with folks here and just the collaboration on even non-work kind of stuff, uh chatting about that stuff has been a lot of fun.

SPEAKER_01

Yeah, I I think that that's one of the things I've always always really enjoyed um, you know, from it from the sort of the NetSpy community is is not only the million and one hobbyist uh Slack channels that we've got, but also some of the things that people are doing outside of the hacking world, doing, you know, building passion projects and and sort of doing things. Um I think uh my one of my personal favorites that I saw recently was um there was uh a channel for rock collectors, um, and everybody um made the the the customary Dwayne Johnson um joke about that that's the rock that they collect. Uh but they just just the the amazing things that people get enthusiastic about and sort of how how deep they go. We're we're we're a passionate group of people, and I I think you know, sort of that that personality shines through. Um, you know, in in the region, in Amia in in in the UK as well, the kind of a a lot of the team has has come through sort of you know uh recommendation and through sort of having friendship links and knowing, you know, sort of, you know, knowing people that are good that are sort of really solid in the industry, and there's a really strong sense of of bond within the team. And that's one of that for me, that's one of the most important things in any place of work is to is to sort of you know be able to talk to your colleagues outside of the work loop, but also to be able to sort of engage with them and to sort of have that that that sort of, you know, it's it's a big part of your life that you are spending with these people. You need to be able to talk to them and uh sort of you know share some war stories and to sort of you know have have have have life beyond cybersecurity is often uh you know, it can be a challenge. And I I think it's not here, which is nice.

SPEAKER_00

Yeah, I would totally agree with you there. Well, that kind of wraps up more the the personal side of things here. Uh you know, folks want to get in touch with you. Do you have any preferred social media channels or any way that folks can get in touch with you?

SPEAKER_01

I I'm a I'm a recluse. Um, I I want to stay away from people as much as possible. No, um uh so from my side, um I don't have uh I don't have um Twitter or X, I've got a GitHub, uh, but I will that will remain nameless because there's some exploit code in there. Um but uh reach out to me on LinkedIn. Uh I'm always fairly talkative there. Uh happy to do that. And uh hopefully, you know, if you're enthusiastic about cybersecurity, whoever this is on the other end of the of the recording, um, maybe I'll see you at DEF CON, maybe I'll see you at some of those conferences and uh we can connect in person.

SPEAKER_00

There you go. Yeah, I'd say uh LinkedIn-wise, relatively active over there. I I see the occasional traffic from me over there, but uh good to hear that folks can kind of reach out there. And if anybody does have any questions for Giles or you know general questions for NetSpy, feel free to leave a comment on the video. Feel free to reach out to us through the NetSpy website. And uh yeah. Okay, last question here. Uh any other things that you might want to promote or share?

SPEAKER_01

Um, I mean, if it if I was to do a selfless plug, uh well, no, selfish plug, probably actually would probably be more appropriate. Um, we're doing a lot more stuff in in red team land at the moment, um, and we've got some really interesting things that we're we're building out there um in terms of the capability. So um, you know, it we've we've been looking at sort of how do we do more condensed kind of uh red team type assessments with more focus, you know, that how do we how do we assess preventative controls as much as we do might do detection and response? So, you know, we've been working on quite a bit of uh stuff there as well, something called scenario-based test, um, which is our answer to that issue. Um, and also we, you know, we have a much more sort of uh campaign-focused model, something we call Mass, which is the Managed Adversarial Simulation Service. Um, and that's kind of like a um, you know, it's it's the sort of the halfway house between a continuous test and a sort of a point-in-time red team. A lot of organizations struggle with um operationalizing the outputs of a red team. And so Mass for us is how we can have a stronger link to our clients to be able to sort of um sort of help them along, work through a campaign of sprints or individual sort of tests as as we so as we see it. Um and that could be from any of the sort of any of the sort of uh adversary simulation type uh sources, so social engineering, red teaming, purple teaming, you know, any of the kind of different archetypes of of adversary simulation. And that's a really interesting prospect because it allows us to tell a story um in that relationship. So um definitely I would say um if you're curious about what that might look like or either those might look like, please do reach out. Otherwise, um promotion, otherwise, uh probably um that's it from my side, I think.

SPEAKER_00

Um, that all sounds super interesting. And if that sounds interesting to anybody, feel free to uh reach out. But really appreciate having you on today, and uh we'll talk again soon. Thank you. And that was our conversation with Giles Inkson. Thanks for joining this episode of Hack Responsibly. If you'd like to see more episodes, make sure that you like, subscribe, follow all the things, and check out the NetSpy website to get connected with us. Thanks again, and remember hack responsibly.