
The Entropy Podcast
Nibble Knowledge is delighted to bring you "The Entropy Podcast"—hosted by Francis Gorman.
The Entropy Podcast centers on cybersecurity, technology, and business, featuring conversations with accomplished professionals who share real-world knowledge and experience. Our goal is simple: to leave you better informed and inspired after every episode.
We chose the name “Entropy” because it symbolizes the constant flux and unpredictability in cybersecurity, technology, and business. By understanding the forces that drive change and “disorder,” we can create better strategies to adapt and thrive in an ever-evolving technology and geopolitical landscape.
Disclaimer: The views and opinions expressed on all episodes of this podcast are solely those of the host and guests, based on personal experiences. They do not represent facts and are not intended to defame or harm any individual or business. Listeners are encouraged to form their own opinions.
The Evolving Threat Landscape with Chris Dale
In this episode of the Entropy Podcast, host Francis Gorman speaks with Chris Dale, Chief Hacking Officer of River Security, about the dynamic and ever-evolving field of cybersecurity. They discuss the importance of penetration testing, the overlooked security risks companies face, and the role of offensive security in today's landscape. Chris shares valuable insights on how organizations can better prepare for cyber threats, the significance of education in the field, and the potential impact of generative AI on cybersecurity training. The conversation also touches on future challenges in cybersecurity, including the implications of geopolitical cyber warfare.
Takeaways
- Penetration testing is crucial for identifying vulnerabilities.
- Reusing credentials across multiple services is a major risk.
- Supply chain attacks are a growing concern in cybersecurity.
- Offensive security plays a vital role in defense strategies.
- Assuming a breach mindset is essential for organizations.
- Network segmentation and least privilege are key security practices.
- Education in cybersecurity needs to focus on timeless knowledge.
- Generative AI can enhance understanding but has limitations.
- Future cybersecurity challenges will involve AI-driven vulnerabilities.
- Geopolitical tensions may lead to more sophisticated cyber warfare.
Francis Gorman (00:00)
Hi everyone, this is episode 3 of the Entropy Podcast, I'm Francis Gorman. Today I'm joined by Chris Dale, Chief Hacking Officer and Principal Instructor with SANS. Chris, how are you doing?
Chris Dale (00:14.727)
Doing good my friend, how are you?
Francis Gorman (00:16.678)
Not too bad, not too bad. Busy week, but great to sit down and have a chat. Chris, Chief Hacking Officer, really cool job title. What does it entail?
Chris Dale (00:39.771)
Yeah. So basically, managing pen testing teams is a complicated job because there's all kinds of facets to penetration testing. It's a very progressive field, you know, lots of changes all the time, new developments, new hacking techniques, new systems, new technology. And to be able to manage such a complex operation to ensure the highest level of quality, to ensure that our pen testers are talented and skilled enough, that they get the help needed,
that they have the processes and methodologies in place to actually do proper pen testing. Well, that's the Chief Hacking Officer's job.
Francis Gorman (01:17.804)
Be a Chief Hacking Officer now, you know. Chris, every time I meet you, you're always a ball of energy and you're flying around the country doing the SANS training, different locations, meeting different people. What motivates you? Where do you get that energy from?
Chris Dale (01:19.442)
Hahaha
Chris Dale (01:33.563)
It's a very fun industry we're in. It's like, I've done all kinds of work. Okay. Before I did my bachelor's and before I got into computers, I was changing tires on cars. You know, I was in a car repair shop almost. I was working in hospitals, not a hospital, sorry, hotels, like changing people's rooms and cleaning up stuff. You know, I've done all kinds of jobs and cyber security is just amazing because it's never standing still.
There's something new every day. I go on a two week vacation without my laptop, for example. I come back and it feels like the whole world has changed almost. So I find a lot of appreciation in that we're in such a fun industry where we can make an impact on things. We are not severely handicapped by governments or regulations. We're able to basically
find true vulnerabilities in pen testing. We're basically doing incident response, able to kick bad people out of organizations, almost like what law enforcement would do in real life. So it's such a really cool place to be, honestly.
Francis Gorman (02:47.126)
I feel the same. I think we are privileged to constantly wake up and have to re-educate as new topics emerge. It's one of the challenges. You just have to hope the brain sticks in.
Chris Dale (02:57.137)
It's like, yeah, it's like, yeah, it's like WWW. Like at school they teach us it means the World Wide Web, but in real life it's more like the Wild Wild West. And being a part of a Wild Wild West, we're blessed.
Francis Gorman (03:11.586)
Very much so. In terms of that, what is, from your perspective, one of the most overlooked security risks companies face in today's technology landscape? Is there anything particular that would jump to the top of your mind?
Chris Dale (03:26.035)
So immediately, immediately my mind jumps to the fact that we're using the same set of credentials in multiple places. It's just not acceptable anymore. But still, people are, even the people in my classes are using a set or a set of few credentials across multiple services. And that's just not acceptable. It just makes it too easy to be a criminal where we simply reuse credentials to log in left and right.
And the second one that jumps to my mind is the fact that the supply chain is open right now. I expect there to be cyber weapons being implanted into all kinds of open source, free open source libraries, products, and so on that are going to have dire consequences in the future when these malicious code implants are being used against us.
Francis Gorman (04:15.854)
Yeah, third party supplier risk. That's a really hard one to control. When you interface with a lot of different companies and clients, how many of them have an SBOM in place?
Chris Dale (04:26.577)
You know, a software bill of materials is not very common to see, unfortunately. And for the ones who do have it, keeping it up to date and maintained, at the very least, if you don't have tooling or automation to help you keep these things up to date and maintained, it's challenging to say the least. And I guess this is where we've got to make compromises on security. We've got to say, look, the supply chain is going to fail us, right? There's a zero day. There's a supply chain attack, whatever it is.
Bob, Chris, somebody double clicks, right? We need defense in depth and we need to survive to see, we need to be able to survive to see another day, even if we're compromised as part of the supply chain, which is why we should default to having network segmentation, least amount of privileges, monitoring not just on the hosts, but in the network stack, also in our applications, visibility across the enterprise, so we can pick up on when bad things happen, because it's not a matter of if, it's about when.
Francis Gorman (05:27.692)
Is this where offensive security should really start to play a role then?
Chris Dale (05:31.919)
If offensive security could play a role?
Francis Gorman (05:34.816)
In terms of if you're doing defense in depth, and then we think about the different components that brings together, if we look at offensive security, for instance, in that perspective, is there a greater role to be played here? A lot of companies aren't doing offensive security. They're doing levels of defense in depth. But it's complex.
Chris Dale (05:53.16)
Yep.
Chris Dale (05:56.613)
It's very much complex and to me it's all about what kind of value proposition you have and what the customers are left with in values once you're done spending their money. And there's some different facets to this. One thing is the penetration testing or offensive security from the outside looking in. Okay. That is important. It is important that we keep our guard up, that we patch and get rid of the most common pitfalls, the vulnerabilities that allow people to climb through the walls. Yes.
Good job, you need to pen test those things and keep vigilance from the outside looking in. But from the inside, that kind of assume breach, I don't particularly enjoy or like exploiting people. Why would I bother exploiting people? They're gonna make mistakes. So we're gonna assume the breach. We're gonna assume that Chris double clicks or there's a zero day or there's a supply chain attack. Now, once we're on the inside,
That assume breach exercise, if you ask me, should focus on width. We need to do broad testing and we need to look for important timeless types of defensive measures if they're in place or not. Like, for example, keeping data locked behind bars. So typically when I'm doing an assume breach, I see terabytes of data. I see hundreds of thousands of files that I don't need to see.
there's not a lot of enforcement when it comes to that internal network segmentation and so on. So we need to start to make sure that that pen test focuses on the best practices, not just pointing out that, hey, you're missing some patches. Hey, we could exploit this box. Your question should be instead, why could I see that box? Why could I even authenticate to that box? Why is there no zero trust type of enforcement here where you have to identify the user and the device?
Francis Gorman (07:57.134)
It makes total sense. Is that where a lot of companies in your perspective fall down? That they scope a piece of work that's specific to a new piece of infrastructure and then they scope everything that sits around it and boom, you're actually...
Chris Dale (08:10.227)
Classic, classic, right? And it's not very fun to do assume breach exercises if you don't see the customers improve from one time to another. The scoping issue is a big one, of course, but the reason why they might just scope that new piece of infrastructure could be because they've been burnt earlier in having a wide pen test done, but they don't have the ideas or the tools to actually start to improve those things and they're just going to see the same issues over and over. I'm not sure, but it could definitely be.
Francis Gorman (08:47.278)
And Chris, in terms of an engagement of this nature, what makes it successful and what just makes it fall flat? What are the parameters you need upfront to really size, scope and put the right individuals behind the keyboard in these areas?
Chris Dale (09:04.851)
So it's a very interesting question, Francis, because an assume breach, so an internal pen test in other words, it should be regarding something that we're actually concerned about. For example, an area where we have a lot of churn, maybe we have a help desk that has people coming in and people leaving the company quite often because people are done with their studies, et cetera. So we want to test to see what happens when they're compromised. Are there any opportunities to be a malicious insider?
Is there any, like, how much of an impact does it have when such a computer or user gets compromised? Or say how Linus Tech Tips was hacked, right? They have people looking at contracts every single day. There are directors that are reading contracts, signing contracts, and they opened up a malicious attachment. Let's assume that one of our staff, who is in charge of reading attachments and
reading PDFs and double clicking attachments all day, let's assume that such a box and user is compromised. What kind of consequences will that have? And from that perspective, once we've kind of put ourselves in a more realistic scenario, our job as a pen tester and the resources we assign to the pen test should be able to look at the tools available. And then that's very dynamic, progressive, right?
Does this user have credentials saved in the browser? Are there any old cached type of mQries authentication tokens that might be used? We'll do some local reconnaissance and look to see what kind of ammunition might we find here. Is there something that can be used inwards towards the network? And then we'll do network reconnaissance and look for openings. Can we speak to one, two, three different services or two, three, 400 services? It's a huge
disparity or difference between having a network which only provides you what you need to have access to versus open flat networks or networks that are not properly segmented. Because that will help define the pen tester's next move. And I think that we need to have a dialogue here. Look, once I'm on the inside and I see 100, 200 different services, it's obvious that you're going to have some things that you should improve on.
Chris Dale (11:29.863)
there's probably not enough network segmentation. And that can be challenging to implement and so on. However, what I would do now as a pen tester, I would highlight that as a finding. This is a problem, notable problem. But I'm now going to aim very wide. I'm going to be looking for low-hanging fruits to pick apart whatever pieces of information that might help reinforce why you need to do network segmentation.
Francis Gorman (11:54.19)
Makes total sense. If you were to give companies three pieces of advice based on all the engagements you've had, what would they be?
Chris Dale (12:03.965)
So, three pieces of advice. Assume the breach, yes. So, the attackers are on the inside. Whether it's a trusted insider, a malicious insider, or just an unsuspecting user, Chris Dale, double-clicking something, the attackers are on the inside. So, assume the breach. It's not game over once you're hacked.
So you're going to have to win that fight. The attackers need to win. What are they going to win with? They're going to try to achieve some kind of impact, some kind of goals. What are their goals, to ransomware you? Okay, sure. But their goal is not to just ransom you. It is to actually get you to pay. So start looking at how do we survive an attack that is happening from the inside, and to fight, for example, ransomware actors, it would be to have immutable backups and look at
building defenses that make it harder for attackers to spread.
Three different things. I want to conclude it with assume the breach. Yes. But is that even advice? It's not just like, what kind of advice is that? Right. So, if I were to give advice, three things: network segmentation, principle of least privilege, and multifactor authentication or some kind of zero trust that allows you to build that network segmentation better. That would be my strategies or maybe tactics. Yeah.
Francis Gorman (13:29.784)
Your policy enforcement engine. I remember talking to John Kindervag, he's attributed as the godfather of zero trust, but his prime example is the motorcade of the president with the four Secret Service agents, two front, two back. And he calls those their policy enforcement engine, you know, and the motorcade is the critical asset or the crown jewel, you know, and their enforcement is a big machine gun, but you know,
our enforcement is firewall policy, intrusion detection systems, whatever you have at your remit. And I think when we talk zero trust, the industry made it a bit of a marketing term, but it really is strategic intent. And, you know, that needs to come true. I suppose when we look at these things, you probably have the technologies and the capabilities already within your enterprise to leverage them. You just need to mature them and put the right level of focus on them to get that impact.
Chris Dale (14:16.48)
Yeah.
Chris Dale (14:21.299)
100% agree and honestly, just this weekend my CTO, CTO of River Security, he just implemented zero trust in front of a wiki that we're gonna deploy. So using Cloudflare, not Azure Front Door, they were too expensive, but using Cloudflare, we basically just said that we're gonna have to identify the device and the user before we can make a determination if the user will be able to even interact with the wiki's
dynamic code and features and functionality and so on, and it was trivial to get it done. My biggest concern, Francis, is that we're talking about this now, right? Zero trust, cool. We need it. But when our peers look at implementing it in their enterprises, they become stifled. It's because they look at the whole broad picture. We're gonna look at zero trust for everything, and they do nothing. They become stifled or paralyzed
because it's so challenging getting it done everywhere, right? And even new solutions, new deployments, new infrastructure go without the best practice. They don't implement the best practice for new deployments because they couldn't do it for the legacy. And that's a big fallacy. You can start doing the right thing today, even if you have old legacy systems that are harder to turn around
and, say, enforce network segmentation or zero trust or MFA on and so on.
Francis Gorman (15:53.036)
Yeah, it's a real problem, I think, but it's a people problem. It's cultural, you know, the business wants to run fast. Security wants to be secure. And, you know, I think the SAP framework is the best one in terms of making sure that the business attributes follow through with the security intent. You know, you need confidentiality, make sure everything's encrypted and, you know, your access control is appropriate. You need availability, get your load balancers and your Cloudflare or your Front Door type
content delivery networks in place, whatever it is, it really is down to the intent. And I suppose being able to execute on that strategic intent needs clarity, and clarity needs people to have an ability to communicate. And I think communication is something that, as security professionals, we sometimes tend not to be very good at. And it's probably an area where we need more focus, especially through education. Everyone focuses on the hard technical skills, but if you can't articulate the
problem to the people with the money, there's a good chance that you're not getting them implemented in the first place.
Chris Dale (16:55.551)
For sure, for sure. I think we could reason with the upper management on a strategy that we need to protect our confidential information. We need to protect our customers' sensitive data. We need to make sure that we're not ransomed, et cetera. We can set together strategies and agree on the long-term leading principles that we agree on, right? But when it comes to the tactics to start to deploy and act on those strategies, this is what I'm mostly concerned about. Which tactics
can we deploy, like zero trust, segmentation and so on? And which tactics can our teams actually act on in an operational way? Do they have the know-how, the tooling, the hardware to even start to enforce these tactics? And if you have a discrepancy here, then we've got to start with realigning our tactics perhaps.
Francis Gorman (17:48.578)
I also think, Chris, that's a really good point, and being able to weigh your detect capabilities versus your prevent versus your recover and restore, you know, knowing where you're strong, you know, your maturity levels in those areas is probably really important for businesses. You may be really poor at recovery, but really strong at, you know, discovery, you know, it's a, yeah, discover quick and hope for the best.
Chris Dale (18:10.941)
For sure.
Chris Dale (18:15.163)
Yeah.
Francis Gorman (18:16.706)
In terms of education, the field we touched on there a bit, and you're passionate about this field. I see many videos of you being on SANS courses, we've interacted, and that's where we first met, in Amsterdam back a good few years ago now when cloud was becoming a thing. The education around security. Have we got a problem there? Are we too caught up in a
lack of an apprenticeship driven approach and more in certification, and is that sort of a driver for getting the right talent to the right places?
Chris Dale (18:58.181)
So I strongly believe there is room for apprenticeships, learning on the job, et cetera. Even within pen testing, which is considered to be an expert field of work, like you should be an expert when you're gonna assess the security of a system. There is room to enable people to learn on the job type of training and so on. But...
It's something completely different than saying that some junior, some apprentice is going to be responsible for delivering a pen test. It's completely different. Today, there's a huge skill gap in the world. There's a lot to go on when it comes to security training. My biggest problem with training today, whether it's from books, and I have a library I'm pointing at here,
or it's from sitting in classes. It's the failure to teach timeless knowledge. It's the failure to teach understanding versus just look at this cool tool, this CVE, run this Python script, see what happens. People are not learning from that. They're amazed. Wow, it worked. I'm root. Why are you root? Why do you have compromise?
and seeking that understanding of things that you can build upon, you know, a solid foundation of talent that can take on new and harder challenges is where I see a lot of training and books and many other resources are failing on today. If you look at universities, for example, they become stale and old pretty fast because they fail to recognize that what they put in a book today is changed tomorrow.
They need to look at more timeless ways of generating knowledge and teaching knowledge rather than saying, here's some cool hacking technique, OWASP Top 10, who cares? Right? It's cool, but it's gonna change from one year to another. Instead, we should be teaching HTTP. Okay? It doesn't change. It's where HTTP/3 now is all of a sudden running over the QUIC protocol over UDP. How does that work and how are attacks
happening on top of that? How would somebody discover SQL injection without knowing what SQL injection is? That type of questions and answers is what educators need to look at.
Francis Gorman (21:35.286)
Is GenAI going to compound this problem or make it better?
Chris Dale (21:41.975)
So unfortunately, GenAI is trained on existing data and material, right? So it's being trained on already existing material, which is not necessarily the best. So we're going to see good things come out of it and bad things come out of it, whether it's vulnerable code and bad advice or actual things that will help people comprehend the situation much more.
There's no doubt about it. AI will help us greatly. GenAI. One of my favorite prompts, Francis, is to say, please, ChatGPT or Claude or whatever, teach me this concept, but explain it to me like I'm in third grade, you know? And that kind of dumbing it down, or getting help to create abstractions or analogies, the AI is superb at doing.
Francis Gorman (22:37.708)
I was talking to Jimmy White on episode two and I asked him the question around niceties in AI. Does he say please and thank you when writing his prompts? And he was very quick to say he used it at the start, but now everything is a directive and he challenges it so that it doesn't bow down to him. So it's an interesting concept. I think how we interact with this technology as well is going to have a real
talent to what we get back and the quality of the material. And I think it's also part of, as you said, if it's trained on poor documentation and the individual doesn't have the core understanding of what it is they're actually asking, then no matter what the answer is, it looks genuine.
Chris Dale (23:22.583)
For sure. It's very affirmative in this case. Like, this is the answer you're looking for. Of course I've got an answer for you, right? This is what it is, even though it's a hallucination. But what I'm looking for in the future is, I'm
imagining more, and we're going to not be just utilizing one model in the future. We're going to be using multiple models together in unison. And we're going to be having prompt engineering become one of the most important things that we do. So we're going to, with our prompts, have the same question asked to different models, whether it's Llama, Qwen from Alibaba,
and OpenAI and so on, we're going to be asking multiple models the same question with the same prompt, and then we're going to beam it through one single model that is going to give the best result, so to speak. We're going to be beaming the results into a single response that is more likely to be what we're looking for. I think so.
Francis Gorman (24:24.91)
What do you see 2025 is going to bring for us in terms of cybersecurity headaches, considerations, or maybe surprises?
Chris Dale (24:33.275)
I think we're going to see that security research is going to become easier. There's going to be more vulnerabilities in software that is not necessarily receiving scrutiny today. We're going to see that AI is pretty good at finding software vulnerabilities in open source code, for example. And some people are going to do the responsible thing to disclose those vulnerabilities, but people looking to make a buck, make profits.
They're going to be using AI to find vulnerabilities in code, which Shodan, for example, or Censys is really going to help them with. You want 200,000 instances, public instances of X, Y, and Z? Here you go. And they're going to be armed and weaponized with vulnerabilities that they didn't really have to engineer themselves. AI would guide them into weaponizing vulnerabilities.
Francis Gorman (25:25.742)
That's gonna make things really complex. How do we defend against that?
Chris Dale (25:31.615)
So we're going to have to have that layer defense for us, right? So you put something on the internet, there are a couple of things to remember. Web application firewalls, next generation firewalls in front of it, it will help, sure. But you put something on the internet, you better make sure that you can react and patch it within say 24 hours. So you're going to have to be much speedier now than in the past.
And 24 hours is kind of like almost too slow today. There's a new patch out there for say Atlassian or some product somewhere. Attackers are scanning the entire internet or leveraging pre-existing scan data from Shodan and others. And they're going to be abusing it in less than 24 hours today.
Francis Gorman (26:19.222)
Not making me feel any better, Chris.
Chris Dale (26:21.659)
It's challenging for sure, but defense in depth, layered defenses, use the WAFs, they can disrupt the attacks perhaps, make it harder for the attacks to work potentially, but it's not a single silver bullet, you know, these systems require love, care and attention, configuration, et cetera. So yeah, it's not easy. Limit the attack surface, limit your exposure. Zero trust,
great concept, identify the users and the machine, or their hardware devices, before you even allow them to see the infrastructure or interact with it. These are great tactics to put in play.
Francis Gorman (27:00.882)
Across the span of your career, Chris, have you ever come across anything as part of a breach scenario or a compromised company or system where you just went, that was beautiful. How did they how did they think of it? You know, was there is there any gem in there?
Chris Dale (27:18.195)
I of course do sometimes see attack techniques that make me go like, amazing. It's not an endorsement for doing bad, but it's like chef's kiss, you know, beautiful execution and everything. And in the beginning, in my early days of the career, it was more of a novelty and you found appreciation of many of the hacking techniques that you see being used against our companies.
Nowadays, though, the consequences are so dramatic and it's harder to... There's also less novelty, right? You've seen it all, kind of like it's no longer a big surprise when there's something new. But to be honest with you, to answer the question pretty easily, look at PortSwigger's top attacks. Year on end now, I think they're on the second year now, they have had a
rating or a sort of, not a competition, I'm not sure what I'm looking for, but they have a top 10 coolest attacks of 2024, 2023. And we're talking about things like Dirty Dancing in OAuth flows. We're talking about super interesting SQL injection techniques via overflowing the protocol buffers that are speaking SQL. We're talking about
super cool attack techniques that just go to prove that we're going to be in this industry for a long, long time.
Francis Gorman (28:50.766)
That is reassuring. And one final question, Chris, and I know we'll be up on time then, so I'll wrap it. We haven't seen anything like a Stuxnet in a number of years. With the current geopolitical situation, do you envision we're going to see more weaponized cyber warfare type events coming out of countries like Israel or Russia or China or wherever?
We're in a very funny time at the moment. Do you think we'll see a Stuxnet that maybe is more harmful, or a variant of it?
Chris Dale (29:24.921)
I would not be surprised. I think there are currently not just cyber weapons being developed, but there are also currently cyber weapons being deployed against our countries and also against potential competing countries that may or may not be used in the future. There's already weaponization going on that might not be enabled, but the supply chain, for example, is definitely under attack.
And who knows if it's going to be used or not, but it could be, right? I think we're going to see something huge, unfortunately.
Francis Gorman (30:03.276)
Yeah, it's the one thing that worries me, every time I go into a car showroom, the cars are almost talking to me. You know, should our cars be disconnected, and how many different vendors and code vulnerabilities are there, and when does it get patched?
Chris Dale (30:15.347)
I don't like it. When I click the button to turn on my lights, just be a hardwired connection. When I want to open up my car, just mechanics. It's fail safe. It's not hooked up to the internet.
Francis Gorman (30:31.67)
Yeah, interesting times ahead, Chris. Look, really, really appreciate having the sit down today and the chat, and thanks a million for joining me on the Entropy Podcast. Thank you.
Chris Dale (30:42.353)
My pleasure.