Understanding Identity Threats in Cybersecurity with Filipi Pires


In this episode of the Security by Default podcast, host Joe Carson speaks with Filipi Pires, a cybersecurity expert with a diverse background in both technical and sales roles. They discuss Filipi’s journey into cybersecurity, the importance of identity in security, and the challenges organizations face with misconfiguration. The conversation also covers tools and techniques used in cybersecurity research, the significance of observability, and the need for continuous learning in the field. Filipi shares insights on community engagement and the importance of respecting the journey in one’s cybersecurity career.

Takeaways

  • Identity is a central theme in cybersecurity.
  • Misconfiguration is a leading cause of security issues.
  • Continuous learning is essential in the cybersecurity field.
  • Tools should be used to understand techniques, not just for their own sake.
  • Community engagement is vital for knowledge sharing.
  • Phishing remains a simple yet effective attack method.
  • Legacy software poses significant risks to organizations.
  • Observability is crucial for effective security management.
  • Respecting the journey in cybersecurity is important for growth.

Chapters

  • 00:00 Introduction to Cybersecurity Journey
  • 02:49 Exploring Cybersecurity Research and Trends
  • 05:32 Tools and Techniques in Cybersecurity Research
  • 08:34 Learning Through Capture The Flag Events
  • 11:28 Identity Threats and Misconfigurations
  • 14:16 Legacy Systems and Their Impact on Security
  • 25:40 Understanding Use Cases in Security Permissions
  • 27:36 The Principle of Least Privilege
  • 29:31 The Complexity of Identity Management
  • 30:28 Challenges in Observability and Access Control
  • 32:16 Navigating Multi-Cloud Permissions
  • 34:07 Tools for Enhancing Security Visibility
  • 36:14 Continuous Learning in Cybersecurity
  • 41:53 Community Engagement and Knowledge Sharing
  • 45:32 Respecting the Journey in Cybersecurity

Companies mentioned in this episode:

  • Segura
  • Trend Micro
  • Black Hat
  • Defcon
  • BSIDES
  • AWS
  • GCP
  • Azure
  • CrowdStrike

Transcript
Joseph Carson:

Hi everyone. Welcome back to another episode of the Security By Default podcast. I’m the host of the show, Joe Carson.

I’m the chief evangelist at Segura and really excited, for me, such a fantastic episode today. This is a person who I’ve been watching and listening to and going to his talks all around the world.

So it’s a pleasure and an honor to have a great friend, Filipi, join me for today’s podcast.

So Filipi, if you want to give the audience a bit of a background about, you know, your origin story, how you got into the industry, what you enjoy doing and some of the things you get up to today.

Filipi Pires:

Thank you so much, Joe, for having me here, and it’s a pleasure again to talk to you. So since the last time that we met, we were together at RSA, I think, at RSA.

Joseph Carson:

Even, even Sao Paulo.

Filipi Pires:

Yeah, exactly, Sao Paulo, a few days ago actually. Yeah, I’m getting old, man. Sorry for that.

Joseph Carson:

Same for me too. I was like, what was the last time?

Filipi Pires:

Yeah, exactly. So again, thank you so much.

And yeah, so I’m Filipi Pires and I have worked in the cybersecurity field for the last 10 years, I think in technology more than 15 years. A few things about me: I have a quite different journey in the industry, let’s say.

Yeah, because I graduated in sales and, let’s say, process management. And after that I decided to move to a technical career.

Why I did that: because normally people work in a technical career and after that they move into sales, but I did the opposite.

arket in the past, I think in:

However, after moving into the technical career, this was like a passion for the first time. Like I, I simply, you know, learned how the technical things work and I decided, okay, I can do something different here.

technical background. And in:

Actually, cybersecurity chose me. And that’s the real story behind this, or behind the scenes, as we were talking earlier.

And yeah, so I worked on the defensive side when I was a sales engineer at Trend Micro. And after that I moved to Poland.

I lived in Poland for a few years as a penetration tester, and it was a very nice experience to work on the other side, let’s say, in the field, because I was a defensive guy. So after that I moved to the offensive side. So thinking both ways, actually.

And after that, you know, came the pandemic and I received an offer to move to Brazil. Not to move, but to return to Brazil. And by the way, I’m Brazilian. Yeah, exactly.

Joseph Carson:

Important note.

Filipi Pires:

I’m not, I’m not sure if it’s important or not, but, you know, I’m Brazilian and yes. So now I’m living here. I don’t know where I’m living, inside of the airplane, maybe.

Joseph Carson:

I know, yeah.

Filipi Pires:

So actually right now I’m living here in Portugal, but I don’t know, tomorrow I’m leaving for Dallas.

actually. And, and yes, after:

I was working as a threat researcher in a Brazilian company and I decided to move again to another country. So based on that I moved to Portugal and I work, you know, as a researcher. At that time I started to work at Segura, and before we.

We called it Senha Segura, but yeah, Senha means password in Portuguese and Segura means secure. And it was a very nice journey. And now I’m head of Identity Threat Labs.

So I’m responsible for, you know, doing investigations and understanding how attackers are, you know, collecting credentials and using different techniques to exploit, you know, identities, and how.

Actually this is a very interesting topic, by the way, Joe, because in the past when I was a sales engineer at Trend Micro, I was studying malware, how malware works. But in fact for the malware, you know, to do a kind of infection in the machine,

the user on this machine specifically needs to have a kind of permission. So we’re talking about identity, and at the end of the day everything is about identity. And that’s the key.

So basically that’s my main role at Segura, you know, doing investigations and talking at conferences based on some research that I’m doing, presenting at conferences like Black Hat, DEF CON, RSA, BSides and other conferences.

Joseph Carson:

Some of the most premium, top conferences around the world, and it’s always, you know, fantastic to see you speaking at those events, because it definitely means that you’re educating the world. And a lot of the research you’re doing. What’s some of the fun research you’re doing at the moment?

Is there anything specific that you’re looking into, anything that you’re finding that’s hot and interesting?

Filipi Pires:

Actually I’m doing some research about malicious PDFs.

I like this specific topic because usually I like to do the kind of research that is not so specifically about, like, zero-day things, which is interesting of course, but I prefer to study things that are more practical. Let me just explain in more detail. So I prefer to do the kind of research that focuses on use cases, for example.

So my previous research was about how attackers are exploiting, like, financial organizations, or not exactly organizations but the financial team and HR team, or people team, or talent acquisition team. Why? Because in a normal day they use a lot of.

They need to open a lot of PDFs, like for example invoices from the financial perspective, the financial team, and for the talent acquisition team we’re talking about CVs, resumes, you know. So those are the normal activities: opening PDFs.

So thinking about the attacker, how can the attacker exploit those environments, or how does the flow of this type of technology work? Like, let’s talk about the people team, like the HR team.

So they have a device, and inside this device there is an application focused specifically on HR. So they receive CVs from maybe LinkedIn or another source. So they receive those PDFs and they need to open them on their machine.

And usually this application requires administrator access. So based on that, this user requires high privilege for this specific identity. And so this is the flow of the organization.

So thinking from the attacker’s perspective, how can the attacker exploit those identities? So that’s one way that I like to do research, and of course another piece of research that I’m doing is about the cloud.

You know, how attackers exploit misconfigurations in the cloud. Those are the two main topics, let’s say.

Joseph Carson:

Absolutely. And what are some of the most common tools that you use in order to do the research? Using commercial-based tools? You know, things like.

Filipi Pires:

No, no, no.

Joseph Carson:

Usually open source.

Filipi Pires:

Yeah, usually I prefer using more. I’m getting, getting old now, but, like, I’m kind of, how can I say that, more of an old school guy.

So I like to use more the open source tools and I like to do a kind of manual analysis. For example, from the PDF perspective, I like to use pdfid to identify how many objects we can find in the file.

And after that I like to use pdf-parser to do a kind of parsing and to see if in each object I can find specific embedded things like URLs or URIs or maybe encoded JavaScript, for example. And after that I go, you know, using another tool; I can use, you know, pdftk, for example, to compress or decompress.

And I know that one of the guys at one of the conferences where I was speaking, I think two months ago, one of those guys came to me and he said that PyPDF, they, you know, restarted the project again. I didn’t know that, but I didn’t use it because they had archived the project, but they decided to open it again.

So usually I like to use more than one tool for specific activities.

Like, for example, if you think about the offensive perspective, I like to use, for example, DirBuster and wfuzz; these are two different tools for the same usability, let’s say. But I prefer to use more than one tool just to compare the results. And maybe one tool works better than another for some reason.

And something like this, yeah.

Joseph Carson:

I’m the same. I switch between them; if you understand the core concept, the fundamentals, and you do it manually, it means that you can easily switch between tools. So you’re not learning the tool, you’re learning its technique. And that technique then becomes universal. So I absolutely agree.

Using things like wfuzz or even ffuf, they have different benefits. Sometimes they’re better at subdirectories, better at domains, subdomains, so they have different kinds of value.

And ultimately when you’re doing those types of techniques, you can switch between the tools in order to make sure you’re getting the most value and automation that you need. So that’s definitely my preference.

And I think that everyone who’s getting into the industry: don’t learn tools, learn a technique, and then the technique becomes universal.

Filipi Pires:

Yeah, exactly.

This is a very nice point that you mentioned, because that’s one of my main, you know, let’s say, pieces of advice for students and attendees. This week I was speaking at C-Days, one of the most traditional events here in Portugal, in Historio.

This is the name of the city. And I was explaining to the attendees, I don’t like it when I present something and the guys look at me and say, okay, wow, this guy speaks very well.

And the talk is super technical. And at the end of the day they didn’t understand anything and they cannot put anything into practice. So I don’t like that.

I prefer, you know, I like to say, okay, they can put it into practice next Monday. Like, okay, they learned something from my pitch and next Monday they can put this specific thing into practice in their job. That’s my main concern.

When I talk about something, based on that, when I present some tools, I like to share something about, okay, how this tool works, how this tool really works in a deep way.

For example, strings: when you type strings to, you know, search for some letter or something like this, usually strings just prints at least four characters, not two or three, at least four.

So because of that, when you execute something like strings on some PE files, for example portable executables, it never prints the MZ, for example, the first two bytes in the file, because this is just two characters. And if you see, strings prints just at least four. The same game, the same thing is about file type, for example.

Joseph Carson:

Magic bits.

Filipi Pires:

The magic bits, exactly. So it’s, it’s easier to manipulate files and to induce different tools to bring different results.

So when you understand how the tool works, or the concept, as you said, it’s totally correct. You can, like, use more than one tool or you can create your own tool.

Joseph Carson:

Absolutely. That’s one of the things that I learned when I was doing a lot of capture the flag events, um, that I get, you know, I always find it one.

And one of the trainings I give is hacking gamification.

And the reason for that is that I want to teach people the method of learning, not just to get the flag and get the win, and, you know, be able to compromise the machine or, you know, get the root flag. For me, it’s really about the process, the journey that you go through.

And one of the things I always teach the students is that it’s not even just about learning the method of getting to the flag, but it’s also about understanding why the machine’s vulnerable in the first place.

So even to the point where there are some machines that I have done in the CTFs that I go and try to recreate, to understand what the configuration was, what made it vulnerable in the first place, how I can actually harden that system to prevent the actual technique from working, and even to the point where sometimes there’s the documented way, and I also like to try and find the undocumented ways.

For example, when I’m doing the capture the flags, my preference is to get an elevated shell locally and not do reverse shells.

So, you know, because connections are noisy, but sometimes what I like to find is: are there alternative ways to do the same thing that allow me to gain access? So absolutely. It’s the journey and the process and the method of learning.

We’re ultimately teaching people how to learn quicker and learn better and become, basically, lifelong students in many cases.

Filipi Pires:

So yeah, that’s it. CTF is a very nice way to learn, mainly nowadays. I.

like not if no I remember in:

It was kind of, you know, the challenges or some kind of machines were unreal. They’re not exactly real scenarios, you know what I mean?

And nowadays, like Hack The Box, TryHackMe, they are using more realistic environments. So that’s a good way to learn. Like they have specific rooms. So you and me, we can create our own room. We can share it with the community.

I think that’s the way we can learn more realistic things, because, for example, steganography, okay. It’s a kind of technique.

Joseph Carson:

It’s an art. Yeah.

Filipi Pires:

So who is, let’s say, the APT group that uses steganography? I’m not sure, you know what I mean.

Joseph Carson:

Like, it is a very rare use. It’s not something. I would say it’s a technique that does get used, but very rarely; it’s not common.

That’s the thing: you find that there are ways. So, you know, I’ve seen one method of actually distributing malware using playlists, basically music playlists.

Because you’re downloading XMLs; hidden within the XML, they can then parse it later and then basically create and compile a piece of malware. So you look at people who are being creative and trying techniques. But it’s.

It’s definitely a lot of those things are more academic-focused than they are real-world-focused, unfortunately.

Filipi Pires:

Yeah.

Joseph Carson:

And that’s what I do find is that absolutely the machines I’m seeing more recently are really close to real environments.

Sometimes for me it’s even like, I’ve seen this in an incident that I helped do incident response for maybe, you know, eight, nine months ago. And this is so close to the technique.

So I think definitely getting closer to real-world scenarios definitely helps show people what they’re dealing with.

Because for me, the academic way of doing things that I grew up on definitely still helps me today, because it built that foundational knowledge, but it doesn’t help me on the practical side of things. It has that foundational knowledge, but not the practical sense.

The simulation side. I’d like to get into what are some of the top techniques you’re seeing today in identity threats? What are some of the most common techniques that you’re finding that organizations are kind of struggling with when it comes to identities?

Filipi Pires:

Yeah, let’s say the thing that I’ve been involved with for the last few years is not exactly, because, you know, the world is super big, it is difficult to say, okay, this is the main technique that I’m seeing, but what I’m seeing from attackers is mostly not a specific technique, but misconfiguration. Like, we are talking a lot about machine identity and non-human identity.

And because companies are creating different, or they are buying different tools to automate different processes and integrate different things. And okay, I could say something like, okay, a golden ticket attack, or, you know, pass the hash, or, you know, some man in the middle.

Joseph Carson:

But.

Filipi Pires:

But the thing that I’m seeing when I’m talking with companies is about misconfiguration, because let me just give an example. So I talked with some companies in Brazil and in Europe, in Germany.

So they said to me, okay, so my developer team, they need to, you know, they are starting to work with infrastructure as code.

So when they need to start the Lambda process, like one of the services in AWS, they go to the policies in AWS, they see the policies about Lambda and they use this specific best practice from AWS for using Lambda. Or even if they are not using infrastructure as code but working in the traditional way, working with EC2, for example,

the instance, they go to the policies in AWS, they see for example the AWS EC2 standard policy, but they don’t care about the bunch of actions that are inside of this specific, you know, permission; they just enable it because it’s the standard from AWS, and that’s the key. So then they came to us, I mean me and the Segura team, and they said, okay, so we are maybe suffering a kind of attack.

So what happened is, when we go deeply, we saw, okay, so the attacker collected these credentials here.

And when I say credentials, I mean, you know, secrets and keys. And these credential keys have permissions.

And when we go deeply into the policies, we can say, okay, this attack happened just because of this specific, you know, permission that allowed the attacker to do different things and escalate privilege.

So at the end of the day, it’s not a technique like pass the hash, golden ticket, you know, using, like, Kerberos or whatever, but they are using specific misconfigurations or, you know, keys and secrets exposed to the Internet.

Joseph Carson:

Yep, absolutely. That’s one of the things I’ve seen quite commonly as well. When I think about.

I did some research a couple of years ago where I took the top 10 most commonly used software in the world. Like, you know, that businesses typically use from an enterprise perspective.

And I went through the process of, you know, the documentation, I followed all the steps and I did the installations. Nine out of ten of those pieces of software required you to have a highly privileged account in order to run the application.

So now you’re already having a service account, a machine identity, that’s now running those applications.

So that’s the first step: now these applications are very privileged and have access to sensitive data, typically their HR systems, their large databases, their workforce applications, CRM applications. And they go through and they need privileges to run.

So the next stage I went through was to understand, okay, if I follow the documentation and I don’t choose, I don’t make any change in the configuration, I just do next, next, next, next through the installation. And we always hear the term. That’s one of the things.

And that’s why the name of the podcast itself: we always hear the term security by design. And I think it’s great. Design is fantastic. But design must also mean default. It means that the security has to be turned on.

And if I take all of those applications and software and I do next, next, next, next, next, the default configuration is that security is not enabled. And that’s.

Then you get into, okay, there are ways to break out of those configurations to spawn child processes that are running with those privileges, or to spawn different applications or libraries that can actually inherit those privileges.

And that’s the challenge, to your point: misconfiguration is causing a lot of these issues where identities get exposed, especially privileged credentials. But unfortunately the misconfiguration is because they’re choosing the default. It’s not turning security on in the first place.

Filipi Pires:

Yeah, and you bring up something very interesting, because one of my talks is about misconfigurations, how attackers exploit them; I sometimes share some, you know, Python code, how they can use a crawler to collect, you know, secret keys and other types of authentication things.

And usually when I present something I ask the attendees, okay, who here works with AWS, Azure, GCP and whatever, and 90% work with AWS.

And my second question is: of those 90%, who in the room or, you know, in the space knows about the AWS Well-Architected framework? And usually, of this 90%, the maximum that I saw was 10% who know about the AWS Well-Architected framework.

That’s a big problem, because this is the kind of guidance for implementing the AWS architecture, and by default they have there a kind of least privilege concept. But it’s a too long framework. And that’s the problem: it’s too long and usually people don’t like to read manuals.

Joseph Carson:

No one reads manuals. They look at it when there’s a problem.

Filipi Pires:

Yeah, I don’t like to, I don’t like to read, but we need it. But I don’t like it. But anyway, so that’s the key. It’s a problem for some people and an advantage for other people, and that’s the key.

Joseph Carson:

I do remember that I think it was about two years ago.

I’m always looking at the Verizon Data Breach Investigations Report as the annual kind of indicator; it’s almost like our last year’s scorecard for how well we’re doing as an industry. And I remember that misconfigurations became one of the top methods. It overtook everything else. They had it under user error.

But I always say that there’s a difference between user error and misconfiguration. User error is when the user accidentally did something that caused it.

But misconfiguration, in the cases that I’m always finding, is because the settings are not the default, they’re not elaborate, or it’s too complex. They will just say it’s too complex, they can’t do it, and they’ll just turn it off to get the application working.

Yeah, and that becomes a major problem.

Filipi Pires:

Yeah, it’s interesting.

Another interesting thing is, okay, so if we go to the reports, we will probably not see anything about big zero-day things happening to the new companies. Usually the big, you know, data breaches that we saw are about, you know, un-updated software.

I start working the field in:

Joseph Carson:

The patch was available for one year.

Filipi Pires:

Exactly. And legacy software.

Joseph Carson:

Legacy software. So a massive Achilles heel for the organization.

Filipi Pires:

Yeah. So if I go right now to Paris or Denmark or the US or Argentina and I ask some companies, oh, okay, do you have any legacy software?

They will say, okay, I have a bunch of legacy software. So after 10 years, the same problem keeps happening. That’s the. And because of that, I think the.

So when you talk about phishing, like, phishing is so simple for us.

Joseph Carson:

It’s a way, it’s a way that, I mean, some of the, I’d say, younger generation of attackers are using phishing to so much of their advantage; you know, they can get the user to do what they want by just having a conversation. I do see a lot of the legacy systems. I see it so often because we travel, we go on planes, buses, trains, hotels.

A lot of times you’re looking around and you’re just like, huh, okay, that’s using Windows XP, or aha, okay. Actually, even if you think about the end of this year, I think Windows 10 is coming up to end of support.

So you have to think about even how old systems are, to what, you know, what legacy means.

Sometimes we’re still thinking, in my generation, it’s XP, but I still see Windows 7, Windows 8, Windows 10, and it’s unlikely that they will be updated anytime soon.

Filipi Pires:

Yeah, exactly. So. And we talk again. So my research is more about the use case, as I said. So if you think about the use cases, it’s simple, like this.

So each developer needs to use VS Code, for example, and VS Code requires administrator access. And that’s it.

So however the company works, like, is it a startup company, or even if it’s a bigger company, an enterprise company, it requires the same thing, the same, you know, permission. So for the use case they need to enable it. So how could the companies mitigate that?

So they should give just the permission at the application level or, let’s say, the device level. So that’s one way that you can mitigate those types of things. But usually the company says, okay, I need to give the permission for this application.

Like, this is a business, I know that’s a business. But to increase the security posture, the company should look in more detail and more deeply at each specific use case.

Joseph Carson:

Just in time is where we really need to get to. I always remember when I started off in large data centers 25 years ago, I was responsible for 100,000 servers. 100,000 servers.

And we’re talking about major data centers that had pharmaceutical companies, government systems, financial, mineral mining companies. And there’s me sitting on my laptop with one domain administrator account, and I could simply just log on to any system that I wanted to.

Because I was seen as the guy who fixed everything. Everyone was like, oh, call Joe, he can fix it. But that was the case.

But I realized that the risk that exposed was so massive: if you’ve got one domain credential that you’re using on a daily basis to access all those systems, that becomes a massive, basically high risk.

And that was always kind of where I really embraced the principle of least privilege and application control and the value of having PAM solutions do just-in-time access. Because what I always remember is it was where I got into the world of virtualization and it was a massive time.

In the late:

And during that time I remembered that actually, you know, we also need to move away from persistent privilege to just-in-time, you know, non-persistent privilege, meaning that you get the privilege when you need it, at the time, for the task on the system, for doing that specific, you know, maybe, you know, service ticket that you might have, or upgrade, or application execution, or running a report. That really then limits the time that attackers can expose those systems. Because ultimately when attackers have unlimited time and gain access to systems that have persistent privilege, that’s where basically they win.

And we had to eliminate the time window and take the persistent privileges away. And that makes the attacker’s job as difficult as possible.

Filipi Pires:

Yeah, definitely. And that’s the interesting thing. So everything, at the end of the day, even 20 years ago, is about identity.

The thing is that in the past we didn’t talk about that. We talked about it in a different way, but it’s identity and permission.

Joseph Carson:

Today it’s even more difficult, because when I was doing this 20 years ago I had my one account for my day-to-day job, my email, my communication, access to company resources, and then I had my privileged account. So two accounts.

If you think of today, with machine identities, non-human identities, bots, agentic AI tasks, backup jobs, cloud workloads, the number of identities has just accelerated. I think if we look back at the Gartner report. I mean, when I did a calculation about 10 years ago it was like one to five.

You had, you know, for every one human account you had five non-human or machine identities. Then a couple of years ago Gartner said that it was like 1 to 45.

And now I think, even if we look at today, it’s almost probably 1 to 100 when we introduce AI and automation. And the acceleration that organizations have to manage is just unprecedented when it comes to identities.

Filipi Pires:

Yeah. And nowadays we have a bunch of problems, but we can, you know, I can say two problems here.

The first is observability.

So the companies don’t know how complex. They know that it’s complex, but how can they protect the environment if they don’t know how each application really works? Like, they don’t have observability of those integrations and other types of things. Sorry.

And the second thing is, okay, we have 1 to 100, you know, access. Sorry, what is easier to do? Okay, let me give the same access level to the 100 identities. Is it better?

Joseph Carson:

Like, it makes people’s lives much easier, but the risk that exposes is astronomical. I completely agree. Visibility and observability are crucial, especially in a multi, hybrid cloud, SaaS model.

Most organizations are using many stacks. To try and do it at a stack level is impossible, because you’d have to have an army of resources just to manage those individual stacks.

And that’s where solutions that deliver solid identity security platforms are the way to go, because it helps you unify those stacks.

Filipi Pires:

Yeah, I remember, I think eight months ago, I was talking with a specific customer and he was explaining to us something about the challenge that he had with GCP permissions, you know, the Google Cloud permissions. So they saw more than 15 users that, you know, enabled the first level of permission. And it’s very easy to see this.

These 15 guys, they tried, they needed to do a kind of task activity in their company, in this specific company, but they didn’t get to do this. So then we saw another custom level of policy, but it didn’t work. Yes.

And after that they gave high privilege to the same 15 guys, because, like, the first level didn’t work, the second custom level didn’t work, the third level is administrator full access in GCP, which works. Okay, let’s give full access.

Joseph Carson:

Let’s just leave it as that.

Filipi Pires:

mpany has more than you know,

Joseph Carson:

I remember last year listening to Sean Metcalf's talk on the cloud, for Entra ID, and he went through the number of possible permissions and entitlements and privileges that you get, and it's just so complex that most people, the majority of companies, just choose the simple defaults with the higher privileges, because they don't have the time, the resources and the knowledge to configure it so tailored that it works in all scenarios.

Filipi Pires:

Yeah. Like when you talk about the on-premises environment, okay.

Usually we have Active Directory to protect. It can be more than one if you have, like, other locations in other different countries; we can do kinds of integrations. If you'd like to see more of the defensive side, we can use, for example, BloodHound and see it in graphs. It's very nice to see, but usually it's easier, easier again, to manage that type of thing. However, when you talk about multi-cloud...

Multi-cloud is, man, a huge amount of possibilities.

Joseph Carson:

I think it's Carlos who is creating PurplePanda to help us get that visibility, which is also great. And then there's Lars who does Adalanche as well, which is also great. There are so many great ones; BloodHound's one of my favorites as well.

Filipi Pires:

Yeah, exactly.

Joseph Carson:

It's just important, though, to get the different perspectives, because this is how attackers look at your infrastructure, and it allows you to start bringing a lot of those misconfigurations to the surface, which ultimately is a starting point to help you map out your journey and make sure you get solid identity security best practices into the organization. But visibility and observability, to your point, is: let's see how easy it is to find those misconfigurations and potential risks.

Filipi Pires:

Yeah. If you work with cybersecurity, for example, there are a bunch of open source tools. Of course there are enterprise ones as well.

And like you said, for example, BloodHound is open source and they have an Enterprise version as well. But of course BloodHound is more focused on Active Directory.

You have, of course, AzureHound, which is more focused on Entra ID, if Microsoft didn't change the name again.

But anyway, for example, for AWS you have awspx, which is another example of open source, and Cartography is another example of an open source project focused on visibility in the cloud in a graph way.

Let's say in this case Cartography we can integrate with AWS, Azure, GCP. But I like one of these specifically, two of them, I don't remember the name, but I can find it here during our conversation.

Joseph Carson:

Yeah we can put it in the show notes afterwards.

Filipi Pires:

Yeah, exactly. It's not exactly a security tool, but they work with the Neo4j database. It works in the same graph way, but they have many collectors.

You know, like you can connect with AWS, Azure, GCP, and you can even collect, for example, from CrowdStrike, Trend Micro and other different sources of identities.

And it is interesting because this just puts together a simple big data source of many identities, and once you have this in your environment, you have observability, and that's the interesting thing at the end of the day.

So if you're a security guy, you can implement something more in the security way, but again, at the end of the day, how can you protect things that you cannot see and don't know exist?

Joseph Carson:

And don’t know what security is actually protecting them as well. So.

Filipi Pires:

Yep.

Joseph Carson:

So, question for yourself. I mean, this is a massive area and it's always changing, and you always need to stay up to date. What's some of the...

How do you stay educated? What's your method of learning? Where do you go for knowledge, man?

Filipi Pires:

I do many things. Like, I have here on my table right now, I'm looking at this, I have seven books from Packt, for example, and I need to read those books, by the way. Three are about malware, three are about...

Two are about cloud security from an offensive perspective and one is about privilege escalation.

Joseph Carson:

One of my favorite books is the Operator Handbook by Netmux. If you haven't read it... and you can see my way of taking notes.

Filipi Pires:

Yeah, I will put it on my list. Definitely I need to put this on my list.

Joseph Carson:

It is fantastic.

It's great because it gives you not only the Windows and Linux privilege escalation, and also Mac, but also does a lot of what you're talking about with the cloud, GCP, AWS. So it's a great book. It hasn't been updated in a while, and it does take a red team, blue team, kind of purple approach. But it is a fantastic book.

Filipi Pires:

Yeah. So I read some books and I like to... One of my suggestions for the attendees is to look at the Burp Suite Academy. It's very nice.

Yeah, this is fantastic. I'm using it; usually I like to share it in one of my courses.

When I do courses, I like to use this tool, this platform, to teach people, because they bring the theoretical part and after that they bring the labs to put it into practice.

And if you have a kind of challenge, they have a kind of YouTube channel, videos, and they can show you how you can, you know, solve those problems, with a kind of guidance. So it's very interesting. And you can go through different techniques for offensive security, thinking about web applications.

And there are a bunch of other things that I like to watch, kind of, you know, YouTube channels. Sometimes when I need to do something specific, I look at people like Jason Haddix or Jetix. There are a bunch of guys, and I like the Phillip Wylie Show.

Joseph Carson:

Yeah, Phillip Wylie is fantastic.

Filipi Pires:

They will publish probably our conversation in a few days.

Joseph Carson:

IppSec rocks.

Filipi Pires:

Yeah, exactly. Because, at the end of the day, one of the projects that I like is Hacking Is Not a Crime.

I'm one of the advocates of this project. Yeah, the idea behind it, because hacking is really not a crime, it's about...

Joseph Carson:

It’s a mindset.

Filipi Pires:

Yes, exactly, exactly. Methodology, a creative mindset. And that's the key at the end of the day.

So when you're, you know, watching or hearing some podcasts, you can bring in kind of, you know, new ideas. That's the interesting thing. So maybe you have, you know, something technical, like, you know, how you can explore some environments.

You know about cross-site scripting, SQL injection or blind SQL injection, many other techniques. You know how you can do golden ticket exploitation, pass the hash, you know, hip spray, whatever.

But okay, so, like, you know how DoS works or DDoS works. So how can you use your creative mindset? Those are things that you can watch in different podcasts, and you have different minds. So that's the...

I'm learning this way. That's talking with people. That's the thing.

Joseph Carson:

That's my method as well: you know, reach out, make a connection, and when I actually run into challenges, I'm always reaching out and saying, hey, I'm having this problem, you know, do you have any suggestions?

And they're always willing to take the time, because they're the same as myself and you. We dedicate a lot of our time to educating the world, and we like to surround ourselves and connect with people who do the same.

And we're all passionate about passing on the knowledge.

Filipi Pires:

Yeah, definitely.

And one of the things that I want to start to do is a kind of research. I was talking with one guy in Brazil about critical infrastructure, mainly energy, because of the identity threat labs perspective. So actually Segura has a very nice concern about nation-state, you know what I'm saying? We're totally involved with that.

And I want to start some studies and research about those types of attacks, how it works specifically with energy things, oil, gas. Because I think it's a kind of environment where we can see many, many legacy environments.

And not only that, but different specific protocols, like SCADA, like we were talking about, and in Brazil. And I'm starting to do kind of...

I will start. I'm not starting yet, but I think next month, basically it will be happening in four days next month, I will start my research about that.

Joseph Carson:

Fantastic. Actually, for me, absolutely, it's an area where you think about systems that don't have a three-year or five-year life cycle.

They've got 20 years.

When you think about somebody who's creating a production line for car manufacturing, that's a long production line that tends to have a long life cycle. If you look at power stations, their life cycle is, you know, 15 to 20 years. A ship, same thing.

So their life cycle is much longer than your traditional IT systems, because in production they want to make a return on investment, and those returns on investment typically take 10 to 20 years. And, you know, lots of vulnerabilities and lots of discoveries happen in that time, and you just hope that they can patch and fix them.

Filipi Pires:

Yeah, definitely.

Joseph Carson:

So Filipi, it's so fantastic. I always enjoy talking to you, whether in person or online. And we should do this more often. We should make this more of a series.

Yeah, we'll do the latest top trends, what's happening in the industry. So for the audience, what's the best way for them to stay in touch with you?

Are there any conferences or events that you're speaking at in the near future, so if they do happen to be at those events as well... where are you going to be, where are you on the road?

Filipi Pires:

Actually, I will be talking at Hacker Summer Camp in August, and, yeah, I will be doing five talks at a minimum. I received approval for five. Yeah, that's huge.

Joseph Carson:

That's a busy, busy schedule for anyone.

Filipi Pires:

Yeah, yeah, it will be very nice. I like that. So I will talk at Black Hat this year again, for the second year. And I will talk at DEF CON, at the Red Team Village.

And I'm a part of the core team as well. It's a super pleasure for me to help the community. And I will talk at Cloud Village and Adversary Village as well. And I'm still waiting for...

And BSides Las Vegas as well. So I will do a kind of... So they can talk to me during the conference, or on social media and at events. Yeah, I like it. I like to talk with people.

If they come to me, we can, you know, take some pictures, and not only take pictures but talk about things and again share lessons. Yeah, exactly. I love to learn from people. And one of the things that I would like to mention to you is that we created one initiative in Brazil.

We call it the Red Team Community. It's very nice, because the idea of this community is, you know, putting everyone in the same, let's say, place. We have a Discord channel.

We have our... it's redteamcommunity.org, that's our community. So the idea of this community is to bring the offensive security mindset, you know.

And one of my colleagues that founded it with me, Oliveira, is a founder of Hakai, which is an offensive security company focused on Red Team.

The idea of this community is to help at different events, like, for example, BSides São Paulo, Hackers 2 Hackers in São Paulo, and other events in Latin America. And to bring this, a piece of the Red Team Village from DEF CON, to these events. Yeah, last year we...

Joseph Carson:

Bringing it home.

Filipi Pires:

Yeah, exactly. Last year we brought four people from the Red Team Village to Brazil. It was a very nice experience.

Not for us Brazilian guys, but for the guys from the US, because they had the experience of getting to know the Brazilian guys. They had this experience this year, to know how we were. We were very warm, let's say.

And that's the key. So it's a very nice project that we started, and I'm totally involved with different communities, and another community that I'm involved with...

Raíces Cyber; raíces means roots, and it's focused on, you know, Spanish people and Hispanic people, and Brazilian people that speak Portuguese as well. So, like you, I work with a lot of communities.

Joseph Carson:

Please, please do share a lot of the links. I'll add them to the show notes so it makes it easy for the audience to go and find those resources.

So we'll make sure that Filipi shares them with me, and I'll put them in the show notes so that everyone can easily find and access them. As always, thank you, and I look forward to chatting with you again soon. Any final wisdom for the audience?

Any last words that you would like to leave the audience with?

Filipi Pires:

Yeah, I think my advice for the attendees, the audience, is: guys, respect the journey. If you are working in cybersecurity, respect the journey. What I'm saying is, okay, if you're starting right now in the field, respect the journey.

So, you know, study those bases: understand how networks work, how the operating system works, how identity works, how each part of the technology works. And after that, apply the security concepts. But respect the journey. Like, I'm here, as we are talking, okay, talking at conferences.

But I spent 10 years, not one month, not two months, not one year. I spent 10 years. Joe spent 20 years, more than 20 years.

Joseph Carson:

So that's where the gray hairs come in after the...

Filipi Pires:

Yeah, he's getting older faster than me. Oh, I'm kidding. I'm kidding.

Joseph Carson:

Family, like, you know, you have to respect it. Absolutely. Because it becomes your life.

Filipi Pires:

Yeah.

Joseph Carson:

It becomes part of you, and becomes part of your DNA and culture, ultimately, and your social sphere as well.

Filipi Pires:

I know that, you know, sometimes people are very much looking forward. Okay, I need to move on. I need to, you know, increase my salary. I need to grow my career. But man, respect the journey.

Joseph Carson:

Yeah, enjoy. Enjoy where you are. And for you...

Filipi Pires:

Yeah, exactly. Each part. And learn those bases, learn those bases about everything.

Joseph Carson:

I think those are fantastic words of advice and wisdom for the audience. So again, many thanks. So for everyone, this is the Security by Default podcast.

It's all about bringing security knowledge, wisdom, lessons, leadership ideas, hot trends and topics with amazing guests like Filipi.

So every two weeks, tune in for the next episode, subscribe, provide your feedback, and also, if you're interested in hearing different topics or you would like a special guest, always provide the comments and feedback to me and I'll be happy to see if they'd be willing to come on the show. So everyone, stay safe, take care, and until next time, thank you.
