
This Anti-Cast was originally aired on January 15, 2025.
In this video, Tim Medin discusses the challenges and best practices of offensive and defensive security, emphasizing the importance of collaboration between red and blue teams. He covers a range of topics including password management, the significance of multi-factor authentication, and the use of techniques like Kerberoasting and tools like Hashcat and BloodHound for testing security measures. The conversation also highlights the need for effective communication and strategy development to strengthen security defenses and ensure a robust security posture in organizations.
- Understanding both offensive and defensive security is crucial for effective penetration testing and system protection.
- Password security remains a critical issue, with many people using weak or repeated passwords across different platforms.
- Collaboration between red teams (offensive security) and blue teams (defensive security) is essential for building robust cybersecurity defenses.
Transcript
Tim Medin
Thank you all for coming. Especially big thank you to all the fine folks at Black Hills and Antisyphon for putting this on, for putting this out there, for making these things freely available.
It’s so nice to be at a point in my career where I have the opportunity to give back because so many people have given me things. I hate to use the cliche of standing on the shoulders of giants, and there’s just so many layers, and I hope to be just a tiny person somewhere in that pillar in the hopes of giving back to all of you folks along the way. If you have questions, please put them in the Discord channel.
I love interaction. If you don’t interact, I end up going faster and faster and faster because I think you’re all bored. So feel free to post in there. We got Daniel here. Keep this, keep this live, keep this interesting.
Daniel Lowrie
So let’s get funny about the live chat. I was doing a live stream not long ago and I noticed that the chat wasn’t moving. I thought everything had frozen up and everybody was like, no, we’re just listening intently. Okay, well that’s good.
Tim Medin
Good problem, right?
Daniel Lowrie
Yeah, it was a good problem.
Tim Medin
Yeah. So, quick intro of myself. Tim Medin, founder and CEO of Red Siege Information Security. In a former life, I did some training at another big expensive organization.
Now we’re doing a bunch of stuff with Antisyphon and Black Hills and they’re great groups of individuals. I like the accessibility of it and of course it’s a much better price point. I don’t know if I’m supposed to say that, but whatever.
Cool. So one of the things here now, I’m a Red Teamer, right? Red Siege Red Teamer. I got a red shirt on. My face looks a little bit red in the lights. I need to fix that, maybe get some makeup.
Daniel looks fantastic. I look like I just ran, well, about 100 ft, but whatever I look like. It’s important to know that as a Red Teamer, if you’re looking to get into the offensive space, it really helps having the fundamentals, having the understanding of the defensive stuff and not just defenses themselves, but understanding system admins.
Like if you’re attacking a domain controller, a network, a domain, right. It helps to understand how that’s configured. Where can admins make mistakes?
When you’re given recommendations, understand.
Daniel Lowrie
Some of.
Tim Medin
The difficulties, like you’re going to say, hey, just apply this patch. And it’s oftentimes much more complicated than that. If you’ve got that inside knowledge, you’ve got better context.
You can talk to those sysadmins, those defenders, give them better recommendations, talk through some of those struggles, and give some of that feedback.
Good Lord, my camera froze again. That’s okay. We’ll just keep going. The unfortunate sort of corollary here. Not unfortunate, but it’s an important thing to understand is red isn’t special.
And it doesn’t pain me to say this, it frankly empowers me because if I think that, like, I’m the most important thing at your organization, it’s misguided, it’s misaligned.
The only reason that the offense exists is to help the defenders get better. And frankly, if we fail at that, we’ve absolutely failed at everything.
We’re on the same side. And this is something we get far too often where, because I’m the offensive person and I’m attacking your systems, our clients. I’m sure the Black Hills folks have experienced this numerous times.
It sometimes turns adversarial, like, no, no, no. We’re on the same team. We’re on the same team. We’re trying to figure out what’s wrong so we can fix it. It’s like going to your doctor and being mad when he figures out there’s something wrong with you.
Like, imagine going to your doctor and he’s like, what’s wrong with you? I was like, I’m not telling you. You figure it out. We’re doing a black box style assessment here. Like, your doctor’s going to laugh you out of the office. The whole point is to figure out what’s wrong so we can make it better.
Right.
Daniel Lowrie
So you’re saying, Tim, that we run these tests not for the purposes of patting ourselves on the back and saying, look how cool and leet I am. But we want to try to find out where the issues are so that we can remedy those issues and get better.
And I saw somebody in the chat really said, don’t, don’t a lot of times. And I have heard this. I can’t wait to get your take on this. A lot of times when someone’s been in that blue team for a long time and they’ve been working those defenses and they’ve been getting their butt kicked from time to time, because that’s what does happen over on the blue team because they got so much that they have to try to look after and curate and watch over and make sure it’s tuned just right, and they jump over to red team, they’re like wow, you’re a really good red team.
You’re like well yeah, I know where all the stuff is. I know where all the weak spots are. These things are. Would you say that that’s your experience as well?
Tim Medin
Absolutely. 100%. Like the more that we can work together the better, and work together effectively without judgment, with the ability to communicate freely.
Because if I say hey, something’s wrong and if you’re scared that oh no, people are going to find out we made a mistake. Yeah, well we all make mistakes and hopefully we fix this. And I see in the chat here people mentioning the purple team.
Purple team is a mix of the red and the blue, right. You go to art class, you mix the red and the blue together, you get purple. That is a very integrated back and forth with the offense and the defense because as an offensive person I don’t understand the context of all these systems. You as a system admin, the defender, you have much more insight there, much more visibility.
You understand the logs and you can see the logs whereas I can’t see all of those. So purple team is a logical next step in here or a logical part of this entire thing.
Daniel Lowrie
I do love the purple team. I think that’s been a phenomenal thing that has come within the last few years to really see that start to mature and become something that’s a part of a lot more groups than we’ve seen in the past, and just that, hey, let’s build something, let’s try to defend it, let’s test those defenses, see where it broke down.
All right, let’s go back and fix some of that. All right, let’s try that again. Hey, we passed that test this time. Now let’s move on. Let’s kick the can down the road a little farther. Lather, rinse, repeat until we have a nice mature security model that goes throughout our industry.
And so really great, and especially for people with not a ton of resources like small office, home office, the medium sized businesses out there, to build a small purple team that kind of gives them some training so they can build that out, start to test their own defenses, see if they actually work before they get an actual audit or a pen test for the year.
It’s been phenomenal, I think.
Tim Medin
Yeah, great point there and a thing too. I would suggest if you’re looking at getting any sort of offensive services, use those offensive people. They’re third party.
Maybe you’re not a big enough organization to have your own. Ask them questions. Ask them a ton of questions. They are a resource. Use that resource. They’ll give you information, or they should; if they don’t, find somebody else.
But the whole goal here is to make things better and better. We’ve seen, unfortunately, many moons ago where you would see this at conferences where as offensive people, we would come up with a new cool hack, trick, tip, whatever it was, and just mic drop and leave the stage.
Like, what are defenders supposed to do about it? It’s like, not my problem. But we kicked their butt. And you’re like, well, that’s so, like, did you make the world a better place on the way out? Not really.
Daniel Lowrie
Yeah, change of mindset, right? It’s a culture thing. I think that once we shift the culture into being more of the, hey, we’re not against each other. We’re just playing parts on a team.
Hey, I’m going to test that for you. You let me know if you detect it. If you didn’t, we got a problem. We need to figure out why that happened and where these vulnerabilities came from and why, and let’s create some procedure.
That’s what it’s all about. Moving that can down the road as far as we possibly can. So offense for defense. I do love that. Where do we go next, Tim? What’s the next idea?
Tim Medin
Let’s talk about one of my favorite topics and everybody’s favorite or least favorite, depending on which side you’re on. Passwords and how bad they suck. Right. Like passwords, unfortunately, they’re the predominant way to get into networks today.
I mean, I rebooted right before this thing and my camera’s freaking out. It doesn’t freeze when I’m in, like, a great pose. It freezes when it looks like someone has just kicked me in a sensitive spot.
Whatever. So, passwords. Passwords are a pain in the butt. Now for the attackers, attackers love passwords. Right? And we see time and time again, like, let’s say I go to LinkedIn, I create an account.
LinkedIn was breached, I think, in 2020, 2019. One of the two. Somewhere around there, maybe 2021, somewhere around that time frame. And this isn’t specific to LinkedIn, but they’re breached. Bad guys get, of course, the email address.
They get the password associated with it and they start to use that username and password combination all over the place. Does it work all the time?
Absolutely not. Does it work enough to be effective? Absolutely. In fact I would bet that 99.999% of the time when you have a family member who has their Netflix hacked, giant air quotes, it’s because they use the same crappy password all over the place.
And with so many of the other services where it’s hacked and it’s just, oh, I use the same secure password. You’re like, well it’s not really that, but credential stuffing can be tremendously useful for us.
So it’s always important, use those unique passwords. Daniel, any comments, thoughts?
Daniel Lowrie
Yeah, passwords are an interesting thing. As someone who does the training for how do we set a good password, why are passwords a problem?
It’s still a problem and it’s going to continue to be a problem because we really haven’t come up with a better solution. Right. The best thing we can do is obviously we have passwords plus some sort of multi factor thing.
But for me I don’t really hate passwords. It’s kind of like remember back in the 80s when no one knew how to program their VCR?
It was always blinking 12, right. It was a simple device. Everybody had one, everybody had that thing sitting on top of their TV blinking. But if you ever pulled out the user guide and figured out how to make it actually put the time on, then you could schedule when you were going to record something when you were at work or whatever.
It was mind blowing. This was such life changing technology. You can get pretty good with passwords as long as, right, you don’t fall in the trap of, when you google top 10 passwords for 2024, oh God, it will shock you if you haven’t ever done that before.
You will be like no, this isn’t real. This is absolutely not real. No one is using 1, 2, 3, 4, 5, 6 as their password. Bro, that’s top 10.
That’s what is being used, password and variations thereof. Mostly it’s those two things in some variant, maybe year end and season kind of thing going on.
Really ridiculous. And it’s because to me the passwords aren’t the problem. It’s that we’re not doing a good job of really changing the culture on what we should be learning and knowing about passwords, which are so important.
They protect your stuff so much that we need a good way to do it. I thought password managers were a great step forward in that. MFA obviously is another great step forward. When you start to bring things in and you start to learn how to create a good password, then I feel like it.
It’s not that big of a problem. We’re just always going to have those stragglers out there that are slow to catch up. That’s my take on passwords. We just got to do better.
Tim Medin
Yeah. Someone mentioned in the Slack, or the Discord rather, passkeys. Passkeys are great too. My biggest worry with passkeys is maintaining those.
I’m not convinced that there’s great ways to copy that from device to device when they upgrade phones. I put mine in a password manager. I think it’s a great solution. I just don’t have that data yet.
You go back to the credential stuffing thing. Like I mentioned earlier, I took some classes. Went back for some business school, and a rather prestigious school was always my dream.
I hate to say it because you guys are gonna give me crap, as you should, but I went back to school at Harvard and they’re like, hey, does anybody want to do a 15 minute talk on what they do?
And I did a talk on passwords, or sorry, security. I had 15 minutes, cranked this thing out, talked super fast. And I talked about passwords.
Don’t reuse. I can see them. They’re like, we get this crap at work. And then on the next screen, what I had done is I grabbed every single person’s email address, done a dark web search, found the passwords and put them all up.
And I’m like, yeah, here’s why you don’t want to do this and just put it to the next slide. And I just kept talking and the collective air sucking out of the room, one lady like, oh my God, that’s. And then you realized she was just telling the whole classroom that their password was on the screen.
But that’s okay because 75% of the rest of the people had their password on the screen. And it’s just a great demonstration. And I’ve done a similar thing. I’ve done talks for other organizations and I’m like, look, here’s a bunch of your passwords.
I did another one for a company in Portugal and we were doing it over Zoom and I saw a bunch of cameras like dark, dark, dark, dark, dark, dark. They just all went off. So I always pick those good passwords.
Right. So it’s important here for you if you’re a defender and you want to test some of these things, crack your own passwords, go to the domain controller, get those passwords, look for things like season and year.
Look for things like password1, your company followed by a number. If you can subscribe to some of the lists out there, look for some of those passwords, but get those things out of your environment because that’s what the bad guys are going to be trying to use.
Somebody posted like, yeah, well, you need a number.
Daniel Lowrie
Cool.
Tim Medin
Add a one. We need a special character. What’s the special character? Bang. Right. Go ahead, Daniel.
Daniel Lowrie
Yeah, I was going to ask you what your thoughts are, if you have any, on using a service like Have I Been Pwned to make sure that your passwords are not in a known breach?
Tim Medin
Yeah, those are great. There’s a lot of different services. Have I Been Pwned is the most famous of those. But looking for breached passwords for your organization, sometimes those notifications are really, really old and the password doesn’t match there.
But knowing and being able to try, be like, let’s try this password here real quick just to confirm it doesn’t actually work, and if it does, of course very quickly change it, talk to the user, maybe try to figure out how it was compromised, talk to them about not reusing passwords and of course use a password manager if you can.
Daniel Lowrie
Now, Tim, I’ve worked in the industry, right? And there was a time when I was in charge of setting password policy for a large organization. And we were pretty strict.
Like you weren’t allowed to use anything that had the business name in it or even the cities that we were in. Football teams, other sports teams, sports, things that were popular around the area.
We put that on the naughty list and you could not utilize any of that stuff, couldn’t reuse passwords that were more than two years old. Like, yeah, they had to be two years old or more.
We put a very stringent password policy in place. That was us. And a lot of people don’t do that. And I feel like a lot of IT admins, sysadmins that are out there that are in charge of setting their password policy in their Active Directory and doing all that.
They probably want to set stronger password guidelines but they’re not able to. Why do we see that? Why is that still a problem?
That in 2025 they’re not making it hard enough for passwords to not get cracked?
Tim Medin
Yeah, I mean part of the problem is traditionally with just on prem there wasn’t a built in mechanism to ban those passwords. It just didn’t exist. So there was no good way to do that thing.
Thankfully with the cloud and Entra you can put some of those bad password things in there. The hard part from a user perspective when they select a password now is it becomes almost a puzzle.
Like when you add all these, unfortunately, complexity requirements, which NIST recommends against these days because everyone knows take an A, turn it into an @, etc.
It becomes a puzzle. People are like I don’t know what’s going to work. And they try things like keyboard walks which technically meet the requirements, but everybody knows you use those keyboard walks.
So I think originally it was a lot of the tech just didn’t exist. And going to the cloud now we have more opportunities to add those kind of things. And I think some of it’s too a little bit cultural, getting people to do things with passwords, especially C levels.
Really freaking difficult.
Daniel Lowrie
Yeah. And when they write people’s checks they have a lot of sway, I’ve noticed, when it comes to what kind of policy gets implemented and what doesn’t, or exceptions.
Right?
Tim Medin
Oh my gosh. Yeah. Kathy’s mentioning in the chat, like I mean these, the original ideas were made up in, I don’t know, like the 80s maybe.
So sorry, someone’s asking about Intra. That’s Entra. Entra is the Azure identity piece, the login piece. It was called Azure AD; they renamed it to Entra.
Kathy was mentioning the password rotation, right. Like why is it we do it 90 days, and literally it’s probably two dudes just made it up. And the idea was to limit the amount of time the bad guys are inside the organization.
But if you look at any of the breach reports, the dwell time inside the organization prior to ransomware being crazy was five to six months, which is two rotations. These days we’re seeing that ransomware actors are moving so quickly.
90 days doesn’t matter, it’s irrelevant. And it forces people to weaker and weaker passwords, right, where they’re adding the one at the end, they’re incrementing the number at the end, stuff like that.
Right.
Daniel Lowrie
So what do you think about password managers like Bitwarden? And I know LastPass has had their sordid history, but they do have password generators. And since the idea is that, gun to my head, you couldn’t get my password out of me.
And because it’s all stored in my vault, the only password I know is the one to my password vault. Is this the way forward? I tend to use it myself, just to show my hand, put the cards on the table.
I use a password manager. I think they’re great. What’s your take on these things?
Tim Medin
I couldn’t agree with you more. Back when I was younger, I could remember; I had a fantastic memory. These days I like to say my brain’s getting full. I’m not getting older, but I know like four passwords.
I can unlock my phone, I can unlock my computer, I can log into my computer and I can log into my password manager. That’s all I know. The rest I have no idea. I got into my head, I’m like, I can’t log into Azure without my password manager.
And frankly, it’s faster. Like, I do the thing, it does whatever it needs to do, the bio if I’ve got that enabled, it’s faster, it’s easier. The passwords are random, they’re secure.
Daniel Lowrie
Highly, highly recommend. Yeah, the autofill alone, that person should get a Nobel Peace Prize because it stopped me from going on a horrible, like, arson spree of my own home.
Tim Medin
Yeah, we use 1Password. My family uses one. What the heck? Camera, you’re killing me. Anyway, but what we can do here is we can do some password cracking.
Try the passwords that we talked about, some of the bad ones that we talked about, local sports teams, et cetera is great there too. This isn’t a full in depth discussion of Hashcat, but with Hashcat we can take those passwords from the domain controller or other systems, perform some cracking against those, identify those weak passwords, train the users and then rotate those passwords.
And this is a little bit more, if you can’t get the shim in place to check the password for badness when it’s changed, this is the next best thing where we can try to find those after the fact here and not too late where somebody’s actually already used the thing.
Right. All right. Let’s talk about my baby. It’s not a Tim Medin talk unless I talk about Kerberoasting; my marketing guy makes me talk about it. But realistically, this is still effective.
I remember when I came out with this in 2014. We’re coming. It’s JCon. Yeah, he’s the one that makes me say it.
Daniel Lowrie
Oh, is Jake on here? Oh, there he is.
Tim Medin
No, but, 2014, so we’re coming up in September. It’s gonna be 11 years old. I’m like, this is gonna be cool for a while here. What this effectively means is your service accounts have no lockout policy and you can try passwords forever.
What I can do is I can get a ticket for that service and I can do an offline attack, which is effectively go as fast as I want for as long as I want. And of course, how often do people change service accounts?
The answer is, of course, never. And some of those service accounts, especially things like SQL, people are terrified of changing. So the passwords end up being very, very old, and don’t comply with the password policy.
Daniel Lowrie
I mean, how can we do this? I get it, right? Like, if things are working, the last thing you want to do is go throw a rock in your pond by changing something because no good deed goes unpunished.
Tim Medin
But, yeah, no quicker way to have to generate a new resume than taking down the database server.
Daniel Lowrie
Right?
Tim Medin
Right. Like, no, no. Yeah. Not. Not bad things.
Daniel Lowrie
I just. I just. I just, like, it was. It was him. Hey.
Tim Medin
Yeah, I was much more the cowboy side of things back when I was on the system admin side. I got stuff done.
Daniel Lowrie
Right.
Tim Medin
But I may have left a trail of burned things behind me.
Daniel Lowrie
Lots of band aid ripping.
Tim Medin
Yeah. All right, so, how can we do this? There’s a lot of different tools. I wrote the original one. My code is garbage. Quit going to my repo and asking me to update it because it’s terrible.
Terrible code. Invoke-Kerberoast. There’s Rubeus. Impacket has tools. A lot of these different things. A lot of different freely available tools out there to extract these tickets.
And then, kind of what we talked about before, Hashcat to do this cracking. Now, the cracking here, you’re going to want to be a lot more aggressive with than you would with the users’ passwords, because the user passwords do have things like account lockout for guessing, and because we can extract this ticket and do an offline crack of the service account.
And realistically those passwords never ever, ever change. We want to be a lot more aggressive in finding those passwords for those service accounts. And those service accounts are going to protect some very important, sensitive systems as well.
Daniel Lowrie
One of my favorite things about Kerberoasting, Tim, is I asked you one time, I’m like how did you come up with this? And long story short, it was like I got super interested in Kerberos and was just kind of reading about it and then I went, you don’t think that.
No. Yep, that works. And to me that was like, I was just having a conversation with somebody I think yesterday or the day before in a group. Oh, it was the Antisyphon student Q&A, and it was like man, get curious, people.
Everybody get out there. And I know we’ve gotta learn the things that we need to learn so that we’re good at this job and have the skills necessary to do blue, red, purple, you name it, whatever teams we’re on at that point in time and all the cool skills that are coming out.
But like get curious about something that just is interesting to you. It was like I’ve been playing around with hardware, right. I got a board right here. I’ve just been diving in, like what goes on in this embedded OS, and it’s that curiosity that’s going to lead you to something new that’s going to make you go hey, you don’t think.
And you’re going to have that Tim Medin moment and you could invent the next Kerberos thing. You could. And it all comes from that. Just like I’m going to hook into this and I’m going to spend some time on something.
So please do not be afraid to do that because that’s going to bring out the next level security things that we’re going to be doing for the next 14 years.
Tim Medin
Yeah, I can’t stress it wasn’t cool. It is cool, but I mean the story isn’t necessarily cool. It was literally some friends that I had met over the years at conferences and folks I had worked with, talked about that community thing.
Super, super important, but literally us discussing like hey, how does this work? And I’m like I think this is it, and just ended up digging into it and came out on the other side with something that works really cool.
But it wasn’t terribly difficult per se. I mean it’s all over the place, the good guys are using it. I remember being excited when I saw the bad guys use it and I felt bad about that.
But just find that thing that’s interesting, dig into that. I’ve got plenty of things that I’ve dug into. Nothing came out on the other side, but I did get learning out of it. It’s the famous saying from Edison when he was trying to do the light bulb.
They gave him crap about trying to build a light bulb. He’s like, man, you’ve got 500 failures. He’s like, no, I’ve got 500 ways it won’t work. I’m getting closer to the answer. I love it.
Daniel Lowrie
He answered with, I didn’t fail. I learned a hundred ways how not to build a light bulb. Yeah, okay, didn’t fail. Right? He didn’t. He learned failing.
He would have failed if he would have stopped. That would have been a failure if he’d have said, I guess this can’t be done. I’m just going to throw my hands in here and say, oh well. But he didn’t. He kept going and he figured it out.
Tim Medin
Yep. Yeah. Don’t be afraid of it. I hate even using the word failure. It’s part of success. It’s not the opposite. It is part of it.
Like look at a kid learning to walk. They will fall on their face a bunch and if they stop the first time, like, well, you’re able to walk and you made a choice not to because the first time you didn’t do well.
No, you have to so you can learn these things. I love the quote here from Stranded Slack. Fail more, fail creatively. Absolutely. Could not agree with that more. It is part of that process.
Daniel Lowrie
Exactly.
Tim Medin
All right, so let’s talk a little bit. Some of you mentioned in the Slack here about MFA, multi factor authentication. Is that the answer? It can be.
Does it make things better? Yeah, because if someone gets the password they now need a second factor. But unfortunately there’s going to be some systems where that just simply won’t work.
You got a Linux system, some sort of vendor system where it just doesn’t work. We can use. If you’ll notice here, we talked to Beau in the beginning and I’ve got a shout out here to Beau’s repo, MFASweep.
Look around the environment, figure out what doesn’t have it. There also might be some accounts where that’s not enabled: C levels, or it was set up for testing and it never got switched back, or a user lost their MFA and they turned it off so they could log in and get their MFA and then never re-enabled it.
So always important to not just say, yeah, we got MFA, we’re safe.
Daniel Lowrie
Cool.
Tim Medin
But where is it not being used? Where are we missing?
Daniel Lowrie
You think that eventually FIDO tokens, like a hardware token, are going to be adopted wide scale, and that’s going to be our white knight, our savior from the sky?
Tim Medin
I’m so torn on that because I was a very late adopter on that. And I think it biases me to some degree. I think those are absolutely fantastic.
The hardest piece, I think it’s good from a corporate enterprise perspective. It’s gonna be a little bit harder to get, like, my dad to use that.
I can’t get him to log in in the first place, but to use that kind of a token to log into some sort of service. I think they’re fantastic. It’s just it is a little bit harder now.
It’s easy to use. Super easy to use. It just means I have to carry this thing and I definitely don’t want to lose the thing. Right.
Daniel Lowrie
Yeah. I saw one company was making a FIDO2 compliant ring. So this, like, oh, it makes it easy. You just put the ring on and you wear the ring every day and you don’t have to worry about not having it with you.
And I thought, well, that’s a novel approach to it. That could be a definite way to go. Some people don’t really like wearing jewelry. Ultimately, at the end of the day, you got to figure out, maybe we make not just a ring, but there’s necklaces and afghan.
We could have all sorts of accessories that are FIDO2 compliant. So whatever your style may be, we have the FIDO for you, so maybe that’s where it’s going to go in the future.
But I definitely applauded them for trying to outthink the problem because, yeah, that’s the thing. It was like, how do you get grandpa? How do you get that boomer out there that goes, you can’t make me put this on.
I’m not carrying this thing around. My dad used to tell me, he’s like, why do they make this so difficult to log into? I go, because security is hard. And if we don’t do this, then you might as well just give all your stuff to the hackers, like that’s just what’s up.
Tim Medin
Yeah, the hard thing there is we’re making it harder for users. It makes it harder for the attackers too, which is very important. Which then means users sometimes do “smart” things, in quotes here, and reuse the same password.
Right. Things along those lines. I saw a question in the chat that scrolled by real quick: how often are we getting service accounts with Kerberoasting? I’ll give you the short answer.
It still works today. Not as much as in the olden days. Still absolutely an effective approach these days. So going back to that real quick, the MFA.
Look around your environment, you as the defender, look around, see where that is and isn’t in place, understand the risk. Sometimes you’re going to have to accept the risk, but at least know where the risk is and you can put additional mitigation, better monitoring on logins, successful logins to that system, firewall it off, maybe, et cetera.
Another great tool, Bloodhound. I remember when this first came out, I was like, oh cool, my job is done here. It will no longer exist. I have literally been replaced by a shell script. What Bloodhound does is it gathers information from Active Directory about groups, group memberships, until recently.
You could also get information about who was logged into systems, and there’s still ways to get that to some degree, and it builds an attack map of: you’ve compromised this,
how can you get to important stuff, domain admins, database servers, other critical systems here. As a defender, you don’t have to hire the expensive third party consultants.
You could do this yourself. You can do this yourself, right? You need an ingestor. There’s a number of different ingestors available. There’s Python, there’s PowerShell, there’s some C Sharp where we can take this.
We can also use AD Explorer from Microsoft Sysinternals, extract this information, bring it into Bloodhound, build that attack path.
Because what the problem is here, these are not vulnerabilities in the traditional sense where I can apply a patch. These are someone has created.
It’s not a problem inherent to Active Directory, it’s someone has created a group or a user and they’ve got the permissions incorrect. So it’s not a quick fix. Every single one of these issues is going to be a significant meeting and require architecture changes.
These are layer 8 issues I would like to talk about, where it’s politics and it’s bureaucracy and it’s change control. It’s not a quick, let’s patch that thing. It’s going to be a significant discussion.
And if you’re live-fire in an incident response, that is not the time to have these discussions. That is not the time to implement these fixes. You’ve got to have the plan because it can take months and months and months to resolve these issues and figure out ways around some of these things.
One example. Do I have it here? I talked about that. Let’s say we’ve got a help desk person. The help desk person can change passwords for any user on the network. Cool.
That’s their job. What happens now when the help desk person can change the password for domain admin? Well, they become a de facto domain admin. Right.
And how do you fix that? You gotta have a process in place. How do we reset those passwords? We have a domain admin help desk. Do they talk to another domain admin? How do they authenticate themselves to that?
So we’ve got to build some of those processes here. So Bloodhound is great for the attack paths, which is a little bit more what we see as offensive people, a little bit more what the attackers see.
Another great tool is called PingCastle. What PingCastle does is kind of the same, not the attack paths, but it will score your AD environment and help you with that.
There’s also Trimarc’s Vision product that does this. I saw somebody mention Purple Knight. I’m not familiar with that one. I haven’t used that. But Trimarc’s Vision is a great one.
Talk to those fine folks. They do some of the best, they do the best AD auditing out there in my mind.
Sharing is caring, folks. Yeah, except what it isn’t.
Daniel Lowrie
What I’m going to do: I have a GitHub repo with a bunch of AD security stuff. And a lot of the stuff that we’re talking about is in that repo, plus a ton of other tools. So I’m going to drop that link in here real quick.
I got to get logged into GitHub, but let me grab that for you. Cool.
Tim Medin
Yeah, check that in there. J.R. asked in the Slack what the tools I just mentioned were. I mentioned Bloodhound. Bloodhound is put out by the folks at SpecterOps. PingCastle is on the screen here.
Trimarc, that’s T R I M A R C. Vision is another one. Somebody mentioned Purple Knight. I’m not familiar with that there.
Cool. Yeah. So Daniel’s going to share some, some great information. Check out the, the Discord channel for, for this information. If you’re watching this later, come in. Ask the questions in their Discord channel.
I’m sure someone could help you out there, too. File shares. It’s in the name.
Daniel Lowrie
They are.
Tim Medin
We’re supposed to share stuff.
Daniel Lowrie
I like sharing, Tim.
Tim Medin
I do. What kind of. Have you seen the weird stuff floating around in file shares, Daniel?
Daniel Lowrie
Oh, man. Have you seen that meme of. I think it’s, Matthew McConaughey and he’s. He’s like at the thousand yard stare and he’s smoking a cigarette and he’s like, he was the Tor browser.
He’s like, I’ve seen some things. I’m like, yeah, I’ve seen me and you. We came from back when the Internet was the dark web, right? And it was, it was crazy, what was it?
Gore.com and all these other crazy stuff that used to be just prolific now, now it’s like a business thing. but so, yeah, I’ve seen nuts stuff.
I’ve seen a few file shares. I’ve gotten a few of those, those, snap. What were they called? Like grab files or whatever they were. They. They got a little crazy.
I do know that people like to share and it can get interesting.
Tim Medin
They do, yeah. I’ve seen things like, obviously, passwords. You see config files with passwords or keys, crypto keys or authentication keys. I’ve seen, literally out on a public share accessible to everybody,
the backup for the domain controller. So you pull that down, you can extract keys from there. You got access to everything, PHI, PII, the sensitive information here. It doesn’t have to be all of the PII, the PHI.
It can be a little bit, I was doing a pen test a number of years ago for an organization where you had to have, I think it was like 10 or 20 million dollars to knock on their door.
And those were the broke people. Like the people with hundreds of millions of dollars are like, oh, you only have one jet. I have a helicopter to get to my jet to take me to my other jet to take me to my yacht, right?
And I found all over the place, people were creating network shares to share information between each other because they had locked everything down so well, which is good.
But it also meant users got creative. They created their own network shares on their computer, which you can guess how well they were secured. They weren’t, Any access to everybody and bank accounts and routing numbers.
And as an attacker, how many bank accounts and routing numbers do I need with $10 million in it to retire comfortably? The answer is half. Half of. Half of one. Right. I’d be happy with less. Less than that.
Right. So.
Daniel Lowrie
Well, the fact that you’re still here, Tim, is a testament to your character.
Tim Medin
We had a. We were jokingly, we called it a, how do we call it? We had some short name for it, but an extradition. Like no ex.
We call it no X. No extradition. Like if we found something that was so big we’re calling no X, it means we find a country with no extradition policy. And we found it was for a company.
And we had bank account and routing numbers for like giant organizations where if they lost a million bucks, they’d be like, rounding error. We wouldn’t even notice. Yeah, right. And we could have transferred, I mean literally billions with a B, and it would have been not good.
Daniel Lowrie
And you’re still here.
Tim Medin
Yeah, we didn’t do it. So what can we do? How can we find those shares? There’s great tools. One of them is PowerView. PowerView has this, the name is terrible,
Find-InterestingDomainShareFile, and it’s going to look for file shares across the environment, look through those files, look for things: passwords, config files, VMDK files.
You can configure this. Another great tool is Snaffler. I like Snaffler a little bit better. Same sort of thing, gives you this great output that you can sift through. And again the hard part here is we’ve set up these shares, we want people to share stuff.
We might need to change permissions on that to lock some of these down and that becomes a layer eight issue.
Right. This is what I was just talking about where the credentials, or sorry, the checks were all over the place. Mike Saunders on my team had a similar story.
Here’s his blog post. We talk a lot about, in the offensive space, that domain, Entra, domain admin is interesting, but it shouldn’t be the goal.
It is a tool. It’s not the destination. Because like think about that company where I was finding bank accounts or routing numbers all over the place. I didn’t need to pivot, I didn’t need to escalate.
It was all there for the taking. So always remember if you’re doing that kind of thing, in both an offensive and defensive space, focus on what’s important. I’m not saying it’s not important, but don’t focus on the domain admin because that’s at least one step away from the important data.
Remember, defend, build the moats, build the wall around the data and everything else will kind of fall into place.
Daniel Lowrie
So you’re saying we can easily lose the forest for the trees by focusing in on. Yeah, if I don’t get DA, I didn’t have a good test, right. Like this was a wash.
It’s like, no, if you found vulnerabilities, if you found exploitable vulnerabilities or leaking information, all that stuff are good findings and they go in the report.
Find as much as you can because time is limited, resources are limited, and if you get bogged down in the weeds trying to get DA and you spend the entire week or two or however long the engagement is, putting all your eggs in that basket.
And yeah, maybe you popped it, but maybe you didn’t. And then what do you got to show for it, right? That I, I don’t think your, your customers are going to see a big ROI on going with that type of pen test.
Am I wrong on this?
Tim Medin
No, I mean, what’s the term we use in pen testing, the offense, when you get domain admin? I may be asking this question poorly.
Daniel Lowrie
Okay, the term we use.
Tim Medin
No, it’s very simple. Like, okay, we call that winning.
Daniel Lowrie
Right?
Tim Medin
Like I won.
Daniel Lowrie
Yeah, yeah, right?
Tim Medin
Yeah, yeah, sorry, it was gonna say.
Daniel Lowrie
So I like to do this.
Tim Medin
Yeah, right. Yeah, we call that win. But realistically, yes, it’s cool. Yes, it’s fun. It’s a cool accomplishment for me, in a very self serving aspect.
But that’s not the important piece. I mean, it is an important piece, but the important piece is that data getting to the domain admin the win. Cool. But you’re still one step away from the data. Go ahead, Daniel.
Daniel Lowrie
I’m going to use a sports analogy. Get ready. My one sports analogy for the year is it’s like being the quarterback on a football team and all you care about is how many yards you throw for. You don’t care if you’re winning, you don’t care if you’re winning.
like getting your team to move forward and doing well. All you care is what your stats look like. That is not the person that people want to play for. That’s not the person they want on their team.
Right. Person they want on the team says, hey, let’s do A good job together as a team for our clients, because we work for them and we want them to go.
You guys did a great job. Can’t wait to see you again the next time. We need this.
Tim Medin
Couldn’t agree with you more. That’s a great. I like that analogy. I’m going to steal that analogy.
Daniel Lowrie
You are welcome.
Tim Medin
Yeah. So I mean the short version here. What do we do? We got to clean that stuff up, right? It might take some meetings. We don’t want passwords out there. We don’t want keys. Some of the stuff may have to live out there. I get it. I’m m not going to pretend that it’s not the case, but we do have to secure that.
Another great way is deception. Like put some juicy stuff out there that no one should access. And if somebody touches that file, you’re like, we know we got a bad guy in the inside because no one should be looking at this file.
No one should be looking at this location. And use that because what happens then? The attacker then has to start questioning everything is what’s real in this environment. It slows them down.
It gives you more time as a defender to identify them and eradicate them.
Daniel Lowrie
That’s when it gets real fun is when you start messing with those oh yeah. Turds that have made their way into your network. Okay, yeah, no one’s perfect. You might get vulnerability. They found their way in and now, oh yeah, we’re littered with canary tokens everywhere.
So go ahead, touch stuff cool to give you.
Tim Medin
Yeah, it, it, it’s. I’ve seen it as a. When I’ve been incident response and they, you can, you can start to see when they’re like, oh, I hit something, they try to go faster and they realize I’m like, they start realizing they’re banging into tripwires all over the place.
And then they just, just sit and they gotta think like, what’s real? Like, where am I in the Matrix? I know too many of you sadly, are too young to have watched that excellent movie.
I can’t wait for a sequel. They only came out with one movie, but you should watch that one.
Daniel Lowrie
That is the best answer I’ve ever heard in my life.
Tim Medin
Because yes, another gift that keeps on giving: Active Directory Certificate Services. This is another one of those issues where it’s not a problem with ADCS itself.
It’s a problem with the misconfigurations. It’s a problem where someone has set the permissions incorrectly, configured it incorrectly. This is not one of those situations
where you’re going to go in and just live-change things without understanding the impact. We’ve got to set up those discussions beforehand. Just much like the AD misconfigurations, we’ve got to talk this through before we implement these fixes.
It’s not like just applying some sort of a patch here.
Daniel Lowrie
And what can be really difficult about defensive side of things, the thing that really gets your, gets your butt kicked is it’s really easy to do it wrong.
Right? It’s like, okay, everything’s working but you don’t know everything about everything. And everybody’s environment is different. Just because it’s similar to somebody else’s doesn’t mean it’s exactly like that. So there can be all these little caveats and crevices that you didn’t see or didn’t even realize were there.
Which is why you want to, do you want to have some offense come in and check and see can I find crevices? How many? It’s like coding, right? You look, you’re writing a script, you’re writing a whatever and it’s not working, it’s not running, you’re getting an error.
You’re like, what the hell is wrong with this? And so your buddy walks up behind and looks over your shoulder, goes, you forgot the semicolon right there. You’re like motherless son of a. Like I’ve been staring at this for six hours and it’s not working.
And you looked at it for two seconds and it makes you feel horrible, but then you get to move past it and that’s what’s important.
Tim Medin
Yeah. And along those same lines, like when you’re setting up a system, you keep working on it until it works. And that’s what I assume has happened with these admins with ADCS: they keep clicking until the damn thing works.
And they’re like, cool, it works. But until the SpecterOps folks came out with their Certified Pre-Owned paper, we didn’t know these issues existed. We didn’t know to look for them and of course we didn’t know to handle or mitigate these.
When I first saw this, I’m like, no one’s going to have misconfigurations that allow anybody to change a template, that just doesn’t make sense. Then we start using this in our pen tests.
You’re like, okay, it’s like one in three, or one of the other ESCs, and you’re like, I mean there’s literally, for a year, between ESC1, ESC4, ESC3, it was like 33%.
Like a third of the organizations had this, which essentially allows you to auto get to domain admin.
Daniel Lowrie
Well the good news is ADCS is super easy to implement and deploy. Yeah, I’m sure that those people just didn’t do it right.
Tim Medin
Oh my gosh, that’s a true statement. Good news is there’s a lot of great tools out there to identify these issues. So we’ve got Certipy, which is the original. No, Certify was the original from the SpecterOps folks.
There’s Certipy, the Python version. Sirti is another version. We can also feed this into Bloodhound. There’s another great tool, lockpick.
All of these will identify these issues. So great ways to identify this. A lot of these tools, with the exception of lockpick, will also let you exploit it,
if you want to test some of that as well. Typically not in the blue team’s realm, but you can play with a lot of the red-teamy type functionality here with a lot of these tools just for the identification process.
Let’s take all these things, let’s go back through all these. We talked about passwords, we talked about MFA, we talked about Kerberoasting, file shares. None of these are super advanced.
It’s like yeah, it’s the typical stuff. And Daniel talked about this before in the, the, the, the pre show banter. He was talking about his hardware or. No, it was Tim, I think you, you told, you talked about it too Daniel, didn’t you just a little bit ago.
You’re talking about playing with hardware.
Daniel Lowrie
I’ve been playing with hardware. Yeah, yeah, yeah.
Tim Medin
Playing with hardware. And a lot of it isn’t sexy high tech talks. It’s like oh, this techniques rather, it’s like well this, it’s a different format but it’s the same thing that we’ve always seen.
Right? And nothing that we saw, we talked about here is super advanced, super high tech. We got tools to identify all this and realistically that’s what the bad guys are doing.
We hear talk about the APT, the Advanced Persistent Threat. And most organizations are not attacked by APT. They’re not advanced, they’re not really persistent. They’re just a threat.
And they come years after a vulnerability. If you look at the CISA and NSA stats on the most commonly exploited vulnerabilities, they’re all ones where patches have been out for a while, many of them over a year, some of them up to five years.
The Exchange bug is still up there as one of the most commonly exploited vulnerabilities. So it’s not this sexy. You don’t have to defend against the zero days. It’s a lot of the simple stuff that we really have to focus on.
We talked about passwords, password rotation. 90 days. Cool. Look at the Verizon breach reports. People are in for five to six months. That’s not an effective mitigation these days.
We’ve got to work on ways to make things a lot better. Prevention is cool. Ideal, in fact, right? Let’s keep the bad guys out.
Let’s never let them get into our organization. That is at best, half of the story, because the other half is, can we detect them when they’re in? Especially if we go back to the previous point here.
Look, they’re in for a long time. When those ransomware actors get in, that time window is getting shorter and shorter and shorter before they take the entire organization offline.
And the bad guys are going to get in at some point. The question is, what do we do after? Can we slow them down? We talked about some of the honey tokens and stuff, the deception.
can we detect them? Can we respond to that, along the way, as well? Daniel, do you have any, thoughts on some of this?
Daniel Lowrie
No. I just love the idea of, like, it really seems like we live in a world where there is a much greater than zero probability that you will get popped at some point at some time.
Right? So now you got to start thinking in a different way instead of, I’m going to stop all the hackers. Not that you shared. Somebody got on me for using the word hackers.
Threat actors. Someone, I’m going to stop all the threat actors, all the apt. I’m never going to get hit by ransomware because I got this, this, this, and this. And then they’re never getting past my defenses.
You have to assume that one day that’s going to happen, and it’s all about going, okay, we still build those fences and we still make them as strong as possible. But we have to be doing stuff for detection, deception.
We have to burn them as far as their time and their resources go, send them on as many wild goose chases as we can, because the slower we make them, the more likely it is that we will get to detect.
And if we can detect before they get to do something stupid that we don’t like, then we’re ahead of the game. That’s what makes you a killer in the space to say, cool, come at me, bro.
Yeah, you might find your way in, but all of a sudden you go, oh, this is Pan’s Labyrinth here. I don’t know. And now the clock is ticking. I think it was Dave Kennedy one time, he said that once you make your way into a network, the roles have reversed, right.
You’re no longer on the red team, you’re on the blue team because you’re trying, you’re, you’re trying to defend, what you’ve got. And they, are constantly out there looking for you.
Now if you haven’t set up those defenses, that’s on you. Right? But we got to make that shift, that paradigm shift in. It’s not just about defense putting up those fences that stop those things.
It’s just as much about detection and that’s wasting their time so that we can detect even better.
Tim Medin
Yeah, I got nothing to add there. That was awesome. Yeah, no. 100, 100. Can’t agree with you more on that. We’re all in this together, offense and defense, against the real bad guys.
And what can we do to stop them? Ideally detect them, slow them down. Right. All of that goes to a well balanced breakfast.
Daniel Lowrie
I like it. I like it.
Tim Medin
Yeah, that’s part of when we were kids, we’d watch the, like, cartoons and they have a well balanced breakfast. It’s like Cap’n Crunch and then fruit and a bunch of other healthy stuff.
Daniel Lowrie
Yeah, you had, you had an orange juice. Like a glass of orange juice is probably 2,000 milligrams of sugar. Right. Like humans could not consume enough oranges at one sitting to get a whole glass of orange juice.
Like your insulin is spiked to the roof. Your kids are running around like their heads are on fire, right. Because they’re so pumped full of sugar. And then you add the Cap’n Crunch on top of that.
Tim Medin
Oh, there’s probably some chocolate milk on that table for the commercial too.
Daniel Lowrie
Yeah. It was heaven, wasn’t it? It was, it was pure heaven. It was very divine.
Tim Medin
Yeah. We talked about this a little bit before too, especially when we talked about the active directory thing. And Daniel had the great analogy with football with get the goal being yards instead of the goal being touchdowns and winning.
And we got to think, what do the bad guys want? What are they trying to do inside our network? What are they trying to get to put the defenses around that and the other things will fall into place around that.
Can we get rid of data? A lot of organizations love hoarding data. They don’t want to get rid of it. But you can’t lose data you don’t have. Get rid of it.
It’s hard. I know a lot of organizations are like, they’re hoarders once they have it.
Daniel Lowrie
You ever see some of these, like, HR and C-level accounting people’s inboxes for their Outlook? Are you kidding me? How do you have 18,000 things in your inbox that
you haven’t even touched? They’re sitting there. What is this? Why do you have a terabyte worth of data in your Outlook? I don’t understand what we’re doing here.
Tim Medin
My wife has like 12,000 unread emails. I don’t get it. It drives me nuts for a whole different reason.
Daniel Lowrie
For me, it’s like, I’m like I. I can’t stand. There’s a. There’s a number next to one of my boxes. One. One of my folders has a number next to it. We got like, I apparently didn’t read something.
I gotta, I gotta take care of it. Like it gets me. It gives me hives.
Tim Medin
Oh yeah. There’s two groups of people. There’s the people that have badge numbers in the thousands all over their phone, and there’s people with zero. I’m Camp Zero. But that said, I turned some of them off so it doesn’t give me the badges.
But yeah, I’m with you. Yeah.
Daniel Lowrie
So this was fun.
Tim Medin
Yeah. Well, we got more. Dan, you’re not done yet.
Daniel Lowrie
We’re not even close. The man is not.
Tim Medin
We’re getting close. Camera decided to give up though. Camera’s done. There we go. So wrapping this all together, we can get better at blue, at the defensive side, by playing better with some of the red team type tools.
We talked about Invoke-Kerberoast. We talked about Hashcat. We talked about Bloodhound. Snaffler. A number of other tools in here. I’m not just going to go through all of them because that’s really freaking boring, but you can practice these offensive tools and make your job better and make a better defense for your organization.
You don’t have to hire the expensive third party consultants. Hello, third party consultants. But you can do this yourself. Do it before we show up. Make my job hard.
John talks about this all the time. Our goal is to make it so that we’re not needed anymore, which is a little bit scary because I don’t know what else I would do. But that’s the, that’s the job, right?
We’re trying to make organizations better, so you don’t have to use us, and frankly, hopefully, more importantly, keep the bad guys out.
Daniel Lowrie
You think we’ll ever get there, Tim?
Tim Medin
I, what? I. On the side that I think it’s going to. We’re going to get there. But I’m a little bit pessimistic. A lot of folks are like, no, we got plenty of time. We’re going to be retired before that goes away.
So I’m more on the side. Like, 10 years, maybe we finally sort of get there. But then, I don’t know, who knows?
Daniel Lowrie
Maybe it’s that whole thing where the things that we’re worried about today and the problems that we have that we’re working on fixing and making more automated and making it a lower lift, for the average user and admin out there to do.
Maybe we will get there in 10 years, but by then a new crop of crap will pop up and we’ll be like, oh, we got to fix this now. Because, some new technology is right around the corner we haven’t even conceived of.
Like, who saw LLMs coming, what, three years ago, to the extent that everybody and their brother can just go, hey, I need to build a website.
Hey, ChatGPT. Make me a website. And it goes spit and pops it out. And now there’s your website.
And it looks exactly like that’s what happened. But at least you have a starting spot, right? And we’re being able to tool it up and use it inside of offensive and defensive security as well, using it as a tool to make things easier.
And now we can kind of start focusing our gaze on things that are a little more complex. And, hopefully maybe that’s. That’s the way we’re going to go. But, the wheel keeps a turning, as they say, and I’m sure that there’ll just be new stuff for us.
I just saw the meme in Discord of the puking. Oh, man, you caught me. You got me good. You got me. It was.
I was not prepared for that level of awesome memory. That’s kind of funny. yep, there it is. There it is.
Tim Medin
That’s good stuff.
Daniel Lowrie
That’s ChatGPT right now, whenever I ask it something.
Tim Medin
All right, wrapping it up here as a defender. Look at some of the common attack scenarios. MITRE ATT&CK has groups. Look at the groups, see what people are doing over and over again. Pick part of that attack chain.
Look for ways to prevent, look for ways to detect, look for ways to mitigate and ways to deceive along those lines here. Remember here, the goal is not 100%.
The goal is to get each layer better. We got layers of Swiss cheese. Make those holes smaller, get more layers of the cheese so that there’s no easy path from the top to the bottom.
With that, we’re going to wrap it up. We got training out there. We talked about Wild West Hackin’ Fest that we’re doing, so check that out. Offense for Defense at Wild West Hackin’ Fest.
Yeah, we do consulting and stuff. If you’re not using Black Hills, use Red Siege. And don’t forget, Wednesday Offensive. Today we have bbk. So with that, I will send it over to, I think, Zach.
I don’t know who’s running the show right now.
Zach Hill
Yeah, Daniel and I are here.
Tim Medin
All right.
Zach Hill
That was. That was fantastic. Thank you, man. We appreciate you taking, the time to. Appreciate both of you being here and taking it, taking the time to do this. It’s awesome. I want to ask a question out to the audience, though, who stuck around and watched this presentation today because we changed things up a little bit with, the format, with having Daniel, be involved.
So, just curious to everybody out there, if you just, like, what did you think of the format today? how was it with having Daniel and Tim kind, of bantering back and forth, throughout that presentation?
I thought it was just. I always enjoy it. Like, I. It was great.
Daniel Lowrie
Like, it was a lot of fun.
Tim Medin
Laughing.
Zach Hill
I was just like, I like it.
Tim Medin
Daniel is an artist at this because we do this. We. We do this with some of our webcasts. And I’m not as good at it as Daniel. Like, he’s. It’s an art form that he’s developed, and he.
Probably the first time, going back to what we talked about before, he probably sucked the first time. But you get practice and you practice and you practice and you get better and better and better. And he is an absolutely. Maybe you were good from the beginning. I just wouldn’t be.
Daniel Lowrie
I will say, Tim, you are definitely in the upper echelons. You have a way with the language and the ability to speak. I’m always impressed and happy to be on anything with Tim because it’s like, oh, cool.
I can do what I do, and Tim’s going to do the same kind of thing, and it’s going to be a lot of fun. We were talking about giving presentations, and then you mentioned how you could give this super technical talk that maybe three people in the room really appreciate and that only one can actually implement.
And those are kind of fun. But I would suggest, if you do want to give a talk out there, and this is going to be hard because you’ve got to push the ego down: take that technical stuff that you really want to talk about and put that in a blog, do a YouTube video or something to that effect.
That way you can get that out of your system. If you’re going to do a talk on a forum like this or on a stage somewhere, make it much more general and make it inspiring. One of the best talks I’ve ever heard was The Art of Code.
If you’ve never seen that talk, go watch it. I’m not a coder. I know my limitations. I am not a professional coder, nor will I ever be. But damn, that talk makes me want to be one.
It makes me interested. It inspires me to go and learn more about that craft, even though I know I’m never going to reach that level. Every time I need an inspiration tape, I go watch that talk.
And it never gets old, because the dude giving it just kills it. He inspires people. He makes it accessible and interesting. That’s what you want to aim for when you give your talk: making whatever your topic is accessible and interesting and fun, and you’ll kill it.
You’ll have a good time. Your audience will enjoy it. You point them to some resources about that topic, and then they go do the hard work on the back end.
But they’re going to be super jazzed about doing it. So that should be the focus of what you’re trying to do with your talk.
Tim Medin
100%. I completely agree with you on the talk. I did some improv so I could practice speaking where I don’t have control, because when I speak, I have control of the room, and I need to give that up to be a better speaker.
Especially when we’re interacting like this, sometimes it’s hard. But as part of that, we want to see you when you’re giving your talk.
Give me your perspective. Don’t just go through the technical piece. Tell me, hey, this is how I did this, this is why this was important to me. That’s interesting. Show me your passion, and that’s where it comes through, instead of step, step, step, step.
And frankly, that’s the easy part, right? That’s the easy part. You can feel time, right?
Zach Hill
Yeah.
Tim Medin
Pick the thing you’re interested in. And it’s never too basic. John Strand says this all the time. Not trying to play the marketing guy, but the most hits we get for videos and blog posts are what might be considered quote, unquote basic, because that’s more what people need.
Zach Hill
Sorry. And if you guys want more of Tim, because I’ve seen quite a few questions and comments here like, we need more Tim, or have Tim talk more about the Wednesday show, please.
You guys are doing that at 1:30, the Red Siege Wednesday Offensive. So if you guys want more info, I’ll get a link for you and put it in the chat.
Tim Medin
Red Siege dot com, wed off. Every Wednesday, 1:30. We’ve got a very strict 30 minute time window.
Yes, we have a Discord, Red Siege dot com, Discord. I hate promoting that in their Discord, even though they’re super cool. Oh, there’s a Wednesday Offensive there.
Linked as well. But every Wednesday. You don’t have to come every single time, but it’s a great discussion. Again, we’ve got BB King. I don’t understand how you folks don’t know how awesome BB is. Dude’s awesome.
Daniel Lowrie
Amazing.
Zach Hill
Yeah, I asked him this question. I was doing these instructor interviews with all of our instructors, and one of the questions, because I really wanted to catch you guys off guard,
and Tim, you went through this, one of the questions was: explain your class to me like I’m five. And the way BB described web app pen testing,
his web app pen testing class, was just the most amazing explanation, because he used basketball. And I’m not going to spoil it for everybody, because I want everybody to watch it. But the way he brought basketball into web app pen testing was the most amazing thing I think I’ve ever heard in my life.
Just the way that he was able to process that and think about it within the span of literally 20 seconds blew me away.
Tim Medin
Blew me away.
Daniel Lowrie
Isn’t that the sign of a highly intelligent person, their ability to take very complex things and show you the analogs that you can actually interact with, on your level?
If you can do that, that’s what makes someone top tier for me, that they’re able to make those connections in ways that I never thought possible, and you go, oh, that totally makes sense.
Tim Medin
Like your basketball analogy, or football analogies. Very brief, very succinct. And it’s something that sticks in your head, instead of, well, don’t do AD.
Do the... no, no. Right. Try to get touchdowns. Don’t go for yards. If you go for touchdowns, yards will come along the way. Boom. Done. Simple, easy, quick. Great analogy.
Daniel Lowrie
It’s our E equals mc squared, right? It has a lot in a little.
Zach Hill
Perfect. Love it. Awesome. Well, I know you guys went through a lot of questions during the show here today, during the presentation. Tim, I know you’ve got to get going here to get ready for the Wednesday show.
Tim Medin
I thought we had time for like, there was supposed to be like an AMA or something at the end.
Zach Hill
Yeah, we are going to do an AMA.
Tim Medin
I mean, if you want to stick around. Yeah.
Zach Hill
So I was going to give you the opportunity to take off. Otherwise, after all of our webcasts, we go and start our breakout room. So if you have the Zoom application installed on your device, we’re going to go ahead and get that AMA room started right now.
But I just want to say thank you again to everybody for joining us for today’s webcast. We really do appreciate y’all sharing your time with us. It’s always great to see you all.
Who do we have coming up next week? I already forgot. It was on my mind earlier. If you ever want to know who we have coming up next week, you guys can just go to poweredbybhis.com and that’ll show you what’s coming. Zach is doing that cloud security one.
Yeah, that’s exactly what I did. Cloud security adoption occurs with Andrew Krug, so that’ll be an exciting one. I love having Andrew on. So, yeah, I’ll see you guys next week.
And until then, take it easy. Take care. See you later, everybody. See you in the breakout room.