Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those who are looking to get into cybersecurity, and tips for those who are looking to advance their careers.
Hacking the Way Forward with Max Harley
Max Harley's journey into cybersecurity began unexpectedly with a childhood passion for video games, which sparked a deeper interest in programming and security. His competitive spirit emerged through capture-the-flag competitions, leading him to impactful roles at SpecterOps and Prelude, emphasizing mentorship, networking, and continuous learning in crafting a successful cybersecurity career.
• The spark of interest starting from video games and programming
• Importance of competitions like Pico CTF and CCDC in developing skills
• The role of mentorship and networking in career advancement
• Experiences in red teaming and offensive security
• Transitioning thoughts on proactive cybersecurity and evaluative metrics
Mentorship - sign up for a free session
Max Harley's LinkedIn Profile
Max's talk at BSides Charleston 2024
Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mine.
Max: I know what you're trying to do. I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it.
Steve: What is the most inspiring thing I ever said to you? Don't be an idiot. It changed my life.
John: Welcome to another episode of the Cybersecurity Mentors Podcast. On this episode we're going to interview and talk to Max Harley, who is a senior security engineer at Prelude. But we've known Max for a long time, back to his days as a student working with us and working beside us at the university, and we're excited for you to be here, Max.
Steve: Yeah, thanks so much. That's awesome. It's good to have you here, Max, for sure.
Max: So let's just get started. So how did your interest in cybersecurity, how did that start? Let's see. So, like many great people in cybersecurity, I started playing World of Warcraft. For some reason, that story is so common, getting started in World of Warcraft. I entirely ruined my life in middle school, being hopelessly addicted to it. Hold on, hold on.
John: What was your favorite character class, if you play World of Warcraft?
Max: Oh, I played Death Knight.
Max: Okay, okay, I was a big Death Knight. Played 3v3 arenas.
Max: I was a priest, a shadow priest, when that was cool.
Max: That's before the Death Knight was really on the scene, back in BC. BC, Vanilla.
Max: As you know, that game is so addicting. I found it and had a friend that played in elementary school, and then he played in fifth grade, and then I finally, you know, talked my parents into getting me a subscription. So, you know, ruined my life, got horrible grades. My dad grounded me, and I was like, well, I want to get back on the computer and secretly play World of Warcraft, but I'll pretend it's productive. I'm like, what if I got into programming? You know, that's productive, there's job opportunities there. So my dad was like, okay, fine, as long as you're doing programming, you can be on the computer. And I obviously played World of Warcraft when he wasn't looking. So did that, and also learned how to do programming.
Max: Later on in high school, I started getting into programming competitions, doing JavaScript, C++, stuff like that, and then my computer science teacher talked about, he got this email. He was, you know, an educator. He got this email about Pico CTF, which was a high school CTF, back in 2015, I want to say, and he sent this email to me. So I put together a team, a high school CTF team, from some of the people that I was friends with and did programming competitions with, and he also sent this email to Tilson Galloway, who was three years younger than me, or two years younger than me. He was in middle school, and Tilson put together his middle school team. We did Pico CTF and Tilson's team ended up winning. The middle schoolers beat the high schoolers. Wow.
Max: And so I was like, absolutely not, this is not happening.
Max: Never again. I'm going to destroy you next year. Never again.
Max: And I just learned cybersecurity the next six to eight months, just doing CTFs all the time. I had an internship doing Linux sysadmin work at MUSC, the Medical University of South Carolina, and in the downtime I would just do CTFs the entire time. And then I got into, you know, one of the guys at my high school who's the help desk admin, his name is Brian Luce, he was really involved in the tech community in Charleston, and he met these three folks, Chris O'Rourke, Brad Warnick and Glenn Starkman, who owned and started Soteria, which is a security company in Charleston. And he was like, hey, you know, we have this guy, he's really interested in security. Is there any way you could talk to him, and maybe an internship, something like that? So I talked to them, had a meeting with them, and they were like, yeah, if you want to hang out at our...
Max: You know, they had a warehouse up on Upper King, and, you know, it's kind of a weird...
Max: You know, when I first met them I helped them put together a pool table. It was a little bit of an eclectic group, and they're like, yeah, we're not going to pay you anything because you're not going to do work, but if you want to hang out, come over. And so I was like, well, I'm getting paid pretty well doing this MUSC thing, or I could go just hang out with hackers for free. So at the time I thought it was kind of a stupid idea, but ended up doing that, becoming really good friends with everyone at Soteria, and then it all went from there. Got really into security, learned about the industry, so on and so forth. So that was my entry into security, and then through them made some connections, and so on and so forth. But yeah, I mean, I got into security because some middle schoolers beat me in a CTF challenge.
Steve: So the question is, did you ever face this middle school team again, and did you kick their butts? No, so I ended up starting a security team in high school.
Max: You know, my senior year. Beginning of my senior year, I made the cybersecurity team and got Tilson to join, so he, okay, okay, he joined. We're good friends now. We're really good friends now, and all that kind of stuff. I like that.
Steve: We made amends. Took more of a diplomatic approach to it.
Max: I mean, he is a genius, he's a total genius. I wouldn't want to.
Max: I need him on my team. You know, if you can't beat him, join him. Yeah, exactly. Well, he can join me.
Max: Yeah, yeah, yeah. What?
John: At what point there did you think, like, this could be a career? Was it like, okay, as you were doing the internships? Or was there a point that you're like, oh, this maybe is a career?
Max: Yeah, I think I didn't really think about that a whole ton, sure, you know, because I got introduced to Soteria pretty early on, so I knew it was a career, you know, a possible career. But yeah, I guess it was really more, with the CTFs, I just enjoyed the challenge of it.
Max: You know, it was like a more fun, kind of practical alternative to the programming competitions. And then I quickly got introduced to Soteria, and it was like, oh, actually I could do this for the rest of my life. Yeah, very cool. What?
John: What was one of the first programming languages that you got into as you were playing Warcraft and switching between the two? What was your first entry to programming?
Max: Yeah. So the first one, I mean, this isn't really a programming language, but the first thing I really looked at was Lua, because you could, well, Lua, and, I mean, this isn't a language at all, but XML, because I did a lot of botting. You know, me and a friend did a lot of World of Warcraft botting, and I thought this was super fascinating. You could script up, there's a program called Honorbuddy, and you could script up attacks and movement, like waypoints, moving your character automatically, via XML. So I thought that was the coolest thing ever.
John: Yeah, and then so you were one of those Chinese gold farmers.
Max: I was. I was a Chinese gold farmer, that was exactly me.
Max: I did herbology and mining, you know, nice, running around, running around thing. And then you could script it up to automatically mail all of your inventory to someone who could process those with other professions and stuff like that. It was a whole operation. Wow. But it was pretty fun.
John: I mean, like you said, I mean Warcraft, but video games, and/or hacking video games, kind of is a great, I think it's a great way for people to get in, because most people love video games, they want to play video games, and if you could combine the two, it's like, well, you know, back in the day, right, like, how do you kill everybody, right, like Counter-Strike or something like that, right? But yeah, I think if you can combine that and it hooks you, gets you that little bit of a hook of, like, okay, there's ways around the system.
John: I think it's awesome. It's a great way to introduce. Absolutely, and, like, video game...
Max: Hackers, I think, are at the forefront of cybersecurity, whether they know it or not, they are.
Max: I mean, if you have any Windows internals question, I mean, you can pretty much ask any red teamer. It's like, if you're doing research of any kind, you know, maybe you want to bypass EDR or something, you look up an undocumented Windows API function, it's like some game hacking forum is going to show up and they've used it before. And there's a lot of similarities. Like any of these anti-cheat engines, they're all EDR. Every anti-cheat engine is essentially an EDR, so there's so many combinations.
John: That's a great point. Yeah, I haven't really thought about it that way, but yeah, I mean, you know, it's a great cat and mouse game, arms race of the cheaters versus the game companies, and they're always trying to, you know, keep up with each other.
Max: Oh, yeah, yeah. And they use the same methodology. I mean, function hooking is, like, a big component of a lot of EDR. If you look at the VAC engine, which is Steam's anti-cheat, it uses function hooking as well. It's all...
John: It's literally the same thing. So yeah, game hackers are crazy, they're so smart. I've kind of looked up, because I'm not, I know enough about programming to be dangerous, but I'm not a programmer. I wouldn't call myself a programmer. But if you look at how to learn how to do game hacking, it's deep, man. I mean, it's probably like what you're saying, the Windows internals and the low-level memory and function hooking, it gets deep. So, people, it is a good avenue, but it also, you've got to be ready.
Max: It's like you're jumping into the deep end. I have so much respect for game hackers. Yeah, yeah, it's really, really difficult. Well.
John: Cool. I remember the first time I met you around this time frame, or at least the first time I either heard about you or met you. So you were a high school student, which was, I had a couple of guys come and talk to me. Chris O'Rourke was one of those guys who was visiting Clemson, and then Brian Price was another guy, and they both told me, they were like, you've got to hire this kid, because they'd heard about the SOC, they'd heard about the student internship. But they said, no, this guy Max, you've got to get him in, give him an opportunity. And I was like, okay, yeah, I mean, you guys, that sounds great. So let's get him in here and get him part of the SOC. And I think it was good. But it wasn't like your, the defensive side wasn't like your path, it wasn't where you were headed, right?
Max: No, no, no, but it was a great opportunity. I mean, I really didn't know what to expect, because I remember the first time we met, Glenn and Chris were at Clemson for summer. I don't actually know why they were there. They were like, hey, let's meet up, let's meet in the Watt Center. And so I came over there and you were talking to them, and you're like, hey.
Max: I work for the Clemson Security Operations Center. You know, you want to come tour the SOC? Just see what we're up to. I was like, yeah, that sounds awesome. So yeah, I remember that. That's how we met.
John: Yeah, I remember having that conversation with them in the Watt Center, and I couldn't remember if I met you right then or if it was a little bit after. But yeah, I remember that time frame, so that's awesome. But no, I mean, I think one of the things I remember about, and this is like where Steve, and Steve was coming in, right, I think it was right at that transition time frame, I think, I don't remember, right. But I was like, you gotta watch out for this guy Max, he's super smart.
Max: Yes, but you got to keep eyes on him. Yeah, yeah, you should have kept eyes on me, yeah.
Steve: No, I remember a couple of things, we're not going to talk about that, that Max was doing, that I was like, what in the world?
Max: And we give this guy extra access. Come on. Yeah, yeah, I messed up a couple of times, it's all good. I messed up a couple of times.
John: No, but I remember.
Steve: I remember the Max. I was like, yeah, this kid's sharp, we got to watch out for this, we got to watch out for him.
John: Well, yeah, you're sharp, but you also had that mindset, right. You had the hacker mindset of, like, let's just see, let's explore.
Steve: Can we do this?
John: Boundaries. Do I ask for permission or do I ask for forgiveness, right?
Max: You know, yeah, yeah, I should have asked for permission more.
John: But no, I mean, and even during that time, and then, you know, you got involved with the club and eventually became the president of the club, which was awesome. But the club, the cyber club that we have, and just, you know, getting involved with competition.
Max: So you want to talk a little bit about that and your experience there? Sure, yeah. So two of the big competitions we did as a club were CCDC, or, well, the SECCDC, which is the Southeast Collegiate Cyber Defense Competition, and then PCDC, which is the Palmetto Cyber Defense Competition. And those are attack-defend: you sit as the defender, all hell breaks loose, you're trying to defend this network from real attackers, and it was just an amazing event. You got to experience a real kind of incident response. I mean, you were doing everything, you were trying to do prevention, detecting when attackers were trying to target you, and then incident response, kind of all in one during an eight-hour period, which is a bit of a fire hose, but you learn so much doing that. So it was like some really great events. Yeah, I mean, having been involved with that for a long time now, I really do think it is such a great opportunity for people.
John: I wish there was a way to replicate that for people that are not at a university, and there are probably similar things, but being thrown in and you have to just go through and lock down, harden, find all the back...
John: You're never going to find all the backdoors, you're never going to find all the weaknesses, but you at least are doing your best to, okay, here we go, right, because you know they're coming. You know that they're going to get in, right? There's not a way for them not to get in. They're going to get in, most likely. But then dealing with that aftermath and the back and forth of, you know, getting access, getting kicked out of your own system, all those kinds of things. And it's on both sides. It's a great opportunity for red team guys and girls, because it's a different skill, right? It's not just like, you're not just trying to get in. You were in, now what?
Steve: I have access to everything.
John: Now what do I want to do, right? So it's kind of a different skill there. But no, I think it's a great learning experience, and I think everybody, you know, knows that hardening, okay, I gotta get good at Windows, I gotta get good at Linux, I gotta get good at whatever the network hardware you're using, the firewall. It gives you some good foundations, and a lot of people, you know, they get jobs just being part of that competition. People come and try to recruit students having had that opportunity. Oh yeah, yeah, and it's great.
Max: One thing I always really liked about it is that it was competitive. I mean, Clemson, if we ever got second place, I think we got second place once when I was a freshman, and I mean, I hate losing, I hate losing so much. So, having that competitive aspect and, you know, looking forward to it all year, training for it, like, what are we going to run into, kind of game planning or tabletopping, like, what's going to happen? How can we defend against this? It really made us think as students, you know, what's the right approach to this? How do we?
Max: I mean, there's some metagaming going on of, like, you know, we've done this competition before, we know sort of what to look for, like, how can we defend against this in the future? But all of those scenarios that we came up with are real scenarios. It's like changing default passwords. Yeah, yeah, you should do that across any organization. That's not just a CDC event thing. Yeah, so it was great, you know, taught real skills, and then also getting to talk to the attackers afterwards. I mean, I've always been more interested in the offsec side of things. So listening to what the red teamers did, how they penetrated us, and some of the techniques they used, it was just a great experience all around.
John: Yeah, and you helped put together a course, right, that you guys taught, you know. Talk about that.
Max: Yeah, yeah, yeah. So Nick Bullis check and Weston Belk and I ended up somehow convincing the computer science department that we should put together a course. This was really, you know, school-sanctioned, and for credit hours, it was an elective class for how to do cyber defense competitions. We didn't exactly frame it that way, but that's effectively what it was. It was Introduction to Windows and Linux Administration, or something like that, and we had an actual professor kind of go over the course material we made. We did it all over the summer, and we wouldn't really do a whole lot of course development during the school year, we would just teach it.
Max: And yeah, I mean, it was all about, you know, how does Linux work, how does Windows work, how do you, I mean, doing the basic things like changing default passwords. So every class we'd have a little lab for them to do, and it was like add users to Active Directory, or how do you start and stop services in Windows and Linux. And so that was like 2810, I want to say. And then there was 4810, which is the second of these classes. That was a little bit more advanced and would get into kind of the evaluation on these, you have, you know, we basically redo PCDC, we set up an entire environment.
Max: We have me and Weston hacking the students, they were trying to defend at the same time. So you're just trying to replicate that PCDC, CCDC environment, and I think students learned a ton. It was kind of crazy how many different types of students were doing it.
Max: I mean, we had some people who, they were doing a computer science minor but they were pre-med. You know, we had nursing. I mean, it was people from everywhere, just kind of interested in it. Yeah, cool, yeah. And it was the same in the club, honestly. It was a lot of, you know, majority computer science, but people from a lot of different disciplines who were just interested in cybersecurity.
Steve: Yeah, we had some of those in the SOC as well. We had people with different majors that were just interested in cyber that were part of the SOC.
Max: Yeah, yeah, it's always really cool to see.
John: Yeah, and one of the best guys I worked with, it was actually one of the first clubs, before the club started. He was a psychology major but just really loved computer science and computer networking and systems and programming, and was really good at it too. But he was also really good at just being, you know, just soft skills, just talking. He was one of the team leads in the competition, the first competition that we did, and he just had a different background but did really well.
John: So I mean, I think from that, for others that are listening, you know, you don't have to be hardcore computer science. Now, it helps, right, because you get into the deep stuff. But you can mix it up, and I think mixing it up is good, and in different ways, for sure. And, or if you're changing careers, right, because a lot of people are looking to get into cybersecurity and they had a career in whatever. Some of those skills do transfer. You just have to work on your gaps, you know, identify what skills, whatever it is you want to be, but look for those gaps in your skill set, and you can get there.
Max: I think most people can get there. Yeah, yeah. One of my favorite examples of this is, there's a guy at a company I used to work for, SpecterOps, named Jared Atkinson, who was a history major in college, and I always wondered, like, how do you go from history to cybersecurity? And the real answer is, you know, the Air Force forced him to do cybersecurity, basically, but it was actually a really useful skill set. As he explained it, you know, because in history you read a ton. I mean, you have to be a voracious reader if you're doing history, and cybersecurity is the same way. It's like, if you're not learning, if you're not reading documentation, Microsoft documentation, like, 24 hours a day, it's like, that's really how you get the skills. And so that connection between history and cybersecurity is actually pretty useful. Yeah, yeah, that's cool.
John: So you want to talk about his transition, Steve?
Steve: Yeah, yeah, I was gonna ask. So you mentioned SpecterOps, so that was your first job right out of school, is that right? Yeah, yeah. So can you talk a little bit about that, like what SpecterOps is, what they do, and then kind of just talk about that experience?
Max: So let's see, I guess I'll start with how I got there. So, and this kind of goes into the early history of SpecterOps, so I got an internship at Fidelity Investments my freshman, like, the summer between my freshman and sophomore year of college, and I was doing web app pen testing. I got put on this project for AI tool development, and kind of during the end of this internship there was a deal going on where if you purchased Cobalt Strike, which is an offsec tool, it's a command and control framework, if you purchased Cobalt Strike, you got this training class from these really smart people at a new company called SpecterOps. It just kind of came for free. And so, you know, I heard about this, and then I looked at who was teaching it, and it was Will Schroeder, or harmj0y on Twitter, it was Jared Atkinson, and then Matt Nelson, or enigma0x3. So I knew these people, like, I'd been reading their blogs since high school, and I was super interested in taking this class, but there were only a certain number of seats, so I had to somehow maneuver my way to getting a seat in this class.
Max: I'm like, I have to take this. I mean, these people are awesome. I have to take this. And so, you know, I talked to my boss. He's like, absolutely not, you're an intern. He didn't use these words, but he's like, you don't matter, you know, you're an intern. If we're going to give a seat to someone, it's not going to be you. So I was like, well, what if, let's just say, what if I sat in the very back of the class and took notes so that everyone else could pay attention? You know, they didn't have to take notes on their own. I'll take notes. I'll sit very quiet as a mouse in the back of the room. He's like, okay, that's fine, you don't say anything.
Max: You'll be under the radar. I was like, okay, perfect, I'm in. And, you know, during the first five minutes of class they were like, so why don't you have a computer? I'm like, you know, I'm just taking notes. Don't worry about me. And they were like, well, we give the slide deck at the end of the class. You don't have to take notes. Go get your computer. So I looked at my boss. I'm like, I'm going to do this.
Max: I'm like, okay, I'll go do that. Ended up getting my computer and taking the class just as anyone else. So, taking this class, it was a four-day course. During the day I would take the class and then go home and kind of review everything, review all the material we covered that day. And then one of the times, you know, we were going over, day three is Kerberos, all about Kerberos, and so Kerberos is funny because it's like everything is an acronym, it's all TGT, AP-REQ, you know, just all these acronyms.
Max: So I made a tweet joking about that, and some of the people at SpecterOps ended up finding that tweet. They liked it, shared it around, and they were like, well, we're really impressed that you took the time to learn this stuff after the course. And so I made a good impression. The next year at Black Hat, everyone kind of knew about SpecterOps, just the people, all the individuals there. They all did a lot of research, did a lot of blog posting, so they had a booth at Black Hat. I went up and said hi to some of them. They're like, oh yeah, we remember you. I asked if there was an internship opportunity. They said, well, you can talk to Kelly, the HR manager, see if they have anything. I don't think we do. So I talked to her, and she's like, eh, I don't know, I don't really have anything on an internship. The company's a couple years old, we're not doing internships yet. But maybe. And so I got her email, and then just sent her an email once every two weeks, saying, like, hey, is there an internship opportunity? Hey, is there an internship opportunity? And finally annoyed her enough, where she's like, yeah, okay, fine, there's an internship opportunity, and, you know, started there.
Max: You know, I did that summer between my junior and senior year, and then worked part-time all my junior year, or my senior year, and then worked full-time, and was able to transition that into a full-time role after that. But, you know, they do mostly offensive security. A lot of research, a lot of publishing tools, publishing blog posts, giving talks, things like that. One of the guys over there, it was a group of people kind of led by Andy Robbins, they developed this tool called BloodHound. So, you know, they were all big users, Active Directory, network pen tests, red team folks. They kind of automated a lot of the discovery of Active Directory attack paths and released this tool, BloodHound, so pretty well known for that. And, you know, that's now turned into a product, BloodHound Enterprise. And yeah, that's kind of how it went, early days of SpecterOps and BloodHound and...
Steve: All that. So basically your persistence led you in the door.
Max: Yeah, and then from there it's history. Exactly, exactly. Nice. Annoying people. You know, well, when you're in high school and college, you know, you get a lot of leeway. You get way more leeway than you should. So kind of abusing that has been really, really helpful for my career. I probably couldn't do that now, but in the same way.
John: But it worked for a while. I mean, you know, what do you got to lose, right?
John: I mean, even now, if it's something that you're really interested in. I don't think it's a, I'm trying to think about what advice to give people, right. Should you be annoying? I think you can be tactically annoying, right.
Max: Yeah, that's a great way to put it.
John: Yeah, like, don't be annoying to be annoying, right, and just get on people's nerves, because then they're just going to ignore you or tell you to go away. But if you're tactical about it, and persistent but polite, yeah, exactly, trying to get a new opportunity.
John: If somebody is reaching out to me and they want to, they're eager, excited and showing motivation, also the other things that you did to kind of impress them, right? You're, oh, hey, yeah, this guy Max, he's doing his homework, he's coming back, he's talking about this stuff. I can tell he's interested and he's learning. I think those things match up well. So when they thought about you, like, you know, that kid, he's getting after it, and he's smart and he's eager and he's excited. And, you know, he's being a little annoying, but yeah, that's, somebody's got to give Max...
Steve: Yeah. Can we get...
John: I'm tired of getting emails from Max, right, you know. So I could see that kind of playing out. So it's, yeah, I mean, I think it's a good thing.
Max: It's just, don't go overboard, right? Yeah, yeah, for sure. And, like, you know, I think for getting hired or anything like that, it really comes down to personality and skills, and you need one of those two. But having drive is a really great personality trait, being able to showcase that in some way. It's pretty important.
John:Yeah, so what? What were you? I don't know if you talked a lot about what you did, what you did at Spectra Ops. If you want to talk about that, yeah yeah.
Max:So kind of my first year and a half, almost two years, I was doing software development, almost purely software development, on this project, aai, which is Automated Attacker Infrastructure. So it was like you know, basically it's just a series like a front end for Ansible playbooks to set up attacker infrastructure. So it was like click a couple buttons and you have Cobalt Strike stood up, or click a couple buttons and you have a phishing setup set up or, you know, phishing infrastructure set up.
Max:So I did that for a while and then kind of realized like you know, hey, I'm at this company that's, I would still say, like world renowned for doing red teaming, like I should use that, you know, use that to kind of advance my career, Like it's really a shame I'm not, I'm not like utilizing that. So and I was really interested in offensive security and I was really interested in offensive security so I asked to transition to be a red teamer and did that for the rest of my time there, two and a half, three years, something like that. So yeah, I was doing red teams and kind of the way we define that is it's like an evasive pen test. Maybe People love giving their definitions of pen testing, red team, whatever, but the way I'm using it is it's an evasive red team. It's not just your pen testing, you're not just finding as many exploits as you can, but you're actually trying to like induce a response by the blue team so that they can test.
Max:Uh, you know what does their response look like? How do they? How do they actively, you know, respond to a threat, a real threat in their environment? Um, so you know it was, it was a lot of the basic um, you know, kind of network pen testing stuff was useful, uh, but really it was more focused on like how do we evade um and how do, how do you ramp up? You know the noise that you make until, uh, you know a response is is given by the blue team. So was there.
John:You know, sometimes you know you had different roles on the team, or is there a specialty? Or were you kind of a? Were you giving you and another person like hey, here's this pen test, or did you guys break it up? How did that structure?
Max:look like yeah, so it was. You know we typically had, you know, two to four people on a, on a red team for um, you know, for I mean kind of the lowest number of weeks we do is four, and then all the way up to a couple of months, uh, and you know it was just whoever had the time slot for it. You know, if you weren't busy, you know you're going to get put on a on a red team, excuse me, um and uh. So it just kind of depended, like they would try to match up skill sets with, you know, the red team that was being done. Like if you're really good at Active Directory, you know a lot of I mean, pretty much everyone had to be good at Active Directory security. But you know, if there was a particular area, like you know, if someone really enjoyed phishing, they'd try to put you on something phishing related. Or if there's a lot of web apps, or, like you know it was an external assessment they try to put people who are good at external assessments. But you know you couldn't guarantee that. You know, maybe all the people who were really good at phishing or really good at external assessments were busy, so you really had to be good at everything because you just didn't know what you were going to be put on. Like, for example, one of my really good friends now, Nick Powers, and I did a physical assessment.
Max:So we got to fly down to Hawaii, get all the networking, RFID gear and breaking into building gear and did that. I'd never done that before. I have no experience with breaking into buildings but it was like that's something they required. There was a company that wanted that and so we went out there and did it. I had very little experience. Nick had a lot, so he was able to kind of take me under his wing there. But yeah, it was just you didn't really know what you were going to get. You got on a kickoff call for whatever the next assessment is and you're like all right, this will be cool, let's see if we can break this.
Steve:So for that physical security test, can you talk a little bit about that, because that sounds cool to me Did you literally break in? Did you pretend like you were just trying to tailgate behind somebody with a badge or what?
Max:Yeah, yeah. Did you wear any costumes?
Max:No, we should have had costumes. There's some good stories of, uh, uh, aren't my stories, but people wearing costumes, but we didn't have anything like that. Um, uh, so you know, it was a. We did two and a half days or three days of testing the physical security. Uh, you know, the first day was just reconnaissance. So like going outside the building, you know, using a drone, looking at everything. Uh, you know, seeing where the entrances were, where the exits were. Uh, we drove our car, you know, into the building they had. You know, the company we were testing had a public entrance. That's how their company worked. There were people in service that were servicing their customers, so there was a public garage. So we drove up into the garage in their building, just checked the place out.
Max:And then through that we learned, you know, we could get into the you know the place where everyone could. It was almost a public space. We could get in there, but if you wanted to get into the building at all, you had to badge in. So we talked with the point of contact and was like, hey, this is going to be kind of tough. Could you just give us your badge, just so we can see what kind of stuff is on it, to speed up the assessment, not to try, not to waste time or anything.
Max:So we found that our long range RFID scanner didn't work and basically none of our tooling worked. But luckily I brought a Flipper Zero with me and you know that was the only tool that could successfully scan and clone their badges. So I was like, oh, this is going to be tough. Because we had a whole setup. I mean, it was an RFID scanner in a backpack and it was like long range, so realistically, like if you just bumped someone with the backpack it would scan their badge, uh. But we couldn't use that. We had to be a little bit more tactical about it because we only had this, this Flipper Zero, uh.
Max:So Nick and I went to Staples, got a, uh, a clipboard, printed off some paper that had their company name on it. It had, you know, kind of. Our scenario was, you know, hey, this badge reader, it's having problems. We're the badge company, we work for the badge company. If you could please write your name down, give me your employee number and then scan your badge on this little device. We literally showed them the Flipper Zero. We're like please scan your badge on this device.
John:Why does this have a dolphin on it?
Max:Yeah, oh my God. And at first, the first lady we made contact, we sat outside the smoker area.
John:Um, and so there was a door right next to the smoker area.
Max:The smokers love to talk, man, they love it, yeah, and so you know, we just like started building rapport with them at first, and then, um, and it was raining at the time, so I was like, oh, it's raining, you know, this sucks. I got to stand out here, you know, capturing badge information, blah, blah, blah, wow. And so the first lady we talked to was so skeptical. She's like, yeah, I'm not doing this at all, like there's no way I'm scanning my badge here, and I think she actually reported us. But before security could come out, the head of facilities came out for a smoke and she was like, oh yeah, I heard about you guys coming.
Steve:You know, everyone here.
Max:I mean, there were probably five or six people there. They're like yeah, everyone here scan your badge on this thing, just so that they can get some data.
Max:Oh my God, so once we got her badge scanned, I mean she had access to the entire building, I mean every single door. So we got, we got her information, and then uh, and then just bounced. We're like yeah, we're done, get out, uh, yeah.
Max:So we got some lunch and then came back up and tested the badge, got in, you know, took all the pictures of their floor. Yeah, awesome. And then they wanted to like once we did that they were like, okay, that's good enough. The assessment stopped there. And then we did like network testing for them and stuff like that.
John:Wow, very cool.
Max:Yeah, yeah, it was so fun.
John:The worst place is to go do a pen test, right?
Max:Oh, I know, I know, like oh, I gotta go to Hawaii, I know. Well, cool, yeah.
John:So, um, let's talk about you. You were there for a couple years, two, three years and then now you've transitioned to a new company and a new role, so you want to talk a little bit about that and what you, what you're doing and what your focus is. It shifted a little bit from just red teaming. You still get the offensive mindset, but, yeah, talk about that a little bit.
Max:Yeah, so the company I work for now is called Prelude. We've got a few products. The biggest one, the one that we do most, is called Detect, and Detect is like a product where we develop these offensive tools. You install an agent on your machine and you can task this agent with running a series of offensive tools. And we have this functionality called ODP or Observe, Detect, Prevent, that hooks into your EDR or SIEM and checks whether the offensive stimulus that we provided is either observed, detected or prevented in your EDR.
Max:So if you've heard of purple teaming before, it's kind of like automated purple teaming, sort of. I mean purple teaming is such a broad I don't think anyone really knows what it means, but what I'd call it is you're checking to see if, given an offensive stimulus, you're able to capture it. Do we have telemetry for this? Number one, is it observable? If it's a known offensive action that should be prevented or detected, was it prevented or detected? And so we just kind of automate that.
Max:So I work on the content team, so we develop those red team tools that provide the stimulus, like all the kind of content for offensive actions that perform a stimulus in an environment. So it's a lot of software engineering, a lot of software engineering, kind of using that red team mindset. I'm also on some other projects that are more like AI LLM focused. It's been a pretty big interest of mine over really the last year. So getting to do a lot of that too in other ways, like nothing we've released yet or really talked about, but, um, getting to work, doing a lot of LLM, like AI stuff, which is fun. Yeah, I want to ask you, I really want to know, like, which EDRs are the best or the worst.
John:But you, you don't have to tell us. I know you probably that's hush, hush, that's some of the secret sauce, but yeah, that's one of the things I want to know. Um, no, no, I mean, I think that's really cool. Yeah, MDE is great.
Max:Uh, you know, MDI is great. Microsoft Defender for Identity, or whatever they're calling it these days. CrowdStrike is insane. And then there's everything else. All right, question and answer.
Steve:Got it, got it.
John:No, I really like that concept and it's cool that you're getting to. I mean, it's kind of like we're talking about with the video game hacking. You're getting to use your offensive skills to test tools, Because that's the reason you do pen testing right, you know, you want to make sure that you can detect, and what if a bad guy did this right?
Max:Yeah, that's a cool approach.
Max:Yeah, yeah, and it's you know. I think one of the funny things you know, having been at SpecterOps, was, you know, just getting to listen to what customers wanted. And this is like not really a fault of SpecterOps. They'd really say we want to do X, Y or Z, and it's like there's so many more efficient ways of testing this than doing a red team. It's like, if you're just interested in, do we have telemetry for all of these MITRE techniques? It's like there's more efficient ways of testing those techniques than doing an entire red team.
Max:And this kind of gets into this idea of an evaluative metric. This is an idea I've been kind of obsessed with for the past, kind of too long. But it's this idea of an evaluative metric, like BloodHound does the same thing. It's, you know it's. It provides an evaluative metric for what is, uh, you know what. Like how does my AD look? Like is AD secure? Um, you know, and you run it once. You can also run it multiple times. You probably should run it on a you know scheduled basis. But uh, you know, you run this thing and it says X number of principals can reach domain admin. It's like you know, like, do you need a red team for that?
Max:I mean that's, that's a lot of the times what a red team or pen test is looking for and they'll give you one of those or they'll give you like 10 of those, um, but can you comprehensively analyze like, uh, you know, are all of my AD edges like secure? Or, you know, do they allow anything? Um, you know, this Detect platform gives you the ability to say like, do I have, uh, you know, observability into like the correct telemetry? Do I have the right detections? Uh, every single time, for whatever technique you choose, it's like that's so much more efficient than um. You know, like, if your evaluative metric is a red team, like they're going to find one, and if they find one, then you know they're done. Uh, like effectively done. I mean, red teamers love to just hack stuff so they'll keep on going, uh, find as many as they can. But it's like, if you have an automated way to perform this, uh, you know that's, you know it's much more effective than doing a single pen test.
John:Well, and back that up, like having had purple team assessments. Like you said, people don't necessarily know what that should look like, but it's essentially a lot of times it's a pen test, but they give you a little bit more information. Right, they're like we did a pen test and we shared additional techniques and the tools and we talked you through what we're gonna do and we checked to see if you detected it. Um, they're not necessarily like sitting with you in the SOC. Now, maybe some folks do that right, but a lot of times they're red teamers and they don't understand the blue team. Right, they don't understand the detection side of the house. So they can tell you what they did on the offensive side, but they can't really tell you how to fix it. But they can give you more information about how they did it. That maybe helps you do that.
John:So you pay all that money for them to come in and essentially it's a pen test with additional things to it. But I mean, I really like being able to do this on a regular basis, like cause. Then you got to, you know, how often can you do that? You can only do that so often, a full, you know, bring in an outside party, if you're just doing this continuously, right, trying to be proactive.
Max:Yeah, and it's the same thing with, like, nessus, you know, nessus, you know, although I have my problems with Nessus, it's like. You know, fundamentally that's the same thing. It's like we have these known exploits. Do the known exploits work? We can run this continually. Um, you know b-bot? Uh, black lantern's b-bot is like an attack surface mapping tool. Um, you know, you can run that. You know every single time. Uh, you know very quickly, in a very automated way. Um, but if I, I'll give you my dissertation on evaluative metrics because I I am, like, obsessed with this idea. So it's SOCON 2024, which is like the Specter Ops Conference. One of the talks and I think this is one of the best talks for recent memory it's Dreadnode's Ghosts on the Node, and Dreadnode is this really cool company. They sit at this intersection of AI, ai and um security. So two of the guys that work there, that founded it, uh, are will pierce and nick landers. Um, you might have heard their names before their uh nick landers has done.
Max:You know udrl, he's done a lot of like windows, windows security research. Um will pierce has done done a lot too. So they got really into AI recently and they started this company. Dreadnode gave a talk and I just wanted to go see this talk. I was at the conference, I just wanted to go see this talk because I really liked those two guys and I really didn't know anything about AI. I was very much an AI skeptic and after their talk just I wasn't anymore.
Max:And one of the big things they talked about was this idea of like LLM evaluations. So you know the idea of an evaluation. There's a white paper called GEval that goes over into how, like how llms can evaluate other llms, um, and the basic idea is you have, you know like llms are like stochastic or like random, uh, you know you give it an input message and it outputs, you know, a, something that's comprehensible but kind of random and so using, if you can create a second system or an evaluative system to evaluate whether that first you know the response from whatever prompt was given and the output, you evaluate whether that output was good or bad, given some sort of circumstances, and you can tune that eval to be as good as a human. So you go through this process of getting the evaluation as close to human evaluation as possible. So this is so fundamental to modern LLM usage because you need to know whether your system, prompt the context you're giving it, is correct or not. So I listened to that.
Max:I think that was early this year, maybe January or February of this year, and then during the hurricane, there was a big hurricane in upstate South Carolina, North Carolina, and I lost power for 15 days. So I went up to Knoxville to go see a friend of mine who's a chemistry PhD. He's a friend of mine from high school. He's doing chemistry. I got to take a tour of his lab. I got to smell all the bad-smelling chemicals. It smelled like feet, it smelled like a corpse.
Max:But then we got to this room and he's like, hey, I'm about to open this door, I'm about to unlock and open this door. Besides the physics department, they have a room like this, but in the chemistry department this is the second most expensive room in this entire building. And I was like, okay, let's see what it is. It's like some crazy chemical thing. He opens the door and it's all these gray boxes and it's like wow, this sucks, this is like so boring.
Max:But it was all their mass spec machines. It was like mass spec. I'm not a chemist, I don't know what these do, so I'm like so what do these black boxes do? They're like well, they tell us exactly when we create a chemical or create a metal, like they tell us exactly what we made. So, at the end of the day, like these mass spec machines, the most expensive machines in this building, are evaluative machines, and you know those are physics evaluates. You know they have their own like electron scanning microscopes. Chemists have mass spec machines. Um and so like, evaluation is such a core part of like pretty much every industry. Uh, you know, like from LLMs to, um, you know chemistry, physics, all the natural sciences. I mean that's what education is like, that's what testing is.
Max:Uh, you know we're trying to figure out like, do you know what you're doing? Like those are all evaluative metrics. You know, kind of everywhere you see, evaluation is like a very important thing to know if what you did was correct or not. And in cybersecurity we sort of have the same thing. We have like red teams, pen tests. You know these are our evaluative metrics for, you know, is our network secure or is it insecure? And I think we're starting to get it to this point where, you know, it kind of started with Nessus. There's probably earlier iterations that I'm too young to know about that are similar to this, but you know, now we have BloodHound.
Max:I think BloodHound is like a great. I don't think they'd, you know, sell it in these terms, but it's like right, it's an evaluative metric for?
Max:um, you know Active Directory and Azure. Um, you know we have Detect, which is like an evaluative metric for do you have, uh, telemetry? Can you observe, detect or prevent, um, you know, a threat in your environment? You have BBOT that does attack surface mapping. Again, Nessus. So I've been super obsessed with this idea for the last. I've been kind of developing it for the last six months, but I think it's so important for security. We have this network set up that's almost random. I mean, it's stochastic in a way. It's like people wanted different technologies. They made political maneuvering to get a server set up. So how do we then evaluate whether this network is secure or not? There's just more efficient options these days than we've had before.
John:Yeah, and last thing I'll say about this is I think it's great, thank you for sharing that, is it switches the mindset from defensive always, you know, always defensive, thinking about we got to stop the bad guys, we got to stop the bad guys, yeah, to offensive minded, right. How do we be proactive? How do we test ourselves? How do we set that up as a continual evaluation to test our controls? And that mindset switch is important because when you're in, you're fighting fires all the time, you're fighting off the adversaries all the time. Um, you kind of feel like you're. You know you are a firefighter, you're waiting for the next fire, right?
Max:Yeah, and you don't know. I mean, if you could get a percent score of like you take all of these things, you have your Azure setup, you have your Active Directory setup. If you could get a score for that and say, like we were at 15%, we suck, we're an F and we can get up to a C, get up to, you know, um, you know 70% or something like that.
Max:I mean that's progress. That you, as a uh, you know someone managing a SOC or just managing a security program uh, it's like you can actually see progress, which is, you know, I feel like um a really difficult part. It's like do we know, do we know we're making progress or not? Um, and if you just get, you know, your your feet kicked or your teeth kicked in, um, you know every, every year, during your your yearly, uh, you know, pen test or red team, it's like that just doesn't, doesn't feel good, it feels like you're not making progress at all.
John:Um, yeah, no, that's great. Yeah, so last we're wrapping up here. Last thing we wanted to ask is just what do you, what have you recommended, or what do you recommend for people? I'm sure you get questions like, hey, I want to do what you do, or I want to get in cybersecurity, um, you know what skills or path, or you know what do you say when people ask you that question?
Max:Sure, I don't know, I think it's. So it's kind of a hard question to answer because everyone needs something different, which, you know, I think is why I mean the whole point of your podcast. Like mentorship is so important, um, and actually I'd be interested in hearing like, uh, or we can do this later, but kind of how I define mentorship is, like you know, someone who provides you inspiration and also tailored advice. Like not just generic advice, um, but like tailored advice to, you know, uh, you have, you know, um, like you're deficient in this skill, like this is what you want to do. You know, to get to this point, you need these skills, you need to talk to these people, so on and so forth. So, you know, I think having tailored advice is a lot more useful than, like you know, generic advice. So, like having someone that can like mentor you, I think is, uh, is important, even if you don't see it as like a mentor relationship. It's, you know, getting tailored advice.
Max:I think it's really important. But just generically, um, you know, I think, uh, having a strong network is is helpful. Um, I just networking generally is really helpful. From what I've seen, a lot of jobs are filled by personal recommendations and they never even make it out publicly. It's like, hey, I need this person, this person is world-class at Azure, let me go hire them, talk to them, hire them instead of putting out an open job opening. So that's really helpful, just knowing people.
Max:But then, as sort of a prerequisite to that, networking is really only useful if you have desirable skills, uh, or like a good personality, um. Yeah, if you don't have either of those, you know it's like if you're just a dud, you know a potato personality and you don't really know anything, it's like networking's not going to be super useful to you, uh, uh. But you know there's really great ways of sort of like building a network, um, of you know, kind of showing off skills that you have. I think, like social media is a great way to do that. I think people call this building a personal brand or something like that.
Max:But using social media, writing blog posts, learning things, actually learning things, because again, that's very much a prerequisite, um, like learning things and then writing a blog post about it, uh, was really, really helpful in my career to kind of show off like actually I do know things. I'm not, you know, I'm not just here, um, and then giving talks, uh, you know, about anything you're interested in. Uh, again, just to show off like, no, I do have skills, I'm able to talk about things that I've learned before. I think those are pretty important. I'll give an example. Nick Powers and I did a talk at BSides Charleston this year about video game security.
Max:So we hacked this little video game and neither of us are video game hackers. It was just something we decided to pick up. You know it's not really useful for, you know, our daily job, but it was just fun and like something we learned. So we were like, oh, you know, this is something we learned. We're not the best video game hackers. Like, we're red teamers who, you know, decided to pick it up. Um, but we learned something and so I'm going to guess that someone else will find benefit from that, um. So we decided to give a talk and, uh, you know, I think that's useful. You know, building a brand, um, something like that.
Max:And then again just having the required skills. I think going deeper is better than wide for the most part. If you're interested in Windows, Microsoft Windows security, being able to read protocol documentation, because all that's public, just getting deep skills of, like, Active Directory, how does it actually work? Like how does, you know, what are the packets that are being sent over the wire when you perform authentication? Like, how does Kerberos work? Like those are the things that are impressive and, you know, really useful on a job.
Max:So, yeah, I think generally like having a good network, having skills, um, and then, you know, learning how to actually market the things that you learned, uh, through social media, blog posts or giving talks.
John:That's really good. We talk about a lot of those same things all the time. Yes, oh, I bet yeah and I do think your definition of mentorship is is great. You know, that's one of the first things we ask is like well, what do you want to do? You know? Like not just general, but you know actually what. And some people will say, well, I want to do information security.
Max:I'm like that's very like low. Well, this sounds bad, but it's like very low quality thinking. It's like you know, just take a minute, what interests you about cybersecurity? You know why do you think you like it and then go pursue it, Like you know, dig into that. Whatever that interest is, Dig into it, try to get really good at it and if you find that you don't like it, I those skills are still going to be useful.
Steve:Um, you're trying to jump on to the next thing yeah, it's tough too, because sometimes a lot of people don't know. A lot of people don't know the different layers that are in security.
Steve:They just see security as one thing and they're like, oh, cybersecurity. They see it in a TV show or in a movie and they're like, oh, I want to do that, but they don't really fully understand all that comes or all that's available under this, you know, cybersecurity umbrella. So it's, yeah, it's fun. I have found it fun to help people identify areas that they're interested in that they did not even know were. Like oh, I could do security in this? Yes, you can. So that's cool, yeah.
Max:Yeah, there's definitely a lot of sub areas of security, uh, so that's cool, like trying to navigate people through that. All right, well, Max, this has been great.
John:Very good. Thank you. It's good to see you again and talk through your story and I learned some stuff that I didn't know. That was really cool.
Max:Oh, sweet yeah.
John:No, you did a great job and really appreciate you coming on and sharing some of your experience and wisdom.
Max:Yeah, I appreciate you all having me. It was super, super fun Awesome.
Steve:Where can we find your hacking game? Hacking game talk. Is it out somewhere?
Max:Oh yeah, it's. Uh, if you find the BSides Charleston, um, YouTube channel, they have, okay, I think it's called, uh, Doen't Play Fair, spelled D-O-E-N-T. Because the video game we were compromising was, uh, you're a deer, so Doen't Play Fair.
Steve:Uh, BSides Charleston, something like that. Okay, awesome, I'm gonna check it out. Yeah, yeah, you should. Yeah, the audio quality on.
Max:It's a bit messed up, but just disregard that. We'll do. We'll do, yeah, yeah. Well, thank you so much. It's seriously, seriously, such a pleasure. Yeah, yeah, definitely. Likewise.
John:Thank you. Good catching up. We'll have to have you back, for sure, yeah.
Max:Yeah, yeah.
John:I love that, all right. Well, that's it Signing out everybody. Yeah, until next time. Thanks for tuning in to this episode. If you're looking for personalized mentorship, click the link below to sign up for a free consultation with us.
Steve:Yep, during this session, we'll talk about your goals, your challenges and how we can better help you. This may include reviewing resumes, career advice, setting up action plans that are tailored for your needs. Yeah, at Cyber
John:Professional Services, we're here to guide you at every stage of your cybersecurity journey.
Steve:That's right. So keep learning, stay secure and we'll see you next time. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
John:Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.
Steve:Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast, and follow us on LinkedIn. We'd love to hear from you. Until next time. I'm John Hoyt and I'm Steve Higuretta.
John:Thank you for listening.