Cyber Insecurity Automated Hacking & AI

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
so texas sometimes but yeah sometimes you don't know until you see it you know you get out there and see some of these videos and you see some really cool stuff and and don't always trust just because this one person you saw their presentation on pen testing it looks boring you know some people write in a different way you know some people just suck at presenting [Laughter] so so texas kenny is is somebody gave texas kenny my script for tonight he says are you are you afraid that ai has the potential to knock out a large portion of security jobs in the future don't answer that one we're going to answer that one when we kind of go into our next section like i said somebody you know maybe texas kenny kenny hacked my uh my my one note and and stole my stuff for uh for the stream tonight so with that being said i think what we'll do is um we'll go ahead and head on over to definitely our next topic for tonight um um let's talk a little bit about um uh kind of about artificial intelligence and things like that and so you know as with anything i've got stats and things like that that i go and aggregate to try to keep uh keep the stream backed in in science right so trend micro recently predicted that in 2021 they expect artificial intelligence um to to start to replace humans in cyber security all the way from now until about the time of 23 20 30 so that's a small little minuscule nine years away from now now we've already seen adversaries adapt to adapt ai technologies to accomplish things like their efficacy and phishing campaigns there's there's one really good notable example that i do want to call out right which is um the wall street journal reported that um a set of cyber criminals had employed ai-based software uh to replicate a ceo's voice uh to basically facilitate in a bec or a business email compromise and transfer about 250 000 dollars out of a uk-based energy company and again they used ai-based voice technology as part of this vision campaign in buc and so my question to you to you philip is um now if we can agree right that that pen testing red teaming um you know should be making the best efforts to simulate real hacker ttps how long is it do you think before we start to see the use of ai in our ethical hacking training yeah i think that i think where it's going to help is i think really it's going to help with the tools i mean i don't see anything in the short term when you look at vulnerability scanners you know they're not 100 percent foolproof you see false positives and when you look at web application pin testing you know a lot of companies dropped using a lot of consulting companies dropped just using web app vulnerability scanners and went to to like burp suite to do more manual testing there is some vulnerability scanning functions in it but one of the things we were finding you know one of the companies i worked at my first consulting job we used uh web inspect but there were so many false positives we had to rule out in my next job that i was a consultant at they had quit using the vulnerability scanners and just went with burp suite because there were so many false positives so i kind of compared to that you know they had you know it's hard to find a good vulnerability scanner that's doesn't have false positives so i think what it's going to do is it's going to improve the tools i think it's gonna the stuff the low-hanging fruit the stuff that's really time-consuming that's kind of annoying i think it's gonna replace those things but doing the more manual stuff the more adversary emulation kind of thing i think is going to take more uh actual manual efforts i think it's just going to help help enhance the tools but i don't think it i don't see it replacing anyone any anytime soon maybe like purple team engagements uh emulating you know a malicious actor threat actor emulating those things to test the responses i could kind of see it on that part but i just i really don't see it replacing anytime soon maybe it will at some point but i haven't seen any evidence that but it's going to totally replace everyone right away you know let me let me let me pull on that just a little bit though and before we get to that i do see inside sources thank you very much for the the five tier one subs but you do see that you're out placed on the leaderboard there inside sources i just want to point that out that you're you're getting outpaced on the leaderboard um what do you think a world where you know we start to see you know ai into metasploit or ai into our cobalt strike or ai into our empire c2 and post exploitation frameworks do you think that we'll do you think that that we'll ever see ai into those mechanisms and those frameworks or do you think uh do you think those frameworks will still kind of stay true to hard and still be very manual in that regard i don't know maybe not those directly but i think a competitor for sure someone that's a competitor to it because one of the things you know as you've seen over the years how some of these tools have really eliminated the need to really have to be able to script you know at one time you really need to know how to do perl or python now burp suite automates a lot of things like brute forcing logins that doesn't require you to script things anymore so i see some of the tools and you know like the professional version of burp of not burp suite but i would say the professional version of metasploit you know maybe if they their competitors are starting to use ai maybe they integrated that to make the tools better if those tools don't directly do i think their competitors probably will because you know just seeing the different exploit frameworks come about at one time you had to manually exploit things you didn't have so as things gone has evolved just like your vulnerability scanners and your other tools to mod to to automate make things easier i think it's just a matter of time before you start seeing some of those and then it's just a selling point for someone to you know try to beat out metasploit for some you know sell professional you know because you see some of the places out there like some of the different emulation tools because when i was working at the company uh the consumer product company we had several people trying to sell us products that they said could emulate red teaming that we could use that and when you really dug down into it it did some of those things but it didn't really replace it would be something that you could use along with what you're doing yeah and let's let's let's be clear right we're you know we've got a i do want to kind of cover what you're talking about here in a little bit there's a distinct difference between automation and using artificial intelligence right and machine learning and things like that to do it so so if if an adversary is using ai to do phishing campaigns um do you think you know again getting back to skills to learn and especially for you know even maybe some aspiring pen testers who are listening to the stream or even some pen testers or red teamers that have been doing this for a while do you think they should add artificial intelligence to their repertoire as they go about you know trying to to add some level of that to to some of the pen testing work that they do yeah i think that would be a good idea because if you're one that's good at writing your own code and scripts and stuff like that maybe you can learn ai and come up with ways to to you know speed up your process i in that same study regarding ai they did find that 24 of it leaders claim that by 2030 data access is going to be tied to biometrics and dna data so we're back on this biometric kick that we've been on for years right and and of course these it leaders that they interviewed as part of this survey right um are claiming that these biometrics and dna data tagging and things like that are going to make unauthorized access impossible um now i know hackers and offensive security folks love love to hear the word impossible when it's associated to something getting hacked um what's your thoughts on this and what's what's what's kind of your thoughts on us continuing to say that biometrics and dna data are going to prevent things from from being hackable well i'm going to say my prediction as it is always embarrassing one they're going to say hey hold my beer and they're gonna do that because i mean it's like wasn't it mac john mcafee that had the one uh digital wallet that couldn't be hacked and he said no one could have put it out there and it got hacked you put the dare out there the right person takes up that dare you're someone's going to figure it out you're going to slow down and improve on some things but someone's going to figure out how to act out i mean you figure hacking systems 20 or 30 years ago it wasn't as complicated as it is now although we have tools to make things easier but you know it's there's always someone that figures out how to do that is it's so so i see the question on screen i'll ask that question here in a second i want to i want to make a statement about the ai thing and kind of getting back to the questions asked before about if if we think that we're going to see ai push a lot of us out of cyber security jobs um i guess i guess i would almost take a stance that you know this is this is the the modern equivalent of folks who are worried about robots replacing them on on on the product line and i would say if you're worried about ai replacing you in your cyber security job maybe you haven't graduated to level two of where you need to be to be value in your organization is that too harsh for me to say or what would you say about that yeah i think that's good one of the things also too if you're worried about ai you know replacing it just like you were talking about robots replacing jobs get into ai build the robots yeah look at people there's all sorts of jobs and robotics yeah so build the build ai that's replacing you you know that's right so that leads us i think to the question that did pop up on screen front from from g g called zero one two said with that being said is it necessary to know coding in cyber security it's not necessary but it can be very helpful if you're you know a red team or a pen tester it'll make you a lot better because you look at all the people right creating the tools out there they know how to code you know you take a lot of these really talented people they're able to create some script you know this is how you're finding the o days and stuff so if you're not wanting to find the o days and that sort of thing you'll be fine you can get by without it a lot of these tools have made it easier to do it but if you really want to be really good then it's good to to learn how to code and don't let that hold you back from getting into the industry you can learn coding as you go along and there's a lot of good pen contesters that don't know how to code but so financially i want to pick on that a little bit because and i just i just caught inside sources to say it out the corner of my eye right you know coding versus scripting you know what's the difference between coding and scripting and kind of what's your take on you know where do you need to be in those two arenas yeah coding just to kind of simplify like coding you're writing programs full-fledged programs something that could be compiled your scripting is more like you know smaller one function type small programs that don't have to be compiled so i mean most people i mean scripting is definitely and you know you should get to at some level in your security career coding necessarily build right programs you don't have to necessarily be there most people get by with just writing scripts but one of the things i say as far as languages to learn that i would recommend is go golling okay because you can compile it and you it's almost like a scripting language it's got the simplicity of python but almost as powerful as c you know c because you can compile the code it's portable so you can create portable executables that you can compile it on mac to run on windows or run on linux without compiling those systems so so if you want to learn a language so you can kind of do some small programs scripting style and compile it in googling so um so so it's funny you mentioned that i've had people one of the one of the common questions that we get asked when we start to venture down this coding and scripting languages is what are the three what are the three languages that you should learn so i'll ask you this for everybody who's listening because obviously i've given my take on this as well if you had to list the top three you know that you think a a pen tester should at least familiarize themselves to like a 100 level or 200 level set with what would be your three languages that you think are important for them to learn scripting or coding yeah i'd say scripting or coding especially from pen testing perspective python golang and c-sharp okay because you're in prize environments are using c you know using c sharp and some of the power shell exploits aren't working so more people are getting into the c sharp sided side of things you know most a lot of the environments are pretty heavy microsoft so i think that currently would be a good skill set all right that that's awesome that's definitely vastly different than mine i think i said uh i think i said uh you know bash scripting powershell and python for for those three um i i didn't think about the c-sharp uh versus the the the powershell thing so that's uh uh that's an interesting take on that it's good point good point um question from chad um it's my understanding that my biometrics just creates an underlying hash for the fingerprint am i wrong yeah i'm not real clear i would i'm not really clear on that but i would yeah that yeah i'm really not really clear on the biometric stuff so yeah that's pretty fair i'm not i i wouldn't know too much about that as well that seems that seems legitimate but i think it's i think the math comes really when it comes to the underlying hash i think the math comes in you know the the finite details either of your fingerprint or your eye details or you know you know something like that but yeah i'm not i'm not overly familiar with that one either but as far as it being breached or something it would be kind of like your captchas because your captcha is supposed to secure things but people find workarounds for captchas so probably the the same type of thing you just have to make sure you've got a secure implementation of it well and i think i think that brings up a good point right because you know you look at you look at bruce schneier who's a brilliant you know mathematician cryptographer right and and he tells you you know i think he's got a saying that says trust the math right um it's it's never the crypto that fails um although there's been some cases of crypto failing in the past but but for the most part it's the implementation of the crypto that ends up uh ends up breaking i think probably the same could be said for biometrics yeah i would would agree with that okay um heading back over to uh you know kind of our kind of back onto our topic on on artificial intelligence um um actually i want to kind of i kind of want to move on to to a different topic uh you know and you kind of led into it you know a little bit and it's really around this topic of of automated hacking and yeah i use i use my air quotes with that one and so when we talk about that conversation around artificial intelligence and again i said you know let's not confuse artificial intelligence with automation right um you know we see the rise of companies like safe breach attack iq simulate you know they've all broken into this industry with with kind of this no you know known as this breach simulation or adversary simulation tool um you even have companies like uh pcys pisces right um who straight up claimed to do a hundred percent automated penetration testing um do you view companies like this as an innovation in penetration ethical hacking space or do you find them offensive and more blasphemous uh when you see them advertise the way they do i think yeah i think it could be good and bad you know i think these tools could be leveraged for good but i think the problem is is the consumer education a lot of these c-level executives or directors are going to hear this and they may believe it and buy it thinking it's going to give them all this that in my opinion from what i've seen what it was what it's going to do is this going to let you do some adversary simulation with less experienced people but it's not necessarily really going to do what a true red team is going to do and i think sometimes people get confused because one of the things i i noticed when i was a red team lead this company that some of the managers and some of the people the technical staff didn't know the difference between a vulnerability scan a vulnerability assessment a pen test and a red team engagement so i think it's sometimes it's easier for someone to come in and explain this maybe they're not trying to be misleading or they really think it's this and someone buys that hook line and sinker and they gets it they get this tool and it's not really going to give them everything they need i think these things could be used to along with your manual pen testing and stuff to help things out but i don't say i would really depend on it to totally replace pen testers with with that in mind i think you bring up a really good point too right which is um you know these these companies are obviously you know maybe i'm being a little cynical about this right they're trying to ride that that vc wave or they're trying to ride that money wave that we have in cyber security and so they're they're out there putting money behind their marketing efforts trying to get in front of csos and and make these as valuable tools and things like that to cesos um you know would it be fair to say that that companies like this potentially pose a risk to our to our ethical hacking community because their voices might potentially be louder than say you know you know folks who are offering penetration testing consulting services and things like that yeah i think it i think it could because a lot is the consumer you know the educated consumer and you know you know being a security director or cso you can't be expected to know everything in depth so someone comes along and really does a convincing demo then you may pass on that think okay i can get this product for 500. 500 000 a year and my pen testing needs are a million dollars a year and you're going to think oh that's a no-brainer and not really see it as something to help enhance your program but replace it so i see where it could cause some some confusion and and you know possibly you know affect some companies getting some work pin testing work or prevent companies from building a pen test team because they think they can buy this tool to just automate everything what's what's the conversation you're sitting across from me i'm i'm cecil a fortune 100 company and i've got i've got attack iq or safe reach here telling me that they can do my breach simulation or my my automated penetration testing and i've got you telling me that that you can do it price not an issue price not an issue why do i why do i hire a pen tester well with some of the with pen testers you can actually get people that can come in they can actually perform an oh day against and i know some guys that are consultants that it's that's actually local here in in the dallas area that they've been on pentest and they've discovered multiple o'day exploits so your your automated tool is not gonna do that it's only gonna do what it's fed so that sort of thing there's some things that the automation may not find i mean it's just like when you're testing an application it could be identical frameworks same programming language and all this but the developer puts it together that flows a different way and you know automation doesn't always take an effect that so you need you know the manual the manual testing there as well be able to go through and go through the logic flow the business logic of that application so i'd say the same thing with with a tool like this for up to the minute cyber security news make sure you follow and subscribe to the cyber insecurity channel on twitch and youtube also make sure you turn on those notifications so that you know when we go live you
Info
Channel: Cyber Insecurity
Views: 1,220
Rating: 5 out of 5
Keywords:
Id: 9FLocOXQC6o
Channel Id: undefined
Length: 20min 25sec (1225 seconds)
Published: Thu Jan 21 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.