A Conversation with IppSec: Learning To Think Like A Hacker

IppSec, an employee of HackTheBox, discusses the importance of knowing how hackers think in order to defend against and withstand attacks.

Mike welcomes hacker enthusiast IppSec, currently working at HackTheBox. Join us as they discuss the importance of understanding how hackers think to defend and withstand attacks. In his training videos, IppSec prefers to go beyond methodology and encourage critical thinking and reasoning when approaching hacking, noting hackers have to go beyond the apparent.

SHOW NOTES

Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In this episode of In Scope, The Healthcare Security Podcast, Mike Murray welcomes a special guest. Going by his Twitter handle “IppSec”, he has become widely known on YouTube for his training on hacking and Capture the Flag events. Rather than focusing solely on exploitation, IppSec’s videos primarily offer training on hacking methodologies, providing valuable education on how to think like a hacker.

IppSec was a system admin, blue team pen tester before the challenges brought about by the pandemic forced him to seek opportunities elsewhere. Today, IppSec works for the cybersecurity training platform HackTheBox.

Asked what drew him to the HackTheBox community, IppSec appreciates the fact that the cybersecurity community attracts a large variety of individuals whose areas of expertise run the gamut. At HackTheBox, these wide-ranging skill sets get put to the test.

IppSec defines Capture the Flag, or CTF, as an avenue to level up one’s hacking skills in a gamified way, and the goal is to achieve a certain privilege on a machine. IppSec says, “Security, to me, is all about being able to read beyond the information displayed to you, and make a guess as to how something works on the backend.” CTFs, he says, teach just that.

Mike notes that IppSec incorporates this skill set into his own YouTube videos. “You’re not giving away the answers. You’re showing how you think.” Defending against an attacker is difficult if one is unable to see into that attacker’s mind. This is why IppSec favors honeypots seeded with credentials, which lure hackers and yield valuable intel from their behavior.

In fact, IppSec would sooner use a honeypot than deploy an EDR, which requires a lot of care and feeding compared to the former. “You tell the web server to set up an alert whenever someone accesses it, and then you forget about it.” The amount of upkeep and overhead that a honeypot creates is so much smaller than that of a fancy EDR solution, not to mention that a team needs to manage and keep eyes on the EDR once deployed.

One honeypot that IppSec recommends is hosting cloned decommissioned web pages to see who logs in. He adds that the ideal time to harvest credentials is when a web page is decommissioned rather than when it is in production.

Finally, IppSec speaks on how he believes the cybersecurity industry can continue to improve and evolve. “My favorite thing about this industry is how wide it is, and how you can pretty much bring any skills that you have from a previous job into the industry.” He refers to one of his favorite books, How to Measure Anything in Cybersecurity Risk, which was co-authored by Richard Seiersen (alongside Douglas W. Hubbard), who has no background in cybersecurity at all.

Mike concurs: “If you haven’t done the offensive training—if you haven’t learned enumeration—you don’t have the right instincts.”

TIME STAMPS

– An introduction to IppSec.

– A primer on the HackTheBox community.

– What is a “CTF?”

– Other benefits of CTF to the hacking community.

– Grasping the mindset of an attacker.

– Why honeypots are one of IppSec’s favorite techniques as a defender.

– Why IppSec would sooner use a honeypot than deploy an EDR.

– Using decommissioned web pages as honeypots.

– How the industry can improve.

– Richard Seiersen on CVEs.

– How to connect with IppSec.

0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security podcast. Each episode, we bring you interviews, technical tips, and a unique point-of-view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

[music]

0:00:20.1 MM: Hi, and welcome to this week’s episode of In Scope, The Healthcare Security podcast. As always, I’m Mike Murray. And this week, we’re gonna go into a totally different direction that I bet a lot of you out there listening have really never explored. It’s one of my favorite parts of the information security community, and we have with us an incredible guest. He goes by IppSec. Love it when hackers go by their handles. I wish I could still do that myself sometimes. He has become widely known on YouTube for his training videos around hacking and Capture The Flag events. And so, I just wanna explore the entirety of that space and all the cool things he’s been doing. So, IppSec, man, welcome to the podcast. In your words, tell everybody who you are.

0:01:03.1 IppSec: I really hate talking about myself. If you ever watch my videos, it’s on YouTube on IppSec. But the best way to go about my videos is go to a website I set up, ippsec.rocks, and you can just type any phrase you want relative to security, and hopefully you find a timestamp of me talking about it in a video. Most of the things are tech-related, but in the videos, I try to teach more methodology than actually… How to actually exploit things. As a side benefit, you learn how to exploit things like… Name any big vulnerability out there. Like, I guess Log4j is big. That’s definitely on my channel. I have a bunch of things. But I think one of the things I do a lot more uniquely is after I do the exploit, either I’ll dig in to show all the things we could have done to enumerate it, because with that one in particular, finding the Java version, things like that, that can make your payloads unreliable.

0:01:52.9 IppSec: So, I dig in to exactly how to poll that, so you can see the version before you throw the exploit and identify if it should work or not. I now work for Hack The Box, which is a training company. I joined them, I believe, this time last year. Before I was working as a sysadmin, blue team pen tester. It was one of those jack-of-all-trades type roles. But COVID didn’t translate well, and I had done these videos for the past, I think, four years. Maybe five years? And I was like, “Let’s try Hack The Box for a remote job, because I do it 10-20 hours a week anyways.” And it’s been a blast.

0:02:29.9 MM: Well… And for the audience here who is probably less the folks that hang out at DEF CON and do CTFs for fun, tell the world what that whole part of the community is about, because it’s such an interesting and neat and vibrant part of our world. And if you haven’t immersed yourself in it, you don’t even really know what it’s about.

0:02:48.8 IppSec: So, this is gonna be one of the crazy things. I haven’t been to DEF CON since 2009.

[chuckle]

0:02:56.2 IppSec: But the community is so large, you expect any hacker in the community to go to DEF CON. But there’s so many other conferences, like DEF CON has a bunch of chapters, there’s BSides, there’s… By me, I’m in DC, I have ShmooCon, BSidesDC, BSidesCharm, which is Baltimore. There’s one in Delaware. Outside of that, there’s a Nova one, and there’s a few other conferences… I’m always mixing it up, because I don’t have to get on a plane and I can somehow get to a conference every single month of the year, given we can travel and everything’s running, which is just crazy to me.

0:03:32.3 MM: In the normal times, right?

0:03:33.7 IppSec: Yes. The thing I love about this community is security is such an open-ended field, you have people of all different types of skill sets. DAkacki or Daniel, I exactly don’t know how to pronounce his name, ’cause I really rarely talk to him. He’s the one that actually sponsored me to come onto the show, I was gonna go on his Twitch stream. He was like, “I’m now working for this company. You’ll enjoy these people.” I was like, “Sure, let’s have at it.”

0:03:53.7 MM: By the way, his Twitch stream is fun. I’ve been on a few times, and it’s a totally different vibe than this podcast, it’s the, like, “Let’s have a cocktail, and shoot the breeze like we’re sitting at a bar in the lobby.” Like, Shmoo’s lobby con or at Black Hat or whatever, or RSA even. And I love that vibe, and we’ll be doing more with that. We’ve sponsored some stuff with him before, and now that he’s an employee, it’s easier to do that stuff. I love Danny, and it’s fantastic. But super excited to have you on too. But for those out there, what is a CTF, right? And how are they built, and what is it all about? If you’ve never heard of a CTF before. Tell us about it.

0:04:30.1 IppSec: Yeah, CTFs are like a gamification way to learn hacking. It stands for Capture The Flag, and essentially the goal is to achieve a certain privilege on a machine. So, they put, like, normally a MD5, some… Just some secret phrase in a user’s directory or in a privileged area of the application, and the goal is to find a way to get that. And they often do it through some type of exploit or just misconfiguration, and finding a good CTF can be really tough, because just how you get there. One of the things that CTFs really teach is enumeration, and it’s really hard to teach people enumeration without hampering that. One thing you’ll see commonly in CTFs is something called like todo.txt on a web server that says, “Hey, the web server’s running this version, I haven’t updated it.” And that can be great to guide people along, but it really hampers their enumeration, because they could have got that elsewhere, right? They could have triggered an error message on the web application, and saw it in the metadata there, they could look at Nmap and see the server. There’s a lot of different ways to see that hidden information. If you just get told the information, it’s ruined.

0:05:44.4 IppSec: Like, one of my favorite ones is people that run like Apache in front of Tomcat or Nginx, and in that specific configuration, if you blacklist, like, /admin or /manager, which is Tomcat’s management interface, via Apache or Nginx and don’t do it in the Tomcat config, there’s a server-side request forgery or maybe a URL-parsing bug, I don’t know the exact terminology. But it lets you bypass the blacklist on Apache or Nginx and still hit Tomcat. And if you’re just doing an Nmap scan, you see, “Hey, this server says it’s Apache, let’s move on.” But if you cause an error message, you may see Tomcat. If you look at the cookies returned, you see JSESSIONID, and security to me is all about being able to read beyond what information is displayed on you and make that guess at how something works on the back end, and I think that’s a good thing that CTFs can teach.

0:06:37.6 MM: And it’s almost like puzzle solving, right? It’s almost like… And sometimes giving people too much of a clue as to how to solve the puzzle is ultimately gonna keep them from learning how to solve it themselves, right?

0:06:48.3 IppSec: Yeah. And one of the big problems with CTFs is if you don’t get it, it’s really frustrating to say, “Hey, this puzzle just sucks.” But CTFs are often created by people in the security community, and it’s their way to say, “Hey, I did this really cool thing on this engagement. I can’t really talk about it, because I can’t say who this was and who was vulnerable to it, but I can take the problem I solved on their network and make it available to the public.” And that’s also one thing that I think CTFs do really well, is have a way to give anonymous vulnerability feedback to everyone and bring everyone up to the same page.

0:07:29.7 MM: Yeah, absolutely. And so, it’s funny, ’cause I think there’s so… There’s such a big swath of our industry that’s never participated in these, and I’ve always believed that being on the defensive side is really hard if you don’t know how to be on the offensive side. If you’ve never learned… As you’re talking about enumeration, right? If you’ve never learned the skillset of enumeration, knowing how an attacker is gonna enumerate your environment is a lot harder, you don’t have that visceral sense. I’ve always likened it to trying to learn karate and only learning how to block and never punching anyone, right? And I think that our industry needs more of that. And what I loved about your videos… I was telling IppSec before we got on that I spent a bunch of hours recently watching his videos. And what I loved about them is you’re not giving away the answers, right?

0:08:15.3 IppSec: Yeah.

0:08:16.9 MM: You’re showing how you think.

0:08:16.9 IppSec: Yeah, and I think you kinda hit the nail on the head with, like, it’s really hard to be a defender and defend against attackers without understanding their mindset. Because, like I said before, I came from a blue team background… And maybe I was purple team, I don’t know exactly. We didn’t really do that whole thing. But I always did these CTFs on the side, it wasn’t really until recently that I actually became full-time into security. There was like a pivotal moment where I was actually going to move to Korea to do e-sports or go into security, and I went into security. So, here I am.

0:08:51.9 IppSec: But different tangent, going back to defending against attackers. Oftentimes, I see some blue team discover an attacker, but then decide, you know what? They’re just running the command like, “whoami,” “net user,” they’re not malicious. Not realizing attackers don’t use these super spooky commands, they just use the basic commands. And one of my favorite detections is at my last place, we set detections on “whoami” and “hostname,” because it’s very rare for defenders to actually run both those commands. “whoami” is more rare, because they know who they are, but attackers normally won’t. So, they’ll often run that, and when you see that at the start of something, it can be suspicious. It doesn’t mean it is suspicious, because software applications all the time will just run “whoami” for whatever reason. But they do that in a repeatable way and you can start filtering out that noise. So, when you get an unexpected “whoami” that should raise some type of alarm bell, right?

0:09:48.9 MM: Right. Actually, that’s such a great example, because people… And you nailed it. Unless you’ve done a lot of this, people think that attackers have this sort of black magic voodoo, and it really isn’t most of the time. I’ve had friends over the years, “Oh, it must be so cool to be a hacker. You must do all this amazing stuff.” And I’m like, “Yeah, I basically run system commands most of the time.” I’m doing the same stuff I did as a system administrator, just on somebody else’s machine, right?

0:10:14.8 IppSec: Yeah, I’m actually reading the documentation the company puts out, and noticing, “Oh, they put this password here. I’m gonna try it. Oh, there we go.”

[chuckle]

0:10:23.3 MM: By the way, that’s a favorite topic of mine. We talk about that on the podcast all the time, because in the old days, if you don’t know this, and it’s one of my favorite things, the life… Useful life of most medical devices is in the 10-20 years range, and from about 2003 to about 2014, almost every manufacturer printed their root passwords in the manual, and the root passwords were hard-coded in unchangeable because they were hard-coded into scripts and code. If you wanna pop medical devices around the world, go download all the old manuals. You will find all the root passwords, and I can pretty much guarantee you that most of those passwords will work somewhere on a modern network. It is a ridiculous thing that we did for a long time. It still creates problems today. So, actually, exactly what you’re talking about. Like, some of our detection logic includes, like, we know what all those old passwords are, let’s look for anybody trying those account names or those passwords anywhere, ’cause a lot of it was over Telnet and FTP, so you can still see it.

0:11:23.8 IppSec: Yeah, that’s actually one of my favorite things. Honeypots are also my favorite technique as a defender that, I think, is often under-used. Like, a lot of people will put Fail2Ban on an SSH server, right? And that will, if you don’t know, it monitors your SSH logins and if you have X number of consecutive it puts an iptables rule to ban them. But I normally modify that, instead of banning them, I just redirected them, and I would often redirect them into a place that had passwords from credential breaches. So, if someone pulled a LinkedIn breach report, looked at our employees, tried that password, then they’d succeed in the honeypot. And that was very valuable intel to me because now I knew someone was targeting my company, because there’s just hundreds of hundreds of bots out there constantly scanning, but they’re not really scanning with valid credentials. They’re not pulling, “Hey, this is this company’s IP space. Let’s go to their LinkedIn, pull this database breach report, and try all these credentials.”

0:12:24.2 IppSec: That’s not gonna be the spray-and-pray type methodology, that’s someone actually targeting you. And they may not be targeting you because they want your information, maybe it’s just some ransomware gang wanting to get in, encrypt your stuff, and get some money. But knowing that was often instrumental, because once we saw it we were like, “Huh, we should try all the other passwords that they were attempting against our honeypot, and just make sure our users aren’t using those, because they could have been successful.” Right? And there’s been a few times where we caught valid credentials in our honeypot that we saw on an enterprise environment.

0:13:00.4 MM: It’s so funny. That’s actually something we do with some of our customers, is we actually… We try and seed certain credentials to attackers in particular ways. I’m not gonna give away too much of it in case the bad guys are listening, but it’s something that healthcare hasn’t done very much of, right? There… And I heard Marcus Ranum talk about this about 15 years ago, about the idea of putting records in databases that you know no one should access, right? And then putting stored procedure triggers on those records. If anyone accesses this record, let us know about it, because it’s probably somebody who doesn’t know that they shouldn’t be looking at this, right? And so, there’s all these things you can do with honeypots because you know your network better than the attacker does. Same idea as the “whoami” idea, right?

0:13:43.7 MM: If I’m logging into a server as a system administrator, the odds that I’m going to type “id” or “whoami” or one of those things… Pretty small, ’cause usually I’m gonna know what that is, right? I know who I am and I know what my account is, ’cause I just logged in with it. 99% of the time, it’s rare that we have information asymmetry advantages, but with honeypots, we do. We know that the system’s not something that should be accessed, but the attacker doesn’t, and I think that this whole industry needs to kind of lean into more of that. I completely agree with where you’re going there.

0:14:16.6 IppSec: And the other side benefit of the honeypot is once an attacker knows you have it… Like if I’m pen testing an organization and they have… I think it’s Red Canary, but they have some canary setup that’s just essentially a web server that emails them whenever someone hits that web server. Like, as my… Me now doing the pen test, I’m like, “Crap, well, there goes Nmap. I can’t do these wide scans.” And every time I’m attacking something, there’s a thought going in the back of my head, “Is this real?” Like, I’m not gonna do a full credential spray against their domain, because the chance they have some users set up, they change the login hours to make sure that user can never log in, and then put password 1234 or winter 2022… Yeah, winter 2022. That may be a honeypot, and I don’t wanna get caught again, and it just slows me down consistently.

[laughter]

0:15:06.3 MM: Well, and it’s the old metaphor about the bear. By the way, it’s not Red Canary, those guys are a managed detection and response firm. It’s Thinkst Canary that you’re thinking about.

0:15:13.0 IppSec: Thinkst.

[laughter]

0:15:14.0 MM: Yes.

0:15:14.4 IppSec: Thank you for that.

0:15:14.9 MM: And agreed, right? No, no, I’m just… In case somebody’s going off to Red Canary’s website, and they’re like, “What is… These guys don’t do that.” Right? Yeah, big fans of that whole approach. And it’s… The hard part with it is for a lot of places that aren’t sophisticated, it seems like a big jump, right? If I’m still struggling to get EDR deployed and I haven’t really got a SIEM, or I’ve barely got firewall logs, doing honeypots seems like a big lift sometimes. But what do you think about that?

0:15:44.5 IppSec: So, I think doing the EDR is a big lift, right? Like, EDR is not Antivirus, it’s more like heuristic-based, and you have a lot of false positives. It requires a lot of care and feeding. You can’t just deploy an EDR and say, “Hey, my job is done.” With a honeypot, it’s very low care and feeding. Like, you stamp that web server, send up an alert whenever someone accesses it, and then you forget about it, right? There’s… You may have to update some credentials if you change the address that it’s used to email, but the amount of upkeep and just overhead that a honeypot creates is so much less than a fancy EDR solution. Which, I do love EDRs, they do a great job. But it does require a team to manage them and keep eyes on them. I’ve done a lot of engagements where oftentimes they won’t have the EDR sending off email alerts, they just have it in some dashboard, and because they work normal business hours and I don’t, I can have a chance of triggering the EDR, but still somehow getting domain access before someone logs in the dashboard. So, I can go in the dashboard and clear the alerts before they see them, and then EDR’s effectively nothing, right?

0:17:00.8 MM: Well, and by the way, if you can do that, so can the ransomware authors and they know that exact… They know that exact trick, right?

0:17:06.6 IppSec: Yeah, and for the ransomware authors, they don’t even have to get domain admin, they just have to find a way to encrypt it, right?

[laughter]

0:17:11.6 MM: Right. Yeah, no kidding, no kidding. It’s wild. I think the other thing about… You sort of mentioned this, but I wanted to double-click on it a little bit. EDR is not cheap, right? You and I could fire up a Linux VM and make a couple of config changes and we could have a rudimentary working honeypot in a couple of hours, right? And it’s not the best thing in the world, but it would serve some purpose and it would cost us all of whatever it cost us to do it. And I think that’s another thing we have to think about is sort of return on investment there, right? I mean, you’ve probably built more than I’ve even thought of, like how big and hard a challenge is it to build some of this stuff?

0:17:49.3 IppSec: The honeypots is typically just a one-day thing. Another favorite of mine is whenever we decommission some type of service that was listening on the internet, just essentially you use Social-Engineer Toolkit, clone the page, and then once we take off that web page, host the cloned one, and see who logs in still. Because employees should have got the memo, they should have read, they should say, “Hey, I’m not supposed to be logging into this service anymore.” But we’re hoping the bad guys have not got that memo, right? But when you decommission a website, that’s the unique time where it’s okay to start harvesting credentials on it, from my mind. You don’t wanna do that on your production, because those credentials are deemed sensitive, and there’s no reason why you should be looking at them. But if that service is no longer accessible. Yeah.

0:18:36.2 IppSec: Look at ’em and send nasty grams to people that log in, and say, “Hey, you shouldn’t be logging into this service anymore. If there was a phishing campaign, you would have been falling victim to it, because you’re not paying attention to our emails.”

0:18:47.6 MM: So, an actual example from my real life. We used to do that with OWA, because OWA was always one of those services that, as you upgraded Exchange, you often moved to a new OWA domain or a new OWA instance. We actually also used to use that in our social engineering campaigns, this is back when I was at MAD, and we would use phishing emails that were exactly what you just said in the opposite direction. We would send a note to tell everybody to log into a new OWA domain, and give them our new OWA server, and all we would have is literally just one page that looked exactly like OWA. And then, it would say credentials failed or login failed, and then it would redirect them to the real domain.

0:19:28.7 MM: And we had one customer, and this was… One of the most hilarious story, and I get this phone call from their CSO. Like, two years after we did the engagement, and we had finally taken our infrastructure down for something and we just still had the OWA domain. And 50 of their users called to complain that OWA was down, because we took our social engineering infrastructure down and that page had been their way of logging into OWA since we had done the engagement two years ago. It ended up being just this hilarious, ridiculous story with that customer. But I digress and my ADD kicked in there. So, let’s just bring it all full circle. Like, you do a lot of training, you do a lot of teaching, you teach the industry a whole lot of stuff. What do you see as where we need to go as an industry? What do you wanna see more of in our world?

0:20:21.9 IppSec: That’s a tough question. I think the favorite thing about this industry is how wide it is, and how you can pretty much bring any skillset that you had from a previous job into this industry. Like, myself, I was in… My only other job outside of this industry was an umpire, and I did e-sports on the side. I did no college, I have no fancy formal education, it’s just all learning it because it was passion. But where I’m going with this is one of my favorite books I’ve read is “How to Measure Anything in Cybersecurity.” And it’s written by someone that does not have a cybersecurity background at all, he’s like an analyst or whatever you wanna say. He’s good with numbers, right?

0:21:03.1 MM: There’s two of them. Doug Hubbard, who wrote the original “How to Measure Anything,” but Rich Seiersen actually wrote that book, and you don’t know my history with Rich. Rich and I go back almost 20 years. We both worked at Encircle together, and Rich was the reason I went to GE Healthcare. He was in charge of all product security at GE Healthcare, and he brought me aboard to build the pre-market environment. So, my reason for being in healthcare at all goes directly to Rich, and he was writing that book with Doug at that time. And so, his whole team, we all helped edit chapters, and that is one of the all-time best books, if… For anybody listening, “How to Measure Anything in Cybersecurity Risk” is… I would put it in the top three books you have to read to be in this industry. So, sorry, I didn’t mean to interrupt, keep going on the story. I just like… Any time I can shout-out Rich and give him some love for that book, I do. And by the way, he’s got another one coming out called “The Metrics Manifesto” that is going to be… I think it’s gonna be better personally, but we’ll see.

0:22:00.2 IppSec: Well, now I’m scared, because I didn’t know you had that history. I’m like, “I hope I do his book justice now.” But as I said before, he didn’t… I don’t think he had a lot of insight into this industry as he approached the problem, and he looked at CVEs, and CVEs are how I used to measure every risk, right? Like seeing CVE, seven, eight, nine, ten, bad. But his approach was, “Well, CVEs weren’t created by people that understand risk, and you shouldn’t put as much emphasis on it, and instead just try to fix problems different ways.” Right? Don’t just go, “I’m gonna eliminate all these criticals and highs and call it a day.” Because as we’ve found out now with a lot of exploits, you can easily chain a lot of these low severity things, like the Exchange one is huge, the ProxyLogon. If you just look on paper of that, it’s not a high CVE. They have a high CVE related to it, because people like CVEs, but it’s really just a bunch of low CVEs chained together. Like, you’re doing a server-side request forgery, which wasn’t really that high, I think it was like four or five.

0:23:07.1 IppSec: And then, accessing an interface that was listening only on localhost, you didn’t expect an attacker to be able to get access to that, and that led to a different thing that led you to code execution. Like, it’s a bunch of small pieces of chain that someone found, and now suddenly they can execute code on Exchange, which is God-awful. Because, as you said, OWA is an external service, and also it’s pretty much a domain controller. So, it’s an external service that you exploit it, you’re pretty much DA 100% of the time.

0:23:36.8 MM: Right? Yeah. And there’s so many of those examples of our industry creating metrics especially, but creating ideas around risk in a vacuum. I far too often have the conversation with people about a particular vulnerability and they give me this crazy convoluted scenario of how it’s possible for this to end up in remote root. And then, I’m just like… The example you used. They’ll be like, “Oh, we don’t need to patch those things.” Right? ’Cause, exactly what you said, the score is too low, and we’re just not gonna worry about it. And I’m like, “Oh, you need to think.” And this is where I go back to, if you haven’t done the offensive training, if you haven’t learned enumeration, if you haven’t learned how to live on the offense side, you don’t have the right instincts for that. So, you end up just going with… Well, Nessus or Qualys said it was a low, so I didn’t worry about it. And I think that’s true of our whole thing. Alright, dude. We could talk about this all day and I would love to, but I wanna wrap it up. Where can the world find more IppSec? You mentioned it at the front, but let’s talk about if I wanna go find your training stuff, if I wanna go find Hack the Box, if I wanna go find any of it… Where do we find more of you?

0:24:48.5 IppSec: Yeah, if you just go to hackthebox.com, the website’s there. It offers a lot of training. And one of the things I like a lot about Hack the Box is almost everything on the platform is free for one… At one time. So, we do have VIP where you can play old machines, and we release a new machine every single week. But every time we release a machine, it stays free normally like 20 weeks, and then it goes into retired, which is when I do a video and it’s still free for two more weeks after that. So, there’s always a way to do training, and if you wanna access the old things, it’s only like $10 or $15 a month, which is much cheaper than most things. If you wanna see me, the best way to find me is just ippsec.rocks and you just go to there, it has a link to my YouTube, my Twitter. Pretty much anything I do will be on ippsec.rocks. And I don’t really do that much. I try to keep my face, my real name, everything out of it, because in my last career, I was very non-anonymous and faced a lot of like… Once you give up your name, it’s very hard to take that information off the internet. So, now I’m in security, I’m trying to do what I view as my due diligence, I’m not really customer-facing. So, I can have my live… Anonymity, or however you say that word. So, I’m keeping it as long as I can, but eventually I’m gonna have to give that up. But for now, just check out ippsec.rocks.

0:26:05.7 MM: Awesome, dude. Well, thank you so much for coming on today. This has been a blast, we’ll have to do this again. That was so much fun. We could talk about offense forever. But, as always, thank you. And everybody out there, go check out ippsec.rocks and check out… Especially the YouTube videos, I guarantee you, and I’ve been in this industry for 25 years and I was learning things, so I guarantee you anybody who watches any of the videos, you will learn something about how hackers think and how to think as a hacker. So, go do that. Thanks, man.

0:26:34.4 IppSec: Thanks for having me. It’s been a blast.

0:26:35.8 MM: Absolutely.

[music]

0:26:40.4 S1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify, or Stitcher. And if you have ideas for topics, guests, or technical tips, please contact us at [email protected]


ABOUT THE GUEST

IppSec is widely known for his thriving YouTube channel. IppSec is about as close to a real-life Mr. Robot as you can get. As with most hackers, he keeps a low profile online. He began his career as a System Administrator in 2006 and did that during the day. However, his dark side took over at night as he wrote security-related guides on his blog, which was featured on PCWorld and G4TV’s “Attack of the Show.” His dark side has only grown; now he records his thought process while hacking challenges put out by the security community. It is hard to find an infosec success story in the past three years without a mention of how much “IppSec videos” helped them get started. He was part of the team that won the SANS Netwars Tournament of Champions in Washington, DC in 2018/2019. The team also traveled to Berlin to compete in the European SANS Tournament of Champions in 2019, winning that as well. He is currently a lab architect at Hack The Box, where he helps train the next generation of red and blue teamers.
