Security Unfiltered

The Intricacies of Active Directory in the Era of Cloud Computing

February 12, 2024 Joe South Episode 142

Unlock the mysteries of Active Directory with our guest James Potter, an AD virtuoso, as we traverse the complex labyrinth of group nesting and consider the impending expertise exodus. Tune in for an eye-opening discussion on the surprisingly robust security benefits of antiquated systems like Novell NetWare and the sticky challenges organizations like Blue Lemon face when trying to pivot away from deeply rooted AD setups. Our episode peels back the layers of legacy architecture, revealing how it intertwines with modern business operations and the tricky integration into present-day security frameworks.

Ever wondered about the Herculean task of managing cloud security for a behemoth infrastructure? James Potter and I share war stories from the trenches, including my hands-on experience refining a company's attack surface across a staggering 400,000 Azure accounts. We highlight the pitfalls developers may unknowingly create and dissect the enduring reliance on outdated NTLM authentication. Also, reminisce with me about the days at Microsoft when Active Directory was the unsung hero of businesses, and explore how cloud service lockdowns and the quest to avoid vendor lock-in are shaping today's tech strategies.

Concluding the episode, we navigate the emotional rollercoaster of imposter syndrome when shifting from a corporate behemoth to the entrepreneurial hustle of consulting. I divulge my personal battle with self-doubt and chart out the tactics that fortified my resolve and credibility. Wrapping up, we warmly extend an invitation to reach out to James Potter and the DSE Team for a helping hand or further dialogue, ensuring you leave not only equipped with newfound insights but also with the connections to help you thrive in the IT realm.


Speaker 1:

How's it going, James? It's great to get you on the podcast. You know I'm really looking forward to our conversation today. I think you have some really interesting experience.

Speaker 2:

Well, I'm happy to be here and it's fun talking Active Directory, so you might have to get me to shut up at some point.

Speaker 1:

Yeah well, I can't go that deep on Active Directory. And I guess I can, I guess I know more than the average person. But when we start talking about like nesting groups and stuff like that, it's just, it's going to start getting difficult.

Speaker 2:

Well, there's plenty of complexity there, and one of the issues that's happening right now is a lot of people that learned Active Directory in their 30s and 40s, you know, 20, 25 years ago, are rolling out of the workforce. They're retiring, they're, you know, getting a nice home in Florida or, you know, just going back to wherever they're living now and just having free time. And the newest generation isn't learning Active Directory because they kind of see it as this dead technology that's not going to be around in 10 or 20 years, but it absolutely will be at any large entity, because getting away from it is very, very difficult. Blue Lemon tried to do this relatively recently, very, very aggressive planning, and they ended up having to stay partially on prem, and now they have all those on prem costs still there, along with the migration costs. So you know there's a toll to pay if you don't make it all the way.

Speaker 1:

Hmm, yeah, I've always felt like Active Directory is one of those like essential technologies. You know that you just, you have to live with, you know, it's something that, you know, makes your business run, so to speak, and if you don't have it, it becomes a huge undertaking and stress on your environment. Just because, you know, like, you need an entire team of people to manage that custom solution or whatever it might be.

Speaker 2:

Yeah, yeah, and it's interesting from a security standpoint too, because when Active Directory came on the scene it was competing against itself with the NT 4.0 servers, and basically Novell NetWare was the only other, you know, relatively large player in the game. And we had a financial institution in China relatively recently that was compromised. But the hackers ran somewhere. Code didn't work because they weren't using Active Directory. They're still on Novell NetWare, so they were able to catch the intruders and remove them from the system with very limited damage because they were running like 30 year old technology at their bank. Oh, so a Battlestar Galactica approach to security?

Speaker 1:

That's a. That's an interesting perspective or a route to take, I guess, in security.

Speaker 2:

I don't think it was intentional.

Speaker 1:

Right, you know, Jim or James, you know, how do you get, how did you get this experience with AD? You know, because I feel like you have unique experience that not everyone is going to have. Even, you know, nowadays, right, when we're talking about AD and people, you know, kind of owning it or teams owning it. You know, it sounds like you have a pretty unique experience with it.

Speaker 2:

Well, I was doing system administration work back in like 99, 2000, effectively, you know, keeping the servers up and running. You know, hardware, software, at a smaller entity in Downriver, Detroit, and so I got to touch a lot of things because it was a small shop and there were only two of us. So we got to do basically everything, from networking, literally running cables across drop tiles, to hardware rack and stacking, to the logical networking and logical system deployments. And, you know, it looked a lot different back in like 2000, 2001. It's not the same shop.

Speaker 2:

Most, most entities didn't immediately adopt Active Directory in 2000.

Speaker 2:

But once 2000 rolled around, everyone saw the advantages to it, and I certainly did as well and jumped on it. Because before, you had kind of a clergy network deployment, or you had a bunch of NT4 servers all over the place, you know, sitting underneath people's desks at branch offices, and sometimes the cleaning people would come in and turn them off, like it was bad, it was real bad. But with AD it was like the first really large, commercially replicated database. So you could, you know, hire someone in New York and if they flew to Los Angeles they'd still be able to log in with their computer without any administrative overhead, and that was kind of like this new concept at the time, like this wild new way to auth that didn't exist, and now we kind of take it for granted, right? You can cloud auth from anywhere, it's just always there. So it's not a big deal. So yeah, I guess being around for a long time kind of helps there from the experience standpoint.

Speaker 1:

Yeah, you know, it's interesting. So when I was working for a credit bureau, you know, I owned a privileged access management solution, and a part of that was obviously getting all of the accounts in AD into the solution and eventually rotating them via the solution. It sounds like a great idea, you know, from a security perspective, but it adds in huge amounts of risk to the environment if that PAM solution is not doing what it should be or there's bugs and things like that. And so, you know, literally, one day, you know, my manager said, hey, we need to put global AD into this PAM solution. Never heard of global AD, I had no clue what it is, right. And I go talk to our AD guy and he goes, oh, that's a legacy like AD architecture that we basically can never get rid of, because once you started it, you know, you basically can't migrate away from it, like it's almost impossible.

Speaker 2:

So you're kind of trapped. Trapped in it forever, because all the apps you buy integrate with it for its auth store and you're stuck with it, right, like for better or for worse, like at the hip. Demi, you're up there, man, sorry.

Speaker 1:

No, no worries, and you know I'm being the security person that I am. I'm trying to gauge the risk to the environment, right, what's the risk of adding these, you know, 12 or 15 accounts into this solution? And so I started to ask him. I was like, well, you know what happens if, you know, all of our regular AD gets locked out. You know what's the process, right? And he said, oh, I just go into global AD, I could reset them all right from there. I was like, okay, well, what happens if global AD gets locked out? You know, because if all of our normal AD gets locked out, more than likely that issue is going to reside also with global AD, and you know it'll get locked out as well. And he said, oh, if that gets locked out, we're calling Microsoft. I was like, oh, so it's, it's pretty serious then. So you know, I ended up onboarding these global AD accounts. There's like 12 of them, but I set them all to not rotate. You know, that was the idea. We're not going to rotate it right now. We're going to figure it out, you know, as we go.

Speaker 1:

And you know, of course, this wonderful solution that I was working with, that I refuse to work with to this day, decided to have a bug that we were not aware of, and when you essentially selected an individual account to rotate, the database on the back end did not accept that filter and it applied it to every account in its database. And so, you know, this happened when one of our interns, you know, just did a normal BAU task. Right, this user's having an issue with their password, it's out of sync, let's just reset it and call it a day. So, 15 second task. You know, literally they do it every single day, all day long. And, you know, as soon as that happened, like, my account got locked out. Well, that's weird. I mean, I did just reset my password because it was that time of the quarter for me, you know, it was a very odd coincidence. I'm like, okay, well, surely, you know, nothing's going on here. And then I see, out of the corner of my eye, my coworker also had the same, you know, pop up, it's time to change your password, like okay.

Speaker 1:

And so I went, you know, back over to the console, because now I can't get into my computer for some reason. Once you, you know, lock it could, literally the process is you lock your computer, you put in the current password and then you reset it. Well, my current password had changed, so I locked it and I couldn't get back in. And I went over to my co-worker that was still in the console and we looked at the last rotation period for all these accounts and it was just, I mean, it was just fire, and through them there's 45,000 accounts on this solution and it's, I mean it is chugging along.

Speaker 1:

And I was like, oh no, I have to go to the 12 global AD people and tell them to not log out of their computer. I mean it's 4pm on a Wednesday, you know, like everyone is yeah, everyone is like running out the door, you know, and I have to run into this room and say like, okay, no one here is allowed to lock their computer. You cannot log out If you do nothing else. You have to keep your computer awake, you know, and like it was, it was the worst fire drill you can imagine because now we have to like pull these passwords and set them back to their old value, somehow, you know, and because you can't have all of your users, all you know, 10,000 of your users, whatever it might be, you know, first thing in the morning. Oh, you have to reset your, your AD account password and you have to reset every service account password that you own and you know it's such a mess.

Speaker 2:

That's what's really going to kill you, because they're almost never well documented. So like it gets reset, it's like all right, where all is it trying to log in from? Because it keeps locking out even after we reset it on the boxes we knew about and then it's like a hunt, so very catastrophic to production for sure.

Speaker 1:

Yeah, I guess, you know, looking back on it, it's funny, because when that happened, you know, literally all of the service accounts, you know, 12,000 of them or something like that, got reset almost instantly. There was no way to stop it. And one of the managers that I'm still friends with to this day, he said, oh, on Monday I got this project handed down from the CISO that we have to go, you know, team by team, and reset all the service accounts. So I guess my project just got done, you know, in 10 seconds. He's like, I guess I could close that out. This may have had to take me two years. Oh man, you're welcome.

Speaker 2:

No, it's funny because like this is a problem. Like a lot of companies have their service accounts and they're using creds that are 10, 15, I've seen 20 year old credentials that are out there, right. You know, they're not even using Kerberos for auth. Like it's a hot mess, but no one wants to touch them. Because the last time those accounts got touched, you know, Joe got fired because we didn't realize what it was doing to production. And now no one wants to go near it because they realize it could bore production. So it's like this hot potato keeps getting tossed around project-wise. Security doesn't want it because they don't want to mess up production. So they go to ops, and ops doesn't want it because, what is this, a security thing, resetting passwords? So it just bounces around between different orgs until, you know, the new guy gets stuck with it, and that's not what anyone should want.

Speaker 1:

Yeah, even just trying to figure out what those service accounts manage and what they do is most of the time it's an impossible task because the people that created it like literally that whole team can be retired, like not just like change jobs retired. You know, like that was the case for a lot of these accounts where you know people were like oh yeah, we're just told not to touch that thing because it it does something with this database over here and you know, whatever it might be like that, that's literally the description that we're getting when we're going to these teams saying what does this do?

Speaker 2:

No one knows. No one knows. There's some data from interviewing, but you're not going to be able to get everything. So I was at Microsoft and we got rid of WINS, right. So this is kind of a similar issue, right? This legacy technology has odd dependencies, and they literally hunted down at the network stack who was using WINS, period, going to those machines and like being like, who owns this? We need to talk to them. They hunted all of them down so there wouldn't be any impact. It was a huge project, and I've been on like projects where the service account rotation comes up because it's always a finding during security discoveries. It's like, you have a cred that's been out here for 20 years. It's eight characters. There's a problem. It's well known credentials. It's sitting in RockYou, like this is extremely vulnerable to password spray, and it has either domain admin or server admin, kind of across North America, kind of a problem.

Speaker 1:

Yeah, and you know, back back when those accounts were being created, the easiest thing to do was to actually just give it, you know, global admin, right Service admin, whatever it might be, just to make sure that it works. And a lot of the times the thought was, oh, we'll dial it in later, you know, and and now we're learning 30 years later like, oh, that's a bad idea, we probably shouldn't do that because we never go back to it.

Speaker 2:

Yeah, it's tough, and it's really tough in like startups that grew exponentially from the, I guess we're calling them the aughts, right? Now, you start small, you're going fast, you're just doing whatever you have to do to be operational, and then next thing you know you're a, you know, multi-billion dollar company with an identity system that is almost completely unusable and so porous from a security standpoint that it puts you at a significant financial risk, especially for these publicly traded companies. Now, with the SolarWinds CISO being, you know, taken to court by the SEC, like there's skin in the game potentially now for these CISOs, like personal liability, not just job stuff. So it's going to be really interesting to see how that case turns out. It's going to affect the industry, I believe.

Speaker 1:

Yeah, absolutely. You know, I actually have a friend that's at a company that is still, you know, it still feels like they're in their startup phase. They've been around for maybe, you know, 10, wouldn't be any more than 15 years, and he said that when he took over as the IAM director, right, he was just trying to get a lay of the land and see what they had. You know, they were predominantly in Azure, right, so it shouldn't be that terrible. And he discovered that they had like over 400,000 accounts, you know, and they had accounts just sitting there, you know, not doing anything at all, and his first task was to, you know, obviously limit the attack surface across these accounts. Well, how do you do that? How do you even get started, you know? And I actually spent probably a week or two, I should have charged them some consulting fee, because I spent like a week or two with them, you know, kind of devising this plan of how he can go about it without causing any outages.

Speaker 2:

Yeah, that's the big one not causing any outages. It's really easy to fix all the accounts. It's very difficult to fix them without causing any impact.

Speaker 1:

Yeah, yeah, it's challenging and the Cloud doesn't really make it any easier, you know, because it probably I mean it makes it more difficult because you're so easily able to attach these accounts to whatever you want in Azure, in AWS, you know, and it's just, it's too easy for developers to do that.

Speaker 2:

Yeah, it's a double-edged sword, right, so you can dev fast, you can move quick. But suddenly your test environment is now labeled production, and you only had security controls in there for a test environment, and now it's being pushed to prod, along with all of these vulnerabilities. The biggest thing for on-prem AD for the longest time, and still today, is developers choosing to use NTLM auth instead of Kerberos, right? NTLM has been broken for a very, very, very long time now, over 15 years. V2 is pretty good, but almost everyone has V1 backwards compatibility turned on, so their legacy apps continue to work. So devs just, hey, let's do NTLM. It's fast, it's quick, it's easy, there's templates for it and we can get rolling.

Speaker 2:

And they sell the app and the company buys the app and they're like all right, security team implement this. And they're like wait, this uses NTLM. Why did we buy this? Wait, this is gonna be a huge problem and orgs, especially larger orgs, will often buy applications without security review. They won't look at their dependencies, they won't look at how they're built from a security standpoint. They only look at, hey, this fixes this big problem and it's gonna make us X amount of money, or if it's gonna save us Y amount of money Security is very rarely a part of that conversation, and that's detrimental to all of these organizations.

Speaker 1:

Yeah, that's a really good point. So you mentioned earlier that you worked for Microsoft, right, so can you talk to me a little bit about that experience? Oh sure, I was working to work for Microsoft, at least on one of their core products. I mean, I don't know if you were on the product team or if you were on another team that specializes in AD, right, but what is that like? Because that's a core technology that 95, 98% of every company out there uses as their directory service.

Speaker 2:

I was at a weird point in time for Microsoft. They had just figured out that, hey, as Android is getting really big, we need a Windows phone. So I was on the WinPhone project. One of the issues they were having there is, at the time, Microsoft was very, very siloed, like Office was a completely different team from OS, was a completely different team from Server, and these orgs didn't really communicate with each other. Each one kind of functioned like a fast moving startup and they all rolled their code up into a central repository, and this was especially true for WinPhone. I was supposed to be using the same code as Windows 8, right, so you have a unified desktop phone experience. It's actually good, but couldn't get anyone to dub for it, and we all know how the WinPhone ended up turning out.

Speaker 2:

It was a great phone, but no real adoption. So, anyways, it was a really interesting environment because from a technical standpoint you couldn't do a lot of what you needed to without blessing from MSIT, kind of the key holders for all the different teams. All the different teams have their own admins and architects, but at the end all of the access is controlled by MSIT. So it's really interesting. Kind of look at it as a company that buys other companies and adjust them and continues to let them do their own thing, but occasionally sticks their finger in the pie. It's a very, at the time, combative environment, but the people were really great. It was fun. It was a fun job.

Speaker 1:

That's really interesting.

Speaker 1:

I wonder how that has played out with Azure. Now, just the nature of the cloud right, you have this giant hypervisor that probably a handful of people actually have access to, and how is that kind of administered and managed and whatnot, right? Like, I always think about it as like the worst kind of attack for any cloud would be to get access to that hypervisor. And, yeah, there's environment escape, exploits and things like that, right, but no one is actually logging directly into that hypervisor. From an attacker perspective, no one's actually logging into that thing. And then, seeing the tens of thousands of accounts that this cloud provider may have, I'm always interested to see how they protect it, and I've done a little bit of research into Google and how they protect theirs, and I mean, from how they make it sound, there's like 12 people at Google that have access to a server and a data center that is like highly replicated across the globe that gives this access, and they invoke some sort of just in time access for admins that need to access maybe a customer specific hypervisor.

Speaker 2:

Yeah, it's interesting because with all cloud providers you don't really have physical separation. You have logical separation, but it's not physical. I mean, your virtual machine for your Active Directory DC sitting out in the cloud could be on the same physical hypervisor as a VM owned by the CCP or one of these ransomware groups, because it's pretty easy to buy a hypervisor. So for physical escapes there's still very, very edge case kind of stuff, like Rowhammer's been out for a while and there's all these CPU vulnerabilities that are flying around. But without physical isolation you don't really have true security, and it's easy to go for the hypervisor out because, hey, look, I'm up to money, we're saving, we don't have to rack and stack something, and it's great from a cost standpoint. And that's been true for a long time.

Speaker 2:

So the past couple of years, when the large cloud providers realized, hey, we got these people hook, line and sinker, they can't just leave us without a huge project, so we can raise our rates, right? This is the same thing that kind of happened with Uber and Lyft.

Speaker 2:

Like it was really cheap when you first started using Uber, like a nice town car picked you up for like $5, took you anywhere you want, and now you're in the back of like a beat up Prius that smells absolutely awful and it's like the third round of seat covers, and that's the prices going up in the cloud environment. And it's tough for a lot of our larger customers because they feel stuck and they feel manipulated and they feel controlled, and they don't like that. And large companies can make a switch very quickly if the wrong person gets pissed off. The one Fortune 100 I'm thinking of in particular, there's a rumor of a backyard barbecue in Redmond, and they were talking with some Microsoft reps there, and there may have been a few drinks that happened at this barbecue. This is all a legend, second-hand information, so I can't validate its authenticity, but apparently the Microsoft reps said, well, you don't have any other option, we're the only game in town. And it pissed the other guy off, and six months later they were on GCP.

Speaker 1:

Wow, that is substantial. You have to, I feel like when you're in that sort of situation, you have to gauge what kind of personality, not just that you're dealing with in that individual. You got to think about the personality of the person in that role, what it takes to actually get into that role. Let's just assume, right, CIO, CTO, something like that, right, what's the kind of personality of a person that is typically in that role? Someone that doesn't like to be told no. Someone that probably takes that sort of wording as a challenge. You know, and now you're in this situation of you're losing probably one of your biggest customers because of a sales rep.

Speaker 2:

Yeah, that had maybe one too many drinks at a barbecue. It's a very silly way to lose a very big contract.

Speaker 1:

Yeah, I mean that's a really stupid way to get fired.

Speaker 2:

Yeah, I don't know what happened to the guy that caused the whole thing, but I have to imagine he's not working there anymore.

Speaker 1:

Yeah, probably not. I mean, what other solution are they left with at that point?

Speaker 2:

Like man, yeah, yeah, and I'm seeing other clients do similar things. Right, they're not going all in on one provider, they're kind of dipping a foot in provider A, dipping a foot in provider B and even setting up pretty interesting failover. So if provider A goes down for whatever reason, they can hot swap back over to B for some redundancy. But it also gives them cost negotiation, right, because now they can suddenly go oh hey, provider A, well, provider B is charging us 40% less for this. I think we're just going to move our stuff over there, and then suddenly there's room for negotiation and price of services.

Speaker 1:

Hmm, yeah, you know it's a. It's interesting. I've seen it from multiple angles. I feel and I was at a company that they were a Microsoft shop from the beginning and they bought pretty much everything that Microsoft sold. If Microsoft sold it, they bought it. It wasn't even a question. It always seemed like we had an unlimited budget when it came to Microsoft.

Speaker 1:

But when we were talking about like Symantec, right, Symantec, like EDR, which isn't even an EDR, which is terrible, you know, it's so low on the magic quadrant at that time. You know, I don't know about the product now, but at that time it wasn't even considered a top tier EDR. And we're penny pinching, you know, this solution that we desperately need, that isn't even supposed to be that great, right. And their whole Azure, you know, methodology was, if we only want network closets on-prem, the rest of it will live in Azure forever and we're not going to migrate away from it.

Speaker 1:

And I, you know I just asked them I was like, well, what if there's something that, like Microsoft does that we can't live with? You know, like what if some insider threat happens at Microsoft? And you know we have a lot of proprietary information that makes a lot of really wealthy people, even more wealthy because it's a financial firm, it's an investment firm, right? So, like we have a lot of proprietary stuff, and what if you know all of our eggs in one basket and someone breaches it right and takes that information without us knowing and they're like, oh well, that will never happen. Like well, what if it does? Because you know there's one account for each of the big three cloud providers where something very suspicious happened. You know where a new startup is creating some new product on you know X cloud right, and then magically, right out of the blue, just before you're about to launch, that cloud provider launches this exact same solution, exact same interface, with a different logo, and now you're out of business before you even hit the street. You know.

Speaker 2:

If you want true security it has to be physical. You can't have shared infrastructure and security coexist. It's just not the same. Physical boxes will always be more secure than any sort of hypervisor, not because there's active vulnerabilities for VMware, Hyper-V or anything, but because there's always the potential for those active vulnerabilities. I mean, look at how many CVEs have existed for Citrix throughout the years. Seems like every six months we hit a new publicly facing CVE that's like, oh yeah, they can pivot to domain admin from the cloud, they can pivot to domain admin from the admin interface.

Speaker 2:

As this configuration, like, there's risk to opening those things up, and over the past couple of years we've seen the penalties to that. Right, all of these network devices that are opened up. You know, Okta, I mean, the list goes on and on. So if you really, if security is number one and it matters for the core of your business and your existence, maybe on-prem those, right, because there's always a possibility on shared infrastructure that if someone else has the keys that your proprietary information is going to go for a walk. You don't see Coke storing their magic recipe in the cloud, right?

Speaker 1:

Yeah, that would not be a good situation, that's for sure. You know, like, I actually had someone on previously that wrote a book about how, oh, James Lawler, that's his name, about how, you know, this is a fictitious, you know, scenario or whatever, but I always question how fictitious it actually is because of his background. You know, he was actually a spy for the CIA, right? So it's his book.

Speaker 2:

It was a hypothetical. It's a hypothetical.

Speaker 1:

It's a hypothetical with strong quotations around it, you know, because I'm literally reading his book and I'm like, man, this is all like, very, just so probable. You know, and in one of the books, you know, the agency moves into one of the big cloud providers. Right, he used a different name, but it sounded like AWS in my opinion, maybe because I'm an AWS guy. Right, and sure enough, foreign adversaries immediately start targeting the employees at this cloud provider. And, you know, it leads me down this thought path of, you know, the employees at these cloud providers. They're typically pretty well paid. I mean, everything that I've seen, they're pretty well paid.

Speaker 1:

And so for a foreign adversary to come into this situation and offer up, you know, a check of like oh, you know, you want your yearly salary and one check like well, here you go, we just need this little script to run. You know that's 10 lines we needed to run on your core server or whatever it is. You know, I feel like that's a very real possibility. And even me, being a cloud guy now, you know, I only do the cloud as far as I'm concerned, at my company on prem doesn't exist. And you know, I always have that paranoia of well, how do we protect something that doesn't reside on hardware, that we do not own, that we cannot go physically pull the plug on? How do we ensure you know that even insider threat is, you know, protected against in this scenario? It's tough.

Speaker 2:

I mean, look at Stuxnet, right. So there's some information that came out fairly recently that it looks like a Dutch person was working for Stuxnet and floated in a USB through the water system and then got that into the software. But that's a completely air-gapped, physically locked environment and they still were able to get a USB stick in there and plug it in and run Stuxnet. So there's always going to be the risk of that physical layer being traversed, even in extreme environments, which is why defense in depth is so important. If there'd been policy set up for that environment that didn't allow USB drives to be attached, that would have never happened. And that's a really straightforward, simple, basic policy that no one is probably worried about, because, hey, we're in this high-security environment, everyone gets searched before they come in, there's no way a USB stick can make its way in. And it did. So I mean, defense in depth has a lot of pros there to help mitigate risk, but you'll never remove it completely.

Speaker 1:

Yeah, it's very true. You know, when I did some government work earlier on in my career, I've been in some very uncomfortable situations where, you know, I answered a last-minute phone call on my cell phone in their lobby, you know, and I mean these guys, these security guards that they have, I mean they're larger than life. They look like they used to play, you know, collegiate football. Right, they look like they could separate your head from your body, you know, in the blink of an eye, right, and I mean they see this cell phone go off.

Speaker 1:

I think they have to have some sort of monitor or something, you know, like behind their desk that, like, goes off if the cell phone is in use. Because, like, I mean, I sent a text, you know, and they were on top of me. They were like, what are you doing? I'm like, I'm in the lobby, man, like I'm literally cleared to be here. You know, it took me a day to get clearance to be here. You guys know who I am. And they're like, no, you have to go out the front door, like, right now. If you make that mistake again, like, we're going to arrest you. You know, it's like, geez, like, where the hell am I?

Speaker 2:

Yeah, it's interesting. So we start talking about high security or gov. The air gap is treated very seriously for a lot of those environments. I was part of a team that did a rollout of a secure Active Directory forest deployment for a completely air-gapped environment that had to be able to send out data periodically, and the solution here was pretty, pretty interesting. There was one machine that was set up with dual sets of very high-throughput NICs, and basically, because the data set that needed to come out wasn't massive but it was sizable, when the data needed to come out it was moved to this temporary holding pattern, they called it a lock server, and then the data was transferred from that server to an intermediary and then the connection was severed and it was connected back to the internal network, and then that intermediary moved the data to production, then had its network connection severed. So they were air-gapped, logically, by network throughput, right, and you needed two people to basically open the network, which was a pretty interesting solution for something that had to stay safe.

Speaker 1:

I wonder what that would have even been, because, like, you know, when you say it takes two people to do this thing, you know, you're not able to do it without it. I mean, the very first thing that comes to my mind is, well, what else in the government works like that that we know of? Oh, nuclear missile silos, you know, like that's the only thing that I know of, you know, that operates like that, where it's like, okay, we need these two people, and if we don't have the two people, like, we're screwed, right.

Speaker 2:

The nukes get a lot of publicity because of all the movies, right. But there's use cases for this in the wild, even in public companies. For unlocking, basically, break-glass creds, you need more than one person to turn the key.

Speaker 1:

Okay, yeah, I've seen solutions like that, where it's like a just-in-time access, you know, with Azure, where you have some, you know, global admin account or something like that and someone else needs to approve it, and you get multiple approvers, right. Yeah, you get a certain amount of time to actually use the account and everything is logged and watched.

Speaker 2:

Yep. Screen recording for the full session and all that good stuff.

Speaker 1:

Yeah, you know, we kind of glossed over it, and maybe that's the most interesting part for me, is the Stuxnet water USB thing. So what recently came out? Because I've been very fascinated by Stuxnet, you know, the engineering, the ingenuity that went into it, everything around it, you know, it just fascinates me, right. It's kind of what even pulled my interest into security. That was the thing that I was like, oh, so I can literally spend my entire life and, you know, not learn everything, right. So what's this water USB

Speaker 2:

infiltration method. The original story was that it was USB-seeded in the parking lot. Someone picked one up and plugged it in somewhere. Perfectly plausible story, and relatively recently there was some information that came out, I can't verify its authenticity, it's just an article, right, that it was a Dutch contractor working at the facility that was being paid for this, right, and they received some sort of monetary reward, or maybe it was a service, who knows what it was. But they used a water inlet, allegedly, to smuggle in this USB, because they were part of the cooling area that they knew very well and they were able to get something physical that floated into the facility. And because they were able to do that, they were just able to plug it in. And because of the way Stuxnet worked, it spread far and wide very quickly and it's very hard to tell where it came from originally.

Speaker 1:

Wow, yeah, you know, that's the part that always kind of got me hung up, was actually infiltrating the USB in, right, because I mean I've been to secured facilities that are not at the same level as that facility would be and I was patted down and I had to go through some special scanner that takes an uncomfortable depth of look into me. You know, like, they'll know I have cancer, for instance, like, before my doctor will know. You know, like, it's.

Speaker 2:

Yeah, you don't want that guy to tell you, hey, go get checked out on your way out. You know, go see your doctor, man.

Speaker 1:

Yeah, yeah, I think you got a lump. You're right. It's like, oh, you.

Speaker 2:

Yeah, you say, see you later. He says maybe that's a problem.

Speaker 1:

Yeah, exactly. You know, like, well, that's the part that, like, I always had issue with, because I mean I couldn't get anything past these guys, right, and I wasn't, again, I wasn't actively trying to. You know, I didn't want to end up in handcuffs. I do like my freedom. But still, you know, thinking through it, it's like, okay, well, there has to be an insider threat somewhere, you know, that's allowing this thing in. But bypassing it through the water system, I mean, that is something that's really fascinating.

Speaker 2:

Who's going to check it, right? Who's going to filter the incoming water to make sure there's not floating USB sticks in it? Right, real edge case stuff, man. But there's almost always, like, a way in, and that's a pretty good example of it, and I'll give you another one, right? So those scanners you keep talking about.

Speaker 2:

So, I did lots of consulting, so for years I would fly, and my poor backpack finally gave up the ghost. One day the strap broke, so I grabbed my wife's and I started flying with it and didn't think anything of it, and I just flew with it for like two, almost three years, and the backpack went off in a scanner. I was already having, like, a bad day and things kind of went sideways with a client. Like, it was not a great situation. So I'm already, like, irritated, which doesn't justify what happens next, but it's just, like, a precursor on, I'm not a bad person, let me.

Speaker 2:

Let me add some story here. So I go through security, and I've gone through security with this backpack many, many, many times, like two or three years of traveling, and it flags. All right, whatever, we go through the random check and it's fine. And, we've got to send your bag back through. All right, whatever, they send the bag back through. They're looking through it, like, really extensively. I have the whole thing inside out, everything out, like, separated individually on the table. So I'm getting a little irritated. I've got, like, another five or 10 minutes before I have to be anywhere, so it's fine.

Speaker 2:

And they send it through again. Same rigmarole. And they call some new people over, like, hey, what's going on here? Guys, I've been using this bag for almost three years now. Can I get to my flight? And everyone there was, like, really sympathetic with me, except for this one person who's just like, there's something in this bag, I just know it. So they send it through, like, two more times, and eventually their face just lights up and they reach into the bag, and, like, they're really in there, and they pull out a box knife that I had no idea was in there, because my wife used to work at Target, you know, 10 years ago, and it was her bag, and it'd been in there for almost three years and the TSA never caught it. So, like, even pretty good systems don't always work. Yeah.

Speaker 1:

I hesitate to call the TSA a good system. Um, well, it's not, like, I suppose. Yes, it does beat nothing. Um, the reason is because, like, I read some report by, uh, what was it? It was like the federal air marshals or something like that, where they actually test, you know, if TSA is going to catch something or whatnot.

Speaker 2:

Right, I'm sure they were able to get in, no issue, right.

Speaker 1:

Yeah, I mean, they said that they were able to, like, smuggle guns through TSA, and knives, and, you know, they said that there was basically no limit to it, like they could get through anything that they wanted, and TSA, it was a staggering amount. It was something like 96, 97% of the time TSA would let it through.

Speaker 2:

Another example. Yeah, I mean, I don't mean to interrupt, but, uh, long story. I was flying, I was in Atlanta to visit my, um, my grandfather, and he had this, like, really, like, old-school pair of, like, sewing scissors. So there was, like, huge, meaty, like, giant scissors, and without thinking about it, I just threw them in my backpack, went to the airport. You know, I'm on the plane, going into my pouch, kind of, you know, looking for a snack, I see these gigantic metal scissors. I'm like, how did TSA not find this? This looks like a huge knife on the X-ray, right, like, they're huge. There's no way to miss this. Like, this big.

Speaker 1:

Yeah, it's, uh, it's crazy, but they'll find the water bottle, you know, that you forgot was full.

Speaker 2:

They'll get that every time. But they won't get the weapon. Like, also, get your energy bars, because if you take more than, like, a half dozen energy bars on a trip, apparently it looks like a plastic explosive at the bottom of your bag.

Speaker 1:

What.

Speaker 2:

Yeah, I eat a lot of energy bars. They're convenient food on the go. I'll just throw them all in the bottom of my bag and then head off, and, uh, I don't do this anymore, because, like, I got stopped and it was, like, the whole rigmarole search, big delay. And then they call some other people out to look through the bag real carefully, and it's just like, those are just, like, Clif Bars, guys, come on, what's going on here?

Speaker 1:

Wow, you know, James, we just went, like, 44 minutes, right, and we didn't even talk about your company, you know. So let's talk a little bit about what you're doing now. You know, what the company is and everything like that, what services you provide, and we'll dive into that.

Speaker 2:

Oh, sure. So, uh, I founded DSE back in 2019 after doing a lot of work for the Big Four, and I kept kind of asking myself, like, why isn't there a smaller organization doing Active Directory security like this? I mean, there's no reason to pay all this overhead for the Big Four, you know, financing their leases and their 30-foot table and all the commercial real estate, when we could start an org without those things and offer a better price for our customers with the same quality of service. So, like, let's do it. So we founded it in '19 and that's kind of what I've been doing ever since, transitioning from being highly technical to the absolute, uh, battlefront that is trying to be a leader and a mentor. It's a much, much different job, and it's been very fun, and I've learned just a ton over the past couple of years.

Speaker 2:

But we, as I alluded to, we specialize in security around Active Directory. We have an Active Directory Security Health Assessment program, our AD SHA. Basically, we use a lot of the tools that threat actors use. We come in as if we were a threat actor. We show you where the holes are, we prioritize them by difficulty to resolve and criticality, so you can kind of prioritize, because you're not going to be able to fix everything. No one is. It's impossible to fix everything, but you've got to get the big stuff right, the main arteries, anything that's critical, you know, get those solved, and that's going to prevent the majority of the threat actors, and not every threat actor is an APT, right. A lot of them are newer and amateurish at best and they're just using off-the-shelf tools, and if you can stop the majority of those, it gives you a much better chance against the APTs and the more, you know, financed threat actors that are out there.

Speaker 2:

In addition to that, we do AD migrations as well, kind of with an emphasis on security there. A lot of orgs will just dump everything from point A to point B, and that really is a recipe to bring some pretty bad exploits into your environment if you don't know what you're doing. Anyone can migrate a directory environment. Doing it without compromising the final destination, that is kind of the sticky part. That's who we are, that's what we do. If you want to reach out, we're on dse.team and LinkedIn and obviously the social gamut there.

Speaker 1:

Yeah, absolutely. I have a question around the mentality of starting a consulting company. I started mine in 2019 and I've been fortunate enough to have a couple of customers here and there. When I started it, I was like, okay, this is stupid, nothing's going to come of it. Who would trust me to pay me to come in and give them any sort of advice? They probably already have the experts internally. What am I doing?

Speaker 2:

Imposter syndrome, man. It's powerful.

Speaker 1:

Yeah, absolutely, and I'm glad I still went forward with it, I still went down that path and still did it and everything else like that. But how do you overcome that? Because I feel like it might have been a little bit different, if it existed for you at all, because you worked for Microsoft and now you're starting a consulting firm that specializes in AD security. So I mean, at least for me, if I was going to start a consulting firm in AWS and I already worked for AWS, I don't know, maybe I would feel like, okay, I've got this thing, there's nothing that they can ask me that I won't be able to answer. But did you experience anything like that, or was it a different sort of feeling for you?

Speaker 2:

No, I think, I'm pretty sure everyone gets imposter syndrome. It's just not everyone admits they have imposter syndrome. It's scary, man, it's scary. But you have to kind of just take yourself and, what I do, this works for me and your mileage may vary, I just throw myself into the fire, right? Whatever the new thing is, I'm just going to put myself in a situation where I have to learn it and I have to figure it out, and typically I come out of that on top, or I learn something, and either way that's a win on a long enough time horizon.

Speaker 2:

But it's tough, right. It's tough to put yourself in a situation where you're giving answers as an expert early in your career, because you may only have a couple years of experience. Right, you may only know what you know, and that's okay. Right, that's how you learn. Go out there and make mistakes. Take that job you don't think you're qualified for and just learn the crap out of it and really better yourself in your career there.

Speaker 2:

It's hard. It can be very stressful. I've certainly had plenty of stress running a business, like actual physical problems from the stress, like heart issues, you know, hair loss. Like, you stress yourself out enough and your body will make you slow down. You won't have a choice in it, and that's kind of how I find my limits, is when I run up against that wall, I'm like, okay, well, I physically can't go on, I need to dial it back and get more intelligent about how I'm doing this. But absolutely, imposter syndrome every single day of my life. It's always there, and I'm thankful for it, because I think it motivates me to a certain extent to be better, because there's always someone smarter, faster, better, stronger, more wealthy out there, and the goal is trying to catch up to them as quickly as you can.

Speaker 1:

In my opinion, yeah, it's difficult to overcome. You know, just getting into that mentality of, okay, I don't know what I'm doing today, but tomorrow I'm going to know more than what I do today, you know, and that's positive, that's positive movement, you know, that's going in the right direction. It's really difficult to kind of get into that mentality and just accept it and be like, okay, I'm not going to know everything, but I can find out. And I think that was the biggest thing for me when I got those first couple of customers. You know, I was providing consulting on a solution that personally I hate. I absolutely hate everything about the solution. I wish I didn't get the experience that I did, because even to this day, you know, I get calls of people being like, oh, do you want to work on this solution? Just name your number. And like, no, I actually have no interest in doing anything with this solution.

Speaker 1:

And you know, I think one of the biggest selling points was, hey, I know all the key players at this company. If I literally cannot figure it out, I'm going to go ask the guy that made it, you know, and get you the answer that you need. And that was something that no one else was able to offer them, you know, because you have all these other bigger consulting firms that are kind of more reliant on the internal talent and skills, and, you know, that internal talent and skills is getting trained by the experts that built it. But they still don't have that, you know, that connection to where they can go and ask that person, you know, on demand, like, hey, what is this thing, what is it doing? What's the snippet of code? How do I get around it? Things like that. It's an interesting mentality that you have to have, I feel, to feel like you're capable, you know, of providing services that are worth money to some company that can, you know, dissolve your company overnight.

Speaker 2:

Yeah, yeah, I mean, absolutely. Like, working with some larger organizations, like Fortune 500, Fortune 100, it's very scary, because you and your, you know, entity of, like, 50 people are a rounding error to them, right? If there's any sort of, you know, legal issue, it doesn't matter if you're in the right or wrong, they're going to outspend you. So all you can do is do the right thing, do as much of it as you can and do as best as you can, and it's been working out so far for me. Growing up without a lot of extra money helped with this mentality of figure it out, because, you know, as really young it was, hey, my car's broken. Well, I can't afford to have it fixed, so I'd better figure it out. Right, pick up a wrench, order some parts and, okay, let's figure out how this thing goes together. It's just like Legos, right?

Speaker 1:

Yeah, yeah, it's a skill set that helps you in a lot of different areas. At least, that's my opinion of it. But, you know, James, I always try to stay on top of my time with all of my guests, you know, because I know everyone's time is very valuable and whatnot. But, you know, I really enjoyed our conversation. I feel like we could easily go another two, three hours, you know, and not break a sweat, but, you know, that just means that I'm going to have to have you on in the future.

Speaker 1:

Anytime, man. Or, you know, we can talk about anything. We can bring you on and talk about cyber news or anything like that, but, you know, it's a fantastic conversation. I definitely really enjoyed it. And before I let you go, how about you tell my audience, you know, where they can find you if they wanted to reach out to you, where they can find your company, you know, what all that information is, so that they can, you know, reach out if they wanted.

Speaker 2:

I just, you know, go out to your favorite browser and dse.team, that's Delta, Sierra, Echo, just dot team, and all of our contact information is out there. You can get ahold of my phone, email, LinkedIn, you know, Twitter, whatever your preference of communication is, and we'd be happy to talk to you and help with whatever you've got going on.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.

Active Directory and Security Implications
Managing Accounts and Security in Cloud
Cloud Providers and Security Concerns
Air Gap Security and Infiltration Methods
Overcoming Imposter Syndrome in Consulting
Connect With Speaker and Company