He’s a real life superhero that connects to a machine on the other side of the world to do the right thing and help businesses fight off threats, exploits, and hackers trying to do the wrong thing and cause disruptions in all types of businesses.
With a background in hacking, he first set out on this path after he was hacked by Lizard Squad while playing an Xbox game. He then joined a company as a pentester, hacking multiple Fortune 500 companies, which left him frustrated with the reactive nature of cybersecurity and penetration testing, with many companies spending millions on threats long after they had already appeared. You need an approach that lets you act before an attack.
Alex takes us on a journey to understand where compliance and hacking sync, and how vulnerability management and penetration tests already are part of requirements for certain compliance frameworks. We take a look at AI and its use both offensively and defensively and how companies need to ensure they have policies and procedures in place to mitigate these ever-evolving threats.
This new age of pentesting has allowed Alex and Red Sentry to establish themselves as a new leader in the market.
Good morning, good afternoon, good evening, wherever around the world you may be, and welcome back to another really exciting episode of Comply or Die. I’m your host, Kyle Morris as usual, and today we’ve got a slightly different guest to what we’ve had before. One that’s possibly even more exciting, and it’s a conversation we’ve really been looking forward to having.
So with us today, we’ve got Alex Thomas. Brief, high level. Who is Alex? Currently, the CTO and co-founder at Red Sentry. A bit of background about Alex. Started off his career as an ethical hacker, exposing some vulnerabilities in 500 companies, and his background is being a pen tester, a gamer at heart, and I’m told also a challenger of the norm.
So Alex, thank you so much for joining us today. Like I’ve said already, super, super cool to have you on the podcast with us today, and we did a bit of reading into your story with Valentina, and it really was a very exciting one. So apart from maybe just those few little insights, tell us a little bit about yourself, and please feel free to introduce yourself to the listeners.
Yeah, sure. Like you mentioned, I am the founder of Red Sentry. Before starting this company, I had always been interested in the cybersecurity world. It all started in middle school, high school-ish. After that, I ended up going to college for a degree in cyber operations, where I learned how to analyze malware, program, perform web attacks, how to defend against attacks.
Then there’s a bunch of other stuff. After that, I got a job as a pen tester, where I basically sat around all day just hacking into Fortune 500 companies, legally, of course. I absolutely loved that job. That was like a dream job of mine. I had always wanted to do something like that, and it was just very exciting that I got the chance to actually do that. I did that for several years, did a bunch of engagements such as web application hacking, pen testing, internal pen testing, Wi-Fi, source code reviews, phishing, all of that stuff. I did that for a couple of years, but eventually I ended up leaving to start my own company.
Awesome. Alex, one part that you mentioned, I’d love to probe a little bit more. You said this, this interest all sort of started in middle school. What was that spark?
Yeah, the spark. That’s a very good question. I would have to say movies. Movies were definitely what first got me interested in it, it was the James Bond, Mission Impossible movies. Like, I always wanted to, you know, be a like secret agent spy type of thing. So I was always fascinated by the hacking scenes in there, they just seemed really Hollywood and they just seemed super, super cool.
Now that, that makes sense. Even when you, you were talking about it and starting with the dream job and hacking these, these Fortune 500 companies all day long, it’s exactly where my mind went, and I’m sure for a ton of people, it’s exactly the same when you, you think about that, it’s, it’s associated, no, with something you see in the movies.
It’s not actually something you get to, to live and breathe every day. So I suppose we’ve got a bit of a superhero, I don’t want to call you a villain because you’re on the good side of it, on the podcast with us today, which is, which is really cool. Jumping right into it, I mean, we spoke a little bit about the background story, I believe you’re into some games, and I’d like to ask you, does Lizard Squad still give you nightmares?
Yes. Yes. So I have a whole story for them and it’s like a well known story. So it all happened in like 2014, over Christmas. I was a teenager at the time, and then my parents got me a couple Xbox games. I was super excited to go and play, then I ended up going over to my Xbox, signing in. After, after that, I tried to log into the Xbox Live. But I was greeted with a message that said Xbox Live servers down. So I was like, Oh, okay, I’ll try again in a couple of hours.
So I ended up trying again in a couple of hours. But I was greeted with the same Xbox servers down message. Um, after that, I went to Google to see if there was anyone else like having this issue because it was, you know, Christmas Day.
Everyone’s unwrapping all of their gifts, everyone’s trying to hop on Xbox to play their new game. A little bit later, I saw in the news that a hacker group, Lizard Squad, ended up DDoSing the PlayStation and the Xbox servers, basically taking them offline for millions of people right on Christmas Day, which I just thought was just like insane that a small group of malicious hackers were, you know, able to impact this billion-dollar company.
So I’m still, you know, fascinated by that to this day, um, especially because DDoS attacks are still, you know, prevalent today. There are still Fortune 500 companies that are still getting taken out by this very simple DDoS attack.
I think, I mean, we’re talking Lizard Squad here, it sounds a little bit more like the Grinch Before Christmas kind of story here.
Teenage Alex wants to play Xbox, everyone does, and all of a sudden you can’t. And Alex, one, one thing I’m thinking of as we’re going through all of this: the, the passion and the interest has always been there from a young age, with an event like the story you’ve just told us. It’s always been something that I suppose has been a part of you, but how did you actually get started with the hacking?
Where did you begin that you actually decided, okay, this is what, what I’m going to go with. Was it just from the study inside, and that just expanded into this profession and career you’ve made out of it now?
So it all started with just curiosity. I was curious how these movies were able to do these hacks, you know, even though they were very Hollywood, and they weren’t realistic in there at the time, like, I was just very curious.
And I was like, Oh, wow, that’s like, super cool. They’re able to hack into this machine from, like, across the world. They’re able to save the day and complete the mission. So I just thought that that was really cool, then it just got fueled. After that, just by like, but back in like the 2010 era, there was, you know, Anonymous was all in the news.
There was LulzSec, there was Lizard Squad. There were all of these hacker groups that I just kept on seeing in the news. So it just kind of just kept piquing my interest. You know, after that, like, I got into, like, the game hacking space a little bit, um, you know, mainly into, like, the game cheats, you know, trying to get, like, you know, infinite gold on my, you know, Skyrim or something.
So I ended up, so I ended up getting into that, and then I would say that that kind of just, like that just kind of led me deeper and deeper into, you know, into, you know, like, how do you do DDoS attacks? How do you do web application attacks? How do you create malware? How do you analyze? Then it just kept being this deeper and deeper rabbit hole that just never ended. And even to this day, I’m still learning every single day.
Absolutely. And I suppose the attacks are just getting more advanced, more complex technologies evolving. And I don’t know, something I’ve seen, obviously looking into a few trends in that we’ll talk about shortly, the more advanced technologies getting the more advanced the hacking approaches and methods are getting at the same time.
It’s like you’re never getting ahead to get that extra layer of security, which is, I mean, it’s scary in itself, but it’s, it’s the world we live in, I suppose. Yeah. So I’d love to channel or channel this conversation now to a, a few specific, hacking attacks, and I mean, maybe just using them as, as the groundwork.
So before today, I obviously went and had a look at some of the more recent cybersecurity incidents, and it’s actually terrifying how many there are. So frequently. I mean, for example, I went back and, for June, just June this month, I found a couple of really big ones: around the BlackCat ransomware gang that threatened Reddit with 80 gigs of confidential data stolen from servers back in February, on the 1st of June; MOVEit, having compromised payroll data that included information from British Airways and BBC, just to name a few companies; going back to the middle of May last month.
So we’re talking one month ago, and I mean, just those two I’ve mentioned seem, seem pretty big and serious. We’re talking about US government employee data being breached in the Department of Transport data breach. You obviously are familiar with all of these, but maybe I’ll mention one more just to sort of set the scene for any listeners, and the final one. This is actually one that I’m very curious to get your input on, T-Mobile. So obviously, T-Mobile seems to have been getting hits. I don’t want to say frequently, but I mean, there was a breach December ’21, November ’22, and now last month as well.
What, what do you attribute that to? Is it just the volume of data? Is it just bad luck?
Yeah, it’s a combination of a lot of things. T-Mobile is a huge company. So they have a large attack surface to, you know, go after. Also, you know, they hold a lot of data, which means that hackers are especially interested in them because of the data that they hold, you know, but they hold names, social security numbers, phone numbers, credit cards, they hold everything that a criminal hacker or a, you know, nation state also would, you know, also want to gain access to.
So I would attribute it to just their attack surface is just very large, and then they’re just constantly getting probed by hundreds, thousands of hackers per day that are just relentless in their, you know, attacks on them.
I think that that final sentence was probably quite eye-opening, that on a daily basis, like you’ve just made mention, there’s people sitting relentlessly trying to just exploit, exploit the systems. And now and again, I mean, if we look at the other side of that, I’ve just sort of made the statement saying they’ve been hacked a good few times recently, but I suppose three out of what, hundreds of thousands, millions of potential attacks is quite a small number, but it’s, it’s a very fine margin and tricky game. You’ve got to be secure every time, and a hacker needs to get it right once.
Exactly. And you also have, you know, phishing attempts, which can go after all of their users. And you have, let’s say, like, a new exploit comes out today. I mean, like, but, it can be hard to patch that many assets, you know, that quickly. But I mean, you know, hackers are on it the second that that exploit comes out, and then they’re just scanning the entire internet for it.
Crazy, crazy world, and talking about, I mean, you obviously made mention, the criminal hacker versus the ethical hacker side. I don’t want to say there’s a fine line between it, but it’s a hacking side.
It obviously is, whether you’re doing it to identify vulnerabilities to improve an attack surface, or whether you’re doing it for, I suppose, personal or financial gain or whatever that may be. Take us through sort of the mindsets of an ethical hacker like yourself. What does that look like when, when you’re trying to exploit these attack surfaces we talk about now?
Do you try to take the approach where, where you need to get into, into a system or exploit that at all costs and sort of work your way back to a secure approach?
Yeah, so it depends on the engagement type. So it depends on what the customer wants. Um, if they want us to do a more black box approach, which is where they give us zero information, they maybe give us like the maybe the name of their company, and then we do like a red team on them.
That part we would have zero information. We would, you know, go on to their LinkedIn. We would look at all of their users. We would create emails from that, we would maybe send some phishing emails to their, you know, like, let’s say we see like, oh, this person is in HR.
Let’s send them a resume that has some sort of piece of malware attached to it because, you know, they’re in HR, and they’re reviewing people’s resumes all day, so that’s just like an easy way. So I would say that it can really go all over the place. I do want to say that ethical hackers and malicious hackers use the same exact techniques.
The only difference is that one was hired to do it legally, and the other one is doing it for criminal reasons, for, you know, money, for, you know, a nation state. It could be anything, but they use the same exact techniques, though, which means that we are mimicking hackers in order to try to hack you, so that, you know, someone else, someone else who is malicious can’t, you know, use that same technique to, you know, actually hack you in order to get credit cards, social security numbers, and, you know, all of that stuff.
Alex, on that point you just mentioned, hackers are there the moment another exploitable avenue comes up to be on top of it and to dive into it. How do you, from a security approach, stay one step ahead of that?
Uh, yes, so we’re in, like, all of the same feeds as these malicious hackers, you know, Twitter is where I get most of my security news from, basically the second, like, a new exploit is found, Twitter just goes crazy.
Then they start, you know, talking about it. They start saying, oh, like, here’s my PoC, which is a proof of concept, which is like the exploit code. After you have your proof of concept code, which is the exploit, then it’s just like whoever gets there first wins for the most part, and then it’s just a battle of time.
It’s just a battle of how fast are you? For us at Red Sentry, we actually have a custom-built vulnerability scanner, which means whenever a new exploit comes out, we put it in there. Um, after that, we would then scan all of our customers in order to let them know if they are vulnerable.
Got you. So it really is just a case of staying on top of the news, being in touch with everything and like you said, being the first one over the line to put that, that security in place before it’s exploited for, for the wrong reasons.
It is like, and it is really crazy because like, I mean, like, um, today you could be safe, two hours from now.
Exactly, and let’s say a new exploit comes out and then, I mean, you aren’t safe anymore. So it’s really just like, at the drop of a dime, you could be vulnerable and then, you know, which is just like crazy.
It’s a good business model or line of work to be in for, for you. I suppose the more and more the tech’s evolving, very, very cool space. Alex, let’s maybe on that point, talking about customers and business spaces, if you take a startup company, which there’s hundreds and thousands of every single day that pop up, if you from your experience had to give them one security tip, what would that look like?
There’s many that I could give, but if I had to give one, automated patching. That would be a big one, because the second that that new exploit comes out, let’s say there’s an exploit in, you know, WordPress, the second that the exploit comes out, WordPress is going to know about it, and then after that, they’re going to push some sort of update in order to mitigate that exploit.
But if you don’t have automated patching, that means you have to go in there in order to manually update, which, which, I mean, if it’s a race against time, um, you know, it could take you days, hours, months in order to even notice that there is an update, but if you have it automatically running, um, that’s just one less thing that you have to worry about.
Got you. Please. I mean, feel free if you do have a list, and you have any others you’d like to dive into, by all means.
Yeah, sure, phishing, everyone knows that phishing is like, that’s how a lot of attacks happen, so phishing and then known exploits are like the two most common ways that people are getting into your network.
So I would say proper phishing training, proper phishing detection software in order to detect that. Um, those are the two most common ways. Training is a big one, just to make sure that everyone is properly trained so that they can spot a phishing email properly. If you have those two things in place, at least that you’ve done your due diligence in order to try to mitigate those attacks.
From the phishing side and the training, I think it’s a very interesting point, especially something I see on a daily basis from a compliance space that, I mean, you’ll, you definitely are very familiar with it. Your people being the weakest link in any organization, but actually to get that, that value out of the training, because it’s something that’s time-consuming.
It’s taking away from the work hours. You have to do your actual work. Now you must spend time doing this training, and I mean, apart from scare tactics, and if you don’t do the training, and you don’t have the adequate knowledge, there’s a much higher chance you’re going to click on a phishing link when you shouldn’t be clicking on it.
Can you think of anything, Alex, in how to deliver that training in the most valuable way? How do you present it? Or is it just something people need to knuckle down and get going on?
Yeah, I mean, so there are a lot of training platforms out there. I mean, to be fair, a lot of them are kind of boring to watch.
You know, it’s just like some video, or it’s just like some text that you have to read. Then you’re like, okay, next, next, next. Then you kind of just like skip through it. I would say if, if it was more gamified, if it was like more interaction, if let’s say like they gave you like a real phishing email, then it’s like, oh, like, like find out what’s wrong in the email, you know, like something that’s more interactive, instead of just watching a video or just, you know, reading some blob of text.
Yeah, absolutely. I think that the interactive side, it hits home. For your example of clicking next, next, next on videos, I think we’ve all been, all been through that. It keeps you in compliance. That’s great. Cool. You do your annual training. It’s a tick box, but what value did you get out of it? Probably, probably not much. Let’s, let’s maybe talk a little bit now about compliance specifically. So we spoke a bit about startup organizations and what they might struggle with initially. How do you see vulnerability management playing a role in achieving compliance, challenges to it, the benefits of, of having proper vulnerability management in place?
Oh, yes. I would say that vulnerability management is a requirement for many, many, many of those compliance frameworks, such as, you know, like your SOC 2. Pen tests are also required. It’s just one of the things that you want to make sure that you have, because like, if you don’t know about all of your exploits, then there’s no way to, you know, fix them, because, you know, if you don’t know about them, that means you can’t fix them properly.
But you want to make sure that you have a central place that has all of that data that says, okay, I’m vulnerable to, you know, CVE XYZ, therefore I should go and apply my patches to that, you know, and then it can also help you, um, discern which ones you should prioritize as well. So if you have the CVE that a thousand devices are, you know, vulnerable to, that’s probably a quick fix that you could apply to all thousand devices in order to get rid of a thousand CVEs right away.
Awesome, Alex. And on your point, you mentioned with pen testing, let’s take the example. You’ve got a stubborn customer, and we talk about a framework like SOC 2.
There aren’t really many ways around it, but in a framework that you’ve got a lot of flexibility, you’ve got a customer that says there’s no value for us in, in doing a penetration test. We don’t need to do this. We can figure it out another way. Are there any other alternatives that could give that same value?
Yeah, so if you don’t get a manual pen test, I would always recommend to at least get a vulnerability scanner up and running in order to check for all of your low-hanging fruit. Pen tests can be expensive. So I can definitely see for like a small startup, you know, like finances are limited, which means that you may want a cheaper option.
I would say that scanning for vulnerabilities, um, that is definitely the cheaper option. It will also allow you to identify all of your low-hanging fruit, that way you can at least fix all of those issues first.
Got you. And when we talk about vulnerability scanning and maybe the most cost-effective way to it, a lot of companies nowadays are going fully cloud based architectures.
They’re relying on, on your big names in the game, your AWS, your Azure, your GCPs. And most of those have service offerings within them. Click on a button, pay a bit more money, and you can have built-in vulnerability scanning. That’s what you’re referring to, correct? Making use of something like that to get going.
Exactly. Yes, and then there’s also like free tools. There’s open source tools out there which you could download and then just run against your code base, you know, like if you’re pushing out your web application code, you probably want in your CI/CD pipeline, you probably want some sort of source code scanner in order to make sure that there’s no, you know, SQL injection, cross-site scripting, any of those OWASP Top 10 vulnerabilities.
Alex, on the point you just mentioned there with your open source options, let’s talk proprietary versus open source software. Obviously, I think there’s, there’s a bit of a misconception around it and customers potentially using something that is open source, and it’s not being as safe. Can you help us debunk that?
Not being as safe. Yeah. So like open source is really good to use, if you don’t want to pay for like the full-fledged tool, but you know, like you mentioned, it is open source, which means like versus a commercial product, but they have like a whole team behind them.
They are financially motivated, which means that they’re more motivated to, you know, keep it up, up to date with the latest and greatest stuff. Open source software is still very good because it is free, and it will find those low-hanging fruits, but if you want something a little bit more impactful, a little bit more with like a little bit more power, commercial tools are definitely the way to go since they have, you know, 100 hackers that are just writing exploits all day that are putting them in there in order to scan for you.
So it’s just like, you know, two different, um, offerings, you know, one of them is, is, you know, free. But I mean, it will be limited in the number of things that it can find versus a commercial tool.
Great, great insights there. Thank you. And if we, we push the conversation forwards a little bit, and let’s talk about, obviously staying with hacking the name of the game today, and talking about AI. Hackers utilizing your OpenAI tools and your ChatGPTs and the likes, tell us a little bit more about that?
Yeah, sure. So I’ve definitely been playing around with those large language models, um, ChatGPT is just one of them, there are open source versions of it too, which just like makes it a little bit more dangerous because as ChatGPT, they have restrictions, which means you can’t like type in to say, create me a phishing email.
It’ll say, Oh, I can’t do that. But if you use one of the open source ones, there are no restrictions, which means you could have it do whatever you want it to do. One of the biggest use cases that I think we are going to see a lot is creating phishing emails, phishing is already, like, the number one attack method.
Using AI to enhance that is just going to make it even more dangerous. Um, really, because ChatGPT or, you know, any other model like that, um, it can generate, it can generate a thousand phishing emails within a couple seconds. So it’s just that the scale, the automation side of it, it is just going to allow you to create a lot more attacks, quicker too.
Is there any way to stop the potential impact of utilizing like the example you’ve just made mention of, how do you secure yourself against that?
Yeah. So that’s hard because I mean, ChatGPT kind of does it because they won’t allow you to like say create me a phishing email, but there’s the open source models where you can do whatever you want.
So, so I would say, like, the defenses are your standard phishing defenses, you know, make sure you have training, make sure you have, you know, some phishing simulation going on, making sure you have your phishing detection platforms up and running, make sure you have your firewalls and all. So I would say that, you know, all of that is going to play a huge part.
Um, there are some models out there that can detect ChatGPT-written verbiage, so, you know, so it’s used a lot. And like, whenever it’s used a lot, in like the schools, whenever like a student gets like an essay to write, they may use ChatGPT to write the essay, but then there are other tools in order to detect ChatGPT writing the essay.
So, I think that tools like that will probably come out, tools that are trained to detect large-language-model-created phishing emails.
And what I think was really quite an interesting takeaway from that is we mentioned it earlier in the attacks and the technology is getting more and more advanced, but your best method of defense in, in the specific case around phishing, it’s pretty much going back to the basics.
Do the training, put your network security. It’s not like that’s something new that, that popped up this year. It’s what’s always been in place. And I suppose the best practice.
And Alex, I mean, I think we could probably unpack this for ages, but I, I would like to, at this point, maybe just move on to some, some closing words and final remarks from you as well.
I think we could, we could spend a very long time here, and I could definitely listen to you talking about different tools and tech and the hacking world. I basically just see you as, as one of these movie celebrities now at this point, just so you know, one of the James Bonds or the Tom Cruises, like you’ve made mention of, um, that’s exactly how we’ll see this going forward, thank you for that.
Someone listening to this, someone potentially wanting to become an ethical hacker or go into a similar line of work or career path like you, what guidance would you give them?
Excellent question. If I had a couple of recommendations, it would be to try to get as hands-on as early as possible, because, like, you could read a book on hacking, you could read hundreds of books that are on hacking, but it’s very different whenever you get in there hands-on. It’s kind of like reading a book on playing football versus, you know, like actually playing football.
They are two totally different things. So I would say try to get as much hands-on experience as you possibly can. There are lots of, you know, training platforms out there. There’s Hack the Box, which is my favorite online training platform. Basically, it’s like a couple of hundred vulnerable machines that have pre-built vulnerabilities in them, and then it is up to you as the ethical hacker in order to try to find how to break into that system. They also have walkthroughs of them. So, I mean, but let’s say you are brand new, and you don’t know how to do it. You can follow their walkthrough and then just kind of follow along with them. Um, that’s one of the best ways to learn.
That’s like kind of how I learned. I just followed other people’s walkthroughs, and then I just redid it myself hands-on. I would also say learning to program, that will help you a lot, because all of these technologies, all of these exploits, they are impacting, you know, devices. They are impacting software, you know, so it’s like if you’re, you know, let’s say you’re a developer, you code up this website, it will make your job a lot easier if you understand how they coded the website, because, you know, as a hacker, you have to understand a lot of different technologies very well.
So it’s very generalized, but it’s very deep as well. So if you have that, you know, dev mindset, it’ll just help you think about, you know, why did they code it this way? Why did they pick this architecture? After that, you can kind of come up with different attacks in your, you know, mind.
There’s also certifications, so the OSCP. That is the best certification out there. Let’s say you are brand new, I would start on the OSCP. Um, they give you training videos, material, they have hands on labs. It is like hands down one of the best training certifications out there.
Amazing. Thank you, Alex. I think that’s, that’s a great amount of resources for anyone listening, not knowing where to go. I think there’s a great amount of direction in that in itself. So on that note, Alex, I really must thank you. It’s been, it’s been awesome to sit and talk to, like I’ve said already, one of these real-life superheroes that go and connect to a machine on the other side of the world.
I think it’s important to add into that, that, that do it for the right reasons. So thank you. Thank you, Alex, for taking time out of your day today to talk to us, to help educate the listeners and just provide some really insightful conversation.
Thank you so much for having me.