Hacked - The Red Teamer
Episode Date: February 21, 2025
Adam used to break into companies for a living—legally. As a red teamer, he watched the attack surface shift from networks to endpoints to something new: identity. The Snowflake breach proved it—attackers aren’t breaking in anymore, they’re logging in. Adam saw it coming, founded Push Security to stop it, and now he’s here to break it all down. They’re our new sponsor, so if that’s not your thing, no worries—catch you in the next one. But his story? Fascinating. Hacked is brought to you by Push Security—helping companies stop identity attacks before they happen. Phishing, credential stuffing, session hijacking—Push tackles it right where it starts: in the browser. Smart, seamless, and built for how people actually work. Check them out at pushsecurity.com.
Transcript
Adam used to be a red teamer.
I entered the industry at some point as an ethical hacker.
He would get hired by some big organization, and it was his job to play a part in a simulation,
to play the role of an attacker.
We were basically the team that you would call in if you felt like your security was really, really good,
and you wanted to experience what it was like to undergo an attack from a really sophisticated threat.
He shows up, tries to break in, and in doing so reveals the vulnerability,
so they could fix it before someone else uses it.
So we would very often simulate like, you know, Russia or China
or whatever adversary someone wanted, like a state government-sponsored attack group.
He had a really interesting way when he was describing their old job
because I don't know if you listened,
but he was talking about how they used to get paid on a per milestone basis.
So they'd get contracted by these companies,
and they'd be like, you have three months to try and transfer the money from this account.
we're going to pay you this exorbitant amount of money if you can do it.
And he's like, sure, great.
48 hours later, they'd have done it and be like, give us all that money.
And they're like, well, we thought it would take you three months.
And he's like, well, that's not what the contract says.
And over time, he starts to watch this shift happen.
You know, attackers always go to the point of the lowest friction.
And so just going after the weakest link because you've raised expense of an attack somewhere else.
People in these roles often talk about the idea of like an attack surface.
It's the sum of the different points where an attacker
can get a toehold into a system.
And they're watching the attack surface of all these organizations they've been paid to breach
start to change.
In the early 2000s, that attack surface was the network.
Securing it was like locking down open ports and stuff like that.
Yeah, firewalls, infrastructure side, keeping the walls of the fort big and strong.
Then it starts to shift to the user's device, what they called endpoints.
That became the battleground, the way you would get in.
Then you got things like EDR, endpoint detection and response, which is looking for like malicious code running locally and like grabbing it and containing the problem before it becomes an issue.
And Adam starts to get this sense that he can see a turn coming, another shift in the attack surface from the network to the endpoint to the browser.
And specifically the identities that we use in the browser.
The technical term identity, to really boil that down to something that most people will understand, it's their logins, user credentials, login, password, multi-factor authentication, things like that can build up and constitute one's digital identity in this case.
And why would you spend heaps of money developing malware when you could phish or even just buy some leaked credentials and immediately get to work?
Last year, the world kind of had this aha moment in the form of the Snowflake breach.
There was no lab developing malware, nothing that complicated, just an attacker who bought
credentials to some identity, logged in and got to work.
And before you know it, hundreds of businesses are exposed based on just an identity in a browser
leading to one of the biggest data breaches of all time.
An identity that was purchased probably for a few cents on the internet.
That attack surface had shifted again. When we were talking through this before we recorded
and like just kind of like having a chitter chatter, he's like, why would you spend all this time
doing all these complicated things, trying to penetrate through all these complicated security
systems? When you could just buy some creds on the internet, write a few scripts, have it ping your
Slack notifications when you like, when it had a successful login attempt. And he's like, you go to the
pub, have a beer. And just wait for your Slack to notify you that you've like compromised a big
international enterprise. After he gets back from the pub, Adam goes on to found Push Security.
They're a new sponsor. So disclosure, this is technically sponsored content. That's not your cup of
tea. No harm, no foul. We'll catch you in the next one. But we found Adam's story of this red teamer
who saw a thing coming. Just absolutely fascinating. I will say that this is, I guess, technically
sponsored content. But like, this is not contractual. We just wanted to talk to Adam. Yeah. Because
A, he's like a great guy to talk to. B, he's super legitimate. And C, he's got amazing stories.
So like, we didn't have to make this episode. We wanted to make this episode. We think it is a good
episode. Yeah. It wasn't part of the deal, but we wanted to do it anyway. So we sat down with
Adam to try and kind of understand that evolution we're talking about. About
how he learned to think like an attacker and where all of this goes next.
So if you want to hear the story of a real high-level cybersecurity professional and their journey
through this ecosystem, listen to this episode. It's very great. Let's get into it. This is our
conversation with Adam from Push Security on this episode of Hacked. We were talking about
this hypothetical, which is there's a bad actor, and they're trying to get into some kind of
big institution, financial health care, whatever it is. And they're presented with this forking
path, this choice they have to make about how they want to go about it. And I really like the
way you put it. I was wondering if you could take us through that choice of how they would do that.
Yeah, definitely. I mean, it came a lot from our background as a founding team. Like, this is what we
did. So we were an offensive security team, basically. We do attack simulations quite a lot. And we
we lived very much through this era of, you know, when I first started doing it,
doing client-side attacks against endpoints just wasn't a thing.
Like it was all about external perimeter testing, right?
So you were doing things like port scanning and vulnerability scanning across public-facing infrastructure,
and then that was like the wall you had to break through to get into the company.
And then as that got better and better and better, it started to, you got harder and harder,
and frankly the tests got more boring.
And so we went through this kind of approach where we were like, well, why don't we just hop over the wall?
Like, why don't we just, you know, go and apply for a job on the company website.
But instead of, we'll send them a CV, but let's embed a macro into it and like get code execution and take control of the endpoint.
And then from there start jumping around inside the network.
Right.
So we went through this era shift, if you like, where the not just the exploits and the tactics change, but it was like a whole MO change, if that makes sense.
And we lived through that for a ton of time.
And then as we started to come out of the back of the decade later,
we've seen this shift again.
And so we've been talking a lot recently about now everyone's very cloud and SaaS-orientated.
If I was an attacker today and I was going to target an organization today as it was,
what is the most cost-effective way to break into an infrastructure?
is it to go away and set up online infrastructure
with a lab with all of the different EDRs and all of the different AVs
and create EDR evading malware and C2 infrastructure
that tunnels out via DNS that gets past all the network traffic
and all this different stuff
and then compromise an endpoint and learn how to persist
and then move through the network for a month and months
or is it better for you to instead take a list of the top 10,000 SaaS applications,
write a script, which then goes through and like tries username and passwords
and constantly takes clear text credentials off of a criminal marketplace that are up for sale
and just sprays them against everything and logs in, right?
And so if you think about it in that way in terms of attacker ROI,
it's like the second way you can write this automated script,
you go to the pub and you get a Slack alert on your, you know, or a message
on a phone saying, hey, you've just compromised someone's MDM solution. You can deploy
ransomware across everything. So anyway, if we were thinking about this way, we were like,
this is actually insane. Like this is the way that attackers are going to start to
compromise organizations. And companies are becoming more and more supportive of that in terms
of their architecture looks that way. It's very cloud-orientated. And that was why. And so for us,
that's why it became like another shift, just like moving to the endpoint was a shift, now moving
to cloud perimeter is clearly another shift that the industry is facing.
Right.
So you guys are targeting primarily,
or are saying that the target would be primarily identity.
Yeah, like as in the same way that in that first era we're talking about,
it was open ports on public IP address ranges,
and you would port scan them to find now you're talking about identities,
which really we're talking about user accounts, right?
Yeah, credentials.
And then, yeah, people say, okay, well,
I don't get identity being the new perimeter,
because we've always had identity, we've always had credentials.
The difference is they always used to be inside your network perimeter on internal systems,
but particularly in the pandemic, they all got just pushed out online.
And so there's thousands of them sprawled across the internet under your company domain.
And now that they're accessible, right?
So there's billions and billions being spent on network security in your infrastructure.
The attacker is sitting at home targeting identities straight on the cloud.
They don't even touch your network.
There's no logging.
There's no detection.
the impact's just as high because there's a SaaS application for everything.
You know, you can come, even your EDR is SaaS.
So you can just compromise that and you can use that to deploy ransomware across the estate.
So this attack surface now is the new attack surface that companies are having to defend.
And it's a big problem for the industry that I think needs a lot of attention.
When we sort of started or restarted the show in and around 2020,
just before the pandemic kicked off, just before all of that shift towards these decentralized systems,
that we used to run our businesses, it did feel like so many, especially the big stories,
the big crazy hacks, the nation state level stuff, they were security labs.
They were funneling millions of dollars into R&D, all of this man hours into try and develop
these compromises from nothing.
And it's felt like in those five years since, it's just shifted towards, oh, that massive,
catastrophic thing that happened, that was like a contractor of a subcontractor of a subcontractor
who's like Microsoft Teams or Slack or something got compromised.
Like it's just that the way the stories are shaped has changed so much.
Was that shift in COVID towards these more remote decentralized team?
Was that the thing that shifted this the second time to kind of borrow your framing?
Yeah, it normally whenever there's a big shift like this, it comes from two things.
It comes from broadly a technology shift.
Right. So I think the first one, the first technology shift was just, you know, when the endpoint thing happened, it was very more independent workers, some of which were working from home and some weren't. And so like the endpoint sprawled out of this, you know, castle wall kind of approach. Right. And people used to say, if you remember in that era, people used to go, the perimeter is dead. Right. And that's because they were thinking about this castle wall around the infrastructure and everything was in there and that was it and you couldn't go around it. And then people started working from
home and so the perimeter was dead because they sprawled outside.
So you had to move on to the endpoint to keep hold of that perimeter.
So that was the first shift that brought around.
And if the profile of a company changes, then the profile of the attacks change too.
And so, yeah, I think then now everyone's moving to cloud.
Like if you look at modern companies, their office isn't a network infrastructure.
It's an internet connectivity to get you to a cloud infrastructure.
And there's nothing in the middle.
You don't need proxies, VPN.
You don't need any of those things.
So the profile of a company is changing.
And so therefore, the way that attackers need to target those companies are changing.
So that's the first thing is as those companies become the default,
attackers need to think in a different way to attack those sorts of companies.
The other thing I think is just literally about, you know,
not everyone looks 100% purely like that.
Some people are in that transition.
So they might have originally been legacy.
And a portion of their infrastructure is like that,
maybe 20% of their company is like that.
But because of the fact that the 80% is so well protected,
because we've had a whole decade of being security controls around it,
that 20% becomes the weak link.
And so attackers will just go straight for wherever this is the easiest point, right?
So I'd say, like, one, it's about technology shift and the profile of the company changing.
The second is the point of, you know, attackers always go to the point of the lowest friction
and so just going after the weakest link because you've raised expense of an attack somewhere else.
So you came from a red team background. And so obviously that facilitated and built, you know, your perspective into this attack surface. You know, what really, what really got you here? What really made you think this way and come up with a solution?
Yeah. So I've always loved security. I don't know. Why? Like when I was a kid, I just, the idea of taking stuff apart was really interesting to me for some reason. And it just happened. It's sort of evolved into security.
and finding ways around different things.
So without giving you my full childhood upbringing life story,
I entered the industry at some point as an ethical hacker, I guess, was the thing.
And it was a really special company called MWR InfoSecurity.
We're in the UK.
This place was incredible.
I think the average age of this company was like 20 or something.
Maybe younger, like at late teens, just a ton of really smart engineers who'd come out,
just found their own way, like learning how to break systems. And so it's a very research-led
type company. We were always breaking the boundaries of what would need to be done. And that's
the kind of culture you need in that sort of company, right? Because bear in mind, you're really
going up against huge behemoths like Microsoft, right? People who've built these big security
controls to not be subverted. And you have to think outside the box to get around them. So
everything you're doing is always going into the new. It's always going into the unknown. It's always
trying something that hasn't been tried before. So it's a research organization and I was there
for about a decade or so. I was in place 15 went all the way through to I think we were about 400.
We ended which is for a service company is pretty big given it's all service oriented and we were
just doing things like we were basically the team that you would call in if you felt like your
security was really really good and you wanted to experience what it was like to undergo an attack from a
really sophisticated threat. So we would very often
simulate like, you know, Russia or China or whatever adversary someone wanted, like a state
government-sponsored attack group. And so we do things like, rather than it being like a day rate,
companies would pay us a fixed fee over a fixed period of time and it would be goal-orientated.
And they might say to us, look, we want you to transfer this money out of this account or we want
you to get access to a secret project. And it was in our interest to achieve those objectives as
quick as possible. So very often we've been given a three-month timeline, 40 hours later,
we had full control of the whole company. It was like Ocean's 11 kind of style attacks, right?
And you know, you didn't get to be wrong. I had its fair share of application testing and writing
reports as well, but what we were known for were those high-end, those high-end red team
offensive security engagements and the research we did. Yeah, that's what we were really,
really known for. And so that was the background we came to. And then that company got
quiet. We left and my founding team and a lot of the core members. We started off Push. And
that was really the mindset. We're like, okay, well, we've lived through this era shift of people
moving to the end point. What now? Like what's going to happen next? And we decided to get ahead
of the curve. And we could just see that it was going to be identity attacks. We're going to
come up to the market. So it was really interesting, though, because I will say we had a bit of a
shock when we came to the real world. Because to us, like, doing an identity attack was just so
obvious. It was like, yeah, of course this is going to happen. I mean, it's completely unprotected.
You can just compromise identities in the cloud and take full control. If I can buy us like
keys to the front door, you know, why wouldn't I? Yeah, exactly. It's like we couldn't,
we couldn't not see it, you know. And so we were like, wow, this is great. And this is the next
big thing. And we went out and we published research and we were talking at conferences. We're on
podcasts, in fact, talking about this and saying about this big problem
was going to happen. And everyone was like, oh, yeah, that sounds like it's going to be,
you know, a future problem. Like at the moment, I'm trying to deal with this stuff. So I think
at the time when we first spoke about this, people always found it very an interesting,
theoretical future. And the mindset in the industry, understandably, like, why, not everyone's
a red team, right? But understandably, it's like everyone was thinking about Microsoft 365 is the
thing that I've put online and that is the keys to the kingdom you know that's the identity that
matters if someone hacks into Microsoft 365 they can therefore get down into every other application
behind it you know it's true for insert here Okta Google Workspace whatever you use but the
primary IDP is what I'm talking about so the mindset was very much that that's what matters
all the little applications on the outside don't matter so much and we were saying well
actually if you think about the traditional network perimeter
that's a bit like saying
look I've got you know 400 hosts on the internet
but as long as I secure my VPN and my website
I'm all good but every time the way we'd get in
it was the little development server stuck on the side somewhere
that had a vulnerability no one knew about
and we'd use that to pivot through the DMZ and break into the whole infrastructure
and then just come back on the website and the VPN point and everything else
so yeah I mean history just sort of told us that this was true
and we did lots of research into showing how you could compromise a trivial application
and move laterally from that application through.
And people found it very interesting.
But really July last year was the point where everyone woke up and they kind of went.
And what happened there was, I think you spoke about this before on the show.
So just a refresher for people, Snowflake's big important database.
People are fighting lead attackers off of endpoints all the time.
attacker comes along, buys some credentials off of the dark web,
and clear texts that were up for sale from a prior campaign,
and logged in.
Like, that was the attack, you know, basically.
Big sophistication.
Yeah, exactly.
And there was a huge awakening where all of the research that we've been doing,
all the things we've been talking about,
we had a lot of people come back and go, hey, okay, we get it.
You know, there are other identities that are out there now.
And for us, it was, it was, it was a good time.
because we're in this to improve the industry, right?
We're not in this to, you know, like we didn't sort of inherit a product and a company
and then we're trying to work out a way to get people to buy it.
You know, it was like we saw a problem that was coming and we've been working a way
to figure out how is the best way to solve that problem.
And because of our research background, it's been incredibly, it's just built in us to sort
of research in this way.
So talking about it for a long time, it was rewarding.
I guess in the same way that
I imagine it's like
what an environmental activist feels like
you know, like you're sitting there
and you're telling everyone
that a comet's coming and no one would quite listen to you
and then where the day the world's about to turn to cinders
you're probably sitting there going
oh my God the world's about to turn to cinders
but yes!
No, you get it.
This isn't good but I told you.
Yeah.
Oh man.
Yeah, that's great
because the other thing too
like password reuse so like when it comes to identity and credentials like one thing we've talked about
on the show a bunch is that like a lot of people reuse their passwords so it's like a credential
for one system could be a credential for a bunch of other systems and I'm sure that you know
facilitates the opening of so many doors in the cloud space so yeah a crazy number in fact we
see that in our in our data now so it's well over a third of that's
passwords are reused, yeah, across all places.
And it's problematic because if you look at the traditional domain,
you know, when you were hacking Windows or Active Directory or whatever,
you would break into a trivial server somewhere.
And the first thing you do is pull all the hashes off
and spray them across everything else on the network.
And so it turned a single compromise into mass compromise in one go.
Credential stuffing, when, you know, SaaS and it's exactly the equivalent.
I mean, you don't get hashes,
obviously, but clear text password against one, you know, I've just broken into a wiki,
who cares about my wiki? Well, you know, it's not that big a deal. But if you take that
and then you spray it across every other application on the planet, you get access to another 50,
now it matters. You know, it's a really big deal. So, yeah, we've been talking about that
since I think Ashley Madison. Yeah. Was the first time we started talking about because they,
because I think the salt, or they were unsalted or they had like a very basic salt that was
also exposed in the hack. So essentially the password database was cracked like really quickly.
So all of a sudden there was all of these identities kicking about and we've been chatting about that for years.
I remember that. Yeah. I mean, I'm curious for your take on that then, like you spot this era shift coming.
You spin up this project to try and address it of like everything's shifting the identity. That's going to be the new vulnerability.
Snowflake happens and everyone goes, oh, yeah, this is this seems like a really big problem. But at the heart of it is those leaked credentials, those marketplaces where people can go buy this information and that's sort of like the easy foothold into the
systems. Did you watch the development of those marketplaces? Like, what is your sense of these
spaces where people can go buy these credentials on that? Yeah, it's a good question. So that is
kind of an entire parallel industry, like the, in both ways, both from a criminal industry
perspective, but also a cybersecurity vendor perspective, which I would say is adjacent to us. Like, we
we make use of that in our solution
to try to help solve some of the problems
but it hasn't been something
I've kept an eye on growing if you said
in because it was parallel to us but the reason I say that
is because they really
if you think about a sophisticated threat group
they kind of break themselves into teams
like you've always had an initial access team
like somebody who sits there writing exploits
and finding ways into companies like
they might write a browser zero day that's never been seen before.
Someone else will write an implant,
and then you'll have a team that take the implant and the browser exploit
and they'll gain access and they'll get a foothold in the organisation.
And then you'll have a different team that will come in behind
that will actually go and achieve action on objectives
and they'll start to move through the infrastructure to actually get to the data they wanted
or deploy the ransomware or whatever they wanted to do.
So it's kind of in batches like that.
And it's similar with the criminal marketplaces,
is that you'll have one person's job who it is just to go
and just harvest credentials from all over the internet.
So it could be phishing, right?
They just phish people en masse.
It could be that you're hacking into, I don't know, Ashley Madison, like you said,
and just pulling out all the clear text passwords and just stick them up online.
And their part of the supply chain is steal credentials and put them up for sale.
That's it.
That's all they have to do.
But there's another half of the supply chain of people who just go,
let me buy some credentials and use this to go and log into everywhere else.
So they're two halves, yeah.
So the people that put the credentials up online are a different group often to the people that take them and use them against different places.
I think you're the first person I've ever heard discuss the cybercrime thing as a supply chain.
You're the first person I've ever heard talk about it like that.
It's like we all have a role to play.
And it's like some people specialize at this role, you know, harvesting usernames and credentials and selling them to other people who will take them and use them.
I've never heard anybody refer to that as a role,
a supply chain, but it is, it is a supply chain.
It literally is. Yeah, I mean, because you think a lot of the times, it depends on the
group, right. There are different profiles of groups like a nation state actor. They're all going
to be, you know, employed people in one organization, whereas criminal groups tend to be
much more distributed. So sometimes you have like solo contractors whose job it is to write just
a Windows driver that allows you to, you know, embed itself into the operating system to
And that's it. And then that one person will just feed it back up to, you know, to a malware author.
And the malware author's job is just to write and keep this malware up to date all the time.
But that's very, very different from the 10 threat actors they then pass the malware to, to actually use it to go and infect people and keep going.
So I suppose it's that the same as just a normal criminal group. Right. You have mules and you have people who, yeah, yeah, there's just different roles in a big organization.
That was something that struck me. We've done a couple stories where,
I get a good sense of what one of these operations is kind of doing.
You interview someone, they explain the organization of the structure.
At a certain point, you go, like, this is just a company.
This is just a large, this is a mid-sized technology company that's goal is just much shadier than the rest.
But it has the org chart.
It has management.
It has suppliers.
They seem to have vendors.
They have raw inputs and material.
It's like someone smelting aluminum into poles or something.
Like, it's just a business.
So, like, the whole shifting onto the,
into the cloud and you know identity is being sprawled out across the internet is a fairly recent
thing that's happened to the last few years so that's really broadened the attack surface quite
significantly um but the as i said the actual identity attack like the way you do it hasn't really
changed from decades ago it's like brute force attack credential stuffing phishing you know it's all the
same stuff in terms of actual credential access but the reason it's always been a big problem
even when we were focused on incident response and the infrastructure era,
even then we were saying that identity attacks were probably one of the biggest problems
that were going to face the industry.
And the reason that we said that was because when we were,
so one of the things after we did defensive security, just to give you context here,
we were doing detection response and we were doing incident response.
We actually flipped over and started running an MDR service where we were watching attacks happen.
And it was really interesting because you had ex-red teamers,
and it was really cool to see how effective they were at doing a detection response
because you'd see an indicator and be like, I know what you're going to do next,
and then you'd actually be ahead of the attacker and it made it kind of really interesting battle.
But anyway, point being is that we would watch these attacks play out,
and it was really effective when the attacker compromises an endpoint
because what they're doing on the endpoint is stuff they shouldn't be doing,
like injecting into a process or dumping passwords
from memory or whatever, like stuff that was malicious
and the EDR could quite clearly tell the difference
between what is normal and what is not normal.
But the moment an attacker steals a password
and they move into identity,
it's really hard to tell the difference
between the attacker and the employee.
Obviously, you can see the point they stole it off the endpoint,
but let's just say you were just looking at the identity, like the logs.
Sure, yeah.
All you're seeing is a login.
Yeah, and so you're at this point now,
where someone logs into an account,
like if you just saw that bit,
someone logs into an account
and they delete something from a database
or they delete a file.
Now, was that a user logging in
and doing that because they wanted to?
Or was an attacker logging in and doing that
because it was malicious, right?
And the difference between those two,
you can't tell from data
because they literally are the employee.
They've stolen their account and they've taken that.
So the only difference is intent.
and you can't measure intent through data
if you're saying. So we were like, well, this is a big problem
and this is why I think actually prompting the employee
to say, hey, was this you, is a key part of doing identity attacks.
And I think that's somewhere that the industry really needs to go
as we start to solve some of these problems.
Sure. So like whenever I make a transaction or something
and get the little ping up on my phone, it's like,
hey, did you actually do this? Yes or no.
That's the like verification step that I am who I am.
Exactly. Yeah. So, hey, this malicious action was just confirmed.
Yeah.
Was this you? Like 2FA prompts can make sure that happens and authenticate some of that.
The, as far as phishing goes, what are you seeing for the level of sophistication and the level of like how, how has that grown in the last 10 years from, you know, what it used to be like a generic email and like a, you know, whatever it used to be 10 years ago to what it is now because I'm sure it's much different.
Yeah.
the core like I guess
attacks as I said phishing and everything
haven't changed a lot but the way those are being done
has evolved quite significantly
and so for example
we what we're seeing now is a huge rise
in what's called adversary in the middle attacks
or AITM as basically
somebody did ask me whether that was a gender neutral
man in the middle attack at one point
which is not
but yeah
it's adversary in the middle
so it's a slight variation
so the concept's the same
and that you are still
you know a man in the middle
but we refer to it
the best way to think about it
is like phishing 2.0
so in phishing 1.0
your goal as an attacker
is to steal credentials
username password so really what you're doing
is setting up a clone site
that looks like a legitimate one
sending it to a victim
the victim enters their
credentials and you walk off with the username password. Now obviously MFA was touted as the big thing
because now I can't use those credentials and that was the reason that happened. So AITM have come out
of this increase in MFA effectively and it allows you to bypass MFA. The way the adversary in the middle
works is you don't get someone a victim to log into a clone site anymore. You get them to log into
your actual site,
like to the actual, say, Microsoft 365,
but they proxy it through you, if you see what I mean.
So you effectively set up an attacker proxy.
Yeah, exactly.
You tunnel it through and you say, hey, send them a link.
They connect to you.
You fetch the page.
You give the page back to them.
Because you're in the middle,
it allows you to intercept everything,
including the session token and the MFA.
So then you can actually get around it.
And there's lots of clever ways to make this happen.
Like one of the ones that's become quite popular is what's called a browser in the middle attack,
which is a subcategory of adversary in the middle.
And what happens with that is you set up a, you're familiar with VNC, right, like for remote desktop viewing.
Yeah, of course.
The idea is I set up a server on the internet, one that I control as an attacker.
And when I set that up, I open up a web browser and I browse to the target, say,
Okta or Microsoft 365 page.
So now what I've got is a server VM online
with a browser that's open.
Yeah, so then exactly.
So then I can obviously come in a remote desktop into it
and what I end up with is a window on my desktop
that shows the target page, right?
Now, fortunately, or unfortunately,
depending on which side of the fence you're on,
there's now like JavaScript libraries
that allow you to run noVNC inside the browser.
And so what we see attackers do
is basically run, you have a browser,
window and you send it to a victim and they open up and they see their fully branded MFA logger
which is actually their login page. But when they enter their username and password into it,
unknowingly, they're actually doing that on my server and I can just watch it and watch it happen.
I can pull everything out of it. So they're the sorts of modern attacks that we're seeing
now happen and bypassing a lot of these different attacks. Beyond that,
those attacks are starting to become a lot more well known.
More recently we've seen an evolution in detection bypasses.
And what we're seeing there is that still the main delivery vector for phishing attacks is email.
And so the attacker would send in one of these phishing links,
like whatever technique it is where it was phishing 1.0 or later,
you send the email into the victim
and the email or proxy
will scan the email
and look at a bad URL
now obviously it can check
for domain reputation if it was recently registered
and all those kinds of things
but those are quite easy to bypass
you just buy domains that have been registered
for a long time from a good reputation
all that stuff so what you're starting to see
is they will actually take the link and go follow the link
and query the phish kit itself
to get a lot more information
And so we're seeing attackers just doing stuff that simply putting up bot protection in front of their phish kit, right?
So it's like they've got reCAPTCHA in front of it and you've got to send particular GET parameters to it.
Some of them are even presenting you with a login page and getting you to log in first.
And if you enter a domain that's not the target company, it will just redirect you off to like a Microsoft live login, like something legit.
Whereas if it is from the target company, it will return the phish kit.
and you start seeing stuff like that.
So you're seeing these things just bypass these phishing detections altogether
and completely.
And even if they, you know, the victim forwards it off to their IR team and they log in,
they're like, oh, no, it looks like a legitimate thing, carry on, you know, and that kind of stuff.
So there's simple techniques, but really powerful.
So the detection system is trying to fingerprint the phish kit,
but the phish kit's actually fingerprinted the detection technique.
And it's like when it is coming through, it's like, no,
you're we know what you are like you go over here and like this is legit content like piss off yeah exactly
so you're like it's like oh this is not a human querying me return friendly page basically to go around
detection in that way um smart yeah so we're seeing that they're seeing that a lot more we're also seeing
um a lot of phishing just avoiding email altogether so people phishing people on you know LinkedIn Messenger
obviously SMS has been a channel that's been happening for quite a long time um
But yeah, you know, you can drop phishing links anywhere, not just.
DMs have been filling up with phishing links more and more and more, like over the years.
It's like I'm constantly getting flooded by stuff that's just not real.
Yeah, I actually saw a message, sorry, I'm just pulling it up out on my Slack.
I said it to Jordan this weekend, but the FBI had come out.
I don't know if you saw this saying essentially don't open any links in Gmail.
Apparently, there's tons of AI-powered phishing attacks attacking Gmail accounts
and essentially don't trust anything inside of your Gmail.
I'm not sure if you saw this link or this article.
That sounds like an internal security team's nightmare.
Like all employees ever are not clicking any links.
Totally.
But just like imagine how many Gmail users there are.
And if people have targeted Gmail as like the host to attack, then oh my God.
Yeah.
I feel like there isn't a platform where you can receive.
messages that isn't just inundated with those links. I think we've done a few episodes on
like people hacking games, people cheating in video games. And it sounds like if you are under 18
and in Discord, you are just the recipient of more phishing attacks than I can possibly imagine.
And it makes total sense. It's like, is it the most knowledgeable audience?
Thankfully, it's all to steal crypto. So as long as you stay out of crypto. Yeah, that's right.
Exactly. Yeah. And it's interesting you say that because we,
I don't want to get too far into the future here,
but hey, apparently we keep doing that to ourselves anyway,
so I want to do it again.
But one of the things we were thinking about, obviously,
is like OpenAI Operator got released the other day,
and we've seen this as agent runs inside your browser
that uses your browser for you.
The example they give is like,
hey, here's some food, log into Instacart,
and go and add all the ingredients and buy it for me just in one go.
Like really exciting,
but obviously our mind just went straight to,
ooh, how are attackers going to abuse this.
I'm not talking about weaponizing Operator itself because no doubt they build lots of safeguards in to stop things from happening.
But that broad technology and as you start to see open source versions of it and stuff like that don't have its guardrails,
you can kind of scale up those out of email type attacks quite a lot.
So imagine, for example, saying find the top 10,000 most popular subreddits,
get involved in the conversation and then drop a phishing link or like, I don't know,
connect on LinkedIn Messenger to everyone from this company, talk to them for a few messages
and then drop this phishing link and that kind of stuff. So I think those sorts of things.
Be really cordial. Yeah. I can see that. Yeah. Make friends with everyone.
I'm sure you could write a LinkedIn recruiter bot that just like was like,
hey, you know, we've got some jobs. It might be. And just flood people. And like the link would be a
phishing link and you'd get a boatload of clicks. Exactly. Or.
like come on come on to the Hacked podcast pretend to be CEO of security and then drop my phishing
link at the end of the end of you have the ability right now to pull off the greatest
prank ever yeah might cost you a lot but you could do it it's oh man so it sounds like it's
like we talked a little bit about discord and these other platforms which are basically just
skinned websites it sounds like this new era is taking
place inside of browsers. These vulnerabilities are taking place in browsers. People are using
these credentials and these identities entirely in browsers. Talk to me about the idea of the
browser as the attack surface that we're currently living in. Yeah. Yeah, no, definitely.
You know, full disclosure is this is obviously what we do in our product. But the reason I feel
okay talking about this is because, as I said before, we didn't sort of inherit a product. Like, I didn't just
get given it one day and then be told like, oh, how can you position this in the best way
possible that some people want to use it, right? It was much more we came at it from a problem
of, okay, identity attacks are becoming a problem. We sort of feel a duty to the industry to do
this because we've been on the front line sort of defending against these attacks for a long time.
What's the best way to solve this problem? And we tried all the ways. And what we landed on
through our R&D efforts over multiple of years is that it's got to be inside the browser.
And it makes a ton of sense, right? Because if you think all those sprawled identities that are out
across the internet, you know, you can't just vuln scan them.
You can't just enter your public IP address range.
You can't write a script that brute forces en masse permanently all your employee's credentials
hoping you get the username password combination right and reporting about what identities
exist.
So what do you do?
I mean, the thing that all cloud identities have in common is they traversed to the browser.
So we were like, well, this is a really effective, you know, enforcement point effectively
to draw telemetry from the browser
and you can start to see
employees
as they create and use identities
and then therefore you can map them all out
right so it was the obvious place
to think build a solution
also because what we were talking about
about the phishing attacks
as they start to move out to different channels
wherever you click a link
under any source like email
or anywhere else
you visit it
and at some point
even if it has all the bot protection in it
that we were talking about before,
at some point it initiates the payload,
the phish kit renders inside the browser,
and then you can block it, right?
And you can block it based upon the phish kit itself,
but you can also detect employee action.
So detect type events and determine before they press enter,
they just entered a critical password,
like their SSO password into it and stopped that from happening.
So for us, it was like,
it just made so much sense to go there.
and to enforce and solve this kind of problem inside the browser,
for us it's just a really, really powerful way to do this.
I think coupled with, as we were talking about before,
about architectural shifts,
like some companies we started,
if you look at Push,
we do 100% of the work in our browser.
I think the only desktop application I have is Zoom,
and it really frustrates me this is desktop application,
because why doesn't it run inside the browser?
but, you know, other than that, maybe Slack as well, optional desktop application,
everything's inside the browser.
And so moving into the browser and doing security,
in there seems to fit the way that companies are progressing as well.
So, yeah, that was why we decided to go there.
Yeah, it makes a lot of sense.
Lots of those apps, like Slack and Notion,
they're all written in something called Electron,
which is essentially just like an HTML CSS plugin for like Swift apps and stuff.
So they're actually all just web browsers.
It's the way, isn't it?
The way it's going.
Yeah, it's like when people deploy Chromebooks
is always the time when I,
that's when I really think about that, right?
Because that's like the purest version of what we're talking about here.
Like a thin client.
Yeah.
Yeah, because if you get a shell on a Chromebook,
it's read only, there's no files on it.
You can't really move laterally.
What you can do is talk back out to the internet.
So the whole attack vector is inside the browser.
Like, you know, that's very pure of this world
that we're talking about.
Anyway, diverse thing.
I think that's really relevant
because that,
like that,
that you can literally use a computer
that is a browser
and function in the modern world
tells you how much of the modern world
occurs entirely inside of a browser.
So I guess, I mean,
in simplest terms,
like what is it then that Push does?
Yeah, so Push,
we exist to stop identity attacks,
which is totally focused on that.
And so really,
anything to do with account takeover, which is your user account being compromised.
Now that could be phishing.
It could be identities being sprawled out across the internet and actually mapping out where
those are and locking them all down.
We even sort of determine, you can determine whether someone's using their password
manager and if they're actually clipboard pasting it all the time and which password manager
they're using or if they're syncing it back to their Chrome profiles, anything that
could result in a user's account being compromised is what we focus on.
I guess the technical version of it, if you like categories,
which we get forced into is ITDR, which is identity threat detection response.
I think that's a name that we try not to use categories.
We think about what problem do we solve and we go solve that problem.
But, you know, some people, it helps them categorize and think about where we sort of sit.
So you mentioned clipboarding passwords out of password managers and bringing them over to the browser.
Is that a vulnerability?
So, I mean, people copy and pasting it from, like, I mean, if you think about account takeover,
there's someone entering their credentials into a malicious phishing site, but you've also got to think about exposure.
So if someone's storing it in a place that's not good.
clear text stuck on a document somewhere, that's not ideal.
And so the reason that we can encourage people to use a password manager is effectively a vault
to safely store them.
So the reason we're detecting clipboard paste is because it's pretty obvious that someone's just
pulled it out of a document or off of a local notepad and then they're just pasting it straight.
Out of a Slack message.
Exactly.
Yeah, or out of a Slack message, yeah, exactly.
So we obviously only have the context at the point they entered the browser.
I can't tell at this stage
where it's being clipboard pasted from, but it is just good intel to be like, wow, there's a critical
account, you know, like an AWS admin account and someone's clipboard pasting it in regularly,
probably should go and have a word with that person and see how they're handling passwords.
The other thing, too, is like the clipboard is account accessible.
So like anywhere inside of the account, it's like a universal memory register.
So it's like, it's not secured.
So if there's a password sitting in there, any of the applications running technically have access to it.
so if you were copying and pasting passwords through your clipboard
you're kind of sharing it to every other piece of code on your user account
so there is technically a vulnerability there but you'd be hard pressed to find
somebody smart enough to write a way to exploit it well maybe we have him here
it's funny talking about clipboard paste this is a complete tangent but you just
made me think about it before you're saying as we did you see um I can send you
a link after you to see it.
But there's a,
there was a phishing attack
that got shared around
a couple of months ago.
It was really bizarre,
but really,
you have to give them
top marks for creativity.
And basically what happened
was it was like a phishing link
to a GitHub page
or what looked like a GitHub page.
But when you landed on the page,
it popped up with a reCAPTCHA prompt.
But the reCAPTCHA prompt
was written in JavaScript.
And it said,
it said press, like,
these different combinations.
You had to go,
Command C,
yeah, command C,
command R and then control V enter
and it popped up and said thank you you've done
reCAPTCHA and let you in but what it done is when you visited
the site injected PowerShell into your clipboard
so when you then control C you pulled it out onto the clipboard
control R right exactly then you run it locally
I don't like I mean it's like someone probably
probably fell for that and they've never told anyone
because it's such an unfortunate thing to fall for
but I was just like yeah but I just thought for creativity I was like
can't hats off, like trying, you know.
Yeah.
But see, like, that's even, that's a good thing.
Like, so the JavaScript itself wrote to the, to the clipboard.
So JavaScript can probably read from the clipboard.
So if you've got passwords hanging on your clipboard, websites can read them too, I would assume.
Yeah, I don't actually know with that.
I know there are clever models built into the browser.
I need to look into, I would hope that there are protections for pulling them back out in the other direction.
I think it might be read only and pushing one direction, but.
I might be wrong about that.
I don't know.
I was reading about a 2023 study.
I have it in my notes here because I want to talk about it on the show at some point,
but it was a 2023 study that described CAPTCHAs as tracking cookie farm for profit masquerading
as a security service.
And it was saying that the success rate of bots currently is higher than the success rate
of humans, which means they're ineffective.
It's a, I think it was 819 million hours of human time lost, clicking on
just traffic lights and it has generated $1 trillion for Google.
I feel a backlash growing.
Last time we were talking, you were talking about something called cross IDP impersonation,
just to start with defining what IDP is and then what does that impersonation mean?
So yeah, cross IDP impersonation was a very recent bit of research that we did.
Actually our VP of R&D, Luke Jennings did.
And this was really interesting because it shows,
the complexity of the identity attack surface.
It's not just as simple as sprawled identities and you logging into them.
So IDP is a short-hand for an identity provider.
So really you're talking about SSO.
So Microsoft 365, Okta, Google Workspace, any of those.
Now, the idea is that ideally you'd have your SSO provider
with your one-user account per employee.
and then when you log into that SSO provider, you'd have MFA and you'd have YubiKeys,
you'd have phishing-resistant MFA and all those things.
So you have a really hardened identity.
When the employee logs in, you get presented with a tile and you click on one of those tiles
and it logs you into the downstream SaaS application, right?
That's how everything should be set up.
So Luke looked at this and kind of went, well, if you were trying to target someone who had
really, really hardened SSO accounts, what would you do?
and what he determined is rather than going after the IDP directly,
it was actually the SaaS applications behind with the target.
So what he figured out was you could just ignore the company IDP altogether,
set up your own one and create an account, which is the target company.
So let's say you were trying to target Acme.com.
You set up a new IDP with an account for, you know, Sarah Acme.com,
and you can just log directly into the SaaS applications behind the IDP,
they just let you in, right?
So basically they don't check which IDP it came from,
which is wild that that's actually the case.
There's some nuance to it and there's some complexity,
which we can get into.
But the top level is that,
is that you can, you know,
the SaaS applications behind don't effectively check which IDP it came from
and they'll let you authenticate.
So it sounds like the red teamer never leaves,
never leaves you once you leave the red team.
Yeah, that's true.
It's like, it's like, it's a,
So it's like you kind of created your own exploit here to solve it and protect for it in your solution now.
It's kind of what it sounds like.
Is that true?
Yeah.
Well, interestingly, the way that we discovered this vulnerability wasn't from an offensive security mindset.
We actually saw in our data that legitimate employees were doing this.
So what I mean is like there was a company who had Microsoft 365 as their primary IDP,
logging into downstream SaaS applications
and they came back to us and said,
hey, there's always Google logins
into these different SaaS apps
and I can't understand why because we don't use Google.
So we started looking into the information
and we said, oh wow,
you know, employees, what they're doing is
going to the SaaS application
and they're presented with like a login with Google button.
Of course.
And so they're just clicking on that
and then creating a personal Google account
but under the company domain,
like under Acme.com,
and then just logging in.
because it's easier. And then that's the workflow they're used to. So there's hundreds of people
just logging in directly to these downstream SaaS applications just log in with Google when
they should have been going through Microsoft 365. So you've now got two login methods to the same
SaaS application. But obviously the second one's got no MFA on it and that's it. So we saw this
data and it's like, this is crazy. Actually, we could probably use this for malicious purposes.
What if I went to create account on Google and just logged into the SaaS application? Oh, look,
it works. That's kind of how the whole thing came about.
So yeah. So that's just purely an issue with those login. Like that's purely with the
SaaS companies. Yeah, exactly. There's nothing to do with the IDP. And it makes sense, right? If you,
if you take a SaaS application, you want to sign up to they give multiple login methods. So you can
pick and you can say log in Microsoft, log in Google, log in with like Apple, you can do whichever
one you want. And if you go and set up a, you know, SSO to log into those, that's, that's great.
but it doesn't necessarily disable all the other login methods
and the things that you can get to, right?
So now there is some nuances.
Like I'm trying to give you the top level
so you can understand like how this works.
The nuance with this is that let's say, for example,
I was going to break into this Acme.com company.
I go to Microsoft 365.
I try to break and I go, wow, this is really locked down IDP.
Then I go off and create, I don't know, Apple,
Apple's got its own SSO provider.
So I create Acme.com on that.
now yeah exactly and so the thing is you in order to create an account under acme.com it will
you need to verify that account so it will send a verification email back to the victim and they
need to click on the link so you have to overcome that hurdle but the thing is is getting someone to do
that is way easier than doing a traditional phishing account right so the example that he gives in the
blog post is you send an email to someone and say, you know, hey, you know, hey John, whatever,
here it is. I'm from the IT team. We're trialing company iPhones. Would you like to be part
of the test crew? Oh, yeah, I'd love to. Thanks. That'd be great. Great. I'm going to send you a
verification link to verify. Here it comes. They click on the link. Yeah, because they're not entering
credentials. They're not being asked to give a sense of influence. Just click on a link. It's not a big
ask for people. You only have to do that once. So now once I've got that, I can just log into
every SaaS application downstream and actually get to this. So it's just an interesting,
it shows the complexity. Now the way you'd solve this problem is down to the SaaS vendors,
like the best in class SaaS vendors, when you log into the settings, you can actually
choose which login methods it will allow and you can disable everything but the one you want
for the company. But unfortunately, that's in the minority. And more people should do that to
protect against this. So the action that people can take today to solve that is actually to go
and pre-register the accounts. So go off and create, you know, an Apple one and a Google one.
And lock them out. And create them. Yeah, to actually claim them. And then people come and say,
hey, there's already something under the domain. We have seen people writing email detection rules
to say, like, if they get verification email from an IDP that's not the known company one,
you can do that as well. Yeah. So that's the way you have to deal with this. Because it's just a
fundamental problem in the way SaaS applications and you're not going to get all, you know,
hundreds of them all to get on board to solve this. So that's how you'd take it into your own hands.
Hmm. So the, uh, so you guys started push because you saw the attack surface changing.
Do you see any changes coming now? Are you guys making any adaptations that you can talk about?
Or are you guys looking at other fields where you think that the industry is going to go? Or is that
something that's kind of you're holding your cards close to chest now that you're a company that
will probably get bought or go public at some point.
Yeah, I'm happy to talk about it.
I think the things, at the moment,
the human identity problem is such a big problem,
and phishing continues to be a huge problem.
Now with evolutions of phishing and everything else,
it's becoming an even bigger problem.
So right now there's more than enough to keep us busy
just building better and better and better versions and better and better controls around
some of those problems.
And we're really, really focused just on that because we're meeting the market where they
are now, the pain points that they're seeing today.
But you always have to keep one eye on where things are going to go next.
And so obviously we spoke a lot about these computer using agents technologies, you know,
like OpenAI Operator.
And if they start to scale up, what will happen?
We're already focused in that area, like stopping phishing directly in the browser and just
keeping an eye on that because we might see those things scale up.
But ultimately, even though we're building into the browser, we don't orbit around browser.
Like we're not a browser security platform.
We're an identity security platform.
So really we'll go wherever identity goes.
So we're pulling it from the browser now because it's an incredibly valuable telemetry source.
But, you know, that isn't the thing that restricts us.
We'll take identities from mobile and from endpoints and from AWS and other places as well.
So I think it's mainly going to be about going deeper and deeper and solving the current problems
in a much better way than anyone else using our Red Team experience and then going broader
across more and more platforms.
We get wider telemetry and we can solve the problems, you know, a bigger scale.
This is, there's a good chance I'll just chop this out, but I'm curious because you brought up
operator. I feel like every time I hear people talking about agents and operators in the security
space, it's on the offensive side. It's the, it's the sort of like fantasy of being like,
go get their credentials, phish this person, blah, blah, blah, blah. The thing that I keep wondering
about is on the victim side, the idea that it could be a vulnerability, where I tell some
agentic program to like, go respond to my work emails, go do this, go do this. And it just sort of
inadvertently like, oh, I need to validate this Apple credential login.
Like, could those operators and those platforms function as a vulnerability in themselves?
Well, I have, so I haven't done, oh, caveat, and we haven't done any research on this.
So this is just me thinking off the top of my mind.
But I have been thinking about what happens where, like, at the moment, the thing you're
trying to do with an attack is to, is to trick an employee to perform some action like,
enter their credentials into a phishing site.
And if an agent is effectively acting on the person's behalf,
like,
is it possible for you to trick an agent to enter the employee's credentials
into a phishing site,
if you see what I mean.
Like,
and that feels like how that actually works,
depends is it like,
you know,
cross-site scripting.
It's like where you can inject stuff into an existing website.
Can you do that to sort of do prompt injection and get it to,
I don't know.
This is not an area that we've researched into.
And I think it's such,
early technology at this stage.
It's hard to know where that's going to go.
But I do think like any time there's a technology shift,
it changes the types of attacks that are possible.
So it's something to keep an eye on for sure.
Yeah, there's been so much research into social engineering
and changing, you know, exploiting of human behaviors.
You know, what is the shift into essentially controlling and, I don't know,
manipulating robots into doing our bidding.
Yeah, exactly.
I think it's good for a defensive perspective as well, right?
Because you can have like a security trained agent
which will look and go, hey, this looks suspicious.
We're doing research into that kind of thing as well at the moment.
So actually looking at the page and understanding the visual processing,
like is this page trying to look like a Microsoft login
and then taking other context of, you know,
what's happening in the actual page itself
and how the user's interacting with it and passing that through.
So I think like AI scales up.
on the offensive side, but it also scales up on the defensive side in parallel.
Just hopefully the defensive side wins. It scales up more.
Hopefully the defensive side wins.
Yeah.
Write that on the wall.
Get the t-shirt, yeah.
Yeah, get that t-shirt, get that merch going.
Appreciate you taking the time to sit down and talk with us.
Yeah, thanks for coming on.
Maybe I'll end with this. Let's end at the beginning.
It's way back when you're in that, that,
role as a red teamer playing the part of this advanced actor in these simulations.
We do a call-in show called Hotline Hacked where people share their fascinating tech stories.
What's the craziest war story you can responsibly share with us here to close it out?
Good question.
Do you know what?
I'll actually share, because I think this is amusing and it's a bit more relatable,
I'll actually share one of my colleagues' stories instead.
So my colleague, one of the parts of the offensive security side we did was social engineering.
So it wasn't all technical.
It was also to do with sort of breaking into buildings and trying to trick people.
Now, my colleague who got, he, my team he had, he's really, really good at social engineering.
He's just a really likable guy, everyone trusted.
Yeah, yeah, you see the program Traitors.
Like, he would win straight down because everyone just trusted him immediately.
And he did multiple engagements like this, and it was kind of normal office blocks.
But there was one time when he came up against a very well-secured facility with gates and guards.
It was like, well, okay, this is the biggest challenge yet.
So he went off.
He set up his own website, his own business card.
He turned up with a clipboard and spoke to the guard.
And then they rang into the reception.
Hey, there's a health inspector here.
Were you expecting this?
It's like, well, of course they're not expecting me.
I'm a health inspector.
And they were like, okay, send him in, send him in.
So he's sent in, he checks into security,
they phone back again to the chef, like, hey, we've got the security guard.
You can imagine you there quickly scrapping away all the pots and pans and on he goes.
So anyway, he goes into the room and he doesn't know how to do a health inspection.
He's got no idea.
So he's like walking around, like, wobbling the shelves and like checking stuff and everything else.
And he goes around, yeah, he does this whole health inspection.
He's all in a building.
And the chef says to him, okay, well, like, how do we do?
Like, am I okay?
Like, I've got this whole thing passed.
Sorry, man.
I mean, I have to go back to the office,
and it takes me about a week to process,
and I can let you know.
He's like, well, I mean, if you give me access to a computer,
I can probably do it now, if you like.
And I'll go, yeah, yeah, sure.
So he logs him on.
Do you want some dinner?
It's like, oh, that'd be great.
So he's sitting there on this computer,
hacking the network, eating food.
Prepared by it.
Yeah, takes full control of the network and writes it back.
And it was all done in good faith.
Like, whenever we do these engagements, we make it really clear to the team that, you know,
people are going to get tricked and it's not their fault.
And like, you know, it's just we're pros at this and we've done this a lot.
You're always going to get people.
We make sure that those individuals aren't victims from this.
But it's a good learning exercise because by experiencing that, it just heightened a level of awareness.
But it was a really fun engagement and it made a really, really good story
when he sort of came back to the office and anonymized it and spoke about it.
So, yeah, I thought it would be a good one, sure.
That's a good one.
That is a good. I love that they fed them. That's the, that's the icing on the cake. Yeah,
free food. Yeah, exactly. There's no way I could get into this network and linguine.
Yeah, what was the bonus points on the contract for getting fed by the team? It's like,
not only did we acquire like all of the mission goals, but also like you fed us and like somebody
gave me a car. Like that's a point. Yeah, exactly. I never actually read the report at the end,
but I don't know whether there's like a picture of the food that you call.
By the way, thank you for the meal.
Yeah, totally.
That's good.
Adam, thank you for sitting down with us.
This was a lot of fun.
Yeah, thanks for coming on.
Yeah, thanks for having me.
It's great.
A lot of fun.
