Coffee with CISOs: Blackhat AMA ft. Hector Monsegur Follow-Up Interview

Formerly known as his online alias “Sabu”, Hector Monsegur was a highly controversial blackhat hacker for the Anonymous/LulzSec hacker groups. Today, Hector Monsegur works as a Security Researcher where he helps businesses find vulnerabilities within their cybersecurity infrastructure.

In our latest Coffee with CISOs episode, Hector Monsegur joined Don Cox, Chief Technology Evangelist at CIBR Warriors, in answering your questions on cybersecurity and protection. Due to the overwhelming response we received, Hector was unable to address every single question, but in this follow-up interview he answers additional questions that went unanswered during the event. 

Q: Why do you believe there is such a slow shift towards asset management when there have been multiple breaches in recent years, including the huge Equifax breach, that can somewhat be attributed to a lack of a comprehensive asset inventory?

As far as I can remember, asset management has been complicated for organizations to get behind. Even with great tools available like osquery, which provides you host-based data you can then plug into all sorts of platforms, there seems to be hesitation on how to execute. I think the issue for organizations is that it seems like an expensive endeavor, with a fear that the tech and human cost may be more of a dynamic expense rather than a static one. Implementation is also another issue as you have various tools doing different things and some organizations do not have a central platform for aggregating all of the data necessary for it to be useful. It is in my opinion that asset management is one of the most important investments an organization can make to ensure they’re ahead of potential problems hiding around the corner. 

Q: Grades may help with vendor management, but assessing their security is complicated. For example, look at just the CAIQ. Is a grade really feasible to understand a company’s security track record and assess the risk?

It can be, and there are organizations working extremely hard to reach a point where their grading or scoring systems truly means something. It is important to note that putting together a secure environment involves taking all of the tools that are available to you, including scoring or grading scales, and plugging it into an overall picture. Context is everything when you’re trying to figure out where you stand in terms of a general security posture. I think risk assessments play an important part of the overall process and should be included as the process.

Q: How do you view the efficacy of intrusion detection honeypots?

My personal take is that honeypots serve a purpose, just like every other tool in your arsenal. Depending on how you implement and connect them to your overall toolkit, they can become extremely useful and passive, or noisy and costly. There is no science to it and no real way to gauge how beneficial it will be to your organization at the end of the day because it is meant to be a tool that sits quietly in the corner until it is probed, explored, or compromised. The use of honeytokens I think is fantastic, and I’ve seen many vendors produce amazing results, which makes it yet another solid tool to add to your toolkit. 

Q: How would you suggest quantification of risk from the perspective of the attacker? Would Factor Analysis of Information Risk be a good example from that point of view?

This is actually a very good question and I believe that the leadership of an organization would need to sit down and consider the risks of compromise. Aside from using open source or proprietary risk assessment questionnaires or tools, sometimes asking the question “Well, what is the worst-case scenario if X happens” goes a long way. This question becomes more useful especially when you bring in leadership from other departments, (IT, Dev, Engineering, Sales, etc). The fun part about these conversations is that it may lead you down a rabbit hole of ideas and lead to the discovery of issues that have sat dormant out in the open. Another idea would be to build a risk assessment questionnaire and have every person involved in decision-making and execution answer the same questions. Polling those results and coming up with a consensus that can be discussed with your team will likely lead you to build a solid roadmap. 

Q: Can artificial intelligence and machine learning be an alternative solution to organization’s cybersecurity instead of the human factor?

There are a lot of researchers and vendors working on solutions to answer this question. I have seen clients implement automated and scheduled internal scanning tasks that will periodically or constantly scan their own environment for changes. In fact, you could do this with Nessus or Rapid7’s solutions going back quite some time. The problem you face is what do you do with the results when you get them? How are they triaged? Is there someone responsible or in charge of making sure that any new issues are validated and prioritized for resolution? 

I think that there may be fantastic advances in this field, but to completely eliminate the human element from this process is something we may not be prepared for. Someone needs to monitor the scanning engines to confirm they’re working properly, and there needs to be eyes to look over the results to handle the output. AI solutions will be an addition to your security program, not a replacement.

Q: Where should we look to hire skilled people for posts? Open positions go unfilled as we don’t have programmers applying.

This is a great conundrum that many organizations face, including my own. It is costly in both time and money to find the ‘right’ fit for open positions, and in many cases what you end up with is not what you were expecting. I personally have opted to do in-house training, taking people who understand the core fundamentals of what it is that I need them to know and hyper focusing on the skills I’d like them to have. Case in point, I’m creating training modules to shape actual pentesters out of individuals who are coming out of security programs with at least a basic understanding of networking, security vulnerabilities, and systems administration. I’m looking for individuals who are hungry to learn, are great communicators and simply understand what it is that we are trying to do as pentesters and red teamers. By training them on our methodology, tools, and procedures, we end up with employees who are capable of exactly what it is we’re looking for at a slight investment. 

I understand that my process probably does not work for all organizations, but it is something to consider. The reality of the situation is that the future for any organization will be to either partner with a training-forward staffing agency or in-house training by senior practitioners. 

Q: What are Hector Monsegur’s thoughts on certifications in CyberSec. Does he recommend any (CEH, RCCE, SANS, OSCP)?

In the grand scheme of things, certificates are not a requirement for most situations. Most organizations will work with you if you have the right skillset. I do recommend training and certificate programs that are specific to an area you’re interested in. For example, if you’re focused on penetration testing and want to get your foot in the door of a pentesting firm — the OSCP is a solid direction. If you’re focused on security management then the CISSP and related certificates are a good learning experience. Find out exactly what it is you want to do and find the certificates that are specific to it. Any certificate process that contains actual education and labs, documentation and reporting are all good in my book. Avoid certificates that are only questionnaires if you want to save some money. 

Do you want to learn more about cybersecurity? Please subscribe to our newsletter.