InSecurity Podcast: The Thin Red Line – Lifting the Veil on Penetration Testing

Bank employee: “So, people hire you to break into their places… to make sure no one can break into their places?”

Colin Bishop: “It’s a living.”

Bank employee: “Not a very good one…”

~ Sneakers, 1992, Phil Alden Robinson

This episode of the InSecurity Podcast introduces the latest report from the BlackBerry Cylance Threat Intelligence team, Thin Red Line - Penetration Testing Practices Examined.

The report is meant to catalyze a broader conversation by lifting the veil on a range of penetration testing practices, byproducts, and after-effects about which clients and the general public may be unaware.

As the pentesting industry has evolved and expanded, the line distinguishing red teaming exercises (a military term that for many has come to be associated with services that include pentesting) from actual threat actor behavior has thinned, and in some cases blurred entirely. In this podcast, the members of the BlackBerry Cylance Threat Intelligence and Professional Services teams examine the pentesting side of that thin red line.

The study sheds light on a discipline where a lack of universally accepted standards allows a range of common practices that may be inadvertently introducing a host of hidden risks that could adversely impact the very things pentesting was intended to protect, including client privacy and security. Such practices consequently raise critical questions about one of the fundamental paradigms of the security industry.

This week Matt Stephenson speaks with Red Teamer Matt Maley and Threat Intelligence Researchers Jon Gross and Kevin Livelli about some startling activities in the world of penetration testing that diverge from best practices. We dive into the curious case of the Poseidon saga and bicker about the blurred line between pentesting and outright criminal behaviour.

About Matt Maley

Matt Maley (@mjmaley) is a self-described technology nerd who has spent his career building teams and offering an attacker's viewpoint to commercial and public organizations of all shapes and sizes.

Maley has spent time engineering security solutions, slogging through networks, picking apart applications, and currently leads the Red Team practice within the Professional Services team at BlackBerry Cylance where he manages the technical development and delivery of offensive security services with a focus on applying an adversarial perspective to new and emerging technologies. Maley was previously a lead at ATD, Director at Gotham Digital Science, and a BlackHat trainer who holds a B.S. degree from Penn State University and OSCP certification. 

About Kevin Livelli

Kevin Livelli (@KevinLivelli) is Director of Threat Intelligence at BlackBerry Cylance, where he conducts long-term, complex investigations with the Research and Intelligence team.

His work there follows ten years at 60 Minutes, where his investigative reporting and analysis were recognized with several Peabody and Emmy awards.

Before that, Livelli supervised investigations at the nation’s largest independent police oversight agency. A graduate of Dartmouth, he earned master's degrees from Trinity College Dublin and Columbia University. 

About Jon Gross

Jon Gross was previously Director of Threat Intelligence at Cylance. He is currently in stealth mode and difficult to find.

Other than that, he doesn’t tell us much. This is the only known photo of Gross.

About Matt Stephenson

InSecurity Podcast host Matt Stephenson (@packmatt73) leads the Security Technology team at BlackBerry, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity Podcast and host of CylanceTV.

Twenty years of work with the world’s largest security, storage, and recovery companies has introduced Matt to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come before.