WE'RE IN!

Jennifer Villarreal on how she upped her hacking game

Episode Summary

Jen, a former military professional turned hacker, shares her journey into cybersecurity and her experiences with the Synack Red Team in the latest episode of WE’RE IN! She transitioned from fixing security issues to actively seeking vulnerabilities, inspired by her brother and motivated by her experiences at the storied hacker conference, DEF CON. Jen emphasizes the importance of skill development and preparation for women entering the male-dominated cybersecurity field, and discusses her preferred hacking tools and techniques.

Episode Notes

In this episode of WE’RE IN!, Jennifer gives her take on AI in penetration testing, suggesting it should be used as a tool for initial reconnaissance but not for exploiting vulnerabilities. 

Episode Transcription

[00:00:00] Blake: Thank you so much for joining me on the podcast, Jen. It's great to have you here. So, tell me a little bit about how you got into hacking. What was your first introduction to the Synack Red Team?

[00:00:10] Jen: I was actually in the military. My job in the military was to deploy a secure tactical SCIF, and I had about three hours to do that. I would be in charge of encrypting the network, so ordering the Ku-band links, the COMSEC stuff, basically being an ISP for the military in deployment zones. I didn't deal with help desk or actual computer stuff. But during a pre-deployment exercise, we had these really cool cyber guys come in. They were like, yeah, we've wrecked your guys' stuff. You guys aren't ready or secure for this deployment. And I just thought, well, I don't want to be the one who fixes all this.

[00:00:53] I want to be the one that does that sort of thing. And at the time I was working at Raytheon. I worked on supporting defense systems, so like radars, things like that. And my brother was on Synack's Red Team. I really wanted to get into security stuff. He's actually an Army veteran as well. He worked in a different field. He did intelligence.

[00:01:17] Blake: And you were Army National Guard, if I'm not mistaken, right?

[00:01:20] Jen: Yeah, I deployed with active duty twice. So it was basically my whole... Um, yeah, so my brother at the time was working for MITRE, which comes up with all these best practices for cybersecurity, etc. They...

[00:01:37] Blake: The ATT&CK framework we all...

[00:01:38] Jen: Yeah, yeah, MITRE ATT&CK.

[00:01:39] I was working at Raytheon and I was like, huh, John, my brother, is doing this hacking thing on the side. He's getting paid for it. I was told while I was on this pre-deployment thing that now I've got to figure out how to fix all this stuff, and I just don't want to do that. I don't want to fix anything.

[00:01:58] There has to be a way for me to start getting into this. So he told me, you know, start studying Burp Suite, start doing all these sorts of things, online free resources that I could utilize to study on my own. I did that. I started enjoying it a lot, really spending basically all my free time on PortSwigger, Hack The Box, other things like that. And they had a security team at Raytheon, and I asked if, you know, they were going to DEF CON. And they were like, yeah, we're going to go.

[00:02:29] So I was like, hey, um, I had volunteered to do a technical demo. So the first box I hacked on Hack The Box was Jerry, which was like an old Apache web server that they had. So I did a live demo of that. Their attitude was like, oh, she thinks she's a hacker, blah, blah, blah.

[00:02:49] And I'm like, no, I'm just trying to learn and share stuff, you know? So we get to DEF CON, my first DEF CON ever. My brother is going with his group. I'm going with Raytheon. We had a group chat. They kind of didn't really invite me to breakfast and stuff like that. It was kind of like, hmm, I feel really out of place here.

[00:03:10] And I was standing in line and I saw one of the other engineers there. And I said hello to the person. And I was right next to my brother; the person asked me if he knew me. And I was like, whoa, yeah. And my brother's like, you know what? You're here with them. They paid for your ticket, but they're not acknowledging you.

[00:03:28] The group that I'm with, Synack, they're having a party for veterans, and they want you to go tonight. So I went, met a bunch of different people, important people, great people, other hackers, asked them about what they enjoy about it, what their day-to-day looks like, trying to get more info, because you don't run into people who do this full time, ever.

[00:03:48] So it's really hard to assess if that's something you really want to do. It's hard to get that information. It's rare, unless you're at DEF CON; there, they're everywhere. Everybody was so casual and welcoming, respectful, and just having a lot of fun. And it just seemed like a family dynamic. They were teaching each other things, talking about new exploits.

[00:04:10] Blake: That's great that you kind of found your footing after what sounds like a pretty rocky start. But I imagine it has to be a little tough, especially before you have all the expertise amassed and all the Hack The Boxes completed and whatnot. And already the cybersecurity industry is known to be kind of a male-dominated industry.

[00:04:27] And do you have any advice for other women who are making their way in the hacker community?

[00:04:32] Jen: I think that it's best to just go in prepared, knowing that... So, like, in this case, I was not on the Synack Red Team at that point. I knew that I had to up my game, but being around that group inspired me and motivated me to practice, to train, to learn more and prove that I have the skill set. So I think with any technical field, you need to walk in there selling your skill set, and that's going to be the main focus.

[00:04:59] Blake: And you mentioned some of your work for the Army. There's obviously a well-known pipeline from the armed forces to cyber. As you mentioned, it sounds like your brother followed the same path in a way, but how did your military service prepare you for taking on this kind of adversarial mindset?

[00:05:16] Jen: I think it was them handing me a bunch of stuff to fix that I decided, no, I don't really want to do this. And when I did talk to the cyber team who pentested my network, they were just like, yeah, you gotta go get a degree in cybersecurity. You got to go do this. And I thought, well, I don't want to. Also, I just don't want to get a degree either. And I didn't want to fix all of the patches and everything that would have prevented those vulnerabilities from being exploited, but they didn't really prepare me.

[00:05:46] Blake: Right, right, right. And you alluded also to some of the tools that you've been using and some of the must-have tools. I think Burp Suite certainly is one. What else is in your arsenal?

[00:05:57] Jen: I also, for API tests, I like to use Postman. I really enjoy that. You can actually get that to proxy through Burp as well. So you can use both of those when you're testing APIs. Nuclei is a good one, but it has sort of a bad rep because a lot of people just run it with its default configs. So they're not very careful. They can break things. They can interact with services that they didn't mean to.

[00:06:26] Blake: And what is Nuclei? What does Nuclei do exactly?

[00:06:29] Jen: Nuclei is basically, I don't want to compare it to Nessus, but it has a bunch of different YAML files that it reads to validate that a vulnerability exists. To say, like, oh, this is actually a valid vulnerability on whatever target list you gave it.

[00:06:47] Blake: That makes sense. Yeah. As a non-technical podcast interviewer here, I'm not familiar with all the niceties of these tools, but I guess they can all be leveraged to really find some pretty intense vulnerabilities. Are there any kind of TTPs or vulnerabilities that you tend to specialize in?

[00:07:07] Jen: When I was more focused on web app testing, I really liked messing with file uploads, to see if I could upload file formats that wouldn't normally be allowed to be uploaded.

[00:07:22] Blake: Hmm, I see how that would be a problem.

[00:07:25] Jen: Uploads. Yeah.

[00:07:26] Blake: Probably...

[00:07:28] Jen: Where you're only supposed to put an image. It could be bad.

[00:07:31] Blake: Yeah, I could see how that would be digested into the system and give you that little foothold that you might need. So I wanted to talk about connected devices, something, you know, that might hit close to home, literally, for listeners. Are there any flaws that you often find in home networks or consumer IoT?

[00:07:49] Is that something that you've looked into?

[00:07:51] Jen: Yeah, so there are a lot of things that are convenient, but it doesn't necessarily mean that they're secure. Let's just say, for example, the Belkin switch. People can actually monitor network traffic. They can interact with network traffic live, utilizing tools like Burp Suite, and modify requests being sent to these network devices that are attached to your internal or home network.

[00:08:19] It just poses a risk because these things are not tested before they're brought into your house. My fiancé and I, we both... Even though we know it might void a warranty, for a lot of devices that we bring into our home, like our robot vacuum, it has to be tested. Most of the things that we have here have to be tested. I would be wary. I would do research and see what the security stance is of the company that produces the hardware that you're bringing home.

[00:08:53] Blake: So, sounds like you share that perspective with your fiancé you mentioned, of wanting to be security-minded, constantly on alert for various things. I'm like, I don't think I've pen tested my robot vacuum upstairs, come to think of it. So maybe that's offering attackers a backdoor into my home network here.

[00:09:08] I don't know. Now, obviously the first part of a lot of engagements for this kind of work involves open source intelligence, figuring out what's out there. For those of us like me who might not have those technical chops or be curious about getting started, do you have any tips for the uninitiated? What should people be looking out for to hone their OSINT skills?

[00:09:31] Jen: There are many different tools or products that you can use. The first thing I like to do is look at people's social media footprint. There are some tools, I can't think of the name right away, because they're probably priced high, but if I wasn't using anything paid for, subscription-wise, there are ways that you can just manually check out people's Facebooks, their Instagrams, their OnlyFans, Snapchat, different things that are tied to their email, their phone number. You can find addresses online. I like to go on LinkedIn. It's one of the easiest things to do. And I scrape a bunch of employees based on a domain name. I'll also utilize, I think phonebook.cz is free, and you can get all their URLs, subdomains tied to their root domain, phone numbers, emails. And then what you do with all of that information once you have it is you run it through an email validation checker, to see what kind of email they're using. So if they're using Office 365, I would use o365spray to give me a valid list of users. Then the next step would be to go check out things for...

[00:10:51] For products that release breach data, data leaks, uh,

[00:10:55] I'm not sure. I use Dehashed, I use, um, there's a bunch of different data breach dumps that you can utilize.

[00:11:04] Blake: Have I Been Pwned? Is it, um,

[00:11:07] Jen: That one's a free one, I think. You can just check, but it's kind of hard because you've got to compare. Like, even with the paid ones, you don't know which one is the most accurate.

[00:11:18] Like, what is the latest password? Because if you use Have I Been Pwned or maybe another one, a couple of them will have breached credentials from, like, 2021 or something. You know what I mean? You want...

[00:11:32] Blake: Or even earlier, yeah. The Adobe breach I think still surfaces a lot, and that was like 2013 or something.

[00:11:38] Jen: Yeah. Um, and then you can begin, you know, password spraying. You can even, like, if you were being really bad, or if you were allowed to, spray people's Instagram, to log in as them. It depends. Obviously I don't do that unless I have a contract and stuff. And I get a lot of people saying, oh, you're a hacker.

[00:12:00] Can you get into my boyfriend's Instagram? I'm like, I cannot hack Instagram just because your account is on there. It belongs to them. So no. Yeah.

[00:12:12] Blake: ...to field those questions. That's like anybody who works in IT, and they become the default tech support for the whole extended family, right? It's like, you know, I'm sure you probably get a little bit of that as well, of just, oh, you're in cyber, can you help me with this TV remote?

[00:12:25] It doesn't seem to connect me to my, you know.

[00:12:28] Jen: ...visit my parents, it's something like that.

[00:12:31] Blake: Oh, no. Well, I know you said you got into this field because you didn't necessarily want to fix things. But the flip side of that question is, of course, for those of us who might be a little paranoid, looking over our shoulders, what are some easy tips that might make the lives of somebody in your shoes a little more difficult?

[00:12:50] Jen: Don't use your pets or, like, a mascot. So, like, don't post stuff on the internet that doesn't need to be posted. But once in a while, do an audit of who's following you, who you're following, who you're friends with. Make sure that there are no duplicates. Use a passphrase and not a password. Something really, really random and long. It could just be a sentence, you know. A passphrase is better than a password because even if we get your hash, it's going to be a lot harder to crack than something, you know, 10 characters. Close and lock your laptop, sign out of devices when you're done, on your browsers, close out things.

[00:13:28] Don't save passwords in, like, your notes on your iPhone, or write them down, things like that. It should be something long that's easy for you to remember and not stored anywhere.

[00:13:41] Blake: Easier said than done for a lot of users, but all good advice for sure. Now, on the organizational level, I'd be curious to hear what you think companies struggle with when it comes to implementing a robust security program, or particularly a security testing program. Like, how do you scope things that you even want folks like you to go poke and prod at?

[00:14:01] Jen: Well, it depends on what they're looking for, right? So if they just want their external footprint done, there's a method and a process for that. Same with their internal Active Directory networks. Same with their internal web applications or their external web applications, their wireless networks as well.

[00:14:20] And then also physical penetration testing, like on-site stuff. So it depends on what they want to get tested. Um, a lot of times they don't know to test things. We're kind of spoon-feeding, um, suggestions. For my job at CDW, a thing that I see often is repeat customers, but they're not expanding their security testing.

[00:14:46] So for instance, they're always only doing an external, or they're always just doing an external and internal. They get to a point where we outbrief them on things that we got DA on, right, and, like, the whole path to compromise. They fix it. We test them again next year. Now they're pretty dang secure, but they don't have the funding to pay for a red team assessment. So it's usually a funding issue.

[00:15:12] Blake: Right, because the red teaming then would take you to that next level of showing how far you can go and really putting the security, the holistic security program, to the test in a more hands-on way. So tell me a little bit more about the work that you do with CDW then. It sounds like some of the similar skill sets that you apply in your work for the Synack Red Team.

[00:15:34] Jen: Yeah. So for Synack, I do, um, like special side stuff. And then also, I mean, the main thing or bread and butter is web application testing and API testing. For CDW, I do internal penetration testing, external penetration testing, wireless penetration testing. I do phishing and I just started learning more about vishing.

[00:15:58] Blake: Vishing. That's an interesting one. That's like voice phishing, right? What is it? It's...

[00:16:03] Jen: Yeah. So you're basically calling somebody or calling a list, a target list, to see if you can exfil some kind of data. Maybe you're pretending to be the CEO of a company. And at our job, we've actually, there's some of our team who are so good at it that they're able to do, like, deepfakes of CEOs' voices and make something sound very urgent.

[00:16:28] But if you weren't doing that, you could also just pretend to be IT and say, hey, I just needed to validate your credentials or something. You're just trying to get information from people on the phone.

[00:16:39] Blake: I've seen those types of real-world scams actually starting to crop up. I feel like for so long that was in the realm of sci-fi, right? Of like deepfake audio combined with the call. You're like, is that really going to happen? But no, attackers are siphoning off hundreds of thousands of dollars pretending to be the CEO.

[00:16:58] It's kind of like business email compromise, right? It's so successful and it's where the money's at. So people are going to do it. Scary stuff indeed.

[00:17:06] Jen: Yeah. I always tell people, when you answer the phone and they ask, is this so-and-so speaking, you don't say yes, never say yes. Because we know what to do with those sorts of things, right? It's consent in somebody else's voice.

[00:17:22] Blake: Yeah, I mean, it's hard to keep your guard up all the time though, right? And you gotta cut yourself some slack in those moments. I think we've all been multitasking and bamboozled by some little blip that catches us at the wrong moment, right? And I guess attackers are always knocking on the door to try to find that moment.

[00:17:44] Now you were recently [inducted into] the Synack Red Team's Circle of Trust. If America runs on Dunkin', you know, the pen testing industry runs on trust, right? You don't let outside or third-party or even internal pen testers sometimes, you know, do the work that you do without some level of trust. What does it take for organizations to actually establish that? And how have you built that trust?

[00:18:08] Jen: I mean, I've been on the platform for about four years now. And while there are many SRT, I think that producing high-quality work in reports is what gets you that sort of trust, right? And even doing things just to help a little, just from the goodness of your heart, can gain the trust of people.

[00:18:31] Blake: What would that be in the context of the Synack Red Team? Like, I believe you participate in something called the Artemis program, for example. Is that right?

[00:18:41] Jen: Yeah, that's a, um, I want to call it, it's like a minorities group. But I do a lot of things for Synack just to give back, because I've been very lucky on the platform. I've made a lot of friendships. I've learned a lot. Customer-wise, producing quality reports. I've only had one report kicked back to me. So I think that quality, and participating in other groups just out of the kindness of your heart, going above and beyond, gains trust.

[00:19:12] Blake: Yeah, no, and you got it. The Artemis Red Team was established to support women in the SRT, and non-binary individuals and gender minorities. So that's kind of the backstory for it. And we kind of alluded to some of that earlier in our conversation, of getting a foot in the door of cyber and then, once they're in, getting that support as needed, right.

[00:19:38] And I did want to mention AI. Of course, it's a buzzword, can't not mention AI these days, taking the tech world by storm. Do you see a lot of AI in your work? Do you incorporate it? I've heard mixed, honestly, of how AI could make an impact on hacking.

[00:19:56] Jen: So for AI, I think that if it's utilized as a tool or as an aid for pen testing or enumeration, then that's fine. Gathering all that information that you would gather in your initial reconnaissance portion, but not the actual validation of vulnerabilities.

[00:20:19] I do not think that AI should be exploiting things. To me, it's dangerous. I don't think that it has the capability to think like a real-world adversary, right? Because, while we're the good people hacking to find flaws and help people make their security posture better, real-world attackers are doing it because they need money.

[00:20:45] They're emotionally driven and they've got no values, no morals, only bad incentives. AI doesn't really have feelings; it doesn't have the emotion to drive, to feed into that. It just can't think like a real person with incentive to go do something bad. So from that perspective, and then also a technical perspective, I don't think it should be used to exploit things, but just serve as an aid for initial reconnaissance.

[00:21:14] Blake: I hear you. And that resonates with me. I mean, even if you take it at face value that AI is somehow neutral, which I think a lot of people would take issue with, even seeing some of what the powerful algorithms are spitting out nowadays. Do you still want somebody pen testing your networks who's just neutral, you know?

[00:21:34] Like, do you want somebody who's actually trusted and has that capability and that desire to go in? I mean, you're working two jobs now. There's got to be a lot of commitment and passion for this kind of work to do Synack Red Team and CDW internal pen testing. You're living and breathing this stuff in a way that the AI has no feelings about.

[00:21:55] Jen: Yeah. And then, you know, you have to think about it. So oftentimes when we're doing something like, say there is a soda company, when you're talking to the clients, you reassure them that they're in good hands. You're not going to take down or disrupt their day-to-day activities while this test is going on.

[00:22:14] And that you're going to update them if you find anything critical, like those, you know, media things. The new SSH RCE that came out. Everything you see in the media, they want to know. Even if it's things they've never heard of, if it's critical, they want to know.

[00:22:27] They also care to know about their own little personal goals. If you are a bad attacker, Jen, can you find our recipe for our number one selling soda? And then, like, publish it somewhere? Can you get that information from this external host on the internet, pivot your way into our internal network, and find our secret recipe?

[00:22:52] So that's when I turn on, like, the attacker hat, and I'm actually looking, I call it looting, for things, whether it's, like, social security numbers, people's passports, court cases, bank information and, you know, of course, recipes or secret sauce for things. I take screenshots of all that information that I find, explain how I found it. Obviously, a lot of things are redacted, but that's where you would put on that attacker hat. So...

[00:23:21] Blake: ...careful, and you use the fictional example of a soda company, but in the real world here, and in your own experience, are there any moments that you can share, even if in broad-brush terms, where you had that hacker-movie "we're in" fist bump moment?

[00:23:37] So Jen, tell us about a time when you did have that kind of real-world hacking moment where you said "we're in" and did the fist pump and got access to the networks.

[00:23:48] Jen: I used to actually get up and get very excited, but now I'm kind of like, oh crap, that was too easy. No. Um, so last week, actually, I was doing an external test, which is just assessing hosts that are externally available on the internet, right? Externally facing hosts that anybody can access. There were a couple of servers. The vulnerability allowed you to make a POST request to the server, adding your own SSH key as an administrator. So I was like, cool, I haven't actually seen this happen. So I go, I make my POST request, everything's good, it says successful.

[00:24:31] And I'm like, wow, cool.

[00:24:53] I make myself at home. I make my own account, add myself to the admins. And then I start looking around at, like, jobs that it has running. And I'm like, oh, it's got jobs that connect out to its more internal systems. And on the initial call with the client, they gave me permission to test internally if I could get access.

[00:25:15] So I'm like, all right, I'm going to start getting DA. That's going to be my goal. Well, before I did that, I wanted to call them and let them know. So I'm talking to the main point of contact and he's not understanding the vulnerability. So I emailed him resources. I shared my screen, showed him, and he was just like, okay, so do I just change the password?

[00:25:37] I'm like, no, you have to actually update the whole thing. And he's like, okay, well, I don't manage this. I'm going to connect you to my third-party network managing people. So I'm like, okay. So I get an email invite for a call, a Teams call. And I'm like, all right, I have not heard of this guy. I don't know who he is.

[00:25:55] So I asked him to share his screen, because I'm not about to get social engineered, and to show me the email that he's got, the permission from the main point of contact to work with me. So he shows me everything, whatever. I am now showing him the vulnerability, sharing my screen. And he goes, wow, can you go to accounts and list them?

[00:26:16] There were so many accounts being added while we were looking at his system, because it's externally facing. This is a vulnerability that was so easy to exploit, within like 30 seconds. And I'm telling him, hey, this means other people are actively attacking this right now. He's like, well, I don't know what to do.

[00:26:38] And I tell him, I think, you know, we've got to reset everything. And he tells me, can you create an account for me? Because I haven't been able to manage this device in a couple of years.

[00:26:50] Blake: So you became the admin, essentially.

[00:26:53] Jen: So I'm like, okay, you're going to have to tell me the commands, dude. So we went through that process. They ended up quarantining it and taking care of the device. But that was something that happened last week that I thought, like, huh. Doesn't happen every day.

[00:27:08] Blake: That's really funny. So you, hey, here to help, right? You know, if I can carve out a new role for you to reclaim this system that's being actively attacked, more power to you. That's really funny. So I really appreciate your insights here, Jen, some really interesting anecdotes and conversation. There is one question that we ask of all our guests on the podcast, which is, what's something that we wouldn't know about you just by looking at your LinkedIn?

[00:27:36] Jen: Something that people wouldn't know. People might know a little bit, like the car hacking thing. I post about that on LinkedIn, but they don't know that I like to work on weekends, whenever we have free time, with my fiancé to build out some of his cars.

[00:27:53] I actually learned that a driveshaft is extremely heavy and it sucks to take it out from underneath a car that is not on a lift and only on jack stands. Another thing: I really enjoy true crime videos and I enjoy doing my makeup.

[00:28:11] Blake: Those are three things that we might not know about you looking at your LinkedIn. So fair play, Jen, and I really appreciate your time here. Thanks, Jen, for joining me. Really appreciate it.

[00:28:21] Jen: Thank you so much for having me.