21 June 2017

Vista Points: A View from the Top

Andre Gerard

Reflections from a Rising Star

Pete Yaworski is an ethical hacker and valued member of our Synack Red Team. He invests in community advocacy for hackers, which in turn, has helped him build his reputation and achieve success in the field. In our view, Pete is not only a great researcher; he is also a great community leader. By sharing his story and past experiences, he directly helps hackers get their start and encourages them to become the best they can be.

Pete has been actively hacking since December of 2015. He tends to think of himself as “a jack of all trades, master of none”; he’s a self-taught developer and has always had an interest in InfoSec, but didn’t know how to get started. His interest was piqued after reading “We Are Anonymous” by Parmy Olson, after which he enrolled in a Coursera Cyber Security course online.

“For the first time, I started understanding what common vulnerabilities looked like and more importantly, how they were potentially exploited. This kicked off a huge learning journey for me where I read every disclosure write-up I could find along the way.”

– Pete Yaworski, Synack Red Team

Why Synack? There are several reasons why he likes hacking with Synack, he says, but it ultimately boils down to Synack’s fundamental platform design.

“I never appreciated the full effect of receiving responses and payouts within 24 hours of submitting a report until working with Synack. The team is insanely responsive to questions and reports, which keeps you engaged and invested in the platform as a hacker… When I have competing offers from programs to hack on, it’s hard not to choose the one which is guaranteed to be responsive and high-paying.”

From the tradecraft trails…

Pete appreciates the core functionality that differentiates Synack’s platform and dove into some of the key benefits he sees from an SRT perspective (including Synack’s LaunchPoint):

  • I believe LaunchPoint provides hackers with a layer of security to go further and adds extra value to the client. For example, I found a remote code execution vulnerability on a target. Without the LaunchPoint VPN, I would have stopped immediately after providing an /etc/passwd proof of concept.
  • Because I was on Synack and hacking through LaunchPoint [available only on Synack], I dug a little deeper and confirmed what other infrastructure the compromised server was connected to. Rather than just report that the company had an RCE vulnerability, I could confidently identify the severity and potential impact of the vulnerability, and recommend that their remediation be expanded.
  • In another situation, by purely using a site’s own functionality without any testing payloads, I was able to DoS an application. However, since all of my traffic went through LaunchPoint, I wasn’t totally freaking out since Synack vouched for me and confirmed the exploitation was not intentional or caused by any hacking on my part.

Q1: Describe how you see the cybersecurity industry evolving and how it will shift the involvement of red teamers today.

In my limited time in the bug bounty community, I’ve seen a shift in the level of trust given to ethical hackers. As part of the Synack SRT, I’ve had the opportunity to hack the United States Government and various enterprise clients, who I never would have imagined embracing crowdsourced cybersecurity when I started hacking. I firmly believe this trend is going to continue, and with tools like LaunchPoint, the trust will only increase and the breadth of programs will grow.

That said, I think this will have very real implications for traditional cyber security companies specializing in penetration testing. While I have limited experience working in a formal pentesting job, it is hard to argue with the value of leveraging a diverse group of hackers with different areas of expertise paid on a commission basis versus full-time employment through pentesting contracts.

One of the differences I keep hearing between pen testing and bug bounties is trust: with pen tests, you can give broader access to systems because some people think there’s more trust. From the Application Security perspective, I think the crowdsourced model introduces interesting opportunities for teams to focus on high-priority areas and work with developers to improve security on a go-forward basis while leveraging a broader group of hackers.

Q2. Describe any big challenges or issues hacking can cause. What helps you overcome these issues?

I think the biggest challenge hacking causes for me is time management and work-life balance. I’m only starting to realize how easy it is to get burnt out. Having realized all this though, I’ve taken a more strategic approach to my time and learning. I try to take at least an hour a day for guilt-free, mind-numbing free time. Sometimes that’s watching Netflix, playing Xbox or reading a novel. But the point is to distance myself from all things hacking, to shut off my analytical brain. With regard to learning, I’ve taken a more structured approach to hands-on learning via the vulnerability information Synack makes available as described below.

Q3: How do you see creativity fueling the ingenuity of successful hacking? How can the industry support red teamers and continue to foster their creativity?

Time is a limiting factor, just like any other opportunity. In order to continue increasing my success, I need to find creative ways to get more out of every hour, minute, and second.

I think creativity is about looking at hacking both from the micro and macro level.

When you’re out of your comfort zone and hacking on a new type of target, you need to be able to critically think about what’s important and what could have been overlooked. To me, that’s creative thinking. When looking at a new technology, you have to come up with ways that a developer could have made mistakes or overlooked security considerations. Sometimes that’s drawing connections between similar technologies, past experiences, or shared findings.

At the macro level, I think successful hackers are able to take those micro experiences, reflect on them, and develop creative strategies to reduce and automate the churn. This is where it helps to have some coding experience, because you can apply it to developing automation tools to repeat the easy stuff. I once had a boss tell me that we all have a finite amount of mental capacity in a day, so when it came time to get her approval for things, she only wanted to make high-impact decisions. The rest could be left to me. She said 80% of the time I’d be right, 10% I’d mess up, and the remaining 10% I’d really mess up. But she was fine with that risk. I think the same applies to hacking. We only have a finite amount of mental energy and need to find ways to free ourselves to apply that. To me, that’s developing creative solutions.

In terms of industry support, the most obvious way to foster creativity is to directly support hacker creativity.

This could be financial support to develop new open source tools, loaning hardware for specific programs, or researching new infosec topic areas and sharing those results. Alternatively, conferences provide a great avenue for knowledge dissemination and idea sharing. This includes not only sponsorship, but also providing expertise and support for hackers to present at the conferences, encouraging them to do so. Ultimately, I think it’s about finding ways to encourage hackers to come up with new ideas and ensure those ideas are shared.

Q4: Synack provides tools and data in our platform that can reduce a hacker’s time to discover vulns. Is there other information we provide that enhances your experience?

One of the things I’ve recently started doing on Synack is monitoring the analytics page for different types of vulnerabilities that I didn’t have much experience in reporting: remote code executions, SQL injections, server-side request forgeries, etc. Once I see a new, interesting vulnerability type listed, I try to find time to learn about it.

It’s awesome for me because I learn so much from the process, and it has definitely broadened my knowledge, experience, and also creativity, since I’m trying to uncover both how a new vulnerability type can be exploited and techniques I can use to discover them.

Q5: Do you see benefit in Synack leveraging machine learning to help optimize your search for vulnerabilities, and provide more insight to benefit you as a hacker?

To me, the use of machine learning supports the notion of freeing up our mental capacity as described above. I think its use can and will ultimately pick off all of the low hanging fruit from programs, leaving more complex vulnerabilities to be found. Given that, I think it will result in a forced creativity; hackers will need to adapt to its existence to stay relevant. But I don’t see this happening overnight, which means hackers will have the opportunity to develop the required skills and learn from the results, at least given how I’ve seen Synack begin to use Hydra.

Q6: How does Synack help support hackers and pave the way for the role of creativity in hacking?

One of the awesome things about Synack is the diversity in targets, both in customer type and technology. I’ve been lucky enough to be invited to these programs and personally encouraged to participate where I might otherwise have shied away. For me, these experiences have been invaluable and I keep prodding for more. For example, I had the opportunity to do some hardware hacking through Synack. I was newer to it, so not sure I would have actively pursued the chance had it not been for Synack’s support and the open opportunity to extend my skills.

It is very easy to develop “hacking blinders”, only looking at the same type of targets with the same lens. While it makes sense to develop a methodology that works, I think it can easily lead to stagnation. Being encouraged to hack on diverse targets, combined with platform analytics drives me to explore new areas, approach sites in different ways, and get past the low-hanging fruit while hacking.

Synack provides initiatives to help foster the researcher community and engage top talent; technology to optimize researcher efficiency and accelerate vulnerability discovery; opportunities to work on unique targets; personalized support, and skills development. We do this through fun competitions, interactive gamification elements, mentorship, and specialized projects.

Consider applying to join the Synack Red Team. Become one of the few and fully experience our platform – it’s designed by hackers for hackers. If you’re up for the challenge, apply today.