Jason Haddix
CEO, CISO, Trainer, Hacker, and Speaker. @arcanuminfosec AI + hacking + sec leadership. ex:BuddoBot-Ubisoft-Bugcrowd-Fortify-HP-Redspin-Citrix.
6 subscribers
Oct 2, 2023 10 tweets 3 min read
🧙‍♀️ CISO Story Time

This is not exaggeration.

I have a good friend. He's a CISO of a multinational organization in the technology sector. We talk often.

Market trends, sales, and business regulations had the business decide to open a facility in China.

a 🧵 👇

👩‍🏭 Construction was commissioned and completed within 4 years for the new site.

Everything was going pretty well. They had finished HVAC, and most furnishing.

Under suggestion from a CISO friend in a CISO Slack we are in, he commissions a bug sweep of the new office.
Apr 25, 2023 6 tweets 1 min read
More AI in cybersecurity thoughts:

1️⃣ Walking the RSA floor I am reminded of how disparate the telemetry is for hybrid organizations.

In order for AI to make the difference we want it to, we need that telemetry to be standardized.

👇🏼🧵

2️⃣ There's some focus on consumer-level AI assisting standard products, but not as much as I thought there'd be.

Some of these security products will need to be moving faster to adapt. Right now it’s just the top tiers.
Apr 25, 2023 6 tweets 1 min read
Random thoughts from my offensive security mindset:

I’m at the RSA keynote.

Obviously, AI and Data to feed AIs are the top topic for this cybersecurity audience.

Like I’ve said, defense will gain a giant boon in the consumer AI golden age.

But.. adversaries will pivot.

🧵👇🏼

Adversaries will begin staged attacks.

One intrusion to gather data and recon, which will be burned by an AI defense, then another to accomplish their objectives in under a few minutes. Too fast for even AI-aided operations to make defense decisions.
Mar 31, 2023 10 tweets 2 min read
🤖 WebSecGPT - Your AI security buddy

Hacking an API or JS framework?

Don't have a swagger file or struggling to understand the app?

Wanna quickly identify all js sinks?

Meet WebSecGPT

(a thread) 👇

I created a chatGPT 4 master prompt that focuses on web analysis and security testing (private for now, not that hard to do).

I then fed it my target app (a .js file).

You can do this by using chatgptsplitter.com
Mar 29, 2023 4 tweets 2 min read
(Sorry I meant to post all of these this AM)

Want some fun video content to help you stay up to date on AI?

Check out @fireship_dev

👾 Why AI kinda sucks:

👾 ChatGPT4 Plugins Buff:

Mar 9, 2023 25 tweets 7 min read
📣 Stealth and supercharging your offensive security testing using:

🔥 Axiom 🔥

by @pry0cc & @0xtavian

Resources and musings on this epic framework.

👇a thread👇

So I won't lie, I slept on Axiom for quite a while. I don't really know why…

☢️ I know @pry0cc (Ben) personally, he’s epic.
☢️ I love the ideas in the framework.
☢️ I know bug hunters who use their own frameworks similarly as their advantage in the bug bounty scene.
Mar 3, 2023 14 tweets 6 min read
💪 Code Literacy is a Super Power for Hackers 💪

(and Security Literacy is a super power for devs)

Knowing how vulnerabilities are mitigated makes you a 10x engineer (sec or dev)

Check out this thread for some of my fav

🔥FREE🔥

resources. ⬇️

(Also send me more!)

📣 1st off, if you're a 🛠️Hacker🛠️ or security person:

☢️ You don't need to be a dev. You just need to understand the concepts of mitigating common vulnerabilities. Bonus points for knowing frameworks that eliminate them entirely.
Feb 27, 2023 29 tweets 4 min read
🐻 Hacking a Search / Cloud Company 🐻

I once took over a MAJOR foreign search/cloud company.

I had full access to every employee's email & full source code for all their apps.

Here's how I did it (legally)… ⬇️🧵

⚠️ This one is from the archives and mobile tools change fast (well… not that fast tbh), so I will attempt to give modern analogs for tools, for those following along at home. ⚠️
Jan 30, 2023 23 tweets 6 min read
🥽 The Anti-Recon Recon Thread 🥽

Recon is important, but some people hate it. I get it.

When you're in the zone & ready to pounce on a target, you just want to start hacking.

Want the best of both worlds? Quick/complete recon, WITH great coverage?

(a long thread)

🧵⬇️

As an offensive security and testing connoisseur, I love recon. But after talking with many other hackers about their flow, it's always divided.

Others absolutely do not enjoy it at all and are way more comfortable getting on a target as ⚡️fast⚡️ as possible.
Jan 28, 2023 25 tweets 6 min read
👮 Hacking into several Prisons 👮

Here's how I did it (legally), and what I learned along the way!

A thread for security testers and cyber security pros

🧵👇

This security testing was part of a 🪲bug bounty🪲 program.

The target was shared software that many prisons across the US use.

I started on one of the main domains:

login.hackertarget. site/
Jan 25, 2023 12 tweets 7 min read
🔍 My ultimate workflow for simple and easy JavaScript Analysis

⚡️ Comprehensive JavaScript analysis in offensive security, appsec testing, and red teaming wins.

Often you can find juicy hidden endpoints, parameters, & domains buried in JS!

A thread 🧵 1/x 👇

Often, dynamic tools fail to parse, visit, and understand complex JS. This is because referencing URLs in JS can take many forms (see image):

2/x
Jan 17, 2023 8 tweets 3 min read
🧠A little mental health and #hacking crossover on the topics of cultivating desire and progress.

👠 Cultivating Desire

It can be easy to deviate from your goals.

There's always a new game, show, family situation, etc, that can keep you from moving forward.

Thread🧵👇

🎯So how do you re/focus?

You have to learn to capture desire.

We all get the urge to do cool things, spontaneously, during the day. You have to learn to grab hold of that lightning strike of desire & turn it into a plan.

📝Note it, outline it, & calendar it.

🧵2/x 👇
Jan 9, 2023 12 tweets 2 min read
A thread 🧵

The quoted tweet is a long thread of high profile breaches of 2022.

What can we learn to guide our security programs in 2023?

🔟 Observations and recommendations from the writeups and my conversations with other CISOs about their experiences in 2022.

1/x

1️⃣ Two-factor auth, but better yet, FIDO, must be a cornerstone of your security program.

If you are fortunate enough to have great IAM, the minimum here should be deployed to tech staff, devs, and admins.

2/x
Aug 8, 2022 21 tweets 4 min read
So… I just finished my 1st @Hacker0x01 Live Hacking event & I’m heading into another with @Bugcrowd

As a program owner, hacker, & security leader… I have thoughts!

Read along for some spicy bounty takes.

🚨 Like, follow, & retweet for more security content 🚨

a 🧵

1/x

If you've never heard of a Live Hacking event before, then you're not alone.

Less than 50 companies worldwide (I’m guessing) have done such an event with a Bug Bounty platform.

2/x
Jul 27, 2022 24 tweets 7 min read
Coming to Vegas for @BlackHatEvents or @defcon ?

Here's a calendar and guide from the perspective of a 17-year DEF CON veteran.

A Thread 🧵

🚨Like, follow, and subscribe!🚨

1/x
Many refer to the combined Blackhat, DEF CON, @BSidesLV , & @DianaInitiative week as "Hacker Summer Camp"

2/x
Jul 3, 2022 6 tweets 2 min read
Short Thread 🧵

Today on Ben's stream we did some recon on the DoD promotional scope for the 4th of July.

Here's an example of using trademark, privacy policy, or footer recon to find more seed domains:

The scope is ALL .mil sites

🚨Retweet, follow, & like for tips! 🚨

1/x
We started with a crt.sh and google to find some starter domains:

Google:

site:".mil"

2/x
Jun 30, 2022 18 tweets 5 min read
a🧵

⚠️Orgs with mature security programs⚠️

Want a masterclass in scoping/running a bug bounty program?

Read more from a program owner, (former) bounty platform employee, and top bug hunter (me😂)

🚨 Retweet, follow, & like for more sec content! 🚨

1/x
This thread is about Yahoo!

The @TheParanoids & @Yahoo have one of the best bug bounties in existence. Why? Read on 👇👇👇

hackerone.com/yahoo

2/x
Jun 29, 2022 15 tweets 5 min read
A thread🧵

💸Secrets of automation-kings in bug bounty💸

Finding 1day (or 1month) web exploits that haven't made their way into scanners yet can make you big money.

Read more to understand where and how to get an edge in this area!

🚨Retweet, follow, & like for more! 🚨

1/x
A competitive advantage in bug bounty is being able to write your own vulnerability checks.

There are hundreds of COTS and OSS software products that have vulnerabilities that never end up in a vuln scanner for various reasons...

2/x
Jun 17, 2022 9 tweets 2 min read
Dave’s thread is spot on.

I’d say 80% of the colleges I’ve guest lectured at are teaching curriculum that is not applicable to a job in the industry.

It’s either focused on the wrong skills, or woefully out of date.

I’ll give an example from a few years back…

1/ 🧵

I had a friend who I considered infinitely smarter than me doing a masters program in cyber security at a prestigious technical college.

I had competed with him on CTFs and knew he was top ten percentile skills in binary exploitation and reversing.

2/
Jun 16, 2022 12 tweets 5 min read
🧵A hacker's guide to FINDING cybersecurity jobs🧵

Many people know of the normal ways to look for jobs like LinkedIn & Indeed... but we're hackers!

Today I'm going to share with you my top places/tips for finding your next gig.

🚨Retweet, follow, & like for more! 🚨

1/

***

a full expanded blog with more/all links for this thread can be found on my blog:

jhaddix.com/post/a-hackers…

***

2/
May 12, 2022 22 tweets 6 min read
🧵A Practice Target SUPER Thread🧵

Offensive Security People!

Want to take your theory to live targets?
Need some resume filler?
Just want to keep fresh and practice?

Here's a thread of my favorite practice targets to recommend.

🚨Retweet, follow, & like for more! 🚨

1/

Here's a thread of my favorite practice targets to recommend to my students. It includes online and offline targets, and resources to guide you!

2/