Alton Johnson, Founder and Principal Security Consultant at Vonahi Security, automates his way out of his pen testing job in this week’s episode. An AOL hacking gone wild got Alton into defensive cybersecurity years ago, and now, as the Founder of Vonahi, Alton advocates for automation and efficiency in the pen testing process. Alton talks about his connection to defensive over offensive, customizing a pen test report to your audience, and finding that sweet spot between practitioner and entrepreneur.
[00:00] Learning the importance of automation in defensive cyber
[07:48] Connecting with automation & defensive cybersecurity over offensive
[12:01] Showing the results that matter to the right people in a pen test report
[15:27] Prioritizing exploitations in the world of vulnerability assessments
[21:59] Maintaining the cyber practitioner & the entrepreneurial side of Vonahi
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.
How have you seen automation change yourself and your role?
As a penetration tester, Alton explains that time is often not on his side. There’s a limited amount of time to do an assessment, and the measure of a good pen tester is often determined by fast, high quality reporting. Automating the repetitive tasks of pen testing not only saves time, but Alton believes it genuinely changes the role into something much more efficient, high value, and successful.
“Automation obviously plays a huge part in growing in the career too, because the more you can do, the more value you can provide, and the faster you can provide that value makes you a better pentester.”
How do you convey the story of a red team engagement in different ways so that message is received by everyone in the company?
At Vonahi Security, Alton’s team separates pen testing reports into an executive summary and a technical report. The executive summary is high level, demonstrating the impact and severity of what was discovered from a business point of view. Many business executives don’t need the technical play by play, which is why that is saved for the technical report. The technical report acts as a scene by scene story of what was done and how to technically fix it.
“We separate the two conversations. Here's what we did at a high level to anyone that doesn't really care about the technical stuff, but only cares about how it impacts the business, and then, for the person that has to fix the issues, here's everything that they would need.”
What would you tell the newer generation of cybersecurity practitioners about the offensive side?
When Alton first started his cybersecurity journey, he was very into hacking and coding. That passion for code has served him well, allowing him to become successful enough to start his own business with Vonahi. For the younger generation of cyber practitioners, Alton recommends not skipping that coding education. As technically advanced and automated as cybersecurity tools are, practitioners should be prepared to code when something breaks or doesn’t work as intended.
“I think coding is extremely valuable, because there's going to be many times that tools that you use don't work and you have to have the experience and knowledge to basically fix those problems with coding.”
What have you learned over the past few years that has helped you to maintain both the technical and business side of Vonahi?
Efficiency is the name of the game for Vonahi, and it’s the one thing that has allowed Alton to remain in a hands-on pen testing role while still being a business owner. Keeping it efficient is more than just technology and automation. Alton believes his success is a direct result of the efficient technology around him and the hardworking, intelligent, efficient team members working with him at Vonahi.
“It is really just about efficiency. We look to all these other leaders, but for me, I like to learn from other people's failures. I don't want to take the same growth processes as the person who failed and didn't do well.”
Hacker Valley Studio 00:07
Who says tech can't be human?
I like to learn from other people's failures. I don't want to take the same growth processes as the next person who failed and didn't do well, or whatever. It's really, on a business side as well, this is mostly about, like, efficiency, building a strong team, just growing from there.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
Axonius Ad 00:37
We get it; another vendor running another podcast ad, trying to get you to check out their product.
Instead of explaining to you what our amazing sponsor Axonius does, we've brought in an Axonius customer to fill you in. Take it from Jason Loomis, Chief Information Security Officer at Mindbody.
Jason from Mindbody 00:56
The sheer excitement of my team to have visibility into what's in our environment, and have it all in one location is just— I can't express how important that is for us.
Axonius Ad 01:07
Want to learn more about how Mindbody enhanced their asset visibility and increased their cybersecurity maturity rating with Axonius? Watch the video at Axonius.com/Mindbody.
Chris 01:19
What's going on, everybody? You're in the Hacker Valley Studio with their hosts, Ron and Chris.
Yes, sir.
Welcome back to the show.
Glad to be back again, Chris. There's only one thing we get into these little tizzies about, and that is automation. So, what I decided to do today was bring in someone that is just as passionate about automation as I am, and our guest this episode is Alton Johnson. Alton is the Founder of Vonahi Security, and never really thought that he would embark on the entrepreneurship journey. I'm excited to cover automation and also learn more about you, Alton, but most importantly, welcome to the podcast.
I appreciate it. Looking forward to it. Thanks for the opportunity.
Absolutely. We talk about automation all the time on this show, and I do think automation plays a huge role in cybersecurity. Ron thinks that can be the end all be all, but that's another conversation for another day. We got to talk about this, you automating yourself out of a job? How did that even happen?
Yeah, so, as a penetration tester for the last 10 years, for me, I'm a very impatient person and I view the world in a very simple lens. I like to look at things and ask: Why is this complicated? And as a penetration tester, there's a lot of complicated things that I was doing, that I was forced to do as a pentester, reporting, things like that, and a lot of those things were just super inefficient. I couldn't understand why, as a person who was being hired to hack a company, I had to sit back and write reports in a Word document and run macros, and stuff like that. It just seemed like a huge problem, and no pen tester likes to write reports, we all just want to hack and have fun and hope that documentation writes itself. So, that was really my goal because a lot of stuff that happens in a penetration test are things that could be repeated over and over and over. There's a lot of things, of course, that change along the way, but those things can be automated as well. So, that's pretty much what drove me to start Vonahi, was really just a lot of frustration dealing with a lot of inefficient processes and stuff that just didn't really have to be complicated. It was just complicated for no reason.
You know what I find interesting about the automation topic? I believe it's directly tied into entry level positions turning into mid level or senior level. We were just looking at a tweet by Meg West recently and she said, "No one talks about how once entry level cybersecurity personnel are hired, they rapidly grow. They outgrow their skills. They outgrow the position, but their pay stays the same." And I would imagine that automation is the equalizer, it's the thing that helps you go from doing those reports manually over and over and over again, to having that opportunity to learn new skills. In what situation have you seen automation change yourself, from going to a more senior team member, or change someone at your company?
So, as a penetration tester, you typically have a limited amount of time to do an assessment. And so, you're basically as good as the value that you provide with that penetration test report. And so, if you're doing every single thing manually, then you have an even more limited amount of time to accomplish the goal, right? Because now, you're focused on doing a lot of this stuff manually. So, automation obviously plays a huge part in growing in the career too, because the more you can do, the more value you can provide, and the faster you can provide that value makes you a better pentester. So, you're making fewer mistakes, you're spending less time doing things that should take a lot less time, so, you're basically using your time a lot more wisely. But yeah, it definitely plays a huge part as a penetration tester and growing in the industry as well.
Chris 05:05
Where did all of this come from? Were you interested as a kid when it came to puzzles? Has that always been how your mind works? Where did all of this really start for you?
Yeah, so it's very interesting. So, when I was 11 years old, back in AOL days, we were all chatting online, I used to just hang out in the chat rooms. There was a point in time where somebody actually hacked me. They sent me a file, I opened it up, and they had access to my computer. They started doing all these weird things with the computer, changing the desktop, locking the mouse keys and unlock, scroll lock, caps lock, playing with the lights and stuff like that, printing stuff on the printer, and I was like, obviously, freaking out at the time. But it's kind of interesting, because the person that did it to me, they were messaging me on AOL, and they were telling me, "Hey, I got access to your computer." So, it all started making sense. Like, this person obviously has messed with my computer, they're the one that's doing all of these different crazy things. Now, the cool thing, though, is that this person, for whatever reason, and I'm glad they did, but for whatever reason in the world, they told me, they showed me how they did it. They linked me to a tool called ProRat, similar to Subseven, and I just started using it on everybody else's computer. My whole goal at the time was really: How many computers could I get access to? I didn't even care about flipping the screen and stuff like that. I just wanted to know that I had access to a computer. That, for me, was the end goal. I don't care about anything else beyond that. So, I didn't realize you could actually get paid to do that until I was much older. So, as I started getting older and heard about penetration testing, and you can get paid to be an ethical hacker, that was just mind blowing to me. You mean I can get paid to do this, to hack? For me, at that time, that's when I really started kind of putting together courses and trying to figure out like, what is the best way for me to get into the cybersecurity space? I was reading courses, reading a lot of books, just basically talking to a lot of people, trying to figure out what they knew that I could learn from and stuff like that. But yeah, it all started from the time when I was a kid and getting hacked, and thankfully, that person told me and showed me how they did it, and that really paid off.
I am shocked, and I'm shocked because you might be my doppelganger. That is the exact story of how I got into cybersecurity, and it's funny because we were just live on LinkedIn earlier today, talking about this exact story. I was in a chat room, I was around 13 or 14 and talking crap to the wrong person. They sent me a file using direct message and same tool, ProRat. They sent it to me, they told me how they did it, and I did what any responsible teenager would do: I sent it to all my friends. Did you do the same things? Were you also experimenting with other people that you knew?
I did the same thing. I was also using ICQ, the reverse shell, and stuff like that. And yeah, just went crazy with it. I just had to get access to as many computers as I could. I was just extremely excited.
Love it. It's a small world. Maybe I got sent the file, and then I sent it to you. I don't remember what happened all that time ago, but it's really changed my life and it sounds like it's really changed yours, too. But for me, I will say the difference is, and I don't think we look that much alike either, but I think the difference is you stay on the journey of being an offensive engineer, someone that really understands the attack, how to dissect it, how to automate it. What made you more fascinated in that side of the house, versus the blue team, defensive side of the house?
The Future of Pen Testing Automation with Alton Johnson
Hacker Valley Studio with Chris Cochran & Ron Eddings
Yeah. I think, for me, just being able to get access to computers and networks and stuff like that, it's always been super exciting. I was working at a federal credit union once before, and we had a security company come in to do an assessment, and that was like, for me, the face to face to another person who was doing what I thought was pretty cool. And so, that just really stuck with me, I really wanted to get into it. I could go around to different companies and assess their networks, basically go to the company, tell them all the things that are wrong, and then walk away. That part of it was exciting, and also being able to travel and stuff like that. I had some other friends, I started meeting people who were in a blue team area, and they just didn't really seem as happy just because it was just a lot different as far as like, job responsibilities and stuff like that. But as the person on the offensive side, you basically get to rip the hole in the network and just walk away and just give all the recommendations. Be there for advice and stuff like that, but you're not involved in why it's broken, why the vulnerability exists. And I told you last month, it's supposed to be patched. You don't even have to care about any of that, you just basically say, "I exploited this computer because it's missing a patch, and that's it." I don't care why, but it's missing a patch.
So, you love it because you get to party like a rockstar and walk away. Everyone else has to clean up the mess. Got it. No, I was just kidding. But no, that's a good point because there's different paradigms within cybersecurity that people need to really be specialized in. There are folks that are really focused on the offensive side, folks that are really focused on the defensive side, and then, there are folks that are in the middle, trying to pull those pieces together. What do you think is missing from that connection piece? Because you can tear a hole, you can find all the bugs, you find all the issues, and then, it's up to the blue team to pull things together, but a lot of times, in cybersecurity, we're trying to prioritize where we devote our efforts, our time, resources, money, and it can be difficult to really figure out which priority we're going to go through. So, is there anything from the red side, the offensive side of cybersecurity, that would make it easier for the blue side to determine what to fix first and then what to fix after that?
Yeah, absolutely. And to be honest, obviously, I'm a little bit biased because of the pen testing stuff, but basically, a penetration tester, the red teamers, the offensive security, we're basically simulating exactly what an attacker would do. So, the things that we're able to come up with, as far as our reports to say, "Hey, this is how we got access to XYZ," I think that really shows the impact and definitely increases their priority of remediating those things. Because as a person on the blue team side, where you've got a lot of different things going on, vulnerability management, you've got patches and stuff like that, there's so many different things going on. But on the pen testing side, the red team side, the stuff that we present are the things that would truly happen, it could really happen tomorrow. Like, it's so real, you know what I mean? Because there's the proof, there's the impact, there's the evidence. And so, the priority, in my opinion, would definitely be on that versus some of the other things that are going on because we're basically saying, "Hey, I hacked your network, and this is how I did it. And so, if I did it, this could easily be accomplished by a malicious person, who isn't going to tell you how to fix the problem." So, yeah, I definitely think on a red team side, the pen testing stuff should really help with the priority.
NetSPI ad 11:29
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security testing. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more. Thank you, NetSPI, for sponsoring this episode.
So, let's talk about that a bit deeper. When you are going through and maybe working with clients today, organizations today, I feel like a lot of organizations are somewhat misguided or skipping step one, and that's understanding their priorities, understanding their requirements, and what's really needed to be done first. What is your philosophy, your mindset for making sure that you're not just jumping the gun and trying to show the results, but you're actually showing the results that matter?
Yeah, I think— Do you mean for a pen test report, for example? Like, interpreting that?
Or, even the information that you will provide in a pen test report. I'm sure that some pen testers will provide just a template, but then, others will go deeper with the customer to give them the fields, the data that matters most.
Yeah, the severity ratings in a penetration test report are definitely a lot different than you would see from a vulnerability scanner. So, I think the priority from just the standard pen test results would definitely hit home a little bit, but then, also, too, when it comes to narrative. So, for example, we do this, and I've worked for another company that did it, I don't know if it's super common, but one of the things that we do to help bring that point home is to essentially show the reader how we did everything we did from point A. So, when you look at the narrative, it basically says, "Hey, I started off with host discovery, I found X amount of systems that are active on the network, and I started doing port scanning on X amount of ports. Based on those open ports, I was able to find XYZ information from the services that are running. Based on that information, I was able to discover X amount of vulnerabilities, and then based on those vulnerabilities, I was able to exploit this one. And then, that will lead to you getting access to a computer." And so, we paint the entire picture of how we were able to start from point A and get all the way to point Z and show the sensitive data. It really helps organizations understand the mindset. Obviously, they're on the other side, so they may look at the narrative and identify areas that we shouldn't have been able to do, just because there were firewalls, their security controls, and things that may or may not be working depending on how far we're able to get. So, I think in our case, the narrative has been extremely valuable as part of our assessment reports.
That's speaking our language, because we're all about communication. We're all about storytelling, and what you're talking about is, if you're doing a red team engagement, and you're saying, "Hey, this is how we got in, this is where we pivoted, this is what we exploited in order to get access to this specific type of data," that's a story. What are some of your tenets with conveying that story? Because I'm sure you speak to everyone from the C suite all the way down to the security engineer. How do you convey that story in different ways so that message is received?
Yeah, so, we have an executive summary. We keep that pretty high level. The executive summary kind of demonstrates that impact through severity ratings. We also have some descriptions and stuff like that, to kind of summarize the things that we're able to find. If we're able to accomplish a significant amount of assets, a lot of assets to data systems, whatever, that criticality in the executive summary is going to pinpoint that. There's also just a high level overview of the results. So, let's not dive into getting too technical. So, we have the executive summary that separates that for the executive level, and then, we also have the technical report. That's the one that dives all the way into the narrative, the evidence, the attack chain. So, that's pretty much how we separate the two conversations, right? Like, here's what we did at a high level to anyone that doesn't really care about the technical stuff, but only cares about how it impacts the business, and then, for the person that has to fix the issues, here's everything that they would need to know to further improve that environment.
I like it. I mean, you make it sound very straightforward, pretty easy, but what are the challenges though? Outside of creating the story, what are the roadblocks of people interpreting that story the way that maybe they should, or based off of the data that's presented to them?
One of the biggest things, obviously, for us, that I think we've been able to solve as far as the challenge is really just that priority, that impact, because a lot of companies are doing vulnerability assessments all the time, they see all these vulnerabilities, but it doesn't really mean much. They see it every month, nothing bad has happened so far. So, what's the point of caring? Sometimes. Not every organization feels that way, but in vulnerability assessments, there's just a lot of vulnerabilities that get produced on a lot of those assessments. And so, it's very hard to really figure out: Which of the 2000 vulnerabilities should I address first? But when it comes to what we do, from the pen test side, we're basically showing the impact. So, a lot of that confusion around: Where should I start? What's the first thing I should remediate? We've eliminated a lot of that, because when we say, "We exploited this system, and that led us all the way into getting sensitive data," it is very clear, there's no going back and forth and arguing about severity ratings. This person thinks it should be a high versus critical versus medium. We're making it so simple to say, "Hey, we exploited this system and that's what led into getting access to everything else." So, I think we've eliminated a lot of those issues when it came to prioritizing what should be addressed first, just by the way we present those findings in a report.
Do you have a story that you like to tell about pen testing or being a red teamer? Where you feel like, you were up against a wall, you were dealing with an organization that's really, really tight, they're doing all the right stuff, they have great cyber hygiene, they're updating their patches. So, the normal things that pen testers and red teamers lean on just aren't available, but you had to do something creative, you had to switch, you had to almost present that twist in the story in order to get that access. Do you have a story around something like that?
There is one story that I have, in particular, and I guess I didn't get all the way through because of the pen test. So, we were doing a pretty big assessment for a pretty large company and my part of it was just the network penetration test. The other part of it for the other team, it was a POS assessment. So, they were doing source code review, stuff like that. The CISO at the time was like, very cocky, just, "No one can touch us. We've got all these fancy things in place." He brought me to his office, showed me his big whiteboard of all the architecture here, and just was like, "Yeah, this is why no one can do anything. We're using the latest and greatest," just super cocky. From the network pen test side, I wasn't able to really discover anything because everything was pretty locked down, but someone on the other team was able to find an exploit for one of the POS devices and that basically opened up the floodgates to everything else. But that's probably the one thing that comes to mind, the one scenario that comes to mind, it was a pretty exciting feeling to get that far after dealing with that person.
It sounds like you still get the rush, you still have the excitement about staying technical, and whatnot. Is that right?
Yeah, yeah, exactly. I've always thought to myself, you know what? I see a lot of people who have been in this industry for a long time, they've evolved, now it is more about the business and stuff like that, I get it. But for some reason, man, I still, if I can't accomplish something, getting an exploit to run or work properly or developing something, I can't sleep at night. I don't know what it is. I don't know when that age is going to be for me, but I love being creative to come up with that solution. I can't sleep until I find that solution, so that's still in me.
Are there places that you pull that creativity from outside of cybersecurity? So, for instance, for me, when I think about Hacker Valley and what we do here, even though we're talking about technical topics, we're talking about personal growth and development, the things that I tend to pull from are movies and even music. It gives us that vibe, it gives us a certain flavor of the way we do things. Do you pull from other sources for your creativity when it comes to pen testing?
I wouldn't say other sources per se. It's mostly just like, inefficiency frustrates me, and frustration for me typically drives, "Alright, how do I fix this problem?" But yeah, so, of course, like fast cars, I like to essentially have something that's constantly pushing me to the limit. I love the automation of it. So, cars are basically turning into more and more automated stuff and like, I have a Tesla. So, when I see how the self driving feature is constantly evolving and is getting better and better, I want Vonahi to be like this as well. So, a lot of the technologies that I see that are advanced in the world as well definitely contribute to a lot of what I do today.
On one hand, you have all of the technical opportunity, innovation, creating new tech, experimenting with new tech, but on the other hand, you have business. You could double down on creating something that is sustainable for yourself, your family, but other people's family. How do you balance those two, because I'm sure they both take up a lot of time? Sometimes, I would imagine they are a conflict to each other.
It's definitely interesting as a technical founder, because I constantly go through that challenge of growth and wanting to evolve, but I think the biggest thing for me, it's really just having a good team. So, I've been very, very fortunate with having the team that I have to basically take care of a lot of the business things that don't necessarily excite me. I think that's really what it's all about, right? Just having the right people in place to help me out, and that way, I can focus more on the things that I love to do. When we look at the big picture, that provides more value to everybody that uses our services. But yeah, I think the biggest thing there is really just a team. That's obviously a huge impact for me personally.
Thinking about all the people out there that are getting into this game today, because pen testing and red teaming back in the day, it was very different than it is today. What is some of the stuff that you would tell the newer generation coming into this space about the offensive side of cybersecurity?
Yeah, I would definitely prioritize coding, because, for me, it just happened that as a kid, I fell in love with hacking and started coding and stuff like that. So, I've always had a passion for coding and as a pen tester, getting into the field about 10 years ago, that passion for coding has really helped me excel as a penetration tester. I've seen other pen testers who just can't code, they can only use the tools that the industry publishes, and if the tool doesn't work, it could be just because of a semicolon or something like that, they would never get it fixed because they can't code. And so, I think for someone getting into the industry today, I think coding is going to be extremely valuable, because there's going to be many times that tools that you use don't work and you have to have the experience and knowledge to basically fix those problems. Of course, when it comes to automation, you got to get into a process as a pen tester where you're doing a lot of the same stuff over and over and over. So, if you can code and make yourself a better pen tester over time, I think that should definitely be something to focus on in this beginning of a career in cybersecurity.
Yes, you gotta learn at least the logic. It's almost like also eating your veggies. I gotta ask though, there's definitely someone, including myself, that's listening to this podcast that is wondering, how do you stay technical? How do you also start a business? What will be that one key learning that you've learned over the past few years that has really helped you to maintain both technical but also the business side of the house?
I think it's really just efficiency, because on the technical side, it's all about: How do we incorporate something new into the platform in a way that doesn't take six months? And so, we have to create ways in the framework to basically drop in a new exploit if it comes out tomorrow. And so, for us, because we've built such an efficient process, it allows us more time to basically do the research, and contribute back to the platform. There's a lot of passion around just keeping it simple, keeping it efficient, and being able to grow and scale with that mindset. And that's for the business side, too, right? It is really just about the efficiency. We look at all these other leaders. For me, I like to learn from other people's failures. I don't want to take the same growth processes as the next person who failed and didn't do well, or whatever. It's really, on a business side as well, this is mostly about, like, efficiency, building a strong team, and just growing from there.
Exactly, we have to stand on the shoulders of giants, because— Why would we want to make all the same mistakes that everyone else has already made? We have to take these learnings and push everything forward. Gotta say, Alton, thank you so much for taking the time out of your busy schedule to hop on the mics with us and have fun. We're definitely gonna put all of your information down into the show notes below wherever anyone is listening to any of this. And with that, we will see everyone next time.
Hacker Valley Studio 23:47
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.