This morning I have made public an internal repo on relaying available to everyone. I call it the relay bible. I still have a few more additional tweaks and techniques to add in here, but for the most part, it's ready. Hope everyone enjoys my reference.
https://t.co/if08LR2Nwv
Every JWT writeup online covers 2–3 attacks and stops.
I got tired of jumping between 40 blog posts, so I wrote the whole thing. All in one place.
https://t.co/iCSzQ4GjcS
#infosec #appsec #bugbounty #websec #jwt
[This is not in chronological order]
During early pen testing days, you had to manually hunt for open ports on the internet with listening services, and then either blind fuzz them or model them on your own system and find memory corruption.
Then nmap came out and changed the game for finding potentially vulnerable systems.
Then vulnerability scanners like eEye and Nessus came out, and if you weren't using them, you couldn't keep up. Internal vuln scanning and automated patch management became a thing. People thought testing would be dead.
Then Metasploit came out and really changed the game. A lot of people said that now all script kiddies could hack anything and security was ruined. (It wasn't.)
Halvar came out with BinDiff, and RE tech like IDA got more and more powerful. Time to exploit dropped dramatically. If you knew how to use IDA, BinDiff, and Metasploit, you could be incredibly fast and effective. If you couldn't, you were stuck with public 1-days and commodity scanners.
People started using firewalls, and finding open ports became almost nonexistent, so people had to adapt. This spawned internal pen tests, phishing, reverse shells.
Skape went to Microsoft. Tools like Valgrind, SAST and DAST, "memory safe" C/C++ functions, etc. started to come out. ASLR, DEP, etc. made it seem like memory corruption was infeasible.
Return-to-libc and ROP gadgets were innovated and overcame those issues.
Eventually, finding an RCE in a running process in mainstream software became very hard, and many people pivoted to SQL injection, XSS, and other web vulns. You had to be good at HTTP, JavaScript, and other web technologies. Burp Suite came out and changed the game.
My point is that many times during my 30 year career in offensive cyber I've heard that XYZ is dead, jobs will go away, etc. I'm hearing it now again with AI.
The truth is, those who don't evolve and use new tools DO go away and lose their jobs. But each age is an evolution. AI is no different. New tools, new approaches, acceleration.
I don't pen test as much anymore, although I do still do a few a year to keep up and keep tabs on tools, techniques, and what corporate networks look like. If I were still using approaches from 2003 (nmap, vuln scan, Metasploit module), I would not be having success. But because I'm employing the whole field of tools, I still am.
Also, pen testing is of low value if it's just about popping shells or reformatting a vuln scan. If you learn and understand a customer's business, figure out and are able to articulate strategic vulns rather than "box x has vuln b," and can work as a partner rather than just a once-a-year annoyance, you provide value.
If you want to survive the offensive cyber industrial revolution (whale oil -> shale oil) that AI is bringing, you must:
- Know how to use and customize AI and Agents.
- Speak and present to customers and publicly.
- Write clearly and coherently for different audiences (e.g. tech vs. manager).
- Think with a business mindset. Budgets, culture, technology, timelines, roadmaps, priorities.
- Have strong skills in remediation, PoAMs, helping design migration and mitigation strategies.
- Master web technologies from HTTP to databases to GRPC.
- Have a deep understanding of RF (wifi, bluetooth, NFC, RFID, cellular, etc.)
- Have a handle on hardware (UART, SPI, JTAG, glitching, hot air rework, firmware dumping and extraction)
- Know all the old service attacks from port scanning, to network protocols.
- Understand deception.
- Have some amount of threat intelligence so you can keep up with what real world attackers are doing.
- Be able to RE (ghidra, IDA, radare, binary ninja, debuggers, dynamic instrumentation)
- Understand the principles of memory corruption, exploitation, continuation of execution, how to get around memory randomization.
- Fuzzing, fault injection, test harnesses, triage.
- How to navigate call graphs and control flow graphs and visualize a program.
- Understand authentication systems (and their flaws), MFA, and transport encryption (TLS)
- Have a deep understanding of network protocols including man-in-the-middle attacks.
- Have a deep understanding of enterprise directories (AD, FreeIPA, etc.)
If you have all that and you can use AI to accelerate, automate, and fill in the gaps, you will absolutely still add value and have a job for the foreseeable future. You just can't stay stuck on one particular way of doing things. Constantly evolve and adapt.
The Mimikatz Missing Manual
TL;DR: The project is the culmination of years of technical research and specialized training material originally developed for private classes at security conferences. This information was only shared behind closed doors.
https://t.co/sv94J8vD88
Built WinGraph, my new project: a BloodHound-style dependency visualizer for every binary in the Windows System32 directory.
4,000+ DLLs and EXEs. Every import. Every export. One interactive graph.
Check it out now: https://t.co/sRtf2Lnmqn
I published a SharePoint and Outlook PowerShell GUI that can be used on Red Team operations when you've found an Azure AppId with interesting privileges.
You can now use these tools to browse SharePoint or mailboxes through a GUI instead of the Graph API.
https://t.co/V80HUxIHEs
Finally got this virtual iPhone running iOS 26.1 up and running on macOS. It's jailbroken and going to help with security research a ton. Big thank you to @wh1te4ever for this.
This is not for the average user and is complicated to set up. Highly recommend Codex and/or Claude to assist.
For those interested, the project is here:
https://t.co/ygp2iV8kuv
And the writeup is here:
https://t.co/WaYM6QiFLD
In the red team space, there have been manifestos and "how-to" guides for hacking. @dmcxblue has released three guides to learn and practice hacking legally:
#redteam
https://t.co/sr4jnKgTXf
https://t.co/pc2yS4Trqq
https://t.co/EZ70gz2ihK
Bruno from @vulnlab_eu (now on @hackthebox_eu) features .NET reverse engineering, ZipSlip archive path traversal into a DLL hijack for foothold, then Kerberos relay via KrbRelayUp abusing missing LDAP signing for RBCD and Administrator access.
https://t.co/Ml8Zym76df
Yo, a new blog about all initial access techniques
Payload Dev | Phishing & MFA Bypass | Credential Attacks | App Exploitation | Social Engineering | Physical & Supply Chain Attacks
https://t.co/qzEsu2Toeg
#RedTeam #Phishing #apt #InitialAccess #payloaddev
This list has not been updated in the past 5 years, but the articles, blogs, and trainings are a great resource for a solid view of the Red Team space.
#redteam
https://t.co/9WFQLAHYTO
Yes, I've tried Claude. It was okay. I primarily do malware development and reverse engineering, so there are many times Claude will say, "that's not in my training data". Alternatively, I'll notice Claude is wrong and it'll say "you're absolutely right!".
It's cool, I guess. As is tradition, Claude and ChatGPT feel more like fancy search engines than anything else.
For reverse engineering Claude has been pretty helpful. It helps rapidly speed up what I'm doing. Sometimes Claude picks up on details I've missed.
My biggest thing about AI though is that, while I enjoy it as a tool, I learned to program because I like problem solving. Even if AI spoon feeds me the solution I like to review the code, research what it has shown me, etc. I don't like having a machine do all the thinking for me. I enjoy the process of failure and exploration.
Maybe others don't want to think, but not thinking defeats the purpose of why I chose this career field. Maybe I sound like a boomer or loser, or something, I don't know, but I still very much like thinking and struggling.
Thanks for coming to my TED Talk.
I'm excited to finally share Chronomaly, a kernel exploit for Android and Linux kernels 5.10.x using CVE-2025-38352.
As a reminder, please patch your Android devices if you haven't already!
I recommend getting some 🍿 before reading this post 👀
All links in the thread below: