Automated Pentesting with Alton Johnson from Vonahi Security
The MSP Stack Podcast, October 17, 2022

In this episode David talks to Alton Johnson of Vonahi Security about Automated Pentesting: The Future of Offensive Security. Everyone in the IT Managed Service Provider industry has a different vision of the Stack. The MSP Stack Podcast explores MSP approaches to great client experiences and talks about the collection of tools and technology that make the MSP indispensable. Subscribe to join us as we talk to MSP owners and operators about all the buzzwords: PSA, RMM, remote management, patch management, ticketing, time tracking, task management, CRM, billing and invoicing, cybersecurity, email security, zero trust access, licensing, password management, documentation, backups, ThreatOps, and more. [S01E18]

[00:00:00] The Stack, a podcast for IT and MSP professionals with your host, David Pap.

[00:00:17] Welcome to the MSP Stack Podcast. I'm your host, David Pap. We're joined today by Alton

[00:00:23] Johnson with Vonahi Security based out of Atlanta. Alton runs an amazing cybersecurity

[00:00:29] business. Welcome, Alton.

[00:00:32] I appreciate it.

[00:00:34] Let's uh, I want to talk about automated pen testing, which is obviously what you

[00:00:37] guys do and kind of the future of offensive security.

[00:00:42] So yeah, Vonahi Security, we are an automated network penetration testing company. It mostly

[00:00:48] stemmed from me as a penetration tester for the last 10 years. And I just I've always

[00:00:52] had a passion for hacking and coding. And you know, traditional pen test engagements

[00:00:57] are really nice and stuff like that. But as a pen tester, there's a lot of deficiencies

[00:01:02] that I noticed in our processes. So there's a lot of things that we were continuously

[00:01:06] repeating. Like reporting, for example, took up a lot of time and even a lot of the activities

[00:01:11] that we were performing on the pen test. And so I started off with the process of just

[00:01:15] automating the reports, right? You know, I got tired of kind of copying and pasting

[00:01:18] the icons back in the forward and wanted to kind of create a process to automate that

[00:01:22] workflow.

[00:01:24] So you know, that's my stuff. You know what? We're people are hiring us, spend

[00:01:28] a lot of money to hack and pen test their networks and we're copying icons back

[00:01:32] and forward in the word doc. Like something seems a little off to me. So you know,

[00:01:38] it's so true.

[00:01:42] Yeah. So like, why does that cost me five minutes? This needs to be automated.

[00:01:46] This is ridiculous. We're hacking people for we're not automating copying icons.

[00:01:51] It's kind of weird.

[00:01:54] So so yeah. So basically, it started off with the report generation process where

[00:01:59] I wanted to trim down a lot of the time that I was doing, you know,

[00:02:02] spending with reports and make it more efficient.

[00:02:04] And then I kind of trickled into automating, automating a lot of the

[00:02:07] activities that I was performing as a as a pen tester.

[00:02:10] And it got to a point to where, you know, I eventually started automating

[00:02:14] everything that I was doing and no one on the team even noticed because

[00:02:17] the results were the same.

[00:02:18] I was just doing it a lot faster and no one else noticed.

[00:02:21] And that's kind of what trickled into the platform that we have now,

[00:02:23] which is called the pen test.

[00:02:25] And so we work with a lot of managed service providers to essentially allow

[00:02:28] them, you know, empower them to be able to perform penetration testing

[00:02:31] and get an exact same quality as you would from a traditional pen testing company.

[00:02:37] Excellent. You know, it's kind of funny.

[00:02:40] We all love the pen testing aspect.

[00:02:42] I've done a lot myself over the years and and it's the reports that you cringe

[00:02:46] at, but yeah, the clients are paying for the report.

[00:02:53] Exactly. You know, and it's so painful as a pen tester because,

[00:02:57] you know, like we love to hack.

[00:03:00] Yes. The last thing I want to do is sit behind a computer and

[00:03:03] fiddle around with a Word document.

[00:03:05] You know, you guys, you got executive summary, you've got charts.

[00:03:09] And then the QA person goes, hey, this should be a high, not a medium.

[00:03:12] And then you have to go back and fiddle around with numbers.

[00:03:14] And it's just like, what in the world is going on?

[00:03:16] You know, we're in 2015, 2016 at the time, we should not be doing this.

[00:03:21] Absolutely. So for those who are listening, you know, when we say

[00:03:25] pen testing, it's a short for penetration testing.

[00:03:28] And there's different aspects to it.

[00:03:30] And I'm curious which ones you touch upon.

[00:03:32] Like there's the external pen test, which is from the internet's perspective,

[00:03:36] hitting a firewall and, you know, the security perimeter.

[00:03:39] There's an internal pen test as if you were like you had access

[00:03:43] to an internal workstation or subling plugged in the network

[00:03:46] attached to the Wi-Fi network or whatever.

[00:03:49] And then there's there's yet another level of pen testing I call where

[00:03:53] you're you're in the know, you're a staff member.

[00:03:57] You've got access to passwords.

[00:03:59] You've got access to VPN, whatever it is, backdoors.

[00:04:02] And you're you're trying to see how far you can go with that.

[00:04:05] So which aspects do you touch on with your business?

[00:04:09] Yeah, so Vonahi Security, we still offer a traditional like manual

[00:04:13] web app testing, wireless testing, things like red team engagement,

[00:04:16] things like that.

[00:04:17] But the platform itself focuses mostly on network penetration testing.

[00:04:20] And as both internal and external.

[00:04:22] So you could basically use the platform to perform an external penetration test,

[00:04:25] which would be that, you know, just like you described,

[00:04:27] you know, we have our infrastructure that tries to attack

[00:04:30] the IP addresses based on what the partner puts into the platform.

[00:04:34] And then on the internal side, we also perform, you know, internal testing.

[00:04:37] And that just simply requires one single virtual machine to be deployed,

[00:04:41] which is typically a 30 minute process.

[00:04:43] And from that point on, we can perform internal testing.

[00:04:46] Excellent. That's amazing.

[00:04:48] And then you I've used your service.

[00:04:52] It's absolutely amazing, super easy.

[00:04:54] Love the the reports and everything, which is the best part about it.

[00:04:59] Tell me though, about what it means to you, the future of offensive security?

[00:05:04] What does that mean to you?

[00:05:07] Yeah, so honestly, automation is a big part of it, right?

[00:05:11] It's it's been an interesting process, just kind of, you know,

[00:05:14] taking a product to market and just kind of getting, you know,

[00:05:16] people's understanding of like what pentesting is currently today,

[00:05:20] what automated pentesting means to them.

[00:05:23] And I think the future of offensive security is going to be

[00:05:27] a lot of automated like tasks, right?

[00:05:30] There's more people that are coming out of school, making scripts and stuff like that.

[00:05:33] And there's going to be more companies like ours that pop up

[00:05:36] that are just basically taking all of these like ideas and mindsets

[00:05:40] and tools and putting them all together to create a workflow

[00:05:43] that saves everybody time to ultimately provide more value for the people

[00:05:47] that are looking to improve their security.

[00:05:50] And, you know, it's it's been very interesting because, you know,

[00:05:53] like five, 10 years ago when you when you mentioned things like AI,

[00:05:56] you know, it was just not the buzzword, right?

[00:05:58] Like, oh, here we go.

[00:05:59] Another one doesn't mean anything.

[00:06:00] But we have seen in the last few years that, you know,

[00:06:04] AI and automation actually does play a big part of like today, right?

[00:06:08] Like there's self-driving cars, all kinds of stuff.

[00:06:11] Yeah.

[00:06:12] And so when it comes to like pentesting and offensive security, you know,

[00:06:15] there is more there are more and more companies that need security,

[00:06:19] but there are less people every year to basically satisfy that demand.

[00:06:23] And so you think about just where the world is going today.

[00:06:25] I mean, the answer to that is automation, right?

[00:06:28] We need to implement more and more automated processes

[00:06:31] that can tackle this huge demand, but I'll have it to, you know,

[00:06:34] hunt and look for more and more people, you know,

[00:06:36] we're going to be having babies trying to do pentesting

[00:06:38] because, you know, we don't want to do automation.

[00:06:39] So it's definitely going to be a heavily automated, you know,

[00:06:44] industry in the future when it comes to offensive security.

[00:06:48] Absolutely. I'm kind of curious.

[00:06:50] This is just kind of a little side topic,

[00:06:51] but I get asked all the time by people about who they want to not

[00:06:55] just enter the IT field, but they're saying, you know what?

[00:06:57] I think I want to get into cybersecurity.

[00:06:59] What should I do?

[00:07:00] But then you're making this great comment here about how

[00:07:05] the future is getting very much into the automated aspect.

[00:07:08] But I'm thinking somebody still needs to know what they're talking

[00:07:12] about, understanding the forest from the trees and read those

[00:07:15] reports and action those items.

[00:07:17] If there are holes and some vulnerabilities and do that,

[00:07:20] we'll call it that risk management aspect of the report.

[00:07:26] So what are your thoughts on that?

[00:07:28] Do you feel that cybersecurity is going to be a growing field

[00:07:32] in terms of the number of people who enter it?

[00:07:35] But is it shifting what they're actually doing?

[00:07:37] Because the tools are becoming automated and you're not so much

[00:07:40] becoming the hacker, you're more interpreting the results

[00:07:44] and becoming a risk manager.

[00:07:46] Like I'm just curious if that even makes sense.

[00:07:49] Yeah, yeah, no, that makes that makes perfect sense.

[00:07:51] And so, yeah, there's two sides of it, right?

[00:07:53] So you have the consultants that are, you know, they're

[00:07:55] really good at like, you know, pentesting, you know,

[00:07:57] that's still going to be a thing to basically understand

[00:07:59] how pentesting works, understand the technical stuff behind it.

[00:08:02] There's going to be your security researchers out there

[00:08:04] that are trying to find the next, you know, vulnerability

[00:08:07] that hasn't been disclosed yet.

[00:08:08] So basically zero days.

[00:08:10] So you have a lot of people that are also kind of getting

[00:08:12] into that phase as well because, you know, traditional

[00:08:15] pentesting engagements are fun, but like to your point,

[00:08:17] it's being more and more automated.

[00:08:19] So security researching and bug bounty stuff like that

[00:08:21] is always like a fun, you know, thing for people to do.

[00:08:25] So I definitely think that there's still going to be room for that.

[00:08:27] And then also too, rather than doing certain things

[00:08:29] like network pentesting, you may see more people kind of

[00:08:31] going towards like application testing and red teaming

[00:08:34] and, you know, social engineering, things like that.

[00:08:37] So basically cover some other areas of cybersecurity

[00:08:39] that aren't necessarily as automated as a network

[00:08:41] penetration testing will be.

[00:08:43] But then also too, right?

[00:08:45] I think there's going to be a pretty big interesting shift

[00:08:48] when it comes to like coding because I know a lot

[00:08:49] of pentesters out there that are really good, but they can't

[00:08:51] code and that could potentially hurt them, right?

[00:08:54] So I think we'll see a shift because of more automation

[00:08:58] in the world and in offensive security that will start to see

[00:09:01] some coding courses also get kind of integrated into cybersecurity

[00:09:05] because I think that's going to really help shape the future

[00:09:07] of automation, right?

[00:09:08] Having people that know how to hack, having people that know

[00:09:10] how to code and having that generation of people like build

[00:09:14] the next way of automation to keep the process moving.

[00:09:22] You're listening to The Stack.

[00:09:24] Thanks to cybersecurity leader ESET for sponsoring the podcast.

[00:09:29] ESET delivers award winning cybersecurity technology to protect

[00:09:33] all aspects of your digital life with cutting edge expertise

[00:09:38] and advanced machine learning to secure Windows, macOS,

[00:09:42] and Android devices.

[00:09:44] ESET bundles antivirus, antispyware, device control,

[00:09:48] web filtering, two way firewall, anti spam, remote management

[00:09:53] and two factor authentication solutions and is a recognized

[00:09:57] leader in home and business cybersecurity solutions.

[00:10:01] What's in your stack?

[00:10:08] So I'm curious when you have a company like this, you're doing

[00:10:11] you're trying to automate all this pen testing.

[00:10:13] You got these reports you're keeping up with the zero day stuff.

[00:10:16] What give me a description of the types of people that you employ

[00:10:20] and your company and the types of roles like because obviously

[00:10:22] you're trying to keep up with this stuff.

[00:10:24] What like what are what are they doing?

[00:10:26] Are they actively changing your algorithms and what you're looking for?

[00:10:31] Do you have do you have things that are is it very like anti virus

[00:10:37] like where you've got signatures that you keep adding into a giant

[00:10:40] database that you're compiling or how much does the AI component

[00:10:43] play into this as well?

[00:10:46] Yeah, yeah, absolutely.

[00:10:47] So it's so basically our team, you know, we're very efficient, right?

[00:10:50] Anything that we find that we have to do twice in the manual

[00:10:54] like, you know, since I mean we want to automate that.

[00:10:57] And so typically for us, you know, that's kind of like our approach, right?

[00:11:00] What are we doing?

[00:11:01] What will we do as a manual pen tester?

[00:11:03] And what could we do from like what could we take from that

[00:11:05] and put it into the pipeline?

[00:11:07] So it's been a lot of our time on the security research side of things, right?

[00:11:10] We're looking for the next vulnerabilities that come out.

[00:11:12] We're looking for, you know, we scrape Reddit

[00:11:14] and, you know, all these other different, you know,

[00:11:16] feeds where security researchers kind of post content.

[00:11:19] And so for us, what we're constantly doing is just stand on

[00:11:21] the forefront of like what's new coming out?

[00:11:23] What new exploits?

[00:11:24] What are new tools that they were saying being published

[00:11:26] and how can we make our workflow a lot better?

[00:11:30] Right.

[00:11:30] So a lot of times as us developing our own tools or we see something

[00:11:33] new comes out, right, that combines two or three tools and it's more,

[00:11:36] you know, more efficient, more scalable things like that.

[00:11:39] But we'll kind of get that into the pipeline.

[00:11:41] So we spend a lot of time really just kind of, you know,

[00:11:43] keeping our eyes out in the industry to see what's coming out

[00:11:46] and how we could improve the product and the workflow of the process

[00:11:50] to provide more value to the partners.

[00:11:52] Amazing.

[00:11:54] Is there also an, and I don't know if you delve into it much,

[00:11:56] but the awareness, cybersecurity awareness and training aspect?

[00:12:02] Or do you just focus more on the automated tool and reporting aspect?

[00:12:08] Yeah, we did actually, this is like my very first few days of Vonahi.

[00:12:12] I try to get a little bit into the social engineering stuff,

[00:12:15] but, you know, there's just a lot of competition out there

[00:12:17] and just a lot of free courses and content and stuff like that in training.

[00:12:21] So we, I mean, we do offer some of those services, right?

[00:12:24] But we heavily focus on automated network pentesting because, you know,

[00:12:27] we're seeing a huge shift in the demand for penetration testing,

[00:12:30] especially when it comes to like cyber insurance.

[00:12:32] And so we were really focusing on bringing that to, you know,

[00:12:36] to the market and making sure that everybody has an ability

[00:12:40] to perform that test rather than having to spend all of their budget

[00:12:44] on a pentest from a traditional company.

[00:12:46] I love how you just brought up a keyword.

[00:12:48] I am noticing with a lot of the MSPs we deal with right now

[00:12:52] that a big topic is the cyber insurance.

[00:12:56] In fact, general insurance policies being able to be renewed by an organization,

[00:13:01] whether they're talking to a broker or whatever company,

[00:13:04] that there's a compliance aspect now.

[00:13:07] And I'm guessing you play into that extremely well

[00:13:10] to help organizations satisfy the requirements

[00:13:14] in order to be able to renew their annual insurance policy.

[00:13:18] Yep, exactly.

[00:13:19] Exactly. And that's it's like it's literally perfect timing for us to, right?

[00:13:23] Because before we were just, you know, like PCI, HIPAA, right?

[00:13:26] You know, pentest requirements, things like that, yearly assessments.

[00:13:30] But now with cyber insurance companies

[00:13:32] requiring that and even from like small businesses,

[00:13:35] you know, I can imagine that it's extremely difficult for small businesses

[00:13:38] who never used to do pentesting before

[00:13:40] because they didn't have to meet certain compliance requirements,

[00:13:42] but now having to because of cyber insurance, I can't imagine

[00:13:45] that, you know, they will have to go to traditional companies

[00:13:47] and pay tens of thousands of dollars for a pentest

[00:13:50] that should technically cost maybe, you know, one or two grand, right?

[00:13:53] Depending on the scope.

[00:13:54] So for us, it's literally perfect timing

[00:13:57] because we have a price point that's very, you know, reasonable

[00:13:59] for MSPs and smaller clients

[00:14:01] and being able to accomplish the same results.

[00:14:03] So it's perfect timing. It really is.

[00:14:06] That's amazing.

[00:14:07] I'm actually wondering how many people are using your service

[00:14:10] but still charging traditional rates.

[00:14:13] Yeah.

[00:14:15] Yeah, we we yeah, we try to like

[00:14:18] we try to work with our partners to offer it at a, you know, more affordable price.

[00:14:23] But I mean, you can't force right.

[00:14:25] But you know, because we're trying to drive

[00:14:27] like more people to do more testing, you know, because it's more affordable.

[00:14:32] So but, you know, unfortunately, that's just always going to be that

[00:14:35] the other batch that you know, they're like, oh, wow,

[00:14:37] it's time to capitalize on this opportunity.

[00:14:40] So but yeah.

[00:14:42] Too bad you can't get a cut of that.

[00:14:48] Yeah, right.

[00:14:50] So where what do you feel this?

[00:14:54] This is how I like to wrap up a lot of my podcasts

[00:14:56] and I'm kind of putting you on the spot.

[00:14:57] But what what's a single power tip or a piece of advice

[00:15:01] or something that you'd want to give to people as a takeaway?

[00:15:05] As you know, for.

[00:15:08] Well, it could be anything.

[00:15:09] It could be related to cybersecurity.

[00:15:11] It could be related to pen testing.

[00:15:12] It could be related to insurance, but some kind of tip

[00:15:15] that you think people should do something that everybody should do.

[00:15:20] Yeah, you know, I hate to drive this back to the product,

[00:15:24] but I definitely think that we're in a time right now to where,

[00:15:28] you know, happened to me cyber insurance stuff like that is becoming

[00:15:31] a big part of like our yearly requirements, just like that.

[00:15:34] So I would definitely just, you know, vet out the companies,

[00:15:38] you know, we're also in a phase of where like automated

[00:15:40] pen testing is kind of a, you know, people are kind of like,

[00:15:42] well, is that really true?

[00:15:43] Is that really a thing?

[00:15:45] And we do offer proof of concepts, you know, trials and stuff like that.

[00:15:48] So I would definitely encourage, you know, to take a look at that.

[00:15:51] But yeah, no, definitely check out the platform

[00:15:55] and, you know, we'd love to help out any possible way.

[00:15:57] Excellent.

[00:15:58] So what does a person do?

[00:16:00] They go to your website, they sign up for a trial account

[00:16:03] that is there any restrictions on the trial account or a time period

[00:16:06] or number of IP addresses?

[00:16:08] Like, what do you do?

[00:16:10] Yeah. Yeah.

[00:16:11] So basically, if they go to www.vonahi.io, you can sign up for a trial

[00:16:18] or a free proof of concept.

[00:16:20] You can do the trial whenever you want.

[00:16:22] Right.

[00:16:22] You can sign up today and not do the trial for another six months.

[00:16:24] Just kind of to you.

[00:16:25] The only limitation is really the IP addresses, right?

[00:16:27] So we do limit the IPs to roughly 25 IP addresses.

[00:16:31] Sometimes it goes a little bit over no big deal.

[00:16:33] But just to kind of let people understand, you know, that this

[00:16:37] is a penetration testing platform and just to kind of get to feel

[00:16:39] of like how the process works.

[00:16:41] But yeah, they can definitely sign up and do that for free.

[00:16:44] That is amazing.

[00:16:46] Well, thank you very much once again for joining.

[00:16:48] I mean, this is extremely valuable information

[00:16:51] and it's becoming so important that every single organization

[00:16:54] needs to be doing this.

[00:16:55] Absolutely. Yeah.

[00:16:56] Appreciate the opportunity as well.

[00:16:57] Great. Thank you.

[00:16:59] We hope you enjoyed this episode of the MSP Stack Podcast.

[00:17:03] Remember, if you liked it, hit thumbs up.

[00:17:06] If you didn't like it, hit thumbs down twice.

[00:17:09] If you'd like to be on the show, head on over to themspstack.com

[00:17:14] and click on the Be a Guest button.

[00:17:16] The stack is made possible through the generous support

[00:17:18] of MSP Corp.

[00:17:20] What's in your stack?
