Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This podcast interview from Safety Talk #66 features Anant Shrivastava discussing offensive and defensive cybersecurity, the NULLCon conference, and how companies can discover different ways to protect their businesses from cyber attacks.
Guest Background
Anant Shrivastava: Founder of Cyfinoid Research
Experience: Both offensive and defensive cybersecurity, plus software development and operations
Conferences: Frequently speaks and delivers training at Black Hat, NULLCon and c0c0n, among others
Open Source Projects: Tamer Platform, Code Vigilant
Location: India
Community: Especially active in the NULL community; curates the Hacking Archives of India
Key Topics Discussed
NULLCon Conference Overview:
Conference Background:
Scale: One of the biggest information security conferences in India and South Asia
This year: About 3,000 attendees; registration for some events had to be closed because the venue was running out of space
Origins: Grew out of the NULL community in 2010
Community started: 2008, around the idea of sharing knowledge with peers
Founding idea: Some of the community's founders thought it would be a good idea to build a conference around it, and that is where NULLCon came into the picture
Conference running: Since 2010
2011: Anant first came to NULLCon as an attendee, later returned as a speaker, and has also run workshops there
Past couple of years: Helping the Payatu team, which runs NULLCon, with the overall organizational work
Review process: Also takes part in the background activities - what to run at the conference, how to run it, and new ideas that could draw a bigger crowd and raise awareness
Reach: Located in India but open to the global community
Anant’s Background:
Started working with computers: Around 1995
2000: First encountered Linux; started installing it on systems, configuring services, and reading Linux user groups and Yahoo groups online
2008: Entered the corporate world as a server administrator
2010: Moved into the security community and security domain, which felt like a natural extension of server administration
Motivation: Knew how to defend a server, but was more curious about what happens on the other side and what else is out there
Entry into security: This is also when he got involved in the NULL community
From the NULL community: On to a much wider set of communities
Experience: Ranges from server administration to developing software in PHP and Python, to full-time information security work over the past several years
Security work: Ranges from pentesting to red teaming to setting up pipelines for people (the whole DevOps area), and now focuses on supply chain security, the distributed web, and mobile
Conference Structure and Tracks:
Diverse Content:
Technical talks: One track covers the new and innovative things people are finding
Examples this year: A talk on UPI (Unified Payments Interface), a talk on biometric security, and a talk by someone who worked out how to open smart locks - the locks all spoke the same Bluetooth protocol, and once the right signals were found, every lock could be opened
CXO track: At the same time, another track is focused entirely on the executive side of the equation
CXO track topics: "Cloud exists - should my non-IT organization be dealing with cloud or not? Should government be going into cloud or not?"
Startup and entrepreneur community: Discussions ranging from "Should I even take funding from a venture capitalist?" to "What does a venture capitalist look for when funding a security startup?" to "How do you self-sustain and make money while building your own product?"
Parallel workshops: Hands-on activities ranging from lockpicking to soldering your own hardware badge
Exhibition area: Booths where organizations demonstrated their products
Could ask questions: Most booths had either the founder or technically inclined people present, not just marketing staff - real technical people answering questions and helping attendees use the tool better
Catering to the Entire Range:
From: "I want to get into the information security industry"
To: Someone who has been in the industry for a very long time and wants to refresh their skill set
To: Someone trying to upskill
To: Someone in an executive position - "I don't care how it works; is it going to work, and is it going to be useful for me?"
Entire range: That is what the conference covers
Additional Tracks:
Resume clinics: Help freshers and people just starting their careers get into good corporate jobs
CTF: The Winja CTF, the conference's signature CTF for about 7-8 years now
Focus: To nurture women in information security and bring more of them in
Why: The information security domain is short of women, and this is one way of bringing more women into the community
Everything for everyone: At least something for everyone
Offensive vs. Defensive:
Keynote Example:
This year's keynote: John Lambert from Microsoft
Opening of the keynote: An image of six different approaches you can take to defending yourself
Framing: In the classic sense, like medieval defense
Defense does not just mean: A helmet - it could also mean a shield or a barricade; each is a different symbol of defense
Knowing how to operate: In your own domain is one thing
Knowing how the other side operates: How they will react and act when you do what you do gives a better perspective on how to deal with things
At the end of the day: Infosec is not about breaking things
End goal of infosec: To secure the organization
With that approach in mind: The number of attacks you can mount against an organization helps no one if you don't know how to protect against them
Recovery and Detection:
Current Focus:
From the conference standpoint: Not just NULLCon but a large number of other conferences as well
Earlier wave: Prevention was the key factor
Right now: It is not recovery; it is detection that everyone is focusing on as the key criterion
The question being asked: How do I detect the attack?
No one is talking: About building whole layers of defense
Everyone's attitude: "The attack is going to happen, so why worry about building layers? Build a basic set of layers, then focus on detection - you should be able to identify when an attack has happened"
Recovery: Still not talked about much
Hope for change: The hacks on the Las Vegas casino chains (Caesars Entertainment and MGM Resorts) may bring recovery into focus - both were hacked and ransomed; one paid, the other did not and was still trying to get its business back up and running
Ransomware Reality:
If you pay the ransom: Say they want $25,000 for the key; you pay 25 grand, and now they say "We want another 10" - "Wait a minute, I just paid you" - "Well, you did, and now we know you've got the resources, so you'll pay more"
Ironic but true: Most ransomware operators are "ethical" in the narrow sense that if you pay, they give you the key
If they didn't: The whole scheme would fall apart - if everybody paid and nobody ever got their keys back, nobody would ever pay another ransom
CISA says: Don't pay the ransom - and you really shouldn't, because paying validates what they are doing and gives them more resources to pour into more attacks, cause more damage, wreak more havoc and make more money; it is a perpetual cycle
Having a good plan: In addition to good backups
Companies don't trust their backups: They don't want to take downtime on, say, a Saturday night to pull a system down, restore from backup and see if it works - they are afraid to do it
Attack Surface and Supply Chain:
Recklessness About Inputs:
Pet peeve: People in the IT industry (not just information security) are reckless when they start building things
Don't care: Where they source their inputs from - open source, commercial, whatever
Attack surface: Keeps increasing
Resources deployed: To deal with it keep decreasing
More attack surface: Means you are more vulnerable and have more fronts to defend
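The recklessness about inputs described above has a mundane counterpart: the dependency file nobody reads. The script below is an added example written for this summary, not code from the interview or the guest's projects. It audits a pip requirements file for versions that float, pinned versions with no integrity hash, remote sources not locked to a commit, and extra package indexes (a dependency confusion risk). The sample requirements and the hash values in it are constructed placeholders, and the format handled is one requirement per line.

```python
"""Audit a pip requirements file for dependencies whose origin or exact
content is not pinned down. Added example for this summary: the sample
requirements and the hash values are constructed placeholders, not real data."""
from __future__ import annotations

import re

# name[extras] followed by an optional version specifier, e.g. "requests==2.31.0"
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?"
    r"\s*(?P<spec>(?:===?|~=|!=|<=?|>=?)\s*[^\s;#]+)?"
)
_HASH_RE = re.compile(r"--hash=(?:sha256|sha384|sha512):[0-9a-fA-F]+")
_COMMIT_RE = re.compile(r"@[0-9a-fA-F]{40}(?:[#&]|$)")      # VCS ref pinned to a full commit
_REMOTE_RE = re.compile(r"^(git\+|hg\+|svn\+|bzr\+|https?://|file:)")


def audit_requirements(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, requirement, finding) for every risky line."""
    findings: list[tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            # A second index lets a public package shadow an internal name.
            findings.append((lineno, line, "extra index: dependency confusion risk"))
            continue
        if line.startswith("-"):
            continue                                  # other pip options, e.g. -r, --index-url
        if _REMOTE_RE.match(line) or " @ " in line:
            # Direct URL / VCS source: acceptable only if locked to a commit or a hash.
            if not (_COMMIT_RE.search(line) or _HASH_RE.search(line)):
                findings.append((lineno, line, "remote source not pinned to a commit"))
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append((lineno, line, "unparseable requirement"))
            continue
        spec = m.group("spec") or ""
        if not spec.startswith("=="):
            findings.append((lineno, line, "version not pinned with =="))
        elif not _HASH_RE.search(line):
            findings.append((lineno, line, "pinned version but no --hash"))
    return findings


# Constructed sample requirements file; the hash and commit values are placeholders.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0 --hash=sha256:{0}
urllib3==2.0.7
flask>=2.0  # floating version
pyyaml
git+https://github.com/example/tool.git@main#egg=tool
git+https://github.com/example/lib.git@{1}#egg=lib
""".format("a" * 64, "3f2c9b1e" * 5)


if __name__ == "__main__":
    for lineno, req, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {finding}: {req}")
```

Run against the constructed sample, the audit flags five lines: the extra index, urllib3 (pinned but unverifiable), flask and pyyaml (floating versions) and the tool checkout tracking a branch; the hash-pinned requests line and the commit-pinned lib checkout pass. The point is not the regexes but the habit: every input gets a known origin and an exact, verifiable identity before it reaches a build.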
Turnkey Solutions:
Information security industry: Going forward, it needs to look at turnkey solutions, or solutions that actually give smaller entities a basic set of security
Right now: A large number of companies don't even support SSO authentication as a basic feature, even on paid tiers
SSO: Is almost always an enterprise feature, or sits in a highly priced tier
Cyfinoid Research:
Company Overview:
Research-based company: Started from the idea that many topics are left unresearched because people in the corporate world are too focused on protecting their own assets, and people in consulting are too focused on finishing one project and moving on to the next
Deep-dive research: Into what gets missed
Primary area: Research
Key areas: Android, the distributed web and web applications
Trainings: Whatever comes out of the research is what is now offered as training
Key Insights:
NULLCon is one of the biggest information security conferences in India and South Asia
The conference caters to the entire range, from beginners to executives
Understanding both the offensive and the defensive side is crucial
The current industry focus is detection, not prevention or recovery
Attack surface keeps increasing while defensive resources decrease
Smaller entities need turnkey solutions
The conference fosters entrepreneurship; many attendees go on to start their own companies
eBPF has huge potential for defense
Communities are abundant; join as many as you want
Cyfinoid focuses on research-based trainings covering both attack and defense
Actionable Takeaways:
Attend conferences like NULLCon to get exposed to diverse topics
Join multiple communities; don't limit yourself to one
Focus on detection, not just prevention
Understand both the offensive and the defensive perspective
Keep your attack surface minimal
Test backups regularly; don't just assume they work
Don't pay the ransom; have a recovery plan instead
Note down interesting things you hear at conferences and explore them later
Make connections; they help later
The field changes dynamically, so stay updated through communities and conferences