Know your attacker: Speaking with Josh Kamdjou from Sublime Security
Reading time: 15 minutesWe're all aware of the age-old debate among those in cybersecurity circles about who's better, red team or blue team? The lighthearted "animosity" between red and blue teams can be fun, but the truth is, there is no benefit to picking sides, as both ultimately have the same goal — preventing cyber crimes.
We've written before about the importance of cooperation between the red team and blue team, and how essential they are for an effective security infrastructure. But today, we are talking with someone who successfully walks the line between the two, while running his own company.
Josh Kamdjou is using his knowledge as an offensive security practitioner to build the perfect defensive product to protect against sophisticated email-based attacks and detecting phishing domains. Josh and his co-founder, Ian Thiel, run Sublime Security, a company that was first intended to be a security consulting company. But thanks to Josh's innovative mindset, the direction of the company shifted to being a software company.
We met up with Josh in Washington, D.C., and talked about his uncanny ability to learn any programming language or technology in hours, how knowing his attacker (in this case, him) helped in running a cybersecurity company and, of course, who does he favor — red team or blue team?
SecurityTrails: Word is, you can learn any programming language or technology in just a few hours! How do you get "in the zone," and what's your process like when you start learning?
Josh Kamdjou: I always have a music playlist that I use to get in the zone. I use that playlist pretty much any time I need to be focused, and that can be either learning a new language or adding a new feature to the product. The music varies depending on my mood. Sometimes it's heavy rock/alternative rock and sometimes it's a very upbeat dubstep. It really depends on how aggressive I'm feeling that day!
You are from Washington, D.C., just as Andrew Morris, who we've also interviewed! Are you originally from Washington, D.C., or did the cybersecurity industry bring you here as well?
Josh: I was born and raised in this area! I know there are a lot of people who come to this area for cybersecurity — Virginia, DC, Maryland — they are the hottest places in the country for cybersecurity. I was fortunate enough to actually be here my whole life, and go to the University of Maryland.
You've been dabbling in IT fields since high school. Do you remember what made you gravitate toward it?
Josh: I was really good at it from the beginning. I started with generalized IT and learning how computers work, and from there I got into networking and how networks are set up. After that, I got into red teaming, playing around with Metasploit, and other offensive tools. It was at that time that I got hooked into the security field. It's a special feeling when you throw MS08 67 for the first time, which is this old school SMB exploit on the Windows OS. And it's crazy when you are in high school, and all of a sudden you have access to someone's machine — taking screenshots for fun and keylogging their boxes. Getting that early exposure to IT, security, and red teaming just hooked me completely. I knew from then, I wanted to be in the field. I was very lucky to have a safe environment both in high school and college where I could learn and put that knowledge to use.
When you realized you wanted to go in the direction of computer sciences and cybersecurity that young, did it change the social dynamics in your private life?
Josh: Oh yeah, I was absolutely a nerd in college! I spent a lot of time on my computer, programming and building random things, and sometimes on a Friday night, I wouldn't go out because of it. In those terms, it definitely affected the people I hung out with and my social circle, but at the same time, I try to keep a balance. I'm involved in sports, martial arts, football, soccer, and weightlifting. So that opens up my social circle and I have a lot of friends that are not nerds like myself. Having exposure to different circles of people and having different hobbies outside of the computer science field really helps.
Do you have any advice for young people who have an interest in cybersecurity, but due to the lack of exposure to it are unsure if it's the right path to take?
Josh: We are fortunate now to have a ton of resources for getting started in the cybersecurity field. There are lots of general cybersecurity courses, tutorials, guides, and materials available on e-learning platforms and online. You can learn how to start building a virtual machine setup for hacking, or how to setup your Kali VM for pen testing. My advice is to seek these resources, as there are a lot of materials available out there that are designed to appeal more to people trying to test the waters and see if they're interested in the field.
In college, you took some security focused classes. Tell us about your experience with cybersecurity at universities?
Josh: From the beginning, I was involved with our cybersecurity club. The degree program I was in, was a computer science program, and they didn't necessarily have anything cybersecurity related before my senior year, and even then the course material was fairly limited. There were network security and cryptography, but not much else. If you wanted to be involved in security, you really had to do it at your own will.
In addition to the cybersecurity club, there was a competition team I joined, that was basically all CTFs (Catch The Flag). We would compete in CCDC (Collegiate Cyber Defense Competition), which is a big national hacking competition. Currently, at the University of Maryland, there are many more cyber-focused classes, so it's easier to be involved.
My first and second years at Maryland were all extracurricular stuff, such as the above mentioned CTFs. I was really good at it, so I ended up leading the competition team for a couple of years and winning a bunch of tournaments. All of that was very motivating and increased my interest in the field.
We have to ask you the age old question. Red team or blue team?
Josh: I am red team for life!
Your background is mostly in offense, doing consulting as a pen tester. What were the most interesting projects you've worked on/things you've uncovered about people's attitude toward cybersecurity?
Josh: My experience in the field has largely been offensive cyber for the past 10 years. It's been a mix of government work and private consulting. The coolest projects I've done are in the government work, but I can't talk about any of that! On the private side, the coolest things I've worked on are the things you would read about in the news — a company getting hacked and compromised. Being able to replicate that with no access to a network is a really crazy feeling. Basically, I'm sitting at home connecting to multiple servers, with no access to this network. I set up my phishing campaign and hack into the web application, and within a week I have full access to the network, plus I'm getting paid for it. It's a really awesome feeling to be able to do that kind of thing, and to provide value to organizations so they can improve their defenses and don't get owned by people that actually want to do them harm.
- 3.5x more cybersecurity experts than anywhere else in the US
- Virginia is the first state in the ratio of cybersecurity jobs to residents by state; Maryland is second
- Largest concentration of university-trained cyber engineering graduates in the world
- Highest salaries in the nation for cybersecurity professionals
Your extensive work on the offensive side actually led you to becoming a defensive product builder. How did your journey toward that transition happen?
Josh: It was tough going from red team to blue team, offense to defense. The good thing is, having an offensive mindset and knowing how to beat the defense makes you a really good defender. It can get really tough because at offense, in order to win, you have to find that one way into a network. With defense, if you get it wrong just 1 time, you lose! The hardest part is definitely that mindset change. Defense is a thankless game. You're expected to stop all the attacks, but if you fail at that just once, then it's a complete failure and a total loss. Defense is harder in my opinion, but it's really important to be good at both.
In becoming a defensive product builder, particularly for spear phishing in the email security space, I've taken my years of doing offensive phishing campaigns and incorporated them into our defensive product. The really good thing about being a red teamer at heart is I'm constantly staying informed about red team techniques. Any time I see something new, I'm all over it, trying to find ways to incorporate it into our product.
Your technical knowledge gives you an upper hand when it comes to running a cybersecurity company, but how big of a part are soft skills there?
Josh: Soft skills are incredibly important, if not just as important as your technical skills when it comes to starting a company. As a founder, or a co-founder, if you cannot talk to people and articulate why your product matters, or how your product is solving your customers problems, it doesn't matter how good your product is. It doesn't matter how well you're detecting something, or how great your technology is, if you can't communicate that to people, there is no way you're going to win. It's a people game. You have to have those soft skills, to meet the right people and make the right connections in the industry.
Basically, I’m sitting at home connecting to multiple servers, with no access to this network. I set up my phishing campaign and hack into the web application, and within a week I have full access to the network, plus I’m getting paid for it.
You started your company, Sublime Security, as a security consulting company. What made you change the direction in which you took your company?
Josh: I had this lightbulb moment, where I realised that despite all the money being poured into email security, Google, Microsoft, and other competitors' products, I was still able to bypass those defenses in under a day. I would be able to start an entire campaign, send someone a phishing email in their inbox, and get them to click on something. I was thinking through the problems in the industry — and at that time there were companies being hacked left and right with phishing emails — trying to find what the crossover was with my experience. Since the problem hadn't disappeared and nobody was really solving the problem, I decided I would solve it.
All the companies that tried to solve this, including big companies like Microsoft and Google, were not approaching it in the right way, and weren't able to stop the really advanced attacks. What they were doing was great and necessary for spam and that kind of stuff, but as soon as you think about the more advanced hacks, which are indistinguishable on a technical level from a legitimate business email, they can't protect you.
My favorite type of phish is to imitate a business opportunity. If a target does business with other companies, and depending on what kind of business the target is, I will create a fake company and send a phish asking to do business together and offer a document with the requirements. That type of phishing is extremely hard to distinguish from a legitimate opportunity.
The problem I saw was, everyone was trying to filter emails before they got to the user. They were trying to make the binary decision of, are we going to drop this email and send it to spam, or are we going to let it through. Those binary decisions are where the problem was. I started to realise what needed to happen — we needed to arm users with better technology and knowledge, so they could make more informed decisions. People say it is the users who are at fault, but it's a technology problem. I'm a big fan of effectively training people in real-time, so users can identify phishing better and know what to look for.
What one should do, is inform the user if something is suspicious. So we provide security training at the point of attack, when a userfirst sees an email in their inbox. We use warning banners directly inside the email, to alert the user to signs of suspicion, and we tell the user why something seems suspicious — whether the sender was registered 2 days ago, or the display name looks like someone they know but it's not actually coming from them, or it has a link with very low reputation. And then we explain why those things are suspicious. We put those heads-up displays inside the email, and they're only displayed when something is suspicious. That allows us to flag really advanced forms of fishing, and allows the user to make an informed decision, instead of reading an email in their inbox and trusting it because it's not in the spam folder.
How did you realize it was the right moment for you to start your own product and company?
Josh: I approached some people in the industry about their problems with phishing. I explained my vision of building something that detected phishing and displayed signs of suspicion, and basically laid out how I wanted to build this product. People liked the idea and thought it sounded amazing! They said they were doing security awareness training, but it was only marginally effective, or it was effective but people were still clicking on phishing emails, so they were really excited to have this product. It was at that moment when I got customer validation, that I decided to start building the product
You're running Sublime Security with a partner, Ian. Did having someone by your side make everything easier and does it come with its own set of challenges?
Josh: It makes things infinitely better, especially because Ian is Ian. Ian is the best co-founder I could have ever imagined, as he has experience in both founding companies and in the very early stages of startups. He was basically building companies and making them successful, so having Ian by my side was incredibly important. His wealth of knowledge and experience in growing early-stage companies, finding product market fit, and doing sales, has allowed me to focus more on technology and making a better product. If it wasn't for him I would have to balance both, and this has allowed us to continue innovating, building a product, and adding value to it.
Starting a company is so damn hard, you really shouldn't take that decision lightly … You have to go all in, because otherwise there will be trade-offs, and if those trade-offs are not worth it to you, then there's your decision.
What advice would you give to someone looking into starting their company, but lacking the confidence to do so?
Josh: It depends on what they want in life.
Do you want to have your own vision for something and build it? You can't know you are ready to start a company, until you know if you want that.
The reason I say that is because starting a company is so damn hard, you really shouldn't take that decision lightly. Figure out what it is you want to build. Once you figure that out, then you need to start talking to customers before you start anything else. You need to talk to people to see and understand what their problems are, and if what you want to do is going to solve their problems. Once you have that set, you just have to do it! You have to go all in, because otherwise there will be trade-offs, and if those trade-offs are not worth it to you, then there's your decision.
What are some of the future plans for Sublime Security?
Josh: The most important plan is to perfect our current product offerings. We need to make our product the best solution out there, so our focus is making our customers happy and reducing user susceptibility to phishing. There are security awareness products with susception rates of 12% to 6%, but we want to bring that to 1% or zero.
One thing that we are doing, is opening up some of our internal tools, and showing how we do some of the analysis and our machine learning capabilities. We're going to create an API for researchers and other people, so they can do their own analysis.
Email based attacks facts
- The average email we analyze reviews over 330 distinct data points to identify an advanced phishing attack.
- On average, 1/2000 emails across our dataset are malicious.
- The average corporate mailbox across our dataset sees a targeted attack at least once every 55 days.
Do you have any of your own interesting projects you will be working on in the future?
Josh: I'm so focused on the company, that I haven't had time to think about personal projects. But if it has to be something, it would probably be getting back into top physical condition. Before I founded this company, I was in a lot better shape, but now I spend every waking moment working. I would really like to get more focused on staying in shape and growing as an athlete.
Josh represents the new wave of innovation and creativity that we need in our industry. If you want to follow him in his endeavours, follow him on Twitter and be sure to check out his company, Sublime Security.
Have you been enjoying our interview series? Tell us who you would like to see next and make sure you don't miss the next one! In the meantime, check out our [blog][blog] for more cool interviews and infosec topics.
