The rise of cyberthreats, in both scale and technique, has brought increased attention to and demand for cybersecurity. However, academia and the publication of academic papers struggle to keep up with the frequent shifts in trends and methods. Coupled with the fact that many people interested in cybersecurity are working professionals who may not have the time to read lengthy academic papers, we are seeing more people turn to conference talks and blog posts for this information.
Patrik Hudak, a young cybersecurity researcher and developer, has written a master thesis that shines a new light on cybersecurity and introduces new techniques to the academic field.
Patrik has also started a blog on this topic, conveying the information he presented in his master thesis in a less formal and more easily accessible way for a wider audience. All of this while taking part in numerous bug bounty programs and running his own company, Aleph Infosec.
We met up with Patrik while he was attending BlackHat Asia in Singapore and talked with him about his blog, the most interesting bug bounty programs, and what the cybersecurity industry is like in his home country, Slovakia.
SecurityTrails: You are from Slovakia. How is the cybersecurity industry in your country in contrast to America?
Patrik Hudak: It's very poor here. I'm originally from Slovakia, but I studied in the Czech Republic, which is a little different in that sense, but not much. Companies in Slovakia and the Czech Republic are not at all worried about cybersecurity. I do know some people working for banks and insurance companies here, but they do not have anything like US companies have in terms of cybersecurity.
For that reason, I was very lucky to work at Honeywell and see things in action, since that wouldn't have been quite as possible if I had been working for any Slovakian company. I'm also very skeptical of any European company being on the same level as a US one. For companies here, it's buried money — investing in cybersecurity doesn't bring any profit, and that's the main goal here. The mentality is different — data breaches don't happen often, and they don't get the deserved PR and media coverage when they do. That's definitely one of the reasons why US companies are more aware and proactive in investigating cybersecurity.
You graduated last year and your master thesis was noted as one of the best cybersecurity theses. Could you tell us more about the topic of your master thesis?
Patrik: My thesis involved the analysis of some interesting DNS data that I had been researching for half a year prior to writing it. The thesis focused on two main topics. One of them was subdomain enumeration — being given a domain name and finding all of its subdomains using different sources and different techniques. I chose this topic because in the academic world there are not a lot of publications aimed toward explaining, or giving a formal description of, the technique. I was working with a couple of DNS data sets that were freely available; however, there were no public techniques or explanations on how to use these data sets for subdomain enumeration. I explained a couple of enhancements and additions to the techniques that I was aware of. That was one part of the thesis.
The second part was aimed towards subdomain takeovers and misconfigurations on DNS servers that allow third parties or malicious parties to host old content on a subdomain belonging to another company. When you set up your DNS records, you use a CNAME record for your subdomain and point it to a cloud service, for instance. You then release or delete the instance of this service in the cloud, and the DNS record stays in place. Anybody can register the same cloud instance as you and control what you have on this domain.
That was the main focus of the thesis. But the most interesting part, next to the research itself, was the fact that there wasn't any formal writing on subdomain takeovers. So I sort of wrote the first formal writing on that topic and provided an Internet-wide scan of subdomain takeovers that I was able to find using the same data sets that I used for the enumeration.
[Figure caption: Distribution of cloud providers that domains vulnerable to subdomain takeover had set in their CNAME records. The scan looked at 30 million CNAME records, of which around 12,000 were vulnerable to subdomain takeover.]
I provided some interesting results on subdomain takeovers at NASA and other high profile companies, such as Intel and Microsoft. This was one of the main reasons my thesis got awarded, as it was academic in one sense, but was also transforming these topics into something practical using the scans and providing some meaningful results in the end.
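The dangling-CNAME condition Patrik describes above (a subdomain whose CNAME still points at a cloud resource that has since been released) is something a zone owner can audit for directly. The following is an added example, not code from the interview, the thesis, or Aleph Infosec; it uses a constructed zone and a constructed resolver table so it runs offline, and the provider suffixes it classifies are hypothetical labels, not real cloud hostnames. It flags every CNAME whose target no longer resolves, which is the same signal an automated monitor would raise before a human verifies it.

```python
"""Audit a DNS zone for dangling CNAME records (subdomain-takeover candidates).

Added example: constructed data throughout, not the thesis's own tooling.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone snapshot: owner name -> (record type, record data).
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":      ("A",     "203.0.113.10"),
    "shop.example.com":     ("CNAME", "shop-prod.vm.cloud-a.example.net"),
    "old-blog.example.com": ("CNAME", "old-blog.pages.cloud-b.example.net"),
    "cdn.example.com":      ("CNAME", "d1234.edge.cloud-c.example.net"),
}

# Constructed view of what a public resolver answers for the CNAME targets.
# old-blog's target is deliberately missing: the cloud page was deleted,
# so the target now returns NXDOMAIN while the CNAME still points at it.
RESOLVER_TABLE: Dict[str, str] = {
    "shop-prod.vm.cloud-a.example.net": "198.51.100.5",
    "d1234.edge.cloud-c.example.net":   "198.51.100.77",
}

# Hypothetical provider suffixes used only to bucket findings the way the
# thesis's distribution chart does; real audits map real provider domains.
PROVIDER_SUFFIXES: Dict[str, str] = {
    ".vm.cloud-a.example.net":    "cloud-a (virtual machines)",
    ".pages.cloud-b.example.net": "cloud-b (static pages)",
    ".edge.cloud-c.example.net":  "cloud-c (CDN)",
}

Resolver = Callable[[str], Optional[str]]


def static_resolver(table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a name -> address table (None = NXDOMAIN)."""
    return lambda name: table.get(name.rstrip(".").lower())


def live_resolver(name: str) -> Optional[str]:
    """Resolve against the system resolver; swap this in for a real audit."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def provider_of(target: str) -> str:
    """Classify a CNAME target by its (hypothetical) provider suffix."""
    for suffix, label in PROVIDER_SUFFIXES.items():
        if target.endswith(suffix):
            return label
    return "unknown"


def find_dangling_cnames(zone: Dict[str, Tuple[str, str]],
                         resolve: Resolver) -> List[Dict[str, str]]:
    """Return every CNAME in `zone` whose target no longer resolves.

    A non-resolving target is the necessary condition for a takeover: the
    owner's record still delegates the name, but nothing answers for it.
    Whether the provider lets a stranger re-register that exact target is a
    separate, manual check (the proof of concept Patrik mentions).
    """
    findings: List[Dict[str, str]] = []
    for owner, (rtype, data) in sorted(zone.items()):
        if rtype != "CNAME":
            continue  # only CNAME delegation creates this misconfiguration
        if resolve(data) is not None:
            continue  # target still answers; record is in use
        findings.append({
            "subdomain": owner,
            "cname_target": data,
            "provider": provider_of(data),
        })
    return findings


def format_alert(finding: Dict[str, str]) -> str:
    """One-line alert suitable for a notification channel."""
    return (f"dangling CNAME: {finding['subdomain']} -> {finding['cname_target']} "
            f"[{finding['provider']}] target does not resolve; verify manually")


if __name__ == "__main__":
    for f in find_dangling_cnames(ZONE, static_resolver(RESOLVER_TABLE)):
        print(format_alert(f))
```

Run as-is, the script reports only `old-blog.example.com`; `shop` and `cdn` still resolve and are skipped. Replacing `static_resolver(RESOLVER_TABLE)` with `live_resolver` turns it into the periodic monitor described later in the interview, and the reason that monitor produces false positives is visible in the design: NXDOMAIN on the target is the trigger, but the record is only takeover-able if the provider permits re-registration of that exact name.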
During your education, did you know which direction you'd go after graduation or did you choose to go with the flow?
Patrik: I knew it from the beginning, since back in 2013. I started working for a security operations center immediately after starting school. Right from the beginning, I was in the security world working on incident response, digital forensics, and creating automation for various security tasks. I was working for Honeywell, one of the most developed security centers in the region where I was based, maybe even in all of Europe, as companies here are not as worried about cybersecurity as companies in the US are.
Honeywell is actually a US-based company, so it kind of makes sense that it was that developed in that area, since management directions were coming from the US. I was very lucky to be in that kind of environment. I got good practice and a chance to learn from highly skilled people.
I started with general computer science in university, and from there I kept gradually moving toward cybersecurity. I'm definitely interested in other areas of IT. I'm still learning about them, but with the main focus remaining on cybersecurity and development.
While waiting to finish your degree, you started a blog that attracted a lot of attention from the industry. Was there a specific incident that got you to start your blog?
Patrik: Before I finished my degree, I had a couple of free months while waiting for the date of my final exam, and my master thesis was getting good reviews from my advisors. I was thinking of ways I could propagate research from my thesis to the general world. I knew most people don't like to read 80 pages of PDFs, so I figured I could start a blog and write about the things I worked on in my thesis.
At that time, I was researching the DNS and thought the best things to write about were the things I was already learning about. There were articles on the Internet about that topic, but none as advanced as what I intended to write. The post that got the most attention was about subdomain takeovers. I knew those would be good articles to write, since there weren't many written before. I knew the research I presented was the most advanced one online. At the same time, I started doing bug bounty, so it was an interesting intersection. A lot of people from the bug bounty community started reading the posts, writing to me, and asking questions. From there, I kept moving forward and the blog is still active now.
How did you get started with bug bounty programs?
Patrik: To be honest, I wanted to generate some money from my research. As I said before, I found subdomain takeovers on NASA's websites, and knew that it would be valuable for the bug bounty programs to find those kinds of bugs. At that time, there were a couple of bug bounty programs where subdomain takeovers were reported. There were only a few of them per year, much lower in scale, but at the same time they paid really well because the impact of subdomain takeovers can be pretty severe.
Basically, I started to periodically monitor domains that were part of bug bounty programs, all fully automated. For weeks I did nothing, as I had this tool that, as soon as a subdomain takeover popped up, notified me on my phone so I could check it manually. There were two to three alerts per week, and most of them were false positives. When I got alerted, I checked them. For most of them, I couldn't produce a proof of concept, which is required for a report to be approved.
My first bounty was in April 2018, when I was alerted for one of the Starbucks domains. I looked at the alert and thought it was another false positive. However, when I tested it, it worked! That was the first time I got my proof of concept. I felt a big rush of adrenaline and immediately submitted a report to Starbucks, and then waited. They verified the report and confirmed it was the problem, but said they would get back to me. Nothing much happened for two months and then, out of the blue, they said, "Yeah, it's fixed now, you have a $2000 bounty." I thought it was amazing to have this award while basically doing nothing different than what I did in my thesis — putting interesting domains into the tool that could bring revenue. The automation ran day and night, so there was not much time spent on it on my part. I started digging more into bug bounty. I knew there were many programs that had reports about cross-site scripting and SQL injection, but those were some basic ones. So I started learning about other ones, since subdomain takeovers are just a small portion of the bug bounty reports.
Aleph Infosec is a startup that focuses on automation for SOC teams, security consulting, and company security in general. What is the story behind starting the company?
Patrik: In the past, I had multiple offers to do one-time security related jobs. Since I am pretty efficient in programming, the tasks usually included some sort of automation. After talking with people in the industry, I realized that many SOC teams are lacking automation in their processes. That was the main drive for starting a company that focuses on helping SOC teams automate their day-to-day activities and provide better and faster results. We are currently helping some major European companies to improve their cybersecurity processes.
How did you incorporate your previous knowledge of working on different projects and being a bug bounty hunter into starting your own company?
Patrik: I am technically skilled in multiple areas, but I also think that I can explain difficult ideas to non-technical people in a clear way. For the day-to-day running of the company, I had a basic knowledge of marketing and sales, which helped me a lot in the beginning. At the same time, I have many friends whom I can ask questions if I'm unsure of things. Many of them are also running their own companies. It was hard in the beginning, but the environment in Slovakia at the moment is good for me, due to the number of people I know here who can help me. It might sound counterintuitive, since I was based in the Czech Republic, but most of my connections are in my home country, which is the reason my company is still based there.
You are currently interested in OSINT, threat intelligence, and automation of security processes, but you come from a different background. How did your background as a software engineer help you with your accomplishments in cybersecurity?
Patrik: When I started my degree, I had been learning software development for a couple of years. While I was still in high school, I was attending programming fairs and contests, and I had learned coding on my own around the age of 13. I enjoyed working on it for fun and building some projects, but nothing to do with security.
At college, when I worked for Honeywell, I worked primarily on automation. I got good use of my software development skills, but at the same time, I started learning about security operations like incident response and forensics. That's where I found a new learning path, but I never really stopped learning about software development. For me, it just made more sense to focus on security automation, because it's growing in importance and will continue to grow in the future. Many companies are employing their own security teams, due to security issues they can't handle manually. Automation is helping them run it more efficiently and saving costs in head count.
You are often invited to cybersecurity conferences such as DEFCON and BlackHat. What is your favorite experience you got from attending?
Patrik: Last year, I was not only attending, but also presenting at a conference called CyberThreat 2018, organized by SANS and NCSC, which was held in London. While still working for Sweepatic, we submitted a talk about subdomain takeovers. It was a very good experience to present at a conference that was aimed more towards advanced cybersecurity topics — a more upscale conference in a sense. It was a humbling experience to stand in front of 500 people and present your findings.
You were just at BlackHat Asia in Singapore. What were the best talks you listened to this year?
Patrik: To be honest, I spent most of my time talking with other people at BlackHat. I visited only a few talks. The one I really enjoyed was called "CQTools: The New Ultimate Hacking Toolkit."