<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Carole Winqwist</title>
    <description>The latest articles on DEV Community by Carole Winqwist (@cwinqwist).</description>
    <link>https://dev.to/cwinqwist</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F216537%2Faaf99f95-08f2-45b3-9ba0-e0a6662a2928.jpeg</url>
      <title>DEV Community: Carole Winqwist</title>
      <link>https://dev.to/cwinqwist</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/cwinqwist"/>
    <language>en</language>
    <item>
      <title>Scaling a marketing team in a BtoB start-up post series B</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Mon, 30 Jan 2023 10:36:24 +0000</pubDate>
      <link>https://dev.to/cwinqwist/scaling-a-marketing-team-in-a-btob-start-up-post-series-b-11j3</link>
      <guid>https://dev.to/cwinqwist/scaling-a-marketing-team-in-a-btob-start-up-post-series-b-11j3</guid>
      <description>&lt;p&gt;A year ago I was looking back at my first year at &lt;a href="https://www.gitguardian.com/"&gt;GitGuardian&lt;/a&gt;, a cybersecurity start-up developing cybersecurity solutions and &lt;a href="https://medium.com/@CWinqwist/cmo-at-a-fast-growing-btob-start-up-adding-boosters-to-the-rocket-fa4377ff15b8"&gt;summarized some lessons learned&lt;/a&gt; from this experience. I have now completed the second year in the CMO role and I thought why not do it again? Scaling an organization is definitely a thrilling journey and time flies so fast doing it that you never really realize how much was accomplished until you take the time to stop and look.&lt;/p&gt;

&lt;h3&gt;
  
  
  A bit of context
&lt;/h3&gt;

&lt;p&gt;GitGuardian now has 100 employees and the marketing team grew in the same manner: we started 2022 with 8 team members and we are now 14. The ARR was multiplied by 2 and the marketing budget increased by 60%.&lt;/p&gt;

&lt;p&gt;Our customer base has evolved a bit towards larger accounts, and therefore longer funnel times. Multi-touch is more than ever our bread and butter.&lt;/p&gt;

&lt;p&gt;In the meantime, the sales team and the product team also grew; consequently, the number of interactions and the need for alignment followed the same curve.&lt;/p&gt;

&lt;h3&gt;
  
  
  Team wise
&lt;/h3&gt;

&lt;p&gt;We made it! The team almost doubled. We did not change the overall team structure; we still have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A growth/demand gen team&lt;/li&gt;
&lt;li&gt;A content team&lt;/li&gt;
&lt;li&gt;A product marketing team&lt;/li&gt;
&lt;li&gt;Support functions: design, web, data&amp;amp;ops&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The major changes are:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Adding a mid-manager for the Growth Marketing team&lt;/li&gt;
&lt;li&gt;Adding a full-time resource for Data&amp;amp;Ops&lt;/li&gt;
&lt;li&gt;Internalising SEO&lt;/li&gt;
&lt;li&gt;Doubling similar positions&lt;/li&gt;
&lt;li&gt;Adding a full-time resource for field marketing&lt;/li&gt;
&lt;li&gt;Having the first team members in different time zones&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Here is the new organizational structure:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GwSJq7sO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2AbseYWUFBbb4RC0VB" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GwSJq7sO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2AbseYWUFBbb4RC0VB" alt="" width="800" height="449"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Marketing team structure&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Agencies are still used for Press Relations and for Analyst Relations. If you still wonder what to keep internally and what to externalize, here is an &lt;a href="https://newsletter.mkt1.co/p/agencies"&gt;excellent article&lt;/a&gt; on the topic.&lt;/p&gt;

&lt;p&gt;The objective of the year was also to double resources on similar roles while acquiring missing competencies. With this approach, you reduce the risk linked to turnover, you get rid of a lot of bottleneck issues and you improve the team’s expertise. And if you hire well you can build a great team of experts. As a manager, you have to &lt;a href="https://hbr.org/2015/06/leading-people-when-they-know-more-than-you-do"&gt;learn to lead people who know more than you&lt;/a&gt; on their specific subject. Let go of “you know it all”; don’t worry, you are also becoming an expert in complex system management!&lt;/p&gt;

&lt;h3&gt;
  
  
  Tech Stack wise
&lt;/h3&gt;

&lt;p&gt;No big changes there, as we already had a solid ground to build on. We added small tooling to automate and gain efficiency.&lt;br&gt;&lt;br&gt;
Zapier + N8N for most automation proves to be a very powerful stack that will let us scale through series B. However, we are starting to invest in a modern data stack, with the help of the Operations and Data engineering teams, with the implementation of Snowflake. The data warehouse will be essential to lift future blockers, such as attribution, lead scoring, and analyzing complex multi-touch funnels at the company level. One thing we tried was to deploy an outbound platform, Salesloft, and unfortunately it has not been a success. The vendor oversold its integration capabilities and the resulting processes were cumbersome, which is the opposite of what you want when dealing with outbound involving sales time…&lt;/p&gt;

&lt;h3&gt;
  
  
  Adding a layer of management
&lt;/h3&gt;

&lt;p&gt;Growing your team will of course mean adding a layer of middle management. Based on experience, I think a middle manager should manage at least 3 people. Below this number, the value added by the additional layer is questionable.&lt;/p&gt;

&lt;p&gt;When you add a mid-manager to the team, you’ll have to rebuild your RACI and evolve your rituals to leave enough autonomy to the newly promoted or hired manager. On the other hand, you want to avoid the development of silos.&lt;/p&gt;

&lt;p&gt;We found good solutions to deal with this. First, we kept our dailies with the whole team, but we created Slack channels for people to asynchronously tell the rest of the team what they will tackle during the week and, on Fridays, what they actually delivered. The daily meetings are kept to discuss open questions, adjustments, alignment and so on. It still works with 14, but I realize it will have to evolve at some point as we continue to grow.&lt;/p&gt;

&lt;p&gt;The second solution aims at keeping a communication channel between team members and the CMO. We have put in place skip-level meetings. Every other month, each team member has a one-to-one with me during which we address topics like company strategy, career path, advice, etc. It is a way for me to keep direct contact, but also for the team members to get unfiltered feedback or information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Deploying Career Ladders
&lt;/h3&gt;

&lt;p&gt;Finding the right profiles is quite difficult, so you want to retain them. Giving visibility on a career path is a critical component of people’s motivation. Laying out the different steps and what is expected, both in terms of soft skills and technical expertise, is a very interesting exercise.&lt;/p&gt;

&lt;p&gt;We have developed a marketing career ladder for each of the main roles, starting from an engineering ladder that contained most of the soft-skill elements and adding all the elements related to technical skills. It is true that marketing has very different profiles, each in small numbers, but I still believe that giving a clear vision of the progression path is worth the effort.&lt;/p&gt;

&lt;p&gt;This tool helps each team member, and even myself (I built my own ladder :-) ), get a growth mindset, imagine their future, understand where they are at a given moment and take ownership of their progression. If you know where you sit on your career path, you can set and work towards goals that will take you to the next level.&lt;/p&gt;

&lt;p&gt;It also gives a more meaningful basis for career progression conversations and allows better comparison, as the elements are objectively presented.&lt;/p&gt;

&lt;p&gt;I did not find many resources or templates on marketing career ladders, so feel free to reach out if you are interested in discussing this topic further.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2xDhRQqo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2AxlACZQiI5F6YgzDt" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2xDhRQqo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2AxlACZQiI5F6YgzDt" alt="" width="800" height="347"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Marketing career ladder in Notion&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Assessing your tactics’ maturity
&lt;/h3&gt;

&lt;p&gt;In 2021 we activated most tactics available, and in 2022 we were able to run them, experiment and assess their effectiveness. As a post-series B company we need to balance innovation and optimization. The team members have to master both approaches, and the ladder mentioned above helps outline the missing skills. It is also the right moment to assess our tactics’ maturity and set objectives to move them up the maturity ladder.&lt;/p&gt;

&lt;p&gt;We use a 5-phase scale:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Experiments&lt;/li&gt;
&lt;li&gt;Positive signals&lt;/li&gt;
&lt;li&gt;Repeatability&lt;/li&gt;
&lt;li&gt;Operationalize&lt;/li&gt;
&lt;li&gt;Fully integrated&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For each tactic, we evaluate where we are and what is missing to move to the next phase. This assessment is done quarterly and allows us to set clear objectives and action plans to improve the overall engine.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_OxhEwPN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2APrOoSy8zzWssiZdr" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_OxhEwPN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2APrOoSy8zzWssiZdr" alt="" width="800" height="363"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Tactic assessment in Asana&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;An interesting example is SEO, for which we started with an agency until we hired a team member who could take it from where it was and operationalize it completely. The approach has been successful: we have been able to benefit from the internalization (better understanding of the offer, the content available and audience dynamics) while building from an already solid situation.&lt;/p&gt;

&lt;h3&gt;
  
  
  Accelerating your production volume
&lt;/h3&gt;

&lt;p&gt;Adding fuel to the engine, both in dollars and in people’s time, should translate into production volume. Beware of meeting sprawl: push people to work asynchronously, and meet only when a decision or discussion is absolutely needed. It is important to revisit some of your processes and spot elements that generate inefficiency.&lt;/p&gt;

&lt;p&gt;I like to say that marketing is like a factory: we need constant output and flawless production. To get there you need to make sure you have quality checks, emergency management capacity and a deep understanding of your data. This is why we have an operations and data team member. At first, this resource should cover your “run”, ensuring everything works smoothly, and then do some “build”. You can even externalize some of the build to gain time and, once the POC is proven efficient, internalize the run. In 2023 we will test this for BDRs and for intent management.&lt;/p&gt;

&lt;h3&gt;
  
  
  Finetuning your measuring
&lt;/h3&gt;

&lt;p&gt;Piling up data year over year allows you to fine-tune your models. One of the most complex models in a BtoB enterprise environment is the North Star metric one. Finding the right elements to create your prediction model is not an easy task. If you are interested in this subject I suggest you read &lt;a href="https://kellblog.com/"&gt;Dave Kellogg’s blog&lt;/a&gt;, he is an expert! Building your model will help with marketing and sales alignment and will outline your business dynamics: close rate, deal size thresholds, lead time, and conversion rates. Setting marketing objectives and predicting sales outcomes is not an easy task and needs ongoing refinement. As the team leader you have to keep an eye on the score, and so does your team, but don’t forget that you won’t win the game unless you focus on the game itself.&lt;/p&gt;

&lt;h3&gt;
  
  
  Looking ahead
&lt;/h3&gt;

&lt;p&gt;I think a team is an ecosystem that needs some time to adjust to new components. This is why you should be mindful of keeping some pauses between big waves of hires, in order to stabilize and have everyone fully operational before you grow again. In 2023 we aim at growing our ARR another 2x, so back to work, full steam ahead!&lt;/p&gt;

</description>
      <category>cmo</category>
      <category>btobmarketing</category>
      <category>startup</category>
      <category>marketing</category>
    </item>
    <item>
      <title>The State of Secrets Sprawl 2022</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Fri, 11 Mar 2022 09:25:30 +0000</pubDate>
      <link>https://dev.to/gitguardian/the-state-of-secrets-sprawl-2022-ah3</link>
      <guid>https://dev.to/gitguardian/the-state-of-secrets-sprawl-2022-ah3</guid>
      <description>&lt;p&gt;Today we, at GitGuardian, are happy to release the 2022 edition of the State of Secrets Sprawl.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://res.cloudinary.com/da8kiytlc/image/upload/v1646148528/GitGuardian_StateOfSecretsSprawl2022.pdf"&gt;Download the report&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Our previous edition, which has become the reference on secrets leaks, aimed at answering a simple question: &lt;strong&gt;how big of a problem is secrets sprawl on public GitHub?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We concluded that the problem was not only growing at &lt;a href="https://blog.gitguardian.com/state-of-secrets-sprawl-2021/"&gt;a very fast pace&lt;/a&gt; but also that most leaks happen out of sight of companies' security teams.&lt;/p&gt;

&lt;p&gt;The figures this year confirm this trend and even show that the phenomenon is probably underestimated: &lt;strong&gt;in 2021, our monitoring of public GitHub revealed a two-fold increase in the number of secrets leaked, reaching just over 6M&lt;/strong&gt;. On average, 3 commits out of 1,000 exposed at least one secret, a 50% increase compared to 2020.&lt;/p&gt;

&lt;p&gt;But that’s not all: &lt;strong&gt;with this edition, we wanted to push the analysis further&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Leveraging our unique position as the &lt;a href="https://github.com/marketplace?category=security&amp;amp;query=sort%3Apopularity-desc"&gt;leading secrets detection platform&lt;/a&gt;, we wanted to get to the bottom of the situation faced by IT professionals. For this, we conducted an in-depth study on the state of secrets sprawl in &lt;strong&gt;corporate repositories&lt;/strong&gt;.&lt;br&gt;
Monitoring thousands of repositories in real-time and scanning the entire history of corporate codebases provided us with the data to depict a realistic view of the state of application security in the DevOps era.&lt;/p&gt;

&lt;p&gt;If there is a single conclusion to be drawn from it, it is that the amount of work required for both remediating real-time incidents and investigating leaks detected in the git history (which can still represent a threat) &lt;strong&gt;far exceeds current AppSec teams' capabilities&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Xst6xPDn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n6uhy86c1k3puy0jobv2.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Xst6xPDn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n6uhy86c1k3puy0jobv2.jpeg" alt="State of secrets Sprawl quote" width="880" height="515"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://res.cloudinary.com/da8kiytlc/image/upload/v1646148528/GitGuardian_StateOfSecretsSprawl2022.pdf"&gt;Download the report&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When compared to open-source corporate repositories, private ones are also &lt;strong&gt;four times more likely to expose a secret&lt;/strong&gt;, reinforcing the idea that they convey a false sense of secrecy.&lt;/p&gt;

&lt;p&gt;The historical volume of secrets-in-code, coupled with their constant growth, &lt;strong&gt;jeopardizes the remediation capacity of security teams&lt;/strong&gt;, primarily application security engineers. This, in turn, puts the whole transition process to DevSecOps at risk.&lt;br&gt;
The challenge for companies is therefore to address the threat of secrets sprawling while avoiding overworked teams. In our experience, the best way forward is to move towards a &lt;strong&gt;collaborative prevention&lt;/strong&gt; model between AppSec and Developers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What you will find in the report:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What's the growth rate of the secrets sprawl phenomenon on public GitHub?&lt;/li&gt;
&lt;li&gt;How frequent are cloud providers' credentials leaks?&lt;/li&gt;
&lt;li&gt;Is the increase in detected credentials a sign of growing popularity?&lt;/li&gt;
&lt;li&gt;How many Docker images expose at least one secret on Docker Hub?&lt;/li&gt;
&lt;li&gt;When do leaks occur the most? Where do they originate from?&lt;/li&gt;
&lt;li&gt;How do breaches and supply chain attacks relate to leaked credentials?&lt;/li&gt;
&lt;li&gt;What is the reality of the problem posed by leaking secrets for AppSec teams?&lt;/li&gt;
&lt;li&gt;Do leaks occur more often on corporate private repositories?&lt;/li&gt;
&lt;li&gt;How to solve the problem of secrets sprawl at scale?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://res.cloudinary.com/da8kiytlc/image/upload/v1646148528/GitGuardian_StateOfSecretsSprawl2022.pdf"&gt;Download the report&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ciso</category>
      <category>appsec</category>
      <category>code</category>
    </item>
    <item>
      <title>CMO at a fast-growing BtoB start-up: Adding boosters to the rocket</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Wed, 12 Jan 2022 14:52:01 +0000</pubDate>
      <link>https://dev.to/cwinqwist/cmo-at-a-fast-growing-btob-start-up-adding-boosters-to-the-rocket-3cl8</link>
      <guid>https://dev.to/cwinqwist/cmo-at-a-fast-growing-btob-start-up-adding-boosters-to-the-rocket-3cl8</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--k6SpfX5z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A3CeBfTWMCLGM1nIF-TnS_A.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--k6SpfX5z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A3CeBfTWMCLGM1nIF-TnS_A.png" alt="" width="880" height="419"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I am not a spaceship project manager nor a rocket engineer, not even an engineer, but some days I like to think I am dealing a bit with the same concepts. I joined &lt;a href="https://www.gitguardian.com/"&gt;GitGuardian&lt;/a&gt; a year ago as CMO and it has been quite an exciting and fulfilling experience. As I regularly meet and talk to my peers I find that there are recurring questions on &lt;strong&gt;how to scale an organization&lt;/strong&gt;. So here is my take on the subject.&lt;/p&gt;

&lt;h3&gt;
  
  
  The blueprint
&lt;/h3&gt;

&lt;p&gt;First, some elements on the company and its specificities. I joined GitGuardian post series A, and the company had already reached the product-market fit stage for 2 products. To give you some numbers, GitGuardian had about 30 employees at the time and the marketing team 3 (versus 60 and 8 at the end of 2021), the ARR growth objective was x4 (and we made it!) and we had the ambition to raise the Series B before the end of the year (which happened at the end of November 2021).&lt;/p&gt;

&lt;p&gt;The market GitGuardian addresses, Code Security, is growing fast as demand rises and new vendors emerge. Funding is flowing massively and accelerates the pace vendors need to sustain to build market share.&lt;/p&gt;

&lt;p&gt;On the other hand, the cybersecurity market is still young, and as it is very technical it requires a lot of education. The last element that will set the scene properly is the characteristics of GitGuardian’s customer base.&lt;/p&gt;

&lt;p&gt;GitGuardian solutions are adopted through two very different buyer’s journeys. The first one, representing the larger volume of users, is acquired in a bottom-up manner and is made up of individual developers and small development teams. This user base uses the product for free and fuels the adoption and virality engine.&lt;/p&gt;

&lt;p&gt;On the other side of the spectrum are the subscription customers, large to very large organizations choosing the solutions for their enterprise-grade capabilities. The enterprise customer journey is quite long and is multi-touch by nature.&lt;/p&gt;

&lt;p&gt;These two very opposite acquisition funnels demand different but also complementary marketing approaches to be successful.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nGZlsDm4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2AOFBNxLI9jIJITq9MbEvgLw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nGZlsDm4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2AOFBNxLI9jIJITq9MbEvgLw.png" alt="" width="880" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Funnels characteristics&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Choosing the crew
&lt;/h3&gt;

&lt;p&gt;Building a team to deploy this challenging and complex but exciting marketing strategy is crucial. You need to select the proper profiles that will enable you to address the needs for agility, data-driven approaches, technical knowledge and content development.&lt;/p&gt;

&lt;p&gt;Based on my experience, what your team members must have in common is an appetite for technical products and a taste for experimentation, but also the capacity to manage projects very rigorously.&lt;/p&gt;

&lt;p&gt;Building my team, I found this &lt;a href="https://mkt1.substack.com/p/marketing-org-chart"&gt;presentation&lt;/a&gt; by Mkt1 quite well done. Here is a slightly revised version of the structure, based on my marketing strategy constraints.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--VbvsTNKN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/960/1%2AwBMra_pEKRgMfW5XsjxH5w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--VbvsTNKN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/960/1%2AwBMra_pEKRgMfW5XsjxH5w.png" alt="" width="880" height="495"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Marketing Team Structure&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Of course, when you start building your team you need to prioritize your hires based on your budget. Here are some priorities from my point of view:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The growth team focused on demand generation. If you face both a sales-led and a product-led funnel, you need to staff your growth team with profiles able to address both acquisition and conversion. They need to be able to execute the whole set of marketing tactics, including inbound, paid, nurturing and ABM, but also field events. Your growth managers need to be tech-savvy, as they need to fully understand the product and its value proposition, data-driven to conduct successful experiments, and very well organized to be able to execute multiple tactics at the same time.&lt;/li&gt;
&lt;li&gt;The content team. With a very technical audience and a market needing education, you need to invest heavily in content. Your content writer(s), and your developer advocate if you sell developer-oriented products, must have technical/development experience and real writing and content development skills. These types of profiles are maybe the hardest to find, but they exist more than you imagine.&lt;/li&gt;
&lt;li&gt;Product Marketing. The value of product marketing is not always well understood, but it is a critical component of success. Product marketing understands the competition, articulates the value proposition and the messaging, and enables sales. Your product marketer needs to be technical enough to fully understand your product. It is easier to teach someone about marketing than to get them technical.&lt;/li&gt;
&lt;li&gt;Brand &amp;amp; Creative. You can always subcontract the web design and the brand design but having even a part-time resource dedicated to marketing makes a huge difference when building your brand consistency.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Where you will benefit from agencies:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Press relations&lt;/li&gt;
&lt;li&gt;Analyst relations&lt;/li&gt;
&lt;li&gt;SEO&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These elements are critical for your strategy and cannot be only internalized. You will really benefit from specialized agencies’ savoir-faire and I recommend you find partners for the long run.&lt;/p&gt;

&lt;p&gt;Due to the size of your organization, you will probably need to be a player-manager. Depending on your profile as a CMO you may own one or the other subject as an individual contributor. For my part, I have kept Comms/PR/social media and employer brand under my responsibility.&lt;/p&gt;

&lt;p&gt;And the most important part is the balance between your content production and content usage teams. I think &lt;a href="https://mkt1.substack.com/p/fuel-engine"&gt;this article about Fuel and Engine&lt;/a&gt; summarizes this subject well.&lt;/p&gt;

&lt;h3&gt;
  
  
  Adding Boosters
&lt;/h3&gt;

&lt;p&gt;The interesting thing about building the marketing strategy of a pre-series B organization is that you have to think about scalability, because what you build will be the foundation of your growth.&lt;/p&gt;

&lt;h3&gt;
  
  
  Choosing the right marketing stack
&lt;/h3&gt;

&lt;p&gt;Tools… Even if tools are a means and not a solution to a problem, choosing the right tools will be crucial to your agility. Here is a basic list of what you need:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A CRM.&lt;/strong&gt; I have experienced Salesforce and HubSpot among others, and they both have their strengths and weaknesses.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A MAP.&lt;/strong&gt; You can of course use your CRM capabilities, but a best-of-breed MAP is often more efficient. We have chosen Customer.io.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A project/task management system&lt;/strong&gt;. I have used Jira in the past, but it is not fully adapted to marketing, and I find Asana really flexible and relevant. It allows templating activities, processes, onboarding and more. I even use it to present the marketing master plan with all key actions executed and planned.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A CMS&lt;/strong&gt;. My recommendation when it comes to choosing your CMS is autonomy. I have experienced complex websites with awful backend dependencies and I really think the simpler the better. We use Webflow and so far it fits the need.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;An automation tool&lt;/strong&gt;. Zapier and N8N are complementary.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A social media and web monitoring/publishing tool.&lt;/strong&gt; There are many solutions on the market for this and we found Mention to deliver the right value for our investment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A webinar platform.&lt;/strong&gt; Webinars and virtual events are quite an important tactic. We looked at different solutions and chose Crowdcast for its community-building capabilities among other things.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A knowledge management platform.&lt;/strong&gt; You’ll gather experience as a team and will need to document a good number of items to gain efficiency. We have chosen Notion for this purpose and document things like our KPIs, our plan, our vendors, our tools, our best practices… this is a goldmine for new team members but also to advertise what marketing does in the organization.&lt;/p&gt;

&lt;p&gt;Depending on your market and experience you can find solutions better adapted to your needs, but in any case you always need to choose a solution that will last a while, as changing a tool is always a disruption and takes a lot of energy that you could spend on production.&lt;/p&gt;

&lt;h3&gt;
  
  
  Putting the right processes in place
&lt;/h3&gt;

&lt;p&gt;I have always thought that team efficiency is maximized when you have the proper processes. Processes could seem to be in opposition to agility and speed, but in fact they are the actual foundation you build on. As your team grows quickly, having processes is like having a GPS when you drive: even if you know the road, it gives you a sense of security, and someone can very quickly take over from where you left off if needed.&lt;/p&gt;

&lt;p&gt;A few examples:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Templatization&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Using templates to allow flawless repetition of execution actually accelerates execution. You can create templates for content production, content dissemination, video production, events management and webinars, but also for repetitive checks of your paid ads or your SEO. The important thing about templates is to come back to them regularly, assessing their usage, improving them and sometimes removing steps that are systematically not used.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Approval processes&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Alongside templates, you should implement documented approval processes and a RACI matrix. This framework diminishes the risk of mistakes but, more importantly, gives a sense of ownership. The person accountable is not the one doing it all, but is definitely the one who should make sure things happen, and happen correctly, to serve the defined objectives.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Objective setting&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
The expression “Happy if” was used by one of my managers and I like this terminology because it sets the scene for a given action. An objective is not always a number or an execution check box but can be more subtle as long as it expresses the sense of achievement. All activities should have a “happy if” checkpoint and for the most critical ones a post mortem analysis.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Budget management&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Proper budget hygiene is critical to your agility. At any given moment you need to be able to tell what contracts you signed, what invoices were paid or are to be received, and what buckets of money are still to be invested or are already committed. Budget building and management would require a full article, but one thing is certain: you don’t need a specific tool to do proper budget management at this stage. A good spreadsheet is sufficient. Align with your finance department to group your budget lines under proper labels to allow analysis (demand gen costs versus outsourcing, versus content, versus tools…). Record the status of your spending accurately and record the dates of each item with both a cash and a P&amp;amp;L view. It will help greatly when you need to add or remove allocations.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Rituals&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Have the right number of meetings so that they stay productive. Here is our schedule; it has evolved over the year to adapt to the growing team and to the increase and decrease of remote work.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A daily stand-up, with Monday used to set objectives for the week and Friday for a wrap-up.&lt;/li&gt;
&lt;li&gt;On Tuesday and Thursday we only cover questions and blocking points, and on Wednesday we try to have everyone in the office and do an informal stand-up around a cup of coffee or tea :-)&lt;/li&gt;
&lt;li&gt;A weekly team meeting to address specific subjects, and a monthly reporting meeting. For the latter, we recently changed the pattern: the deck is ready the day before so everyone can read and comment on it, and the meeting is used to address the questions and comments, so it is not just a present-and-listen type of meeting.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We also borrowed from the agile methodology with a monthly marketing demo during which we present 1 or 2 key projects to the entire company. This meeting has multiple objectives: promote and educate other teams on what marketing is and does, get feedback, highlight team members’ successes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Onboarding&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
I have repeated it quite a bit in this article: scaling the team is a major element of the growth. Therefore, preparing the onboarding of new team members is critical. It needs to be documented, to have a clear timeline and to be checkbox-able (I don’t know if this word even exists…). In parallel with the onboarding task list, you need a clear trial-period ramp-up document stating the different elements to learn and the deliverables expected at each stage to demonstrate the ramp-up. Having this clear visibility is usually very much appreciated by newcomers and allows an objective assessment of their performance.&lt;/p&gt;

&lt;h3&gt;
  
  
  Building the brand
&lt;/h3&gt;

&lt;p&gt;Moving away from the structure towards the actual activities, I will start with the brand. Evolving in both a BtoB enterprise market and a very immature technological market, we need to build a brand and educate the market on the niche we address. We also need to build an attractive employer brand, as recruitment is key to our growth.&lt;/p&gt;

&lt;p&gt;This requires a consistent production of quality content.&lt;/p&gt;

&lt;p&gt;In a way, we have set up our production as would a magazine:&lt;/p&gt;

&lt;p&gt;We have our writers, from the marketing team but also from the tech teams and we have also sourced external writers (experts on our subjects and willing to do guest blogging).&lt;br&gt;&lt;br&gt;
Extending your pool of writers really helps you scale. And you should always look internally first. Technical teams have writing skills and they can benefit from promoting their expertise.&lt;/p&gt;

&lt;p&gt;We have our editorial meeting to identify the subjects we could cover and a publication calendar to plan each week and get a good balance of topics and frequency.&lt;/p&gt;

&lt;p&gt;And we have our dissemination plan to make sure our content is properly promoted and used.&lt;/p&gt;

&lt;p&gt;We tried to have an editorial framework with “this day for that type of subject” and so on, but we found it too much of a constraint. We prefer to balance the content during our weekly meeting depending on what is ready to be published.&lt;/p&gt;

&lt;p&gt;And of course, there is no brand-building without proper press relations and analyst relations. For these subjects as mentioned earlier, we selected agencies to extend the team.&lt;/p&gt;

&lt;p&gt;Building a brand is a marathon: you had better start early and be regular. On top of your regular flow of publication and dissemination, it is good to have viral or high-exposure content (such as reports and cheat sheets, for example) creating momentum of attention. These assets will help in getting influencers’ attention but also in expanding your audience. The Holy Grail is to be perceived as a reference on a given subject and to be mentioned, in an earned fashion, by various media and authors.&lt;/p&gt;

&lt;h3&gt;
  
  
  Deploying all tactics and testing
&lt;/h3&gt;

&lt;p&gt;When you join an early-stage start-up there is a chance that the marketing mix is limited and adding boosters to the rocket means adding channels of acquisition and conversion.&lt;/p&gt;

&lt;p&gt;Depending on the persona you address, you need to choose the different tactics you will activate in your campaigns. My recommendation is to build a listing of all tactics available to you and assess your readiness and their fit with your audience. Then you need a plan for activating the different tactics depending on your team skillset, budget and time of the year. You can for example push the nurture flows to later in the year once you have sufficient data to nurture, or invest in proprietary webinars when you have a large enough database to promote them.&lt;/p&gt;

&lt;p&gt;Whatever you choose to select there are a couple of important elements:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Set objectives — as explained earlier.&lt;/li&gt;
&lt;li&gt;Plan and document the execution — back to the template idea. You’ll gain time for the next iteration.&lt;/li&gt;
&lt;li&gt;Test before signing up for a series.&lt;/li&gt;
&lt;li&gt;Experiment and assess. You should embrace a growth marketing mindset and try a lot of different things. One thing that could be difficult is that when navigating an Enterprise market, the complexity of the sales cycle and the buyer’s journey does not allow immediate effect measurement. Therefore you need to find intermediate points of measure to validate or invalidate your experiments. Be inspired by the growth marketing approaches and methods, use them to keep your agility, but don’t be lured by all the fashionable growth publications which often advertise crazy numbers and massive traction. If you are in an Enterprise market the rules are different. Compare yourself with similar product types.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As the CMO, your role is to provide a strategic view to your team who are much more focused on operational topics. Ask the right questions so they can articulate their tactics in campaigns, help them prioritize and challenge their proposals.&lt;/p&gt;

&lt;h3&gt;
  
  
  Measuring results
&lt;/h3&gt;

&lt;p&gt;Of course, it is obvious that you need to measure your results, but it won’t be done in a day. Finding the right KPIs, building the historical data that gives you enough data points and testing different metrics is an ongoing activity.&lt;/p&gt;

&lt;p&gt;If you are not a data professional yourself, it is great to have a data person in your team, you’ll benefit at many levels:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Building the right data set&lt;/li&gt;
&lt;li&gt;Getting the right integrations and automation in place&lt;/li&gt;
&lt;li&gt;Analyzing the data in different ways and with different methods&lt;/li&gt;
&lt;li&gt;Getting a second opinion on the analysis&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You’ll have a set of measures and KPIs and the list can be long but you should definitely have one North Star Metric. My recommendation is that it is aligned with your sales team. It is a bit of the glue between marketing and sales. In our case, it is a number/value of new deals in the pipeline. Not leads, not MQL, not SAL, actual pipeline. It avoids a lot of useless conversations and biases on what marketing produces. And one thing you should definitely not do is look at marketing vs sales sourced pipeline. You’ll have a good summary of why not in &lt;a href="https://www.forrester.com/blogs/b2b-marketers-its-time-to-ditch-sourcing-metrics/"&gt;this article from Forrester&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;But to build the objective of this North Star metric you’ll need to iterate and find the right dimensions that will allow you to accurately measure success. As marketing works for future revenue, and this future can be months away, you need to evaluate success with ever-changing data if you grow fast (average deal size, close rate…). Go back to your numbers as often as needed.&lt;/p&gt;

&lt;h3&gt;
  
  
  The next frontier
&lt;/h3&gt;

&lt;p&gt;I hope you did not find this article too long but summarizing a year at a fast-growing start-up was maybe mission impossible… Writing it I thought some of the subjects would in fact need a deeper dive. I would be very happy to hear what you think and which subject could be the next to tackle! And now my team and I are focusing on acceleration and this will mean &lt;a href="https://careers.gitguardian.com/"&gt;doubling the team size&lt;/a&gt;… An interesting experience I am sure, that I will be happy to tell you about soon!&lt;/p&gt;

</description>
      <category>btobmarketing</category>
      <category>saas</category>
      <category>cmo</category>
      <category>marketing</category>
    </item>
    <item>
      <title>Red Team Chronicles Episode 5 — Alert to Avoid Serious CompromiseRe</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Thu, 07 Oct 2021 09:30:53 +0000</pubDate>
      <link>https://dev.to/gitguardian/red-team-chronicles-episode-5-alert-to-avoid-serious-compromisere-4mo6</link>
      <guid>https://dev.to/gitguardian/red-team-chronicles-episode-5-alert-to-avoid-serious-compromisere-4mo6</guid>
      <description>&lt;h3&gt;
  
  
  Red Team Chronicles Episode 5 — Alert to Avoid Serious CompromiseRe
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--EwyMco5n--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AfVqi_I2GzzWcToFs.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--EwyMco5n--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AfVqi_I2GzzWcToFs.jpg" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the previous episode, Philippe emphasized the need for a &lt;strong&gt;shift in the security posture&lt;/strong&gt; toward better detection. So let’s dig into this subject.&lt;/p&gt;

&lt;p&gt;We will first look at the timeline of a compromise:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--fT9PdURE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2Aav4CPK2OHlDzxgLk9-tVkQ.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fT9PdURE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2Aav4CPK2OHlDzxgLk9-tVkQ.jpeg" alt=""&gt;&lt;/a&gt;Different phases of a compromise&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Philippe, can you drive us through this process, please?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Here you go: during the initial reconnaissance phase, hackers will gather as much information as possible, the objective being to gain initial access into the target system. Once you have access to the first system, the initial intrusion happens. &lt;strong&gt;Hackers benefit from the trust that is put in the system they entered.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The next phase will be to try to elevate privileges. One thing that I usually do when I access a server is then to use the “history” command to gather a list of the previous 500 commands made and store them. It can give us credentials or file names that could store secrets.&lt;/p&gt;

&lt;p&gt;Hackers will then move laterally to access critical data and exfiltrate them. Once this is done, they will obfuscate their traces. This is then very difficult for the security teams to know what exactly happened.&lt;/p&gt;

&lt;p&gt;Most organizations focus on preventing the initial intrusion, but as we saw with examples provided in previous episodes, it is a bit of a lost cause. Security teams should also focus on putting in place a &lt;strong&gt;proper alerting system&lt;/strong&gt; for the phase between initial compromise and serious compromise. When hackers have access to legitimate admin profiles, it is too late. They will not trigger any alerts anymore.&lt;/p&gt;

&lt;p&gt;Even if ransomware is put in place during the initial phase, it is limited to 1 or 2 machines, but afterwards it can be the whole company. &lt;strong&gt;We see more and more of this type of corporate ransomware.&lt;/strong&gt; They are much more profitable for hackers. In the past, hackers would cash in as soon as they compromised one machine; now they stay and take the time to escalate, move laterally and compromise the whole organization.&lt;/p&gt;

&lt;p&gt;Alerting should be in place for key events leading to privileges, like admin profile creation for example, and for anomalies (server and services reboot, NTP synchronization, authentication failures).&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Do you have other best practices for us?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Know your environment&lt;/strong&gt;, not just what is exposed to the outside world. Where is your code, who has access to it, what are the passwords for?&lt;/p&gt;

&lt;p&gt;If you have legacy servers, isolate them. Think that hackers are bouncing from one spot to another, try to &lt;strong&gt;block them in dead ends&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Install security patches, I repeat &lt;strong&gt;install security patches&lt;/strong&gt; …&lt;/p&gt;

&lt;p&gt;Do not use professional email addresses for external sites that are not essential to your business, or at least use password generators to &lt;strong&gt;avoid pattern copying&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Do not have a &lt;strong&gt;check box approach&lt;/strong&gt; to security. Try to think like hackers to adapt your security approach to your environment.&lt;/p&gt;

&lt;p&gt;And of course &lt;strong&gt;make some intrusion tests&lt;/strong&gt;, internally or with external providers or bug bounty programs.&lt;/p&gt;

&lt;p&gt;We hope that you enjoyed this first series of the &lt;a href="https://blog.gitguardian.com/tag/redteam/"&gt;Red Team Chronicles&lt;/a&gt; with Philippe Caturegli and that detection is now part of your agenda!&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/red-team-chronicles-episode-5/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on October 7, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>redteam</category>
      <category>cybersecurity</category>
      <category>threatintelligence</category>
      <category>appsec</category>
    </item>
    <item>
      <title>Red Team Chronicles — No Hidden Information</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Wed, 15 Sep 2021 16:51:07 +0000</pubDate>
      <link>https://dev.to/gitguardian/red-team-chronicles-no-hidden-information-4p6d</link>
      <guid>https://dev.to/gitguardian/red-team-chronicles-no-hidden-information-4p6d</guid>
      <description>&lt;h3&gt;
  
  
  Red Team Chronicles — No Hidden Information
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--75j6i2U---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AkKTaqbZTTKwbyxhg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--75j6i2U---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AkKTaqbZTTKwbyxhg.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this episode, you’ll discover a perfect illustration of the security knowledge gap existing between organizations. Offensive security expert Philippe Caturegli comes across a way too common belief: &lt;strong&gt;“&lt;em&gt;nobody will find my scripts or my data because they are very carefully hidden&lt;/em&gt;”.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;And here is how Philippe reacts to this:&lt;/p&gt;

&lt;p&gt;There is no such thing as well-hidden information. &lt;strong&gt;Security can’t be established by hiding things&lt;/strong&gt; or considering they are not understandable; cybercriminals have the time, intelligence and tools to find anything. A common error is to leave sensitive data in a development folder. Everything that is available on a website, for example, even in sub-folders, should be considered public.&lt;/p&gt;

&lt;p&gt;Multiple techniques enable attackers to find hidden or forgotten information: &lt;a href="https://www.csoonline.com/article/3445357/what-is-osint-top-open-source-intelligence-tools.html"&gt;Open Source Intelligence&lt;/a&gt;, &lt;a href="https://www.greycampus.com/opencampus/ethical-hacking/dns-enumeration"&gt;DNS enumeration&lt;/a&gt; (active or passive), attacks through folder and file dictionaries, and website archives are some of them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You need to protect the information in a way that even with complete knowledge of how things work, you can’t exploit it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In one case we got access to the source code of a Java application. In this application, they used a function called Math.random to generate a one-time password. This function is in fact a formula:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;X&lt;sub&gt;n+1&lt;/sub&gt; = (a · X&lt;sub&gt;n&lt;/sub&gt; + c) mod m&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;where &lt;em&gt;a&lt;/em&gt; is a multiplier, &lt;em&gt;c&lt;/em&gt; an increment and &lt;em&gt;m&lt;/em&gt; a modulo.&lt;br&gt;&lt;br&gt;
This formula generates pseudo-random numbers. These numbers constitute a sequence in which each new number depends on the previous one. The initial term &lt;em&gt;X&lt;sub&gt;0&lt;/sub&gt;&lt;/em&gt; is called the seed. Each seed generates a new sequence. The modulo defines the randomization space.&lt;/p&gt;

&lt;p&gt;The sequence seems random but it is, in fact, predictable. &lt;strong&gt;We just needed a sequence of 3 numbers&lt;/strong&gt;, which we got by enrolling 3 times. From the 3 numbers, we could reverse engineer the formula using brute-force techniques. Current processing power makes it easy and quick. In this case, the function elements were static numbers in the Java code; the only unknown element was the seed.&lt;/p&gt;

&lt;p&gt;You need to protect the Intellectual Property that is present in your code because if it leaks it can give hackers a lot of useful information to exploit.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;But you also discover hardcoded secrets, like credentials?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Oh yes… and cookies and tokens, which have a longer lifespan, as passwords are often expired, but not always… We can also deduce things from accounts, password structure, the way they are used, internal machine names, internal IP addresses, even proxies. We often use multiple items together to succeed, one leading to another. &lt;strong&gt;So never consider something as not important.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In fact, I really believe that there is always a way to get in. Social engineering being one, even if people are trained. &lt;strong&gt;There is always a weak link.&lt;/strong&gt; Some profiles are also easier to bypass because it is their vested interest to comply. I am thinking for example about sales reps or support teams. IT needs to make sure access rights are correctly managed. Do sales need to access Jira tickets? &lt;strong&gt;Because in Jira tickets you often find security issues.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;But don’t get me wrong, &lt;strong&gt;developers are also potential targets&lt;/strong&gt;, even if it is a bit more difficult. We can use leaked personal accounts and credentials to impersonate a developer and create trust with their colleagues.&lt;/p&gt;

&lt;p&gt;In the end, &lt;strong&gt;security should really focus on detection&lt;/strong&gt;. Being compromised is not a major issue if you react early, because the initial intrusion is limited to a very narrow scope. This is a shift we’d like security teams to take, adding a discriminating alert layer to their protection. &lt;strong&gt;They should not only focus on preventing but also on alerting.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As you can see, Philippe has some interesting stories to share as well as some useful recommendations to make. If you are interested, keep following the Red Team Chronicle by subscribing to our newsletter or following us on Twitter or LinkedIn.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Stay tuned for Episode 5!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/red-team-chronicles-episode-4/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on September 15, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>cyberthreat</category>
      <category>redteam</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>The illusion of the fortress — Red Team Chronicles</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Thu, 15 Jul 2021 15:43:01 +0000</pubDate>
      <link>https://dev.to/gitguardian/the-illusion-of-the-fortress-red-team-chronicles-4gac</link>
      <guid>https://dev.to/gitguardian/the-illusion-of-the-fortress-red-team-chronicles-4gac</guid>
      <description>&lt;h3&gt;
  
  
  Red Team Chronicles — The illusion of the fortress
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1Pgz3QTd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AjBeUMFEllAEyEkHa.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1Pgz3QTd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AjBeUMFEllAEyEkHa.jpg" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Last time we briefly touched on the concept of a fortress in cybersecurity. In this Episode, Philippe will do a more thorough analysis on this topic.&lt;/p&gt;

&lt;p&gt;Building a fortress is a strategy from the past. &lt;strong&gt;Mobility, remote working, cloud and SaaS have made the delineation between internal and external networks almost impossible.&lt;/strong&gt; And even beyond these concepts, physical security should be part of your cybersecurity strategy… An attacker does not need to bypass your firewall if he/she can bypass your receptionist and physically connect a device on your internal network.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--y4z6_vzS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2AbII0sI7S17BSyTHFsqQtBQ.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--y4z6_vzS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2AbII0sI7S17BSyTHFsqQtBQ.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While some of these scenarios may seem out of James Bond movies, &lt;strong&gt;the reality is that there are plenty of tools readily available to facilitate some of these attacks.&lt;/strong&gt; From &lt;a href="https://proxmark.com/"&gt;RFID attacking tools&lt;/a&gt; that can copy employees’ access cards from a distance to &lt;a href="https://github.com/rfidtool/ESP-RFID-Tool"&gt;RFID implants&lt;/a&gt; that can be installed on the card readers themselves &lt;a href="https://youtu.be/7VVpg6Fh1a4"&gt;in under a minute&lt;/a&gt;, these types of attacks no longer require really advanced skills.&lt;/p&gt;

&lt;p&gt;RFID access cards usually contain two values: Facility Code and Card ID. The facility code is usually the equivalent of the code of a building and is generally the same for all employees. On the other hand, we have observed that the Card ID is often incremental, which means that if an attacker can copy the card of one employee, it is then possible to perform other types of attacks (e.g. brute force) to then gain access to more sensitive areas such as computer/network rooms.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s---wloIdkh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A-Ul8rQpTV-7F5z68lmJC1g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s---wloIdkh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A-Ul8rQpTV-7F5z68lmJC1g.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Here is a picture of a custom tool that can perform this type of physical brute force attack against card readers.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Sometimes we do not even need to copy access cards: gaining access to office buildings is as easy as following the crowd in the morning and blocking a meeting room for the day.&lt;/p&gt;

&lt;p&gt;In large organizations, we often see screens that tell you which rooms are reserved or available.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8R8xDBsy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/955/1%2AxXpagAvgIqfez0bicxFrgQ.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8R8xDBsy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/955/1%2AxXpagAvgIqfez0bicxFrgQ.jpeg" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our favorites are the ones that even let you reserve a room for several hours directly from a touch screen.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Meetings rooms often offer network and telephony access, so once an attacker has physical access to it, the opportunities are endless.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Moving away from physical access, let’s look at the targets.&lt;/p&gt;

&lt;p&gt;Generally, attackers do not prioritize their initial targets based on their level of access. The first goal is to obtain initial access and then move laterally to other systems or vertically to escalate privileges.&lt;/p&gt;

&lt;p&gt;We see a lot of efforts and solutions implemented to secure the final targets but the initial targets are usually left out with little to no protections.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;When attackers acquire users’ authentication elements, they don’t need to further exploit any vulnerabilities, they are already in the system as a valid user.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Keep in mind that the initial target is not always a person; it can also be a machine connected to the network. Multi-function printers are a good example. These devices often have default passwords, and in order to send scanned documents by email or to a network share, credentials are often stored on them. &lt;strong&gt;These are perfect entry points for attackers.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To add to this, if your SSO is not well configured (e.g. auto enrollment), then it means the technical user account configured on the printer can also access systems like Jira or Slack which very often host a good number of secrets.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;And what about two-factor authentication (MFA)?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It is a good thing and we recommend to our customers to use it, because it makes life more difficult for attackers. BUT deploying MFA does not make you immune against all attacks.&lt;/p&gt;

&lt;p&gt;We recently worked on a security incident for one of our customers, where the attackers were able to exploit a vulnerability in their VPN appliance in order to retrieve the cookies/sessionID of authenticated users in order to gain unauthorized access to the VPN and move laterally to the internal network.&lt;/p&gt;

&lt;p&gt;As you can see, Philippe has some interesting stories to share as well as some useful recommendations to make. If you are interested, keep following the Red Team Chronicle by subscribing to our newsletter or following us on Twitter or LinkedIn.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Stay tuned for Episode 4!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/security-illusion-of-the-fortress/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on July 15, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>redteam</category>
      <category>applicationsecurity</category>
      <category>pentesting</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>The Red Team Chronicles — No such thing as a miracle solution</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Thu, 24 Jun 2021 14:52:51 +0000</pubDate>
      <link>https://dev.to/gitguardian/the-red-team-chronicles-no-such-thing-as-a-miracle-solution-1078</link>
      <guid>https://dev.to/gitguardian/the-red-team-chronicles-no-such-thing-as-a-miracle-solution-1078</guid>
      <description>&lt;h3&gt;
  
  
  Red Team Chronicles — No such thing as a miracle solution
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--i9nqOSBX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2Apjc6ZzHREPJQBLEkkOpCBQ.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--i9nqOSBX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2Apjc6ZzHREPJQBLEkkOpCBQ.jpeg" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Now you’ve met Philippe, let’s talk about a very common misconception that security professionals may have: “I have already bought this “all-in-one” or “one-size-fits-all” solution, so now I should be safe.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--C6WgXmJx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A2DYpAfSFk4HlWsKYM_3k7A.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--C6WgXmJx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A2DYpAfSFk4HlWsKYM_3k7A.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Let’s listen to what Philippe has to say about this.
&lt;/h3&gt;

&lt;p&gt;When talking to various organizations, I regularly meet IT teams who would love to find THE solution. You know, this perfect tool that you would just have to install and you’d be protected against all possible attacks… As you can imagine, such a solution does not exist despite claims from unscrupulous vendors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Quite often, we see security solutions that are not properly implemented or simply do not work as expected.&lt;/strong&gt; This often leads to generating too many false positives, where normal events get miscategorized as security incidents and end up being ignored over time (until real security incidents occur). This is what we call &lt;strong&gt;“security fatigue”&lt;/strong&gt;. On the other hand, some security solutions are not properly configured, leading to false negatives, where real security incidents do not even generate an alert.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;When we successfully penetrate an organization’s IT infrastructure, either we do not trigger an alert because their notification systems have been disabled, or they have so many alerts that the alert that really matters is lost in the mix and gets ignored.&lt;/strong&gt; This is one of the reasons why one of our last phases after a successful compromise is to voluntarily perform actions that should generate alerts, in order to measure the detection capabilities of our customers. And surprisingly, most of the time this does not trigger any response.&lt;/p&gt;

&lt;p&gt;For example, we create a new rogue domain admin user. This is typically easy to detect and could be an indicator that something wrong is happening: an admin user is not created every day, and its creation should follow a strict change management process. As such, these types of events should be under strict surveillance.&lt;/p&gt;

&lt;p&gt;The bottom line here is that security teams (and real-time monitoring solutions) should focus on compromise indicators rather than trying to look at everything all the time. They should also evaluate each solution to ensure that it does what it claims and they should run diagnostics to evaluate what solutions are needed &lt;strong&gt;and how they should be implemented&lt;/strong&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;One piece of advice: Do not take for granted vendors’ claims. I cannot count the number of times we bypassed so-called “new generation security tools” with very basic techniques.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;For instance, a few years back, one of our clients spent over 6 months (and a lot of money) to deploy a &lt;em&gt;new generation&lt;/em&gt; antivirus throughout their organization, and it took us less than 5 minutes to realize that it could be deactivated by simply uninstalling the application. This demonstrates a typical issue when organizations overprotect one door, but they leave another door wide open. As an attacker, if you run into a security solution that is efficient you simply try to go around it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--IVb4-EOB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AzlhO2_m2qEyUoG36.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--IVb4-EOB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AzlhO2_m2qEyUoG36.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When evaluating your security posture, you should always try to look at your environment like an attacker would. This is why our slogan is “We protect you from people like us.”&lt;/p&gt;

&lt;p&gt;You should think of all possible entry points and have a holistic approach to cover all your bases, rather than try to build a fortress around your crown jewels. This is why running red team exercises internally or externally is important.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;As you can see, Philippe has some interesting stories to share as well as some useful recommendations to make. If you are interested, keep following the Red Team Chronicles by subscribing to our newsletter or following us on Twitter or LinkedIn.&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/security-illusion-of-the-fortress/"&gt;Check out &lt;em&gt;Episode 3&lt;/em&gt;&lt;/a&gt;&lt;em&gt;!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/red-team-chronicals-miracle-solution-philippe-caturegli/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on June 24, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>pentesting</category>
      <category>cybersecurity</category>
      <category>redteam</category>
      <category>applicationsecurity</category>
    </item>
    <item>
      <title>Red team chronicles — Looking over the shoulder of a Pentester</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Wed, 16 Jun 2021 16:56:50 +0000</pubDate>
      <link>https://dev.to/gitguardian/red-team-chronicles-looking-over-the-shoulder-of-a-pentester-57n9</link>
      <guid>https://dev.to/gitguardian/red-team-chronicles-looking-over-the-shoulder-of-a-pentester-57n9</guid>
      <description>&lt;h3&gt;
  
  
  Red team chronicles — Looking over the shoulder of a Pentester
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TUVh4YWz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AUdzT3xWmXW1RFbMy.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TUVh4YWz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AUdzT3xWmXW1RFbMy.jpg" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While developing our products we want to battle test them and get feedback from cybersecurity experts. This is how we met Philippe Caturegli, offensive security expert at &lt;a href="https://www.netragard.com/"&gt;Netragard&lt;/a&gt; and &lt;a href="https://www.seralys.com/"&gt;Seralys&lt;/a&gt;. Conversing with Philippe is always a very insightful experience and we wanted to share a bit of this through the Red Team Chronicles. The chronicles will be presented through a fly-on-the-wall viewpoint, in order for you the reader to &lt;strong&gt;grasp the reality of the battlefield&lt;/strong&gt;. Philippe will debunk some common misconceptions and share best practices to avoid serious compromise.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;So let’s start by introducing the Chief Hacking Officer, as he likes to present himself. Meet Philippe.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Tc7fzhp0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AXqlE-aj-sGk4oja8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Tc7fzhp0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/0%2AXqlE-aj-sGk4oja8.png" alt=""&gt;&lt;/a&gt;Philippe Caturegli — Chief Hacking Officer&lt;/p&gt;

&lt;p&gt;Philippe is passionate about Cybersecurity. &lt;em&gt;He kind of fell in it when he was little&lt;/em&gt; (this is a typical French expression if you are familiar with Asterix &amp;amp; Obelix).&lt;/p&gt;

&lt;p&gt;When he was 16, his parents bought him his first personal computer, and at the time it was really expensive to be connected to the internet via long-distance dial-up calls, so &lt;strong&gt;why pay to connect somewhere when you could develop a BBS server and have people connect to you instead&lt;/strong&gt; and exchange files and messages there… He did not really play games with his computer but was more interested in understanding how everything worked, if there were safeguards in place, and if so, how to get around them.&lt;/p&gt;

&lt;p&gt;At the time it was kind of simple. For software, for example, serial numbers were only checked by a simple line of code with IF conditions; you just had to overwrite the checks, and there you go, &lt;strong&gt;whatever the serial number, it was approved and you could install the software.&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;“The real game was in fact to work around the controls.”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Kind of a rogue teenager, no?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Even if he trained as an IT engineer, Philippe thinks he learned cybersecurity mostly by practicing on his own.&lt;/p&gt;

&lt;p&gt;His first experience of an attack was when &lt;strong&gt;a website he developed for a client was hacked by an SQL injection&lt;/strong&gt;. At that time no one understood what an SQL injection was. “&lt;em&gt;As developers, we focused on the final results: is the website working, is it nice… We did not care about security. I started to look at the code of other sites and I noticed that most of them were exposed in the same way.&lt;/em&gt;”&lt;/p&gt;

&lt;p&gt;His first job was for a global pharmaceutical company. He was responsible for the security perimeter (firewall, IDS). At the time, the typical approach to security was really like building a fortress.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;During this first experience, is this when you really grasped the impact security could have on a business?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Exactly, in pharma your core business is manufacturing drugs, not deploying firewalls. Here is an example of what I faced: changing a firewall is a question of hours, but on the business side it has huge repercussions. I had to update a firewall for a manufacturing site producing cancer treatments, and the risk was that if the update failed, the manufacturing line would stop. They could not take this risk, so they took months to build a stock, just in case, and then another couple of months to absorb the oversupply they had created. You understand the difference in perception?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Build, Defend and Attack, Why do you think mastering the three makes you a good offensive security expert?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;There are 3 types of experience in cybersecurity: build, defend and attack, and I think the best offensive profiles, &lt;strong&gt;the ones who thrive in Red Teams, are the ones who experienced all three&lt;/strong&gt;. If you have built and defended, you understand the shortcuts developers and security teams take and you can exploit them in simulated attacks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You are now an entrepreneur and you specialize in intrusion tests?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes I want to be able to replicate real-life situations when performing tests, not simply run scans and deliver a report.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Concerning the attacks that you witness, do you see an evolution in the type of attacks or the way they are handled?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes, I have seen a shift with the rise of ransomware. It’s all over the news. Beforehand, the main idea was to get access to the machine and then use it as long as possible, remaining unseen in order to monetize the access over time by joining the compromised machine to a botnet. Now it is often the opposite, as soon as hackers get access to the machine, they encrypt everything and ask for a ransom in order to monetize more and faster.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;So what’s the main issue now?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Well, even if budgets and resources for cybersecurity increase, the situation does not get better. Detection time is still extremely long: the average time to detect an intrusion is above 200 days, while the average time between the initial intrusion and the irrevocable compromise is 4 hours. You see how huge the gap is. Intrusions are sometimes so difficult to track that they can be taken for internal fraud. I have experienced this with a bank that underwent malicious money transfers. At first, the audit team was sure that it was coming from an insider, as the transfers complied with all internal checks and processes. But in fact, the attackers had been present in the systems for over 6 months and had access to most systems and documentation, so they could learn everything needed to behave like an authorized employee, go through operational checks and turn their knowledge into money.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Are hackers independent or is there a real &lt;em&gt;“hacking economy”&lt;/em&gt;?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The dark web is now well organized, with hackers organized by specialty. Hackers tend to specialize in what they are good at, compared to others. Some will scan the internet for potential vulnerabilities, default passwords, etc. but they are not always able to monetize these vulnerabilities, so they sell the information to groups capable of monetization. There are even some groups specialized by industry verticals (such as finance or pharma), based on the experience of their members.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;And what are companies doing to react to this situation?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;What I experience a lot is that companies rely on generic solutions to defend themselves. Each vertical has its own specificities and security approaches should take this into account. I can tell you a lot more about this but I guess it needs another episode :-)&lt;/p&gt;

&lt;p&gt;As you can see, Philippe has some interesting stories to share as well as some useful recommendations to make. If you are interested, keep following the Red Team Chronicles by subscribing to our newsletter or following us on Twitter or LinkedIn.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://blog.gitguardian.com/red-team-chronicals-miracle-solution-philippe-caturegli/"&gt;&lt;strong&gt;Check out Episode 2!&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/redteam-chronicles-episode1-pentesting/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on June 16, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>applicationsecurity</category>
      <category>pentesting</category>
      <category>cybersecurity</category>
      <category>redteam</category>
    </item>
    <item>
      <title>CISO Live with Yury Koldobanov — Director of IT at Mirantis</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Wed, 09 Jun 2021 16:15:29 +0000</pubDate>
      <link>https://dev.to/gitguardian/ciso-live-with-yury-koldobanov-director-of-it-at-mirantis-478k</link>
      <guid>https://dev.to/gitguardian/ciso-live-with-yury-koldobanov-director-of-it-at-mirantis-478k</guid>
      <description>&lt;h3&gt;
  
  
  CISO Live-Yury Koldobanov-Director of IT at Mirantis
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TFpRtlnW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A_RlsNkw7XVzek09_07A0wA.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TFpRtlnW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2A_RlsNkw7XVzek09_07A0wA.jpeg" alt=""&gt;&lt;/a&gt;Yury Koldobanov — Director of IT Mirantis quote&lt;/p&gt;

&lt;p&gt;Mirantis helps organizations ship code faster on public and private clouds. The company provides a public cloud experience on any infrastructure from the data center to the edge. Mirantis empowers a new breed of Kubernetes developers by removing infrastructure and operations complexity and providing one cohesive cloud experience for complete app and DevOps portability.&lt;/p&gt;

&lt;h3&gt;
  
  
  Challenges
&lt;/h3&gt;

&lt;p&gt;Mirantis development teams are using GitHub extensively, with an infrastructure-as-code mindset. Like most developers today, they handle increasing amounts of credentials, and as Yury Koldobanov, Director of IT and acting CISO, puts it: “The combination of people working on Git repos and the handling of credentials leads to issues.”&lt;/p&gt;

&lt;p&gt;Yury’s team found out that some companies were impacted by secrets leakage via GitHub repositories and decided to work toward proactively preventing this from happening to Mirantis.&lt;/p&gt;

&lt;h3&gt;
  
  
  Solution
&lt;/h3&gt;

&lt;p&gt;Since manually investigating hundreds of repositories is ineffective and costly, Mirantis started looking for a solution.&lt;/p&gt;

&lt;p&gt;Yury’s team first considered a hybrid DLP / analyst tool, with keyword-based detection capabilities for GitHub but which also covered other data sources such as Google Drive, the dark web, etc. However, the key point for Yury was that GitHub is a different kind of data source with different considerations.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;“Like many software companies Mirantis is concerned about leaking keys”&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The need for a solution specialized in GitHub monitoring and capable of sophisticated secrets detection became obvious.&lt;/p&gt;

&lt;p&gt;Another important consideration was automation and detection time. Given that malevolent actors are actively scanning GitHub, having manual analysis of potential incidents would have a huge impact on detection time. This was both the case for bug bounties and for the DLP tool. GitGuardian’s ability to detect leaks instantaneously and immediately alert Mirantis’ security team was hence crucial.&lt;/p&gt;

&lt;p&gt;Another key differentiator for Mirantis was GitGuardian’s ability to automatically identify Mirantis’ publicly active developers, and therefore to create a dynamic perimeter to monitor.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;“Most DLPs would put the burden of defining the perimeter on us”.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This enables GitGuardian to not only focus on known corporate repositories, but most importantly on developers’ personal repositories, where companies typically have no visibility.&lt;/p&gt;

&lt;p&gt;GitGuardian is now leveraging the development team workflows by integrating with Slack, which is heavily used by the team. The customizable integration allows specific alerts to be routed to the appropriate Slack channel.&lt;/p&gt;

&lt;h3&gt;
  
  
  Results
&lt;/h3&gt;

&lt;p&gt;Alerting is only the first step, which is why GitGuardian also helps with the remediation aspect of the Incident Response process. Mirantis developed a triaging and severity rating questionnaire, with a precise and standardised set of questions, that they send to developers and that leverages the GitGuardian “Developer in the Loop” feature. This in-app feature streamlines the information collection process and its centralization in GitGuardian’s dashboard, which enables Mirantis’ teams to more quickly understand the context of a given incident, thus facilitating the investigation and remediation. Without this feature, Yury’s team would have to collect feedback less efficiently from different systems (email, Jira, Slack) and request actions from different stakeholders manually. Mirantis also found that involving developers in the remediation process is a great way to raise secrets leakage awareness.&lt;/p&gt;

&lt;p&gt;Having been a GitGuardian customer for almost two years, Mirantis has been very positive about both their experience working with the GitGuardian team, and the enhancements brought to the product.&lt;/p&gt;

&lt;p&gt;Mirantis also had a good experience thanks to GitGuardian’s customer-centric approach: “GitGuardian is flexible and reacts fast to feedback. I can talk about my specific needs, and see a reaction from the team very quickly. GitGuardian also provides guidance and best practices to help us grasp all details of this aspect of cyber security.”&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;“In an ideal world we would have several other security and detection systems, but for us, as a software vendor, we need to focus on what really matters. And this is our IT stack: Secrets are the keys to your kingdom”&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  What’s next
&lt;/h3&gt;

&lt;p&gt;GitGuardian is already well integrated in Mirantis’ development stack thanks to the Slack integration. In order to go further, Mirantis is looking forward to having GitGuardian integrated with other systems it uses, since that would remove the need for some manual tasks, and to benefiting from GitGuardian expanding its detection capabilities.&lt;/p&gt;

&lt;h3&gt;
  
  
  Interview
&lt;/h3&gt;

&lt;p&gt;Learn more about Mirantis’ usage and experience by listening to this interview on Tech Strong TV — Digital Anarchist.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zAq10_wh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/500/0%2Atjx_0_mb-aMOvAHU.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zAq10_wh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/500/0%2Atjx_0_mb-aMOvAHU.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/ciso-live-mirantis-yury-koldobanov-director-of-it/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on June 9, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>cybersecurity</category>
      <category>codesecurity</category>
      <category>mirantis</category>
      <category>applicationsecurity</category>
    </item>
    <item>
      <title>CISO live — Anne Hardy from Talend</title>
      <dc:creator>Carole Winqwist</dc:creator>
      <pubDate>Sat, 06 Feb 2021 11:39:48 +0000</pubDate>
      <link>https://dev.to/gitguardian/ciso-live-anne-hardy-from-talend-5e76</link>
      <guid>https://dev.to/gitguardian/ciso-live-anne-hardy-from-talend-5e76</guid>
      <description>&lt;p&gt;&lt;strong&gt;Talend is a global leader in data integration and data integrity solutions and a pioneer in the open source world. Talend was the first company to market open source data integration software. As a result of this “open source DNA,” Talend uses GitHub.com extensively to collaborate and share code with the community.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t4gyvMEO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2AOur8dkEpAWrRnzXQpA88nw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t4gyvMEO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn-images-1.medium.com/max/1024/1%2AOur8dkEpAWrRnzXQpA88nw.png" alt=""&gt;&lt;/a&gt;Anne Hardi — CISO Talend quote&lt;/p&gt;

&lt;h3&gt;
  
  
  Challenges
&lt;/h3&gt;

&lt;p&gt;When Talend CISO, Anne Hardy, joined the company in 2020, she quickly identified that there was an issue relating to infrastructure credentials and other secrets leaking through GitHub.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;“When I arrived, I heard about quite a few issues with GitHub, including leaks of private information, keys, passwords that could be unintentionally stored and publicly exposed on GitHub by our developers or some of our professional services. We absolutely had to deal with the problem quickly.”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Talend had already tried to remedy this problem by developing an in-house tool. This complex project quickly exposed the limitations of building effective in-house detection solutions. The solution not only had some flaws but also proved to be both challenging and expensive to maintain. Additionally (and crucially), it couldn’t identify and monitor developers’ public personal repositories.&lt;/p&gt;

&lt;h3&gt;
  
  
  Solution
&lt;/h3&gt;

&lt;p&gt;It was at this point that Talend decided to look for a ready-made solution available on the market. The desired solution needed to allow for active monitoring of all their GitHub code repositories as well as the public personal code repositories of their developers.&lt;/p&gt;

&lt;p&gt;“We started by looking at open source solutions such as &lt;a href="https://github.com/zricethezav/gitleaks"&gt;Gitleaks&lt;/a&gt; and &lt;a href="https://github.com/dxa4481/truffleHog"&gt;truffleHog&lt;/a&gt;, but they did not meet our expectations. In particular, it was necessary to declare all the directories to be monitored, which represented a substantial workload.” Indeed, it is tricky to identify personal repositories belonging to developers, especially when dealing with large teams. Automating this process was the only feasible way forward.&lt;/p&gt;

&lt;p&gt;“Then we discovered the GitGuardian solution, and analysts confirmed that it was a solid solution and suited our needs.”&lt;/p&gt;

&lt;h3&gt;
  
  
  Results
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;“Once we decided to deploy GitGuardian’s GitHub public monitoring solution, the ramp up was rapid. As soon as we had access to the platform, we were able to start remediating past incidents.”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In parallel with the deployment of the solution, a procedure was put in place to treat this type of leak, and all 400 developers were trained on secrets management.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;“What I have found to be very effective with GitGuardian is that we can analyze the history of Talend related alerts on the entire GitHub perimeter, whether they are our official public directories or any public directory outside the control of Talend. We launched this audit, and several leaked secrets were brought to our attention. What was very interesting and what we didn’t anticipate was that most of the alerts came from the personal code repositories of our developers.”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;GitGuardian can confirm that almost 80% of corporate leaks on GitHub occur on personal repositories.&lt;/p&gt;

&lt;p&gt;Talend’s first priority after taking ownership of the solution was to go through the list of historical incidents and enact the new procedure. This allowed them to start on a sound basis and rely on GitGuardian’s real-time alerting going forward. “It took us 3 months to clean everything up and solve problems especially with employees who had left the company.”&lt;/p&gt;

&lt;p&gt;Today, GitGuardian continuously monitors all commits within Talend’s perimeter, whether on Talend-owned repositories or developers’ personal repos. Credentials are detected a couple of seconds after they become publicly visible and are then listed on the dashboard along with information that will facilitate remediation.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Quote
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;“Human error exists, but the key is to be alerted and be able to take appropriate action when a leak is found.”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  What’s Next
&lt;/h3&gt;

&lt;p&gt;Talend has deployed GitGuardian for the Infosec team. They will also extend it to their team of security champions, developers who will act as an extension to the Infosec team and encourage best practices.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at&lt;/em&gt; &lt;a href="https://blog.gitguardian.com/talend-customer-story/"&gt;&lt;em&gt;https://blog.gitguardian.com&lt;/em&gt;&lt;/a&gt; &lt;em&gt;on February 6, 2021.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>cybersecurity</category>
      <category>talend</category>
      <category>applicationsecurity</category>
      <category>github</category>
    </item>
  </channel>
</rss>
