Offensive security: from technology to business impact
Written by

Marina Pinho

Communication Manager

In the first part of this interview, we spoke with our consultant Diogo Sousa, Offensive CyberSecurity Specialist on a project in the financial sector, about red team, offensive security, and the work of those who test systems, processes and people before someone with bad intentions does. In this second part, the conversation moves towards a more strategic dimension: the direct impact of cybersecurity on the business.

At the end of the day, security is not just a technical issue, but rather operational continuity, trust, data protection and the ability to resist when something goes wrong. From identity segregation projects to cloud dependency, the use of AI, certifications and the future of cybersecurity profiles, this conversation shows how the work of a red team can help companies better understand their risks and prepare for threats that are increasingly difficult to anticipate.

How does your team contribute to the client’s success?

My team contributes to the client’s success by reducing the probability and impact of any security-related incident. The goal is simple: to prevent an attack from happening and, if it does happen, to ensure that the impact on the business is as small as possible.

A good example is a project we are currently working on, called AD Segregation. The goal is to reduce the impact in the event of a security compromise. Let’s imagine someone gets into our infrastructure and completely compromises one of our domains. In that scenario, we need to ensure that the business continues to operate and that the remaining areas are not also compromised.

To do this, it is necessary to organise the domains according to the different business lines, ensuring that if one of them is affected, the others can continue operating. This is where the balance between operational capacity and security comes in again.

Naturally, the operational team tends to want to reduce system complexity, because that makes day-to-day management easier. But by reducing that complexity too much, we may compromise the initial goal of the project: ensuring that, if there is a security problem in one area, the rest of the business continues to operate.

I would say this was the first project that exposed me to the business in a more cross-cutting way, because we are addressing the four business lines at the same time. In a pentest, for example, we usually only look at one application, one system or one specific perimeter. Here, the view is much broader.

Because I am part of the red team, I also end up having a privileged position. We have some flexibility in how we define our operations, and that allows us to learn more about the business. If we want to better understand a specific business line, we can attack that business line and learn more about it.

Red Team: Inside offensive security

Why do you think security is so important for the client?

Security is fundamental because, if it is not guaranteed, the business may simply stop working.

I had a very clear example relatively recently, around a year and a half or two years ago. A company with almost a century of existence, with profits in the hundreds of millions, was the victim of a cyberattack and ended up going bankrupt. This clearly shows the real impact that a security incident can have.

In the case of a company in the financial sector, with a presence in several countries and different business lines, this risk becomes even more critical. We are talking about years and years of building a business, trust, market positioning and competitive advantage. If the systems are then exposed, an attack happens and everything collapses, the impact can be huge.

We can have a phenomenal business model and marketing campaigns capable of attracting the best clients, but if there is a cyberattack and the operation is compromised, everything falls apart.

Do you carry out awareness work with new hires on these topics?

Yes, we have awareness campaigns. But although they are important, it is still complicated to “sell” this area of security. Usually, things are explained based on numbers. If I have a company and can increase the number of clients, that is easy to demonstrate: you have 10 clients, I tell you that you will have 20, meaning you will double the number of clients. I present a PowerPoint, explain that you will earn X euros and, therefore, I will charge Y.

In cybersecurity, it is different. We have to sell what will not happen. Basically, we are saying: “this is the money you will not lose”.

How has cloud changed offensive security?

I was thinking about that the other day. Cloud has changed offensive security mainly because of the dependency that now exists on a small number of providers. A large part of software and cloud services comes from companies like Microsoft and Amazon.

We may have information stored in Microsoft, in the cloud, but that information is still ours. We are simply using that system for our own use cases. Then there are services that are in the cloud and come directly from Microsoft, and others that are also in the cloud but are developed by other entities.

The problem with this dependency is that we lose some visibility over what is, or is not, expected behaviour. It becomes harder to distinguish legitimate traffic from malicious traffic.

For example, we have an entity like Microsoft receiving millions of requests from us. If I place a malicious red team request in there, it will be very difficult to distinguish it from the remaining legitimate requests. And it will also be almost impossible to block that type of attack, because if I block access to Microsoft, legitimate access also stops reaching it.

In other words, because I cannot simply block it, I am left with a potential security problem that is very difficult to solve. And that problem comes, to a large extent, from our dependency on providers like Microsoft and Amazon.

Is AI helping or complicating your work?

I love it. It is funny because I never used it much, but this week I fell in love with it.

I used to use it more for code development, mainly to create simple scripts. I do not usually use it just to talk, because it agrees with me too much. But for code and automation, it has been very useful.

This week, my red team was automating some processes. Whenever we have a new campaign, we need to set up new infrastructure. If I used a domain, for example abc.com, to run an operation, at the end that domain becomes associated with me and with red team activity. So I need to buy a new domain and repeat all the necessary steps.

Although it is something relatively easy, it takes time, and there is no need to waste that time if we can automate the process.

The problem with automation is that, to do it properly, we need to understand the tools that allow us to automate. That requires research and time. Usually, it pays off, because we do the research once and the automation works in the future. But with AI, I did not even have to do that research in the same way.

We had a problem to solve, divided it into 10 components, went to AI, presented the problem and explained that I needed to solve A, B and C. I asked for a script with certain requirements, then another script with other requirements, and so on. In three days, we did the work that otherwise could have taken three months. It is impressive.

If used in the right way and with well-built prompts, AI increases our productivity exponentially. It is phenomenal.

What is your opinion on trends where people publish AI-altered images of themselves? Do you think there are risks?

I do not think it makes much sense, but I also would not say it is the end of the world.

The average person, who is not that tech savvy, already sells or exposes their information constantly, every day. This is just another example of that. Ideally, they should not do it, unless they do not mind exposing their profile to large conglomerates that will use that information for their own benefit. But that does not mean someone will automatically be hacked, I hope.

Even so, ideally, people should not do it, and I would be especially careful about publishing photos of children on social media, because there is a darker side to that.


If you had to start from scratch today, what would you learn first?

First, I would not go to university. University gave me good foundations and helped me a lot, but knowing what I know today, I would not take that path. The degree itself is not something I use daily. There is knowledge I brought from university and will carry for the rest of my life, but in terms of the percentage of what I learned and what I use today, I do not know if it justifies the three years.

By comparison, I can complete a certification in three months. If, over three years, I completed a certification every three months, I would probably come out much better prepared for this area.

The cost would also have to be considered. A degree ends up costing almost the same as a certification, but if I had access to the necessary funds to study through certifications, that is what I would do.

What separates an ethical hacker from a malicious attacker, besides authorisation?

Intention. I can have authorisation and still have the intention of selling information. In fact, assuming that is my goal, authorisation can even make the job easier.

If I have authorisation to carry out tests, I can make as much noise as I want. Any red flag that appears, people come and speak to me and I say: “Yes, I have authorisation, here it is.” And, often, that means the situation is ignored.

In the extreme, I can even start to exfiltrate data and say that I am only testing whether the system properly detects that type of activity. Meanwhile, the information has already reached my side.

Is the market prepared for the current level of threats?

No, and it is difficult to be. We have people who start very early and do this their whole lives. And then we have countries that almost raise people specifically for this. Their goal is to have professionals with IT skills capable of finding problems and exploiting them for the benefit of the State.

There are examples appearing all the time. China compromised a very large company not long ago and had already been inside that company’s systems for at least six months. But it could have been there for six months or for four years. It was only detected after that period of time, and nobody knows exactly what it did while it was inside.

It is almost a military logic. Russia, for example, carries out many OT operations in Ukraine, and OT is a difficult area to study because there is not as much information available.

It is very difficult to combat this type of threat, because these entities have access to resources, information and time that we do not have. The difference between us and them is that, if they discover a critical problem in a technology, they will not share that information.

For example, the NSA (National Security Agency), in the United States, had access to Windows systems all over the world for I do not know how long, and we only found out because someone leaked that information and Microsoft fixed the problem. Maybe they even knew before, but could not do anything because of pressure from the American government.

It is always difficult to compete in this context. Even if we were on equal footing, we cannot prepare for what we do not know exists.

Do you think Europe is behind the rest of the world in this regard?

It is, because we do not value this area as much.

The fact that we value regulation so highly also ends up working against us. For example, in the case of AI, because we place so much importance on citizens’ privacy, the technology cannot progress at the same speed.

The same happens when we compare Europe with China. A country that puts people to work 16 hours a day will naturally evolve faster than a country that values work-life balance. In the end, it is a matter of choices.

What type of profiles will be most in demand in the coming years?

The most in-demand profiles will be linked to cloud and to the ability to use AI, but without depending on it completely.

AI makes our work much easier, but people cannot rely entirely on it. Cases are already starting to appear where, when someone is asked how they would solve a problem, the answer is: “I will ask an LLM and follow the steps.” Or they do something and ask AI to filter what they want.

That dependency is not positive. People need to continue thinking for themselves and having critical thinking. I think that will be one of the most important qualities in the future: knowing how to use AI, but not being dependent on it. That is really the keyword: knowing how to use AI.

I also think containers will continue to be very important.

At the same time, I feel that some people are falling into the mistake of studying cybersecurity “just because”, without properly understanding the technology behind it. Cybersecurity is a branch of technology. Historically, people did not start with security. They started by learning technologies, realised there were mistakes in how they were implemented, then learned that those mistakes could be exploited and, finally, understood how to fix them.

Security started largely around web application security, and many of the people who became hackers started as developers. They learned how to use a technology, understood it, then learned how to break it and suggested ways to solve the problem.

I think that is being lost. There were people who did that work for us: they learned the technology, discovered how to abuse it and taught that process. Today, there are people who only learn that part, without truly understanding the technology.

It happens a lot that someone knows that system X is vulnerable, but does not understand where that vulnerability comes from. And that is a problem, because we cannot solve something we do not understand.

For that reason, the dependence on offensive knowledge, or being stuck only with the knowledge of how to exploit or abuse a technology, ends up working against us. But it is difficult to identify, because someone who focuses only on that can evolve much faster at the beginning. After a year, that person can say they know how to abuse technology A, B or C. Another person may only know technology A, and not even completely, because they have really been studying how that technology works. But, in the long term, it is that second person who reaches more interesting places.

You place a lot of value on certifications. Which ones are worth the investment?

They change over time.

Many years ago, the most recognised certificate was the Certified Ethical Hacker. Everyone had to have that certificate, but nowadays it is no longer worth much, because it has fallen out of use. That is the big problem with certifications: the entities behind them need to be aware that they must adapt to the time they are living in.

The big entities, such as Offensive Security (OffSec), which has some of the most valued certificates, seem to me to be paying attention to that. Even so, I notice that some important certificates are falling out of use. For example, the OSEP (OffSec Experienced Penetration Tester) was last updated in 2019. Considering that the content of the OSEP is very sensitive to the current technological context, being outdated for so long means it loses much of its value. It carries the name, but that is not a sustainable strategy.

If I had to recommend a certification now, I would not necessarily recommend the same one I would have recommended five years ago. People need to do research, understand the context of the certificate, understand where it fits within the field and see whether it is a certification that is frequently used. Because if it is not, it does not have much value, even if it has a name.

For example, the OSCP (Offensive Security Certified Professional) is probably the most valued certificate today. Any job post in this area tends to have that certificate as a requirement. It is almost the holy grail of certifications. But I do not know if it is necessarily the best.

There are other cheaper certificates that can teach as much or more. One example is TCM Security, from The Cyber Mentor. It was created by someone who was an accountant, changed fields, started creating content on YouTube to teach other people and ended up creating his own certification entity.

It is a much cheaper option than Offensive Security and provides almost the same knowledge. It does not have the same name, of course, but if I had to learn now, I would probably start there. I would learn almost the same, maybe even more, and would be better prepared for the next exam, such as the OSCP. Besides that, it would be much cheaper and would reduce the risk of failing a more expensive exam.

So, I would start with that type of content before moving on to more recognised and expensive certifications.