Security is like a competitive game of telephone that companies don’t even know they’re playing, and attackers can listen in when employees take their turn. I once watched from a user’s system as a response team had a video call with my target; I took countless screenshots of them investigating the workstation and ultimately concluding it was safe. I felt like an ominous specter sitting right next to the defenders while they were clueless. When organizations get large enough, they are insecure by default. Even if there are no distinct technical vulnerabilities, the information flow itself can be exploited.
When people collaborate, they all follow the same patterns. They want a barrier between the collaborators and the rest of the world, a way to communicate between collaborators, a place to store the data they need, a way to create new information, and a way to share that output. Each element provides a new way to leverage assumptions, behavior, and information arbitrage to compromise individuals, systems, and entire organizations. Organizations assume they have less attack surface than they do, and that their permissions are more restrictive than they are. Your employees will follow the path of least resistance to finish their tasks, and if security gets in the way of doing their jobs they will find incredibly creative ways to bypass your controls.
Hacking is simply information arbitrage, with the attackers having a better understanding of an organization’s technology stack, user habits, and permission hierarchy than the company does. This is because organizations don’t think in terms of how to attack, they think in terms of how to defend. The value proposition of red teamers is that we don’t think about how to defend every single asset, we think of how to compromise the most valuable asset, and the easiest path to that asset.