Talking with the expert- Shubham Mittal
By Ashish Chhatani - May 22, 2019
Shubham Mittal- Co-Founder of RedHunt Labs has been a well known personality in InfoSec industry. Shubham has so many Hall Of Fames, research works under his belt. He has been an active speaker and trainer in so many well known InfoSec conferences and events. In this interview, Shubham opens up about his journey and so many various other topics.
1. Please tell our readers a little bit about yourself. How it all started and how’s the journey so far?
I am Shubham Mittal. Always been the most notorious kid in the class, an outgoing person in the group and the one who makes crazy plans. I started my career as InfoSec trainer, jumped multiple organizations doing offensive as well as defensive roles, followed by leading technology opera-tions in a FinTech company as CTO. Now I find happiness working for my own organization, RedHunt Labs. To answer the question more precisely, the journey so far has been super fun and amazing.
2. Your journey looks quite interesting. You’ve published papers, worked across many orgs, an active member in global confer-ences and founded a startup now. Was InfoSec a first love and everything was planned?
Well, honestly, first love was computers. I did a computer hardware course in 6th class, as a favor from a known cousin. When one of my friends told me about phishing scripts, it kind of looked cool at that age. I picked it up I picked the only Hacker related book available in my college library, The Hacker’s Handbook, gave it a quick read, and realized, if done in a legal framework, this could be a good career.
Once I started my career, I got introduced to Null-Open Source Community in India, met a bunch of like-minded people, started open source contributions, and then things just kept me going.
3. What’s the idea behind RedHuntlabs? What’s the vision for that?
In all the prior organizations I have worked for, I learnt that, irrespective of how many defenses and patches are applied, the assets cannot be se-cured until and unless there is a process to continuously monitor them and check them for not only new vulnerabilities but also vulnerabilities resur-facing. Such assets could be IP, subdomains, servers, and they could also be your github repositories, PasteBin dumps, social media accounts, and leaked credentials. Similarly, the vulnerabilities could be configuration is-sues or credentials leaking on some website.
We founded RedHunt Labs to address this lack of Perimeter Security Solu-tion in the industry with our Continuous Asset Discovery and Monitoring product, nVadr.
Our vision is to create an extensive platform which can solve all the chal-lenges in the Perimeter Security Domain.
4. Being a young entrepreneur, what were the challenges you faced?
A lot. The most important one, traditional senior folks, sometimes don’t take you seriously. However, with good work, this fades away.
5. What are the things in terms of InfoSec which you see in the recent time that needs to be addressed and requires an immediate attention?
I believe the traditional security industry is getting matured. There are enough tooling and processes around. However, since cloud infrastructure, social media and code sharing platforms have evolved exponentially, there is a high need to address challenges created by such advancements.
If you look at the Hacktivity in any of the crowd source hacking programs, most common and critical issues are generally as trivial as an API key being leaked, a password being shared unintentional or an untracked legacy subdomain running unauthenticated services. Such kind of issues are taking over a lot and should be fixed.
6. What are the basic requirements to set up a red team task force?
The first requirement I believe, is to understand the objective of the Red Team. While a few tasks might vary depending on the business you are involved in, the responsibility and the goal remains the same - you have to challenge the various aspects of your own defense mechanisms. Once that’s done, you should decide who all are going to make the team. How many red teamers with what all backgrounds? Pentesters? May be a defensive person too? How about having an OSINT expert?
Once that’s done, figure out the lab part. You might need, a lot of components, depending on the business requirement, including (and not limited to) Attacking domains, Exploit frameworks, Payload server, Phishing frameworks, Team Servers with covert communication, High range WIFI Antennas, RFID cloners, etc.
7. Your views on Cloud computing. How do you reckon the state of cloud security?
Since cloud is evolving at a rapid rate, and more and more organizations are moving to Cloud infrastructure, there is definitely a huge gap of security in the cloud security space. Although, the cloud providers solve this problem to a great extent by providing security configurations hooked within the infra along with services like monitoring, alerting etc., the mar-ket is still immature in terms of cloud security and organizations need to catch up a lot.
8. Share your thoughts on the role emerging techs like AI and ML can play in Information Security.
A lot more than we can think. Of course, they cannot beat Manual approach, but when it comes to automation and continuous security, AI and ML of course goes long way. They have already found their way in Password less authentication, Due Diligence, Automated Attack Chaining, SIEM, Threat intelligence feeds, and a lot more. However, I am yet to see some more advanced products coming out, which use AI / ML and not just talk about the keywords.
9. Next big revolution in InfoSec domain you see.
Cloud Security and Asset Monitoring with combined continuous integrations with other tools. At least that’s something I am eyeing upon.
10. Key factors you think are must to become an exceptional leader?
• Appetite to take risk
• A continuous itch to solve a problem
• Good planning and execution
• Ability to get into multiple shoes
11. How do you reckon your journey so far? Something still in the bucket to pursue or any other plans?
Yes, A few more surprises planned in next few years. However, apart from professional work, I am looking forward to doing a cross-country car roadtrip someday.
12. We see you have got plenty of HoFs, Any advice to the young folks who are ambitious for Bug bounty program?
While Bug Bounty programs are great platform to learn, they are also a lucrative target to run behind bugs (which includes running dorks, spray-ing vulnerabilities, etc.). While all of this is quite useful and important in Bug Bounty market filled with competition, young folks do miss a lot of important concepts which they should try to understand order to be a good security professional.
Folks should definitely keep finding bugs, but they should also focus on understand what’s going behind the scenes? May be a little networking, TCP/IP models, IP Subnetting/Supernetting, HTTP protocol, DNS Records, etc. A classic example, one should not only know how to find subdomain takeover, but also understand other DNS records and their significance.
I highly recommend any person starting into InfoSec to setup a small pro-ject website on a Linux server and manage running it on public internet. That covers a lot of things which a person should understand, and this not only makes doing post exploitation easier, but also helps the person learn about all the small configurations which could be goofed up by anyone.