James Mason is an expert in Enterprise Cyber Security at QinetiQ, one of the world's leading defence technology and security companies. With over a decade of experience in attack simulation and red teaming, James brings a unique blend of technical expertise and real-world infiltration skills to his role.
James will be speaking at DTX London, taking place on 2nd and 3rd October at ExCeL London.
The following interview has been edited for length and clarity.
Q: What will you be speaking about at DTX London?
I'll discuss the critical importance of attack simulation, also known as "red teaming", in 2024 and beyond. Drawing from QinetiQ's extensive experience as one of the world's oldest formed red teams, I'll share real-world stories and actual photographs from our exercises – including climbing fences in the dead of night.
I'll also reveal the four essential skills I've developed over the past decade that have allowed me to talk my way into any business successfully. But more than just exciting anecdotes, I'll focus on the crucial lessons learnt from these exercises. I'll explain how organisations can benefit significantly from their very first attack simulation exercise and why this proactive approach to security is more vital now than ever before.
Q: How did you get into the field of attack simulation and red teaming?
I fell into it just over a decade ago, in 2013. Before then, I'd never even heard of threat-led pen testing or ethical hacking. When I first learnt about them, they sounded like something out of a movie.
On my second day with the QinetiQ team, I was taken to a windowless room and shown how to pick locks and even open a padlock with a can of Coca-Cola. They also demonstrated how to compromise a laptop that wasn't even switched on. It absolutely blew my mind.
My passion for red teaming was ignited that day, and it's been an addiction ever since. I often have to stop myself from noticing security vulnerabilities in everyday life – like doors propped open in airports that shouldn't be. It's a constant battle, but it's also what makes this field so exciting and vital.
I've spoken before about my personal journey "from salesperson to social engineer," and it's resonated well at events and such because of its uniqueness. However, I draw heavily on transferable skills, such as people skills, quickly building rapport, and so on.
Q: Why should people listen to your session at DTX London?
Some companies have dropped attack simulations off their radar post-COVID. There's been a concerning resurgence of the "it-hasn't-happened-to-us-yet" mentality, reminiscent of attitudes from about a decade ago. This complacency is dangerous, especially given the massive year-on-year increase in threats and the rapid development of new technologies.
I'll share an example of a breach we discovered within approximately 20 minutes of beginning an exercise. This underscores the reality that threats are not hypothetical – they're happening now and the company in scope may very well be completely unaware.
I'll also discuss the importance of opening up your entire enterprise for a comprehensive view of your security posture. Many companies still rely on traditional annual pen tests or anti-virus scanning, but this limited approach can miss crucial vulnerabilities.
Q: If you could offer three takeaways from your speaking session, what would they be?
1. Attack simulation/red teaming is a force for good: The primary aim of a reputable attack simulation exercise is to make the company and its staff more resilient. This fundamental principle is often overlooked but is crucial to understand.
2. The human element is key: I'll share the four essential skills for successful social engineering. These skills demonstrate how human factors play a crucial role in both attack and defence strategies. Companies often experience a light-bulb moment: once we have successfully infiltrated during a physical exercise, we're suddenly an insider threat, which is a top risk/concern for the C-suite.
3. Comprehensive testing yields comprehensive results: By opening up your entire enterprise for testing, you can gain far more value than siloed pen tests. This approach can reveal systemic vulnerabilities that more limited testing methods might miss.
Q: You mentioned four key skills for successful social engineering. Can you elaborate on these?
Absolutely. These skills have been crucial to my success in red teaming over the past decade, but I must caveat that they are applied during exercises under robust legal processes – do not try this yourself!
1. Confidence. You have to believe that you're supposed to be in that building more than the person you're talking to. This self-assurance is often enough to convince others of your legitimacy.
2. Manners. I always aim to treat people kindly, as I'd expect to be treated myself. When you're polite, people naturally want to help you. Some red teams use aggressive approaches, but I've found that good manners get you much further.
3. Instant adaptability. No matter how much you plan, unexpected situations always arise during red team operations. You need to be able to change your approach instantly based on what's happening in front of you.
4. Always have a backup story. In our 24 years of attack simulation operations at QinetiQ, we've never had to use a "get-out-of-jail-free" card unwillingly, and we don't want to be the first. Always have a convincing explanation ready for when you're challenged.
I do sometimes feel a pang of guilt when people help me because I'm exploiting their kindness. But I quickly remind myself that it's better that I find these vulnerabilities than a real-world attacker.
Q: Have you attended DTX before, and if so, why should others attend?
Yes, I've enjoyed speaking at DTX Manchester and DTX Europe recently. What has consistently impressed me about DTX is the sheer variety of content available throughout the conference. The multiple stages offer a diverse range of sessions, ensuring there's something valuable for every attendee, regardless of their specific role or interests in the tech industry.
For those considering attending, DTX offers a unique opportunity to gain insights into the latest trends, technologies, and best practices across a broad spectrum of the tech industry. Whether you're a seasoned CISO, a budding security professional, or a business leader looking to understand the security landscape better, you'll find valuable content and connections at DTX.
Q: What are your hopes for DTX this year? What are you hoping to learn?
This year, I'm particularly interested in sessions focusing on attack simulation and human factors in cybersecurity. These areas are at the core of what we do at QinetiQ, and I'm always eager to learn about new approaches and perspectives in these fields. Additionally, I'm keen to chat with leaders who want to "red team" their company but are experiencing challenges.
I'm also looking forward to engaging with like-minded professionals. The cybersecurity landscape is constantly evolving, and events like DTX provide an invaluable opportunity to exchange ideas, discuss emerging threats, and share best practices with peers from around the industry.
Q: Is there anything else you would like to add on this subject?
I want to emphasise to senior management and board members the critical importance of regular security exercises. There's an old saying, "You don't know what you don't know," which is particularly true in cybersecurity. Our exercises often uncover vulnerabilities or process gaps that organisations were utterly unaware of.
Lastly, remember that if you have the same systems and environments in place globally, a comprehensive red team engagement can help you identify and fix vulnerabilities across your entire organisation, not just in one location. Use this to your advantage to get the most value out of your security testing efforts.
James Mason will be speaking at DTX London, taking place on 2nd and 3rd October at ExCeL London. For more information and to register, please visit: https://dtx-london-2024.reg.buzz/