The reverse-engineering team presentation
Rédigé par
Tiphaine Romand-Latapie
, Eloi Benoist-Vanderbeken
, Fabien Perigaud
, Clément Berthaux
- 13/04/2022 - dans
Reverse-engineering
- Téléchargement
A lot of candidates, or simply fellow reversers, ask us how our team usually works: what kind of technologies are we looking into? What kind of projects? Do we work solo? How do we handle remote? etc.
The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.
The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.
The people
As of today, the team consists of more than 35 reversers, between 23 and 47 years old. We have offices in different locations in France: half of the team is based in Paris, 4 people in Toulouse, 5 in Lyon and 8 in Rennes. We also have a few team members in full remote in other cities in France.
The team is led by four people today: Tiphaine manages the team as a whole, while Eloi, Fabien and Clément focus more on technically supporting the team on its various projects.
The profiles are quite varied, we have juniors and seniors, Ph.D and bootcamp-style schools alumni.
Our Projects
We help our clients qualify their risks: we perform deep-dive evaluations in both black and white box. Typically, that means that we perform vulnerability research and go as far as proof of exploitation so that our clients can really measure their exposure. That also means that we need to deal with low-level understanding of our target, should it be hardware or software.
Imagine a client building a product, the security of which will be critical for its success and the brand of the company. This client has a couple of catastrophe scenarios in mind and wants to see whether or not they are realistic in a specific time frame. They call us, explain the scenarios and ask us to try to implement them.
We have the opportunity to work on many different layers and technologies, either through our clients' requests or through our R&D work. For example, see the list of our past published works:
- Low Level on embedded products (Dumping the Sonos Smart Speaker; Pull-up Your Bootloader)
- Tooling (Investigating IDA Lumina Feature)
- ... and all the rest that we cannot publish.
Day-to-day work
The mean workload for our projects is around 100 men-days, so we are talking about projects spanning weeks or months.
Our standard setup is to have two team members minimum on a project, coordinated by one of the three technical team leaders. Those three people can be in the same location, or not. Our infrastructure allows us to work very well remotely. The team members and technical leader are handpicked for each project, so anyone has the chance to work with different team members and technical leaders.
People are driven by different things: it can be the technical challenge, the client impact or the studied technology itself. Some people like to invest years in getting in-depth knowledge of a technology, others like to see different systems or work with different clients. We try to accommodate as much as possible those wishes and needs when we affect the projects.
What a standard week in the team looks like:
- One short meeting on Monday (less than 30 minutes) between the project tandem and the assigned technical leader following this project: the idea is to take the time to think about where the team is going, discuss any issues arising, bring a new perspective, etc.
- The rest of the week, the tandem works on the project. We have guidelines on how to conduct a project successfully, but we let the team members choose the way of working that fits that specific tandem best. For example, some tandems are in an all-day video-call, others only meet once a week and communicate via chat the rest of the time and others do a mix of both.
- One team meeting on Friday (less than an hour): the global news of the company and the team are shared. Then each team member does a quick recap of their week.
We work on a personal laptop, with enough RAM and space to make sure VMs and fuzzing are not an issue! Of course, we also use dedicated fuzzing servers for greedy campaigns.
Finally, our projects are quite long and challenging. When team members feel they need to take some air, we arrange a couple of weeks on an R&D or a "short project".
R&D/publications
Like for all people working at Synacktiv, we offer the possibility for our team to have some time dedicated to what we call "R&D". They are projects chosen by team members: it can be a willingness to try the PWN2OWN competition, to dig into the PS4 or a recently published vulnerability or to take some time to develop a tool the team member feels is missing.
Once the team member has their idea, they request a dedicated time: they describe shortly their idea, where they want to go with it and the number of dedicated days they request.
They usually request a couple of days first to begin preliminary work and evaluate how much effort should be invested. If it's a "short" effort, they usually ask for the required days once they have finished their preliminary work. If it's a bigger effort, the days will be requested iteratively when it's the most convenient for the team member and their ongoing client project. Some R&D span 5 men-days, others can go up to 85 men-days (spread out over several months).
Sometimes team members work alone on their R&D and other times they work in groups. For example, at the 2021 PWN2OWN Austin, 11 team members worked in teams of 2 or 3 people on different devices.
Our R&D usually ends with a publication: either a tool on our GitHub, a blogpost or a conference. Sometimes, it's an internal publication: a presentation to the team or a written resource on the methodology they used and lesson learned. You can find all our publications on our blog or the "resources" part on our website.
Whom are we looking for?
In a nutshell: people with a strong technical level, with already a bit (or a lot) of experience. It can be personal or professional experience: a personal project on GitHub, a nice CTF or Root-Me scoreboard, a research project documented in a blogpost or a previous professional experience in low-level development, vulnerability research, etc.
We don't look into a specific number of years of professional experience, we have team members who have just finished their studies and we hire the great majority of our interns.
Right now, the team is francophone, so we need French-fluent candidates. If it changes in the future, we will make sure to communicate the news.
We are completely open to people with a different profile, so if you are interested in joining the team, feel free to send us an email at apply@synacktiv.com! To put all chances on your side, list any concrete experience that may help us evaluate where you are in your technical journey.
If you want to know more about our recruitment process, you can find information on the dedicated page.
Autres publications
So I became a node: exploiting bootstrap tokens in Azure Kubernetes Service
During one of our assessments, we managed to retrieve a Kubernetes bootstrap token from an AKS pod. It was a good opportunity to get a closer look at these tokens, how they work and how to exploit the
...
Paul Barbé
, Kévin Schouteeten
- 23/04/2024 -
Pentest
OUned.py: exploiting hidden Organizational Units ACL attack vectors in Active Directory
Exploitation of Organizational Units (OUs) ACLs received comparatively little attention when it comes to the security analysis of domain objects permissions in Active Directory environments. Yet, thei
...
Quentin Roland
- 19/04/2024 -
Pentest
Quantum readiness: Introduction to Modern Cryptography
This article is the first of a series of articles regarding Post-Quantum Cryptography in 2024. It builds upon Synacktiv's 2021 article, "Is it post quantum time yet?", by presenting the evolutions tha
...
Alexandre Brenner
, Benjamin Sepe
- 18/04/2024 -
Cryptographie