#introduction Hello friends, I’m Josh Kamdjou
I’m a red teamer turned defender working on a new open approach to email security at @sublime
I got into #infosec when I was an early teen. My high school (Wootton — where my Marylanders at?) was ahead of its time. We got trained up on Cisco routers, networking, and crimping RJ45s. I started playing around with *nix distros on my own time, and one thing led to another and I started popping VMs in my home lab network and dropping sub7.
This eventually led to my discovery of @metasploit. I started popping things left and right, dropping keyloggers, and taking remote screenshots. I couldn’t get enough of it. It’s an understatement to say that if it weren’t for legends like @mubix, @hdm, @carnal0wnage, @egypt and the tools and content they put out there for the community, I probably wouldn’t be where I am today. I’ll forever be grateful, and it’ll take me a lifetime to pay it forward.
I decided to take up Computer Science at the University of Maryland (#terps) and joined UMD’s Cybersecurity Club circa 2010. We did CCDC (I remember going up against @mubix at the time 🙂), won MDC3, and a group of us were asked to pen-test UMD’s network. I popped a Department through phishing (naturally) and exfil’d the crown jewels. I think my favorite part was control over the stadium’s big screen. RIP #MS08067
After college, I started full-time doing offensive cyber related things in and around the DoD until 2019. There are not enough words to describe how formative, impactful, and meaningful these years were for me — working alongside our nation’s most talented, driven, and mission-oriented humans to make the world a safer place.
I continued to do offensive work in the private industry to stay current, and wrote up one of those engagements back in early 2019 on the techniques used to gain access via #phishing: https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing
I started working on @sublime as a side project, nights and weekends, to see if I could build a tool that would stop me as an attacker. Over a year later, the product was inserting warning banners into email clients with digestible information so that users could make more informed decisions when viewing a suspicious message. It was working: click rates were way down and I had early happy customers. I was lucky enough to meet @ianthiel, who joined me on the journey as my co-founder, and we continued to build the product and team out together.
We built and released emailrep.io, a free email reputation API, and I gave a talk on it at Shmoocon back in 2020: Voight-Kampff for Email Addresses: Quantifying Email Address Reputation to Identify Spear-Phishing and Fraud
Talk: https://www.youtube.com/watch?v=awVEYrbvYmQ&t=3s
Slides: https://www.slideshare.net/JoshuaKamdjou/voightkampff-for-email-addresses-quantifying-email-address-reputation-to-identify-spearphishing-and-fraud-226745475
We pivoted Sublime in 2021 after realizing that we, like every other email security product, had become the bottleneck for innovation. When red teamers or attackers came up with a way to slip through, defenders couldn’t close that gap themselves even if they wanted to — they had to wait days, sometimes months, for their vendor to close the gap. Rumor has it some are still waiting to this day.
Defenders had tools to close attack surface, collaborate, and hunt in nearly every aspect of security: YARA for binaries, Snort for IDS, Sigma+EQL for logs, but nothing for email.
So that’s what we built. Sublime is free to use via Docker/CF, has an email provider agnostic DSL that lets you collaborate with the community, build custom detection rules, hunt, etc. The team is now 12 strong, and we’ve been quietly refining the product in private beta over the past year with a group of incredible design partners. Stay tuned, because we have some exciting news to share with the world in 2023.
In my free time, I love weight lifting, spending time with family, and venturing out into nature and disconnecting. I recently hiked the Tour du Mont Blanc and witnessed the most beautiful sight I’ve ever seen camped out at the top of the mountains. Growing up, Martial Arts and soccer were a big part of my life. I’m a 3rd dan in Taekwondo, spent some time training and competing in Seoul, and played soccer competitively until college. I haven’t done either in years, but would love to get back into it at some point.
This is probably the most I’ve ever shared about my life online, feels like I should have stopped awhile ago. But here we are. HMU if you ever wanna nerd out about email security, offensive cyber, martial arts, or literally anything else really. Happy to be here with ya’ll.
I’ll leave you with a quote from someone that was close to me that’s guided so much of my life: “Do what you will, make the world a better place.”
