How Hackers Attack: 5-Minute Interview with Andy Robbins, Adversary Resilience Lead at SpecterOps

Basically, we get paid to break into organizations, steal their data, and give them a report on how we did it, said Andy Robbins, Pen Tester and Red Team Lead at SpecterOps.

Andy is one of the founders of BloodHound, which uses Neo4j to let pentesters sniff out the privileges and attack paths that hackers use.

In this week’s five-minute interview (conducted at GraphConnect New York), Andy tells us how SpecterOps uses Neo4j to turn the attack graph into a defense graph.

Talk to us about how you guys use Neo4j at Specterops.

Andy Robbins: Basically, we get paid to break into organizations, steal their data, and give them a report on how we did it.

The most interesting Neo4j project we work on is called BloodHound. BloodHound is the result of months of effort from myself, Rohan Vazarkar and Will Schroeder. It’s based on years of work by Will Schroeder in situational awareness in Active Directory environments.

BloodHound lets a pentester or a red teamer map out the privileges in an enterprise – as well as attack paths that go from a low-privilege user all the way to a high-privilege user or to a computer – that has a certain data asset or data objective on it.

What made you choose Neo4j?

Robbins: When we started the BloodHound project, there were a lot of requirements. We needed a graph database that was simple to use and had support and great documentation, because we don’t have a graph background personally or professionally. We needed something that was going to be easy for creating a proof of concept and then threading it into an actual product.

We looked at a bunch of solutions. We found Neo4j was the best as far as documentation, support, community and developer outreach. For people like us who don’t have a background with graph databases, Neo4j is very easy to get into and start developing with.

What have been some of your most interesting or surprising results you’d had while using Neo4j?

Robbins: We use Neo4j as an attack graph to find and execute attack paths. However, the most interesting thing that we’ve found so far is that an attack graph is extremely hard to defeat.

One of the services that we stood up at SpecterOps is called Adversary Resilience. This service essentially takes the attack graph, flips it upside down, turns it into a defense graph and tries to cut out the attack paths identified in the graph.

This turned out to be incredibly difficult because things that we thought would cut out a lot of attack paths – such as protecting credentials or patching systems – did not cut out as many paths as we thought they would.

The attack graph proved very resilient. It was very difficult to cut out attack paths that would result in the highest mitigation. That is the most surprising thing that we ran into so far.

Discover how graphs help thwart hacker attacks with Andy Robbins of SpectorOps.

If you could start over with Neo4j, taking everything you know now, what would you do differently?

Robbins: If I could go back to the beginning of the BloodHound project, the first thing that I would do is read the documentation more carefully. I would read everything Michael Hunger has ever written so I didn’t have to learn things the hard way.

I learned a lot of things in the intermediate Cypher training class that proved to be invaluable to the success of the project. I learned about efficiency of queries, the quality of the data that we were getting and much more: things that made the project so much better with just a day in the classroom.

Also, if I could go back, I would learn the differences between Shortest Path and All Pairs Shortest Path, and why one is so much more efficient than the other. That was a hard-earned lesson.

What do you think the future of graph technology looks like?

Robbins: In cyber security, there is a ton of opportunity for applying graphs to very difficult-to-solve problems. We have already had success with applying them to finding attack paths in Active Directory or in a typical corporate environment.

In my opinion, there’s also opportunity for exploit research, local privilege escalation and discoverability. There’s even more opportunity for automation of attack path execution.

Anything else you’d like to add?

Robbins: Michael Hunger is the best. He answers all of my questions in the Neo4j Slack channel. Max is also pretty great.

All the developer outreach folks at Neo4j are fantastic. I owe them a lot. I owe them drinks, as a matter of fact, for all the information that they have shared freely and all of the assistance that they’ve given me along the way.

Want to share about your Neo4j project in a future 5-Minute Interview? Drop us a line at

Want to build awesome projects like this?
Click below to get your free copy of the Learning Neo4j ebook and catch up to speed with the world’s leading graph database technology.

Get the Free Book