BSides LV 2023 - Common Ground - Tuesday
Show transcript [en]
[Music] thank you baby [Music]
[Music] don't leave me alone [Music]
don't wanna overthink it baby [Music] baby you killed me giving me Wind and Rain some kind of butterfly [Music] that up [Music] you can put my appetite [Music] but I don't wanna jinx it baby [Music]
[Music]
[Music] thank you [Music] baby you'll give me my appetite don't leave me alone [Music]
[Music]
[Music]
[Music] oh [Music] [Music] foreign
[Music] thank you [Music] foreign [Music]
[Music] foreign
[Music]
[Music]
[Music] thank you foreign [Music]
[Music] [Music]
[Music]
[Music]
thank you [Music]
[Music]
thank you
[Music]
foreign [Music]
[Music] foreign [Music] thank you [Music]
[Music] wow [Music] foreign [Music]
[Music] all right [Music] oh yeah [Music] thank you [Music] foreign [Music] foreign [Music] foreign
[Music] foreign
[Music]
thank you [Music] foreign [Music]
thank you
[Music] all right [Music] thank you [Music] thank you [Music] foreign
[Music] foreign [Music]
[Music]
[Music] thank you
[Music] thank you [Music] [Music] thank you [Music] foreign [Music]
[Music]
[Music] thank you [Music] foreign [Music] thank you
[Music]
[Music] foreign [Music]
[Music]
[Music] thank you foreign [Music] [Applause]
[Music] thank you [Music] foreign
[Music]
[Music] baby [Music]
[Music] don't wanna overthink it baby [Music]
[Music] baby you okay you'll whip up my appetite [Music] but I don't wanna jinx it baby [Music] so it's okay
[Music] thank you [Music] baby [Music] foreign [Music]
[Music]
[Music]
oh [Music] bigger over to you [Applause] so hi everyone um very excited to be here um before we start just to get a sense of the crowd um I would love to get a show of hands who here directly deals with vulnerability management as part of their day job okay very good and who knows maybe doesn't uh directly work with vulnerabilities but know how its organization prioritize vulnerabilities okay a few more so and out of all those hands uh how many of your organizations rely either solely on cbss score or primarily on CVSs score to do vulnerability prioritization okay so great um okay a few other questions so who here uh has heard of vex
in the show of hands okay csaf okay uh epss okay so so that's good so the the a lot of topics to cover and uh this talk was originally supposed to be 45 minutes uh it got turned to 20 so I apologize in advance if I'll Rush some of the pieces I have a lot of Links at the end so you can dive further and also I'm around the conference feel free to to approach me with the questions and I can talk about this topic for hours but today I'll hold it to 20 minutes so um let's start so I'm your time I currently lead the vulnerability management at startup called resilient prior to that I worked at PayPal doing
thread intelligence insiders threat uh and vulnerability management research I also take part in several open ssf uh working groups around open source security uh and see Server groups around s-bomb and vex uh and organize the pycon IL one of the organizers of the pycon air conference okay so uh the reason you see an iceberg here isn't because we're going to talk about climate change or global warming uh this kind of reflects the way we are standing the way we're at with uh software uh supply chain uh currently most code in your production environment is in code that you wrote uh we use third-party code whether it's open source or commercial and that's good it allows us to move fast it allows us to
focus on our Core Business logic but on the other hand uh it also comes with risk and one of those risks is uh in the form of vulnerabilities non-vulnerabilities as that and as you can see here the the amount of vulnerability is constantly Rising this is up to August 2023 you can also you can already see that we're 2 000 uh ish vulnerabilities over what we were at in terms of the publish rate uh last year and this isn't something that is going to change anytime soon um and um exploitation of known vulnerabilities still is the one of the major factors attack vectors for uh initial access to organizations and um organization simply don't seem to keep
up and be able to remediate or patch uh all of these vulnerabilities so what do we normally do about it so we turn to CVSs and the thing with CVSs is that it's not uh it's sub-optimal uh I would say it's not effective it's not scalable and it doesn't even reflect actual risk and I'll explain so it isn't scalable I say that because around 57 percent of all of the vulnerabilities with cbss3 score in nvd are CVSs are high in critical vulnerabilities so even if you do prioritize and focus only on the hides and the crits it's not it's still 57 of nvd that we're talking about hundreds of thousands of vulnerabilities it's not scalable
um it's also not effective the reality is that only a fraction of vulnerabilities will ever be exploited and only a fraction of those are are actually exploitable in the context of specific environments so when you focus your time uh on vulnerabilities there are not likely to be exploited or will never be exploited you're wasting your valuable and limited resources as is on uh uh on the wrong things um and uh attackers are already a step ahead because they don't rely on CVSs scores in order to determine which vulnerabilities to exploit um so um again it's not it's not an effective thing to do and moreover it's not really a smart thing to do as well so
pause here
yeah so as I said uh it's not that attackers only exploiting critical vulnerabilities this quote is actually from the folks who uh are in the CVSs working group who invented the standard and they strictly mention and say that it's only a measure of technical severity it's not recommended to use CVSs base score alone to determine remediation priority but that is the current status quo so clearly this isn't working um we have about 16 of vulnerabilities according to research from Cynthia Institute there are left unattended for over a year after their initial Publications uh as I said huge backloggers are vulnerabilities and uh attackers exploit these vulnerabilities this is from research we did analyzing the public attack surface for the sisa
Kev catalog the known exploited vulnerability catalog and um and as you can see there are millions literally millions of instances publicly facing that are vulnerable to these actively exploited with known patches vulnerabilities um but that that's that's the that's the reality and and a lot of these are are also not new vulnerabilities as you can see um so how can we move forward what's what's the road uh going forward and also something I didn't mention the average organization only has the capacity to deal with 10 of their uh vulnerability backlog in a given months also from Cynthia Institute so we need Focus uh and what can give us font uh Focus uh context so this blob you see here will
slightly get more focused as hopefully as the talk progresses um and I'll I'll try to describe a few um aspects of this context so first of all um the initial kind of base level of context is a software build of materials or an s-bomb this is not the topic of my talk also feel free to approach me later and it allows us to know exactly what we have in our environment without memorizing or guessing which is great because at least we know what we have but even if we have the perfect s-bomb which most organizations unfortunately still don't have and all of the different aspects that are still being worked on are in place is the problem solved
so I argue that no unfortunately because actually the opposite is true because we know more and when we know more we have more things to deal with which is good but again this isn't something that the current the average organization has the capacity to handle um so it isn't a silver bullet and we need more uh more context so context so there are several layers as I said s-bomb is is kind of the base level of context but you can add on top of that additional layers of context for example exploitability you have things like EPS score which is I won't go into that because again a shorter of time but it's a a machine learning model that lets you
predict the likelihood of exploitability within the next 30 days we have a research on that it's it's it's a very strong signal for prioritization the sisa care of non-explored vulnerability catalog of threat Intel speeds uh the vulnerability itself also provides context the attack Vector is it exploited via the network only physical or privileges is required do you need authentication to exploit it Etc environmental context so do you have mitigation mitigating control in this place uh do you have reachability analysis is this code even being loaded even used and of course business context is uh what's the asset criticality is it exposed or internal Etc but again this is nice it's good but it's not really actionable because in
order for it to be actionable uh we need automation and uh in order for it to scale so um this is the current how do we do about how do we go about answering gamma affected today so we can run a vulnerability scan but again uh noisy um and this is also a Shameless plug I have a talk about that specific topic later today uh at six at the breaking ground but um uh not always reliable and a lot of things to deal with independent investigation uh time consuming not effective as the vendor as well not scalable security advisor is nice but uh not always will have those and also not something that we can currently automate
and s-bomb as I mentioned not everyone has it and it's not alone it's not the Cure so this is where csaf comes in is the common security advisory framework and basically you can think of it and you can think of it as a machine readable security advisor so you have for example in this case uh Cisco issuing uh uh security advisory currently it can be in HTML format it can be in the text format it can be in a PDF you don't really know where it's at uh and it's not something that you can automate consumption of csap tries to solve that that uh that issue um and it's easily discoverable uh via several methods in this case we see a
security exists of our or try to see I'll try to highlight it a bit um so we have uh the security txt file with the reference to where can where can I consume that csap from and then the csap itself uh is the the bottom link which is basically a Json file with the same security advisories that we saw before only in a machine readable uh format that allows for automation um so this is how it looks like and you see there's various layers and and uh pieces of metadata that can go into such a csaf but the main thing to remember about this is that again it's machine readable it can be automated and you can
you can start to consume it and Cisco is doing a great job uh of of advocating for it there was recently a summit um and there there I hope this will get more traction uh as time goes by so that's one and so we can we can see the picture a bit more clearly now but another important piece of the puzzle is vex vex the vulnerability exploitability exchange um as Alan uh often uh feel sorry for the name but that's the name and we'll leave it uh so um basically this is a way to communicate whether a piece of software is affected by a specific vulnerability so um I'll read the quote to provide users
additional information on whether a product is impacted by specific vulnerability in an including component and if affected whether there are actions recommended to remediate so that's the purpose again machine readable way to for your vendor to say this product is not affected by vulnerability X also it has the ability to say if something is affected we'll discuss that shortly and again aims to be machine readable you can embed that you know as a profile in csaf that we mentioned before so all of the pieces of the puzzle come together it can be linked to a netspomb it can be separate and it allows us to handle this this issue of false positives from in a more scalable way and from a
vendor perspective it saves them money because you don't have to have your uh phone centers crash whenever something major comes up and I think the the promising direction for it is also from the consumer side so if I as a consumer have a product that can tell me whether something is impacted by specific vulnerability because it's not loaded because the configuration is in place and it can issue a Vex for me again then I'll have this this this language automated language that I can help to reduce my attack service so uh sorry I'm rushing I want to get to the core part which is in a few slides and again there are several statuses for vex you can say
something isn't affected affected fixed or under investigation and obviously this is dynamic you can change over time um and because it's machine readable that's not really an issue um okay so uh and there are several justification those are the current ones I'll give an example just for context let's say vulnerable code not present so if you remember lock for Shell five minutes okay five minutes I'm good so look for Shell uh so one of the remediation advice that were that was provided that was to remove the vulnerable class from the job file uh the gndi lookup class so if you remove that class you still have the vulnerable jar in the vulnerable version your scanner would say you're affected but
you're not really affected so if you have this Vex you can update this status and let your your security tooling your Insider threat Personnel your whatever organization and if you're a supplier then to the folks that consume your software that you're not affected by that specific vulnerability and there are several other justifications um so it's it's really a flexible format okay so now I'll try to put all of these pieces together and see so as you can see we can already see the picture clear um so this is something that again I won't go too deep into the stakeholder specific vulnerability categorization or ssvc there are Links at the end of the presentation but you can think of it as
a decision tree you have a decision tree that allows you to decide what to do in various circumstances or situation regarding a specific vulnerability and I know you can't see well so I try to to give some context so there are three actions that you can take this I I stuck with the sisa approach for this one but this is very flexible uh just for the sake of the example the same Act is patch remediate the 10 to now attend is okay I know I need to fix this but I'll first deal with the act and get to this and crack So currently it's not something that I'm uh actively doing something about but I'm keeping track so
and here you see for example three layers of context exploitability context so you have epss six that we have threat Intel to tell you whether the vulnerability is actively exploited is this badge the middle bench is uh highly likely to be exploited or uh not likely on the right hand side and then you have another uh layer of decision which is the asset context sorry the automatable which is from the vulnerability so if the vulnerability is exploitable via the network and also doesn't require privileged authentication that then it's automatable and then it's in a higher risk from my perspective and then I I send it to a different branch of the team and then we have the asset content
so how critical is this asset low medium or high and then I make a decision so if for example I have a vulnerability that is actively exploited and automatable and on a critical asset obviously I need to act upon it and again the decision here is isn't the focus like you can we can debate the decisions it's not a purpose but um the thing is you you have this thing that you can communicate internally and to stakeholder and say this is how we do things now according to these these these parameters and you can tune that according to your capacity of the organization so you know you can only deal with 10 of our vulnerabilities make
sure that that's a 10 that actually count that matter most and you can let's say okay I don't have an asset criticality that's not a problem it's flexible so I I chopped off the last layer of the tree and I added for example I have a a product a vendor that can tell me whether something is loaded or not the reachability analysis so maybe that's my uh first decision decision uh that I want to take after I know if something is uh what's the likelihood of exploitation um and uh maybe I wanna I have all these things that I can put everything together and I get a lot more context so and then I can make more educated uh
uh um assumption and prioritization to focus on what actually matters and you can look of it as like a funnel okay so you have your vulnerability scanner output and then you have what we talked about the csan Vex that tells you what uh what you should focus on what affected and what isn't and then you have this decision to be with all this context that filters that out and then you start from the bottom you start working with what uh uh most critical in terms of risk reduction to your organization and work your way up okay so um this the The Blob that you saw and this picture is from a movie called The Truman Show which is about a man that
lives his whole life as a in a scene of a movie but he doesn't realize that and the quote is when they asked the director um uh What uh uh how does how does it not suspect and he said we accept the reality of the world which we are presented uh and so what I ask of you is don't accept the reality of the world as you are presented um and and be inquisitive and and uh know that there are these resources out there and uh transform your vulnerability Management program into a more modern risk-based vulnerability Management program um so that's it no time for question I'm sorry so in case I don't see a good
afternoon good evening and good night also from The Truman Show thank you [Applause] yes what yeah sure sure [Music] foreign [Music] foreign [Music] thank you
[Music] foreign [Music]
[Music]
[Music] foreign [Music]
[Music] thank you [Music] [Music]
thank you [Music] thank you [Music]
[Music]
[Music] thank you [Music] foreign [Music] foreign [Music] foreign
[Music] thank you foreign [Music]
[Music] [Applause]
[Music] thank you [Music] questions [Music] [Applause]
[Music]
[Music] foreign [Music]
[Music] but my appetite don't leave me alone [Music]
[Music] how to communicate with non-security Specialists to drive action and without further Ado I would like to welcome our speaker Ashley Lee [Applause] hi everyone um my name is Ashley I am Senior product marketing manager at Jupiter one and I've been doing marketing for over a decade now the last seven years in cyber security uh and uh in the four and a half years that I was at now secure which was my previous gig I observed a rather unnerving cycle and maybe you've experienced this too basically our pen testing team would scope out a project with a client they would spend several days testing the mobile app then they would spend several more days maybe a week or so
compiling that report of the findings and suggested courses of action they'd have some calls with the client to figure out the best course of action do some more explanation and whatnot and after a period of time they would send back a new app binary to test and lo and behold what would they find the pen testing team would retest it and they'd find a lot of the same findings if not more now for someone who was attracted to cyber security in the first place uh to with the mission to defend and to protect against threats it really boggled my mind that customers would be okay with leaving in weaknesses that would expose customer data like payment data pii it
was really mind-boggling for me um what was the point of fixing or finding all those weaknesses without fixing them so when I moved on to Jupiter 1 in 2020 I found that that cycle wasn't specific to mobile app security in fact that cycle of finding but not fixing knowing but not doing anything about it uh that hit a lot of other domains whether it's Network configurations Cloud resources device management you name it why were these issues not getting resolved well it turns out that people who find issues are not the same people who have the means to fix them the people who find security gaps are not the same people who own those systems so as a result we've seen in recent
years a rise in security trainings a rise in security awareness security Champions programs and it's all to put knowledge in the hands of the people who actually have the means to fix it but even then in the latest Verizon report the data breach investigations report they found that 74 percent of breaches were still involving the human element so even though knowledge is in the hands of people you still have to convince them persuade them to act we've got a lot of work to do and I'm here to help you not feel like this
so when you are communicating to a non-security specialist there are three things that help you communicate to drive action you provide value you'd be extremely clear and you connect with your audience now how you do those three things provide value be clear connect it's going to be different for when you connect with Engineers versus Finance sales HR Executives engineering interns you might be you know convinced that you should do it in a big group right for efficiency purposes because there's only so many of your so much of your time to spend but the reality coming from a marketer if you are specific with your audience the more specific you are the more likely you're going to be able to drive
action so let's take the first one value when you are thinking about value uh you have to obviously think about it in the context of your audience and there are seven reasons why people care to read or listen to anything in general first thing is novelty is it new or original to them counterintuitive does it go against their expectations counter narrative does it go against a strongly held belief that they have or does it reinforce a belief that they already have maybe it Sparks controversy or debate maybe it induces fear or maybe it's just a simple rankings or a listicle that is really easy to scan and consume just a side note listicles tend to be
really good for executives because they don't need all the detail now aside from value the other two pieces of connecting and being clear those uh are best captured and quote by Katsu ishiguro katsuo ishiguro was the Nobel Prize winner of literature in 2017. and in his acceptance speech this quote goes stories are about one person saying to another this is the way it feels to me can you understand what I'm saying does it also feel this way to you stories are about one person saying to another this is the way it feels to me can you understand what I'm saying does this also feel this way to you
the first part here is Clarity can you understand what I'm saying communication persuasion influence they all start with this basic question can you understand the words that are coming out of my mouth is it clear what I'm trying to convey and the second part is connectedness here does it also feel this way to you this is what makes stories powerful and memorable it's the power of connecting on an emotional level because we as human beings build trust in relationships with that emotional connection the way security practitioners relate to and comprehend technology is going to be very different from how non-security Specialists relate to technology so as subject matter experts it's our duty to be able to connect with our audience and
be able to connect the dots between why a policy change or a change in their behavior is important in their context remember always keeping your audience in mind so uh Clarity and connection these are the two basic components of any storytelling now the biggest hurdle that I see is clarity too often we rely on technical terms that become jargon misused by media by marketing people by sales people and the reality is jargon's a problem for any technical field whether it's engineering Finance legal Sciences there are entire programs dedicated to the art and practice of communicating technical terms and Technical fields to the common everyday regular person think for a second how many brilliant phds do you know
that are also great communicators tends to be an exception to the rule right to be both a technical expert and a great communicator and that's because these skills to get to their level of expertise are very different from the skills you need to be a good communicator technical people like yourself use precise specific words in your roles because it matters ambiguity costs time it costs money it costs your sanity but in order to drive action across other business units across other people in your life even we've got to use Simple common language to connect with those people these people also have their areas of expertise right they may not know the ins and outs of multi-factor
authentication but they just need to know that it's going to save their butt one day right so to that end we gotta use Simple common language So to that end I'm gonna give you two free tools to help with clarity first one is the de dragonizer I actually learned about this last year from Carrie Tomlinson she presented on this at RSA last year so the dejarganizer is a djorganizer which I'll show you in a second on how to use it and the Hemingway app so two uh demonstrate how to use these two tools we're going to use a definition from uh nist this is the definition of MFA from nist it goes like an authentication system
if I can read this that requires more than one distinct authentication factor for successful Authentication multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors the three types of authentication factors are something you know something you have something you are probably not the best idea to use the word you're trying to find in the definition right so when we drop this definition into the dejarganizer you'll notice that it highlights the likely culprits of jargon orange is that mid-range it's used but it's not used uh too infrequently red are your real culprits of jargon this tool also gives you a meter reading so it counts how many words there are it
ranks the the commonality of your words um and Studies have shown that readers need to understand 98 of the vocabulary in a text in order to comprehend it so that means rare words should be less than two percent and in this case no rare words now let's drop this into the Hemingway app Hemingway app uh you can see that it is highlighted as such it's a tool that helps with readability so what grade level does somebody need to have in order to understand this text any guesses eighth grade any other guesses post-grad you need a post-grad degree in order to understand this particular definition we've got to do better than that so here's an example of a simpler
explanation um this is I actually presented a similar topic we talked to other marketers believe it or not that because they have problems with Dragon too um on how do you describe multi-factor authentication in a simpler way that isn't using all the jargon that marketers have relied on so this is one of the ones that were uh provided multi-factor authentication is how you prove who you say you are using something you know something you have something you are and when you drop this into the two tools you can see our meter reading for the dejarganizer is in the green uh we have no rare words and it's in a grade seven level reading so with this we're
able to actually appeal to a wider audience uh but this is only to get to Clarity we still have to connect with our audience right so on that end connection the most logical person that you know will probably still be prompted to act off of emotion so you just gotta connect with them I have two books here that I recommend on how to connect with your audience and it's going to be specific to who you're talking to but both of these books give you tools tactics on how to improve and listen well so How to Win Friends and Influence People this is a Timeless book it is decades old but it is still applicable it gives you tools on how to
communicate with folks how to get other people to see your perspective and even jump on board if you have even if you have opposing goals the second book there never split the difference by Chris Voss he is a hostage negotiator or was um he has this concept of the Black Swan and uh the Black Swan is essentially the motivation behind the motivation behind the motivation uh of why somebody's acting the way they are people will tell you that there there's a reason why they're choosing not to turn on MFA for their accounts but if you dig a little bit if you use the tactics in his book you're able to kind of uncover what is the real hurdle
that's blocking them from performing the security measure Okay so we've covered all three value Clarity connection I want to take you back in time to 2017. I just finished uh and passed my exam for the Marketo certified expert and this was when the exam was still hard and it's probably the equivalent of the AWS uh certified Solutions architect exam I walked into the room for the next talk riding the high of passing out exam settled in for the talk and it was by Holly Rollo who was the CMO of RSA at the time there were seven other people in the room and I remember exactly where I sat it was second row second seat on the right
section it felt empty and intimate all at the same time the presentation started off the way that most do twenty percent this 35 fat three out of five people do this wrong 74 of breaches are attributed to the human element but then all of a sudden it felt like Holly was talking directly to me she knew three things about her audience one we all had the keys to do some serious damage with our customer data or we manage somebody who did two we liked our sparkly technologies that inevitably held customer data and three we us marketing operators did not give significant thought to security measures like MFA now as she wove knowing her audience those three different aspects she
brought her message home and said don't be that person don't be the reason your customer data gets stolen you better believe that I turned on to fa and I rechecked all our user permissions after that session and the reality is I had heard that fear-inducing message before but what actually drove me to act it was her extreme Clarity and connection with her audience with me that helped me understand why security measures made sense in my context it made a difference so I'm going to leave you with this people want to do the right thing you just gotta Inspire them to do it right they just need to know what it security measures mean in their context
and you can Inspire them by using these three pieces of communication that drive action value Clarity connection and always keep your audience in mind thank you
we got time for questions I think
Mike right behind you so once you've gotten your message once you've gotten your message across and you're motivating people to do things how do you track their progress and follow up with them in a way that doesn't seem like you're punishing them or you're a parent talking to a recalcit sort of child that is a great question I would say part of it has to do with the relationship that you're building with them right um if you are chummy with folks you can totally joke with them in a way that they can receive it but then also message received that I better get on that task um but also sometimes it's okay to be direct and be like hey I've also tried
to tell you this it's been how long what's what's the what's the hurdle right and use some of the tactics from uh Nevers with the difference to kind of hear out oh are there other priorities that are pushing this down are there maybe technical things that they don't understand are there you know there's a number of different reasons why somebody may not be doing it maybe they just don't they feel crushed in their job right and they just need someone to hear them out you know if you're a human being to them I think the builds Rapport right yes you put that way more succinctly than I did for all those who couldn't hear he said
empathy any other questions
um how do you do uh how do you practice this when you can only correspond with these uh folks you're communicating with via email I work with a lot of international partners and so it's really hard to hop on a call and get messages across do you how would you build rapport or overcome those challenges by being creating only remote relationships oh that is a tough one um because you'd already nicked the one thing that I normally would say is Hop on a call with them and you know shoot the breeze right um I think that there needs to be probably more organized ways to get that interaction and build that Rapport like if there are regular maybe it's not a
weekly thing but like if you can get together with those folks somehow uh whether it is a zoom call and it's you know you're just doing a trivia or like having a good time like there's different tools out there where you can get into different event pockets and connect with each other we actually used to do that at Jupiter one where it toucan would just put us in a bubble and we just all just talk about random stuff um if you can make the time to do that that actually will go a long ways of building rapport with your counterparts that you'll need to ask things from down the line so I would say if there's a way to
build in a program where you can just have time to connect with people instead of always having to work directly and ask them of something um that would be my recommendation find a way to connect with them outside of the job if you can I think we had a question up here also there's a mic coming how the best way to you know the new audience sorry how the best way for to you know a new audience how to how to best way to to contact you uh to me contact me oh I'm on LinkedIn oh sorry it's the best form to know a new a new audience how to oh how to get to know your new
audience um there's different ways so I for me I tend to try and pick it up as I go along as I meet people right what are their interests how do they interact with you do they do your jokes land or do they not land um the other way to do it is you know hey you want to get to know the finance team you're just doing your new hit to this company and you want to get to know a group just be like hey I'm just if you have time come on over we're gonna have a zoom meeting we're gonna play a game we're gonna play code names whatever right just create an event where you can connect with people
and just have a good time um whether it's remotely or in person and you can do that either bit team based or you can do that all at once and just pay attention to which person is on which team um that's probably the most human way I would do it there are other ways like that I know people might recommend surveys and stuff like that what are but I feel like you don't always get an authentic answer in a survey right it's very wrote um and so a lot of it is just being able to interact and pick up the cues from the people so that's does that answer your question perfect so our next talk is gonna come up so
thank you thank you everyone and if you have any questions Ashley will be here [Music] [Music] thank you [Music] foreign [Music] [Music] thank you [Music] foreign [Music]
[Music]
[Music] foreign [Music]
[Music] foreign [Music] [Music] thank you [Music] all right [Music]
[Music] foreign
[Music] thank you foreign [Music] thank you [Music]
[Music] foreign [Music] thank you [Music] [Applause]
[Music] foreign [Music] thank you so much for coming so uh this is going to be the history of malware my name is Elliot kimchi I'll have a who am I slide at the end but there's a lot to cover so we'll move quickly so today we're going to take a journey through time and space I think it's really important to understand especially people who work in security research in any area of security really important to understand where these things come from the motivations how do we get to the point today um and and how did it all evolve how do we get to the point where we are today with malware and we're going to talk a
little bit about when some of the first phenomenons that we understand today in malware when did they first happen we're going to talk about what happened who are the people behind it what were their motivations and sometimes where they came from and that's going to be really interesting before we start I'll start with a question and this is Common Grounds and somebody told me that I need we should do some sort of uh there should be some discussion so I'll ask some questions um the first question is uh when was the first ransomware incident yeah 1989 very good a round of applause uh do you wanna do you do you know the details yes very well done so
the AIDS of Trojan or the PC cyber was the name of the company but in 1989 the first ransomware incident that's really funny and kind of weird for a couple of reasons one is 1989 uh there's people in this room that weren't born in 1980 and I imagine I was born shortly before so this really predates a lot of things and also like really ransomware 1989 was the technology there to enable this and this is a real story and I mean I think uh for starters it took a lot of creativity and a lot of determination to actually make ransomware in 1989. um there was a guy called Joseph L Pope he had this brilliant idea
um what if he could create software that basically blackmails people into paying him and he thought this is great this is fantastic idea he took 20 000 floppy disks which is a huge investment uh Financial investment each one would go in an envelope he would send it by mail to people all over the world actually most of them were in the UK um if you ran it it asks you to turn on your printer because back then ransomware wasn't paperless yet you know so it would print out the invoice which is also the ransom note and uh yeah it would lock up your computer after a while it would ask you to pay um you was you were supposed to send
money to a PO Box in Panama because the genius that he was he thought he could just go on vacation immediately after and it was a really really interesting incident first of all the the malware itself the Trojan itself had some it wasn't super sophisticated but it was really clever one thing that it did is it would fake an MS-DOS environment so it basically would create this MS-DOS environment which you couldn't escape out of um control alt delete would just return you to that environment uh restarting we're just returning to that environment you would basically you're supposed to think that you're locked out of your computer in the back uh or behind the scenes it would encrypt files it was an
xor encryption it would change the names of the files and that would create uh it would make it really hard for you to access your information this had impact in a lot of different ways similar to where we see impact today with ransomware um a lot of people back in 1989 didn't really know how to recover from something like this they were AIDS researchers that had lost reportedly 10 years of their research and it was also partly the impact that it caused was the reason that Joseph L Pope uh kind of went crazy uh towards the the sort of uh later part of his life and it I read a lot of different accounts uh but some of them say that he
was just so ridden with guilt when he'd heard of what he had uh caused that he was in a in an airport in Amsterdam and he passed on a note to law enforcement something along the lines of Dr Joseph L Pope is uh not well or something to that effect they caught him they tried him he would show up in court with like curlers in his beard hats made out of cardboard I think and he was completely insane and they let him go because he was crazy maybe he was crazy before I don't know but uh he was certainly crazy after and that was the first ransomware and this was a Trojan and we'll come back Trojans
will make a a great comeback towards uh towards the latter part of this talk but really to start talking about um malware and malware writers we have to sort of put ourselves let's Journey Through Time and try to understand what computers meant to people in the 70s and 80s and there was this sense of wonder Fascination computers were this magical thing that could enable uh everything that we could imagine uh when you look at pop culture and sci-fi in particular computers were this thing that would make science happen it would make magic happen there would be the thing that would take you to space or teleport you or at least enable these things to happen there were some some films where
it was the main character like war games or Tron things like that and so there was this sense of wonder and in that sort of environment you have a lot of people sort of theorizing and they're sort of fascinated with these ideas of what could happen on a computer and in 1984 there was a man called Alexander dudney he wrote a column for the Scientific American um he wrote about a game that he created the game was called core Wars and the whole premise was you know what if there were two programs on a computer and they just fight each other they can copy themselves they can think they can attack each other you write the code and
then you Let it Loose you know so it's kind of like Battle Bots but without chainsaws and they would fight it out and whoever wins wins and he he says I was inspired by this story that I heard he says this this Fantastical story this myth um about the Reaper and The Creeper he says somewhere uh uh in the 70s there was a lab and some scientists created this virus called The Creeper and it spread throughout the lab and it infested everything and they couldn't get rid of it until they wrote another virus that went and spread again and then all it did was look for copies of the first virus and delete them and
delete itself and he thought you know there's some obvious holes in this story and it's a bit of a you know it's a weird kind of story but what if it could be true what if it was true and that's why he created his game um but back in 84 there was no uh real uh awareness of what viruses were so he asked his readers to send him some uh some of their creations and what he got instead is a whole lot of virus uh evidence of virus creators all sorts of virus that people uh encountered so a year later he writes of worms viruses and other creatures he writes this column again and there he tells people
all over the world about viruses actually existing what he had considered a myth was actually a reality and this was a surprise to a lot of people um what I'd heard is is really this wasn't commonly discussed because nobody really wanted to hinder the sales of computers that's one thing that I'd read but in mid 80s despite viruses having existed for a long time they were still considered something of a myth and maybe maybe some people in the audience can confirm or deny this but in 1989 he writes another column he starts that with a quote from Eugene spafford something along the lines of the only safe computer is one that is turned off cast in a cement block put in a safe
room and guarded with live guards and even then I have my doubts so by four years later he everybody understands the danger of what can happen with with computers and it's interesting to see this transition and we're going to talk about a little bit why this happens and by the way the story that he's thinking about that myth is real and I encourage everybody to to kind of research to this uh in 1971 there was a lab called BBN Labs uh the the nns BBN labs in Massachusetts it was a name by a man by the name of Bob Thomas he wrote The Creeper they were trying to create software that would replicate itself to
create backups for itself uh systems weren't always uh you know fail proof sometimes they would crash so how do you back something up well you move it you copy it to another machine so he ran this experiment and he was a little Whimsical so he created this thing that would replicate onto another computer and to know that it's success successfully uh replicated it would put on the screen I and the creeper catch me if you can it's a really cool story later on they created the reaper which was a same concept but it was meant to delete the creeper um and I don't think it went out of control I think it was a control
environment from what I've read so it wasn't this Fantastical story but it did happen so We're Not Gonna talk this is we're not going to do background for much longer but I do want to talk a little bit about what happened with technology around that time in the 80s and the 90s personal computers came on the scene 1977 were the first three personal computers the Apple II the TRS-80 and the Commodore pet really really important uh fact for for malware writers um IBM came into the scene in 1981 with their PC and this was the first time where people actually had access for a lot of people to computers and with great access comes uh no responsibility
and lots of lots of power and people started writing viruses and they started seeing them in the office in their homes and the other thing that was happening is the sort of the creation of the sneaker net they were portable medium portable storage devices you could actually take and put into another computer so this was a boon and a curse for virus writers and a huge influence on what we're about to look at because now you could actually transfer your virus from one computer to another powered by the power of shoes people walking around and that was great because you could spread it and the curse was that those shoes were connected to a thinking living living
human being that had to actually want to pass this along so you have to be stealthy they should they couldn't know that they were infected or maybe you make something really funny and Whimsical that they would want to show their friends and these are some of the early this is these are viruses from sort of the early 80s uh some of them are from the later part of the 80s but a lot of the early viruses were experimental they were Whimsical um they did things like write peace on Earth on your computer or I am the hyper Avenger uh Dukakis for president uh peace on Earth and love for everyone or they would do these things like the
Cascade virus here which would create this visual effect and a lot of them were harmless but if you weren't really paying attention then things would start happening and maybe you didn't know really how to how to handle this and all of them had these different messages or different effects I read somewhere it had this uh silly sort of look what I can do bravado rather than sheer hostility and it was cool I mean I think we could think of it more as graffiti you know you're not really trying to knock down the wall you're trying to cover it it's vandalistic a little bit but it's it's interesting has anybody here ever experienced a virus like that
you want you want to share or you want to tell a story or and these these things were things with bread and that's really really interesting because you wouldn't you might not imagine something that can only travel by floppy to actually get to a lot of different places but we'll start seeing these viruses spread later on I want to talk about one specific one and that's El cloner and maybe maybe really talk about what were the inspiration alcorner was written by a man called Richard Scranton um Scranton and he got his first Apple computer in his seventh grade and he was in love by the ninth grade he was uh pirating games for his friends and
playing little pranks so he would pirate a game and he would put a kill switch in there and after four or five times it ran the game would delete itself and so his friends would play the game they would get hooked and then the game would delete itself and he loved it he was just laughing his ass off and just enjoying the whole thing and his friends did not like it at all and they stopped taking floppy disks from him so he started thinking what can I do to to infect people to continue to play pranks so he decided he's going to make some sort of sticky um software and I I don't know what you
were doing when you were in ninth grade uh I wasn't writing brilliant viruses for for a brand new sort of Technology but he was and so he decided he was going to create it was a boot sector virus a lot of the viruses back then were boot sector viruses and the virus if you put a floppy disk that had this virus on it put it into the computer it would copy itself to the boot sector and it would run every time you run the computer it would also infect other floppy disks that's sort of the simplified version of that so Richard wrote this virus and continue to prank his friends um and generally speaking a lot of these
viruses work similar to this they would sort of append themselves to the end of the program they would hijack the command to start sort of start start the program that was running they would run the virus code and then they would jump back to the program so you basically think you're running a program but you're running the virus as well they would use these uh interrupts this is from MS-DOS these are the kind of like system calls you could use them to do all sorts of things and you would hook on to that um basically nowadays I think obviously we don't use MS-DOS but there's other things that we hook onto there's other system calls that we use so this is
something that is very similar to maybe in some way similar to what we do today however a boot sector viruses things like that we don't see a lot anymore we do see malware that infects the master boot uh record like petia but there's not a lot of them that do that so those are sort of the some of the earlier viruses but something happens we know that malware becomes malicious we know because Mal malicious but the question is uh why and when and it's really hard to pinpoint but uh somewhere in the mid 80s we start to see news stories all over the place about the computer virus and this sort of builds both attention and hype about
what could happen on your computer and also it builds the anxiety the general anxiety of people this kind of starts with this virus called the brain virus and what's interesting about the brain virus first of all it infected a news organization the Providence Journal and then so it got a lot of coverage the other thing is it came from Pakistan and nobody knew how a virus came from Pakistan and made it all the way to the U.S on a floppy disk nobody knew how it got there nobody knew how it it infected tens of thousands of floppy disks it wasn't particularly malicious but it was enigmatic and with this Enigma you get a lot of uh Buzz there was also
people writing books about viruses like the scosen computers in Germany telling you how to build a virus and then you start to see viruses that are a lot more malicious that are a lot more destructive like the casino virus or the Maltese Casino from 1991 this one was pretty nasty it would copy your file allocation table to the memory it would hold on to that while it deleted it so your computer doesn't know where your files are or doesn't know how to access basically deleting your your hard drive and it would make you play a game it's a it's a little slot machine if you get three pound signs you would get your memory you would get your data back if
you didn't you didn't get your data back and if you get three question marks where it says it will give you his phone number and he says something along the lines of screw you why are you trying to track me down as punishment I'm going to delete your files anyway and delete your files so you have this Maltese Casino coming from Malta you could have like the Vienna virus uh you know oddly enough research in Bulgaria have the Italian virus you have the Israeli virus Jerusalem virus 1987 this was a virus that was designed to activate its payload and delete everything on Friday the 13th 1988 or sorry every year after 1987 because it was created in 1987 and they
wanted to have a year to sort of try and infect as much as it can and these things would create these panics Michelangelo was another panic because they would be found before the day that they were supposed to um to infect or before the day they were supposed to activate their payload so people didn't know if they were a victim to something like that if on the day 20th of January 1988 are all of the computers around the world going to be deleted or not it was kind of like a Y2K um sort of panic every every few years one of my favorite viruses though I want to talk about is the one half virus and
I'll just talk shortly about that this was a destructive one this is towards the later period of what we're talking about here 1994. but already there's a lot of sophistication so one half doesn't just jump into the entire virus uh code and then jumps back to the software it actually splits itself up to different functions and then distributes it itself inside the program that it tries to infect it looks for empty sectors in that program and just attaches itself and it would jump from one instruction to another and this is a form of polymorphism or metamorphism and this is MS-DOS this is in 1994. so that was one thing that was interested in pretty pretty clever uh the other thing
is it would encrypt itself and decrypt itself on the Fly because it didn't want to be discovered or or um by antivirus software it would also look for the names of antivirus software in the software that it's trying to encrypt or trying to infect and it it wouldn't in fact so it would watch out for antivirus this is pretty clever for the time and what it would do is it would start encrypting your hard drive slowly encrypting every reboot would encrypt a little bit more um and you wouldn't know it because it would also decrypt it on the fly so as you're trying to reach into that it would start decrypting your your memory and then
encrypting it again and you have no idea until one day it pops up a message that says this is one half and by that point a bunch of your memory or a bunch of your hard drive is encrypted and when in your hard drive is encrypted and the only thing that decrypts it is this virus then you have a problem because you can't delete it but you also don't want to know maybe you don't want to live with this on your computer it's really strange and I don't know I thought I thought it was fascinating this type of parasitic relationship between you and malware um it didn't do anything else so technically you could just live with it
if you wanted to so this is the world of early viruses um we have Trojans and worms that are also making their first appearance we've talked about the age Trojan uh more is warm I'm not going to tell the whole story of the Morris worm because we're going to talk about worms a little bit later but 1988 this is another big story in the news um Robert Morris writes this worm he has this idea if I could make a software that copies itself into other computers on the early days the very early days of arpanet Internet kind of um if I can send this to all of the contacts if I can make it send itself
use a couple of vulnerabilities and also something that would sort of uh guess passwords and you figured if I could do that I could spread my uh my software everywhere I want um and he did it and it infected 6 000 computers which at the time was 10 of the entire internet and it was a big story and everybody forgot about that until the next worm comes around so this is another Trend that you'll notice things happen and then we forget and then they happen more seriously but now we arrive at the mid 90s and why is it important why is this an important time well first of all in pop culture we also understand
already understand what what uh hackers are we kind of start to get an idea although it's still a lot of Clickety Clack and you know I'm in the Mainframe um but also we have two wonderful things happen um we have Windows 95 which before that came out Mike herself said that they're the viruses are not going to work on Windows 95 and so that is the end of my talk actually they never worked again but uh and this is probably it was a marketing person that said that but um yeah the Windows 95 had a lot of uh other convenient ways to activate to work with for malware and more importantly Office 95 and Office 95 had
this great new feature macros you heard of macros and macros this was this kind of cool feature that somebody at Microsoft thought about and well I shouldn't I shouldn't talk about it this way but macros basically uh gave you the option to automate some functions whenever you uh were working with an office file and so you would automate maybe you could open things close things you can run debug commands you can run commands on on Windows you could do a whole lot and because you could do a whole lot people started thinking about how this could be abused so the first ever macro virus was the concept virus came up maybe a month after Windows uh after Office 95 came
out and Maca was super super simple you open a word file the macro runs it tells the computer to display this you press OK and then nothing happens it was literally a proof of concept um so nobody cared and then macro and then and then concept was uh you know in when it came out it was maybe the fourth most infected infectious virus and then it became the second and then a month later it was the first and then it was the first and then three years later all of the viruses were macro viruses and that became a really popular uh technique but we're talking about macro viruses macro viruses haven't gone anywhere we're still seeing
macros being used for fishing this is still an effective way of or in the past uh let's say 10 years has been a very effective way of um being able to run commands on a computer Powershell or anything like that so you're looking basically at some sort of prehistoric like a shark something that that uh has this Ultra Predator from from 25 years ago that still hunts to this day so macro viruses throughout the the late 90s continued to evolve and we actually start to see the same Trend they were experimental then they were Whimsical then they were destructive um this is one of these experimental viruses this was written by a guy called uh nightmare Joker and he was a famous
virus writer at the time they were like rock star virus writers uh back in those days um he was super famous he wrote some kids but he also wrote this this is interesting for a couple of reasons when you run the document it would run the macro the macro would copy itself to the global macros which means it starts to infect all your other documents whenever you open them or when you create a new one it would also obfuscate the names of the macros because like I said when concept came out nobody really did anything about macroviruses by the time antivirus caught up to this trend they were just looking for names of macros so
virus writer would just obfuscate the name created a generator on the spot so we would create these macros and it they had a very specific purpose on a specific date they would activate and when they activate on that specific day it was January 20th I believe um it would basically hijack your screen it would say uh you are infected with Outlaw a virus from night or Joker behind the scenes it would run debug commands it would create a file generate a binary file and change it to a WAV file a sound file that sound file was the sound of someone laughing so if you press the wrong key which is what's the E key on January 20th your computer
would get hijacked and it would start laughing at you um kind of a prehistoric dropper of sorts and really really creepy if you ask me and macroviruses just continue to evolve during those days now remember the worm the Morris worm from earlier back then the internet was maybe 60 000 machines by 1999 the internet was uh 250 million machines so we start to see the first emergence of these big worm infections so Melissa is a macro virus that had taken on a worming capability so instead of doing something like delete your entire computer or instead of doing something like laugh at you it opens Outlook and then it sends itself to 50 contacts the first 50 contacts that it
can find and then when it lands on the other on the next computer hopefully somebody opens the the uh the file it would send itself to 50 more people and Melissa spread so quickly and so uh thoroughly that in 1999 this virus shut down 300 companies uh where they had to shut down their emails shut down the communication including IBM Microsoft and a lot of other companies and it made huge huge news all over the world um they the this the FBI got involved they actually caught the guy but this was the this was a new era this ushers in something really really important for the first time we have a maybe not the first time but but the
first time with the major major impact we have a macro virus that can warm itself to other computers and this was an important step in the evolution of of malware after the Melissa virus we see the I we we finally I love you virus uh one year later and this one was a lot more destructive had some destructive capabilities it could change files it could change the the uh it could hide files and there were variants that would delete files and it would cause a lot more damage but from that point on we start to see these type of warming viruses and we kind of move into the 2000s and the 2000s bring with them
a lot more ways for us to communicate with each other and that's sort of the technological influence of that time that it brings on to malware we've got Kaza we've got uh IRC and aim and malware would spread through all of these channels macro viruses would spread through all of these channels and we'll maybe talk about why but also IRC was super super important at the time because it provided it ended up being some sort of uh a Consolidated point for control and we'll talk about control of of what exactly well we talked about Trojans and we kind of forgot about Trojans and now we're coming back to the Trojan so there these Evolutions the the Kaza and and all these things it
meant that actually it it makes more sense for you to send somebody a file and tell them that this is the new Britney Spears album um and for them to to run that file then to try and send them a Word document with a macro on it so suddenly we start to see this this uh um decline of macro viruses and we see a lot more Trojans pop in so we start to see microviruses being compiled the macro script is getting compiled into a file and then they tell you it's some kind of a pirated uh or maybe it's a crack for your favorite game but it actually contains both the crack and the virus
and you get infected without knowing another thing is happening uh at the same time um we start to see these types of remote access uh Trojan or a remote Administration tools however you want to call it the abbreviation is the same and the idea is that now you have computers networking for the first time computer and networking on mask and so you have administrators and administrators do need to administrate and they need something to help them control computers but at the same time you have this sort of uh on the other side of this coin you have these remote access Trojans which the whole point it starts out with netbus in 1980 1998 and that bus was
created by a Swedish man bus in Swedish is Mischief so this was supposed to be a prank or a joke um and it would basically create a connection between two computers you have one computer that's infected the other computer is controlling it one is the server the other is the client and the client can send commands over to the the controlled computer could open the CD-ROM or it could do all sorts of fun things like play fart sound awesome that same year we have Cult of the dead cow group of very famous hackers released back orifice that was in black hat 1998. um back orifice did the similar concept only that was a allowed you to do a lot more you could
do a lot more than just make funny sounds you could delete somebody's computer you could key log you could look through their camera you could listen in on what they're doing um and that opened the door for a lot more that you could do with these remote access Trojans in 1999 we get sub 7 the script Kitty Mecca which enabled you a lot more things and also eventually included the connection the ability to connect to an IRC server or IRC Channel where you can control uh you can control sub seven and you know I I said script Kitty and I know we derived script Kitty and for some in some ways justifiably but I want you to
try and imagine being 15 year old years old and having that that type of power I think like I said with great access comes absolutely no responsibility and great power and I think a lot of people just went that route because it seemed like some kind of Grand Adventure um that they could do I don't think that justifies anything but I just think it's it's interesting so these would act as inspiration um for for malware riders in in the 2000s and suddenly malware is starting to get a purpose because up until now we get these things that make fun of you or they do some silly thing or they delete your files but here we can do so much
more and that opens up the door for a lot of different things so what happened when you combine this with the warming viruses well you get macro viruses that can warm to a lot of other computers and then they could install some back door or they can put some backdooring capability and when you put it back there on a computer they can do whatever they want with that computer you could uh a lot of the early ones would use it to sense spam so you would have this these macro viruses some of them would act like downloaders so some of some viruses going all the way back to 1999 the way they would operate is they would connect
to a website online or a server online and they would download the rest of the payload this is this goes all the way to macro viruses they would update themselves they would download modules from the internet and they basically would spread through email IRC messenger anything they could find and sometimes drive by downloads and they would install a back door so we start to see this happening in the early part of the 2000s and this is for the formation of the first botnet so botnets would start to become more popular the idea was that you could um create a bunch of slave computers you either install a proxy on them or you install a back door and they all
connected the same IRC server and then you could do stuff with that and what you start to see around that time is highly infectious viruses spreading to the to the tune of millions and millions please don't tell me okay good I need to remain in compliance sorry pause let's comply um and so uh you would see these explosions of malware in in the early 2000s because you would get malware that spreads really quickly and because it's connected to some kind of command and control server or it downloads part of its uh um its payload these would be hard coded into the malware and when you block an ioc back then you blocked the malware so
they would just go all the way up to like 11 million uh infections and then they would disappear a month later which is really interesting but these develop from these worming viruses that could connect to a server you start to see the modern botnet emerge throughout the late 2000s or between 2005 2000 to 2010 and again this grows the sense of purpose that malware now has it's not just something that could delete your files or or make a fart noise on your machine now you could create a huge network of computers and you can tell them to DDOS somebody all at the same time and you could start to maybe you sell that capability to other people you
could start to make money a lot of these would create spam so they would use proxies or computers to sand spam everywhere and you could pay for that suddenly you could make money on on your on your botnet and that was a huge Evolution and you start to see from that the first emergence of cyber crime but these are these are there's you know a lot of a lot of botnets emerging at this time and one of the ways that botnets would remain active is they would have to iterate because if you block a in an ioc it would be difficult if you uh find their signature it would be difficult for them to spread so they start to
iterate and they iterate quickly the name of the game in this later part of uh between 2005 2010 was iteration new versions would come out so quickly that you would start to see conversations happening between malware writers and writers of NT uh or researchers security researchers this is nearby and throughout uh the I think it was 2005 throughout 2005 whoever wrote this with every new iteration would write a new comment for researchers to find and it would just basically be a conversation the gist of it is he wanted it to be called ironbot and everybody else was calling it near bot and they just continued to call it nearby probably to kind of annoy him and
throughout this he's saying a lot of not nice things about security researchers but they would iterate very quickly and 2010 to 2020 we uh we start to see the sort of evolution of what we know as modern malware um one of the big things that happens in 2012 is the creation of Bitcoin another thing that happens is is eternal blue in 2017 and with it Wanna Cry why these two things are important is because um Bitcoin gives people a way to monetize on their malware that is a lot harder to detect no more uh gift cards or vouchers which they they would then have to resell and it's a huge problem and they could be tracked back now you could work
with Bitcoin it was a lot more effective vulnerabilities gave you access to a lot more computers are more Network now than ever before and so you could use these vulnerabilities to get gain crazy amount of access and so when you think about the next part in the evolution of malware and I know that this is now getting a little simplified because when I when when you do the research into the the history of malware you start out really sort of narrow you start with like MS DOS viruses and it's all pretty simple and then it kind of grows a little bit and then it grows again and then it becomes exponential so I'm having to simplify a little bit but
we start to see the phenomenon of these botnets um developing more and more complex back doors um which leads to more and more monetization of these botnets and we like I said start out with Spam and DDOS but it's not it doesn't take too long for these botnets to start using backdooring capabilities like key logging and password uh um credential harvesting and so on and we see the first uh uh banking Trojans sort of come into the scene where the goal is to steal uh steel banking information and then finally um dropping a ransomware when you're done with this this endpoint when you have no more use for it you drop a ransomware on it this was first done with crypto
Locker um in 2013 2012 2013 and the Zeus belt net so Zeus was a very famous partner at the time and then basically when they didn't need the the malware anymore or the the end point anymore they would just drop uh ransomware on it eventually just like uh every time in the history of uh cyber security you start to see first you see attacks against people and then that moves into organizations eventually these attacks that were mostly targeting people moved to organizations and I showed the slide for example uh you know wannacry and others like it really show the world that ransomware can be an infection that is uh really really hard to stop both
for individuals and for companies so I know I'm kind of rushing through the later part but I feel like we've all lived through more modern malware and I kind of kind of want to focus on the history so I'm sorry I'm simplifying here a lot right but I wanted to kind of show you my train of thought um you know in the early days imagine kind of the 80s right here and then the kind of late 90s and then finally 2000s we start with viruses just regular MS DOS viruses there were a lot of those there were a few worms and there were a few Trojans but there were a lot of viruses and then we start to
see the macro virus in 95 so that's an evolution there and then when you start to get the put the sort of Internet into the picture you start to see macro viruses that worm around uh the world that spread themselves at the same time Trojans develop and we start to see backdooring capabilities develop in a lot of different malware and so when you combine those two you actually form uh botnets and then from botnets you start to see uh the the sort of development of Trojans of of uh banking Trojans and uh ransomware that's kind of it I guess obviously there's a lot more to this story um but of course now we're dealing with with a
lot of other things uh in the corporate world but when I thought think about malware specifically that's kind of where I want to trace this journey so the last thing that I have to ask myself is is okay when I was doing research for this um it's a lot of reading it's really fun but it's also really a lot of reading and you try to make connections and you try to figure out all right what was the technology that showed up around that time that seems to have enabled what's going on throughout this period and I thought to myself if I write this 20 years from now and look back what would be the thing
that that I see is the is the driving factor for malware that are going to be created let's say in the 2020s and it seems to me that AI might be something that that uh would play a big role and I don't know how if if this is correct or if it's not correct but the way to sort of know this is maybe to follow the same pattern that we see throughout the development of malware throughout the years well we're going to start to see is uh some Concepts we're going to start to see something experimental come out and to be fair I think those things already exist I think we're kind of past the
experimental stage in a lot of ways there's already AI or language models that could write malware Not Just Fishing but right malware so the question is is this going to get to develop into something serious and I think first thing we'll see is his Concepts uh proof of concept and I'm wondering if one day we'll see this vision of Alexander dudney of two software two AI software Creations fighting it out inside a computer uh when we have you know the malware writers and the A and the security people just kind of building their own AIS to kind of battle it out and that's kind of a a an exciting future and also a very uh creepy I would say but it it
might happen and I think the the one thing that it's important to take away from this history is to Never Say Never a lot of these things start out at Concepts this happened with the the concept uh macro worm this happened with a lot of the early worms that were being created people didn't pay attention they thought this this is not going to be a thing this is not going to cause any harm but Never Say Never And so I think this might be the next stage there's there's so much more to the history of malware there's so much so many more stories that I wish I could tell you uh that I wish I could share with you
um I put a lot of different links and and as you can see every slide has has different links for you to go and read uh for yourself I don't know if we'll be sharing slides later on there's so much information out there and I encourage you to go and read about it yourself I hope this was good I hope this was interesting I hope this is this this uh invigorated your desire to learn about the history of Mala and thank you very much so much for bearing with me
we're at time but if anybody wants to ask any questions go ahead your thoughts on mixed reality alternative reality what viruses uh have you heard about it I mean okay yeah I think yeah I'll repeat it so what what is my opinion about metaviruses and and AR viruses so there's a um shoot what's the name of the book um with hero uh is it snow Crush snow crash right there was a virus that would infect your VR glasses and would alter your brain right I mean I think I don't have an opinion I'm not qualified to make an opinion about the future of VR but could this is a good example of some technology that's being
developed and might seem innocuous or might seem um might seem uh safe and harmless and then you start to see people abusing it for for different purposes that's something that we might see and again to find out if that's a actual reality that might happen we need to look for the uh you know for these first uh the canaries in the in a coal mine kind of these first proofs of concept of a virus in a VR headset I don't know isn't interesting what you might be able to do with something like that I think we can do one more question
getting their steps so I kind of got a joke out of the the macro viruses because so many companies still use macros yes right and so that's not really an old Tech it's an old technology but it's still really valid yes but we rely so much and developers lie rely so much on like shared code so direct system calls you know uh click once applications direct handlers why as a group have we not just gone to Microsoft and that said just stop it right I mean because at some point we have I mean there's so many things that are built in that use click once right two things and there's so many vulnerabilities we can take advantage of
which is great but it's not good for the world you know oh so we have so there's two things I can say about this one is security researchers are always at the Forefront of telling people uh oh I should put this on my where am I by the way if anybody's interested um security researchers are always on the Forefront of telling uh corporate people that stop put some some defenses into what you're doing so if you read through uh you know there's a lot of great archives for magazines uh like virus bulletin for example when it actually used to be a bulletin in the 80s 90s um and security research do warn about the the dangers and specifically with macros
this has been something that Microsoft has promised to block off starting from 1995 or 1996 when when you start to see these uh uh the concept virus and other viruses come up so it's you can read about it in in during those days there it's something that's repeated that Microsoft was supposed to solve the problem I believe in 96 and then they didn't because they didn't want to break anything and then they were supposed to shut it off later on and then they they didn't actually macroviruses actually kind of fell off the face of the Earth on their own because because people didn't want to open attachments and it everybody started compiling their macros um and then they just made a comeback
towards you so we have we have they just don't they just didn't listen and now I think I think now Microsoft is somehow blocking macros I don't know yeah I mean there's the warning but uh yeah go ahead thank you everybody for your questions I really appreciate that yeah just wondering uh about the diagram you had of the classification of different threats yeah I was just wondering where do you think threats like petia uh fit into that things that essentially are ransomware but also have a destructive purpose get rid of the master boot record because good question very good question look a lot of malware today if you look at an attack cycle it will have
a lot of these components coming in through so the thing that really dawned on me that was really interesting because I've always known and and I worked with a lot of researchers you see often you see fishing start with a document and then it runs uh um it runs a macro and that macro maybe will run a Powershell command and that would start the whole infection chain and yeah I always thought okay macros right fishing goes to macro and one thing that kind of dawned on me as I was working on this hey that's a virus actually because the macro is is sort of appended to or infected onto the the um the the file itself
and so a lot of this history still exists through a modern attack cycle I don't know exactly how pecha works but if I had to generalize and maybe think maybe it's through phishing do you have the answer yeah yeah so maybe you know you you do the fishing you run the macro you download something that something probably acts as some remote access tool or a remote access Trojan gives you some back during activity you start to you know you continue to operate in in the network download the payload and install it the only I think one of the the bigger differences between pecha and other ransomers that for my understanding patch it does work in in the master boot
record so I think when it runs it will run I think it'll it I can't recall if it starts to encrypt files already but it would some point ask you to reboot like wipers yeah yeah so if I if I had to if I had more time like if this was a two-parter or something like that then I would probably go more into yeah proceed talk about wipers maybe talk about web applications as applications and how threats sort of get into those areas and how maybe the genealogy exists there talk about the web and the evolution of the web talk about exploit kids and you know how different programs like Java and Flash enabled people to just infect
uh you know drive by downloads just infect people I think there's there's a lot more to talk about so but this is kind of the the base of it all right last one yeah we have to break for lunch I don't know this is just a build on what he was already asking but one of the things I think about was um viruses that um jump from like you know cyber to physical that you actually can reprogram or you know like in other Control Systems reprogram machines to destroy themselves something like with a stuxnet and such so you're thinking about like something like stuxnet so you were saying what about viruses that that ah come out of
the vir yeah but they're um their purposes is entirely like you know it'll sit and wait and make sure it's on the right machine in the right place and then um because it's you know it's targeting a particular system in a particular place and the object is to destroy something physical and positively cause physical harm yeah yeah there's um of course so no not you know not sure what the question is but but that that is something that I saw popping up throughout the the history there's this there's this story and that the first instance of something like that happening was in I think 82 or something like that which is not a very credible account and it was the U.S
infecting some kind of a Russian control system for a gas pipeline um yeah stuxnet was the the coolest one of those but what would be your question what would you want
I mean this is this is all part of sort of the cyber War the activity that nation states are doing I mean I think this is going to continue to play out I I don't think that yeah most of this kind of evolves into what I'm talking about evolves into cyber crime bye this is definitely a set of cyber security that maybe you guys can talk offline yeah thank you come chat with us great thank you so much [Applause] [Music] come on [Music] thank you foreign [Music] [Music]
thank you
[Music] thank you
[Music] foreign [Music]
foreign [Music] foreign [Music] foreign [Music]
[Music] thank you [Music]
[Music] thank you [Music] thank you [Music]
[Music] thank you [Music] foreign [Music] foreign [Music]
[Music] [Applause]
[Music] thank you thank you [Music] thank you [Applause]
[Music]
[Music] foreign [Music]
[Music] baby you give me my appetite don't leave me alone [Music]
[Music]
giving me Wind and Rain some kind of butterfly baby [Music] [Music] but I don't wanna miss you baby [Music]
[Music]
maybe you'll give me five [Music] don't leave me alone baby
[Music] baby you'll get me [Music] don't leave me behind
[Music] oh [Music]
my God [Music]
[Music] I don't know [Music]
[Music]
[Music] that's okay
[Music]
I'll move it up
[Music]
[Music] thank you [Music]
[Music] [Music]
[Music]
I'm moving up
[Music]
[Music] thank you foreign [Music]
[Music]
[Music] thank you [Music]
[Music] thank you [Music] thank you
[Music]
[Music] hahaha [Music] oh yeah [Music] thank you [Music] foreign
[Music] foreign [Music] foreign [Music]
[Music]
thank you [Music]
[Music] foreign [Music] thank you
[Music] foreign [Music] foreign
[Music] foreign [Music] thank you [Music] foreign [Music] thank you foreign [Music]
[Music]
[Music] thank you [Music]
[Music] foreign [Music] [Music] foreign [Music] all right [Music]
[Music]
[Music] thank you [Music] thank you foreign [Music] foreign [Music]
[Music] foreign [Music] thank you [Music] [Applause]
[Music] foreign [Music] questions [Music] [Applause]
[Music]
[Music] foreign [Music]
[Music] dreaming of myself
[Music]
some kind of butterfly baby [Music] don't leave me [Music] but I don't wanna jinx it baby [Music]
[Music]
[Music] thank you [Music] yes I'm gonna butterflies [Music] foreign [Music] don't leave me alone [Music]
[Music]
[Music]
oh [Music] oh [Music]
[Music]
thank you
[Music]
foreign [Music]
[Music]
foreign [Music]
[Music]
[Music] foreign [Music] foreign [Music] [Music]
[Music]
[Music]
thank you [Music]
[Music]
thank you
[Music]
[Music] thank you [Music] thank you [Music] thank you [Music]
[Music]
[Music] thank you [Music] foreign [Music]
[Music] Hallelujah [Music] oh yeah [Music] thank you foreign [Music] wow [Music] foreign
[Music] foreign [Music]
thank you [Music] thank you
[Music] foreign [Music] thank you [Music]
foreign [Music] foreign [Music] thank you
[Music] foreign [Music]
[Music]
[Music] thank you [Music]
[Music] thank you [Music] foreign [Music]
[Music]
foreign [Music] foreign [Music]
[Music]
[Music] thank you [Music] foreign [Music] foreign
[Music]
[Music] thank you [Music] thank you [Music] [Applause]
[Music] thank you [Music] foreign
[Music]
[Music] foreign
[Music]
[Music] baby [Music]
[Music] don't wanna overthink it baby [Music]
[Music] baby
you'll whip up my appetite [Music] but I don't wanna jinx it baby [Music]
[Music] maybe you'll give me five six five [Music] foreign [Music]
[Music]
[Music]
let's go [Music]
[Music] thank you foreign [Music]
[Music] thank you
[Music]
[Music]
foreign
[Music]
[Music]
[Music] thank you foreign [Music]
[Music]
[Music]
[Music] moving up
[Music]
[Music]
forever
[Music] thank you [Music] thank you [Music]
[Music]
[Music] foreign [Music] foreign [Music] oh yeah [Music] foreign [Music] foreign [Music] all right [Music] foreign [Music] foreign [Music] foreign [Music]
[Music] thank you foreign [Music] thank you [Music] foreign [Music] foreign [Music] foreign [Music] foreign [Music]
[Music]
[Music]
foreign [Music] thank you [Music] foreign [Music] thank you [Music]
[Music]
[Music] foreign [Music] foreign [Music]
foreign [Music] foreign [Music] foreign [Music] [Applause]
[Music] thank you thank you [Music] after
[Music] foreign [Music]
[Music] appetite don't leave me alone
[Music]
don't wanna overthink it baby [Music]
butterfly [Music] baby [Music] [Music] oh but I don't wanna miss you baby [Music]
[Music] fly [Music] baby [Music]
[Music] baby you'll get me you're with my appetite [Music]
[Music] oh [Music] my God [Music] foreign [Music]
[Music]
foreign [Music]
[Music]
thank you
[Music]
[Music]
foreign
[Music] foreign [Music]
[Music]
[Music]
move it up
[Music]
[Music]
[Music]
[Music] foreign [Music] thank you [Music]
[Music] thank you [Music] thank you
[Music]
[Music] foreign [Music] Hallelujah [Music] thank you [Music] foreign [Music] foreign [Music]
foreign
it's at the bottom
sure
all right let's get started I hope you guys had a good lunch break sleepy this this talk is definitely gonna help this is an amazing talk on strategies for secure graphql development and I'm excited to introduce you to Mr glass yeah welcome thank you uh yes this is a strategies for secure development with graphql uh it's a terrible title not refreshment but that's what we're going to talk about uh my name is yatir silbermans I work at aeon Cyber Solutions they are very very very great to paved my way here and also they're sponsoring tomorrow at the happy hour so please check that out I also am staff here at besides Las Vegas I work on the
website it's an immense privilege to be able to work here with staff so that's me our goal today is to make a developer experience where security is actively nurtured and supported I see a lot of projects where we talk about security being important and we say oh the team you need to do security but nobody actually helps them do anything secure so a lot of what I'm talking about today is trying to help make something so that developers have the tools they need and a note um most of my talk is framed around graphql but this should be applicable to like any engineering any development so don't worry if you're not a graphql developer this is really more about applying
standard practices standard uh techniques for security secure development to graphql um also a little note unfortunate I made some really awesome hilarious memes for today but there was this nafu and I can't use them so you're just gonna have to assume that there are awesome graphics on each slide thank you okay so I decided uh to be frame this around three questions I actually I spoke at besides a decade ago uh and it's it's been an experience since then and I was trying to think what I would tell to me a decade ago as a young engineer about security and I decided there were three things that were hard for me to get answers to and I would
tell them that is how do I figure out what I need to secure how do I build something like the secure Foundation if I said you have to start with security but nobody tells you how um and what should I love which is something that's it's a little very specific but it's a question that I never got an answer to ever and so I want to talk about it Okay so our first question how do I figure out what needs securing anybody have an idea no that's okay there's an obvious answer it's threat modeling threat modeling is uh has been around for a while at this point it's a very well understood process you know
the idea is to model your application build a model of what you are building so you have representation of it you know you can look at it and then try to apply different threats and different threat factors to it so stride is a fair modeling framework uh came out of Microsoft and you model out your application and you try to apply specific vectors of spoofing tampering repudiation information disclosure throttle service and exhalation privilege the Nautica strive pretty easy to remember and these are the things you're going to look at when you're threat modeling on your model you're going to look for areas where things could happen so this is a high level model of what
pretty much every web application looks like on the back end I mean there are bigger ones people who custom stuff but most of them have a public endpoint like a laugh or a AWS endpoint and that goes on to an actual graphql framework so now we're talking about inside the code the WAFF will call and call the your server software which follows your framework and your framework is going to run and their framework is then going to call your model logic that's how all of the web uh Frameworks are set up that's where everything is set up so on a high level I actually worry about um this and and here I worry more about
like stuff that would affect the framework system so if something would affect off which is part of the framework for me and far from most people it's a spoofing anything that could do the analysis would probably end up in the framework I mean you could have bones in your code but I worry about framework level issues or denial service and same thing with escalation of privilege I've worried about since I use the framework for privileged access I'm I need to make sure that my framework has what I need so I need to worry about it on that level and then at a lower level in graphql you can graphql it's complex but it's not too
crazy there are a few parts to it the first basic part is a query and a query is you post payload to the server and ask for what you want um you can graphql you can request multiple objects at the same time through the graph so you can say I want the user and I want all of the users posts and it'll get all for you in one go which is really awesome but also opens you up to some attacks so if you have a cyclical reference you could have a very long cyclical reference attack to get a.net of service um there's other attacks that are out there and subscriptions are actually very similar to queries uh the only
difference between a subscription and a query is that subscription is done over a steady connection like a websocket and then if the server keeps posting new payloads as things change so there's usually an event there's a specific subscription that you have subscribed to and when that gets triggered the server will automatically send it to the Appliance so that the client get updates in real time so that's it it's almost exactly the same as queries but it's a separate thing um and then there's also mutations mutations are awesome back when I first started everybody was moving to rest and you couldn't use RPC RPC is evil RPC is a remote procedure call and so what happened in the industry is
like we have to use rest rest is where rest rest apis have a paradigm where you're posting a document and pulling a document back right that's what rest is all about but let's say I need to uh fire off an email when when somebody puts this thing well now I'm just having a side effect whenever somebody changes it there's a side effect in my code triggering something else it doesn't fit the Paradigm of I'm posting a document it's all side effects so I've hated rest for those things it it doesn't apply an RPC is server do this so if I say server send an email it doesn't and it gives me an okay or not
um so mutations can do all that stuff they return basically the same thing as a query payload inside so you run your mutation and it can return data of implementation or from just your whole database same thing with the graph all this supports following the graph to the child objects and everything um and I worry at this level about tampering repudiation exploration privilege because this is where their code is actually this is where they're actually hitting your code and this is where you have to worry about actually having lockdown access and actually having locked down who can touch what and things like that so mutations are where you're going to have your code doing things that aren't
standard and you're going to need to worry about that stuff so my big thing that I try to tell people is to treat security like a feature request developers we get feature requests all the time and we tend to get like oh and this needs to be secure we never get a feature request of add MFA as a feature but that's a huge feature so approach security improvements the features a you can probably sell it you can get planning on it and V it lets you approach it in the full process like we do everything else because developers all have processes for approaching features and I also really like to test them like a feature if I skip a slide no
um I also really like it test them like a feature so don't just test that the user my favorite example that I almost never see in a code base is a unit test that says posting the wrong password not allowed in right you have a lot of tests that say I put my password and it works almost nobody has not putting the password and getting blocked but don't just check that it got blah check that you log whatever you wanted to log check that you responded properly so that you're actually saying back to the user hey this was blocked for this reason um and all that stuff make sure you actually check all of this it really
helps it helps make security easier when you do all of this it it really helps when the problem happens having all this supports having somebody be able to figure out what's wrong so adding in this test very important to have Vlogs and everything else just make sure all parts of your security feature are happening um I really like functional tests unit tests are occult um and they're not bad they're they're pretty good the thing about functional tests if we look back this is from the earlier slide so we have the framework and the orm and these are controlling a huge part of what we're worried about right we're worried about how the framework is handling off and how the
orm is handling checking actual database access to the items Etc and validation on on inputs as well and so if you're doing a traditional unit test what you do is you mock out everything outside of the the function that you're trying to test and you just test your specific unit of thing that you're trying to test and so if you're writing a unit test you mock out you mock out the framework and you mock out the URL in a real unit test you only have your logic so you can't test all this and at the same time a functional test also will get you a whole breadth of coverage a functional test instead of unit test is just one
little feature a financial test is literally hit the full page have the full process of the pro of the website run and get a payload back and check that the payload looks like what you want so similar what I did here right I'm not going and checking the ad user to group function I'm calling a query from the outside and I'm getting the full response back from the server um that's a functional test um and they're awesome and they actually allow you to test the other stuff so don't just do unit tests okay how do we build a secure Foundation what time is it so I have to keep an eye on the clock okay
so start with the framework um Reinventing the wheel is bad especially right now there are tons of great Frameworks graphql is all new code from the past five six years so you're gonna the Frameworks are all well made and don't reinvent the wheel craft wheel has a very complex uh has a very complex query structure that it needs to parse and parsing things is where a lot of mistakes happen so don't write your own parser use one that's already pre-made when you're picking a framework look for an active community and good thoughts I like to check the repository to see how they respond to security issues before because you can immediately see if oh they actually respond took care of
it or they said I don't know if that's a problem oh maybe we'll fix it in two years you probably don't want that framework that like is saying you know it's not sure if it's going to fix the the security thing right away you want the framework that's like oh security problem here's a hotfix um so check that they've done that in the past in case it happens again and another big thing that um I've seen a lot of places fall into is they'll pick a framework that's very specific to how they want things it's very opinionated so if you want all of your code to be formatted a certain way that's cool and you should do that and we'll get to that
but if your Frameworks want you to format your code a certain way you can't change it if you want to change it you can't change it if something comes up that makes you change it right so if your framework is is kind of blocking you from doing other things that weren't out of your opinion at first it will come back to bite you because it's going to block me from doing other things you might want so don't look for a framework that like perfectly matches what you want look for a framework that's more of a tool for you to use to build what you want because what you're going to do is you're going to take that framework and
you're going to extend every class in it if you can so there's a standard model class that you're probably going to have in the framework you're going to extend that and add what you want uh big ones are non-sequential IDs time stamps and uh I actually really like to disable Superuser functionality in Frameworks um so that there's no super user like they need a permission to actually do the thing instead of having the ability to just do whatever anything all the time so I like to disable super user entirely I like to build in off checks into the node resolvers which is part of the craft dwell side and the objects um this is where you really should
enforce your opinions so whatever you care about being in the object like non-sequential ideas is a big one for me um whatever you care about enforce it at this level this is where you're kind of making your framework but you're not making your own framework you're using something else but you're making it into your own okay that will allow you to build all security you want into it then you're gonna have to go beyond that because it's not going to cover everything and you're going to need to find a lot of simple stuff it's probably going to seem simplistic that developers are going to need to do in the course of their business and write the functions
for them so that they don't need to figure out how do I check this user is active right they just call the is active function I don't need to I don't need to um there's a whole bunch that we have in my my team for things like permissions right I don't need to understand how the whole permission structure to work I can call the permission helper that sets up the permissions so for security and specifically for authorization stuff you can centralize it in one place you can well vet that thing and then they can call the function and know it will work for them and do the job so this is part of again building an environment where
they can do what they need to do is finding these simple actions I mean the the most common one um is a decorator uh the most common one is a decorator you put over your functional decorators are little at common to put over a function um they're supported in a lot of languages and they usually like add something as a wrapper to the function so they wrap it in some logic and so I have decorators and I've seen decorators and Frameworks a lot of Frameworks have it um you can basically put a decorator that says this is loading this object at the start and it will automatically load the object automatically check permissions for the user and just when
the developer goes into in the context of starting their function they already have a vetted object that they know user has access to and they don't need to worry about how to get it securely they have it already so that's the thing try and drink close that law objective developers don't need to worry about how do I do this purely um it seems stupid to put something like is active in this but I really wanted to point out that doing the simple stuff helps because they they might see the active thing and not be sure also you're going to get people who do it slightly differently in two places if you don't have this you're always going to have
slight differences everywhere and if you ever need to expand the active thing so say you know you've got a call and we're like hey we need to make sure that users who are like over two years old can't sign in either right so you can add the check that the user hasn't signed into your two years active talk if you have it here so really try to enclosure stuff and help her functions um really helps checking if user internal is another great one you know uh often you have functions that you don't want clients to use but only your people to use only your employees to use and so just like it's active very simple
one that isn't somebody from the company is a very simple easy check and important and again that can be very complex logic depending upon your company but if you can close it in this developer doesn't need to worry about knowing that complex logic they can just call your function and I also really like making test helpers because you need to help the developers make their tests right you need to help them make their tests secure so a huge part of my work in starting my this my latest project was making helpers that you could easily make a query and get it back to those functions so that functional test that I showed you was one line to make a query
instead of a hundred to build a query and insert the stuff and get the user and say okay now pass it into the framework this way I can close it all in the function whether you can just say give it a query string and a user and it takes care of everything else and gives you the response and that allows developers to develop tests quickly and make it more likely they're going to make tests and it really helps keeps them secure because it encourages testing of this layer of stuff and we want to encourage testing of this stuff
so if we've done our job well at this point we have secure Behavior by default in a lot of our classes as well as I'm sorry just checking your time as well as sensitive logic that's enclosed on centralized centralization I should talk a bit more about um when you have code in multiple places it's impossible to keep up to date as a possible key to all of them up to date and write the same way and for off it's huge important that you don't end up with what's called like a shotgun parser so where all your checks are happening all over the place you want all your checks to happen in one place so you can understand what's
going on you can understand what the checks are and you can clearly develop it so centralization is very important for for things like super processes and particular authorization is a huge one um and build tests with broad coverage I I can't stress that enough that'll help you in multiple ways but in terms of it really helps that broad coverage I have tests that I have test that check every if a user can load an object if you're using a little list of objects all that and I have a helper that does it for me so I just have one line that says get object as User make sure it can use it right if I didn't have that helper
developers would probably either have 100 different ways they're calling it to check that and they'd probably spend a lot more time we're not even make the thing to check the full thing but because I made a Helper and because I I mean this helps them let them do the broad coverage they have a full own compassing test so the helpers really encourage the developers to do the right thing we're on to the last bit of the talk which is what should I log so anybody have an answer everything is the first answer I always get you shouldn't log everything
exactly what you need to audit is the big one right if you're logging everything there's a huge amount of stuff but also it you're gonna get a lot of private data in your logs too right if you're logging every request you're just going to get a lot of data that you don't want in your logs you don't want to have to treat your logs that way so pay attention to what you are logging and log specific things that help you thinking about repudiations a lot of what I do so the audit stuff think about okay somebody's going to come and say I didn't do this action you're going to say no that user click this button at 10
53 on Thursday um when somebody asked what on Earth happened to this you know you're going to need to figure that out if it's something important um and I stress Don't limit yourself to logs um logs are great but there are other ways to capture information that will help you tell the story later so already I mentioned timestamps on each object um time stamps that you see when it was created when it was updated they're built into most Frameworks or they're super easy to add and that lets you know when the object was added so you get the call what happened to this well Bob edited it on this date right because I have the edited advice and the updated
by and the updated app so I can easily go and tell you Bob edited that one last that's why it's different right and uh the most important the very important thing that you should not omit and logging is Authentication you should be outlogging what's coming into your authentication so you can see attacks come so that's like the bare minimum to log if you don't have this you either have a very specific use case um so there's a fun thing with repudiation is sometimes repudiation is also a security feature so repudiation is the ability to say I didn't do this right so somebody wants to claim they didn't do it you need to prove they did
but let's say I had secure messaging or paste bin right pastebin doesn't want to be able to prove who posted right you want it to be a public dump right so that's actually a feature a paste bin that you're able to repudiate that you posted to it I think pasteman still has that um so unless you have a specific reason not to have the logs um of these specific logs these are like the bare minimum that you should have again these aren't that's also aren't really logs but they let you tell a story of what happened to the object um my favorite story about the repudiation um is from Defcon um a few years before I started going to
Defcon there was this thing called Cisco gate speaker came and spoke about Cisco was going to speak about Cisco routers and vulner that they hadn't patched yet and Cisco got an injunction against him and all sorts of stuff happened they actually ripped the talk slides out of the printed Black Hat book so you can do a bump of the slides I mean it like ripped the whole section out and one of the things that happened was that the feds said I need a copy of every I need a log of every person who downloaded the slides from the website um and they were forced to turn that over uh and as dark tangent talked about this
in a talk a few years later and as he put it and that day we turned off the locks because again they don't for Defcon they don't want to have the thing to turn over to the feds of who downloaded the files right they don't want that information so again thinking about it it's a feature um think about what you're logging uh yeah and I actually I really love that story because it's just yeah we Defcon stop vlogging they stopped a lot of their logging because that way they didn't have anything to turn over more intensive than that but still in the same vein is object versioning so you can often find a plug-in for this or
build it yourself real easy basically every time you save you save a copy of the old record in the in a table somewhere in its own row and that way you can go back and see each individual version of the object you can look in that table and be like okay the edited version from this date was like this and then it was edited here this way and here this way every individual version it's really easy to set up in those Frameworks there's usually a plug-in for it um and again telling that story seeing exactly what happened to the object as you go through explicit logging of sensitive events um I can't stress this enough this is
again if the authentication intent but also if you have a sensitive parts of your application every application is custom logic in it right so you have a sensitive action that a user does I really I consider anything that changes an off access permission so them inviting you to a group giving you access to that group that changes the access versions of the group so I want to log that he made that change at that time that's an a sensitive event there might be other sense and events I do like real world payments or things like that but actually like having of easy to use logger which is not hard to set up so you can just say log and message here
this happened um it there's no substitute for it and again you can very specifically say on the important things this happened here right your company has something important they want know about explicitly log when it happened what happened um again you want to avoid including private information so don't put the user's name there I use your IDs so I just put the uuids in it and make sure if you're like changing like the owner of an object one mistake I made early on was to just say oh Bob made whoever the owner of the object and I have no record who the previous owner was so make sure that you have your log say fully Bob changed this from Steve having
access to Tom having access right um though you want to have as much information available in that log to see exactly what happened point in time DB backup systems are fun just kind of like the object versioning where you can go and look at every version of your object in the database playing time backup systems let you basically say roll it back to Thursday at 3 pm exactly or 302 in 30 seconds um the way it works is that they have like a base a base database copy like a like a snapshot and then they record all the addition all the changes to the database are recorded as individual events rather than put into the database
normally and so when the record is individual events it can play back up to a certain point so you can it can literally say okay start from this it's start from this backup roll forward to 3 45 pm and you see exactly how your database was um I put this in here because it's remarkably easy to do and I say that because it's built into RDS so if you're using RDS and most people I meet are you can just click a button at a point in time database back now they don't go so far back unless you tweak them to go very far back um they go about a week or two I think by default
um but that can be hugely helpful as well uh and I'm wondering because it's a button in RDS to turn that on press long in graphql so going back to rest typical rest logs the way we weigh most people log them is to log the um endpoint the method but not the action any actual like host payload because again the post payload is likely to contain user information that you don't want right you don't want to have private information in your logs so we don't usually log the post payload unless you have a really secure application where you need to have everything right and instead we just log the uh the method the endpoint uh usually
there's a time stamp but I left it off here right and 200 these are the response codes that say you know this is a good response this is something was actually saved and this is an error response right and with rest this works great you can clearly see what have what this user did they want to look the post and then you and he went and tried to get a group that you didn't have access to right so this works really well again for going back and telling our story with rest you can do that but there's a problem with graphql basketball uses the same endpoint for every request and graphql by by standard does not give
error response codes um the reason for this is it's um the RPC style of it um if you post something that fails in a normal way like not having authentication that's a 404 your request worked but the inner thing that you asked for didn't and so graphql responds with a success payload that inside said here are your errors and it can give you multiple problems and it can partially give you a request too um so it the error responses are very different um and so you can't really tell what's going on from just that so if you have your standard API logs on our graphql server you probably aren't knowing what's going on it's just you know you
can't see anything um looking at a graphql request so I lied a bit before when I said that mutations are IPC everything in graphql is an RPC the way a graph the way graphql queries work is you declare a query like that's compiled in real time basically and then you declare an option name an operation name and tell it to run that query so again this is why we have the 200 responses um what this allows us to do because it's so nicely structured you can probably log just this and get a good idea of what happened now you don't have the variable so like you would have an idea usually in rest logs and you won't have it if you just log
the query portion but you can still sort of see what they did and since probably you control the graphql queries unless you if you have a public referral server you can't control what query is coming into you if you have like public consumers but if it's only your employee is consuming the graphql API you can make sure that they don't have any sensitive information in line that they properly put in the variables and then you can log the query part and be pretty safe and not worrying about on the other stuff and that is almost functionally equivalent um it's not quite functional equivalent to your standard rest logs because like again a rest log you'd see the ID or
probably a search you might see it in the in the endpoint that you're hitting like it's a get parameter but you you're not you're not logging back here um and it's not that you can't log user input but it's that unless you have a real um need to have that level of logging unless you have a real application that's really sensitive and they want to know everything rolling back and we don't care it really is not as worthwhile to log the actual payloads you don't you want to avoid having user content in your logs um don't just log put your logs in the three bucket and walk away so one thing I see a lot
is people who they they strap I mean I worked at one company and actually the first thing I did for them they're like we want to know every click on the website okay and so I set up a whole thing every click up posted and saved into an S3 somewhere and nobody ever looked at it again right if you're just dumping everything into a place without any tools to look at it you know it's pointless so if you've just toss your logs into a three bucket that's not great you need a way for you to actually search it right so you can go and do investigations and have it ready because if something happens you're not going to go and
figure out how to search at the start of Investigation you want to know how to do it already right so using a logger that outputs the structure Json is uh pretty important these days it allows the the seam and other tools that can parse logs can parse the individual things as individual thinking parse the payload as an object and see the individual parts of the object instead of a line that's harder for them to parse out what is what so if you have a scene that's automatic reacting you can see the timestamp is a is its own it's an old feeling on the object instead of just being on the line right it can it can
interact with the better and you can search it better because you can search specific fields the Json structured logging in Json lets you have different fields in your logger instead of having things just one Big Blob of line um it's really just a matter of outputting that log line as a Json object there are Frameworks that do it for it and then you do really complex things um loggers will our loggers are really good for helping you add in extra information for what happened there so if you have a good logger and you call it it's going to it's going to log what you said to log so you know log user click this right it's going to log that
but it's also going to log the times also going to log the user ID it's also going to log a bunch of extra data about that and a good logger will automatically add that in for you and have facility for you to add in whatever you want so good longer have a facility if you say I want every log structured law and almost every structured log output in the log to have a field that says whether the user is 10 years old right I could write that for you okay give me 10 minutes um they you can get a lot of utility out of it and again have standardization um so structure log is very important
provide a service like a like an oak stack or something to search um or documented methods of search there are a million ways to search an S3 bucket um and so there are millions load it search it efficiently but have a method ready to go make sure if you are logging information that's user content or your logging user actions that might be sensitive log your stuff securely right again don't put in mystery box that's open to the public right make sure it's been put into place that's properly made for storing that sort of information um and finally run drills it's similar to database backups if you know there's a little saying if you don't test your database backups they
don't exist and they won't exist when you need them um if you don't test it you can look at your logs you're going to have trouble looking at them when you need them and again at the start of an incident it's not when you want to try to figure this out so have a documented method or something where you can go ahead and do the drills oh there's an invasion um so that's most of my talk um we covered three basic ideas planning your security features like features build a code base where you're really helping the developers do secure Behavior and pay attention to what you're logging please thank you again a huge thanks to my
company aeon for sponsoring and sending me in here or other sponsors and everybody else all volunteers are you going to interrupt me I need to take questions give you a minute any questions okay I wanted to expand upon drills yeah it's always really hard to try to like budget time like what's a good way of like selling these drills and Chaos testing in my application we've been able to do it simply by following up on support requests to the nth degree so you get a support request they want to know what happened it's like you know what I'm going to figure out exactly what happened and that way I know I can figure out when I need to know exactly
what happened in other cases so that's the easiest way to do it um selling it otherwise it might be hard selling security features security things is hard that's one of the reasons you want to build it as a feature because security improvements are usually seen as a cost they're just a stupid cost there are some costs we have to do this it doesn't give us anything if you think of it as a feature I'm building out this new thing for our users so our users are more secure you can get more buy-in so that's a huge part of it hey Damon you're answering that's it
it's the silverware this is an unused Bowl thank you this is my outrageous speaker request we have one uh we have a little trouble getting kosher ice cream so you've got lots of tough to create a kosher Sunday got it I'll take more questions yes
so like most uh most things it comes down to do things well from a stlc perspective right I'm sorry hello okay sorry so like most of most things related to security it comes down to have a good sdlc process yeah right that's a huge part of it um I didn't want to focus on that because I wanted to focus on stuff I haven't heard before right but yes and you can see a lot of that is the process I'm talking about yeah well I I want to plug two different things one is immutability um which you know you don't have to log things if they exist Through Time right yeah immutable records and that's sort of like the the
the the the the the version backups right which also leads you to dry right don't repeat yourself so if you're going to have data in a database you don't need to log it if it's immutable right email question but oh it's important to note logs are different than your database so you still might want to put things in your logs that are also in your bags there are good cases for that logs are a different thing sure any other questions well thank you thank you all for coming [Applause] sure
here first [Music] thank you [Music] thank you [Music] [Music] thank you [Music] foreign
[Music]
[Music]
[Music] thank you [Music] [Music] thank you [Music] foreign [Music]
[Music] foreign [Music]
[Music] foreign [Music] foreign [Music]
[Music] thank you [Music] foreign [Music] [Applause]
[Music] foreign [Music] questions [Music] [Applause]
[Music]
[Music]
baby you'll kill me [Music] you're giving me wind away [Music]
[Music]
[Music] I don't wanna overthink it baby [Music]
[Music] don't leave me [Music] but I don't wanna jinx it baby again
[Music] but I don't wanna miss you baby [Music]
[Music]
maybe you'll give me five years I'm gonna butterflies [Music] don't leave me alone baby you give me rain [Music] there's some kind of butterfly baby
[Music]
[Music]
oh [Music]
[Music]
[Music] foreign [Music]
[Music]
[Music] okay thank you
[Music]
move it up
[Music] thank you [Music]
[Music] [Music]
[Music]
open up
moving up
[Music]
[Music] foreign [Music]
[Music]
[Music] thank you [Music]
[Music] thank you [Music] foreign [Music]
[Music] foreign [Music] happy birthday
all right hello everybody are we good all right so this talk is from a rock star herself this is on security TPM role so without further Ado I I'll just introduce Lee Snyder thank you all right awesome um some names Lee and as some people who walked in on time or early saw I actually got the title of this wrong so that's a hilarious way to get started this morning um so who am I I am a principal security engineer and all of a sudden everybody in the audience is going why is the security engineer going to talk to me about the technical program manager role don't worry we'll get there um so you can read more about me and my
LinkedIn I also did an interview for TL DR SEC about my life as a staff plus engineer um in my spare time I run a lot of security conferences so I used to run besides Boston I'm on B-side Seattle planning committee thank you I'm also over at the Diana initiative you can see lot lots of fans um and I used to be a TPM right that's why it's okay I'm doing this talk um also my good colleague and friend Raji was supposed to be here with me unfortunately she had a family commitment and she's not here but she is a technical program manager today she is a TPM manager manager which is really awkward to me to say
um so she helped me write these slides she helped me write the abstract so it's not just my thoughts but my normal disclosure these are my thoughts not my companies all right why this talk um I get asked all the time how do you become a TPM um how do you explore multiple domains in security like it seems really hard to move around in security so how do you do it and what are the two or three factors that were essential to your career this role by far and away is why I am who I am today all right yeah so this is B size so you knew there was going to be audience participation at some point I made it
early all right so who in here is a TPM all right who's thinking they might someday want to be a TPM I got some hands all right how about people who work with TPMS all right how about people who work with TPMS and actually think you know what they do I know that's that's a really I know um and then how many people are in this room just because you know me yeah okay thank you friends thank you for support all right so this is the classic thought process of what a program manager is and I kind of feel bad for the guy he doesn't look happy does he he looks actually really unhappy um
I'm not a big fan of describing the role this way I think it actually does a disservice to both the people in the role and the people they work with so I have a funny story I didn't actually know what this meant the first time someone said it to me so this is my thought process quite literally I went somewhere else because I have you know attention problems and then I went to like wait I'm gonna have to hurt about like what like I so herding cats is hard all right um this is going to be hard to read so I'm going to read it to you guys so this is a Twitter account called security TPM
uh like an engineer who can talk to people so what is a technical program like that's like let's start there um so TPMS typically will lead large complex multi-disciplinary cross-functional programs that was a lot of words um so what's an example of that so how many people remember preparing for gdpr yeah okay I would hope a lot of us remember that um see a TPM think about what would their role be in that type of program right they're going to work with legal to understand their requirements they're probably going to work with compliance to understand what compliance thinks they're going to work with developers to build the tooling that you need for gdpr and then they're going to work with the
teams they've got to migrate to those tools so you can see that role is working across teams now today that would probably actually be somebody who specializes in privacy but the time that gdpr came out a lot of people working at were in security because that's what we had like people weren't yet specializing in privacy what's another example um often it's someone who works on something that's not a product what what what the heck does that mean so a good example is a lot of people probably have done this before you write your own detections so TPM is going to be a person who's analyzing the data all the different data streams coming in and
saying okay cool I'm going to raise my hand and figure out what we need to deliver and do that but the important part of this why we're talking about security is they do it with security right so they have that security Acumen and they can come in and Lead just gonna make sure I got all my points
oh yeah so what are some examples of programs I've LED um so many years ago if you were here at b-sides you may have actually seen me working in a booth I used to work for a different company and someone once asked me what do you do and I said I have the most awesome job ever I actually ran a program for developer education but I got to work on gamification so I got to run a capture the flag program both internally and externally so what does that mean well I had to work with the developers who built the platform I had to work with legal because if we were doing questions externally we had
to make sure that we weren't doing anything that would be objectionable I had to schedule the pen test right because we want to make sure the platform doesn't get hacked um and then I had to you know get people to write questions and what's interesting about this is that that wasn't anybody's job right I had no Engineers assigned to me I had no one right I'm just I'm on my own but a lot of people are really interested in this kind of activity and it's a lot of fun um I actually used to write the social engineering challenges for the platform and we're going to get to why the technical matter to the TPM um another example
we kind of were talking about how we saw the same class of problems over and over and over again and working with some Engineers we went and did root cause analysis and what we figured out is that the reason we see the same type of problems over and over again was that we really need to harden our platforms and Frameworks right so what does that mean well it meant I had to go convince these development teams that they wanted to work with us directly to fix the problems in their platforms or Frameworks so there's like a wide variety of work that you can do but what would you say you do here so I gave you some examples of technical
programs um I think the most important part is that you are still an expert right you are still a security expert that's why they hired you so you need to bring your security skills and your technical Acumen and come in prepare to deliver when you think about a TPM they are the person I'm going to try really hard not to curse that gets stuff done stuff okay I did it um but really they they're the person who comes in and leaves the program right they develop the strategy and then they do the execution end to end so they've got to go get buy-in from leadership they've got to convince leadership to staff that program right they've got to demonstrate how
it's going to be successful so out of the gate you've got to be thinking about what are your success metrics what are your okrs right it's not just I got a design a solution but I gotta show why that design will be successful it's good oh yeah
some other points um so remember how I mentioned they're the leader of the program so you're going to work cross-functionally right you're going to work across the organization and that's really where a TPM can add value if you have TPMS working only within their team and not working cross-functionally and cross-organizationally they're just not going to have the same impact it's why that often the ratios for TPMS to Engineers there's going to be a lot more Engineers than TPMS um but some of this kind of depends on the company I'll be really honest my background is entirely Fang so that's going to cloud my experience right like but really um you're gonna find some places will just have a handful of
TPMS some people have fleets of TPMS right so it really does vary but the important part is you're the leader of that program you're the person who owns it and drives it end to end and you you bring in that security expertise and that the experience that you've had the funny thing is um I didn't start as a security TPM right so my background originally is pretty normal I teach directory right I started in the help desk I help people fix their computers it was not my favorite thing to do I became a desktop engineer so then I could ship you know os's to people basically I moved to a standard systems engineer role you know so then I would build
systems and then eventually I landed in identity and access management which I actually really like to this day I still like I am I think it's a great role um and that's how I became a TPM actually like I was an identity access management engineer I became and I am TPM and then I thought well security is kind of cool I could do that and uh hilariously got hired in appsec you all just listen to my background is there anything I just said that said I could code in case you're wondering I still can't really code I'm I'm actually a decent scripter but please please don't make me code but that's the beauty of this role
all right so what's the difference between a TPM and a PMT so PMT is a product manager technical and this is hilariously not lined up um so the biggest difference is a TPM remember I told you they focus on programs often programs that aren't products but a PMT is all about the product and they're all about the product life cycle they care so much about the customer needs the customer voice they are the what and the why that is what they focus on entirely the what and the why TPM does not care about the what and the why we care about the how the when and The Who which is why we do things like develop
work back schedules we figure out who we need across the company and we figure out how we're going to get it done often we have to figure out how are we going to get it done with the least amount of resources as fast as possible and that's when that strategy and execution becomes so critical right so we focus on Milestones deliverables resource allocation and measurement like that is the bread and butter of the job okay so what's the difference between a TPM and an em here being engineering manager they look similar right you got the how to win and the who yeah I did that right okay um but the biggest difference is the engineering manager is focused now this
assumes they're also just like a standard like I don't know what the right definition is but they just have a team they're not a senior manager they're not a director so just just go with me on this analogy for a bit um they focus on their team right like that is their Focus right they do team deliverables they do team allocation they also do Performance Management um the TPM though is like I'm gonna Focus again it's the same thing so it was on the other side right and but it's across the org like that's the biggest difference I think is that really you're focused across the org across the company not just within a team now this
changes obviously as you go up the engineering ladder as an engineering manager you start obviously looking across I don't want people to get the wrong impression one of the interesting things is a lot of times people forget that the TPM can help you let's say you don't have enough resources to get something done the TPM is the one that's that's going to go and Advocate it doesn't necessarily have to be the engineering manager advocating for additional resources or let's say the project has gone totally off the rails the TPM is the one that's going to go explain to leadership wise off the rails and what they are going to do to fix it again helping the
engineering manager um so those are differences the interesting thing is that often people start out as TPMS and they'll learn a lot about strategy and execution and let's be clear you learn a lot about people management and they'll go on to become engineering managers it is a very very common path I've done it okay so we talked a lot about like what they do what's not in scope four a TPM I mean there's a reason I say just right if you find yourself just taking notes just scheduling meetings just reporting guess what you're not you are not a TPM I don't know what that job is but it's not a TPM um I mean I kind of I love this
I started a day with problems and I've lost the spreadsheets again not a TPM but pretty funny so what if you find yourself in this situation like how do you get out of it I've had to coach a lot of people who found themselves in these roles unexpectedly wildly technical people right wildly talented great execution but for whatever reason the Oracle is just like I actually a note taker so here you go there are so many ways so let's say all you're doing is taking notes well out of notes come action items right you're in a meeting you're taking the notes you're discussing what should happen start suggesting the action items start demonstrating that ownership
um let's say again you find yourself only doing reporting for whatever reason that's all you do just send status reports like start owning some of that right do the data analysis show that you can do the data analysis write the dashboards there's lots of ways to also demonstrate your technical skills you could scrub something right automate a simple thing but make everybody's lives better go chat with the engineers hey what's your big engineering problem and try to show how you can help solve it right look for pro like literally seek out problems and fix them that's how you demonstrate your value now this one's probably a little strange to people they're like why is mentoring
Engineers on this list so think about what a TPM is good at they're good at problem solving they're good at execution they're good at leadership they're good at program management right they're good at getting people together moving in the same direction to get things done guess what you have to do as you climb the engineering ladder as an IC everything I just listed if you cannot do that you can probably get promoted still like you can probably get promoted purely on your technical skills and congratulations you want to be a phenomenal leader that's not going to get you far enough okay so what makes a tpn successful we talked about a lot of this already
right but a big one is you really do need to understand systems architecture and Design um so think about it like if you're having a conversation with your engineering counterpart and you don't understand what they're telling you go get a book like go learn that system you are paid to understand how systems work together how to anticipate the bottlenecks in them you're paid to find the problems that people create in their own designs um what's really interesting about this to me is that background as we talked about came up as an engineer this is the easiest part of the interview this is like the most delightful part of the interview for me they were like just
design a system for me I was like great can I do this all day like when we got to the tell me how you're gonna measure success I was like I've never done that before but here are my thoughts um if you cannot do this I have a slide later that will give you some great uh primers for how to learn how to do it you really need to have security knowledge or interest and why do I say or interest so remember earlier I said it came out of IAM right that's an adjacent field I think it's a fair call right and I remember my interview being asked like everything about authentication and authorization we like geeked out on
certificates which still cracks me up to this day but you had I had all these transferable skills yeah I as I said I wasn't a developer I didn't know how to code but I did understand systems design so they threw a system and they're like what's wrong with this and that was an interesting experience because I wasn't yet as experienced as security as I am now but I could I could find the flaws in the authentication and the authorization and so past that interview um okay that's neat
all right I won't walk that way um okay what else so you're there to drive Clarity right when there's ever confusion or people aren't on the same page you are there to ensure that we all like March to the beat of the same drummer right so that you're really driving that clarity you're either removing blockers or you're trying to anticipate blockers so a lot of ways people talk about that is you're looking around corners right so you're anticipating when something might go wrong and calling it out and this is actually um really interesting to me because more Junior folks will often try to hide these problems when they're TPMS so a classic way to talk about a program
and how it's going is it's either a stoplight right it's either red yellow green green means everything's great program's super healthy we're gonna meet all our deliverables it's awesome yellow means we're at risk there's some problems we need to develop a path to green red means we are blocked and we actually need help figuring out a path forward too often a junior TPM will tell you it's green right up until delivery and then suddenly it's red and the problem with that is they're afraid to ask for help they're afraid to show any sort of vulnerability and I can't stress this enough go get help go ask Engineers for help go ask other TPMS for help go ask your
manager for help go ask for help never never hide just how off the rail something is going um you need to be able to communicate with all kinds of people so remember how earlier we were talking about the program might involve legal and it might involve developers and it might involve product it's going to definitely involve leadership every single one of those audiences is different and getting in front of all of them and being able to communicate properly to all of them is a learned skill I was not good at it at first um came from an engineering background I talked like an engineer I really did have to learn this but this is a huge
skill set so think about it you want to climb again as an engineer you're going to be in front of a VP or director you get to do this way earlier as a TPM you know as a very Junior TPM when I was talking to VPS um I was talking to svps and I remember thinking I don't know why I'm in this room I am not high enough I'm not important enough but that is the Brilliance of this role you're going to influence up down across often people say this is without Authority and I think the reason they say that is remember you're not responsible for the engineers that are on your team you're not
responsible for the engineers you're working across the org you're not writing their performance reviews you might influence them but you're not actually leading that team here's the problem with that you're the program owner you are the authoritative source for the program you have authority use it so getting hired or hiring and I will have to check my notes because Raji wrote a lot of this slide I did not um so you do need technical program or project management experience and so often people ask me well you know like I'm an engineer how do I do that run a project raise your hand say hey I saw that we're going to do this smaller thing just in our team it's not going to
involve a lot of other people figure out how that works show what the Milestones are like figure out the success metrics I mean that's that is literally what I did as an engineer just because I thought it'd be interesting right I like weird things I'll admit that um but then what I was able to do because I had done that right is is tailor my resume to demonstrate hey I have some PM skills I could probably do the rest um so and let's say you can't even do that at work for some reason remember how earlier we're talking about Community experience raise your hand and volunteer for an event like this try to get on the organizing committee that
will demonstrate your PM skills right like run something end to end talk about how how do you measure the success of a conference by the way that's really hard but now you have something you can go into an interview and talk about um it's hard to have systems design I okay so the first one is the thing I send to people because I think it's a great resource and it's free the second one is the one that Raji recommended I've never read it but I trust her a lot so she says it's good it's good but I also feel like I have to warn you I've never read it you need to have communication skills
and collaboration skills so any way you can demonstrate thinking about different audiences and how you collaborate with people across the aisle really helpful so are you the kind of person who runs towards problems or do you run away if you run towards problems great role for you if you run away this is probably not the rule for you I'll be really honest you gotta have a lot of tenacity to be successful um you need analytical thinking you got to think through problems you're going to be throwing stuff at the interview you've never thought about and you're just going to have to work through it on the spot like seriously when I first interviewed for a TPM role I still I
will never forget this I had explained the project I was running it was an active directory upgrade pretty standard kind of thing at the time right and the TPM interviewing me is like okay well how do you know if it was successful and like frankly my first response was while we upgraded and we didn't have an outage he's like it's not really a success metric though is it and I was like Oh no you're you're totally right to this day I have no idea what I said it was like this was the most stressful interview I'd ever had but I kind of walked through like well you know thinking about it I would ask stakeholders did we do appropriate
Communications you know obviously it is a success is it wasn't successful or not did we do it on the budget did we do it on the timeline so I kind of walked through and the guy just kept I mean he just kept going at it like what about this and what about that and like I do think just if you can think quickly on your feet you'll be okay but if you're not used to talking about what makes something successful I do think that would be some time to spend you want to demonstrate leadership skills again you're going to have to crowd a bunch of people we talked about a little earlier without Authority again
you have authority please own it um and you really should have security interest or exposure so Raji obviously hires a lot of TPMS and I was asking her for some stories about like what are the what do you what's memorable about candidates and she pointed out something that I thought was really interesting so TPMS really have to listen they really have to engage in active listening and to be frank everyone should engage in active listening but they don't always right and she's explaining that she says great candidate super excited by them and they they weren't listening to what she was asking in the interview in fact they got kind of belligerent and angry at because she
just kind of kept asking them questions you know trying to really understand their answers and she was like all right that's that's neat that's that's not the right person right and so her point was you know if you are in an interview situation you know engage in an act of listening demonstrate like even if you're confused so that you can respond in a way that's super helpful right like oh I'm not sure I understood that question could you reframe it could you rephrase it like people ask me that all the time and I'm fine with that right what you don't want to do is tell the person basically I think your questions are dumb like don't do that
so here are things you don't need you don't need to understand specific technology at the company now obviously if you understand I'm trying to think of the all the like actual programs out there let's say you don't understand jira you've never used jira but if you've used a tool that's like jira like you're gonna be okay right because you can talk through you know how do I think about Milestones how do I think about deliverables but you don't need to know the exact program the company's using and people actually get really tripped up on this they'll write me and say but I don't know jira and I'm like oh my God but have you used Ado have you used anything
what have you used have you used spreadsheets they're like yes I'm like great we'll walk through why that skill set will actually work for jira so don't don't get too upset if you don't know the specific framework or technology um you can learn a new security domain so here's the really interesting thing I think right came from an engineering background I worked really hard to develop those skill sets and I was really good as an I am engineer I mean I was really good I would find problems I would call Microsoft and be like I don't know what to do here's like the 20 things I've done already and they'd be like please hold and I was like oh no I've broken support
um and eventually they would you know find somebody at the company who was a principal and they would work with me and I'd be like great they fixed the thing right and it so I thought I was really good at it I can't go be a different engineer not easily like it was much harder when I thought about like when I wanted to grow I was like you're really cool to go do something else but my background was I am and I knew it inside and out as I said it worked really great for my appsec TPM interview but I'm not convinced that it would have been as easy to move into a different engineering field as it has
been for me to move around as a TPM right so the TPM you know as I said I did I am and then I did appsack and then I did portfolio management that was weird um I did privacy right like I had a lot more opportunities to move around because I had all these other skill sets I could learn the next domain so some examples of what other people have done I had a friend who did security awareness right so that's very much rooted in like teaching people about Basics and security and she was really interested in the incident response and when a job opened up she moved into incident response right like not as an
engineer to be clear again as a TPM but think about it if you're doing education how easy would it be then to move to incident response I'm not saying you can't do it I'm just saying this is an easier path I had another friend who did a developer entry I have a lot of friends who do education I'm realizing all my examples are based on that they did developer education right and so that's all very much about teaching developers you know the basics like OAS top 10 making sure they understand like security policies right and that they can do all that and then they move to the security assessments for m a they're similar but very different skill
sets but again as a TPM you have the ability to move around a lot
I'm really not kidding it is just about anything um I was an engineer that is a very common path I'll be really honest we get Engineers that are just like I'm so sick of building can I do something else and they become a TPM that's what I mean literally that was a conversation I had with a hire manager I said I don't want to build anymore if I never have to be in a data center again I'm good it's cold it's loud it's annoying if I never have to deal you know with the private Cloud because that's what it was at the time there wasn't I mean there was a public Cloud but most of us were you know using
VMware but I never have to think about moving my off physical servers to VMS I'm good I really want to do strategy like I was like I got a roll for you um a lot of people were engineering managers but remember how I said earlier TPM becomes an engineering manager and then sometimes people get sick of Performance Management um I talk about this all the time and people ask me why aren't you a manager anymore I truly hate Performance Management thank God there are people who love it because I hate it I hate it so much it stresses me out I just I I'm not I will Mentor all day long but I don't want to be responsible for the
growth of other humans I really don't and I think some people just get burnt out as engineering managers they you know come up back and be a TPM um you got project manager program managers product managers so sometimes folks will start in a non-technical role right they've got that great like writing background I've got a great education background they can they can really do great communication skills but they need to grow their technical experience and there are people who've done this and I think that's awesome um quality assurance that one probably feels like a left field one but I know people who are like got sick of writing a bunch of QA jobs and decided that they wanted to go
organize humans instead but often what you find is they're just not candidates that fit neatly into another box this is like the everything role the other thing I forgot to mention is it's actually a lot easier to move to TBR TPM in your own company so if it's something you really are passionate about I would recommend just trying to convince somebody at your own company I tried that they told me no so then I went and interviewed at another company and said sure so don't let it don't let someone who says no deter you just find somebody else okay so why I love this job and then I'm waiting I know somebody's going to ask
why I don't do this anymore um there was never a dull moment there really wasn't there were times that I wanted to scream there are times I wanted to literally throw the computer out the window and send like a carrier pigeon saying I quit um it's a trying job at times but it was never dull um you have so many opportunities to grow like please please please if you are interested go read my TL DRC interview I talk a lot about how this role was so critical to my own personal growth I went from being as I said really good engineer to be able to understand how to communicate with leadership and it just it opened
the door to so many opportunities um my path was weird Well everybody's path is weird but what I did is that I am engineer and then I am TPM and an apps like TPM and then it became a security engineering manager and then I was like I kind of missed TPM so I went back did a principal TPM and I was like I don't really like this and then I went back and did privacy engineering and then I really hated that that's a different story for a different day um and then I was like now what do I do and so I interviewed for a bunch of roles and I had like an offer to be a
c-zo and I was like oh I am not ready for that um I had an offer to be a director and I was like I don't think that's a good thing and so I ended up being a principal security engineer again and that's what I think is cool like there is no one-way door right and I used to joke but uh TPM is the only job you are paid to network I'm not kidding like you have to be okay with picking up the phone and calling a random engineering manager a random director a random VP a random engineer another TPM and you have to build your network and get people to trust you and that's what makes this
really cool because you're constantly networking and because you're constantly networking a whole host of opportunities will just open up for you and that is what I have my friends another joke for you [Applause] does anyone have any questions
that's a great question so the question is okay everyone also is just asking comparing the TPM role to the principal security General so I I will get in trouble for saying this I will have other Engineers tell me I'm wrong I think a principal security engineer has to be a really phenomenal engineer and a really phenomenal TPM often you're going to be the person that's advocating for the new thing and you're going to demonstrate how they can do the new thing you're going to run the POC yourself you're going to demonstrate what what does success look like right and so you have to do both as a principal security engineer and I think all the leadership skills you get from
being a TPM make it possible for you to be wildly successful principal engineer that's just my opinion anyone else
oh come on you don't have any oh yeah
uh thank you um are there any obstacles or challenges regarding being a TPM that's unique to being a TPM That You Don't See in other engineering roles or any kind of security role yes um so the reason I have the like just doing X is because often people will discount your your capabilities like they will just assume you are there just like I'll give you an example this engineer pings me on you know whatever chat platform we have I really need a meeting with so and so I'm thinking myself what you don't have Outlook but whatever I'm really good at calendaring no problem I'll schedule the meeting for you don't do that gets worse we go into the meeting
I get a high priority escalation from leadership and at this point I'm no longer paying attention to the meeting right like I'm trying to address what leadership needs because that's way more important than whatever the heck's going on in this room we get done and he's like can I have your meeting notes and that was when I blew a top I explained what my role was and that that actually I think is a real big challenge you will constantly have to remind people why you're there and what value you add which is weird because as an engineer I never had to explain the value I added but as a TPM I always did I politely pointed out that he asked for
the meeting he owned the meeting it's his like why didn't you take notes man late to your meeting um so I think that's the biggest challenge of being a TPM and it was not one I was prepared for thank you any more questions well you can find me on LinkedIn you think of anything else I really hope that I encourage at least one person to consider this role we desperately need more security TPMS I think it's an awesome role so please reach out I'm happy to help you figure out that path thank you Lee [Applause] [Music] foreign [Music] foreign [Music] thank you [Music] foreign [Music]
[Music]
[Music] thank you
[Music] foreign [Music] [Music] foreign [Music] foreign
[Music]
[Music]
[Music] thank you [Music] foreign [Music] thank you
[Music]
[Music] thank you [Music]
[Music] [Applause]
[Music] foreign [Music] thank you [Applause]
[Music]
[Music] foreign
[Music]
[Music] baby [Music]
[Music] don't wanna overthink it baby [Music]
[Music] baby [Music] everything don't leave me [Music] baby [Music] so stand up [Music] thank you [Music] baby [Music] foreign [Music]
[Music]
[Music]
oh [Music] oh [Music] my God thank you [Music]
[Music] thank you thank you [Music]
[Music]
[Music] foreign
[Music]
[Music]
[Music]
moving on [Music] foreign [Music]
[Music]
[Music]
move it up
[Music]
[Music]
forever
[Music]
foreign [Music]
[Music]
[Music] foreign [Music] foreign [Music] oh yeah [Music] thank you [Music] foreign
[Music] thank you foreign
[Music] thank you
[Music] thank you [Music] thank you [Music] foreign [Music]
foreign
[Music] foreign [Music] foreign [Music] [Music] thank you foreign [Music]
[Music]
[Music]
[Music] thank you [Music] thank you [Music] [Music] thank you [Music] foreign [Music]
[Music] thank you
[Music] thank you [Music] foreign [Music] thank you [Music]
[Music] foreign [Music] thank you [Music] [Applause]
[Music] foreign [Music] [Applause] thank you [Music]
[Music] foreign [Music] you're giving me wind away [Music]
[Music]
[Music] don't wanna overthink it baby [Music]
[Music] don't leave me [Music] again
[Music] but I don't wanna miss you baby [Music]
[Music] oh [Music]
baby [Music] don't leave me alone baby you'll get me butterfly [Music] baby
[Music]
[Music] oh oh [Music] [Music] foreign
[Music] foreign [Music]
[Music]
thank you
[Music]
[Music] moving up
[Music] foreign [Music]
[Music]
[Music]
[Music]
thank you [Music]
[Music] thank you [Music]
[Music]
[Music] thank you [Music] foreign [Music]
[Music]
[Music] thank you [Music]
thank you [Music] oh yeah [Music] thank you [Music] foreign [Music] foreign [Music] foreign [Music] foreign [Music]
[Music] foreign [Music]
[Music] foreign [Music] remember [Music] thank you [Music]
foreign
[Music] thank you [Music] thank you [Music] foreign [Music]
[Music]
[Music]
[Music] thank you [Music] [Music] thank you [Music] thank you [Music] laughs
[Music]
[Music] laughs [Music] thank you foreign [Music]
[Music] foreign [Music] foreign [Music]
[Music] [Applause]
[Music] thank you thank you [Music] [Applause]
[Music] thank you [Music] thank you
baby [Music] some kind of butterfly baby
[Music] dream ing in myself
I don't wanna overthink it baby [Music]
some kind of butterfly baby
appetite
[Music] but I don't wanna jinx it baby [Music]
[Music]
[Music]
maybe you'll give me [Music] away guess I'm gonna butterflies [Music]
[Music] some kind of butterflies
[Music]
[Music] oh oh [Music]
[Music]
[Music] thank you foreign [Music]
[Music]
[Music] foreign [Music]
[Music]
[Music] foreign [Music]
[Music] [Music]
[Music]
moving up
moving up alone
[Music]
[Music] thank you
[Music]
foreign [Music]
[Music] thank you [Music] foreign [Music] foreign [Music] oh yeah [Music] thank you [Music] foreign [Music] wow [Music] foreign
[Music] foreign
[Music] thank you [Music] foreign [Music] foreign [Music] foreign
[Music]
thank you [Music] foreign [Music] foreign
[Music] foreign [Music]
[Music]
[Music] thank you [Music]
thank you [Music]
alright let's get started guys so the next talk is the evolution of Mage card attacks and our speakers for today are galmir and Roman Lewinski I'm sorry if I got the name incorrectly but yeah I'm gonna give it to you welcome foreign thanks for coming um my name is and here with me is Roman levowsky and today we're going to talk about the evolution of magecard which is an ongoing research that we are doing for almost three years as part of the talk we'll show you some techniques so the Tucker is due in order to complicate their attacks and make them more sophisticated and healthy to detect let me start with the introducing ourselves so I'm gal I'm leaving the
threat research team of academizing browser protection group woman here is part of the team our main field of expertise is a client-side security everything that happens inside a browser in terms of JavaScript injection and Mage cut obviously but also add injection affiliate fraud attacks info Steelers and so on and also a bit of a phishing detection the agenda for today will be separated into three main parts we will start with a short introduction about Mage card we'll talk about what it is how it looks like and what makes it be so dangerous after that we will get to the main focus point of this talk the advanced attack methods there we will talk about hiding
methods and data exfiltration methods uh we will talk about the differences between them later and we will end up with mitigations and protections so let's start with the introduction to magecard Mage card also called Web skimming or form jacking attack is a kind of attack where the attacker injects a piece of malicious JavaScript code into targeted websites in order to steal their end user sensitive data in most cases we are talking about e-commerce websites where the attacker inject its code into the checkout pages of these website and of course aims to steal the end user sensitive information such as payment information credit card data and so on the attack flow so the end user browsers
online gets to a targeted website and reaches the checkout page there he enters his sensitive information and the JavaScript behind the scenes takes this information and exiltrates it to the command and control server after that the checkout process continue as usual what makes magecult so dangerous compared to other other kinds of client-side attacks so first of all this is a server server side originated attack the attack itself is delivered as part of the site the code itself is coming is any other resource of the website from the server side to the web browser as opposed as opposed of um other client-side threats it usually comes part of malware or malicious extension that installed on the end user
machine here we are talking about something that comes from the server side and infects all the sessions of the targeted website it also sets the responsibility for the attack on the website owners and not on the end user itself second the number of affected users as the attack comes from the server side um comes from the server side every session of the website is infected and in fact every user that will enter is sensitive information into the checkout page will be a Target and a victim of this attack and last this is a silent execution attack it means that it does nothing to the user experience it does not shows pop-ups or things like that on top of
the screen everything is concluded on one single request that is being sent from the web browser to the attack Hills command and control server behind the scenes let's take a look on a very basic attack example so we have here 20 lines of JavaScript codes that perform a generic Mage called attack um at first we registered to an event on the page here we will look for a mouse over event over the submit button in the page when it will be triggered we will start with the data collection we will iterate over all the input fields in the page we'll take their name or ID and of course their value with the sensitive information is part of it and in the end
we'll send it as a simple xhl request to the command control server and that's it we also recorded it here a demo ahead to connect all the points so this is a checkout page as we created for this demo on the right side you can see the attacker's command control server as part of this page we injected the same simple codes that I just showed now I will fill in the sensitive information and once I will hover with my pointer over the place order but then you will be able to see a request being sent from the browser to the attackers the command and control server with all the sensitive information as part of it
uh in a very few words about the infection methods how sites getting infected with Mage card so we see two main vectors of infection the first one is a direct first party infection here we are talking about exploitation of non-vulnerability vulnerabilities and cves that exist as part of the technologies that the website is built with or usage of leaked credentials and tokens and using them accessing storage containers and injecting the JavaScript to there the second Vector is supply chain attacks here we don't Target specifically and directly the website itself we target a fail party vendor or a third-party service that is loaded as part of the site injecting the JavaScript to this vendor and using its
access to the website we actually get access for the malicious script so now we have the basic understanding of what major cut attacks are and let's talk about the main focus point of this talk the advanced attack methods I will say ahead um some of the methods that we will show right now are relevant for any kind of JavaScript injection and not only for magecard but we will focus on the magical perspective of this kind of techniques and first let me start with the hiding methods so hiding methods refer to anything that attackers do in order to implement the attack in a more Silent Way in the website something that will give it a more legitimate sense and
things that will complicated that will complicate the reverse engineering of the malicious code and will help in order to evade from static scanners and I will start with the very basic one I guess those of you are familiar with JavaScript one consider it as something sophisticated obfuscation basically in a language that can take this simple command line and show it like that you can do almost everything and this is exactly what obfuscation is about taking a clear Cod taking its variable names and strings and transforming them in a way that will that they will be less readable and harder to understand and complicating also the code execution flow in order to complicate the reverse engineering of the code
the motivation here is again to complicate the reversal engineering of the code and also hiding iocs that exist as part of it on the other hand as you can see it makes the card look very suspicious here you can see two examples of the same simple chords that I just showed you being obfuscated with two of the most common office schedules in the field and as you can see they look pretty suspicious next we have abusing known Services as you can imagine a major part of the decision whether something is malicious or not is based on where it comes from the domain name that the attack is loaded from and where it sends the data
to where the domain name that it connects to uh attackers use known services in the museum in order to inject the malicious code to the page and use the domain name reputation of these known services in most cases we are talking about tag managers here we can see an example of a real Attack that used Google tag manager in order to inject the image Cloud code to the page and on the first image you can see the actual malicious code is part of the gtm.js tag after that it's been rendered in the page and in the third image there you can see the actual magical request with sensitive information being sent and the initiator is gtm.js Google tag
manager.js the motivation as you can see the initiative of this attack is Google tag manager.com a domain name that um static scanners won't suspect and consider something malicious and it will help attackers in order to evade from static analysis scanners and that's next we have the scriptless infection here the motivation of the attacker is to separate the injection into a loader a very basic one that will bring the actual malicious code as an asynchronous request and then we'll evaluate it on the page as you can see in the example here we have a very basic xhr request that calls and imports the actual code as a NXT child Quest and then evaluate it on the
page the motivation the actual malicious Squad is not stored on a specific file so scanners and static scanners won't be able to take it and analyze it statically and also the request initiator itself in most cases will be the page URL itself as the loader is mostly injected as an inline script to the page and then when it evaluates the code it will remain with its uh initiator so attackers took the idea of separating the attack into a loader and a resource that comes after after it to the next step in what we call Two Steps loaders two steps loaders refer to loaders that bring to the page the malicious Cod not as a clear JavaScript code but there's
something else such as image or a CSS file take a look on the example here you can see on the left side the loader that is injected to the page and as part of it it calls a file named stylesheet.css on the right side you can see the CSS CSS file and theoretically it looks like a valid regular CSS but if we'll take a look behind the scenes you can see that it contains a lot of white space as part of it what happens here the loader takes those white spaces and from them decodes the actual malicious code and then executes it on the page filo is Javascript tag it comes from another resource that later
is decoded and executed on the page one particular use case of two steps loaders is steganography and here we are talking about web skimming magical attacks that inject to the page both a loader and a hidden image and then the loader takes this image and from it extracts the actual malicious code and evaluates it on the page again the motivation is the same there is no specific file that contains the actual malicious code it is decoded on the go as part of the website execution another way to run JavaScript outside of a script tag is running in a non-script tag take a look in the example here you can see an image tag that we created
with a source that does not really exist and we set for this image tag and on Arrow attribute once the image will be failed to be imported to the page this JavaScript will be executed and initiate the magical attack on the page itself static scanners tend to scan the the website and tag only the script tags as part of it in that case we will be able to evade from them as the JavaScript will be run outside of a regular script tag in the page last let's say that I'm a security researcher and I understand that something is wrong about a specific script and they want to investigate and reverse engineer it with so many cases where attackers
injected to the page anti-debugging mechanisms to the to the script sorry anti-debugging mechanisms that complicate the reverse engineering of the code and sometimes even make it impossible to understand what it performs without modifying and removing this piece of code from the injection the most common one is devtool check you can see on the screen right now too techniques that attackers use in order to detect these devtools in the browser in most cases the adapters chair come with a self-destruction mechanism once detected the attack stops immediately removes all the traces from the page and we even saw some use cases where the attacker actually burned the IP address of the machine that we browsed from in
order to make sure that the same code won't be delivered to it again and now Roman will explain you about the data acceleration methods yeah so so on the next couple of slides I will talk about the last phase of typical match card attack which is the data exploration phase so the the idea here is to exfiltrate the stolen data to the command control server of the attacker in a most evasive way and avoid detection so the first technique it's a very common and it used not only in match card but also in other attacks type of attacks as well obfuscation and encryption so the the attacker will try to send the data and obscurely and not
as a plain text in order to make the text unreadable so there are different types of encoding techniques and obfuscation technique encoding encryption techniques one of the most common techniques that we encountered in recent match cut campaigns was or was a base64 encoding in some more advanced cases we encountered even asymmetric encryption uh there is an example here of a case where encryption was used in order to encrypt the sensitive stolen data so the next technique uh uh the usage of websockets so web sockets is a communication protocol for a persistent bi-directional communication between browsers and servers and the attackers the Metro attackers usually use web sockets for two main purposes the first one is to fetch the
malicious code and the second one is to exfiltrate the stolen data using the same websocket channel that created in order to fetch the malicious code it's considered a less common and more discrete uh network network transmission NPI and compared to a traditional transmission request like transmission method like the xhr and fetch request and this way the attackers can in some cases evade beta form evade better from static security Security Solutions and static scanners that may run on the affected page uh regarding the one one more word about their example so the example here uh uh illustrate how websocket is connected is initiated on the page and uh the the websocket channel That it creates and
used in order to fetch and exported the data uh the usage of the next technique is a the utilization of HTML tags so this technique uh the main advantage of this technique is that the attackers use uh um HTML tags like image tags anchors and links and links um those those type of tags initiate Network requests the attacker use the stacks in order to uh exfilter the data they're doing it by concatenate the stolen data the sensitive data as the query param to this requests to this type of requests and this way they the the the network request will be sent to the command control server of the attacker uh the main advantage of of this technique
is in some cases it can bypass content security policy restrictions that usually Target script domains and there is an example here that illustrates how how this how this technique is works so there is a malicious code in this case the malicious code is obfuscated you can see it creates an image tag where the SRC points to the command and control server of the attacker and the stolen data attached to to the query params of the request as a base64 encoded string once I decoded the the string you can see the in clear text the data that that is sent out to the attacker uh the next technique uh so there are cases in many cases
websites usually e-commerce websites but not only uh use uh third-party services for their checkout process so in such cases they doing it by uh um by the usage of iframes or some external third-party pages in such cases the attacker the the malicious code that injected by the attackers won't have access to the sensitive fields uh and and there will be no option for the attackers to to read the sensitive data so to bypass the workaround this issue the attackers use a Technique we call fake forms they create the malicious code creates a fake form that mimics the original form that the website is implement the fake form injected as an overlay on top of the original form and once the data is
entered is submitted there the attacker will send it send it back to his command control server the example here show how it's done you can see uh two iframes the top one is the original form which is hidden and the second and the second iframe is an iframe that injected by the attacker and shown on top of the original one by the way this is uh the only technique that actually impacts the user experience since it requires the user to enter his credit card details his personal details twice uh so it's a quick demo from a real uh from a real attack from a real website that was attacked recently that combines all the technique that I
showed till now that I presented up till now so there is a fake form that injected First Once the user submits the data you can see that a websock you can see the websocket channel on the right side the the personal data is sent as a base64 encoded string in this websocket channel and once I took this string and decode it I found out that the request included all the sensitive data that was entered to the fake form the form that you see now on the screen is the original one which presented only after uh the data is submitted the first time on the fake inside the fake phone um the next technique is abusing known
services so the idea here is using a well-known and trusted services uh that uh any like telegram or Google tag manager and use those services in order to expertise the stolen data I created we recorded a quick demo here so you can see how it's done using telegram bot Channel so once the sensitive data on this page is submitted the malicious code initiate a network request that sent to a telegram resource but behind the scenes it's a telegram board channel that owned by the attacker and once the payload arrives the the the the stolen data attached as a encrypted string once we decrypt it again we revealed the data that was sent out uh last but not least the last technique
is uh slow Bridge it's a less common technique the idea here is to split the expectation phase into uh two two steps so the first step will be on the sensitive page itself once the sensitive data the credit card data for example will be will be entered into the form uh the malicious code will save it temporarily in one of the available available browser storages like session storage it can be a local storage or cookies in some cases um and then the malicious code will wait for user navigation and only after the user navigation uh the malicious the sensitive that the malicious code will read the data from the the browser storage and send it back to its
commandant control server uh it can be a good technique uh to evade from Security Solutions that usually run in a more strict way on the sensitive page itself like the login page or checkout page so this was the uh Advanced expectation techniques uh the last the last part I want to talk about the protection and mitigation uh techniques so we split them into two three main groups in browser Solutions all browser Solutions and random solution as a side note I will add here that the latest PCI DSS security regulations that released May last year now requires each and every company or website that process credit card payment data to implement uh security measures and solutions against match card
so the first group uh what we call in-browser Solutions so when was the solutions uh two main technique two main mechanisms are content security policy headers I mentioned them before and sub resource Integrity so this mechanisms can provide some some uh some protection against match card the main disadvantage is that it's hard to maintain them each and every update inside the script or each and every new script that added to the page will require some updates sub-update in those mechanisms they are not running in the same context as the page and they won't provide protection if the malicious code injected is part of a third-party script that a legit third-party script that are running on the page over the solutions
we are talking about scanner or sandboxes that are external to the browser and they are trying to scan run synthetic sessions and scan the website the many disadvantages of this group is that in some cases in many cases we encountered bot detection mechanisms showed some of them that implemented in order to detect scanners and the second advantage that in in case of session sampling um the scanner may miss uh the scanner miss the execution of the malicious code uh the last group runtime solution we are talking about JavaScript services that are loaded as part of the page together with the page they are running on real session on in the same context um they have the ability to detect
suspicious behaviors like interaction of malicious scripts with sensitive Fields different anomalies and other suspicious indicators they're running in real time and in runtime and this is why they are considered a very effective one of the more effective type of solution against match card um that's it thank you very much hope thanks for listening hope you enjoyed [Applause] due to time constrained we won't be doing questions but thank you Roman and Cal [Music] foreign [Music] foreign [Music] thank you foreign [Music]
[Music]
[Music] foreign [Music]
[Music] [Music] thank you
[Music] all right [Music]
[Music]
[Music] thank you [Music] foreign [Music] foreign
we can test it can turn it on can you guys hear me okay okay
[Music] it's not working
I'm fine I'm good okay welcome everybody this already looks so fun so I'm just gonna introduce the dog so that today's topic is wrangling cats how we coordinate red team testing and uh please welcome our speaker Jennifer trevan
well welcome everyone so as you see this is like one of the best commercials that was in super Super Bowl like history this is from EDS like back in the day so Super Bowl 34. cat herders by EDS all right so if you haven't done so already uh please pick up a pair of cat ears so you can listen in and participate so Ringling cats how we coordinate red team testing I use the word we because all of us can Wrangle cats so disclaimer the views of this presentation are mine and not of my employer so just keep that in mind my biography I've been in technology for about 28 years I've been a project
manager for 18 of those I've worked for Fortune 500 companies in technology telecommunications Financial Industries currently for the past four years I've been on a red team providing Administration and coordination for well for red team for a financial institution the goals of this presentation are during the presentation you will learn how to use jira to enhance the organization of assessments and connect with business partners collect key performance indicators and execute an end-to-end process before we proceed any further we must name the star of the show now she was up here she's right over there she's kind of migrated over there she's hiding because she sees the carrier so we must name her so earlier today
in the Middle Ground you might have seen this box here for some suggestions of names I received like 130 suggestions now Army trained I don't know if they're in the room they were definitely in it to win it because they submitted 97 of them so you know they really wanted to win yeah um so the two that I chose out of the 130 that were submitted were gritty Kitty she finds her shitty I don't know if Tom I know if it's June or Jun if if that person's here okay and then Army trained submitted well like I said they submitted 97 but one of the ones that spoke to me was Katniss everclean so is Army trained
here nope okay well all right so um those are the two that won the Box round but I also want to open up to the floor is there anyone else here that had suggestion if you want to hold that up suggestion to name the star anyone have any suggestions anybody princess okay you got princess had exactly like this she her name is Bella Bella okay princess and Bella spring did you submit one as well I think I saw sprinkles okay what was that that's a lot that's a long name so Princess Bella spark you said sprinkles say I think Sparkles and then Advance okay all right anyone have any anyone uh want to vote for the names that we
called out here you got princess Bella Gaga sprinkles okay sprinkles and then advanced pumpkin I don't know okay looks like sprinkles one so sprinkles is the winner you get to upgrade your cat ears to a LED one yeah no that's good yay sprinkles okay so now sprinkles now the star has a name sprinkles all right here we go all right so now that the star is named she's going to want to visit everyone so here she comes she's going to come around and visit be nice to sprinkles and she'll be nice to you all right so now in true Las Vegas fashion everyone have their cat ears on let's get ready to Rainbow okay here we go
all right where are we at now all right so I had that up the whole time like I did I keep going back and forth sorry was that up before no is it before okay all right so cyber security testing can be challenging can be a challenging Endeavor introducing an additional layer of complexity to use this complexity a dedicated resource can use jira to organize red team activities this will allow researchers to then focus on their research as well as their testing some of the activities this dedicated resource can take on are initial onboarding of the request prioritization scoping resource allocation training account provisioning and removing obstacles this will result in areas of improvement or key performance indicators being
employed through reporting from fields in jira some of these are efficiency by reducing assessment timelines speed by increasing the number of Assessments being performed communication by delivering findings to the customer transparency by providing detailed findings and recommendations for remediation customer satisfaction by giving a customer a sorry a voice due in the entire process
all right my thing is not there it is okay the Indian Pro the end to end process developed was for red teams to assess new technology that lines of business want to deploy as well as internal customer driven requests and individual research interests requests are submitted through a customer portal or internally and then prioritize scoped prerequisites are completed testing occurs and then findings are reported and debriefed with the teams responsible for remediation kanban boards in jira were then used to provide a visual aid to show the progress of the red team activity so now let's see what that looks like in the real world by showing what future story activity and test issues in jira
look like so since I was not able to present current production issues for my employer I created my own so now we're going to embark on a visit to the veterinarian you will see three ways a kanban board was can be used to show juror issues within the 2023 veterinarian visit the first one is a full board with one created quick filter so that shows the issues only assigned to that person from the filter the second one which is down here um it doesn't have any quick filters created it's just the only person that's logged in will be able to see their issues and then the last one has a has about 10 quick filters
actually done for each person's name so when you click on each one of them you'll be able to see their actual issues that they have for organizational purposes okay now we're going to dig a little bit deeper into the what the actual issues look like so the first one is a feature so you can kind of think of a feature as kind of like a program the overall arching effort that's being done so for this example we're going to take the cat to the vet so it's 2023 veterinarian visit now we'll say in technical terms we could say this was maybe like a hardware feature so just Hardware in general if you want to like
similar so and then the next one which is so it goes feature and then underneath it is story so it's uh the story is a child of the feature so in this instance of the vet visit cat wrangling is the story now in the hardware feature we could say ATM I'm going to pick ATM because so ATM and then underneath the story we have individual activities that need to occur so in this instance reveal carrier so here's one of them now in the hardware or we'll say the ATM story maybe one of the activities could be research ATM models I'm just going to kind of throw that out there that could be one of the stories or one of the
activities you can do so another activity in the veterinarian visit is locate the cat well you've got to locate the cat to take it to the vet so that's another activity you got to do so you got the carrier you got the cat now in the ATM Story another activity you could do is maybe like research known ATM vulnerabilities that could be a good one you could do maybe duh maybe possibly and then last but not least and you see how all these which you might have seen all of these are actually linked together so you can find the ones that are actually um part of that we'll say feature so the last but not least is the actual
test well when we locate the cat we've now our test is can we get that cat in that carrier I don't know sometimes it's very difficult to do and then you got to get to the vet so that's going to be the test for this example now for that we'll say ATM story that I was mentioning beforehand of course the test would be you know to test an ATM so that would be how it would link to what you what you guys probably already do so all right so now that we know which issues are needed in jira let's see them in action for those that love the movie say anything I don't know if we have any say
anything fans I don't know if we have any Europe fans the ban Europe because we're about to do the final countdown [Music] you're gonna do old school say anything laughs you can hear it [Music] nod your head sing along get up and dance whatever you want to do there you go clap there you go all right there we go so Final Countdown here we go number three was reveal carrier so there's number three it's actually in the done column of the kanban board because it's been here the whole time all right two so well there it is real good number two locate the cap is now in progress there it is I see it all right we've
located we've located sprinkles I should say sprinkles all right and there's my cat Tindall I've located her as well um and one is now it's ready to do the test so the test should be in progress now which is carry insertion and Expedition and Expedition you see one all right so we've located the cat I should probably go get the cat which I'm gonna go in front of my screen here and get the cat so just bear with me for a minute I thought she might still be traveling around so here she is I don't think she's seen the carrier yet I don't know she might get scared so oh oh oh oh oh oh oh oh oh oh okay
okay okay okay maybe maybe we should hide her maybe she's maybe uh this is like sneaker in there maybe so you know it's like she's not happy about it so here she is okay okay oh so you know now we actually get to take her to the bed so on the way to the vet oh my dropper so she's going to the vet and now that we have her in the carrier she's on the way to the vet she's actually gone to the vet our findings were that she's healthy everything is good she's all good all the the features done the story's done the two activities are finished and the test is done so all everything's
closed out of that particular we'll say effort and thank you if there's any questions you know please feel free to go ahead and ask me or hit me up on LinkedIn but also I want to thank everyone for this is my first time speaking so thank you all for joining me on this adventure thank you very much thank you thank you and and everyone have a great rest of hacker summer camp thank you any questions all right thank you very much thank you thank you [Music] tomorrow [Music] thank you [Music] thank you [Music] thank you [Music] foreign [Music]
[Music]
[Music] foreign [Music]
[Music] thank you [Music] thank you [Music]
hahaha
[Music] all right [Music]
[Music] thank you
[Music] foreign [Music] foreign [Music] thank you [Music]
[Music] thank you [Music] [Applause]
[Music] foreign [Music] foreign [Music]
[Music]
[Music] foreign [Music] you're giving me wind away [Music]
[Music]
[Music] don't wanna overthink it baby [Music]
[Music] don't leave me [Music] but I don't wanna jinx it baby it's not kids [Music]
[Music] my mind [Music] oh my God [Music] baby [Music] don't leave me alone baby you give me rain is
[Music]
[Music] oh oh [Music] [Music] yeah it's ready so this is the last one the best one I hope so the title of this talk is how to have perfect vulnerability reports and still get hacked and our speakers for today is Zach Newman and Luca Guerra welcome thank you thank you so welcome and thank you for staying for the last Talk of the day thanks a lot uh so today uh Zach and I will tell you more about how we can have perfect vulnerability reports and still get hacked because yes we needed someone to explain so I am Luca and I work as a senior engineer at sysdig I during my normal uh work work day I work on a project called
Falco that is runtime Security based but my background is pretty much everything security from security research to engineering so I really feel a bit right at home here at besides and hacker summer camp week so and I have the pleasure today to speak with Zach who is an awesome uh researcher and research scientist at changard a company that does specialize in supply chain security so a lot of the cool stuff that we'll be talking about today and also he he's very expert about crypto where crypto means cryptography so you can take a look at his blogs I I wish I could understand half of them so what actually are we talking about today so today uh
we'll be of course we'll explain how our vulnerability report can be perfect while we get hacked so in order to do that we'll take a look at how this vulnerability reports are produced so what are the uh what are the tools that we use software composition analysis we know we have heard so much about SAS bounces so we'll take a look at that tool and how the whole process works and by understanding how the whole process works we know pretty much where the blind spots are that none of this spoiler none of this technology is perfect but they are actually useful and where so let's get started of course we all love vulnerabilities we all love
looking for them patching them all that stuff and if you think about the time when maybe you you weren't you weren't shipping software to production maybe a happier time I'm sure you were happier I was when I was in shipping software to production I could ask myself how much vulnerable software I wanted in my production environment and of course I want none why which stupid person would ever have vulnerable software especially software that you know it is vulnerable in their production environment well as it turns out really in the real world you can't have that we all know that you can't have a system that
Related talks
51:51
32:48
33:48
54:33
31:06
20:51