
Okay. All right. All right, everybody. Okay. Please welcome Jessica Payne from Microsoft for the keynote.
Are you ready for keynote? Okay. Knowledge is power. But the problem is that we typically think that we have the knowledge gap where the knowledge is bigger on the side of the attacker versus on the side of the defender, which makes us sad. And we also think that we have attackers that are wizards. And we make them seem like wizards because we use certain words about them. We use words like advanced persistent threat or sophisticated attackers. But the reality of this is that the attackers who are going after most networks are really just what I like to call moderately skilled people who know slightly more about your network than you do. [Applause]

Oh, it's going to be one of those types of keynotes. Okay. But this is where we also have a knowledge problem, because we come up with this concept of targeted versus commodity malware and we treat those as completely different categories of what a person would research or what a person would care about. And this is where we cause our own problems, because then we decide that the knowledge of the reverse engineer who was looking at that targeted malware is much, much greater than the other person and therefore they must be a wizard. But the problem is that with the targeted versus commodity problem, it doesn't really exist as much anymore as it used to, because now we have the rise of the off-the-shelf attacker. It doesn't matter if we're talking about some sort of fluffy animal or a numbered group or an element on the periodic table. These people are using the same tools as literally everyone else. A great example of that: literally everyone uses Mimikatz. There is no reason to do anything but use Mimikatz, because Mimikatz has lots and lots of cool features, including the ability to export certificates, including those that have the purely decorative flag of not exportable. But this gets better, because not only do we have Mimikatz, we have an amazing group of security professionals and a wonderful infosec community that really, really, really want to give back. And boy, have they given back. We have Will Harmj0y, who's given us PowerShell Empire, which is very popular with Eastern European crime gangs. We have Jared Haight, who's sitting in the front row, who's given us PS Attack, which is very popular with East Asian crime groups. And we have the lovely gentleman who gave us BloodHound, which is popular with everyone on both sides of the fence. But this doesn't stop, because this is the gift that keeps on giving. Because even if we think about the dumbest stuff on the planet, the stuff that's been there forever and should be disabled if you've been bothering to read anything called a best practice: Office macros. So now you don't have to
bother to load the VBA toolbar, because Jason Lang took care of it for you. And not only did Jason Lang take care of it for you; within 72 hours of Jason Lang publishing this tool, it was used in a state-sponsored attack. Thanks, Jason. But we have other fun things, too, because we have certain people in this community who never give up. These people are really determined. These people have superpowers. These people spend 15 minutes a day looking at System32. I'm talking about Casey Smith, because Casey Smith gave us the great gift known as Squiblydoo. Squiblydoo is utilizing what is called a misplaced trust binary. It's arbitrarily sort of kind of an application whitelist bypass, but what it really is is a way to convince most antivirus products that you're legit. So what Casey learned is that he can take a binary built into Windows, signed by the fine company that is Microsoft, and use it to load arbitrary code. And about 24 hours after he published that, literally everyone started using it. But the cool part about that, and why I love Casey Smith to death, is that we found out that prior to Casey publishing it, a whole lot of people were using it too. Which is a really, really important point here, because of this sort of blending of the lines: I do not mind when a security researcher finds something important, because typically I found after they tell me about it that someone else has been doing it for a very long time. Which takes me to the infosec observation of a very smart person: that if in infosec it looks like a duck and quacks like a duck, it's probably a giraffe and you should reevaluate your best conclusions. [Applause] Because this is so true. Because even if you have a stack full of 0-day, if you can get in using a macro, are you going to waste your 0-day? No.

Because this is the security arms race. And the security arms race is based on one of the oldest professions in the book: crime. Because crime is not going away. And neither is the criminal. They are always going to be motivated, and they are always going to probably care more about getting your target, that you may not even know is inside of your network, that they care about. And this security arms race has moved from spending lots and lots of time developing super special tools to doing what you already have. This is where what's useful for the admins is useful for the attacker. So, if you remember last summer, we had some stuff about things on the internet where you could utilize the Terminal Services Manager console to hijack someone else's session. Now, of course, this is in the you-already-had-admin place. But this is where something that's useful for an
administrator is very, very useful for the attacker, because you can just use built-in stuff and dump their credentials and do whatever you want. And this takes us to an amazing term called living off the land. Living off the land was coined by someone named Matt Graeber, and he came up with that term when he was talking about using WMI and different parts of the operating system in order to not drop arbitrary binaries onto disk, and it's gotten bigger ever since. Thanks, Matt. But living off the land doesn't have to be something that's just for the attacker, and it doesn't have to be something that scares you. You can do it, too, because you can utilize all those tools as well.

But this takes us to a concept that you may have heard of. You may have heard of the concept known as assume breach. But what does that mean? What does assume breach mean? Assume breach is about the difference between time to compromise versus time to goal. In an attacker's mind, time to compromise is not a big deal. It's getting someone to enable macros. Getting into your network is very easy. The assumption is that there is at least one machine on any given network that is in control of an attacker utilizing commodity malware. If you spend most of your time in an IT department, you will see lots and lots of alerts in your antivirus console for detections like Donoff or Qakbot or Dridex. And these are just detections that have funny letters in them, and then they wipe the box and don't worry about it. But one thing that's kind of a commonality between all three of those is those are generic detections. They just say it behaved like something. And all three of them have something in common, which is they behaved like something that had system-level access to all of your credentials, which is a really good thing if you're a targeted attacker. And so if I'm a targeted attacker and I've utilized something that pops up onto a console as commodity malware X, and the help desk's response is to just format the machine or let AV clean it because it's just commodity malware, do you think we've ever done deep forensic stuff on that machine? Do we ever look where those credentials went? Qakbot moves about networks laterally. Does anybody know what Qakbot is? Does anybody know what Qakbot malware is? It's malware that's been around for 10 years that steals your credentials and moves laterally in an automated fashion. It's not nearly as cool as the new modern stuff, but it's been doing it forever, and people just flatten the boxes when it happens. Nobody ever looks at a detection that comes up as Qakbot and says, "Where did my credentials go and what did they do with them?"

So this time to compromise, if you're an attacker, is not really relevant. They assume that it's any time they want to. The metric that you need to worry about as a defender, and the metric that if you are a red teamer or an adversary emulator you need to be testing your environments on, is the time to goal. How long does it take you from getting an arbitrary person's just regular end-user workstation in a network to get to the keys to the kingdom, the formula for the soda pop, their plans for the fighter jet, or their email? Because there's lots and lots of targets there that you may not know about. That's the metric that matters, and that's the metric where you can hit an attacker where it hurts.

Because let's think about the power of authenticated users. So, if you stop by the Trimarc booth and talk to Sean Metcalf of adsecurity.org, you can impress him by knowing what authenticated users are, because in Active Directory there's a group called Authenticated Users which is literally every computer and user account in Active Directory. That's right, computers are people too. But if you have even one of those accounts in a typically set up Windows network, you can utilize just this regular end-user account to figure out who's in the membership of the local Administrators group on every single computer in the network. That's pretty powerful. So I don't need highly elevated access.
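The point being made here, and in the "15 admins versus 879" story that follows, is that the real administrator population is hidden behind nested groups, and that anyone who can read group membership can compute it. The Python below is an added example, not code from the talk or from BloodHound: it runs that transitive expansion over a small constructed directory (every group and user name is made up), counts direct versus effective administrators across several admin-equivalent groups, and reports the nesting chain that explains why a given user is an effective admin. In a real audit the group-to-members mapping would be built from each group's member attribute (over LDAP, or with Get-ADGroupMember -Recursive), and the same expansion applies to a workstation's local Administrators group once its domain-group members are resolved; the visited-set handling is there because nested groups in real directories do loop.

```python
"""Effective privileged-group audit: added example, not code from the talk.

Constructed sample directory below: every group and user name is made up.
In a real audit the mapping comes from each group's 'member' attribute
(LDAP, or Get-ADGroupMember -Recursive).
"""
from collections import deque

# group -> direct members; a member that is itself a key is a nested group.
DIRECTORY = {
    "Domain Admins": ["alice", "bob", "Tier0-Ops"],
    "Administrators": ["Domain Admins", "Enterprise Admins", "Server-Ops"],
    "Backup Operators": ["Backup-Team"],
    "Enterprise Admins": ["carol"],
    "Tier0-Ops": ["dave", "erin"],
    "Server-Ops": ["Helpdesk", "frank"],
    "Helpdesk": ["grace", "heidi", "ivan", "Helpdesk-Contractors"],
    "Helpdesk-Contractors": ["judy", "Helpdesk"],  # nested cycle: must not recurse forever
    "Backup-Team": ["mallory", "Server-Ops"],
}

# Groups that confer admin-equivalent rights; the count has to be taken over
# all of them, not just the one labelled Domain Admins.
PRIVILEGED_GROUPS = ("Domain Admins", "Administrators", "Backup Operators")


def direct_members(directory, group):
    """Users listed directly in the group: the number people usually answer with."""
    return {m for m in directory.get(group, []) if m not in directory}


def effective_members(directory, group):
    """Users reachable through any chain of nested groups (BFS with a visited set)."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in directory.get(queue.popleft(), []):
            if member not in directory:
                users.add(member)
            elif member not in seen:  # unseen nested group: expand it once
                seen.add(member)
                queue.append(member)
    return users


def membership_path(directory, group, user):
    """Chain of groups that makes `user` an effective member of `group`, or None."""
    parent, queue = {group: None}, deque([group])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, []):
            if member == user:
                chain = [current]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            if member in directory and member not in parent:
                parent[member] = current
                queue.append(member)
    return None


def privileged_principals(directory, groups=PRIVILEGED_GROUPS):
    """user -> set of privileged groups the user is an effective member of."""
    result = {}
    for group in groups:
        for user in effective_members(directory, group):
            result.setdefault(user, set()).add(group)
    return result


def admin_counts(directory, groups=PRIVILEGED_GROUPS):
    """(direct members of the first group, effective admins across all groups)."""
    return len(direct_members(directory, groups[0])), len(privileged_principals(directory, groups))


if __name__ == "__main__":
    direct, effective = admin_counts(DIRECTORY)
    print(f"Direct members of {PRIVILEGED_GROUPS[0]}: {direct}; effective administrators: {effective}")
    for user, groups in sorted(privileged_principals(DIRECTORY).items()):
        via = next(g for g in PRIVILEGED_GROUPS if g in groups)
        print(f"  {user:8} via {' -> '.join(membership_path(DIRECTORY, via, user))}")
```

On the sample data the answer to "how many Domain Admins do you have" is 2, while the effective administrator count across the three groups is 11, and users such as judy reach Administrators only through a help-desk contractor group nested three levels down. The same function run over a real export is the defender-side version of the check the talk describes attackers doing with an ordinary authenticated account.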
Because I can utilize other tools to show me what I can do there. And this is where BloodHound comes in. So when Andy and all the other people wrote BloodHound, they were nice enough to produce some screenshots for me. So what BloodHound does is it shows you how you go from an authenticated user to the goal. So in this instance, you can see that almost everybody that works at whatever company this is has access to the goal. That's pretty easy. I can go from authenticated user to what I want in no time at all. Right? But sometimes it's a little bit more complicated than that. To go from an authenticated user in this company to the goal, I do have three or four hops. The fascinating thing about this company is, if you asked them how many administrators they had in their network, like domain admin level or, you know, widespread administrators, they told you 15. Who thinks they had 15? They had 15 people in the group labeled Domain Admins. That's not how it works, though, because there's this thing called the Default Domain Controllers Policy which has all these other permissions that exist in it, and then there's some nested groups, and there's this group called Backup Operators, and there's this group called built-in Administrators, and in reality they had 879 administrators. So sometimes you find out surprises, right? But this is what an attacker would find out. You think you have 15 avenues to compromise; you have a highway to compromise is what's going on there. And then there's this one. Don't be that guy. So that is one machine where the guy logs in as domain admin all the time, right?

But let's think about this. If we have these tools that the attackers utilize, that they're off-the-shelf attackers, what's preventing us from checking ourselves before we wreck ourselves? Absolutely nothing. And this is getting easier by the day, because now you can check yourself before you wreck yourself because we have ATT&CK by MITRE. MITRE's ATT&CK database framework. Sorry guys, I don't remember what it's called. Matrix. That's what it is. So if you've ever wondered what an advanced persistent threat does and you think you have to pay a specialty threat intelligence fee, or you're not in the right position at your company to know that, or that must be very hard, or that must be very secret: no, you can go to ATT&CK and you can go look up APT blah and they will show you all of the public knowledge of APT blah. So you can go and you can say, would I detect APT blah? Do I detect this behavior, that behavior? Can I emulate that behavior if I'm a red team? It is abso-freaking-lutely amazing, because it's going to show you a whole bunch of things in your network that you didn't know that you needed to monitor. And it's going to tell you why they were used, not just what was used. Because an event ID or some sort of alert with no context means absolutely nothing. This will provide you with the context of why they used it versus something else. Hugely helpful. And then we have some other companies that are helping out. We have Endgame; Devon Kerr in the front row here, who doesn't want me telling you that, but he's giving a talk at 4 p.m. today. But they built the Red Team Automation framework, and this will actually take the MITRE stuff and run it for you. So you don't have to do work. That's cool. But this will actually allow you to kind of check your own defenses. And that is very, very helpful if you're a small shop or something like that. You know, if you're going to be needing to check yourself, you have to do it in a way that's going to scale. And we also have BloodHound. If the attackers are using it, you should use it, too. As a matter of fact, I hear more people who are network defenders talking about how they use BloodHound to check their network than I hear about red teamers using it. Also, if you want to break BloodHound, it's called the Windows Firewall. Enable it and then block stuff and it doesn't work anymore. You're welcome. But why would I bother to check
myself, assuming that I'm going to wreck myself? Because you are of interest to the attackers. This is a problem that a lot of people have. They look at their network and they say, they're after my fighter jets. They're after my formula for soda pop. Whatever. That may not be what they're actually after. If you're threat modeling your own network, you may not be doing it with the actual attacker mindset. Because let's think about this. We've got some example companies here. My company is just streaming video, or my company is just image hosting, or my company is just some e-commerce, or my company does AV scanning. So if you look at those, just think to yourself for a second: what would be your threat model? What would they be going after in those companies? You have a mental image of at least one of them, what you think they'd be going after, what an attacker would be interested in. Okay, time to check ourselves. Because in the attacker viewpoint, if I'm looking at a streaming video service, which may not be all that interesting to most people because it's cats and video games, I'm looking at a DDoS platform. And that's exactly what I want to use it for. I want to take your massive amounts of UDP packets and I want to turn it into the Low Orbit Ion Cannon. That's the threat model that's useful to an attacker there, not watching the person wearing kitty ears playing video games.

Image hosting: steganography. Who would think that the Instagram with Britney Spears photos would have been used by a nation state? Because guess what? That happened. So there was a set of nation-state-sponsored malware that was utilizing photos of Britney Spears, where the command and control for the malware was encoded into those photos. That's steganography. This is hugely popular in all sorts of types of malware, whether we talk about completely commodity or we talk about, you know, top-shelf type of malware, and the reason is that you can oftentimes get an image hosted on a domain that's trusted by lots of people. Now, if we think about not necessarily image hosting, but comments and forums, there's a report you can read called BlackCoffee, which is by an APT that utilized the forum comments of a very, very trusted domain known as technet.microsoft.com. Because that was not in the threat model. The threat model for TechNet's comments was very, very good at, like, scraping out profanity, scraping out spam or, you know, things like that. Nobody threat modeled, "I wonder if a nation state is going to put command and control in my comments." And that is exactly what they did, because microsoft.com is allowed through even some incredibly secured and locked-down environments. So you can get updates, right? Super clever on the part of the attackers. We have fixed that. Just putting that out there. But you can still do it with a lot of other stuff. This is constantly happening with a lot of these reports that you're seeing coming out now. The Kihoo report, or Qihoo report, that just came out with a Flash 0-day, they were talking about it being used there, that type of thing. So this is very popular.

E-commerce: you probably thought PCI or credit card data. I thought customer recon, because we've recently learned that what people are interested in and who they're friends with is really interesting to certain sets of people. Imagine if you could also get what they buy and who they buy it for and all that different stuff like that. This is actually what we see being taken from e-commerce networks almost as much as credit cards. And in some ways, it's more valuable, because if you're not a top-shelf attacker, if you're someone who's doing work in dark markets and things like that, you can still get great value for a customer database and not have the Secret Service coming and knocking on your door. If any of you are in the audience, thanks, guys.

So, AV scanning. So, if you run a company that does AV scanning or is a software company, there's this concept called a false negative. And if I can steal your trust, if I can get Mimikatz's binary pushed through an AV system and marked as clean, imagine the implications of that, right? So, if I can get access to anybody who's an anti-malware vendor, or someone who ships drivers to an anti-malware vendor, or any sort of software supply chain pipeline where I can inject myself into that trust and then get a false negative, that's amazing. Think about the supply chain attacks that have happened with, like, text editors or accounting software in Eastern Europe. This type of stuff is because they're stealing the trust of that. And a lot of times you're getting past an AV scanning mechanism because your originating binary is trusted. So this is very important. Think about that
because it's not just popping an actual antivirus company here. If I can get into the supply chain of another trusted binary and I can infect that, I also get that transitive trust. So that attacker viewpoint is very important, because what you think is interesting may not be what they think is interesting, and quite honestly, you don't get to determine what's interesting on your network. I'm sorry, the cat pictures are probably not a strategic asset. But that's where stuff like MITRE can help you. Go read those reports of what APT blah has stolen before and learn what your industry might be affected by, because a lot of times we'll have, like, people call us and say, like, I read about this, you know, whatever targeting whoever, and I'm like, are you a whoever? And they're like, no. And I'm like, then you can probably wait for the patch. Because it's really important to know what's coming down the pipeline and who's coming after you and what they're after.

Because sometimes this gets weird, because one of the things that's universally interesting to attackers is emails. And this doesn't just mean reading your merger and acquisition emails between your CFO of company A and B. This also means the transitive trust of email. If I can get into a law firm's email system, I can guarantee that every one of their clients will double-click on that PDF, because that's what you do with your lawyer. You double-click on PDFs that come from them. But if I can also get into maybe a university or a .gov address, there's transitive trust in spam filters implied by doing that. So that even if I am sending something through that might be malicious or might be malware, if it's coming from that transitive trust domain, it's highly, highly helpful. We're not even talking about targeting an individual that you know emails individual X. That's also incredibly valuable. But just saying, wow, I'm whatever.edu. Woohoo. You know, that's going to be a big thing too.

But it is 2018. So it's time to talk about the omnipresent thing, the thing that every attacker is doing, whether they are state-sponsored elite people or otherwise: they're mining. Because all of the mining now is utilizing what used to be elite techniques. We're seeing mining being done with cloud compromises and WMI and all those different things like that. So, they're mining and they're mining hard.

But what about another vector? What about you? I'm looking at you, security people, because security people are a completely different threat model of value. If you are a penetration tester and you have a report of what customer X's network looks like, did you know that'll make like $400,000 on a dark market? And people are actually stealing them when they go in and they're in a targeted compromise and they're in a network. These criminals for hire that sell access to, like, the Fortune 50, they're smart. They're not touching the things that have all of the alarms around them. They're going and they're buying, or they're getting, the network documentation. They're dumping SharePoint. They're getting the pentest reports and they're putting them up so other people that are stupid enough to touch the trip wires around the credit card data will buy it from them. So if you are a security person, whether you are a person who has a bunch of 0-days stocked on your laptop and, you know, has a contact in, you know, security at microsoft.com or secure@microsoft.com, or if you work at an AV company, or if you're a pentester or whatever, there's a whole different part of your threat model that's actually interesting to attackers. And that's a really interesting thing to think about, that I think a lot of us might have the sort of "that will never happen to us" type of thing. That is not true. There's a lot of people who thought that would never happen to them who got their email read by other people. So yeah, be careful of that, because the important thing to know is that your company, your products, your platform, and your assets, which means your human beings, are of interest to attackers. This is not going away, right? It's about figuring out what's of interest and knowing how to protect it.

And here comes a very harsh truth behind that: there's a lot of times we want to blame, you know, crappy software or whatever else like that. But the true fact of this is that bugs are not the main issue in most breaches. Operational issues and technical debt are. I'm sorry. Because a lot of times it's really, really hard to get people in an organization to care about security. It's really, really hard to get them to understand even what is a security priority. I've visited, during incident responses, companies that have had multi-million, lots and lots of money, investments in security, but they didn't have randomized local administrator passwords, which you can do for free,
right? So, they didn't understand what's the right thing to do, what that scale of things that need to happen is. They thought they were doing all the right things. So, this is where it's very, very difficult. But here's a magical thing, because using what you have and knowing it inside and out is what makes you a superhero. Because this is where we can live off the land as defenders as much as attackers can. And this is honestly how my career in technology started, which is the thing that I was quizzing Sean Metcalf about earlier. I had to troubleshoot getting Macs that were using a Heimdal Kerberos realm to communicate to a Windows DFS server, because I worked at a university. That was not easy, because the Heimdal realm was actually from 1983 and we'd never changed any of the krb5.conf type stuff in it, and it wasn't actually supporting any modern enctypes, and 2008 R2 doesn't support it. You don't care. Anyway, moving on. So dealing with that, and dealing with it in a packet capture, and dealing with, like, deep-level inspection of all those different operating systems honestly got me through the next five years of my career. That's where I learned about, like, pfirewall.log and how group policies set things and what a Kerberos ticket looks like and what's in it and all that different stuff that I use every single day. I learned from knowing how to use what I have. And that's really important, because I'm not telling you that you should have whatever by company X. It's important that you think about what you already own. You may have antivirus X. You may have monitoring software Y. If I visit a customer for an IR, this may shock you: the first thing I tell them is not rip out everything and buy my stuff. I say, here are the principles and the tenets of what you should be doing with your thing. If you figure out later that you like my stuff better, that's cool. But there's fundamental things that you need to be doing regardless of your software stack, and you can figure out how to do them in a lot of creative ways. Use what you have to solve your problems.

Which takes me back to Casey Smith. So Casey spends 10 to 15 minutes a day looking inside of System32 and going WTF. Do you spend 10 to 15 minutes a day just being curious about your job? You may or you may not, right? But the concept here is that your attackers definitely are spending 10 to 15 minutes a day at least thinking about how to get into your network. There's a piece of malware called Emotet. And Emotet and a friend of mine are in a, you know, brutal battle to the death, because Emotet changes what it does every single day. And for the most part, we're keeping up with it. But it's really, really funny, because it will, like, just do dumb stuff one day and then it'll do really smart stuff the next day. And it's specifically doing that to try to throw off machine learning, which is incredibly clever. So, it'll go from, like, you know, just attaching really, really dumb-looking PDF attachments, or just, like, telling people to click on a link that leads directly to a portable executable that's malware, to using, like, sophisticated Office hover-over PPT type of stuff, all in the same week.
So your attackers are definitely trying to spend more than 10 minutes a day trying to figure out how to get into your network, even the ones who aren't very good. So, you need to become a pull learner. So this concept between push and pull: it used to be the case that you could go, like, once a year to the conference held by whatever vendor is the most predominant in your environment, and they would teach you everything you needed to know for that year, and you would go home and you'd be like, "Yes, I'm going to use whatever version 2012 and I know how to use it now." That doesn't work anymore. And that doesn't work anymore for a lot of reasons. One of them is software release cycles, whether they be open-source or, like, even Windows. Windows 10 does not release the same way other Windows used to. But also the release cycle of security. The release cycle of security is, like, hourly, maybe minutely, because I can go from having a really, really good morning and, like, hanging around at my house and petting my dog and thinking I'm going to go to work late, to oh crap, everything's on fire. And that's, like, within the space of, like, stirring the Earl Grey. So this is really, really important: we have to be able to seek out knowledge, and we need to be able to seek out knowledge aggregators that can help us, because it's impossible to know everything and it's impossible to keep up on everything. But this is where, like, finding sources, whether that be MITRE or whether that be something like an infosec Twitter account, or, you know, just know what your good sources are and figure out what you want to learn about. But you're going to have to go out and learn about it, right? You're going to have to pick topics, which is where it kind of helps to have a mentor or a tastemaker or somebody like that kind of leading you along that isn't necessarily your boss, because your boss has different priorities that are coming from their CEO, that are coming from billboards, that are coming from the nightly news. So, those may not be the priorities that you would like to have in mind. It is important to be able to answer those priorities, though, because we do a lot of giggling about people we think are dumb in this industry and we do a lot of sneering at certain conferences that we think aren't important. But if you want to change those people, and you want to change how they talk, and you want to change what they think is important, you have to talk to them, and you have to be able to know what they're talking about and what their questions actually are.

So, it may be helpful to actually be a pull learner of what those people care about as well, because knowledge alone is not enough. If you're the smartest person in the room, you're in the wrong room. That's the thing. We all know that, right? But knowing everything and not being able to apply it to real problems is also a horrible, horrible thing. You may know the magical secrets of a 100% secure network. I can guarantee you that absolutely no one will ever be able to deploy that network and still do stuff. It's not that you have to make compromises. It's not that you have to say, "Wow, yes, I absolutely love that MRI running Windows XP that just got malware on it that hasn't been updated since 2016. That's cool." No, you don't have to accept that. You have to be able to say, "What does this business need, and why do they need it? And how can I help them do that?" Because if you've become someone who uses knowledge and learns to use what you have, you can take that $40 million MRI machine that saved somebody's mom by diagnosing cancer three months earlier, and you can put a Linksys router in front of it to prevent people from getting to SMB1. $45. That's one thing you can do if you know how to live off the land as a defender. So that knowledge is not enough. Know
what you can apply to things that need to happen because there's this magical component of security that you never see on a billboard in an airport and that's humans and humans are a really really important part of it. Most of you are probably humans. Maybe not you, okay? But the human being is not a rational creature. It sorry. Um, but humans have a lot of different priorities. And it's important to understand that what we do as a security person is to serve humanity and not in that it's a cookbook way, but security has human consequences. A lot of times you may be thinking, "Ah, sweet attack, man. And look at that. That malware is so cool. I'm going to
tell you a story about my very first major IR where uh I literally was sitting there saying, "Oh, wow. What cool malware." And then I realized that what the attacker had taken off the network were the home addresses of dissident in a certain country. And then I went home and thought about what that meant because I'm sure they weren't sending them flowers. So there's a human consequence to what you see. And there's a human consequence even if we're talking about incident response. If you're an incident response customer, it's not your first goat rodeo. You see this every week, right? But for them, it's the worst day of their life. They literally think their lives are coming to an end. They think
they're getting fired. They're not sure if their company's going to be in business. They're not sure if it was their fault. Or if we think about less businessoriented compromises, think about the human beings that the EFF writes about. When we're targeting dissident in certain countries and we're putting malware there, right? There are human consequences to these actions and there are human consequences to what we talk about and how we talk about it. And a lot of times it can seem like fun and you might be able to say something like, "I would never want someone to detect my elite attack because I like it." But the problem is is just what we went back to
earlier is when you tell me about your elite attack, I found out someone else has been using it for a year and where they use it. And this is where we find that they're using it to hurt human beings. So let's think about the humans and let's listen because it's really really important to listen to the human beings and make sure that you're not just hearing but you're listening. Raise your hand if you've ever been in a meeting and thought this person is stupid. Some of you are lying by not raising your hand. Once upon a time uh I received an email from another consultant at Microsoft that said, "This customer is dumb." And I read the email because I'd met this
customer and I'd spent a lot of time with them and I knew they were not dumb. And I realized that the person who read the email didn't know what the customer was talking about because the customer was asking very very pointed questions about an attacker group that had been active in their network and technology they had in their network that this person didn't know about. If you've ever assumed someone is dumb, maybe you should make the assumption that you don't know what they're talking about and ask them questions. I do this all the time. I work for a person who developed most of the kernel mitigations inside of Windows, but it's his first goat rodeo as a threat intelligence
manager. We spend most of the day assuming that each other is smarter than the other one. Uh, and then we talk about it, right? But that CEO or that lawyer or that doctor or whatever, they're smart people. They got there by being smart. And they're smart at what they do. Listen to what they're telling you. Or if it's someone who uses a different platform than you, listen to what they're asking about. You can totally translate McAfee antivirus to Sophos to Symantec to Defender mostly, right? You can think about the concept the person is telling you. A lot of times people have a hard time understanding that they're asking for a certain feature because they need it
based on what they've been using. Make sure you're listening. Make sure you're listening not just to the warm fuzzy parts, but to what other people have to say, especially on the internet, because we're all jerks to each other on the internet. And I'd like that to stop because if we look at infosec Twitter, uh how often have you looked at someone on infosec Twitter and said, "I think that person is stupid and I'm going to quote retweet them and tell them what I think." Or more importantly, people that quote retweet you and are super creepy. Those people are weird. Um, but these are really good rules that Matt's put out here for life as well as your
career, right? When you're reading something, uh, when you're reading a doctor in a hospital saying, "I must be domain admin." The person is not stupid. What's the nuance? The nuance is that when they removed domain admin from him, he could no longer treat his patients. That's the nuance, right? Does your firmly held opinion hold up to scrutiny? Uh, there are many people who run around turning off the Windows firewall because it breaks things. I will scrutinize you, but most people are not dumb. Opinions are formed as a result of your experience. That's a great way Matt phrased that there, right? Your life is not my life. My life is not your life. All of us have had different stuff we
bring to the table. And that's what's freaking amazing about the security industry. You do not have to have a degree to be here. You do not have to have gone through a puppy mill of schooling. You do not have to be group think. We come from different countries, different backgrounds, different ethnicities, different places, different militaries, different whatevers. And some of us are college dropouts. So this type of stuff that we have, we are forming our opinions as a sum of our experiences. My experience is different than yours. That doesn't mean it's better, right? So let's try to bring that to the conversations and how we build security. And as you go through this whole conference, when you sit in
talks, think about how to apply that to the talks that you're here for, because we don't want to do this. We don't want to build our own infosec echo chambers, which we're all at risk of doing, right? We have our friends, we have our heroes, we have our idols, right? But who's bringing a different opinion to the table, right? Make sure that you're actually like being able to hear stuff from other people, other people that might have different opinions from you because honestly, that's what's going to teach you how to better secure your network. I spend a lot of time doing things that are not Microsoft related. I know that may shock you. Uh, but it teaches me a lot of
principles that I can then bring back and I can translate. It also makes me really, really valuable to my customers who do not have absolutely all Windows devices. I can speak Cisco. I sort of took a CCNA test one time. I know what a VRF is. Do you know what a VRF is? A VRF is magical. It is a magical unicorn because if you go to your network guy and ask for a layer 2 extension between two data centers, he will tell you lots of swear words because a layer 2 extension to get network segmentation between data centers costs, I think, $3 million on average in equipment. But if you ask for a VRF, it does almost the same thing
because it's a layer three running off a router, but it still provides you with network segmentation. Your network guy will hug you. So, this is that sort of thing of like breaking out of your echo chamber gives you the power to actually get what you want because all you want is a freaking different subnet for your printers than for the rest of your workstations. And all you needed to learn was VRF because we all have brains. We love our brains. Our knowledge is different, but we need to come together. And as we come together and we share our knowledge and we work together, it's going to get a lot better because what we can do is we
can uplift people and we can amplify them. And what do I mean by this is I mean uplifting people and introducing them to what we do. I grew up in the middle of nowhere. There is literally no one else there who even knows that you can actually work at Microsoft. My niece's guidance counselor once told my mother, "She doesn't work at like the real Microsoft, does she?" And then he was like, "So, does she teach people how to use Word?" My mother did not kill this person. Uh, just want to put that out there. But there are places, whether they be inner city or they be rural or whatever, where people don't even know our jobs exist.
And imagine all they could bring to the table from their different backgrounds and experience. So, we need to uplift other people. How many of you have a mentee? That's less than half the audience. Raise the hand as having a mentee. How many of you have a mentor? Those are the same hands. So, what I'm seeing is we have some places that have organizational structure around uplifting other people. But a mentee and a mentor relationship doesn't have to be official and it doesn't have to be a lot of work because there's a difference between mentorship and sponsorship. Mentorship is where you actually go teach somebody how to press the keys on the keyboard type of thing.
Sponsorship is where you say that's Mary and she's freaking awesome at application whitelisting because she is. So if you'd like to talk about application whitelisting there she is. That's sponsorship. So that's uplifting people and getting them the opportunities. Uh there's a couple of conferences that have happened in the past year that I haven't spoken at, but I was responsible for more than half of the talks that were submitted there because I cajoled people into doing it. So that's what uplifting is. And there's amplifying, right? If you come across something that is completely awesome and you're like, "This helped me." Amplify it. Get other people to understand it. Because that whole thing about like if you are asking a question, it means
someone else had the same question as you. Like every one of you who came up to me and said, "Thank you for the Windows firewall. Thank you for the Windows event forwarding." Those things exist because they didn't exist for me. I have to tell you how hard it is when it's 2 in the morning at a customer site and I Google Windows event forwarding blah and my name comes up. I'm like, "No, she doesn't know." So, we need to amplify and we need to get that information out there because other people have those questions too. Because this brings me to one of the greatest superpowers and it's something that became a buzzword that got used
incorrectly I think which is cyber hygiene. Superpowers personified because in my opinion it shouldn't be called super or cyber hygiene. It should be called building the attacker's playground because you have control of your network destiny. And this is what that cyber hygiene actually means. It doesn't just mean installing patches because you can't patch sometimes. So if we think about a typical network design, how most people are laid out, it's what's called a flat network. And remember this time to compromise versus time to goal metric. If you have that flat network design, there's nothing standing in the way between the attacker and his goal. But let's think about how we would design a cyber hygiene network
or as I call it the attacker's playground. So what we would do is we'd start to put a little bit of speed bumps in the way. So we might patch, we might randomize local administrator passwords, we might, you know, disable some of the things that are available uh like through the old legacy group policy settings. We might enable the Windows firewall uh you know various things like this. Get some monitoring in place and then what happens is you get monitoring opportunities. Now note that that does not say stop the attacker and make them go home opportunities because that's the debate that I think a lot of people were having about the cyber hygiene thing is
that no it is not about that they do not hit the first speed bump because you bothered to patch your machines this week and go home. I know that and yes they will elevate their privileges and they will keep going. But look at every one of those things because if you have a firewall that prevents 445 and 139 communication among your Windows hosts and then suddenly somebody tries to do it, ding ding ding ding ding ding ding ding. Or if somebody starts to clear the event logs on your machines, that's where you start to get monitoring opportunities so that you realize you have a highly skilled attacker in your network. It isn't about cyber hygiene
magically fixing things because you did one thing or you followed best practices. It's about you understanding that it's just going to slow them down. But here's the bad news. The news that you do not see in airport ads. You can't just buy this. You have to build it. This is something that you have to develop superpowers and build into your network regardless of what the architecture of your network is because it also requires building the human beings because knowledge without context. No matter how many red alerts I pop up in your console, if you don't know what they mean, they mean nothing to you. I have seen so many intrusions where we've gone back and we've looked
at the logs and no matter who it was, they smashed, grabbed, and ran out the door with the data. There were all the events that happened about it and nobody did anything because they didn't know what they meant or they spent a lot of time trying to figure out if it was a red team because you have to build it and you have to build the people because what you're doing here is you're taking lemons and you're not making lemonade, you're making fighter jets. So, I use this slide a lot, which conveniently looks like the Microsoft logo, but there's components of a holistic security strategy. Thank you. It took me like four minutes to make this. Uh, it's called credential
hygiene, which means don't have the same password everywhere and don't log in with highly privileged accounts. Don't sudo to root constantly. Uh, don't have MySQL running as a root account. Uh, don't put everybody in wheel. This stuff applies everywhere. Network segmentation. That does not mean run out and buy a bunch of Cisco firewalls unless Cisco is sponsoring this conference. That means having some layer of speed bump, usually host firewalls or you could bring in that VRF type of thing. Not just having everything be one big network. Do not let workstations talk to each other on 445 and 139. Least privilege. Don't run things as extreme administrator, right? Because you want to expect that stuff's going to get
compromised and you want to limit the damage. And then there's targeted monitoring. There's a difference between like regular monitoring and targeted monitoring. Regular monitoring is where you get all the data coming in and you don't know what it means. Targeted monitoring means you start with like 10 alerts that you know are known bad things and you start from there. That's what that means. But this is also a strategy that applies to all sorts of flora and fauna. It does not just apply to Microsoft. So this is something that will apply across the board if you think about things as principles and it's really important to think about your security principles and your security promises because that's
what allows you to support different vegetables and animals. But because if we think about mistakes that can get made, think about targeted monitoring, right? This is my Venn diagram of common monitoring strategies where people either monitor all the things or none of the things and there's nothing in the middle. And there's a great example of this that happened which cost lots of companies $70 million and that was Petya. So the Petya ransomware, we called it new ransomware old techniques for a reason because the Petya ransomware did something called wevtutil cl security. This is where you clear the event logs in the noisiest way possible and you never ever bothered to learn how to do anything different.
I'm sure they knew how to do something different but they did this anyway because they knew that nobody monitors event ID 1102. So if you run that command, that creates event ID 1102, which means somebody cleared your event logs, which means you need to go look at that machine right now. And so if you imagine that you have some sort of targeted attack coming out of a certain country and your local office there starts to show you 7,102 events, you would probably cut the WAN link if you had the targeted monitoring part done there, right? Not rocket surgery here. Your goal is not to stop the attacker, but to irritate them. They're always going to get in. You just want to slow
them down and make them mad and maybe swear a little bit at you. And there's this slide that we use at Microsoft that talks about how if you do all of this, there's going to be all these little red lines that come up and you know, he's going to send the phishing email. He only gets the first one. But I would prefer to think about it this way. I would prefer to think about it like this because we're building a network and we're building the network the way we want. And instead of crocodiles, imagine it as host firewalls because protective controls can lead to detective controls. And they lead to the best detective controls because they're
both slowing them down as well as creating an alert in a console for you. So why doesn't everybody do this? Jessica, you make this sound so easy. Why don't I do this for free ninety-nine since this is all built into the operating system? Well, there's a lot of reasons people don't do this. There's legacy settings. There's technical debt. There's we've always done it this way, which is the most deadly sentence ever said in IT. And then there's really the reason that's behind all of that, which is fear. And there's humans here again, right? Because fear is if I fix that, what will break? If I fix that security issue, will that cause the stock price to drop
more than usually getting compromised, right? Which is why you need to apply your knowledge and your superpowers to answering the difficult questions. So, I'm going to walk you through a scenario using something I built called WEFFLES. And we use WEFFLES to answer difficult security questions because people tell us things like I can't do whatever. And I don't remember what order these are in. So we're going to make it up as we go. All right. So here we have a console and let's say that I want to know stuff. I am going to click on the stuff I want to know which in this instance is where does backup service log in? Backup service lives in the domain admins and
they tell me I can't take it out of the domain admins because it might be important. Well, now I've answered this question. Backup service only logs into those three machines. So I could give it local administrator on those three machines. Solve the problem of what it has later and then go ahead and remove it from domain admins. Or I could figure this out which is where is everything logging in as batch which leaves credentials both on disk and in memory. And I can see it's got these servers and a workstation. And I can see that it's all domain admins doing it which is weird. And then I see what's cleared their security event log recently. Has
anybody noticing workstation one coming up a lot here? So, workstation one seems to not want me to know what's going on in its security event log. And lo and behold, when I look at, we know when we've removed something from domain admins and we're looking at event ID 4625, which is something has failed to log on. Well, what do you know? The domain administrators are failing to log into workstation 1. Hm. I wonder if that's where our compromise came from. So, you need to be able to answer the difficult questions because that takes me back to another security saying that I think needs to be updated. Defenders have to be right every time. Attackers have to
be right just once. I don't think that's right because I think what it is is defenders get to own the home turf and can see it with traps, alarms, and tigers or crocodiles. And attackers get that one endpoint just once. That's what you have. That's what you can do. And that's what we need to think about when we put the humans in the equation and we develop our own superpowers and we understand what we're doing because you have the power. Thank you.
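The three "difficult questions" the keynote answers from forwarded Security events (where does the backup service log on, who logs on as batch, and which host keeps clearing its log and then shows privileged 4625 failures), as an added example that is not part of the talk or the WEFFLES project. It runs over a handful of constructed event records; the host names, account names and the `priv` flag are hypothetical.

```python
"""Targeted monitoring over forwarded Windows Security events (added example)."""
from collections import Counter, defaultdict

# Security event IDs the keynote cites; Windows logon type 4 is "Batch".
LOG_CLEARED, LOGON_OK, LOGON_FAILED, BATCH = 1102, 4624, 4625, 4

# Constructed records standing in for forwarded events; "priv" marks an
# account that sits in a highly privileged group such as Domain Admins.
SAMPLE_EVENTS = [
    {"id": LOGON_OK, "host": "backup-srv1", "user": "svc_backup", "type": BATCH, "priv": True},
    {"id": LOGON_OK, "host": "backup-srv2", "user": "svc_backup", "type": BATCH, "priv": True},
    {"id": LOGON_OK, "host": "file-srv1", "user": "svc_backup", "type": BATCH, "priv": True},
    {"id": LOGON_OK, "host": "workstation1", "user": "da_alice", "type": BATCH, "priv": True},
    {"id": LOGON_OK, "host": "workstation2", "user": "bob", "type": 2, "priv": False},
    {"id": LOG_CLEARED, "host": "workstation1", "user": "da_alice", "type": None, "priv": True},
    {"id": LOG_CLEARED, "host": "workstation1", "user": "da_alice", "type": None, "priv": True},
    {"id": LOGON_FAILED, "host": "workstation1", "user": "da_alice", "type": BATCH, "priv": True},
    {"id": LOGON_FAILED, "host": "workstation1", "user": "da_carol", "type": BATCH, "priv": True},
    {"id": LOGON_FAILED, "host": "workstation2", "user": "bob", "type": 2, "priv": False},
]


def logon_hosts(events, user):
    """Where does this account actually log on? Answering it lets you scope
    local admin to those hosts and then pull the account out of Domain Admins."""
    return sorted({e["host"] for e in events if e["id"] == LOGON_OK and e["user"] == user})


def batch_logons(events):
    """Batch (type 4) logons leave credentials on disk and in memory, so list
    {user: [hosts]} for privileged accounts using them."""
    out = defaultdict(set)
    for e in events:
        if e["id"] == LOGON_OK and e["type"] == BATCH and e["priv"]:
            out[e["user"]].add(e["host"])
    return {user: sorted(hosts) for user, hosts in out.items()}


def log_clears(events):
    """Event 1102 per host; any count above zero means go look at that machine."""
    return Counter(e["host"] for e in events if e["id"] == LOG_CLEARED)


def privileged_failures(events):
    """4625 from privileged accounts after a group cleanup: where was that
    privilege really being used?"""
    return Counter(e["host"] for e in events if e["id"] == LOGON_FAILED and e["priv"])


def hosts_to_triage(events):
    """Hosts that both cleared their Security log and show privileged logon
    failures: the 'workstation one keeps coming up' signal from the talk."""
    return sorted(set(log_clears(events)) & set(privileged_failures(events)))


if __name__ == "__main__":
    print("svc_backup logs on to:", logon_hosts(SAMPLE_EVENTS, "svc_backup"))
    print("privileged batch logons:", batch_logons(SAMPLE_EVENTS))
    print("1102 per host:", dict(log_clears(SAMPLE_EVENTS)))
    print("privileged 4625 per host:", dict(privileged_failures(SAMPLE_EVENTS)))
    print("triage first:", hosts_to_triage(SAMPLE_EVENTS))
```

With real data, replace `SAMPLE_EVENTS` with records pulled from the collector's ForwardedEvents log; the functions only rely on the event ID, host, account, logon type and a privileged-group flag.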
Marilyn, welcome. Psiz charm filled with Old Bay chocolates, burger cookies, nice stuff. Old Bay is
[Applause] real quickly. Uh, we need to vacate this room. What we're going to be doing is opening up all the villages, all the things opening for CTFs and hiring village. So, make sure to go check it out. 2:30. All right. Close the microphone. There we go. All right. So definitely