
Not that I'm saying we should be overarching across all these things, but get that into the inner workings, that tie-in and understanding, to know what your strengths are, where your weaknesses are, and what we can do about them. So why would we only carry it out? We move forward, we look further, we dig harder, and hopefully make upper management understand: these are the real threats to your environment, here's where it actually spreads out, here's where everything connects and combines. And never stop. You don't sit there and say "check the box, we're good," ever. It's always an evolving landscape; the threats are always changing, and we'll come out with new technologies soon enough, I'm sure, that will completely revamp some of this.
So it's always a continuous maturity model: getting to a certain stage, then moving further forward, then moving forward again, and so on. And make sure that you are, like I said, working with everybody, integrated with those other teams and groups. Don't shun everybody, don't try and make enemies. At the end of the day, yeah, your job is to remove the vulnerability, and it's like, "I'm not here to make friends," but, not necessarily make friends, but make powerful acquaintances. Work with them, be friendly where you can, professional always, and you get that understanding between the teams and the groups to where you can work harder together. They'll be more
open to the changes that you're suggesting, and surprisingly enough they will come back to you on a number of occasions to say, "Hey, this is what we're doing and what we think we could do differently, or how we think it could relate to your program," and phenomenal ideas that you can then come back and integrate, because they're on board and they're fighting with you. So it never hurts to make that attempt to make those connections and drive forward as a team, as opposed to just you on your own. So of course, what does all of this mean? Hitting these misconceptions early on, like I said, is not an all-inclusive list,
but hit them up front. If you were like me, rolling into a company for the first time, either company after company or you just joined, ask all those questions: where's your CMDB, what are your dependencies, who's working with who, what are your policies and procedures, let me see them all, who are the contacts that I really need to dig into to really understand your environment? Get into the weeds and the details. Even if I'm not scanning the manufacturing environment, I still want to know what they do, why they do it, how they do it, because that's important to them and
it's important to us to understand what's important to them, so that we can have those conversations. Nothing sucks worse than walking in and saying, "Well, I don't know what you do, but change." That's your skill: "Here we go, I have lists, I have PowerPoints, it's cool, just go with the flow." They're gonna laugh at you and curse you behind your back. So dig in with all of those things. I reiterate a little bit of this stuff, but it really is just to drive the point home: get that mindset going, be open about it. Sticking to the message is more about
driving with the C-suite, especially your directors, all the management factors, and saying, "Look, this is how this needs to go, we need your backing." If you don't have it, nobody's going to listen. It doesn't matter if you filled out that policy; without the systems being on it, or the CEO or whoever you need to get to sign these things for these people to listen, it doesn't mean anything, because they're going to come back and say, "Well, this is inconvenient, I'm going to go above you and say no, I can't do this," and that manager is just going to be like, "Okay, whatever, I don't want to deal with this,
here's this, here's a signature, they're exempt from whatever this is." And then you get a setback, the company gets a setback, credibility is down the tubes, because the other application owners and system owners are going to hear about it, and when you walk in to start talking to them, what do they care? You've already been overridden once; they'll probably do it again. Some of them are really cool; you walk in and they're like, "Yeah, let's go, let's roll with it." Usually those are like your base patching teams and whatnot, and they're chill to deal with. But obviously not everybody's going to be there. Be clear on what the ramifications
are: what are your issues, what's gonna happen if you don't do these things. You don't have to do a doom and gloom story, you don't have to threaten them and say, "Oh well, if you don't do this you're going to get ransomware by the end of the year." That's full of crap; don't bother doing that, because that again will affect your credibility. But be honest: here are the potential threats to your environment, here's what's going on, here's why we're doing the things we're doing, because you know what comes out of it. And not even just ramifications but the benefits. By doing software
removal of things you don't need, that's one of my favorites. With the software that's out there, it's like you've got these applications, like nine of them, that all do the same thing. Do you really need nine different applications? Pick one or two, because there's usually something that will work across multiple systems; if not, you have a couple out there. Make them go to a standard. It's a lot easier to maintain, it saves your packaging and patching teams so much time and effort, and therefore saves the company money. Everybody loves that one: the more money you save them, the better off they are. So less software we're maintaining for you, cool.
And then you even find software applications that are out there, like one-offs that somebody installed five, ten years ago that they haven't used since. "Okay, great, I used that, it works, cool," and then they forgot about it. That guy's left the company, the next one came in, and they're just like, "Oh, that's always been there, cool, it's always been this way." That's another one of my favorite excuses: "It's been this way for so long, why would we change it now?" But you need to change that mentality, the culture of the business. Be ready for that ongoing fight. It doesn't always have to feel like a
battle every time you go in, but be prepared for it. Be armed, have your facts straight, have your details, especially the more times you do this; the more you've been rolling through it, that's just more experience and ammo for you to walk in there and be like, "Look, I know these things work." And also be flexible at the same time. It's not just about "this has worked before for this company" or "this has worked well for this department within a company." Understanding, back to my point earlier, those individual groups will help you tailor what you're doing with them. One size does not fit all. It's not a
cookie-cutter world, and we have to understand that and move forward in that fashion. Let's see. And yeah, decide for yourself what's important. So for us it should be exceeding that checkbox mentality, exceeding that "we passed the audit," reaching out and building a future for the company and a better prospect to move forward with. I might do it on time, okay, all right, cool. All right, so digging into business owners, management. I'm sure we have some of those floating around, I hope so. Things that you really need to work with and understand when digging in with your teams, to say, "What do you need, how can
I help you?" Support and accept those challenges from the team. If your vulnerability management team or security teams of any other type are not challenging you on things and saying, "Look, we really need to do this, I don't care if it's not in the budget, or it would be easier to do it a different way, or you're just tired of hearing somebody whine and complain about a particular application," don't fall into any of that stuff. Let them challenge you, hear them out, ask them good questions at the same time, and there will also be a step for them coming up in the next slide to respond
as well. Stay engaged in it. That much, okay. All right, so stay engaged with those teams. Keep on tap, on target with it, so you're not just like, "Okay, report in when it starts, report in quarterly, and then when it's done." Get in there, talk to them on a weekly basis at the least, find out what's going on, get status updates, and really keep tabs on what's going on, because when they come to you with a request or a challenge that they're having, you should be aware of what's going on, what they've already walked through, who
you need to talk to. It shouldn't be a big rush to find out who you need to deal with, or maybe where the holdup is, or what's even going on in the project, to be like, "All right, hold on, step back, I thought everything was going great two months ago." So keep on top of that. When you ask questions: how is it related to the program, how is it related to the task you're doing or what you're trying to accomplish, what are the impacts, barriers, expectations, both short and long term, and then what are those advantages and disadvantages that you're really looking at?
And they should be able to answer these questions. And then again, look into the implementer section, which is next. Get that backing from upper management. If you're implementing this stuff and you don't have that backing, like I said, you're screwed. Collect everything you can; I think I've pounded that into the ground by now. Ask your questions of each team, understand their processes, understand what's going on today. And then I have a whole list there for where we start, that's just a whole slew of things that you would want to dig into and talk about, to collect documentation on, to really get you to where you
need to go. And then going beyond that, what additional areas can you really dig into? Hit those blind spots, hit the user awareness training, hit those backups and disaster recovery, get into talking about penetration testing and social engineering tests and such. Make sure they're aware that there's so much more to this program than what they're really looking at and considering at the time. So all right. So yeah, in this one I'm just trying to give you a bit to think about, things that I've run into the last few years, like I said, trials and such, ways around the
things that I've done to get past it. It's just kind of like that learning curve, to where it's like, let me get that foot up when I go into the next environment, avoid those missteps the best you can. You're not going to be able to get over every pothole in the road; there's going to be something that comes up, so be flexible. It's an ongoing process, this never ends, so you're always going to be evolving and maturing this process. It's never like, "Oh hey, we hit the end, we're good." There's no 100% win. Like I said, they're gonna get in one way or another, it's going to happen
no matter how strong your defenses are, no matter how intelligent the user community is, how trained up they are. There's going to be some way, so be ready for that, and that's why we dig into those backup programs and other options, get your hunt teams involved, etc. Be aware you're part of a larger community. I was actually asked earlier today if I knew about any Discords or something where a VM community existed, and I drew a blank, honestly, so I will be researching that to see who's out there. But you're definitely not alone; there are definitely more of us out there. With the uptick in companies really looking at
these programs, people are going to need help, people are going to have experience, they're going to be running into issues. Reach out and network. I think these conferences are pretty good for getting names and interaction. Even if you're just talking to a pen tester or some other discipline, they have ideas, they have knowledge, they've seen a lot of these things. Work with them, and that even gets you some more direct knowledge of a particular area that you're going to be speaking to at some point or another. And as I mentioned, I have a paper I wrote up, which is most of this information, maybe a little bit more,
that I've asked to be attached along with this presentation, so I think that'll be available on the BSides site afterwards. So any questions beyond that? Am I over time? Right, I'm like right at a minute. All right, so any immediate questions? Cool. Otherwise I'll be floating around the next two days anyway, so if you want to in the future, just have a chat. All right, thanks. [Applause]
Since the camera's not working, I'm gonna... I'm in a free room. I am a SANS instructor, so first, by show of hands, how many people have taken a SANS course before? Awesome. So you already know I'm going to talk about a mile a minute. It's gonna be like a fire hose the entire time; you'll only get about 30% of the information as we go through it. I've got 30 slides and 30 minutes to go through it, so it's going to be really rapid fire. Okay, I joke. I mean, I do have 30 slides and I do have 30 minutes, but that's typically the pace that we do at a SANS course. So what I'm gonna do is actually talk
about operational technology. So another show of hands: how many people are on the OT side of the house? I mean, people know what operational technology is? I know all my coworkers at Dragos over there. Anybody else OT? No? Okay, what's that? Overtime, there we go. Okay, different than that; I guess that could be a different talk, overtime versus IT. You don't get it? Congratulations on being a salaried employee. Okay, so how many people then identify as the IT side of the house, information technology? Okay. How many people are in management? Okay. Compliance? Okay. All right, so I'm going to touch on a little bit of all that, because that gets a little bit messy here. So that
really helps me out to understand sort of what level I can talk to you at through different things. I'm not going to do some very nerdy OT-specific things, but I'm also going to have a very simple... if my pointer wants to work, which of course it doesn't, because now I'm presenting and now I'm stuck at the podium. There we go. Okay, yeah, hold on. Technology is so awesome when it works, right? There we go. Okay, so I'm going to quickly talk about the differences between IT and OT. I'll probably spend a little bit more time there, because most of you aren't familiar with OT, which is perfect; it's a perfect audience to be able to learn
something new, right? Oh, you've got to be kidding me, I got one click out of you. Okay, I'm wondering if it's my adapter. Okay, this is a perfect security lesson right here: I'm going to put it in a random USB port. Now it wants keyboard assistance, okay, now it wants to show you the rest of my desktop. All right, we're just gonna ignore all of that and I'm gonna go back to doing this annoyingly. Okay, this is what happens when I try to get fancy with things.
Everyone's on YouTube, like, not seeing me, just seeing these slides go back and forth, like, what's going on here? Okay, so I'm going to talk a little bit about, first, the differences between IT and OT. Then I'm going to talk about some recent events in OT and why you should care about it, really, especially for those of you on the information technology side of the house; those will be brand new for a lot of you. And then how do we solve what I would call the OT/IT divide. So when we think about the differences between these two things, I've got traditional IT, where you think a lot about confidentiality: what do you do
with data at rest, data in motion. When I'm on the OT side of the house, I'm in a control room. I'm not as animated as that character there, and I'm dealing with zeros and ones that will impact the physical world. Instead of being stored somewhere, it's actively doing something with physics as a result. To give you an idea of what we're talking about, think about things like motors, generators; we have safety systems; we have different input/output devices. Those are not the IEDs that you think they are; those are intelligent electronic devices. These are things that you may find in a substation, in a power plant, in a water facility, in a chemical facility.
You're dealing with plant life at that point; you're dealing with engineering. And to sort of summarize, this is what you'll typically hear about when talking about cyber-physical, which is sort of the category for everything. We have industrial control systems, automation, single-purpose use of these different categories of operational technology, and that's where you start hearing about some of these things down here: SCADA, supervisory control and data acquisition; field devices like substations, so the data has to go out someplace and somebody has to do some sort of control of it at a central location; distributed control systems; you may have them dealing with home automation systems; and obviously things that we're
dealing with in medical devices as well. So you can think about that: if you have an insulin pump, that would be operational technology. The zero or one is saying, here is a sensor that is saying how much glucose you have in your body, we have to give you more insulin as a result of that. That would be that operational technology; the zero or one is doing something in the physical world. And over time these have gotten highly connected. When we first started dealing with control systems, you basically just had a lot of levers, some cranks I've got over here; they weren't connected to anything. Over time we started adding more
connectivity, because you got more optimization out of them, and then today I have wireless sensors in my plant life. I've got some really scary things; people use iPads in the plants. I don't know why you'd want to do that, but apparently they do now. So we've gotten more and more connected as a result, and this came from this whole conversation that industrial organizations have: they want to understand this idea of visualization and having more optimization across their plant life. So you can see here this is where that security conversation really gets difficult, because when you're talking about why you shouldn't connect these things: "Hey, you're gonna have an increase of attack surface, you
don't want a nation-state adversary inside of our plants." Well, the CEO is talking about, "Well, I could have increased efficiency if I can get all the data from all my plants and start figuring out, well, maybe if I just change the mixture of fuel by two percent I could save five million dollars per year." And then you come as a security person, like, "Please don't do that, I don't want you to connect 12 turbines across our entire fleet," and you're starting to argue then with what the return on investment is: error reduction, better safety management, in some cases reduced workforce constraints. I work with one plant where the facility actually had an
engineer whose job it was, once a week, to go and drive four hours to a remote site, take some readings, turn a valve, four hours back. The boss came in and said, "Why would we do that? Why don't we just put a remote sensor out there? Now let's do this all remotely, we can do it from an iPad now, here, it's great." They didn't go through what that really bad day could look like. Well, all of a sudden it turns out that that was a multi-billion dollar potential loss if they had a cyber event due to that. Once that organization found out, they hired that engineer back again, and he drives four hours the one way to go and turn
that valve and four hours back the other. But this is the constant battle that's happening on the OT side now, and it is furthered by this complex discussion about being insecure by design. What we mean by that, when you talk to anybody who's on the OT engineering side of things, is we already know these devices are insecure. You work with a controller, and when you go to the controller you're not entering a username and password; it doesn't have the ability to have antivirus on it; if I'm lucky I can enter a four-digit PIN when I walk up to one of these controllers. They're 30-year-old devices, so some of these things already can
start, as you see here, all the different types of vulnerabilities that exist by design. They were designed to be operated by a good and smart engineer 30 years ago. They had no context for either a dumb engineer doing something they shouldn't have been doing, or the context of what it looks like to have a malicious actor do something as well. So with that... were you gonna read my bio? That would have been... that's okay. I started way early.
Sweet, I'm good either way. Why y'all want to listen to me.
All right, hi everybody. He's the director of cyber... wow, this bio is going so well. You can sit at that table; there are three other Dragos people. He's actually wearing a Dragos shirt right there. So, a Dragos side...
security firm, where he helped... He is also a certified instructor and author of industrial control systems courses.
He has held multiple roles as operator, federal regulator, security researcher, and technology... basically specialized in scaling security programs across multiple critical infrastructure sectors, with a specific subject... not only OT classes, with executive leadership.
See, this is the world of OT. Oh, industrial cybersecurity professional, critical infrastructure protection specialist, services...
Binghamton, Binghamton University, upstate New York, anybody? No? Oh yes, I got a... people, promote... upstate New York. Master's in electrical engineering from... also upstate New York, small school, probably never heard of. I actually love it when other people read my bio, because it's the worst thing for me to do; like, I just would never tell you any of that stuff. So that's why I'm up on the stage here. Anyway, where was I? So that was perfect though. So within the context of IT, these are typically the controls that you look at when you want to be able to secure something, right? I've got patching here; everybody loves patching, just
talked about it with vulnerability management. Antivirus, vulnerability scanning, endpoint agents, encryption. If you go into a plant environment and you try to do this, you will be laughed out of the plant. You cannot do any of this on OT; there are going to be limitations no matter what. Within patching, you will cause that operational outage. Now in OT we have this 24x7 thing; you're gonna shut down turbines, like, there's a lot that happens, and you're not going to go in there every Tuesday like, "I've got a patch." Those are things that have to be prolonged and planned for. Antivirus, again, I've got controllers that cannot have antivirus on them. You will never be able
to install antivirus. There are some assets where you can, but for the most part I can't do that. Vulnerability scanning: literally, you'll crash the system if you try to do nmap and try to find everything on your system; you will have a really bad day. We can't do that in OT. Endpoint agents, again, lack of visibility there. And encryption: I then actually add a layer of latency that I cannot do in operational systems. Some of these decisions that I have to make in OT may be on the millisecond level, so I can't encrypt these things. And not only that, when I am talking about encryption, I lose the visibility of some of the things I want to look for with threat
actors. To summarize that in a table of sort of this IT versus OT discussion: I can see a lot of the things that I'd expect to see in IT, I just don't have on the OT side. One of the things I'd like to be able to point out especially is that life cycle: decades is how I'm measuring these things. I go to a plant, I install something, it's going to be there longer than I'm going to be at the organization, in most cases; at least so far in my career I haven't been at some place for 30 years yet. So a lot of these things that you'd expect to be able to do, things that would be common, are almost
impossible in many cases on the OT side of things. Okay, let's see how this looks. Oh yeah, that's a little bit... can y'all see, like, the zeros and ones running down from the heavens with the light blue? Yeah, cool. So when we think about things, how many people are familiar with the Cyber Kill Chain? Okay, good, good smattering of folks. This will be a one-slide crash course for us. When we talk about IT, these are the traditional things that you expect to see in the Cyber Kill Chain. The Cyber Kill Chain, for folks who don't know, that's how an attacker looks at the way they're gonna perpetrate the attack: what are the different stages they absolutely
have to go through, from reconnaissance, to be able to get command and control inside your network, for them to be able to actually execute on some sort of data exfiltration or some sort of attack inside that IT network. For us, we call this stage one in OT, because if you do something on IT, yeah, it's a bad day: email servers may be down, ransomware, but I can still run the plant in some of those cases, right? Depending on how my protections are, you may have a horrible day in IT, but in OT I'm sitting down here, I hope to God I have some firewalls, I'm sitting down here, everyone's freaking out at headquarters in the enterprise, and I'm just running
my turbine. If there were to be an attack down here, that's what we call stage two of the ICS Kill Chain. The ICS Kill Chain itself is something that's uniquely different. What I mean by that: the skill sets here to develop, test, deliver, install, modify, and execute an ICS attack require you to understand not just the IT protocols but the OT protocols, the devices that have been down here, the valves, the levers, the sensors, for 30 years. You have to understand a little bit more than just what's perpetrated on that IT side. Now, that being said, every good OT attack starts with an IT attack. Every attack has to start off with some sort of conversation about targeting,
reconnaissance, delivering of an IT tool, because you're going to try to find out as much information as you can about this system down here while you're up in stage one. That's where all the information lies about that system, so you're going to target that one, you're going to go through that, but at some point you want to be able to get to these crown jewels down here that could cause that operational outage, or maybe have an impact to health and human safety. And this is where we talk about the most recent events and what has happened here. There's been a timeline of a lot of events in this space. I'm just going to highlight a couple of them, but these are
new to you. I mean, there's the dreaded S-word: I can't do an OT talk without talking about Stuxnet, right? So Stuxnet was one of the ones that really made it apparent to people that this could be an attack vector, where there was actually an outage at a nuclear facility in Iran based off of a targeted attack. However, things that you may not be aware of: Havex, actually looking at process data, so that physics data, what's happening inside that system, was what the adversary wanted to go after. Moving on to what we saw in Ukraine in 2015, sort of going through this idea of a remote access toolkit that could impact operations.
If you really want to look for a very interesting story that would kind of go off of what was in the keynote: in Ukraine in 2015, actually a bunch of us at the Dragos table raised our hands, have we been to Ukraine before. That was one of the reasons that I was in Ukraine, to be able to talk through with their operators how it is that they got to deal with this attack from a remote access toolkit from a nation-state adversary; that is probably pretty apparent to everybody. Also, sort of, Dragonfly 2.0. This is an interesting campaign; it went for operator data. So how do the operators go and use this process data, how are they
interacting with the system? If I were to look like an operator, what would I want to look like from that perspective, so maybe it's harder for you to detect what's happening? And then CrashOverride, for folks who are familiar with the great 1995 film Hackers. So CrashOverride is one of the modularized toolkits that we found within the conversation here at Dragos, an ICS modular malware, the first publicly available release of its kind that we could see, that talks about what it is to have a Swiss army knife of attacking OT, going after those controllers, after those safety systems. Before this happened, I mean, these are all scary in their own way, before this
one happened, if you'd asked me how long would it take an attacker to go from the IT network into the OT network and actually cause an outage, I would have said something along the lines of, ah, year-ish, maybe a little bit longer, because I need to be able to understand what's happening in that system. We saw it in Ukraine 2015 when they used this remote access toolkit; we saw what that looked like, so we had a little bit of an idea of how long the timeline is. With a framework that somebody's invested millions of dollars into, to be able to have repeatable code that they could execute on, that shortens that time frame quite a bit, and that became one of the
scary things that came out of 2016. What's up? I can't... I mean, we're talking months and weeks, right? So it depends. I'll talk about the gap on timeline towards the end here, but it shortens it significantly. Good question. And then this one is scary because of SIS, take the safety instrumented systems. So this was the TRISIS attack. It attacked a petrochemical facility, and was actually going after not the actual control system but another system that we all rely on as engineers and operators, which is to keep us safe. Where I walk onto a plant, I'm going to do some maintenance, and I know if there's a really bad day, at least nothing will happen to me as a
person. And the attackers didn't even bother going through the control system; they went straight to the safety system, meaning that they wanted to cause damages. They wanted to disrupt not just the operations from a big boom perspective, but that big boom would have potentially led to a loss of life, which as an engineer and operator is probably the most terrifying thing that you could tell me. I would have no idea how safe my system is; I'm not standing near that system at all. So when I look at that stage one, stage two piece of things, a lot of things you may have seen in the headlines, I'll differentiate between whether they really had an ICS capability. You see I
have a little bit of a clustering of things in the upper left-hand corner, where we start talking about actually getting to those impacts on industrial control systems versus not really. Like, everybody's heard of Oldsmar, right? But Oldsmar really didn't have that stage 2 attack. You saw a lot of people just sort of messing around with some of the information there because they could, because they had access to it, not because they really knew what they were doing or what the impacts were going to be, right? Because there's nothing that really came out of Oldsmar that impacted ICS. So when I think of an attack, that's what I mean: I mean things that are stage two, really
dedicated towards what's happening in the OT network. Everybody feel warm and fuzzy? This is not a fun presentation: fear, uncertainty, doubt. I do want to talk about what it is we can do in this space, because there actually are actionable things that you can do. So let's start off with talking about what is the typical path that we see for most people who go through ICS security. So a presentation like this will tell you it's a pretty straight line, right? Here's how we get to the destination. Most programs that I've worked with never go in a straight line. After an incident is the most popular way, unfortunately, to get to ICS security, and it just means you totally
bypass it and you have to boomerang around. And unfortunately the other one, this one that I've been most familiar with... how many... I had like two people from compliance, I'm so sorry. Yeah, compliance does get you there, it's just a little bit more complicated. In all of those lines in ICS security, we actually have our own standards. We have quite a bit that we've done in the space for the past 20 or so years. I've been a part of... part of the acronym list that was read off in my bio, but in part, a lot of the creation of these standards. So I know that compliance journey is really painful, but
If you're new to this, I highly recommend picking up one of these, the NIST ones in particular; 892 is a free, open source document, it'll give you a crash course on ICS security. It's where a lot of people actually almost start their journey when they first come into this. I highly recommend just being able to pick up something that may be relevant to you and start there. There are going to be three slides that I'll say are the major points of this talk; this is one of them. This is for those of you who are coming from IT, or somebody said hey, now you own something in OT. As a warning sign, this is a quote from the
Department of Homeland Security: incident response deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents. The number one thing that I tell people when they come from IT: you have to learn how the plant works, you have to learn how operators speak, what it is that they do. If you come try to copy-paste what you do in IT, you will have a bad day, and if you're using IT's incident response plan, your bad day is going to be even worse. I'll talk through some of that, and probably some of that should have been a little bit apparent when I showed you, like hey, you can't patch, right? There are
going to be things that will be very, very clear as you work with operators. So, things to consider for your incident response plan, for example: people familiar with boom, left of boom and right of boom? Okay, so what does it mean for us in OT? So, before boom, I'm looking at actually going through and looking at my control system and figuring out where can I inhibit things, where can I do maybe manual operations, where can I disconnect. We actually do talk about being able to disconnect from the network as part of what it is that we do, because we don't need the network in a lot of the cases to survive. It makes things a lot more difficult, but we can
do it especially if you have engineers and operators who've been there for the past 10 or 20 years that know how to do that manually evaluate the Integrity of your system start operating throughout a controlled outage and also information sharing is one of the key things that we tell everybody to do when they're there but before you have that bad day are you even training or doing exercises do your operators know what it looks like to have a bad day the Ukraine events talking through those there were two different events that happened in 2015 simultaneously one was using some really cool Innovative things from our perspective there it looks like you couldn't control anything at the
substations anymore, you lost communications. The way that you respond to that would be very different than what other utilities saw, which was, let's describe the hey, I can't see my substations anymore. Like, there's the five million dollar tool and there's the five dollar tool. The five dollar tool was hey, I'm just going to use Remote Desktop Protocol, it's already there, it's already enabled, why don't I just go on your computer and start unlocking things. When you're an operator and you can't communicate with the field devices, that may feel to you like a telecommunications issue, a maintenance issue. When you're an operator and your mouse starts moving and opening up breakers, you know it's a cyber event, right? And you have to be
able to balance those two for that training piece to be able to actually know what an OT event looks like do the operators they're the first people who are going to know these things understand what a cyber event looks like unfortunately most of the time they do not because they've never been trained on it and also on that uh sort of left the boom conversation do you know what it looks like to restore the plant this is where most of the incident response plans that we see fail because most folks will say Okay The Operators know how to restore the plants but the it folks are actually going to be coming in there and helping out with things
like forensics, and at a certain point there has to be a handoff of when IT steps away and the OT folks come back and say okay, we can do a plant restart now, we can do it safely and reliably. If you don't know what that handoff looks like, you're never going to get there. All right, this is where I get nerdy with it, okay? So within the context of OT, this may be, for everybody here who did not raise their hand about OT, the first time you may see a network diagram of this type. I've got some devices down here, I've got controllers, I've got different
instrumentation I've got maybe some generators down here a robot arm just for fun uh human machine interfaces where the operator can actually work with those systems and we actually talk about these in different levels the Purdue model is what we use the Purdue model is not where I have firewalls it just tells me what type of devices it is that I'm paying attention to in this case here Enterprise is level four to five I have a DMZ I hope I have an industrial levels that are going to be uh zero through three and those are really just telling me hey I have sensors down here a level zero is a sensor very very dumb thing right it's just getting inputs and
outputs analog maybe in those cases and so when I look at these systems and I figure out what the architecture looks like in the trust model that's involved most of the time we only invest in where those canons are at that level right between Enterprise and OT unfortunately five minutes it's gonna be awesome the trust all between us do I get my time back because my bio is read halfway through I'm just okay uh you trust level here though everything from OT is trusted which gets really complicated when I have things like remote uh plans where those things may have their own cellular devices their own connections outside of us you may think you're monitoring
everything at those firewalls you are not there's a whole lot of mess happening down here that most people don't even have a recognition of let alone be able to put Security in for so let me give you a cleaner view of that because that was really messy so this is a cleaner view right where I've got the Purdue model outline I have where that it OT divide is and I can tell you a little bit about these devices across each one of those so if you want to get visibility we do this really well because this is the I.T side of the house we know that those attacks come from the I.T side of the house maybe you've got
these firewalls put in place, maybe you've got a little DMZ there that's got different patch servers, jump servers where you get remote access in, and you're monitoring all those connections. We actually do that somewhat well. I say somewhat because that firewall may be there, but most of the times when I do firewall reviews I'll still find like an any-any rule, because why not, but you'll still find some sort of protections in place. As I drill further into this Purdue model I get to level three; it's sort of like the plant operations maybe, or it's where I may have, if I'm at a control room for an electric utility, getting all the data from a substation
in those cases there you may have like maintenance laptops that just walk on in your vendor may allow you to just to have a laptop but you walk in you plug into the network again now your visibility that you had at level four level five is totally bypassed so you need to be able to do some sort of monitoring there and we can do that and put sensors in there to be able to understand what OT things are happening same thing down at level two you want to be able to understand what you're going to use in that perspective and from here I've got these human machine interfaces I've got engineering workstation I've got some specialized
servers that are down there, and in those cases I just want to make sure I'm monitoring what it is that they're doing. Most plants have not done this yet, so if you thought like we were doing really well maybe on those top two levels, most people don't have any monitoring here whatsoever, they're not even looking for it. It's if the tree falls in the forest and no one's there to hear it, it doesn't make a sound. Most operators will say oh it's fine, everything's working, what's the problem? It gets a little bit more difficult as I get into level one. This is where I start talking about these controllers, logic controllers, remote terminal units, RTUs; these are the dumber devices,
these are things that I don't have a username password I don't have antivirus for I want to be able to still monitor those connections I want to know how it is to communicate back and forth if an attacker is down here we have seen recent exploits where an attacker could actually own this device down here and now your engineer may look or see things that is not the operational condition that they're actually in uh level zero is definitely the trickiest one but that's where we could actually get some data where we can start looking at well what type of things are there you pointing out do I have a way to verify uh what the sensors
are actually doing. It's who watches the watchmen in that case. But there are ways to do visibility across all these levels; unfortunately, again, most industrial organizations, most folks who don't even know they have OT, are only doing level four and level five, missing an entire level of stacks that could have monitoring. Which leads me to really the second, I said there are three slides that you should really pay attention to, the second really important slide. If I look at the actual timeline for an attack, this goes back to your question, sir, about what did this look like; this is actually very similar to what we've seen previously in post 3 2015. I have that stage one, I have an attacker
go through get command and control they'll pivot from where they are in that level 4 level 5 Network figure out what they can do industrial control systems then they're going to go and figure out what they can do in that stage two area what impacts can they do in industrial control systems they'll validate their attack they'll sort of make sure that they don't they don't want to invest all this money and then have the attack not work right which has happened hilariously uh but they want to make sure it'll work so they'll go through and they'll then give a attack delivery methodology they'll then adjust based off of what it is they're able to see on that OT Network
and then in a matter of minutes execute on that attack. That is the timeline for an attacker to look at industrial controls. Let's look at the defender. The defender during this very first stage should be able to do some sort of detection with common IT tools, because they're in that stage one network, right, they're trying to find out more about what is happening at the enterprise before they pivot into stage two. Here is where it gets a little tricky. This is where your firewalls are really important, right; they're in this first sort of going through and detecting things. Hardening: you can do some system hardening, I think for example my human machine interfaces, sure, it may be
Windows 7 or Windows XP, but there are like 177 default services in Windows 7. I don't need a majority of those to operate in OT; I can shut a lot of those down and you can be more restrictive in those, so I can get to hardening. I could start hopefully having some awareness if I've built down that visibility deeper into that stack. By this point I'm really relying on threat detection, so I hope you have visibility. If you don't, if your visibility is all on level four, level five, don't worry about this, you won't be able to detect me, you're already hosed, you just don't know it yet. And then the actual, this clear declaration of incident response, that's
when my IR plan may kick in: containment, eradication, which we all kind of suck at, and then recovery, where I really hope that you've been working with your OT and IT people. If you look at this, when we talk about that visibility problem again, there is during this time period your ICS compromise-to-detection gap, from when it was that you were actually compromised to when it is that you would detect; that would exist there again if you have that visibility. If you don't, and you don't have an incident response plan, then we're talking about our detection-to-containment gap: how long once you know that you're owned can you actually take care of the remediation? Before I could
talk about the last gap which is that remediation Gap itself this is the second most important slide because if we don't have the visibility down here you're only relying on catching them at this part here and the rest of that attacker activity is totally unknown to you same thing with your incident response plan if you haven't worked with your engineers and operations people it gets dicier and dicier the longer that this goes okay everybody's still feeling warm and fuzzy so where do we start this is the most important slide every single time I talk with operators I want to make sure they know me before an incident happens shake their hand get to know them and I
do it with donuts. Every single plant, there is not a single plant operator I've met that will not say yes to donuts. You walk in there with your hard hat; I recommend if it's your first time going to a plant, you're going to wear PPE, right, your own protection equipment. Have a hard hat on, have some composite toe or steel toes. Don't do steel toed; if something falls on your steel toe you may slice your toes off, don't do that, composite's the way to go. But before you even do that, like before you show up in your shiny new hard hat, go like go play soccer with somebody in that hard hat, and when you're with your boots on,
because you you're going to stand out really bad it's like a shiny new hard hat but you want to be able to talk to them where they are meet them where they are and do that I'm not joking with donuts Pizza I don't care what you do but get with them often and don't be about don't talk about like phishing attempts they don't care about that like you're talking to them about the thing that's happening at that Enterprise level they're not checking I hope they're not checking email on the same controllers that they're using to operate the plant on if that's the problem like God you're gonna bring more than Donuts you're gonna bring some whiskey with that too
but you want to be able to talk to them where they are, and their concerns day in and day out are about safety, it's about keeping the plant operational. You have to be able to meet them at that level, and the only way you're going to do that is with communication. So I actually really like that from your talk too, it's the people thing. I could talk about all the visibility controls you want in there, I can talk about all the different things that we can do from a technical perspective on system hardening, but if you don't have the people on your side, if you don't endeavor to bridge that culture gap, culture eats strategy for breakfast
every single time so you want to make sure you've got that culture and donuts are a great way of getting them with that a little bit about me uh so at JD Christopher on LinkedIn Twitter I am here for the rest of the day uh I'll also respond to things on Discord I found the Discord Channel um other than that uh I don't know if I have any time where is lunch okay we don't know where lunch is it's over there I was gonna say if lunch is here and I can just like steal you guys but um any questions concerns personal stories about operational technology or safety incidents that you don't want to talk about
yeah push the slides
Sure, I can't so much talk about my role, but I can talk about the events themselves. So we all know from the keynote that there is geopolitical strife throughout Ukraine, and the way this started was three utilities were attacked simultaneously, and again they had different ways of being attacked, but it all started, as every good story does, with phishing. There was actually what looked like an official-looking email that came to the utilities that said hey, there's Russian troop movement in your service territory, would you like to know more? I don't know anybody who's an operator who is like no, I don't want to know that,
like if the Canadians were coming down and attacking us, I know every utility would be like whoa, what's happening, because you want to know, like, where can I put my engineers, what substations may be affected, how it is that I keep my communities with power; that's a really critical thing. So they all said yes and then they downloaded a document. The document said hey, I've got some macros in there, and again it looks like it's coming from the Ukrainian government; you say yes, of course I trust the government, and now they have the foothold. And over the period of, again, about that year time frame, the attackers were able to identify more and more of the system
until they got to VPN access, keys to the castle. They could look like a legitimate user; they lived off the land, as it were, for the entire time period before pivoting into the other stuff. When they attacked the substations themselves, again it depended on what utility you were: you would have had that multi-million dollar tool, and you can sort of imagine how that would have gone. The thing about attackers is a couple things. One, they also have memos and PowerPoints, but they would start off, you can imagine there's somebody coming into a room and saying, and now we go fingers to keyboards. It was highly manual, and the attackers went after these different substations and
cut off that Communications just putting it very simply and for those operators again it looked like you had a telecommunication outage which for us an electric power happens pretty regularly not to the extent and time period but you'd say oh that looks kind of weird why don't we have communications out there and that's how they responded and that's how they eventually recovered it took about six hours or so depending on which utility to recover from that incident and then again the other one was hey my mouse is moving without me and opening up things I think I'm being attacked um actually in one of those cases there somebody took a video of it because they
want to be able to show their boss, like hey, it wasn't me, somebody else was doing this. And so that took, depending on the utility, about six and a half hours; it was roughly a quarter million people without power during that time frame. However, I would say they had a benefit because of their operators there; they knew how to get to manual operations pretty quickly. If I look at the United States, if I look at some of the other countries, we have a lot more automation. I'm not confident we would be able to be six and a half hours in that same time frame; they just happen to have a really robust engineering team that
could respond and recover. Key question back to you, or back to the audience in that case: if your entire system was just owned by a nation-state adversary, would you ever trust that system again? So now you're talking about we're operating in a degraded state, talking about how do we do planful restoration and replacement of certain assets, because how would you trust it again? That's the difficulty that still prolongs even to this day. Obviously, to this day Ukrainians are focusing on other things, but that was the thing that was leading up until the most modern piece of this warfare: how do we trust our electric system ever again? We don't know. Hopefully that story time was also, my, I
just have a cheery talk today this is like you know everyone should feel happy and just like go happy go lucky has been awesome everyone talk about something happy like donuts any other questions concerns awesome get some lunch uh I'll be around thank you thank you
on we're good all right awesome uh so again I work with triaxium security and I am a pen tester with them so as a pen tester part of my job responsibilities are running social engineering exercises for some of our clients and to be successful at that I have to look for information that I find that will make my communication with them appear more authentic and that can be used to create attack vectors now thing is these are the same tactics that a bad actor will use when they are targeting uh people that they're going after as well so it's important to be aware of these tactics so that we can protect ourselves and our loved ones
So this presentation is not designed to, you know, be oh my God, you know, scare everybody. I'm a firm believer in awareness; that way we can make calculated choices in RN for what we want to allow to be disclosed that can ultimately affect our day-to-day lives. So here's four things we're going to cover today: we're going to cover OSINT, what is that; we're going to cover what can people see about us online; how do people find this information out; and most importantly, how to take back some control over that information that's out there. So jumping right into OSINT. OSINT is an abbreviation for open source intelligence; all that means is that this
information is publicly available there's no hacking required to access this information so typically when somebody is collecting this information they'll collect it piece by piece those pieces go together from multiple sites and then from there you can create even more crafted and specific searches so I liken it to putting a jigsaw puzzle together if you have one piece of the puzzle now that by itself may not mean so much but you start putting more of them together and you start forming the whole picture and then the more pieces that you put into place it gives clues about where those other pieces that you have left go and eventually you have the complete picture so the ways that people find this out um
it literally just starts with a browser and Google and just looking for internet searches from there it could go into social media profiles and posts and social media especially because everybody likes to talk about their interests right um but sometimes the conversations give Clues to things that maybe they shouldn't give clues about um they can be hints to passwords somebody talks about a certain subject all the time or family member's name um or pet's name and then that becomes their Wi-Fi password cynthia123 something like that I've seen it it's out there um looking up unique usernames if you have a username do you have a really cute one that you think is really super cool and you're really proud of it like
oh my god this is my handle everywhere all over the Internet that's awesome just also understand that can be used to trace back to you specifically as well and then finally uh deep web searches now Deep Web of course is different than the dark web all Deep Web means is that that information is not indexed by search engines but it's where the majority of the information on the internet lies now just because it's not accessed by a search engine doesn't mean it's still not available for you for anybody really to see if they know where to look so one of my favorite examples of this are things like County and state tax records um if you know where somebody lives
you can see a lot of times you can look up real estate that they own sometimes even their car information just by going to the county or state tax website um and real estate you can find things like of course if you find that you're going to figure out their address there's also documents that get uploaded to register Deeds like Deeds of trust sometimes mortgage info you can see who their mortgage is with how much they took the mortgage out for they're for the monthly payments stuff like that if it's vehicle ownership it could be the kind of car they drive sometimes even their license plate now this will vary by state and County but
that information is literally just sitting out there other things that people can see addresses current and previous phone numbers email addresses going all the way back to that AOL address you had 25 years ago social media profiles on the different networks dates of birth maiden name relatives neighbors political affiliation online reviews now online reviews is a really interesting one because um people like to run their mouth and give their opinion on on everything right so if you're always checking in or reviewing restaurants in South Bend Charlotte on a Friday night now somebody has a pretty good idea of where they can run into you also if you if you tend to engage in conversations on forums you have you
have items that are very valuable, like a rare wristwatch for example, you know, and somebody's looking for something like that, they can take that's one piece of the puzzle, but then they can start taking those other pieces and you kind of see where that can go from there. Now this applies to business information as well. I was doing a pen test a few months back and it was for a repeat client, and they wanted something different on their social engineering exercise, so I was actually able to figure out who the company used for their HR software. The way I was able to figure that out was I was just looking for the logo
in the search engine. That led me back to the HR company's website, where they had our client's logo sitting there with the big testimonial about how happy they were with the HR company's software, which of course got my brain going: now we have an attack vector. So I created a fake portal that looked like that HR company's login, sent a phishing email out: hey, we're upgrading our system, we just want to make sure everybody's account is transferred over, you know, please log in by the end of the week so we can have a successful rollout next quarter. Spoiler alert, it worked. It worked because people were already familiar with it; there were
no real red flags that well there were but they were more hidden but anyway it worked this is an example of some stuff that um okay so I picked on somebody that had the unfortunate look of sharing the same name as me and I just went to town on them and see what I could find um all the stuff I put in red boxes there found age social media profiles previous current addresses relatives neighbors uh this is really interesting length of time you lived in his house uh median home value median household income and aliases so I gave a um slightly different version of this feature the Queen City skitties meetup group and the morning of the talk uh I
decided oh hey you know maybe put an example like this in here would uh would be beneficial because it's always better to show not tell right um all that information based on the last two slides I found in literally 10 minutes while watching a Formula One car race and it took longer to redact all those flights and put them in the PowerPoint than it did actually find that information once I had the person you know once I found the person it was off to the race poor guy so why does this matter well have you ever had to answer a password reset question or have you ever had to prove who you are to a credit bureau like especially
credit bureau they're going to ask things about current previous addresses you know who's your loans with how much are they things like that now if you take all that information that we looked at in before and you think about it in this context you can kind of start to see some of the potential issues there um stalkers here had to deal with the stalker and I'm not trying to make this sound sexist but disproportionately this affects women the most um I also have teenage daughters that I care deeply about and kind of glad the presentation is being recorded because anybody who wants to try to date them I hope they see this remember me because
I am that Dad I promise you it's not just women though that that this affects um I had this happen at one point in my case it was more annoying than anything else however I completely understand in many many many most actually other situations that is a far more serious situation that sometimes has deadly consequences um and then there's you know looking at these sites you know did you all agree to have your information posted out there like that we kind of did we'll talk about that later but if if you know that that's how it's going to end up maybe different choices would have been made along the way so an attitude I hear frequently is well
somebody wants to know all of that about me, that says more about them than it does about me, then maybe. This is a scene from a movie that was shared with me at one point, a movie called Anon, and what it's about is, it's in the future, it's a surveillance state, everything that everybody does is recorded, so you know if a crime is committed, law enforcement can go back, review everybody's records, memories, and they can kind of see the perspective of everything, of how it all went down. Amanda Seyfried's character here, she's actually figured out how to erase those memories and mess with the
algorithm and how to stay invisible herself while she is just walking around everywhere. She played opposite Clive Owen, and Clive Owen asked her why it's so important for her to stay invisible, and this is what she said, and this is something that always stuck with me: it's not that I have anything to hide, I have nothing that I want you to see. And isn't that really the point? It doesn't mean you have to live like a prepper, it doesn't mean you have to be a recluse, doesn't mean you can't ever do anything online, doesn't mean hiding from everybody. The point is to be aware that this information is out there and then decide what your comfort level is with having
it there so before we get into what to do about it you know let's take just a quick minute and talk about how we got here this information is collected from all sorts of different sources rewards programs social media posts social media games uh mailing lists um data that your mobile apps are leaking uh web browsing history cookies that are put in there credit card transactions now even those are even though those are anonymized you start combining with the data points not too hard to build a profile anymore is it online surveys we might have taken and then public records like like we talked about so there's an old saying and I'm sure we're all probably familiar with it if
you're not paying for the product then you are the product so this information is all collected from these sources other sources it's licensed up about 87 000 different ways then it sold off to the highest bidder over and over and over and over and over again so we kind of did this to ourselves we voluntarily gave up this information we agreed to let it be used in this way because you know raise your hand if you've read every single terms of service agreement that you've ever agreed to of course Matt has a uh the the one percent stick out right um but we all did that so we could save 40 cents on a loaf of bread you know and
do that enough times, here's the end result. Now, criminals misusing this information, that's a whole different discussion. John Oliver did a fantastic piece on data brokers about six months ago; that clip is available for free on YouTube, and he goes into that really in-depth. It's a very well researched piece; if that's something that interests you, I'd recommend checking it out, and in true John Oliver fashion, at the end he does something extremely funny with it. I won't spoil that for you, but it's worth the watch. So now, how do we get rid of it? Well, first step, just Google yourself, see what information shows up, see where it shows up and what
you can see. Now, a lot of these services, like the ones we looked at before with people's information, do have an opt-out page. I did this myself as a personal project to erase all this stuff. Oddly enough, they actually honored the opt-out, which I was frankly pretty surprised by. They have an opt-out page, probably because legally they have to allow that, but they do not make these opt-out pages easy to find at all. Sometimes if you Google the name of the service plus "opt out page" it'll lead you there. And the reason they don't make it easy is because you're messing with their business model; you're messing with their money.
Sometimes they require a reason for the opt-out. Reasons that could exist: you work in law enforcement so you're afraid of retaliation, stalker or harassment victim, identity theft victim. When I went through and did this I used the stalker and identity theft ones. I never got asked to prove that what I was saying was true; it just kind of took it with a grain of salt. That's not to say it'll never be asked, but a lot of times it's not. And if you have any qualms about stretching the truth, in case any of those situations don't apply to you, remember Equifax did us all a favor: we're all at risk for identity theft since they leaked all of our
information a few years ago. So thank you, Equifax, and you're welcome. And then the other thing is to look at the permissions that you're enabling on your phones, tablets, laptops. You know, does that game really need access to your contact list? Does it need to know your location all the time? Just kind of look at it with more of a critical eye, and again, decide what you're comfortable or not comfortable with. Now the fun part. So we see how this information gets out there now, right? We know that it's collected, so why not screw with it? You know, when you're signing up for a rewards program, if it's a place that you
frequent, you know, cool, more power to you. Do they really need to know your date of birth or your real phone number? Are they really going to verify it? Probably not. I know when I do that I like to use April Fools' Day as my date of birth, and August 29th, 1997. If you know why that date is significant, I'll be around the conference; I'll give you a high five, I mean you're as nerdy as I am. So put that information out there, misinformation, out there intentionally. Leave it out there, let it screw around, you know, mix it up a little bit. Does this work? Yeah, it works. So like I said, I did this with myself, and
funny story with it. Back where I grew up I had some very dear friends; they were coming up on their 25th wedding anniversary, and a friend of theirs wanted to throw them a surprise party. Their friend knew of me but we didn't know each other, so she went on this hunt for months trying to track me down, looking up all the Chris Horners in North Carolina, and she finally had to give up and ask our mutual friends, "Okay, look, how do I reach this guy?" And so they gave her my number and we had a good laugh about it. But it
actually can work. Now, the downside to that is if you go too far, if there are reasons that you may need to be found. Again, you analyze your own situation and come up with the comfort level that you like. So this just scratches the surface; you can go really deep down the rabbit hole on this, and we're going to look at some resources on that. And I do have to say, you know, with any of these resources, neither me nor B-Sides nor tracking security, we don't care if you use them or not; nobody gets anything. These are just resources that we have found to be helpful, or at least I found to be helpful in my personal experience,
and, yeah, again, nobody cares if you use them or not, but here they are. Heath Adams with TCM Security, this might be a familiar name to most of us here. He has a whole course on OSINT and how to use it, how to look it up, even some fun little challenges to see how good you are at finding some of this information. He actually put that course out for free on YouTube now on his The Cyber Mentor channel, and it's really good. He's also got some shorter videos in there as well on how OSINT information has been used or misused, some examples of it. And it's all free; that's the right price.
Michael Bazzell, now he's an author and he runs a website called inteltechniques.com. This dude treats this topic like a blood sport; I mean, he is absolutely amazing on this. One of the resources that he offers on his website is the checklist of these aggregate sites, and there's a ton of them, ones you've never even heard of. It doesn't necessarily mean you have information on those sites, but you can use that as kind of a checklist if you want to go down and figure out where your information is or isn't. He does have a book, Extreme Privacy. I own it; it goes deep. I mean, he starts getting into burner phones, prepaid cards, how to hide real estate
transactions from prying eyes like we looked at before. Not from the government, not from the IRS, don't get too excited. But what I really like about his approach is that he very much advocates living a normal life. You know, you can have your friends, you can go out, you can do things, you can do whatever you want, just not giving up information you don't necessarily need to give up to people who don't need it. But with this book, his clients tend to be very high-profile people, celebrities and so forth, who need that level of anonymity, and this is his playbook for how he sets those folks up for that. Like I mentioned, I gave a version of
this at Queen City skitties, and one of the attendees actually brought a service to my attention called DeleteMe. Now this is a paid service. Again, no affiliation to anybody or anything here, but it automates some of that removal from those aggregate websites. The reason I wanted to include it here is because they actually do have a lot of good resources on their site. They've got some really good articles about it: how did you get here, what do you do about it, and then in the middle, I've got the red box up there, a do-it-yourself opt-out guide. So if you don't want to pay for the service, they
even show you how to go through and do it yourself, so that's why I decided to include it here, because it really is a solid resource. That's it. So while most of us here, being in the cyber security industry or enthusiasts, are interested in maintaining privacy and security, a lot of people in our circle really don't even know all of this is going on behind the scenes, and they look to us as experts. Just like, you know, I'm sure most of us if not all of us are not doctors, so we wouldn't want to give medical advice, but we are the experts in security and privacy to
the people that we know. So I always say it takes a village. It's important to look out for our families and our friends; we can help all of us to stay safe. Let's go eat. [Applause] Of course, yeah.
bonus
questions
I like I like to walk around
Maybe
should we swap
Oh, we have our slides too, thank you.
No, I think it's still over there. I'll switch your mic.
Just, uh, can everyone hear me when I enunciate my voice? Cool. Maybe. Perfect. That's disappointing.
numbers and the content cyber security times
exercise
already up. There's a lot of operations; I didn't write it. Cool. Yeah, hey, what's going on everyone, thanks for listening to us trying to figure this out. So everyone here is hopefully trying to learn how to stop their cyber security program from failing. I'm the threat actor, my name as he alluded to; I'm the managing lead for offensive security at Echelon. A fun way of describing what I do is I'm the emulated mob boss of a group of emulated criminals: a red team, all the way down to your physical break-ins. If a criminal's going to do it, we can emulate it legally; that's the way I like to look at it. I'm also a
malware dev, done it for quite a long time, started to teach malware dev, even taught a course out at DEF CON, so if you want to learn more about that, hit me up. Prior SOF, or Special Operations, radio operator, so I started out helping comms and then moved over to offensive cyber operations before targeters and all the wonderful restrictions came into place. The hacker name I go by is APT Big Daddy. I used to not go by this; it just ended up that at a previous employment I was writing malware and used to sign it APT Big Daddy because I thought it was the funniest thing in the world. Yeah, they ended up announcing me, though: they
installed a bunch of software that they caught in time, because I didn't obfuscate or anything. I go into a threat intel brief and they're like, hey, we've just been breached, there's a new op, a new APT, they're calling themselves APT Big Daddy, and I'd be like, oh guys, hey, that's me. Ever since, it kind of stuck. So, a little bit about who I am, right? If you want to follow me on social media, I would much appreciate it; I always love to share knowledge and grow everyone's skills inside this field. It is a highly specialized field, after all. If you want to check out the people who pay me, Echelon Cyber is our website, and if you
just want to check out some dumb blog articles or YouTube videos, The Cyber Radius is those. Before we get into all the bean-filled PowerPoint, I want to start us off with a little bit of a thought exercise, something to think about, and it's something I learned in the military and in combat: the person who makes the least amount of mistakes wins, right? We're going to make mistakes; ultimately that's the way it goes, and cyber is the exact same way. Granted, you're not getting punched in the throat, but it's still... okay, nice. So, like, if the defender makes a ton of mistakes, they're not going to catch the criminal, right? If the
criminal makes a ton of mistakes, the defender's going to catch it. It's all planned to distract you from this terrible analogy here. Anyway, keep that in the back of your mind as we kind of walk through this presentation. For the agenda today, we're going to talk about the history of cyber crime: where we've been, where it's going, how it's changing. We're going to talk about three common pitfalls that I see just about every team do, the blue team that is, and finally we're going to wrap it up with how do we verify that it's working. Man, my ADHD is going wild from
that stuff back there. All right, so a bottom line up front about cyber crime, right? It should be no surprise to anybody: cybercrime has been around for a very, very long time. You could argue that cyber crime's been around even longer than the 80s, but really the way that we see it today, Captain Zap, AKA Ian Murphy, was the first person to be convicted of a crime. He hacked into the American telephone company; he changed their internal clocks to be something other than peak hours, and this is just so people could call wherever they wanted, still for free, during peak hours. Super cool thing, right? Very Robin Hood-esque. He ended up getting picked up by
Apple like a couple of years later, so that might say something about Apple, but we'll leave that for later. Ultimately that's how the 80s and 90s were: people didn't do this for the money, they mostly did it for the memes, the lulz, whatever. If you guys remember, back during this time frame most of the viruses were just destroying your computer. It'd be like, oh yeah, you want to get to that Start button? Ah, nope, now it's over here in this corner. It wasn't about stealing money. Sure, there were bank heists that were attempted, but you still needed to have someone courier the funds, right? 40 million dollars was taken from a
pretty major bank in 1994 by a Russian couple. They came back to the United States to pick up that 40 million dollars from their bank account, and the FBI was there to pick them up, right? So it's a little bit different what it looked like back then. It really was just who got the best victim, who could deface Microsoft's web page, and the cost of damages was really based on what was ruined, not what was gained. That started to change around 2000. In the 2000s, you know, the internet boomed, got everywhere, it was worldwide, and so were threat actors. How many of you actually used LimeWire? Yeah, so you guys remember how virus-filled that was. LimeWire, Napster, these guys really enabled a whole new realm of cyber crime, for two reasons. The first reason was you could start to purchase stuff on the internet; credit cards made it onto the internet during this time frame, and threat actors were like, holy, that's awesome, right? And then we just gave them this distribution platform where they could just freely put their remote access Trojans everywhere. So we started to see a shift in how crime was happening. Phishing was transforming from those Nigerian prince scams of trying to get you to send money by mail order to a different country, to now, I'll take whatever credentials I can
find, whether that be your bank account or your Neopets account. Like, if the credit card's there, we're going to try to take it. Though still at this time, threat actors really still worked mostly in silos; we didn't really have the ability to communicate with one another securely without, you know, getting caught. The FBI was still pretty good at coercing people into giving up information at this time, so hackers were like, all right, I'll mostly still stick to myself. But the community of cyber criminals was growing, right? We started to see invite-only hacker forums starting to pop up during this time frame as well. And a fun fact about this particular decade: we used to have a 60 percent detection
rate on zero days; in this decade we dropped to 20 percent, which was the largest detection miss that we've ever seen. From then we've only gone down incrementally; it's still going down, unfortunately, but this was a major shift in tone in how criminals were working in the environment. Then 2010: this is when cyber crime became an industry, and it truly is an industry, it's a marketplace. Silk Road, Bitcoin, Tor, these things really changed how cyber crime works; it gave a safe space for criminals to communicate securely and transfer funds securely. What I think was really, really interesting during this decade is we saw initial access and credential compromise sales
like skyrocket, I think it was like four thousand percent. People used to trade stuff, right, but it was very much like, oh, I already know this guy, he's down the street, my mom vouches for him. Now it turned into, I don't know who you are, but if you want to buy a hundred remote access Trojans, I'll sell them to you for four Bitcoin, right? And at the time that was relatively cheap, right? That's not to say now; now it'd be roughly about 100 bucks, you could still buy about 100 RATs for a dollar each. Aided by Bitcoin, the industry really exploded. The fact is, during this time we really didn't know how to trace through
the blockchain. Yeah, everything was public, we still knew where the funds were going, but we didn't fully understand how it all worked. So an industry was born, to where now there were marketplaces to buy and sell everything that they needed. And then in 2010, this is probably the worst time frame for many cyber security professionals: government spying tools like EternalBlue, other things that Snowden released, things that WikiLeaks released. These really amplified the tool sets for threat actors, even the opportunity to use tools that were used mostly for espionage, and now there was no fix for it and nothing was coming around the corner as far as fix actions, right? We
still see SMB being just as insecure as it was in 2017. So, pretty bad year, but it definitely got worse. You know, 2020 happened, COVID happened. I don't need to be the first person to tell you that it definitely changed the world for the worse. I mean, cool, we get to work from home now, but that's kind of a problem. Don't get me wrong, I love working from home, even as an extrovert, but as cyber security personnel we have to see that the threat landscape has changed. Threat actors no longer needed to be internal to an intranet; they could just be internal to your home, and a SOHO router is a lot easier to
hack than a Cisco router, mainly because we never patch it, right? How many of you actually patched your SOHO router? Okay, a handful, right? Likely it's vulnerable to quite a few attacks. Hackers really had this new playing field to their advantage, and they took advantage of it majorly. I mean, in 2020 alone we saw an increase of 300 percent reported; that doesn't go into the unreported, which is still a large portion of cyber breaches today. And then just as a fun little fact here, in 2021, last year, they dropped the numbers: about 70 percent of breaches now are financially motivated. So we've completely 180'd from the whole "I got
Microsoft" to "hey, I can make pretty good moolah here." The average cost of a breach is 4.24 million; that's worldwide, in the US it's double. And then the average lifecycle of a breach is 286 days, and that's from identification to containment, not actually the breach; the breach number is more like 212 days. So all in all it takes us about a year and a half to fix the attack, and I don't think it should come as any surprise to anybody the reason why: that is ransomware, right? Ransomware has been around for decades; it's even been around since the early 2000s, but in the early 2000s ransomware was more of a gotcha, you're
never getting your stuff back, to what we saw more so in the 2010s, late 2010s, to where it's like, oh, we can make money off of it. In 2016 we saw the first ransomware as a service. I remember a lot of my colleagues laughed at this; they're like, ransomware as a service, what do these people think they are, a company? Yeah, yeah, they do. And what really solidified ransomware as a whole was WannaCry. In 2017 WannaCry was released, and in one day alone they impacted 230,000 hosts, in a single day, for an asking price of 300 to 600. That's about 69 million to 138 million in potential revenue for a single day. It's
worth the work. And that was all thanks to EternalBlue, a government spying tool that got released to the internet. So once that happened, the rest is written in history. In 2018 we started seeing C2s integrating with ransomware, and then we no longer have ransomware as a service, we have malware as a service. Pretty terrible crap going on, right? So, as a quick recap for those who need to see this in MITRE: when we look at 15 years ago, right, it was very, very limited. Sure, you had one super cool, like, elite hacker doing malware dev; they're out there just doing it for the memes, doing it for the lulz, maybe they're doing some data extortion
through, like, threat of release of data, but for the most part companies were kind of like, all right, cool, you got our employee list, who cares, right? Now it's a little bit more dangerous. So today one could argue that this whole thing should ultimately be filled, but when you look at threat actors combining, they still miss some TTPs here, but it's multiple groups working together, or one large group working as, like, a major company. For example, multiple groups working together: who's familiar with Magecart? Okay, a handful. So Magecart is a threat actor that installs credit card skimmers on e-commerce sites. They don't get their own access, they
don't hack their way in; they buy the access from initial access brokers and then they install their credit card skimmers inline. So they're buying it from somebody else. One big group working with multiple professions would be something like Conti. Conti, as you guys all remember, got in a big fight with one another because of the Russia-Ukraine situation. A lot of people focused on the malware, which is cool, I thought the malware was cool, but nobody seemed to really focus on the background documents. They had, like, sales engineers, you know, people that say, hey, if they're going to spend this much or give us this percentage of the ransomware, or the
ransom, we'll give them X percentage as a discount. They had marketing personnel telling them how to market, they had recruiters, pay structures; like, it was a cyber security company with no morals. So really the dynamics changed, right? The cyber crime industry became companies and pay structures and all that stuff; it's weird to look at. But ultimately, how they make money today is so different than how we expect them to be making money, right? Actor one buys from actor two, or the other way around: actor one sells initial access, actor two installs ransomware, and then actor three just makes the money because they
made the ransomware. But when we look at most security programs today, we still look at them as a single actor, right? Sure, Conti is important, they did a lot of damage, but REvil sells their malware and doesn't really do a whole lot of the exploitation on the side. So we haven't really caught up with this mentality that the cyber crime industry has really changed. Some other quick facts here about cyber crime in today's world: about 18,000 dollars lost every minute due to phishing attacks. Global damages last year alone were more than the GDP of the world minus the US and China,
and we saw an increase in malware use by 358 percent, and then ransomware alone in 2020 was up 435 percent. And as we'll get into a little bit later here, we still don't test for these in our pen testing and red teaming engagements, right? The majority of those engagements very rarely ever use ransomware, neutered ransomware or neutered malware. If you need justification for more funds from your executive staff, just give them this number: the average ransomware payment grew by 518 percent, so it's around 570,000. That's just the payment; that's not the continual damage that they'll continue to do. And then a fun fact here: about every 11 seconds somebody gets hacked and is
hit with ransomware. And I don't know if the FBI mentioned this, but in the US alone we have a detection and prosecution rate of about 0.05 percent. So if anyone in this room has ever been like, man, I could get away with a cyber crime: yeah, you probably could. You probably could. So I'm not saying go out and do crimes, but I am saying that's a pretty bad number. So how do we improve, right? Where do we go from here? Cyber crime's changed; how do we change? Well, first off, I think we have to check ourselves before we wreck ourselves, you know. First one that I see on every
engagement I've ever been in, from Fortune 10 companies down to brand new startups: we just ignore the basics. Look, I get it, that SIEM, that EDR, whatever is being sold to you, is sold as, like, the greatest thing in the world; it's going to solve all your woes. To be honest with you, it's not. If you still got Windows XP on your network, it's definitely not. I mean, ultimately everything is worthless without the basics. If we don't do patching, strong passwords, or user awareness, you're just going to get whacked, and it's not a matter of if, it's a matter of when. So let's dive a little deeper
into this. Let's talk about passwords, right? Probably many of you have seen this; it's a chart that discusses the complexity of a password and the time it takes to crack it, and I'm here to dispel this myth. This is what the chart should actually look like. Huh. The ultimate reason here is, there's a few things. First off, password reuse: the most dangerous activity, or most dangerous practice, in cyber security. I don't know why we still allow this, but stop letting your admins use the same password that they use for their low-privilege user. Having the same hash, I'm like, oh, okay, cool, I've just privesc'd, and I can tell you that's
happened quite a few times. Also, stop letting your users use the same damn password. Password11!! is the same thing as Password22@@, it really is, and that's because we as threat actors, we as emulated criminals, or criminals, we don't crack passwords, we don't brute-force them, right? That chart from earlier, yeah, it's true: if you try to brute-force something of a large complexity and length it's going to take a long-ass time. But we've moved away from that. We now do something that's called password rules. Password rules allow us to take a password, let's say the base password, and set a set of rules to it,
like this: two uppercase, two lowercase, two special characters, that kind of thing. It'll print us a password wordlist with every variation, according to NIST, of "password," which is great for us, bad for you guys. This just makes it really, really quick; it's easier to go through a password list than it is to crack things individually. What we've seen in our own engagements is we get about 10 percent of an entire company's passwords cracked, using NTLM, with just, like, hardware that you find in a laptop, within 24 hours, just by using password rules. So, pretty important. Ultimately, to have a good password you need two things, which is entropy, or
chaos, and key space. You can accomplish this by smashing your face on the keyboard and it'll give you both, ultimately, right? Other ways that we can improve passwords: we need to stop letting our users use really common stuff. If you don't have a password block list for your Active Directory or any other authentication, you need to. For example, "Password," or a season and then the year, is so common: we can password spray in a region and we'll usually find one or two passwords into an environment. Also, something region-specific here: if we were looking to get into, for example, not saying that we are, Bank of America, right? GoPanthers2022. That's your password
today; change it, please. Try to avoid using those regions, right? So we need to start blocking that stuff. But now that I'm telling you, hey, we need to start changing the way that we do passwords, we also need to change the way that we refresh our passwords. We need to stop asking our users to reset things every 90 days. Ultimately, if we're going to ask them to remember a super complex password, we need to not make it so that they go back into the pattern of just changing one character. So that takes length, takes complexity; let them keep it for a year or something in that sense, right? We can still do password resets, just not every 90 days,
but for you admins, you don't have a choice, sorry buddy. Ultimately you should just probably implement a password manager, and, oh God, please don't put the password manager's master password in a text file, you know, or the OneNote that you guys have shared amongst your admin group. I've seen that a lot. OneNote's not a password manager for your password manager, right? We don't need that. Ultimately though, you know, an admin password needs to have an expiration date. One final thing here, a bonus on passwords. I actually made this for the Uber hack, and when I saw the Uber hack I was like, oh, justified, and then
I realized it's a really bad thing to celebrate. Ultimately, MFA is paramount to your security; you need it, but please, guys, stop using push. We've realized that push doesn't work. Sure, the hacker that got Uber and the others just pounded them with MFA requests; there are smarter ways to do this. We actually usually just ask, but we log in at 9am, 1pm, and because that's common for people to be logging in, they're like, oh yeah, okay, hit. Ninety percent of the time we get in; the 10 percent that we don't is because the company is so small that they're just better aware, I guess you could say,
that, or they just don't like working there, who knows. All right, second basic that we needed to talk about: patching and lifecycling. Seriously, why do any of you have 2008 R1 boxes on your network, or 2003, or XP? It's been gone for ages, and I get it, a lot of times it comes down to justification to your business, right? Like, how can we justify the business expense? Well, you can tell them we could get rid of it, or we could spend half a million dollars a year from now when we get ransomware. Ultimately, the two suggestions I have here with end of life: if you can't remove it
from the domain for some odd reason, segment it so hard that you can't do anything with it, right? It does not need to be on your network, ultimately, and if it's end of life it likely doesn't have the ability to have an EDR on it, so you can still hack it very, very easily. For us hackers, especially red teamers, I would say ultimately that's the way we get privesc in most of our engagements. If you want to improve on your patching and lifecycling a little bit better, for those who don't know about patching segmentation, I figured I'd throw it in here. I think this is probably the best way to do patching, to justify a
quick rollout: start with your admins first, they know when problems arise, then move on to the group that has the least business impact, then to the largest business impact. But ultimately there should never be a critical vulnerability on your network longer than a month. It doesn't matter if it's external or internal, because you're only as secure as the least secure system on your network, right? As we'll get into a little bit, I don't need to hack your external to get internal; there's plenty of other ways that we can get in. Ultimately, I shouldn't see EternalBlue or MS08-067 on any network. If I see MS08-067 on your network, we're going to have words,
and I am not shy to explain when things are bad. All right, last basic I want to talk about is user awareness. Fun fact: about 91 percent of all external attacks start from phishing. Shouldn't be any surprise; it's a pretty good vector. The thing that we have to remember is the user is still not your enemy. We like to joke about that as security guys, but ultimately it doesn't matter, because our team has a 30 percent success rate against IT teams, so if you think you're better, you're probably not. Most of the reason why we see this: most of the internal phishing campaigns
lure everyone into a false sense of security; they're too easy. Why are there, like, 17 spelling mistakes inside that email, right? Yes, those exist, I'm not going to argue against it, but targeted campaigns against companies are very, very good. Plus, the exemption for leaders and executives is such a poor practice; it leaves a gap in your security. Even if your CEO gets mad, be like, kick rocks, dude, sorry man, you need to learn. I'm not telling you to go piss off your boss, by the way. But as a quick thing, let's take a look at this. This is Grammarly Business, right? Spot the phish.
Grammarly Business. Don't mind that one's thinner than the other; it's just the HTML when you drag out the window. Both links, or all the links here, go to shortened URLs. The only difference here is the email header, which I purposely didn't share because then it would be way too obvious. But when you look at this, how many of you think it would be the one on the left? None. How about on the right? Still none. You guys are just believing that there is no phish here; you don't believe me. Yeah, there is. Actually, there is no difference, ultimately; the one on the left is the fake one, and you would only know because it's
not grammarly business, it's grammarly biz, or grammar for us, or whatever you want to name it. But this is a service people want, right? This right here will get you a large percentage of your company, no joke. I've seen it, I've done it; it's good stuff. So, how do we fix that, how do we fix phishing? I've seen this year over year on our own stuff, right, from our own campaigns, going from a 40 percent success rate to about 15. But ultimately, train your users how you want to be treated. I get it, we're IT admins, we get dogged on all the time, people are not happy when we make
changes but most of these people that they're not happy they're not cyber Security Professionals they don't know um I mean the fact is about 64 of Americans don't even know if they've been part of a breach because they never checked that's bad uh so really to change it up we need to start changing the communication that we give to our users users shouldn't be punished for clicking a phishing email at least not the first time maybe the second time or the third time right the first time encourage your users to come come talk to you because the quicker you can get ahead of this the quicker you can identify and close the gap um we've seen where where where that
culture is is given to their users really did change the success rate of our own campaigns one company that we worked with they had a zero tolerance click um uh Zero Tolerance per clicks right to fishing uh we had like a 90 success rate it was insane and then we gave the suggestion hey maybe you should change the culture so you you know encourage them to come forward they're not going to get in trouble it went down to like 10 15. which still not great but better much better uh encourage your users to talk to one another we're better at detecting something being weird if we can talk to one another we go does it look right ah
no probably not throw it away uh and then email and subject editions post fixes whatever you want to call them uh yeah there's email fatigue But ultimately it gives a little bit of something maybe fishy here right all right let's talk about Pitfall number two because we got more to go uh Pitfall number two No in fact this job is stressful or a bunch of other magazines they'll put our job in the top ten it sucks burnout is real and burnout causes mistakes teams are Spread Way Too Thin there's a Manning shortage uh it's really hard to find good analysts and good practitioners and yet while this field is so massive I mean you guys heard the
FBI guy was like, oh yeah, he has to be a jack of all trades. That really doesn't truly exist; I mean, there's one John Hammond and that's about it, right? It's not logical to expect doctors to be able to perform every aspect of medicine, so why should we have to be able to do reverse engineering (oh, I'm touching the mic, sorry guys on the internet), why should we have to do the same? The most dangerous people to make unhappy in your environment are the security staff and IT admins. Threat actors do pay a lot of good money (again, don't go talk to threat actors after this talk), but I've seen like 20% of a ransom go to admin credentials if you provide them, right? That's a good payday; you could retire in Belize with that. Probably not, but ultimately, they're the worst people to make mad, the worst people to stress out.

How do we fix that? Hiring. It's more than likely your HR's fault; I'm not blaming you guys, I think everybody in here knows, but your requirements are way too strict. This is probably going to make a lot of you mad, but a degree doesn't matter. It's good to have, don't get me wrong, for all the students in here, it's good to have, but curriculums don't change; cyber changes hourly, right? Back to the matter: it's nice to have, but we need to drop it as a requirement. I don't have a degree, yet I could probably hack every single one of your networks, and that's not me being boastful, that's just me saying I know how y'all's networks are. We're also in a staffing shortage. This is what most hiring managers don't understand: we have way more jobs unfilled than we have filled. So we need to stop saying "hey, junior" for a senior-level job at junior pay. We need to make this solidified, and we have to do that as a group; we can't just rely on HR, because HR doesn't understand. They don't even check to see if they're part of a breach. I'm not saying go look up your HR manager on Have I Been Pwned, but it could be a good argument. The last thing I will say about this is: hire interns. Trust me, interns are the way of the future. Why? They're replacing us. I don't do the technical work anymore, as much as I wish I did, but the interns that are coming in are going to be replacing my seniors and my managers so that they can lead the next group. They're hungry to learn; they want to learn this job as much as anybody else; they're cheaper, no offense guys, but you're cheaper. So let's bring them on, let's stop hiding them in the dark. The old guard of "you need to have experience to do this job" needs to die off, because we don't have the manning capability to do that.

How do we improve the jack-of-all-trades, no-support problem? This one I think is pretty much on us as technical leaders to really drive; it's more so how we advocate. Every network has a nuance to it. It could be the exact same AD structure, the exact same program, yet this one over here you have to log into the Exchange server (I guess you don't have Exchange servers anymore), whatever, you have to log into the file server to log into DNS, or something like that. There are some nuances there, and when the turnover happens, when they leave, that nuance leaves with them. But the threat actors are probably going to be in your environment for a year, so they're going to learn the nuances; their retention is no problem, they're getting paid nice. So you need to make sure that retention is key, and invest in your people. Cybersecurity is a team job; we can't do it alone. If you're a single cybersecurity engineer and you're one of 10,000 employees of a company, I will be an advocate for you; hit me up and I will talk to your board, because it's not a single person's job, it is too difficult to do alone. And ultimately, when we do create these teams, we have to create a team with a good culture. Yes, we're nerds; most of us are introverted; most of us like to play video games in the dark. I myself play Dota with no lights on, I get it. It doesn't mean that I don't like having a good team, and even the quiet ones enjoy having a good team. So take care of your people. Send your people to training; it doesn't need to be a cert, but training in general. Black Hills Security, SpecterOps, even me, we all keep training as much as we can to teach people how to grow on this. It's good; [support] your technical leadership and reward it. That's really all I'll say on that. The last thing for everybody in the room: yes, we're all stressed, we're overworking, but you have to remember a strong work ethic requires a strong rest ethic. Take a break, take a breather; Log4j has been resolved, we'll wait till this Christmas to come up with our Log4j for this year. Breathe while you can.

All right, the last pitfall we're going to talk about today is communication with our executives and
other business units. Something I learned in the military, a phrase that was said all the time: communicators are... it says here "communicators are the worst at communicating"; what my sergeant really said to me was "communicators are [expletive] at communicating", and the emphasis really did go a long mile. Ultimately, we are bad at this. We use fancy acronyms and terms that nobody else understands. If I told a CEO today that my hacker name was APT Big Daddy, he'd be like, what's APT? It doesn't make any sense to them. So when we start telling our executives, hey, DNS, FTP is open, you can get there anonymously, they're like, cool, what does that mean? They're business focused; they don't give a... ultimately they just see the money, and that's their job, they're supposed to see the money, that's what keeps your company running. They just see us as paranoid IT admins with really expensive taste, and I mean, I've seen some of your guys' bills for some of those cool fancy tools; that's a really expensive taste. I'm not saying that's bad, it's just the way they see us. So it's not up to them to learn, it's not up to them to change the way they speak; it's up to us. Ultimately, this is really where we have to quantify the risk in a way that is understood in the business aspect, because failure to communicate properly is only going to amplify those first two pitfalls.

When we talk to our executives, we have to be realistic about our cause. We can't keep going, ah yeah, I could probably do it with that, right? Maybe we don't need this particular tool. If you know you need a tool and it's best in class, justify it. Be honest about what that is going to cost the company, but also be honest about how much it's going to cost the company if you don't invest. I mean, how many pen test reports have you seen that actually have "if this was successful, here's the cost it would be to your company"? Probably very few, right? I've read a lot of pen test reports in my day; probably very few. So if it's not in there, it's up to you to communicate it; the board needs to understand. We also need to stop talking with technical jargon. I think it's pretty obvious, but it's probably the hardest thing to learn. It took me years; the only reason I ever learned it was because I remember I was briefing a very, very high-up individual in the US government and they were just like, well, how about you hack his phone? I was like, sir, we don't even know where he is, how am I supposed to hack his phone? These guys just don't understand, and so translating in a way that they can understand is super important. The last thing I will say on this, and I've seen this be very successful in my previous employment, is keep your executive staff engaged. Throw celebrity vulnerability updates at them, right? Hey, EternalBlue just came out, we're vulnerable, 100% of our systems, we're screwed. Tell them, let them know, even if they're like, can you stop sending me these emails? No, absolutely not, I'm not going to stop sending you these emails; you can block me, but I'm still going to send them to you, I'll print them out and put them on your desk, how about that? A little healthy paranoia, right? We could all use a little bit of it, but enough for them to bring us in. The last thing I will say on executives is that compliance is something that can help drive your spending, especially as it becomes more a matter of law here in the United States. But the longer you wait, the more expensive it's going to be. So if your CEO or your CFO, whoever it may be, is scoffing at that one-million-dollar price tag, six months from now it could easily be two million. Or if you wait till Q4 to do your pen test, you bet there's a 30% premium going on there, right? Cybersecurity firms are already booked out and it's only Q3. Are we in Q3? I think so, or we might be in Q4 now; either way, people have been booked out for months. If you want to get stuff done now, you're going to be paying a premium. So that's something you kind of have to explain as well: it's not a "we can wait and we'll be fine" kind of thing, it's a "we can wait and we'll spend more money" kind of thing.

The other thing I will say about communication with your other business units, this is something a lot of us fail on, because that marketing team is releasing that super sweet rebrand, they're not telling anybody, they just made a whole new website, and then IT security gets brought in two days before launch, and uh oh, it's hacked. Seen that way too often. Ultimately, it comes down to policies, policies, policies, and plans. 77% of you don't even have an IR plan, despite how crime has increased in the last two years. So if you look around this room, likely one in four of you doesn't have an IR plan; get me their card, I would like to talk to them and see how we could help each other, legally, not illegally. Getting the backing of your CIO or CTO is really important, right? If you have policies in place that they are willing to enforce, because they're good policies, that will force marketing to wrangle themselves in and bring you in at the appropriate time; that will force the other business sections to stop doing shadow IT or rogue IT. It's actually really important, because ultimately policies translate to business speak a lot better than "it's insecure, bro, what do you want me to tell you?" They don't trust us; again, we're paranoid IT admins. Let's not be paranoid IT admins; let's take the extra step, let's actually fix some stuff. We've got to do it ourselves, though; we've got to put a little bit of
effort in here, right? Those IR plans, that patching, whatever it may be, those policies need to be put in place. So I've talked to you about some pitfalls, talked to you about cybercrime. How do we verify it's all working? What is the way forward here, after we've taken care of our pitfalls? What do we do? I don't think it should be any surprise to anybody here: I'm obviously going to be an advocate for criminal activity, emulated criminal activity. Ultimately, the commodity pen test does need to die, though. Doing pen tests just for pen tests' sake is a false sense of security in itself, because I can tell you, in a pen test, yeah, we might fail, right? We might not get to domain admin; you may have been doing okay at patching. But the likelihood is it's not true to how cyber criminals are really working today. The "train how you fight" principle is what created red teams in the first place, right? It's borrowed from the military. So we have to keep up with what the threat actors are doing. And I guess maybe the commodity pen test shouldn't die completely, because we still need it for the people who haven't even done [a pen test] before, right? Let's get them to a point. But ultimately we need to start moving towards adversarial emulation, and I don't mean adversarial emulation or simulation in the sense of red teaming, but more so just emulating criminal activity in more of a gray-box approach. This helps blue teams be able to do the detect, protect, and respond (or prevent) portions of whatever that framework is, I already forgot the name. They can work on what level of noise it is going to take a threat actor to make before we actually detect this, and go back and fix it. Because with pen testing, the noise is already there, right? A pen tester comes in, they're hitting you with nmap right off the bat, and they're like, screw it man, I'll be back in 45 minutes, we'll see what happens. But adversarial emulation is a lot quieter. It's starting off with smbexec or CrackMapExec, tools like that, where you're looking at legitimate processes; you're using LDAP and the noise that it makes by itself to pull down that [information] and inform you on what's a good decision. Ultimately, it allows us to do a lot of red team, or a lot of adversarial TTPs that are relevant to that organization, without the three-month time period it takes to do a real red team. Also, with adversarial emulation, malware should be used in about every engagement, and not just the generic "hey, I made a Metasploit payload and tried to run it"; it's building actual shellcode loaders that evade EDRs and AVs, to showcase what the techniques really are that are being used by threat actors today. Simulated ransomware: I mean, how many of you have actually simulated ransomware within your network? That's maybe one or two. Yeah, okay, about what I would expect. So how do you know that your EDR is actually stopping ransomware? Are you trusting them? I don't. If I'm ever recommending things, it's because I personally have gone through and tried to run ransomware or tried to run malware and that kind of stuff. So in an adversarial emulation engagement, it's: here's a box, this is what we want you to do; you don't have privileges on it already, so get privileges, run ransomware on it, and if you can fully encrypt that box, okay, we probably need to change some of our detection, we probably need to tune our EDR a little bit more. Yeah, I'm almost done, we're about to wrap up here.

How does adversarial emulation tie into the pitfalls? Basically: try-hard social engineering, actual good social engineering campaigns; confirming that your patch management isn't working, because a threat actor is going to abuse EternalBlue just like anybody else; it's going to showcase that your people are burned out, if they're burnt out, because they're going to miss alerts, they're going to make mistakes; and also, a good adversarial emulation engagement should include a communication to the board. That's not a cheap engagement, right? I'm not going to lie to you, it's not as straightforward as a pen test, but ultimately that should be presented as: if this was a real attack, what would that look like to our organization? So it can go a long way in helping out with that healthy paranoia.

All right, let's wrap up, because I got told I have a few minutes. Ultimately, the cybercrime industry is booming and it's growing; it's going to be at 25 trillion by 2025 is what their expectations are. It's a good business to be in, because low risk, high reward. And ultimately, if we're going to survive this, we have to change how we're going to combat it. We talk a lot, and we talk a lot about changing things, but we're never the couriers of our own success. We're not going out and actually writing the policies; we're not going out and trying to speak better to our executives; we're just going, ah well, we need to do it, somebody else do it, and then we leave our jobs and we go somewhere where they'll pay us even more. We need to change that, right? We need to implement the basics, we need to grow our people, we need to translate ourselves, and actually be who we say we're going to be. And again, security is hard; I'm not ever going to argue that. But that's my TED Talk. Thanks again, guys, for listening; happy to field any questions, anything on Discord, my Discord people.
Now just smiley happy faces, I'm cool with that. Oh.
Yeah, so with red teaming, just because I'm a little bit more familiar with that side of the house, right, you don't have to spend good money to be able to really learn the craft. Funny enough, Microsoft really doesn't care if you download their ISO and don't activate it, as long as you're not using it for the company (don't listen to me, Microsoft). But having a machine that you can purposely make insecure, and then downloading Kali Linux as a base distro, is always good. You don't need Cobalt Strike to have a good C2; there's Mythic, which is developed by SpecterOps, or was developed by a guy at SpecterOps, I should say, and has the capability of installing similar implants, time-based implants. And you have Sliver, Covenant, right? There are all sorts of free materials out there. The hard thing in cybersecurity is we're really bad at combining all that knowledge into a single space, so learning has all been mostly up to us. This has been changing with TCM and Black Hills, SpecterOps, groups like that, that have really been trying to drive the change into making it so that we can learn the minute facets of malware dev or Windows domain exploitation. But ultimately, everything's out there on the internet, right? That's the beauty of it. But I would start off with Kali and a Windows 10 box that you purposely made insecure.
okay
Yeah, so in most engagements that we do, adversary emulation, anything that lasts longer than a month, or a simulation, or the red team side of it, we've spent months in environments where we're just undetected, and it's really no fault of the engineers at the other end; it's more so that they spent twenty thousand dollars on a new EDR, a new SIEM, and nobody configured it right. Pretty much every TTP that's out there can be detected, even all the way down to the kernel level; it's just really how we tune our detection, how we capture it. As far as an antivirus detection piece to it, I would say never trust your antivirus to be the last line of your defense. If you guys know of antiscan.me, which is a non-distribute malware tester, essentially for criminals and emulated criminals alike, you can throw it in there and, like VirusTotal, it will tell you if it gets detected or not. If you look at any of those AV or EDR products, those are pretty common for what is easily bypassed. The stuff where it starts to get a little bit more difficult is your CrowdStrikes, your... what are they called, I forgot the other one, Carbon Black, right, these super deep EDR products. That gets a little bit more difficult, but ultimately they're still bypassable. So it's the worst phrase of cybersecurity: defense in depth.
Yeah, so most of it is just like a Windows process that we've disguised to look like any other program. I've made malware that disguises itself as a remote management program for an MSP, which most users are like, oh, new MSP, sweet, download, right? As far as communication outbound, HTTP, HTTPS, DNS, these things are very, very easy to just use. You don't need a constant connection; it just needs to go, hey, I'm alive, and then the server goes, hey, here's a command, and it goes, thanks, I'll see you in 10 minutes. So it's really not hard to obfuscate the communication portion. I think I'm at time, though. I'm at time. If you guys have any other questions, we'll be out there, I'll answer them. Happy to be here, and thank you very much. Thank you, YouTube people.
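The check-in loop described in that last answer (I'm alive, here's a command, see you in 10 minutes) is also what gives a defender something to look for, which is the detection side the speaker keeps coming back to. The following is an added example and is not part of the talk or of any tool named in it: it scores source/destination pairs in a proxy log by how regular their connection intervals are and flags the low-jitter ones. The log format (timestamp, src, dst, port, status, bytes), the addresses and the thresholds are assumptions; the sample log is constructed.

```python
"""Flag beacon-like periodic connections in a proxy log.

Added example; not from the talk. The log format (timestamp, src, dst, port,
status, bytes), the addresses and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real traffic). 10.0.0.5 checks in with a
# remote host roughly every 600 s, like the "see you in 10 minutes" beacon
# in the talk; 10.0.0.7 browses with irregular gaps; 10.0.0.9 has too few
# events to judge.
SAMPLE_LOG = """\
2023-10-01T10:00:00 10.0.0.5 203.0.113.10 443 200 512
2023-10-01T10:00:05 10.0.0.7 198.51.100.20 443 200 8870
2023-10-01T10:00:09 10.0.0.7 198.51.100.20 443 200 1204
2023-10-01T10:03:30 10.0.0.7 198.51.100.20 443 200 44100
2023-10-01T10:10:02 10.0.0.5 203.0.113.10 443 200 498
2023-10-01T10:12:00 10.0.0.9 192.0.2.33 80 200 300
2023-10-01T10:15:00 10.0.0.7 198.51.100.20 443 200 700
2023-10-01T10:15:02 10.0.0.7 198.51.100.20 443 200 9020
2023-10-01T10:19:59 10.0.0.5 203.0.113.10 443 200 505
2023-10-01T10:30:01 10.0.0.5 203.0.113.10 443 200 501
2023-10-01T10:40:00 10.0.0.5 203.0.113.10 443 200 499
2023-10-01T10:47:10 10.0.0.7 198.51.100.20 443 200 15500
2023-10-01T10:48:00 10.0.0.7 198.51.100.20 443 200 660
2023-10-01T10:49:58 10.0.0.5 203.0.113.10 443 200 503
2023-10-01T10:50:30 10.0.0.9 192.0.2.33 80 200 310
2023-10-01T11:00:03 10.0.0.5 203.0.113.10 443 200 500
"""


def parse_line(line):
    """Return (timestamp, src, dst) for one log line."""
    ts, src, dst, _port, _status, _nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst


def group_events(log_text):
    """Map each (src, dst) pair to its sorted list of timestamps."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        pairs[(src, dst)].append(ts)
    for ts_list in pairs.values():
        ts_list.sort()
    return pairs


def beacon_score(deltas):
    """Return (median interval, jitter) for a list of inter-arrival seconds.

    Jitter is the median absolute deviation divided by the median interval,
    so 0.0 means perfectly regular spacing and values near 1.0 mean the
    gaps are essentially random. A plain sleep-loop beacon sits close to 0.
    """
    med = median(deltas)
    if med <= 0:
        return med, float("inf")
    mad = median(abs(d - med) for d in deltas)
    return med, mad / med


def find_beacons(log_text, min_events=6, max_jitter=0.1):
    """Return (src, dst) pairs whose check-ins are regular enough to look like a beacon."""
    hits = []
    for (src, dst), ts_list in group_events(log_text).items():
        if len(ts_list) < min_events:
            continue  # too few samples to call anything periodic
        deltas = [(b - a).total_seconds()
                  for a, b in zip(ts_list, ts_list[1:])]
        med, jitter = beacon_score(deltas)
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "events": len(ts_list),
                         "median_interval_s": med, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Only the 10.0.0.5 pair comes out, with a median interval of about 600 s and near-zero jitter. Two caveats a practitioner would add: the C2 frameworks the speaker names let the operator configure sleep jitter, so the `max_jitter` threshold has to be tuned against your own traffic and a naive sleep loop is the easy case; and a DNS-based beacon never shows up in a proxy log at all, so the same scoring has to be run over resolver logs for that channel.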
I'll do my best to stay on time
good morning like Facebook yeah Children's Hospital of West Coast and one of the results Facebook .com Security offers into this responsible several times in addition number of the trials of Packers released team organizations his personal time people want to use the special order um alma mater Gonzaga oh boy
diversity. If you like that one, he hopes to continue helping organizations develop IT and information [security] programs that power their goals. All right. Oh, all good. As soon as April said that, I was like, oh wait, I'm in North Carolina; it's dangerous to say you're a Zags fan, but that's all right, for the basketball people, that's okay. All right, thank you so much for having me. Like April said, my name is Sahan Fernando; I'm going to talk about attack path management this afternoon. I'll try and keep it on time, and especially leave some room for questions at the end. I'm pretty informal, so one, don't mind me if I trip on that wire right there, but two,
if you have a question during it just you know raise your hand totally fine if you want to wait for the end that's also great so we'll just go over a little bit April covered most of my background so it'll be short uh short there but talk about where this topic came from why I wanted to talk about it with y'all today um how to identify attack paths just for time only go over one example of an attack path that we worked with at my organization and then just some kind of wrap up leave some time for questions uh yes that is the uh hospital where I work at that is my little guy I wanted to
bring him he decided he didn't really feel like flying this time but it does travel well uh San Diego is super pet friendly have a lot of canines around campus so April said all of this so I'm not going to spend two minutes talking about it I've been fortunate to do a lot of things work on both uh I started out as a sock Analyst at an mssp doing the tier one just trying to blaze through all the alerts do that whole thing and really start figuring out what does this actually all mean uh but I also was fortunate to work on kind of the engineering side work with help desk service desk projects and
and try and get a little bit more of a broader view partly because I didn't have anything else going on at the time it just worked out um just kind of the standard even though my employer is just all over this presentation they don't really have an opinion on attack path management so because my stuff not theirs uh if you have legal questions about it I'm sure we can talk about that so why and kind of where this talk came from uh some of you maybe all of you are familiar with things like Bloodhound and the great work that the spectrop team have really done over the last gosh at this point almost seven years I think the attack
path management Manifesto came out in 2016. um Andy Robbins I think was the primary author but a lot of great folks behind the scenes on that work as well and it really it brought together a lot of disparate pieces of information and thoughts and tried to tie it all together and went into building Bloodhounds so first of all thank you so much to those folks um credit to Andy especially for giving me permission to use some of their content to help build out what we were looking at and also some of the graphics which are now open sourced of course uh Enterprise infosec some of you probably work in it it's just it's so so complex um and it's easy to make
jokes and talk about how like there's all this crap over here and there's Windows 2003 over here uh we're a healthcare facility number one is always going to be how do we prevent loss of life and impact the patient's safety uh important distinction patient safety does not equal patient care there's a wide Gap there but it still affects the the organization's ability to treat patients and also capture Revenue because we need money Healthcare is a business as well uh on the back side and so for us we really I mean running bloodhound's awesome and you learn a lot but for us I wanted to look at a little bit more of how do I Bridge
you know as Cesar I really have to bridge very very non-technical stakeholders with very technical Concepts and risks and trying to bridge that conversation is where we try to look at it from right we have attack pass and we've talked about it especially with an active directory and how there are direct and indirect links from point A to point Z but uh what does that mean in the more business context so for those that aren't familiar with what attack paths are they're really just attributes that lead from one set of attributes to another so those could be systems how they're configured what are user behaviors on those systems and just again that link I didn't want to put that quote that's
been played out a billion times but John John Lambert I think at Microsoft right the whole Packers thinking grass Defender sync and lists right I mean that that does hold true and it's important but I thought this was a better representation of what we're looking at right there's just regular user and that can lead to an attacker's outcomes uh and so that's really what it attack path management to us has been about how do we look at the end state of what an attacker is looking for how do we work backwards from there how can they get there and we start to disrupt as much as possible but also how do we funnel them into higher Fidelity
sickness risk is just inherent in the system right I mean we always talk about it at my org in terms like chaos theory I'm a big Jurassic Park Fan and everything's all related and mixed together and it's one thing over here very much does lead to another thing over here and so if we start to navigate through the noise how do we force them into more like choke points in ways that we can detect the risk we've chosen to accept versus giving them opportunities to be silent in the background and just get away with whatever they want to do as I mentioned before Bloodhound has been kind of the gold standard on how do you view attack pass because active
directory is more ubiquitous but for me and how I try and convey it to my exec team even within the it organization we wanted to look at it beyond that that's just part of the picture and there's so many other ways that you can use people and kind of more process and thought process to expand Beyond just the active directory viewpoint so how we go about identification we start with what are the priority processes and it feels a little bit kind of business continuity disaster recovery almost we're really trying to proactively look at okay here are the highest risk processes that the organization either from a patient care standpoint from a financial standpoint some other other
things that um thinking about this very moon but really what does the org care about most and then we start to look at what are the systems the processes that support that what are they relying on and so that really starts to build the picture for us of okay so if accounts receivable is considered you know a top five process and it relies on this system this system this information exchange then we can start digging at it a little bit more uh you know and just side note pen tests are great but pen tests are within the context of who's doing you know that work they aren't there to do the business context analysis for you
you're the one that's always presenting hey the pen testers did this you know that's that's the bridging that you're doing and so it is a similar approach right uh for us it was always a big emphasis that tools we can't just spend our way out of the problem uh I'm very fortunate we have a really really engaged board to ask you know what do you need to help prevent some sort of big attack as much as possible yeah we understand that that's you know inevitable to a point uh but how can we lower the impact and you know I tell them they've got great supportive we're having these conversations but number one is that we keep investing in
our people um like the previous speaker said I mean you can't automate your way out of this problem uh and good people who just understand different attack pests and how attackers are working but also most importantly how does your organization run uh you can't you can't replace that um you know and Consultants can only do so much so for us some of the tools though that help Empower our team to identify different paths we use Bloodhound for sure but um some other ones that Standalone people use for identification of issues that but we try and tie that together so we do uh have like Showdown monitoring on the external side right we want to know if something gets opened up that we
weren't weren't planning on it weren't aware of uh ping Castle also a great tool not as many folks use that but very complementary to Bloodhound Bloodhound with attack brass what pink castle just pulls all this great information for us to look for misconfigurations because again that's a part of that attack path building is misconfigurations privileges how does the soul tie together we found a few through our EDR Telemetry as well that's given us that almost weird stuff that just pops up when you're logging right um and that's that's helped flag some weird behavior for us bone scanners yeah yeah they're fine but at least when we're presenting it to a broader broader audience we can at least
say well the bone scanner also says these CVS are here but that's really not a primary thing we look at that's more just help support the narrative uh one of the best things I found though is I'm a big believer in having good relationships and maybe that's just because I'm a seesaw I don't know uh it is so much easier to just go ask the admins of the system that you are looking at or people who support the processes ultimately of like like just tell them what do you see the issues with how things are going right now that leans a lot of insights because they are the ones who are going to know most and
especially if you educate them on here are some infosec things and what they mean to you. We do a lot of outreach like that. They're the ones that then come to us proactively and say, hey, I noticed my application doesn't have HTTPS on its authentication page and people log into it with an admin account, right? Those are the things where the nuance gets lost in a single tool. So building that out and piecing it together. Once we have what we feel is a good, solid attack path, then we really start to put it on paper in terms of here's a narrative, almost essay style. We use the SBAR format because we're healthcare, so that tends to get a lot of traction and people are familiar with how the information is presented there. Sometimes we put in some graphs; sometimes it's as simple as just: here are all the things wrong with this application, this process, or something supporting something else; here's our recommendation on how we want to fix it; here's what it means in terms of this risk being actualized. Even if we don't quantify it (we don't have to all the time), it's just the risk being actualized, and then the base unit for us is: this could lead to total system downtime, and we know how much revenue
we make per hour, and we make that calculation. Part of that mitigation plan is again suggesting, well, here are some risks that maybe are worth accepting after mitigation, working on that iterative process with the process stakeholders. So the example I wanted to call out: this was one of the first ones we found, where we had a legacy service account for business intelligence. It stuck out very quickly once I joined; we were running a couple of discovery things through PingCastle and BloodHound and it lit up every single one of those, unfortunately. It had unconstrained Kerberos delegation for entire OUs and had password change rights, which are two things right there where it's like, well, why? And then you also realize, why am I going to waste three hours digging it up? We know we're going to fix it. You've got to balance how valuable your time is, but sometimes it is worth pursuing, in a nice way, what was the context here, why did we do it this way, because that very much informs your mitigation plan, but it's also good for note taking on here are some outreach opportunities after we fix this on how we can educate. Because if there's a common theme of, well, the admins kept doing it this way because they didn't know any better, that's on us now to go back and teach them: okay, so going forward, here's what we want to do and why, because of X. The last two things for us: we saw the password hadn't been changed in a while, and the biggest thing from an attack path standpoint for us is that that service account was running on multiple critical servers. The processes for business intelligence were data driven; it informed a lot of reporting that was considered critical. And so for us we built out the narrative of, well, anyone could really get access to this service account because we don't have proper controls around it; especially Kerberoasting and password
cracking right away were just standing out as ways that it could be compromised. And then that starts the conversation of what the heck's Kerberoasting, again starting to inform your technical stakeholders as well as the higher-ups. The chain differs, the conversations differ, but you're still trying to inform them of what the risks are and then showing them that here is that path to critical servers, critical file shares, privileged accounts, and that's going to get them to whatever their objective is, whether it is just exfiltration, but most likely, since we're healthcare, most likely ransomware. That's the narrative that they understand, and at no point did they have to go into the complexities of how Kerberos works or how lateral movement works at a more in-depth level; they understand here's point A, here's point Z, I trust your judgment that there is a path there. And then we really had to work on the remediation side, because it's critical; availability is number one for us. So how do we do this without bringing down business intelligence? In this context, I'll be honest with you, I got a little lazy and just said, can we just recreate it? I wasn't really feeling like clawing back permissions one by one. They were on board with that because that was faster for them, and that also made them look better in terms of
time to remediation, so it's always a good sell. We're always telling why: why should you do what I'm asking you to do? So some of the things we did to address those risks, among others: when we recreated it, it was so much easier to do constrained delegation, again walking them through what that even means. Oh yeah, I've heard of Kerberos; what's constrained delegation? Going through just how that all works, why that's important to us on the infosec team, why it matters to them, and how it's actually easier for them. Limiting logon rights. All these things are just things they don't know until you educate them, and that helps us with other attack paths that we're now working on. Putting in fine-grained password policies. It sucks: we looked at it and couldn't do group managed service accounts; it wasn't supported by the application. But that's a part of the process of mitigating it: well, we have to accept that risk, but how are we going to best control that risk going forward? And just a lot of conversations around that, so many meetings, but those are really where you also get to strengthen the relationships with the folks who actually go do the work. I think most of you who have worked in any sort of big corporate environment know: we can't go do the fixing, which is always frustrating for me because I used to be able to do that. We can't do that anymore, so it's important to have good relationships with the people who do, so that they care about what you're saying. We would not be effective if we just said, well, go fix this, your stuff's not patched. Don't be that person. So some closing thoughts, just to keep it on time and leave some room for questions. These will go back to business process risk, and you need to prioritize it as such. For me it is always about, having gone through the pediatric health system as a patient
when I was younger, I get it to a point; it was never anything as bad as what other kids have to go through. But you need to work on why this matters and how we are all working towards those strategic objectives, and always put risk within that context; otherwise it really is just kind of talking into a void. We want you to be more effective, and that was a big thing for me in submitting this talk: how can we empower you to be a little bit more effective, and some other ways to have those important conversations. Even if you're in the trenches, those are still maybe conversations you need to have with your leadership on the infosec side: look, this is why I think this thing is important. Again, be really transparent: look, we understand that there's going to be some risk, but at least we know it and we know how to look for it being actualized. Humans being the foundation of this cannot be understated; your internal folks. You can't outsource everything. For some things it helps, but this is the sort of thing where you have to know what's going on in the organization. I couldn't ask our external SOC, hey, tell me about this business process; they don't know. My internal folks, absolutely: oh yeah, I understand our radiology workflow and how images flow from the machine to the radiologists; I can tell you how it goes through these systems and here are the ways I can just poke at it and start having some issues. Those are the things that really matter to the organization. You really do need to continually assess and validate, though. Just because you think you have closed off an attack path doesn't mean it's closed forever. One of the dumbest examples I've seen is: well, they shut down the vulnerable server and we thought we'd closed down the attack path. This wasn't at my organization, it was somewhere else, but they didn't delete the VM, and so they moved virtualization platforms and turned the VM back on, and it's like, we weren't monitoring that. It would have sat there as another 2003 server for some time until it was discovered. So that continuous assessment and validation model really does help and drive the value. And a last note from the value standpoint: everyone knows lateral movement and privilege escalation are the big things that attackers are looking for to get to their objective, so really focus on choke points, how one resolution can actually resolve multiple choke points, whether it is as simple as patching this application or resolving the harder things like service accounts running everywhere. I'm sure a lot of you are guilty of, well, we have our vuln scanner logging in everywhere with no limits on rights. Things like that really do help show that we're eating our own dog food and we're trying to reduce risk iteratively, but get those high-value wins out of the way. And with that, happy to answer any questions that I can. I'll wait for the mic.
thank you
So number one to me is showing that you care. Actions mean everything; showing that you care about their job and showing even the tiniest bit of empathy is huge. For me personally, like I said, I had to do that for a while: I was working in the SOC but also helping on assignments like this. This is not as easy as it sounds, to go and fix these things, and they're also the ones who are the first call if something breaks, and having irate physicians and nursing leadership, no one wants to be in that position. So understanding what they're going through and talking about just the human side of this, realistically: hey, we've got this thing, I know you're busy, how can we work on making this the appropriate priority level? And a little bribery goes a long way, even in remote work: hey, there's ten dollars for GrubHub, buy some tacos or whatever. We try and do that. And for me personally, during different meetings I just treat them like any other peer: hey, how's it going, how's life going? I work from home 90% of the time, but I still try and stay connected, because those relationships are so important when I do have to be a little bit more direct and to the point on, hey, this is the situation. The Log4j stuff that was just brought up is a great example: I had other stuff to do, they had other stuff to do, it was Friday evening, I was at dinner, and it's like, great, okay, well, how are we going to go fix this? I'm calling you in on the weekend; we've got to bring everyone together and just ascertain what the heck's even going on. People are less resentful toward you for that if you are constantly communicating your appreciation, relating it to how it impacts them, and just working with them rather than just, here's the spreadsheet, please go fix it, tell me when done. Passing tickets around doesn't do anything. So I hope that answers the substance of your question. Any other questions I can answer? Fair enough. Well, you can find me in the hallway afterwards. Thank you so much for having me all the way from the west coast, and go Irish.
Alexander. All right, thank you. So this talk will be about databases and about security, and it's called the confused deputy problem. So, what that means: I have already been introduced; I'm currently leading and managing a red team here at Amazon Web Services, working with relational databases. So let's start: what is the confused deputy problem? A confused deputy, as this definition says, is a computer program that has been confused into doing something: a computer program that has high privileges is confused by a low-privileged program into doing something, usually something bad. So let me give you a quick demo; I have recorded a video of that, but before we go there, let's start with Linux.
Let's imagine that... okay, so this is on Linux, and since I'm magnificent, I decided to create a security monitoring and fixing program. The idea is very simple: let's find all the files in a user's home directory that are not owned by that user (actually it doesn't matter; let's find all the files in a user's home directory) and change the owner to that user. That's a good idea, right? So what can go wrong? Let's actually see. Here's my Linux box, and I have this cron job here. What is the purpose of this cron job? Let's say I created a file in a user's home directory and this file is owned by root, and I want all the files for that user to be owned by that username, which is how it should be. So my cron job will go and fix that. Not yet, but in a minute it will go and... not yet... here we go. So it's changed the user. Now let's imagine on the right side we have a malicious user, and the malicious user wants to actually abuse the power of root to do a privilege escalation, of course. So what will it do? It will create a symlink; it's a sort of poison scenario. So this user will create a symlink to /etc/passwd in its own directory. You can create a symlink to any file on the system; you don't need to own it, you don't even need to be able to read it. So you can place the symlink here, and then our cron job will start in a minute, and what will happen? It will chown, and chown by default actually follows symlinks, so it will chown and change the ownership of that passwd file to this user. In a second... here we go. So now, bad news: the unprivileged user can go ahead and edit /etc/passwd to create its own fake root account. So here I can go and create another root account with UID 0 and group 0. All right, I will stop here. This is the demonstration and an example of the confused deputy problem on Linux, and now I will demonstrate a confused deputy problem in MySQL.

Let's look at a sample fictional architecture. In this architecture we have a bad actor, a hacker or a pen tester, getting access to wordpress.com using SQL injection, and there is nothing interesting in this WordPress database; it's just a description of the website, a corporate website, read only, there's nothing there. But what is important here is that it uses the same MySQL database as another service, and that other service is a healthcare record data store which stores personal health information. So the question is: can we get here? And again, this whole talk is from the red team perspective, from the attacker perspective, so I will say "we", and here I will pretty much think like an attacker, personally attacking as a red team member. So can we get here? To really answer this question we'll need to first understand what kind of users and what kind of access we have on the MySQL side. So what we know here (an attacker doesn't know that, but we know) is that there are four users. The first user is basically root. The second user is the corp WordPress user, which has all privileges on the WordPress database, and another user is the health data services user, which has all privileges on the health information database. So we have isolation and technically it is all good, but we have this other user called monitor. So what is this? We can look at the privileges; this is MySQL-specific, the way you display the privileges. We can see that the corp WordPress user has all the privileges on the WordPress database, the health data user has all privileges on the health service database, and the monitoring user is interesting: it technically doesn't have any write access to the database, it has very low privileges, but SELECT and EXECUTE. So this is a monitor; this user is probably used by the performance monitoring system on the database, and it has a global SELECT, meaning that it can select from any database, and it can execute functions in every database. *.* means everything, all the databases, all the tables; database_name.* means that this user has access to all the tables and all functions and objects inside that database. So can we confuse our performance monitoring system into giving us more privileges than we already have? What do we have? An unprivileged user, the corp WordPress user, cannot access the mysql.user table; this is the database and table where the passwords are stored in hashed form, but you cannot read it if you only have a specific database-restricted privilege,
which is looking only at the tables. At the same time, our monitor does have access, because it has a global SELECT privilege, so I can actually display the hashed password. This is how the hashed password looks; I'm only displaying the first characters. So what does database performance monitoring do? A performance monitoring system usually collects database metrics, wait metrics, slow queries, and generates EXPLAIN plans. What does the database administrator do? Review database metrics, collect and review the slow queries, and, to be able to optimize the queries, to see the information about the queries, the query plan, they will run EXPLAIN, and EXPLAIN is the way to understand why the query is slow and what is happening. Now let's look at a typical EXPLAIN; this is an EXPLAIN plan in MySQL. What the database administrator does, and what the performance monitoring system can do, is take the query, rerun it with EXPLAIN, and then display some MySQL-specific, database-specific metrics and information that can be used to understand why this query is slow: it shows you what indexes it is using, how many rows it scans, and so on. So the question is: will it execute the SELECT? It should not execute the SELECT, right, because that's just the plan. Well, in some cases it actually executes the SELECT, and it will execute the SELECT to be able to materialize the subquery, for example to be able to display how many rows it will read. So this is the subquery here, but to display the accurate number of rows it will need to first materialize this subquery and then do the SELECT. That's why this subquery is actually executed. This is really bad, and this has been known for about two years, I would say, and there's a blog post on the Corner website that explains why it is bad for your performance. So basically here I have a query that does nothing but sleep, and I have it in the form of a subquery, and when we run the EXPLAIN plan it will run for more than an hour. This blog post is called Uncommon Sense MySQL; this is uncommon sense with the database, to actually execute everything. Now how can our attacker or pen tester use that to escalate privileges? Let's take a look. In this fictional architecture we have two databases, but in addition to that we have a performance monitoring system, and this monitoring system is constantly collecting slow queries; it will collect slow queries from both WordPress and the health record system. When it collects the slow queries it will save them and run EXPLAIN. Our attacker controls the WordPress database and can create any objects here:
it can create tables, functions, views, whatever. So let's create a proof of concept. The first thing we will do is create a function, an exploit function, and then we'll need to make this query slow. We will first check if the user is monitor, the user that will eventually run the EXPLAIN on that function, and then, if it's monitor, we will retrieve the password; if it's not the monitor user, we will make it slow so that the monitoring system eventually picks it up. We can retrieve the password, the authentication string, because our monitoring user has a global SELECT, and this is MySQL-specific: if you have a global SELECT you can retrieve anything from mysql.user. But the question here is: how do we save that? The monitoring system only has the SELECT privilege, right; it doesn't have any INSERT or DELETE privileges and so on. So the question is how do we pass it back to the attacker, and the answer is we have DEFINER SQL statements. A SQL function has a feature called DEFINER, SQL SECURITY DEFINER or INVOKER. What that really means is it works similar to setuid in Linux: you can specify SQL SECURITY DEFINER and you can specify the owner of that object, and if you run that function then it will run in the context of that user. So this function that I created, the save function, will be run as my account, so it can actually write to the database that I control. Let's put it all together. We have an exploit function and we have the save function; if the user is monitor then we will retrieve the password from the mysql.user table and save it into our database, into the WordPress database. Here I'm attempting to retrieve the admin user's password, but I can also do monitor. So now we can save the admin password to the attacker-controlled table, and I recorded this demo which will demonstrate this attack. Again, first of all we have an attacker
here on that side, and as the attacker we created this exploit function and we created the save function as our current user. We have created this table, and this table is needed to store whatever we retrieve. Now we generate a malicious slow query. The slow query will look like this: we created a subquery so that when EXPLAIN executes it will need to materialize that, and then it will execute it. This is running in the context of the WordPress user, so that's three seconds, and then on the other side we have the MySQL DBA, and this MySQL DBA retrieves the query and tries to understand what is happening, so they will run the EXPLAIN. That can actually be done by the monitoring system, which will be the same. So the database administrator runs this and scratches their head trying to understand why this is slow, while our attacker got the password. Our password is here, and this is the MySQL password hash, which is a double SHA-1. So what should we do next? We will try to brute force that, right, and to brute force the password I have started up my GPU instance on EC2 and installed hashcat, and I put my password here. Let's see: this is my MySQL password; again I removed the star so that hashcat can pick it up. Let's take a look. I will use the rockyou standard password file, and it actually took less than a second to brute force this password, and the password is "password". This is actually very common; that's why lots of database administrators don't pay much attention to the monitoring user's password, because they think that this doesn't matter, no one will ever get that, it's a low-privilege account, this is not the key. So here we have retrieved the password; we escalated our privilege; we used the confused deputy problem to retrieve the password and crack it. So, recap: database privilege escalation. What we did: we confused the monitoring system, or our human database administrator, into running something with higher privileges than we have, and then MySQL EXPLAIN actually executes the statement, and it should not; that's a big issue in MySQL. But also, whoever created this monitoring user in this fictional scenario created that monitor user with global SELECT and EXECUTE; the EXECUTE privilege is essential for that user to be able to run the function. So, the result: we got the monitoring user's password hash; it was a simple password, it was easy to crack, and as a result our attacker was able to connect as the monitoring user and download the whole healthcare information system, including the personal health information and diagnoses. So that was a fictional scenario; as an example, we successfully escalated our privileges, yet... healthcare. All right, what about PostgreSQL? It's more complicated. I will talk about PostgreSQL at RDU in October. So that's all. We're hiring red teamers at Amazon Web Services, so if you're interested please come and talk. Thank you very much. All right, questions?
This is a very good question. No, in MySQL there's no predefined monitoring user; it's up to you.

Correct, but also there are some monitoring systems that will either create the user for you or tell you how to create the user, so you need to be very careful what you provide the user with. You need to have the absolute minimum privilege and, of course, a password. Any other questions?
All right, thank you very much.
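The following is an added example, not code from the talk or from AWS: a small audit over the text of MySQL `SHOW GRANTS` output that flags exactly the privilege pattern the speaker described, a monitoring account holding a global (`*.*`) SELECT, which exposes the hashes in `mysql.user`, together with a global EXECUTE, which lets an EXPLAIN-driven re-execution call routines a low-privilege user created. The account names, hosts and grant lines below are constructed for the example, and the narrower grant set suggested for a monitoring account is an assumption of this example, not a vendor recommendation.

```python
"""
Audit MySQL SHOW GRANTS output for monitoring-account privileges that enable
the confused-deputy escalation described in the talk (added example).
"""
import re
from collections import defaultdict

# Constructed sample of SHOW GRANTS output for the kinds of account the talk
# describes. Names and hosts are hypothetical, not taken from the talk.
SAMPLE_GRANTS = """
GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `wordpress`.* TO `corp_wordpress`@`%`
GRANT ALL PRIVILEGES ON `healthdata`.* TO `health_data_svc`@`%`
GRANT SELECT, EXECUTE ON *.* TO `monitor`@`%`
GRANT PROCESS, REPLICATION CLIENT ON *.* TO `monitor2`@`%`
"""

# One GRANT statement: privilege list, scope (db.table or *.*), account.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>`?[^`@\s]+`?@`?[^`\s]+`?)",
    re.IGNORECASE,
)


def parse_grants(text):
    """Turn SHOW GRANTS lines into records of (user, scope, privileges)."""
    records = []
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a GRANT
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        strip = lambda s: s.replace("`", "").replace("'", "")
        records.append({
            "user": strip(m.group("user")),
            "scope": strip(m.group("scope")),
            "privs": privs,
        })
    return records


def audit_grants(text, trusted=frozenset({"root@localhost"})):
    """Return {account: [reasons]} for accounts whose global grants would let a
    confused monitoring system read or execute more than it should. Accounts in
    `trusted` (e.g. the real DBA login) are skipped; only *.* grants are judged."""
    findings = defaultdict(list)
    for rec in parse_grants(text):
        user, scope, privs = rec["user"], rec["scope"], rec["privs"]
        if user in trusted or scope != "*.*":
            continue
        if "ALL PRIVILEGES" in privs or "ALL" in privs:
            findings[user].append("ALL PRIVILEGES on *.*: full administrative rights")
            continue
        if "SELECT" in privs:
            findings[user].append(
                "global SELECT: can read password hashes from mysql.user")
        if "EXECUTE" in privs:
            findings[user].append(
                "global EXECUTE: can call routines in every database, including "
                "ones created by a low-privilege user")
        if {"SELECT", "EXECUTE"} <= privs:
            findings[user].append(
                "SELECT+EXECUTE on *.*: the pair abused via EXPLAIN re-execution")
    return dict(findings)


def suggested_monitor_grants(user, host="%"):
    """Narrower grants for a performance-monitoring account. This grant set is an
    assumption of the example: server status and replication state, plus read
    access to performance_schema only, so no mysql.user and no EXECUTE."""
    acct = f"'{user}'@'{host}'"
    return [
        f"GRANT PROCESS, REPLICATION CLIENT ON *.* TO {acct}",
        f"GRANT SELECT ON performance_schema.* TO {acct}",
    ]


if __name__ == "__main__":
    for account, reasons in audit_grants(SAMPLE_GRANTS).items():
        print(account)
        for r in reasons:
            print("  -", r)
    print("suggested replacement for monitor:")
    for stmt in suggested_monitor_grants("monitor"):
        print("  ", stmt)
```

Run against the constructed sample, only `monitor@%` is reported, with three reasons; the per-database accounts and the narrower `monitor2@%` pass. Feeding the suggested grants back into `audit_grants` returns nothing, which is the check a DBA would want before handing a monitoring system its credentials. The regex only understands the `GRANT ... ON ... TO ...` shape, so role grants or other statement forms are skipped rather than misread.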
for the day, I appreciate it. Thank you for that intro. All right, just to recap and introduce myself: I am an Army Green Beret. I have a quite different background coming into application security. I actually started out my military career as an infantry Ranger, kind of just a knuckle dragger carrying big guns, went into Special Forces, got picked up and selected, and they said, hey, let's make him a medic. So I spent the next eight years as a medic in Special Forces. So of course when I got out I was like, hey, let's get into AppSec. Part of my lead-in to application security was that it was kind of a long path. On my way out I knew I loved some of the stuff about technology and wanted to really get into cybersecurity, and then of course, being new, starting in cyber means, oh yeah, I'm just going to become a cybersecurity guy, right? And then you get into the world and you're like, that doesn't mean anything; there's a million different specialties out there and paths you can take for becoming something sort of cyber. The nice part for me is I found a passion as a software developer while I was figuring out my cyber career, so I worked for a few years at Lockheed Martin as a .NET developer working in that space, and then I was finally able to bring the passion for security together with the passion for software development and become application security. And, like she said before, I work as the Director of Application Security for a company called Security Journey. We're a SaaS-based platform that teaches how to do secure coding, with hands-on experiments and a bunch of stuff like that, teaching secure coding to developers. And great news, a few months ago this year we were acquired, so a big plus on our progress as a company. So today, though, I'm here to talk to you
about taking my experience from the military and from my time being a Green Beret and translating that into how we can do application security better and build a better program. The way I do this is: I don't want to sit here and just run off a list of things that are going to tell you how you should approach these things. I'm going to tell you a story, and I'm going to take that story and we're going to start applying the things that I have learned throughout my Special Forces career that take that story and allow you to build a better application security program in your company. Out of all the stories I could pick, I'm not going to pick a story where everything happened right and everything was a good day, because on those days, with those stories, you don't learn anything. The day that I come in and everything just checks the block, everything goes, we high-five and walk out the door, what a great day; it's a great day, that's awesome, but you didn't learn anything. You learn things on your worst days, when everything goes wrong and everything kind of falls apart. So that's the story I'm going to tell you. Now, before I get into my story, I do have to start out with one cool guy photo. I like to point out the fact that the one guy in this photo that is not wearing a kit, does not have his gun, and is riding a motorcycle is me in the far corner. So it was back in about 2015; this was my first deployment as a medic with Special Forces, and this was my first mission on that deployment. We were in Logar, Afghanistan doing operations. We had just gotten to a new base, and at this base they were having a serious problem. Every couple of weeks we were getting mortared from a local village about a kilometer and a half outside of the base that we were stationed at, and it was becoming a serious problem because every couple of weeks the mortars would come in, there's a threat of
people getting injured on the base, we're having to run and hide, but the problem was that the stance at the base at that moment was no one was doing anything about it. They'd get mortared, they'd run and hide, the people that dropped the mortars would run away and wait a few weeks for it to happen again. So we came up with a plan with our partner forces for how we would interdict and respond to this. We went on a mission about a kilometer and a half out of our gate with a hundred Commandos and our entire Special Forces ODA to go through and basically clear through the entire village that we were getting mortared from, to find out who was mortaring us and to stop it from happening. Now, one of the things is that not a lot of people understand what Special Forces is, so this is kind of what a team looks like. A Special Forces ODA is an SFODA, Operational Detachment Alpha. What that is not is the A-Team. They're based off of what an A-Team is; the A-Team is because you're an Operational Detachment Alpha, that Alpha is the A-Team. What it really is, is a group of 12 individuals that are highly specialized in individual tasks, working together to complete any set of missions; it could be anything from unconventional warfare to doing something like counterinsurgency, which is what we were doing in Afghanistan at that time. When you look at this team it involves a lot of different, diverse groups of people. We have our commander, the one that's responsible for the team; we have an assistant detachment commander; we have the team sergeant, who's on the NCO side of the house, the one responsible for the beans, the bullets, the men, and the mission; and then we have our assistant operations and intelligence sergeant. After that we have a bunch of specialties. We have weapons sergeants; those guys can do anything in the world under the sun with a gun. We have our communications sergeants; they can talk with anything; their entire premise is how do we communicate within the team and back to higher so everybody knows what's going on. We have our medical sergeant, that's what I did, and then we have our engineers, and our engineers are great because they do two things: they build things and they blow things up; those are their two specialties. Something I want you to notice when we look at this team is we're very diversified but we're redundant, highly redundant. For every leader there's a counter leader, that assistant; for every medic there's two, for every engineer there's two, for every communications sergeant there's two.
It's extremely important, and we're going to talk about that as we move forward, talking about how we build security teams. Now, we go on this first mission in Afghanistan and it's going like any normal operation. We have our 100 Commandos, we do a plan, we do briefings. One of the nice parts about Special Forces is we are a force multiplier; we're going to talk about that later too. The idea is my job is not to go out and do a mission; my job is to take a hundred local nationals and get them to do a mission, because that way you can put 12 Americans on the ground and turn those 12 Americans into a well over 100-person force to conduct operations. That's a highly effective way to utilize highly skilled people. So we go on this mission; we've studied up, we've done our planning, we've set up on a mountainside, and out in front of us is this large valley, and this large valley has probably well over a hundred buildings and different compounds that make up this village. This could be a multiple-day operation; at least that's what the original plan was. So what we do as the SFODA is command and control; we're going to help lead the Commandos in clearing through this village. So we set up along the ridgeline, and then we have the Commandos come in, and we're going to support them as they come across and start clearing through the village, and we're going to watch and communicate between their leadership and allow them to effectively push through this village.
Now it's about a little past sunrise and we're just passing through the first valley when the first gunfire started happening, and the worst part about this is they hadn't quite reached the village. The Commandos had come down the hill, the mountainside we were on, and they're clearing up into the village, and they started taking fire from a sniper. So you have a lot of people in a big open field taking a lot of fire. Now what I will say is our Commandos are great, they were great, they listen and they do the best they can, but they are not all trained to the highest level, as we who are coming in and teaching them are. So one of the first things that happens is we took a casualty. Someone was shot in the middle of the field and everyone around him was afraid to get shot, so what's everyone else in that field do? They run, right? So now all of a sudden we're in this situation where we have a man that's been shot in an open field, by himself, lying on the ground, and we're taking fire, and we've lost all communication because everyone's gone and scattered.

At this point a lot of tensions are rising, right? So we have their training command that's with us, right, so they're higher-ups, and they come up to us and they're like, we have a man down, we must rescue him, go get your American helicopter and land it right there and pick that guy up. So just to let you guys know, that's not how that works. Even if I was laying down, shot, on the ground, there's no helicopter coming to get me, because what happens when a helicopter comes to get me? Well, I'll get shot at, got a helicopter that's now shot at and now on the ground, now we have to rescue the helicopter, a whole lot more people, right? The first thing you have to do before you react is you have to pause, because you have to think and you have to react, and the first thing you gotta do is you have to secure the area before we can rescue an individual, right?

So at this point there's a lot of anger. People don't understand why we're not going to go rescue them, we're losing trust with the people we're with because they feel like we're failing them, because they have somebody that's dying. So this person's only a kilometer away from us. Me and the other medic say, you know what, we're gonna go get him, right? The thing that makes sense right now, it's not because it's mission critical at this point; at this point it's mission critical to save not only his life, but it's mission critical that we keep rapport with the people we're fighting with, because these are the people that could be watching our back day in and day out over the course of the next month, months to come. So me and him start running down the hill, right? We have cover fire coming into the village, but it's nowhere nearly effective. We get probably about 50 meters up that hill and we're immediately pinned down on the side of the hill taking a lot of fire, rocks kicking up all around. We have to go back, there's no way we can get to him in that scenario. So at that point we are finally able to get a military vehicle to come up to us, and drive a military vehicle as cover as we go down and recover that individual.

Now the hard part about this is that person's been down for about 20 minutes with no physical care whatsoever. We throw him in the vehicle, we bring him back, we check on him, he's not breathing, he doesn't have a pulse, right? We do all the medical care we can on him, there's nothing we can do to bring that guy back. Now we're still there, they're still asking us to do everything, they're extremely upset that they've lost one of their guys, but we're not being effective partners. So what do we do? I continue to treat him. We get a sniper with me in the back of an ambulance, I do CPR on a guy for 35 minutes on the way back to that FOB, knowing he's not going to come back, but knowing that we can show that guy and our partner force that we're going to be there and fight for them no matter what.

All right, so what was the point of that story? What does any of that have to do with application security, besides being an interesting story? Let's talk about that, and what we're going to do is we're going to talk about that as we go through these slides, and I'm going to bring out the points of what happened in that situation that apply to what you need to understand
about building a security team. Now the first thing, when I look at this team right here: a lot of different specialized people, individuals. What I don't see on that list of that 12-man ODA is I don't see anything that just says Green Beret or Special Forces. That goes back to all the different diversity you have there, right?

Let's talk about application security teams. All right, so what's in the application security team? This is nowhere near all-inclusive, this is a bunch of lists of names and titles I threw in there that fall under this big umbrella that we call appsec. One of the biggest problems I see, when I look in, I don't know if you guys have ever been to LinkedIn recently and looked at a job description. Every job description for every engineer that says appsec has every single one of their job titles underneath that job description. If you can't do every single thing on that job description, you ain't getting the job. It's unrealistic, it doesn't make sense, right? It's the idea of having that one-person hero that's phenomenal at doing that job, being able to do everything. That's not how it works. Like if we could, then we'd have just about 12 Green Berets that were the best at everything, and we'd have every skill possible and we didn't have to specialize, right?

The idea is we have to specialize. In appsec you have to specialize. If you don't specialize, if you don't build your team of a group of specialized individuals, you're going to have a bunch of people that aren't really good at much of anything but can kind of do some stuff, right? The idea is, I know how to shoot a gun, right? I'm plenty good at shooting my gun, but I'm not the weapons specialist, right? The idea is that person should be able to pick up any gun in the world and know how it operates, works, and fix it. I'm a medic. My guys know how to do medical treatments, right, and they have to; this goes back to something I'll talk about later, they have to know how to do medical treatment. However, they don't know how to do surgery, they don't know how to do advanced procedures, right? You need someone that specializes that can step in when it's outside of their scope. So what we need to lean away from in the idea of appsec is this one person that's just going to be the appsec engineer, that last little title there on the bottom right, that appsec engineer that we expect to do every single thing on the team. That person doesn't exist. If they do, they're unicorns, and to be honest they could probably even do better if they specialized in one area.

Now one thing I would like to add on here at the bottom is the developers. Now when we talk about security teams, we talk about, we have our security team on one side and then we have, they support the development. Actually I think that's a really convoluted, wrong way to think about it, to be honest, because most of the time, most of the security controls I'm asking a developer to build, it's the developer that's building that security control. A lot of the time it's the developer that's building in the input validation to make sure that the stuff that's coming into my application is being done well. As an appsec engineer, a lot of the times we're the ones doing the auditing, we're doing the threat modeling and supporting with the developers, but they're our first line of defense, right? If they're not part of the security team, if it's not embracing that culture, then we're failing as a security organization. And to correlate that to us, for us on the Special Forces team there's 12 of us, right, but we can't win a war by ourselves, we can't clear that village by ourselves. It's the Commandos, they are developers, they're part of our team going through to accomplish that mission. Without them we cannot accomplish the mission. They're just as much part of our team as we are part of theirs. We need to break down some of these walls and barriers that we put between us as application and security
teams and these development teams and understand we're one cohesive unit and should work together consistently.

All right, building the team. So we build a team in Special Forces in two different phases. And if you guys have ever seen the team, there's some good stuff on Discovery Channel out there; if you ever watched Two Weeks in Hell and some of those other shows, they'll show you some of the crazy stuff we go through. On the left side here, oh by the way, you will not see any pictures of me in these, because apparently they frown on doing selfies while you're in Special Forces selection. But so the first thing, on the left, SFAS is Special Forces selection. The way I equate that is just that's literally, if you pass Special Forces selection, everyone puts this big piece, oh, you passed selection, that's great. Well, honestly, selection was just giving you the chance to even try, right? You didn't do anything yet, you just got the chance to try. To me that equates to, like, oh, you just got past the hiring manager and now you get to interview, right? That's what it is. Right now you get to get to the technical interview. And then we go to the SFQC, and that's for us, that's our technical interview right there, right?

And then for us at that point, one thing I don't show you on here is I go through Special Forces selection, that's about a three to four week process. The Q course, for me, that was a year and a half process, right, because as a medic we do a year specifically just on medical training. So after almost a year and a half, a year and three quarters of work, I show up on my team, show up on my ODA, I'm like, yes, I'm a Green Beret, coolest guy out there. Guess what everybody else on that team said to me? Hey, what's up, new guy, you don't know nothing, right? Because just because I've passed the interview and I've gotten into the position, I don't learn anything until I'm on my team, on the team and doing the job, right? And the expectation that we bring somebody in that knows their job well enough when they haven't had time to sit in the seat and learn their job is unrealistic, and that's something that we do constantly. It goes back to these unrealistic and unnecessary job descriptions or requirements to sit in a seat. It is so much more valuable to take someone that's ready and eager and wants to be there and train them to be in that position, and allow them to sit in that seat and grow to be where that position is, because to be honest, until they sit there long enough they don't know what that position is, they haven't learned it.

So what's that mean for us when we're creating a security team? The first is selecting the right individuals, right, and the first step you want to do is you need to select people that are hungry to learn and want to be there, right? You don't need to select people that have the bucket list, laundry list, every item under the sun in their resume. The second phase to that is the mentorship, and this is one of the more important things I think that we lose. Something you saw when I talked about the SF teams is there's two people in every slot, right? You have two medics,
you have two engineers, you have two communication guys, and in those two slots there's always a junior and a senior, every single time, and one of you sits in that role. It doesn't matter if you guys have both been in SF the same amount of time, one of them sits in the senior role, one of them sits in the junior one. The reason for that is you have to have mentorship and growth, right? And so when we're bringing these individuals in, rather than just taking a person, and it might even be in a management position, right, you want to be a security manager, throw you in the seat, figure it out. It's a sink or swim; it's usually the way companies approach this: you sink or swim, if you can't do it we'll fire you and find somebody else, right? That's the loss on taking, like, the amount of work it takes someone to go through the interview process and get in that seat. I know I'm trying to hire an appsec engineer right now on my team, I've been doing it for four months, having a hard time finding the right person that wants to come in the door and do the work. The problem is, once we get someone in that seat, we fail them if we don't partner them and train them and give them everything they can to succeed. We've wasted so much time and money to get them in that seat.

One of the number one things we should do is, we see right off the bat, pair them with somebody that's either been there longer or that's on the same peer level. What that isn't is, I'm your boss, I'll peer mentor you. That doesn't work, that's not a mentor, you're my boss. What you need is a real mentor, someone that sits there parallel with you, that holds that same title, that can help guide you, like, hey, here's what worked for me and didn't work for me when I sat in the seat, right? These are ways that we are failing people that we can help improve and retain people that have the chance to grow into those positions.

Another big thing to talk about is continuous training. And I love this slide, but what continuous training doesn't mean is, like, every now and then we let our team go to a conference. That's not continuous training. Like, you'll learn a lot in these conferences, but that's not what continuous training growth is, right? Because when we train people there's two things going to happen. The company as an organization, we can train people so they can grow into their next position, or they will study themselves and go find the next position somewhere else at a different company, right? And the idea is, if we do the funding of either, whether it's actual education on the outside or continuous learning that you do that's provided by the company internally, you can help grow these individuals into higher seats within your own company. And when you fail to do that you're going to lose, you're going to lose people, because they're going to do it themselves and find somewhere else that's going to do it for them.

All right, repurpose. This one is kind of a unique scenario for us, because in Special Forces one of the things we have is the ability to do something that a lot of organizations don't. If you screw up on the team, you could walk through the door one day and see all your gear outside the door, and that means you need to go find a job
somewhere else, no more conversation, right? Now you only get to that state if you've lost a lot, you've had to do a lot to fail the team to get there. And even when that happened within our organization, or if someone was like, hey, you're just not working out, what we didn't do is, all right, cool, you're not good in the Army, we're gonna just out-process you, go enjoy your civilian career. So you didn't work out in this part of our team; there's somewhere else within our organization that you can support us. We've done the time, you came in, you've learned, you've been in-processed, you've done all our security requirement training for the year, right? You've done things that make you a value to our team. So just because you don't work out in one slot doesn't mean we should fire you and get rid of you; let's repurpose and move you somewhere else, maybe you'll be more successful. Now there's always going to be individuals that are obviously just non-conformant and not going to work out anywhere, but you give people the chance to be that, right? You do everything you can to retain the people you've brought into your organization.

Now my last thing is one that's kind of a huge part for me, is the security champion program, right? We cannot effectively create change across the security organization as just the security team. We need to bring everybody in, and that goes back to, developers are part of that security team, that's part of that security champion program. It's being a force multiplier, and what we need to do is get out of the mindset that, okay, well, we're going to reward a couple good engineers that really want to be security champions and just bring them in, as in, the entire development team should be part of a security champion program. Now maybe there's levels of involvement of that, right, where if you're at the top, you're like, I'm not a big fan of the belt system, right, you have a white, yellow, black belt, light belt system. Now at the white belt level maybe your involvement in our security champion program is you do our lunch and learn once a month, and if you do that you get an extra free meal once at the end of the year from the company, right? Incentivized reasons to join in and participate. Our top-level security champions are ones that are out there going out to conferences and talking, or are with developers, that are out there actually helping the development team set up SAST tools and DAST tools, and that they're helping to actually foster teaching in their team levels, right, where they're going in and they're talking to their teams, like, hey, here's a new tax the security team released, let's talk about it, let's dissect it. But we run training
on an ODA. So before we went on that mission we did a lot of things, right? We did sand tables, we did a lot of briefings, we did walk-throughs, we went out in a field and we had everyone stand out there and pretend exactly where they're going to be on the map and talk through every single phase of that. Training prior to that, we had spent weeks, a week, with the Commandos going in and practicing shooting guns with them, again just to see where they're at. We went and taught them basic medical skills across the field so they could do self-medical treatment.

When we train, the first thing you need to do is you need to become an expert at the basics, right, and that's what sets the Green Berets apart from a lot of the rest of the military. It's not because we have individualized skills, right, it's because we became so good at the fundamentals that I don't even have to think about what I have to do, so I can focus my attention on the harder tasks, because my fundamentals are so down pat that they're just second nature to me. When we train, we train realistic, because fake training is going to lead to fake results, right? If I just do checkbox compliance training, that's what you're going to get for the results of your security programs: checkbox compliance. They're not going to be effective. You can't learn combat from a book; that's something you have to do, something you have to hands-on get out in the field and train and fight for, right? You can't just read about it and say, okay, cool, I read a great book, ah, I know, I could be a Green Beret, right? Like, that's the mentality. You cross-train like your life depends on it, because it will. And for me as a medic, that one stands really close to my heart, because one of the things I would have to do is I have to train the rest of my guys on medical tasks, and the reason I train them on medical tasks wasn't because I'm an ineffective medic, because a lot of times the first thing that some of my guys would say is like, you're gonna be there, I don't even need to know this. Like, no, I'm training you for the day that I'm shot and you need to treat me, because there's nobody else that's going to save my life, right? So you cross-train your people like your life depends on it.

So let's talk about how that relates to appsec and appsec training programs. So the fundamentals, understanding our fundamentals, right, and this is, once again, it's not just our appsec engineers, this is our developers, and both, right? You need to understand your fundamentals. If I can't walk into my developers' team room and ask someone, hey, what's an injection attack, if they can't answer me, I have failed, and as an appsec person I have not cross-trained my developers in a way that's effective. They should know this stuff like it's the back of their hand, the fundamentals. And as an appsec guy I'm failing them if I don't know how to code, right, because then I can't talk directly. And this is something I don't always get a lot of agreement on, I'm pretty biased on it: I think every appsec engineer should know how to write software. If you cannot write software, that means you cannot effectively read it, you cannot effectively communicate
with developers when you're trying to convey these different things, right? So know how to code, know your fundamentals. Do training that's realistic, it's not checkbox compliance. So when we do training, what it's not is, if I'm doing an incident response drill, I'm not just sitting there reading through a couple of jokes around the circle and then we're done, right? To be honest, what you should do is you should create a real incident you have to respond to, right? Push data through a wire that causes an alert and make your team actually react, right? So instead of sitting around playing, like, I enjoy the stuff that makes it easy too, like a lunch and learn, the board games where you play around and pretend to do incident response are good, they have their place, but that's not realistic training. Realistic training is making an actual event that you have to respond to, right? Make the training realistic and you're going to act realistic when it happens.

Hands-on training: you have to do it, if you do not do it with your hands you will not learn it, right? That's why when we do these training programs for appsec, when I say don't just tell me how an injection attack works, okay, let's get on the code, let's get on the keyboard, let's create a vulnerable component, let's do an injection attack against it, and then show me how to put the mitigation against it. Now I can physically see that you know how to implement that security control that defends against that vulnerability, right? If you don't actually physically do it, you're not going to remember, you're not going to learn.

And then finally, you cross-train, right? Especially for our security teams, we get so siloed into this, so this goes back to our specialties, right? Right now, if you're specialized in just one thing, say you stay specifically on network security, right, you'll never get to be a product security manager, right, because that person's expected, no, product security isn't expected to know appsec, they're expected to know compliance, they're expected to know all these different domains they're going to be managing, right? So at these lower levels, while we're working in appsec, the security team should be cross-training with each other, because that's how we're going to grow up these individuals in the organization to that next level. They're going to be managing teams that are multi-disciplined.

Mission planning. So on an ODA we go through a lot of work when we plan for a mission. It may look like, it's not like Hollywood, it's not like, hey, someone said, hey, we got an operation, let's go kick in a door in 15 minutes and jump on a truck and it's all going to work out. That's not how it works at all, right? We
go through a very thorough process every time we walk out that door, and what I want to do is lay out here what we go through in this mission planning and then how that relates to what we need to do in appsec. So with our mission, we understood that there was someone mortaring us from that other village over there, right? We understood that our area, we did an area study, right, we knew that this is the only village area they could have been coming from, and we were right, and they found us. We went out there, we did something, we did an area study. It's called METT-TC is what we call it. METT-TC is kind of the way we describe everything that's going on in the battlefield. So that's our mission, our enemy, the troops, the terrain, the time constraints that we have to do it in, any civilians we have to consider on the battlefield, right? So that's basically how do we draw out what our operational environment looks like before we start planning on how to do our mission.

At that point, now we know what our operational environment looks like, we're going to evaluate the threats that we're going to face in that operational environment. Once we've evaluated the threats, we think of what are our threats most, the determined threat's course of action. So the determined threat's course of action is what is the enemy most likely to do, what is the enemy going to do in this battlefield when we walk in, so we can start playing out what's going to happen and how we can defend against that, how can we mitigate against that. We're going to say, okay, what are available assets, what are our mitigations we're going to put in, and what are the shortfalls we have going into this. And then finally we're going to develop a course of action, so COA development, that's course of action development. The way we do it on an ODA, and the way we did it on this mission, was we broke up into two teams, right? We took half our guys here, half our guys here, we came up with two completely different plans on how to tackle the mission, and then we both briefed them to our commanders, and then out of those two separate mission plannings we came up with the final plan, right? But we did it completely siloed from each other so that we would have two completely fresh, different sets of ideas and plans of how to tackle this objective, because if we all sit in one big group and come up with one big plan together, we get a lot of nodding heads and saying, yeah, that sounds good, right? But if I force you to separate and come up with two different plans and we bring those things together, that's where we have true diversity of ideas, the ways to tackle a problem, right?

So how's that look when we do appsec? And that's what we call our threat model. Okay, the same process we use in the military, the same process we use when we do a threat model on our applications, right, in the security team. So when we define our operational environment, let's talk about our scope of what we're going to be doing our threat model on here and how we're going to tackle this specific problem. Our METT-TC, let's do our data flow diagram. That's how we're going to draw out where all our inputs and outputs are coming in from this application, where all the different sources and attackers and users are going to be able to interact with that application, right? We're going to build out that data flow diagram that's going to represent how our application works, right? We're going to evaluate our threat. We're going to look at that data flow diagram and we're going to identify different areas where there could be vulnerabilities, right? Say we take an input from a user here and it gets translated over to a database. Well, we're open to an SQL attack possibility here, so what mitigations are we putting in place? And that goes into determine the threat course of action, right, attacker's most likely and detrimental approach. Now one thing I do want to say here, and this is me being a proponent for you guys
coming over tomorrow, I'm doing a threat model workshop tomorrow, so do come in, and I'm gonna go into super way more in depth on threat modeling and the process here, so I hope you guys join me for that. But one of the things we want to look at is what is the attacker most likely to do, because that's the thing they're usually going to do, is the path of least resistance to our data, and then what is the most detrimental approach, because if we don't look at what the worst thing that could possibly happen is if they do an attack, then we're failing ourselves. And this also allows us to prioritize, because you can't put every security control you're ever going to come up with in your application, right? We don't have the budget or time, it just doesn't work. But we're going to pick the ones that are going to be (a) the most likely and (b) the most detrimental. We're going to identify our security controls and shortcomings. This is the part of the threat modeling process where we look at our application, we look at our threat model, and say, okay, here's all the security controls we picked. Then the final question we always ask: did we do a good enough job? Now I'm going to talk about this specifically tomorrow too.

The course of action development is how we do threat modeling. Now this changes depending on the environment you're in, and sometimes if you're in an agile environment, like, well, how do I threat model a new piece in an agile environment, I just got a ticket? Well, theoretically you should threat model every time you make any change, right, any change to something you know and understand, because you're going to have an effect in changing the way that application works, right? You're going to change the way data is processed or data flows or something happens. So you should at least do a small threat model on any new feature or change, and on a larger-scope plan, when you're first designing the full scope of the application, you need to silo out into the team. It's kind of what I'm getting at here, and the idea is that you stay away from two things. You're not going to have the champion threat modeler, which means it's the one guy that does all your threat models for you because he's just so good at it, because what you're not going to have is any diversity of views whatsoever and you're going to miss stuff. And the second thing you're not going to do is just do a threat model once and leave it alone with one group of people. The best way you should do it is the way we do it: you do it as COA development, you break up into two different teams of diverse groups of people, and you both come up with a threat model, and you come together and see if you came up with the same things. Like, guaranteed, every time I've done a threat modeling workshop it's never anywhere close; they come up with all sorts of new ideas. There's a few things that are always the same, but people have very different ways of approaching problems, and the more diversity you can get into that process the better. And when I say people, I don't mean just developers or security; let me get everybody in there. I've had business analysts, I've had UX designers, anyone who touches that application, knows how it's supposed to work, have them sit in that process, because they have a different viewpoint than we traditionally would.

This leads to what threat modeling looks like, and this goes more into what is a threat model. So it goes, and we scope out our problem we're going to do, we're gonna draw a data flow diagram, we're going to analyze that diagram and look for problems, we're going to create mitigations, and the biggest thing we're going to do is we're going to document what we did. Now this specific idea right here comes out of the Threat Modeling Manifesto. I actually had a great experience working with my CEO at Security Journey, before we got purchased out, who was one of the writers of the
Threat Modeling Manifesto and one of the big pioneers for threat modeling in the industry, and this is kind of the way he came up with approaching it.

All right, so one of the things I didn't mention about on that mission, and I was kind of saving for this slide, is a QRF, so quick reaction force. When you plan out a mission you always want someone to back you up when the worst day happens, right? So when the worst day happened, and we're on that side of that mountain, and that firefight went on most of that day, we lost somebody, we were running low on ammo, we were in a very tight spot, and we called our quick reaction force. What is a quick reaction force? I'm gonna read it right from the definition: a QRF is an armed military unit capable of rapidly responding to developing situations, typically to assist allied units in such assistance; they are to have equipment ready to respond to any type of emergency, typically within 10 minutes or less.

So this is my favorite part of the talk, because this is where I get to kind of come down on the Navy SEALs for a little bit. So anyone who knows the military knows that there's high competitiveness between the different special operations forces, right? So we were actually working under a Navy SOTF when we were in Afghanistan; what that means is the Navy was in charge of the base I was in, where we were working at, and we had a partner force there, so it was our team and we had a Navy SEAL team that was there with us. Now I'm going to caveat the next few comments with, I have a bunch of Navy SEAL friends, I have teams that I love, and I will admit right away that there's SF teams out there, Special Forces teams, that are amazing; there's other ones that I wouldn't let wash my cat, right? Like, there's good teams, there's good people everywhere, and there's bad people everywhere, it's just common, you're going to see that across the board.

So here we had, it was our first mission in Afghanistan, we picked the Navy SEAL team we were partnered with to be our quick reaction force. We go out the gate and we have a bad day, right? We are low on ammo, we got, like, we need help, we need support, right? Everything's going bad. I've blown through a bunch of medical supplies on someone who's dead now. What happens if my guys get hurt, right? I need support, we need people out there, and we call them up. Guess what happens? First response: oh man, we didn't create a list of who would come, so they don't know who to wake up, they don't know who to go get. So they're waking people up, they're sleeping in the middle of doing this, because nobody's ready. They're getting there, they're starting to try and throw their gear together, they go to get on their trucks, their bolts are rusted to the rear on their .50 cals on their trucks, so they can't take their trucks out. We're sitting ducks. We could call back and they really said, we can't come get you, right? So what happens? So what happens is two of our great Green Berets that were on the back of the base get two little quads, fill them up with ammo and a couple aid bags, and drive out there by themselves, come bring us what we need.

Now the team that replaced that SEAL team were phenomenal, so I caveat this: there's good teams and bad teams out there everywhere. But the problem was, they weren't ready, and they weren't ready because they were so confident in their own skills they didn't take the time to be humble enough to prep. And you know who we used for the quick reaction force the rest of the deployment? The gate guard infantry unit on that base, and those guys were phenomenal, right, because every time we got ready to go out the wire, we'd brief a plan, they'd have all their guys ready, they'd have equipment, they'd do inspections, they'd do comms checks, they'd review our
plans so they understood where we were what we're going where we might run into trouble they treated it like they were going on the mission every single time we went out the wire right because they weren't so overconfident that they were too they were humble enough to do the mission and they loved it and they wanted it and they were hungry for it right they weren't so full of themselves that they couldn't prep right so what's that have to do with uh half sec well there's three p's to this right for a good a good qrf team right you need to be prepared you need to be planned and be ready to do the basics
you have to practice and train for that missions just like its own and last thing I want to throw in here is whenever we're doing something quickly it's good to do something I call ltpr all right so listen think pause or spawn now that doesn't specifically talk about this but I'll get how to erase the idea is to pause and when I say pause take a tactical pause just take a moment step back take a breath and think about what the best course action in this instance is so when we have a quick reaction force coming in and they know that we're at our worst situation taking a tactical pause to think about what the best
course action rather than rushing out the door it's one of the worst things you can do is grab everything jump on truck and run out the door and not have a good plan in place for what you're going to do when you get there right incident response within appsec okay so one of the biggest things we have to do when we prepare for instant responses we have to prepare for the fact that this is our mission right this is our job this is how we are preparing to react to the worst case scenarios right so when we deliver a product and we're ready to put it out to production we should already be planning ahead for
what's going to go wrong for and how we're going to react and start training and having a plan in place for that situation because guess what once you put it out there an attacker is going to attack it right it's going to happen you are putting something out there it's