
Good evening, everyone. Welcome, class. Take out your textbooks for Cyber Security 101 on... no, no. All right, so, feels like John Jay. Thanks, John Jay, for, uh, having, uh, having the, facilitating this. I'm super honored to be here. I know Huxley keeps making a big deal that I'm the keynote and that I said yes and all this, but actually this is, like, the places I'm found from, this is the places that mean to me, this is my root. Besides ToorCon, the hacker conference is the community, and I'm actually really honored to, like, actually be in New York City talking to, as a keynote. So this is an exciting time for me as well. Um, theme is reboot,
which is actually kind of cool, because, congrats, we got BSides in New York City back. Everybody get a little positive, you know.

All right, so who the hell am I is a big question, because sometimes I wonder that on a daily basis. Um, so, um, my background is, I've got about, I think I'm getting old, so 25-plus years of information security and counterintelligence. I focused around trying to bridge hackers to, with, uh, feds in the years that actually mattered, so that we can actually, you know, things like threat hunting and digital forensics and criminal justice actually, uh, happen, because when you get people with handcuffs and you get people that are really good with computers together,
it gets a little kind of fun, right? So get to stop bad guys. Um, I'm the CEO of a company called Unit 221B, as in Sherlock Holmes, um, you know, and I, uh, it's an investigation and R&D think tank. We do a lot of really cool forensics, we do pen testing, we do, like, investigations, we find bad guys. Our mission is to define them and disrupt them, and we get to work a lot with law enforcement because of that as well, because we like to really kind of, like, put an end to the problem and send a nice message. Um, so yeah, forensics and, uh, all that kind of stuff is kind of on our area, so
it's great for that, uh, you know, I'm at a school that actually teaches forensics here, this is great. Um, I also like to mentor, so those 200 people that are going to ask me, did it, please come up to me. I have a free training school, actually, so, and we do all collaborative creative stuff, and I say yes to everyone. So essentially this is just to kill that whole, like, glass ceiling a little bit, and it's been a project since COVID, because I figure, you know what, you got to do something cool, right? So we do cool projects, we can do forensic projects, we can do all these different things. So, um, earlier days I founded I2P. It was the
dark web tool back then, before Tor. Um, Zeus malware was kind of like one of the big things that I got to do and play with and stuff, and I also am a violin and piano player and love karaoke, so if you, you know, if anybody likes to karaoke, you give me a call. So I also worked on, I got into ransomware around 2013 when CryptoLocker came into my view, and we actually started a CryptoLocker working group, and, uh, recently we released an article that, like, uh, showed that we had secretly cracked, uh, the Zeppelin ransomware and helped people during COVID, mainly small to medium businesses where they would have probably been, you
know, ended their organizations, uh, to crack it, because they hit the homeless first and I was not happy about that, and if you hit the homeless you're going to get someone like me with ADHD and a lot of focus to go, not cool.

So, all right, so the problem with all my talks is usually people call me and say, will you keynote on emerging threats, right? That's like the big thing, you know, everybody wants to know that stuff. But the problem with that is that I sit there and go, that's a yabat, right, yet another boring emerging threats talk, which I don't want to do. And actually, ironically, when I came up with this talk it was
kind of in the moment and I realized I want to actually do something more about reboot, you know, and, and the concept of where we are in our stuff, because what is another emerging threats, uh, conference going to do for us? Sorry, just raise your hand. Okay, got it, double checking, still a classroom. Uh, but what's that going to do for us? We're going to basically be a little bit entertained, look at this cool threat, you know, all these bad guys are doing this stuff, that's, we get that, right? We'll go back to the office and do what about it, right? Oh gosh, you know, that was a cool talk, but what's that, uh, what, how can I apply it? I might be
scared because yet another emerging threat, and now I got another problem on the stack on my thing. If you're a CISO that's probably just a headache, uh, and we're not gonna get really prepared just by talking about this anyways. So I want to talk about something a little bit different. I've actually figured out the emerging threats algorithm for cyber security, and here it is. Okay, we start with, what are the emerging threats from 2023? You can either ask Google or ChatGPT plus Google or Bard, one of those three things nowadays, and you get a list. I'm just going to start with the top four because, you know, screen space and all that stuff, but that's enough anyways. So the, the
four: ransomware, email compromise, supply chain attacks, IoT device attacks, right? Then the next part of this is, then you go, have we solved any of these? If yes, what are they, and remove from the list. I don't think the list has been modified for a while, right? And then on the other side, how do we solve for any of these? No? Then we carry over to the next year, right? Notice that. Then what we do is, there, are there any groundbreaking techs in 2023 that scare the crap out of us? Yes, AI and ChatGPT, right, that one. So let's add that to the list, number five. Wow, the list is getting longer, right? So then we wait for a
vendor to come along and say they sell something that will fix your problem, and you're taking a gamble and spending all that money to see if it will or not. Because everybody, you know, I'm not saying they don't, I, I respect the vendor space and there are people that are solving real problems, but, you know, there's, you know, that's how we kind of, like, sit and solve our defense problems today, right? Any groundbreaking tech, uh, that we, uh, everyone knows about? No? Phew, keep trying to the same thing we did last year and hope the numbers get better. So we'll go back to number four if AI and ChatGPT weren't on it, but we'll add five today, it'll be fun, right?
So anybody want to tell me what the definition of insanity is? Repeating the same thing, repeating the same thing over and over again, it's expecting a different result. Cool, let's verify this with ChatGPT. What's the depth of common definition, common definition of insanity is doing the same thing over and over again and expecting it for 12. Congratulations, you passed the test. I used ChatGPT to grade my test for me. So, okay, so obviously we're asking the latest, right, you know, and it seems to know the answer better than we do, which is kind of fun. So obviously we're doing something, and we all need jobs, do we all admit, we all need our jobs, but, like, today a security
researcher is more of a marketeer, right? They write blogs and stuff, not that this is also important, but most of their careers read blogs to push a device, to, like, say, look at my malware analysis stuff. So it becomes basically media fodder for, like, essentially some company's device. That's fine, that is a model, but is that really what the security researcher wants to be doing all the time, or do they want to be solving a problem with all the malware they analyzed, right? And we don't really make room for that, and I think now, with the way the jobs are today, we can do both and it'll actually benefit us. So I'll talk about that, but first let's
talk about how we're tired. COVID is still, you know, there are people still wearing masks and COVID is still a threat, but it is probably nice to get out and we can actually finally be in a room together. You know, that turtle deserves a freaking applause, right? But let's talk about the existential crisis we actually really had. We all shared a collective trauma, that we were all afraid that we were going to die, right, and that is its own thing. And then we had work, we had to work at home, our prefrontal cortex was probably only going around 30% because of all the stress in the back of our head about all of this stuff, and it was hard, and we had
to adjust, and Zoom, and I got to learn 10% of neuroscience because of Zoom, because my, uh, my wife's a PhD student, so I'm like, all right, cool. But, like, essentially it was a big change, it was a big shift, it scared everybody, and I think we can all admit that. Are we good with that, right? Okay, so that is some serious trauma, and it's changed how we might look at the world, it's changed how we looked at ourselves, a few things, which is kind of the beauty and all that part, right, if we survive it. So 2023 comes in. Anybody feel in January, February how it started going faster? The world started going back to faster, and it was kind of
stressful when everybody's kind of heads down, just shut down, and they're like, where's my friends at, and they're like, I'm just too busy to even text you. How many people had that feeling starting January, February, world just starts spinning at that, like, normal pace again, and we had, like, what happened to our COVID pace, right? And that was hard to adjust for, and that's its own trauma, that's its own problems, and we're tired, and the template has changed. But we don't have to, one thing we learned in COVID, if we did, you know, that there is tragedy to it and I'm really sorry about that side of it, but there are also, like, you know what they say, it doesn't kill
us, what's making us stronger, is that there were some gifts that we could learn. We learned our own tempo, we got to sit with ourselves and, like, do more creative things in many cases because we had the time, where we spent our time with the family, like, you know, those kind of things. And so what's really important here is that we can take the gifts from, we, that we did learn coming into COVID, come out and slow down to actually go faster, and we got to remind the companies out there that it's not just going to go back to how it was, because actually we found, and found our creative space maybe, or we found some other
things that's really important to us, right? So let's step back and do something different with those gifts.

So we've been sucking on, like I said, the security market Kool-Aid. Our problems caused by our current approach is this: if you're a CSO or guard a network, um, or you're the organization, security defense is a cost, to cost center, there's no profit for them, or at least they don't look at it this way. So unfortunately CISOs or people who have to guard it have to spend time negotiating whether they want protection from a breach that's likely going to happen, which is kind of ridiculous when you actually that way, and we're going to talk about that later.
So for your security vendors, it's because they're, they're being themselves as well, see, it is billions of dollars and a big sale. So if you're the Mandiants of contracts or whatever, all the good big players out there, they're doing something, don't get me wrong, but they're, they're in it for the industry aspect of it now at this point, which is not a judgment, it's, it's just the way of the nature of the beast. Then the threat actor and adversary, all need, all he needs is one bad line of code in a few hours, now with ChatGPT maybe a few minutes. Um, so just basically one line of code in a short interval and all the million
dollars of devices you spent and the tens of millions of dollars you're spending on 10 people running that device is all, falls down. It's a zero-sum game and it's a losing one on our sense. So we, is this how we're going to continue solving security? Do we think this is working? I'm saying, and I'm not saying, like, for instance, all the policies, they don't, like, rip them out, because they are working. 90% of ransomware that comes at you is actually caught, so there is a lot of pieces here that are more reality here, but the reality is the security engineers cost a lot of money just to write, to work with a, a SIEM or this or
that. And it's like, so it's kind of like, reminds me of, like, when gunpowder came out, uh, in the old days in warfare, and essentially you got all these castles that start crumbling and they have to sit there, and there's this time where you have to adjust, because castles are sitting still and you've got this dynamic set of weapons that are new. And so what's that adjustment period? I think it's time that they finally, we get past this adjustment, you know, period and stop being just the castles anymore, right? So when we talk about the zero-sum, uh, game for this, we're actually looking at, the real emerging threat is us. It's our systemic behavior. We've gotten
complacent, we negotiate, and we need a job, and that's, those are realities. We get overwhelmed, we're costly. I mean, every time we do a red team we end up seeing where there's, like, you know, 80 tickets on a 10-person security team. How the heck are you gonna even stop us when we're in your network? You've got all these other tasks going on, right, and that's the problem. So, like, obviously arguing for the investment, all that stuff is a big thing, but it's weird to me that it's an argument in the first place. Um, so basically you got all this fear of conflict as well. So when you kids that are doing your new job, when you get a
new job out there, I'm going to teach you one secret in life: don't fear conflict. You'll get more yeses everywhere you go.

So let's talk about fear and innovation. Okay, so how many people actually play with ChatGPT? Yay, good, this room, I don't need to talk and lecture about fear. But how many people are a little afraid of it, like, holy crap, this might be some things? Okay, see that, so it's like, you play with it and you're afraid of it. That's probably why we're playing with it, because it gives us a sense of control, yay. So we are in the AI era. We have now had that disruption, just like when the internet
came out in 1995 for, like, everybody. Obviously the internet was out there before, some, you know, for hackers that knew about it, but essentially there's, we've had a new disruption, large language models, all of this stuff, and yes, it's going to make a threat actor write ransomware much faster, because all you have to do is say, make me a backup file encryption pro, and it will write that for you, right? Um, but instead of being completely afraid of it, like, the fears are, you know, somewhat rational, it will happen, we've seen some malware recently used low-code ChatGPT and stuff, that it was in the news, um, and the code will be faster for
threat actors, but it's not like it, anything changed. All it did was put us there too. Security engineers can now be faster too. I can actually write an entire risk model, it won't take me 10 minutes, months on training on TensorFlow, it can literally, you can finally speak language to a computer, a human language, and it will do what you, you need. You can make automated risk scoring, automated intelligence reports. This is actually a thing where I set up VirusTotal and it will literally pre-prompt, and every time I look up a hash it will simply, like, make a full malware analysis report in a human-readable format. This helps train our juniors in malware analysis, this will
help get us there. So there are uses that are actually really quick, because how much does it cost to get someone, a reverse engineer, and then, like, write the malware analysis report and all that, that's the whole thing. That doesn't mean it's taking away your job, it's allowing you to look at the, we're overwhelmed with malware these days, no one's got time to do that. Malware analysis should be chosen when it's ready to be doing it, because it's a matter of, like, oh, this is unknown, we don't know anything about it. Also pen testers, anybody like pen testing? Okay, you know those deliverables, the, the hard part, but everybody wants them, everything. So I actually, um, I made
this thing, and I think this actually works here, it's a little bit of a video, but I don't think you're gonna be able to see it. But essentially I wrote, you know, some Python's OS command, system command type code, and I basically had it where I can put prompts in it and it would automatically scan my network. So what you can do is you could technically feed these large language models a playbook, and if you have a good parsing system it will literally run your playbooks for you. So all the low-level red team stuff, and the exciting stuff you actually want to get to is a human, you let ChatGPT do the junior stuff and
you move on to, let's write some malware and, like, get, you know, do a side-channel attack or whatever it is, right, you do the fun stuff. So there's, like, you could fear it and go, it took our jobs, or you could say that this is actually going to be awesome because now I can work on the creative stuff I want. So there is a great piece here. So red teaming, cost savings, time to market, and we can hit all the low-hanging fruit on a more automated manner, and you don't require a bunch of engineers to do it anymore, because you can actually just give it the playbook, right? Deception technologies, this is actually, it looks like,
I don't know if you can see it very well, but it basically looks like Linux, but it's not Linux. I'm sure some of you guys have seen this concept, but essentially it's just AI responding as Linux. So you can use it as honeynets or adversary, uh, uh, you know, modeling, or messing with them, or trolling, or gaslighting, or whatever you want to do with it, you know, um, psyops, it doesn't matter, just let's have fun with, like, a bad guy on our network and he's actually just talking to AI, you know. So, so that's also one of the things that I actually, I got so excited when ChatGPT came out was, I wrote and put ChatGPT into my copy and
paste. So essentially when I'm doing deliverables, which everybody freaking, you know, has to go, ah, you know, because most time when you're in a doc you have to go back out, you got to go to this, go to that. So essentially what I wanted to do was, here's, like, a example of it: it's a botnet, a bunch of CVEs for, like, an RCE, whatever. I literally, when I hit copy it will come up and prompt. I can hit, of course, Escape if I want to move on, but I can say, summarize all the, uh, CVEs in a detailed form for me, right? I don't have to go look for them, get CVE, go cut and paste
this. Watch this, and, like, essentially what will happen is, I think down here, and this was the first version, I have a faster version now because they finally got faster. Um, so essentially, boom, copy the clipboard, and when I paste it, look at that. I'm not done, cool. So, like, you can integrate, there's so many things you can do. Do I need to know the detail? I was going to copy and paste CVEs off of CVE, you know, enum anyways, so this is like, boom, I've got one track and you can speed up those deliverables, do more pen tests, have more fun.

So let's talk about the definition of disruptive thinking, okay? Because we've talked about, all right, so
we've got this old defensive systemic way of handling things, we've got this kind of, like, standard narrative that we have of how the security is, we know it's a zero-sum game, we've got all this figured out now, so how do we get into disruptive thinking into our work environments? So disruptive thinking, if I'm actually looking at, I'm just going to focus on: questions assumptions and challenges of status quo, and yes, I borrowed this from ChatGPT; two, considering unconventional solutions; and three, be open to new ideas and perspectives. The good news is you're students, so your mind's already kind of getting there. Um, but it might get disappointing if you go find a job and you go, don't get to be
disruptive anymore, right? What changes, though, is if you're a leader that actually isn't a company and you hire these John Jay students and you let them be creative, you're going to also feel like you're finally leading and have a purpose. You don't go home and say, man, I don't know why I don't like my job, I think I might leave soon, and, you know, we get that a lot in our industry, whether it's, like, two years in and they're like, the same thing, same thing, same thing. Well, it's like, it's not the companies, you have to do something different and be not afraid to disrupt a little bit. Uh, innovations and breakthroughs will happen, even if you are a company that's
not, like, has a product, you might end up having a product, and there's an entire, like, market there for you, right? Um, and then strong sense of, like I said, success and purpose. You'll be coming home because you set some goals, you got to be creative with your team, and you got to be back to the hacker intuition, which is what brought us here, all, in the first place. This industry doesn't just without all of us.

So who drives the market? We talk about them, the vendors, for a second. No targeting, all vendors are fine, sponsors are very much appreciated, and they're doing innovations and that's cool, but there are certain things that bother me, for
instance threat intelligence. Anybody do that here? Okay, anybody get feeds? You guys buy feeds and stuff? Okay, how many feed, uh, vendors do you have? Two? Okay, and many bigger organizations will be, like, across a span of 5, 10 or something like this and stuff, and some over two. Because you figured out, what do you, you know, how much percentage of each feed you actually use? Exactly, right. And you're paying full price for each feed, aren't you? Of course. Anybody ever see a problem with that, right? That's my problem right now, right, is that, are you a CSO? Okay, but you're ahead of your team or whatever, or at least a pretty close to the person that, you know, does that,
you're like, hey. So either way, CSO, head up security, whatever you're doing, if you're responsible for security or if you're even on the security engineering team, right, you guys are the ones, and gals, you all drive the market, meaning, why are we letting them charge us for less than one percent at full price? That makes actually zero sense. But we're the ones who actually can make that decision, we're the ones that say, you exist because we need you, right? So, like, remember that, and, but embrace that, know your power as someone who's heading up security, embrace that and claim your darn throne, because you guys, you know, you all were the ones who started this in the first place. The CSOs
just happened to got older and are becoming leaders in it and going, why is my job shitty? Because I don't get to be creative anymore. Well, you could actually, you could force the vendors to be better, you could challenge them and say this, I'm not, no one, if we all collectively didn't buy that until it was properly priced for us, we end up setting that, that price. I thought, you know, that was kind of appropriate, so, I can't watch the show, it's too gory. Um, but my point is, it's not a negotiation when literally, another thing that baffles me, you're CISO and you're negotiating with your boss, like we talked about earlier, about the fact that
you are probably going to get breached and it probably will end your organization if it's bad enough. How is that a negotiation? Like, that's just, like, if you're gonna hire CSO, be serious, you know, like, so just a little, you know, hey.

So, so let's try some disruptive thinking. This is a classroom, so let's have some fun, okay? We're gonna do topic of ransomware, just because that's on the list and everybody knows that it's one of the just disgusting crimes of the, of our time, right? Outline the problem in front of us, so let's do that first. So part of disruptive thinking is, I'm going to follow what ChatGPT told me how to do
it. Based on the structure, we're going to outline the problem in front of us, we're going to look at the problem from a new perspective, we need to question those assumptions, we need to brainstorm unconventional solutions, and analyze what existing solutions aren't working, and all that fun stuff. So I'm just going to keep that here, but what I'm going to talk about this is, I want you guys to almost take a beginner's mind. All right, you hear the word ransomware and you think about all the tools, your, your mind goes from key ransomware to value of, like, a list of, like, AV vendors or what vendors or all the stuff. Let's remove out all possibilities in your mind and act like
we're at a table on a whiteboard that says, we got to solve ransomware, guys, or gals, you know, and essentially let's do that, right? So let's do it that way, almost like, like when Steve Jobs would get in a room and they'd try to make Lisa or whatever, and it was a failing project, let's not use that as an example, but essentially let's, let's clear our minds on this. Okay, so let's start with the why ransomware actually works, why is it so popular. So this is basic ransomware code, because of, like, that's basically the core of it, it doesn't take much. There's obviously more pieces and other things like this, but essentially it's a big file encryption system and
you don't have the key, right? So why would they ever stop? Because ransomware is trivial to develop, it's trivial to buy on the, the dark web, right? Yeah, 512-bit or a digit number can literally, you know, crush an organization. Crypto is one of the great equilibriums, but it's got, you know, it's kind of scary. And the return of investment obviously is currently very high without the other ROI, which is risk of incarceration, because they're based out of Russia most of the time, right, and so they don't like us, there's a lot of history there. Um, and Conti ransomware alone last year made over 250 million dollars, so it's very lucrative. And then you've got cyber
insurance companies that enable this problem: let's pay for the ransom, and of course, you know, there's no other options, of course. But I just learned today from someone today that actually ransomware authors will go and find the customer list from the cyber insurance companies and target them, knowing it becomes a victimless crime for them, which makes it easier for them psychologically to do this, because they're like, well, it's not actually hurting anybody, they'll be fine, you know.

So let's break down techniques, tactics, and procedures, right? So how does, what I, I've been doing malware analysis for ransomware a long time, and I wanted to look at, like, what are these, what's the commonalities? To stop anything you need to figure out,
like, what are the past and commonalities that exist in all ransomware. Obfuscation doesn't actually, ransomware actually works quite well because it doesn't try to, it's written by software engineers, not necessarily malware, uh, authors. They don't try to hide this, there's not a bunch of obfuscation in most of this stuff, it's actually, because it looks more like a normal program, right, and it can be, your backup system is very similar, right? So first thing it does is recursive directory, and it usually goes through whitelists for, you know, not destroying the system, so you'll get the ransomware note. Then it will open and read the file into memory, this is before it's encrypted, and again, keep your, your bright minds open a little bit
and see if you can figure something out along the way as we're discovering these TTPs, right? Then we have, like, the crypto mode, and usually there's a static key, but then there's also a generated AES key or some kind of symmetric key that's ephemeral that gets generated on each file, or at least each directory, and then it will encrypt the file, often what's called stripe encryption, because it's a commodity out there, ransomware needs to be fast against petabyte, petabyte type of data, so they stripe it, which means they'll just encrypt sections of the files on purpose for speed, which also can help us later. After that, essentially they'll delete and rename the file, or rename the file
to make sure that it's overwriting the same node that actually has the previous, so no IT data recovery tools will work, and then essentially it'll close, right, and close the file to disk, but it'll usually add a footer or an, append a header to it, most of the time footer, and that tells the decrypter that if you ever do buy, all the encryption, the offsets, the information, the previous file size, all the information that you would need to decrypt, including, like, public keys and such, that are the, the public ones, not the private ones, unfortunately. So then on the network side and the note side is, then a ransomware's note is dropped, it's usually a text file, doc file, a PDF, and
sometimes I've even seen it on a printer, because it shut down and did a BitLocker reboot, I was like, whoa, that's some crazy stuff, you know. So essentially, you know, anything they can do to get your attention, essentially. Most of them, though, are usually just in every directory when you're like, why are my files not working? Um, then they also look at exfilling, extortion, so there's a double extortion. Many of the claims that they're going, oh, we're gonna put your data out on the, the web, are usually idle, they're not actually there, but they've learned that if they can force you to pay within a certain time versus calling a company that, like, cracks keys, that that's, that's,
uh, that's their win, so they basically put that pressure on people. But there are real ones out there that do that: Doppel, LockBit, REvil, Maze, they actually do exfil first, so they have an operator keyboard getting stuff out to MEGAsync before they get started. Then they'll do wormy stuff. Ransomware will also do network file share enumeration and try to do escalated privileges and such, actually it's the operator that gets that part, and then what will happen is it'll scan all the network, it's, you know, pretty much encrypting across there, dropping notes in there, and then you have to find out where was our actual infection, right, so that's always a one. And then, and this will just rinse and
repeat, and then ransom note comes back out, right?

So let's do a comparative analysis: what's the difference between ransomware and a backup? Let's start with something like, ransomware encrypts files; so does next-gen backup tools, right? So we hope so, mine does, PGP. Uh, it will send files to the cloud, yeah, exfil, and also a normal backup program will probably send files to the cloud. It will send a note if you're ransomware; it sends an alert if you're a backup system. Tells you files are encrypted, tells you files are encrypted, and it tells you everything's been backed up and sent to the cloud. Not much difference. So what is the one difference between ransomware and a
backup system? Exactly, the threat actor controls the scenario, the situation, whereas in a backup the network admin controls the situation. So, kind of interesting. So the question when you start, need to, to do here is, we need to establish that this is kind of why ransomware actually works quite well, because it is actually just a backup system, and that's kind of hard to stop, right? Everybody has backup systems, even though they still get those encrypted, let's not talk about that now, but essentially it's a backup system, and the difference is it's just one that's not in our control. And obviously we've told people immutable backup solve problems, you know, I'll solve ransomware, but that's a
little bit idealistic, because we have all these, uh, sorry, my bad, there we go, oh wait, let's take, okay, yeah, we have all these excuses that we keep using and stuff like this, nothing about that, but that's, like, because the systemic nature of business, this gets harder and harder and harder, and it's basically Captain Hindsight all day, go, and we should have done this, right? So that's kind of fun. So the question is, what is the right question? Ransom is going to happen, ransomware is going to happen, it's going to act like a backup, the only difference is the threat actor's in control. So what is the question? 42, of course, you know. No, the real question
is, can we, or how can we, turn tables on ransomware and use its own technology to our advantage? How can we move that threat and control it, right? So then when you think that way, versus, like, how do we just prevent this, you know, blah blah blah, you know, let's think about that. So let's ask AI what it thinks real quick: one potential way to exploit existing ransomware technology for our benefits, to develop a ransomware vaccine, I did not cue that, you know, or other security measures that can prevent ransomware attacks from succeeding. Another approach, which we did already in our tabletop today, could be to study the tactics and techniques used by ransomware and use that knowledge to
protect our systems and networks so let's do both right okay so let's go back to a theory now that we've had the original system ransomware recurses the directory so do backups right on read remember when I said on read the file's not encrypted yet and it goes into memory what if we had a hidden hard drive that's like not seen by the OS on the other side and essentially we could create a snapshot every time it tries to read or delete a file it can only actually be once too because no one cares if your Microsoft thing of three lines earlier didn't get saved versus all your files are encrypted so you don't even have to like have a big
retention field you can have a small Dynamic hard drive that will spread out when the thing now imagine when it starts recursing and starts opening files and it's snapshotting each file before it's encrypted on the back end somewhere that it has no access to and the operating system doesn't know about you would use UEFI for the hint by the way or container in FUSE but my point is is that essentially when it does that that's fine then it starts encrypting we don't care we've already got it we just told the ransomware to be our backup system thank you because I was meaning to do backups today right so we have a shot we don't care but the cool thing is an entropy
everybody know what entropy is it is the measure of basically chaos from order you know and on computers we can actually see how complex something is so you've got a Microsoft Word doc usually about three uh entropy bits per you know uh unit or whatever so essentially it's basically it's really small but AES is usually seven or eight so if you see it suddenly an order of magnitude or something going like that to all these files recursively it's a really easy thing at that same file level system you're in the middle of there you're reading that you can literally say let me just like put all files to zero bytes and read only so even if they exfil
guess what's happening enjoy your or you tar pit it and put like two petabytes for each file and just have a bunch of random zeros in it and just uh have fun like downloading that forever while we track you down right either way you can get rid of your exfil you know it's more like think about the file ideas like you're under the kernel you're above that you're ring negative one right um and then restore is pretty easy you just give it the extension tell it you know that and then suddenly it like takes it's faster to restore ironically because you don't have to deal with encryption it was caught before it was encrypted so it's a standard restore and
you're done so just to really you know show you one way of prototyping this you could do a hidden file system like a container Docker container map it in stuff like that read delete you can snapshot ransomware does our backups for us restore takes second entropy change file size equals zero turntables because I like puns none of you no cringe nothing I need a cringe uh Network admin now has control of the threat ransomware just did your backup for you thank you very much they needed to be done anyway and uh the threat actor is busy crying which is key here I'll let you get your picture you got it okay good all right I'm going to
photobomb my own stuff so anyways okay so one emerging threat is now down look at that instead of focusing on five at a time four at a time and being a CISO going I got all these problems why don't we just get one of them solved in the next 10 years right like and that's not even like that could be free that could anybody can write this if you know some Python or some C or whatever like this is a doable thing really easily it's not some crazy amount except for Windows Windows kernels are kind of a pain in the butt but either way good luck my point is is that here I made one out of FUSE just to
demonstrate so this is actually ransomware on the black side this is actually doing snapshots on the read and the deletes so it's basically only expanding the hard drive because it's recursing and it actually Seasons so this is also changed seeing the entropy as well and seeing that suddenly it went from three to seven things like this so essentially ransomware is creating my backup and that's simple right and that is because we looked at the TTP and looked at what thing does it have to do and is there an area we can actually be creative or disruptive in you know and and move on right even if your backups come online guess what you got a backup
of the backup awesome you know so um so when you leave here today um I wanted to just say that you know there's obviously ransomware and other threats today I think require more creative approach and I want to encourage all of the students here that are getting into this you know we're in that great resignation but what it really taught us is that we can try to figure out especially in Tech what we want to be doing and what we believe should be being you know being done right you you don't always have to go and like you know again it kind of comes down to you know that's why unions exist a gathering of people kind of
control it so our society our community kind of controls what our future is here right so we should be pushing and challenging our companies to have more hackathons teach us things like you know uh you know training get us more creative allowing those times to have that I was actually at hackathon on my last company and someone made a DDR like authentication two-factor authentication we had to dance your way to get through the thing that may be like fun but that's out of the box thinking that's the stuff we love and when I remember going to conferences that's what we did we just shared what we were cool working on together and then maybe someone else
had a cool idea and we merged the idea oh let's GitHub collab and the great thing now is the Internet it's so easy to work together right but our current cyber security methods seem insane it's all zero-sum and the insanity itself is our emerging threat systemic Behavior right CSOs or people who are heads of departments that like run security stop negotiating take control you know uh don't be afraid of that conflict trust me they're not going to fire you because they need you and you got to remember that right and drive that market you know your threat feeds tell them you're going to pay 0.1 percent of the freaking fee you know what I'm saying why the heck
not like we you know there's CSO groups that talk to each other they start talking to each other and spread that out at the top levels and down stuff changes right um and drive your organization no more negotiations under that stuff and get back to your hacker intuition that's really really key see so you don't have to be bored you know people that they had in the leaders they can actually get their team to like create things so anyways thank you very much for having me
oh wait you got a question us I actually don't know what I mean by that is uh as you can tell I have a lot of energy and I'm now 44 which is like got to keep it up and I'm already sweating but um when you're young like I grew up when like Apple IIes were like the computer so you have to learn how to program to use a computer and so there's a piece of it where I always like had a sense of winning like when I was a little kid there was a joke I was like I was a loader you know little nerdy kid and I and when I was six there was this serial killer called
The Green River Killer that was on the news a lot my parents like watched the news and I was around the perimeter of the fence and teacher's like what are you doing I said I'm protecting the perimeter from the Green River Killer and so somewhere obviously I had some sense of justice or sense of protection and that might be from being adopted or whatever other reasons it is but the point being is that like something kind of like gave me a purpose there and I was also a musician and practicing all the time but like then I met a computer and I was like I couldn't get off of it um and my first like really cool little
kid program was I actually had such an imagination that we had joysticks back then so I made an X and Y plotting so you could log into my games with a special secret you know username that my parents didn't know about or take them to their word doc and then I would have it where it's like welcome to X-Men Security Center and it would actually you'd have to turn the the joystick certain ways and I marked it as a combination lock so you would end up actually having the joystick as a combination lock because I was reading about the X and Y plotting and I'm like I don't care about drawing but this sounds cool right you know and so like
that was kind of like one of the things I still have that program to this day from like when I was little but essentially like I just started tinkering and that was the thing I had this I just wanted to know it and maybe it's a sense of like this is so interesting and on the other side as I got older I think it's also like this is going to be dangerous as well so I want to know everything I can so that I run towards fear and so versus like let's let's not like not use it right because it's going to happen anyway so I needed to learn and understand more about it um and then the next thing you know I
guess we called it cyber security but back then it was like information security and I'd read all the books on like the 70s hackers and 9x in New York that's why I'm kind of quite honored here because New York's kind of a big history of of hackers and phreaks you know so uh yeah that's kind of the story I mean it's a longer story than that but you know so any other questions
because the windows doesn't see it either it's actually done in the UEFI so it's actually like unless you can figure out how to like break through and like actually break every UEFI I'm not saying that but like think about how much ransomware is done and how advanced you'd have to do to like target this right nothing is ever bulletproof we all know that right but if you had an isolated system that is literally like shut off from everything and it's read only when it hits everything even if they do find it what are they going to do with it you know what I mean so and that's the key so yeah sounds good five minutes are good
all right five minutes any other questions before we go good all right class is dismissed everyone thank you very much [Applause]
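
Added example, not part of the talk and not the speaker's FUSE prototype: a user-space Python sketch of the two defensive ideas described above, keeping one copy of a file on first read and flagging a rewrite whose byte entropy jumps toward 8 bits, then restoring the pre-encryption copy. `SnapshotGuard`, the vault layout, the 7.0 and 2.0 thresholds and the sample file are assumptions; the snapshot-on-delete path is not covered.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for documents, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class SnapshotGuard:
    """Hypothetical user-space stand-in for a snapshot-on-first-read layer."""
    def __init__(self, vault_dir, high=7.0, jump=2.0):  # thresholds are assumptions
        self.vault, self.high, self.jump = Path(vault_dir), high, jump
        self.baseline = {}  # path -> entropy seen at first read
        self.alerts = []

    def _vault_path(self, path):
        return self.vault / hashlib.sha256(str(path).encode()).hexdigest()

    def read(self, path):
        data = Path(path).read_bytes()
        if path not in self.baseline:  # keep one copy, taken before any rewrite
            self._vault_path(path).write_bytes(data)
            self.baseline[path] = shannon_entropy(data)
        return data

    def write(self, path, data):
        Path(path).write_bytes(data)
        before, after = self.baseline.get(path), shannon_entropy(data)
        if before is not None and after >= self.high and after - before >= self.jump:
            self.alerts.append(path)  # entropy jumped: likely encrypted in place

    def restore(self, path):
        Path(path).write_bytes(self._vault_path(path).read_bytes())

def demo():
    with tempfile.TemporaryDirectory() as root:
        target, vault = Path(root, "report.txt"), Path(root, "vault")
        vault.mkdir()
        original = b"quarterly report: revenue up, costs flat\n" * 300  # constructed sample
        target.write_bytes(original)
        guard = SnapshotGuard(vault)
        guard.read(target)                               # snapshot happens here
        guard.write(target, os.urandom(len(original)))   # random bytes stand in for ciphertext
        flagged = guard.alerts == [target]
        guard.restore(target)
        return flagged, target.read_bytes() == original
```

Already compressed or encrypted formats (archives, media) start near 8 bits per byte, which is why the check compares against the baseline taken at first read rather than using the absolute threshold alone.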