
Disrupting Nation States and Cyber Criminals with Attack Surface Management

BSides Oslo · 2022 · 53:53 · Published 2023-06
Category: Technical
Style: Talk
About this talk
Full title: Disrupting Nation States and Cyber Criminals with Attack Surface Management -- Chris Dale is currently a Principal Consultant at River Security. Along with his security expertise, he has a background in programming, system administration and management. Outside of his day job, Chris also teaches for the SANS Institute as a Certified Instructor. Chris has been featured several times in news and media, is often seen speaking at conferences or mingling at events in the security industry, and talks frequently at conferences. -- How does Continuous Attack Surface Management help disrupt nation-state hackers and cyber criminals? In this talk we will discuss techniques, ideas and concepts to better protect ourselves from threat actors now and in the future.
Transcript [en]

Thank you very much. What a beautiful event you guys have going here, fantastic job from all the volunteers. BSides Oslo, I'm going to be here next year as well. Look at this slide, by the way: "Disrupting Nation States and Cyber Criminals", and there's animation. Turns out PowerPoint has a button called, well, it should have been called "Pimp My Slide", but you just click this Design button and magic happens. But yeah, my talk will basically revolve around two concepts: continuous attack surface management, and what we have defined as always-on pen testing. Trying to change up the game a little bit, innovate a little bit, and see if we can basically make our customers have better security.

Chris Dale, I teach for SANS, as the slide says. I'm also a founder of River Security, where we're a group of nine people now trying to make the world a bit harder to hack. I teach for SANS, so I travel all over the world: the US, Europe, Africa, the Middle East, trying to preach, you know, trying to tell people how things can be done, how they should be done, and hopefully also make it actionable, something that you can actually implement the next week. In short, I do a lot of penetration testing, and unfortunately you might also see me commenting about incident response as well. Ransomware cases have been a big one the past few years; it's been huge, companies literally on the verge of dying, and having to help them is anything but fun. So yeah, alphabet soup of certifications, a little bit about myself.

All right, now a question for all of you: why do we do pen testing? I mean, sometimes we've got to go back to the basics and ask the simple questions. Why do we do pen testing? To help a customer not get hacked tomorrow, so they are safe? To figure out which CVEs and bugs you need to patch so that we won't get popped any time in the future? To maybe stimulate long-term effectiveness of your security policies and make security better in the long term? Pen testing is for many a silver bullet that basically makes you a little bit more immune to hackers online, and I don't necessarily agree with that. There's a couple of problems with a traditional pen test.

I've been lucky enough to work on both sides of the table. I spent three years working as a CISO for a company called Surecat Solutions, so I had to procure pen tests, from some of the people here in the audience even, and I've been working for many years on the other side of the table: I've been providing pen tests and making customers understand why they need to buy a pen test. I've seen some problems on both sides of the table that are not necessarily being addressed by everyone at the moment.

For example, as a client, somebody who wants to buy a pen test: what's the scope of the pen test? I mean, here I am wanting to have a pen test because I want to make sure that hackers are not going to break in tomorrow, and I'm going to have to figure out what the scope is. I've got to figure out which assets I want to put in scope, which assets should be excluded from scope, and I don't necessarily know how hackers operate. I don't necessarily know how they do attack surface discovery, scanning and so on. I'm not qualified to set my own scope of a pen test. Why? Because I have shadow IT, I have dark data, I don't know what the scope could be. When a real hacker, a real threat actor, targets this company, my company for example, they're going to find the things that I didn't know about. And when we do incident response, guess what: very rarely is a customer hacked by something super sophisticated or advanced. Very often the customer is hacked by something that makes the entire company go "oh no, that server, that user, ah, oh no, they did that". It's very often something stupid, right? And we are not buying pen tests for those systems, because most likely they're not on our radar. Okay, so that's a bit of a problem.

Also, it's typically a once-a-year approach; we don't do it often enough. I mean, agile has been for years something developers do, but pen testers are not very agile just yet. We're trying to get there, though.

Providing a pen test: what is the scope, right? How do you find the scope of a pen test? Well, I've got to do my reconnaissance, my scanning, my discovery of assets, I've got to figure out what this company looks like, but that's after the customer signed a deal. So you won't actually find out what the scope is until you start. Maybe you do some scoping meetings and so on, and you waste everybody's time, and you still haven't got any money on paper yet. So it's not a very nice process, in my honest opinion, to figure out the scope before even having any money on the table. The scope also often infuriates pen testers, because once you start working on the engagement, you start to hack into the multitude of systems, you discover other systems, neighboring systems, that are so much more juicy. You know, "oh, I'm supposed to hack over here, but I just found these other ones I really want to touch, but I can't." And it can be frustrating, it can be sad, and you really want to tell the customer, but then you're in a dilemma of scope creep. Nobody wants scope creep, because, well, more billable hours is going to cost a bit more, expectations are not necessarily met.

And I want to ask you: the threat actors out there (oh, this one is animated too, I didn't know that, again hit the magic button, "pimp my slide"), do attackers care about the scope? A real threat actor who wants to get in doesn't care about scope whatsoever. They're not going to look at you and say "ah, I better leave those assets alone". I mean, no, the attackers don't care about scope. And I found this beautiful video, I hope some of you have seen it before, it's like a meme, I want to quickly show you what it's all about. Somebody seen this one before? It is awesome, it's only 25 seconds, I thought it was a minute, but we'll see if this is the right one. This guy is a system, it's basically saying "hey, shoot me, hey, come at me, bro", and he's like "really, come on, come on", pressed on, "hey, ah, they just bought their new next-generation firewall, hit me". And pen testers, okay, well, right.

That's really what I see during incident response. Once we do the root cause analysis, we figure out how they got broken into, then it's often a problem that was previously considered to be something they knew about but they forgot about: that old DNS server, that system that should have been removed that was never removed, that account that popped up after a migration to Azure, an account that was all of a sudden available on the internet that shouldn't be available on the internet. Attackers, they don't care about scope, they just care about monetization or breaking in somehow.

So what I did was to look at what we're doing and try to innovate a little bit. I would call it micro-innovation, because we're not doing a whole lot. But instead of saying "hey, let's do a pen test", we can tell our customers "hey, let's map out your digital attack surface". Let's not say a pen test is one report, one result; let's say a pen test is actually two different deliveries. It all starts with a digital attack surface overview. Let the hackers show you what we can find, let us complement your asset inventory with all the stuff that we find: your social media accounts, your leaked credentials that were leaked from one breach or another. So let us give you all of the ammunition, make you as smart and clever as possible, before we start negotiating and talking about a scope. I can do a lot of great things by just looking at IT assets. I mean, ask a pen tester, tell them: have they ever had a hunch on how easy a system will be to hack? I mean, there's no CSS template on the page,

it looks old, it looks a bit wobbly, it has a PHP extension, you go "I really want to hack over here". Every hacker, every pen tester, will have some hunches, and we can attribute those hunches down to specific metrics that say these systems are very attractive to an external penetration tester; we really want to recommend these assets to be in scope. And because we have already looked at those assets, now we can even basically estimate the size and the time it will take us to pen test those assets. So we can come up with maybe a fixed price, say "here's what it's going to cost", and the customer can then maybe add their own systems to it, they can remove their own systems, and we can basically in a much better way agree on a scope. Makes sense, right? I think it makes sense, and I know many of you feel that it makes sense now, because I'm seeing more and more cyber security companies that are offering their clients "hey, first let's map out the digital attack surface and figure it out". It is a good exercise that gives high value early on in the engagement, ensures trust between the parties, and overall it's very fun to do.

And that takes us into attack surface management. What is attack surface management, then? Attack surface management is basically the digital footprint exercise evolved into a continuous cycle of reconnaissance, discovery and scanning. We want to look at how it evolves, not just one snapshot in time. We want to look at those systems and those assets, how they change throughout every day, how the landscape evolves. Every company will innovate, they will build, they will have organic growth, and we want to put that into a system that allows us to detect those deltas, detect those changes that might give an attacker new opportunities. And that's what it's all about, in my opinion, because an attacker, a real threat actor on the internet, will base themselves upon what opportunities exist today on how to break into this company. Log4j all of a sudden happened the day after you had a pen test; you go like "oh, do I need another re-pen-test now, can we look for Log4j?" And absolutely, you should be able to look for it. You should be able to discover such opportunities and basically identify them as potential threats; that should be something that you can do easily. Also shadow IT and dark data should be something that is harder to implement. We can complement attack surface management with features of the blue team. The blue team has DNS logs, for example, that you can go look through, things like Amazon AWS buckets, Google Cloud compute buckets for example, Azure blob storage, and you can find shadow IT through cooperation as well.

But there is basically the concept of attack surface management: hey, let's put this digital attack surface, that report, let's put that into a system that lets us continuously maintain and monitor the customer, finding those doors that we left open. You know, this meme here is beautiful, by the way. I saw this highway, apparently there is no sign; this sign has been photoshopped on top of this meme. But there we go, some meme trivia for everybody.

Typically, when we are successful as pen testers, and I hope many of the pen testers in the room can confirm this with me, very often you can get a sense of whether you're going to be successful in a pen test or not by simply having a fantastic reconnaissance phase, by simply being very good at reconnaissance, building very targeted, nice, beautiful word lists and building up that dossier of information, preparing you for the inevitable launching of exploits. To us that's the most important phase. What determines the success of a pen test, of us breaking into a company? Typically, hey, reconnaissance, that's where we get value for our money. And to basically improve your reconnaissance processes, you want to look for what we call the path least traveled. This is also for the bug bounty hunters out there: if you're going to be successful in bug bounty, you probably want to find those new systems, or

those systems that nobody else has found yet. You want to find that hidden attack surface, and you find that by having the best reconnaissance, you find it by having targeted, good, neat word lists and processes that will let you be notified when there is a change to the attack surface, so you can jump on that opportunity to quickly take advantage of it.

There is a dilemma. From a business side, they want to grow, they want to build, they want to release marketing, maybe they have stuff that wants to go out, information should be spread. But from a cyber security perspective we want to slow things down, right? In fact, cyber security for many has been all about saying no. You want to move to the cloud? Hell no. You want to put some data out on a server in a DMZ and expose potentially GDPR-sensitive data through basic means of access controls? We've been saying no, no, no, no, no. However, cyber security in my eyes is all about yes. You want to do something? Yes, but here's how it's done. Attack surface management and the digital footprint, this allows hopefully the security teams to say a bit more yes. Let's support the organization, let's not hinder innovation, let's not stop the company from growing. Let's say "yes, but", and for the things that we cannot govern, maybe attack surface management will help us conclude and reduce that risk.

I love seeing customers that look like a tank from the outside: all we see is a couple of websites and a lot of endpoints like VPN concentrators and so on, and there's not that much weeds, you know, it looks very clean and neat from the outside. That's an attack surface, a digital attack surface, which is hardened and nice, every version number is the same and so on; you can tell that the guys in IT operations are governing this. Whereas in most organizations it's a lot of weeds, a lot of things growing left and right, and you go like "what is this version number from ten years ago?", end-of-life systems, you find all kinds of stuff.

So what is always-on pen testing, then? Well, always-on pen testing is when we take literally the digital attack surface management and you pen test and verify all of the changes. So when a port is opened, when a new domain has been provisioned, when you found something new of an opportunity, when Log4j comes out for example, that CVE, that vulnerability, you want to be as fast as possible to quickly find out: can you exploit the customer? Taking the pen test down to the opportunities as they happen, instead of once a year, once a quarter, however fast you can build this. So instead of my team working in projects that are a week to three long, we are looking at projects that are "hey, let's look at this item", 45 minutes later you're done, let's look at another item. And we have this huge sandbox with tons of assets that belong to our customers that we try to hack simultaneously. It is a lot of fun working like this, because it's working in the same modus operandi as real threat actors. Always-on pen testing is basically us trying, in real time, as fast as we can, to figure out if we can conclude a possible opportunity down to actual exploitation. Where we say we take the vulnerability scanner, we purchase those vulnerability licenses, for Nessus, Tenable and Rapid7 and so on, we will have those licenses, we will scan your assets and take all those criticals, highs, mediums and ask ourselves: can we hack the customer now based on a vulnerability? A new CVE: NIST has just announced that hey, there's a new CVE for Apache software, for example Apache web server. We're going to take that CVE, we know the customer is running Apache across a couple of thousand assets maybe, and we will ask ourselves, based on the CVE, is there any reason for the customer to shut down the server and upgrade immediately, or can we wait till the next patch window? And that is very nice, because now we get what we call high-fidelity alerts. We get

alerts that we can trust. We can trust these alerts because they've been verified by human people. I'm not a big fan of crying wolf all the time, which is something this industry is specializing in. It's kind of like we're proud of having very many findings; the higher number of findings that we can get is very nice for many. However, you look at this from a business side, you go: should I patch any of these? Is there something for me to do? Do I need to act on these 127 vulnerabilities, or am I safe? I mean, I know there's a vulnerability, but I haven't been hacked yet. Is it because nobody has looked yet? What is the reason? And the reason why you're not necessarily getting hacked immediately because you're running an end-of-life system, or because you have a critical vulnerability on a web server, is that most of the time vulnerabilities have dependencies. The attacker might require an account on the system, for example. "Oh, big vulnerability in WordPress": only if you are assigning users the author role, only then will the server get popped and the pen testers can break in, meaning that you can relax, unless, well, you're currently giving random people on the internet the author role, or if any of those accounts get compromised. So I like working like this.

In a traditional pen test it's kind of like we're slow, we're turtles, very slowly but surely moving ahead. Well, threat actors, nation-state attackers like the US NSA for example, they have a fantastic talk on YouTube from the USENIX conference. Rob Joyce goes ahead and says: look, we are present every day. The reason why we are successful in breaking into customers, or victims you could say, in foreign countries, is because we end up knowing the target better than they know themselves. They're cheetahs, super fast, always moving, always looking. If you open up a port only for a couple of hours, there's going to be somebody there to check: hey, port open, what is this? I used to say pen tests, it's like playing badminton, and real criminals, they're playing tennis, right? Until a guy corrected me on that and said "well, you know, actually a badminton ball can move faster than a tennis ball", and I'm like "oh, okay, yeah, but are we playing the same sport?" We've got to ask ourselves that. A traditional pen test, will that actually give us something really actionable for the long-term sustainability and security of a company? And I think bug bounty, for example, attack surface management and so on, has higher returns for customers, because it is all about speed and agility.

Inspired by the military, which we are quite a bit in River, we believe that if we are faster than the threat actors out there to observe changes to the attack surface, if we are faster to orient ourselves and ask ourselves the question "does this allow us to compromise the customer, is there GDPR-sensitive data, is there a way for us to run code, can we do a denial of service, any risk to the customer?", if we can ask that question, orient ourselves really fast, decide on an outcome and make the customer act on that rapidly, multiple times every day, we believe that we can have a chance against what the threat actors are currently doing to us. We can beat them, or at least we can compete against them in the same arena that they're playing in. This is based off the military, and the military in a dogfight, like these two fighter jets here, typically what you would say is that the pilot who has the fastest repeating OODA loops, over and over and over, is the pilot who's going to win the dogfight. The pilot who can quickest identify threats, identify mountains, up, down, velocity and so on, over and over, make the right decisions based on the information that you can see, will win the dogfight.

It comes down to proactive and reactive. We want to be proactive, and we have this slide here to show you how companies could potentially mature in terms of cyber security, because if you look at the journey of a company today, most companies will invest in

shiny, nice next-generation firewalls, antivirus, endpoint detection and response and so on. If they have a problem, if you get compromised, you are the most reactive you can imagine: you are now blocking the attack, you're trying to respond, incident response, that's a reactive type of approach. When companies mature in terms of proactiveness, most companies, after they have invested in cyber security, will ask themselves "what's next? What should come after we have purchased licenses for different software?" And they look towards the pen test; they need validation. All right, what if we let some hackers on the inside of our network, now will we get popped? Now are we good enough? Now what if we invite somebody to come hack the company, can they? That's a typical approach. And then once you have gotten a report, you fix the findings, you ask yourselves what's next. We're still growing, the company requires more operations regarding security, so we're looking to mature into a security operations center, managed detection and response. And that step for many organizations is very hard. They fail, and they stand still for years to come, because they don't get to the point where they have money or time enough to invest into building robust security operations.

And then if we look at the security operations, it is typically you sitting inside of your castle with spears, waiting for somebody to jump the wall and trigger some tripwires or alerts. You're waiting for alerts most of the time to basically respond to. Of course we have cyber threat intelligence, we have proactive things that we can complement the SOC with, but a traditional SOC with a SIEM and so on is getting in alerts that we need to react to. What we're saying is maybe a different maturity would be to take the pen testing and turn it into an as-a-service model. Because why not? Attack surface management, always-on pen testing: you're on the internet, you're already getting hacked by somebody, so why not have the good guys be your criminal best friends on the internet, trying to break in every day? And for some people they're like "I'm really scared of inviting a team of hackers to try to break into us every day", but come on, there's already somebody trying to hack you, right? There are a lot of people out there trying right now to hack you. And some of us say "well, okay, that's fine, I guess I just don't want anybody else trying to hack us", and that's a losing concept. We're going to have to change, and I think we should allow pen testers to continuously review the cyber security status, like a bug bounty.

We have defined this as an offensive cyber security operations center, because why is this SOC concept only for defenders? I mean, my team, we're getting alerts: new port, new domain, new CVE, new leak. Those alerts are processed by a team of engineers, security analysts, security researchers, and they will ask themselves "do I need to forward this to a pen tester and have somebody look at it right now?" It is an offensive security operations center, and that's how I would imagine some of the nation states working: basically doing reconnaissance, intelligence gathering every single day, and feeding the valuable information down to people who can send attacks and try to prove risk. And within this architecture here we have a lot of different components, and that's what the next section is going to contain. I've been told that we have plenty of time, so we're going to go a bit slowly through the components. Take your time and look to see how we can automate collection of important data that will have an impact for our customers.

For example, domain names, internet-facing domains. Well, a domain for many attackers is a starting point. It is associated with an IP address, typically, and there are going to be network services hosted on it. Of course we want to find domains, because there's typically functionality behind them that we can try to break. So looking at new domains provisioned, trying to figure out when there's a new domain created on behalf of a customer, or a subdomain provisioned, if we can

quickly get a hold of them and check out and see what's going on on it, we can make a difference. We can ask ourselves who registered it, and sometimes we see very funny things when we find phishing domains; we see like profanity and stuff in the emails and so on. But we have all kinds of information we can go look for. We have brute forcing, we have word lists that we use, but perhaps the most valuable is certificate transparency logs. If you haven't heard about CTL, the certificate transparency logs, it is time, because CTL is basically a public log of all the certificates that you create on behalf of your domains. It is basically a statement that hey, this certificate authority has created this certificate on behalf of a domain, making it a beautiful resource for attackers to figure out what there is to attack.

Let me find, for example, here is a website that we can use to search in the history of the log. So up here, for example, I could put in, say, this beautiful autocomplete here, the wildcard here, and this is a historical search. Did I click enter or not? I didn't. I'm using Internet Explorer, I'm not sure if it's the slowness, you've got to let it run for a while. But I just searched through the history of the CTL; that's something else than sitting on the beating pulse of the CTL. The pulse, all the new domains that are created every single second, is what we look at, but this website allows us to go back in time and see which domains or which certificates have been created. And wouldn't you find the "S and D PTA 01" starting at, I know, that sounds interesting, doesn't it? And once that domain has been created, I want to quickly jump on the opportunity to ask myself: can I hack the customer now? Is there something here to find? Are there any mistakes? We've had customers where, within 24 hours of them putting SSL/TLS on a website, within 24 hours we've been able to call them up and say "hey, we got the IT administrator's password in plain text, and we got your third-party supplier's super admin password in plain text", by simply looking at new domains.

How is that possible? Well, you know, when a domain is provisioned, for example (it's lagging like crazy here, bad decision of using Edge, I guess), but when a new domain appears, we will immediately jump to the conclusion that look, let's scan this, let's assume it's online and find services. And then we find, well, IT operations, developers, they're building things, they're setting up the blocks and they're putting things online and so on, installing services, getting things ready and so on. And that's when we look at those systems; we ask ourselves, maybe there's some temporary security vulnerabilities in place here. For example, in our case, where we had less than 24 hours to find passwords in plain text, you know what had happened? They had turned on directory listing on a folder called "logs". So we find the logs folder and inside of it there's a bunch of text files, the logs of the server and that web application. We click the logs and it turns out that the application logs usernames and passwords in plain text when somebody tries to log on, because the application is running in debug mode. And so it wasn't hard at all, it wasn't sophisticated at all, it was all about taking the opportunity as soon as possible to demonstrate the risk. That password the third-party provider was using, by the way, this was for a Microsoft Teams SIP integration, their third party that they were using, that password, I guarantee you, works at other customers. It was like one of those passwords you look at and you go "yeah, yeah, this is the one password that they use for everything". And we had a wash-up meeting with our customer; they were like "but we've got to ask you, how can you be so fast? 24 hours, how is that possible?" And it's not hard when you look at the logs of the CTL like this, when you look at the

live stream of data here and you look for keywords. Not "stutting it.no"; you look for "stutting", yeah. What you will find is thousands of certificates pertaining to things that might include this name. You will find phishing domains, you will find anything that pertains to the keyword structure, and then you will filter out and score those assets, basically score them on the likelihood of belonging to your customer. You can do like a regex and say "I want to look for two things that I know and only that", but the wildcards are better: look for "stuttinger" or the name of your customer. You're going to get some false positives, but you will find domains like, say, "stuttinger-gdpr.com.no" or something like that. You're going to find those domains that are being staged and built to set up phishing for the future, and also you'll find real attack surfaces, which is very fun to hack. So the CTL, beautiful for bug bounties.

There's more, there are plenty of things in automation that we're building to allow us to collect data. For example, URL shorteners. Vega, who is in the audience here, me and him did a project where we took Archive Team's data. Basically what they do, this team over at archive, they're called Archive Team, what they do is that they brute force URL shorteners, bit.ly links and so on. Those links are being brute forced to see what is behind them, because if you hit the right URL, it's going to redirect you to some kind of website, and those websites might contain information that our customers are interested in. They might contain domains, internal domains, they might contain information that pertains to our customer's domain directly. Or when we look through the brute-forced URLs, we find all kinds of hacks in progress, we find all kinds of interesting evidence of URL shorteners being used for all kinds of things. And here we see actual URL shortening links to backup files, SQL injection, we had local file inclusion, we had IDOR attacks, we had all kinds of links identified that will give us information that hey, this website is vulnerable, because attackers are using these websites as well. And then we found a ton of booking confirmations, a ton of flight tickets and hotel reservations and so on, and we're just looking for a customer's name.

If you ever see this domain, we are very interested in that, because while it's parked today, it could be something else tomorrow, it could be something that you utilize the next day. So when we see something parked, we use a feature that we call a Delta Checker, which is basically a little check that goes ahead and continuously queries the service and notifies us if it ever changes, so we can get an alert that hey, all right, this domain has been registered, it's old, but all of a sudden it goes active; we want to take advantage of that opportunity. Funny thing about the domain shop, actually: we accidentally scanned them over IPv6 not too long ago, I believe it was about a year ago, and on IP version 6 we found a port open on a parked domain. We found a port open on it, I think it was about port 9000, and it was node exporter. And the IP address behind these parked domains is, well, the domain shop's web server. So when I let the founder know on LinkedIn that hey, this port is open, he was very happy. It was only open over IP version 6, not over IP version 4.

mistakes happen right we actually had our service in terms of Port scanning we had our service actually catch ourselves in a mistake because when we scan domains and IP addresses when we try to figure out what network services are behind them we also do it to ourselves we we have a project that we call Naval gazing where we have all the assets that we know about that we have it's like our asset inventory we also scan them and all of a sudden one day one of the analysts asked hey Chris is this port 8080 supposed to be open and it turns out that in digitalocean sure enough we had a Docker container that by accident exposed Port 880 to the

internet. It was not supposed to be open and we found that by basically scanning using port scanners. You can wrap these tools and make them put data into databases, for example, and so on. Using port scanners we want to see what the current landscape looks like, that's your digital footprint, and then we want to see if there's in any way in the future a new port that is opened, any time in the future a new service opens up, we want to know about it. For example over in the UK we found a crypto wallet all of a sudden exposed for like a couple of hours, all of a sudden hey, here's a crypto wallet hosted

online, very interesting, print screens, look for CVEs, see if we can find vulnerabilities, but all of a sudden it was gone again. It's oscillating. We can find these things by scanning the attack surface in different configurations, so you don't need to scan every single port every single day necessarily, it will be a lot of traffic, it will be a lot of potential waste. So what you can do is you can scan in different configurations that make you more effective, for example by scanning according to Nmap, at least, I know some of the data is a bit old, but according to Fyodor and Nmap, by scanning the top 576 most common ports

you will find 90 percent of the available attack surface by only scanning close to 600 ports. That's much more effective, that you can do on repeat, you can scan in higher, better, faster intervals so that we can find if something is happening. Once there is something that is discovered you can jump on it immediately. Keep in mind this is from an external attacker's point of view, but we are working for a customer, and a customer can very well tell us: hey, we're planning on releasing a new domain, we want to give you a heads up, here's the domain name, you're welcome to start looking at it right now but it's probably going to go live in the next

couple of weeks. The teamwork between red and blue, making purple, is definitively something that we synergize with, and that's nice. Trackers: digininja, Robin Wood, made a beautiful little script that allows you to basically use the web trackers to understand how to find more attack surface. So for example here we're looking at a scan using the Nmap HTTP tracker script and it finds an HTTP tracker, like, what's it called, Google Analytics and so on, and those identifiers we can basically take and apply querying on: we can Google for them, we can look for them in other places, and we can expand on our attack surface. So that's a pretty neat little trick here
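The tracker pivot described above, as an added example that is not Robin Wood's script and not code from the talk: landing pages are searched for analytics and tag-manager identifiers, and hosts are then grouped by identifier, so a forgotten microsite that still carries the same property ID as the main site surfaces as a candidate asset of the same owner. Hostnames, HTML and all identifiers are constructed; the ID formats follow the public patterns for these trackers, and the regexes are my own.

```python
"""Group hosts by the web tracker IDs embedded in their pages.

Added example, not Robin Wood's tool. Hostnames, HTML and IDs below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Set

# Identifier formats for a few common trackers (public formats; the IDs in the samples are made up).
TRACKER_PATTERNS = {
    "google_analytics_ua": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "google_analytics_g": re.compile(r"\bG-[A-Z0-9]{8,12}\b"),
    "google_tag_manager": re.compile(r"\bGTM-[A-Z0-9]{5,9}\b"),
    # fbq('init', '<pixel id>') -- the id is captured in group 1
    "facebook_pixel": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{10,20})['\"]"),
}


def extract_tracker_ids(html: str) -> Set[str]:
    """Return every tracker identifier found in one HTML document, prefixed with its type."""
    found: Set[str] = set()
    for name, pattern in TRACKER_PATTERNS.items():
        for m in pattern.finditer(html):
            ident = m.group(1) if m.groups() else m.group(0)
            found.add(f"{name}:{ident}")
    return found


def group_hosts_by_tracker(pages: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map tracker id -> set of hosts whose landing page carries it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for host, html in pages.items():
        for ident in extract_tracker_ids(html):
            index[ident].add(host)
    return dict(index)


def shared_trackers(pages: Dict[str, str]) -> Dict[str, Set[str]]:
    """Only the trackers that tie two or more hosts together: candidate new assets of one owner."""
    return {k: v for k, v in group_hosts_by_tracker(pages).items() if len(v) > 1}


# Constructed landing pages. The forgotten microsite is not under the corp domain,
# but it still embeds the same (made-up) analytics property as the main site.
SAMPLE_PAGES = {
    "www.corp.example": """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234"></script>
<script>ga('create', 'UA-1234567-1', 'auto'); ga('send', 'pageview');</script>
</head><body>Corp</body></html>""",
    "shop.corp.example": """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234"></script>
</head><body>Shop</body></html>""",
    "forgotten-microsite.example": """<html><head>
<script>ga('create', 'UA-1234567-1', 'auto');</script>
<script>fbq('init', '123456789012345');</script>
</head><body>Campaign 2019</body></html>""",
}


if __name__ == "__main__":
    for ident, hosts in sorted(shared_trackers(SAMPLE_PAGES).items()):
        print(ident, "->", ", ".join(sorted(hosts)))
```

The pivot works in both directions for a defender: run it over your own known assets to see which tracker IDs you use, then look for those IDs elsewhere to find sites nobody in the organization remembers owning.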

with the tracking code, you see it down there, 750 3551. You go look for other websites that have the same tracker on it and all of a sudden you find new systems, systems that are not necessarily attributed to a customer domain and so on. Nice, thank you Robin Wood. In fact Robin Wood has made other tools, it's like he's producing a bunch of tools out there. He wrote a beautiful tool called CeWL, it's a Ruby script that generates word lists: it takes in a website and out from this tool comes word lists that have your words in it, meaning if you manufacture ice cream, for example, you will have all your product names in that word list; if you

have your pump supplier, it will have your model numbers and so on. Those keywords, those names, those product names and descriptions of your services and so on, you can imagine people could potentially have those in sensitive passwords, right? And it could also represent domains and systems. When we see a splash website like this, which is every single day, when we see the splash website that I showed you from stuttinger, we assume there to be content behind this, and we are going to do a very thorough job trying to figure out where the application is. There's got to be something behind that, I'm sure there's an application somewhere, so we're going to be enumerating the hosts, if there's an IP

address we're going to be enumerating the content, discovering, seeing if we can find that folder that gives us the application. You know what we do if we fail? There's no shame in this, we'll just ask the customer. Our process: we've done content discovery, we have word lists, we still can't figure out where the application is, where's the endpoint, can you please give us the insight? So not only can we improve our processes, but we can also check out the system and see if there's any credential stuffing that might work on it, if there's any misconfigurations and vulnerabilities we might find. So it's nice. But anyway, super pro tip, if you're doing bug bounty, check out IIS short name scanning.

Ah, how many bugs we have found on this. Basically your Windows servers running IIS, many of them will support basically the old DOS short names. Remember how in the old days if you had a long file path it would say like six characters and then a tilde and a number one, for example Documents and Settings on Windows XP, you would see that short name being represented. Well, that feature is still supported, right, Windows NT is beautiful and it's running behind the scenes supporting short names, and we can brute force, basically, from an external point of view we can try to brute force what short names exist on a web server to find a lot of great information. So if

you don't know about that technique you should definitively check it out, because it's a lot of fun and I've spent countless hours just trying to figure out which files are behind a web server. Other things: technology stack. This is a huge one for a lot of customers, because a lot of the time when the customer looks at their technology they have, say, a vulnerability scanner giving them information about all the bad things that are happening with their stacks, all of these vulnerabilities left and right, there's purple, there's red, there's some yellow and green informationals left and right, and they're not sure if it can actually be used for anything. So when we look at the technology stack,

what we do is that we purchase information from third parties, OSINT gathering and so on, plus our scanners give us information about technology in place. What we do is that we normalize the output of scanners and collectors and OSINT data, we normalize it into a technology type, and we basically look, on behalf of the customer, at the feeds from NIST and others: basically, is this product from one day to another all of a sudden vulnerable, and if there is a vulnerability, can we hack it? And the surprising answer is actually, very often, most of the time it's no, we cannot hack the customer. Most of the time it is risk introduced, yes, to the server, but it's actually not

something we can weaponize, there is no public exploit that we can take advantage of. You can probably sit tight there, customer, put this through your regular patch management cycle, get it done, but you don't need to do it over a good weekend. And I really like that, because instead of crying wolf you kind of become very actionable. When Log4j happened I was actually very happy that it happened on the day of our Christmas party, so we're gonna have our Christmas party at River Security, and Log4j, and we're like, uh oh, gotta cancel everything. But we got lucky, one of our guys got COVID and he had to stay home.
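The technology-stack workflow described above (normalize scanner and collector output into a technology type, match it against a vulnerability feed, then decide whether it is a "patch this weekend" or a "regular patch cycle" finding), as an added example that is not River Security's pipeline and not code from the talk. The banner rules, the advisory entries, their version ranges and the public-exploit flags are all constructed placeholders, not real advisory data; a real implementation would load the feed from NIST or a similar source.

```python
"""Normalise raw technology fingerprints and triage them against a vulnerability feed.

Added example; banner rules, advisories and exploit flags are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Technology:
    vendor: str
    product: str
    version: Optional[str]


# Normalisation rules: a regex over a banner/scanner string -> canonical vendor and product.
# Different collectors spell the same product differently; this is the one place that knows it.
BANNER_RULES: List[Tuple["re.Pattern[str]", str, str]] = [
    (re.compile(r"\bApache/(\d+(?:\.\d+)+)"), "apache", "http_server"),
    (re.compile(r"\bnginx/(\d+(?:\.\d+)+)"), "nginx", "nginx"),
    (re.compile(r"\bOpenSSH_(\d+(?:\.\d+)+)"), "openbsd", "openssh"),
    (re.compile(r"\blog4j(?:-core)?[-/ ](\d+(?:\.\d+)+)", re.I), "apache", "log4j"),
]


def normalize(raw: str) -> Optional[Technology]:
    """Turn one raw fingerprint into a Technology, or None if no rule recognises it."""
    for pattern, vendor, product in BANNER_RULES:
        m = pattern.search(raw)
        if m:
            return Technology(vendor, product, m.group(1))
    return None


def version_key(v: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple for ordering (2.4.10 sorts after 2.4.9)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE
    vendor: str
    product: str
    affected_from: str    # inclusive lower bound
    fixed_in: str         # exclusive upper bound
    public_exploit: bool  # is there something an attacker can just run?


def matches(adv: Advisory, tech: Technology) -> bool:
    """True if the advisory covers this exact product and the observed version is in range."""
    if (adv.vendor, adv.product) != (tech.vendor, tech.product) or tech.version is None:
        return False
    return version_key(adv.affected_from) <= version_key(tech.version) < version_key(adv.fixed_in)


def triage(raw_observations: Dict[str, str], feed: List[Advisory]) -> List[Dict[str, str]]:
    """Match every host's fingerprint against the feed and assign an actionable priority."""
    findings: List[Dict[str, str]] = []
    for host, raw in raw_observations.items():
        tech = normalize(raw)
        if tech is None:
            continue
        for adv in feed:
            if matches(adv, tech):
                findings.append({
                    "host": host,
                    "advisory": adv.advisory_id,
                    "technology": f"{tech.vendor}:{tech.product}:{tech.version}",
                    # exploitable today -> verify and act now; otherwise it is risk, not an incident
                    "priority": "verify now" if adv.public_exploit else "regular patch cycle",
                })
    return findings


# Constructed scanner output (host -> banner) and a constructed feed.
OBSERVATIONS = {
    "web1.example": "Apache/2.4.10 (Ubuntu)",
    "web2.example": "nginx/1.18.0",
    "bastion.example": "SSH-2.0-OpenSSH_8.4",
    "legacy.example": "Microsoft-IIS/10.0",   # no rule yet: silently skipped, worth a rule later
}
FEED = [
    Advisory("ADV-EXAMPLE-1", "apache", "http_server", "2.4.0", "2.4.20", public_exploit=True),
    Advisory("ADV-EXAMPLE-2", "nginx", "nginx", "1.18.0", "1.19.0", public_exploit=False),
    Advisory("ADV-EXAMPLE-3", "openbsd", "openssh", "9.0", "9.1", public_exploit=True),
]


if __name__ == "__main__":
    for f in triage(OBSERVATIONS, FEED):
        print(f"{f['host']:18} {f['technology']:30} {f['advisory']:15} {f['priority']}")
```

The split the talk makes, "can we actually hack it" versus "this is risk for the patch cycle", is carried here by a single boolean on the advisory; in practice that flag would be fed by exploit-availability data and by the analyst's own verification against the host.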

He worked then the next 16 hours just understanding Log4j, taking all of the attack surfaces that we have, scanning every single server that might have anything pertaining to Java and just figuring out anything they're out there we can hack, and very quickly we identified several callbacks and we can say, customer, looks like you're vulnerable over here, and we can basically assess the situation while we then continue to develop scripts that will help conclude the fact of the matter. All right, so we'll give some time to Q&A as well, so let me just, these slides will go online, okay, and you will have them. How we can look at cloud operations, how we can use

OSINT and so on to help us. Code repositories, there's a lot of interesting things for us to look at from an external point of view. Third parties that are part of supply chains. We see credential stuffing, using software-as-a-service companies' leaks we can stuff on our customers and all of a sudden we get into an account, beautiful. Take a look at these things, be inspired and think: how can we implement things like these for our own assets, how can we start to gain that control? Mobile applications is also a big one, not necessarily hunting for vulnerabilities in a mobile application itself, but it typically has tons of endpoints, APIs that it uses, that we can

now build out more attack surface on and find where we might compromise data or somehow get into the customer, and you can monitor for mobile applications with some automation, some API accesses and so on, you can get lists of applications pertaining to a search or a given name and so on. So there are opportunities out there. And sensitive information, this is also beautiful, I mean very often by literally doing what we call Google dorking, searching on Google and sometimes even Bing, anybody use Bing? You want a bad as one guy in the back here, are you spinning? I'm proud of it, right, but because Bing sucks it's actually useful sometimes. I'm sorry, I'm

sorry Marks, Bing is beautiful, okay. But we query these search engines looking to see can we find spreadsheets, can we find files and information. Say you have a hundred thousand results off Google from a specific search query that we utilize on your organization, we can't go over a hundred thousand hits, but we can take one hundred thousand and one, once that one extra comes in we want to know what happened. And we can automate querying of, say, WordPress, it has APIs, it gives us beautiful lists of every file being uploaded and so on, right. Social media, lots of things here for you to dig into. Users' credentials being leaked, I mean we've

purchased quite expensive licenses of CTI just so we can better understand if there's any opportunities pertaining to credentials that we might use. Brand: just think about what you can do with a brand to find more assets, you can take a phrase, you can take a logo and query it to reverse image searching algorithms and find more systems. And finally some other things here, I mean you're waiting for me right now to conclude, you gave me till five, right? You're stressing me out a little bit, I'm sorry, I want to fit in the, we need to fit in the CTF as well, so right. My fault, by the way, if

Chris is going along, because I was ambiguous in my communication, it did, yeah, so it's all my fault, Chris is doing a fantastic job of doing what I basically... But fret not, these notes will go online. What I hope that we will do in the future is that we will start to basically go out of our castle, defending forward, look into the shrubbery, what exists around our castle, things that are not governed, while most of us engineers, we sit inside here hoping that nobody jumps over the wall and breaks in, hoping that there won't be a tunnel being dug right now trying to get in, and I want us to move outside of the castle

and protect ourselves better. It does resonate very well with CIS Top 18, look at number one and two, knowing yourself: inventory of software and assets. How are you supposed to protect yourself if you don't identify and map, knowing what there is to protect, where should I focus my defenses, where do I not have governance, and so on. And I think Sun Tzu said it best, right, we gotta have a Sun Tzu quote in here, look: know yourself and know your enemy, you will not fear the results of a hundred battles. And he is right, in IT it works the same. We can know ourselves, who we are, what to defend, any information overload online, we can

also know the attackers. Cyber threat intelligence and knowledge sharing helps us understand how the attackers work, hence we will know the result of a hundred battles and hopefully not get hacked. All right, thank you very much everybody, thank you. Thank you very much Chris, and again I apologize for my ambiguous communication, you were going really slow and then I made you go really fast, so that's just how versatile this guy is. But let's do a little time for a couple of questions, because that was a lot and people probably have some questions, right? Anybody? Yeah, all right, let's start at the front. Hi, so I would be interested in knowing your thoughts about the pricing model

for these concepts, like, would this be like, yeah, I'm not buying but, right, you want to have the numbers and everything, right, spreadsheets that go along with it, give me the price now, you don't need to know my size. No, so obviously running it's just like, yeah, are you thinking monthly, yearly, is it a subscription-based model, is it based on findings, like, thoughts? Yes, so this would be a subscription model for sure. Pricing is, it's something that's a bit more on the premium side you could say, it's anything but cheap I think, but the value is tremendous and we see it every single day. In terms of how to price, there are

different metrics that we can use: number of users in a company, number of companies and subsidiaries, number of assets that you discovered during reconnaissance and so on. So those numbers you're going to have to figure out, and consider your internal costs and so on, how many man hours do you need to spend staying on top of all of this attack surface and the scaling operation and all of that fun business side of things, right. Yeah, when sorting got hacked, you know, they had the post-mortem and they said if they had turned on two-factor the attack would be stopped, but I'm thinking that can't be right, because it was a determined attacker and they found

missing two-factor so they got in, if they had two-factor they would just find the next step up. All right, that's a good observation, I think I would agree with you, like the attacker's probably not gonna give up, but the path of least resistance, if there is a fruit to be picked they're gonna pick it and they're gonna, yeah, get in. But yeah, MFA, come on, like how naive can we be thinking why would anybody want to hack me, or I got nothing to hide, like come on, 2022, right, you're not getting hacked, they're hacking everybody, not just you, they're not targeting you, you're collateral damage, they're fishing with dynamite, right, it

just goes boom and all of a sudden you're compromised. We have a responsibility in MFA, it's up there, we need to raise that bar. All right, last question for Chris from Mr Brown here, and then we'll get to the CTF winners. Very quickly, when you were showing where you'd be having this continuous assessment, this continuous evaluation, I presume that you actually had, from the perception of just the organization's assets, just on the organization's infrastructure, right? We no longer are an organization where we own a post, we are within four walls, we are all over the world working. Does your model take that into consideration, remote workers, is that where you're coming from, or

what I'm talking about, I'm using my organization's device from home, I'm talking to that, I'm using a private device to access organization data, would those also be covered in that kind of model you had? Yeah, so it depends on how we attribute access to your organization, and if you are running, say, a private web server and you expose your company logo, all of a sudden it is being discovered by some of our collectors and agents and scanners and so on, then we would see this system and we have a scoring way to see, hey, how likely is this to be the customer, and we'll just ask, hey, this here looks like it's a private IP

address of a broadband connection, like something is definitively up here. So all the time do we find assets that are not governed, not maintained and not within the scope of actually receiving a full-on pen test. We wouldn't want to necessarily hack it, but I'm sure we're stepping on a lot of toes all the time where people might get offended, say, hey, why are there hackers trying to break in here, and it's because it's being discovered. And also our pentest methodology is a bit also simplified, so we have, when doing a full pen test on a web application for example, we have big methodologies that cover most aspects of what there is to attack. That model is

simplified in this external point of view, so I won't be pressing all the buttons. All right, I think that's my cue, thank you. Thank you very much, that was great.

[Applause]