
Ladies and gentlemen, with no much further ado, JJ Weidner.

Thanks again for that. First, thank you to all of our sponsors, those that put this on, the vault, everybody that made this happen. Very thankful to be here in person, seeing all the faces, and one of the reasons why I signed up to do a talk is so I could rock 20 minutes without a mask on, so very thankful for that today. The spawn of this talk actually came from Dallas. I don't know if Dallas is in here; he said he was going to listen to it, but he actually turned me on to this book a couple of years ago. I hadn't read it, right? The Cuckoo's Egg. It was written back in 1990, I think, was when it was published; it's probably written a little bit before that time. Great book, great story. It kind of started the process of me thinking. I took notes while I read the book because there's so many applicable lessons that are still valuable today that I'm hoping to share with you. There's nothing going to be too insightful with this talk, more just reflections on reading the book. By show of hands, who's actually read The Cuckoo's Egg? All right, that's a lot less than I expected. So if you have not, there's a couple of spoilers but not too many. No, it's not really a spoiler; you could probably read the back of the book and get just as much information. And I'm going to tie it back to Groundhog Day because of the repetitive nature of what we do: in 30 years there's still applicable stuff.

So my name is JJ Weidner. I'm the director of information security for a small healthcare IT organization based out of Maryland. I work remotely here in Kansas City, so very thankful to be here. I have a whole alphabet soup of certs that I've learned, and I got pretty good at taking tests. I like learning; I love learning in the context of information security and how it applies to help out our organizations.
So this is Cliff Stoll. He goes by Cliff; I think they call him Dr. Stoll as well. I love this quote that he has: data is not information, information is not knowledge, knowledge is not understanding, understanding is not wisdom. So valuable lessons still today. Again, as I mentioned earlier, his book was written some time ago, back in the age of Digital Equipment Corporation, some DECs and OpenVMS. Has anybody in here actually used OpenVMS? All right, got a couple. So yeah, it's been a while. I've used OpenVMS in one context but not much, so it's been a few years.

Groundhog Day, the movie. So this movie came out in '93, comedy classic. If you haven't watched it, I don't know if you want to or not, but pretty funny Bill Murray movie. But the part of the movie is that he repeats the same day over and over and over, and there will be a little trivia question at the end: how many days was Bill Murray actually in Groundhog Day doing the same thing over and over? It reminded me, reading this book, because in the book you'll hear Cliff talk about running to do a phone trace. So he'd actually have to wake up, run to his campus, start a phone trace to start tracking this adversary, start tracking the attacker. And sometimes we need comedy in cybersecurity, right? Because as we saw from one of the previous talks, it is one of the most stressful professions. It can be a very stressful profession when you talk about dealing with attackers; you're dealing with the change in technology, you're dealing with the rapid amount of vulnerabilities that we have to deal with on a daily basis, and trying to help protect our environment. So we need some comedy, because we have to do a lot of things over and over. Anybody here work in compliance? Yeah. So I'm talking about over and over: there's a lot of things we have to do over and over, like that yearly audit. So I digress; better get moving. We got some lessons in this book.

So again, the start of the book is a 75-cent accounting discrepancy. That is how this adversary was discovered. Cliff was looking through the notes, he was looking through the accounting of who's paying for access to Tymnet, T-Y-M-N-E-T. Back in the day that's how the internet was: you paid for Tymnet access, you had to pay to be on that network, and you paid quite a bit of money. So a 75-cent accounting discrepancy is how this journey started: multiple years of tracking down an adversary, an international adversary that ended up being over there in Germany. So he was one guy, an astronomer, not an IT person by trade, that took it upon himself, with his curiosity, with wanting to try to figure it out, to track down one of the first documented cases of cyber espionage that we have, and wrote it all in a great book. So it's an awesome story. If you haven't read it, not many spoilers here. And there was a lack of security: you get a computer on the network, it could talk and manipulate files, move files, copy files from anywhere, if you're all connected to this network. They had some basic security measures, but not many. So again, the callback to Groundhog Day: when he had to run and run those traces over and over and over again, there's a big chunk of the book that actually talks about that. Whenever I read it I was thinking, oh my goodness, this is what we do sometimes on a day-in, day-out basis: we go through the same motions. So trying to keep it creative, being curious, finding a better way is always a challenge that I have for myself.

So lesson number one. It's more of a quote, actually: it doesn't take brilliance or wizardry to break into a computer, just patience. Right?
So I think it was from the first keynote, or maybe it was one of the other keynotes, sorry, where you identify a vulnerability: I'm just going to pack that away, I'm going to hold on to that. Now I know that you have that vulnerability, I'm just going to wait, I'm going to keep scanning your environment to see if you're not patching correctly. So that patience, and then kick off that exploit later. So again, patience. Those advanced persistent threats, APTs, those nation-state actors, they're really working to be persistent. They're working on their patience level, hoping that you make a mistake.

Lesson number two: non-technical resources can actually be highly valuable, their way of thinking, because sometimes we get in a siloed view, right? We know what we know; we don't know what we don't know. That's what I loved about Dave Hull's talk previously. That's right, we don't know what we don't know. So sometimes getting somebody from the outside looking in can actually help kind of jar us out of the way we always think of things. So he was able to systematically figure out where this attack was coming from: deduce logic, logging down everything, multiple printouts. He's an astronomer by trade and he loves making Klein bottles, so he just looks really excited. A Klein bottle is almost a bottle inside of itself, so it actually hooks into itself. Kind of fun. He loves making them; I think Dallas has a signed one from Cliff Stoll, so you can talk to him about that. So again, pulling on those resources that might not be in IT or information security, that might not be on the red team or blue team, getting their input, getting their insights could be very valuable to help us get out of our kind of siloed way of thinking.

Lesson number three. Again, these are my lessons that I pulled out of the book; they might not be lessons to you, but something that I took away. So, document everything, right?
Keep a log. I have my OneNote; every time I get something new, every time I learn something new, I jot it down in my OneNote so I can easily search through it. I couldn't imagine trying to write that down and remember where I wrote it down, to try to flip through it, or have a stack of printouts this large that I highlighted and had to flip through. So thankfully we have much better tools to kind of help consolidate our notes nowadays. But he spent a good deal of time documenting everything, so you have to, and he was meticulous. That's how they were able to track down the adversary and eventually get that conviction.

So lesson number four: correlate data from new trends. He had to pull data sources. Again, I already mentioned the printouts. He actually, and I think I have a slide on this later on, used some deceptive techniques, but he had to correlate data from new trends; he had to pull data sources up, printed pieces of paper, and keep track of where all these were. I could just imagine what it looked like trying to track down, whenever you don't have some of the systems we do now, how to find all these different elements where you might not have the right timestamp; you might just be working on a username to access the system. So now we have SIEMs. They're flashy, which is great, but if they're not configured correctly or you're not pulling in the correct data, they can just be that flashy light of technology that sits up on your shelf that nobody really touches. You set it up to send you notifications, then the notifications get too noisy, so I'm just going to shuffle those notifications somewhere in my inbox and I'll take a look at them sometimes. So again, finding that valuable information, understanding what we're looking at, correlating that data is something I took away as well.

So, being patient and persistent.
Yeah, again, we have to be patient sometimes. But sometimes it goes back to, recalling Dave Hull's talk, that instant thinking: that 95% of the time we're making those system one decisions, right, where it's telling system two what to do. But we have to be patient at times, we have to think of new ways, and you have to be persuasive. You have to be patient when you're presenting to your organization. Does anybody try to present a new budget line item when it's outside of the budget season? For any of those, it can be very difficult, right? Unless it's an emergency or something major happened, you want to procure some new funding to purchase this new tool but you missed the window by two months, so now you got to put it on next year's cycle. So again, being persistent, having that line of communication open; someone might eventually listen, and hopefully something bad doesn't happen to where the pocketbooks come open. But that leads me to, like, don't waste a good crisis either. If something like that does happen, you probably need to buy something.

So, valuable lesson number six, and this goes to those newcomers to our profession: if you have a passion, if you're interested, if you have a natural curiosity. There's no way we can know everything, not even close. I can take as many cert tests as I can, read all day long; every new rabbit hole leads to another new rabbit hole. That's why I'm thankful for conferences like this where we can get the collective together and I can learn something new. There hasn't been one time I went to a conference where I've known everything, nor will there be, because I don't know everything. So if you're passionate, though, and passions can be short-lived, but if you have a love for it, or a natural curious nature, it goes a long way in this profession. And Cliff, he didn't have a passion for this.
He didn't have a passion just for cybersecurity. He had a curiosity: why is this person accessing our system? What is this 75-cent account discrepancy? I got to figure out what it is. And then he traversed, and the attacker was trying to get like military documents. He was in MITRE's network in McLean, Virginia; he was in the FBI systems, he was in the NSA systems. So this attacker was all over the place, and Cliff had to really educate them, and there's a slide on that as well later. But yeah, always be curious in our profession, to keep going.
Again, budget is another thing, because I deal with it on a daily basis. Sometimes I would like to get this thing, but sometimes you have to find another way: write a script, build your own thing, take the time to learn a new way of doing it. You might not have the budget now, you might get the budget later, but we can always be doing something, right, rather than doing nothing. And sometimes you do nothing and you get a promotion, but that's not the real world. All right.

Valuable lesson number eight: honeypots can help; make sure they're configured correctly. Has anybody here had a honeypot that was configured to actually give them actionable intelligence? A couple, yeah. It can be difficult, right? So you can configure it that way; hopefully the actionable intelligence you are receiving can be something you can take that information from, and it's not just information that the attacker is feeding you, right, if they know it's a pot, if it hasn't been discovered. But honeypots: Cliff was one of the first that ever documented the deceptive techniques of using a honeypot. They can be very effective. You can place a file that, if it's opened, it'll send you an email, or, I think somebody was talking about it earlier today, there's an MS SQL or a MySQL token where, if somebody's trying to feed you some SQL injection commands in MySQL, it'll send you a notification. So I learned something new, and I think that was just released, so I was taking a note on that: how can we use that? But honeypots can be very effective, and Cliff was one of the first ones to document it.

I didn't use a meme on this one because this one is, I think, very important: we are more than just cables and wires, right? So networks, what we're trying to protect, our organizations, this community here is much more than just ones and zeroes. It's a collaborative effort, and I really thought it was interesting, Cliff's explanation of a cyber criminal: they're vandals, right? So distrust and paranoia: how can we come together to help combat that paranoia, to combat that distrust, and work together?

So, publicizing a new attack. He found a vulnerability; it was in GNU Emacs, it was like a text editing software back in the day, right? So you actually had a GUI interface to interact with your text, and all these universities wanted it. It was a vulnerability in that system that led that attacker to be able to traverse through the network and kind of perform that lateral movement between systems. And he let the people know that needed to know, rather than going out and putting it on GitHub: here's how you exploit GNU Emacs, or here's how you exploit this one thing or the other. So it can be a two-edged sword. So making sure we're reporting responsibly, informing, making sure that we're doing the correct type of knowledge sharing and not publicizing our vulnerabilities is something I took away as well.

So 75 cents is how it started, and it's hard to quantify damages whenever you can't go to your organization and say, hey, we just lost 75 cents. How many of you think you're going to get a new budget spent on that? Right. So having and knowing what kind of data, and sometimes the data that you don't have, can be very helpful, so always seek out a new way. So was it really the data that was the issue? What about everybody that spends their time fixing the issues? Or let's say it was a nasty exploit that hoses your whole environment, so the attacker actually did malicious damage. They didn't steal any data, but now it's the resource time to rebuild, it's the resource time to procure new technology or new software to combat this threat. So understanding your systems, what we're trying to protect, and sometimes it's not just the data they're trying to steal; they just want to wreak havoc too. But I found that to be interesting, that this all started because he discovered that 75-cent discrepancy.

And lastly, which I think is one of the most important pieces of the book that I really took away, is knowledge sharing is critical: coming to conferences, being a part of groups like (ISC)², ISACA, the IAPP for privacy professionals, the ISACs. So there's a Health-ISAC or an H-ISAC, there's FS-ISAC, there's REN-ISAC for higher education. So there's a lot of information sharing communities that share openly about threats, new vulnerabilities in their environments: how can we work on that? So being a part of that is helpful to the community, right? It helps overall, it helps spread that knowledge. So I highly encourage everyone to be a part of those if you're not. I mean, even coming to this conference, it's doing some type of knowledge sharing, right? You're talking to others, you're gaining knowledge, hopefully from me, but from a lot of the talks that I listened to today, I'm always bringing away something. So share the knowledge as well. If you get an opportunity to write a proposal or do a talk, don't automatically think you're not going to be good at it; go out there and try and you'll be amazed.

Oh yeah, and I thought this was... so he spent many hours trying to convince the FBI, CIA, NSA that there was this person that's in their systems. Some of them shut off access immediately; some of them said that there's nothing really happening here, or didn't believe him. So he documented, again, everything. He was even able to show them the trail log of everything that was happening. So it really brought a lot of light onto this new cyber espionage movement that was getting ready to happen and was happening at that point in time. So again, Cliff Stoll was one of the pioneers of discovering and kind of tracking, the deception, the blue team, and he put it all in a nice book that's actually a really good story as well. So if you haven't read it, highly encouraged.

So, the cuckoo. Why is the book named The Cuckoo's Egg? So this is a cuckoo bird being fed by a robin. As you can see, the cuckoo is three times the size, maybe more than that, of the robin. So cuckoo birds lay their eggs in other birds' nests, playing off the ignorance of that species to raise that bird as their own, or that chick or whatever bird, as their own. So I take it away with this: don't let others play off our ignorance of our systems and have them lay cuckoo eggs in our networks or in our environments. Take away some of the lessons, hopefully, from here, and all the learning that you have, to help prevent that type of activity. I thought that was a pretty funny picture.

All right, random trivia, as I think I'm coming up on time for our next speaker. So how many days has Bill Murray been stuck in Groundhog Day? Anybody want to take a stab? Did you Google it? 30 years? Oh, I like it. Let's say it wasn't... somewhere around like, it was mid... it was like 9, 30? It's like 34, yeah, something like that. Yeah, it's close. 38, yeah. So the internet doesn't know; there's debate, but it is around that 33, 34 year mark. Some say it has to be more than 10 years because he learned to play the piano like a grandmaster, right, a grand pianist. So it had to be more than 10 years. But you know, you spend 10 years doing something. So if, again, you're coming in to the profession where you're still learning, there's no way I know it all, there's no way anybody in this room will know it all. We are better together, right? We learn from each other, but we can help each other. So I take that as an encouragement to others to work with each other, and cut yourself some slack if you've been doing it less than 10 years.
After 10 years you shouldn't know everything, right? Yeah, never will. And there's Bill Murray eating a Baby Ruth, if anybody knows the movie. That's wrong. So, thank you. That is my quick and succinct talk. I appreciate your attention and interaction.

And please take a look at that QR code and provide some feedback if you want to; I appreciate it as well. Thank you so much. One more round of applause.
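Added example (not part of the talk, and not Cliff Stoll's or the speaker's code): the talk's lesson four (correlating data, and SIEM alerts that get too noisy to read) and lesson eight (a honeypot or honeytoken that yields actionable intelligence rather than noise) can be shown together in a small detection script. It plants a hypothetical canary account name, `svc_backup_archive`, that would appear only in a decoy config file and has no legitimate use, then parses constructed sshd-style log lines. A generic "failed login" rule fires on every typo by a real user, whereas any attempt against the canary is high-confidence; the script then pivots on the source address that touched the canary so that everything else that source did is surfaced for review. The log lines, host name, account name and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
Mar 10 02:11:04 bastion sshd[4412]: Failed password for alice from 10.0.0.7 port 50122 ssh2
Mar 10 02:11:09 bastion sshd[4412]: Accepted password for alice from 10.0.0.7 port 50122 ssh2
Mar 10 02:14:31 bastion sshd[4490]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar 10 02:14:33 bastion sshd[4490]: Failed password for invalid user test from 203.0.113.9 port 41004 ssh2
Mar 10 02:14:40 bastion sshd[4491]: Failed password for svc_backup_archive from 203.0.113.9 port 41010 ssh2
Mar 10 02:15:02 bastion sshd[4493]: Accepted password for svc_backup_archive from 203.0.113.9 port 41012 ssh2
Mar 10 03:01:17 bastion sshd[4601]: Failed password for bob from 10.0.0.12 port 50201 ssh2
"""

# Hypothetical canary (honeytoken) account: it exists only inside a decoy
# config file, nobody legitimately uses it, so ANY attempt with it is a signal.
CANARY_USERS = {"svc_backup_archive"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    result: str  # "Accepted" or "Failed"
    user: str
    src: str


def parse(lines):
    """Turn raw log lines into Event records; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["result"], m["user"], m["src"]))
    return events


def failed_login_count(events):
    """The noisy rule: every failed password, legitimate users' typos included."""
    return sum(1 for e in events if e.result == "Failed")


def canary_alerts(events, canary_users=CANARY_USERS):
    """The quiet rule: any attempt, successful or not, against a canary account."""
    return [e for e in events if e.user in canary_users]


def correlate_by_source(events, canary_users=CANARY_USERS):
    """Group activity by source address so a canary hit can be pivoted on."""
    by_src = defaultdict(lambda: {"attempts": 0, "users": set(), "canary_hit": False})
    for e in events:
        info = by_src[e.src]
        info["attempts"] += 1
        info["users"].add(e.user)
        if e.user in canary_users:
            info["canary_hit"] = True
    return dict(by_src)


def triage(log_text, canary_users=CANARY_USERS):
    """Run both rules and return the sources worth an analyst's time."""
    events = parse(log_text.splitlines())
    sources = correlate_by_source(events, canary_users)
    # Only sources that touched the canary are escalated; their other
    # activity (guessed usernames, accepted logins) rides along for context.
    suspect = {src: info for src, info in sources.items() if info["canary_hit"]}
    return {
        "events": len(events),
        "failed_logins": failed_login_count(events),
        "canary_alerts": canary_alerts(events, canary_users),
        "suspect_sources": suspect,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['events']} events, {report['failed_logins']} failed logins (noisy rule)")
    for alert in report["canary_alerts"]:
        print(f"CANARY {alert.result} for {alert.user} from {alert.src} at {alert.ts}")
    for src, info in report["suspect_sources"].items():
        print(f"pivot on {src}: {info['attempts']} attempts, users {sorted(info['users'])}")
```

On the constructed input the failed-login rule fires five times, three of them on real users mistyping a password, while the canary rule fires twice and both hits come from the same address, which the correlation step then shows also guessed `admin` and `test`. That is the difference between an alert that gets filed into a mailbox folder and one that gets acted on.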