
Good morning. Very excited to be here with the inaugural BSides here in Sydney. It is a tremendous honor for me to be here, and I would also like to introduce Mr. Gregg Howell. He is one of my team members who was out there with me. I was the overall mission commander out there for our mission, which I'm gonna get into here shortly, but all this stuff that we were doing forward in these countries we were running back to Gregg; him and his team were coordinating everything and then essentially making sure we were on task with what we needed to do.

A little bit of background about me: US Air Force, been in for not quite 15 years now. I've been doing cyber for about six years, from a combination of cyber threat intelligence into the more operational world, taking our defensive capabilities and going out to work with foreign countries.

So let's jump into it. I'm gonna talk about what hunt forward is. It's a relatively new term. Just out of curiosity, how many people have heard of hunt forward before? A few of you, okay. I'm gonna give a little bit of background about where hunt forward came from. I'll talk a little bit about what a national CPT is, because that's what we are, and what makes our team unique versus what you typically see from other teams such as incident response teams. Then we'll talk about what we're doing with our foreign partners, in this case governments throughout Europe as well as other parts of the world, and then we're going to talk about the successes and also some of the challenges associated with the missions we've conducted. Then I'm gonna finish it off with talking about how we on the government side want to work better with each of you, whether it's from the universities, whether it's from the private sector, the commercial sector: how we can better partner together.

So a little bit of background. As you all probably know, this news travels fast across the world, but in the 2016 US presidential elections there was a significant amount of Russian interference, specifically hacking the Democratic National Committee and releasing a bunch of information publicly that was damaging to Hillary Clinton, that supposedly or allegedly led to Donald Trump being elected president. Ultimately we decided this is not something we're going to allow to happen in the future. We have to stop this; we have to prevent any kind of interference in our democratic processes going forward. But what exactly did Russia do? Ultimately their goal was to use our love of social media against us: a lot of Facebook ads, a lot of social media posts, trying to ultimately sow discord and a lot of anger between the two parties. Hunt forward was a direct result, in response to these aggressive actions that were taken against us.

Now fast forward to the fall of 2018. We have our US midterm elections coming up, and we decided what we're going to do is have a very concerted approach to tackle this problem. What we did was, we realized we can't do what we want to do because of our legal system. We had to have a bunch of changes that enabled us to then go forward and conduct all the operations that we need to conduct to defend our democratic processes. So what does that mean? Congress had to enact laws that gave us as the military better authority and legal authorization to work with the Department of Homeland Security, to better work with the FBI, the civilian sector of our government. Additionally we had to get authorization so that we can send US military teams out into foreign countries to work better with foreign countries. Because of this new ground we were able to send teams into Eastern Europe in support of the midterm elections, and it was the national cyber protection teams who are tasked with defending anything that the President of the United States has deemed important enough for national security. So whatever that may be, whether it's the electrical grid, whether it's the financial sector, it doesn't matter what the topic is, national cyber protection teams are the teams that go answer the call.

So what exactly is a national cyber protection team? We're a small team, but we conduct defensive cyber operations only. I want to stress that: defensive cyber operations only, and it's whatever we need to do to defend the nation. What is unique about our team is we primarily conduct threat hunting operations. So we are working with foreign partners, we're working with industry, we're working with anybody that we can, but our specific goal is threat hunting. We're looking for those APTs in the networks that are trying to steal your government data, your proprietary information. That's who we're looking for. We are unique in that we don't do any of the all-encompassing things that, say, an incident response team would do, or a pen
testing team or a vulnerability assessment team. We do bits and pieces of those, we do elements of them; however, we collectively are not any one of these teams.

What capabilities can we bring to the fight, as we say, and what do we work with our foreign partners with? As you can see here, we have our network-based forensics: we have our network operators, and they work with our host operators for both Windows and Linux, and these two sets of operators work seamlessly together. We have team members that conduct malware analysis. Now this is more what I would say is battlefield triage, or the initial triage of the malware, and then once we do that forward on location, we have reach-back support that can do the longer-term reverse engineering of those malware samples, extract additional indicators of compromise and C2 domains, anything like that that we can glean. They'll do that longer-term analysis for us. We also have members that have our infrastructure expertise, so when we bring our equipment forward we have specific individuals that are tasked with connecting our equipment into the mission partner's network, whatever the case may be, whatever the equipment might be. Where we're going, we get into areas where there is a lot of equipment that we've never seen before, and our guys have to know their networking fundamentals so well that they can take the concepts and apply them to any particular networking device. We also have a team that does threat intelligence. Now this is extremely important, as you all are very much aware, because you can't hunt for an adversary if you don't know who that adversary is, and how are you going to hunt for an adversary if you don't know what they do, how they conduct their operations, what they are going after, what the targets are? All of these are tailored to whatever specific missions we need, so depending on the size of the network we might increase the amount of equipment we bring; we also might increase the personnel, totally specific to whatever the situation is and what the mission partner that we're working with requests.

One of the caveats that we have to abide by is we cannot take our US-procured equipment that is specific to the military, because of a lot of export restrictions and a lot of other red tape and bureaucratic processes. So what we had to do is we had to come with commercial off-the-shelf equipment, equipment you could go to Dell, you could go to HP, you could buy it straight off the shelf; it was already manufactured, ready to go. The other thing was open source software. As we partner with foreign countries, as we partner with industry, we all have to be careful about what proprietary information we release to the public or release to that entity that we're working with. By using open source equipment and software we can get completely around that requirement. So for example, working with several of the countries, we've had to help them set up the ELK stack, for example, as a SIEM so they can connect to their analysis using MISP, the Malware Information Sharing Platform, to better incorporate IOCs that they can get from MISP; Moloch; Wireshark. There's a whole host of tools that we use, and it totally depends on the country that we're working with, what they want us to use, what they're familiar with.

So as I mentioned, we are similar to an incident response team because we are going into networks where we have pretty good information that there is an advanced threat actor out there, and we are working with the country to find where that actor is, what indicators of compromise we can find, and how we can remove that actor. But we're not a full incident response team. We can do elements of pentesting, red teaming assessments. One of the things that a cyber protection team is known for is a component that works with the local defenders in order to ensure that the defenders can incorporate the things that we're teaching them or that we're working on, and then gives them little exercises or scenarios to make sure that they can incorporate those defenses. The vulnerability assessment piece is pretty much inherent: if you're going to get into the nuts and bolts of a network, you're going to inherently find weaknesses or vulnerabilities in a network. We don't want to be the weakest link, but we want to identify what the weakest link is. However, we are not solely focused on the vulnerability assessment piece; we are focused on what an adversary, what an APT might be looking for in those vulnerabilities in the network and how they could exploit them. That's where we can come in and make our money, so to speak. Ultimately we're very specialized teams. We do bits and pieces of all of this, which makes us very unique. Also what makes us unique is
the fact that we are going into foreign countries to do this, where a lot of businesses aren't allowed to go. This is part of our cyber strategy within the Defense Department: we want to build these relationships and partnerships not only with foreign governments but also with industry. We know that the US government, the Australian government, cannot solve cyber security, cyber defence, by itself. Nobody can. It forces us to come to the realization, and then act on the fact, that we have to share. We have to get better at sharing information, we have to get better at working together to defend our networks collectively across the world.

One of the things that we found, though, is you can't just walk into a business, you can't walk into a foreign government and say "hi, I'm from the US, I'm here to help." It goes over about like that: "yeah, okay, I'm gonna close the door, have a good day." But what that means is, from CYBERCOM's perspective, we have to get better. It's a growing process. The operations that we started conducting last fall were the very first time that we had done this, the very first time that we had sent teams forward to work with other countries to partner in this kind of capacity. As you do that you learn more and more about how to work together, but in order to do that there's a lot of challenges, or as we say in the Air Force, I'm giving you an opportunity to excel, an opportunity to learn some key things here.

One of the things is that on the US military side, specifically in the IT or the communications arena, we have teams that are dedicated to being that mobile, deployable force that can go work with our Army brethren, our Navy, Marine Corps and other Air Force entities in a combat environment. I will say that is not us. We are your traditional network defense type role. However, taking a large group of folks and a large group of equipment overseas in a short period of time is challenging. For example, in the US I can take 70 pounds worth of luggage, no problem; in Europe you're at 50 pounds. So we had to take our servers out of our Pelican cases, buy a suitcase, put them in the suitcase, wrap your clothes around the server so you can get it into country, because it was overweight. A lot of challenges, but it made for some unique storytelling afterwards.

As I mentioned, with the equipment problems that we had, because we couldn't take what we call a cyber weapon system, but it's basically just our servers and switches and stuff that we use for our defensive purposes, we cannot take that overseas without a bunch of red tape and hassle. So what we did was we had to purchase open source equipment, the COTS equipment like I mentioned. The problem is, when we purchased it, due to the inevitable delays it arrived in our building the day before our teams left to go to Germany. And then from Germany, they were in Germany for a couple of days and then we went forward into additional countries from there. Our guys had to set up the equipment, load all the software on it, get it completely configured within 48 hours, so the weekend, and then take it forward into these other countries. No small feat, but that's just one of the unique challenges that we have working in the environments that we work in.

Now this would be a little bit easier if we had done better coordination with the host nation governments. So there was a very high-level coordination that occurred; the prime minister of these countries said "yep, you can come in, these are your POCs you're gonna work with." We showed up Monday morning for our meeting and the first question was "who are you?" "I'm from the government, I'm here to help." So we have to figure out how I can build that trust with you and your IT department so that we can get our equipment connected and assure you that we are not doing anything that you would deem as unacceptable, inappropriate, or anything like that on your network. The way we had to do this, that would build the most amount of trust, was I sat you down right next to me, shoulder to shoulder. You're looking at the exact same information I'm looking at, I'm showing you everything that I'm doing, so you have complete confidence that what I'm doing is in accordance with what you gave me permission to do.

Anytime you go overseas, though, you have the inevitable language barrier problem. This was particularly a problem in one of the countries we went to, because as you all know, when you're doing your host forensics the volatile memory is very, very important to capture, one of the very first things you need to try to capture. One of the teams asked one of the local IT administrators: we have this host over here, we need to go start our
forensic process on it because we think there might be something malicious there. Immediately that individual went, wiped the machine, put it back out on the network: "no more problem, we're good to go." "Actually, what I meant was we need to analyze the memory, pull a memory copy so we can analyze it." "Oh, okay." So the next time: disconnected the computer, brought it to the desk, sat it down on the desk. "Wait, there you go." "Sorry, what I meant was we need to leave the computer on, and let's go to it together." And then they were able to get the memory pull and proceed with their investigation from there. So language becomes a rather significant challenge, especially if you don't have a linguist or somebody who speaks that local language that can help you out. There's lots of cultural nuances, and you always are cautious and careful not to offend anybody; however, it also creates some unique challenges.

How many of you in the audience today feel there is ample budget, time, training, resources for your needs? Good, I didn't see a single hand go up. That problem is universal. In the US government we're the same way; we would love to have more training. Everybody who works in the cybersecurity industry understands that cybersecurity is very, very important, but it is not funded appropriately for what we are tasked to defend. We are undermanned, we're underfunded, under-resourced. We have a lot of challenges ahead of us, but it also creates a lot of opportunities as well. For example, the countries that we worked with had heard of ELK, but they had never stood up their own instance of the Elastic stack. So how can we do that? We can sit down and we can work through the problem together. How do I use Moloch or Wireshark or any other pcap analysis tool? Let's sit down and I'm gonna show you, here's how we do it. And then other countries who were more proficient in cybersecurity: "oh, you do it that way? Well, we do it this way." And so it truly becomes a collaborative learning environment where we're learning from you and you're learning from us. So we're sharing information, we're all growing together.

Overall, we determine a successful partnership if we're increasing the information sharing, because if I have a situation where you invite me into your country, we conduct our defensive operations together, we leave, everybody's happy, but if I don't continue the relationship, what kind of problems does that cause? It makes it really difficult if I ever want to come back to your networks if we find anything additionally malicious that we want to work with you on. It makes it hard to do so. If we can increase the information sharing over the long term, not just during the time that we're there, if we can increase the defensive capabilities and capacities of the local defenders in the countries we work with, then for us it's a win at the end of the day. And ultimately our goal is to identify and remove any threats that we can, but do it together. That way we're learning, they're learning, and we're all sharing.

The key to success, though, is like I mentioned: I have to be able to build that trust. If I can't build the trust between my team and the team on the ground that we're working with, we are not going to be successful, it doesn't matter the situation. Working shoulder-to-shoulder, as you see here, was the way that we found to best show our true intentions, but ultimately hands-on collaboration is what we focused our efforts on: it's sharing the tools, sharing the equipment, sharing the methodologies. The methodologies ended up being one of the biggest things that we saw, from a local cyber defender perspective, was more important. If I understand how to hunt for an adversary, if I understand how to analyze a pcap, it doesn't matter what tool I use, I can still analyze that pcap. And so we really focus on the methodology piece, and that was what really paid a lot of dividends for us.

So our hunt methodology that we use, because again we are focused on looking for APTs in networks: who has
not heard of the MITRE ATT&CK matrix? A few. So the MITRE ATT&CK matrix is what we based our hunting methodology off of, looking at the tactics, the techniques and the procedures that APTs and other threat actors use. The way I described this to the folks that we worked with was: find evidence of process injection in your network. Can you do it? Well, you first start off by asking what information do I need to collect, what data sources do I need, do I have a way to collect that data? Do I have Winlogbeat, do I have Sysmon, do I have some other logging agent that can get those host logs and push them to a SIEM so that we can then analyze them? And from there, can I visualize that data? Just because I collect it, if I can't extract that information and visualize what that means, run my analytics against it, whatever your search query might be, then you could have issues. And that's what we focus on: understanding the tactics, the techniques and procedures that an adversary would use. What makes this successful, though, is you have to have good threat intelligence. You have to understand what does APT1 go after, what does APT5, APT10, whoever, pick your APT, what do they want? Is that the right actor? Are they looking for economic espionage type data, or are they looking to try to steal your intellectual property, or are they trying to figure out what your government is doing? If you can understand what your adversary is trying to do, you can then effectively hunt in the network, on the host, for that specific actor.

So what did we find, throughout not only the operations last fall but all of the CYBERCOM operations before that and since? Let's say quite a few significant discoveries. We found everything you can think of, from script kiddies, an example of this is we saw a reverse HTTP, you know, good old Meterpreter from Kali Linux, and then we've also found the advanced persistent threats. We found APT17, a Chinese-based group, APT28, Turla group, several others.
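The hunt methodology just described (pick an ATT&CK technique, check which data sources it needs and whether you actually collect them, ship the host logs to a SIEM, run the analytic, then summarize the hits so they can be visualized) is shown below as an added Python example. This is not code from the talk or from any CYBERCOM team: the Sysmon events are constructed, the allowlist of benign source processes is a hypothetical one, and the access-mask rule is a single simple heuristic for T1055 (process injection), not a complete detection.

```python
"""Hunt for process injection (ATT&CK T1055) in Sysmon events shipped to a SIEM.

Added example, not from the talk. All events below are constructed; the allowlist
and the access-right heuristic are assumptions made for illustration.
"""
import json
from collections import Counter

# Win32 process access rights an injector typically needs on its target process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Processes that routinely create remote threads or open other processes on a healthy
# host. Hypothetical allowlist for the example; tune it per environment.
BENIGN_SOURCES = {"csrss.exe", "wininit.exe"}

# Sysmon event IDs this hunt wants: 1 process create, 7 image load,
# 8 CreateRemoteThread, 10 ProcessAccess.
REQUIRED_EVENT_IDS = {1, 7, 8, 10}

# Constructed Winlogbeat-style JSON lines (one Sysmon event per line); not real telemetry.
SAMPLE_LOG = r"""
{"event_id": 1, "host": "ws01", "image": "C:\\Windows\\System32\\svchost.exe", "pid": 812}
{"event_id": 8, "host": "ws01", "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "target_image": "C:\\Windows\\explorer.exe", "start_address": "0x00007FFB3A1C0000"}
{"event_id": 10, "host": "ws01", "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"}
{"event_id": 10, "host": "ws02", "source_image": "C:\\Windows\\System32\\svchost.exe", "target_image": "C:\\Program Files\\App\\app.exe", "granted_access": "0x1000"}
{"event_id": 8, "host": "ws02", "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\System32\\conhost.exe", "start_address": "0x00007FFB3A2D0000"}
"""


def load_events(raw):
    """Parse newline-delimited JSON, the shape a log shipper delivers to the SIEM."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def coverage_gaps(events, required=REQUIRED_EVENT_IDS):
    """'Do I have a way to collect that data?': required event IDs that never arrived."""
    return set(required) - {e["event_id"] for e in events}


def basename(path):
    """File name of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_process_injection(events):
    """The analytic: flag remote-thread creation and injection-capable process access."""
    findings = []
    for e in events:
        src = e.get("source_image", "")
        if basename(src) in BENIGN_SOURCES:
            continue
        if e["event_id"] == 8 and src != e["target_image"]:
            reason = "CreateRemoteThread into another process"
        elif e["event_id"] == 10 and (
            int(e["granted_access"], 16) & INJECTION_RIGHTS
        ) == INJECTION_RIGHTS:
            reason = "ProcessAccess with CREATE_THREAD|VM_WRITE rights"
        else:
            continue
        findings.append({"technique": "T1055", "host": e["host"], "event_id": e["event_id"],
                         "source": src, "target": e["target_image"], "reason": reason})
    return findings


def summarize(findings):
    """'Can I visualize that data?': hit counts per (host, injecting image) for a dashboard."""
    return Counter((f["host"], basename(f["source"])) for f in findings)


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("missing Sysmon event types:", sorted(coverage_gaps(events)))
    hits = hunt_process_injection(events)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

Run stand-alone, the coverage check reports that event ID 7 was never collected (a gap to close before trusting the hunt), the analytic flags the two events from the Temp-directory binary, and the summary gives the per-host counts a SIEM dashboard would chart. The same three steps apply to any other ATT&CK technique once you swap in its required event types and its analytic.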
Not only do we find these specific groups, but what was the activity that we found? In one country we saw an active session; we saw an adversary try to log in with invalid credentials and then try to laterally move throughout the network. Being able to capture that, you can truly understand what technique, what tactic and what procedure that particular threat is using to try to move laterally in the network. What we also found was a ton of, like, cryptocurrency mining, you name it. A lot of times we take for granted our antivirus software. In some of these networks, if you updated your antivirus software more frequently you would block out a lot of the things that we saw, but it also makes for a very, very unique challenge: how do you look for a needle in a stack of needles? How do you sort through, when there's a lot of things to find, the one specific piece you're looking for? You can't ignore all the things that you're finding; you still have to document, you still have to remediate those issues as best you can, but how do you do that? What's your process?

At the end of the day, as you can see here, what we found was new malware, this was malware that didn't exist previously, and also new variants of malware. We found new C2 infrastructure. We found new TTPs for how some of these threat actors are conducting their operations. We're finding new ways, and one of the big questions that we asked is: what do we do with this information? This is very valuable information, and we got it from working with foreign partners throughout the world. What do we do with it? So there was an individual who said, you know what, why don't we just post it to VirusTotal? And so we went up to the Cyber National Mission Force commander, a two-star general whose boss is General Nakasone, who is the commander of CYBERCOM, and basically said, hey boss, what do you think, should we create a VirusTotal account, post these malware samples to VirusTotal and let the cybersecurity industry do what they do best: rip apart that malware, find the IOCs, make the attribution call for what the threat actor is, and go from there. Now on initial thought you might think, oh, this is the government, surely there's a long, long process. It took about 72 hours for this to happen. Very, very quick. This is how much the Cyber National Mission Force and Cyber Command have put into sharing of information. It is a huge, huge effort that we are trying to push this information out, to share what we're finding with the people who need it most. So if you aren't following CNMF VirusAlert on Twitter, all the virus samples that we are posting are in the CYBERCOM Malware Alert account within VirusTotal. We started this, as you see from this pinned tweet here, 5 November 2018, our very first post. Now even though we haven't posted a large number of samples, this is what some of the fellow cybersecurity analysts have said. One sample was a new external variant; this was a Kaspersky Lab report. When it was first posted to VirusTotal, Kaspersky Lab and ZoneAlarm were the only two AV engines that flagged that malware. Four days later, when this article was written by CyberScoop, 41 of the 71 were now creating signatures off of those two files that were submitted for that external variant. Another example was a new LoJax variant; this is the UEFI rootkit. ESET has some really good reporting on this particular piece of malware, but this was a new one. As you can see here, it seemed to be new, related to the UEFI rootkit. So far the quantity has been small, but the quality is high.

So what we found is we are in a very, very unique position, because we can take our team and go government-to-government. A lot of the companies in the world don't get that opportunity, and if they do it's on a very, very limited scope. It's a very, very small segment of the network; maybe if there was a compromise in one particular portion of the network, you might call an incident response team in to conduct their investigation and then leave, but you don't get access to the entirety of the network. Some of the ways in which we are trying to build on our success in the information sharing arena: what's the next step? How do I go from sharing malware samples to, what's the end result? So if I gave you not only a malware sample, but if I also gave you a report that covers the TTPs that we observed, the full investigation on a host, what could you do with it? Now could your heuristic software, your IDSs, your IPSs, could they be improved if you understand the TTPs? If I gave you the more complete picture, the full
context of the situation, it makes everybody better. Additionally, because of what we're seeing, we can truly share not only the TTPs, the IOCs, the malware, but we can share more. What about the threat intelligence? So what if we can refine the specific targets that an APT is going after based on what we find? If we can find that evidence and say, hey, we saw this particular APT in this network over here, which was completely against what they normally go against. For example, if you have an APT that likes to target ICS SCADA networks, but then you see them in the Prime Minister's network, you know, trying to get access to the Prime Minister via spear phishing or something else, that is not a normal target set for that particular group. Now why are they trying to do that? And we can start working with you in the security industry to figure that out. As you all know, there are nuances to any network that we work in. ICS SCADA, the power grid, that is a huge area. What about the financial sector? What other networks are what we would consider one-off networks? What about Bluetooth, IoT devices? I think there's more than a few vulnerabilities in the IoT world. So how do we then look in those networks for those vulnerabilities, for those threat actors that are taking advantage of those vulnerabilities and gaining further access to their targets through those vulnerabilities? But more importantly, how do we work together to figure out what those are? If a team like mine can get access into an electrical grid, what can we find, what can we share, how can we work together? We're such a small team; if I only have a handful of folks based on this particular mission set, it's really hard to get all the different levels of expertise that I need in one team. I need to be able to call in extra help for that expertise. And everybody has seen this pyramid of pain: it's those TTPs that are the hardest thing to find, and that's where we can partner together to truly get at the key problem of finding and removing these APTs in our networks.

What are some other ways we could potentially work together? So one of the things, I'll show you a little side story real quick with regards to the training. One of the things that we find is, like all of you have found, there's varying levels of expertise, there's varying levels of experience within the IT world. How do you walk into an IT department who maybe isn't at the caliber that they should be? How do you bring them up? One of the countries that we went to, we walked in day one: "Here I am from the government, I'm here to help." "You're here to help me? Okay, here's two pages of training that I want you to conduct. I want you to teach me assembly, reverse engineering, IDA Pro, OllyDbg, in one week. The next week you should teach me how to run a SOC; I need you to teach me what all the different operators should be, how many people do I need." Each week of a 60-day timeline was mapped out. Now I don't know if anybody in this room could do that; I know we definitely couldn't do it. But how do we balance the needs of what we can do to get them on the right path? And that is where, from our perspective, we can also leverage the industry partnerships.

So one of the things that, in preparing this presentation, I was informed of is a thing called a No Fee contract. It might be a US government term, but essentially what a No Fee contract is, is if you work for a security company and I can use your expertise, let's use ICS SCADA because it's an easy example. So I'm going to an ICS SCADA network and I don't have enough expertise on my team to account for the network size that I need to go looking in. So if I can identify some expert in the field who is a cyber security expert within ICS SCADA, a No Fee contract basically is the easiest mechanism where the US government can bring you along with the team to go into that foreign country, give you the benefit of the experience in helping us not only look for an APT in the network but then also, if we let you report out the findings, then now you are furthering your company's efforts, but it's at no cost to the US government. That is one option which we can explore.

Another big problem that we have, as you can imagine on the government side, is it's very difficult for us to publicly acknowledge the threat actors that we're finding. The fact that I'm calling out APT17, the fact that I'm calling out APT28, saying we found you, what does that mean? How do I get that information? So in order for me to
comfortably tell an organization that we found this threat actor in your network, I have to have the open source, I have to have the unclassified reporting, because we can't keep all of our information tied up in highly classified channels. It doesn't do you any good; it makes our job significantly harder. That ties back into the overall theme that you're seeing in this presentation: how do we get that information shareable? Working with you, members of the cybersecurity industry, to attribute the malicious cyber actors then enables us to do a lot more things. For example, one of the other big tenets of CYBERCOM's mission is to impose costs on our adversaries. What does that mean, to impose cost in the cyber domain? Have you ever built an exploit, ever built an implant that you would try to use? It takes a lot of time, takes a lot of effort; it might take weeks, it might take months, it might take years, depending on what you're trying to accomplish. What happens if I take all that effort and I release it to VirusTotal? Now you have to start over. Either you have to find new ways to encrypt it, or other ways you can change enough of that piece of malware so that it doesn't get flagged by the virus engines, or you have to completely start over and build out new infrastructure, new tools, whatever the case may be. This takes time, takes money, takes a lot of effort. We can do that. Additionally, if we can identify at the cyber persona level who these people are, where they work, what they are doing, we can also start to get into the more economic side of things. From a government approach we can implement sanctions; those are very effective. But from a corporate level, maybe you can start to refuse business with other entities that are tied to these malicious actors. But the tool development piece: if I can make it harder on you, you have to go back to the drawing board repeatedly to build new tools, find new ways of changing up your habits, then it makes it so much easier for us to defend.

But ultimately, at the end of the day, it has to be a collaborative effort. This has to be an opportunity where we on the government side, it doesn't matter if it's the US government, whether it's the Australian government, the British government, any government, we like to stovepipe, we like to share information with only ourselves. How can we give you the information you need to be effective? If I can give you the information that I'm gleaning, the information that I'm gathering by virtue of the fact that I am in these networks that very, very few businesses will ever have access to, but enable you to do your job better, then at the end of the day we are defending not only our democratic processes, our country, we're helping to defend the entire world: all the devices that are out there, with better antivirus signatures, better intrusion detection and prevention systems, you name it, across the spectrum. We can now defend these networks significantly better. That's all I have. With that I'll take any questions you have.

For those who couldn't hear, the question was regarding funding within these countries, if they have adequate funding, and the resounding answer is no. There's a huge problem with funding, especially if you have a very small country; you just don't have the financial resources to dump into cybersecurity and cyber defense. That's where the US government and several other governments have partnership programs and other programs where, from a government-to-government perspective, we can help out with those things. We have regional security cooperation agreements between a lot of the governments, but specifically the US can leverage those relationships to help build out your defensive capacity, and that's what we're seeing a lot in Europe right now.

So one of the things that we're trying to change, the attitude of intel sharing, is one in places like this: if you go to any cybersecurity conference you will likely find the National Security Agency, you'll find NSA there, but you're not finding CYBERCOM. What we're trying to do is we're trying to get the word out there that we have a different mission set than the NSA and other government agencies, and we're also showing and demonstrating, by virtue of what we are sharing, that we can break those silos. We can get away from the old mentality of "I can't share what I have." Why can't I? Is a hash of a file classified? It's a hash. What about an IP address? It's just four octets. Does it really need to be treated as if it's the world's biggest secret? In most of the cases we find that no, it doesn't need to be. Now you have to feed the machine; you have to get those processes lined up so that you can get that information to a releasable state. That's one of the big processes we have going on right now, trying to streamline that process to get information pushed out in a way in which we can then start sharing it more broadly, starting to invest in things like MISP, sharing resources there. Somebody mentioned an export there; that's a great idea, and honestly it's not one that we thought of yet, but having an alternative malware analysis repository, if you will, I think that's what you're referring to. So right now what we're trying to do in the meantime is set up a sharing agreement where, if you find something in your network, you have an avenue that you can pass it back to us, we can help with the
resources to analyze the malware and get you the results but you're right i think funding something more large-scale that is an international effort is a great idea just when we haven't explored yet so I knew somebody was gonna ask this question our team is not we're strictly defensive in nature that being said there has been a lot of reporting about the willingness to take action against the adversaries so if we glean information on the defensive side that we can attribute to a malicious actor that is trying to target us or US interests then we pass it to the appropriate parties and then they can make that decision from there so an example it doesn't really matter which
which apt but what we try to do is leveraging something like the minor attack matrix well we can figure out is what are the most observed TTP's for that apt from there you really need to get down into the weeds of what information do I need to collect if I'm looking for evidence of SMB for lateral movement what is the piece of information in the network traffic that need to identify from there if I can break that problem down that's that's my biggest challenge is what information feels what data do I need to collect then you look at what tools and resources you have to collected so for example if I'm trying to find information on the host do I have a
login capability in here in Windows Windows has event logging and some other things you can do but do you have a a server or any kind of aggregation of those logs where you can truly do analysis at scale pushing something win log beats or sis mom is a really easy way that is free it's open source and then if you can configure those to get the right data points you need then it's a matter of how do I extract that data now for my analytics what is my Cabana dashboard look like what is my Wireshark or my my Moloch query look like to get that data out and then there we also build in that
process of validating the information so for example if I walk through that process identify the key points that I need to collect and then I make sure that I'm collecting that data in the network and that I'm analyzing it with my whatever my team is now is it truly absence of evidence does that mean that an adversary isn't there or does it mean that they're not using that particular TTP if I've come back and validated that all my data sources are correct and my entire process up to that point is good and valid then at what point do I say I don't have evidence of this and then from there we try to figure out what
else might they be doing do I understand the procedure part enough of what an adversary is doing that maybe instead of using this dll maybe they're using this one so do I understand it enough that I can look for some other file or some other piece of information that they might try to make it new just a tweak on an old process how do we know if we're achieving success over the long term from my perspective success point number one do I get an invitation back so in virtually every case every country that we've gone to thus far we have been invited back which is which is very important it also gives it an opportunity to see the recommendations
that we gave you did you implement them and what we're seeing as we now start to return to continue to work with these countries they are making substantive changes and improvements which is good because one from us it means you care and you're taking an active approach you're doing what you can resource constraints aside you're doing what you can but depending on the country size and how much money you can devote to it you might see small incremental process of improvement or you might see bigger leaps just depends on the country yes that is a a process that we have it's called a deconfliction process but we try to work with the foreign governments not only the mission partner
whose country were in but also with our government partners and other countries to say if we release this publicly does that cause us problems so for example if you have a a new situ infrastructure with a new piece of malware that nobody's openly discovered yet and we found out if I out that publicly then our ability to collect that information now is significantly hindered so what's the balance of getting the information out to maybe some antivirus companies maybe I don't want to focus on antivirus maybe I want to focus on like firewalls can I get a company like say Palo Alto or some other company from a firewall perspective to capture those rules maybe report it back to us build that
agreement they report it back to us but not necessarily take action on it yet I will say for the record that was complete conjecture as far as what we will or won't do in those instances but that is a way which we can we are definitely D conflicting within the governments of what gets released that part is is fact but the other piece about identifying new infrastructure I can't release one of the ways that we gain trust is our Guard and Reserve forces within the u.s. have state partnerships with a lot of foreign countries so they may already have mil-to-mil relationships and in that case I say hey we can have a cyber relationship now too and that is usually
an easy way to get into the door to have the conversation other times it's relying on our regional security cooperation efforts to say hey if you would like we can send the cyber team in they can help you with the defenses of your networks and if the country says you know what that's a good idea they submit a request for support or request for assistance to our government and our government firmly says yep we can do that here's a team here's the resources and and then we start planning it from there doesn't always work out as quickly and easily as we would like but that's basically how the process works for all these countries were working now
depending on the country that we're in determines if we can leave the equipment potentially or if we have to take it with us when we leave but when we configure the equipment within that mission partners Network they're right there with us and we show them exactly how its configured we walk them through the configuration process so for example in one country they didn't have a scene at all and so we use security onion with the Alex TAC to show them how easy it is to set up their own scene for a small enough network you can get away with that as far as storage capacity for logs and some some other data that you're trying to collect like pcap but we
absolutely will sit down and we will show them how to configure that based on our best practices that we have gathered over the years and then try to share that so they can implement those as well but we're very transparent they're very generic so that as I mentioned we don't have a lot of times a pre coordination with the IT departments and so we don't know exactly what we're getting into when we go to show up with our equipment so we inherently have to have more generic equipment that we can configure quickly to account for the changes in that particular Network yes so the question was if if are one of our goals is to build up other teams that can also
do this as well as working with other foreign governments - to build the same capabilities the answer is both so our intent when we go out on these missions is not only to build up the defensive capacities of the teams that we work with forward so for example if the country's trying to establish a stock we're working with them to try to identify how they should organize their stock how they should configure their equipment making sure they're getting the right data feeds coming in throughout their network making sure you're getting host logs all that tends to be one of the biggest problems we see is not having hosts logging might be on by default on that particular machine
but it doesn't go anywhere so it's hard to get all that configured up front what we're also trying to do is we're trying to make this an international effort so if I can get the Australian government if I can get the British government other governments on board with these type of defensive operations it truly becomes an international effort to help other countries so when it comes to helping you know whether it be NATO or other international organizations we're absolutely focused on trying to build those relationships build up capacity as well so that other teams can go do the same thing that we're trying to do with that I think my time is up but if you
have any additional questions we'll be around for the rest of conference [Applause]
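The hunt workflow the speaker walks through in the Q&A (pick an ATT&CK technique such as SMB lateral movement, decide which data fields you need, collect them with Sysmon and Winlogbeat, query the result, then validate that "no hits" is not just "no visibility") is shown below as an added example; it is not code from the talk or from the speaker's team. The event records, host names, account names and the fan-out threshold are constructed for the example; the meaning of Sysmon Event ID 3 (network connection) and Windows Security Event 4624 with LogonType 3 (network logon) is real, but the field names are simplified from what Winlogbeat actually emits.

```python
"""Added example: hunt for SMB lateral movement (ATT&CK T1021.002) over
constructed Sysmon / Windows Security events, with a visibility check so that
absence of evidence is not mistaken for evidence of absence."""
from collections import defaultdict

# Constructed sample events (not real telemetry), loosely shaped like Winlogbeat
# output. Sysmon EventID 3 = outbound network connection from a process;
# Security EventID 4624 LogonType 3 = network logon, which an SMB session produces.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "sysmon", "event_id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.0.0.20", "dst_port": 445},
    {"host": "ws01", "channel": "sysmon", "event_id": 3, "image": r"C:\Users\bob\psexec.exe", "dst_ip": "10.0.0.21", "dst_port": 445},
    {"host": "ws01", "channel": "sysmon", "event_id": 3, "image": r"C:\Users\bob\psexec.exe", "dst_ip": "10.0.0.22", "dst_port": 445},
    {"host": "ws01", "channel": "sysmon", "event_id": 3, "image": r"C:\Users\bob\psexec.exe", "dst_ip": "10.0.0.23", "dst_port": 445},
    {"host": "ws02", "channel": "sysmon", "event_id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.0.0.20", "dst_port": 445},
    {"host": "ws02", "channel": "sysmon", "event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"host": "fs01", "channel": "security", "event_id": 4624, "logon_type": 3, "user": "bob", "src_ip": "10.0.0.10"},
    {"host": "ws03", "channel": "security", "event_id": 4624, "logon_type": 2, "user": "alice", "src_ip": "-"},
]

# Hypothetical asset inventory: every host that *should* be shipping Sysmon.
INVENTORY = {"ws01", "ws02", "ws03", "fs01"}

# Images that legitimately speak SMB on a Windows client (assumption for the
# example; tune per environment). Compared case-insensitively.
KNOWN_SMB_CLIENTS = {
    r"c:\windows\system32\svchost.exe",   # LanmanWorkstation service host
    "system",                              # kernel-mode redirector shows as System
}


def _smb_connections(events):
    """Yield Sysmon EventID 3 records whose destination port is 445/tcp."""
    for e in events:
        if e["channel"] == "sysmon" and e["event_id"] == 3 and e["dst_port"] == 445:
            yield e


def coverage_gaps(events, inventory):
    """Hosts in the inventory that never shipped a Sysmon EventID 3 record.
    For these, zero SMB hits means 'no visibility', not 'no adversary'."""
    seen = {e["host"] for e in events if e["channel"] == "sysmon" and e["event_id"] == 3}
    return sorted(inventory - seen)


def smb_fan_out(events, threshold=3):
    """Source hosts that opened SMB to at least `threshold` distinct peers,
    the classic footprint of a host being used to move laterally."""
    peers = defaultdict(set)
    for e in _smb_connections(events):
        peers[e["host"]].add(e["dst_ip"])
    return {h: sorted(p) for h, p in peers.items() if len(p) >= threshold}


def unexpected_smb_clients(events, allowlist=KNOWN_SMB_CLIENTS):
    """(host, image) pairs where something other than the OS redirector talks
    SMB, which catches a renamed tool even if the fan-out stays low."""
    hits = {(e["host"], e["image"]) for e in _smb_connections(events)
            if e["image"].lower() not in allowlist}
    return sorted(hits)


def network_logons(events):
    """Accounts that produced LogonType 3 logons, grouped by destination host,
    to corroborate the client-side view from the server side."""
    out = defaultdict(set)
    for e in events:
        if e["channel"] == "security" and e["event_id"] == 4624 and e.get("logon_type") == 3:
            out[e["host"]].add(e["user"])
    return {h: sorted(u) for h, u in out.items()}


def hunt(events, inventory):
    """Run every check and return one report; visibility gaps come first so the
    analyst sees where the other answers cannot be trusted."""
    return {
        "no_visibility": coverage_gaps(events, inventory),
        "smb_fan_out": smb_fan_out(events),
        "unexpected_smb_clients": unexpected_smb_clients(events),
        "network_logons": network_logons(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_EVENTS, INVENTORY), indent=2))
```

On the constructed input the report flags `ws01` (four distinct SMB peers, driven by a non-standard image) and lists `fs01` and `ws03` under `no_visibility`, because they sent Security events but no Sysmon network events; that second list is the "did I validate my data sources" step the speaker describes, and it is the reason a quiet hunt on those hosts proves nothing yet.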