
Things you learn at B-Sides Newcastle: yesterday we found out that Dan Card is an avid golfer. Hey Dan [Laughter]. So make sure you mention that to him when you see him. Oh yeah, my Gmail's there, not a very good lawyer, but I haven't got much money.

Announcements: you know about the canteen being closed. I don't know what's happening later, by the way; apparently Brian Welton's organizing everything, so, um, there may not be a mistake again. And Newcastle are playing Crystal Palace today, so town's going to be quite busy tonight, I feel. So, um, good time to have a fight. That's what Chris and I did last time. We didn't actually have a fight, we stopped a fight, and then the guy got knocked out after we left, which was deserved, I think; he was a dick. And my second screen should be here. He tried to, uh, he kicked the taxi we were in and then tried to fight a very small taxi driver at the taxi rank where the other taxi drivers were. Yeah.

This is a really good video, we might play that video later [Laughter]. Anyway, he got knocked out, not by us, because we don't break the law, we make the law. Are we good? Yeah, it's yours. Right, big, big, big round of applause for Rosie please [Applause]. She's gonna help us get jobs.

I've not spoken for a long time in public, so this might be a little bit rusty, I'll just put that out there now. Um, so who am I? I don't know how to use this, so I think I'll give up in a minute. No no, give me one second. I'm suddenly at the end. I'm gonna present via memes. Uh, I can't get this, can I have a... oh, I told you it's gonna be rusty. How do I get so I can move my slides? I've just gone straight to the end. Oh, have you? All right, okay.
Perfect, right, okay, sorry. Who am I? I'm Rosie Anderson. I do not work in tech; I work in recruitment, and I've been doing that for two decades, despite my slightly hungover babyface. Um, the last seven years I've worked in cyber security recruitment, so over the past two decades I've helped hundreds of people get jobs in either tech or cyber. I'm head of industry mentoring for CAPSLOCK, which I volunteer to do. Uh, CAPSLOCK's a boot camp, I'll talk about that a bit more in a bit. I'm a working parent, I've got two kids, um, so I'm an advocate for flexible working for people, not just parents but for everybody. And I'm a retired party girl.

So last night I might have been a party girl, but not today. Um, so I'm going to do this talk in two halves. I'm going to talk about hacking your career for 10 minutes, and you can then ask questions, and then I'm going to talk about how to hire, how to hack that recruitment process. Um, so feel free to ask me questions.

So you want to work in cyber. So I'm going to aim this at people who are new to the industry. Saying you want to work in cyber is like saying you want to work in science; the field is so broad. So if that's what you want to do, you think, right, I do want to find out what this sexy cyber security is all about, you need to start thinking about what areas of cyber you want to work in, and what your motivations are, what you kind of enjoy, so you can find the right path. There's so much free resources out there. If you go onto YouTube and watch the CREST "day in the life" videos, you can watch the day in the life of a pentester, the day in the life of a red teamer, and you can get some insights as to all the different types of roles in cyber. So before you kind of go out networking with people, have a bit of an idea, so you can really help people pinpoint the advice that they give to you.

There's so much more to life than just being a pentester or being a SOC analyst; there's so many roles in cyber security. If risk is your space there's, like, so many different opportunities and paths that you can go down. Um, there really is a role for everybody. So there's DevSecOps, there's risk management, there's identity and access management, there's building secure systems. We need so many different people in cyber; you can bring transferable skills from anywhere. So like I said, it's really broad. This is just... I'm sure there's probably some more stems since then. So if you're trying to start out in a career and you think, okay, there's a lot of people trying to get into cyber security, if you look at something like identity and access management or cloud security, it's somewhere that, um, it's not as competitive, or there's not as many people saying I want to work in that area. So I'm going to have a drink.

Okay, so you've decided what you want to do and where you want to work, or you've narrowed it down a little bit, so now we're going to build some technical skills. If you're coming in from a starting point of zero in terms of technology, like me, you're going to have to start building some technical skills to prove your interest, shall we say. There's so many different opportunities here. I've mentioned Security+ and Network+; you can do some of the Professor Messer training for free, um, to kind of start building that knowledge, and it is something we see on job specs for entry-level candidates. You can go on to TryHackMe, and then as you get a little bit more technical you can go on to Hack The Box and build out those kind of technical skills. There are boot camps, so CAPSLOCK is a boot camp, and there's fantastic opportunities to learn in that environment. If you want training, obviously you could go and get a degree; for me, I would look at a bootcamp. Um, with CAPSLOCK you can do it as a student loan, so you don't actually pay anything back until you're earning more than X amount. There's Discord channels and places where you can start to meet other techies like yourself, so Digital Overdose, Capture The Talent; these are Discords for rookies, with experienced people in as well. I've put Simply Cyber there; they've got a really good, um, entry master risk analyst course where you pay what you can, and it's really, really good content to start building upon that knowledge. The advantage with all of these sort of labs that you can do on RangeForce is you get a shiny certificate, and with that shiny certificate, that's something that you can put on your CV, so when you're applying for a job they can see that you are actually doing some self-study on your own and you like to learn.

So we've built some technical skills, and then we're going to build some professional skills. So what I would recommend doing, um... so, I'm going to start again. Any good pen tester knows that you can pwn the box and get domain admin, but actually now you've got to write a report. So these are the professional skills that everybody's sort of going to need. So if you want to be a pen tester, when you've hacked the box, or whatever you've pwned, you then need to do a write-up about that. If you do that sort of write-up as though you're describing what you've done, with a walk-through, you're practising those technical skills, and then if you do a write-up as an executive summary of what you've done, these are things that you can put in your portfolio and you can share on social media, share on LinkedIn, that shows your knowledge and your passion. It's again something that's showing that although you don't necessarily have technical experience already, this is what you've been doing. Um, I think one of the really good things with the rise of Discords and things like that is you can find a community, like here, like at B-Sides. I don't know if B-Sides has a Discord, but you can find a community of people who want to help you learn and build upon those technical skills and start writing that blog. That is one of the ways that you're going to get a role, um, an entry-level role, and make yourself sort of known. Now I know for some people they don't really like LinkedIn, or they feel a bit scared about sharing your first things. I would say, you know, you're at B-Sides here now, you're networking; networking on LinkedIn is not scary, it's way less scary than speaking to strangers in person.

So let's hack your career. You've done all these things, um, you see a job advertised on LinkedIn or wherever. Don't just apply for that job; that's what everybody's doing. Contact the hiring manager. Figure out who's going to be the hiring manager there. Figure out if you know somebody who works for that company. So if company X, if National Grid is hiring for a SOC analyst, go and speak to somebody that you know at National Grid, ask them about the culture, ask them why they're a great place to work. You're socially engineering your way into speaking to that person who's potentially the hiring manager. Network with people at all levels, network with people who are doing the job that you want to do, and ask them, you know, how did you start, what would you do if you were back in that position. Um, these are the sorts of things, like I say: if you're networking on LinkedIn before that job's advertised, and you're doing all these posts of what you're learning and the journey that you're on, you should then get notified about opportunities before they even go live to market. This is how I would get my first job if I was in that situation. I am obviously a recruiter; chances are you're not going to get your first job through a recruiter like me, um, because a business won't necessarily want to pay a fee, because they pay fees to recruitment agencies for finding talent. Now the only thing I will say is, if you want to be a SOC analyst, go and speak with Renee and Tarzo; that's all he does, that's all he recruits for, and he helps lots of businesses build SOCs. Um, any questions? Sorry, it's very hot up here.
Oh, sorry.

Yes, there's a Level 4 apprenticeship, I think, in cyber. So one of the people, um, that I placed without a degree in a consultancy, actually she'd done that apprenticeship, and I think apprenticeships, yeah, we do see it. They don't necessarily come to a recruitment agency, and it's one of the things I recommend to customers and say, when you're hiring talent, it shouldn't just be experienced talent, it should be all these different routes. What we also find is, I think the thing with apprenticeships, even apprenticeships are heavily competitive. So I'm pretty sure there was a guy at an automotive finance company shared they wanted to hire an apprentice, but even people coming out of uni, school or university, they're not being given this advice. They're just applying for jobs, and I think even at that sort of level you need to be doing something to make yourself stand out, and not necessarily... you don't have to have technical experience, but even apprenticeships are really heavily competed for, I think, what companies... is that the word in cyber? Any other questions? Because I fixed the mate.

Nope. Um, you always get the best teams when you get a diverse workforce; how do we encourage people from non-traditional backgrounds to apply for jobs in cyber? Oh, tough one. Um, pizza. Yeah, yeah. I think a lot of companies will allow, or should be allowing, their staff to go out and do STEM outreach, so there's plenty of STEM events. I actually think we are getting more diversity in terms of degrees; I think that's starting to turn the corner. But actually going out and hunting for that talent, where, if you want to hire apprentices, going out to the colleges and saying hey, we're hiring, or going out on LinkedIn, you know, so many jobs are found on LinkedIn, and saying does anybody have a teenager or child, or can anybody recommend; and normally it is those sort of networks. I think what B-Sides do fantastically is they have careers tracks for kids, and they have, you know, it's a friendly environment. SteelCon does the same, don't they? But it shouldn't just be about kids, it should be about everybody, and there's a big push to reskill the workforce. So CAPSLOCK again, um, they're reskilling people in cyber, and that's what we need. But if you're hiring, if you're company X, sorry, I'm going to use National Grid again because you're there, if you're National Grid you should be going out to people within your business to say the IT team is crying out, or the cyber team's crying out for people, is anybody interested? Doing meetups, um, like meetups; I know Ladies Hacking Society is fantastic to get with meetups and things like that. But just sharing the knowledge like that, again, this is why B-Sides are fantastic, sharing the knowledge of what we're doing, and it's not just, you know, the IT network room, and it's not cyber with the hoodie, um, sort of bringing the people alive of what we're doing. I hope that answered it. I'm regretting drinking last night.

Just one comment on the last one: sponsor a table at a B-Sides and have your team there saying that they're recruiting. I've done it at two events. Yeah, really good candidates from diverse backgrounds. Yeah, and it doesn't cost a lot, and I'm sure B-Sides definitely always need more sponsors. Indeed, all conferences, not just B-Sides, but yes. Uh, yeah, lots of people need extra bodies, and this is a nice way to meet people. So remember, introduce yourself to the people sitting next to you. Yeah, and it's easier, it's easier on LinkedIn.

Right, I'm gonna do the second half now. So this is for people who are hiring, and my advice and what I've learned. So again, I've been hiring for two decades; I've been here for a long time doing this. Um, yeah, I'll just start that. Let's start with your job description. The job description should be what you
want from the candidate and what they need to do, what they're going to be doing day to day, what a typical day looks like. What we see with job descriptions in recruitment is we get a job description and it's normally got a date stamp, and it's about four years old. Now let's be honest, the role will have changed in the last four years. So the hiring manager should write the job description first off, then give it to HR to put whatever tools that they do to make it HR-y, um, but then go and speak to the people in your teams and say, is this right? So we had this once in recruitment, where people were coming in and thinking, this was the previous company I worked at, people were coming in thinking the job was going out and meeting people and all of this, which it is, the more senior you get, but when you start you're on the phone speaking to people, there's no face-to-face contact. But it was in the job description that that's what it was, so there's a misalignment.

Um, your job description: try and take out all of the things, you know, really question, do I need a degree? That's my first question to a hiring manager if they put a degree on there. Degree or equivalent: there's plenty of other equivalent experience than having a degree. Does it have to be X amount of years of this? I see this all of the time, and we place people all of the time that don't match all those things on the job spec. If it's on there, you're going to be putting people off. Now, your job description is not your job advert. Your job advert is why they should come and work for you. So why are you a great employer? Why do your workforce love working for you? Why, um, you know, why should somebody come and pick your job? Don't put desirable skills on your job advert, because it will put people off. As a female, there's statistics that back this up, I will only apply if I hit 70 percent of that criteria. Now I will also say apply if you hit 30. As a man, you all apply if you hit 40 to 50; there's some statistics around the back of that. So think about when you're advertising: definitely don't advertise any desirable skills. You can use that as part of your interviewing process. Um, if you ask your current staff why do you like working here and they can't answer, recruitment's going to be in your future. So these are things to sort of look at.

Um, now, stop asking for X when you mean Y. So if we see a job spec that says, um, which I think, a perfect example, I had one, I'm going to go through some good job specs in a second, we see a job description, this massive wish list, let's just call it what it is. Do you really need that technical skill? Do you need this SIEM tool, or can it be any SIEM tool? Let's widen out to try and make job specs actually reflect the job. So many times I see a job spec that's got, well, look at it, that's two jobs, well, that's three jobs. Like, let's really narrow down what we're hiring for.

And then show the salary. And if you say to me, we can't advertise the salary because our current staff will get upset, again, I'm probably going to be speaking to them staff soon. Advertise your salary, or put a range. Now I do get some people can't do this for whatever reason, but you'll get 76% more applicants if you advertise the salary. Many a time I speak to a candidate who says, oh I saw that job advert, I didn't know what the salary was, so I wasn't going to apply, but yeah I'll apply through you, Rosie, as a recruiter, because I can advertise salaries. Same for benefits: what are the benefits, what are the real benefits? Don't just say you get a pension; what's the percentage? You get a bonus; what does it look like? Please do this, and it will help, it will help you so much.

So, some really good job adverts. So what you should be doing as well with your job adverts, like this guy did. He's the CSO, this is a live role he's hiring, he's shared it to say, anybody who's interested? Now what I love about this: "we're not looking for certifications or years of experience", hooray, and "remote or at one of our offices or a mixture, you choose". He has massively increased his talent pool because he's put that. Now when I clicked on the job, the salary is on the job, it's not put on his post, and the benefits are there, and that's actually quite a decent benefits thing. He's not saying you get 20 days' holiday, that's the minimum you can give somebody; so many different things, and he's talked about maternity and paternity pay. So again he's showing that it's a really good company that's got some decent benefits. Now this one, so this is Glenn from Sky Bet sent me, this isn't a live job, but again he's got a salary banding, which is quite a wide banding, and he's got some really good benefits, but he also talks about the team's goals, lots of decent things in there, which isn't just a list of technical skills that doesn't bring it to life. I also again love the flexibility; it opens up your talent pool.

Now, interviewing. Anybody that you interview, you should give feedback to. If they're giving up their time to come and interview with you, even if it's a no, you should give some constructive feedback. Because that person, say it is a newbie, and the person you had, um: "you did a really good interview, we thought your skills in X, Y or Z were excellent, but the person we hired we felt was a better fit. Where I think you could develop in the future: if you focus on learning more about Linux or Active Directory, then come back to me in six months' time." That's constructive feedback. You should have taken notes during an interview anyway, so you should be able to give them something, or at the very least tell them it's a no. And the amount of people that I speak to that don't get interview feedback: that person will never come and work for you again, and when they get that first job you might want to hire them in six months' time. So anything you can do to show that you're a decent person, to be honest, will help you when you're coming to recruit.

Now you've interviewed your person. I told you there was some good memes. You've interviewed your person and they've got a 12-week notice period, which is normal, uh, for a senior person. You need to be speaking to them really regularly, because just because you've offered them doesn't mean that all the other interviews they had aren't still hounding them. It doesn't mean that their current employer has not gone, oh [ __ ], we're going to lose this person, let's offer them 10 grand more or that promotion that they wanted. And all the way through that process, all the way through that onboarding period before they actually start with your company, one thing you could do is get somebody within the team to start reaching out to them: invite them to any socials that you do, invite them to meet the team, come for lunch with the team, because that's a long period for you to still lose somebody. It's not a done deal until they start. So that onboarding process, and sometimes it does feel like it can take two years, think about what you can do to already make them feel like they're within your business. Any questions?

Sorry, I can't see. Yep.
Okay, questions. Question, question, question three. It's really bright up here. Yeah. Um, hi, um, just wondering what you're seeing in the industry at the moment. Keep hearing that it's, um, hard to recruit, or it's an employee's environment at the moment, an employee's market and stuff. Yep. What are you seeing? So it is wild. Um, I'm seeing onboarding, um, what's the word, sign-on bonuses, I'm seeing, particularly for experienced staff. There is a war on talent. I do have some data, if anyone wants salary data just message me, with how much the salaries are rising. So for example, network security salaries in the last six months have risen 25% of what people are advertising, and it's different in different locations, but I've got those sort of stats and things. And I think, whether or not we're heading into a recession, let's probably not get political, um, I don't think that's going to make a problem at all with cyber staff; there's still more threats, there's still that struggle to get good people. What I see is there are lots of jobs out there, but there's lots of processes that make it difficult to hire. And if you're already in work, which is talent that people come to me to find, you're not out there looking for a job. So if you are hiring, it should be down to you and your recruitment partners to be in the industry and finding the best people for the job. Now the best person for the job might not even know about you, and that's where you do need headhunters for experienced staff. I think there's so much good going on to get more people in, like B-Sides, Ladies Hacking Society; there's so much to get the interest, and these community events need help. If you can volunteer or give some time, or speak at these sorts of things, or like CAPSLOCK, we have people who come and talk to us as mentors, um, or come and be a guest speaker, and then they can go and hire from that diverse talent pool.

It's not easy. That's why, I think I've done this talk before and I've called it "Talent attraction: it's not hard, is it?" It is hard. It's easy to drop the ball somewhere, which is where you have to think about it. It's not just stick an advert out and hope for the best, kind of thing. Everybody who goes through that experience with your company, who has a touch point at some point with your company through that recruitment process, that's the impression you're giving in the market, and it's very easy to get a bad name against yourself if you're not nice to candidates or you're not a great place to work. I think what I am seeing, one of the first things I do say to people is, if you are looking to leave... so with recruitment, one of the things I see is the reason people are looking to leave is because they're not getting promotion opportunities, or the experience that they want within their current company. And actually I think that's a mistake that companies make. You need to be looking at your current staff and saying, okay, the pandemic has reset everybody's expectations; what was right before isn't now. How can we keep you? What can we give you as, like, a promotion opportunity? So can you give somebody help, can you get them to help in the recruitment process, can they buddy with somebody to get some experience before they're ready to be a team leader? And the companies that invest well and do bring in junior talent, you can see how fast they grow, because they are investing in people.

Rosie, do you want people to have terrible job experiences so they want to then move and contact you? No. Um, one more question over here. I'll move into the light so you can see me. Sorry, I sneaked in at the end of the session, but one thing I was wondering, you may have covered it already, but do you think that recruiters, um, put in place enough support to deal with and cater for the neurodivergent community yet? Because that's quite prevalent within our industry. So, uh, I think in cyber I feel there is a lot of support, um, out there. There's resources, there's lots of information out there as to how to hire and how to attract neurodivergent talent. It's not one size fits all. If you're working with a recruitment agency, you should let them know if there's any adjustments you need. And I think where we get, like, the CTF events and things like that, if we want to hone in on people who've got technical skills, that's something that you can do as a way to assess people's talent without the CV. I feel with, like, Auticon and mfilpot's company, um, I can't think what it's called, "I Asked Me", might be, "I Asked Me", um, there is support and there's ways that you can tap into that talent. But I think neurodiversity is a superpower; it's one of those, if you put, sort of, two different neurodivergent types of people in a team together, they can complement each other with the different skills. But I think if you want to hire that type of talent, maybe look at technical assessments rather than face-to-face interviews. Um, eye contact can sometimes be a struggle for people. There's things that you can do to make your recruitment process more tailored if that's the type of talent you want to tap into.
Have I gone over? Probably. No, no, there is, there is, there is. So here we go. Cheers. Oh yeah, um, a few of us were talking yesterday and we were saying how, um, you know, one of the things with some firms prioritizing team fit over skills, because you can teach skills, so yeah, do you have any tips on providing feedback to somebody you don't think is going to fit well with your team? Because sometimes that can be a struggle, how to positively give them feedback of, you know, don't be too full of yourself, whatever, you know. Um, I do, I do sometimes get, you might need to give a person some pointers on this, this and this. I think what you're better off doing is giving that message in a positive way. Um, you can say, the person that we hired had this, this and this; something to work on for your next interview might be this. Um, or if you've got a recruitment partner, get them to deliver the message. I think it's better to be honest with a person. You know, like, you turned up late for the interview, the amount of people that we have to say that to, or you didn't put your camera on on a video call or a video interview. That sometimes, actually, if they don't know they're doing something wrong, how can they fix it? And they're better off having that message then, because that will help them in the long run. They might be a little bit pissed off at getting that message, but temporary pissed-offness, but you get a job later on when you take on board the positive criticism. Um, I would say deliver the message, or get your HR or recruiter to deliver the message. Yeah, don't just say, oh it's not a good fit, because that doesn't help anyone and it's a wussy way of getting out of it. Yeah.

How are you seeing things change towards remote work, or away from remote work? So what I'm starting to see... I think, we must have you in X days in the office, yeah, and you must be within X distance, I used to see that all the time, and the pandemic has really reset things. There is no one size fits all, and you shouldn't do, like the same with inside IR35 blanket assessments, you shouldn't just go, this is what we're doing. Um, we are seeing more hybrid working and clients requesting that, and I will say to them, okay, do they need to be in the office one day a week? Has it got to be a certain day? Or how flexible is it? But I also see, particularly, so we do tech and cyber, with software developers: company X has now mandated that you've got to be in the office; company X's employees are all replying to my messages that they've not replied to for however long. Um, so it is a risk. But if you actually approach it as a sensible conversation with your staff and say, right, IT team, do you want to be in the office? What works for you? Right, that's you. Sales team, accounts team. It shouldn't just be, the whole company now does this, because, like anything, if you approach a blanket assessment to it all, you're gonna alienate and you're gonna shrink that talent pool.

So [Music] it's hot up here. So I notice if we coordinate the order in which we put our hands up, someone has to run quite a lot; is that something you're doing on purpose? Um, you mentioned how much more interest you get from a posting when the salary is listed, yeah, and what conversations can you have within an organization when that's something that, um, your talent acquisition folks are resistant to? Are there ways of having that conversation that you know of? Um, I understand sometimes why people don't do it; they don't want the salary bandings known, because, you know, I hear regular arguments for not doing it, but the evidence is there with how many more applications you get. And I think it depends who owns the recruitment process: is it HR, is it the hiring manager? If you keep having the same conversation and keep talking and communicating, hopefully you can get to the bottom as to why. And if it is about internal salaries, people know it anyway. Um, what you can do if it is a problem: so we have one customer who will say to us, um, you're not allowed to advertise salaries, and I'll kind of go back and go, ah, really? I know what I'm doing. Okay, well, we won't advertise the salary, but "talk to us about it; if you have a conversation with us we'll then discuss the salary banding". So that's one way you can potentially get around it, but yeah, just keep having that conversation and keep trying to batter them into submission.
Could someone further away ask a question, just so Dave can run a bit further? I am going to be around after as well, if nobody gets tired, or you want to come and speak to me afterwards. Hi, um, just a question about any advice, like you say, being a working parent, and if you're seeing, um, more accommodation from businesses with flexible work, and just think how it is tough to either reduce your hours as a working parent or make up hours, and even though lots of, especially in tech, it's quite, can be, flexible work and not time-pressured sometimes, um, it's still tough. It's like an old-fashioned view of you've got your eight hours a day. Yeah. Um, because you said about sometimes, like, working school hours and stuff, didn't you say? So yes, any advice, or if you're seeing anything? So, companies that do it really well will kind of go, look, you're the professional; as long as the deliverables are hit, I don't care how you do it. And if you have that type of organization or team where you're trusting your team to get the job done, it doesn't matter what hours they do. Now obviously it's not going to work in a SOC or a 24/7 environment, but if that's a benefit, that is a massive benefit that should be on your job adverts when you're going out, because you will open up the talent pool, it's 100%, and it's not just working parents, it's people with caring responsibilities, it's anybody. If somebody says to you, I don't care what hours you do as long as you do eight hours at some point over the day, or 40 hours over the week, or whatever it is, that is a massive perk. So I am probably unemployable, which is now why I work for myself, because I work school hours and then I work in the evening. Now that doesn't suit everybody. If you've got, um, if you have Asia stakeholders, you're probably gonna work at seven in the morning till three. So sort of think about your environment and then think about the benefits of that, and again, if you speak to your staff and they say, I love working here because you don't give a [ __ ] if I'm not online at nine o'clock, that's a perk that you need to go out into your job adverts with, to say we're the type of environment where you can do this, we trust you to get your job done; it's not about presenteeism, which is why we don't care if you're in the office. But so many times I see a job advert, and when I speak to them it's like, oh yeah, you don't have to be in the office. Why have you advertised it as London, then? Like, it's these sorts of things that you can do to massively open up that talent pool, and flexible working is something that's here to stay and will open up for you different types of people. Thank you.

Um, I was just wondering, what do you find most frustrating about the recruitment industry? I do love it, I do love it. Um, job offers. So when you're offering a candidate, and you've been through that process, and say they want 50k as an example and you offer them 45, the first thing I'll say to you is, really? If you offer them 45 and they say no, and we're going to go back to 50, you've put a seed of doubt in that person's mind who's changing jobs. That seed of doubt: if somebody else offers them the 50 that you've eventually got to, they're going to go there. Don't lowball just to try and save a couple of grand; offer people what they want and what they're worth. If you say, I'm going to offer you 45, but if you do this and this and this, which I'll pay for, then you can get to here, do it that way. But don't just lowball to save, like, a couple of grand on the agency spend or whatever. Any other questions? You did actually have a question, thank you for waiting, close across the site though. Um, everybody gets disappointed when they don't get a job, but what's the flags that go, they've actually had a lucky escape for not getting the job, in your opinion? Oh, oh, so many. Um, they don't get any feedback. Um, like, if you get offered a job, um, and you think, I only had one interview, I want to speak to some of the team, um, there's no reason why you can't say, how can I have, like, an informal chat with who I'm going to work with? And if they won't do that, or they're not very accommodating through that process, that's a red flag for me. Um, we do hear of places where there's toxic cultures, toxic management. You can normally start to glean if you're going to get on with the person who's interviewing you in that interview, and if there's no time for you to ask questions, or it's like a one-sided thing, it's like they're ticking the box if you fit with them, that for me is a red flag. It needs to be, you know, changing jobs is a career decision, it's a big decision; so many times we hear, I need to speak to my partner, because it can be a life-changing decision to move, if you're going to move, um, for a different role, different things; it affects so many parts of your life. So if you're not getting an opportunity to ask those
sorts of questions or there's something normally in that interview which will give you a sign that this might not be great go on glassdoor um you know have a look at companies there is this quite it's not really funny but it makes me smile there's a company on glassdoor and i think one of the reviews is the management is like a cancer in this company and i'm like there's more than one of them yeah and speak to people like have a look on linkedin and look at leave recent levers you know if this if all of the sock team have suddenly left they've probably like made everyone go back in the office or things like that
hiring managers you should always have a meet the team part of the interview process because like this person have to work with them so yeah yeah definitely oh i did that yesterday am i off and i'm not off okay you're fired um one more yeah there's lots of organizations that need to do significant change with their i.t systems at the moment and you know the ransomware threat isn't going away anywhere time soon because of the people higher up the organization and their inability to fundamentally change what they've had for years how do you sell the people into the job that they know is going to be arduous horribleness i don't do it it needs to actually be
different oh okay so be honest um okay we need to change culture in this team we're hiring obviously maybe not put that all of that in the job advert but we're hiring somebody who can come in and real make real change that will be an interesting challenge for somebody if it's a we need to rip out a system and you can't you can't polish your turf you get a contract to come to come in and do it um there's you just need to be honest about what it is because if you catfish a candidate it's called a working environment and it's not what you say they're not going to last for long you're better off looking at well
there's multiple different types of talent there's contractors there's there's people who enjoy coming in and dealing with conflict and sorting things out that's a different skill set to a technical person who needs to deal with security architecture and design something brand new in critical national infrastructure just be honest about what you actually need it would be my advice there okay a round of applause for rosie [Applause] you're gonna be around all day right oh yeah i'm still around foreign excellent i think you're gonna get more questions yeah yeah i mean it's a great topic next up we have mark who for some reason like decided that he would like mess with me earlier by getting people to run
backwards and forwards so this presentation is going to go super well less robots this time i'm already disappointed fewer anyway [Laughter] nice i'm sorry and we've got any other announcements whilst uh mark's getting started uh teas and coffees are upstairs uh oh slight schedule change again i'll get we'll get it yeah i got a new one right so at 11 45 um we're gonna have another non-streamable in here but you can bring your phones apparently just don't record the whole thing and then the ransomware talk will be upstairs so uh so you're undoing the schedule change from earlier yeah it's fluid it's fluid oh yes and for all the late comers morning we see you
Is this loud enough for your hangovers?

You really have a thing for chickens. I think we need a double round of applause for Mark because he's spoken twice. Yep, and that's... I can explain. [Laughter] Is that because he wasn't clear? No, because he weren't here, Brian. We wanted us to do the whole talk... it's a different topic. He still seems to be finishing his slides. I'll do that later. Okay, you're good.

That looks like no image. That looks like that. There we go, there we go. Let's chicken... display this chicken. Okay, BSides, welcome for Mark. Whoa, that's right, I want a presenter display. How do you do the presenter display thing in Keynote? Oh, technicals. There we go. Rosie broke it. Oh, I need to not mirror displays first, don't I? Yep. Computers. Hi to folks on the stream, how are you doing? Scott, Dan Card, live from the golf course, something something 18th hole. Stop mirroring, there we go, and then if I do that... worked yesterday. You're fine. All right, another round of applause. Yay. Mark Goodwin, welcome back to the stage. Thank you very much, the stage is yours.
Where the weird things grow. I just want to say, given that my SteelCon finished with riding a hobby horse while being chased by Scott with a coconut making horse noises, there's some competition. So why am I talking twice? Yesterday was Mark the enthusiastic amateur: I was building robots despite no experience or professional qualification in doing that thing. Today is Mark as a reluctant professional. I'm wearing a shirt and everything, and I'm talking about application security. And my notes aren't displaying for some reason, even though I told it to do that. Never mind, we'll wing it.

So I want to start out by telling two stories. There's a reason for this. The first story is part of the story of how I got into information security. I got into security by complete accident. I was looking after some people's web servers as part of some consultancy work I was doing. One of them got broken into, and I ended up ringing a bank who were the receivers of some of the malicious traffic that was going via a compromised machine, and said, did you know this was happening? And they said no, do you want a job? And on hearing that they had jobs available in application security I spent a couple of months learning everything I could about it. And it was a really difficult experience for me, because I'd worked as a software engineer for all of my professional life up to that point. I had built a lot of systems that frankly I was quite proud of; you know, obviously they were brilliant, right? And one by one I lost respect for the things that I'd done, as I realized that every one of them had a different set of security vulnerabilities in them. I think all of us had a moment when we were learning about security where we got that sort of cold knot in the pit of our stomach once the penny dropped and we realized that not everything was the way that it seemed before. Now, that was a long time ago, I know I don't look old enough, getting on for 20-odd years.

Anyway, so I ended up getting a job at this bank. It was my first full-time job in infosec. Who remembers Egg? Yeah, it was Egg, at the time the world's largest internet bank, and it was a fun challenge for lots of different reasons. We used to get loads of phishing when phishing wasn't really a thing; we had to build a lot of technologies to provide countermeasures for that sort of thing before the industry had really caught up. So it was really useful for me in lots of ways. But I remember on my first day, the first bit of work that I was given. There's a chap there called Grant, and I'd been given the corporate-issue laptop, and I had no tools, and he said, oh, we've got this thing, I'd like you to take a look at it. And it was a Visual Basic application that talked to a database, and I had no tools, but I had WordPad. And I'm thinking, hmm, what can I do? So I had a look at the Visual Basic application. I thought, I wonder if I can open that in WordPad, and I could. And I scrolled down and I saw what looked like UCS-2 encoded SQL strings in the binary, and I thought... so made some changes, and that's how I hacked a bank using WordPad.

But my point there is that, first of all, there's a realization, there's that cold knot in the pit of your stomach when you realize that the world isn't the place you thought it was, and the second is that there's this sort of massive enthusiasm for a technical thing that gets you into AppSec in the first place, right? AppSec is what people who would otherwise be pen testers would do if they want reasonable hours and not have to write reports all the time, right? Anyway, as I said, that was a long time ago, and this talk really is about what I've learned since then, because I've spent most of my time since then working for three different companies, one of which was that bank and the company it subsequently got bought by. I then spent most of 10 years working at Mozilla, where I did security engineering and security assurance on Firefox, and I now work for Matillion, where I look after AppSec there. And by chance, all three of those places I joined at or around the time that software security first started being a separate thing considered within that organization, and it means that I've had a perspective on how that works in different environments. I wanted to share that.

And the first lesson is this. I excitedly, on my first day, attacked the task that Grant had given me, thinking that I was going to be in a technical job, but what I've learned since is that security is mostly cultural. That's the first thing that I wanted to talk about. So let's say you're entering a new organization. They've got no AppSec program. What's the first thing that you're going to do? Chickens. People would be disappointed if there weren't chickens. The first thing to do is to be curious. Okay, this is important for a bunch of reasons. It's important because you need to know how the company that you're joining ticks, what makes the company work. What is the thing they do, what's their product? Is the software which you're dealing with the security for actually one of the company's products, or is it enabling something that they do? What is the relationship between that software and the company's business model? Because it's very, very different for a company like a bank, where software enables the business, than it is for a company where the product is software. You need to work out how the company is structured: what are the different teams, what are the different departments, how do they work together? And this is really important because it tells you a lot about the power dynamics within the company. It tells you a lot about where the levers are that you'll need to pull to get influence within that organization, and also it tells you the parameters within which your day-to-day work is going to operate. So for example, software security is a very different game if you're just doing software security assurance than if you also have engineering responsibilities, where you need to build part of the security machinery that the company uses. So the first question is: do you have a security engineering department, or am I responsible for bits of that as well? If I'm responsible for bits of that as well, well, am I part of engineering or am I separate from engineering? And that's really useful because you need to know whether you've got actual control over something or whether you're going to need to exercise soft power when you're doing things.

But there's another really important reason why being curious is one of the first things you need to do, and that is because it's all about the people, right? It's all about the people, and if, when you join an organization, you sort of sit down behind your desk and you do the thing that you're doing and you spend no time going out and finding out about other people, you're never going to get anywhere. I learned something from someone that I work with recently. I work with a guy called Aaron, and if you're watching, hi; if you're not, don't worry, he's a really nice guy. But I noticed a thing, which is that whenever we go out for lunch or something when we're working together, he'll always have a conversation with the person that serves him. It's not just transactional, you know, handing over the money and perhaps saying thank you if he's bought something. He'll always say, how are you, how's your day going? There's always a little bit of small talk, and the effect it has on people is incredible. What started out as a transactional interaction actually turns into something that's a lot more pleasant for everybody. And here's the really weird thing: neither of us actually work in the office, we're fully remote, but occasionally we'll catch up in Altrincham and we'll go out for lunch, and the people that served him before remember him again, and they'll say, oh hello, how's it going? And immediately the relationship has improved. And it's the same in the workplace, right? And so if you've gone out and you've taken the time to understand what people are doing and why, and how the company works, well, do you know what? You've just put a face on your department. You've told people who you are, as well as finding out who they are and what they do, and that's really important.

Now remember the cold-knot-in-the-pit-of-the-stomach story. There's a learning moment there, right? And what you do when you join an organization and start their security journey kind of mirrors that, in a way, because you're giving them lots of moments where maybe they're not feeling very comfortable. And there's a bit of empathy here as well, because as someone who thought they were a pretty good developer, I had stuff that I could learn, and the people that you're working with are in the same place as you were. Now I find it quite useful to think in terms of perspectives here, because nobody who you're working with in application security wants to build insecure software, and so I think it's helpful to think about why it was that I needed that realization, the sort of horror of having that realization. Now, when you're using a computer system you've got a goal in mind. If you're a software engineer, you're thinking about how the system you're building is going to work; perhaps you've got a ticket and you're trying to work out how you can organize the code, restructure things, to make the software do this new thing. If you're working in quality assurance, you're looking at the spec and trying to find ways in which the code might not do that thing. If you're a user, you're probably not actually thinking about the software at all; it's just a means for doing something. You're trying to log into your bank, or put a picture of a chicken on a slide, or something. And as security people we have a different perspective, right? And one of the most important things we can do is teach people how to see the world from our point of view. And my first question for you really is to think about how reasonable it is for us to do that if we're not going to take the time to do the reverse, to understand what it is that they want to do. So again, that's the first thing: be curious.

Second one. This is much shorter: find a direction. That's from Alice in Wonderland, you may recognize it. Not every organization will have the same direction when it comes to software security. If you are a bank and the software serves a business purpose, then your needs are going to be very different from if you're Mozilla and you want to ship Firefox or something. But also, depending on the type of organization and the security environment it lives in, your requirement is going to be very different. So what is applicable for company X is different for company Y. One size does not fit all. It's really important to try and figure out what's appropriate. Sounds a silly thing, but you need to work out what's appropriate for the organization. You also need to find out what people at that organization think is appropriate for them. It's actually really important to ask this question when you're interviewing for a role, because if the answers for those things are different, you're going to have a really bad time. And how can you do that sort of thing? Well, there's things like CMMI, where you can figure out what a company's appetite is for various things, what level of maturity they want. You can map that to various things, things like the various maturity models for software assurance and that sort of stuff, and you can get an idea of where it is you want to go. But finding a direction is a really important thing. You've got to be able to tell people where it is that you're going, and to do that you've got to determine that in the first place.

I had a weird moment a few weeks ago where I was looking at something on YouTube and a video popped up about someone I knew in IT, and I've never looked for them on YouTube or anything like that, but I watched the talk and it was a talk on leadership. A chap called Peter Anderton. He did this talk about leadership where he's got two rules, and they're really simple. The first is: it's not about you. And the second is: it's only about you. That's really clear, right? "It's not about you" is around the fact that when you join an organization and you want to effect change, because that's what leaders do, it's really important to understand that you can't do that thing on your own. Very often an organization will succeed in its own way regardless of whether or not you're doing a thing. Your job is to help them do that quicker, and sometimes when you're doing security in an organization, other people do your best work, right? I don't know if that makes any sense. Sometimes other people do your best work. So going back to this idea of finding out about an organization and figuring out what makes it tick, finding out who the people are that might be allies in a particular area is really useful. Looking for aligned incentives, ways to make things happen that aren't necessarily labeled security when they're being driven, really useful. Give an example: all of the big browser vendors these days are hastily finding ways of supporting safe languages in their development efforts. So Chromium are looking at including Rust within their code base, and Mozilla have been doing so in Firefox for several years now. And that happened in Firefox because of the project called Stylo, where they took the style rendering engine from the Servo browser and ported it across to Firefox in, I think, Firefox 57, and it's led to massive security improvements in the browser, because loads of the memory safety issues, temporal and spatial, are fixed by having a language that's guaranteed safe at compile time, right? But this wasn't a security project. The work that was done in Stylo for Firefox 57 was actually a performance thing. They wanted a way of having concurrent rendering of a style sheet, and to do that they needed a way of allowing concurrency, and the easiest way of doing it was to use a language that supported that stuff better. And so the biggest improvement in browser security in probably a decade actually came from a performance thing, which I think is quite interesting. And so other people will do your best work for you. It's not about you.

And "it's only about you" is about a different thing. "It's only about you" is from the observation that leadership is almost entirely in how you show up, yeah? If you're the person that nobody wants to talk to, you're never going to get anything done, and so that's a really important thing to learn. It's only about you. And you know what, "it's only about you" applies not only to you, it also applies to the people in your function as well, because everyone in a function like AppSec is a technical leader in their own right. If they're talking to developers, well, they are mentoring other people in technical issues which they are experts in and other people aren't. And so a lot of the leadership tips you'll hear are important for people even if they're not people leaders within your organization. So I think that's a useful thing as well. So yay for that random YouTube finding, and thank you, Peter Anderton.

So you're going to need to measure some stuff. Now, we all like metrics, right? First observation on measuring stuff: your problem is almost always going to be that you have too much information, not that you don't have enough, and sometimes the noise-to-signal ratio is a bit too high. I think it's worth thinking about metrics in two ways. Firstly, internal stuff. You need to measure what you need to drive a feedback loop. It's all very well knowing where you want to go; you need to figure out whether or not we've got there yet, and measuring is a key part of that. So you've got this feedback loop driven by the stuff you collect. But then there's the stuff that you feed to other parts of the business, and again it comes back to security being cultural, right? You're telling a story, and what you measure can help tell a story to other people in the business. So think about not only what you measure but also how you can use that to help other people make the right choices.

Know your tools. So I was talking to Andrew last night and I said I'm tempted to throw my talk away and just spend 30 minutes ranting about how bad AppSec tools are, and that might be a talk for another time. So if you'd like to hear that talk, if you want to hear me rant for half an hour or more on why AppSec tools are all terrible, give me a shout, I'll do that sometime. There's the usual stuff you might know about. You might know about software composition analysis tooling, and that will give you comprehensive and accurate information, but not all of it's pertinent. The way I like to think about this: let's say you're using a platform like Java. Java has really dangerous things in it, like system exec, right? That's there, it's always there. The question for you as an AppSec engineer is, does that ever get hit? And so when an SCA tool tells you that you've got such and such a dependency, it has this vulnerability, actually that's no more informative than "there is dangerous stuff in the API you're using". Sure, it's better to upgrade to the non-vulnerable version of that thing, but unless you know you're exposed to the vulnerability, the finding itself doesn't actually tell you much. This again is a case of you've got too much information and the noise-to-signal ratio is probably quite high. You've got tools like dynamic application security tooling. Generally the quality of this tooling isn't brilliant; the open source stuff seems to be best, and I know Simon Bennetts, but that's not necessarily a plug for his stuff. How well this tooling works usually depends very much on how your application is built, and the weirder your application is, the harder time you're going to have getting good results from it. Then you've got things like static analysis tooling, that sort of stuff, and you'll get a lot of false positives from that sort of thing, and again it's an issue with the amount of data and how much noise you've got there. But you shouldn't just think about tooling in terms of the stuff that you can buy. There's also the developer tooling. There's also the question of what platforms do people choose to use, what toolkits, what utilities you've got internally that stop people from making mistakes. And my main bit of advice on tooling is that systemic is always way more effective than superficial. If you can find ways of making a change to an application or an application architecture such that it becomes really inconvenient for people to do the wrong thing, that's going to help you a lot more than bolting on some kind of tool to retrospectively look for a hole. And so think about that sort of stuff as well. I would like to rant a lot more about tools, but I'm not going to.

Verify. How do you verify your efforts within an organization? There's the internal stuff, right? You can have security things as part of your internal testing activity, so there can be automations, there can be security-specific stuff within your unit and integration test automation. Definitely a good idea. You can have internal manual testing as well. If you've got quality assurance engineers looking at stuff, you can give them a list of things that they can look for. I've got this theory that injection flaws will never get past a QA team that knows what to look for, right? You don't need to be a security expert to find a lot of this stuff. And then there can also be internal security-specific testing from your AppSec folks as well, so that's useful. And then there's the external stuff, right? Pen tests: a really blunt tool for actually verifying how well you've done your job, and they have their place, mostly in sort of sales enablement. And also things like bug bounty programs as well, they're a good thing. But it's good to know what options you've got there for verifying your efforts, and working out how effective those various things are.

And I seem to have run out of time, and that's kind of all I wanted to talk about anyway. But to finish off, I just want to spend a few more moments thinking about where I started, which is that there's a lot of people stuff involved in doing application security work. It's a technical discipline, obviously, but also it isn't. Your success is more likely to be down to how well you do the non-technical things than it is how well you do the technical things, and empathy and leadership skills are an important part of that. Yeah, so that's all I had to say. Thank you for your attention.
[Applause]

I love the fact you've got the breadboard today when you didn't have it yesterday. Yeah, nice. I didn't actually have a breadboard... yes, that, I just didn't use it. Fair enough. Any questions for Mark? Please start down that end of the room. Just like watching you run. I want to hear the other talk as well. Yeah, yeah, you're bypassing CFP for next year. [Laughter] Questions?

Oh, hi Mark. In terms of a career in AppSec, do you think a development background is essential, desirable? Is AppSec an entry-level job in cyber security, or do you think people need to have a certain technical background before doing it?

I don't think experience as a developer is essential. I think that it's much easier to go from a role in development to AppSec than it is to get into any security field any other way, so current developers are a really good talent pool for potential AppSec people. I think it's useful to understand software development, how it works. I think it's useful to understand the basics of the technologies that an organization you're working with uses. I don't think you need to be a particularly brilliant programmer. Interesting aside on this, actually: I discovered when I went to Mozilla and spent some time going back to actually building stuff there that my experience of working in security made me a much different programmer, and not necessarily a better one. And I think what I learned from that is that, maybe it's just the way my mind worked, but I was constantly agonizing about security stuff when I was trying to work on a ticket, and it made me a lot slower. And I think that perhaps tells us a little bit about how AppSec and dev can work together. I think if you foster this environment where you're approachable and helpful, then you can free up developers to do their thing well and quickly, and know that they'll come and talk to you if there's something that looks interesting. But if that helps at all... Any more questions for Mark?

[Laughter]

Well, a little bit, sorry, we were having fun watching you run back and forth. So what is the best way that you have retained your sanity through your journey? There's an implication there that he has. Well, I was gonna say, did he?

[Laughter] I did dress myself today, to clarify. It's kind of fun. I've got a theory about AppSec: if you draw a chart where on one axis you've got the amount of hassle you have to endure, and on the other you've got the rewards, the curve isn't a flat one, and so it means that there's a maxima you can find. And my personal opinion is that, having done dev stuff, having done security stuff, probably what I'm doing at the moment is the optimum for me at the moment. So I do actually genuinely really enjoy it. I find surprising things draining. I spend a lot of time in meetings. Meetings are a lot harder for me now than they used to be, because I'm spending so much time on Zoom, and so disconnecting, doing a lot of stuff that doesn't involve computers. Chickens. Chickens are great. I like to work a lot with my hands, you know, mending stuff, making stuff. Yeah, hobbies and things like that. So my antidote to the stresses of work is lots of not-work.

That's an excellent point. Yes, I approve of that message 100 percent. Yeah, but your hobby's drinking. It's still not working. Maybe it is work. Any questions for Mark? Oh, that's all right, you stay there, mate, save your legs.

[Laughter] If you find an issue and you pass it back to the devs to look at and fix, do they appreciate that, or are they annoyed that you've found stuff and just want to ship it out as fast as they can?

Again, I think it is entirely defined by how you build a relationship with that dev. I think if the only interaction you ever have with them is to give them bad news, first of all they're not going to be delighted to talk to you in the first place. Granted, there's probably still a silly bit of a pause for breath when I say hi to someone, but if most of the conversations I have with a dev are on how to do something rather than what's wrong, then the "what's wrong" conversation is going to be a very different one. And I've never found a dev that isn't interested in fixing a problem. Sometimes they won't understand, but I think folks generally aren't resistant if they understand what's going on.

Cool. One more question, however... time. Actually, one last one.

Talk to us about supply chains, because obviously the thing is that you've got some control over your staff and your code base and all that; the majority of organizations have zero control over the stuff that they use. So you're in a very privileged position to be able to talk to the dev. How do we talk to three devs away, or however many, to get that same message across, so that the stuff we use that's old and out of date, or needs to be repaired in one way or another, can actually get looked at, fixed and sorted?

Excellent question, actually. It's not easy. Yes, you can influence the stuff that your organization maintains itself, but no one is only using their own stuff. There's always libraries, even if it's the platform standard library, right? And therefore there will always be upstream problems. I think there are two interesting things here. One is the question around open source. I'm a massive fan of open source. I think most of the problems that we have in using it are down to the fact that we want to be able to use it and not help with the cost of maintaining it. I think that there are efforts underway to improve that situation, but it's going to take a while, right? So I think that a good starting thought on that one is to factor in the cost of ensuring that you have enough maintenance of that thing when you make the decision to use it. And it was more common at Mozilla than it was at other places that I've worked in, but it's not entirely unexpected for open source projects to get sort of random commits from contributors for security reasons, right? So that's one interesting thing. Another one is that the nature of the way that we aggregate stuff on the web really changes the software supply chain. When you load a website, you've also got a whole load of third-party analytics and services and things that you're using, and I think a lot of people haven't fully internalized the fact that anything that you're allowing to execute in your page has the full privileges the user has, right? And so that's an interesting thing that's harder, because very often security isn't front of mind for any of the people producing those tools, and there's obviously a lot less transparency around the way they're developed, or even what's in there, than there is for a lot of the open source stuff. Does that answer your question? Is there another aspect?

That's a question, I think, for the break, because we're going to get into... it's tea and coffee time. Still, yep. And I love your questions, I just think the two of you should sit down and stare at each other over a cup of Yorkshire tea. Nice. Not Nescafé. Why did Ben buy Nescafé? Okay, everybody, a round of applause for Mark. [Applause] Okay, break time. Quick 15-minute break and then we'll be back in for more.
weirdness
yes it's warm i'll be sitting next to you in a minute uh it's in the ceiling [Laughter] uh apparently it's centrally controlled and just five minutes after we all pass out from heat exhaustion uh it will kick it uh to keep the keep the bodies cool so there's no smell so yes we are having a conversation around temperature more on that later okay we are going to have a lightning round now where all the talks will be only 10 minutes long as an extra special bit of lightning round we're going to have a lightning lightning room because we're going to have one talk in it so without any further ado jerry's going to give our lightning talk
yes just a quick one thank you so much for selecting my talk for the one lightning talk i appreciate it um so we're going to talk about the epss which is the exploit prediction scoring system about me uh my name's jerry gamblin i'm the director of security research at cisco i was with kenna until we were acquired 14 months ago so what is the epss the epss is an open source version of what we built at kenna and and sold to cisco that we're able to give back to the community it takes the same data points that we're using in the main kenna model in a smaller way and gives it to the community for free to let you guys
move to a risk-based vulnerability management assessment so it helps you understand hey is this being exploited on the internet is this cve likely to be exploited should i look at it and we'll dig into that but as we talked about yesterday there are 183 thousand cves now over 16 000 this year alone so anything that you can do to help chip down on the number of cves that your organization has to take care of will greatly help you so the data behind cvss is pretty simple it's the mitre list where cves are born if you sit through my talk yesterday you now know that mitre is an mit front for the deep government of the u.s
text-based images tags so we go through and we mine the the data in the cve and get tags out so that we know kind of how many days it's been published we have a report out that you can look at it's the p2p report it shows that all cves are normally exploited between zero and 90 days or believe it or not between 120 and 180 days right there's a there's a little bump there where nothing's gonna happen and then you have your second round of where hackers might go back and try to pick those up we also have some partners in the open source community uh sniper jails uh intrigue and then we use the cvss
vectors to do that so everybody asked me why is this such an important thing well we know for a fact that no matter where you're sitting at in here how many soc analysts you have how many network administrators you have that no matter what size your company are you're only patching 20 percent of the vulnerabilities on your network every month if you're industry best we've not seen anybody do better than twenty percent um low scoring companies do between five and eight the average is about 15 this year and we run this report every year um it's in our p2p report you can go and pull the numbers so you know that i'm not just making it up but but we talked to a ton
of people about this we sell to some of the biggest companies in the world and they're all like yeah we're only doing about 20 percent of the open vulnerabilities on our network a month and we need to know which ones we need to patch so the problem is between three to six percent of cves are only ever exploited right the rest of it is just noise do we have any i haven't seen an rtld talk here i was hoping mark would have hit some of the radio stuff in his robot talk but but he didn't but signal to noise is is always a big deal and you're talking about a 97 noise to signal ratio when you're talking about
your average cve count that's that that's terrible right most people can't do can't handle that so here's the epss we're going to go through the measuring performance if you've done 7 plus on cvss which the government thinks is great um you're only covering i think it's about three percent of all the vulnerabilities you need to let's see yep yeah so the efficiency is your everything that's in the blue that's not overlapped by the red is wasted effort by your soc team so how many of your soc and patching team have that much time to be wasting efficiency to not be making progress on securing your network
so here's where we're trying to get to right cvss 3 version 3 only is a 5 efficiency if you're saying that you're going to patch everything that's 7 and above you're working at about 5 version 1 of epss which was out last year which was our first public release doubled that a little bit plus a little bit got you about 13 efficiency just using the open source data um version 2 we were super proud of got you the 42.5 efficiency um the model that we charge companies for is at 85 right now so the model that kenna sells and cisco sells is a more mature model but we're giving away half of our model for free
basically at this point and we'd love for you guys to go and dig into the model it's hosted on first.org which is a european-based organization there are open calls every week that you can hop on and help us figure out where we're where we should move this model to how we can make it more useful to people what products can go in and use this model but what it does is every day we got we score every cve and tell you if we think it's going to be impactful on your network or not and you can bring that into your sim to your scoring or any other piece of software that you use to manage
your day-to-day operations
all right so that is my seven minute talk with three minutes for questions the i'm sure the next person will come here and do a talk just like this right yeah let's let's yeah but if you go get yourself a coffee yeah sure uh okay that's awesome uh and yeah we need have a conversation after this purely business level uh any questions and anybody spell cbss yeah god yet no questions are at that side no all right here we go um so when like i so this is for cves basically but correct if i was doing a pen test how would i score it if it was eps s would it be like is there a similar kind of grading
system there or is it really just for vulnerabilities it's really just the vulnerabilities but we we talked to people about this and there is a model that you can use and the model is all in the is in the paper and a lot of it comes down to to like those first couple slides says what the vendor is is it being exploited is there anything in metasploit right i have a sort of follow-up that is not related at all um you mentioned oil can only hit 10 to 20 percent how many new per month are being identified uh on average this month there are 68 new vulnerabilities a day so whatever success yeah they're not really making
much headway yeah yeah there's zero headway being made and to be honest a lot of that it would be a lot worse if it wasn't for windows 10 windows windows 10 is actually a great driver for organizations because of auto patching it pulls their numbers way down we ran the model without windows without windows 10 and it falls down to the best orgs patch about seven percent of the stuff on their network that's terrifying any more really you thought while i'm up there put the hand up yes thanks joe that was really interesting uh from patch inside i love the idea of being more efficient the numbers you've got at five percent are somewhat terrifying
with this sort of model if we try to use it do you have any experience for coming up against sort of the usual policies or um sort of outside compliance frameworks that say you must patch all the things all the time yes and and uh i've helped big companies i've sat down with their her with their holidays and i've said they're not doing this now and they're saying but that's what we want them to do i'm like would you rather them just keep lying to you or do you rather than say hey we're moving to this where we're at least going to patch what we know is vulnerable first and then try to get to the rest i've never in my
lifetime told anyone not to patch everything if if i go into a business meeting if my sales team calls me in and the soc guys like we patch 100 of everything i'm like amazing let me go buy you dinner because you are doing what everyone else wants to do it's really it's really about being honest with yourself and being able to show numbers like 20 is industry leading to your board and have them not freak out because they believe that you're patching a hundred percent of everything on your network all the time any more questions awesome that was terrifying and amazing all at the same time uh right but please go to first.org/epss this is an open source
project um anybody who has any interest in vulnerability management or computer science like machine learning we'd love for you to join the sig the special interest group that helps building the next model and to help use it in any product or process that you guys want okay round of applause for jerry
okay next up uh with the schedule being changed around is james uh we're not streaming this talk you don't have to turn your phones off but if you please don't record anything because he's shy [Music]
so yeah uh i don't know the things that get ran right they shoved across right next up we have callum who is going to be talking to us about joining the industry i think hey quick shout out to our sponsors while he's coming up quorum cyber couldn't do this stuff without you x beam you too we've got emphasis governance pentas partners mimecast jumping rivers kasich and that security stroke that security company stroke pocket seam and cyberfest eh we literally cannot do this stuff without sponsors so please make sure that you like them follow them go visit them work for them buy their stuff all that right how are we doing i'm duplicating like i was
it's not let me duplicate it it's going pc screen only annoyingly so
[Music] is your screen being detected actually because that was working last time
you're not being detected
excellent right round of applause for callum [Applause] thank you for coming i'm aware i am the talk just before we all go for lunch so i will promise to keep you for ages i will not ramble at you for so long and thank you for bearing with me well troubleshooting nothing scary and doing it in a room full of people it's horrific so my talk is from graduate to con con consultant um i've been initially about two years now and the idea behind the talk was more to give people who are joining the industry potentially just starting uni i've just joined from different roles a little bit understanding of kind of what someone goes through in that sense
and there's a few different kind of stories i wanted to tell just to take away some of the nerves that some people might have for sort of joining the industry in that sense firstly who am i so i pick on these photos and i'm desperately clinging on to the fact that i graduated uni in 2020 and i don't want to let the student life go and they were me in my four years at uni the final year being me asleep on the sofa which is very much how i felt a lot of the time outside of that i am a security consultant for waterstons so i sponsor from cyberfest um a little bit more information about them at the end if
you're interested in any sort of roles or anything like that as i said i graduated uni in 2020 uh desperately not the fact that i am now working full time which is weird i'm a kickboxer outside of that i still have all my original teeth which i'm very lucky about i'm a metal head uh seriously any gigs please come and say hello and for those that are fuss buyer i use nano rather than vim and some people don't like that so i'm very sorry about that kind of they do behind the top as i said um as a grad i found it really difficult i found it very difficult um in my own sort of belief in my sense for what i
wanted to do and i also realized that illinois isn't just for graduates here there's a lot of people who have been in the industry for maybe a little while and i want to thank you as well for all the support that i personally also that you give out in general and yeah so just the there's two sort of target audiences for this just a couple of disciplines to typically get depends on my own um and those who are grads may not feel this i lack a lot of confidence in my own ability and again you may feel just fine so and that's always really good good to hear and again my former union employer that did not represent those in that
sense so firstly for grads show our hands here uh i can vaguely see i'm it's quite bright up here um who is still at uni at the moment i see a couple of hands few hands excellent stuff has anyone recently graduated been in the industry of two or three years ish a few more hands excellent stuff lovely stuff let's get everybody and those have been in for sort of five years or more rough short hands excellent stuff so really split split room which which i'm loving i'm really really enjoying so yes for those still at uni and for those recently graduated again you may feel some of these this i feel was me and still is me
now uh literally overloaded with too much information i definitely felt there was a lot to kind of get get used to when i first started these are thoughts that cross my mind and they may cross yours i don't know anything i don't want to ask questions which really got me i want to learn everything as you always do when you're quite curious in this sort of world and where do i even start these thoughts are very very normal and just make them right in the sense that again we want to try and work around those but the point with us is to show that you're not on your own with this so some tips for those kind of each
thoughts really i don't know anything this was a big one for me when i first left i got a story i'll tell in a moment um for recent sort of clients and that kind of thing you have a lot of information throughout you when you're at uni i did four years um and again mountains and mountains of information is trying to digest anything but then trying to apply it to a practical sense is very very difficult and i think the biggest point to raise faults that in time things will improve you will be able to talk about areas of your interests and so on you'll be able to talk to if you're going to a sort of consultancy
role which is where i'm based you will have more information you can confident talk about your abilities depending on what area you kind of go down give yourself time don't think that you have to jump into it on your first day and know everything you talk on about everything that you need i don't ask questions i really struggle with this i didn't want to seem stupid i didn't want to feel the imposter syndrome kicking i think was the big one but asking questions is the only way we're going to learn anything and it's scary it's horrific and again everyone's room for a test didn't want to ask a question to a colleague to a friend at some point about their role
but it is worth doing and a good mentor will give you the time that you need to learn and won't mind putting things in different ways if there's certain ways that you want to learn biggest advice i can give to those is to take notes any way you want and take notes however you please however work for you it shows your interest and allows you to look back i don't think there's a day going by where i don't refer to notes i've taken on previous engagements because again they're always worth knowing i want to learn all the things um this is a big thing i didn't really know where i wanted to go in my career when i
first started again i'm still relatively new and things may change but i do enjoy my role and i still want to learn everything and the biggest thing is there's always cool things out there there really is um the ground is that my twitter bookmarks ever expanding i need to go through and review and find out what i actually should delve into because there's so many cool things in there a couple of quotes that people went for me was inch deep about a mile wide was a start of a roll again you're getting exposed to multiple different sort of technologies and different areas it's worth again just getting flavors of each one to begin with another one was
leaning more towards the burnout side of things was it's a marathon it's not a sprint hopefully you're going to be in the industry for a long time you don't want to burn out within the first six months and end up really struggling again you've got a long way to go a lot to learn in that sense i think if you want to learn everything pick a path again whether you're thinking this broad sort of red team blue team there's different areas you can go the you can pick a pattern you can always change later people change areas of interest all the time and it's always good it's always good to do where i even start that was another big
one that i really struggled with and i think the biggest advice i can give is what's piqued your interest if it's everything fantastic let's again let's start with those little areas of interest for me personally i started with my security+ and then realized that again i went i wanted to go back to basics and let's try very very basic i went on to tryhackme many people in this room will have heard of that and i think i personally love it it gives really really good solid grounding for again different areas and you can explore further and further there is other options out there as well but i think for me personally what is a really good
solid grounding so my journey very briefly aware i am starving as well so lunchtime is very much calling so my first six months i joined a help desk i again wanted to get exposure to a little bit of help desk and then i moved over to a sock again getting very used to just getting exposed to as much as i could after about six months i joined the consultancy team and i've been there ever since it's been about 18 months now i've learned my first project within the first six months they're the cyber essentials business adventures plus gap and nlss which again was amazing and taught me quite a lot about how the business side of things
work that was really really interesting since then again i've been there about 18 months now i have multiple um assessments range declines from really small housing associations quite big sort of designing firms as well there's a bunch of different ones out there supporting the team building sort of pen testing offerings and so on and there's it's a big area now i achieved my security+ which was great fun first exam out at uni and first closed book one in a long time so that was that was really interesting having to remember stuff from the top of my head and there was hyacinto's basic assessor course that was good fun as well and i'm stood in before my crest cpsa at
the moment which is proving rather difficult but i am enjoying it thoughts i've mentioned earlier uh just of how things can be really difficult and again the impostor can kick in i don't want to ask questions all that stuff they do cross on my mind daily and had a couple of setbacks with failing a couple of exams and again questioning my own ability but they will happen but it's how we keep moving forward i think is how much i want to stress for this for those in the room who've been in infrastructure a while and are supporting a lot of people i just want to say a big thank you to you conferences like this everything that
you do is phenomenal and yeah i can't play any more than just say thank you you do so many amazing things i'm sure mentees if you have anything like that will feel how i felt before but will also be thanking you at the same time and i think i've heard from people who are mentors that they absolutely love it and it's something that we can all we always ask happy people do more and the biggest thing is that your expertise your experience and expertise is always valued very well known as time so i don't want to keep people much longer but no thank you very much and has anyone got any questions that's my twitter if you have
any questions please come find me on twitter anything like that please come and have a have a chat thank you everyone
thank you very much so questions for callum straight away
just a quick question i'm curious what your degree was in to see how you progress from whatever course you chose into the profession you've gone into so i did an ethical hacking degree um yeah it was four years and it was again it was very i loved it i i really really enjoyed it and transferring the skills was very different as it was heavily linux focused for my sort of bachelors in that sense seeing it go from sort of smaller sort of in lab time to doing for clients was a big jump i think um but yeah i'm very fortunate in the fact that i started with sort of a uni background to come into the industry in that sense i think
but yeah it is still a big jump of going from an academic sense to a work sense but no it was a big change but valuable at the same time annie okay then fine i didn't want you to work for um could i just ask in your degree did you do anything about business and how business works and what you would be doing in the business and how would you wasn't necessarily covered in that sense um from sort of memory i'm really recalling how business kind of works again we've covered very basic like here's how you can set up as a general network so we'll take some ad as the example we did a little bit of ad
it wasn't covered in kind of how that applies business how a business will be set up in that sense and even things like decision making and so on that was all learned in my role of having to speak with a client for example a recent one um it's two users and trying to work out how to apply certain controls to their estate whether that's going to affect their business on a day-to-day basis and how it fits in with their budget and so on is really difficult and i get that that all came from on the job really that's the main thing any other question so all the way back you
hello and yeah i just wanted to say a really good talk i think i saw you a couple of years ago in b-sides leads yeah and so yeah it's really interesting to see your journey i just wanted to know if you could give one piece of advice to a graduate say a 2020 t graduate yep and what would you give them for someone who wants to get into the industry oh that is a fantastic question one bit of advice this is going to sound incredibly cheesy and very sorry it's more i was gonna say they just do it i'm not sponsored by nike or anything um more down the level of as i say find your sort of area of
interest if it is everything have a look at career paths again i'll go back to tryhackme i'm not sponsored i promise even though i've got a hoodie with me that's got a little one not sponsored it gives you an idea of career paths that you can go into and whether that's through the formal education route apprenticeships that there's different options there to do and just find what sort of piques your interest really and yeah um yeah so find that area and kind of just see where it can sort of lead you i think is the advice that i would give okay any other questions all the way across really all the way groups that's it next year there'll be a
queue we're going to do a question there'll be a queue there and we'll just set up a mic and i want to run about the place thank you i'm curious oh that's very loud um yeah i'm curious like how much you think that people should value certifications in comparison to say like making personal projects and things like that how do you think they sort of compare against each other when or how do you think they fair against each other when you're applying to positions or trying to progress do you think it should be a good mix of both or would you lean on one side of oh that's a very good question i would say personally for me i find that
certainly i quite enjoy doing sets i i say enjoy when i pass them and so on as everyone kind of wants to do it one day yeah big green tick you've done it i really enjoy um seeing both i recently was heading over with interviews and it was a case of seeing what qualifications person had but also how they are as a person especially in a consultancy role is more when i'm speaking from again it's how you can talk to people how you can talk to a different group of people i think seeing a personal project again whether that could be ios for example right right in your own book that would be phenomenal because it shows
the passion you've got for the role that you may be going into certs are great again for some job sort of specs always by looking at you you clearly have the knowledge there but also users i would value both equally personally anyway and jobs may be different but personally i would say both i would value both this this sort of same really as a hiring manager yeah individual projects show what type of person somebody is certs yeah you've gone and sat and it can be depend if you're looking depends where you're looking for entry level or or not sometimes you'll be hiring for uh and you need a particular skill set having that set in that skill set
is great but if you have a thousand different search for tons of different skill sets but you've not been in the industry that long that just means you're really good at passing exams which isn't necessarily what i'm looking for so it can act it's never a bad thing to have a cert but you have to be able to back it up with the i know the stuff it's not just i could sit and pass the exams because i know plenty of people i know marines that can like fix do signal intelligence under fire but cannot set an open book exam without burst without sweating and failing which was impressive uh because it's an open book exam
but so yeah certs are great especially in some businesses where you need them for to sell your services as a business and stuff like that but uh personal projects and showing what excites you that's that that could be really telling about a person any other questions come on people
uh how much of a culture shock was it switching from being in academia doing your bachelor's over to being full-time in the workplace oh uh i'm going to say in a word huge did you have to get up in the morning and stuff like that let me go back let me go back i could no longer do the sleeping in the in the afternoon that was interesting i am not a morning person at all um so that was interesting and realizing that the night with uni i very much found that there was an end point four years i'm here i'll get my degree at the end in a working world not necessarily again if you're a contractor for six months
twelve months so on maybe with me personally there was no end date to my sort of employment i realized that i now make my own path i've gone from very much some education kind of up through the sort of levels so yeah it was a big big shock for me um yeah getting up in the morning was hard just little things i didn't realize in that this is for a while now but that's also a really good thing to know that i i've got time to build my skills up it's forever yes it's forever dark over the speech was horrifically scary yeah yeah what you do want to do is because when you're graduating uni you've got that
plan and you know in four years this is where you're going to be after that it becomes your problem to figure out where you're going to be in four or five years time and if you get yourself a good mentor there's plenty of communities and stuff like that out there the first thing they're going to do is turn and say where do you want to be in five years time right what does that need what do you have now how do we get you there so yeah you got yourself into uni and someone mapped essentially mapped the course out for you you now need to go and do that for yourself nobody's going to do it for you and you
can coast from one thing to another but if you want to achieve and you want to get to the top of your profession you have to have a plan and you have to chase it and that passion is for you to do sorry about the mic question for the room has anybody's five-year plan [Laughter] see there you go you should still have a plan you don't have to achieve it nobody's going to fail you for it but you should have a plan well you're going to fail yourself always yeah well that's fine okay any more questions for callum oh come on why are you asking a question rude um so you graduated during covid how do
you think that affected your career progression oh so i joined a remote i joined a new job working from home for 12 months that was weird i very much enjoyed the fact that again i was still at home and i had to commute to the office no all that lazy student life i'm going to call her because i was still again not used to it i definitely found that it it makes different for getting to know people knowing people through a screen it's different to knowing someone in person and so yeah i definitely think that that's the difference is if you can and you're willing to try and meet the people in person is the
biggest thing but again obviously teams is always good but you do get to know people a little bit better when you're sat face to face having a drink and like a coffee or whatever that always is better i think any more questions for girl yeah watch it you okay then another round of applause for callum because he was amazing
we are now going to have a break for lunch and then some sort of outdoor aerial thing i i honestly don't know i'm gonna be as surprised as everybody else but yes enjoy and we will meet back here shortly
weird that's what he says
stuff okay so while uh anne gets prepared to come up and talk to us a quick shout out to our wonderful sponsors who of course we could not do this without to them okay quorum cyber exim emphasis governance a woo for governance pentest partners love you guys mimecast jumping rivers kasich that security company along with pogetseem and the wonderful peoples of cyberfest all of those people we love you and thank you hi to scott on the stream [Laughter] scott cam scott girl you don't want the scott cat i don't want scott nobody wants scotland where's chris can we reverse
so one of my favorite people on twitter is about to do some talks this is anne and she's lovely [Laughter] so we are talking to you anna you've got cats and i like cats yes i'm excited awesome big big round of applause for anne okay all right love it to you thank you thanks yeah so um i'm anne and um i am on twitter as affinity editing as my grown-up adult self and fairy cake pixie for the b-sides community um no that's my normal tour to handle um so i'm gonna talk today about um the way that humans work when we communicate with each other and how that goes wrong and quite often between different
communities and different groups of people and what we can do about that because i think you know we've had a number of talks today that have already mentioned how important culture and communication is within security um so just a little bit of background as to why i'm talking about this subject um my degree is in english language and linguistics and studies in sociolinguistics and psycholinguistics and then ended up in information security after my graduate program following university where i started out in training communications i have not stood on the stage for a very long time so i'm breaking it um but um yeah so i spent the last 14 years working in information security as an
information security consultant and now i work as a writer copy editor and proofreader um for affinity editorial um which is uh it's been going for just about a year now just coming up to a year so um so yeah that's that's a little bit about me and um so we'll crack on so working in security can sometimes feel a bit like we're like we're talking to a wall um no one seems to listen to what we have to say uh even if they say they are um and i'm also tricky one um we don't usually show up with a great deal of good news to say we're a bit like the police knocking at your door um if they're
doing that they're probably it's probably not going to be news you want to celebrate um and kind of inherent in what it's sort of a bit inherent in what we do um in that we um we do everything that we can to make sure that people are doing the things that they should be doing to make sure that organizations are secure a lot of the time we don't actually have direct control over the security of a business we guide people to do the right things but we're absolutely dependent on them doing it to make our security and practices successful um and so that can often come with its own challenges as well from a business point of view from a
financial point of view we're generally a cost center we don't directly derive profit for a business so we're also you know not the um we're not in the pretty sales job that drives all of the lovely customers and things we're the people that hide in the back and are a bit difficult to talk to um and yeah we we monitor risk we advise people against less than sensible actions for very good reasons obviously and we're the first to shout about an incident and then we're the ones that go and investigate to find out who did or didn't do more likely what they should have done to prevent that event from happening in the first place
um sort of how to lose friends um and alienate people rule one number one i think um so yeah we've established that the responsibilities of our role often will drop us a few places down people's christmas cards list um and you know worse than being unpopular because really who needs the social pressure we are often seen as the bad guys it's very easy to perceive security as the no people and when we're not the no people we are the evil trying to catch you out people i'm just going to say the words phishing exercise and leave it at that shaming people is never going to build solid trusting relationships and the other thing is that security and cyber security
are very scary things to a lot of people mainly because the messages that that we bombard them with are hideous they're costing businesses millions and millions of pounds they're costing people their jobs um and they don't these are these are about things they don't understand they can't conceptualize what's going on we're saying it's their fault and they're the weakest link and all of this other you know stuff we're not always very good at helping people feel confident around security and when we don't understand things we either ignore them and pretend that it isn't real or we fight against it and that creates this sort of us and them mentality so security non-security i think sometimes
we've probably all experienced that that kind of feeling and fear is the path to the dark side the more that gap increases the harder it is to change people's perceptions and to break down the barriers that we that we suffer that we're struggling with and it's not just this it's not just non-security people the people we're trying to work with are affected by this we're directly affected by it as well we either feel like this we can't take it anymore or we feel like this so what can we do about it how do we help people to engage better with security so to explain this i want to move away from security and into the
world of linguistics for a little bit so we perceive information um socially psychologically humans are social creatures even though some of us would prefer to sit on our own in a room with cat than stand in front of a room full of people but we function in tribes and i say that in an anthropological sense um those tribes being groups of people that share common knowledge experiences interests we're all part of many of those right if you enjoy going to the gym that's one if you enjoy motorsport there's another we're all security professionals there's another um you might enjoy esport running you know photography any of these things each of those groups is a tribe and each of those tribes has
their own linguistic norms their own language their own ways of communicating with each other so they can be in the form of um words and phrases that they use the way that they um the accent that they use with each other or the kind of the idioms that they use between each other to an extent the body language that we use as well when we're when we're talking with each other so all of these features added together um the study of those features is the is the field of sociolinguistics it's very closely related to anthropology and sociology um but yeah it's we create these kind of from a linguistic point of view we create these speech communities
um and that is kind of security is a very powerful one of those communities we have a lot of our own um language and terms you think of the language of i.t and technology and security is that multiplied right so um we as humans because we belong to all of these different tribes they become um an integral part of our identity and we can have many identities that's fine and we'll code switch between the different groups that we're with but only generally speaking when we have an interest to do so and the other thing that's important to recognize is that we have a knack of filtering out the strange sounds that surround us every day so those sounds
that are not part of any of the communities or tribes that we are a part of we're not interested in them we're not part of them okay so our language the words we use and how we use them are as i've already said an integral part of our identities and in our own tribes we don't necessarily realize that our language is as private and as coded as it actually is it's all familiar and it's standard to us and um we sort of rarely hear ourselves as being the ones with the accent right everything that we're saying makes complete and perfect sense to us even if the person staring at you trying to figure out what you're
saying you might as well be speaking a different language literally
now sometimes we do deliberately use language to keep people out um we may do this to assert a kind of dominance over somebody to suggest that we are the authority voice on a subject because you know i think this is something that particularly happens in academic writing and academic um publications and things is is often you kind of write in and communicate in this kind of elevated language to suggest that you are the subject matter expert actually subject matter experts can absolutely distill that message down to really simple human everyday terms you might use analogies and metaphors that are not perfect that's fine because people understanding those messages is way more important than you using your favorite big word
in in what you've written or what you're communicating to somebody the other reason that we sometimes will choose to stay within our language community our language tribe and without considering other parties is um is for camaraderie and support from peers and colleagues um you'll you might have you know conversations with people that you're someone new to the gym and the people who are regular to the gym will have a word or a phrase for their new gym person who's just appeared and doesn't have a clue what they're doing right so you will you will be able to use your internal language to point out to somebody who is on the inside that that person doesn't know
what on earth they're doing right we've all done that and we've all had that done about us as well um so those are reasons why we sometimes stay within our language community and um yeah it's not it's not always helpful but these slides have gone mixed up so i'm going to jump to this one so knowing this knowing you know that um language and the the language that we use is related to the specific speech communities that we're operating in at any given time we naturally switch between them we ignore and we're very very good at filtering out language of communities that we are not part of right so that's security people we're part of it so we are inherently in it
people who are outside of security are those people who will filter out stuff not intentionally necessarily but because it's just not part of their world so we have to start doing things to help to open up between these different communities that we are part of so i just wanted to explain a couple of studies because there is quite it's old research now but um it kind of illustrates the point um quite well so famous linguist William Labov in 1972 did a study at Martha's Vineyard and this was an observation of linguistic change on an island that came about from a community within a community that was originally reliant on fishing to fuel the economy but the fish stocks started to decline
and so that local community became a lot more dependent on tourism and visitors to the island now what happened with the language community on that island is the accent started to started to shift between those people who were trying to protect the traditions of the island so think of it inside the community and those people who had to build stronger relationships and would build independent relationships on people who were visiting the island and the the people who were visiting the people who were dependent on those visiting the island diverged their accent away from the the original island community those that were dogmatic about protecting those traditions pushed even stronger and deeper into that accent and in a similar study in 1974 in
Norwich Trudgill also showed that speakers diverged or converged their accents based on the relationship that they had or that they wanted to have between individuals that they were communicating with now obviously those two studies were both focused around accents but it isn't just accent this is vocabulary all of those other communication factors that we've talked about body language um idioms phrases all of those other things and just those act those studies are quite nice illustrations of um the behavioral aspects if you like that we have around language and the way that we communicate with each other so we need to find some common ground we need to converge towards our colleagues and peers we need
to find these areas of common understanding now that may mean actually seeing if we can find a dive a convergence of related languages and speech communities that we belong to so i'm i like running and i like cats and i like motorsport they're all quite good subjects to have to talk to people with and you can start from any of those or relate security concepts into other parts of your of your tribal community if you like so trying to find those areas of common understanding even if they may not directly be um they're not security specific things but that helps you then to position the security content that you're the security message you're trying to share
in a world that someone else is more involved with and more engaged with and they will take so much more out of that conversation because you've been able to do that we need to reduce our reliance on our in-group shorthand so you know we we will talk about firewalls and um allow lists deny lists block lists whatever um like you know they just run they just roll off the tongue and you can just carry on well someone who's never come across these things it's like hang on a minute what and we forget how many people are not really aware of how these things work and what they do and so quite often it is a case of
of sort of remembering to strip everything right back and explain what things do um in like say in normal everyday language for people we need to care a lot more about being understood than protecting whether it's consciously or unconsciously our security identity and credentials if you like um more often than not that ends up moving away from security and honestly i've done a number of workshops with people where we've ended up um workshopping security solutions with dragons because that's how we managed to start you know dragons and castles and things like this that's how we managed to break through all of those things and make progress because people started to understand what we were trying to do and conceptualize
what or you know the objectives of what we were trying to achieve in a way that they understood it's not their job to understand the technology they're not necessarily the techies each person has their role in this we just have to help everyone understand you know everyone get to the same page so that the the people who specialists in their field can focus on the bit their specialist in but we all understand what we're trying to achieve
so it's not all about changing our message um into the language of someone else's tribe we're not trying to change the message we're not updating our um our message to suit someone else's agenda i'm not talking about presenting security problems in financial terms to talk to the finance people sometimes security people need to talk about security things because security is the thing right but what we can do is try to find this area of common ground that allows you to step people through that security message in a way that becomes accessible to them i've done a couple of talks before about plain language principles for writing and a lot of those will apply in any
communication as well it's just that i'm not going to stand up in front of you and say well when you're talking to someone talk in short concise sentences for example and use punctuation for clarity it doesn't work like that does it um but the same the principles of you know avoiding jargon explaining important terms using everyday words um like i said many times in this talk now and find common ground to work from even if that's from another tribe that you share with them and that's outside of security so ah yeah that's it no if you have questions i will try and answer them clap for ellen
do we have any questions for anne i like to use fire as a common thing i have to explain instant response to people and everyone's scared of cyber i quite often use the hey you know what to do when the fire alarm goes off don't you yes you understand what that risk is yes this is exactly the same yep and if you can use that if you use something that's common with them then yeah and that's the easiest way to break down those barriers i've spoken to many people that are terrified of cyber i mean it's just the same as fire they go oh all right yeah okay fair enough i understand that we just have to have a
process yes and practice it occasionally would be good right no nobody speaks english that wants to have a question oh there we go oh i wasn't asking if you speak english [Laughter] or
scottish a very interesting talk because uh i've just been looking at things around culture and whatever one of the things you said at the beginning was a bit of that you know the security says no um and that all we end up doing is going and finding the person who whose job it was to do something and didn't do it but do you think that's also part of the problem um i was reading something by mcgregor who was looking at maslow's hierarchy of needs and suggesting that you know people aren't interested in those higher level needs until they've satisfied the basic ones one of the basic ones is for security and if you're afraid that people are
going to tell you off um then you're not going to get beyond that so do you think that's perhaps something we need to work on in how we address that yeah it comes back to all of this is about finding ways to build relationships with people ultimately that's what that's what this comes down to is is building relationships beyond our security bubble i think um one of the the things that we have in security is it can be quite insular we are often working a lot kind of on our own and within our own community and um but when we have to engage outside of that we sort of don't switch off from that side of things um
so one of you know i think there's a lot of work that we can do about it it's mostly about making things understandable for people i like dave's fire analogy i've used ridiculous things with people i say i've genuinely done um all right this the the thing that ended up with castles and dragons was a pci compliance program mapping the end-to-end project for a pci compliance program but we got there because we had this framework that everyone could engage with in terms that they understood and it takes away some of that fear so yeah they weren't scared of the dragons no they're weird but the order came in and went right so can you show me you
say here you've got a dragon we're increasing dragon pci for targaryens so carrying on the security say no thing um and phrase i heard once was security we put the no in innovation my question was um in your experience of the particular terms that people find really hard to understand is it around the complexity of the concept or is it more just a linguistic thing do you think i think in a lot of cases it's just the the quantity of terminology and we use a heck of a lot of initialisms and acronyms for things and we're so familiar with them we we consider them almost words now you know LAN NAS SOC if only we just used one acronym for
each thing that would be helpful and didn't reuse acronyms for completely separate things as well any other questions we're on
hi um i don't really have a question but i wanted to share an analogy as well um so i run a project that's targeted to a specific fan base that i'm a part of so kind of communicating with my own tribe for tech and security education and in a thread on twitter explaining two-factor authentication the analogy i used was that your account is a house and then saying that your password's the front door like the lock on the front door and then 2fa is the deadbolt yep useful we like stories stories is good stories stories and common ground wouldn't be the same if i didn't say something so there you go and the analogy i like uses health and safety
just nothing cyber security is some is where health and safety was say 20 years ago and it just it's going to take time for it to be common practice but have any thoughts about um people in the c-suite i always find that the most difficult to persuade to sorry say that again well people in the c-suite saw your the directors and they're they're often such a gulf away from the it team that it's quite hard to communicate in their language i think the key to communicating with those people is respecting their absolute lack of time honestly it and it's just gets immediately to the point don't i i get incred i get very frustrated with
because i think that's one of those communities of people that we're often told oh change your message put it in pounds put it in terms of pounds and dollars because that's what they understand you're like but this is nothing to do with pounds and dollars it doesn't i can't do that maths it doesn't translate that way i just need them to understand that there is a threat to the business that is as real as you know the office built burning down and the reason we put all those precautions in so what i would say for that community it's respect this enormous lack of time that they have and written forms of communication probably better but
absolutely plain language for that um yeah excellent right and with that i think we give an another massive round of applause please
that was amazing and also thank you for speaking whilst qualifying's going on um you get the second half now and i'm on the stage that bit right um before we do the next one we need to empty the place and then when you come back in i will remind you afterwards there will be stuff happening on the stage and it's been requested that everybody stays seated and not do anything that might distract them if you are of a nervous disposition and don't like blood the next talk is not for you as in the sight of it not drinking it or anything like that just excellent so please leave please leave and then most of you come back also if
anyone happens to be under the age of 18 please don't come back for the next 40 minutes or so but there are lots of sweets upstairs
thank you very much hello hello everyone and did we all enjoy that or did everybody go when they did the back of the hand it it's not even the the cut or the it's the violence of the spatula thing going underneath which i was not expecting that at all but uh yeah that was uh interesting right next up we have a key and uh can we all give him a big round of applause please and away we go all right so hello everyone and welcome to uh besides welcome to newcastle for those of you who traveled a bit far my talk is going to be about linux network defense evasion so i want to kick things off for the
quick agenda you know i just want you know so let you know what's going to come next so i'm going to give a quick introduction as you know just who i am um going to be talking generally about linux defenses so you know just in general what i've seen in linux environments before um and then i'll be talking about specific technologies in linux so i'll be discussing in particular firewall called iptables and then i'll be talking about two major techniques which i've researched before and some of them i've actually used in testing before not first one's going to be bypassing the firewall iptables and then i'll be talking about delivering malware to a
target without actually sending it to the target so just a quick who am i then um currently i'm a penetration tester filing cyber uh those you may have heard of it it's a um it's a security consultancy we provided various services um before that i used to be an assistant manager at durham university unofficially penetration testing there so that's a lot of where my experience comes from um worked in previous organizations as a consultant and also have founded a training course for linux penetration testing so the first thing i want to talk about is linux defenses what exactly do i mean by the next defenses so there's three different types of linux defenses that i want to get into
the first one is going to be network based all right so when i talk about network based what i'm talking about is like first line defenses you know firewalls i'm also talking about prevention systems so some of you may have used them we've got Bro we've got Zeek we've got Snort and we've got a few others and the purpose of these defenses are basically when a threat comes in the idea is to block it or to prevent it or even detect it so what would happen is threat comes in gets detected alarm is raised and then it's then prevented hopefully prevented by somebody on the in the operation center secondly what i want to discuss is
systems based so what is system based well that is what what it says really is system-based security so when it comes to linux it's built upon a kernel and that kernel has a lot of lot of guts inside it and it also has a lot of flaws inside it so system defenses focus specifically on how can we secure the kernel how can we prevent very major attacks on linux systems and that also comes into tools like Wazuh okay one of which is deprecated and then physical based um and that is kind of like you know things like um disabling usb ports so when you're in like a data center environment kind of things to do things to consider
because if an attacker walks in they've got physical access one of the first things i'm going to try you know take in the role of an adversary try to plug in something into a usb port you know am i going to get access am i going to be able to execute something via the usb port um is a carpenter unlocked you know can i literally walk up to a server can i actually execute commands on it is it unprotected and finally BIOS and GRUB passwords so what i mean by this is system passwords especially grub for those of you who have used linux before um you'll know about the grub bootloader very easy to spawn a root shell on
something like that get an administrative access so one consideration to make is probably password the grub if you don't want to end up with a compromise so today's focus um especially as i said the two techniques i'll be talking about um it's all going to come into the network defense evasion side because that's generally what you're going to come across when you're engaged in penetration testing you will be attacking from the network as opposed to having physical access or even system access you know that would be that would fall into more shall we say niche penetration tests first of all i want to dig a little bit more into iptables now for those of you
who use linux before you will be aware there's a lot of technologies out there when it comes to when it comes to linux you know you've got firewalld you've got um you've got pfSense you've got BIG-IP F5 checkpoint uh might pronounce that wrong um there's also my favorite which is iptables which is now being developed as nftables and what iptables is it's a firewall and what a firewall is as i said first line of defense the purpose of it is to prevent any any attacks coming in what kind of attacks am i talking about so what i'm talking about is discovery attacks any particular exotic attacks you know anyone crafting particular packets
anyone attempted to do a denial of service anyone basically trying to either get into the network or knock it down so just like anything not just a firewall like any technology if it's configured right it's amazing it works really well but if it's not configured right then that can serve two means for us first one being gathering information from a shall we say misconfigured iptables instance and we can also use that as a means of defense evasion which is which is what i want to talk about today so what is what are the issues with iptables as much as i love iptables i have to say a few bad things about it um so there are different rule sets with
iptables as a firewall you know you've got drop you've got reject you've got mangle you've got all kinds of different actions which which the firewall can take now depending on the use case of it reject is shall we say the nice one you'll try to connect to a port you'll try to make a connection and reject will say sorry i can't connect to you right now because i'm not allowed to drop on the other hand is not so nice you try to connect drop won't say anything it's it's silent basically now depending on how you roll this out if you end up sending something like let's say you configure a particular port which is facing the
internet with the reject rule now what i'm going to try and do is i'm going to try to port scanner port maybe using nmap netcat whatever you know i choose to use and what i'll get back is an icmp administratively prohibited message well done you've just told me your port is open because you're using reject rules so now what i can then do is i know that port is open now i'm going to try to do more tailored perhaps phishing attacks and i'll know that port is open so what i'll probably then do later on in the attack is attempt tunnels or attempt other attempts to you know access that port now one key measure here
is as good as ip tables can be and you can configure it really well all the ipv4 configurations which are used in a lot of infrastructures today don't apply to ipv6 ipv6 is one of those things it may not be used and i know this uh many people have told me this i've already had this debate with people i work with people who i've you know done this kind of thing before and they've always said well ipv6 isn't used well i know it's not used but it's sitting there and it's waiting to be exploited in some means so in terms of exploiting ip tables i want to present a particular scenario which was involved in a penetration test
In this particular test you need to assume the role of someone who is already inside the internal network. You've basically got access, and now you want to exploit a particular port, running on 8086, on a technology called InfluxDB. Just to give everyone a bit of background, what's InfluxDB? It's a time series database, and it can store various information; it depends what you put in it, but you would generally put in any kind of data which needs to be tracked in terms of time. Now, what needs to be considered is that this device has been issued with firewall rules, and you can't access this port. In this particular example I'm talking about InfluxDB, but I could be talking about any other port; it applies to any other port. It could apply to Secure Shell, which you can use to remotely access a host; it can apply to network file shares; it can apply to any other network port which you can use to communicate with your target.

Now, one thing to consider: you can't port scan the target, you can't even reach the port. Why is that? Because iptables has been put on IPv4 and it's firewalled, because you've already run a script. Well, what do you do now? Most people in this case would say "yeah, it's firewalled, let's
move on". But there are particular measures that you can take. When it comes to exploiting something like iptables, you can perform firewall enumeration in a very basic way: you send particular network packets and then judge what response is returned. Is it going to be a one, is it going to be a zero, is it going to be something else? And then we'll know whether that particular port is firewalled or not.

Now, in this particular case I used a very specific set of tools. Those of you who use Linux know Bash. I love a bit of Bash; it's probably my favourite shell in Linux, and it's got a device file which is called /dev/tcp. You can use it for many purposes: you can scan ports with it, you can drag information in and out of it, you can do a lot of things. So what I'm essentially doing here is sending a packet to a target on a firewalled port. I'm going to test a particular port and see if it's firewalled or not. Now, if the port is firewalled, I should see exit code 124 come back from sending that particular packet.

For those of you who may want a bit of a visual idea of it, let's take this screenshot, for example. What I've done here is flush the iptables rules, so the firewall is now clean. I've then deliberately added a rule for port 810, and it's a DROP on incoming traffic; in other words, if I contact this port it's not going to let me in, it's not going to say anything, it's just going to hang. So what I'm going to do is run my tool, which I showed in the previous screenshot, and it should say 124 if the port is firewalled, and then we know iptables is potentially on this port. So now we've
been able to enumerate that there is iptables on there. So, coming back to the particular scenario, what I'm essentially doing here is trying to reach the host, trying to reach that particular port that I mentioned before. I want to attack this port; I still want access even though it's firewalled. You can do the brute force method, you can constantly try to send nmap packets on the IPv4 channel even though it's firewalled, but you're not going to get very far, because as we can see in the screenshot the state is closed, meaning it's not reachable; it's not going to say anything.

In terms of the setup here, those of you who may be wondering why I'm using proxychains to reach the host: what's actually happening is I'm using a SOCKS5 proxy. I'm connecting to one host and then connecting to the host I'm intending to connect to, so I'm essentially routing all my traffic through a jump host, and that's very helpful. If you are in a penetration test and, let's say, you don't want to make a mess on the internal network, you don't want to install nmap everywhere, you could easily have the entry point machine as a jump host, set up a dynamic SSH tunnel there, and then proxychain all the traffic from outside. Now, when I say outside, I mean a machine which is connected completely outside of the network.

So at this point it's very clear: we can't get anything out of IPv4. It's limited, it's closed, it's not saying anything back, it's useless. So what we now need to do is use an alternative communications channel: we need to move on to IPv6. Now, I know IPv6 is new, IPv6 hasn't been utilised much, and that's what makes it so valuable, because they're not going to see it coming, in terms of a penetration test.

So, in terms of exploiting iptables, it's going to happen in three stages.
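As an added example (this is not code from the talk), here is a Python probe that does the same job as the speaker's /dev/tcp-plus-timeout check above, but maps each outcome onto the REJECT and DROP behaviour described earlier: a connection refusal means nothing is listening, an ICMP "administratively prohibited" from a REJECT rule surfaces on Linux as a host- or network-unreachable error, and a plain timeout is the silent DROP (the same condition that made the speaker's wrapper exit with 124). The loopback listener is a constructed fixture so the block runs offline; the errno mapping assumes Linux.

```python
import errno
import socket

# Port states as the talk distinguishes them. A REJECT rule answers with an
# ICMP error, a DROP rule stays silent, and a port with no rule and no
# listener answers with a TCP RST.
OPEN = "open"            # three-way handshake completed
CLOSED = "closed"        # RST or ICMP port-unreachable: nothing listening
REJECTED = "rejected"    # ICMP admin-prohibited: the REJECT rule told on itself
FILTERED = "filtered"    # no answer at all: a DROP rule (or a black hole)


def classify_error(exc):
    """Map a failed connect() to the firewall behaviour that produced it.
    Assumes Linux errno values; anything unexpected is re-raised."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED
    if isinstance(exc, OSError):
        if exc.errno == errno.ECONNREFUSED:
            return CLOSED
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # Linux reports ICMP "administratively prohibited" as unreachable.
            return REJECTED
    raise exc


def probe_port(host, port, timeout=2.0):
    """Return OPEN/CLOSED/REJECTED/FILTERED for host:port.  Works for IPv4,
    global IPv6 and link-local IPv6 written with a scope, e.g. "fe80::1%eth0"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except OSError as exc:
        return classify_error(exc)


def scan(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def loopback_listener():
    """Constructed test fixture: a listening TCP socket on 127.0.0.1 and its
    port, so the probe can be exercised without any external target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = loopback_listener()
    print(scan("127.0.0.1", [port]))   # {port: 'open'}
    srv.close()
    print(scan("127.0.0.1", [port]))   # {port: 'closed'}
```

The practical reading is the one the speaker gives: "rejected" is a firewall admitting it exists, "filtered" is a DROP rule, and a port that comes back "filtered" over IPv4 is exactly the one worth re-probing over the host's link-local IPv6 address later in the talk.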
Two of those stages are going to be discovery, and then at the end you're going to craft everything together and cook the final payload. To run you through it: first of all we're going to use IPv4, so we are going to use the ICMP protocol, which is going to send packets to our target and discover that it's live. Then we're going to move on to using other protocols like ARP, and then we're going to use the IPv6 equivalent of it, which is the Neighbor Discovery Protocol. And then at the end we're going to move on to creating a payload which is going to talk to our firewalled port, and we're essentially going to gain access even though it's firewalled. So that's the objective, but we need to conduct certain steps to reach that goal.

The first thing you want to do whenever you're doing any kind of discovery, any kind of reconnaissance, and one of the things I tend to see especially with internet-based hosts, is a quick DNS lookup. What addresses does the target hold? Do they hold several IP addresses, or are they running on a particular setup like that? Do they have an IPv6 address? If you try to do DNS lookups on particular hosts, then you may actually see IPv6 addresses, or you may not. In this case I tried to do an nslookup and I only came back with IPv4 addresses. In other words, that approach failed; I couldn't go any further.

So what I then did was send a ping packet. Most of you have probably used ping before: if your internet goes down, doesn't respond, you'll quickly ping your router, you'll ping the outside, you'll ping Google, and you'll see, is this working or is it not? If it is, great, it'll be working soon; if it's not, disaster. But in this case it's working. So you send a ping packet, and look at what it gives back. When you send a ping packet, that then associates with the ARP protocol, and what that gives back is valuable pieces of information. First of all it gives back the MAC address, which is the physical address of the device; that's what we're going to need for our stages going forward. We're also going to need the physical link, in terms of where the traffic is going out, and that's what we're going to use in the next payloads.

So, talking a little bit about IPv6: IPv6 is the solution for IPv4. The truth is, it seems that with IPv4 we're
running out of addresses; there's a shortage, well, that's what they said recently, but I don't know when we're going to reach a shortage. Anyway, as a result you've then got IPv6, which is the replacement. It's huge; I'm not even going to try to pronounce that number, because it's that big. So that is the replacement. Now, there's one particular component of IPv6 which you can utilise within an internal network in order to perform host discovery, and that is called link-local addressing. Link-local addressing helps you to identify several hosts in the network using multicast addresses, and what we get out of this, the reason we're doing this, is to use the NDP protocol, the Neighbor Discovery Protocol. We essentially want to see who's got a link-local address; that's the purpose of it. So what we're going to do, using the node on our internal network, the one which we've started the tunnel over, the one we've got access to, is use this particular device and send messages, multicast messages, to gather who's got an IPv6 address and who's alive on the network.

Now, based on reading it, to be honest I don't really think it's very helpful when you just read it, so that's why I've got a diagram here. The machine in the middle, which has a sort of dark blue tone to it, that's your attacking host, the host you control. You'll then send out messages, and what you'll send out is solicitation messages. You're going to say "IPv6, where are you? I need to know where you're all at". Once you send neighbor solicitation messages, it works the same as ping does: you send out a ping, ping will send a message, and you'll get a message back via ARP. But in this case the Neighbor Discovery Protocol is going to turn around and say "yes, I'm here", and the other host is then going to say "yes, I'm here as well", and so on and so forth. What then happens for us, and what we're hoping for, is that our Neighbor Discovery Protocol table gets populated. When that table is populated, we've now got a list of link-local addresses, and we've got a means of alternatively communicating with our target.

So in terms of exploiting iptables in an internal network, that's the payload right there. What we're going to use is the ping6 binary within Linux;
we're going to specify the interface (as I said before, we need the physical link, so we get the physical link and put it in here), and then we make a call to all nodes on the internal network, and we send four packets, just for assurance. Once we send this payload we then have to perform a little bit of filtering. When it comes to internal network testing, things can get very messy very quickly; those of you in the audience who may have done internal testing before will know for an absolute fact, give it five minutes and you've already got a big mess to filter through. So what we then do is check our Neighbor Discovery Protocol table and filter it down. As I said before, we needed particular pieces of information: we needed an IP address, a MAC address and the physical link. What we're going to do now is get the IP address and get the MAC address; these are the two things that we want to filter out of our neighbor discovery table. And as you can see, we now have the link-local IPv6 address, so we are now able to communicate with this host using link-local IPv6 addressing.
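To make the discovery-and-filter step above concrete, here is an added Python example (not the speaker's code) that sends the same ping6 to the all-nodes multicast group ff02::1 on a given interface, parses the kernel's neighbour table as printed by "ip -6 neigh show", and pulls out the link-local address whose MAC matches the one learnt from ARP in the IPv4 step. The neighbour-table lines below are a constructed sample, not captured from a real network; ping6 and the ip command are assumed to be present and are only touched by the two helpers that talk to the live system.

```python
import re
import subprocess

# One line of `ip -6 neigh show` looks like (constructed sample, not a capture):
#   fe80::1c3a:9bff:fe12:3456 dev eth0 lladdr 1e:3a:9b:12:34:56 STALE
NEIGH_LINE = re.compile(
    r"^(?P<addr>[0-9a-f:]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$",
    re.IGNORECASE,
)

# States in which the kernel has no usable link-layer address for the entry.
DEAD_STATES = {"FAILED", "INCOMPLETE"}

# Constructed sample table: two live hosts, one dead entry, one global address.
SAMPLE_NEIGH_TABLE = """\
fe80::1c3a:9bff:fe12:3456 dev eth0 lladdr 1e:3a:9b:12:34:56 STALE
fe80::5054:ff:fe9a:bc01 dev eth0 lladdr 52:54:00:9a:bc:01 router REACHABLE
fe80::dead:beef:0:1 dev eth0  FAILED
2001:db8:1::10 dev eth0 lladdr 1e:3a:9b:12:34:56 DELAY
"""


def solicit_all_nodes(iface, count=4):
    """Trigger neighbour solicitations by pinging the all-nodes multicast group
    on `iface`, as the talk does with ping6.  Every IPv6-enabled host on the
    link answers and lands in our neighbour table.  Requires ping6."""
    subprocess.run(["ping6", "-c", str(count), "-I", iface, "ff02::1"],
                   capture_output=True, check=False)


def read_neigh_table():
    """Return the raw text of `ip -6 neigh show`.  Requires iproute2."""
    return subprocess.run(["ip", "-6", "neigh", "show"],
                          capture_output=True, text=True, check=True).stdout


def parse_neigh_table(text):
    """Filter the table down to entries with a known MAC: addr, dev, mac, state."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if not m or m["mac"] is None or m["state"].upper() in DEAD_STATES:
            continue
        entries.append({"addr": m["addr"].lower(), "dev": m["dev"],
                        "mac": m["mac"].lower(), "state": m["state"].upper()})
    return entries


def link_local_for_mac(entries, mac):
    """Pick the fe80:: link-local address of the host whose MAC we learnt from
    ARP, in the scoped form a socket or ping6 expects ("addr%iface")."""
    mac = mac.lower()
    for e in entries:
        if e["mac"] == mac and e["addr"].startswith("fe80:"):
            return f"{e['addr']}%{e['dev']}"
    return None


if __name__ == "__main__":
    table = parse_neigh_table(SAMPLE_NEIGH_TABLE)
    print(link_local_for_mac(table, "1E:3A:9B:12:34:56"))
```

On a live box the sequence is solicit_all_nodes("eth0"), then parse_neigh_table(read_neigh_table()), then link_local_for_mac() with the MAC from the ARP cache. The scoped address it returns is what the next step's port probe is pointed at. On distributions where ping6 has been folded into ping, substitute "ping -6".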
So what is the point? I mean, why go through all this trouble? As I said before, you essentially want to reach a particular port, a particular service, which was firewalled, blocked. Now, using this technique and using this payload, we're going to communicate with that service, we're going to gain access to that service, and we are going to be able to talk to it. The payload, as you see: we start a call via the link-local IPv6 address, and then we use the interface name, the physical link available on our machine; that's where the traffic goes out, and that's what is going to be used to talk to everyone else. We then use our target port number, and then we do some AND logic. What we basically say is: if this first part works, then this needs to work as well, and that's why we end up getting "port is open".

So now it's exploit time. The image is a little small, apologies about that, but at the top right you will notice, first of all, I'm doing a port scan on the device via the link-local address, and it says port is open. What do you know, the port's open, because I've done it through the link-local address. What I then did was use the same link-local address and try to reach the blocked port, and I came up with a message: "unable to parse authentication credentials". To give you all a bit of background here, the instance was backed up with credentials, which is good, that's blocked me out, but the point is I've managed to overcome one layer of defence. I'm now able to access this particular service, and from this point what I can now do is perhaps write a password cracker, crack these credentials and gain access into InfluxDB. So iptables in this case, as good as it might be, is about as useful as that yellow gate you see:
all you need to do is step left or step right, move forward, and that's it, gate defeated. And that's because we've managed to use IPv6 as our approach to communicate with the host.

Now, a bit of bonus knowledge here. Something that I've done in the past is VLAN hopping. Depending on how the network's connected, you will see some networks are connected all as one, so link-local addressing flies around very widely, and as a result, if you keep an eye on it, you might even be able to hop into very restricted areas. So VLANs, for those of you who may wonder what VLANs are: they are virtual local area networks, they are different segments of a network, and you can split them up for specific purposes. So you can have what we call a user-land VLAN; a user-land VLAN would be for low privileged users, do your job and that's it. And then you've got management VLANs; those are for administrators, people who manage the infrastructure. Using this technique you can go from user to management, because of the fact that you're using IPv6 link-local addressing. It's one of those techniques that helps you to do that.

To give you a bit of a visual example: you've got the attacker on the left, who is going to use that machine that they've owned inside the network. They then send a message to the other side, but they can't do that by IPv4, because it's all VLANed: VLAN 10, VLAN 20, those two are not meant to see each other, those two are not meant to talk. So as a result, what we then do is take an alternative route: we choose the IPv6 route, and then, depending on this management machine here, if it's got a link-local address, if it's got an address which is actually running and active on the network, well then you've basically managed to infiltrate the management VLAN. So what would you do from there? Let's just say port 22, Secure Shell, is open on this management machine. You could then perform a password crack, you could gain access into this machine, and, I would never recommend to any penetration tester to do this, please don't, drop all the configurations and the entire network is down. I mean, in a penetration test you would actually report this immediately, because it's a critical finding.

So that is technique number one. I'm going to move on to technique number two, which is going to be fileless malware delivery. This is a bit wider, it's a bit more elaborate, it's not very specific to IPv6, and I'm going to discuss this a little bit. So generally, when it comes
to delivering malware to a target, when it comes to general penetration testing, what you can end up with is that when an attacker wants to deliver something, they'll drop it right on the disk. It's natural, of course you're going to drop it on the disk, where else are you going to drop it? You need to put it somewhere. But the problem with that is you've got security operations centres, you've got others who may be monitoring the network, you've got defences which may be actively listening, and they could easily catch that you're doing something malicious, and there you go, you've now been burnt in terms of the penetration test. Or if you're red teaming and you get burnt, well, that's not going to be very good, is it? Because the point is to remain stealthy, but in this case you've been burnt, in other words you've been detected, so to speak.

So how does fileless malware delivery work? Well, it again uses the Linux kernel, and it uses a particular component, and that is called memfd_create. Now memfd_create, especially for attackers or penetration testers, is very useful. Without repeating exactly what it says, I'll try to paraphrase: what it essentially means is that, the way you could normally work in a normal file system, you'd be able to write to a file, save a file, delete a file, in the same way you can use memfd_create to talk to files in memory, delete files in memory, append to files in memory. As a result it's a little sneakier, because you're not actually dropping anything on the disk; you're actually putting it in memory.

So fileless payloads, and sort of the actual contents that would be involved in the exploitation phase, can be done using various techniques and various methods. Now, based on the research conducted and based on the findings of others, you can do this in two different ways. The first one is code packing, which in my opinion is amazing: it's portable, it's clean, and it's much more useful, because you can use wider payloads with it. What you would essentially do is get a malicious binary, a piece of malware, pack it up, and send it over the network using secure shell pipes. I'll explain soon what I mean by a secure shell pipe, or rather, to give you a rough idea, what I essentially mean is we'll get some data from our side and send it across to the target over the network. I'm not going to put anything on the disk; we're going to do it over the network, thanks
to the capabilities of SSH. The second technique, which is the one I've actually utilised in this presentation, is hosting the payload on an HTTP server and having a command and control. The HTTP server would be a command and control; a command and control would be a machine owned by the attacker, the machine which an attacker can use to communicate with their targets and do a lot of things. How we're going to connect, and how everything is going to happen, is going to use something called a dropper payload. Those of you who are a little bit into the malware scene may know that a dropper essentially takes a piece of content and drops it into the network.

So our approach: you've got the attacker, who is actually going to be hosting the command and control server. Now, on the command and control they are hosting a payload. This payload can be absolutely anything: it can be to scan ports within the network, in other words gather information; it can be a specific piece of malware to gain administrative access; it could be, I've never seen this before but I imagine someone's probably going to try it at some point, maybe even ransomware, and be able to deliver it into a network. So what we do is we have our dropper payload, which is going to be a Python script, and what that's going to do is make contact with our HTTP server, go to the payload, grab it out, and drop it into the network without actually storing anything on disk. In a way that is a lot more dangerous, in the sense that those defences which are supposed to be watching the disk are not going to see anything, because it's all being put in memory. So as a result, as you see here, the payload gets dropped in, it gets executed, on what should be a non-executable file system, and as a result the target machine has absolutely no traces of the offensive tools, except for being stored in memory.

So now we do a little bit of preparation. We prepare our attack, we get everything ready from our side. You've got the attacker on the left, and what I'm doing in this case is using what we call an ngrok instance. ngrok is one of those really useful tools for when you have a particular service that you want to expose to the internet; in my case I want to expose a web server.
This is where the payload's going to be hosted, this is the web server I actually want to contact, so it needs to be exposed somehow. As we see here on the right hand side, the ngrok instance is active, it's listening, and you've got the link ready to go, exposing port 8080 via the wide area network using ngrok.

So now we're going to take a bit of a dive into Python. Python is a programming language, and what you're seeing right now is actually code which is meant to be doing something malicious, so let's just go over it. What it's going to do is, as I said before, make a system call to Linux, it's going to make a memfd_create instance. It's going to say "right, I need memfd_create", and I also want to grab what we call the process identification number, in other words the PID. So once it makes a call to memfd_create, it actually creates a file which we're going to use. What then happens, in this case what I've done is written what we call a function, so this piece of code is designed to be reusable; I can use this in many situations, I don't need to cater it for one situation, I can use it for many, as long as I give it a web-based URL. From this point, once I've actually called the file, I'm then going to take all that data, I'm basically going to take all the data from the web server, and read all this data into the target. Where we actually do this is in the /proc file system. As we see with the line which says "with open", what we actually do here is spawn a file inside what should be a non-executable file system; we then insert our payload into this file system, and we need two particular components for that. In order to refer to the file, in order to have a reference to it, we first of all need the process ID; the process ID is one component, and we need the name of the file. Without these two we can't actually make any contact, so we need these two, we put them in, and then the response is written.

Once the response is written, and this is why I don't quite like the approach yet, this is why I believe it can be made more efficient: if you notice where the os.system call is being made, python3 is being launched on the other side. Now, this is an assumption. What makes you think python3 is actually on the other side? What makes you think python3 is even installed? If python3 is not installed, this whole attack has gone right in the bin. So you could now think of ways to make this a little bit more flexible, a little bit more portable, so that you don't need python3. But in this case, if python3 is definitely on the other side, and you can confirm this either through social engineering or other means, you can go ahead and use this, but it can be improved. So what we then do is send our payload. What we do is we will run
this big massive block of code as one line, where we're going to grab the payload, read it, and drop it into our network over what we call an SSH pipe.

So now it's execution time. Now that you've done the preparation, now that you've got the payload ready, it's time to go in and actually do the execution of it. Some things to consider here: we can't leave any traces on the target disk. That's the point of it, right? It's fileless. If you leave a trace on the target disk, then you've dropped a file; it's no longer fileless, it's pointless in that sense. So what we then do is, as a term that I've constantly been saying for the past five minutes or so, use SSH pipes to deliver our payload. We're essentially going to use the secure shell protocol to transfer some data over for us. In this case we're going to execute a remote command on the other side, python, and then we're making the assumption python3 is on the other side. If it's not, trouble; but in this case it is, it works, but that's something to consider and improve. From this point, what now happens is our dropper puts the payload into random access memory, and it's now sitting in memory; it's not sitting on the disk. So if you were to run any defences and try to find the malware, well, good luck, because it's not on the disk, it's sitting in memory.

So now let's actually look a little bit into what I'm talking about. Those of you wondering why I've put a big red ball there: that's just to maintain the privacy of particular hostnames, particular information which isn't meant to be disclosed. What we'll do is we'll get our dropper here, load that piece of code that you saw before, we'll have that output, and what we'll then do is use that character that kind of looks like this, which is called a pipe. So what we're doing is getting the output from here and serving it as input into the ssh command. What we're basically saying is: take that input, send it to the target I want to connect to, and then run the remote command of python3. As a result I've then done port scanning, so now I can see 22 is open, 111 is open, 443 is open, and that then informs me further about what I can do and what I can perhaps not do.
But what's been the point of this? Well, you could have dropped the malware onto the disk, someone could have caught it, and if you were on a penetration test you would have got an email saying "yeah, we just found your file, game's over". But in this case nothing's been found, or nothing should be found, because it's in memory. So, as I said, what's the point, why do it, what is the purpose of using fileless malware delivery? Well, one of the first things I've kept saying: there are security operations centres and host intrusion detection systems, the two things which are going to catch you, especially if you're going to dump a payload on the disk. Someone could be watching the machine actively, someone could be logged in; if they see what we call a malicious file, that's probably going to get deleted, and your connection might even get removed. So we don't want that. What we would generally do is use regular living-off-the-land practices, where we would perhaps write a script on the target environment, but that's not going to be so useful for us here, because let's remember, someone could be watching us.

Now, another use case of fileless malware delivery: let's say you've got a particular file system which isn't meant to execute anything. Those of you who are Linux users and admins will see noexec on some file systems, so you can't execute stuff, but in this case we can bypass the noexec flag completely, because of the way the attack works. And finally, the other good thing about this: you don't need to go around deleting files, shredding files, doing all that handy work. It's all stored in memory; once it restarts, that's it, once it restarts it's gone, it's in memory, it's been flushed out, unless of course someone was to recover the contents out of RAM or managed to get it soon enough, but that's another topic entirely.

Now let's consider the scenario a little differently. So far I've been attacking a host which
is reachable over the internet, right? Because we've been making contact with web servers, we've been doing everything, and it's been pretty good so far. But if the target is an internal host, then everything that you just saw is gone, it's not useful anymore, and the reason for that is if you've got a host inside the network, it can't reach the web server, and if it can't reach the web server, I can't reach that target. Well then it's game over, isn't it? I can't really do much there. So in that case we need to think about the strategy a little bit better.

So what are the problems with our approach? Why is it so bad? What causes a problem if it's an internal host? The first thing being that the server can't be contacted from the edge. We want to send a payload direct to our internal machine; that internal machine hasn't got internet. It's probably plugged into an internal domain controller, plugged in perhaps to an internal server, so it's not meant to be exposed to the internet. If we try to contact the outside, it's not going to know where to go. Secondly, you're not yet root. When it comes to Linux penetration testing, privilege escalation can sometimes be rare, because in some environments things are very heavily patched, things are very heavily updated. You're not yet root, you can't manipulate network connections, and even if you were root you'd need to know the exact address of the device to get an internet connection. So there's a lot playing on that second point; there needs to be a lot of need-to-knows before you can even consider that. And finally, we could cheat a little bit: we could actually deliver the payload to an entry point machine and then easily just launch the attack from the entry point machine. But then again, it's completely useless at that point; it's no longer fileless malware delivery, and the reason I say that is because you've just put a file inside the target,
the target's infrastructure, and it's no longer fileless. This is the point I'm trying to make.

So what's the solution? What is the solution in order to get into the internal host, what are we exactly going to do? As I mentioned before, you do see a red ball; that's just to redact particular names, just to make this a little bit anonymous, as some of the actions taken were in a real penetration test. What we do is a reverse SSH tunnel. To put it in more understandable terms: SSH is Secure Shell, a protocol which you can use to remotely access other hosts. What we do with the reverse tunnel is take a service on our side and deliver it to anywhere else where we also have SSH access. Something to consider here, when I said before you've got internal access: in this case you've got internal access via SSH. SSH is one of those utilities you can use for a lot of things, and what we're going to do here, we are hosting a Python server, as you may have seen, on 8080. We now need to give that to our target on the internal side so they can talk to it on the inside. So what we do is go from our side and actually deliver this to the other side.

Now, to shed a little more light on these commands, what's going on here? Well, "ssh -fN". This is pretty important. Those of you who are sysadmins or network admins, if you're using SSH, one thing I'd always recommend: never enable command execution on your tunnels. If you're going to enable command execution, a third party, someone else, a malicious insider, can easily start using your connection and start launching commands. So what this will do is background the tunnel and disable command execution. And then we get into the main
part of this of this payload we will take our python server we'll deliver it to the other site that that's where we that's where we want it to be accessed and then of course the minus j which is um what we call a jump host so first so what it essentially means is you've got you've got three three devices here you've got yourself who is sitting on the outside you're you're connected to the internet you have an internet connection you're reaching your target via internet number one number two is the machine which you use to enter the internal network number two number three is this machine that we want to reach so using this payload and
using the jump proxy what we're essentially doing is uh payload starts from here jumps to here and then jumps to here which is why we use minus j because we go from one two three tunnels being formed and now we have direct communications from our self to the target using ssh so then let's do let's do a quick check right so i've done a quick check on on the on the remote side just to confirm can i actually reach this server can i actually pull this off yes i can being logged into the other side what i've done is i've first of all checked is the processor live is it open is the port available yes it is
can i reach the server so do a quick what we call co in other words make a quick http request reach the server and then um all right okay try to be quick um so then what we do is we will run our payload using the jump hosts and then we will um be able to see what what ports are open we've managed to do this on an internal host now a quick something to quickly consider is the thing that with the big change that we've made is to go from an internal go from a web server we've now made the host internally available on one two seven zero zero one eighty because of the the
tunnel so something to quickly consider is how do we protect ourselves as defenders um [Music] from an offensive perspective this is all very good right you can be able to hide from the the disc but one thing you can't do is you can't hide from the network you're still leaving a trace you're still leaving information leakage someone who is on the defensive side will be able to see this and be sure they will knock you off and they will say yeah i've got you know so that's the end um is there any questions from anyone well a round of applause first thank you very much could you sit over there so that i would have to walk further
Hi, very interesting, thank you. Curious about the VLAN hopping example. You said you could use that to get a secure shell on a destination machine. Not sure how you're achieving that, because as an attacker you can create the packets with the double encapsulation with both VLANs, but the remote machine doesn't do that, so the packets don't get back to you.

It depends on how the network is configured, really. In a previous engagement I was able to reach a particular host which had SSH open, which is why I mentioned you can perhaps hop a VLAN. That's based on previous experience, but again it comes down to the way you've said it: it depends on how the network's configured. If the network is configured strangely enough, yeah, you can reach it; but of course if the network is well configured then no, you can't. Was that all right?

Yes, it's just VLAN hopping always seemed like a one-way street, because while you can double-encapsulate, your remote machine behaves and doesn't apply the second encapsulation that gets stripped out, to make it back across.

Well, the only answer I can probably give is the network was convoluted enough in the background in order for that to happen. Any other questions? Well, if not, let's get back. Massive round of applause, thank you everyone.
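The reverse SSH tunnel through a jump host that the first talk describes, written out as an added example by the editor; it is not the speaker's script and was not shown in the talk. Host names, user names, ports and the control-socket path are placeholders (assumptions). The functions print the command lines rather than executing them, so the block runs offline; eval the printed line on your own lab hosts. The flags used are -N (no remote command) rather than -n, a ControlMaster socket so the backgrounded tunnel can be checked and torn down later, and -R bound to the target's loopback so the listener is not exposed to the rest of the internal network.

```bash
#!/bin/sh
# Added example (not from the talk): publish a local web server inside a
# target network via a reverse SSH tunnel through a jump host.
#
# Assumed topology (all names are placeholders):
#   operator box  -->  entry host (jump, user@entry)  -->  internal target (user@target)
# The operator serves a payload on LOCAL_PORT; once the tunnel is up the
# internal target can fetch it from 127.0.0.1:REMOTE_PORT on its own loopback.
#
# Caveats worth knowing before relying on this:
#   - the target's sshd must permit remote forwarding (AllowTcpForwarding yes,
#     and PermitListen, if set, must include the port); a defender who sets
#     AllowTcpForwarding no on internal hosts blocks exactly this technique
#   - binding a remote port below 1024 needs root on the target
#   - with GatewayPorts no (the default) the listener stays on loopback
#   - the tunnel is still an SSH session plus a new listening socket on the
#     target, so it is visible to anyone watching the network or ss/netstat

# Build the tunnel invocation.
#   -f : go to background once the connection is up
#   -N : do not run a remote command; the tunnel is the only purpose
#   -M -S <sock> : open a ControlMaster socket for later check/teardown
#   -J <jump> : ProxyJump through the entry host (hop 1 -> hop 2 -> hop 3)
#   -R 127.0.0.1:REMOTE:127.0.0.1:LOCAL : listener on the target's loopback,
#        forwarding back to the server on our side
reverse_tunnel_cmd() {
    jump=$1; target=$2; local_port=$3; remote_port=$4; sock=$5
    printf 'ssh -f -N -M -S %s -J %s -R 127.0.0.1:%s:127.0.0.1:%s %s' \
        "$sock" "$jump" "$remote_port" "$local_port" "$target"
}

# Command run on the target (through the same jump) to verify the listener
# is up and the payload answers: is the port in LISTEN, does HTTP respond?
remote_check_cmd() {
    jump=$1; target=$2; remote_port=$3
    printf 'ssh -J %s %s "ss -ltn sport = :%s | grep -q LISTEN && curl -sI http://127.0.0.1:%s/ | head -n 1"' \
        "$jump" "$target" "$remote_port" "$remote_port"
}

# Ask the backgrounded master to exit through its control socket instead of
# hunting for the ssh pid; this also removes the remote listener.
teardown_cmd() {
    target=$1; sock=$2
    printf 'ssh -S %s -O exit %s' "$sock" "$target"
}

# Placeholder values; nothing below contacts the network unless you eval it.
JUMP=ops@entry.example.internal
TARGET=ops@internal-target.example.internal
SOCK=/tmp/rt.sock

if [ "${1:-}" = "show" ]; then
    reverse_tunnel_cmd "$JUMP" "$TARGET" 8080 8080 "$SOCK"; echo
    remote_check_cmd "$JUMP" "$TARGET" 8080; echo
    teardown_cmd "$TARGET" "$SOCK"; echo
fi
```

Run with `sh tunnel.sh show` to print the three commands; the tunnel line is what the talk's `ssh -f... -J ... -R ...` step does, the check line is the "is the port live, does curl answer" step, and the teardown line is the part the talk skips: with -f the ssh process has detached, so without the control socket you would be left grepping for its pid.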
Next up we're going to talk about deception technology, which is one of my favorites, so don't ruin it.

Okay, massive welcome applause for Andrew. [Applause] And here we go. Is the tech going to work, dude? One second, caller, we shall find out. Get you a little laser pointer and everything.
Our survey says... hey, brilliant, excellent. Okay, take it away, Andrew. That's right. Ah, one second, is the laser pointer going to work is the next question. Okay, there we go. I mean, I'll walk around far too much, hence why I don't like getting stuck with a keyboard, and those lights are really bright, that's going to get confusing.

Why we're here: as already mentioned, we're here for deception technology, and it's a 101 conversation. The purpose of this talk: not everybody's come across deception technology in a way we can implement it in a business case, and I'll discuss some of the reasons why I think you might want to, and some of the reasons why typically you don't get to do it in business, because we don't always get to play with the fun stuff, even if it is one of our favorite technologies. And I'll touch slightly on a bit of infrastructure as code in the hope that it may provide one way that we can do more of this stuff to help defend against our adversaries, and I'll try and combine the two. Warning: despite the pun, there might not actually be any profit at the end of it, unless you like listening to me talk, in which case I'll keep going forever. Lord Dave likes pulling people off stage, so I'll try my very best to do it.

Another disclaimer: both of these topics are 101. I'm not going to be dropping any elite-level knowledge. We're not going to change your life too much with this unless you find you really, really like it, but hopefully we'll just spark some ideas that you can take away, play with, and just get hands-on with some of this technology some more. So that's the contents of the talk.

Who am I? I'm not just the idiot that's stood on stage. My name is Andrew. Currently, my day job, I work as a cloud security engineer, and if you want to hear more about this I spend far too much of my life on Twitter talking about all of this stuff as well, to the point where somebody in the audience has already decided whether or not they can turn it into a drinking game to see if they can get drunk by the number of times I say the word honeypot in a presentation. I think possibly that's a good way to end up catatonic in the back of an ambulance, so I definitely would not recommend that one, so I shall do my best.

But before I do any of that, I want to take advantage of standing on a stage at BSides Newcastle to address an apology and a point of guilt. Does anybody remember this? Was anybody here for our first one? There's a few hands up. I've got to say, as a northern gent stood in a pair of shorts, I would kill for a freezing cold skatepark right now, because I'm boiling in this facility. The point is, if we zoom in slightly, this was the end of the keynote. You might have noticed this wrinkle on the keynote primary stage. This is the reason why this is the only conference I've offered to help out at: you should not give me power tools. So for everybody that was speaking at that event, I apologize for the dreadful setup of the stage. That's got nothing to do with this talk; I want to take advantage of a couple of seconds to get that guilt out and finally unburden myself. So apologies to anybody that had to present with that absolute abomination.

So, with that out of the way: deception technology. For me, it's not going to change the world. Everybody in security loves a silver bullet: we can put in this one new shiny toy, go home, everything's secure, the bad guys can't do anything. We know it doesn't work, so we always talk a good game of defense in depth, but often what does that mean? You've seen this; I've come ahead of myself. So this was the part that wasn't planned. I've noticed from talks both yesterday and today lots of people have mentioned MITRE and the ATT&CK framework, that salespeople
mention quite a bit. It's been around for years. A bit that's less commonly known, and I've given the game away slightly: there is a MITRE D3FEND framework which does exactly the same thing as the ATT&CK framework and maps defensive technologies that the blue team can use to try to defend against those techniques. For the purpose of this talk, if you zoom in slightly, there's a full column given over to sorts of deception technologies, where we can put some of these techniques in place as part of that defense-in-depth model to help improve our overall defenses. I've mentioned that this is MITRE's framework; as previous speakers mentioned, this is American deep state, if you don't want to go there. Other models are available.

Does anybody recognize this table at all? I can't see a thing with these lights. No? Possibly not, lovely obscure paper. This was published about 10 years ago, released by Lockheed Martin, and was potentially responsible for starting what turned into complete marketing buzzword bingo with the term "kill chain". Trying not to get too put off by the marketing side, the paper itself is actually quite good, and in the same way gives some time over to deception technologies alongside the rest of your defensive stack.

So that's deception technologies. When I was starting my career, more years ago than I care to admit when I'm stood on stage, especially if it's being recorded, I came across deception technologies for the first time in the case of honeypots (please don't take a shot), and I thought this was the coolest thing in the world. For some reason it just made sense to me. I thought this could really be a game changer, I thought this was brand new, cutting edge, we could really do something about this. And I talked to a couple of people and somebody said, if you like honeypots, what you need to do is read this book. Has anybody read The Cuckoo's Egg before? Plenty of hands up, that's brilliant. I'm not entirely sure how I managed to miss it. For those of you that haven't read it, I honestly fully recommend it, but a very short overview of the story: Cliff, our hero of the story, was working on his university systems, like a lot of us doing the day job, and went off to investigate some weird activity on his systems. As part of that he deployed some fake user accounts, some fake data that he thought his adversary, and sort of threat hunting, took a hypothesis, put some data out there that he thought his adversary might be interested in, so he'd get a better idea of what they were up to. And in the end, I'll try to be quick, he found a foreign adversary that was trying to sell the data that was stolen to the KGB. Again, cutting edge, bleeding edge; if you've been watching the news this might seem fairly familiar. This was back in 1986. The technology that I thought was cutting edge, this guy was doing at a time I was still crawling around in diapers. So unfortunately, yeah, it wasn't that cutting edge. I said I love this book, give it a read. I love everything Cliff's done, and there's a few spaces if you're interested, take a look. The one thing you might want to take some credit away from him for: as part of this work, when he put these triggers in place, this was before a lot of network defensive technology was in place, one of his traps he had connected up to a pager, if anybody is old enough to remember those things, so that when his adversary was on the network he would get a notification in real time. The guy might have invented honeypot technologies, but it seems he's also invented the on-call pager, so try not to hate him too much. I think we've all done that before. So I'll skip really quickly over that so I don't get him too much.

So what are our options for defensive technologies? The frameworks I've shown before had lots of different boxes; I'll try to add some value to some of those now. This is the point of the talk where I'm at serious risk of overrunning my time slot, because I could
talk about this forever and keep coming up with more ideas, so I'll try to keep these brief. I'm going to try and start off with some of the less technical ones, the easiest ways to get involved with deceiving our adversaries, which ultimately is what we're trying to do. I'd imagine everybody in this room is going to be aware that somewhere out there we're responsible for systems; there's bad people out there trying to do bad things; we want to stop them doing bad things. So we'll start off with an easy one, and I can't see a thing with these lights: who can tell me what a robots.txt file is?

Exactly that, with the emphasis on where they can't go. Deception technologies: if you look at a robots.txt file, and a few of the pentesters will have already seen, in some of the talks from yesterday, the use of some of this information to play with financial markets and make some nice profit. If I'm a pentester seeing that, I might just want to go and see what the Q4 releases are going to be that they don't want Google to know about. Defensive side: if I've got a monitor looking for any bad people looking for those directories, they're probably having a look around my robots.txt file looking for things I don't want them to know about. That helps flesh out some of the activity they're doing and might point me to other bad things that they were doing but had already slipped under the radar.

Similarly, if you're on a system that might be compromised, surely nobody would be stupid enough to leave an Excel spreadsheet full of domain admin passwords lying around on the desktop, mentioning no names. Similarly, you could populate that file with some usernames that are active on the system but don't actually get used, and again you can look for activity on some of those. It gives you some indication of what people are doing around on your network.

I said this is the point where I'm at serious risk of overrunning, because I'm going to add in another example which wasn't on the slide deck, but it came to mind watching the previous chap's talk: one of the discovery phases, really quickly, you've all just seen it, was abusing the ARP protocol to look for other systems on the network. One of the oldest honeypots that I'm aware of did something similar. It sat on the network and looked for ARP requests. If a genuine system claimed that IP address, what the honeypot does is it just lets it go. If there's not a system on the network that claims that address, it says "yep, over here, that's me" and then starts responding to the people looking for those systems really, really slowly. So absolutely every system on a network, if you do an nmap scan, responds and says there's something there, and it starts going really slowly and slows your adversary down. It's not the end of the world; any competent pentester should probably see this quite quickly, work out what's going on and work around it, but it's another hurdle they've got to get through. It's another opportunity for the blue team to identify something's going on and start looking further. So with that I'll get back on script.

Come and see me, yesterday again; I do like a bit of audience participation. Can anybody tell me what this little bit of HTML is liable to provide? It is, it's a form, specifically it's an admin form. You can see we have a username, a password, and it's a fairly basic form, primarily because I'm not a developer by any stretch, so I stole this from w3schools as an example. But if you edit it, you might see a little addition of a hidden field next to the form with an admin that equals false. Now I know very few pentesters that are going to see this that aren't going to go "oh, that looks interesting, what happens if that turns true?" A perfect example from yesterday: I forget, I'm dreadful with names, I'll forget the chap who did the talk, gave an example of authentication bypass very, very similar to this: change the success of false to a success of true and bypass the authentication. So most pentesters will see this. Automated tooling like ZAP or Burp will sweep it, and I'm going to look at that, give it a chance and see what happens. Again, anything that came through the form that had admin of anything other than false probably means someone's doing something they shouldn't, because it's a hidden form field and a normal user should never see that field, should never interact with it. So it gives us another trigger that we can see what's going on.

Okay, to get more interesting, and this is where things take a bit more time to set up: Cowrie, and I'll get to Cowrie in a bit
more detail, but it is essentially, as you've just seen from the previous talk that set me up perfectly, as I keep saying, SSH can be used for all manner of things. Any Linux sysadmin is going to know how to use it; any competent pentester or attacker is going to know how to abuse it. Cowrie, we'll get to that, is an SSH honeypot for taking advantage of people interacting with it. And we all like the serverless world, clouds, micro containers, micro workloads, all the serverless stuff, so I've got an example of a honey token for an AWS key pair which you can use to look at attacks against the cloud rather than traditional things.

So moving on: what is Cowrie in detail? It's that SSH daemon of a Linux server. SSH gives you command-level access into the box, and Cowrie essentially fakes that system. So what can you do with that? It does an awful lot of things. One of the most basic ones, especially if you set one of these out on the internet: I've got one running now with port SSH open to the world without a firewall. It's going to get attacked. For my purposes it gets attacked very, very rapidly, very, very frequently, and gives me lots of things to get me distracted when I should be making tea for the kids and instead I'm playing with honeypots.

Example: you can see what usernames and passwords are being used by real attacks in the world. You can see, come on, wrong button, you can see from the file name this was just last week; this was just one day's worth of data, it's running off the end of my screen. This isn't username and password combinations that I'm pulling out of things like the RockYou database or all the attacking tools; this is things that's been used in the wild against my system, and I suspect all of your systems as well. So if you want to do a password check against the passwords you've got on your system, it probably makes sense to make sure that these combinations definitely aren't in use. From a researcher side like myself, it's interesting to take some of the more interesting ones, like for example looking at the top one, "zero one zero cdy" gibberish. I'll be honest, when I get home I'm going to be putting that into Google to see what default password that is for some system and to see why it's suddenly so interesting to my adversaries. And from a business perspective, if it then becomes apparent that's the default for a particular application or particular network device, I'm then going to see if that particular service, that particular device, is on my network, and more importantly if the admins have changed it from whatever the default password is.

One of the things I like about Cowrie, originally Kippo before it was rebuilt, is if you guess the right password it will give you a shell. Restricted, you can't do everything, but from a user's perspective you get on, at which point we can then start seeing what our adversaries are doing. When I started doing this, far too long ago as I've said, the one thing I found really interesting is that human attackers on a system really can't type. They make more typos than me when there's somebody watching me, which is impressive. But you also see things like this: you can see the dark area of sort of this block here, this is lots of Linux bash commands chained together all in one go, a really good indication that the attacker in this instance was a bot. There's not a human at a keyboard, nobody's sitting typing that out by hand all the way; there's a bit of automation. And to a limited extent, the Cowrie SSH process will let it do what it wants. In this case it's gone away; this attacker's going "okay, I want to get some more attacks". The previous talk on fileless malware, using that dropper to make the second payload: in this case Cowrie will let that connection go, it will take the file and it'll do absolutely everything with it, with the exception of executing it. But then I've got a copy of that fileless payload, and in this case this was the first payload which went off to get more attacks. Very, very brief analysis, I'm not going to go through any of the reverse engineering for any of this, I spent about 30 seconds on my sofa last night to make sure I knew what this was: it looks like this is a copy of the Mirai botnet that's still bouncing around trying to attack things. And if you want to play with all that and Cowrie, I get fascinated: every time I install the system I find they've added a new feature. By default it fakes SSH; it can do FTP, SMTP, all manner of servers as well, but it provides a system on your network which you want your adversaries to engage with. One, it distracts them, but anything interacting with this system you want to take a look at, because it's probably someone doing something nefarious. And from my side, I'm a strange geek, it's fun. I spend far too much time watching bad guys attack systems that I don't care about.

So that's yesterday's one. I said very briefly I've got some key honeypots; I'm going to do this really quick. So if anybody was at DC4419 a few months ago, you've already got a full 30 minutes of me explaining this. So really quickly, what it is: key pair is AWS terminology. If you've not used AWS, it's essentially username and
password. You generate one, you leak it somewhere on the internet, see if anybody wants to abuse it. We're not entirely crazy: you give it a policy that gives it no permissions, so they can't actually do anything. All it does is it means that when someone tries to talk to AWS's platform with this key, AWS associates that key back to me, so I get the visibility of what's going on instead of just their SOC. I'll leave out the guts: using various services it monitors all the logs and ultimately, I'll try not to give Cliff too much grief at this point, it fires off a message to the pager to tell us that somebody's abusing that key. As you can see, in this instance there's a fair few moving parts. The first time, when I was working this out by hand, it took me a good few hours poking boxes randomly making sure I got it in place, and it took a bit of time to build, but the end results are quite good.

So hopefully, with that very brief overview of some of the options that you can get in deception technology, I'm hoping I've generated a bit of interest and potentially a few ideas for where you could take some of this mindset to help defend some of your networks and get some better visibility. To me, I think a lot of this is a no-brainer. I hope everybody else does as well; I seem to get people excited when I start talking about this, that do quite like the idea. So what's stopping us?

One: it's time. Old world, the first Cowrie honeypot I built took me several days to build a new Linux system. Yeah, my boss isn't going to be too happy if I'm playing with that if it's not done achieving the sprint. So there's some time involved. There is some expense: you're running a system. Old world, if it was old-fashioned tin, these things get expensive. And fundamentally we've got higher priorities. You look at that big table of all the defensive controls we should be putting in place, including that you've got patching, anti-virus, firewalls, all the system hardening stuff that we should be doing, and as much as I love this technology, in all honesty, if you're not doing any of that, if your antivirus isn't up to date, if your patches are missing (although apparently 20% patching is good, from a previous talk, which was a stat that somewhat scared me), but if you're missing the basics, deception technology, you're probably not quite at maturity yet, and that's one of the problems we'll get: it's that return on investment, what's going on. And the biggest problem I've seen: management buy-in. I'm speaking at a technical security conference here trying to explain what this technology is; hopefully I've not lost anybody yet, but equally it's not a technology everyone comes across. This audience isn't too bad. You go to management, you go to the C-suite, and you tell them that you want to pay money to deploy a system that you purposely want the bad guys to attack, hack and crack, they're going to look at you like you've got three heads. It's not the easiest of sales pitches, especially if you tell them that you want to take time out from doing other things and spend their money to do it. It's an interesting sales pitch, and the ROI is just not there.

And one of the biggest ones I'm seeing: whilst as an industry we always talk about defense in depth, defense in depth is good, there's no silver bullets, everything I feel we need extra, I've never once come across a regulatory or compliance framework that says "hey, you need a honeypot, you need some deception". Antivirus, patching, all the stuff that everybody does, the auditors are going to be really hard to go "yep, you need to do this". I've never once had an auditor that's come to me with "where's your honeypot?" Now I say that slightly tongue in cheek; I'm sure if there's any ISO 27001 people in the audience, my own compliance guys do the same thing: "well, it's absolutely in the framework, you have it as a compensating control", and that's fine, but you've got to define that as a control. It's not something that's mandated, which means management has to let you do it. So that's a lot of things that are stopping us.

But I don't want to be too negative, because I like playing with fun toys, I hope everybody else does as well. So what if we can change all of that? And disclaimer, yep, I'm not going to do all that: management buy-in for this, it doesn't matter what we do technically, it's going to be more interesting, and I'm probably not changing the compliance guys' view of the world either. But one of the bits I've wanted to deal with, especially the concept, the blockers, of not having enough time
to do some of this (we've all got busy day jobs) and the expense of running these things: get them up and running, get some value out, and get them down. I don't know why my slide to that is what you might have guessed: it's leveraging infrastructure as code. It's nothing new; the ops guys have been doing this for many years, lots of you possibly doing this as well, but equally, especially from security people, I've seen a lot of security people that know their operations team use infrastructure as code, but there's some security people that don't actually know how to use it for security tooling. So hopefully I'll try to explain a bit of that.

So really, however, what this infrastructure as code is, it kind of names itself: it is code that defines your infrastructure. And the key advantage is it's repeatable. From the Cowrie perspective, I said the first one I built took me three days playing with the Linux box to get it up and running, getting all the patches in place, getting all the requirements in place, recompiling it; it was a mess. But eventually, once you go down the infrastructure-as-code route, once you do that work once, the deployment of that thing becomes repeatable, and at the click of a button, as we'll show a bit later on, you can do that thing again and again and again, which makes it automatable. And as much as I like playing with shiny toys, I am also inherently lazy. I don't like doing the same thing over and over; that's Sisyphus pushing the rock up the hill, that's not what I want to do. I want to do one thing once and then play with the goodies. And now that I've got this in place, and I can share the links later for my Cowrie honeypots, if I want a new one I tell Terraform to go and give me one and it just does it. I love infrastructure as code, I love automation; ultimately I love sitting in a hammock reading a book instead of building the same system I've spoken about three times.

The other advantage of it is, because it's repeatable, it's the same thing, it should be less error-prone. Once you get it right once, you've got no chance of making a mistake. And the example I showed earlier with the AWS key, I said the first time I did it by hand, made a few changes; it was quite a manual process, simple enough process, but lots of manual steps, plenty of places, especially when you're distracted (phone call, odd tweet, I need some coffee, the dog wants letting out), to forget where you are, miss a bit. Just let the automation take care of it and do it all in one go.

Ah, one of the blockers: reduced costs. One of the things, especially from my side as an individual researcher, for myself, a lot of the stuff I do, especially in the honeypot world that's not tied directly with work, is all attached to my credit card. I'm sure everyone's aware of various horror stories; there's one I believe sitting in this room, yep, there he is, of potentially really, really nasty AWS bills. I don't want to call you out, but if you stick your hand up that's absolutely fine. These things terrify me: running something in one of the clouds, forgetting to turn it off, and at the end of the month getting a horrendous bill because I forgot. That's the kind of thing that keeps me up at night. That's the sort of thing I really don't want to have to explain to the missus, that I can't pay the childcare for the kids because I forgot to turn the server off. Infrastructure as code, that all goes away. You finish your project, you finish your tinkering at the end of the night, you run that destroy command, and everything that's been deployed via infrastructure as code gets destroyed via the same system. It tracks it all for you. My memory is atrocious; I don't have to remember that, I just need to remember to kill the project I was working on. It helps keep my credit card bills down, and if you're doing it as an employer, it might help you keep your costs down as well.

As a brief show of hands, not necessarily about infrastructure as code, but in your network, how many people at some point in their career have had a random box that sat in the data center that nobody quite knows what it does, nobody remembers who put it there, but nobody's quite got the steel balls to turn it off because nobody quite knows what it does? I've got at least a couple of hands; I've got a lot of very nervous faces that aren't willing to put their hands up. But same sort of thing: you build everything as infrastructure as code, at the very least you've got that documentation history of what's there. It means that you can turn it off if you need to; it means that if you've got the infrastructure as code and it turns out you really shouldn't have turned it off, you can deploy it back; but it also keeps a record of exactly what that configuration was. I said, using the example of the Cowrie installation for myself, it took me three days to get that working. By the time I got it working I'd tried that many different things to get it working that I had no idea what I'd done to get it working, and it was almost as long to do it the second time round. So keep everything documented; it makes life easy.

Infrastructure as code: there are almost as many options for infrastructure as code as there are
languages for writing any piece of software, and for any devs in the room, there's lots of arguments and lots of options, it causes lots of arguments, everyone's got their favorite. If you've come across it, there's things like Ansible as one option, Pulumi, Chef. There's native tools if you want to stick with a particular platform, like AWS's CloudFormation, and the Cloud Development Kit is actually one of my personal favorites at the minute. I love the concept of it just because it lives inside of other programming languages; you don't need to learn another syntax for the infrastructure as code. In my case I can now write infrastructure as code as Python; you might prefer TypeScript, and it leaves it that close to you without learning something else.

For my infrastructure as code I use Terraform. I'll debate the pros and cons separately as to which one's better than others. I'll be perfectly honest, I use Terraform because when I started looking at infrastructure as code that's what my operational team were using; that's the people I could go tap on the shoulder to get some help from when it all went horribly wrong. So I'd love to tell you there's a wonderful technical reason for that; it was just where I'd get the most help to get it up and running. But for the purposes of this it serves as an example.

Infrastructure as code: this is some Terraform. This is part of the deployment of that AWS key; in this case it's creating the policy that says "go away". If anyone's looking at this, if you don't know Terraform, hopefully it's fairly readable. If you've got any experience of any sort of object-oriented type language, it looks a bit like a class: we define a thing, in this case it's a user policy, and we give it a name, we set some variables. One of the powerful bits of it is, when you looked at that, there were lots of moving parts for setting up something, even just something as simple as a user key, lots of different components interacting. They can all be self-referencing, so if you don't know what a particular thing is going to be at the time, give a reference in the code, let Terraform work it all out, and it just does it for you. For the purpose of time I'm not going to go into too much detail, but that's an example of what it looks like, and to us, if I can work this out fairly quickly, you don't have to be too much of a genius to work this out. So go and have a play, especially as the one big bit I will say for Terraform is HashiCorp have done an absolutely fantastic job with the documentation manual. I never thought I'd stand on the stage and say some documentation was good. I hate documentation generally; I hate reading it, I'd most definitely hate writing it, and I most definitely hate watching documentation as a video. People that do that can get heated in the sun. But Terraform's documentation, it's brilliant. Usually I look for the thing that's erroring, a quick look in there, scroll up and down a few lines, get the answer, get it fixed. That's one of the few places where, without being too insulting, I will just say RTFM. So if you're playing with that, it's relatively straightforward. There's a core workflow which, if you use other infrastructure-as-code platforms as well, is fairly similar, but I'll stick with the Terraform one for example. First thing you do: initialize your directory.
if you play with source uh repositories your gits your um subversions things like that very similar just sets it up say yep this directory i'm going to deploy some terraform to it then we write the code that might be writing something like you've just seen or just cloning somebody else's chord and reusing what they've got the bit that for me makes infrastructure score because i'm a tinkerer i play with new things i don't always know what i'm doing when i'm started it's got the concept of a plan you can write some code you can run a plan it'll look at your code it looks at where you're trying to deploy in this example i'm using aws but it can talk to
other other cloud providers are available gcp azure digital ocean wherever your kit is if you're on prem you can get providers for vmware uh for example or docker repositories if you're containerless so you can work with whatever you've got and it will map the thing you've just defined as code with the work environment and it will give you an idea of okay i'm looking at this to make the environment look like what it is you've described i think i bring the toe of um the terraform the infrastructure scored i think that's what i'm going to do and it'll tell you what it's going to build what it's going to create what it's going to look like
and it does all of that without actually making any changes so you can verify that it's doing what you want to do without touching anything uh when i'm playing in my own environment that's not the biggest end of the world if you're playing in a corporate environment knowing what it's going to do before you go and break production it's slightly important and i find that rather useful once you're happy you apply it and it goes off and does all the hard work for you um in this deployment example it took a few seconds as opposed to several hours of manually pushing the buttons even when we knew exactly what we wanted to do thus saving us time
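As an added worked example of the two things described above, the "go away" user policy and the plan-then-apply workflow, here is a complete Terraform configuration that deploys one AWS IAM user, one access key and an inline policy that explicitly denies everything. This is my illustration, not the slide from the talk: the resource names, the region, the provider version constraint and the idea of treating the key as a watched "canary" are my assumptions. The point to notice is the self-referencing the speaker mentions: the policy and the key never hard-code the user name or key ID, they reference the resources, and Terraform resolves the dependency order itself.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed provider major version
    }
  }
}

provider "aws" {
  region = "eu-west-2" # assumed region; credentials come from the usual AWS env/profile
}

# The IAM user whose key we are going to watch. Name is hypothetical.
resource "aws_iam_user" "canary" {
  name = "canary-user"
}

# The access key itself. Its ID and secret only exist after apply, so anything
# that needs them references this resource rather than a literal value.
resource "aws_iam_access_key" "canary" {
  user = aws_iam_user.canary.name
}

# The "go away" policy: an explicit Deny on every action and every resource.
# Attached inline to the user above by reference, not by a copied name.
resource "aws_iam_user_policy" "go_away" {
  name = "go-away"
  user = aws_iam_user.canary.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "GoAway"
        Effect   = "Deny"
        Action   = "*"
        Resource = "*"
      }
    ]
  })
}

# Outputs so the values can be handed to whatever is watching for use of the key.
output "canary_access_key_id" {
  value = aws_iam_access_key.canary.id
}

output "canary_secret_access_key" {
  value     = aws_iam_access_key.canary.secret
  sensitive = true # kept out of normal plan/apply output; read with `terraform output -raw`
}
```

Run it with the workflow from the talk: `terraform init` to set up the directory and fetch the provider, `terraform fmt` and `terraform validate` for the formatting and syntax checks, `terraform plan -out=tfplan` to see exactly what will be created without touching the account, `terraform apply tfplan` so that what you apply is precisely the plan you reviewed, and `terraform destroy` when you are done so nothing is left running on the card. Two caveats a practitioner will want: an explicit Deny on `*` stops every IAM-authorised action by this user, but `sts:GetCallerIdentity` needs no permissions and cannot be denied by policy, so a leaked key can still be "checked" with it and that call is the one most worth alerting on in CloudTrail; and, as the speaker notes, a clean plan is not a guarantee, because the provider only discovers some failures (account limits, naming clashes, missing permissions on the credentials running Terraform) once the real API calls are made during apply.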
And as I've already alluded to, when you're all done, hit the destroy button: everything goes away, no more big credit card bills for Andrew, everybody's happy. There's a couple of other steps you might guess from the gap there: there's automatic formatting in there, which is just nice, makes my code look like everybody else's code, makes it look like I'm somewhat competent because it looks like a decent developer wrote it; and there's a validation step in there that checks that the syntax is right, silly typos, those things, before you get there. It's not 100% foolproof: it's quite possible to write some infrastructure as code that passes validation, passes the formatting, the plan says "yep, this is what I'm going to do", and you still end up with a problem once it starts making those API calls, but I believe that's a problem for later, not for this use case. If you're interested in some of this, you can get ridiculously complex. I've purposely tried to keep the examples I'm using quite straightforward: the Kali installation is just using Terraform as code to deploy one box to get exactly what I want; the AWS example is just deploying one AWS key to watch those. But the world