
All right, as I was introduced, my name is Jacob Torrey. This is my talk on playing games with chimeras. So thank you everyone for being here. I know it's rather early, especially if you're coming in from further west like me, it's even earlier. Also very much thanks to all of our sponsors who make this possible, and again thanks everyone for coming out here. I know there's a lot of cool stuff going on here: there's villages, there's other talks, there's people talking, you know, friends you can meet. And so I appreciate you guys, at least for now. You know, as you see the talk you'll probably get up and leave, but at least for now I appreciate you for coming to my talk. So I'll have another thank you for those who stay all the way through at the end, so you can look forward to that.

So diving right in. The kind of thesis, for the people who are going to take notes and then go back and tell their friends what they saw, this is really what it's all about: we live in a world now of unbridled complexity, and basic attackers or clever attackers have turned into these mythical beasts we call hackers, or malicious hackers, especially in the news. And I think what I'd like to say is that it doesn't have to be all doom and gloom. We can attack these mythical beasts at any scale of resources, and I'll get into that a little bit when I go into my background.

So first, I live in southwestern Colorado, so it's one hour earlier for me, so the coffee is kicking in. Thanks for that coffee. I had quite the trip over here yesterday. Some of the things I like to do for fun, well, sort of fun: I put out fires. Not for fun, but it's pretty good. For fun I do like to go skiing and ice climbing in the winter, and then trail running in the summer. More relevant to this crowd, probably,
I've had kind of a career that's let me see both ends of the spectrum in terms of scale of resources. So when I started working, you know, it was just me, an individual contributor, kind of an intern, and I worked my way up to leading a smallish team at a company called Assured Information Security. And then I went from that kind of small scale to a very large scale: I was at DARPA as a program manager, so that's a much bigger thing. If you've never heard of DARPA, you could ask Siri, which was invented at DARPA, or look it up on the internet, which was invented by DARPA, where you can look up where it is on Google Maps using GPS, which was also invented by DARPA. So they do some cool stuff there, and I was really privileged to be part of that. I then spent about a year at AWS managing some security teams there, and now I'm at Thinkst, which no one's probably heard of, but they've probably heard of Canaries. So I run their new labs group, which is just me. So now I'm at the smallest scale, which is basically like one deadbeat engineer, myself. So if someone wants to come and double the size or triple the size of my team, please let me know.

So just kind of roughly, I think my team was maybe two million dollars a year in budget at AIS, and then it was like 200, 300 million a year at DARPA that I was personally able to kind of direct. AWS, a lot of compute resources; I mean we had this thing called the cloud that we could use, and it was really fun kind of seeing how much my boss was getting billed for us using things to do fuzzing at scale, but not that much in terms of human resources, a pretty small team still. And then, you know, Thinkst is just like maybe a pity half dollar there, of me getting to play around with stuff.

So this is kind of an interesting thing. This is going to be something where I want to say that we can do interesting work at all different scales, whether or not you're an individual person working on a beat-up Chromebook, to, you know, a pretty rich country that spends a lot of money on defense. You can play in different places, and that's kind of what I'm gonna talk about: how you can still be effective at whatever scale you have. And also, at the end of the day, money doesn't necessarily mean value, right? I feel like I've gotten more free credit monitoring in the last couple years than I ever have before. I think at this point I don't think I'll ever have to pay for free credit monitoring. And ransomware is really starting to get into impacting daily life, right? So, thanks, I have some money and that gets impacted. You know, meat, that's something pretty important. I mean we heard that talk earlier about the steak; if we can't get steak because of ransomware, that's a pretty sad world. You know, gasoline is also pretty important. I'm not too sad about insurance companies that go on the record saying how people who get ransomware are idiots and then get ransomware, so that one's just kind of funny. And then this one, I didn't make, really doesn't make sense. I mean, why would you ransomware a computer company? Because then you can't ransomware the people who buy those computers and use those computers. But I guess they're making money anyway. So we're not really doing that well, I guess, is kind of the point of that.

So what's going on? And here's a little bit of audience participation; don't worry, there's no wrong answers. So the physical world has physical limits, and we've pretty much come to understand this, right? If I take this water bottle and I drop it, who here thinks it will fall to the ground? Show of hands. There are some anti-gravity people here. You are entitled to your belief; it's actually in this case not really harming anyone, so I'd much rather you be anti-gravity than anti-other things. So I think that these physical laws, and the expectations when we live in a physical world, are like a speed limit on complexity, which is actually a good thing, right? Simplicity and predictability allow us to create amazing things, and they allow us to generalize knowledge, right? I don't need to write like a mathematical formula, or you don't need to see me drop this exact water bottle onto the stage, to understand that it's probably going to happen. You can generalize, because you probably all dropped something, probably heavy, and it probably hit your toe at some point in your life, and so you've learned that lesson and now you're pretty good at that, right?
And really we've lived for many, many eons with these constraints, right? Without them, though, designing a building even could be a near impossible task. So I like this picture: M.C. Escher, famous Dutch illustrator, is showing this kind of infinite staircase, and without the physical world and the physical constraints you could probably build this. And people who have ever looked at code that someone else has written, they've definitely seen this building written in code, something that should not ever have existed, and you want to burn it down, and then you look up and you realize, oh crap, I wrote that code three years ago and I'm an idiot. Definitely done that, and it's always Perl, sorry.

So unfortunately, systems today, I mean all systems, right, you can think of that in very generic terms, any scale, are no longer encumbered by these physical laws, right? They have near limitless complexity. Mike Walker, who ran the Cyber Grand Challenge, had this great quote that software tells the CPU what not to do, rather than telling the computer what to do. So you think about it: the CPU could be in almost any state, and the software is trying to say "please stay over here", and then the attackers are saying "please go over here". And they're also more interconnected than ever before. I mean healthcare, meat, computers, everything is connected. I skipped credit. So Thomas Dullien, also Halvar Flake, gave a great talk on complexity and the economics of complexity at CyCon, which is like a NATO cybersecurity conference in Estonia, a couple years ago. Definitely worth checking out. Much smarter than me, so in case this one piques your curiosity but I don't do a very good job of presenting it, go check these out and they'll definitely do a much better job.

So let's take a very simple example. Everyone's probably configured some software, your home router, computer, done something. So have you ever thought about how many ways you can configure a piece of software? So let's think biggest number. Someone yell a big number. Three? Three, okay, three is bigger than some numbers. One million, okay. Anything bigger? All right, well, I've been hearing you guys, your masks are making it hard to hear, sorry. I'll just say you guys said 10 to the 18, which is roughly the estimate of the number of grains of sand on all the beaches in the world. And then someone really clever said 10 to the 80, which is the estimated number of fundamental particles in the observable universe. It's a pretty big number; I mean more than I could count to. And then we get to a googol, which is a pretty funny number, it's not very useful, that's 10 to the 100. It's just a very large number. And then we get to the number of ways you can take a standard install of Windows 10 and use GPO to configure it. That's a very big number. I don't think there's a name for it; I tried looking for a name for it, I couldn't figure it out, so we can just call it the Windows 10 number. And I mean this is not to dig at Microsoft, I mean a little bit it is, but only a little bit, and this is essentially the same for OS X and Linux. There's thousands of configuration options when you're building the Linux kernel, and then you can go into the whole world of systemd, and macOS has the same type of complicated plists and everything. So it's just, it's essentially unreasonably complex. And I use the term "unreasonably" as a very careful choice of words: you cannot reason over that as a person. You know, if you were going to the grocery store and you wanted an apple and there were 10 to the, even 10 to the 100 types of apples there, you'd be a little overwhelmed. And a computer can't reason over that. I mean, I think 10 to the 80 is a pretty good estimate for like the best automated reasoning, and this is many, many times bigger than that. And that's just for a single computer; you plug two of them together and now you double that, right?

And then we get to my favorite topic to bash on. I had to do an AI/ML thing, because that's the hot topic and everyone loves it, and maybe in the future if I go and ask VCs for money I can say I gave a talk on AI and ML and they'll give me lots of money. But realistically, deep learning, neural nets, they basically take an unknown complex function, like "is that a banana or a bicycle", and then they just make an enormously complicated, like four to eight thousand dimension, function, so like, you know, x to the 8,000 plus x to the 7,999, and massive data sets. Unfortunately we don't know what they're learning, and generally they're not really learning much other than repetition, and we can never understand how they're like reasoning in this high dimensional space. I can reasonably think in three dimensions, that's about it; I can't go to 4,000. And they definitely fail in very strange, surprising and sometimes very funny ways. So there's a pretty well known piece of research out there: a classifier that was trained on "is this a wolf or a dog". They actually dug into it, and all it was looking for is, is there snow in the background? Because wolves are generally majestic in the woods with snow, and then dogs are a little less majestic laying on the grass or getting belly rubs. And so essentially they spent enormous amounts of compute resources to say, are the bottom couple pixels white or not, because that's what it's learned, and we don't understand that unless you spend a lot of time figuring it out. And because lots of VCs are throwing lots of money at that, these things are being integrated into all sorts of systems, and anytime you have this chaos machine it's going to be causing weird faults. You know, they've been mostly comical. There's a great blog post of kind of all the times when AIs have been trained to play video games and then found like really strange things, like if you make it a little bit further into a game and then you die you lose more points, so they just commit suicide before they start playing, because zero is better than minus points. Unfortunately that's not always the case.
You know, a couple years ago someone was fatally hit by a self-driving car and killed. This year a Tesla drove into a tree that I guess jumped out in front of it and killed two people. So it's not entirely funny, but it is definitely going to be happening more frequently, I think.

So we're all here because we like learning, we have that curiosity. I personally have spent my entire career, minus a little bit at AIS or AWS doing some management, looking at research, because I think that's the most fun. I can play around, I can like learn something that maybe no one else has ever learned, and then it's really cool to like share that and learn from other people. So how can research beat back that complexity? So I'm proposing divide and conquer. So this is something that actually I proposed a long time ago in a blog post, I don't know, seven years ago: that there's these multifaceted parts of attacks, and a lot of times, myself as a researcher, I just ignore all the parts that make things impactful and focus on what I find to be the most technically interesting. I call these chess problems. I know if any of you guys are old enough to remember newspapers, it was like the news but printed out on paper, and if you flip through it they'd have a little chess board and they'd say like "three moves to mate, how do they do it", and you have to kind of reason through this. And so it's a very contrived, constrained problem space, and you felt really clever when you figured it out, because you're like, hey, if I was ever in this space on TV playing chess against a grandmaster I could now checkmate that person in three moves. And that's what I feel like a lot of the research that I've done, that I've seen, a lot of research is. I mean poker is more about like playing against players, trying to figure out how to use what you have as an advantage,
and I think that if we're not really playing the right game, we're never going to win. And then just to be meta, my boss, who wasn't my boss at the time, found my blog post, took a screenshot of it for his keynote at Black Hat, and so I decided to take a screenshot of him presenting my screenshot, so I can take a screenshot of this and send it to him, because now he's my boss. So that is why that picture is there.

So I think we're a little bit more than just chess versus poker, so I'm going to just come up with a new thing, because it's awesome: chimeras. They're frightening because you have like this crazy DNA research, but the very classical mythical thing, right? So it's a monster that has the head of a lion, a random other head of a goat sticking out of its back, which must be uncomfortable, and then a snake's head for a tail. And so here's the kind of chimera thesis of attacks, right? So there's kind of three things, right? There's some incentive: an attacker doesn't get up and be like, you know, I'm just going to do something that I don't want to do and there's no reason to do it. So there's some incentive; could be money. There's some way that they get there: it could be physical access if it's a spy movie, it could be, you know, a huge infrastructure chain, it could be a simple phishing link. So there's some techniques, tactics and procedures to get there. And then lastly there's like the actual technical means, which is like the digital, the exploit or something, right? So when I was working in the government we just kind of either assumed that there was access, and so that someone else was dealing with the technical means and we were just trying to figure out how to actually leverage that, or vice versa. So they do partition that into these three things. And then, you know, the general says you're gonna go and do that, and then we had to kind of figure out, okay, how do we build the infrastructure around that? And then some people, you can probably guess which three-letter agency it would be, come up with like elite zero-day or something like that that plugs into this machine. And so this is kind of the three pieces that I see. So I think if we can divide, if you can conquer any one of these, if you can slay any one of these heads, you can really kind of decimate your attackers, or more importantly cause them to go after someone else. It's very much like the bear in the woods: if you can outrun someone else, the bear will probably go after the slow person, so you've got to be faster than someone else. I think these all kind of tie into
complexity, right? So if an attacker has an incentive to attack you, they probably will; if they don't, they probably won't. Understanding what their incentives are may be very challenging, but really there's only kind of base incentives that are driven by some human need, and so I would rate that as kind of a low thing: you can understand that other people may have incentives, you may not agree with them, but you can probably kind of fathom what they are. Then you get into the TTPs. This can be incredibly complicated, like massive supply chain attacks like you see from the nation state, or very, very simple, like a phishing link. Again, this is something that a human may have designed and built, but it's relatively, you know, medium, moderate complexity. And then finally there's the technical means. Like if you ever read a Google Project Zero post, you may need to read it like four times to even figure out like roughly how they turned a one-byte overflow into a kernel privesc and then, you know, managed to print money or something. And so that's a very high complexity, because you're playing in the space of software now, purely, and you don't have any of those physical constraints there. Unfortunately you see a lot of partial efforts which are not trying to slay anyone; they're just like poking the snake in the eye, kicking, you know, the lion in the chest, and then like yelling at the goat, which doesn't necessarily do very much. So I want to focus on how do you kill one of those three things.

So killing snakes. Again, they're very hard to empathize with and understand, but they're not very complex. And unfortunately, pen testing and red teaming, you've already set their incentives. Their incentives are to get you to pay them and then pay them again in the future. Unfortunately that doesn't help you here; it definitely helps with the other parts, but you told them what their incentives are on the contract. Is this to build a nice record? Is it to say that there's really nothing wrong here, so you can go to your board and say you're happy? Or is it to like scare people and say, yeah, there's a lot of highly critical things here, what we're going to do is we need to invest more in security? But generally I think there's roughly three-ish incentives, and it can be a mismatch depending on who you are, right? There's, you know, state secrets, stealing intelligence, IP theft, which is kind of what you see at the very high level, kind of the targeted attacks. You see money, which is a pretty big one, you know, ransomware, other types of things. And then causing havoc or damage. I think it's interesting because I have some examples of this. So a friend of mine was a CISO at a hedge fund, and someone breached their network, and they were like, oh, like, we have literally billions of dollars of financial information on this network. And the attacker looked at it and went over and stole their UPS account number, so that they could steal, or they like to ship stuff for free. So they were entirely motivated by money, and it's honestly a lot of work to understand the whole hedge fund thing, so I get it. But they were motivated by that, so they left a billion dollars on the table to probably spend like three thousand dollars in free UPS and FedEx, I guess. Also the same thing with havoc and damage. It's definitely a scary thing that the press likes to talk about, like hackers were going to blow up a power plant or something, and certainly they could, but generally they don't. I still think that there is some humanity left in everyone, and that's like a step, it's a lot further, and also, yeah, that would cause a pretty serious reprisal from whichever government or, you know, organization is behind defending that. And I think there was some interesting work by Charles Perine, who basically set up a fake factory. So it was a full ICS/SCADA environment that had, you know, actual actuators, all the components of a factory. It had an IT environment that had multiple people and users and the whole thing, and then it also had like a fake company, so it was registered with Google Maps, you could actually look at these people, he had like the nice shiny, you know, smiling pictures of all their board members and everything. And then he let it out on the internet and just kind of left it there for months and months and months. And what was interesting is he got ransomware like every day, and then people were leaving notes on his computer being like, "Mike", who was a fictional person in charge of IT, "is an idiot, don't have him work for you anymore, because it was so easy to hack you guys." But what was interesting is after all those months, no one jumped to the trivially accessible factory and started causing any physical havoc. I mean, realistically they were driven by money, and there was no one that was like, I'm gonna go blow up a factory in the Midwest today, which I think is good. I think that's good.

So understanding what kind of thing you are, and that depends a lot on your organization. I think there are some clever ways you might be able to disrupt or change those incentives, but generally if you're hated by the North Koreans there's not too much you could do at the end of the day.

So looking at kind of goats, right? So the complexity here, again, it's human generated. You can generally fathom how they're going to do it: they're going to
have some, you know, infrastructure on their side, they're going to have some infrastructure in kind of gray space, or like, you know, they pop some poor grandmother's computer and they use that to pivot through. And so you can generally reason about how that's going to look; you can model that. And unfortunately, well, fortunately for us, this is one of the areas where attacker infrastructure is just as fragile as the defender's, right? DARPA had this huge push to move from the notion of a kill chain to like a kill web, which sounds pretty horrifying either way, but they were worried that someone would be able to break just one link in that attacker chain and then they wouldn't be able to deliver their payload, which in this case was probably a bomb. So they had to come up with this nice like mesh warfare, mosaic warfare. And so that's actually nice, because if DARPA is spending hundreds of millions of dollars doing it, generally attackers probably don't have those resources to build a highly redundant attack system that they can just spin up and just waste those resources on every random person they're going to attack. And then if you can break their canned TTPs and then force them to be like, oh, now I need to like hand-jam this, they're going to get really irritated, they're going to go look for a slower person to go eat. I think also what's interesting with TTPs is humans here are very explicitly part of this network. You know, in some cases they're legally mandated to do something, so if you can put them in a situation where they have to follow something, you can kind of use them to jump air gaps. But also they're the people who are going to be clicking on, you know, phishing links and those types of things. So again, if you can figure out how to use your humans to disrupt those chains, you can put them on their back foot, increase their paranoia.

And then finally, I think the biggest one, the research one, which is interesting, is taming the lions, right? That's looking at the technical means, the code, the whole world of security that a lot of the research comes through. And here the complexity, again, is unreasonable. We can't imagine the state space of a very simple program, let alone a distributed system. I mean, I've seen some crazy stuff from the LangSec world where they have found Turing completeness in the most bizarre of places. So the Intel CPU's memory management, without ever running and executing a single instruction, is actually Turing complete; you can play any, you know, program any game to it and it will run just by the page fault logic. The BGP routing network is a distributed Turing machine, so by setting up certain routes and making certain requests you can actually, you know, arbitrarily execute on this distributed network. And I think someone did that to make the routing tables of the world look like Nyan Cat kind of going across; if you look through the historical changes, someone just basically, you know, benignly made a Nyan Cat just kind of float through the ether. Another one is there's a tool called the movfuscator, which lets you compile any software, any C or C++ code, to only one assembly instruction, mov. So the mov instruction, which is supposed to just copy memory from one place to another, is so powerful that you can recompile to only mov instructions. Now it's a lot of mov instructions, but that's still just, these complexities kind of creep up. And so being able to, you know, limit that is very, very challenging in this world. So you get your classic security hygiene: you have AppSec, hardening, segmentation. I think what's really important is, you know, us; we are really important. Buying a vendor's tool is great, but unless you have people who can make that, you know, integrated into your environment, or be able to make that dynamic to respond to what's happening, the tool itself is never going to be as smart as us. And so I think that's also where I think some of my disdain for AI and ML is: unless it's tailored to your environment, and
like, you know, that you run some billing batch process every quarter, the machine learning thing doesn't know that. And so unless you can tailor it, which requires a lot of human effort, it's never going to be as good as like some smart guys on the keyboard, or gals on the keyboard. And then you can actively frustrate attackers, and then you get into the world which I think is a lot of what we're seeing, which is complexity facing complexity. If that's, you know, adding a lot of diversity, you know, ASLR, we've seen some even better things than ASLR, and then you get into this bot versus bot of who can spend more money, you know, the attacker or the defender. And that can work; I think that was kind of the strategy, I think, between the US and the Soviet Union, of let's just make them spend an unreasonable amount of money and then they'll give up. But it doesn't always work if you're being attacked by well-funded adversaries.

So I think, again, I wanted to bring this back to complexity, the ultimate lion. And I think if you look at it, you know, the actual, the real gains you get are from reducing complexity; making things simpler generally works better. I had a program at DARPA looking at building like guaranteed or provably correct machine learning primitives. They weren't as powerful as what there was, but they were actually like, they would not get deceived by any type of malicious input, and that was done, actually a lot of the techniques were, by reducing the complexity of the network, to reduce the function to something that more closely matched the process they were modeling. I think, you know, it's the ultimate lion as well because there's market forces. It's way cheaper for someone to go build a generic CPU or a microcontroller that costs, I don't know, three cents or something to make, and then have software do it, rather than building a custom ASIC for something. And then you end up with literally hundreds of computers in your computer. The more I learn in low-level security, the more bonkers it is that it even turns on, right? You have, you know, I learned just the other week that your Wi-Fi and Bluetooth chip, radio, which is one chip, has multiple processors, an out-of-band management port, because they share the same RF frequencies. And so if the Bluetooth is to say, oh, I'm going to send something, it goes to the Wi-Fi over this unmanaged, unknowable channel that's built into the silicon and says, hey Wi-Fi, I'm going to be transmitting, so like be careful, and then they actually talk. And so there's actually some exploits now that if you can break the Bluetooth or the Wi-Fi you can jump across between those two. And so that's just one radio in one chip. That's like, my watch has Wi-Fi and Bluetooth on it, my phone has that. And then there's the memory controllers, which are already Turing complete, there's the CPU, which has multiple CPUs in it, memory cards, micro SD cards have Atmel 8-bit MCUs in them that you can break the firmware of. And so it's all over the place, and it's again, it's driven to be, it's because it's cheaper than custom fit. You're going to have to be fighting this all across your organization, and I think if we contain the lion of complexity, that's where we'll see gains in security.

And I think you see that in things like formal methods. So formal methods is based on proving that something is operating correctly, or not operating incorrectly, and that requires the fact that you have to be able to reason over this state space, and so that limits things to roughly that 10 to the 80 state space. And once you can get this, that's basically a check to make sure you've done all the work up front, which is kind of reducing to that simplicity. But that's very, very expensive. It's roughly 150 million dollars to formally verify 50,000 lines of code for the highest level; so FAA flight controllers have to be certified as life critical, so you need to spend however much it costs to write 50,000 lines of code and then 150 million dollars for people to verify that that code will not kill people. That is a very high expense, but unfortunately that's kind of where we're at right now. A lot of the security automation, so fuzzing and all these, you know, fuzzers, symbolic execution, is just using additional complexity to try to check complexity. So you fuzz for millions of CPU hours, you're just hoping that you're going to kind of bound that state space of a program through random mutations. Formal methods is the same thing but through mathematical principles, and you're just spending more and more time on that trying to do it, rather than taking a step back and figuring out how we can reduce that complexity.

So looking at the research,
i just worry that if we spend so much time doing these chest problems we're going to end up kind of marginalizing ourselves and you know not supporting the people that we actually should be because we're so focused on this like really leaked you know one bite overflow that turns into a colonel privest and not helping solve people's problems of today so i think it still resonates and you know i think yeah i see this you know today even so that was from seven years ago uh one of the things i do at thanks to we just released a thing called thinkscapes it's free thinks.com ts basically me and our team we read every abstract presentation paper of every conference
in the world so and we release every quarter so there are 277 security talks between august 15th and november 15th and they have all these talks and we go through all of them and we look for things that are interesting and we also look for things that are kind of like maybe the start of the next trend so i see a lot of content out there and i also see not a lot of needle moving in some cases and i think a lot of that comes either we're trying to slay all the heads but not quite succeeding and so we don't slay any of them or we're trying to compete solely in very high complexity without with
limited resources and it comes comes back to the scale and the ability and what resources you have if you're a individual contributor versus you know the defense industrial base with your many millions i think that's looking back at my career it was figuring out what battles to invest in to still be successful i'm maybe successful so going back to who am i in my career so at ais you know one of the things we built was a custom bios that just assumes that whatever the state of the system was before it was there was bad and we just wiped it all down we wrote drivers to directly talk to the hard drive to the display and load any
operating system, and so basically any pre-existing malware that was there hopefully wasn't there after that, and that really attacked the TTP. So that was kind of that moderate complexity, and again this was like the two-dollar bills if we go back to that first slide, so, you know, a couple million dollars is a team of however many people over months. And then I got into DARPA and I was like, all right, well, now here's, just one of my projects was taking incoming binaries or source code, lift them up to LLVM intermediate representation, diversify them, so maybe in one variant the stack goes up, the other the stack goes down, or maybe in one there is no
stack whatsoever, and then you run them in parallel to find an exploit at the time of exploitation, because they are semantically equivalent, and we spent a lot of time proving that, but structurally diverse, so if they start behaving differently it is because someone is attacking the structure. So that was an enormous project focusing on the technical means of how exploits work in various classes of attacks, but that was a huge amount of resources that I had to play with at the time. I got to AWS, like, looking for bugs, finding and fixing bugs in open source and then reporting them upstream, getting them fixed for everyone. Technical means again, but I could just spend as much money as I wanted on
fuzzers and formal verification and symbolic execution. If you aren't aware, AWS does have a lot of computers, and so I could use a lot of those for that kind of thing. Again, so I'm focusing on technical means. And now Thinkst, which is again that one deadbeat engineer of me, now I'm looking at the incentives, because that's the simplest, and generally, as you all know, I'm pretty lazy, and so I want to think of what's the easiest thing I can do that can still have some, some value. And so this is like looking at how I can turn offensive tricks, pretty simple, into defensive things. So now an attacker may not be incentivized to go and grab that
data and start poring through it, because they don't know if it's actually, you know, kind of this canary token or honey data or things like that, and so if we can attack that incentive then we have a chance of being successful for a relatively low investment. I think this thing is like a few hours of my time. So looking at that specifically, this was again a couple hours of my time. I found, someone sent me a MySQL dump file that had some conference data in it. I opened it up and it was, I don't know, maybe 40 megabytes, so I was not looking at that in Emacs or vi, so I imported it into a Docker container
running MySQL, did some queries, got some stats, it was great. And I was curious, like, how would you be able to figure out if someone was doing this, if someone had dumped your database, loaded it up, and was poking around in your production payment information? So I kind of was thinking about that, and so I looked up, okay, well, this is essentially an exfiltration technique, I just need to be able to exfil some data. And so I looked in all the, like, the attacker blogs, and, you know, there's some, some cool work out there actually. There's something called Data Thief, which was Cesar Cerrudo, who did it against Oracle, so basically he used some of the Java bindings in Oracle
to basically bootstrap a networking stack and then be able to exfiltrate data from SQL. The Thinkst guys back in the day, they did similar things for MySQL or MSSQL, where they were able to, like, break out and actually do some kind of shell commands and send data out. And so really this is like a blind SQL injection, so you can, you can execute SQL injection against a database server, but they scrape all the errors so you can't see what's happening. Here, this is a way that really what you can do is then just use SQL to be able to send it out to another server. So I started looking at, for MySQL, replication. I was happy to discover that you can
turn on and configure replication directly through SQL, and so I set up a listening post on one of my servers, and then the server that I was attacking would reach out to that one. It actually didn't do anything, it just connected and didn't do anything. So I was lazy again, as I mentioned, we only have one deadbeat engineer, so I just copied a real handshake in Wireshark that worked, copied those bytes, and then just echoed them in Python, and then sure enough it sent, in this case, a username from the server, which I could set when I was configuring it. And so I built, like, one stored procedure in SQL, let me send the contents of a table, so I just say send,
you know, password database table, and it would just send it out. It's pretty slow, 315 bytes per second, or bits per second, sorry, but definitely enough to grab some password hashes. That's the offensive trick. Turning that around now, if you look at it in defense: can we embed these types of things into either production databases or MySQL database dumps that we're leaving on our own infrastructure, that then call home? So we have a couple fake databases out there on canarytokens.org for free, you know, we have an HR one and maybe a payments one, or we can just give you the commands you can embed in your own SQL dumps if you'd like. And if any attacker does the basic
thing of import this SQL, it then sends you an email saying, hey, this person, this IP address just opened it up, so you might want to check on that. And so this is again now we're looking at the incentives, right? So an attacker wants to go and steal data that's useful and probably not be detected; we're now playing that. I think it would have been very interesting, because the thing is, the deception is, you don't actually have to be deceptive to be deceptive, you just have to tell people you are. So if after the Snowden leaks the NSA had all these PowerPoints out there with all these horrible things they were doing, if they
just said, oh yeah, but every Friday we have a drinking game where we come up with absurd-sounding code names, silly projects, and we put them in the same folder, but only we know which ones are real, that would have definitely changed the incentive there, because now you don't know if, you know, one third or one half of those things really existed, and you don't actually have to do it, you can just tell people you're doing it. I think looking at the dark market, one of the most valuable pieces of information out there is someone's health records, through a very convoluted series of trades that ends up coming out to pharmaceutical companies to do market
research, because they want to know, should I invest money in, in building a drug for people with sore toes and, you know, twitchy ears? Let's go and figure that out. It's a lot cheaper to, through a complicated set of things, look at breached hospital records rather than it is to, you know, have surveys and ask people. Now imagine if every hospital has 10,000 fake patients in there that have, you know, probably unrealistic and silly things, but you won't know that unless you're a doctor looking at it. So now you say, oh yeah, you can, you can use that data for your market research, but I would bet billions of dollars on that, because perhaps as much as two-thirds, or
however much you want to invest in that, may be fake unless you look at this with a doctor in every single record. So I think you can change their incentives by attacking the value that they're going to get from that. So I think we can win: if we can slay the head of any of these chimeras, the whole beast will die. I hope that's mythologically accurate, I don't actually know, I didn't read any old stories to make sure that's the case, doesn't grow back or something. I think again, us and the tools that we build ourselves allow us to scale our own complexity and our speed in which we can reason about complexity, and then we can, you know,
basically allow us to then go and attack their attack chains, because that's the fragile part. I think it'd be really fun to make attackers stressed and paranoid as we are, and I think we can actually drive revenue, not only costs. I've seen this happen a couple places. One is, is this analogy that security is like the brakes in a really fast car. There's a conference in Germany called TROOPERS, and one of the speaker perks is they pick you up in, like, this absurd Audi Mercedes thing and you go on the Autobahn, and then they just hit the speed limiter, and it's pretty fun until, like, a Peugeot pulls out doing like 60 miles an hour and you're doing 200.
Then you realize that the reason that that car can go so fast is those brakes work overtime, and so the security can allow people to do crazy stuff. So SIM cards: the security of the physical SIM cards allows people to kind of trust that they can put out mobile phones for very cheap and all this kind of stuff. So you can, you can drive revenue by allowing business risks. I've actually seen companies that have successful security programs, they acquired so many companies, they got so used to doing security for a hodgepodge of random stuff, they just started offering that as a service. So other companies, they pivoted, becoming an MSSP, because they were already doing it for,
you know, a worldwide consortium of 200 small companies they bought, they figured, why not charge other people and do the same thing? Now they're actually generating revenue rather than being a cost center, which is, you know, a good way to get more resources to play with more fun stuff. So kind of in conclusion: if we can understand their incentives, if we can target their TTPs, and then lastly, you know, the technical means I think are the most fun, but they do require the highest amount of resources. You can provide a pretty good return on your investment. If you're trying to make partial progress in the multiple games you're playing with attackers, you may result in losses
across the board. And I think there's really cool research out there, I mean, again, not to, you know, kind of shout the free thing, but there's really cool research. I've really enjoyed reading thousands of talks every quarter, because there's people doing some crazy stuff, and there's a lot more work that can be done out there, and you can really move the needle even when you don't have tons of resources. Like, I feel like, you know, probably the two hours I spent building a canary token may actually frustrate or catch an attacker, whereas the 65 million dollars I spent at DARPA, that unfortunately has never been deployed, this is so complicated and difficult to
use, will probably not stop anyone. And so if you can target your resources to your strengths, you can probably do some pretty cool stuff. And then if you're building anything, so there's people here who are developers: look at complexity as a cost when you're designing software, and then that way you can really track it and figure out how you can isolate complexity from the business- or safety-critical functions. All those ransomware attacks that took out the meat processing and the other, the pipeline, those were not targeting their OT systems. They had just co-mingled the billing process with that function, business-critical function, and so then when the billing system got taken down it then trickled on and caused that kind
of knock-on effect. Realize that, I know this is very, very sacrilegious to say, but AI and ML is not a panacea, unless you are asking for VC funding, in which case slather that all over your deck, and it can fail in really, like, weird ways. So limit these failures, right? Assume that thing is going to fail in the worst possible case and then try to make sure that it doesn't act on that. And then if you are in a high-complexity environment, just double down on that, right? So fuzzing software as part of your CI/CD pipeline: you're exposing software, you know, your own internal software, to complexity. You've been, you
know, could just be an idiot user typing the wrong thing, or it could be an attacker. Doing adversarial training of AI/ML is just basically giving it attack-type inputs to see what happens, and then it can learn, oh, this is actually bogus, this is, you know, noise or something. And then we always see the kind of Chaos Monkey, right? So Netflix has processes that run through their networks turning off servers, crashing daemons, all sorts of injecting chaos so they can build resilient systems, and they have different types of monkeys, they have, like, gibbons and gorillas, and the most powerful one actually just goes and, like, yanks the power to an entire data center, and can
they still stream all the video and all the content to everyone if they lose an entire data center? Which is pretty amazing, and that's looking at these distributed systems. So again, actually not that many people left, which either means you're very comfortable in those chairs or, thank you very much. I have some time for questions, but please give me feedback, conference feedback, anything else, feedback. I think I have about 15 minutes for questions if people want to; if not, it's awesome to be here, thank you so much for your time, and look forward to the rest of the day.
Fantastic.
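The replication trick described in the talk (configuring MySQL replication purely through SQL so that the database server itself connects out to a host the attacker controls and hands over data) leaves a trace in the server's own query log, so a defender who keeps that log can alert on it. The following is an added example, not code from the talk, from Thinkst, or from canarytokens.org: it scans constructed MySQL general-log lines for statements that configure or start replication, follows the case where the statement is assembled inside a user variable and run through PREPARE/EXECUTE, and rates each hit against an assumed allowlist of replication admins and source hosts. The ALLOWED_SOURCES and REPLICATION_ADMINS sets, the account names, addresses, and the log lines themselves are all assumptions made up for the example.

```python
"""Detect replication being configured through SQL, from MySQL general-log lines.

Assumptions (not from the talk): the general query log is enabled in its default
tab-separated text format; application accounts never configure replication; the
only legitimate replication source is listed in ALLOWED_SOURCES.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log. Thread 41 is a DBA session; threads 42 and 43 belong to
# the web application account, which should never touch replication.
SAMPLE_LOG = """\
2021-11-15T10:22:30.000001Z\t   41 Connect\tdba@10.0.0.3 on mysql
2021-11-15T10:22:31.000002Z\t   41 Query\tSHOW REPLICA STATUS
2021-11-15T10:22:40.000003Z\t   42 Connect\twebapp@10.0.0.9 on shop
2021-11-15T10:22:41.000004Z\t   42 Query\tSELECT * FROM orders WHERE id = 7
2021-11-15T10:22:42.000005Z\t   42 Query\tCHANGE MASTER TO MASTER_HOST='203.0.113.5', MASTER_USER='repl', MASTER_PASSWORD='x'
2021-11-15T10:22:43.000006Z\t   42 Query\tSTART SLAVE
2021-11-15T10:22:50.000007Z\t   43 Connect\twebapp@10.0.0.9 on shop
2021-11-15T10:22:51.000008Z\t   43 Query\tSET @q = CONCAT('CHANGE REPLI', 'CATION SOURCE TO SOURCE_HOST=''198.51.100.7''')
2021-11-15T10:22:52.000009Z\t   43 Query\tPREPARE s FROM @q
2021-11-15T10:22:53.000010Z\t   43 Query\tEXECUTE s
"""

ALLOWED_SOURCES = {"10.0.0.2"}   # assumed: the one host this server may replicate from
REPLICATION_ADMINS = {"dba"}     # assumed: accounts allowed to configure replication

CHANGE_SOURCE = re.compile(r"\bCHANGE\s+(?:MASTER|REPLICATION\s+SOURCE)\s+TO\b", re.I)
START_REPLICA = re.compile(r"\bSTART\s+(?:SLAVE|REPLICA)\b", re.I)
HOST_ARG = re.compile(r"\b(?:MASTER_HOST|SOURCE_HOST)\s*=\s*'([^']*)'", re.I)
STRING_LITERAL = re.compile(r"'((?:[^']|'')*)'")          # SQL literal, '' is an escaped quote
LOG_LINE = re.compile(r"^(\S+)\t\s*(\d+)\s+(\w+)\t(.*)$")  # time, thread id, command, argument
SET_VAR = re.compile(r"^\s*SET\s+(@\w+)\s*(?::?=)", re.I)
PREPARE_FROM_VAR = re.compile(r"^\s*PREPARE\s+(\w+)\s+FROM\s+(@\w+)", re.I)
EXECUTE_STMT = re.compile(r"^\s*EXECUTE\s+(\w+)", re.I)


@dataclass
class Alert:
    time: str
    thread: int
    user: Optional[str]
    kind: str            # change_source | start_replica | execute_prepared
    host: Optional[str]  # replication source the server would connect out to, if visible
    hidden: bool         # statement was assembled in a user variable / prepared statement
    severity: str        # high | info


def classify(sql: str):
    """Return (kind, host) if sql configures or starts replication, else None."""
    if CHANGE_SOURCE.search(sql):
        m = HOST_ARG.search(sql)
        return "change_source", (m.group(1) if m else None)
    if START_REPLICA.search(sql):
        return "start_replica", None
    return None


def severity_for(user: Optional[str], host: Optional[str]) -> str:
    """An admin pointing at the allowlisted source is routine; anything else is high."""
    if user in REPLICATION_ADMINS and (host is None or host in ALLOWED_SOURCES):
        return "info"
    return "high"


def scan(log_text: str):
    alerts = []
    users = {}          # thread id -> account that opened the session
    tainted_vars = {}   # thread id -> {@var: (kind, host)} holding replication statements
    tainted_stmts = {}  # thread id -> {stmt name: (kind, host)} prepared from tainted vars
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        time, thread, command, arg = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if command == "Connect":
            users[thread] = arg.split("@", 1)[0]
            continue
        if command != "Query":
            continue
        user = users.get(thread)
        sv = SET_VAR.match(arg)
        if sv:
            # Reassemble split string pieces (CONCAT('CHANGE MAS','TER TO ...')) and
            # look for replication keywords in the joined text.
            joined = "".join(lit.replace("''", "'") for lit in STRING_LITERAL.findall(arg))
            hit = classify(joined)
            if hit:
                tainted_vars.setdefault(thread, {})[sv.group(1)] = hit
                alerts.append(Alert(time, thread, user, hit[0], hit[1], True, severity_for(user, hit[1])))
            continue
        pv = PREPARE_FROM_VAR.match(arg)
        if pv:
            hit = tainted_vars.get(thread, {}).get(pv.group(2))
            if hit:
                tainted_stmts.setdefault(thread, {})[pv.group(1)] = hit
            continue
        ev = EXECUTE_STMT.match(arg)
        if ev:
            hit = tainted_stmts.get(thread, {}).get(ev.group(1))
            if hit:
                alerts.append(Alert(time, thread, user, "execute_prepared", hit[1], True, severity_for(user, hit[1])))
            continue
        hit = classify(arg)
        if hit:
            alerts.append(Alert(time, thread, user, hit[0], hit[1], False, severity_for(user, hit[1])))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:4} {a.time} thread={a.thread} user={a.user} "
              f"{a.kind} host={a.host} hidden={a.hidden}")
```

Run as a script it prints four alerts for the sample: the plain CHANGE MASTER TO and START SLAVE from the web application account, the replication statement hidden in the CONCAT pieces of `@q`, and the EXECUTE that would actually run it. The same logic works over audit-plugin output once the line parser is swapped; the point is that replication configured from an application session, or toward a host not on the allowlist, is worth an alert regardless of how the statement was spelled.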