
BSides Ottawa 2025 - Day 2 Keynote and Speakers

BSides Ottawa · 2025 · 4:54:52 · 137 views · Published 2025-12
About this talk
Recording of Day 2 keynote and speakers.

00:00 Lina Dabit: Global Game, Global Target: Understanding and Defending against the Hybrid Threat Landscape of FIFA 2026
47:05 Capt (N) Jay Thor Turner: CAF Cybercom
01:32:07 Jon M: Defence Through Deception
02:08:47 Panel Discussion: Women In Defense & Security (WIDS)
02:56:52 Olivia Galucci: Syscall and Stacks: A Guide to Cross-Platform Exploitation on macOS and Linux
03:30:02 Eldon Sprickerhoff: So you want to start a cybersecurity company?
04:14:21 Robert Beggs: Making Mistakes: The Painful Lessons From 20 Years of Red Team Penetration Testing
Transcript [en]

Hi everyone. Thanks. >> Okay. No, that's okay. I'm glad we didn't collide. Um, so I'm a pacer. If it's distracting, wave at me and tell me to stop clumping across the stage. Uh, my name is Lena Dabbitt. I retired from the RCMP in May of this year. Uh, so what you're seeing is like Lena's retirement iteration. Uh, retirement's awesome. just by the way for those of you who are looking at that journey. Uh but I joined uh but before I joined OPTIV I had a number of roles in the RCMP over the past 30 years. So that includes everything from uniform policing out in BC, running a police boat, uh undercover operations, organized crime, intelligence, national

security, protective operations. My last few years were running the cyber crime team out of Toronto. So I will just shout out to my old team. We did the uh Netwalker investigation a few years ago from Gatnau. Uh that was my team. We at the time it was the largest up until recently the largest crypto seizure um in Canadian law enforcement at 37 million at the time. Um and we literally just did a big investigation that took down in uh February right before I retired and it was a cyber enabled fraud involving spoofing 16 financial institutions thousands of victims across Canada. So, uh, they did an amazing job and those, uh, that resulted in convictions recently, uh, with some

pretty, uh, precedent setting sentences. So, why do I want to talk to you about FIFA? I think of all the things we are considering and we're looking at major events and we're looking at the future, we're looking at the next 12 months, FIFA to me uh, is more than just, oh, I I want to make sure everyone has a good time at the games. This is a significant risk for a number of reasons and we're going to talk about them. We're going to talk about what that challenge looks like, but there are some sectors. So, I do speak a lot uh in my current role at uh at Optive in executive advisory. I do speak to a lot of sectors about their

preparedness for FIFA and the people that are sort of one or two levels removed from, you know, we're not at the stadium, we're not doing people security, we're not a a vendor selling merchandise. What do I have to care about FIFA? The problem is we have a lot to worry about FIFA and we're going to talk about that. But before I do that, I want a show of hands. How many people in here have been involved in a largecale uh event like FIFA, like the Olympics, like G7? Can I just see a show of hands? Okay, so a few of you in here, thank you for sharing that. That's great because it gives you some insights.

Before we talk about it, can anyone of you who did uh take part, what was the single biggest failure that you saw? Just one word. Anyone yell it? Pardon? >> Communications. Anyone else? >> Coordination. >> Coordination 100%. And these are common. And I mean again over the past 30 years um in my roles especially when I was running things something like the air marshals where you're seeing you know large-scale operations and protective operations those those things are still an issue we have not managed to solve them but we're going to talk about some strategies on how we can work together to make that happen this is why I want to talk to you about FIFA when you look at the sheer scale

and for those of you who have been involved in an event it is an event in a city usually at one venue um and you understand the challenges we had with communication and with logistics. Now add to that all this. So this will be the largest FIFA in history because this is the first year that there are 48 national teams. So they upped from 32. 32 would have been a lot to manage. Make it 48. So now you have 48 national teams plus their delegations plus their fans plus multiple venues. This is also the first FIFA where the events are taking place across three countries. That is unheard of. And now you can imagine the challenges because

what might work in, you know, in in the US or Mexico from a privacy and and and data information protection isn't going to be what it is in Canada. And now you have the logistics. How do you cross how do people cross borders? How do people how do you share information about fans, delegations as well? When you look at the critical infrastructure in this geopolitical climate, it is significant. We have some real challenges. We live in a world and you know, I've always been a glass half full. Um, unfortunately, right now, my glass is probably half full with wine because I need it to think when I think about just how crazy this world has

become. And so, this is we do live in a darker world. Like, I look at my kids who are in their 20s and I think, oh, what kind of like environment are they are they growing up under? I grew up in the 80s where you know you had the big threat of you know nuclear war and remember that okay I'm totally dating myself here but that show the the day after or whatever and it was on and and that was a really big thing for us but this environment this current geopolitical environment the the the meanness that's out there is unprecedented. Uh, and I mean really how many of us call in to CRA or to our insurance companies or or

anybody and on the voice recording it says we will not tolerate abuse, we will not tolerate um abusive language, you know misogynist racist whatever. Since when did we have to start putting things to tell people to be decent to each other? So this is not that same world. So when you look at this attack surface there are so many sectors there are so much uh there are there is so much critical infrastructure that is going to be impacted by what happens the problem here is all the things we traditionally plan for and prepare against it's it's also expanded exponentially. So how have cyber threats impacted sport? So let's be clear. Sport has been uh uh attractive to those who want to

have a message you want to you know have a whether it's politics activism whatever sports has been a target for many years. So you look at the 20s and 30s you had the exploitation of sport. Sport is a propaganda machine. You had, you know, the 40s and 50s after the World War II, you saw s things like sabotage and misinformation in from a propaganda perspective. You also had and then as we evolved, you had the, you know, the ' 60s, '7s, ' 80s where terrorism started to take a a sort of a bigger picture because all of a sudden you could do something at a games and it would be broadcast around the world. So,

how better to amplify your message than by attacking sport, which is a soft target in and of itself. And as you you could recall in Atlanta when you had the bombing in 1996 um you started to see a more interest uh a greater interest into how we we held these events. What sort of things did we have to look at come 2008 and with with the um with the advent of how cyber and how the sort of digital space fits in. What did we start seeing? We started to see cyber take on a bigger and bigger role. You started to see how it could actually dovetail really nicely and I mean that facitiously very nicely into

what threat actors want to do because it gave them an opportunity a platform a means a highway in how to do it. And with each games whether it's the Olympics or whether it is um whether it's the Olympics or whether it's FIFA you were each each event the threat has grown exponentially. When you look at something like uh Paris, Paris really upped the the threat actor game, the amount of narratives, the misinformation, the disinformation, the the threats, the deep fakes, it all tied in and then it tied into the physical when you saw that the metros at some of the trains ended up being sabotaged. So, it all fit together. But I would say Paris for me in my mind was probably the

first time that you really saw it as a cyber threat warfare. So we're going to talk about the security layers and the defense lines. There are so many things that go into an event that have to be considered and we're going to sort of delve into them a little bit. Um we're going to touch on them because they are all they are all layers. They're all part of that same cake. At the end you're going to end up with this this very multi-layered piece. But what I want you to remember all the way through is any one of those layers that has an impact or goes down is critical. But what happens when you put

them all together? So I want you to think about it from that perspective. Now when we look at these layers, this is what defenders have to think about. And it's beyond the obvious. Like when I first started out and we would do a large event, it was all about, you know, perimeter safety. even to now, you know, your job at G7, you know, or G8 is to guard a door. This is what you're doing. You're guarding a door. You're making sure athletes, you know, are are safe, that everyone is able to move in a safe manner. So, we're going to look at what happens when when we look at each side, each pillar of security separately. So,

physical security priorities. This is what everyone really thinks about when they think about uh something like FIFA. You're looking at things like access and perimeter control. So, how are you controlling who's getting in, who's getting out? And if you think about it at its base level, are people getting in without tickets? How do you keep uh, you know, venues safe? How are you looking at it in a way that you're able to manage crowds so you don't have rushes of people coming in, which happens at some events globally where suddenly you have a massive crowd surge and people get trampled to death. So, those are the those are always considerations and those have been considerations for sport

for decades. has while it has nothing to do with cyber I just want you to keep in the back of your mind as we go through these layers what does that look like when you throw a cyber threat in there when you look at the physical piece so you see in there protection of highv value targets so how many times do you open the paper the paper okay so again I'm dating myself here how many times do you turn on your phone and look at the news and you see a um a major event like the World Series and you see all the VIPs that are there whether they're actors influencers politicians everybody wants to be there because

that's the place to go. F for anybody who has ever worked in that space or in this realm. VIP protection in and of itself is a whole other animal. Uh there are so many considerations you have to think about. Are they traveling with their own security? What is their security allowed to do, not allowed to do? Um you know, how does it fit into general security? So you have to So that just adds a whole another layer of of complexity to protection. So yeah, so I'm going to go back to the transportation mobility. This is a huge one. So you look at in Canada, we have two sites. We have Vancouver and we have um Toronto. Both of them are major

cities. So you look at the level of transportation that uh the transportation logistics alone to get people to venues. So you have every venue from you know buses, cars, Ubers, taxis, pedestrians. In BC you have fairies and people are like you know what do fairies have to do? It's in Vancouver and no one's going to Victoria. But if people are traveling and they and they will the the estimate is about 6 million people coming to North America for the games. That is a lot of people. So people, if you're if you're traveling and you're coming from overseas or even from the US or Mexico and you want to you're in Vancouver, you may very well end up in Victoria. And we

anticipate that there will be um a greater demand on the fairies. So again, adding that to the mix, are are people in fairies prepared for the logistics of of protection? So now this is the one where this is all your purview in your area. But I want you to look at any one of these pieces that goes down. Anyone like not just digital any one of those pieces that go down will have an impact. So you know you look at things like digital ticketing and accreditation. If that goes down are your um are the staff or the volunteers prepared to do this manually? How what happens if you have to go manually? Do we have an over

reliance that the tech will work? I mean, look at us what just happened now trying to get a cable um and a system to get my laptop up. And just so you know, tech hates me. Um public sector tech public sector teams really hated me. Um I will say in private sector it likes me a little bit better. But inevitably there will be an issue with the tech. That is a guarantee just like with comms, with radios, people not being able to talk to each other. That is going to happen. So how are we preparing for it? So when you look at things like and again we talked about you know you have your core sort of entities that are

going to be impacted by any event at FIFA. So that will be your telecoms that will be your um your venue your transportation that's going to be a a core piece but you also have that ripple effect. So what happens when somebody takes down the payment system? So now you have fans who can't buy merchandise. You have fans that can't get in. Fans that can't get food. So, how are the banks preparing? How are your payment systems preparing for a threat like this? Uh, and power and critical infrastructure. To be honest, power is probably the one thing, not just in FIFA, that scares me more than anything. The fragility of our uh our power systems is front and center in mind. And

any impact there is going to have a significant impact. And you remember, okay, so people who really like soccer, otherwise known as football, are very passionate fans. So what happens if your telecoms goes down and now the game as they're watching and you know it's like literally the last few minutes and someone uh takes it out. So what happens there? You're going to have mass panic. People are going to be very upset. So the onus is on telecoms to keep things going. So, if I was a threat actor, I would target it right after the game started because if you think about that whole goal of of having someone to pay a ransom, you're going to pay a ransom to

make sure that the game keeps going. So, it is all about leverage and using that leverage effectively. Supply chain. So supply chain is one of those things that uh as you know is a significant thing. And people say to me, you know, Lena, what keeps you up at night? Um well, other than menopause because that sucks. Just throwing that out there for anyone who's either experiencing or living with someone experiencing it. Um but supply chain, this keeps me up at night. And it doesn't matter if it's in your digital supply chain, it is a physical supply chain. supply chain impacts have been uh like they have grown exponentially and this is something that I was asked to

speak about when I was still in the RCMP and you know here we are now and I'm still speaking about them like look at again look at Jaguar Land Rover look at Markx and Spencer those are all you know uh third party and supply chain uh impacts that have revertebrated around the world like they impacted the GDP of the UK so it is significant and you look at the supply chain logistics around an event like FIFA. And it isn't just the actual events themselves. So, we'll talk about the actual events, but I want you to think about what that supply chain looked like for building, what that supply chain looked like for preparing, what that supply chain looks like around

uniforms, even a little blip. And I mean, and it wasn't even a cyber at Paris when some of the US athletes realized that I don't know who did their uh sizing, but the sizing were wrong. So, you're a world-class athlete. You've been preparing for four years for this event and you're getting ready to go on and you don't have a uniform that fits because it's so tight that you can't move. So, that sounds so insignificant, but what happens if teams can't get uniforms? What happens if you if your uh your event space is not ready? We all know every time there is a major event, there is a huge push in construction. There is a huge push in permitting

looking at trying to get permits. Are the are these stadiums built to the same standard across all 16 venues? What upgrades? So, how does that impact? I mean, it sounds so out there, but it's not. It's all part and parcel of if you're a threat actor and you want to embarrass a host country or you want to apply some political leverage, this is a good way to do it because it it shows that you're not professional or you're not modern, you're not um you're not able to put on a worldclass event. So, food services So, for those of you who did who have been at a at a at a major event, how many of you have had

challenges getting food? Anyone? So, this sounds like such a small thing, but it's actually really significant. So, okay. So, I'm going to go back historically. Look at even Napoleon uh in his excursion, his failed excursion into Russia. Yes, they didn't factor the weather in. Uh that was a big piece but the the failure of their supply chain actually led to disobedience in the military within 3 days. Uh and it it led to disobedience. People as they were retreating people were just like this is ridiculous. We haven't eaten. Food is food is a basic need. So I can tell you from events that I've been at uh there have been challenges and you know and part of you wants to say my god you've

known about this for how long? you know that we need to eat. We're out for 12 hours or 15 hours or 16 hours. You got to kind of factor that in. And the reason I bring up food is it isn't just about feeding people. If people are feeling neglected, people are feeling like they have been left out and cut loose. If people feel like they don't even have basic needs met, do you think that those people's priority is on their their role? It is not. So, I'm I don't mean it in like a malicious insider threat, although that can happen. I just mean as are people focusing on their job or are they so focused on not having a basic need met

that they aren't as they haven't bought in as much to what their role is. And that's and that's a really big part of planning. And you know, and I want to say, well, the devil's in the details. The devil is always in the details. You can pay huge attention to all the big parts of your of your event, but you have to have those little pieces that are the foundation. And you pull out something as basic as food, you are going to have problems. The other side of it is thinking about it from a food supply chain piece is what happens if someone has an issue with one of the delegations. How do you know that someone isn't going to put

something in the food to make athletes sick? you know, whether it's as a competitive advantage or an advantage um to just send a message out and take out an entire entire delegation. I mean, that sounds again far-fetched and people are like, "Lena, you worry about the craziest things." I do, but again, if you're up at 3:00 in the morning because you can't sleep. This is the stuff that goes through my head. And also, do penguins have knees? So, let's talk about people. If drilling down into FIFA, is it about sport? Yes. But it is all about people. It is about athletes. It's about national pride. It's about representing your country, being proud of your country. This is the

best of what we can do. And and how do you not how do you not look at the opening ceremonies and feel that sense of pride when you see that Canadian flag up there in our athletes because they're in this year. Um so it's a human network. It really is. But there's so many components. So when you look at the people involved in FIFA, these are all like there is there is the athletes, there is the delegations, but you got to think about things like how do you control crowds, how do you communicate your staff, your volunteers, your personnel, um we talked about VIPs already, but when you look at how how you bring that all together, this is

what it's all about. People have the ability and we all know this in our organizations is you know people are our best uh our best sort of defense but they're also our weakest link. They really are. So how do you work with the people of FIFA to make sure that they are they are part of the solution and not part of the problem. So in Paris this is the numbers. So again, like I've worked a number of events and actually ironically, so funny story here. Um I had retired from the RCMP in May and the very first trip I took um in my new role was to Calgary. So I get to the airport in Calgary in

June and I know half the people on the flight because they're all flying out to G7 to do all kinds of details. So the reason it's funny is so I know a whole bunch of people. I'm talking to them all and then as we're going to pick up the luggage, you know, I'm going to grab my bags off the carousel and as I'm going to grab my bags, I'm like, "Okay, guys, I'll see you later. I got to go figure out what shuttle I'm on. I'll see you after." And one of the um I guess bus marshals, coordinators, whatever he is, you know, with his lanyard on for G7 comes running over and he's like, "No,

no, no. You don't get to you don't get to decide what shuttle is on. You haven't even signed in. You need to check in first and we'll tell you where you're going." And I'm like, "Bye-bye. I retired 3 weeks ago. So it was anyways it was and all the guys that I knew were like we're going to come with you. Um so all that to say when you look at the numbers of people that you need for security alone this is just security. This is what it was at Paris. And in Canada when we have a major event like G7 we fly people across the country. When we had the Olympics in 2010, uh I

would say probably 90% of our people in my unit went to Vancouver and they were gone two to three weeks. So if you need this kind of bodies for an event, what happens when you have two events across the country simultaneously? Where are you going to get all these bodies? Uh this is something that concerns me because I already know there's leave restrictions in effect. They there always are. even though in Vancouver. So, the RCMP is not the lead for FIFA. It is Vancouver Police and Toronto Police, but there is no way that either of those entities um and they're both excellent organizations, by the way. There is no way that they have enough resources from

a policing perspective to to to do this. So, they have to draw on RCMP. So, RCMP is already preparing that they're going to send bodies, but again, where are we going to get all these bodies? So you look at how many so so peak days are things like a major game between two you know major countries like something like a soccer or a basketball game those are the kind of events but that is still a significant number um and when you look at the vetting so how does FIFA work so when you talk about that people the people um the people engine the people cogs the nontechnical part they are the the the the wheels that make this go

round but it counts on volunteers very very heavily reliant on volunteers. So if you were a threat actor and you wanted to be able to have an impact on something like FIFA, would you not volunteer? I would talk about a great way in. It doesn't even have to you don't even have to have a a really high level role. It could be something as simple as you know what gate are you guarding? Are you guarding something at athlete at the athletes village? Are you guarding the food trucks? What are you guarding? Any one of those is going to be a vector. any one of those has the potential to create significant um damage. So we vet them. So in Paris they

had 300,000 volunteers 300,000 people submit to be volunteers at FIFA and they only selected 10 to 15%. This is consistent whether it was Qatar, uh, whether it's, you know, for any of the events that they have had, they're usually selecting 10 to 15,000, but anyone in here who's done a security clearance knows how slow it is. How long do you think that's going to take? That is significant. So, another layer, we're going to add another layer here, public safety and emergency response management. So, this is something that's very near and dear to me because I'm a I'm a trained incident commander in emergency response. So, this is an area that I look at and I think are we prepared for

worst case scenarios and do we train for that? Because a lot of times what I have seen is people train for the most likely scenarios. Uh unfortunately, while there's a chance that that'll happen, you're going to get hit by an outlier. You're going to get hit by something you didn't see coming. So, how do you plan? What's your workaround? How are you going to get around it? So again, you you will always have the threats of terrorism, the risks of physical threats, all the risks there, but how do you move people safely? Like we talked about all these great controls and you know, we're going to have this so nobody gets trampled and we're going to do

that, but what happens when those fail? Like they may work great on paper. Have you practiced? And how do you look at how do you move people in an emergency? And this doesn't even have to be a a a malicious. It could be something really benign. What if there's like suddenly a massive, you know, rainstorm? What if we're in Vancouver and there's an earthquake? Have you planned for what that looks like and how you move people safely and protect protect people? So again, sabotage, we talked about the the the trains being sabotaged in Paris. That is a real risk and it doesn't take much. So again, if you have a breach like a one part of your of your people's

supply chain is breached, these are the types of risks that are are prevalent. You always need to plan for these worst case scenarios. So um I don't know if you like it happens fre seems to happen more frequently in the airlines recently, but when you look at something like you know they had a a problem with the ticketing system in the boarding passes a couple of months ago. It was a gong show. um and people so you couldn't you couldn't check people in electronically. So what's your workaround having to do it manually? So things like preparing to do things manually. What if the power is gone? Are you preparing for that? So this is a really big one. Um and it

is national security. Make no mistake. So you talk about crowd behavior and environmental. What if someone leaves a bag? I mean, you you we saw this in Atlanta with the with the backpack left that had a bomb um and that poor guy who ended up getting arrested and he didn't have anything to do with it. But um but all that to say is who's monitoring, who's watching, what threat groups, what are people tracking, uh you know, are from a disinformation narrative? What where seems to be the target? What is being targeted? What are nation states looking at? What are cyber criminals looking at? What are activists looking at? where are they seeing uh that they

can focus on? So protests in and of themselves I mean no issue there but who's behind it and why are they behind it and understanding what that what the implications are. So this one so cyber enabled fraud. So I will say of all the things AI has done it has made mediocre criminals really good. Um because you don't even have to be your really good criminal anymore. You could be kind of a terrible criminal, but you can pay your subscription service and now you have the ability to be a really good criminal and make a lot of money, unfortunately. Um, and we see this time and time again, but this one in particular is one that's

going to hit everybody that goes there. So, these are all like I'm not going to read them all out, but I mean these are all exactly the areas that are going to be targeted. probably other ones as well. But that fake site, fake credentials, I mean, you saw that in Qatar when people had to have that Haya app. There was fake um fake apps, people were really impacted by the ticketing by, you know, the all around the websites, people putting their information in. You talk about Wi-Fi. So, I'm paranoid. I don't use Wi-Fi for anything um when I'm not in my home or at the office. Uh but people don't realize that or these people that have

their and you look at phones now uh even something as simple as somebody going through the crowds and grabbing people's phones in the UK this is a in the London specifically this is almost a pandemic of people grabbing people's phones they're unlocked they throw them into airplane mode um and off you go and now you have somebody's phone and and you think of all the information and you think of what a lucrative target that is if you're a threat actor and you want to you want to be able to defraud people or just general criminality, this is the place to do it. So, we talked about all the layers. We talked about how any one of them has the

potential to impact literally take down the game. So, why do threat actors do that? Well, again, we talked about um disinformation campaigns or narratives to embarrass host countries, to embarrass the IOC. We saw a real uptick in that with um Russian groups and Russian affiliated um threat actors because they were banned and their athletes if they did want to compete had to compete as independent. So we definitely saw this as a as a challenge but it has become uh it has become much more sophisticated and much more targeted. So what happens when they all collide and how are we preparing for that? So, I'm going to I'm going to delve into disinformation because a lot of people

look at disinformation. They're like, Lena, it's just a bunch of, you know, cute cats, you know, picking up eagles or picking up children. And I mean, don't get me wrong, I love those videos, too. My kid sends them to me all the time. Look at this cat. He's making a Subway sandwich. And I'm like, that's a really smart cat. Um, and I get it. But the problem is there is a lot of people that do not understand the impact. And I'm going to delve into it. So, I put this up there because there's a lot of people that use misinformation and disinformation um as the same thing and they are not the same thing. So, what you could have

is a disinformation campaign. Disinformation is deliberate. Um I always remember it because they both start with D. Deliberate. It is deliberate and it is done to control a narrative or to put out a narrative. Misinformation is unintentional. Misinformation is when you're, you know, your dad sends you a picture of an eagle literally lifting up a kid and he's like, "Oh my god, what kind of bird is this?" I'm like, "Dad, it's fake." But that is misinformation. He is forwarding information without realizing that it is fake. And that's okay. But the problem is those who run disinformation campaigns are very, very good at building a narrative and sending it out and then let the internet sort of

do its thing and off it spreads. And it spreads like wildfire. I will say based on if you look at the best lies, the best lies, the most believable lies are those that are built around a kernel of truth. Excuse me. So if you have a truth in there and you wrap it all around, it's going to be a lot more believable than something that comes out. So what does that mean? That means things get taken out of context or someone focuses on one part of it without understanding all the implications of what they're looking at. So how is information used as a weapon? And this is where I really like if my one message to you here is is

understanding the value of helping people recognize when they are not when when when it is misinformation and disinformation and having them pause and think about it. So these are all really significant. Why? Because we have crossed that threshold that says people get their news from Walter Cronkite or Barbara Walters or 60 Minutes. We have crossed that threshold. The majority of people now get their news from social media. So we all know the issue with that is whatever news media you follow, whatever the algorithm sees that you like is just going to feed you more of it. So it becomes an echo chamber. So your biases get reinforced. Your belief system gets reinforced because hey, I'm

looking at the news on XYZ site and it all reinforces exactly what I'm feeling and I'm thinking. Why is that dangerous? It's dangerous because people are making significant decisions based on what they are consuming on social media. Things like who to vote for. And I don't care what political affiliation you are, what you believe about vaccines, what you believe about anything. It doesn't matter which side of that you sit on. The point is your belief system is going to be reinforced by where you get your news and how you get your news. So, it does manipulate public opinion and trying to get people to pause, go to a different site, check that out. That's been a

challenge. I I don't have an easy answer for that. I mean, I'd love if someone could say to me, "Hey, Lena, we're going to we did this and this worked really well." Great. We need to find a way to expand that. But when you look at why threat actors focus on misinformation and disinformation, if you think about any really big society, any big empire, they didn't they didn't collapse because of exterior pressure. They collapsed from within. Every one of them, Roman Empire, British Empire, Mongolian Empire, all of them had internally internal strife, internal chaos. How better to spread internal divisiveness um and that distrust of authority than to continually continually hammer at people in their in

their feeds of of what they should be believing in. What it does is it reinforces the divisiveness that we are all feeling. And you know, gone are the days where you could say, well, you know what, we're going to agree to disagree on politics, but we're still friends and we're going to go for a beer. Great. That that world unfortunately isn't there. Uh it's gonna that's going to take a lot of work to get back to that point. Can we ever? I don't know. I'm trying not to be really depressing on a Friday morning. But um but all that to say is the the ability of a threat actor to be able to especially as a nation

state come in. So that divisiveness so discord think of how much easier it is. You may never have to fire a weapon. You have basically collapsed a society from internally from within. the other. So I will add in there you have disguising real world real world actions. So think false flag. Somebody puts out a video that says so and so is doing this and that person or that entity or that organization or that country isn't doing that but now there's video out there so people are believing it. So these are all implications of just how badly uh we need to pay attention to this. I think this is one of the biggest issues currently facing

us from a national security level from a uh distrust of government level. So what what did we see how did we see this play out in sport? How did we see this play out in Paris? So all of these there was probably I think about 11 10 or 11 different narratives that were being tracked that were being put out there as influence campaigns. But we saw all these, you know, the Seine River being dyed blue, the French military, and and I will say that that one again, when you look at that one based on a kernel of truth, the angle that the picture was taken, um, and I don't know how people are going, well, you know, it it was the

Russian flag, it's also the colors of the French flag, but okay. Um, but it all depended on angle. So that's what I mean about context. It was a picture taken from an angle that was different than other angles and it looked like they were done the the fly past the angle looked like it was done in the order of the colors of the Russian flag rather than the French flag. This was you know debunked by you know pictures from the other angles but it doesn't matter that narrative got away like wildfire. So, and again, you look at that um the willingness or the the motivation of threat actors to sow that discord and and cultural divisiveness. You know, the

the IOC deleted the opening ceremony because people were upset that the um pagan ritual that was there was was a mockery of the last supper. It was yeah it the video wasn't available in some countries but that was basically because of the way that their um their you know policy is around videos and what is there but that video is still there but again a kernel of truth um buried underneath a bunch of of lies and mistruths. So how powerful is misinformation? So, you know, we talked about disinformation and how it can be used, but if you look at something, this was done, I want to say it's misinformation cuz I really don't believe that the um that the gu I

believe it was in the Guardian sent meant to put it out as a mistruth, but basically the headline read 6,500 migrant worker deaths in Qatar World Cup. So, context context is important. what it was trying to say and the headline was very uh not helpful. Now am I saying that there isn't uh you know human rights issues in Qatar? No, that is not what I'm saying. But what I am saying is presenting it in this way did a disservice for a lot of things because again it just show it just shows um distrust. But it was 6,500 deaths in the 10 years since the World Cup was was awarded. So if you want to dissect that and you look at it within

that that 10 years, yes, there was 6,500 deaths, but that was deaths of all migrants. So you see what I mean about that little piece of information, the way it was done. And this this headline was seized on and people were using it as like a a battlecry. So we know that there's misinformation, disinformation. We talked about all the layers of threat, the cyber thing. Who are our adversaries? So, we talked about nation state. Um, again, we have geopolitical agendas. So, it doesn't even have to be a um an aggressive uh attack. It is something that is done to to destabilize. So, what is the agenda? You have all these levels. I think I put

this up there and I organized them like this because they are all different groups. But I think the takeaway from this, what I need you to understand is these are all blurred. And the reason I say that is, you know, it you aren't going to look at a breach or an attack and go, "Oh, well, that's a nation state, so we're going to address it this way." And that one, those are just cyber criminals, so we're going to go this way. They're all blurring and they're all taking advantage and piggybacking on each other. So, if you think about it, if let's say for example um from a nation state they put out a thing saying

the train, you know, don't take the train in Toronto because the TTC is going to be um there's threats, credible threats to the TTC and that happened in Paris. Somebody put out a very real looking CIA bulletin warning of elevated threats to the metros for US travelers. So someone says that a nation state may have put that out, but an activist group may be like, "Oh, this is great because yes, that is um that is great. They're targeting the trains. Now is a good time for us to protest over here or for us to attack on this side." So it's opportunistic. It's where are they going to get the biggest bang for their buck. Sometimes they even coordinate together,

right? And so that's the part you need to remember is sometimes they actually seek out each other. Um and and what does that look like and why are they working together? Because truthfully, they collaborate better than we do. You know, I have people say to me, "Oh, Lena, you know, that's something we have that the threat actors don't have is that we work together and we collaborate." And I call BS on that. We don't collaborate. We don't work together. You still have silos. Well, public sector's over here, private is over here, academia is over here. uh this is something that they have they have managed to do so well because if you're a threat actor group and you know

that threat actor group is really good at something why would you replicate why reinvent the wheel they go to that threat group and be like hey you need to do this for us we'll split this we'll do this for you like they have it down way better than we do so the reason I put this up here is so that you know that we have a very big range of adversaries there's really like so many to choose from but they all are capable of working together and they you work together. So we talked about collaboration. So let's take a page out of their threat, out of their playbook. So I want you to think about these three

pieces. So are we using our expertise in the best way possible? I I would I would strongly tell you that we are not. Um how do we break down those silos? I will say in the federal government, we're really good at silos. Like really good. Like we have it down to a science, but we need to break those down. So, how do we break those down? And are we empowering our human firewall? Have we empowered our people to be able to come to us? So, if you have someone who's working security and are we empowering them to come to you and say, hey, something's really weird here. I need someone else to come and look at it. Or are we just basically

saying, you know, just shut up and do your job. Your job is just to guard a if you don't involve people as active participants, you are missing the boat on how to protect. So, I'm going to put this up as a blueprint, but I do want to talk to you about one thing. And this does go back to the whole piece of collaboration. So, in 9/11, when 9/11 happened, anyone any police officer who wasn't in a uniform put on um a uniform and had to guard. So, you guarded critical infrastructure, you guarded airports, you guarded uh financial, you guarded nuclear power plants, whatever. So my argument is to to counter this is in this day and age if we have a a 9 a

9/11 and if we do it will be cyber I like that is a given like why why risk they're not going to put people on a plane they don't need to put people on a plane it will be a cyber attack so what are you going to do put a bunch of police officers in uniforms to guard what laptops like and coming from that world I can tell you you know probably 80 85% of police officers are not cyber trained this is not their purview. They are I can arrest for robbery. I can do really good homicide investigations. I'm very good at national security, but they aren't trained for cyber. So, how do you supplement that? Do we wait till a

crisis? Do we wait till 9/11 and then run to all our private sector partners and be like, "Oh my god, you got to help us. We need help." No. You need to plan in advance. So, what does that look like? Why don't we have a cyber militia? In my mind, that is how you do it. You pre-vet. you proactively find people who are willing to step up and say, "Hey, me, I will come. I will help." Pre-vet them. Know who you're working with. Understand the value that people bring from the skills that you don't have because if threat actors can do it, we need to do it, but we need to do it better. So this is to me I look at FIFA as an

opportunity um not as a not as a negative even though I talked about all the negative and there's so much but it is an opportunity to showcase how we can all work together. So what does it look like when we do work together? When we genuinely collaborate don't just write collaborate and think that hey I'm good I wrote it down we're collaborating. No we're not collaborating. authentic. Be authentic. But this is a chance for us to show how we can bring together all aspects of security, whether it's digital, physical, um, you know, people, all of it. If we can bring that together and showcase it in something like FIFA, we can actually use that as a blueprint

for how we do it for the rest of our for the rest of our world. And that's it. I think I'm good for time. Thank you.

Uh any questions? I think we have time for one or two. Anyone? >> Or have I told Yeah. Go ahead. >> Yes. Yeah. And you should do and actually that's an excellent point. You should do tabletop exercises, but they can't just be within your own organization. I strongly encourage cross-sector and cross training because you are going to get threat actors that are going to target one aspect and then hit another. So do tabletop, but don't just do it as a tabletop when everybody's there on a Tuesday. This is probably my and I don't get me wrong, I I love tabletop exercises, but you can't just do them on a Tuesday morning when everybody is

there and your CISO is there and your tech team is there because when is it going to happen? Statistically speaking, 30% of the incidents will happen or you face a 30% increased risk of an event happening on a weekend on a holiday. So that's when it's going to happen. So does the poor person who's sitting uh there who is the decision maker know that they're the decision maker, know that they're the one that has to, you know, get that ball rolling. A lot of times they don't. So do a tabletop but also look at it from a crisis of we're going to do it and we're going to involve all our partners but we're going

to do it on a day where the person who's maybe three or four removed from the decision-making process knows that they are part of that decision-making we yeah we are doing it with some of our our uh our clients absolutely that's a really big part of preparing and it's all about what would you do in a crisis yeah 100%. Okay, thank you.

How's everyone doing? Hopefully it's been a good conference so far. Um, thanks thanks for having me. I know you guys uh I think the organizers asked for the commander to show up and uh unfortunately get me so kind of stuck with it. Um so today I'm just going to do a quick talk um and can enter hopefully I have time to entertain questions uh kind of at the end I'll get through some slides. There'll be some organizational stuff. I'll try to make it as less boring as possible. Uh but really what I want to try to get out there is is educate or inform people on what we are and why CAF cyber command has to exist. And so I'll use the term

CAF Cyber Command. So that's Canadian Armed Forces Cyber Command. Um we'll get into why we think it was a good idea to do that. Uh it's not just for having a cool name and not just be like everyone else. Um and uh let's go. All right. So first I'll just do a quick intro of uh who who is this guy up here talking? Um a little bit of my journey and and connection to this community. uh or at least I'll try to sell you that I've got a bit of a connection to the community as my journey did pass through uh BSides once uh or twice. So about 2012 I was kind of doing some graduate

studies at our military college and got a bit exposed uh to the cyber security nexus and one I think there was like one course that was offered at the time um and it was really cool. Before then I was like a big naysayer. I was kind of like, "This stuff doesn't matter." Like, "Come on. I just got to get on with the job." And I was an engineer at sea on warships just, you know, worried about whether I was going to get in trouble for moving a a cordless phone too close to a system. And I was like, "This is a bunch of garbage." Anyways, that all changed in 2012. I got hooked pretty quickly. Uh and then I spent you know

seven years trying to figure out how to secure warships which is a bit of a different problem and there's been talks in the past at BSides from different parts of the teams on what that looks like and kind of how complex it is. Uh how sometimes we make it more complex than it needs to be and how sometimes we aim too high uh and miss some of the low-hanging fruit. But really interesting stuff. Um got to dig into that for a long time. Although sometimes it felt like it was a bit of a burden. In that time though, I did come to BSides for my first time in 2014. So I don't know if is that the second one because there was

like a gap. It was 2010 and then there was a gap. Were there ones before that? There's four. Okay. Anyways, super awesome. I didn't go to any presentations. I just went and CTFed and said all the boring speakers like me were boring. So thanks for all those who uh pulled your head out of CTF. I don't know if there are any. I know a couple people talked to me and said, "Hey, we're not coming to your talk because we're doing fun stuff." That's okay. Um, and then I got a bit of a vacation from Navy Engineering. I went off to do a cyber operations task force, which was super awesome. It was my uh definitely a

vacation. I got to meet some great people. um some who are here today uh and kind of learn more about how the business actually got to be done and then you know continued to try to muddle my way through this community as a Navy engineer in a Navy that's still trying to find its way in this space and um and then got an opportunity to go down to the US to kind of look at what does this stuff look like the cyber domain look like at the strategic level which was super interesting and then that landed me in cyber command um which was kind of like a dream come true. A dream I never knew I had until I landed there. And a

dream I didn't even know was possible until like days before they're like, "Hey, there's this big program. You can go study cyber security and cyber domain operations at the national security strategy level." And I was like, "That exists? Awesome. So, let's go do that." And then I got so 2024 I came back from that and I've been in cyber command ever since. And hopefully you'll get a sense uh of where we're at and what what our journeys looked like in the last about year. Uh a little more than a year is my journey, but the command's only uh just over a year old. Um but uh that's my story. All right. Why why establish a cyber

command? For this community, it may make sense, may may not. Um for internal to the Canadian Armed Forces, it doesn't always make sense to everyone. and they don't understand why we need to focus and cohere our thoughts and efforts uh on a cyber domain. They get it, the internet's important and everyone uses computers, but they don't often think in depth about what that means. And so we have to face that as an institutional challenge and and what we're getting after. And I think it's not broadly not different than what you know corporations uh in private and even other parts of the public um areas have gone through as they evolve to understand how important it is and how

you have to focus and get your efforts sorted out. But really what we were trying to fix uh was kind of a command and control problem uh in that we already had organically established uh a number of organizations that were fighting and operating in the cyber domain in the space and we'll talk about what they were. So the so I'll say the tactical units. So the tactical units broadly have already existed. They pre-existed cyber command and the joke from the commander. So major general Jarker the guy on the right uh who's our commander right now he said the only thing we created on the day of cyber command establishment was his position. Everything else was just slammed

together of bits and pieces of organizations that were spread out all over. Um the big challenge that those organizations had wasn't about doing the business. Although there's always uh we could get now that I look at some of the audience I'm got to be cautious because they're going to come get me after and be like yeah we're not we're not doing the business right yet. Um and they're right in a lot of ways. But doing the business was not really the problem if you look at it from the big picture. It was about pulling it all together and making sure it was hooked in at the most senior levels of the organization. uh and I think this I I think this should

resonate kind of in private industry this is this is still a thing um at at times challenge depending on the maturity of the organization it's also uh across government can also be a bit of an issue but for us um when we talked about doing kind of strategic level uh planning and engagement so that's the chief of defense staff really presenting options to government for how we navigate and operate in the cyber domain this stuff was a bit buried under layers and layers of organizations and sometimes it would flip between military-only organizations and then to a civilian-led organization and then back to a military person and then eventually back up to the decision makers. And so, as you can

imagine, this caused some real challenges and that um the people who were doing the good work or trying to do the best work they could were often in the shadows. sometimes they wanted to be sometimes maybe they regret being pulled out of the shadows now uh because people know what you're doing and understand it a bit better but at times it's mostly not enabling for them to be kind of buried under all this noise and and people not really understanding the business. Um, and so what we did is we flattened all that, took all those headquarters and the multiple layers of decision makers and people who passed on emails to pass on emails and now we have

a direct line from the tactical units to the commander and then the commander, the chief of defense staff. So we're much better enabled um to to get after the business of joint war fighting in the cyber domain and electromagnetic spectrum. Um, I think also there's definitely side benefits. is it cohered the staff's effort. So we'll talk uh maybe a little bit uh maybe not. My efforts are really focused on the future force. Uh we will touch on it at the very end. um and trying to figure out what do we need to be and those efforts were disconnected from the units before, but as a single command really brought it together and cohered my effort towards making Cyber Command and all the

units better enabled and better positioned for the future fight. All right, this I'm not going to dive into the context. So I think we so this is part of this uh slide package or presentation is what we call our cyber command 101. So we're out in the world and in in the Canadian armed forces in government with uh industry and the public trying to educate people on what we are and so depending on your audience you you kind of need to go through this. So the top context I think is probably well known to this group. Um, if you showed up here, it took the effort to get here, you got a good sense for

things are things are happening in the cyber domain. And it's a challenge. It continues to be a challenge. It's uh used by nation states all the time. We are busier than ever as a cyber command uh getting after defending Canadian interests and operating uh under government authorized missions. Um, this doesn't slow down. It's not getting any easier. Um, and it's going to continue to be used uh kind of in conflict or in competition and uh used by adversaries against Canadians broadly. Um, and this is a problem. So, I think we all get that. You know, that's the context and the threats for us. So, just because everyone becomes aware or at least a few people are, that doesn't mean you ne

necessarily just someone shows up with a wheelbarrow full of money and says, "Hey, you got to go fix some stuff. go figure it out. You have to fight through it. You need policy coverage. You need, you know, government organizations to tell you you have a mission in there. And people will fight you and say, "Well, you don't have an approved mission. You're not actually supposed to do that." And you're like, "Well, we got to defend our networks." Like, come on. Um, and so you can see we've we've highlighted a bunch of the things over time. You can see kind of back to 2017 with strong, secure, and engaged. If you if you've read it, awesome. uh if you

haven't read it, okay, I had to read it, you know, as part of it. But there's some good stuff in there. Um and sometimes those words do get traction and sometimes they drag on. So you can see uh the SSE 87, 88, 89, 90. These are basically tasks the government gave the Canadian Armed Forces to get after. Some of them we've progressed reasonably well. Some of them we have a lot more work to do uh to meet those those objectives. Um, and just because it's written in a policy, uh, doesn't always mean you get the traction you think you should. Um, but obviously an initial start to government level recognition on the importance of what we have to get

after. And then most recently with Our North, Strong and Free, um, even simpler two two tasks and that's what I've highlighted there. stand up a cyber command, establish a a joint Canadian cyber operations capability with uh communication security establishment. So check we stood up a cyber command October of 2024. um our joint uh or I would I would call it an inter agency capability with communication security establishment was ongoing already and we continue to work that and build that out to be what the government needs um kind of for optionality against our adversaries. So kind of check and check. Uh but lots of work to do.

This slide really just trying to emphasize what what we are. Um because we're we're different than what we used to be in some respects. Um a little bit of a breakaway from what is the digital services group which is where we came from. Um, and just kind of trying to differentiate what we're focused on. And we we're still working on this because, you know, I get a lot of I get a lot of uh interaction with industry, which is awesome. I get to see all sorts of cool stuff that industry is doing and offering, but sometimes it's clear that they don't quite understand that uh difference. Uh, and that's on us for not explaining it. But really, we're we're

about operating in the domain. So we're really the cyber security uh operations side of the business uh in that we're not building the infrastructure. We just have to live with it. We have to try to fight through it. We have to try to get the adversary out of it. We need to find the adversary in it. Um strictly in the cyber defense side. Uh we'll talk about the other parts of the business as well. Um but this is really trying to highlight that and you'll note in there that we also use the term SIGINT. So signals intelligence and joint electronic warfare. So our kind of mission set is four war fighting functions. So and we'll talk more about

it. So offensive and defensive cyber operations, joint electronic warfare. So we can talk after about the definition of that. What does that mean? that that's really us dealing with uh transmissions and signals and and having influence on adversary uh RF systems or or radar systems etc. And then signals intelligence that's us listening on uh military missions listening to communications listening to transmissions in the RF spectrum uh and using that information to generate advantage. Um, these are all our things. And so when you look at it, you're like, well, why did you guys call yourself Cyber Command? Because you do more than that. And there's part of the team that's like, hey, we're not cyber guys

or I I would argue they are, but um we're more we're doing signals than the end of the spectrum. And uh the answer is well, most of our allies and nations went that way until the UK showed up and went, "Oh, we heard all your questions." So now they have a cyber and electromagnetic spectrum command or EM command, sorry. So anyways, you know, good for them and maybe that's the right name for us too. Uh but we're not going to change the name uh anytime soon. But it mean what I what I want to emphasize though is we encompass all of that. Um the second bullet really talks about our allies, partners. And so we have close

close partners with uh communication security establishment and we'll talk more about other government partners and allies and partners globally. So cyber is a team sport. You can't do it by yourself. Even the US and they'll admittedly say it. They can't do it all by themselves. It is a big cyberspace. It's a big world. Uh and in order for us to really uh get advantage over the adversary, we have to band together. So that's a key aspect of what we do. The third bullet's talking about pan domain operations. So this is really uh we we used to focus a lot on the joint. So that would be navy, army, air force or as the navy guys called it Jeremy

which is just a comment to say it's all about the army but or they think it is. Um really pan-domain means space, army, air force, navy, cyber. And so it's really as we fight in modern days, it's all aspects of warfare that come together across the board that matter to each other. And so we're a huge enabler because we cross uh we cross cut across all the domains. So Navy, Air Force, Army all rely on cyberspace to do the business they do. space. Is there any space space command or uh 3 CSD people in in the audience? I feel bad when I make fun of them when they're not here. Anyways, what's what's space uh

what's a space asset without cyber orbitable orbital debris? So, I usually tell that joke, but I got that from a space command guy in the US, so I feel like it's okay to say it. Anyway, super important domain we rely on. just can't do much without it these days. Um, but we have a clear implicated uh task uh to help support that and enable them and keep them uh doing the mission. And then the last one talking about a cyber resilient CAF. Um, we also have an obligation for being kind of the cyber domain expertise for the Canadian Armed Forces to make sure that everyone who relies on technology is able to be resilient through um through

the fight and kind of continue to rely on on those things that the adversary is going to try to take away or influence. And so that becomes uh an important aspect of what we do and get after. I think that's been up there long enough for people to read as they ignored what I said. So that's cool. Hopefully you weren't ignoring me. Um, I'm not going to read the mission and vision statements. I'm It's kind of a bit repetitive, but you can really see we really focus on those four war fighting areas are emphasized there in our mission. You can see partnership and capacity building. So again, this is the team sport thing. So you are as strong

as your weakest link. So as we band together in different regions of the globe um that face against uh different levels of threat from the adversaries um if we're partnering with them we're only as strong as we can make them. So we really need to uh uplift kind of everyone we work with. Uh so whether that's in Canada with government and industry, uh whether that's out of Canada with different areas of the world where we're all banded together as like-minded nations against uh people who want to um damage or destroy the way we live. And then the vision, you can see again it it it's pretty uh re-emphasizing uh on what we need to do and a bunch of

military jargon in there. uh but broadly that last line to enhance global security um and as well as uh focused on those four war fighting areas and of course we want to be world class. I think in a lot of ways we are uh but just because you're world class doesn't mean uh you don't have uh a lot of room to grow. I told them I'd be really quick but then I just realized I'm talking a lot for the first six slides. So see how we're doing. Just going to take a pause here. I'm just fighting through getting over a cold last week.

So, what do we do? So you can see up there we've kind of broken it down into kind of three buckets. One thing that a lot of people don't know we do, even inside the Canadian Armed Forces, is we provide kind of continuous indications and warnings. And this is us being out in the world listening to and understanding what our adversaries are planning, getting after, doing. And this enables us to keep Canadian Armed Forces members deployed globally or domestically safe. So I'm kind of covering across both domestic and expeditionary there. Of course we're responsible for defending the Canadian Armed Forces and DND networks. That's a team effort. It's not just us, but like I said, on the maneuver defense side, that's us in combination with other parts of the government. We play a role in the government cyber incident response, mainly when it affects DND/CAF systems. But we are a part of that and we work together with the rest of the government on that under the leadership of CSE, and we provide signals intelligence based on intelligence requirements. So this is normal military business. And then you can see expeditionary. We do a lot of the same things. Whenever we take Canadian Armed Forces personnel, assets, and put them globally, we have the same responsibility whether they're in Canada or outside of Canada. So those overlay kind of in the same ways, just not located in Canada. We do cyber effects globally. So when authorized by the government, we're out there shaping cyberspace and trying to make our adversaries' day a little worse. And that keeps us busy, and we do that, again, under authorized missions with our partner. Lastly, we maintain effort across kind of some key allies. So, NORAD, Five Eyes, so the, you know, the big five intelligence sharing nations, NATO, as well as other partners, and we get out in the world and help our partners' defense. So, you may or may not know, but we're persistently in Latvia on a cyber defense mission out there. And so, we have a task force that's deployed there all the time. We rotate it and they do great work with the Latvians. And so we get out in the world as well. So we're not just sticking at home defending our own stuff. We're also helping our allies out.

And then the last one is really talking about what I worry about day-to-day, is how do we build out the cyber force? Get the right people trained to the right level, generate the right numbers, shape into the force we need, get the capabilities we need. So technology, but the training as well, and the people to put it together to be able to get out and do the missions that we're assigned and predict what the new missions are that we might not be doing today that we have to do tomorrow, and be ready to do those when we're called upon. And then the last point is making sure that we're always mission assured in and through cyberspace. So everyone relies on cyberspace to get their job done. It's always easy to be like, "Well, I'll just go back to paper and pen, or grease pencil as the army guys say." And you're like, "Okay, we'll do it then." And then when you make them do it, they're like, "Wow, that really sucks. It's super slow and we haven't done it in a long time, so we're really rusty." And you're like, "Okay, so let's talk about mission assurance from the adversary in and through cyberspace and kind of get their planning going there and start thinking about that."

Oh. Oh, I almost skipped the org chart. So, in case some of you aren't military or haven't been exposed to military, every presentation is required to have an org chart. If I put that up and I didn't have an org chart, military police would come in, arrest me, and take me away. I feel like this is the least bad org chart I've ever put up. So, you're welcome. I didn't create it, so I'll find out who you should thank. Anyway, but this is how we're structured. So like I said, on operations, we have a direct line to the chief of defense staff through the commander, Digital Services Group. We were born of them. We're still tightly connected. They provide us money. It's important. They also provide a lot of services that we just couldn't grow into, as we're kind of a minimal sized command as we're established. So there's a lot of things that we can't necessarily do on our own that we rely on a bigger organization to help us out with. So they're definitely there. You can see the connection to Communications Security Establishment down when we plug into the cyber effects unit. Again, they're our key partner, and I would argue that they're a key partner across all four war fighting areas. Some are more nascent than others, but we are well integrated with them and rely on their capabilities, capacity and enterprise to get after the business, and in really awesome ways. So they are an organization we work with a lot, consistently and continuously. Across the bottom, and the next slide talks about who they are, you have what are our current units. We're growing. We may establish new units in the near future. We may not. We have Canadian Forces Station Leitrim, the Canadian Forces Electronic Warfare Center, Canadian Forces Network Operations Center. Our HQ we call a unit, but it's really just to make sure all the colonels and captains (Navy) aren't wandering around lost without guidance, and go to the right things on time. And then our cyber effects unit, which is integrated in with the Communications Security Establishment, and we'll talk about what they are now.

So I won't really read that. Talked a bit about the HQ. So there's a bunch of us that need coordination and organization and support, and that's really what they get after, really a critical enabling function for us to do the business as a command. Canadian Forces Station Leitrim, our oldest unit. You know, coming out of World War II, late years of World War II or mid years of World War II, doing signals intelligence for like 80 plus years. So, this has been around for a long time, you know, hanging out south of the city, pretty good digs down there. Free parking. It's a great spot. And they do really critical missions at the strategic level, operational level and tactical level. And again, in conjunction with Communications Security Establishment. Our Electronic Warfare Center. This is our joint EW nucleus unit. So we are growing in this space. That's a nascent space, but they do some really critical activities that deal with understanding what the adversary does with the electromagnetic spectrum. And they're a key enabler across the Canadian Armed Forces in keeping itself safe and enabling, especially when you look at kind of the fifth generation fighters that are coming and modern warfare. They are a key enabler for us to actually get after modern warfare. And we're looking to grow that space as well. Canadian Forces Network Operations Center. This is the cyber defense unit. I don't know why they named it the network operations center. It's a security operations center, but it also generates cyber defense task forces that go out in the world. Our network operations center is called the defoc, which I can't remember what it stands for, but it's not a security operations center. But for whatever reason, we decided to confuse people with the names. Maybe to give me an extra two minutes to talk about why we're bad at naming stuff. Anyways, cyber defense generates globally deployable cyber defense task forces as well as our security operations center for DND/CAF. And then the cyber effects unit. This is our offensive cyber unit, and they're doing authorized missions for the government right now, but they are integrating as part of that to establish a joint Canadian cyber operations capability the government tasked us to do in Our North, Strong and Free, and they are awesome key partners.

So you can see, it's the big wheel of pain. I can't remember what they call it. I think they call it the wheel of pain. But we work with everyone in the government. We are plugged in across those key areas. So there's some missing that we probably work with, but these are key organizations in the government on the right that we work with every day, and we have to, and I think it really just speaks to how it is a team sport no matter what level you look at. So when you look just in government, it takes a whole bunch of organizations working well together to get it done, and you know this is challenging. We have to plug into this. I've emphasized a bunch on CSE as our key partner, but we definitely have regular interaction with the rest of those organizations on a daily basis, and then not to mention internal to the Department of National Defence. Our list of global key partners is incorrect. There are many more that haven't been added there. But these are some of the key partners that we work with. We do exercises, training, uplift, operations. And we're out in the world doing that stuff every day. Sometimes it's almost too much. We can be stretched pretty thin because we're getting out in the world with all our partners, and all of them want more Canadians in their teams and working with them. So I think that's a good sign. But again, this is just the team sport side.

All right, we're almost to the end. So now this is the, so the first two parts, I think if you saw what the title of my presentation was, it was who we are, what we do and what we need to figure out. So I think we're through who we are and what we do. And now I'm trying to tell you what I think we need to figure out, because although we are out there doing the business and we're doing a good job at what we do, there's lots of room to improve and there's lots of stuff that we're not necessarily doing, we're not organized to do. But we know we have to, and there's just a ton to figure out. All right, I know I'm going slower than I said I was, but I'm almost done. So we're just about a year old, or just over a year old. So as you can imagine, if any organization of this complexity comes out after a year and they're just like firing on all cylinders, then good for them. But we are certainly riding the struggle bus up the hill of growth. And it's awesome. I'm not driving, I don't think. If I'm supposed to be driving, then that's a problem, because I'm definitely not hanging on to the wheel. I'm just looking out the window. So we've got a ton of stuff to get after. The demand is everywhere, as I noted. And we're trying to figure out how to develop in all those war fighting areas, which is something we weren't doing in the past. We were really just focused on a few niche areas of development. Now we're trying to do it all with the same team. And so that's a real stretch.

I noted there's a difference between what Digital Services does, and they're growing into really getting after what is a big task, to digitize something like the Canadian Armed Forces and the Department of National Defence. Huge task, and they're doing great work there, and we're trying to keep synced with them and figure out how we can maneuver to defend all the great stuff they add to the network and work with them as we kind of step into the future together. Real challenge. What I think this slide is really kind of pointed at is talking about trying to get people to think and understand what is the difference between building, engineering and maintaining cyberspace and operating in it. And we do maybe a little bit different separation of those duties. Sometimes it's not always the most efficient, but that's what we do. And we're still trying to figure out how to find the right balance between that. And then the last point is really we also really need to figure out how better to plug into industry to tap all your collective minds, for those who are from industry, and figure out how to solve hard problems together.

So these are just some bullets on, you know, what are we getting after? What do I lean into every day? Well, we're not the force, I could tell you that today we are not the force we need to be tomorrow, and like just tomorrow; we're also not the force we need to be for 5 years from now. Really hard to predict what 5 years from now looks like in this space. We're focused a little shallower, but we're trying to be more agile, and I spend a ton of effort, my team spends a ton of effort, trying to figure out what is the cyber force for the Canadian Armed Forces, for the Government of Canada, what does it look like and what do we have to do to get it there as fast as possible, because the adversary is not slowing down. Our biggest challenge is people. People are core to what we get after. And you'll note my little bearish on AI. I don't have time to get into that talk. I agree we have to use AI. We have to figure it out, but we also have to be realistic of what it can deliver to us in the next couple years. And so I don't see that we'll gain the enhancements that are advertised today immediately or fast enough to be able to have them in position ready to fight against an adversary tomorrow. Therefore, I've got to focus on people. And that's a big part of our growth, because they make up whatever force we have and will have for the next coming years. What are the capabilities I need for years from now or for tomorrow? Sometimes I don't know. So, we've got to figure that out, and sometimes industry tells us that. Sometimes we figure it out and we have to get industry to understand it in our context and help us build it.

And then kind of a couple bullets talking about this community. I use the term infosec. I don't know what the current term is for this community, but the infosec community, at least that's what it was when I was young. You know, some of you might want to join us. So, hopefully this brief will get you excited and go, maybe there's some stuff I can go do in uniform. That's great. Full or part-time, we've got opportunities. Come talk to me later. Some of you maybe will help us through commercial offerings. You might come to us with solutions, help us solve the problems. And then I just want to note that by doing what you do, you are all helping us get better as Canada. That helps the Canadian Armed Forces, because you're making the world more secure. So, keep doing that. I do appreciate it. And then the last one I've noted, we've got to figure out how to do better interface with industry. That's always a challenge in government. We're trying to figure it out, but we definitely want to adapt. We know we can be better. These are just some industry engagement slash points, things I want to do. I'm not going to talk to it, because that's it. And then in case you want to know who to blame for me showing up, those guys are in charge. Those are the unit commanders. They have a lot of power and do a lot of cool stuff. They don't have names there, but I made sure the ranks were all right there. So you can see Army, Navy, and Air Force. And yeah, that's my talk. Happy to take a few questions if there's time.

>> Yeah. Can you speak to integration with joint targeting initiatives?

>> Oh, sorry. I was looking for who asked that, because I was going to chuck something. No, I'm just kidding. Yeah, so joint targeting is a hard problem, because the joint targeting system is for how we plan to drop bombs in like protracted operations. Really challenging for cyber operations, especially on the offensive effects side, and even, I would say, on the electronic warfare effects side, because there's usually emergent properties that come up as you discover what you're doing and how the adversary target system looks. So we are hooked up with them on the strategic kind of how do we do joint targeting strategically. We are also working kind of on the inside to try to come up with how can we build up a proper and fit for purpose dynamic targeting approach to figure out how to maneuver and do the effects and deliver them, not six years from now. And how can we plan capability development, because often mission planners are like, we've got a problem we need to solve. Okay, well, when do you need to solve it? Well, like tomorrow. You're like, "Okay, well, unlike the bomb you might have on the shelf, I can't just pull that out, because I need to understand the problem. So, you've got to talk to me earlier." So, kind of an answer. We are definitely plugged in. It is an active area of focus for us to understand how to do better, because we know the kind of older system doesn't work for us perfectly. I think there was another one.

>> Within the reserve space operator, like, it's a very narrow skill set. Are you looking at expanding?

>> Yes. So yeah, two comments. So one, to be a reserve cyber operator, you don't need to have a diploma from a specific college. It is all learning assessed. So we'll take a look at what program you studied and what your experience and skills are and determine whether or not you meet what you've said is a fairly narrow thing, if that's what you want to do. For the wider problem of what are all these other things that cyber operators don't do, how are we getting after that? So Cyber Command is not specifically growing its non-commissioned member occupations wider than that. There are other ones. The Air Force has an occupation that is more flexible for specialists that have special skills to come in, that we're looking to leverage. It's not a Cyber Command occupation that we're looking to leverage. So I can probably talk to you about that afterwards. As well, you know, we're in the process of studying like a cyber officer occupation, which will provide a wider swath of skills and capabilities and needs. But that is something that's in progress right now and down the future. And that may offer more flexibility to get after what you want to say, but first we have to establish it Reg Force, and then reserve will quickly follow. So down the road. So I get what you're saying. But down the road, we need a bit more time to get it sorted out.

>> Why is recruitment so painful?

>> Why is recruiting so...

>> I'll give you an example. See, my son and his friends are in third year at Carleton computer science. They're in the cyber security stream. They've all applied for the Air Force signal corps. No response. Black hole. Nothing. No follow-up. They're all going to end up in the private sector. But they actually wanted to work with you.

>> Yeah. So, the chief of defense staff has put the pressure on the Canadian Forces Recruiting Group, which is separate from Cyber Command, to really improve their processes. I think we are starting to see very positive signs that they're improving that process. I don't personally have any answers for, like, I could tell you over a beer why I think it's painful, but I don't personally have any kind of official answers to say how we're going to get after improving it. But I know for certain we have seen positive improvements in the last year. It's got a long way to go. That is something that we raised as an issue to us, because of the pace we need to grow. We need that recruiting group to produce recruits for us to take, and we need more and more of those. As we grow cyber officer, that will give us levers to pull people like your son in that example into our occupation and put pressure on the recruiting group to pull those people in faster. But until then, we're at the mercy of them getting better at it. And they are getting better. So, we should probably give them a bit of pause to say they have made improvements, but certainly not enough for what we're facing. So, understand your frustration. Hopefully they'll stick it out and maybe circle back around and we'll get stuff fixed to pull them in, because we've got a lot of work to do.

>> Like you, yeah.

>> Okay.

>> Couldn't I have done that and stayed in the CAF?

>> Yeah. So I think, you know, whether or not the CAF will retain people who don't meet universality of service is a hot topic that is not a Cyber Command topic. So, you know, we've gone different directions on whether that's possible or not as an institution, and the current direction is not possible for retention in uniform. That said, from a Cyber Command perspective, we are looking at different ways to enable those with the right skills in a reserve capacity, but maybe a different capacity than what you're thinking of reserve, a reserve capacity that doesn't currently exist today. That wouldn't require the same things as you would to be like a Class A or Class B reservist. We are exploring and trying to figure that out, because we know we need to widen the net in industry and so we need to capture these people. Where I would say we are continuing to grow is we continue to grow, unlike a lot of other parts of the government right now. We're blessed to be growing in our civilian workforce, who are integrated into our units and organizations that do the missions every day. And so there are civilian opportunities with DND in the public service to bring those skills back to us. Sort of an answer, but yep. And there are many, I think we're trying to create new avenues to serve that haven't existed before. Those are to come, but public service is still integral to our capacity.

>> Okay, sir, you mentioned the creation of an officer cyber trade. I'm wondering how far out do you think that is, what kind of qualifications would you need to join, and how difficult of a process would it be to transfer from an NCM to that officer trade?

>> Okay, there's a lot of questions packed in.

>> Yeah, I'll keep it short.

>> How far out? Super hard to predict. Commander beats me up every meeting on where we're at on the progress on generating that occupation. It takes time. So I can't really predict how quickly we'll get there, but we're working. It is one of the higher priority activities for us. What does it look like? Well, we know that you don't want to be boxed into being like you need this degree or that education or that experience to become it. So we're trying to create a many paths solution that meets the aim, because it's a wide field that you need. And then the last question is how hard would it be to go from NCM to officer? I would say no harder than it is to go from NCM to officer right now. Except we are looking to have that as a key pathway to generate technical experts, from the non-commissioned members, to give them a path to cyber officer where they can remain and be focused technical experts, or domain experts if you will. So it will have probably an enhanced capacity to do that if we get the design right. So, no promises, but that is a design intent for us to be able to transition our senior folks into that. All right. Thanks.

Thank you very much. You're so many people. You're so kind. Thank you.

All right. So, this is my presentation, Defense Through Deception. It's a little project I've been working on for a little while. I'd like to show it off to the world here. All right. So, what we have for the presentation here is we're going to start with an intro. We're going to do a little bit of a mission. We're going to set the scene and the history of the landscape that I'm coming from. We're going to really start to talk about the deception, and that's where all the fun stuff is. We're going to talk about some real world considerations. And then kind of, you know, my future plans for this project. And then I'm going to have a question section.

>> Sorry. You want me to speak up?

>> Closer to the speaker.

>> Oh god. I'm sorry. All right. Sorry. So the plan is, we're going to talk about some real world considerations for the project and like this idea that I have and what my hopes and future plans are for it. And then with the question period I'm going to have a slide with all the links. So if you're really interested, it'll all be right there. All right. So before I start, yeah, I'm nervous. This is something. I've got this really crazy idea... You want to hold it? Okay. All right. Let's try this. I think that sounds a little more... Oh, thank you. Thank you. I got this crazy idea, but as we can see, my ability to put it into words is... Anyway, so who am I? My name's John Moore. I've been working in the IT industry for 25 or so years. The last 10 years, really seriously focusing on cyber security. And I've worked with literally thousands of different customers on all kinds of different problems. You name it, I've seen it. I'm a big proponent of open source. I love it. A lot of my project is based on open source. And then this idea, I've been working on this idea, low-key kind of side project, for coming up on just about 10 years. You know, just kind of making sense of everything. It's a crazy thing. I also told myself I need to get out of my comfort zone and, yeah, we're there.

All right. So, what's this idea? Like I said, it's this crazy idea I've been working on. It's taking the red, blue, purple team to a different kind of idea, a different twist on it. Not what we normally think of as purple teaming. You can think of it as a bit of a honeypot, but not quite. And there are some key differences. It's definitely not a replacement for any security practices. This is just something to take it to another level. And if you want to start to get an idea of what I'm talking about, if anybody's got your laptops and you've got some port scanners, you can just run nmap or a port scan on johnmore.duckdns.org, and then you can just, you know, start to get an idea of what I'm talking about.

All right. So, a little bit of laying of the scene. So, the traditional approach to network security is, you know, it's the old school stuff. It's just really we're only allowing and routing the ports and services that we are offering, right? And we're just dropping and not routing anything else. It's very passive. So, you just kind of set up your routes and then there you go. You're done. You forget about it. The problem with that is you're telling the attackers exactly what services you're offering and what services to target. And then when we talk about set and forget, the emphasis is maybe a little more on the forget, because you just set it and then like that's it. You never think about it again. Then we kind of matured network security, and just IT security matured, where we got a little more selective on protocol filtering. We start to get into web filtering, application filtering, right? We just bring that inspection up a few layers in the IP stack. The problem with this is filtering is easy to bypass, you know, and it could be misconfigured and misused, and, you know, just because you think you have it set up properly doesn't mean it is. And it's, you know, very static. You know, it just does your inspection until you get an update or a different rule set or something. Today, the more modern approach is a little bit more reactive. It's a faster reaction. It's reactive, where we're waiting for something to happen and then we're reacting to it. So like for our best zero day protection, that's kind of what we're seeing: we're seeing, you know, malware or something being triggered and then we're just reacting to it before it gets even worse. Sandboxing is the same kind of idea. You just set that off in a sandbox instead and, you know, wait to see what happens. The bigger problem with this is twofold. If you don't react properly and fast enough, you're just kind of doing too little too late, right? But on the flip side, if you react too quickly and too harshly, you start to impact business and users.

All right? So this is kind of where we are, how we got here, right? And this is the landscape that I'm coming from. So what do we do? You know, what's the plan? What are we talking about here? So I'm not looking to solve any of these problems. Just kind of talk about where they are, right? What we're talking about is fundamentally altering that playing field that they're coming from. Right? The short answer is that we give the adversary everything they're looking for, right? And how do we know what they're looking for? Well, we're the hackers here. We know exactly what they're looking for, right? But in more technical terms, they tell us exactly what they're looking for, right? And they tell us because, you know, if we think of a simple TCP connection, it's a SYN, SYN-ACK and ACK. What's the next piece in that puzzle? It's coming from the client. It's coming from the attacker, and it's telling us what they're looking for, right? And that ultimately determines the protocols and what's going on with that connection, right? And at a really basic level, everything really is just network connections. Even the handshake itself, that initial SYN, SYN-ACK, tells us a lot of what they're looking for, right? A SYN on port 22, you're looking for an SSH server, right? 80 and 443 is your web servers, file servers, DNS. That port tells us what they're looking for. All right. So, what do we do? We give them everything they think they're looking for, right? We flood them with realistic and fake looking services, but ultimately garbage data, right? We can just pretend to be a really bad drug pusher, right? If we don't got it, you don't want it. All right? So, I'm like, okay, but how? Right? So, how do we do this? We go back to those basics and kind of frustrate and troll the adversaries. That's what we're looking for. A simple answer is that we forward or NAT all of our unused ports and services to essentially a honeypot. Right? So if they're doing a port scan, we just give them all the ports. Right? If they're doing a SYN on an SSH port, we give them an SSH server or an SSH shell. Right? You want some emails, here's some emails. You want to send me some emails, I'll take it all. Right? You want some files, here's some trash. Yeah, sorry. We're going back to that.

All right. So, this is where we really get into the deception, right? So, like the level one, a real simple thing we can do is that we can forward all of our unused ports to like just this nc command. It's a very, very basic port responder. And you can just forward that to it and like there you go. There's a simple way to just respond to all ports. You can be fancy and set up a message of the day server, an ancient protocol that isn't used, but it still exists. Give them something. They're doing an nmap on port 17. Give them something. There's a project actually that does this at a very good level called Portspoof, you know, and then we can move that up a level. I've got a little telnet server running in little netcat, right? Like, you're looking for telnet. Here's some telnet. You know, you can set up some iperf and iperf3. Those are network bandwidth speed test applications. You can just set up some basic speed tests. You're not actually trying to test legit speed. You're just trying to give them garbage. You can set up an SSH honeypot. There's a couple of projects to accept all emails, right? And then just keep taking it up. Right now we're talking about making some fake DNS, right? You just set up a fake DNS and respond to everything with bogus IPs. Couple that up with a bad web server where you accept all URLs and domains. Suddenly everything's just forwarded to garbage. File servers, just give them actual garbage data. Give them files but with, you know, nothing in it or just random data in it. Same with emails. You can even just keep taking that up. This is kind of where I'm trying to get to. We can do some like active redirection. Everyone who's done some capture the flags and bug bounties, everyone's seen this. We all hate it. We get the page not founds, but it's an HTTP 200 code, right? So it's frustrating as a bug bounty hunter.

Frustrate your attackers with the exact same thing. Um and you know, the kind of list goes on. fake data across multiple services, right? So, you have a a database with uh other financial documents that all match up. Uh and you can start denying known password lists. It sounds like fun, right? But why why would we want to do this? And this is where we get get interesting is why we're doing this. We're not just trolling the attackers. That is is definitely a big inspiration. That's where I'm coming from. But I've got a proof of concept and it's showing uh decrease in attacks where you know you get lots of attacks and then we're just seeing port scans where you got multiple

daily to weekly to monthly and then just a decrease in pattern. IPS, ids all see that kind of repeating or downwards pattern until you get a new public IP uh where you get another spike again because it's a new public IP, but then the downwards tre it trends lower faster and it keeps doing that until eventually you're like at a very low level. Um, it gives us gives the attacker the the blue team a bit of breathing room in that it helps us eliminate noise uh noise connections from just attackers and bots kind of gets you it seems to get you off of a an active target list. So what we seem to see is um we see the kind this

kind of behavior where you know multiple port scans um all from a from a single or the same source IP. We see multiple port scans. We see them do an IPS uh uh alerts. We see them connect to SSH and a fake SSH shell where they try to exfiltrate some fake data and then they do that a couple more times and then they kind of stop until a new IP is assigned. Right? So, what we're what we see is we see them they're finding something that looks shiny. They're downloading what they think is some nice fancy goodies. They open it up and it's just a bunch of trash and they wasted all this time to to get nothing out of

it and they just after repeated frustration of seeing this again and again, they're just I'm not going to scan this IP anymore. Just get it off my list. All right. So, for for the sake of this conversation, there's two kinds of attackers that we're talking about. There's some highly motivated attackers and some opportunist attackers. Uh their motives and reasons and even their backing are kind of irrelevant. nation states and individual loan hackers can fit into either category. It's really about how much effort that group or you know is willing to put forth to get to their goal. So the highly motivated these are like they got they got no limits. They're they're going to get their goal. We see this

again and again that sufficiently resourced there's nothing that's going to stop them. If they really really want to get in they're going to get in. And it happens again and again. And we see it all over the news. There's an argument that there's nothing you can do to stop them because, you know, regardless of what uh defenses you put into place, they're just going to find a way to bypass it, which is kind of different from the opportunists, right? Where they they very much have a a a limit on how much effort they're willing to put into something to get something out of it. And, you know, it's got to be worth it to get out of it.

They're looking for, you know, low loweffort, high payout uh uh targets, right? We're talking about mass campaigns. Uh they're really like they're going after low hanging fruit is what they're doing, right? Um they're basically just businesses, right? They're just looking for lowhanging fruit with a high uh ROI, right? Your your return on investment. You just want to get a high payout. Um, for these ones, there very much is a threshold on how much effort they're willing to put forth to, you know, reach their goal, whatever that is. And this is where we're this is the uh the bigger majority of the attacks is the the the mass campaigns, the highly targeted attacks are uh very they're very niche. They're

few and far between and they're very very targeted. Um, and these mass campaigns are really the vast majority of what's hitting us. So now we're just trying to ease those out, right? So we're talking about they're going after the lowhanging fruit. We're just going to raise our fruit a little bit and we're going to put out some poison decoy fruit and then longterm we're just going to discourage them from hassling us and and looking at this anymore, right? We're increasing their cost of recon and analysis, right? with just by flooding them with data, right? We're just getting them just above where, you know, we're raising that the uh barrier to entry, right? So, it's just too much

trash for them to make sense of it, right? So, I I years ago I saw a video. This video kind of blew my mind because it was the same idea, but just a very different context because this is coming from George St. Pierre. He's a mixed martial arts artist, but he describes this idea, his idea, his different concept for martial arts, but it's very kind of relevant here, of course. Right. >> It's uh loud. Holy smokes. Sorry. Try that again. Sorry. Bear with me. I'm looking up. No, like flinching up. You want to load up the nervous system of your opponent by giving him different useless information to make him worry about. So, I'm faking I'm so he's

reacting and flinching of all the the stuff I'm giving it to him. In reality, maybe I want to relax. I don't want to attack him, but I'm like I'm looking up, you know, like flinching up. That's what I'm doing now is I'm loading up his nervous system, make him react. And by doing so, his reaction time will diminish because the it's like a muscle. The more rep you do, the more the muscle get tired. At one point, like you know, you can't lift as much weight. Same thing the nervous system. The more I make you react, the more tired you become. for your nervous system. Not physically, but it's a nervous system. The less performant you will become.

>> Yeah. So, when I saw that, I'm like, "Holy gez, this is this is exactly what I'm talking about, but just in a more, you know, real-time martial arts uh style." But that's kind of what we're talking about here, right? This is maybe another way of uh thinking about it, right? Like find Waldo, find the goodies in here. You're just flooding them with trash and hiding the good stuff. So, a couple of real world considerations on this, right? Because it sounds fancy. It sounds expensive and and all kinds of stuff. And actually, it's really simple. Uh my current PC is just like a little old desktop appliance. It's two cores, two gigs of RAM. Like, it's not anything fancy at

all. It's all open source software, a few custom scripts. Um, and you know, like I you'd set this up in a day or two or something. You know, you can just use an old decommissioned laptop. It's a piece of cake.

Sorry, give me a sec. All right. So for the hardware, we want to presume that the hardware is going to get compromised. So we don't want to just set this up as a VM deep in your VM farm. I mean, it's tempting, right? I could just set this up on a VM. Piece of cake. But we're sending all of our attackers there, so we need to assume that they're going to find some kind of jailbreak or VM bypass or exit. It might not be there. It might not be a documented CVE, but we've got to presume that they can do so. So we set this up on dedicated hardware up close to the source of the internet, your internet-facing firewall, with some very strict firewall rules, where you just set the device to anything on, well, they're referred to as bogon networks. It's not just the regular internal RFC 1918 ranges; it's a few more extra networks that should not be present on the internet. So basically you're setting up a DMZ, but not your actual DMZ. And you definitely want to set up some bandwidth and rate limiting. I have some rate limiting at 56k per second, just to simulate an old dial-up modem, kind of a joke. And I'm still passing like 750 gigs a month of just Telnet traffic at 56k a second. It's kind of crazy. So this is what we're talking about: we just want it right off of the network with no internal access, because we just want to presume it's going to get compromised.

So I've had this compared to port knocking. There's a fancy description for port knocking, but basically it's just that you don't expose your services until you get the special knock on a series of ports. This works if you're not offering publicly accessible services. If you don't have a website, it's fine to set this up, because you don't have anything happening out there. But the minute you have a publicly accessible service like a website, your presence is known. You're there. You've got a website. There's no denying that this IP is live. So what I'm talking about is not hiding our services. It's more of a distraction: look over there at all this other fancier stuff. Port knocking would be something stealthy and unseen. You don't know what's going on, kind of like a stealth bomber. But what we're talking about here is we're here, we're doing a thing. We're not hiding. We're in plain sight, but this is just one of our methods for how we're going to protect the thing we're doing.

So it sounds a lot like a honeypot, and it kind of is. There's another fancy description of a honeypot. A honeypot's great for adversary intelligence gathering. You're trying to trick them into thinking something's there, and you want them to show you their hand and spill the beans, and find out what all their fancy TTPs are. And that's not quite what we're doing here. I don't care if they spill their beans. We're not trying to get that, but if you do, I'll take it. We're just trying to distract you. Another thing that plays into something similar is canary tokens. Again, another fancy description. This is basically a canary in the coal mine. When these activities go off, you have reason to suspect something malicious is going on. It's kind of like internal trip wires. We expect that any files we put out on this thing are going to get used and opened, so you just want to be careful about setting up too many canary tokens, because then you're just going to flood yourself with too much stuff. So a different idea: your canary tokens are like the internal trip wires around your safe. Honeypots are like the researcher looking at a rat in a maze. What we're talking about here is maybe a little more like a fun house, just setting them all loose inside there. Or maybe it's a little more like the McCallister house, if you're a fan of Home Alone.

Thank you. So what about setting this up in the cloud? No, please don't do it. You have too little control on that public IP. Costs can quickly get way out of control. If you recall, earlier I mentioned 750 gigs per month on a 56k per second connection. That is very literally multiple 24/7 connections. They are just on 24/7 for the entire month. Now imagine doing that at max speed. Imagine those connections to your cloud, max speed, 24/7. It's a low-key war of attrition. If they DDoS you and take you out, hey, that's great. If they ransomware you and take you out, hey, that's great. If they bankrupt you because of your cloud bill, hey, that's great. You're still offline.

All right. So what's the plan? What's the future for this project of mine? I need to figure out how to better set it up. It's very, very manual right now. I've got all kinds of dreams and hopes and fancy stuff. How far I get along with it, I don't know. We'll see. But really, it's just that next step, a minimum viable product, as someone said earlier.

So what's the big picture here? What are we really trying to accomplish? Big picture, I'd love to see this as a mass deployment with everything centrally logged. There's a treasure trove of threat intel in all those connections that I've got. I've gone through hundreds of gigs of logs on connection details. I've gotten dozens and dozens of files that VirusTotal and everybody says are benign, but they're definitely not. There's nobody putting benign files there. And you can use this data to start easily identifying bot and human activity. So my really serious next steps: a deployable product, a minimum viable product. I just heard that term yesterday, so I didn't get to put it in there. I don't know how to really set it up, but that's what I'm looking for info on. The next real big thing is I need to prove this theory. Right now, it's just a proof of concept. I've got it set up in my basement. It's a residential IP. Sure, it's got a website, but I don't have thousands of users every day. So is that a real target? That's what I'd like to do: get this out to a real target and see if we see that same kind of decreasing trend in malicious activities. It's this crazy idea seeking a mature security program, because we definitely need to be mature, and definitely not in the cloud, please. All right, questions.

Can you speak for a moment to protecting the system?

>> Yeah, I wish I had a beam for that one. That's the funny thing. You don't. That's why you presume compromise at the very beginning, and then you set up those very strict firewall rules. Obviously we're trying to use secure stuff; we're trying to be smart about it, but you want to presume that that's what's going to happen. So you set it off in its own DMZ. So when it does happen, who cares? It can't reach anything. And then you just go back and blow it away, restart, and there you go.

>> Thanks for trying to learn. Every time I started to have a question, your slide came up going, "So, let me explain this." Awesome presentation. Thank you so much. I am a fan, so I'm a little biased, but my baby ethical hacker question is, have you looked at the other side of it? Have you figured out how to detect that it's the fun house or the McCallister house? Or is there a way so far that there are tells?

>> There are maybe a couple of tells if you're really familiar with the honeypot services, Calan specific. There are a few tells that you can see there, but that's kind of part of the plan, too. You want to make it as indistinguishable from real services as possible. My Telnet server is a perfect example. It's a genuine server. There's something there; it's not a fake server. You can connect with Telnet and you get something. It's really there. So you make it indistinguishable from what's real. Anybody else?

>> Hey, it was just to know, in your research, did it give you insight on how to protect the real stuff? Because if you're giving these goodies, this fun house, on port 22, for example, and then you do need a real SSH port, clearly it's going to have to be somewhere else. Just any insight maybe that you might have gathered.

>> Yeah. So that's maybe the limitation of this: you can only really do it with all of your unused ports. So everything else that's unused, right? If you think about your web server, does an internet web presence really have an SSH there? I mean, maybe it does, but if it doesn't, that's where we're forwarding into the fun house.

>> Hey, have you looked much at how to keep it fresh so that attackers don't, you know, eventually they'll get stale data, right?

>> Yeah. There are different projects that can generate fake data, so you can just kind of script that. Spicy autocorrect, also called AI, might fit into that really nicely, because you're using it to generate garbage. Hey, there you go.

>> Great. Thank you.

>> Super good talk. Can you hear me? Oh, there we go. I'm not good at this either. So, super good talk, man. Have you thought about leveraging, and this is something that just popped into my head, like a load balancer sort of style, where you could say if this comes from a potentially bad IP address based on known threat intel, that redirects to the fun house, where every service is fake, and only if it's not there, then it could go into the good stuff?

>> Yeah. Absolutely, if you can get that kind of configuration. But the downside of that is now you're getting a further step into the network, right? If we want to presume compromise, I mean, you can still maybe do it securely, and that's fine, but you just want to be careful about that. Questions? Anybody else? Another one.

>> Have you considered maybe using Nix to set up your project in the future? I see you've listed a lot of other things. I would assume you probably wouldn't want to use Docker, because you said something about VMs and containers. I think Nix would fit pretty well.

>> Yeah, I've thought about that. I've looked at the Nix project. I think it's interesting. There's just a lot of custom and specialized stuff going on. I just don't know how I would fit that in with Nix. Sorry, this guy. There's another one. We'll get to you afterwards.

>> Thank you very much. You said something very interesting toward the tail end of your talk, and I was wondering if you could elaborate on it briefly: the ability to detect human behavior versus bot behavior.

>> Yeah. There's a lot of interesting stuff with that. The quick story I've got for that is we can see some SSH connections where the connection very quickly runs a command, wget, and it downloads a file, but then, before the file has even finished downloading, we are already running the chmod command to make it executable, and then just after it finishes, we're finally trying to run it. The timing is all off, and it's very robotic: half second, half second, half second. Whereas for human activity, you see that it's typing on a keyboard. You see letters, you see backspaces, you have follow-up.

>> Cool. Is there any way to properly automate that, or is it human intervention to detect the bots always?

>> It's definitely possible to set up scripts that simulate that human typing. So yeah, it's absolutely maybe still a bot, but you've put in the bot to put in backspaces. It just seems rather inefficient for that kind of mass scale. So maybe it is, right? But it's that interesting telemetry that you gather over time, and like, oh, there's an interesting story to tell here.

>> Hey, thanks again. It was a really good presentation. My question was, earlier you were saying you were collecting a lot of data on portals and sites and stuff like that that even VirusTotal wasn't saying was malicious. So I was curious, what are you doing with that data? Are you sharing it with them? Are you saying, hey, you should add this to your list or consider it?

>> Yeah, not much, I'll be honest. And that's part of where I'm trying to go with this project and this talk and presenting it to everybody. I have all of this data that I don't know what to do with. I've thought of throwing it to VirusTotal, and I've done that, to a limited degree of success, but when the file is a shell script, a bash script that just runs wget to download another file, how really malicious is that? It sort of gets to some interesting analysis.

>> I was more focused on the web portals that are reaching out.

>> Sorry, which web portals?

>> Connections from sites that are showing up as malicious.

>> Oh, so it'd be just like IPs, so these source IPs that, if you throw them into GreyNoise, you can see, oh hey, this is a mass scanner that's known to mass scan the internet, or hey, no, this one actually is not a mass scanner, maybe this is something a little more interesting. And yeah, all that info is just kind of sitting there, to be honest. I had to run a script to just cycle through and delete old data, because it's just sitting there filling my hard drive.

Anybody else? Questions? Oh, we've got one over here.

>> Have you considered including a lot of garbage data at the end and then compressing it, so you're just wasting attacker compute?

>> Yeah. That's all in line, right? I don't have the specifics of working it. I've definitely thought of it. It'd be great.

>> You said one of your goals was to reduce the attacks over time.

>> Yeah.

>> Have you run this concept long enough to actually see that?

>> Yeah, I've been running this long term. It's been like 10 years. And I didn't realize it at the time, right? So I didn't make specific notes, and I don't have specific documented evidence, but definitely, absolutely. And that's kind of what I'm trying to do here too: get this out there and then get this to a real target who can maybe help start quantifying that. Like, I see this here in my proof of concept in my basement. Do you see this out in the real world?

>> Something government, always under attack.

>> Yeah, exactly. So it'd be nice to just frustrate them in turn and get them to quiet down a bit.

>> Yeah. Zip bombs. 100% zip bombs. That's what you want to do. Absolutely. Yes. Anybody else? I think we're done. All right, we're done. Thank you very much.

Awesome.

Thanks so much. I'm gonna have the panelists and our moderator come join me on the stage, please. And then I'll just say a few opening remarks and uh make introductions. >> We have Yeah, we have us all organized here. So, good afternoon everyone and welcome to Bsides. Uh my name is Erica Cogill and I'm here representing women in defense and security wids. Um, I am on the executive committee. It's a volunteer executive committee. Uh, and my role on there is VP community relations. And I'm also the director of marketing and communications for ADGA Group. It's a Canadian defense and security uh, company that delivers cyber security and technical solutions to the Canadian Armed Forces uh, government and

industry. So, uh, sincere thanks to Bsides and to, uh, Ottawa and to, uh, Jared, of course, for inviting WIDS to produce this, uh, spotlight session today. For anyone unfamiliar with WIDS, uh we're a national volunteer organization dedicated to advancing and supporting women across Canada's defense and security ecosystem. Today's uh discussion explores resilience from a human perspective. Uh we're fortunate enough to have an exceptional group of leaders here today that will share how community inclusion uh cross- sector collaboration play an essential role in building resilience. Uh, one of I'll just briefly say that one of the things that I've learned is that real inclusion isn't just about bringing someone to the table to be there just for the sake of being there.

It's about understanding how they want to contribute, their strengths, their instincts, their creativity, and making space for that um to meaningfully influence outcomes. So, without further ado, I will introduce our moderator, Amy Yei. Some of you may know her already. She's chief digital transformation officer and SVP ecosystems at C3SA and she's host of the Wired for Change podcast. I recommend everybody download it, listen to it. It's excellent. Amy has spent her career leading complex organizational transformations across healthcare critical infrastructure and the public sector. A global speaker, board member, and rep recipient of multiple leadership awards, including 40 in their 40s, Amy brings a rare combination of strategic insight and human- centered leadership that makes her the perfect guide for

today's conversation. Uh, next to Amy, we have Kelly Bradshaw. Kelly is senior manager policing and public safety at Accenture, and she's also on the WIDS executive committee as VP industry relations. She brings over 26 years with the RCMP where she held operational investigative and senior leadership roles across cyber crime, intelligence, financial crime, and international policing. She holds a master's degree in peace studies and conflict resolution and has led major safety, security, and modernization initiatives across public and private sectors. Next to Kelly is Amaly Deany. She is team lead of enterprise security monitoring at shared services Canada. She has built a multifaceted career in federal technology spanning software development, robotic process automation and cyber security. She is also the

co-founder of shared service Canada's women in cyber which is a community dedicated to elevating women across the federal cyber landscape and she's also a recipient of WID's 20 in their 20s recognition. Next is Dan Doran. He is vice president business development and marketing at ADGA Group. He brings over 25 years of experience across the Canadian Armed Forces, academia, and private industry. His background spans engineering, human security, and peace building, and strategic business leadership. He leads business development and innovative initiatives across defense, cyber, and secure digital systems, strengthening Canada's national security community. And finally, Ulrika Bargodalia, strategic global technology, business and public policy executive. A multilingual award-winning leader whose career spans six countries and more than

25 years, Olria has led national international portfolios in AI, cyber security quantum telecommunications and digital economy policy. She's chaired multiple national councils, uniting more than 200 organizations, and has been recognized as a WXN top 100 most powerful women in Canada Hall of Famer and an RBC top 25 Canadian immigrants. So, lots of accolades, lots of achievements up here on the stage. Amy, the floor is yours. >> Thank you so much, Erica. Thanks so much, everyone, for the warm welcome. And I don't know if there's ever been like a 20 under 20 and a 40 under 40 and a 100 under 100 I'm gonna say and all on the same panel uh before but it's a lot of numbers and it's my

honor and privilege to be here today uh with you um as uh also supporting uh besides for sure and uh who's enjoying like besides this year last couple of days. Yeah, it's so great to see you here and what a great way to spend a Friday afternoon. So as uh all of you in this crowd know in cyber security resilience is about more than just bouncing back. It's about the ability to anticipate, withstand, and adapt to threats while continuing to operate. That idea of operation under pressure is something that applies also to us as individuals, to our people, and to our communities. With that in mind, I'm going to ask our panelists, each of them, what resilience

brings to mind for them and how community might have shaped that journey. I'll kick kick us off. So, for me, resilience brings to mind a keynote I delivered in BC earlier this spring to a healthcare audience. My keynote was about shifting the framework or the framing of resilience from being just a cost center to something that delivers value and outcomes and has impact and what would happen if we did that. What impact would that have on weight times in healthcare on how we take care of people in our systems? One of the examples that I talked about was from Australia. In Australia, they have national programs that explicitly invest in community-led initiatives that build resilience. And the reason they do

this is because due to climate disasters, floods, and fires, they've discovered that so much of their strength lies in the resilience of the community and in community directed and community-led actions. Of course, we've seen some of that in Canada as well. And I'll say in Australia, the example was in Northern River. uh in the Northern River disaster that they had, it was neighbors uh with boats. It was community hubs um who eventually rescued people, kept them fed, and even kept their community of care, continuity of care when clinics no longer had access to their systems. In Canada, we have examples like in in BC with the floods, Fort McMurray, and of course, uh the ice storm where

neighbors, uh faith communities, uh indigenous guardians, advisers, volunteers all came together to really support at the end of the day. And that's what it means to me. It's it's about it's about connection. It's about knowing that neighbor down the street has had a problem or an accident and now there's, you know, someone alone at home taking care of their three young children, for example. It's about building on that connection and then building into that connection. And that's why I love this conversation today. It's about bringing people together and how we can have more impact with those connections that we build. Kelly, I'll turn it over to you. Keep >> I would say when I think about

resilience at the personal level, it's about showing up as your true self in the good times and the bad times on the good days, bad days. um and trusting your instincts. And also when you know in times where things don't go exactly how you want them to go or in times of failure, it's about being able to you know show up, learn from your mistakes, right? That's how you grow and making sure that as an individual and an organization you don't repeat those mistakes again. You learn from them and you become better. Um I also think resilience for me too is about having people in your life, whether it's friends or family or folks at work that

you trust or people in a community outside of work where you know that you can go and support each other and you know that you have trusted um allies that you feel safe bouncing ideas off of or um maybe having a cry on their shoulder when you need to. Um but it's about having that in place. Um, so that's what resilience means to me. >> That was interesting. I was uh also going to mention how my support system is really important for me to be resilient. I first need to be able to regulate my emotions. So I often rely on my people to go to them and maybe just vent or look for advice. But in the

context of my work in cyber security, often you don't have time to just make a call. So then I would turn to gratitude for my support network, and maybe I would think of instances where I had some advice and just ground myself with those memories. And so there's one in particular. My first impression of WIDS actually was at the award breakfast event, and the host, Katy Priestman, came to us, the 20 in Our 20s recipients, and she said, look around the room. There were maybe 700 to 800 people there and even more virtually, and she said every single person in this

room is there for you if you need them, but they're also rooting for you and they want you to succeed. So when I have, there are examples that come to mind, but like last year my director called me and he said, "Do you want to lead the recovery of a network that was targeted by a ransomware attack?" I was like, "Sure." But then I thought of that instance where Katy came to me and was like, "There are people behind you and there for you." And that gave me the strength to not panic in that moment. And so, yeah, emotional regulation is for me thinking about my community.

Okay, it works. Yeah, I think, you know, I don't really have a ton to add at this point because all the good answers have already been given. I'd suggest that resilience, you know, there's already been discussion about sort of that individual component of being individually resilient, learning from your mistakes, those kinds of things. And then the collective resilience. And I think that's where you ultimately want to go as a leader or as a member of an organization. And for that to happen, though, that collective strength and collective resilience, to me the only way to achieve

that is through trust, right? Creating those communities of trust within your organization. You know, if you imagine everybody on stage right now is a glass of water, and let's say everybody's glass is full except mine, that's empty, but we don't have a little connecting tube between our glasses. Well, everybody here is going to be fine except for me. But if there's that little connecting tube, or there's a trust relationship where everybody can pour a little bit of their own glass into mine, well then collectively now we've achieved a degree of resilience that we didn't have before. We may have had it individually but, you know, not collectively. Another piece, and this is more of a question because I don't

have an answer to this. It's something that I've thought about, certainly in the context of a military career, is that historically or traditionally, you know, when we think about resilience it's been associated with sort of toughness and these kinds of elements. And maybe there's a degree of truth to that. I don't know. But certainly, and Kelly can probably speak to this as well, this was always something that was really reinforced when we were going through training and when we lived through operations. And granted, when you're going through operations and you're going through training, you are building your community. You're building trust. You're often very young. You're looking for

acceptance. You're working together as a team in high stress environments. But the dark side I find of training and building resilience in that context, and then living and breathing that resilience you have when you're in a high stress operation, is also trauma. And then there's the million-dollar question, and I ask this, I don't have an answer: can you develop resilience without exposing the people that are going through that to a degree of trauma? Is there a correlation between the two, and then what's the upside and the downside? Because there are certainly downsides to prolonged exposure to trauma

that, you know, run counter to collective resilience. So I don't have an answer to that question, but it's something that I do think about. >> Yeah. Thank you. So Erica introduced me as somebody who has lived in six different countries, and for me resilience, if I look at the journey, really meant to always start again anew and find a community in those countries. So I'm originally from Germany, which is very easy to identify. I don't hide it, with the accent. And I wanted to joke actually and start off by saying I have, originally from Germany, a German education that makes you also resilient, because a lot of education, if you think

about it in different cultures and countries, you are being educated to accept failure; failure is something positive, you pick up the pieces and move on, and to be assertive, and it's okay to be assertive. But that's part of education. But going back to the six countries. So what I felt, where the resilience came in in the community, was, and I go back to about 20 years ago when I immigrated to Canada, to Nova Scotia actually, Halifax, to find a community that supports you as a newcomer, and to find a community also that supports you with your career plans and profession, and not to have to start all over again

from scratch. And it was the immigrant community, but then I very quickly realized if immigrants only talk to immigrants we are staying within our own community and don't go beyond this. And as I come from a history and career in tech where it was always very male-dominated, and I never felt, for me, as I used to be the only girl on a boys' soccer team, I never felt it was something too difficult to deal with. But on the other hand, taking that immigrant example, when I was looking at women's communities and women in tech, I said no, we actually need everybody in tech. And so for me resilience is to go

through all these stages, adapt very quickly, and look beyond the groups that you define as a closed community to a larger community, because that's where I think the inclusion and equity also comes into play. So that's basically how I see resilience and community connected, and of course it's a topic with much more to be said about it, but thank you. >> It is, and thanks so much for that. And so there's lots to talk about, as we can see here, and we certainly won't get through it all, and I'm sure that there are lots of thoughts that you have out there in the audience as well, your own experiences

with community and resilience, and resilience happens when everyone participates, and we've got everyone's skill sets and lived experiences all contributing to being prepared and then also responding and adapting. So I would encourage you to just see this as the beginning of a conversation, or perhaps a continuation of a conversation you're already having, and I won't be able to ask every participant every question. But I do hope that you see yourselves as part of this discussion as well, and share back with us or reach out to our panelists after the panel today. So, I'm going to ask a few questions about resilience from an organizational and systemic kind of

standpoint, and then follow up with some questions more from a personal resilience perspective, and then we'll wrap it up in the next half hour or so. All right, thanks so much. So, I'm going to start with systemic or organizational resilience and thinking about collaboration across sectors. And collaboration is something that we've been talking about throughout the conference. You heard it from Lina Dabit, our keynote this morning, as well, in terms of what real collaboration is and breaking down silos between public sector, private, academia, and grassroots as well. You know, I'm going to ask you, have you seen collaboration directly strengthen the resilience in your workplace or

organization? And this one is going to go to Kelly and then to Dan. >> Okay, thanks for the question. So when I think about my career in the RCMP, I think about teamwork. It's about teamwork, but it's not only about teamwork with who's in the uniform, right? We work with civilian members, public servants. We work with other police departments, whether it's locally or provincially or nationally. We work with international partners. We also worked closely with, you know, the security sector as well, right? So deconfliction with some other agencies in Canada. And so when I think about my work and being resilient and achieving results, it was about

teamwork. Like we can't do it by ourselves. We're better together. And so I think if I was to give, you know, what I think helped there, it's about relationships. It's not just working together to achieve a goal. It's about getting to know the people that you work with and establishing trust. I think I've heard trust a couple of times already, but relationships are so key in everything that we do. And it's about understanding each other. You know, you might not like everyone that you work with, but people bring different skills, different capabilities to the table, and it's learning how to work together to achieve the common objective and to be resilient to the threats, the

crime, the cyber attacks. It's about collaboration. It can't be done individually. It's not about the I. It's about the we. That's all I have to say about that. >> Thanks, Kelly. Dan. >> Yeah. I think, you know, it's funny. So the question that was asked is, have you seen collaboration directly strengthen resilience in your work organization? So I think Kelly fully answered that one. I'm going to go on the other side. I'm going to talk about some of the challenges maybe that inhibit or prevent that development of resilience. And I think the defense sector, interestingly, is a fascinating case study that we are all collectively

going to live over the next years, with respect to, you know, where that's going to go. I wish the stakes weren't so high. But this is the world we are living in now. But realistically now, and I'm not saying anything that you haven't probably read in the paper, there is a trust deficit within the defense sector between industry, the government, and the public with respect to who's doing what, who's responsible for what, how we are moving things forward. And if we're going to be successful in transforming the Canadian Forces like the prime minister wants to do, I think it's the big hurdle, the big cultural

hurdle that we are going to have to overcome in order to have, as one of the outcomes, a greater resilience from a national perspective, in the context of national defense. That trust piece is building trust, getting through that trust deficit, and Kelly nailed it on the head when she said it comes down to relationships, because the government has a bad habit of doing two things when things are difficult or going wrong: they stand up a new department to deal with whatever the new problem is, or they develop a whole bunch of new processes or regulations to try and mitigate or address some issue, when in reality

a lot of those things can just be addressed by two people that trust each other and that are in the right positions having a conversation and saying, look, what's really going on here, how do we address this, and how can we do it efficiently? Because what policies really do is, they are a documented manifestation of an absence of trust. I mean, that's what a contract is, right? It's here are the terms and conditions of how we want to do business. But if I'm lending my lawn mower to Kelly, I'm not asking her to sign a contract, because I trust that Kelly's going to mow her lawn and then

she's going to give me my lawn mower back. Right now, I'm not suggesting that's how we buy F-35s, but, you know, there's a middle ground, right? Where if we can build those trust relationships, if we can then achieve a greater degree of collaboration, that will then inherently create a more resilient defense sector within all components, whether it's the general public's trust in government and industry, industry's trust in government, and government's trust in industry. >> Thanks so much, Dan. You know, trust is such an important thing. I'm going to ask an ad hoc question here, and I do talk about trust a lot on my podcast. Not allowed to go off. >> Shameless plug. I'm going off script.

>> What do you think about the idea that, you know, trust is hard to build and easy to lose? And that idea that over time, because you alluded to, you know, time being kind of a factor here, and that deficit of trust are the words that you used. Any thoughts on whether or not that's true, and is that part of the challenge? >> Kelly, do you want to start, or was this directed? >> Either one of you can answer. Anyone can answer on this one. >> I've got a quick answer. I don't know. Maybe it's a hot take. I find, as someone in their late 40s, that my

threshold of trust has declined with age. When I was 18 and just joined the military, if I met another 18-year-old that I served with and, like, we had the same initials, I was like, I trust you. So the threshold was, hey, we're both in uniform, we're running around and we smell bad, like, great, let's be friends. And then, interestingly enough, and I think this does come with age, when you're young and you're seeking inclusion and acceptance and want to be one of the group, especially if you choose to wear a uniform, you're primed for that, right, at that age. And I think those trust relationships

that are built between, let's say, ages 18 to 25, for people that haven't served it tends to be university, right, frosh week and all that stuff, living in res together, all those things, you develop these trust relationships and you carry them with you. But as you get older, like, there's no frosh week for 45-year-olds, right? That's just called high-functioning alcoholism. So those environments don't exist anymore, and at the same time you're not at a point in your life where those things necessarily resonate. So I think trust is hard to grow, and I think it becomes harder with people at senior leadership positions because of their age, their

experience, their trauma that have undercut their ability to just trust somebody. And I think that's a human nature component that, again, is going to be really challenging to overcome. >> And I'll just say really quickly, I think trust is not a one-and-done, right? It's an investment of time. It's a commitment and it takes effort, and I think as I get older, for someone who's beyond their 40s, I choose a little more wisely where I focus my time and my energy and my efforts in that trust. >> Thanks, Kelly. Thanks, Dan. Thanks for indulging me on trust. I'm going to move on to our next question, which is about

adaptability under pressure. The defense and security landscape changes, you know, all the time, from cyber threats to global instability. What are some effective practices or tactics you have seen that help cultivate teams and cultures that adapt quickly without burning out, because that can be kind of an endless churn of having to adapt? So what are some practical things that you've seen that work in helping to do that? And I'm going to start with >> Yeah, thanks. I actually wanted to add one more thing to the trust question. I agree with everybody, with age it really changes a lot, and there's

something else: it's also when you are being asked to provide a signature or to accept certain terms and conditions, whether it's online or not, and you see that a lot of younger people haven't yet developed, maybe, the knowledge that there could be something hidden behind that acceptance button and providing your signature. So it's always a shout-out also to all of the social media enthusiasts: just be careful, right? And so, in terms of organizational resilience, I always felt that it's best built when you internally communicate well and openly and regularly, so everybody's on the same page and nobody feels out of the loop. Particularly with respect

to cyber security, also, how you build resilience. It is really cyber hygiene across teams, across departments, for everybody, and in particular in organizations who are usually not as familiar with what cyber preparedness means, and who often have told me, why would anybody come my way? I'm a small not-for-profit, or I'm an SME, and nobody would ever be interested in my data or in my product, and so forth. And so I've been working actually throughout my career with these kinds of organizations to ensure that they understand, no matter your size or where you're located or your product, you can all basically fall victim. And again, so communicating from those who know about it and have learned about it

builds the resilience for these organizations; they need a lot of help, sorry. But also, within organizations, that you have regular cyber training for all the team members, which I find doesn't happen often enough in terms of the regularity that is being applied. And I would even think that cyber training should be mandatory for organizations to build that resilience, and build it into people's performance reviews and say, if you haven't taken this training, and once a year isn't good enough. I mean, I really think it should be happening quarterly and people should be held accountable and responsible. And lastly, it has to come from the top, but not only the C-level; the board of

directors need to be as well. There has to be buy-in there; they need to be informed and they need to be cyber smart and be educated and prepared. >> All right. Enthusiasm for that preparedness that you're talking about. Thank you. Emily. >> Yeah. So, one strategy that I use in my team is really investing during slower cycles. So we never slack off in my team, and I found that we have benefited so much already; the service, the operations have matured. We have had some periods, just for more context. So we do enterprise security monitoring focusing on insider threats. We also have threat

detection engineering capabilities within my team. But we have, you could say, a certain pace we have with our constant operations, but then in addition to that we also have things that happen, maybe onboarding of a new system to our service. So that's where the threat detection engineering activities will ramp up, and then we have to deliver fast, so the pace is faster. But during those slower times we really take time to improve our processes, our documentation; we put in place new visualization, maybe, for our analysts, some more correlation that will reduce the investigation time, and that's where we

really see the benefit after that, when we have to be fast, when we have to operate at a faster pace. And just last week we welcomed a new team member; he has a lot of experience, over 18 years in that field, and he's worked in the public and private sector, and he's been telling us how we're the most well-organized team and we have the best documentation he has ever seen. So that's a comment that I will keep close to my heart. >> Thank you, Emily. Kelly. >> I'll try to be quick here, but for me, I love a good crisis. Like when you know what's hitting the fan, that's when I

perk up and it's when I'm at my best. Otherwise, I'm a little bit of a procrastinator, but I know not everyone is like that. But as an example, I think leadership can set the tone on how to be under pressure, how to lead the team. So it's so important under pressure to know your team, to make sure that people have good training, because muscle memory and your instincts come into play under pressure. Also it's about good communication. I can't think of one thing that I did in my policing career, or even now in my career with Accenture, that wasn't about having open communication. It's about meeting

with the group and having the group communication, so understanding where the group's at. It's taking the time one-on-one to have conversations with people and knowing some people's resilience or level of tolerance of certain things. Sometimes they need a break. It's okay. It doesn't mean you're weak. It means you're strong, because you notice it and you need a break. But it's really about, I think a lot of it's on the leaders to make sure you're setting the tone for your team. You know your team, you know them collectively and you know them individually, and you set them up for success. And just remembering not everyone loves a good crisis and is firing on all

cylinders when you know what's hitting the fan. >> That's right. There is some diversity there for sure, and I love your point about leaders modeling behaviors. That's really important to make it a safe space for those behaviors that you want to see. So that's great. Thank you. I'm going to ask a question about where the system comes from, right? When you're building the system, and I don't mean just a technical system, building a system having representation, inclusion: how can organizations ensure that diverse voices are not just included but really at the table, if they want to be, in building resilient systems? I'm going to ask Dan to start with this

one. >> So I'm going to be a little esoteric here for a second. If anybody ever went to Sea Pier, then you may have studied Plato's Republic, and you might have studied the allegory of the cave, where Plato describes a group of wise men that are looking at a wall in a cave, and they're looking at the shadows on the cave wall of what's going on outside the cave. They can't see what's going on outside the cave. They can just see the shadows, and their whole view of reality, or perception of reality, is predicated on the shadows that they're seeing on the wall. And then one of

the wise men leaves the cave, goes and sees what the real world is like, comes back to the cave, tells the other guys that stayed in the cave, and they throw rocks at him and say, "Get out of here. What you're talking about is farcical. It's not real. What we're looking at is real. We've spent our whole lives looking at this. We are experts at this. Get out of here with your crazy ideas. Go sell crazy somewhere else." And I think that speaks to one of the huge challenges in building resilient organizations, in building systems and structures: that often people that are institutionalized, people that have grown up in an

organization and become, you know, an expert or a seasoned senior leader within that organization, well, they're living in a cave, right? They may think that they know what they know, but they don't listen with the intent to be changed, if that makes sense. And I think that, to me, is the biggest element of creating representation. But then I'm going to sound like a broken record. It goes back to trust, right? And I can use a very specific example: Erica, who is the director of marketing at ADGA. I've known Erica for a number of

years. And over those years, we've developed a trust relationship. And when we started working together, you know, I had a lot of questions to ask her about marketing, about comms, about WIDS, about all these things. And in some cases they were questions that I had prior to having Erica with our team, but I did not have a trust relationship with anyone to the degree to be able to have these exchanges. And Erica got me out of my cave, I got Erica out of her cave, and we went and looked at each other's wall shadows and we were able to come away wiser from it. But it goes back to

that listening with the intent to be changed, as opposed to defending your own perspective as the absolute truth. So that, to me, would be that piece of getting towards inclusion and representation: really, you know, quoting Donald Rumsfeld, trying deeply to understand the unknown unknowns. >> Really well put. That has to be a conscious mindset shift for some people. For sure. Thank you. Yeah. I'm going to move on to some questions about personal resilience at this point. A question about mentorship and allies. Mentorship can play a big role in >> I think you skipped me for the >> I'm doing that in terms of time.

>> Yes. Sorry. >> I had some great ideas. Okay. >> You can save it till the end. I'll try to give you some time. Okay. >> Okay. >> Mentorship and allies. So mentorship can play a big role in how we navigate change and uncertainty. Has a mentor or ally helped you to build resilience at a key point in your career? And I'm going to go to Emily and Kelly on that one. Emily. >> Yes, of course. So, I have an amazing mentor I met two years ago at a conference, actually. She's, for context, the CIO of a crown corporation, and we were chatting with some of her

peers and I could see she was the younger one there. And I could see how great her insights were, and other people were looking at her and asking for her opinion most times. And then I was just looking at her, probably with stars in my eyes, and thinking, like, can I be you when I grow up? And then I asked her to be my mentor. She agreed. And for me, what my mentor has achieved really comes back to a metaphor I heard recently. It's the chained elephant. So when elephants are young, trainers would tie them with a chain to a stake in the ground, and they try to get free. They're

not strong enough. As they grow, they don't even try anymore to get free, just because they think they wouldn't be able to do it. So it comes back to limiting beliefs, and sometimes you don't realize yourself what you're capable of doing or how you can achieve your true potential. Also, my mentor, she hasn't broken the chains for me, but she told me, like, "You can do it." And I think sometimes that's all it takes. So, >> thank you. Kelly. >> I'll be quick. Yeah. So, I wouldn't have been able to get to where I got to in the RCMP without people who supported me and believed in me. Especially, you know, I was saying when

we all met that I wish I knew then what I know now. And I know that's often said, but just having the confidence that I have now when I was in my 20s, it would have been amazing. But I mean, that's the way we grow. But definitely, you know, I do believe in formal mentorship for sure, but I think I had a lot of informal, more like sponsorship, along the way, which really helped me believe in myself when maybe I didn't believe I could do it or didn't feel ready. I felt supported in things. I think that was so important, and something that I'm really enjoying now in this phase of

my life and where I'm at in my second career is I am so enjoying informally mentoring other men and women who are, you know, in their mid-30s, going for their career hard, and just offering words of guidance and advice when they ask, but just being kind of that lived experience and just trying to impart some of the mistakes I made or things that I wish I would have considered when I was making choices in my career. So, I'm really enjoying that. It actually fills my cup to be able to see other people succeed and achieve what they want to achieve in their careers. >> I

can see just from your expression how excited you are about it. Rick, I'm going to come back to you on the system building and inclusion, and as well, if you have any comments on mentorship, I'll ask you at this point as well. >> Okay. Thank you so much. Quickly. So, two things on systems. I wanted to look at them from an HR perspective and then a technical or technological perspective. Systems within an organization are, for example, your HR handbook, your employee handbook, and your policies. That's great. It's written. It's a certain system you follow and a process, but you never implement anything. So the policies are great on paper, but if they're not

being implemented through an inclusive and equitable lens, I always had that policy handbook; I mean, you can't really park it on the shelf. So that's the internal system where I really think that things need to change in some organizations. And from a technological perspective, a system is only as good, I feel, as the inclusion of the end user early on, because whatever systems or products and features and services we provide, we need to keep the end user, and a very diverse audience as well, in mind, because those will be our users. And so that's what I wanted to mention about systems: that often we talk about systemic

changes, and they need to be really applied, whether it's in the HR and human factor and also the technological factor, and when you code, we often talk about bias in algorithms, so that system needs to be addressed as well. Mentorship, I'll just quickly add: apart from mentorship, I think sponsorship is very important. Because while I am mentored as well, and was mentored, in addition to this, by many people in my life, men and women alike, I always felt the sponsorship is really what got me further. Somebody saying, you know, I offer you this new opportunity, I put you onto this board, or

would you like to be part of this committee. So you were visible, your voice was heard, and you weren't only mentored but you were really given the next step, and I think this is really an opportunity where we should be next and thinking about it. And it might not be a very popular comment, but I'll still make it, that most of my sponsors were actually men, not women. So, therefore, that's to my earlier comment: when you look at communities, you need to look beyond the community that you find yourself in, and it should be diverse and multicultural and include anybody, basically. Thank you. >> Yeah, I like that comment

quite a lot. It's popular here. I think we're okay with that. Thank you. And I liked your point also about including, you know, diverse users, and sometimes it's not just users, it's people who might be impacted by a system as well, so that you can avoid unintended consequences and those sorts of things also. So great points, thank you. So, staying grounded. So sometimes it's interesting to hear how leaders personally stay grounded during moments of, you know, needing resilience, when the pressure is high. You know, are there any practices or mindsets that you might share with the audience that you personally use to stay grounded

and to lead effectively? Anyone can answer this one. >> Breathe. >> Breathe. >> Breathing is really important. Really taking a few moments to take a few deep breaths before you react to something. Very helpful. >> Or walk around the block. >> Thank you. I heard once that you can trick your brain to think that your stress or your anxiety is actually, like, excitement. So if it's not true, don't tell me, because it's probably a possible effect. But it really works for me. So yeah, say that. >> Yeah, this is going to sound super cliche, but whatever. The army is full of cliches, I guess. But it is: trust your people, and don't let the perfect be

the enemy of the good. Right. The 80% solution on time is better than the 100% solution late or not at all. >> Yeah. I always think when the pressure is high, don't panic, slow down because this is also as we know from uh a lot of cyber incidents uh when we panic, we click that button or attachment and we do actually a lot of mistakes. So I often feel it goes a little with a breathing that um just slow down. It's and I and I often said to the teams I was working in as I worked in tech and digital uh economies and policies all my life. I'm we're not doing heart or brain surgery. This is we we're just doing

digital. However, I mean it's really coming back to the point to really slow down and um just assess the situation. I mean panic gets us uh nowhere and um so therefore uh the breathing the tricking the brain and what you as well mentioned then and just um ju just slow down and take a moment. >> Great. Excellent tips. Okay. So last question. I'm just going to ask for one takeaway from each of you for the audience. I'm going to start uh with at the end. Um just one takeaway. If you could leave the audience with one action or mindset that strengthens resilience through community uh in in your own world, what would it be? It is um for me also get out of your

comfort zone um in terms of building resilience and what I mean by this is as well when you go into different communities approach different communities you haven't been in contact with uh and this is again how you build larger communities and also your own resilience and you do learn a lot and grow a lot through that experience. >> Thank you. I would say certainly when if you're a team leader and this is hard for the reasons I I mentioned before start with trust. Don't see trust at least again tricking your brain. Don't start with trust having to be earned with your team. Start at a place of 100% trust and then let your team determine where that

goes from from that uh from that start point. Um, I I've found and again it's tricking the brain because again we don't have that natural habit. If I found that in doing that, you save yourself a lot of agony because 99% of the people you're going to work with are completely and totally trustworthy and they will work their butt off for you, especially if um they sense that you trust them um out of the starting gate. >> Thank you, Mike. Um, I would say find your people. We're we're social beings. So, I don't really see how we can truly be resilient if we don't have a support system. Um, I don't encounter many 27 year old women like me that are

franophhone and team lead and in my field and things like that. So, I join wids. I have a cyber security um group and yeah, just find your people, look for them. >> Yeah. In on that vein, I would say just join a group outside of work and get to know people from other like other walks of life or other types of work. It's amazing. Like it's about relationships and networking and I think you'll be surprised what doors that opens for you or for others around you. So join a group. Thanks, Kelly. Uh I would say uh well I guess uh I'm an engineer so I like to measure things. uh and uh sometimes if you shift your perspective

to looking at uh community and to resilience as a capability uh and measure it that way then uh then that can help sort of drive change in organizations as well. One example that I've used before is within healthcare uh thinking about um instead of just measuring you know the number of overtime hours logged measure the number of people who are crossrained uh in different areas from an organizational perspective. So thank you so much. Uh I don't I think we're out of time. I don't know that there's time for Q&A, but I really appreciate everyone's attention on a Friday afternoon and and thank you to the wonderful panelists and to Erica and to Wids. Thank you.

So, hi everyone. Thank you so much for being here. My name is Olivia Galucci and I'm a security engineer at Datadog, which is a security and observability company based in New York City. Today I'm going to be talking about cross-platform exploitation, specifically about how operating system architecture shapes binary exploits. I created this presentation because I realized around a year ago, actually, that a lot of the struggles I had with transferring my skills from one OS to another, mainly Linux to macOS (I know nothing about Windows), came from subpar understandings of the topics that we're about to discuss today, mainly the System V ABI, POSIX, the Unix philosophy and BSD.

Now let's start with an element that underpins a lot of binary exploitation techniques, which is the System V application binary interface, or ABI. The System V ABI defines an interface between application programs and the operating system. This specification dictates how different components like the processor, the operating system, and the compiled code interact. It governs essential processes such as function calls, argument passing, and how the stack is managed during program execution. Exploits often hinge on our ability to manipulate the stack, registers, and control flow, precisely the areas governed by this interface. So a weak understanding of the ABI led to a weak understanding of what I needed to accomplish as an attacker. One of the key roles of the ABI is to standardize how function calls are handled across compilers and architectures. For example, it specifies which registers are used for passing arguments to a function, where the return value is stored, and how the stack should be cleaned up after the function completes. When crafting an exploit, having this knowledge allows us to predict where values will be stored in memory and how we can manipulate that execution flow. To illustrate how the System V ABI works, let's consider a function call in assembly. In this example, you'll see how the ABI dictates registers and where they're used for arguments, and how the function's return value is handled. By exploiting vulnerabilities in this function call process, like buffer overflows, we can influence control flow and ultimately gain control over the execution of a program. Given how central the ABI is to binary exploitation, investing time into understanding what this is is a must, in my opinion.

Now that we have a foundational understanding of the System V ABI, let's move on to a key aspect of its operation: stack management. First, let's discuss the stack itself. The stack is a region of memory used to store function-specific information such as local variables and return addresses, which indicate where execution should continue after a function completes. It also holds function arguments that don't fit into registers, depending on the calling convention. And then understanding how the stack is handled under the ABI is

important, especially when it comes to managing local variables, return addresses, and function arguments, all of which are essential in binary exploitation. The two registers I needed to learn about were the stack pointer, or RSP, and the base pointer, or RBP. Also, RSP and RBP differ based on which architecture you're using. The RSP points to the top of the stack and is constantly changing as data is pushed onto or popped off the stack. The RBP, also known as the frame pointer, serves as a fixed reference point within the stack, helping to locate function parameters and local variables relative to that current stack frame. Understanding how the stack is then organized gives us insights into where return addresses and function arguments are stored. As a result, understanding stack management was imperative to me, since my goals often revolve around manipulating the stack structure to overwrite return addresses or control the flow of execution.

Now let's shift our focus to the role of POSIX standards in binary exploitation. So POSIX, or the Portable Operating System Interface, defines a set of standards that aim to maintain compatibility between Unix-like operating systems. This allows applications to interact with the underlying OS in a consistent and predictable way, which is incredibly important for developing and porting exploits across platforms. One of the key advantages of POSIX is the cross-platform portability it enables. Since many OSes are POSIX compliant, an exploit developed for one system might be adapted with minimal changes for another. For example, system calls such as file I/O operations are standardized under POSIX, which means an exploit leveraging these system calls on one platform might be more easily translated to another. To illustrate this, let's consider file I/O operations using POSIX-compliant systems. These system calls would be things like open, read or write. These system calls work the same way across all POSIX-compliant systems, providing a consistent interface for interacting with files. This allows us to craft viable exploits that work with limited modifications across different platforms, maximizing the effectiveness of our exploit and the knowledge that we currently have. Additionally, POSIX governs threading and signal handling, both of which are important when it comes to exploitation. Threads introduce new attack vectors such as race conditions, where we can exploit the timing between threads to corrupt memory or influence program behavior. Similarly, signal handling, such as the way an OS manages interrupts, can be leveraged to manipulate a program's flow or trigger specific actions under certain conditions. I wrote a whole article on this, which you can find on my blog if you're interested in these types of attacks specifically. So by understanding POSIX standards and how they influence system behavior, I was able to learn how exploits I made for one OS might transfer over to another and recognize the patterns of when something involving POSIX's

transferability might apply. Now let's examine how the Unix philosophy can streamline operations through patterns that we can potentially exploit. One of the core principles of Unix is its modular design. In Unix-like systems, small single-purpose tools are designed to perform one task well, and these tools can be combined or chained through mechanisms like pipes. This modular approach often offers flexibility to build complex workflows by chaining together these simple commands. However, this introduces opportunities for exploitation, particularly when user input is passed between commands. Thus, this modularity can then be helpful for binary exploitation. Many binaries in Unix systems rely on external programs or libraries to perform tasks, meaning that if we can control or influence these interactions, we may be able to hijack that process. So consider how user input is passed into system utilities within a binary. If that input isn't properly sanitized, we can craft inputs to manipulate the underlying system calls, potentially leading to vulnerabilities like buffer overflows or command injection. A great example, and a very old example, of this was Shellshock, which exploited how Unix systems used the bash shell, allowing us to inject malicious commands via environment variables. Here, bash had a flaw where it would execute malicious commands contained in environment variables, since the input wasn't properly sanitized. Instead of corrupting memory, we manipulate the environment variable to inject malicious commands. When bash executes these variables, it inadvertently runs the injected commands, enabling remote code execution. While Shellshock is not a classic example of memory corruption like buffer overflows or heap corruption, it's still a form of binary exploitation through command injection. This is exacerbated by the predictable behavior of Unix systems. The same features that make them powerful and modular also provide us with the patterns that we need to transfer exploits.

My last topic is the Berkeley Software Distribution, or BSD, and its influence on shaping architecture and how we think about memory management within binary exploitation. BSD implemented features like virtual memory, copy-on-write and memory-mapped files, all of which have a direct impact on how applications interact with system memory and, by extension, how we

approach exploiting these systems. Now I'm going to cover each of these things, virtual memory, copy-on-write and memory-mapped files, in some depth, and then how it relates to BSD and architecture, before continuing in a broader sense. Unfortunately this is going to be a rather long detour, but I think these concepts are important to understanding how deep differences can go in some areas, as well as finding out where behaviors overlap in architectures. To start off with the BSD traits I previously listed, virtual memory is a hardware/software abstraction that gives processes the illusion of a large contiguous address space, isolating them from each other and from physical memory details. The OS maps each process's virtual addresses to physical RAM or disk-backed swap, which are on-disk spaces that are used to hold inactive memory pages when RAM fills up. And then it maps these processes' virtual addresses via an MMU and page tables. For reference, an MMU, or memory management unit, is a hardware component that translates CPU-generated virtual addresses into physical memory addresses using page tables. And then page tables are the data structures that the OS and the MMU use to map each virtual page number to its physical frame and then enforce per-page access permissions. This lets the program run as if it had more memory than physically present through a process called paging. This paging also enforces protection and isolation, meaning each process only sees its own memory. In security terms, virtual memory provides memory isolation, aka preventing one process from reading another's pages. It also provides controlled sharing, for example through shared mappings or copy-on-write. It's kind of like a bank of safety deposit boxes. Each customer gets a locked box that only they can open, so nobody else can peek at their valuables. Memory isolation essentially keeps these processes' data just as securely partitioned. And in this diagram, you can see how an MMU takes a virtual address split into a base page and an offset and then replaces the base page with a physical frame number from a relocation register and then adds that offset to get the final physical address.

Notably, these virtual memory implementations will vary by architecture. x86 adds segmentation and uses multi-level page tables with canonical addresses. ARM uses TTBR registers with different page sizes and TLB behaviors. Thus, exploit techniques like address calculations, TLB flushes, and smuggled faults must adapt to each ISA's virtual memory scheme. So, let's look at a BSD example of this. FreeBSD's virtual memory drives everything through explicit vm_object and vm_page structures. It sorts pages and optimizes CPU cache locality and then shares that same unified buffer cache for both anonymous and file-backed data. NetBSD and OpenBSD's UVM, which is essentially just a different type of BSD virtual memory, also builds on virtual memory objects, but leans into higher-level sharing features, things like zero-copy page loan-out, whole-region map entry passing and a simplified MAC-style copy-on-write layer rather than FreeBSD's cache tuning focus. So if you could imagine your operating system's memory as like a big library of books that these programs check out and return, you can think of the library books representing physical RAM pages, where both FreeBSD and NetBSD/OpenBSD organize and share these books using virtual objects, but then they tune or extend their system, aka their library, in different ways. Knowing how virtual memory works, so how the MMU and page tables enforce per-process isolation, permissions, ASLR, and CAL, which are all things we'll cover later, lets us try to predict or manipulate these address layouts, bypass no-execute bits or craft reads like ROP chains and heap sprays and all of that that will subvert these protections.

Now, there's other areas with just as much complexity surrounding architecture differences as virtual memory. For example, copy-on-write, or COW, is a technique where initially shared pages are only duplicated when a write occurs. In OS terms, COW lets the kernel postpone copying memory until needed. Here you can think of two roommates sharing a single cookbook. Each can read any recipe page freely, but neither is

allowed to jot on that original book. The moment that one of them wants to jot a note or tweak a recipe, they have to make a personal copy, like they'll take a picture or a photocopy of that page and then write only on their copy. This leaves that roommate's copies, if they have any, and that original cookbook unchanged, and then, you know, no extra copies are needed until someone actually needs to edit something or change something. It's left alone otherwise. A classic use of this copy-on-write is fork. This diagram illustrates the typical Unix process life cycle around fork. A parent process A calls fork to create child B, which may exec a new program and then exit and become a zombie until the parent calls wait to reap it and clean up the process table. It also shows the delivery of a SIGCHLD signal to the parent when that child exits. For reference, SIGCHLD is the POSIX signal (remember POSIX) that is delivered to a parent process whenever one of its child processes stops, terminates or resumes after being stopped. In general with fork, the child and parent initially share the same memory pages, marked as read-only. And then on a write fault, which is the type of fault that occurs when a program tries to write to a page with read-only permissions, the kernel will then catch it, allocate a new page, copy the data and then let that process continue. This avoids the costly immediate copy on fork if the pages are never modified. In this situation, these immediate copies are costly because it duplicates the entire parent process address space up front, copying every single page regardless of whether or not it's being modified, and this just incurs a lot of unnecessary time and memory overhead. Right? So if we take a look at this from a security standpoint, COW ensures that after a fork, a change in one process's virtual memory does not affect the other, because the kernel breaks that sharing on write. And as you can see here, after a fork, both the parent and child point their code, read-only data and heap pages at the same physical frames. Only when one process writes to the heap does the kernel allocate a new copy of that frame for it, leaving the other process still referencing that original frame. And essentially what this does, this illustrates the essence of copy-on-write, which is share until write, then copy. Now, you're probably like, Olivia, oh my god, what does this have to do with architecture exploitation? Well, COW causes any write to a shared page to fault and be duplicated, which is a behavior that is consistent across platforms. By knowing how each CPU marks and traps COW pages, so x86's write-protect bit versus ARM's page permissions, we can try to predictably induce page faults and then leverage them for read, write, and leakage attacks on both x86 and ARM.

Lastly, we have memory-mapped files. So a memory-mapped file is a region of a process's virtual address space that corresponds directly to a file or a file-like resource. And then after using mmap, the process can read and write that mapped region as if it was virtual memory. The underlying page then faults and will load and store that data to a file. You can think of these memory-mapped files like laying a clear plastic sheet over a page in a book. A

read would then be like seeing, like you can just see text if you have a clear piece of plastic, right? And then a write would then let you jot notes on that plastic. And then with a private mapping, aka COW, it's as if you're using a disposable overlay. Your scribbles will stay on that sheet and won't go anywhere, but you'll never actually mark up that original book. So the benefit to memory-mapped files then is that it's often faster and more convenient than read/write I/O for things like random access or shared memory. And in security terms, the OS enforces these file permissions on the mapping. And this involves things, if you've ever heard of PROT_READ or PROT_WRITE; it's like a little code that looks like PROT_READ or PROT_WRITE, that's what this is referring to. Thus, the mapping obeys COW semantics if it's private. So writes won't alter the file unless it's explicitly shared. And then this diagram here is maybe a diagram you guys have seen before, where it's like a database file on disk that's memory-mapped into a process's virtual memory address space. And yeah, so that's pretty much what that is. And then, okay, yeah, to bring this back to BSD, every mmap call, every one that, like, loads your executable's code and data segments, will then go through this same UVM or vnode pager machinery. So you'll get these file-backed VM objects, unified buffer caches, COW shadows for private maps and even BSD-specific flags like MAP_NOSYNC or MAP_WIRED. And for reference, just because I know that's kind of obscure, MAP_PRIVATE creates a COW private mapping, MAP_WIRED pins pages in RAM so they won't be paged out, and then MAP_NOSYNC suppresses these automatic disk syncs. And then these flags just pretty much exist so that they give control over these file-backed VM objects, unified buffer caching, COW shadows, and any sort of performance and consistency tradeoffs. But that's again a little more obscure, right? And then in terms of cross-platform exploitation, this behavior, like these flags, is then defined by BSD's kernel's virtual memory system and not by the CPU instruction set architecture. So you have to know the differences between, you know, what's going to be defined by the ISA, the ABI or the CPU and all that stuff. So in this specific case, these ones will actually behave the same on x86 and ARM, aside from any sort of architecture-specific page sizes or cache management details. And thus understanding how BSD lays out and protects these mappings, like how it chooses addresses and enforces permission bits and handles faults and COWs, is important when you're trying to now poke at a program's memory to build a ROP chain or bypass ASLR, which again are things that we'll cover later. So when you decide to exploit a binary across different ISAs, you must adapt to each platform's page size and various other things that we don't have time to cover today, like alignment rules, endianness and TLB behaviors and virtual memory permission encodings, as well as any sort of OS-specific loader information that would be relevant. And here the reason why I'm covering this is that learning about virtual memory models to predict where code and data will live in memory and what protections I'll face really helped me learn how to craft read-related exploits that might work on a given architecture and OS. With that said, we can go back to the

BSD overview and then compare System V and BSD memory management and how they influence these exploit strategies. Under the System V approach, memory management is much more rigid, and I've often encountered fewer dynamic optimizations like copy-on-write, or COW. This can sometimes make traditional memory exploits such as buffer overflows or stack smashing more predictable and easier to execute. On the other hand, BSD's management includes additional layers of protection and abstraction, making exploitation a lot more complicated but not impossible. Then when targeting BSD-based systems, we need to account for these defenses and then develop alternative strategies to exploit memory vulnerabilities. And understanding these differences in memory management is now crucial for when we're trying to transfer these exploits. But this skill is unfortunately often skipped over or maybe even unrealistic to cover in some cases when teaching about these topics.

So now we're at this point in history where you might be wondering, what are these additional defenses that can make exploiting BSD complicated, at least for me? Well, there's actually quite a few, and they keep improving, but the most common ones that apply to both System V and BSD and can impact transferability are ASLR and write XOR execute. First, ASLR, or address space layout randomization, randomizes the memory addresses used by system and application components, making it much harder for us to predict where our exploit payload will land in memory. In the past, exploits often relied on knowing the exact memory locations of key data or code. But with ASLR in place, those addresses are randomized every time a program runs. Next we have write XOR execute, or the write XOR execute policy, which ensures that memory can either be writable or executable, but never both at the same time. This prevents us from injecting malicious code into a writable memory segment and then executing it from that same location, reducing the effectiveness of code injection attacks. Thus we've had to shift strategies towards things like code reuse attacks, like return-oriented programming, or ROP. Lastly, we need to talk about stack canaries, which protect against stack-based buffer overflows by placing a small random value between a function's local variables and control data like the return address. When the function exits, the program checks to see if that canary has changed. If a buffer overflow alters the canary, the program will then terminate, preventing control flow hijacking. This makes it harder to execute simple buffer overflow attacks, as we must then bypass or defeat that canary. Each of these features, ASLR, write XOR execute and stack canaries, creates additional layers of complexity for us. And then understanding how these mechanisms work, how they differ across OSes and architectures, impacted how well I was circumventing them, because quite frankly I didn't know that there was going to be a difference between them. So in conclusion, what did we learn

today? First, we looked at how the System V ABI dictates how functions manage the stack, registers and control flow. Next, we examined stack management, learning about how stack operations, especially the use of RSP and RBP, enable control over return addresses and local variables. We also covered POSIX standards. POSIX standardization facilitates that cross-platform exploit portability by providing a consistent API across Unix-like systems, especially for things like system calls, threads and signals. We learned about the Unix philosophy and how the modularity of Unix utilities can be leveraged for exploitation, especially through command injection and poorly sanitized inputs. The BSD architecture was also discussed. BSD's memory management features like virtual memory, copy-on-write and all that other stuff introduce additional layers of abstraction and protection, which influence these exploit strategies when compared to the System V systems. And then lastly, we covered security mechanisms such as ASLR, write XOR execute policies and stack canaries. All of these things together complicate binary exploitation, and understanding their implementations is key to developing bypasses. So in summary, the System V ABI, POSIX, the Unix philosophy and BSD, and honestly anything that relates to memory management, were all topics that helped me learn how to transfer my security skills from one OS to another. I highly recommend, if you're someone struggling to exploit vulnerabilities on systems less familiar to you, to check out these and similar topics on your OS of choice and on the OS that you're familiar with, because at least for me it was a lacking understanding of these fundamentals that made my life more difficult than it needed to be. If you want to reach out to me afterwards, that's how you can find me. Yeah, so thank you so much for attending my presentation. I hope you all enjoyed it. And if you like macOS, thank you. If you like macOS specifically, I have a newsletter; it's called RT to read. It's available on my blog. That's kind of my favorite thing to talk about and what I know the most about of the security topics. So, yeah.

Thank you.

So yeah, hi. If anyone has >> Hi. Um, if anyone has questions, let me know. I will say um when I've given these types of presentations in the past, a lot of times people have asked me like really specific questions including like how to debug their current like Gedra environment. So, if that's the type of question you have, you're going to have to send me screenshots. I can't do that from up front. Um, but if you have like a overview question um that doesn't require screenshots or anything like that, please please let me know. So, there's two.

>> I can hear him. I'm not sure. Uh, >> yes. Um, so on my blog there is this, it's funny. I someone tweeted at me on Twitter. They were like, "This is a terrible blog post. There's so much information and it's terribly disorganized." But anyways, it kind of follows uh this presentation in a way and it it covers all of these areas which like I just were so confusing to me. Um, and within that blog post, I have a ton of links like where I learned about plastics, where I learned about this, where I learned about that. And one of the things that, uh, unfortunately I didn't do in that blog post, but I started doing in future blog

post because of this, is that I include a link of a list of references at the end and how and why I used them. Um, so yeah, hopefully hopefully that's helpful. Um, it is a picture with a stock image of a snowy mountain in I think Switzerland. So that's the one it and it's like how I think it's like how Pix stuff messed up my understanding. >> Sorry. >> I think it's that one. Yeah, thanks. Yeah, that blog post is titled how what what was the title again? >> How OSI >> how OS uh affects binary exploitation. Wonderful. I I write a lot a lot of blog posts which is why I don't remember what

they are and I think that one's like three years old. So, but I think you also had a question. >> Yeah. Uh I just wanted to ask you to repeat the name of your blog or like the URL because I didn't quite catch it. >> Um the URL is Olivia Oi Via A Galuchi G a Lucci.com. >> Okay. Thank you. >> Totally. Uh >> Oh, thank you. >> Oh. Uh thank you. Uh my name is Aral. I had a question regard to the uh as we see every day the AI modules added some more functionality uh to the malares and kind of malicious codes. I was wondering that if the type of the uh kind of attacking to a making

a buffer overflow or attacking to a heap or stack or uh those kind of protected reserve memory area with the type of the malware that is changing the nature you know we call it like a morphism right more from one signature to another signature one capability to another cap. capabilities. So that's uh I wanted to know your insight about that how uh this going to be how we can defend that. Is there any way to defend this type of the morph attack like a malware or malicious code that change the uh dynamic of the activity either in memory in the heap or kind of stack? >> Yeah. So, when it comes to like specific like uh those really like low-level

exploits and stuff, I'm assuming that is probably happening more on uh Windows and Linux than it is on Mac. And for those questions, I would uh want to address people who are experts in those areas because I know those things do happen and unfortunately they're things I'm uneducated on. um where I can tell you about with like things like the signatures changing and all of that uh that's that's common across OSS and what we see in Mac malware is there is like differences in capabilities and all that so it's like uh what exact capabilities is it going to do um and those ones are weirdly it's kind of like an exciting time like those things are starting to

be developed. Like, I think it was only last year when we started seeing Mac malware routinely have people starting to actually obscure the malware itself. Like, our malware didn't even do that. They were just like, we're going to pop a launch agent on here and we're going to just go. So they wouldn't even try to hide it. And in those cases, what we look at is more the behavior itself, because they're still using consistent tactics. None of them, to my knowledge, really relate to the memory component. It's more so behaviors on the device itself. And they're all

like legit behaviors, which is making them hard to flag. There have been cases which I know of where there were zero-days dropped that were more serious, in the nature that you're talking about, on Mac. XCSSET actually had one where they were able to infiltrate Xcode environments through, I think, something memory related. So if you're looking specifically at Mac, that's really the only instance. And I'm really open to hearing what anyone else says about this, because I'm very open to being wrong here. That's really the only place where I think I've seen anything related to memory and malware in particular, rather than just someone like Patrick Wardle or some

researcher. That's the only thing I've really seen with memory specifically. So hopefully that helps. Any more questions? I don't think I see any. Cool.

I'm probably best known for this thing I started back in 2001 called eSentire. I stepped away from eSentire a few months after this thing happened. I felt like I'd sort of gotten as far with the company as I could and wanted to go and do some other things. And so now I have that flexibility and that singular luxury of doing only what I want to do. And so what I do most of the time now is sort of work with startups and scaleups in cyber security. I had somebody, a professor from a BC university, about six weeks ago send me a note and say, I want to thank you

for working with one of my MBA students. They had a capstone project, they had to speak to somebody, and thank you for your feedback, and, you know, could they ask you a bunch of questions. And I said, I never spoke to this person. And I was sort of gaslit, like, did I speak to somebody? So I went into ChatGPT and said, you know, pretend that you're Eldon, I'm going to ask you some questions, and it did a really good job of telling my history. So I'm not going to elaborate on that either. So I'm this sort of weird Swiss Army knife of stuff. So,

I've got a BMath degree, computer science and economics, that is probably older than at least half the attendees here today. Went through, you know, the usual sort of Linux, BSD, sysadmin, database, infosec sort of path. You know, I got into this thing before it was called cyber, and it was my place and I found my thing. And so then I started a company, and there was this big gap when that was my constant care, and then I sort of stepped away, as I said, became an adviser, board member, I wrote a book, and then instructing as well. So, one of the things I've been doing for almost five years now is working with Rogers

Cybersecure Catalyst. They have a booth here, two wonderful young women who will gladly talk to you about the things that they're doing. I personally think that this program has the best chance of improving the startup world for Canada, to get companies out of that difficult early startup phase and into scale-up and escape velocity. So if you think that you have any interest in sort of helping out as a mentor, or other things that I will get to later in the talk, I'm going to put up a QR code, and there are a couple of people here who you could absolutely speak to. One of the companies that I

managed to meet as a core mentor through this program is Shadow HQ. So, you know, you survive on sponsors here. Nick is here. I met him. I was his core mentor, he was my core mentee. I'm working with him now. If you have no interest in starting a company, just, you know, spend the next 45 minutes and go talk to Nick and his two guys out there at the booth. So, as I've been working with the startups out of Catalyst, I've probably worked with about six dozen companies in the last five years, and they're all in different stages, and everything just sort of distills to that

Japanese ikigai, right? What's the problem? Will they pay you to solve it? Can you solve it rapidly and accurately? And now, you know, I say you would be surprised how many startup founders do not actually ask these questions. They usually start off with something: this is my capstone project. I'm going to fall off the stage if I keep walking, so I'm coming down here. You know, they have a capstone project, they think something was interesting, and they put all their time and effort into it and not actually into trying to figure out whether or not this is a problem that people have. So I ask these questions when they come in, and, you know, is it a big problem? Do

many people have it? Who knows about it? Is it being solved? And the last one is, are you a prophet? And if you haven't asked anybody if they're actually having this problem, but you think you are so far ahead that you know what the problem is, then the world will eventually catch up to you, like you are Steve Jobs and you knew 15 years ahead that people would be addicted to the iPhone. The odds of you being that prophet are not zero, but approaching zero. And if you are actually a prophet, can you survive long enough for you to have solved this problem? It's not good enough to talk to your potential clients and say, "Hey, what are your problems?" They tell you

your problems, because you could go build something and then a year later you come back and they say, "Well, it wasn't really a problem at all," or they've left the company, or they fixed it with something else. I get about a dozen inbound emails every week, or through LinkedIn, and they say, "I've built this thing. I want to show you this thing I've built." The number one question I ask now: who are your design partners? And almost 90% of the time it goes dead. Then, unless you think you know the problem better than your clients, unless you're Steve Jobs again, you'll be surprised that they understand their