
So with that, give it up for Kathy. >> Thank you so much. And first of all, thank you to BSides 312 for having me. I suspect that many of you saw me on your way in, because I was also running reg, because I'm a glutton for punishment, having done THOTCON first and stuck around. So thank you for having me here. The idea for this talk, and we're going to go through the agenda in a second, came from seeing things happen over and over again and basically not changing, in a nutshell. So, here's what we're

going to go over. I'll talk very briefly about me, because you don't want to hear about me, and if you wanted to hear about me, you could just ask Robert, because he would tell you. The background and history part is really about the subject matter and how I came up with the idea for this information. This information is all stuff that is in a book that I wrote called The Active Defender. But I want to introduce you to the concepts, because if you find it interesting you might want to get the book, but if not, that's cool. I think it's more important to get the information out there than

anything else. We'll talk about the assumptions defenders make and why they're problematic, and as a result why we need to immerse ourselves in offensive security as defenders, and we'll wrap it up. I'm happy to do questions in between. I know, as I'm getting older especially, I'll have a burning question and I'm like, oh yeah, wait for the questions, and then I forget what the heck I was asking. So if you have a question, feel free, raise your hand and I'll do my best. You're scattered a bit, but I'll do my best to try to answer it for you. So, a little bit about me. My little
sloth buddy up here, that's Flash. He is a sloth at the Buffalo Zoo. Big fan of sloths. That's the most important thing on this slide. I do a lot of conferences as a speaker. I volunteer with a bunch of things. I'm on staff with the Packet Hacking Village at DEF CON, blah blah. If you want more, let me know.

All right. So, to the meat and potatoes and the important part of this talk. Where the idea came from was that originally, working at the University at Buffalo, we decided that we wanted to put together a CCDC team. Who's familiar with CCDC or CPTC? Bunch of hands. Okay. For those of you not familiar, CCDC is the Collegiate Cyber Defense Competition and CPTC is the pentesting equivalent of that. So you have essentially a defense and an offense collegiate competition set. And it's very cool, because students get to participate actively in these things. And so we had a student who had gone to CCDC on his own, and it had gone not particularly well, because he hadn't prepared. So to do this they decided to bring in a bunch of people from industry and from those working on campus. I've been at UB for over 25 years, but I work in the technical space. I'm not an instructor, although I have been brought in to do guest lectures, sort of talking about my day job. So we created this thing called NetDef, and when all of us got together we started talking about our experiences. This was the very first time I was introduced to anybody who worked in offensive security, at least as far as I knew. It was very new to me and I said, hm, tell me about this. I don't know a whole lot about this sort of thing. And he started to tell me about it and I thought, wow, that's really interesting. I said, how can I find out more? And he said, "Get to a BSides." And I said, "What the hell is a BSides?" Now,

obviously, those of you who are here, thankfully you know what a BSides is. But I had no idea, and this was very foreign to me. I had gone to some infosec conferences, some Microsoft things and that sort of stuff. And so I realized there was going to be one in Rochester. So I signed up for the conference and I show up and I do the thing, right? I have no idea what I'm walking into. And I sit down next to some folks who are playing a CTF. I had no idea what a CTF was. And they were super awesome. And they asked all kinds of questions about me and I asked them all kinds of things about CTFs and BSides and whatever. And I found it to be a very warm and welcoming space. I hope that all of you have found a warm and welcoming space here too. That is certainly what we intend. The BSides Rochester that I walked into all those years ago, I now run, because it made such a profound impact on me. So, thank you. The folks there were really kind to me, and so I have this experience at BSides Rochester. I start to learn about offensive security and it literally was like I'd walked into another world. Now, I love asking this question. Who here has seen The Matrix? Oh, good. At least some of you. Because let
me tell you, if I ask this in a room full of college students, I get maybe a quarter of the room if I'm lucky. And it's only because they went to see the fourth one when it came out. They didn't even know it existed before that, which makes me feel incredibly old. So, thank you. I'm glad that most of you at least have seen The Matrix. So, in The Matrix, you can take the red pill or the blue pill. And the idea behind taking the blue pill is you sort of stay in this reality and nothing changes, or you can take the red pill and it opens your eyes to another world. Well, going to BSides Rochester for me was in fact opening my eyes to another world I had no idea existed, and ultimately over time I went to a bunch more conferences and got to know more folks, and I started thinking more about the challenges we have with defense, and that led to this idea of an active defender. So, we're going to talk a little bit about what an active defender is.

So, I'll start with Sun Tzu. Who's familiar with Sun Tzu? Oh, good. A bunch of you. Fabulous. So, you know, to know your enemy, right? This is the really important part. You have to become your enemy. Well, in terms of the active defender, we're not literally asking you to change your job. We're not saying that you somehow have to mythically morph into the enemy. It's this idea, like the things that you see below here. You need to understand the motivations, their thought processes, their problem-solving patterns. It's moving beyond the very superficial nature of what an attacker is, and these were things I definitely did not understand in a traditional defense role. Now, my job coming into the university was a support role. I did user desktop and server support for a particular portion of the university. That is what I did. And the bulk of the security stuff that I learned as I did that were pretty standard things that defenders learn, right? You learn to patch, you learn to do vulnerability scanning, you learn to configure things for least privilege, etc., etc. And we'll talk more about that. But that was sort of my very typical experience.

So let's talk a little bit about this idea of active defense, because I see active defense used in a lot of places and I want to make it very clear what I'm talking about. So when I talk specifically about active defense, what I'm talking about is this concept that first starts in the military. And the military has bastardized this idea since. And so what we hear now when people talk about active defense,
there's this idea of hacking back or going after the attacker. Well, the original thought behind active defense had nothing to do with attacking back directly. It was about being agile, being mobile, moving around, not just staying static. How many of you know much about history, whether it's US or world history? Anybody history buffs? All right, a few of you. So, if you know anything in general about history, we see lots of pictures and lots of write-ups of the troops marching forward or the tanks moving forward, right? And they're very static. There's not a lot of moving around. Everybody is placed in certain spots, and that of course makes it a lot easier to pick them off, right? Like the two come at each other. And in the Civil War it was a complete mess, because you fired your guns and nobody could see anything because of all the powder residue. But the idea is to think about the movie Home Alone. Who's seen Home Alone? Okay, most people. So, in Home Alone, right, he doesn't step outside the property. He doesn't leave that area. He stays in his own space, but puts up all kinds of booby traps. Right? The idea is that if the enemy comes into your own territory, you can be agile and you can see them and you can be aware of what's going on and you can potentially keep them from going any further.

And I would hope that most of you who are in... let me ask you this. Who's in the defense space? And by defense, I mean whether you do support or you actually do defense, whatever. And how many of you are in the offense space? Cool. I love that there's a mixture, because when I get to some stuff about offense, I'm going to be tagging you folks to answer some questions, too. So, when we're thinking about this as defenders, we need to think about this in this sort of Home Alone idea. We want to focus on being flexible and seeing attackers, not necessarily just keeping them out. I mean, in an ideal world, right, we don't want them coming in, but who's in the cloud? Anybody in the cloud? We're in the cloud, right? If you're in the cloud, they're in. That's just kind of a foregone conclusion. And even if you're not in the cloud, it's not hard to get in. So assuming that they're in is a good place to start this mental process, because once they're in, that's when the rest of the layers of security are going to be important. So this is the idea that originally was in this document from 1973.

Now, let's talk about passive versus active in this context. So, most people think of passive, they think of things
that there's no connection with, right? You're not doing anything with them. Well, that gets confusing when you're talking about this, because people would say something like, an AV product can't be passive, it's doing something. Well, when I say passive versus active, I mean humans doing something. So your antivirus products, your IDSs, your AV, all of this stuff, your EDRs, all of that by default is passive, because it's doing automagically whatever you've tuned it to do. When I'm talking about active, I mean humans that are monitoring and looking for things and using their critical thinking skills, which are hard to come by these days. I recognize that. But if you're observing things and you're learning from them and you are taking information away because you know your networks, that's the kind of active we're talking about.

All right. So this term probably won't bother anybody in the room, because you're here, right? But I'm going to talk about it anyway for anybody who doesn't know. It has become pejorative. We hear the word hacker and people have watched way too many news programs where they talk about the bad hackers, right? And of course the term hacker was coined at MIT. It was a model railroad club, and they had folks that knew how to think outside the box and do cool things, and those cool things were called hacks, and hacker came from that. It has nothing to do with anything bad or the law or whatever. It's literally just thinking outside the box and coming up with creative ways to do things, using tools maybe for things they weren't intended for. And there's nothing by default that is bad or wrong about that. So, you know, I wear a lot of hacker gear, and I wear a lot of hacker gear because I think it's important to say, "Hey, I'm a hacker." And I'm a hacker not because I'm doing something bad, but because I'm thinking outside the box. I'm trying to understand other ways I can do things that are different. So, that leads us to the hacker mindset.

And as I mentioned, there's this idea of curiosity, right? Thinking outside the box, creativity, being patient. Those of you who raised your hands as offsec, how patient do you have to be, because you try something 27 times and it doesn't work? Anybody go through that? Yeah. See, your offsec colleagues, I'm telling you right now, they get this, right? >> Boring. >> It's really boring. It's hysterical to me how many people come through our university who are like, I'm going to be a pentester and it's going to be badass, which isn't necessarily wrong, but oh my god, there's a whole lot of boring that goes on with that that they don't even see. And it's this persistence, and you just got to keep doing it over and over again, right? So these are the kinds of qualities we're talking about. Hackers think about things. They want to know, you know, why not, not why. And they say, "Hm, I wonder." And what if? And I love this quote from Einstein where he says, "I have no special talent. I am only passionately curious." And hackers are passionately curious. They want to understand how things work. And I saw a great keynote by Casey Smith who was quoting Jon Erickson, who said, "Hackers get their edge from knowing how things really work." So, those of you in offsec or even those of you in
defense, how many of you took something apart when you were a kid because you were like, "Huh, how does this work? How does the knob change?" Anybody have that? Yeah, you're a hacker. It's cool. That's the whole idea, because things don't always work the way we think they're going to or the way they're supposed to. And we'll get back to that. So this is ultimately the definition of active defender that I came up with, putting all of this stuff together: somebody who is aware of and actively engaged with folks in the offsec community, right? And the whole idea is the more you're around these people and the more you spend time, the more you come to things like this, you will develop a hacker mindset, and that ultimately will make you a much stronger defender.

So, just to be clear, when we're talking about defense versus offense, I purposely use this language, not red, not blue. I mean, I talked about the pill in the movie thing, but I want to stay away from red and blue language for a variety of reasons. I think it's much better to talk about defending and offensive in terms of role, because there's a zillion definitions of what a pentester is and a red teamer is. Forget it. We need to understand what they're doing at a broader level. So this is what I'm sticking to. So this is defense and this is offense. Defense are the people who put up the defenses. Offense are the folks who are testing those defenses. That's it. Plain and simple. Don't need to go down that rabbit hole any further.

All right. So this is the example that I love to use. Who has done or helped with an install of a web server before? A bunch of you, right? So, this is meant not to be an exhaustive list, but mentally, let's assume that we have an exhaustive list of all the best practices of building a web server. We're going to do things like install the operating system, patch it, scan it, look for vulnerabilities, configure the firewall, lock things down, do everything we're supposed to do with it. And then what do we do? Nothing, right? Until it needs to be patched or something needs to be changed or we see a problem, we do nothing. And that's the initial part of the problem. We as defenders go, we're done. >> Yep. >> Set it and forget it, right? And for years that was fine, right? That was sufficient. But unfortunately, it's not fine anymore, because your offsec counterparts look at the same exact web server and this is what they see. Huh, port 80 or 443
or both are open. What can I do with that? They look at whether there are fields that you can fill in. They wonder, what if I change something? What if I put certain text in there? How can I manipulate this? And all of these different kinds of questions are the sorts of things they're thinking about. Am I right, offsec folks? >> See, the most important thing that they're thinking about is this last comment. What is its relationship to other systems? Because usually they don't necessarily care about one system. They want to get beyond that one system. >> What? >> Think with graphs. >> We're getting there. We're getting there. He said think with graphs.

Yes. So, speaking of that subject, you were just a step ahead of me. So, John Lambert said this: defenders think in lists and attackers think in graphs, and as long as that's true, the attacker is going to win. And John was kind enough to say, you know, you're welcome to use my quote in his presentation. And I've had some pushback from folks who have said, well, graphs, blah blah blah. And I say, look, at the end of the day, it doesn't matter if it's specifically a graph. The point of the graph is it's showing a relationship. And that's really what we're talking about here. Relationships. Relationships are key.

For any of you who've done defense and don't know about this tool at all and have never heard of it, this is BloodHound. BloodHound is a tool that offensive security folks use all the time to look at relationships between accounts and the path you can take, for example, from a standard end user who has no rights to anything to domain admin, or in the Azure universe to global admin, because they have a product that allows you to look at Azure as well. There's AzureHound. The cool part is we can use these tools too, with permission. But if we don't know they exist, how do we test? How do we know? We don't.

So, because we don't know a lot of these things, defenders wind up making some really bad assumptions. Who's heard of the kill chain? Anybody heard of the kill chain? Right. Lots of people have heard of the kill chain. And the concept behind the kill chain here is you stop an attacker at any one of these points, and I know it's hard to see here, but any one of these stages, right? And you stop the attack. All right, offsec folks, does that stop you? >> No. >> No. Because here's the thing. If I stop them here, they're just going to try a different technique and then they're going to wind up here.
>> There's a hundred chains. >> Because there's a hundred chains. Yes. Exactly. Another one. And some of you will laugh at some of these. Yes, we have EDR. We're good. And I know you laugh because you're like, how can anybody actually think that? But I have literally had conversations not just with management but with IT support, sysadmins, who think because we're using these tools they're good to go, and they're not. And it's not because there's something wrong or bad with the tool. EDR is very good. XDR is very good. All of these tools have come a long way. And your offsec counterparts will tell you, if it's configured right, it's harder now to get places, right? Am I right? >> Yeah. >> So, this stuff's good stuff, but it's not the be-all end-all. There are lots of ways to get around it. One of the easiest ways is, let's just redirect some of what it's telling you somewhere else. We could just shut it down. But LOLBins are probably one of the easiest. So, who here knows what a LOLBin is? A few of you. All right. So, for those of you who don't know what a LOLBin is, it's a living-off-the-land binary. It's effectively anything that is sort of native to your system. So, typically it's an operating system file that's native to the system, that's just part of the operating system. But realistically, a LOLBin can be any normal program that is on your system. And one of the quasi-LOLBins that we see now are these remote management tools. So if you use RDP, or let's say you use TeamViewer, attackers figure out what you're using and they use the same tools, because it's right there. If an attacker lands something on a box, it is way more likely to be detected than if it's already part of the operating system or part of something that is being used regularly. Your EDR is never ever ever going to trigger on these things, because it's normal functional behavior for what it expects. So you need other ways to look at it.

Okay. So this is going to be a little harder, because I know this is hard to see. But this has to do with detections in particular. So here's the problem with detections. We talk about things like this, which is a MITRE heat map. And the whole idea behind the MITRE heat map is that it's categorizing different kinds of attacks, and the green is meant to illustrate, I have some sort of defense in place, some sort of detection for whatever kind of badness is being thrown at me in the particular category. The problem is, and this will be clearer
in a minute, we only see these detections in a certain way. So, let me take a step back and talk about the TTP pyramid. Anybody familiar with that? At least a few of you. So, the TTP pyramid talks about tactics, techniques, and procedures. Tactics are pretty straightforward. They're like, we're going to go after credential access. Really basic. Lots of tools see credential access and can detect it. The technique is, generally speaking, how they're going to do this. So for example, credential dumping via LSASS. That is one way to obtain these credentials. Here's the trick. That's the layer at which your tools operate. But there's another layer, and that's the procedure. The procedure is the exact type of file and the details that an attacker is using to go after that password. So, it's not just password dumping via LSASS memory, because there's a gazillion ways you can dump passwords from LSASS memory, including using Task Manager to do it. So if you have a technique and you're like, I have a detection for that, that's great, but if you don't have the procedure level, then what are you detecting? >> Some of it. >> Some of it. And that's the problem. Again, these tools are not bad tools, but they have restrictions and you need to know what those are.

So, and I can't wait, because Olaf actually, or Will, excuse me, Olaf's on the next slide. Will has continued to work on this particular problem. So, Microsoft has some features built in that detect and are supposed to block dangerous drivers. There is this idea of bring your own driver that is really dangerous, and we've seen problems with this already. There's supposed to be these driver block lists in place. Well, Will did this research quite some time ago. He is a security researcher. He does offensive security research. And what he discovered was initially this particular feature wasn't even enabled. There was literally nothing in the list at all. And he called Microsoft out about it and they were like, "Yeah." And so eventually they added stuff to the list. And then what do you think Microsoft did? Nothing. Nothing more. Right? So there's no mechanism to keep the list updated. There's no mechanism to keep this going. And he's continued to do research on this. So if you Google this, you'll see that periodically he'll put something new out on social media saying, "Oh yeah, here's a thing that I found that still doesn't do what it's supposed to do." So you were supposed to be able to have these rules in place. Yeah. No.

So Olaf, who's the other person who's done some research on Defender, is continuing to do cool stuff, and he was just accepted, I think at Black Hat, to do another talk. He did this talk at Wild West Hackin' Fest a couple years ago, and what he discovered was Defender is supposed to use telemetry, and telemetry is these little bits and pieces that tell you when something is happening. So for example, you have a detection, right? The detection is based on seeing certain features in that telemetry. What happens if that telemetry is not there? You're blind. The detection doesn't work. What he discovered was there were detections in place where by default the features were never turned on, and none of this is documented, because that never happens. But here's the point. We all laugh, but the reality is we have these tools and we think they're going to work
the way they're supposed to, but offensive security folks know they don't always work the way they're supposed to. And that's in fact the way they can get around some of the defenses you put in place. Ah, MFA, it's the panacea. It fixes everything, right? We have MFA, we're good to go. Yeah. Again, this is one of these conversations that I have with folks who should know better. And when I tell them, "Yeah, I understand we have Duo, but let me show you how one of our users just did something that completely bypassed Duo entirely," it blows their minds. So, for those of you who are not familiar, the most common way around MFA, aside from push, push, push, push, push, push, push, push, push, and then the user gets tired and clicks yes or okay or whatever, is the attacker in the middle. And there are a bunch of these different things, Evilginx, Muraena, Modlishka, that are used to get around it. And the idea is that they use a proxy. So what your users see may in fact be the real page they're trying to log into, but the attacker has put up a proxy in the middle so that that information also goes to them, and that includes the two-factor code, the username, the password and everything, and to the end user it's flawless, completely flawless. And if any of you were at THOTCON and you saw the talk about the dark... this was some of what they were talking about, because those kits are freely for sale on the dark web. There's also, of course, social engineering and cookie theft and other things.

And I did promise you sloths. So, I've not seen this particular sloth myself, but baby sloths are adorable. And the whole idea here is, because we're seeing this kind of stuff and defenders are making assumptions based on what they know, which is a reasonable thing, we need a different perspective, a new perspective. And the perspective that I offer is this idea of immersing yourself in offensive security. So for those of you who are not familiar with this, I know my offsec friends will be like, "Yeah, yeah, yeah, I know how this works." But for those of you who don't, these are the stages of how they do their jobs. They're going to target. They're going to figure out what they're going to attack, because even though there's some sort of work order that's been agreed upon, they still need to, within the scope that they've decided they're going to work, pick certain systems to go after. And then they have to figure out how they're going to get into it. Once they're into it, they have to figure out how they are going to stay in. Then they have to figure out, all right, we're in. Now, how can we go further into the network and see other things? Ultimately, how do they get data out? Right? We are no exception to this, but I'm telling you, exfil is really hard if you've locked your systems down so that, I don't know, you can't send something off-site somewhere else. But very few places lock that down, which is problematic. And then of course they think about how they're found and then what they have to do. So just be aware these are the stages. This is actively what they're doing, and this is exactly what
the attacker is doing, because your offsec folks, they're mimicking this behavior. This is exactly what they're tasked to do to test your defenses. So where do you find these people? Look around. Offsec folks, raise your hands again. Look around. You've got offsec folks. They're here and they're awesome. Guaranteed. You can also find them at local security meetups. BurbSec. Yeah. So I'm very fortunate to be a member of a couple of different communities, Chicago being one of them, with a lot of BurbSec friends. I'm also part of MiSec in Michigan. There's a meetup in Buffalo that I'm a member of. So it's a great way to meet folks. If you have makerspaces in your area, DEF CON groups, 2600 meetings. There are online communities if it's hard for you to get out and about. There's lots of those online. And traditional security communities. I have a lot of friends that are in things like the ISSA, which are more corporate, but offsec folks still go to those things and network with each other. So, you never know where you're going to find these folks.

So I would also encourage you to get some fundamental training. And again, the goal here is not to say, "All right, you need to completely change your job." It's so that you can try some of these attacks yourself and just kind of see what they look like. When an attacker is doing something, what does it leave behind on your system? Go to talks that aren't defense talks, even if you only understand an itty bitty part of it. Because every time you go, you'll learn a little more and a little more. And as you engage with the offsec community, you can ask questions. The number one thing I walked out of BSides Rochester with was: these people love what they do and they love to talk about it and they're excited about it most of the time. And when I go to traditional infosec conferences, people are frustrated and they often don't want to talk and they don't have time and they're too busy and whatever. Even if they make the... I'm seeing nods. Even if they have the best of intentions to say, "Oh, I'll help you," they often don't. But I have found in the offsec community, man, they want to help you. And they will show you stuff because they want you to see it. And sometimes it's cutting edge, like new hacks and whatnot. Cool. Whether it's a toaster or a server, it's still neat. There's lots of security companies that offer this training. There's obviously at conferences there's sometimes training. There's some online options that you can do, and higher ed. So I work at the University at Buffalo. We have classes again. We've got the ability to send students to CPTC, which is the Collegiate Penetration Testing Competition, where they are a team that gets hired by a company to pentest their organization. And here's the cool part, and again, you offsec folks are going to laugh at this. Part of what they have to do is not just do the pentest, they have to write the report. >> Yes. >> Guess who grades the reports? >> Me. I learned so much from getting involved with CPTC and grading reports about what those reports should not look like, right? But it's a learning experience and we try to make it as realistic as we can, which I think is
awesome. Uh, and and even when I do CCDC, I try to give examples that are real world because I want students to learn that's the time. So, those those things do exist. Now, I want to talk just briefly about Intel types because I think you'll find this useful, too. So, um, tradecraft intel, what we're really talking about here is the kinds of things that your offsc friends know how to do, right? That's their trade craft. They know how to do certain kinds of attacks and certain kinds of things. So, where do you learn about those things even if you don't necessarily do them yourself? Well, what's really cool is there are things like Project Zero,
which is Google's researchers. Um, DFIR Labs, which which does really detailed writeups of attacks. They even have uh their CTFs are the most realistic thing I have ever participated in because you're given a bunch of logs and you have to go look through things to find the answers and it's not just like random questions that have nothing to do with anything and really esoteric like which can be fun but if what you really want to understand is how do I do incident response? How do I see when the attacker's done a thing? These are phenomenal. Uh, Attacker KB is Rapid 7's version of the of research. And then there's groups on Discord, uh, Slack, Twitter, Mastadon. Pick your favorite
social media. They're everywhere. Now, when we talk about organizational intel, we're talking about, of course, the open-source intelligence on an organization. And I'm always surprised by defenders who don't realize the amount of stuff that's out there about their own org. And offsec folks, do you find that useful? Even a little? >> Oh yeah, just a little bit. >> Right. So, like, you can find stuff on LinkedIn. Every time you have a posting for a job and it says "we need an experienced administrator in Exchange Online," what have you just told the world? >> Your company uses Exchange. >> Your company uses, well, Exchange Online, and probably the Microsoft ecosystem. Not that there aren't a hundred other ways
to determine that, but sometimes, if they're doing a test against, if they're looking for a test against a particular esoteric piece of software, this can be a great way to find it: in a job ad. Now, I'm not saying your company should stop putting out job ads that are useful. I'm just saying, hey, be aware of what's out there, because it can be used against your company, and if you don't know it's there and you don't realize why it's useful to an attacker, well, there's another blind spot. You can also find really cool stuff on, like, GitHub and message boards. When your folks have a problem and they post to a message board, and then you get
other details. GitHub's great for passwords. Tons of passwords on GitHub. And if you know how to look for it, stuff that's been deleted isn't really deleted, and it's there too. Internal wikis: once they get into your system, or if they get a password and they can check out an internal wiki, wow, how much stuff is in those internal wikis about how you operate, right? So be aware that those things can all be used by an attacker or an offsec pro, either one. Have I Been Pwned is great if you know an account has been compromised in one thing. What do users love to do with passwords? >> Make new ones every time. >> Oh yeah, make... No, not...
They like to reuse them, right? It's constant reuse. So what are the odds, if you see that they have an account somewhere that's compromised? Well, it's pretty good odds they're using that same password somewhere else. This is perhaps the most important slide for those of you in defense. These are the most commonly used offsec tools. Am I right? I mean, sometimes there's custom code that gets written with these things, or, you know, really cool new utilities that offsec folks use to go after and test systems. But if you don't know what one of these things is, you need to spend just a couple of minutes and go look. You don't need to know how to use it yourself,
necessarily, and you don't have to spend hours figuring it out. But part of the reason I tell this story: who knows what Mimikatz is? My offsec folks are excited about this. If any of you do defense and you've never heard of Mimikatz, it is a thing that, if you see it in your logs, should make you very uncomfortable. >> Even if it says Mimikatz was blocked. >> I can tell you a story about a user, well, a sysadmin, who saw Mimikatz and didn't know what it was. And then I have another friend who talks about somebody who said, "Yes, it was the tiny kittens," and they couldn't figure out
what tiny kittens were, and it was Mimikatz. The problem is, back to the chain, right? So Mimikatz, there's an executable version. Let's say you have that blocked, but there's, like, a gazillion other ways to run Mimikatz where it's not actually called Mimikatz. And attackers will sometimes try one version; it'll show up in your logs as blocked, and you go, "I'm good." And then you should immediately start looking for other versions of it, because chances are pretty good they're there. All right, so I'm going to wrap up here and open it up for questions. So, at the end of the day, realize that what you've learned as a defender, for the most part,
is really only half the story of security. Security encompasses both defense and offense. If you don't understand just the fundamentals of both, you're losing out. It's huge. And again, it doesn't mean you change your job. It doesn't mean you have to, like, spend hours becoming, you know, OSCP certified. What it means is you need to understand how these folks are thinking and spend time around them, so that when you see the other versions of Mimikatz in your system, you go, "Uh-oh," and you recognize it, and maybe you can stop them from going further. Beware of assumptions. Anytime you put a control in place, assume that it will get removed, circumvented, something. Always, always, always assume that. I
have another talk that I gave at CypherCon where I do some IR and firefighting comparisons, because the thing that I always say when Robert asks, you know, for a little tidbit about me: I've been a volunteer firefighter for almost 30 years. And there are some really interesting combinations that I've talked about, but one of them is this idea that controls always fail. No matter what they say, whether it's that they're fireproof or secure, both of those things are false. Jump into that other half of the offsec story, which you're already doing by being here. Get to know some of your fellow offsec counterparts, whether here or somewhere
else, and learn what they know. As I said, my experience has been, usually they're excited to talk about what they're doing. Not everything is exciting, but usually they're doing stuff on the side or they've read something cool, and they can share things with you. And at the end of the day, that makes you a better defender. So, if that interests you at all, and again, the message to me is the most important thing, but if you're curious about it, this is the book that I wrote, which goes into more detail. I have some flyers up here, which you're welcome to take, that also have the information. You can get it from any bookseller. It is a Wiley publication. So,
independent, if you're, you know, an anti-Amazon person, Wiley has it direct from them. There's also... you can get your independent bookseller to order it. And I will end with this quote and then open it up for questions. So I love this particular quote because my first degree was actually in music industry. It had nothing to do with computers, and in fact I have four degrees and none of them have anything to do with computers. Okay, so I love this because, you know, this may not have been where I intended to go, but I think ultimately I'm exactly where I need to be. So with that, Robert, you want to...
>> Yeah, let's give it up for Kathy. Isn't she amazing? I love you. >> I love you, too. >> The other amazing thing is, Kathy usually turns into a pumpkin by about 9:00 p.m. But she came out and ripped it up last night. So if anybody saw her dancing, give it up. She was amazing on the dance floor. Do we have any questions for Kathy? Yeah. Nothing. Yeah. Anybody? Here we go. >> One over here. >> I think one of the best things I've heard was the question of how do you test your tools? And this applies to both defense and offense. So yeah, always be thinking about that. >> Yeah, I would 100% agree. You
need to test your tools regardless of which side of that fence you're on. If you don't know how the tools work, then you can't possibly know for sure that they're working, at least the way you sort of expect them to. Great example. So we use canary technology a lot, which, I'll tell you right now, is really easy to implement. You do not need to be all mature the way folks tell you; it's super simple. And we had implemented, or I thought we had, because one of our sysadmins implemented a canary and I thought he had tested it. He hadn't, and we had a purple team test, and that's
when we found out it had not been implemented properly, and we had some other issues. It was a good learning experience. That was the point of the purple team. So we found out it wasn't working. I was able to fix it. We had a couple of other issues that played into that, but it was a great thing to be doing. So, yes, absolutely, test your tools and assume they're not going to work the way you expect them to. We have another question. >> I just wanted to support some of the tools up there. I got to play with some of them after I learned about it from CypherCon, using, like, Hunter,
Censys and all the other stuff to say, like, "Oh, look, here's first name, last name, and email address for the company either you work at or the company you want to work at." It's really easy to find all the sysadmins and all the other people who do the architecture if you just use these tools, and you'll get their personal emails. It's really... >> Oh, yeah. Oh, yeah. For sure. And I mean, if you don't know this, because I literally just put this on a listserv to a group that I'm in, somebody was wondering, like, "How did all our students get sent all of these phishing messages? How do they get our addresses? They're
in the M365 ecosystem." Okay, I have news for you. If you're in that system and I, as the attacker, the offsec folk, create another tenant which has nothing to do with your tenant, I literally can get that information; like, it's trivial. And I have a friend, Nick Geek, who's done a tremendous amount of work about that. Other questions? >> All right, let's give it up for Kathy. That was fantastic. Thank you.
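Editor's added example, not part of the talk or the speaker's material: the point about Mimikatz being blocked under its own name while renamed copies run through is the kind of thing a defender can check for in process-creation telemetry. The Python below scans constructed log lines (made up for this example, loosely modelled on Sysmon Event ID 1 fields such as Image, CommandLine and OriginalFileName; the Status field is invented to mark what the blocking control did) and flags Mimikatz on indicators that survive renaming the binary: the module::command syntax an operator has to type, and the OriginalFileName embedded in the PE version resource. Field names and sample paths are assumptions for the demonstration.

```python
"""Look for Mimikatz in process-creation logs without trusting the file name.

Added example for the talk's point that a blocked 'mimikatz.exe' in the logs
is where the hunt starts, not where it ends. The log lines below are
constructed for this example and only loosely modelled on Sysmon Event ID 1
fields; the 'Status' field is invented here to show what the control did.
"""
import re

# Mimikatz module::command syntax survives renaming the executable, because
# the operator still has to type the commands on the command line.
MIMIKATZ_COMMANDS = (
    "privilege::debug",
    "sekurlsa::",
    "lsadump::",
    "kerberos::",
    "token::",
    "crypto::",
    "misc::",
)

# Renaming the file on disk does not change the OriginalFilename stored in
# the PE version resource unless the attacker also patches or rebuilds it.
SUSPICIOUS_ORIGINAL_NAMES = {"mimikatz.exe", "mimilib.dll", "mimidrv.sys"}

# Matches Key=value and Key="quoted value" pairs in one log line.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one 'Key=value Key="quoted value"' line into a dict (lower-cased)."""
    return {k.lower(): v.strip('"').lower() for k, v in FIELD_RE.findall(line)}


def mimikatz_indicators(event):
    """Return the list of reasons this event looks like Mimikatz (empty if none)."""
    reasons = []
    image = event.get("image", "")
    cmdline = event.get("commandline", "")
    original = event.get("originalfilename", "")
    if image.rsplit("\\", 1)[-1] == "mimikatz.exe":
        reasons.append("image name")          # the rule the blocklist relies on
    if original in SUSPICIOUS_ORIGINAL_NAMES:
        reasons.append("originalfilename=" + original)
    hits = [c for c in MIMIKATZ_COMMANDS if c in cmdline]
    if hits:
        reasons.append("command syntax: " + ", ".join(hits))
    return reasons


def scan(lines):
    """Return (image, status, reasons) for every line with at least one indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = mimikatz_indicators(ev)
        if reasons:
            findings.append((ev.get("image", "?"), ev.get("status", "allowed"), reasons))
    return findings


def still_running(findings):
    """The ones to go looking for after the named copy was blocked: hits that
    were not blocked and did not trip the file-name rule at all."""
    return [f for f in findings if f[1] != "blocked" and "image name" not in f[2]]


# Constructed sample log (not real telemetry). Line 1 is the case the talk
# describes: the named binary was blocked. Lines 2 and 3 are renamed copies
# that the name-based rule never sees. Line 4 is benign noise.
SAMPLE_LOG = [
    r'Image="C:\Users\bob\Downloads\mimikatz.exe" CommandLine="mimikatz.exe" OriginalFileName="mimikatz.exe" Status=blocked',
    r'Image="C:\Windows\Temp\svc_update.exe" CommandLine="svc_update.exe privilege::debug sekurlsa::logonpasswords exit" OriginalFileName="mimikatz.exe" Status=allowed',
    r'Image="C:\Windows\Temp\m.exe" CommandLine="m.exe lsadump::dcsync /user:krbtgt" OriginalFileName="" Status=allowed',
    r'Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs" OriginalFileName="svchost.exe" Status=allowed',
]

if __name__ == "__main__":
    for image, status, reasons in scan(SAMPLE_LOG):
        print(f"{status:8} {image}  <- {'; '.join(reasons)}")
    print("not blocked and not caught by name:", len(still_running(scan(SAMPLE_LOG))))
```

The caveat a practitioner wants: this only catches Mimikatz driven from a command line. In-memory loaders (PowerShell wrappers, reflective injection into another process) produce no such command line and no OriginalFileName, so those need different telemetry, such as LSASS process-access events or credential-dumping behaviour, not a string match.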