
...everybody for showing up today. If you're joining us here in Charlotte, it's kind of some cloudy, drizzly weather today, so today seems like a great day to get your cyber on and join us for BSides Charlotte. Thank you very, very much for showing up today. As you know, this is a community-based conference, so there's really no reason to do this if you're not here with us. Today, from a speaker lineup and a topic standpoint, we have a pretty wide range that covers offensive and defensive topics, as well as some satellites, some hospitals, some ransomware and more than that, so there should be a little bit of something for everybody in today's lineup.

Speaking of that, I wanted to point out that in spite of some of the challenges that this year has brought, this is something we've still been able to move forward with, which is a very positive thing. Not only have we been able to move forward with it, but we've really been able to expand the scope of the conference to include attendees from across the U.S. and possibly even outside of it. Not only that, but we've also had speakers submit from around the globe, and for one of them it'll be a very, very late evening when they join us for their presentation Q&A. So we're very, very thankful to all of our submitters as well as those who were selected, so a huge shout-out and thanks for that.

Moving right along, there's a couple of logistics things I wanted to cover before handing off. Obviously you're watching us on YouTube Live, so it's great to be here, but there's a little bit more if you're interested on our Discord server. There's a link in the video description below to get to that; you can check our Twitter feed for the link. That's all up there and will get you into the Discord channel. Once you've made it past purgatory, where you accept and agree to abide by the code of conduct, it'll open up and you'll see several channels. The ones that I wanted to point out specifically are lobby con, track one and track two. Those are the main track channels, the main channels for the event today. Track one will have the track one talks; that is where the speakers are going to be when their talk is being broadcast, so you'll be able to interact and ask them questions as their talk is actually streaming. The other thing to call out is the CTF. We do have a great CTF today from one of our sponsors, and the CTF channel is open; you should be able to see that now in Discord. If you are planning on participating, you might actually click the little race flag that's going to pop up and talk to you about getting some extra roles and permissions for the CTF activities. That's all the logistics for now. Hope everybody has a great time today, and with that I'm going to hand things off to one of our vice chairs, Alex Hutton, for information about sponsors.

Good morning and thank you very much for joining. We really appreciate the attendance, and we also really appreciate those folks that helped make this happen, our sponsors. Our sponsors this year, fantastic, thank you so much for your support: Triaxium Security; Secure Ideas (Kevin Johnson, you're wonderful); Leela Studios; Bank of America (John Mazza in Southeast Financial Services Security); Code Warrior; and Polarity. Thank you very much for your sponsorship and for helping us make this great community event happen.
Hi everybody, I'm Jeannie Rogers. If you don't know who I am, I run FoxPick, and we are so sorry to not be able to do a lockpick village today. I know a lot of you look forward to it, and we do too, but the good thing about this time that we had is that FoxPick got to do a lot of improvements, and we've been working on new games, new tech, new lots of stuff. So, speaking of improvements, one of the main things that BSides Charlotte brought up was: you know what, let's take advantage of this time and let's improve ourselves. So we wanted to find out if you guys have been improving yourselves. We've all been presented with crazy challenges during 2020, but we always, as hackers, make the best of those challenges in creative ways. So we look to this year as the year of improvement, improvements that take shape in different ways, whether it be working on upgrades or improvement projects, dusting off that project you always meant to get back to, or learning and new growth. That's what we wanted to know: what is your accomplishment, what did you break, build or learn during the quarantine? We're hoping to find that out today.

So let's kick it off with our keynote, Mr. Sam Kinch, and I'll tell you about him right now. Wait, why did you scroll? Okay, so Sam's keynote is named Gray Days and Silver Linings: the cyber world is not a trash bin on fire; in light of the current world events there are silver linings. Sam Kinch is a hacker of many things. As the CEO of Hackers for Charity, he pioneers efforts to educate, inform and enable cybersecurity technology solutions for other non-profits and charity organizations. His work fields efforts to provide offline cybersecurity platforms around the world, and he currently leads the Hackers for Charity red team. Since 1991, Sam has served in both the Army and the Air Force with a multitude of tours to Africa, the Middle East and Europe, following his early career as a cavalry scout and C-130 aircraft pilot. Man, you would really get along with my husband. He currently serves as a cyber warfare officer in the role of National Guard advisor to U.S. Cyber Command and technical advisor to the Defense Science Board. I hope you guys really enjoy Sam, and I will see you guys later today. Enjoy the day. Sam, take it away.

Awesome, thanks Jeannie, I appreciate the intro and the kind words. The slides should be coming up shortly, and let's just make sure we get a positive before I move forward on that.
All right, Alex or somebody else, can I get a thumbs up that we're good on the slides?

...be good. Awesome, all right, fantastic. So this talk, even though we're virtual, this seems to be the name of the day for how we do business, so that's all fine. It's relevant, I think, and I think it'll apply both from an awareness perspective for some of the things that I've been involved with most currently, as well as kind of looking forward, trying not to associate the bad stuff that's happening with gray days, but to look at the silver linings that are going to be happening and that are already happening throughout the world. So with that, let's get into the slides.
It really helps to understand who I am, so I'll just level-set the playing field. I tend to hide in the background a lot when it comes to Hackers for Charity, and that's just the way I feel most comfortable. I like doing stuff, I like hacking. As an ode to Johnny Long, I'm going to kind of play through a bunch of slides fairly quickly. I'm not going to have much detail on the slides, and I think this will get through at least the intro part, and then once you know who I am and where I'm coming from, you'll have better clarity on my approach and why I'm talking about what I'm talking about.

So absolutely, I'm a hacker by trade. I love this stuff; I've been doing it since I was a child, most recently with Hackers for Charity, as you heard in the intro. I am a warrior when it comes to the military; I've been doing so for many, many years. I'm also a traveler, courtesy of the military. They like to ship you off to random far-off places in the middle of nowhere, rare places I probably will never go back to again, but those are good experiences and they definitely helped mold who I am today. I'm a husband, and my wife and I have four children as well, so I'm a dad, and that makes things very complicated, especially when they're all teenagers and below. And then I'm a Christian by trade and, fundamentally, by the way I do business, so I feel like that really does impress upon my life and the decisions I make.

How did I get to where I'm at today? 29 years ago I started with the military. I started off with the Army: tanks, Bradleys, overseas in Bosnia, Macedonia, the Kosovo war, all that crisis back then. But I didn't really want to stay in the Army. I wasn't married at the time; it was a lot of fun, but then around 2002 I started looking into another career. I wanted to fly, but the Army wouldn't let me fly, so I switched over in 2002 to the Air Force. The Air Force provided me an opportunity to be a C-130 pilot, and I ended up flying for many, many years, and again they sent me overseas: I ended up in Africa, the Middle East, Afghanistan, Pakistan, a lot of Iraq. This was just in the 2005 time frame, so not too long ago, but things have changed a lot since then as well. 38 was the number of years ago that I transitioned, or I shouldn't say transitioned, but gained a love for cyber. At some point with the Air Force I transitioned from being a C-130 pilot to being a cyber geek, and I started that when I was a child. I actually ended up taking a C++ class when I was in middle school, of all things, and I can reflect back on that and I know that that was fundamentally where I started my passion for cyber.

The Air Force also had other opportunities for me, and so this is how I ended up getting into the cyber warfare arena. I was BRAC'd; for those non-military, that means our base was shut down and you're forced to go find a new job some other place. Thankfully, in Delaware they were standing up a cyber operations squadron, and that operations squadron is focused on offensive operations, so it was really awesome and it really tied me to something that I loved. So now my military career and my love and passion in life were converging; this was really cool. This is also around the time, early 2000s or mid 2000s, that I met some fantastic people that drastically influenced my life: folks like Rob Fuller at Mid-Atlantic CCDC, the NSA Cyber Defense Exercise, Johnny Long and Hackers for Charity. These people played big parts in developing who I am. I also started red teaming with Raphael Mudge, from Armitage and now Cobalt Strike, and so Raph and I became friends through that means; we've maintained that friendship since. That's really led to a lot of opportunities in being an advanced business and threat team lead, working with folks like Don Hess and others that are within our military community, very avid on the red team/blue team side of the house, doing security assessments, yes, but really enabling younger generations as well as organizations to refine their processes and become better at defending our networks, which is fantastic, and it's a lot of fun to do. Then in the 2008 time frame is when I met Johnny Long with Hackers for Charity, but at the time he was working for the Defense Cyber Crime Center, and that's where the ties started, and I started volunteering and supporting and engaging with HFC.

I ended up doing a lot more cyber. Whether it's one job or another, I stayed in the cyber arena on the military side, and on the personal side my passion and love are there as well. For the record, I am an advisor, a National Guard advisor, which traditionally would mean that I am a part-time military member, but I've had the benefit of being full-time. Even though I'm a National Guardsman, I'm working for Cyber Command, working for the National Guard, on all things cyber, and that's where I'm at today. So I'm the National Guard advisor to the commander of U.S. Cyber Command, and I also work on the Defense Science Board on projects such as jig, which is the future of joint cyber warfighting: what is the architecture going to look like, how are we going to fight these battles and these wars from a cyber perspective more effectively with better technology, something that allows seamless interactions. Obviously, throwing in buzzwords like AI or ML, these types of things are all being looked at as part of the solution. They're already being used, but are they the best way we're doing business? So fundamentally that's who I am, that's where I come from.

It wouldn't be a conference without starting off with Mitnick. So this quote will kind of set the stage for some of those discussions we're going to have
today. We talked about gray days. Well, when you look at hackers, there's been a transition, and we've seen this. I wouldn't say a transition within the hacker community, but hackers, you know, they've gotten a bad rap, and we know that a lot of the fundamental work behind a hacker is breaking stuff. Unfortunately, what we've seen in the last year is a massive amount of breaking stuff of big businesses, state and local corporations and the federal government, to say the least, and it's becoming a big business. In other words, people are making drastic amounts of money, huge amounts of money, doing this. There are actually regimes maintaining their regime status because they are conducting ransomware attacks and then sucking that money in to prop up those regimes.

So what gray days are we talking about? When we talk about the last year, and I'm just going to look over the last year, we've had some significant hurdles, obviously with COVID. That is something that we can't underestimate: the impact it's going to have globally, the ability for it to influence our future, what it's going to do and how it's going to impact our lives going forward. It's fundamentally a massive change to how we are doing business, and it's not just impacted the state, the local, the companies, the civilian organizations. I can tell you it's hugely impacted the federal government and the way we're doing business. The virtual nature, the teleworking, all that stuff is now forcing drastic changes into corporations' way of doing business. They're having to change their security mentality from, you know, every user's in the building, to all of a sudden now you have all these remote systems, all this teleworking. Microsoft Teams, Google Meet, all those have been hugely refined in the last year.
I am still here, but I am tweaking my slide for a second because it doesn't want to cooperate. Okay, civil unrest. Well, it wouldn't be a discussion without that. This one has caused controversy and created real tension around our nation. You think of cities like Portland, who are succumbing to all kinds of protests in different fashions, from the extreme side to the more benign side, and while this country is founded on the ability for free speech, the civil unrest part of it does affect people both emotionally and physically. It's all over the news. The political agenda of today: we have elections coming up in a month, and this is another aspect of the sensitivity where we see people modifying the way they're doing business; we see them placating certain parties. Regardless of what administration ends up either staying in power or taking over, it's going to affect us permanently, because those changes that those individuals, and more so the administrations, make are going to impact us for the long haul, and we know that. I mean, this is not something that's new or different from before.

Finally, I want to talk about ransomware. I'm going to go into a lot more detail on this because I think there's a tie-in here where I can highlight a bunch of silver linings that have been happening within at least U.S. Cyber Command and my work with them over the last year, where we've been able to play and help states and localities fight these malicious cyber actors, as I'll call them. Those can range from local script kiddies who are taking advantage of that low-hanging fruit in states, to foreign nation states that are purposely attacking our country, and we've been doing stuff to actually mitigate that as well. You're aware of a lot of it, and we're going to talk about some of that today. So let's highlight some of the news articles recently, and then what I'll do is dig into how we've been able to help some of these organizations. These are all snapshots from the
last couple of days, pulling from Google News feeds. Back in May, the first one, the first big one, was the Texas Department of Transportation, as well as their court judicial system, being hacked. A lot of the documents were pulled from there, and that really, for Cyber Command, was one of the bigger ones where we were able to facilitate some of the new remediation efforts from our federal side, helping out a state locality. You'll see the first day of school in Connecticut. This was one that was really interesting, because the ransomware managed to hit server infrastructure that then hit emergency services, but also happened to hit the school systems, and so that first day of school they ended up canceling it and starting the next day. Not a huge interruption, but still, when you talk about the impact on the state, and of course the negative media coverage doesn't help the situation. Texas again, in Hamilton. Emotet is another big piece of ransomware that we're seeing played out; Emotet, Ryuk, Conti ransomware, or Ransom X is another one. And Texas, I'll mention Tyler Technologies just a couple of days ago: a massive provider of software and services for states and localities, and yet now they're hit by a ransomware attack. We're hoping it doesn't impact beyond the company, even though that's a real negative. The fact that they could potentially impact, not nations, but states around the United States is a huge limitation that we're going to have to fight through as organizations.

If you look at Texas, for example, and you say, okay, the fact that Texas was ransomed, okay, that's going to happen. But now you start throwing in media, and here's where the gray days get worse, because media will spin the situation and start raising concerns about, hey, this will impact election security; hey, you shouldn't trust our political system; or our government is not capable of defending themselves. These types of media hype are not a good thing, but at the same time, if we recognize it for what it is, I think we can read between that and go, okay, we're going to fight through this, and like America typically does, we'll overcome. California: it doesn't just hit home in Texas or Connecticut, like I mentioned. California had two weeks of school shut down and delayed in Rialto because of disruption to their systems. And we talked about states and localities; this doesn't just impact them. This is also a federal issue, where you have federal agencies, in this case an unnamed agency, suffering a very sophisticated, possible nation-state attack. So these types of effects are not limited to localities within North Carolina or Texas or Washington State, but they are tied to federal issues as well, and our agencies, our federal government, are not immune to that.

Just to talk severity and statistics: if you look at this, a 47% increase in severity of ransomware attacks, and that's on top of the 100% increase from last year. So these types of things are not going away; in fact, I would say that they're effectively getting much worse. As long as we keep that in mind as we talk and have those discussions and have the meetings with our leadership, and our discussions to decide where we're going to spend money, as long as we keep having those
discussions and keep level heads during them, I think we'll be much better off and in a much better position to be positive and find that positive outcome in the end.

This quote is par for the course when you talk about ransomware. Ransomware attacks have tended to be ones that ransom the computer, lock down files, tell you you need to pay money, and then if you don't pay the money, they either leave them locked up or they'll burn down, effectively, in the virtual way, the networks, or other ways of ransoming. What we've seen play out in the last few weeks has been a kind of change in some tactics, where the ransom organization will impact a company or a state or locality. They will exploit them, they will drop their ransomware on the system, but they might not encrypt files. We've actually had phone calls, and been able to get copies of phone calls, that were very interesting, that were from a paid-for-hire person on behalf of the organization that ransomed the state or the locality, who leaves the threatening note and says, listen, you need to follow the instructions on your desktop, and if you don't, then we have your information and we're going to go ahead and release it. But they haven't locked down the systems yet, so they're trying to keep those organizations on the hook without completely locking them down and causing pain immediately. It's kind of like a twist to it, where they keep that dangling threat above them in the hopes that that organization will pay, and they really don't want to directly impact immediately, because they do want to keep making money from you. The longer they can suck money out of your organization, the more they're going to dangle that carrot there.

The way I see ransomware is it's really become the TikTok of malicious cyber actors. The way they are actually doing business, it is so prevalent, and we've seen it play out not just, like I mentioned before, on the script kiddie side, but in the criminal actors as well as the nation-state actors. They're all using it, and they're all using it very effectively.

So this is where I'm going to put on my Cyber Command hat. If we just look at the negative side of things, that really brings us into a position of frustration, of tension, and I know that there's a lot of companies who are fighting back at this pretty effectively: Malwarebytes obviously, BleepingComputer, other organizations, all the mainstream ones, McAfee, Microsoft. They're all doing really great work in trying to overcome
and defeat those types of actors. But like we know in cyber, things change on a dime; within weeks something has shifted into a brand new derivative of the previous work, and so we have to be on our A-game all the time in order to stay ahead of that actor, or at least stay on par with that actor.

The Cyber 9-Line program was a means for Cyber Command to gain awareness of what's happening at the state level, and I wanted to bring this to your attention because a lot of people aren't tracking on this program. It's new; I started it in December of last year. I was involved in red team exercises out of New England. There's six states that conduct an exercise called Cyber Yankee, a pretty massive exercise, about 700 individuals, all military, focused on training their defensive cyber operators in the Northeast to better their skill set in conducting everything from, you know, secure-and-protect types of ideas, where you're going into a network that's compromised, figuring out what's wrong, securing it, and then also trying to protect it and mitigate future infections. When I was at these exercises, and specifically the Cyber Yankee one, I noticed that there was not a means to pass information up out of the state to the federal level, and I'm concerned about the federal level. The state does a great job at usually doing remediation; in fact, those exercises really highlighted the sharing between localities or state-level entities. There are representatives from DHS and FBI; a lot of times the state police will run the operations center and/or the fusion center within a state. Response actions within the state, albeit they're all over the place, are generally really good. Most states have some form of cyber disruption plan, even if they haven't exercised it; just the thought process to have one and the ideas behind that is huge. That's a great thing.

So the Cyber 9-Line program came about because General Nakasone, who's the commander for Cyber Command, was looking across the nation and he was frustrated that he wasn't able to get information on state-level actions, state-level incidents, sooner. Cyber Command, from a mission perspective, has a responsibility to defend the nation, and that's not an internal thing. We rely on our partners, our mission partners like DHS, the Department of Homeland Security, or FBI, or other sub-federal agencies like the Defense Cyber Crime Center, and those organizations, to help facilitate the internal incident response. From Cyber Command's perspective, our defend-the-nation perspective is outside the United States. It is, and this is General Nakasone speaking, how do I persistently engage our enemy? Persistent engagement is really the fundamental words, the buzzwords of choice, and those are all over the media. When you look at Cyber Command and look for General Nakasone, if he's talking, he'll use those words. What he wants to do, and what he's been doing over the last year, is fundamentally changing the course of how we do cyber warfare within our nation. It is actively pursuing our adversaries who are doing malicious activities against us. It is not sitting back waiting for an attack to happen and then, oh, you know, let me go ahead and figure out who it was and go after them; oh shoot, it's been a couple of weeks, I've done my research, I know who it is. It's a lot different now. It is something where we are constantly digging into the most simple incident response that is
happening within our nation, looking for trends of a foreign nation-state actor, where maybe they are looking at a particular weakness in a piece of software and we see them targeting several different states with the same tactic. We also, through other sources, are able to identify that that particular tactic is used by a nation state like North Korea or China or Russia or anyone else out there, for that matter. When we start putting those things together, those incidents, and recognizing the trends, that leads us to pointing a finger at a malicious nation state who's targeting our country and going after us, and this is where Cyber 9-Line really plays its strength. We didn't really have a means to pull that information in quickly.

Now, if you look at the Cyber 9-Line program, we are not trying to replicate what other organizations do. In other words, we're not trying to be the DHS for the federal government. We rely inherently on states dealing with things at the most local level possible; they're going to elevate things up and out of their state when they feel like they need help, and that's the way we should be doing business. Our nation is founded, our Constitution has a fundamental premise, that we are very independently minded. In fact, if you look across our nation, there's 50 different states, there's a district and there's multiple territories. Every one of those locations is unique and different in the way they stand up their operations center, their fusion centers, their exchange of information, who they're going to talk to. Maybe it's an ISAC, maybe it's their analyst in the state, maybe the state doesn't like federal involvement; they're very state-focused and they don't want any federal play, so therefore they're not going to talk outside of their state about incidents, and that's really okay. What that's done for our nation is made it very difficult for malicious cyber actors to target one state and impact others, which fundamentally is amazing; that's a great strength to have. If an actor really wants to pursue our nation, they're going to have to go through a unique method for really every state that they want to attack.

So the Cyber 9-Line program provides a means to gain information quickly from a state level. You see some of the bywords here, like non-sensitive: we're not asking for the company that was hacked. All we care about from a Cyber Command perspective is what points us to the enemy: foreign IPs, foreign domain names, the URLs that the implant is calling out to, pieces of the malware that were dropped on your system, information about the actor who's picking up the phone, or the hired hand that's picking up a phone and making the ransomware threat. Those types of things are hugely beneficial for Cyber Command to look at and take action on. We're also bi-directional. This isn't a "let's suck up your information and not give any information back." One of the fundamental premises behind this is that as states, I'd say, join the program, when they are able to acquire accounts for this program, without even sharing anything initially we're giving them information from Cyber Command's Big Data Platform, our BDP, which you'll have full access to, and then you can actually pull information out, you can exchange information with us via Cyber 9-Line, and we can start the conversations for how to remediate the incident, whatever cyber incident is happening right now within your state. I say it's focused on the National Guard, and that's because there's over 4,000 National Guard across 54 states, districts and territories that live, eat and breathe in those states. Those individuals are cyber trained, assigned to Cyber Command and mobilized in support of Cyber Command's efforts, so they're trained to do those defensive and offensive missions, and therefore they're in a great position to actually have access and create a bridge between the state National Guard itself and the state leadership, the political leadership there, either the civilians or the contractors or even the governor themselves.
It really helps to play out what the incident is. So if you look at an incident, I'll go through this really quick. Let's say an incident happens in the state of Hawaii. A mission element responds; a cyber task force might be stood up. These are not military-specific; this is just the state and the way they're responding, whether civilians or military, it doesn't really matter. This is just an overview of how that might look. There's a joint operations center and an emergency operations center within a state; there's also fusion centers. Once the state elevates that issue to a higher level, it could get pushed out, and this is the typical means for doing so: it goes out to DHS. Their new term of art for their op center is now called CISA Central. If you're part of DHS, I don't think that was the smartest name, but that is what you're calling it, and that's fine. You do have threat hunt teams at DHS that actually do response actions within states to help them remediate, and this is only when the state actually elevates it to that level. Sometimes the states will employ their state National Guard, and those National Guardsmen, their cyber forces, can go in and help assist the state. They're usually supporting; they're not usually the lead. But the states are all different, and again, some states will use them and some states won't. What had been left out of this exchange was Cyber Command. For the longest time we just were not getting information quickly. Yes, information flowed from DHS to Cyber Command; it just took a while. So we created the Cyber 9-Line dashboard, and while that's not really the meat, you can see some of the takeaways of why we created the dashboard and kind of the benefits of having access. It just gives you a highlight of what's happening around the nation, but then you can dig into each incident, and in that incident is how we are responding.

So before I go into Texas, I'll say that the fundamental premise behind the program is twofold. We are giving access to the states to better their state cyber self-defense, and then we are also looking for information, IOCs, indicators that will point us to those malicious cyber actors, so that we as Cyber Command can take action within hours, if not days, not weeks and months later, when most likely the actor's moved from their infrastructure and gone on to bigger and better things, and by that time it's way too late.

So let's talk some examples. Texas was a really interesting one, because it involved a push of information that happened from Cyber Command down to Texas as part of their response, and here's how it played out. Texas succumbed to ransomware back in May. It hit their county courts and their Department of Transportation. They were responding to it internally. We at Cyber Command have additional, and I'll say classified, means for gaining access to other information around the world, whether it's dark web forums or other things that point us to things that are happening, so we can see trends, so we can highlight what attacks are forthcoming, what attacks are happening. In one of the particular exchanges between malicious cyber actors on one of these forums, there was a YARA rule that was identified as being something that could mitigate the threat that Texas was actually in the midst of dealing with, and they were constantly, still, getting hit. So Cyber Command was able to identify the YARA rule. They ripped it apart, they verified its authenticity, they actually tested it against systems in our networks, validated it actually worked mitigating that particular ransomware, and then sent it. We actually sent a Cyber 9-Line out to Texas to say, hey Texas, this is an issue, you really need to deal with it. We had a lot of exchanges between the Texas CISO as well as their network boundary layer folks. The interesting thing here, though, is their network boundary folks are civilians; they're not military, not National Guard, so there was no relationship there. It was just us reaching out to them, on a law enforcement nature, to say, hey, we have an issue. They were able to put that YARA rule in place, and they actually immediately stopped further infections from that ransomware because of the attack vector that was being used. So this was a really cool means for us pushing information down to a state that didn't ask for help, but we saw something, we were able to identify it as a solution to their problem, and then reach out to them directly.

Washington State was an interesting one. A couple of months ago, during one of their election cycles, they believed that they were being attacked, their election system was being attacked, and they did actually
have quite a few attacks against their election infrastructure none that i'm aware of actually were effective but the first one that came to light was one where they have access to our cyber 99 program they submitted a request for a cyber nine line let me step back for a sec because i want to say one thing the cyber nine line started because of my background in uh the military in the army uh for those of you who are military a medevac a nine-line medevac is something that i had had was unfortunate enough to be involved in many times and what that is is it's nine lines of information that allows an a individual at a
operation center to understand that there's a medical issue here's exactly the the very succinct non-emotional facts of the situation so that they know what type of response to send out to deal with that medical emergency whether it's a helicopter or a truck whether it's a broken limb or a death so the details are all there the incident information is all there it's the quick triage information that's what a nine line is when when we look at cyber we needed the same thing and the cyber nine line program allowed us to get that information the fundamental information the non-emotional non-sensitive information from a state to identify what was going on there and then deal with it and we can still
deal with it because we have the fundamentals of what we need a cyber command to affect that that change that fixed that solution washington state so if you look at that said we could use some help in malware analysis uh actually in uh not my analysis but in our exchange of information to some of the assets that we had access to our law enforcement relationships our counterintelligence relationships because obviously cyber command has a pretty strong working relationship with the nsa when they reached out they said we believe we're being attacked we did a lot of research on our end were able to push them back some clarifying indicators that then led them to ask their fbi counterparts who
intervened sent a request over to amazon because the aws stuff was being it was being hosted in aws were able to identify who the owners of that were and then over the course of that process they realized that this company was actually set up to do testing of their network systems but nobody had informed the state that that source would come from that aws instant even though that organization was hired to test the election systems so what was really cool about that was we saw within 24 hours a circle of life where we even saw the request from the fbi over to amazon to to sort out the information and realize that it wasn't a true attack on the washington election
systems it was actually a test to validate as part of their normalized processes
Storms refine us. So this is my fundamental second point to what I wanted to bring to light: over the course of your engagements, wherever you're at, those storms are actually a good thing. Yeah, a nice picture, but really what I want to play out here is, I spent some time in Seattle, where it rains all the time, where the environment isn't the nicest. It usually has a bad rap of being rainy, cold, damp and drizzly, but the really cool secret to Seattle is that if you wait a week the sun comes out, it's blue skies, and completely blue, not a cloud, absolutely stunning sun. And then on top of that you just look outside, you see the Olympic Mountains, the Cascade Mountains, Mount Rainier to the south standing at 14,000 feet. It's huge and it's awesome. I also spent some time in Boulder, Colorado, when I was younger; I lived there for almost a year. The storms there are completely different. Storms roll through, they hit there around noon, thunder, lightning for about an hour, and then the rains roll out across the plains and you actually watch those clouds move away to the east. And it happens every day, but you know it's going to happen and you know those storms are going to come. I think the big takeaway here is that even though Boulder, Colorado and Seattle, Washington are both different and unique in the way the storms are hitting, it doesn't matter, the sun still comes out at the end. The storms move away, they wash away all the filth and it leaves everything clean. Not to say everything's going to be, you know, unicorns and rainbows when it comes to how we're dealing with cyber; that's not what I'm trying to say. You know, really, I think you get the point that we're going to have storms. We have to face the light of the day and we have to face them head-on. We can't hide behind it. We just know that those storms will come; we plan the best we can, we adapt as the storms roll through us, and then we overcome them.

Connecticut, when we reflect on the Cyber 9-Line program and what we did there, was another unique one. One of our teams here, similar to Texas, was looking in some locations across the internet and found that the admin credentials for the state of Connecticut Department of Health were compromised, and it was for their Department of Health, their actual systems, one of their admins for their state health department. We called up and put a Cyber 9-Line in, we called up Connecticut, they validated that they were actually current and valid. But thankfully it looks like that even though the sale went through on the particular forums we were watching, they had changed their password by then and they never saw any effect from that. So being able to quickly identify potential threats against states really helped mitigate Connecticut in this situation.

VirusTotal. So I work with an organization called Cyber National Mission Force. They are a component of U.S. Cyber Command, and over the last couple of years you've probably seen on VirusTotal, and reflections of this in media, where our Cyber National Mission Force has released signatures of foreign nation states. This is part of a process we call hunt forward, and hunt forward is where that organization will send a defensive team out to a nation state that is being used by a malicious cyber actor, either as a pivot or, you know, some type of redirector, or just absconded with infrastructure there that they're using to just host their malware, could be anything, where we go into that with the nation state's permission and we help them clean that up. We take that malware, we bring it back to our place, we rip it apart, and then we release it so that the independent security firms that are out there can do their due diligence to figure out what this software is, what it's doing, why it's malicious, and then attribute it to a foreign adversary. And that's work that we were able to really, I thought it was a very unique play on the way that security researchers tend to do business, where it's not just a security researcher coming across it on some forum. This was actually the federal government identifying the same thing and giving it to the security researchers to do the work, to put out the media and point people to a foreign nation state that's doing bad stuff to our nation.

Last big point is all things get difficult before they get easy, and we talked about this in a few different ways, but I want to point out two examples for this. Hawaii has a cyber disruption plan, and their cyber disruption plan, you know, has been exercised in the past, but to their admission it's not the most ideal. I think every state can reflect on their disruption plan and go, we'd like to exercise it more. And to Hawaii's credit they have a very proactive team that's actively working to integrate the military because of the ties to our Pacific Command, as we call it, the nearness of them to North Korea and China and Russia. You know, we think back to, and we have reflections of these, Pearl Harbor, but you hear the cyber Pearl Harbor; they don't want to be that, they don't want to have that same issue again. And so Hawaii has another exercise coming up in November where they're going to be proactively exercising our Cyber 9-Line program but also refining their cyber disruption plan, tweaking it even more, integrating the agencies within. We're working directly with the state CISO and others to make that happen, so it's a whole-of-state effort and a really good news story for one state in particular.

Rhode Island is another one, and Rhode Island was an interesting one because of their, and actually I misspoke earlier, I just want to be clear on this: Rhode Island was the one that had the Department of Health credentials being released; we worked with them on that. So the Connecticut situation, as I was referring to before, was actually one where ransomware owned their servers, and in this case that ransomware affected almost 300 of those servers. We talked about the fact that it delayed school for a day, and we were able to assist them because they called in their National Guard. Their National Guard reached out to us because they were part of the Cyber 9-Line program and they said, can you help us out? They were able to provide us foreign indicators as well as malware, and in that situation it was about 20 hours later we had two malware reports that had ripped apart their malware and were pointing them towards other indicators that they could use to defend themselves. On top of that, those malware reports, like any good report, will actually point you to where those files live on disk, so now you can see in memory and on disk where you need to go hunt out and root out that adversary, plus you can scan your systems for additional indicators that you might have.

So like any good talk, what I want to do is leave you with three fundamental points. These will be quick, and this is the last little bit of my keynote. Fundamentally, failure is not falling down. You are going to fall down, you are going to have great a's; it's the refusing to get up part that will keep you from succeeding. I think most organizations are very flexible when it comes to failure, as long as the person that's failing has the gumption and the motivation to get back up on their feet and keep going, learn from their mistakes, attempt not to do them again, although, being human, that's hard to do sometimes, and just keep going. Success doesn't always go to the strongest, it doesn't go to the smartest, it doesn't always go to the fastest; rather, success comes from hard work, persistence and an ability to work with others. Fundamentally, clear and concise communications matter, and it underpins your ability to nurture partnerships, and those partnerships, I would challenge you, could be outside of your locality, of your state, could be with the federal government. Whereas the federal government gets scoffed at a lot of times with the "we're here to help," I would say that over the last few years we've seen a drastic and highly reflective change of the federal government, and particularly Cyber Command, to engage the states and localities, help them rebuild when needed, help enable their self-defense, not trying to, you know, be overbearing or getting their Wheaties, but really trying to help them succeed. And lastly, agile, creative thinking will enable you to adapt to your environment as it inevitably changes. This goes and reflects back to: you will succumb to events, but as long as you persist, as long as you get back up on your feet again, you will overcome.
I'm going to close out with this slide. I'm going to leave it up, because what I wanted to do was, I talked about the Cyber 9-Line program. I'm really not trying to make this an advertisement for it, but if you had any talking points or if you want to reach out to me on that, the Cyber 9-Line at cybercom dot mil is the best way to do so. This slide really summarizes what I talked about in some of those efforts. I hope it leaves you with a better feeling for what the federal government's trying to do. We're using this program not just for elections. This is not an election-specific solution; this is a whole-of-government solution that has long-lasting efforts. It's the way that Cyber Command can receive information from companies, states, locals, you name it. So with that, I want to see what questions you have and have a little dialogue back and forth.

Just double checking, Sam, you can hear me, right?

I can, thank you.

All right, so we're cutting a little close on time, unfortunately, due to the demons of the interwebs giving us a little trouble this morning. I think we can go for one question on here quick, and then are you going to be available in Discord for a few to follow up on the others? And I'll help get the questions that weren't queued to you via Discord. So one of the things that came up that hopefully will be a good one to close out on, because it was a major theme: someone asked, what part do ransomware and breach insurance companies play in either encouraging or deterring malicious cyber actors? And the context around that was they've heard that for some organizations it's cheaper to pay the deductibles than it is to actually secure their network.

Yeah, I think, like any good malicious cyber actor, and I'm going to use that term broadly to mean criminal or nation state, the intent is the same: to suck money from an organization, whether it's a state or local. And what we've seen is a trend towards the request for payments; they're not asking for millions, they're asking for thousands, hundreds of thousands, which is significantly less and sometimes less painful for a state or locality. We don't get into the knowledge base for what's happening with what a state chooses to do and how they're responding, so I don't know if I can really answer the question to the extent that the question was asked. We have seen that actors are adjusting to the fact that there is cyber insurance and that companies would rather pay the insurance than deal with other things, but we've also seen a lot of organizations, and states for that matter, not paying even though they have insurance, not paying the ransom. Because, you know, what we typically see in ransomware is either it's going to come in a different form or the malicious cyber actor is going to change their TTP, and instead of locking down their systems they don't lock down their systems, but they threaten to and then they validate their proof. So I think if the issue hasn't happened, I've seen the actor morph to a position where, because the cyber insurance won't pay out because the network hasn't been locked down, there's no actual result of the ransomware yet, it's just the threat and proof from the actor. Actors are manipulating the way they, I say manipulate, they're actually changing their tactics to adjust to those rules and regulations within the payouts. Yes, they want their money, but when it comes to actually the payouts themselves, I don't think I have a better answer than that, unfortunately.

Okay, well, a huge thank you for the presentation and your time today. I was listening the whole time in the background to know when to jump back in. It was great material, and thank you for the overview and the insight. I think it resonates with a lot of the community here in the BSides Charlotte group. So with that, Sam will be joining us on Discord for a little while to answer any of the other follow-up questions; I know there's a few outstanding, so we'll get to those. And just a couple logistical items as we're moving into the ten o'clock time frame. The first one is the CTF, so anybody who's participating in the CTF, they are going to be doing an overview of the CTF platform and how to use that platform in the CTF channel, so go over there, take a look at that. We've got some folks, if you're having trouble with that, that may be able to help you out. And then the final thing is there'll need to be a couple of minutes' transition between us closing down the livestream here and getting going on the talks, so please just bear with us for a few minutes and we'll be right back. Thank you so much.