
Welcome, everyone. I've been looking forward to this talk; it gave me a good excuse to, you know, watch TV and pretend I was working, and there's nothing wrong with that at all. It's nice to do a fun talk instead of a talk about some particular subject that everybody wants to learn more about, although hopefully you'll all learn something from this talk. We'll see how it goes. Spoiler alert, obligatory: I'm not going to spoil things too badly, I hope, but I will be talking about several episodes and what happened in them and so on and so forth, so just be aware of that if you're going to watch, or if you haven't watched the show so far.

Beyond that, I thought it would be a fun idea to, like I said, watch The Mandalorian again, take some notes, see what we can learn, see what lessons we can draw from it, and just have some fun putting together a talk. So that's where this came from. I looked around; there are talks similar to this on various shows, and on Star Wars especially, in the past. Star Wars does not have a great history of security. We've seen all sorts of things: impersonation attacks, people pretending to be who they aren't, bad control of data or governance, no encryption anywhere, lots of single points of failure, no physical security to speak of, shared passwords, terminals anywhere giving you access to anything, and of course they lost three Death Stars. So something isn't quite working very well for the Empire.

I grew up, and I'm just of that age, which is kind of scary now, where I saw A New Hope at the Showcase theatre on First Street in Calgary when I was five years old. That's a long time ago. I guess it's called the Grand now, something like that. So I definitely grew up enjoying Star Wars. Let's have some fun and talk a little bit about security in a Star Wars context.

I've broken this down into six or seven lessons, I can't actually remember, from The Mandalorian. We will start with lesson number one, which is of course that while the show is called The Mandalorian, it takes a lot of people doing a lot of things. Mando acts like he's a one-man show, but pretty much throughout the show he had help. He was working with other people; he was doing his thing with a lot of support, whether that was fixing his ship, extra dragons, people peeling him up off the ground, and so on. He had a lot of friends, and he wouldn't have survived on his own. I think that's pretty clear.

And maybe I'm preaching to the choir, but cyber security is the same sort of idea. There are many different ways we can look at that. Obviously everyone has a part to play in terms of our users, our administrators and so on, but even if we just look at a security team or an IT team, or groups of security people, the security community, everyone has a role to play, everyone has something to contribute. That's hopefully why you're all at BSides; that's hopefully why you're all part of the community. It is a broad, broad, broad space (that's not the word I'm looking for, and no pun intended), but cyber security is very broad. Nobody can learn everything. You will need help from your friends and from other people throughout, and you will be asked to give that help, or you should give that help as well, because it's such a broad subject area and nobody knows it all. Of course everybody has something they know better than everyone else; everyone's got something to contribute, everyone's got their skill set, whether it's an above-board, legal skill set, if we're talking about The Mandalorian here, or not. Everyone's got something to contribute and something to help.
So that was a quick first lesson. I've got a few more here, kind of building on that theme. Let's talk about fun topics like training and mentorship, and of course documentation, because who doesn't love documentation. I don't know if anyone remembers: Baby Yoda, he's small, he can fit inside the bowels of the Razor Crest, the Mandalorian's ship. At one point he was tasked with doing some repairs deep down in there, and, well, just like anyone else he had a lot to learn. He was gung-ho; he was in there, one wire in each hand. We all learn things on the fly. I do every single day, pretty much. I mean, at least we have Google these days to help with that, but you have to get that experience somehow. You learn by doing, you learn by trying. If you're not willing to do or try, then you're probably in the wrong industry. You've got to try stuff and figure it out; that's the only way we're going to get better. As I said, the field is broad, you'll never know everything, but there is a ton of knowledge that you can gain from other people, from Google or your search engine of choice, various forums and communities, Slack and Discord and everything. But most of all, my point is: don't be afraid to try stuff. It's the only way to learn.

But you still don't have to go it alone, because, and this was the best image I could grab of it, there are risks to going it alone, as Grogu discovered when he did exactly what he wasn't told to do and touched the two wires together. So you want to try to figure things out, but also you need to know when to ask for help. Actually, if you listen to Paul's Security Weekly, or if you've ever listened to it, you'll hear Paul many times talk about his philosophy, which is: he does this, and he wants people to go out and try and solve problems for themselves. Don't come and ask me if you haven't put in the work to try and figure it out for yourself. But at the same time you can't just bang your head against the wall forever. So try something, try to figure it out, try to find a solution, and then go and ask for help. And when you come and ask me for help, tell me what you tried, because when I tell you to try other things, don't go back and continue to try the things I... I've had that experience before too. But tell me what you tried, what your thought process was, and maybe I'll give you something else to try, maybe I'll help you over the hump, or get you going down a path, or help solve the problem. So try to figure it out, and don't be afraid to ask for help at some point.

And I hate to say it, but I've seen tons of environments, I've worked in many, I've caused this problem myself: we're constantly dealing with environments where nobody knows how they work. So anything you can do to make that a little bit easier on the people that come after you. Documentation doesn't have to be perfect; it doesn't have to be formal. My wife teaches literacy: it's about communicating ideas, not being perfect, because that will help others from getting their wires crossed. So as Mando says, every day is a school day. You don't want to rely on other people to do your thinking for you. As I said, try and figure it out, but not for too, too long, because after a point you are wasting time and effort. I want you to learn; I don't want to waste your time. So try first, ask for help, tell me what you tried, and share what you know.

Most of my talks, at some point I seem to end up talking about imposter syndrome. It's real, but it shouldn't be. Everybody has unique expertise that we can all learn from in this broad, broad space. And of course, most importantly, be a force multiplier (see what I did there). What I mean by that, and this is something I repeat often as well: for me, I'm in a customer-facing role, so my customers are a priority, but putting that aside, or after that, my number one priority is the things that I can do that will unstick somebody else, that will unblock someone else. If I can do anything for my team or for my customers that will help them progress in what they're doing, that is my priority. That's what I mean by being a force multiplier. If I can get somebody else on a path to being productive, now two of us are being productive. So that, to me, is one of the most important things in our industry.

So, moving on from people, although I'll come back to it at the end, lesson number three from The Mandalorian is preparation and response. There was a plan A and a plan B and probably a plan C in a lot of different episodes. The example that I will give of preparation is the Mandalorian himself. He has many tools at his disposal, whether you talk about his armor to start with, various different weapons from the flamethrower to the long gun to the pistol, his hand-to-hand skills, his rocket, his staff, or his rocket jetpack, and so on. He had many different ways of approaching any sort of problem, of getting himself out of a jam. If one thing didn't work, hopefully another would. The middle of an incident, or an attack, or a mission if you will, is a bad time to figure things out. He was generally prepared for anything and had a lot of contingencies, a lot of different ways that he could get himself out of a jam or achieve his goal, and so on and so forth, because things will go wrong, and when they do go wrong you need to have an alternative, whatever that alternative is. Whether we're talking about day-to-day in an operational role or an incident response role, you need to understand your tools, understand their capabilities, figure out what you need to do, or what you're capable of doing, and different ways of doing it.

I mean, I could talk for days on preparation in an incident response context. It is probably the most critical phase: everything from thresholds, knowing in advance that at this point I'm going to make this decision or take this action rather than arguing about it in the moment; stuff like contracts; having the right tools and the right permission and the right people engaged, the right information, decisions pre-made. We could go on and on and on. You want to know what you're going to do and how you're going to do it, and how you're going to do it if that fails, before you have to figure out what you're doing in the heat of the moment. I kind of use the various weapons and skills, I guess, that the Mandalorian has as an analogy for that.

On the opposite side of the fence we have the single-playbook brute force approach: bring in more stormtroopers and continue to miss. That seems to be the Empire's response, or solution, to preparation: just throw more stormtroopers at the problem. We all know they don't practice their shooting enough; that would be a start from a preparation perspective. And quite often, as we saw in The Mandalorian, that lack of preparation led to mass stormtrooper casualties. Clearly, in an incident response context, they didn't really do their lessons learned very well, as is evidenced by the three Death Stars that they are now without.

So Mando has spoken: come prepared for anything, defense and offense. Obviously his role was more in an offensive capacity, but the concept of defense in depth, or offense in depth, what I mean by that is you often build a security practice around a dominant security control. Every organization has one product, one capability, one thing that they tend to build their security program or capabilities around, or maybe it's two or three, but it's a small number. In the Mandalorian's case that's his armor. He walked through a lot of things that would kill him, basically, with that armor. That's his, I don't want to say his crutch, but his foundation, and then he built all of his other capabilities, in his case offensive, around that beskar, around his armor. And of course he had multiple ways to accomplish each task. I've seen lots of organizations that go best of breed, that have every tool under the sun, and then they don't use them. I'm very much of the philosophy that you want to build your security around one or two core capabilities and then fill in the gaps with other capabilities, just like the Mandalorian did.

So, moving on to a few more lessons. These ones are a little bit bigger; I'll go into a little bit more depth. The first one is key management, or should I say key management. This is a trope, I think, throughout all of the Star Wars movies: these Empire code cylinders. To me they're just passwords, and they're not very good passwords. It's "Empire123!"; I'm sure that's a pretty common password. These cylinders, and it happened many times in The Mandalorian... Does anyone remember back when somebody discovered you could open those Kryptonite bike locks with a Bic pen? That's what these things remind me of. Everyone's got just a cylinder, and they're not Doctor Who pens either; these are just cylinders. Stick them in, turn them, doors open. They all work the same: one works to open doors, they control computers, they decode communications, they do everything, and there doesn't seem to be any real difference between them. We saw that many, many times throughout The Mandalorian. In a world where there is hyperspace and hyperspace travel, they don't have biometrics, and basically what they're doing is using Torx screws to secure the Empire. You know, it's like the Apple laptop screws too: we've got a special input/output port, if you will, and as long as you have the right dongle to connect to that, then you're going to be successful. There's not a lot of variability or fit-for-purpose security here. These code cylinders seem to work on just about everything. Passwords are not a strong suit. It amounts to a shared password, number one; that's what the code cylinders seem to be. There's no concept of least privilege, because these things, as we saw and as I'll talk about again, the same cylinder will open every single door, it will do everything. There's no separation of duties as a result; everybody can do everything. This is something we're all familiar with: it's the same idea as those shared accounts, those shared passwords, those terrible passwords, and in some cases, and I'll come back to this, that lack of segmentation between different... I don't just mean at a network level, but data classification and so on as well.

Something else the Empire was subject to many times, not just in The Mandalorian but in the Star Wars movies as well, was replay attacks, a very pervasive problem. How many times do you recall a situation where a password or passphrase or code was stolen somewhere along the way and it works days, months, years later? And that's the only kind of security, basically: I heard this password used in the past, I'm going to use it again. We've got replay attacks. Mayfeld, we're going to talk about him some more, is a former prisoner of the Empire and still had valid access codes to an internal Imperial terminal. Okay, you send the guy to jail, he knows your passwords; maybe that's a clue that you should start changing them. So definitely a challenge for the Empire.

So Mando's recommendations: we need, or the Empire needs, more multi-factor. Sound familiar? It's probably one of those easiest or best-bang-for-the-buck capabilities. I saw a statistic that Azure, or Microsoft as a whole, is still only at about 10 percent adoption for MFA, I think, and that seems really, really low to me, but that's the number that's been published. Yeah, the Empire needs more multi-factor. We want to eliminate shared passwords. We want to change passwords that have been breached, and I put an asterisk there because I am not a fan of willy-nilly password changing. You choose a bad password today, you'll choose a bad password tomorrow; making you change it doesn't make it any better. So I'm not a fan of the 90-day password change policy, and I could go on for a long time about that if given the opportunity. I will tell the quick story: that 90-day password change policy, to my understanding anyway, and maybe this is urban legend, goes back to a 1984 NIST manual (I think they called them green books) that was based on the fact that if you had a 9600 baud modem (yes, I remember those too), it would literally take you 180 days to transmit every possible eight-character password, uppercase, lowercase, with special characters. Therefore they say, well, if it takes 180 days to brute force, or transmit, every possible password, and we force you to change them after 90 days, you're probably in pretty good shape. Well, somewhere an auditor (and sorry if there are any auditors here) read that standard and it stuck, and we've been living with it ever since. I know it's changed, and NIST has finally updated their guidance recently, but I am not a fan of those password change policies at all.

My pet peeves, or my guidance: change passwords when they're breached, absolutely, or when you think they've been compromised, but otherwise just make them long. That's all we really need to do. And have intelligent account lockout on everything, and build that capability in. Again, if someone fails their login 10 times in a row, I don't care; they're going to have to phone in for help at some point. I'm not going to just automatically unlock your account. I give you 10 tries in a row; it doesn't matter how long it takes you to fail those 10 tries. It's not "10 tries in 30 minutes, then I'll reset you to zero." No: if you fail 10 times in a row without getting it right, then you need to call in for a new password. Now, we need to deal with the flip side of this, which is brute force attacks from the outside and so on and so forth; that's where multi-factor and other things come in. But I'm just talking internally. If you fail that many times, you don't know your password; just call me and I'll unlock your account. So, sorry, a little bit of a tangent there, but that's kind of the point of this.

Principle of least privilege: we all know it's a fundamental principle, and it was definitely a problem in every episode of The Mandalorian. Once you get in the door, which didn't have any locks on it either, you could walk around the whole place and use the same key to enter the cockpit as the lab as the prison cell as the whatever. And separation of duties goes right along with that: why does one person have that level of access? Why is it not spread amongst multiple people? And, another terrible dad joke, I guess I'm also of that age: key rotation. It does not mean what you, being the Empire, think it means. Key rotation means something very, very different. Let's do that occasionally.

Speaking of physical security, as we know, the Empire did not have great physical security. For example, there were two different episodes, The Prisoner and The Heiress, involving essentially secure transport. The Prisoner was a prison ship; The Heiress was a ship transporting weapons. In both cases Mando and company were able to, well, slightly different scenarios, but essentially dock or open a door, land on the ship, and go straight in. Again, I guess it's that same kind of door: you turn the key, and any key works. But in both cases as well, the computers were completely unprotected. In one case, The Prisoner I guess, from outside: yeah, we'll just connect into the computer and take control of everything from outside. In The Prisoner the droids would only fight if engaged; you could walk right past them, but if engaged then alarms would go off, then you'd get into a fight, and then they would try to defend the ship, basically. There was absolutely no segmentation again, whether it was the prison ship or the transport. You've got weapons in the hold, but there's nothing preventing you from getting there. Or in the case of The Heiress, with the transport ship, they actually trapped the Empire folks in the cargo hold and then opened the doors from the other side. In the end, after giving Mando and company free rein on the ship (they were going up and down levels, through corridors), they finally said, oh, maybe we should close these doors, which apparently they didn't have central control of, and they trapped them in the control room, where they could then open the outside doors and flush everybody out, and so on. They had no ability to compartmentalize, to segment, to lock down and trap the intruders or restrict their mobility. The critical doors could be opened from the wrong side. In The Prisoner, Mando ended up in a prison cell which had a lock, or a door-opening mechanism, on the inside. He literally grabbed the arm with the key off of a robot and used it to open the door from the inside. I don't think these people understand what a prison cell and what physical security means.

And that was a great example of something else that we see a lot these days, which is living off the land. Mando was trapped in a prison cell; a robot helpfully stuck its hand in the door (I keep saying robots, why am I not saying droids? Anyway, a droid stuck its hand in the door), Mando ripped off its arm and was able to use that to unlock the door. That's living off the land, which is what attackers are doing in our environments these days. They're not using exploits, they're not running fancy custom tools, although those obviously exist; they are coming in and still running local utilities, whether that's PowerShell, whether that's other built-in management utilities, whatever they are. That's exactly what happens, and that's pretty much what Mando does throughout The Mandalorian. Oh, and I should mention too, in both of these ships I think they were able to literally walk into the cockpit, which is the control room, which apparently, even though they knew there were intruders on the ship, the Empire wasn't able to secure. So they would not do well against any sort of hijackers as well.

So Mando has spoken in this case; some lessons learned in his report. Obviously physical security breaches enable electronic breaches; we understand that. But what I want to do is relate some of these physical security concepts back to cyber security, and it all starts with strong architecture: do the basics well. I'll talk about this a bit on the next couple of slides, but if you do the basics well, if you have a good foundational architecture, the rest becomes so much more simple, easy, scalable. Separate from that, we do obviously want to secure administrative or management access. You don't want intruders running around your ship controlling all the doors, opening all the cells, stealing all the stuff, whatever. Segmentation and compartmentalization enhance security in two contexts: one, creating more barriers for attackers to get through to get to what they're after, but also so that, when faced with them (them being attackers), you can add more compartments, add more segmentation, add access lists, close some doors, restrict their movements, so that you can control and get them out of your environment. And of course monitoring and detection and alarms matter, because there were none in any of the scenarios I've been talking about, but they only matter, of course, if you have capable response. Going back to just flushing a whole bunch of stormtroopers out the door and seeing if they can hit the target and not end up sprawled on the ground, which was pretty much the theme of The Mandalorian. And I guess, talking about segmentation and network segmentation, I've said it a few times: honestly, if you think about it, least privilege is a form of segmentation as well. Dare I say zero trust, same idea; I don't want to go down that road, but we want to segment and break up our networks as well as our access control.

Speaking of architecture, I stole this from SANS, but I just wanted to really quickly bring this up. We have lots of things we can do from a security perspective. It starts with architecture. Then we have passive defense, which is basically built-in, inherent defense. Then we have active defense, which involves the people who are monitoring and responding, and we can augment that even further with intelligence, and, if we want, go on the offense, and not necessarily offense in a hacking-back context, but actively trying to block the attacker, trying to get them out of the environment, or shore things up against them as we go. Looked at a different way, and this is why I wanted to go down this path, this is your return on investment: architecture has the greatest value, because it's foundational, it's fundamental, for the least cost. That's why the previous slide, and this one, goes left to right: because architecture is the biggest bang for the buck, and everything in security is about bang for the buck. Then we have the passive and active, and intelligence and offense. A lot of organizations don't get to the top of the pyramid, the value pyramid, and that's fine. We absolutely want to start with architecture, because that makes everything else much simpler, and that's something that the Empire failed to do.

Lesson number six: the Empire does ICS, and of course it wouldn't be the Empire if they did it well, so the Empire does ICS badly. There was The Siege, a different episode, where there was an Imperial base that got its power from thermal energy; there were lava rivers, apparently, that flowed by every day. And, shocker, there was a code cylinder, a single one, that granted access to the lab, to the research contained in the lab, to the data, to the control room, and to the heat shaft and the process itself. Now, we all know in an ICS environment we need to segment our corporate and our control networks. In this case they had the lab; this single key, meaning no segmentation, worked for the lab, the test network, the research network, the business network (aka just the base itself), and of course the ICS in the heat shaft. In the lab itself there was no authentication, no encryption; all the data was there for the taking. There was no monitoring of the process, though we had this little fancy gauge that went from green to red, but that didn't do anything. Nobody came, nobody came to stop it, nobody tried to resolve the issue, no systems kicked in to try and fix it. There was basically no process monitoring and no safety instrumented system, which, for those of you familiar with ICS, its sole job is to keep things safe, as that objective third party looking in and saying, hey, you just closed the cooling ducts (I think that's what they did, I can't remember), now it's getting hot, maybe I should stop the process, shut things down. Nothing like that. So again, a bad job of ICS security there. The same things applied: there's no segmentation, there are shared passwords, there's no monitoring. And talking about the SIS: we want to have our process be inherently safe. That means it stays safe on its own. Nuclear reactors, in theory, do this: they generate steam, that steam turns a turbine, then it condenses and turns back into water, which ensures that the nuclear rods stay covered in water. That's self-contained; no human needs to interfere with that. That's the way it works.
That's an inherently safe process; that's where we want to start. Then we have controllers that try to programmatically manipulate things to keep it safe. Then we have operators who can take their steps to fix problems when those measures fail. Then we have the safety system, which can take that outside view and shut things off. And then we even have passive controls like safety valves, or things like that, that can blow out, and even external protections like downstream dams, additional dams downstream, and so on. The point I'm trying to make, though, is that securing your ICS is about securing this process. The process is what rules, and I don't really care how you do that. Real-world protections are just as good as electronic protections, but if you don't notice when your process is about to go boom, then you have a problem.

One other ICS story, more or less, was The Believer, where there was a rhydonium mining and refining plant. Long story short, they needed to get in because this was apparently a good place to get access to an Empire terminal to find out where the bad guy was, where his ship was. And so apparently this plant, this refinery, was the place to do that, and it happened to be, and of course speaking to no segmentation again, or compartmentalization of networks and data: why you would go to a remote mining world to get access to the central database, you know, again... But rhydonium blows up in this episode. They first hijacked a truck by stopping it in a tunnel, chatting for a while, getting in the truck and driving it on. So why did nobody notice that? But that was essentially, I mean, analogous to a phishing attack: a remote endpoint compromise. They stopped the truck; somebody got social engineered, basically, more so than phished, but anyway, that remote endpoint was compromised and they were able to drive the truck, kind of analogous to poor endpoint security. So not only was it stopped, but they were able to get in the truck, drive it, escalate privileges, and use it to enter the plant by impersonating a trusted user. We never see that happen, do we? Put on a helmet and nobody knows who you are. This one, though, was a bit bizarre, in that, at least the way I understand the episode, the Empire had a list of genetic signatures of people who were not allowed into the plant: a negative enforcement model. Well, come on, can the Empire really maintain a list of all of their enemies, all of the bad people from their perspective in the world? What possibly makes them think that is a good idea? That's a negative enforcement model; we want a positive one. We want a permit list: these are the people who are allowed. There was a terminal; when they got to the terminal it required a face scan. Mando was there because he was not on that list of genetic signatures, nobody had seen his face, and apparently any face could be scanned (I don't know, whatever); any face was good enough to be authorized. They had unauthorized access to data to learn the location of the ship. Their escape was data exfiltration, and of course they blew things up on their way out the door, which is kind of more or less ransomware. So we saw in this one episode a full attack chain. I guess there was no command and control, really, but other than that this was a full kill chain, or full attack chain, of an attack.

And I just want to reinforce, and I'll mention it on the next slide, that negative enforcement model. What I'm saying is they had a list of known bad people, kind of like traditional antivirus does, that weren't allowed in Empire facilities, so anybody else was permitted in. That's a default permit. They need to move to default deny, a positive enforcement model, which says this is what I will permit. I usually think of those things in terms of firewalls; it's really bizarre to have that in an authentication system. Basically, anyone who I don't say cannot come in is allowed in; that's my authentication. So you can be anybody as long as you don't authenticate yourself as a bad person. That was just bizarre.

So Mando's after-action report: the Empire didn't detect the truck stopping and being delayed; there was an anomaly. Mayfeld, his ex-criminal partner in crime on this one, was the only trooper in the episode not wearing a helmet the whole time, and of course because he wasn't wearing a helmet he got recognized. But why? Well, anyway, he's standing out as an anomaly by not wearing a helmet. The deny list was incomplete: not only was it a deny list, but it wasn't complete. They didn't keep track of all the bad, because they didn't detect Mayfeld there. A terminal on Morak, that was the name of the planet, can access sensitive information in the core of the Empire network; again, segmentation, data governance, access control. Their MFA: there was no MFA, and the biometrics were not functional, since any face would do. And of course I talked about the positive enforcement model at length. So, yeah, they did not do these, and these are critical. This was a facility where things were blowing up all the time; this was not great security practice.

So finally, a little bit of miscellaneous, a little bit of a grab bag. We saw tracking beacons throughout The Mandalorian; privacy was not a thing. Mando could see and hear through walls and over long distances, and so on and so forth. I was going to do a full slide about this but I decided not to: in Sanctuary, I think it was called, they built a defensible architecture and trained a bunch of noobs to successfully stop an AT-ST. In many cases as well, throughout the show, they bypassed defenses, aka blew doors off hinges, rather than trying to defeat them. So you just have to be aware that attackers aren't always going to come at you the way you think they are. Every time I do a pen test I think I know how it's going to go, and at least half the time I'm wrong; it goes a completely different way. Stormtroopers: I just thought it was kind of interesting, it'd be pretty easy to create an IOC for stormtroopers, because they're all the same. That's just one IOC I've got to manage. And another point too: tools like, say, Metasploit, or like IG-11, the whatchamacallit droid, the bounty droid, they're neither good nor bad. IG-11 got reprogrammed and used for very noble purposes, protecting Grogu. They're just tools, and the same thing is true whether it's PowerShell (that's a tool; it's a blue team tool, it's a red team tool) or Metasploit or whatever else; they are just tools.

So a couple of concluding slides, just some takeaways, I guess. The basic controls still matter a lot. The defensible architecture, that's your foundation; I started there. Your network segmentation, authentication, authorization, MFA, least privilege, separation of duties, management of privileged access: obviously these are core security concepts, and they still matter every single day. Of course they're going to get defeated, as we saw, so monitoring, logging, alerting, those things all matter too, so that you have an opportunity to respond. It's not just about detection.
you know it's about your defenses like mando's armor are there to force the attackers in down a different path where they are weaker where they might be revealed where you might detect them or have an opportunity to fight back against them but you have to be able to fight back you have to be able to respond data governance was not the empire's strong suit from you know death star plans to passwords neither was backup fault tolerance or redundancy you know there was a single point of failure in every one of those death stars and encryption apparently really wasn't a thing so basic controls still matter but to finish where i started so do people and maybe more so
as i mentioned earlier you don't want to be the bottleneck you want to um be that force multiplier but you also want to ask for help and offer help as appropriate as i've tried to to make clear everybody has something to offer so join those community communities participate share your knowledge because i guarantee you there's somebody out there who's interested in what you have to say even when it's trying to uh relate television to cyber security and torture some analogies and all of those things so uh i just wanted to say thank you for for joining me this was a little you know i had more fun putting this together hopefully you guys had some fun and ladies and
everybody had fun
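The Morak terminal discussed earlier (a deny list of genetic signatures plus a face scan that any face satisfies) beside the positive enforcement model the speaker argues for, as an added Python example that is not part of the talk; every signature, name and face template in it is constructed.

```python
"""Default-permit (deny list) vs default-deny (allow list) access checks.

Added example modelling the Morak terminal scene; all data is constructed.
"""
from dataclasses import dataclass
import hmac

# Constructed deny list: genetic signatures the Empire has flagged as enemies.
DENY_LIST = {"sig-rebel-01", "sig-rebel-02"}

# Constructed allow list: the people actually authorised at the terminal,
# each mapped to the face template enrolled for them.
ALLOW_LIST = {"sig-officer-07": "face-template-officer-07"}


@dataclass
class ScanAttempt:
    signature: str      # genetic signature read at the terminal
    face_template: str  # what the face scanner captured (constructed)


def denylist_check(attempt: ScanAttempt) -> bool:
    """The flawed model: anyone not on the deny list gets in, and the face
    scan only proves that *a* face was presented, never whose it is."""
    if attempt.signature in DENY_LIST:
        return False
    face_present = bool(attempt.face_template)
    return face_present  # default permit


def allowlist_check(attempt: ScanAttempt) -> bool:
    """The positive model: the signature must be enrolled AND the captured
    face must match the template enrolled for that same signature."""
    enrolled = ALLOW_LIST.get(attempt.signature)
    if enrolled is None:
        return False  # default deny: unknown means no
    # Constant-time comparison so a near miss is not leaked via timing.
    return hmac.compare_digest(enrolled.encode(), attempt.face_template.encode())


# Constructed attempts. Mando: nobody has his face on file, not on any list.
UNKNOWN = ScanAttempt("sig-unknown-mando", "face-template-unknown")
# Mayfeld: a known criminal the incomplete deny list never recorded.
MISSED = ScanAttempt("sig-mayfeld", "face-template-mayfeld")
```

Both constructed visitors pass the deny-list check and fail the allow-list check, which is the whole difference between "not known bad" and "known good".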